When you read your favorite cybersecurity blog, do you often wonder what it would be like to sit down with the authors and get their real thoughts about some of the topics they write about? Most blogs and articles are so carefully curated, edited, fact-checked, and linked to supporting evidence that they can seem somewhat stilted, and worse, heavily contrived. Perhaps this is why meeting some of the speakers and authors at public events is so much fun. It gives us all a chance to hear the person in an informal setting, with all the possible candor that makes for a true connection.
We thought this may be a good approach for a new series that we call “Pub Talk”. It gives us a chance to get an unvarnished glimpse at some of the cybersecurity issues of some of the popular and respected experts in the field. These are the conversations that we all want to have over our favorite beverage. Unbridled, honest, yet still family-friendly, we hope you enjoy these casual conversations.
In our first chat of the series, we imagine ourselves at the Revolution Bar on Clapham High Street, in London. As the drinks are served, I am joined by Henry Partridge, from Belden, and Lane Thames, and Tyler Reguly, who are both from Tripwire.
Richard: From an OT security standpoint, what is the top of your list as far as OT security is concerned?
Tyler: I think a lot of it is that low-hanging fruit idea. One of the things that, even today when I was looking at the latest in the CSA industrial alerts, the very first one on the list was the problem of hard-coded credentials. Things that we were fixing in the nineties in IT are just being discovered in OT as we start to do a lot of IT/OT convergence. And, so, I think one of the big things that I notice is that we have all these little issues, whether it's systems that don't work, or hard-wire passwords sitting on the factory floor or it's these systems that are going onto our networks where the vendor says, “well, our best practice is to not plug it into your local network”.
Henry: It's obvious that people are going to want to have remote access into these plants, and those types of devices are inherently insecure, especially as you open up different systems, that may be not as secure as you would expect them to be even outside the plant. You definitely want your low lying fruit to be taken care of like Tyler was saying.
Richard: What are some of the best tips, or tricks, because remote access just seems like it's going to happen. How do you mitigate that risk?
Henry: You want to establish a security perimeter that you say, this is the plant, this is where the data's coming from. Then you want to put in some kind of restrictor or firewall at that point. Possibly even a DMZ, where you can push the data from the plant into the DMZ, and then from that DMZ, you allow only certain connections to happen.
Richard: Good advice there. It sounds almost historical. I mean, that's where we once were. We had industrial control systems created without having to worry about security. Lane, how about you? I didn't get a chance to turn to you about some of your top-of-mind OT security concerns.
Lane: When I look at 10 years down the road, five years down the road, the problem with this is about segmentation and firewalling and stuff in terms of opening up firewall holes with policies. The, the thing that I see in the future is scale. Just today, we had a heated debate on what to call an “edge device” in the very near future. As we start retrofitting or replacing and refurbishing legacy systems with cheaper and more powerful systems with, in particular, more powerful communication and computing capabilities and the ability to communicate over an IP based network, this is where the scale aspect comes in.
Richard: Tyler, I'm intrigued, from your perspective, as far as IT/OT convergence it's some scary movie where the Monster's right behind you. What's your perspective on that convergence, and where are we, and maybe a prediction about when that gap actually closes?
Tyler: It's interesting, because, you referenced a horror movie monster, but we're now seeing horrors that are built around IoT devices, and they feel much more realistic and more frightening to look at, where you see these devices that are allowing people direct access to your network through any number of means; great for automating little tasks and stuff, but in order to have that, I now have to have a hub in my home. It has to have a connection to the internet. It has to receive data back in from other services. So, now I've got not just these devices that people could potentially connect directly to, but I've also got paths in from the various service providers because it uses a cloud-based model.
Whether you look at these home IoT devices or medical IoT devices or military IoT or industrial IoT, any of these devices have that same problem where we've become reliant on various cloud providers that are giving us access to our data either through their systems. This means that now we get into those supply chain issues where we have all of these different other cloud service providers that have a path through our network.
There is a television show on where the last episode was literally about taking out a power grid, and the way that they approached it was that it was to compromise of one of the service providers. Yes, it was a TV show. Yes, they simplified things, but that sort of attack of all these different cloud service providers that we're giving paths in and out of our network, even if it's just temporary is a really scary thing that I don't think we're looking at, especially in terms of IT/ OT convergence. We're thinking about them in terms of maybe it, we're not thinking about what that means to the industrial networks that we've connected to our IT networks. I think that's going to be the next round of horror movies.
Richard: Do any of you think that there's going to be some type of ISO certification, or a seal of approval or something where these millions of devices have been identified at some level of security? A scale of one through five, instead of having to run it through your own lab and building your own security or practice around it?
Lane: I know that folks that I work with have been talking about this. Some type of an organization that could actually say, “Hey, this is a good, certified device.” If you think about some of the recent executive orders and stuff that has been happening recently, I would hope that some type of standards organization would come in to help with certifying certain types of things. But if you think about industrial systems, what about a car? These cars that communicate over the air. People don't really quite realize that even maybe some of the gadgets we buy, like the thermostat in your house, what can a criminal do?
Richard: From an operator standpoint, what's the first couple of steps or approaches that you'd recommend in order to try to quantify the problem?
Lane: From an operational perspective, visibility is first and foremost. You can't protect what you don't know you have. If you bring in a crazy device, like a Wi-Fi connected device, and you put in the employee kitchen for your employees to use, you can't just do that and it benefits the employees, because that device might be a foothold for a criminal who wants to break into your OT network. Visibility across the entire space of IT and OT is going to be first and foremost in this process.
Henry: Those entry points in and out of the OT environment are key. You have some kind of devices that can monitor that traffic and possibly even send logs or to a correlator that can trigger some sort of alert about unusual traffic. I agree with Lane that you have to have that visibility to see the anomaly.
Lane: We mentioned earlier this idea of an air gap, but the phrase “air gap” needs to go away because we can no longer provide a guaranteed air gap. There are so many connected OT devices, that you can't even imagine in terms of the scale. Visibility in terms of, if you know what's on your network, then the next step is that you should know where it's connecting and how it's connecting.
Tyler: I teach my students who don't promote industrial security how you can easily find exposed devices on the internet. I encourage everyone to try and diagram every connected device on their home network. I tried this in my apartment. My apartment's under 700 square feet. I still could not get every single connected device that I have. I looked at it and revisited it multiple times. And every time I scanned my network, I found new devices. If you can't diagram your entire home network, how are you ever going to know what's on your network in the enterprise, what's on your network, on the factory floor. It's absolutely impossible.
Richard: The visibility challenge is big enough, let alone trying to get “underneath the hood” of these devices to figure out where and how they were manufactured. I like how you illustrate it, and how and both of you have talked about just kind of the evolution of the industrial spaces. It’s a relatively immature space. Henry, how do you see IT getting involved with OT? How do you see that convergence happening?
Henry: Well, I think there could be some good things that IT can offer us as far as some of what they've had to deal with. For example, IT has been working with remote access a lot longer than OT has. For OT, it's more of a new thing. Maybe there could be some more defense in depth by pulling remote access through the IT network and keeping in and gaining that little, extra wrapper of security that they might have, but then there's also risk there too. It depends on how well the IT space is secured.
Tyler: I think there are two spaces where I'd like to see huge improvements in growth. One is that a lot of more active IT security technologies have been pushed out to the OT space, and that's due to instability and OT products. Let’s use printers as a hypothetical example, even though they're not OT necessarily, but the idea that these products are built with very weak TCP stacks that can't handle a lot of the active discovery and active scanning techniques that we see. I'd really love to see the vendors of these technologies take a more active step in making systems that are more robust. And the second one is I would love to see a lot more IT/OT convergence when it comes to not only the technologies, but red teaming and blue teaming exercises.
Lane: Richard Feynman said one time, that it was a beautiful time to be a physicist. To me, as an engineer, I'll say it's a beautiful time to be an engineer because we're entering a new world where it's very exciting. One of the key things of doing this is significant interdisciplinary collaboration between those involved, the IT and the control engineers, and the OT folks working together.
Richard: What are the biggest cybersecurity threats right now? Ransomware, internal breaches, remote access, industrial espionage?
Tyler: Can I say “all of the above?” I mean, if you look at the news right now, it's probably ransomware that's driving a lot of the news that we're seeing. I think most organizations need to do a much better a job of making their staff aware of what they can and can't do what they can and can't click on. That's always going to be a huge threat until we figure out a better way to deal with that.
Lane: Ransomware is one of our biggest threats, and the vector to get in is often phishing. And, as Tyler just mentioned, this is based off of poor awareness and such, but there is also an increase in threat actors in criminal organizations that implement advanced persistent threats, or APTs as we call them, that are starting to focus and drill in on ICS networks, industrial control system networks.
Henry: I think in this environment where everyone's trying to work from home and take advantage of remote access, it just accentuates the risk that we've talked about and that Lane and Tyler just talked about, because it opens up more doors.
Richard: From my standpoint, it's a “follow the money” approach, and certainly ransomware is the most present monetization of cybercrime. When you describe a network as “robust”, what do you think is the best way to demonstrate that?
Tyler: The CIS controls that were updated this year is a great starting point. I think if you can get through those controls, that's robust. If you have questions about them, the State of Security blog has been reviewing one control a week for the last 14 weeks. If you can look at those controls and say, “Hey, I'm practicing all of that on my network”, I would consider you to have a robust network at that point.
Lane: We talked about devices that might be connected to the internet, but applying these controls is especially critical in the top of your IT organizations, because that's how the attackers are getting in to get into your OT networks. Keep in mind that in many, many cases, breaking into the IT network can shut down your OT networks. The Colonial pipe incident is a perfect example of that particular case.
Henry: Yeah, I think a good network design is helpful in creating a robust network. If you look at the NIST guidelines for ICS networks, that would be a good place to start to get some basic good network design and, and robustness for your networks.
Richard: It looks like the bartender has made the rounds for last call. This has really been an excellent time chatting with you all. I definitely learned some things here today. And practicing robust security and being protected is why we're sitting in these seats. And we will continue on this journey, because there is no endpoint. The bad people out there continually get creative and keep us employed and active.
And, with that, we got our coats and walked off towards the Clapham North tube to head home, considering what the future holds for IT/OT convergence, and every other cybersecurity concern.
Be sure to subscribe so you can sit down with another group of cyber professionals for our next edition of Pub Talk.
You can register for the next Tripwire Industrial Cybersecurity Pub Talk, today!
