The ICS Dichotomy Of Surface Area
Dale Peterson
ICS Security Catalyst, Founder of S4 Events, Consultant, Speaker, Podcaster, Get my newsletter friday.dale-peterson.com/signup
I finished up Volume 3 of The Great Mental Models and the model, or concept, that has me thinking is Surface Area. Where we need to reduce it and where we need to expand it.
The application to security is obvious and used in the chapter. We want to minimize the attack surface to limit what an adversary can attack. Least privilege firewall rules, closing unnecessary ports, removing unnecessary software, and even the concept of role based access control to reduce user authorization to what is required are all examples or reducing surface area.
We have even seen ICS protocols consider this issue, primarily based on being firewall friendly. Allowing OPC classic through a firewall required a big hole or exhaustive and difficult configuration. So much so that Matrikon and others had successful products just to deal with this protocol failing. One of the OPC UA design objectives was to address this.
Reducing or minimizing complexity is another example of reducing surface area to increase security and reliability. The ICS community, more engineers and automation pro's than security pro's, have been less successful in this. I often think of the words of Ed Schweitzer from a S4x20 interview, saying we need to reset complexity periodically.
The problem may be that our natural bent in the ICS security and ICS community to reduce surface area reduces our creativity and openness to new ideas. The pull quote from the chapter:
领英推荐
Sometimes, as individuals or as organizations, we have a creativity problem. We need some fresh ideas, but have a hard time coming up with them. We rely on what we already know and often end up with more of the same. When we need to spur innovation, we can try increasing our surface area of exposures to new disciplines. More surface area can give us more diversity, which is sometimes what we need in order to innovate and create.
I'm sure you have observed, and maybe are guilty of, instances where an idea from someone new to ICS and OT is dismissed out of hand. Where someone from outside ICS was told they shouldn't even be part of an ICS security discussion because they lack experience, an engineering degree, or the ability to design and implement a control loop.
A simple example, the ability to recover in an acceptable time period is important in all systems and particularly important in ICS where downtime will have a major impact. For most of the 00's and 10's, and still occasionally today, a common recovery plan for ICS cyber assets was re-install from media. Some times it was even worse - - - call the vendor that deployed it to come out and reinstall. By increasing the knowledge surface area to include IT, much faster and effective cyber asset recovery methods were "discovered".
Expanding our knowledge surface area to IT and IT security is obvious, and it is much more than this. Megan Samford is preaching we have a lot to learn from Emergency Managers. The insurance market has many ideas on risk management to consider. What should we be learning about human factors?
We need to bring more people with diverse knowledge and experience into OT and ICS security to address the change that business opportunities are driving, or even forcing. And this dichotomy of how we treat surface area in ICS may be why we struggle so much with new ideas and new to the space people.
On one hand keeping the attack surface as small as possible, reducing complexity and perhaps reducing variability/change is the right approach. On the other hand, limiting what ideas, and people, we consider for use in solving the OT and ICS security challenge is hurting the community.
Cyber-Physical Risk Expert | Founder Cyber-Physical Risk Academy | Consultant, Speaker, Trainer, Publisher | Operational Technology | Masterclasses | Training | 45+ years in process automation. OT security focus.
2 年Considering cyber security based on attack surface, ignores the time factor. Exposure is the better parameter because here we combine static exposure (primarily based on design with attack surface as one parameter) and dynamic exposure (based on security operations). Therefor most risk models are using exposure to model the resilience of the target (either asset or channel). Cyber security requires basically a holistic view on the target, this target is the combination of the process automation system and the process installation. Because a skills gap in the OT cyber community the focus is on vulnerabilties in the automation system ignoring the wider surface that includes the vulnerabilities in the overall installation / process design. We just need more OT engineers, guys and girls that oversee the whole. Too many now are looking at the brown grass straws spotting a vulnerabilty in a PLC or transmitter, forgetting the wider meadow and surrounding forrest with much bigger threats More focus on OT engineering, less on security technicians. Would also make the S4 conference more balanced for secure manufacturing. A process safety conference addressing the cyber threat offers more insights - skipping the awareness presentations
Senior Vice President
2 年Complexity in the OT world will be difficult to unwind. So many of these systems were installed 20 plus years ago and were designed to be a platform for innovation and change. Control and process engineers are smart - they think of different ways to improve the process, implement various tools and strategies to achieve their goals, and layer on newer systems talking to the old ones. Reducing the complexity without going backwards on the control strategy is no easy task.......
Industrial Security Champion
2 年Can't help but think back to the presentation on patching without disrupting the process/ downtime by Luigi Auriemma way back. Amazing cutting edge stuff foreign to ICS and prematurely dismissed. Where would we be now if that concept was taken and applied to upgrading and patching ICS?