The future of OT security in modern industrial operations

Both the likelihood and consequences of cyberattacks to OT/ICS components continue to grow for modern industrial operations.

In this podcast, Andrew Ginter, VP of Industrial Security at Waterfall Security Solutions, and Edward Amoroso, CEO of TAG Cyber, talk about how new approaches are needed to gain defensive advantage over already-capable cyber adversaries, to keep up with new OT/ICS technologies, and to serve business risk management needs in increasingly-demanding, competitive environments.

Here’s a transcript of the podcast for your convenience.

Andrew Ginter: Hello everyone and thank you for joining us. This is Andrew Ginter, the VP of Industrial Security at Waterfall Security Solutions. I’m joined here with Edward Amoroso, the CEO of TAG Cyber and the former CSO at AT&T. Hello Ed.

Edward Amoroso: Nice to be here Andrew.

Andrew Ginter: This is the fifth in our series on industrial control system security topics and we were going to take a look into the future, take a look at what are sort of the hot topics, what are the trends, what are the recent innovations that we’re seeing in the space, and what’s that mean for us going forward.

I may I’ll take a start. The first topic in our fifth series paper was the Industrial Internet of Things. We all know vaguely the Internet of Things, this is you know stuff we carry around well as the classic example is the cell phone, stuff for the CPU and software inside it, connected to the Internet, and this is coming to the industrial world. We’re seeing increasingly individual sensors with CPUs in them, we’re seeing smart applications, we’re seeing these sensors with CPUs in them reaching straight out to the Internet, straight out the cloud providers, the way our cell phones do through multiple layers of firewalls. This is a problem. Classic control system security theory says you do not run one connection through multiple layers of firewalls out to the IT or the internet networks. That’s not done. It introduces a path for attacks all the way back into our most sensitive systems.

I’m one of the co-authors of the industrial internet consortium security framework, and they identify in that framework a lot of crypto systems, trusted platform modules, endpoint hardening approaches, but they recognize that in spite of all these endpoint hardening approaches, there are applications where this direct connection out to the cloud is considered an unacceptable risk, because of course, all software can be hacked, even crypto systems.

And so what’s documented in the security framework and what people are talking about is an unidirectional gateway. Again, the one-way hardware with you know software on either end, serving the need of connecting these sensors out to the Internet.

The product Waterfall has in this base is called a Unidirectional Cloud Connect. It has the gateway hardware inside it. It can physically send only one way. The software gathers information from the industrial network, it then translates it into a cloud friendly format like the Predix format or Microsoft Azure WebSockets, and pushes the data out to the Internet through the one-way hardware, so that it doesn’t matter how clever our enemies are, it doesn’t matter how compromised the cloud or the Internet is, it’s not physically possible to come back and threaten the devices that are controlling the physical process, you know threaten physical safety and physical reliability.

Edward Amoroso: We put this in kind of the future state, but I think we would all agree that these types of activities, these trends coming a lot faster, and I think a lot of us would have expected and maybe a complementary thing that comes out of all of this is something that you brought up to me when we were going through this, and this is the idea of universal monitoring, and so that kind of comes out of this idea that as we have devices sprawling across not just the internet but private enclaves, that you want one monitoring approach, you don’t want to have your IT stuff over here, your OT stuff over there but you know you certainly don’t want to be opening firewall ports and doing insecure types of pain.

So, an awful lot of work needs to be done to convince people that you really can build the universal monitoring, and I suspect a universal that functionality is going to be relying on things like the unidirectional gateway that you guys develop. I think that’ll be one of the building blocks that will be required to do that. So, I would expect moving forward that one of the great requirements that we’ll see in organizations within both IT and OT will be a convergence of not just the management, but certainly the monitoring, the collection of telemetry, the analysis and the ultimately driving some sort of actionable response to mitigation, or management action, that’s going to converge on something that’ll be universal in common. That’s good, it’s good news because it’s cheaper and easier so it’s not like that’s a bad thing, but I know I’ve read a lot of pieces that presume that that needs to be separate, and I think that can be converged, and I know it at Waterfall you guys spent a lot of time on that concept of converging things and using your gateway as s component. So, I presume you would agree that the universal piece is a worthy goal.

Andrew Ginter: Very much so, and you know historically Waterfall has been involved with SCADA engineers, with plant engineers. Increasingly we are engaging with IT teams that have some degree of responsibility for the operations networks, in particular fundamentally we can we can only optimize what we can measure. If we want to optimize the security of these industrial networks, the IT teams have to carry out their mandate of monitoring them for security and for intrusions. And so increasingly we’re engaging with IT teams who have mature more security monitoring programs in place, have essentially universal coverage on their IT networks for their devices on those networks, and they want to extend that coverage deep into the OT space, and of course need to do so without introducing vulnerabilities and the one-way hardware of the gateway or the Unidirectional Cloud Connect enables that, it lets them fulfill their mandate.

In fact, a second reason, the second way that we find ourselves interacting with IT people is incident response. Now this may be a little surprising. We do have a newish technology called the BlackBox. Think of it as tamper-proof forensics, think of it as the same black box as you see on aircraft. When something goes wrong, where do the investigators go? They make a beeline for the black box because they want to know what was happening.

The problem is that modern attackers will go and erase their tracks as part of the attack, or if they’re on the network still at the same time the incident response teams arrive, they may actively try to thwart the investigation, working against the response teams while the response teams are trying to figure out what’s going on. And so this black box is again has the unidirectional gateway hardware inside, the laser on one circuit board, the receiver on the other, a short piece of fiber in between. It’s only physically possible to send information from the monitored network into a storage device, a large hard drive or array of hard drives, and keep a tamper-proof copy of the data, so that when the incident response team arrives, they can make a beeline for the box, physically open up the access port. There is no network access to the repository, you’ve got to physically be there to touch it, pull the data off of it, and start your forensic analysis.

So, that’s two ways that we see this IT/OT integration. We see IT becoming increasingly interested in this class of sort of OT technology, because they’re responsible for monitoring and because they see some advantages for this one-way technology when it comes to investigations.

Edward Amoroso: Yeah it’s probably one of the – there was a concluding theme here, it’s that, this convergence: convergence of interest, convergence of common benefits that you get by bringing the best elements of IT and OT together in your architecture, and in your operations. I think that probably, if you had to summarize that I’d say that through five reports and five little webinar pieces that we’ve done, that that’s how I would summarize the basic methods with convergence, that make sense?

Andrew Ginter: That make perfect sense. The Gartner group started predicting this convergence back in 1995. I remember some of the initial announcements that caused great, great controversy back then. There’s no way this is going to happen was what the OT guys were saying at that high and well. They were wrong, Gartner was right, that’s it’s all coming together and it’s taken 20 over 20 years we are figuring out how to make all this happen so that as you said we can realize these efficiencies: software control, the flexibility and the power of software control coupled with connectivity is making everything cheaper for us, and this is the name of the game, this is progress.

Edward Amoroso: Andrew, it’s been a delight for me we’re working with you. I hope we can pick up and do it again.

Andrew Ginter: Indeed. Thank you so much Ed and thank you everyone for joining us, and if we get something with you know Ed and I going together in the future, we’ll let you all know. Thanks again.