By Katherine Brocklehurst
What do the movies “Groundhog Day” and “Independence Day” have in common, and what can we learn from them related to cyber defense?
Well, if you weren’t able to attend the annual RSA Conference back in February, cyber defense expert Tony Sager explained it all at the Tripwire booth.
Let’s start first with “who is Tony Sager?” That’s a fair question as many of you may be unfamiliar with Tony’s decades of work in cyber defense with the U.S. National Security Agency (NSA), the SANS Institute, and now as senior vice president and chief evangelist for CIS (formerly the Center for Internet Security).
Googling Tony won’t do his contributions to the field of cyber security justice – nor will this link at CIS on his background. However, in his talk at RSA he masterfully distilled all his years of experience into just a few key points of guidance.
According to Tony, cyber security is more like the movie “Groundhog Day” than “Independence Day.”
Flaws Need Fixing
This statement could not be more true when we consider defending industrial networks, endpoints and control systems against malicious insiders, employee error or outside adversaries.
Just because a flaw is announced doesn’t mean there is a fix available.
• Operations teams must typically prioritize production and availability over security concerns.
• Production and supply chain integrations are often reliant upon specific versions of hardware, firmware and software, so any change could cause disruption.
• Operations teams are unwilling to introduce the risks inherent in changing anything already working and in production.
• Some systems do not have adequate test environments to validate before moving to production.
Bad Guys Follow Basics
Tony always reminds audiences that adversaries are not all-powerful, big forces with magic up their sleeve. Instead, adversaries follow many basic practices used in business today.
He illustrated this using a “cyber” OODA Loop (Observation, Orientation, Decision, Action), a military strategy and combat process method developed by U.S. Air Force Colonel John Boyd.
This strategy is now widely used in other fields to understand commercial operations and learning processes. It demonstrates how adversaries pursue their targets and learn about defenses in place using the OODA Loop process – there’s no magic.
However, Tony took the illustration further with his “Duelin’ OODAs” because defenders and adversaries are in constant engagement – each applying the OODA loop to the other to gain advantage, increase agility, and more rapidly take informed action. His ultimate point on this? The adversary’s loop is the defender’s opportunity, which leads into his next point.
You’ve no doubt heard of the Pareto Principle, more commonly known as the 80/20 rule. When applied to cyber defense, Tony showed there are a large, but limited, number of defensive choices available and defenders will commonly gain 80 percent of the results needed with 20 percent effort.
In his own experience, the tasks associated with that 20 percent are largely foundational security controls. For industrial and critical infrastructure settings, this can help teams simplify, prioritize and focus on the 20 percent that gets them the 80 percent security results they require and yet, at the same time, they can maintain operational requirements for availability, reliability and safety.
For Tony, the idea of “Cyber Security – The Movie” might have been inspired by the recent Academy Awards. His perspective was cyber security is much more like “Groundhog Day” than “Independence Day.” If you haven’t seen these movies, then let me put it into cyber security parlance.
“Independence Day” – Industrial organizations are threatened by an apocalyptic cyber invasion and one man, Will Smith (an ICS engineer), stands alone against the complete annihilation of the production networks, endpoints and control systems. Unlike the real movie, he fails due to his flat network, unauthenticated and unmanaged privileged access, direct connections to ICS from the internet, and undetected intrusion to Level 2 assets. The invaders gain command and control and manipulate physical I/O within his environment, causing catastrophic disruption, harm to human life and complete system failure. Unfortunately, Will was in charge of a power generation plant and its transmission substations, which the invaders were able to use to cause a cascading power failure, ultimately resulting in world crisis and destruction.
“Groundhog Day” – Industrial organizations are doomed to continuously repeat the same day. The movie’s hero, Bill Murray (an arrogant, but talented Operations Design Architect) is given a rare opportunity as he relives the same day over and over.
He can either repeat his organization’s cyber security vulnerabilities and weaknesses as each day predictably unfolds, or use each day to gradually improve security within his industrial networks, endpoints and control systems using foundational security controls. In the end, Bill’s character triumphs through:
• Segmenting his industrial network following ISA/IEC-62443 standards (formerly ISA-99)
• Creating and maintaining an asset inventory of all endpoints in his operations environment
• Establishing process and technologies to monitor and manage change in the environment, including hardware, firmware, software and logic updates to PLC, RTU, IED, DCS, HMI, operator consoles, etc.
• Controlling use of administrative privilege
• Monitoring, controlling and limiting Internet ingress and egress to his network, endpoints and control systems including network ports, services (such as remote access) and protocols in use
• Installing boundary defense, including segmentation, using advanced and next generation firewalls and intrusion prevention systems
• Establishing an incident response mechanism for rapid detection of threats and intrusions to his operations environment
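Three of the controls above (an asset inventory, monitoring change to firmware and logic, and limiting the services in use) reduce in practice to comparing today's snapshot of the operations environment against an approved baseline. The script below is an added illustration of that comparison; it is not code from the article, from Tony Sager or CIS, or from Tripwire or Belden. The inventory export format, the field names, the expected-service allow-list, and every asset, IP address, hash and service in it are constructed assumptions for the example.

```python
"""Baseline-and-drift check over an ICS asset inventory.

Added illustration for this article; not code from Tony Sager, CIS, Tripwire
or Belden. The inventory export format, field names and every asset, hash
and service below are constructed assumptions for the example.
"""
import hashlib
import json

# Fields whose change should be reviewed (firmware/logic updates, new services, moves between zones).
TRACKED_FIELDS = ("type", "zone", "ip", "firmware", "logic_sha256", "services")

# Constructed: services each device type is expected to expose; anything else is reviewed.
EXPECTED_SERVICES = {
    "PLC": {"modbus/502"},
    "RTU": {"dnp3/20000"},
    "HMI": {"vnc/5900"},
}

# Constructed baseline snapshot taken when the environment was last validated.
BASELINE_INVENTORY = [
    {"asset_id": "PLC-01", "type": "PLC", "zone": "Level 1", "ip": "10.10.1.11",
     "firmware": "2.4.1", "logic_sha256": "a1" * 32, "services": ["modbus/502"]},
    {"asset_id": "HMI-01", "type": "HMI", "zone": "Level 2", "ip": "10.10.2.21",
     "firmware": "5.0.3", "logic_sha256": "b2" * 32, "services": ["vnc/5900"]},
    {"asset_id": "RTU-07", "type": "RTU", "zone": "Level 1", "ip": "10.10.1.47",
     "firmware": "1.9.0", "logic_sha256": "c3" * 32, "services": ["dnp3/20000"]},
]

# Constructed snapshot from a later day: PLC logic was rewritten, the HMI grew a
# remote-access service, an unknown laptop appeared and the RTU is no longer seen.
CURRENT_INVENTORY = [
    {"asset_id": "PLC-01", "type": "PLC", "zone": "Level 1", "ip": "10.10.1.11",
     "firmware": "2.4.1", "logic_sha256": "d4" * 32, "services": ["modbus/502"]},
    {"asset_id": "HMI-01", "type": "HMI", "zone": "Level 2", "ip": "10.10.2.21",
     "firmware": "5.0.3", "logic_sha256": "b2" * 32, "services": ["vnc/5900", "rdp/3389"]},
    {"asset_id": "ENG-LAPTOP-9", "type": "Workstation", "zone": "Level 2", "ip": "10.10.2.99",
     "firmware": "n/a", "logic_sha256": "", "services": ["smb/445"]},
]


def fingerprint(asset):
    """Stable SHA-256 over the tracked fields, so two snapshots compare by content."""
    canonical = json.dumps({k: asset.get(k) for k in TRACKED_FIELDS}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def build_baseline(inventory):
    """Index a snapshot by asset_id; this is the approved state later snapshots are judged against."""
    return {asset["asset_id"]: asset for asset in inventory}


def detect_drift(baseline, inventory):
    """Report assets that appeared, disappeared, or changed in any tracked field."""
    current = build_baseline(inventory)
    report = {"new": [], "missing": [], "changed": {}}
    for asset_id, asset in current.items():
        if asset_id not in baseline:
            report["new"].append(asset_id)
        elif fingerprint(asset) != fingerprint(baseline[asset_id]):
            report["changed"][asset_id] = [
                f for f in TRACKED_FIELDS if asset.get(f) != baseline[asset_id].get(f)
            ]
    report["missing"] = [asset_id for asset_id in baseline if asset_id not in current]
    return report


def unexpected_services(inventory):
    """List (asset_id, service) pairs outside the allow-list for that device type.

    Unknown device types have no allow-list, so every service they expose is reported.
    """
    findings = []
    for asset in inventory:
        allowed = EXPECTED_SERVICES.get(asset["type"], set())
        for service in asset["services"]:
            if service not in allowed:
                findings.append((asset["asset_id"], service))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_INVENTORY)
    print(json.dumps(detect_drift(baseline, CURRENT_INVENTORY), indent=2))
    for asset_id, service in unexpected_services(CURRENT_INVENTORY):
        print(f"review: {asset_id} exposes {service}")
```

Run as a script, it reports the rewritten PLC logic and the HMI's added service as changes, the laptop as a new asset, the RTU as missing, and the RDP and SMB services as outside the allow-list. The point of the design is that the baseline, not a signature feed, defines "normal": each of those findings is either an approved change to be folded into the next baseline or an event for the incident response mechanism, which is the day-by-day improvement loop the list above describes.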
Katherine Brocklehurst is with Belden’s Industrial IT group. Her area of responsibility covers industrial networking equipment and cyber security products across four product lines and multiple market segments. She has 20 years of experience in network security, most recently with Tripwire.