Hi, I am Nate Kube and I am really pleased to be starting a dialogue with SecurityWeek’s readers.
As a founder and CTO of Wurldtech Security Technologies, I have had the opportunity to watch significant changes take place in industrial cyber security since starting the company in 2006.
I started out working on a project on communications robustness testing and was able to engage with some forward-thinking energy producers on understanding security risks in an operational context. At that time, we lacked a common language to talk about security in the energy industry.
Since then, the collaboration that has taken place between energy operators and controls suppliers has enabled us to progress towards actionable product security standards and more transparent methods to assess security posture.
On the eve of the ratification of IEC 62443, we have moved towards an international standard in industrial security that will support more efficient investment in demonstrable reduction in security risk by both operators and suppliers.
While a great deal has been accomplished over the past eight years, as a sector we have a lot of work still ahead of us.
In this column, I look forward to starting a broader conversation about the challenges and possibilities in the operational technology space.
One frequently discussed challenge to securing critical infrastructure is the “IT – OT Divide”. While I have not heard many operators refer to their control systems as OT or Operational Technology, I have heard their concerns about security practices and policies that fit in the IT world being shoehorned into their industrial environments without proper regard for the differences between the two.
I have a colleague who jokes about comparing the form factor and user experience of the average industrial control system to a smart phone; she says it’s “like seeing a person walking down the street, rocking a 1990s mullet.” It’s not far from the truth.
Industrial control systems have not changed a lot over the past twenty years. One reason is that industrial control systems tend to be complex, relying on proprietary protocols and equipment from different vendors, which complicates their integration. The other reason is the incredibly long life of a control system compared to IT equipment; it’s not unusual for an industrial control system to operate for 15 years or more.
When supporting energy operators in field security assessments earlier in my career, I observed that speaking about security risk in the context of operational impacts was the most effective way to explain security posture.
Operators are reluctant to make any change that can impact the integrity or availability of the process. In power generation and energy production, most operators will not make changes to industrial controls while in operation, regardless of redundancy or qualification testing. These operators face asymmetric risks when making changes; the potential benefit of applying a patch is dwarfed by the tremendous financial and operational costs of even one hour of interrupted operation. The difficulty of maintaining software and configuration inventories across an operation, much less an enterprise, also discourages making changes after commissioning.
Given these concerns, it is easy to understand the real obstacles that operators face when trying to apply IT practices to operating networked control infrastructures. The pragmatist in each of us has to ask: have we tried to push the wrong paradigm into OT security?
The diligence shown within critical infrastructure over the past decade is commendable. To this end, I would like the OT security community to move away from asking what we can do to gain greater adoption of a greenfield IT security model and instead ask how we can achieve demonstrable gains in OT security posture more efficiently.
What security controls can we design for the OT space that address the lifecycle and operational environment of industrial controls?
Let’s spend the next eight years creating a security paradigm that supports the operational realities and security risks of the OT space. In future columns I’ll take a deeper look at some possibilities on how we can get there.