The Human Bridge as the Key Component in the Successful Protection of Critical Infrastructure Cyberspace
Protection of Critical Infrastructure Cyberspace – Much has been said about the need to protect the world’s critical infrastructures from cyber threats. Risk factors such as an expanding threat landscape, geopolitical instability and, most importantly, the global shortage of OT cybersecurity skills have made this the most dangerous period industrial companies have faced. Unfortunately, very little has been written on how to break through the barrier and enter the world of cyber defense for OT systems and industrial control systems.
Over 10 years ago, when I first began my journey in the world of securing critical infrastructure, I had over a decade of experience in information security and cyber expertise with IT systems communications and infrastructure. Despite this, no one prepared me for the interesting and intriguing encounter with the world of critical infrastructure. While I was certain that my significant experience in cybersecurity would ease my way into the world of cyber protection for critical infrastructures, a big surprise was awaiting me.
Despite the similarities between IT and OT environments (“it’s all T”), there are a few key differences in how the two are protected. In particular, employees must have the knowledge and tools required to implement the protection measures. In the words of Patrick Miller, an expert in IT/OT, “you need a workforce trained on the appropriate technology”.
There is a particularly significant difference between protecting IT systems and protecting OT and Industrial Control Systems (ICS): cyber defense staff are familiar with, and experienced in, the processes and technologies for protecting the traditional computing environment (IT), but the knowledge and ability to achieve the same concept and level of protection in the operating environment (OT) is limited. This limitation is due, in part, to the following challenges:
In IT, the asset being protected is the information itself. Damage to it can mean loss of trade secrets or sensitive data, and impairment of data availability or data integrity.
These concerns are prioritized differently in the two environments. IT uses the CIA model; OT inverts it into the AIC model:
IT (CIA)                  OT (AIC)
C – Confidentiality       A – Availability and business continuity
I – Integrity             I – Integrity
A – Availability          C – Confidentiality
In OT systems, protecting the confidentiality of information and sensitive data comes second to protecting the operational process, namely the “safety aspects and business operational implications related to the production line process”, which a cyberattack can impact.
It is therefore evident that in OT systems, the main priority is the organization’s ability to keep producing.
Knowledge – Information security and cybersecurity professionals are most familiar with protecting IT environments (protocols, products, tools and more). In most cases, they do not understand the change required to adapt that knowledge when assessing risks, choosing protection solutions, monitoring, and preparing a recovery plan for operating environments.
Collaboration – In most cases, the team that runs the operation and maintenance of the production environment does not extend its trust to the Information Security Manager, or to the organization’s Information Systems and Communications Networks Manager. Reviewing and changing these systems, and hardening them to meet requirements, therefore demands deep collaboration and trust between the organization’s two different units.
While cyber defense professionals usually have the knowledge required to talk to IT professionals, the knowledge and trust required for a dialogue with operations/control professionals are for the most part different (sector-specific knowledge, such as concepts that exist only in a production environment, for example the PAC (programmable automation controller), which has no counterpart in an IT network, together with an understanding of chemical/engineering processes, etc.).
External parties’ dependencies – The IT environment is run by the organization’s own employees and by local vendors it knows well (including background and reliability checks). In OT, support and maintenance are often provided by the equipment manufacturer or by a specialist software vendor, frequently from abroad, under warranty terms, and the client’s ability to influence them is low.
High cost of production line and business operations – Any upgrade, update or downtime translates immediately into large sums of money and into risk to the control process. To reduce that risk, a dedicated staging area for testing files and running simulations can be used as a preliminary step before anything goes onto the live network.
“Halting/Downtime” cost – It is difficult to balance risk against controls: controls that would require halting the process must be weighed against compensating controls that reduce risk without halting or compromising the production line.
Limited supply of dedicated protection solutions – Solutions such as code analysis, vulnerability scanning and staging-system simulation are available and embedded in many systems around the world, but they are not always compatible with dedicated ICS environments (an active vulnerability scanner, for instance, can crash a fragile controller). In addition, these tools are not always approved for use by the manufacturer or by the equipment’s operators, due to concerns about operational damage, liability coverage, etc.
Use of old and unchangeable technologies – for example a network that was never given proper security input during its design and construction; old controllers, protocols and traditional communication built on outdated and unsupported technologies; all of which make it difficult to run antivirus software or apply security updates.
Equipment lifecycle – IT equipment is replaced relatively frequently and proportionately (in line with the organization’s financial cycle), whereas replacing a controller or a SCADA component involves significant effort, resources and cost. These costs lead organizations to keep equipment that is 10-30 years old or more, which can only be protected with a limited set of tools that were not designed for it.
In light of all the above, let me share with you a successful use case on pivoting into OT cybersecurity.
Building trust and a common language between IT cybersecurity personnel and OT chemical/engineering personnel – More often than not, information security requirements and guidelines are handed down from “the ivory tower”, staffed by excellent cybersecurity personnel with an IT orientation, to the Industrial Control Systems and their personnel, without a real understanding of the requirements and without ever setting foot on the production floor, meeting the people and systems, and understanding their operational needs, including the relevant protocols, products, tools and more.
In most cases, such guidelines, many of which would stop or compromise the production line in most organizations if applied as written, were never de facto implemented by the Industrial Control personnel. To build the basic trust required between the two disciplines, we must go down to the field and get to know the Industrial Control personnel, be present in their day-to-day operational routine, and learn their language, terminology and operational processes, while teaching them the basic concepts of cybersecurity. Only then can we start to offer common courses of action and collaborations built on trust, a common language, and technical expertise.
Training and awareness – Very few institutions and organizations in the world provide professional cyber training for OT environments, and those that do are unfortunately not affordable to the general public. There is a vital need for more professional OT training programs for cybersecurity personnel, since full-time Industrial Control personnel cannot be expected to add cyber defense tasks to their daily job function.
Organizations must make the necessary investments and hire full-time operational cybersecurity experts rather than part-time ones. Academic institutions and research organizations need to invest further in building laboratories and arenas where operational cyber personnel can be trained. At the end of the day, the first responder to a cyber event is a critical part of the mitigation process. The engineering team is in fact the first line of defense in cyber operations.
“In preparing for battle, I have always found that plans are useless, but planning is indispensable”. (Dwight D. Eisenhower)
Information Sharing, Indications and Warnings – Information sharing underpins any true partnership and is necessary to mitigate the threat posed by a cunning, adaptive, and determined enemy. To formulate comprehensive security plans and make informed security investment and action decisions, individuals and institutions alike require timely, accurate, and relevant information.
Accordingly, we must adopt measures to identify and evaluate potential impediments or disincentives to security-related information sharing, and formulate appropriate measures to overcome these barriers. We need to develop and facilitate reliable, secure and efficient communications and information systems that support meaningful information sharing among IT/OT entities internally, and among public and private entities externally.
Cyber Organization quality assessment program – One of the missing links in organizational cyber sturdiness is a lack of understanding of the most important role in any organization, that of the decision-makers. From my experience, based on analysis of many cyber events and compromises, this is one of the common factors in cyber defense and resilience failures. What is needed is a fully executable plan, with associated documentation, to identify gaps and build a highly efficient Cyber Organization.
We need to assess the cyber organization’s level of security, share knowledge and skills, and continue to monitor the Cyber Organization’s quality through KPIs that can be translated into organizational cyber strengths and weaknesses. The outcome will be a detailed plan with staffing recommendations, practical steps for implementation, change agents, procedures, roles and responsibilities, success KPIs, controls and other features, all aimed at improving the organization’s cyber sturdiness.
To summarize, as the risk landscape becomes more complex and fast-moving, it exposes weaknesses in critical infrastructure. We need to remember that “Cyber security isn’t just about technology: more than anything, it’s about people”; only when we work together and collaborate can we illuminate the darkness.