5 Critical Controls for ICS and OT Cybersecurity Strategy
Dragos CEO Robert Lee on Why Vulnerability Patching Is Important in IT But Not OT
IT and OT security are far more different than most in the industry realize. IT focuses on digital systems and data, and OT concerns itself more with physical systems and their interconnectivity, said Dragos Co-Founder and CEO and SANS Senior Instructor Robert Lee.
The stark differences between IT and OT security are laid bare when it comes to vulnerability patching, which Lee said is a crucial aspect of IT security but far less important in OT. In fact, Lee said just 2% of vulnerabilities in OT actually pose a significant threat. As a result, he said, security controls in OT must be adapted to the specific context of each system and its potential risks (see: Dragos CEO on Opening Execs' Eyes to OT Security Threats).
"There are a lot of security controls out there that people can apply [in OT], and it's hard to determine which ones are good," Lee said. "It's not an ethics discussion." He said to start by asking, "What are the risks?" - in line with the requirements - in order to know that the controls are relevant against those risks. "Start with the scenarios and then reverse-engineer out," he said.
In this video interview with Information Security Media Group at RSA Conference 2023, Lee also discusses:
- The differences between securing industrial control systems in OT and IT settings;
- The challenges related to gaining visibility into industrial control environments;
- How organizations can determine which of their assets are the most critical.
Lee is considered a pioneer in the industrial control systems threat intelligence and incident response community. He currently serves on the U.S. Department of Energy's Electricity Advisory Committee and is part of the World Economic Forum’s subcommittees on cyber resilience for the oil and gas and electricity communities.
Michael Novinson: Hello, this is Michael Novinson with Information Security Media Group. We're going to be talking about ICS and OT security with Robert Lee. He is the co-founder and CEO of Dragos, and a SANS senior instructor. Hi, Robert, how are you?
Robert Lee: I'm doing well. Thanks.
Novinson: Thanks so much for making the time.
Lee: Yeah, of course.
Novinson: Off the top, you want to get a sense of the most significant differences between securing ICS and OT environments versus securing conventional IT environments.
Lee: So first thing, as a broad generalization, if we look at IT security, it tends to be a little bit more system security and data security. How to protect the system: patching, passwords, endpoint protection systems, access controls, etc., and how to protect the data: encryption at rest and in transit, data loss prevention, so forth. But in the world of OT, it's more systems and physics. So any one system is not that important. So, malware on an engineer workstation, I don't care. But, somebody has access to an engineer workstation, malware or not, with the knowledge of how to modify the logic on the controller in such a way that can cause a physical manifestation - system one's impact on system two, and back on system three - that's going to be a very different beast. So you take that context, but then you also realize they have different systems, different threats, different ways how threats operate, different impact on what happens, different mission and purpose of that environment, then the security controls are probably not going to be the same. So we have to adapt based on what we see in the risk to understand what are the controls that matter. As a quick example, vulnerability patching. With IT, it is like half the game. In OT, there's maybe 2% of vulnerabilities that matter. And so over time, like, vulnerability management can be important, but it might be like one of the last things you do instead of rushing through that at the beginning. Now, why is it that patching is less of the point of emphasis in the OT world? First of all, it's just that systems' view versus system of systems: any one system, not the point. So any one patch is not the point. But also a lot of the functionality in the environments that exist is native in those environments. It's functionality operators can take advantage of to do what they need to do. They - engineer or operator - can open up a circuit breaker, so can an adversary. I don't need special malware, vulnerabilities, exploits to do that.
And in IT, those vulnerabilities give additional permissions and access and so forth on the system and OT not so much. So the vulnerabilities we care about in OT are the ones that have been used, so over being actively exploited by adversaries, or they add new functionality in the environment to cause disruption or destruction. And that accounts for about 2% to 4% each year of the vulnerabilities.
Novinson: Well, last year, you'd published a paper looking at critical controls for securing ICS and OT environments. What are the key findings?
Lee: Tim Conway and I, over at the SANS Institute, wrote this paper: The Five ICS Cybersecurity Critical Controls. Anybody can download it if they want; it's just on the website. Where that came from was SANS years ago created the 20 critical controls. And those were widely adopted across the community. The Center for Internet Security kind of took them on and ushered them to the community. We've always been asked, what would it be for ICS or OT environments? And so Tim and I went through every single attack that's ever happened in ICS. And the challenge was just, what are the controls that were consistent across all of them? Over the good investments, like, if you did these things, it's going to be a good investment all the time. And we got to those five controls. Probably the more interesting observation for me was the need to start with ICS incident response first, and then reverse-engineer out the rest. Because a lot of times people start with, let's think about our architecture, and then do this, and eventually it gets to incident response, and they find that it doesn't align. And so start with the bad day in mind and reverse-engineer out the other controls. That way, we have things that are made against the scenarios we care about as a business.
Novinson: Interesting. So beginning with the end in mind. Why do you feel in the context of ICS, it's so important to start with that and what does it look like in practice?
Lee: So No. 1, there's a lot of security controls out there that people can apply. And it's hard to determine which one's a good one or not, and it's not an ethics discussion. Is it a good control or bad control? Like, it's not a morality thing. It's: is this one effective against the risk? But if we don't start with what are those risks in mind, what are the requirements? What are the scenarios that we're going to plan for? A ransomware scenario, a Ukraine 2016 or 2015 electric scenario. Like, if you don't start with the scenarios, you don't know if the controls are going to be relevant against those risks. And you also don't know the data that you're going to need. You've got to ask the questions, you've got to have a response. So you start with those scenarios and you reverse-engineer out. For example, for us application whitelisting would make sense over here, not antivirus. Or for us, segmenting the Active Directory and domain controller is going to be most important between IT and OT. So it just helps guide people and helps them prioritize.
Novinson: I realize it's going to differ by vertical, but what would you say at a high level are the most significant risks that people face around ICS?
Lee: I would say from the scenarios, No. 1, you've got to cover ransomware. Everybody has to. I care a lot about the state actors. I care about national security impact. Start with ransomware. After that, generally, like across every industry, be it the PIPEDREAM scenario. So the malware that was cross-industry and scalable and can go after industrial infrastructure, and then it's going to be vertical-specific. So electric power, you're going to look at the Ukraine attacks; oil and gas, you're going to look at the TRISIS attack in Saudi Arabia. So maybe in manufacturing, you're going to think a lot about the espionage of, like, the Dragonfly campaign and Havex malware, so you're going to kind of model off of what's happened in an industry. When you go to a board and executive staff, it is way more tangible. It's not, I saw this research at DEFCON, and we have to do this. It's, here is something that has happened to our peers, and we have to decide are we going to accept the risk or not? That makes it a very easy executive discussion.
Novinson: So from a visibility standpoint, what are some of the challenges around gaining visibility into industrial environments?
Lee: So visibility and monitoring was the third critical control. And there's a couple of different challenges. One of which is just, do you have the architecture and networking to allow it, because a lot of the ways we want to do visibility and monitoring of these environments is passively. We don't want to be sort of messing with the equipment - these high-speed, high-cost, very important pieces of equipment. We don't want to just, like, keep scanning it and poking at it all the time. You want to be able to just sort of sniff the traffic. You will passively monitor what's going on, build an inventory and understand the threats. And to do that, you're going to be dealing with, like, SPAN ports, and switches or tap infrastructure. Sometimes they go into places where the company wants to do that. But then they get into their environments, through, like, flat networks, old switches, no mirroring capabilities, etc. And so they have to kind of bring up the environment to a level that it's now defensible, something that you can then go monitor. Once that part takes place, then it's just culture. It's showing operations or IT - sometimes anyone can be the problem. By showing operations or IT, here's why we're doing this. Here's how it matches back to those scenarios. If we all agree that this is important, then this is why we are accomplishing this. And that's a better way to do it than just coming in from security and saying, we are from security, we're putting this in, it is according to NIST Cybersecurity Framework or IEC 62443. Hey, operators, we understand this is your plant. Here's what we're trying to accomplish. Do you agree? Great, then you need to help over here.
Novinson: And how have the conversations around critical infrastructure security changed since Russia's invasion of Ukraine a little over a year ago?
Lee: Regionally, it changed a lot in Europe. So I think there's definitely a lot of European companies that were very proactive anyways, but there was a bunch that were very focused on, give me an asset inventory. But we talked about, cool, we will do that. And what about the threat detection? They were like, threat detection? ICS threat? Okay, fine. That's adorable. And then Russia invaded Ukraine. They're like, so threats exist. And we should talk about the response plans, too. And so I think that's changed in Europe. I think in U.S., Australia, Saudi Arabia, kind of new places like that. I think they've already known that they've got the threats. And so those conversations weren't necessary. The shift in the conversations over the past couple of years, it's just been about the level of where the conversation is happening. So it's not uncommon for the President or Congress to be talking about OT-specific security. It's not uncommon for boards to be addressing it like one of the top-three requirements in their company. So the conversation about operations security has just raised a massive level, partly because everyone always thought it was getting done. Their CSO, whatever, would paint the picture, here's the enterprise IT cyber risk, here's what we're doing in the enterprise IT. And the executives would be like cool, that's across the enterprise? And analysts are going "no, no, no, it's not the enterprises, it is enterprise IT." So CEOs would then say, sorry, you're spending 98% of our money on the website, and not where we generate revenue. I need you to go, you call OT. OT go focus on that stuff. And that's where the conversation shifted.
Novinson: In the OT world, how can organizations go about determining which of their OT assets are the most critical?
Lee: So I'd start with the five critical controls; that's going to tell you those scenarios. The scenarios are going to guide you; for example, for oil or gas: Hey, TRISIS malware was used against the safety system in Saudi Arabia. Where's our safety system? Where's our distributed control system around it? So trying to find those crown jewels needs to be driven by what are we trying to accomplish in the first place. After you do it based on an intelligence-driven approach, ground truth reality, what's happened. Then you should look at it from a consequence approach. Hey, go find the oldest, crustiest engineer in the plant and just say, hey, man, what would be a bad day for you? Oh, boy, that over there, if that starts happening, you better run. Cool, thank you. Those are probably crown jewels. So think about it from what does a bad day look like, but start with what are the adversaries doing. Maybe combine that intel-driven with a consequence-driven view, and you'll have a good understanding of crown jewels.
Novinson: Let me ask you here, finally, I know you mentioned the dialog from the President, Congress and boards, what's the downstream impact for security practitioners that all of these folks are focused on critical infrastructure?
Lee: I think sometimes security folks can get kind of set in our ways. You got a playbook that you run. You go to 15 different organizations, you run that playbook, that's the same. Whatever operations, you get to understand the business, what they're trying to accomplish, what's that plant doing versus that one to tailor the discussion. And there's a view from an executive staff now that you're my security professionals, and you should be doing that. And so the ones that are not, dialog is fine. The ones that are just pushing back or ignoring that, quite a bit of it. They're going yeah, that's nice, but I know how to do security. That's bias and the regular bias in these conversations, and businesses are not in the place to put up with that too much. And what I mean by that is, there's an expectation that IT security folks are doing the right security work, but rapidly learning the operations side of their business to protect the core components and risk of the business. And if they don't, I've started to already see individuals being removed from the jobs and like a CSO level. We don't want that. But I think if you lose trust with the executives that what you're doing to help advise on the rest of the company, then you're probably not going to have a job very long.
Novinson: Certainly, very important stuff. Robert, thank you so much for the time.
Lee: Thank you.
Novinson: We've been speaking with Robert Lee. He is a SANS senior instructor, and the co-founder and CEO of Dragos. For Information Security Media Group, this is Michael Novinson. Have a nice day.