With this year’s RSA Conference almost upon us, it might be helpful to take a look at how critical infrastructure is playing out this year. While we’ve seen a few cyber attacks in the news targeting critical infrastructure, things have been quiet for the past year. In some ways, we’re starting to see the market mature beyond answering the mail for North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards and other compliance requirements. Some organizations are looking to protect their operational technology (OT) with some of the same cutting edge solutions that the enterprise side is adopting. The reasons are many, but they include the fact that much of OT is IT, with some of the same routers, switches, and endpoint operating systems that are used in the enterprise, only with different missions and requirements in mind. It’s true that the growing Internet of Things (IoT) explosion has brought more embedded systems to the OT side. But they often use the same protocols and are built with a robustness not seen in earlier eras. Additionally, the cybersecurity industry is in the midst of an analytics craze, with machine learning and anomaly detection showing great promise. The beauty of many of these tools is that they can operate passively, notifying operators or security teams of suspicious activity with much greater fidelity. Consequently, process control networks can confidently deploy these solutions without fear of interfering with operations.
All that portends somewhat of an IT/OT convergence, that elusive scenario we’ve been hearing about for the past decade or more. However, convergence doesn’t mean a physical or even virtual convergence of the networks. Far from it. In fact, technologies like Software Defined Networking (SDN), logical network segmentation, and unidirectional gateways mean more isolation, not less. But it’s a more cost effective isolation that emphasizes the virtual over the physical. Nonetheless, the use of separate devices for OT and IT will continue, but with more virtual air gaps rather than physical ones between them. Unidirectional gateways and logical network segmentation can accomplish most of the benefits of physical air gaps without the visibility or productivity losses that usually result from physical gaps. Additionally, we won’t be seeing much convergence of the IT and OT personnel. They’ll continue doing their separate jobs. However, IT will increasingly serve as the aggregation point for all threat and security event data for both IT and OT. It makes little sense for OT to run its own Security Information and Event Management (SIEM) system. The Security Operations Center (SOC), normally housed as part of IT or as an outsourced managed security service, will play that role. But it will be a role that needs to understand OT and what constitutes suspicious activity. The OT specific sensors and security analytics engines will help, but SOC personnel really need to understand set points, tolerance levels, and other OT metrics.
So what does this mean for your RSA trip if your company is in the critical infrastructure business? While our government has taken to calling everything critical infrastructure, for these purposes let’s focus on the following: oil/gas, utilities, manufacturing, transportation (mainly various forms of rail and increasingly aviation), building management, mining, healthcare and other industries that make heavy use of industrial control systems (ICS). I realize that warehouses, retail, hospitality, and many other industries use some variation of embedded systems that might be called industrial control systems. But that’s a discussion for another day. So for those in the industries I’ve noted, it seems clear that the need for better cybersecurity translates into better visibility, better analytics to detect suspicious or anomalous activities, better asset and configuration management, more effective and productive process isolation, and a more knowledgeable security operations team to ferret out the false positives and determine the appropriate action when suspicious activity is discovered.
I had hoped to offer some pointers to which vendors to see on the exhibit floor in each category. But it appears many of the leading vendors in these categories focused on the OT market have chosen not to exhibit although their representatives will likely be at the conference. Consequently, I’ll forgo recommendations for exhibitors to see as it would be very misleading. Instead, I recommend asking the vendors at the show in these categories to tell you how they can serve the OT market.
Visibility and Analytics
While potentially different markets, visibility and analytics are usually two sides of the same coin. One can’t do any analytics without an ability to see and collect the data first. And visibility means little if you don’t do anything with the data. A smart analyst with a copy of Wireshark doesn’t scale too well. This category is sometimes referred to as Network Analysis and Visibility. However, that category includes a variety of tools with varying levels of intelligence. For purposes of this discussion, I’m leaving out the endpoint detection and response (EDR) tools that are incredibly valuable on the enterprise side and will likely become mandatory for most enterprise environments. However, adding agents to industrial control systems is not an easy task with unsupported embedded systems and the potential for performance impacts on supported systems. That’s something that should be investigated but with great care. Consequently, passive collection and reporting on the network is the preferred method for most OT environments.
Asset and Configuration Management
This category has been particularly popular with those seeking compliance with NERC CIP, which requires detailed inventories and change histories designed to detect unauthorized changes. It sometimes includes the newer batch of products offered under the file integrity management category. Unfortunately, the larger market has not always viewed these technologies as a priority, partly because it may involve a higher amount of labor to maintain the system and sort through false positives. It is also viewed as a foundational or hygiene element that is not as sexy as machine learning technology that purportedly detects advanced threats with a high fidelity rate. However, the reality may prove otherwise.
Logical Network Segmentation
For years, we heard about the need to physically separate OT from IT. However, that had some drawbacks. It meant that removable media and physical proximity were required to extract data from OT systems. For engineers and cloud applications that were performing real-time analytics on the data, that was a problem. After all, the biggest risk for OT was not exfiltration of the data, as most of it was not particularly sensitive from a confidentiality perspective. Instead, it was the risk of modifying the data on OT systems or taking control of them. That is where logical network segmentation can help. In the more extreme case, unidirectional gateways, which enforce a physical one-way separation (i.e., data can come out but can’t go in), offered a solution for those who just needed real-time data streams. And for those who need two-way functionality, a modern version of the old jump server technology is now available. These offer a customized and highly granular view of the devices and functions available to a user wanting to access OT and other segmented networks. They also offer more rigorous authentication options and extensive monitoring.
Security Operations Expertise for Operational Technology
As I noted above, a key part of protecting OT environments is having cybersecurity professionals who understand them. It’s particularly critical for those in security operations who have to respond to issues in seconds. That means having analysts who understand the implications of a security breach on industrial control systems and the acceptable kinds of responses. A device that controls the flow of electricity or operates a key safety system can’t be shut down or disconnected from the network on a moment’s notice. And just throwing suspicious events over to a control engineer who understands OT systems but doesn’t understand cybersecurity isn’t any better. Whether one is hiring for permanent staff, using a managed security services provider, or some combination, the goal should be people with domain and cybersecurity depth. One doesn’t need a decade of experience in each, but a willingness to learn is key. But you only get that talent by asking for it.
Critical Infrastructure Sessions at RSA
While there is not a dedicated critical infrastructure track at the RSA Conference, there is plenty of content available. Here are some sessions I encourage folks to attend.
The Sandbox – While there are actually three sandboxes, two of them, the ICS Sandbox and IoT Sandbox, specifically focus on critical infrastructure or, more broadly, cyber-physical systems. There are some great talks here, so check them out.
Regulating the Internet of Things (Bruce Schneier - February 14, 2017 | 1:15 pm - 2:00 pm | Marriott Marquis | Yerba Buena 5) – You can’t do much better in kicking off the track sessions with another thought provoking talk by cybersecurity legend Bruce Schneier.
IoT and SCADA: Lessons Learned and Case Studies (Lawrence Dietz - February 14, 2017 | 1:15 pm - 2:00 pm | Marriott Marquis | Nob Hill C) – RSA isn’t just for listening. Join this Peer to Peer session and contribute your own thoughts.
IoT Ecosystems: An Adversary’s Perspective (Anthony Gambacorta - February 14, 2017 | 2:30 pm - 3:15 pm | Moscone West | 2002) – What are IoT attackers really interested in? Find out at this session.
The Future of Ransomware on the Internet of Things (Panel - February 14, 2017 | 3:45 pm - 4:30 pm | Moscone West | 2002) – It’s only beginning, but the implications are not pleasant. Find out what we can do to solve this challenging problem. I’ll be serving on this panel and look forward to a lively discussion.
Global Approaches to Protecting Critical National Infrastructure (Panel - February 14, 2017 | 3:45 pm - 4:30 pm | Moscone West | 2004) – Critical infrastructure protection is not an isolated activity. It requires collaboration with industry and government world-wide. Find out how different countries approach this challenge.
Best Practices: Securing Industrial Networks (Mille Gandelsman - February 15, 2017 | 7:00 am - 7:45 am | Moscone West | 2009 Table D) – While it’s early, it’s the perfect opportunity to network and learn from others at this Birds of a Feather gathering.
IoT Evidence Analysis and Preservation in Investigations and Litigation (Erik Laykin - February 15, 2017 | 8:00 am - 8:45 am | Marriott Marquis | Yerba Buena 13) – Protecting the Internet of Things is challenging enough, but how about making a case against an attacker? Find out what to do.
Internet of Insecurity: Can Industry Solve It or Is Regulation Required? (Panel - February 15, 2017 | 8:00 am - 8:45 am | Moscone North | 130) – Bruce Schneier is back for an encore. Look for some differing points of view on a very challenging question.
Practical Insights in Protecting ICS Networks from Cyberthreats (Ola Lawal - February 15, 2017 | 10:30 am - 11:15 am | Marriott Marquis | Nob Hill B) – Peer to Peer sessions like this offer the kinds of diverse insights that often are missed in the single speaker and panel sessions. Hearing from those in the trenches teaches us a ton.
Securing IoT: Tech’s Latest Wild West (David Levine - February 15, 2017 | 11:45 am - 12:30 pm | Marriott Marquis | Nob Hill D) – These Peer to Peers fill up fast. Check this one out if you can.
Mirai and IoT Botnet Analysis (Robert Graham - February 15, 2017 | 1:30 pm - 2:15 pm | Moscone South | 308) – Mirai proved to be a bit of a watershed in our understanding of the threats that IoT poses. Listen to how it all happened and what to worry about next.
The Cyber-Circus: What the Rise of Hacking Everyday Things Means for All of Us (Keren Elazari - February 15, 2017 | 2:45 pm - 3:30 pm | Marriott Marquis | Yerba Buena 5) – Remember when hacking was just online? We’ve certainly got a lot more to worry about now.
Eggs and Beacon—Scrambling IoT Beacon Indoor Proximity Systems (Trevor Horwitz/Mike Kerem - February 15, 2017 | 2:45 pm - 3:30 pm | Moscone West | 2002) – A great opportunity to dive into a specific IoT technology. Is this Big Brother or just consumer convenience?
Securing the North American Electric Grid (Marcus Sachs - February 16, 2017 | 8:00 am - 8:45 am | Moscone South | 302) – Hear from the head of security for the North American Electric Reliability Corporation (NERC) on how the most critical of critical infrastructure is being secured.
MEDJACK.3: New Research on Attacks on Hospital Medical Devices (Anthony James - February 16, 2017 | 8:00 am - 8:45 am | Moscone South | 308) – While still in their infancy, attacks on medical devices are clearly on the roadmap. Learn more about one particular kind of attack.
Meaningful Use or Meltdown: Is Your Electronic Health Record System Secure? (Gib Sorebo - February 16, 2017 | 9:15 am - 10:00 am | Moscone West | 3014) – This is the one session you must see. Well okay, it’s mine, so I’m biased. If you’ve ever wondered whether all that information you gave to your doctor is secure, check out this session.
IoT and Data’s Perilous Journey (Greg Hoffer - February 16, 2017 | 1:30 pm - 2:15 pm | Moscone West | 2002) – You thought the Internet was a confusing place. Try tracking your data with the Internet of Things.
Securing Medical Devices Using Adaptive Testing Methodologies (Daniel Miessler - February 16, 2017 | 1:30 pm - 2:15 pm | Moscone West | 2005) – Medical devices vary quite a bit, but they have a unique function. Find out more about how to test them.
Securing the Things with Internet: Law and Technical Issues for IoT (Panel - February 16, 2017 | 1:30 pm - 2:15 pm | Marriott Marquis | Yerba Buena 13) – Watch this all-star panel tackle the policy, technical and legal aspects of the Internet of Things.
Navigating Cybersecurity in the Connected-Car Revolution (Panel - February 17, 2017 | 9:00 am - 9:45 am | Moscone West | 2004) – The car is quickly becoming the quintessential IoT device. Are we ready for that to happen?
Cyber/Physical Security and the IoT: National Security Considerations (Panel - February 17, 2017 | 10:15 am - 11:00 am | Moscone West | 2004) – When you’re trying to protect a whole country from IoT attacks, the challenges get bigger. Hear from experts in national security.
IoT End of Days (Charles Henderson - February 17, 2017 | 10:15 am - 11:00 am | Moscone West | 2002) – How do we secure IoT in such a market-driven frenzy? Find out from this industry expert.
Life and Death: Security Considerations for Safety-Critical Industries (Panel - February 17, 2017 | 11:30 am - 12:15 pm | Marriott Marquis | Yerba Buena 5) – Finish off your RSA track sessions with a reminder of just what’s at stake for cybersecurity. People’s lives may be in the balance.