OT security: Helping under-resourced critical infrastructure organizations
In this Help Net Security interview, Dawn Cappelli, Director of OT-CERT at the industrial cybersecurity company Dragos, talks about the OT security risks critical infrastructure organizations are facing, offers advice on how they can overcome obstacles that prevent them improving their cybersecurity posture, and explains how the recently set up OT-CERT she’s heading can help asset owners and operators of industrial infrastructure.
[The answers have been lightly edited for clarity]
Supply chain risks are compounded for organizations that must protect both their IT and the OT from cyber-attacks. What technologies and approaches should they consider implementing? What specific pitfalls should they avoid, and how?
Most third party risk programs are IT-focused – including suppliers that have access to the organization’s intellectual property or network. But some OT suppliers have access – physical and remote – to the OT environment, for troubleshooting, maintenance, etc., and it’s important that the risk posed by those suppliers is included in the enterprise third party risk program, since remote access to OT poses obvious security risks, and on-site access often involves USB drives and other direct electronic access which also can introduce malware into the OT environment. The good news is that these vendors can simply be included in existing third party risk programs.
On the other hand, more and more suppliers are being impacted by ransomware hitting their OT environment. This impacts their ability to provide their products and services to their customers, which can in turn impact their customers’ operations. Therefore, the scope of third party risk programs needs to be broadened once again to include critical suppliers in OT – those whose products or services are critical to the organization’s own OT operations. Now the bad news: existing third party risk programs typically do not assess security risk in OT environments. In fact, although frameworks and best practices are emerging in OT security, organizations usually need to rely on OT security experts to assist in these assessments and remediation recommendations.
Finally, we have seen increasing cyber attacks against the software supply chain, as well as attacks targeting vulnerabilities in critical OT products. When choosing suppliers of critical OT products, it is important to determine whether the vendor is certified to ISA/IEC 62443 – the leading security certification in OT. Those certifications should be an important factor in choosing products for the OT environment.
How can IT and OT Sec teams improve their cooperation towards their common goal (of keeping all systems working to support the company in achieving its business objectives)?
The biggest problem in OT security is the cultural divide between IT and OT. IT security is a mature field, with standards, frameworks, and an abundance of mature and emerging technologies. The OT security field is much less mature, lacking people with OT security experience, established best practices and frameworks, and with a much smaller selection of security technologies.
Historically, IT and OT have worked independently on security, with OT engineers overseeing security in the OT environment where it was not as critical due to lack of or limited connectivity to the internet and to the enterprise. Today, however, most OT environments are connected to the enterprise IT environment and to the internet. The benefits of Industry 4.0 and digital transformation in OT has accelerated connectivity in OT, including to cloud environments. The prevalence of converged IT/OT environments makes it imperative that IT and OT teams work together to secure them.
The problem is that cultural divide. The good news is that it can be conquered, by bringing the two teams together to create an OT security strategy that is owned jointly by both teams. Conduct a workshop with representatives from IT, IT security, OT managers, OT engineers, and IT/security personnel from OT. Use the NIST Cybersecurity Framework as the basis of the workshop.
You might find the atmosphere to be a bit contentious at first, but as the teams walk through the framework, they will begin to understand and respect the “other side”, and will begin to discover synergies and develop ideas for how they could work together toward a common goal. Since the plan was developed together, joint ownership of the plan boosts its chances for success as the team works on the strategic roadmap they created together.
The theory of keeping IT and OT networks secure is there, but there are many obstacles to putting it in practice – especially when the organizations aren’t large and well heeled. Which are the most common ones and how can they be overcome?
An OT security program should focus on the following 5 critical controls:
1. ICS-specific incident response plan: Create a dedicated incident response plan for specific cyberthreat scenarios at specific OT locations, and consider table top exercises to test and improve response plans.
2. A defensible architecture: Hardening the OT environment – remove extraneous OT network access points, maintain strong policy control at IT/OT interface points, and mitigate high risk vulnerabilities. Include the people and processes to maintain it.
3. Visibility and monitoring: You can’t protect what you can’t see. Maintain an inventory of assets, map vulnerabilities against those assets (and mitigation plans), and actively monitor traffic for potential threats.
4. Multi-factor authentication: Multi-factor authentication (MFA) is a rare case of a classic IT control that can be appropriately applied to OT. Implement MFA across your systems of systems to add an extra layer of security for a relatively small investment.
5. Key vulnerability management: Over 1200 OT-specific vulnerabilities were released last year. While patching an IT system like a worker’s laptop is relatively easy, shutting down a plant has huge costs. An effective OT vulnerability management program requires timely awareness of key vulnerabilities that apply to the environment, as well as alternative mitigation strategies to minimize exposure while continuing to operate.
Now let’s examine the approach for an under-resourced organization. They need a straightforward method for assessing and addressing their OT security gaps that is practical to them considering lack of expertise and resources. That is where the Dragos OT-CERT (Operational Technology – Cyber Emergency Readiness Team) comes in.
We will provide them with a simple self-assessment instrument to provide a baseline of their current security posture. Next we will provide an asset management toolkit, which will consist of training, an asset management template that they can use to capture and maintain the inventory of their assets in OT, and a guide. This is the foundation for critical control #3. Following that will be a self-service ransomware toolkit to assist them in preparing for cyberattacks in OT (critical control #1). Each month we will release additional resources to assist them in addressing the critical controls listed above in a way that is practical for them.
You are the first director of Dragos’ OT CERT center. Tell us a bit about this new project and your plans for it.
When I was CISO at Rockwell Automation, we continuously expanded our third party risk program to address the increased supply chain cybersecurity risks that I discussed above. Unfortunately our risk analysis sometimes prevented us from accepting the risks posed by small or medium suppliers with a cyber posture that did not meet our requirements.
While there are some free resources available for IT security in small businesses, I could not find any free resources for them to create a minimum level of security in their OT environments. Supply chain cybersecurity risk, and the urgent need for someone to step up and help small organizations to raise their security posture became my “hot button” issues as I retired as CISO.
Our CEO, Rob Lee, recently stated, “When you think of our mission of Safeguarding Civilization…it’s not ‘safeguard the companies that can drive revenue fastest’…we should provide answers for all organizations within our community, including the smallest and most underserved companies.” That is why Dragos created the OT-CERT.
Designed to support asset owners and operators of industrial infrastructure, Dragos OT-CERT provides free cybersecurity resources for the Industrial Control System (ICS) /OT community. Resources are available exclusively from the OT-CERT portal, providing members with information and materials to help build an OT cybersecurity program, improve their security posture, and reduce OT risks.
Membership is open to organizations globally, and firms of any size are welcome to join. OT-CERT membership is especially beneficial for resource-constrained organizations. Small to medium-sized businesses often do not have a dedicated OT security team or access to the same level of resources as large enterprises, and Dragos OT-CERT was created with these organizations specifically in mind.
In addition, OT-CERT will coordinate with OEMs regarding disclosures for vulnerabilities discovered by Dragos threat intelligence researchers, as well as cyber threats detected by Dragos targeted at the OEMs’ products. OEM partnerships, like the ones we have with Emerson and Rockwell Automation, are critical to coordinated vulnerability disclosures and effective threat response to protect and support industrial infrastructure in the escalating cyber threat environment.
I am honored to be the first director. My security career started in CERT at Carnegie Mellon University – the first cybersecurity organization in the world. CERT is dedicated to providing resources to help the community to defend against cyber threats, so that passion is part of my DNA.
What “fights” do you expect to be involved in while bringing your vision of the project to life, and why do you believe you’ll win them? How has your career to date prepared you for such an undertaking?
The biggest challenge I anticipate is getting under-resourced organizations to join OT-CERT. Many believe incorrectly that it will never happen to them – who would be interested in attacking them? Or they are convinced that they do not have the resources or expertise to build a security program and therefore will not give it a try. I firmly believe that what we plan to provide is practical for small and medium sized organizations with OT environments, and it is imperative to industrial infrastructure that we get them to participate.
My strategy for overcoming this challenge is our OT-CERT partnership program. We have partnered with the National Association of Manufacturers (NAM) and four Information Sharing and Analysis Centers: E-ISAC (electricity), ONG-ISAC (oil and natural gas), DNG-ISAC (downstream natural gas), and WaterISAC. Our partners will promote the OT-CERT to their members, and work with us to ensure that our resources are useful to them.
We will conduct joint workshops with some partners – workshops focused on organizations of similar size, sector, and potentially geographic location. In the workshops participants will learn from each other, collaborate on new strategies, and build relationships for ongoing information sharing. In addition, best practices and other learnings from the workshops will be reflected in OT-CERT resources for the benefit of all OT-CERT members.
I’ve been faced with “new frontiers” twice in my career, and I love conquering a challenge by building something new. I was the founder and director of the CERT Insider Threat Center, which I grew from one seminal insider threat study with the Secret Service into the global center of expertise on insider threat. After 13 years I left CERT to build an insider risk program for Rockwell Automation. At that time I knew of 4 other people that were building comprehensive, global insider risk programs, and we created an information sharing group which grew to more than 200 companies with 300 members in a few years. The group is still very active, and is now being run by the National Insider Threat Center at CERT at Carnegie Mellon.
As CISO at Rockwell Automation I was faced with another new frontier: OT security. There were no best practices or frameworks, and few technologies available, so once again I formed an information sharing group of CISOs with OT environments so we could all learn from each other and develop and share our own best practices.
I am excited about the opportunity to build a new information sharing community in OT-CERT!
The security of the IT and OT at industrial and organizations in the energy industry has always been important, but with the explosion of ransomware and the fact that these orgs are likely to be pawns in global (cyber) conflicts, the danger of crippling cyber-attacks is seemingly higher than ever. Can you offer some advice to those in charge of cybersecurity defenses at these types of companies – advice that will stop them simply treading water and start them moving towards a better cybersecurity posture?
I believe most large organizations in industrial infrastructure are working to raise their security posture to mitigate the elevated cyber threat environment. I believe the weak link in cybersecurity is the supply chain, and it is imperative that we all work together to address it. Both nation states and cybercrime groups have targeted suppliers to get to their customers’ IT environments and / or information – SolarWinds, Accellion, and Kaseya are just a few. It would be foolish to think that they will not try that same tactic in OT environments. For that reason it is imperative that CISOs make sure they are including their OT suppliers in their third party risk programs as soon as possible.
I am grateful that Dragos has committed to OT-CERT so we can impact the security ecosystem of the industrial infrastructure community, but we need the awareness and support of larger organizations. Security teams can point their vendors that do not meet their OT security requirements to OT-CERT and other free resources for IT security in small businesses. Only by working together can we protect global industrial infrastructure from the impacts of ransomware and sophisticated cyber attacks targeted at OT environments.