Bringing IT and OT together to protect Critical Infrastructure
While there’s no silver bullet, there are many tools, supporting guidance, and policy documents available to the community. The underlying technologies, threats and risks are homogenizing across IT and OT, so now is the time for all security professionals to work together.
I recently had the privilege of speaking at ICS Village’s Hack the Capitol event about cybersecurity challenges in the Critical Infrastructure space. Several common themes emerged throughout the day: it’s getting difficult to identify the so-called “industrial control system,” the global threat presence is rising quickly, and the Critical Infrastructure community is still focused on reactive – instead of proactive – measures. The discussions covered both technology and policy topics. While many policies in this space have been updated recently, they still address only the fundamentals of cybersecurity and are limited when it comes to emerging threats, technology, and staying relevant in the future. Several speakers noted that while this is a problem, many system owners in this community still struggle with just the basics. While the split between Information Technology (IT) and Operation Technology (OT) still exists, several organizations are undertaking cross-training between those formerly separated groups. The same challenges of time, budget and prioritization still force cyber to take a backseat to reliability and cost as they do across other industries.
My talk focused on using established technology frequently employed by the U.S. Government – especially the Department of Defense and the Intelligence Community – for high risk / high threat network connections – called cross domain solutions. While OT operators understandably question the resiliency of typical IT systems, the Government’s cross domain solutions are deployed, quite literally, in life-or-death situations. Folks that build military and intelligence systems have a deep appreciation for availability and reliability when lives are on the line. Whereas traditional network security devices look for “known bad” or “suspected bad” traffic, a cross domain solution ensures that only “known good” traffic – down to the bit level within each packet -- is permitted. This eliminates a wide swath of attack vectors. Instead of the attacker only needing to find one issue anywhere in your system, they now need to know precisely how your system works and then manage to execute an attack while playing within the rules. This type of device, while more complicated than a typical firewall or intrusion prevention system, gives much higher confidence that only the right activities are occurring on the network. While a cross domain solution is very robust, it does require the system owner to know precisely how their systems are constructed and how they operate. This can require a longer integration and transition time and requires support from the owner’s vendors. Once deployed, these devices stop both known and unknown attacks and frequently run untended.
The recurring theme at Hack the Capitol was that the time to simply be aware of the threats is up. The threats are still growing. Systems are getting more complicated and more connected. Corrective actions must be taken to improve the cyber robustness of the entire community. While there’s no silver bullet, there are many tools, supporting guidance, and policy documents available to the community. The underlying technologies, threats and risks are homogenizing across IT and OT, so now is the time for all security professionals to work together. IT teams can learn how to construct and operate truly critical systems and OT teams can learn how the changing cyber landscape effects their environments.