By Gregory Hale
Traditionally an IT security conference, Black Hat USA continues to reach out and touch the industrial control system industry.
It only makes sense as the security market has grown throughout the IT industry and it is still a fledgling upstart in the ICS arena. That is all changing as attackers are making inroads in the low hanging fruit of ICS systems, and operators are scrambling to, first, understand the issue, and second, figure out where to start.
In the ICS environment, it is all about understanding what security means and then adapting to and adopting a culture much like the industry did 40 years ago or so when it came to safety.
“It is all about changing cultures,” said Eddie Habibi, founder and chief executive at PAS, who attended Black Hat USA 2017 in Las Vegas, NV, for the first time this year and sat down for a few moments to share his thoughts on the evolving ICS security movement. Along those lines, PAS is making a big push in the ICS security environment and he saw in person, what he already knew: OT security is on the precipice of taking off.
Security, Habibi said, needs to model much of what safety has brought to the industry.
“You go into a plant today and they say they have had zero incidents in x amount of days,” he said. “When we see that related to cyber, then we have made it. We need to leverage the experiences from safety.”
Yes, technology and processes are vital for manufacturing automation companies, but Habibi feels security, like safety, is a human challenge.
“At the end of the day, there is no incident that is not a human error,” he said. “Safety incidents are human error of commission or omission. Security is the same thing.”
That all comes from the manufacturer understanding what inventory they have and just what is on their system.
Habibi said it is amazing to find users don’t even come close to having a grasp on what they have.
He mentioned a CISO at a refining company saying he felt they had about 500 end points, but after further investigation, it turned out they found 26,000.
‘Know What You Have’
“The first rule of cybersecurity is to know what you have,” he said. “If I don’t learn my end points, I can’t secure them. We are trying to create awareness on inventory. You can’t be aware of 99 percent of what you have, you need to know it all.”
Whenever you talk about security, the idea of cost always comes into play.
Security is thought of as an insurance policy – and a cost – but not as a business enabler that allows companies to stay up and running producing more product.
Right now, the industry is a cost-focused culture that ends up being short sighted and misguided.
“We need to learn the lessons from safety,” he said. “For the past 40 years, it has been a culture that creates awareness and makes (safety) a priority.”
One way to create, and force, a secure environment is to create regulations forcing companies to have a baseline. Habibi, though, does not think that is the way to go.
“We need to develop best practices,” he said. “We don’t need more regulations, we just need best practices. Regulations help provide an incentive for laggards to make security a priority. However, it is not something industry leaders need to do the right thing.”