By Nate Kube
It’s becoming very important for those needing to protect refineries, power grids, healthcare institutions, traffic systems and other solutions that are run by automated controls to use specialized security researchers to perform site assessments and, later, certifications.
After all, you wouldn’t take your automobile into a lawnmower repair shop to get fixed.
The only thing lawnmower and car repair people have in common is they both work with machines that have motors and wheels. However, those motors and wheels work in very different environments.
Likewise, those needing to protect critical infrastructures using OT (operational technology) cannot rely on IT security specialists. Both technologies use computers but also work in very different environments.
Just as you would not ask the plant manager to fix the flaw in your Windows system, you can’t expect the IT director to have all the answers to protecting your OT system. IT specialists strive to protect data; OT environments work to keep machines producing. Therefore, the byproducts of IT versus OT attacks are also different.
During the 2015 RSA security conference, Wurldtech’s Frank Marcus, director of technology, led a peer discussion that underscored the heightened profile of cyber security in the age of the Industrial Internet. Addressing the audience of global critical infrastructure experts, Marcus spoke about the evolution of threats against critical infrastructure. While enterprise cyber attacks may grab bigger headlines, cyber attacks on physical infrastructures can have greater consequences, including environmental damage and threats to human safety.
Protecting against these types of attacks is not the focus of IT departments. While the primary goal in IT is to protect data, OT security strives to keep processes running. Whether the threats come from outside, like hackers or state-sponsored actors, or from inside, like human error, unplanned downtime is simply not acceptable in an environment where companies are operating drills, electric grids, MRIs or locomotives. This is especially true for industries such as oil and gas, energy producers, health facilities and transportation systems, in which even a couple of minutes of downtime can yield tens of thousands of dollars lost.
Developing OT Specialists
In the real world, Wurldtech began with “white hat” hackers who recognized there is an incredible amount of risk in our critical infrastructure. Our hackers tested all the possible ways these machine-to-machine networks could be infiltrated to identify where vulnerabilities exist and determine how to protect against them.
Once we had enough data, we were able to create a comprehensive cyber security solution to help provide protection for critical infrastructure against the persistent and dynamic cyber threats that challenge production environments, transportation systems and healthcare operations. If a system is successfully hacked, it is possible to help stop that attack from getting to the Internal Internet where it can wreak havoc on the factory, grid or drilling station.
Once the solution is installed, you need a security and quality testing service that simulates attackers challenging your own system, allowing you to “know yourself” by making sure that you are controlling who is talking to whom.
Also, be sure to ask the manufacturers of your mission-critical devices if they have been tested to repel cyber attacks. Have they had their products monitored against both network and operational parameters, allowing vulnerabilities to be discovered and faults to be reproduced, isolated, identified and resolved before these products were introduced to the market? Are they certified to be secure?
In addition, management needs assurance that the security experts they hire are not only highly certified and trained to carefully assess, design and implement OT security but can do so in their industry environments. For instance, oil management needs to ensure that the security experts they hire are certified in HUET/BOSIET, RigPass and TWIC, and trained to carefully assess, design and implement OT security in offshore and onshore environments.
If your goal is to help secure operational assets, reduce compliance penalties and enforce supplier security, you need such specialized expertise.
Nate Kube founded Wurldtech Security Technologies in 2006 and as the company’s Chief Technology Officer is responsible for strategic alliances, technology and thought leadership. Kube has created an extensive Intellectual Property portfolio and has filed numerous authored patents in formal test methods and critical systems protection. Wurldtech is an independent subsidiary of GE, which acquired the company in 2014.