In-brief: The headlines warning about cyber risks on the Internet of Things obscure the truth. That’s especially true of critical infrastructure, warns Cisco’s Marc Blackmer.
Tabloids are not my thing. But there was something so ridiculous about “Man Hit in Head by Flying Dog” that I gave in to my curiosity. See, I’m one of those people who believes you should only say and print what you know to be true, so I was intrigued as to how a story about a flying dog couldn’t be a complete fabrication. As it turned out, the dog had been hit by a van with such force that it sent the poor creature through the air and into a bystander’s head. Unfortunate. And while the gentleman was indeed hit by an airborne dog, the headline was misleading. It also prompted me to buy their paper. Lesson learned.
I’m seeing something similar to the “flying dog” effect in the headlines and presentations about cybersecurity and the Internet of Things (IoT). If we are to believe most of what we read and hear about IoT security, particularly in respect to critical infrastructure, it could come crashing to the ground tomorrow. Don’t believe it.
True, there are many known security issues with industrial control systems (ICS). These devices and systems tend to be older and have spent much of their existence in secluded, air-gapped networks. They are now facing a hostile connected world and need protection. But is our critical infrastructure really in such bad shape?
That is the question I put to Robert (Rob) M. Lee, ICS515 Course Author at SANS Institute, and author of “SCADA and Me: A Book for Children and Management.” His answer? “No.” In fact, “industrial control networks are more defensible than IT networks because industrial networks are very static,” Lee told me. That makes it much easier to detect anomalies. It also takes a great deal of specialized knowledge to understand and manipulate industrial processes. And so many monitoring and physical safety measures are designed into these processes that it would be difficult for an attacker to gain and maintain access without being detected.
Rob was also sure to point out that defensible is not the same as defended. Many of those whose expertise is industrial control system security will readily say that control environments are immature when it comes to cybersecurity. The introduction of firewalls, for example, is still relatively new for many industrial organizations. It will take time to reach parity with the information technology security practices in other sectors. This, also, is understandable when we consider that routable protocols are still considered “new” in industrial environments, even though they’ve been a mainstay of enterprise networks for more than two decades. There is going to be a learning curve.
The good news is that the industrial control sector can close that gap in less time than it took the IT world to gain its maturity, Rob argues. In addition, organizations with industrial control system infrastructure need to be prepared to defend against ICS-aware malware like Stuxnet and HAVEX, which share characteristics and behavior irrespective of their payload or intended targets. Fortunately, the detection methods for one known strain of malware can be applied to later variants, including those targeting ICS systems. This gives ICS environments the benefit of a known body of detection that can be applied to ICS from the beginning.
ICS serves as a great analogue for the security of the Internet of Things. Both are part of a rush to connect devices to capitalize on the benefits of connectivity, while also having to deal with a new cybersecurity reality. The methods for applying cybersecurity to ICS and to the larger Internet of Things that critical infrastructure systems are a part of will vary. The constant for both is that the security of these systems needs to be dictated by a realistic assessment of the risks they face, not by scary headlines. As is the case with traditional IT environments, we have to look at our industrial control system environments objectively, as they are, and determine a course of action that is rooted in an objective assessment of risk.
Objectivity is easier said than done, so I asked Rob for some practical advice. The first question he asks his clients is “where do you want to be [as an organization]?” To achieve their goal, Rob makes sure they understand “…that they need to invest in architecture and defense.” He also doesn’t promote cybersecurity for cybersecurity’s sake, but as a byproduct of efficient operations, which helps to make the business case for cybersecurity investment.
For instance, network security monitoring can help to detect misconfiguration within the ICS, thereby providing operational value, he says.
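The two points above, that a static network makes anomalies stand out and that monitoring pays for itself by surfacing misconfiguration, can be shown with a small baseline-and-deviation check. The following is an added example written for this article; it is not code from the author, Cisco or SANS. It assumes flow summaries of the form (time, source, destination, destination port, protocol) such as a span port or tap would yield, and that the source of a flow is the side that initiated it. All hosts, addresses and flows are constructed for illustration.

```python
"""Baseline-and-deviation detection over constructed ICS flow records.

Added example; not from the article or the organizations it mentions.
Assumption: each Flow's src is the initiating side of the conversation.
"""
from typing import List, NamedTuple, Tuple


class Flow(NamedTuple):
    ts: int        # seconds since start of capture (constructed)
    src: str       # initiating host
    dst: str       # responding host
    dport: int     # destination port
    proto: str     # "tcp" or "udp"

    @property
    def conversation(self) -> Tuple[str, str, int, str]:
        return (self.src, self.dst, self.dport, self.proto)


# Constructed learning window. In practice this would be days or weeks of
# steady-state plant traffic; a handful of flows stands in for it here.
BASELINE_FLOWS = [
    Flow(0,  "10.0.1.10", "10.0.2.21", 502, "tcp"),   # HMI polls PLC-1 (Modbus/TCP)
    Flow(5,  "10.0.1.10", "10.0.2.22", 502, "tcp"),   # HMI polls PLC-2
    Flow(10, "10.0.1.11", "10.0.2.21", 502, "tcp"),   # historian polls PLC-1
    Flow(15, "10.0.1.10", "10.0.2.21", 502, "tcp"),
    Flow(20, "10.0.1.11", "10.0.2.22", 502, "tcp"),   # historian polls PLC-2
]

# Constructed monitoring window containing two deviations from the baseline.
NEW_FLOWS = [
    Flow(100, "10.0.1.10", "10.0.2.21", 502, "tcp"),  # normal HMI poll
    Flow(105, "10.0.2.21", "10.0.1.50", 53,  "udp"),  # PLC-1 sending DNS: a device that only answered before
    Flow(110, "10.0.1.99", "10.0.2.22", 502, "tcp"),  # never-seen host polling PLC-2
    Flow(115, "10.0.1.11", "10.0.2.21", 502, "tcp"),  # normal historian poll
]


def build_baseline(flows: List[Flow]) -> dict:
    """Record every conversation seen in the learning window and which
    hosts initiated versus only responded (on a static network the latter
    are typically the controllers)."""
    return {
        "conversations": {f.conversation for f in flows},
        "initiators": {f.src for f in flows},
        "responders": {f.dst for f in flows},
    }


def detect(baseline: dict, flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return (flow, reason) for each flow not covered by the baseline.

    The reason distinguishes a brand-new host, a previously passive device
    that started initiating (often a misconfiguration, e.g. a stray DNS or
    NTP setting), and a known host opening a new kind of conversation."""
    alerts = []
    known_hosts = baseline["initiators"] | baseline["responders"]
    for f in flows:
        if f.conversation in baseline["conversations"]:
            continue
        if f.src not in known_hosts:
            reason = "unknown host initiating traffic"
        elif f.src in baseline["responders"] and f.src not in baseline["initiators"]:
            reason = "passive device initiated a connection (possible misconfiguration)"
        else:
            reason = "known host, new conversation"
        alerts.append((f, reason))
    return alerts


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for flow, why in detect(base, NEW_FLOWS):
        print(f"t={flow.ts:>4} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {why}")
```

Both deviations are found with nothing more than a set of known conversations, which is exactly the property Rob describes: in a network where the legitimate conversations rarely change, "not in the baseline" is already a useful signal, and the PLC-1 alert is operational information (a device trying to resolve names it has no business resolving) whether or not anything malicious is behind it.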
No problem has ever been solved by hysteria. No complex problem (and cyber insecurity is a complex problem) has ever been solved with a single technology. As I’ve argued before, the solution doesn’t start with technology. We have to start with objectivity and rationality. To do otherwise will leave us chasing our tails and accomplishing nothing.