By Gregory Hale
A cyberattack can break out at a moment’s notice and understanding what devices a manufacturer has working on the network and knowing the configurations is possible today, but the next step is to take that knowledge and move toward prevention.
“We live in a digital world, but this world is not secure anymore,” said Stefan Woronka, director of industrial security services at Siemens, during a roundtable discussion at the Siemens Automation Summit 2019 in Aurora, CO, last week. “People will only rely on (digital) if the data and the networks are secure. We already see billions of interconnected devices on networks whether on the Internet or within a company. That means we are open to increased threats like Wannacry and notpetya.”
Woronka sat down with Chris DaCosta, global operations cyber security manager at Air Products and Chemicals, Jamison Utter, senior manager business development – IoT at Palo Alto Networks, and Katherine Brocklehurst, senior director, global strategic partner marketing at Claroty, to discuss a wide range of cybersecurity topics facing the industry.
One emerging topic in the industry is anomaly detection where passive monitoring solutions are gaining more traction. One common theme of all the passive monitoring is they document things after they happen. But one question remains is are companies adopting the technology in proper fashion or are they bolting it on.
“The bolt on problem is a big one,” Brocklehurst said. “Siemens is trying not to do a bolt on style. But what we see is people are trying to force-fit IT scanning tools in the operational environment.”
In another question, Woronka asked most attacks could have been prevented, but is the industry using proper cyber hygiene?
“I would say we can’t speak about Wannacry without talking about patching – and patching in the OT environment is a big issue,” DaCosta said. “The good thing is there are tools out there in the market that can help that issue. A lot of people do not take it seriously. About 80 percent of systems are unpatched. We have to change our attitudes about cyber hygiene and patching is imperative. We have seen over the past two years a number of Zero Days have become available. We patched for the BlueKeep. (BlueKeep exists within the Remote Desktop Protocol (RDP) used by the Microsoft Windows OSs. An attacker can exploit this vulnerability to perform remote code execution on an unprotected system. Microsoft issued a patch for the various OSs, but the questions remains if anyone is patching.) We have a lot of obsolete systems out there. You have to look at other technologies like whitelisting. We know because we are in the OT environment we are being targeted. We have to consider well-funded attackers to create an issue at our facilities. We have to go beyond hygiene and use tools to pick up things beyond antivirus.”
Discovering what assets a manufacturer has on site is becoming an eye opening experience.
“When we look at asset inventory we have to look at what we are getting out of it,” Utter said. “Think of it as contextual asset inventory. It just does not just tell me what I have, but I need a context of what the device is and what it is talking to. Understand what the digital identity is.”
“I do believe one of the challenges asset owners have is understanding what they have,” DaCosta said. “I think almost all of us that have that issue understand what we have and how to protect it. We need to understand the inventory. Anomaly detection tools give you what is what you have and understand the context information you have and give you a baseline to understand when changes are being made in the system you understand what is happening.”
In addition to asset discovery, threat detection plays a vital role.
“Anomaly detection has to do with behavioral, things out of the norm and not a part of the normal operation. You guys know your system and have an expectation on how things are supposed to run. You have to have an assessment capability, securing remote access, vulnerabilities and misconfigurations, where they were able to catch misconfigurations,” Brocklehurst said.
The technology now allows for greater understanding of assets and detection, but how does that lead to prevention?
“If we take this valuable vision and understand the context and turn it into policy that is prevention based,” Utter said. “Use detection to tighten the screw to prevention. I will stop the stuff that is hygiene-related to use anomaly detection to find the really hard stuff that is well beyond standard hygiene.”
Detection is the next logical step, but what are some future thoughts for OT security?
“Security automation. You are living process automation, which would mean OT people and IT people working to approve automatic changes to things like firewalls,” Brocklehurst said.
“Asset owners need a way to tell gaps in their architecture and being able to respond to threats in the environment,” DaCosta said. “The threat environment continues to change and when you become a target it becomes a different story. Having automated tools would be helpful and of interest.”
“I believe around OT and IT we are approaching the problem as an IT problem,” Utter said. “Reality-based thinking says patch. Some items will never be patched. How do we build a structure that does not need patching. Something where the network can patch the problem. How do we take this thinking and build security around a structure that fits the real world and not the academic world.”
In response to the no patching issue that led DaCosta to talk about liability.
“The reality is liability,” he said. “If something was to happen at your facility and if you are not compliant to some of the standards, you are liable and patching is one of the compliance issues to show you are doing something. I subscribe to the layers of protection approach. We are always playing catch up to the bad guys and we have to plan for the worst case.”
What to Look For
In looking at some key tips to provide organizations when it comes to cybersecurity, the panelist mentioned a few key takeaways.
“Unless there is management interest and support, then you are going to face a headwind,” Brocklehurst said. “Look for management support for doing some changes in operations. If there is some budget and appetite, do an assessment on what you have.”
“Exercise basic cyber hygiene, but remember that doesn’t protect you against well-funded attackers,” DaCosta said. “You do need to look at tools that give you better visibility. I have to assume we are a target and I have to assume we will be collateral damage if we are not a target.”
“We need the vision and take it to the C-Suite and show them,” Utter said. “Have a plan and build that vision support. This is about business continuity and the stakes are really high and really true. Automation is an eco-system of tools. Here is where we are and here is where will want to be. Allow the tools work together in the end to get to the vision.”
DaCosta summed up the session by talking about an important part of the security experience.
“I don’t think you can be successful in the cyber security journey without talking about (people) resources,” he said. “A lot of times we get fixated on devices and tools, you really need to be doing training, awareness and risk assessments.”