If you are developing a modern medical, manufacturing, or logistics facility, there’s no doubt that a large portion of your investment was made into the electronic aspects of your device. Sensors, connected devices, and machinery are synchronized to deliver a streamlined experience. For facility operators, this includes elevators, HVAC systems, PLC controls, valves, pumps, and a whole slew of systems that we don’t think of as ‘connected.’ And that’s precisely the problem.
Many of the devices mentioned are controlled now by a central building management system, but they were not necessarily designed with protection in mind. If a hacker gains access to something as simple as an elevator, they can move about the network to knock out security feeds, tamper with monitors, and cause havoc. At times this turns into a ransomware attack. Other times it can turn into a full facility shut-down, depending on the threat actor and their motives.
From IT to OT, and product security
Mirel Sehic, Global VP and GM of Cybersecurity at Honeywell joined the Left to Our Own Devices podcast to share his thoughts on the matter. Regarding attacks on operational technology systems, “you’ve lost access to your security feeds. Now, if it’s a standard premium commercial building, you may say, ‘okay, I need to fix that right away’. But what if it was a hospital? What if it was a data center? What are the implications, and is this an inconvenience or does it put lives in danger?”
Studying engineering, mechanics, and robotics, Mirel Sehic cut his teeth on process control environment and PLC to control valves and pumps in manufacturing sites, oil rigs, and other places. His experience as a critical infrastructure control systems engineer for heavy industry showed him first-hand that the critical infrastructure we rely on so dearly, is not up to snuff in terms of cybersecurity.
This line of work has led him to the cutting edge of integrating control systems for ICT, PLC, and digital systems. He has witnessed the digital transformation firsthand, watching companies implement IT, to OT, and now to product security– ensuring connected controls don’t become cybersecurity weak points.
The dangers in overcomplicated systems
Every facility has a central control system, but those all need customization and tweaks since no two are the same. Homes, airports, federal buildings, academic institutions, warehouses, and others all have unique challenges that must be addressed.
Looking to get a better understanding of today’s cybersecurity awareness landscape amongst facility operators, he conducted a survey that found 93% of cyber leaders believe political instability creates an environment for significantly more attacks over the next two years. Even more alarming:
- 27% of respondents said they already had a breach in the last 12 months
- 44% of respondents said they have something installed or in the works for cybersecurity or product security
- And a whopping 50% of respondents said they are just starting their security journey
What’s concerning is that these risks are shared by everyone, even outside of the breached organization. Hospitals risk exposing personal identifiable information, disruption of service knocks out accessibility, supply chain backlogs lead to empty shelves, and so on.
The biggest challenge facing these organizations is how to integrate legacy systems into their modern digitized operations.
The ISA 99 Purdue model was designed to create truly segmented networks, stopping hackers from moving about if breached, but that’s not the reality for most places. Usually the organization is flat with devices sharing data between each other, the cloud, and various facilities. Mirel Sehic explained that “today we have flat networks. So, what does this lead us to? Well, we’ve got a lot of systems talking on these networks. Some are dated, some are fairly new and some are bleeding edge new.”
Meril tells his clients and shares with the industry, “All of these systems have started to talk to each other– so that’s new. That wasn’t really the case in the past. Systems are now talking to other systems that weren’t sharing data. These systems are also talking to the edge devices and back down. They’re talking from the device level to the cloud or from the device level to the edge, to the cloud.”
“If you think about it, I guess the biggest challenge here is we are digitizing, we’re moving to a connected world– an interoperable one. We maybe haven’t stopped and said, ‘hold on a second, all these legacy systems, maybe they weren’t designed to operate in this type of form and function’.”
Keep it simple
Keeping it simple goes hand in hand with educating practitioners on what it means to secure networks and keep the business interests at the core of our decisions. We need to go above the tree cover to see the whole forest.
What threats are we facing? What risks do we hold? What are we comfortable with? According to Mirel Sehic, “Like all things, we start by breaking items down into the various constituents and we prioritize based on the applicability of that specific thing to the environment. This is very key because not everything that is applicable for one environment.”
When comparing a medical facility with a refinery, “There’s a difference of perspective, differences of approach, differences of threat and vulnerability management. How do we make it practical to all the business stakeholders? And I’ll emphasize the word business cuz that’s what we need to do.”
The better we simplify our messaging and remove any jargon, the more others will understand how it impacts their business. Bringing executives and various stakeholders into the conversation removes the mystery that cybersecurity is shrouded in. It creates conversations that allow us to put together a road map. Some of the questions Chief Product Security Officers (CPSOs) should be asking are:
- What is the organization’s risk appetite?
- How much are they willing to spend to keep that appetite as-is?
These questions lead to pivotal conversations. Only once you lay it all out can you begin to weigh that risk appetite, then you understand how many security layers you can apply. See, risk can never be zero but too little risk and you may layer technologies that impede operations, too much appetite and facilities become targets.
How SBOMs can help in the coming years
While the concept of a software ‘ingredient list’, known as a Software Bill of Materials (SBOM), has been around for some time, we are only recently starting to see it become required by regulatory and oversight bodies.
Requests for SBOMs are only going to increase since, if we think about it, “the huge majority of the applications we use today contain some element of open source code,” said Sehik. “Open source code is created by a very dedicated, very committed, very methodical group of independent contributors that are actively updating the repos and doing all this great stuff all the way through to one person managing the repository. That person may rarely check in, only completing the initial commitment.”
As great as open source may be, it still needs management and oversight, which is made significantly easier and more transparent with proper SBOM generation and management.
“So if we were to pair this software ingredient list with active vulnerability databases then we get our nutritional value for our product?” said Mirel Sehic. “Too many vulnerabilities is just as bad as having too much sugar in your diet. So these vulnerabilities need to be managed. Not every vulnerability means code red. It needs to be mapped to, to your business context.”
Going back to simplicity, SBOMs are a way to simplify our understanding of what exists within a device and begin to approach it as a mapped system instead of a black box of jumbled pieces. “It’s a standout way to reduce your exploitability and your overall threat footprint.” said Sehik.
Preparing for 2023 and beyond
It’s no surprise that Mirel Sehic is looking to 2023 as “a year of going back to basics”.
Three tips he gave were:
#1 – Measure what you have and build upon a solid foundation “Break out your architecture diagrams, map out the interfacing systems, and the relevant vendors. Figure out your cybersecurity posture as it relates to your current business operations. I think this first quantification step is super, super critical. It’s important as it allows us to actually make a start from a point of clarity.”
#2 – Simplify cybersecurity processes. Break it down into small chunks that can be addressed. Consider what’s actually relevant to business operability?
“Your tasks should be almost put into three buckets, abandoned– things you’re gonna stop doing. Things that you’re going to nurture and things that you’ve started that are going in the right direction. And finally, innovate– these are the new things you’re gonna do to help the business grow.”
#3 – Accountability is key and ownership drives urgency. Have people be primary contact so they can be responsible for moving the needle. “It allows these business benefits to be realized a lot quicker. We need to hold ourselves to account, we need to hold others to account and what we call our, our, our say do ratio.
Ultimately, education and simplicity allow us to take a big picture approach in bite-size pieces. Security systems are not built in a day and resilience is equally as important as protecting against today’s threats.
When simple words and terminologies are used to describe challenges, executives and various players begin to take notice. This leads to a better plan that is properly funded and secure into the future.