In my previous column, I expressed the hope that the Operational Technology (OT) security community will move away from pushing an IT compliance security model in the world of OT. Instead, as a community, we can focus our efforts and discussion on how to more efficiently make demonstrable gains in the OT security posture. One of the ways our industry can start seeing greater efficiencies in our controls security investment is to design for our operational environment.
When designing for the OT environment, we should review outdated paradigms, and consider newer technologies and the operational realities of the environment. To accomplish these efficiency gains in security OT, we will have to pivot our thinking on some of the staid paradigms of the IT world. For example, in a post-Stuxnet world, endpoint protection, while an important part of a defense-in-depth posture, has real limitations in OT. A decade ago, we inherently trusted the traffic between the HMI and the controller. My colleague Matthew Schwartz, Director of Enterprise Security at GE, says “Endpoint protection has gone the way of the dodo in critical infrastructure.” What could drive greater network security in OT?
Technological advancements in sensing technology capabilities and lower production costs allow us to bridge the gap between traditional network security at OSI layer 3, 4, (network, transport) with new network security controls up to OSI layer 7 (application). We have the opportunity to provide highly actionable information to our critical infrastructure operator colleagues by leveraging sensors, controls path device log aggregation, and decision engines trained to recognize valid system parameters. We can verify the path; network devices with industrial protocol awareness can be deployed as sensors to provide unparalleled visibility. This approach may see broader application in industry as it has been demonstrated in Idaho National Laboratory’s Sophia project and in existing commercial offerings.
Another common IT paradigm that is less effective in the OT environment is the use of System Information and Event Monitor (SIEM) in OT environments, which sit between the controls and plant network. Hands-on plant side experience suggests that in many sites a SIEM is rarely touched after initial installation, so as threats evolve and environments change, very little is done to inform the SIEM of the latest ICS risks and the context of the operation. The firewall that sits next to the SIEM is of course updated annually, but by and large, these policy updates address traditional IT threats associated with the operating system and its configuration.
There are a lot of operating contexts that make a SIEM difficult to maintain. When we think about the effectiveness of a SIEM in OT, let’s consider the operational context of Floating Production, Storage and Offloading (FPSO). There is a very limited rotating staff on a marine vessel and there is only intermittent satellite internet connectivity. How pragmatic is it to think that a SIEM on such a vessel will be updated for known ICS threats?
A SIEM is a powerful tool but its efficacy is tied to both the quality of configuration and updates. Unfortunately, typical SIEMs have been designed with configuration and update workflows targeted at an IT professional in lieu of being tailored for the instrumentation and control technicians that will maintain them on a FPSO unit for example.
Our peers that operate in critical infrastructure environments are constantly weighing the cost benefit analysis of operational integrity and demonstrable security improvements. As an industry, we have a unique opportunity to pivot our thinking away from IT compliance paradigms towards design for purpose to promote investment in demonstrable improvements in OT security.