IT security research communities have been around for decades, sharing their findings with community members and the vendors of the affected product with the aim of accelerating some type of corrective action to safeguard users. As appreciation for the value of this service continued to grow, vendors began to offer bug bounty programs to provide researchers financial motivation to work with them to identify vulnerabilities. Today, bug bounty programs are prevalent, and researchers are being well compensated.
But what about research communities focused on the vulnerability landscape relevant to critical infrastructure?
On the heels of a historic period for critical infrastructure organizations, including the acceleration of digital transformation, targeted ransomware attacks, and crafty supply chain attacks, the need for research communities focused on operational technology (OT) and industrial controls systems (ICS) is urgent. While these communities are emerging and having a positive impact, it is still early days. What will it take for them to proliferate and grow?
Let’s look at the unique challenges for researchers analyzing these assets, the current state of these communities, and four ways to accelerate their growth moving forward.
Historically, OT has been a closed environment. Networks run on proprietary protocols, legacy equipment is pervasive, and ICS equipment is specific to a designated function. A proprietary domain, where equipment is hard to access, does not foster peer review. As a result, researchers are largely self-motivated, consisting of exploit finders motivated by the thrill of hunting down attackers, and those who simply want to enrich their understanding of how attackers operate to raise security levels.
Today, the OT environment is quickly changing and is more exposed to attack as highly connected cyber-physical systems (CPS) become the norm. More commercial companies and open-source tools have entered the OT ecosystem with the acceleration of the Extended IoT (XIoT), which includes OT/Industrial IoT (IIoT), Internet of Medical Things (IoMT), and enterprise IoT. Finding vulnerabilities and assessing and managing risk is more complex than ever – all the more reason to encourage more researchers to share their expertise and insights.
Fortunately, we’re seeing growing public- and private-sector recognition that security is a team sport. The White House Executive Order, section 2, and several key initiatives by the Cybersecurity and Infrastructure Security Agency (CISA), demonstrate a clear push to remove barriers to sharing threat information and increasing collaboration. National security memorandums, industry-specific directives, and concrete guidance and resources pave the way for greater public-private collaboration to help every organization better protect themselves.
With more than 60% of industrial organizations centralizing OT and IT governance under the CISO, a recommended best practice, enterprises are beginning to do security assessments and more penetration testing of their OT environments. Asset owners and operators are doing security processing on commercial equipment to gain a technical understanding of how software and systems are becoming vulnerable. In their quest for knowledge, the MITRE/ICS framework has quickly become a go-to resource.
With widespread recognition that knowledge is power, limited bug bounty programs are emerging. The Zero Day Initiative (ZDI), the world’s largest vendor-agnostic bug bounty program, has expanded to include OT and interest continues to grow. ZDI’s second ICS-themed Pwn2Own contest is scheduled for 2022 with four categories, including Control Server and Human Machine Interface (HMI).
Much of OT security research remains uncharted territory, but we are gaining ground. More leading vendors that make OT equipment are creating sophisticated internal programs to proactively look for vulnerabilities. In the second half of 2021, we saw a 35% increase in vendors doing internal research and a 76% increase in the number of vulnerabilities disclosed through their programs.
We’re making progress, but there is much more we can do to help research communities proliferate and to derive additional value from their insights. Here are four suggestions:
1. Elevate the profile of OT engineers. OT equipment used to be perceived as static hardware, but now OT is comprised of critical, software-driven systems that must evolve with the XIoT. With that paradigm shift, OT engineers are increasingly recognized as tech-savvy and their understanding of vulnerabilities is essential to strengthening security posture in the age of digital transformation. We must continue to encourage engineers to pursue DevSecOps from the OT side as a lynchpin to securing the industrial economy.
2. Close the bug bounty gap between IT and OT. Vendors should launch additional programs to incentivize more OT research with financial rewards and recognition. Since attacks on critical infrastructure impact livelihoods and lives, the more researchers working with you to combat hackers working against you, the better. Embrace and encourage researchers’ talents and contributions.
3. Partner to break down barriers to access. To enable research, vendors should create initiatives to make their equipment more accessible to researchers. Perhaps an unconventional idea, but vendors that secure OT/ICS assets and environments should forge partnerships to share access to equipment with each other. It’s time for a force multiplier given the vast scope of vulnerabilities and the inherent risk of the XIoT. Sharing access to equipment is a rising tide that lifts all boats.
4. Provide practical guidance. Vendors should not assume disclosure of a vulnerability equals patching. Given patching cycles, the prioritization of uptime, and prevalence of legacy systems, patching may not be viable. We need a different way to look at risk and mitigate it with compensating controls, including better segmentation, secure remote access, and detection tools. After all, the ultimate outcome of a reported vulnerability should be to make the OT environment more secure as quickly as possible.
As critical infrastructure moves to the cloud and the XIoT universe continues to expand, our exposure to risk also expands. OT systems and devices can’t be treated as block boxes anymore. Adversaries don’t see them that way and neither can defenders. We must encourage the growth of research communities to help strengthen industrial cybersecurity, and we need to act fast.
Amir Preminger, VP Research at Claroty, contributed to this article