By Andrew Ginter, VP Industrial Security, Waterfall Security Solutions
January 19, 2022
We hosted a (CS)²AI Online™ seminar on January 12, 2022 that focused on (CS)²AI - KPMG Control System Cyber Security Annual Report 2021.
Here is a bit about the event:
This session presents key findings from the (CS)²AI-KPMG 2021 Annual Control System Cyber Security Report.
Each Report is the culmination of a year-long research project led by the Control System Cyber Security Association International and draws on input from our 21,000+ global membership and thousands of others in our extended (CS)2 community. Based in decades of Control System (CS) security survey development, research and analysis led by (CS)2AI Founder and Chairman Derek Harp and Co-Founder and President Bengt Gregory- Brown, and backed with the support and resources of our Global Advisory Board members, the (CS)2AI Fellows, our Strategic Alliance Partners (SAPs), and many other SMEs. . We asked key questions about personal experiences in the front lines of operating, protecting, and defending Operational Technology (OT) systems and assets costing millions to billions in capital outlay, impacting as much or more in ongoing revenues, and affecting the daily lives and business operations of enterprises worldwide. Over five hundred and fifty of them responded to our primary survey and many others participated in numerous secondary data gathering tools which we run periodically.
This pool of data, submitted anonymously to ensure the exclusion of organizational politics and vendor influences, has offered insights into the realities faced by individuals and organizations responsible for CS/OT operations and assets beyond what could fit into this Report. We hope the details we have selected to include serve the decision support need we set out to answer.
Speakers:
Derek Harp: (CS)2AI Founder and Chairman
William Noto: Director OT Product Marketing, Fortinet
Andrew Ginter: VP of Industrial Secyurity, Waterfall Security Solutions
Brad Raiford: Director, Cyber Security, KPMG in US
As always, we encourage our audience to participate throughout the event by contributing feedback and questions for our speakers. We weren't able to answer all of your questions, so we have asked some of our speakers to answer a few of them. Below, are some answers to a few questions posed during the event.
Do you want to have access to more content like this? Register for our next (CS)²AI Online™ seminar or symposium here, or consider becoming a member of (CS)²AI to access our entire library of recorded sessions.
****************
Many questions came in that there was no time to address in the recent CS2AI webinar giving a preview of the annual report / survey results. Here are some questions I would really like to have addressed - all of them in the theme of "looking forward." Ie: what does today's survey (and other context) tell us about the future of industrial security?
Cloud / Internet / Remote Connectivity
First let's look at three closely related questions: (1) What makes the Internet of Things so susceptible to being compromised? (2) How do you see the future of OT security with the emergence of cloud service in ICS and the increase of remote connection due to Covid? (3) Where does the trade-off between conveniece (remote access) and security (protecting the ICS) balance out? Which technologies or products can prevent remote exploits or additional cyber attack vectors?
Well, to start with, all data flows from outside control-critical networks into those networks represent attack vectors. This is because all cyber-sabotage attacks are information, and every information flow can encode attacks. So, when we look at online communications - out to Internet-based remote access laptops, or cloud services, or vendor support websites - when we look at these communications, too many people assume that encryption makes us secure. They think encryption gives us "secure communications."
This is a mistake. In fact, encryption & authentication give us a degree of protection from Man-in-the-Middle (Mim) attacks. Encryption does nothing to protect us from compromised endpoints. If malware has taken over our remote access laptop, or the cloud service that monitors and controls our ICS "edge" devices, or the trusted vendor's website, then encryption buys us nothing. The attack information comes at the ICS targets INSIDE the encrypted connections we have open to the compromised endpoint on the Internet.
To question (1) - attacks inside cloud/Internet connections are the single biggest new cyber-sabotage risk with the IIoT. This is a huge impediment to adoption of cloud services or the IIoT in many enterprises, and indeed in entire industries. To questions (2) and (3), we deal with this new risk by asking the right questions. If we ask the wrong questions and we get meaningless answers. The right questions include:
a) What is the benefit of cloud/Internet/remote connectivity? Almost always, the benefit is increased efficiencies that reduce the cost-per-output of the industrial process, or that reduce the time-to-output and so indirectly reduce the cost-to-output. "Convenience" is never the driver. When was the last time you heard a large industrial enterprise say "our top priority this year is increasing convenience for our employees and contractors"? This doesn't happen. Almost always, the benefit and motive for cloud/Internet/remote connectivity is increased efficiencies / cost reductions.
b) Next question - with the benefits of connectivity clearly established, what are the costs? Cost is tricky. Think about it. Nowadays most industrial sites already have a security program that these new cloud/Internet/remote connections have to fit into. That security program already mitigates certain risks and accepts other risks. The level of residual risk the organization is willing to accept is something the organization has already decided on, and acted on, and deployed security solutions and procedures for. So when we connect to the Internet for cloud / IIoT or remote access services, we have to understand what new risks we add to that residual risk mix. And then we have to ask how much we will have to spend to change our security program to once again reduce all of our risks back to the point we've decided is acceptable.
Cloud/Internet/remote connections increase risks materially. If we are not careful, the cost of reducing total residual risk back to the level we've decided is acceptable can exceed the efficiency benefits we hoped to gain from the new automation and connectivity.
c) The last question we should ask is what alternatives are there to these very expensive new security measures? An alternative that many sites are deploying is unidirectional gateway technology - between edge/ICS systems and cloud/Internet systems. Most of the time, all or nearly all efficiency benefits of cloud/Internet/remote connections comes from data that flows OUT of the control-critical network. A unidirectional gateway supports that flow, and physically prevents any cyber attack from pivoting from the cloud/Internet/remote laptop back into the ICS target.
The bottom line - neither cloud/Internet connectivity, nor remote access, nor convenience are ends unto themselves. Nobody says "the top priority for my large industrial enterprise this year is increased connectivity." Connectivity is a means to an end. The end is efficiency. Modern approaches such as unidirectional gateways give us the benefits of cloud connectivity, without the security risks and the associated costs of material changes to security programs.
Compliance
Another long question had to do with compliance, arguing that compliance limits innovation, and that "by tightening the hands of developers, scientists and engineers, the company is limiting how far they can go and invent or discover new things."
For starters, one point I made in the webinar comes from an upcoming Industrial Security podcast with Suzanne Black of Network Security Technologies. She points out, rightly, that security programs are worthless without compliance. Compliance programs measure whether the business is doing what that business decided had to be done security-wise. If nobody complies with that security program the business so carefully created, then the program is not reducing risks, is it?
When it comes security vs. innovation, I recommend episode #25 of the Industrial Security Podcast. The guest was Kenneth Crowther, a product security leader at GE Global Research. Kenneth fights the security vs innovation fight every day - he works with engineers to embed security capabilities into GE products. His conclusion - you have to be watching what's coming out of these innovators very closely to figure out when is the right time to intervene and start inserting security into their designs. Start too early and yes, you slow innovation. That means your competition comes out with product before you do, and you lose the first-mover advantage. But intervene too late, and it can take enormous time and effort to insert security into a design after the fact, again losing first-mover advantage. So yes, security slows innovation, but lack of security renders great innovations unmarketable. So compliance experts in innovative companies have to walk a fine line.
Security Program Cost
One last question: "Cyber Security Control System Programs can be applied to companies in third world countries, which have critical SCADA systems, but do not have the possibilities of investing a lot of money as countries like the United States or Europe do? Many of the brands related to cybersecurity do not see it profitable to work with several countries, due to the size of their companies. What are your recommendations?"
There are a couple of answers to this question. One is that cybersecurity concerns only arise when industrial operations have been automated with computers - usually to reduce costs. My earlier point applies here - when organizations anywhere in the world deploy automation, no matter how much money they have, they need to look at benefits vs costs. They need to compare the efficiency gains of the automation to the cost of deploying security programs strong enough to keep cybersecurity risks at an acceptable level. If an organization can't afford the security, well, they should reconsider deploying the automation.
That said, though, there is a real lack of advice out there as to how "poor" organizations can secure their systems. To help make progress in this arena, Waterfall Security has volunteered me to work with a government agency right now to put some advice together for small water utilities - ETA for the report is Q3/22. Even in wealthy countries, the smallest water utilities might have less than 5,000 customers, no IT people on staff, and certainly no industrial security people on staff. But - these same utilities constitute critical infrastructures. I mean, if a hacktivist decides to "take revenge" or something on an unsuspecting population, which is a better target for making lots of people sick - a large, well-defended water system, or a couple of tiny, poorly defended ones?
I won’t go into detail, but let me say that the principle of the report and its advice is the same as above. If we want to avoid spending a lot of money on a security program that can maintain residual risks at a level appropriate to critical infrastructures, well then, we must be prepared to give up at least some of the least-valuable benefits of indiscriminate automation its associated connectivity.
Further Reading
That’s probably enough for now. Anyone who would like to follow up with me one-on-one is welcome to connect with me on LinkedIn, or submit a “contact me” request at the Waterfall website. And for more information about Waterfall Security Solutions or Unidirectional Security Gateways, please do visit us at https://waterfall-security.com