Does your organization even have a CISO position?
Cybersecurity continues to be an overlooked aspect in organizations—including those owning ICS (Industrial Control System) production facilities. Anyone following the news has most assuredly heard of the plethora of massive data breaches that organizations have endured over the last few years, and yet corporate digital footprints continue to expand without a commensurate concern for the cybersecurity implications.
Data breaches involve loss of control of private information, be it sensitive financial data such as credit card numbers, account credentials (such as passwords and user IDs), or personal information (such as social security numbers).
From a CIA (Confidentiality, Integrity, Availability) cyber perspective, data breaches involve a violation of data confidentiality. ICS and SCADA systems are primarily concerned with availability. Given these differing perspectives, are there any lessons to be learned for the OT personnel tasked with protecting ICS from organization data breaches?
Are your IT and OT groups on speaking terms?
From a cybersecurity perspective, IT (Information Technology) and OT (Operations Technology) personnel in ICS organizations have similar but disparate objectives. IT personnel are to protect all corporate digital assets. With a focus on availability, OT personnel don’t protect data assets in the same manner their IT brethren do. This can lead to some ignorance of the increased risk factors that exist in an organization after a data breach, which on the surface may not appear to be an OT issue.
OT should be cognizant of the ongoing security incident response queue that the Security Operations Center (SOC) personnel are handling in order to assess new potential vulnerabilities. This is particularly important during the forensic analysis after a data breach occurs. Technical arrogance founded in a “not invented here” mentality or an “I know best” approach to security control implementation is not an optimal way to organize a cybersecurity defense. IT and OT personnel should share forensic results to allow an assessment from each perspective on increased risks.
Having an incident response security team that is pollinated with skill sets from both IT and OT backgrounds—and who know the specific configurations of both within an organization—can be invaluable.
Why have cross-discipline teams? Malicious actors who compromise privileged accounts and obtain the credentials of an administrative IT network engineer may be able to make firewall rule changes and open ports for command and control access to remote servers that were previously blocked. This can fundamentally change the existing DMZ protections that provide the “air-gapped” network segmentation for control networks.
Also, software downloads may be enabled where previously denied. Patches or other software modifications may have occurred. In short, a breach of confidential data access can lead to new threat vectors emerging all the way down the line to the physical control devices, such as Programmable Logic Controllers (PLC).
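The preceding two paragraphs describe the kind of change a compromised administrator account can introduce: new allow rules on the boundary between the IT DMZ and the control network. One defensive check that follows from this is to compare the running firewall ruleset against a known-good baseline after any security incident. The following Python is an added example, not code from the article or from any vendor; the rule line format, the zone addresses and the sample rulesets are all constructed for illustration.

```python
"""Added example (not from the article): compare a firewall ruleset against a
saved baseline and surface additions that newly allow traffic into or out of
the control zone. The text rule format, zone addresses and sample rulesets
below are constructed for this illustration, not taken from any deployment."""
from dataclasses import dataclass
from ipaddress import ip_network

# Hypothetical zones for this example (constructed values).
CONTROL_NET = ip_network("10.20.0.0/16")   # PLC / control network zone
DMZ_NET = ip_network("10.10.0.0/24")       # IT/OT DMZ zone


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    dport: int    # destination port; 0 means any port
    proto: str    # "tcp", "udp" or "any"


def load_rules(lines):
    """Parse constructed 'action src dst dport proto' lines into Rule objects,
    skipping blank lines and comments."""
    rules = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, src, dst, dport, proto = line.split()
        rules.append(Rule(action, src, dst, int(dport), proto))
    return rules


def touches_control_zone(rule):
    """True when either endpoint of the rule lies inside the control zone."""
    return (ip_network(rule.src).subnet_of(CONTROL_NET)
            or ip_network(rule.dst).subnet_of(CONTROL_NET))


def detect_drift(baseline, current):
    """Return (added, removed, high_risk): rules present now but not in the
    baseline, rules present in the baseline but now missing, and the subset
    of additions that newly allow traffic touching the control zone."""
    base, cur = set(baseline), set(current)
    added = sorted(cur - base, key=str)
    removed = sorted(base - cur, key=str)
    high_risk = [r for r in added
                 if r.action == "allow" and touches_control_zone(r)]
    return added, removed, high_risk


# Constructed sample: the baseline as approved before the incident.
BASELINE = """
# action src dst dport proto
allow 10.10.0.0/24 10.20.0.0/16 502 tcp
deny  0.0.0.0/0 10.20.0.0/16 0 any
deny  10.20.0.0/16 0.0.0.0/0 0 any
""".splitlines()

# Constructed sample: the ruleset as read back from the device afterwards.
CURRENT = """
allow 10.10.0.0/24 10.20.0.0/16 502 tcp
allow 10.20.0.0/16 0.0.0.0/0 443 tcp
allow 0.0.0.0/0 10.20.5.10/32 3389 tcp
deny  0.0.0.0/0 10.20.0.0/16 0 any
""".splitlines()


if __name__ == "__main__":
    added, removed, high_risk = detect_drift(load_rules(BASELINE),
                                             load_rules(CURRENT))
    for r in removed:
        print("REMOVED  ", r)
    for r in added:
        flag = "HIGH RISK" if r in high_risk else "added    "
        print(flag, r)
```

On the constructed sample the check reports the dropped outbound deny and two new allow rules that both touch the control zone, which is exactly the class of change OT staff would want surfaced from the SOC's incident queue rather than discovered later. Feeding real rulesets in requires an exporter for the firewall in use, which is outside this example.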
Another reason for IT / OT peer communication relates to passwords. Organization passwords in both IT and OT domains are typically stored using the same technologies, making technical details, such as the specific hash function being used, an important decision.
This was a key point after the recent Quora data breach, where user IDs, passwords and other data items were accessed by unauthorized external personnel. Normally the algorithm used to hash passwords would be the last thing to be posted in a news article on a data breach, yet Quora went so far as to confirm on Twitter that they were users of bcrypt—a strong password hashing function meant to protect against rainbow table cyberattacks. Since bcrypt as Quora used it also applies a salt value for each user, recovering passwords from the stolen hashes is prohibitively expensive.
As such, Quora was better able to defend against their critics and demonstrate that they had effective data protections in place: even though password data was exposed, the likelihood of user data compromise was low.
OT personnel need to understand from their IT brethren exactly how they protect passwords and other sensitive data items and ensure their OT networks follow the same procedures.
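The three paragraphs above make two technical claims: that an unsalted hash can be attacked with a precomputed (rainbow) table, and that a per-user salt plus a slow, tunable hash such as bcrypt makes that approach prohibitively expensive. The following Python is an added example, not code from the article or from Quora. bcrypt is not in Python's standard library, so it uses hashlib.pbkdf2_hmac as a stand-in that has the same two properties (random per-user salt, adjustable work factor); the candidate passwords and user records are constructed.

```python
"""Added example (not from the article or from Quora): why a per-user salt and
a slow, tunable hash defeat precomputed lookup tables. bcrypt, the function the
article mentions, is not in the standard library, so hashlib.pbkdf2_hmac is
used here as a stand-in with the same properties (this is an assumption of
the example, not a statement about Quora's implementation)."""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # work factor; raise it as hardware gets faster
SALT_BYTES = 16


def weak_hash(password):
    """Unsalted, single-pass SHA-256. Every user with the same password gets
    the same digest, so one precomputed table cracks all of them at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def precomputed_table(candidates, hash_fn):
    """Build a digest -> password table once; it is reusable against any user
    database that stored passwords with the same unsalted hash_fn."""
    return {hash_fn(p): p for p in candidates}


def lookup(table, digest):
    """Rainbow-table style lookup: constant time per digest, no hashing."""
    return table.get(digest)


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'iterations$salt_hex$digest_hex'. A fresh random salt per user
    means a precomputed table would have to be rebuilt per user, and the
    iteration count makes each rebuild slow."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in
    constant time so the check itself leaks nothing about the digest."""
    iterations, salt_hex, digest_hex = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    salt, int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def table_hits(stored_digests, table):
    """Count how many stored digests a precomputed table recovers."""
    return sum(1 for d in stored_digests if lookup(table, d) is not None)


if __name__ == "__main__":
    # Constructed sample: two users who chose the same weak password.
    users = {"alice": "letmein", "bob": "letmein"}
    candidates = ["password", "letmein", "123456"]   # constructed wordlist

    table = precomputed_table(candidates, weak_hash)
    weak_store = [weak_hash(p) for p in users.values()]
    print("unsalted SHA-256 hits:", table_hits(weak_store, table), "of", len(users))

    salted_store = [hash_password(p) for p in users.values()]
    print("salted PBKDF2 hits:   ", table_hits(salted_store, table), "of", len(users))
    print("alice verifies:", verify_password("letmein", salted_store[0]))
```

The point OT staff should take from IT here is not the specific algorithm but the two properties: a unique salt per stored credential and a cost parameter that can be raised over time. Any credential store on the control network, from historian logins to engineering workstation accounts, should be checked against those two properties rather than assumed to match IT's.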
Companies conduct M&A (Merger and Acquisition) activities on a continual basis. Simple “build or buy” decisions get evaluated using numerous economic factors to drive purchase opportunities, such as filling in product gaps or driving down operational costs. For ICS organizations, each time a new physical plant is purchased and integrated into an existing IT infrastructure, cyber risks emerge.
Many M&A transitions focus on high level strategic analysis, such as SWOT (Strengths, Weaknesses, Opportunities, Threats) to create an integration / transition plan. For instance, an organization may evaluate two different inventory systems and choose one to keep and create a plan to convert the organization onto a common platform.
Cybersecurity may not be top of mind when creating or evaluating an M&A transaction, but it should be a key part of conducting M&A due diligence. One only needs to look at the recent Marriott 500 million record data breach to see how costly it can be not to have a robust and successful cyber vulnerability scan and formal risk assessment conducted. Estimates are premature, but fines and legal liability costs will probably total in the hundreds of millions of dollars, particularly because Europe’s General Data Protection Regulation (GDPR) mandates fines as high as 2% of company revenues.
For ICS organizations, a cyber team with appropriate cyber skills from both the IT and OT business units should participate on transition teams. High visibility transactions merit strong due diligence and cyber aspects should not be overlooked.
Keep in mind…
Typically, criminal activity creates a data breach in the first place. Organizations that use a security breach to discipline cyber teams miss an opportunity to learn from a crisis and build strengthened protections to withstand future attacks and hire the skilled cyber personnel needed in the future, for both IT and OT.