A lesson from Grandma Mae
My grandma Mae made the most wonderful cupcakes for my birthday one year when she came to visit. I hung around the kitchen and watched the magic. When they looked done (to me) I was excited to start frosting. She grabbed a toothpick, stuck it in one, and pulled it out. Looking at the uncooked batter on the tip, she said, “Oh, sweetie, not yet, the middle is still gooey, it has a way to go.”
OT Security is not a new topic. As Dale Peterson recently said, “The number of people who think you should design, deploy, maintain, and secure OT the same way as user desktops on the corporate network (what most mean by the term IT in this discussion) is tiny. This is no longer a revelation or in dispute.”
We have been admiring this OT Security challenge for decades now. I was a seasoned CISSP at the time but was awakened to the challenges in the field of ICS Security following the Digital Pearl Harbor exercise in which I participated in 2002. While IT Security practices matured, going from rudimentary system lockdown and hygiene to Cybersecurity with proactive threat profiling and hunting, OT networks were air-gapped (or at least that’s what we told ourselves).
Rigor and IT/Cybersecurity processes have been defined, refined, and re-defined, and are well documented. Business leaders have come to rely on the reporting and visibility into our technology-based business risk.
OT Security has matured as well, but only relatively recently. The Global Industrial Cyber Security Professional (GICSP) certification from the SANS Institute was conceived in the winter of 2013 to address a growing challenge spanning multiple industries (SANS, 2016). This certification introduced security concepts into industrial engineering practices and gets our engineers to make more secure decisions. This deep understanding of the physical processes, ICS nuances, and limitations is a necessary skill set in our overall cyber-physical security schema.
What's missing is the nexus.
We owe it to ourselves to use the lessons learned from the path we took to mature cybersecurity as a discipline and career choice. We were forging a new path. LAN/WANs displaced the Mainframes and took off like a shot in the 1980s. Cybersecurity as a practice (and career choice) didn’t mature until 1994 with the release of the ISC2 CISSP certification. With that, we witnessed an explosion in the creation of point solutions to aid every aspect of the IT/Cybersecurity discipline. We developed Tactics, Techniques, and Procedures (TTPs) to best utilize these security tools along with honing the metrics and output to make better business decisions.
These tools ran us ragged, however, trying to keep in front of the challenges. So, the market-driven world of technology responded and morphed the tool landscape to ease the pressure. Through alliances and MA&D with other vendors, we rationalized the tool sets, consolidated capabilities, and created new tool categories entirely. Those were hard, expensive, time-consuming lessons for everyone. We can do better than flooding the market with point solutions again.
All these growing pains planted the flag of security expectations with business leaders and consumers. This is where we sit today. I won’t go into the “Industry 4.0” diatribe but as we further blur the line that used to be the airgap with more standard IT platformed resources, we meet the gooey center of cybersecurity.
While OT Cybersecurity is recognized and necessary, what is left wanting is the talent pool: people with a firm understanding of the differences and limitations between the technological platforms, and an expert eye for blending the dissimilar cybersecurity rigors of each.
Currently, while looking to augment the Security Operations Center (SOC), we must carefully blend OT into its risk, vulnerability, Incident Response (IR), and recovery capabilities. While OT can be treated as another “specialty technology” from a response standpoint, it remains an enigma if the SOC cannot identify threats and vectors from a defense standpoint. The whole mission of a SOC is to monitor, prevent, detect, investigate, and respond to cyber threats around the clock; without visibility, tools, and TTPs specifically designed for OT, that mission is exponentially more difficult. This immediately accentuates our opportunity to blend tool dynamics to cross the IT/OT threshold as well. So, why wait for the market to scream, why not just do it? But that's another tangent.
The operational culture and learning paths have created two very different mindsets: that of a cyber defender and that of an industrial control engineer (with cyber training). For now, this disparate focus and talent pool is ripe for a hierarchical SOC deployment: a SOC for IT and one specific to OT. The processes for detecting and responding are so different, and can march to such different timelines, that a single SOC may be overwhelmed. The reporting from the IT and OT SOCs (feeding a central organizational SOC) depicts a more complete organizational technology risk landscape. The organizational SOC standardizes the IR duties and responsibilities (above and beyond the technical). Cumulatively, SOC operations supply the necessary documentation of the steps taken to identify, respond to, and remediate situations. The comprehensiveness of this documentation can mean very different outcomes should any regulatory body or litigious action question an event. Think SEC reporting requirements.
This is why I say, “We are now where we were in 1994.”
We are standing at the threshold of an opportunity to tune our disciplines to create a new and exciting career path for our up-and-coming cyber defenders. These cyber defenders will focus on our gooey center and become the cybersecurity nexus between IT and OT to streamline, define, and document the rigors necessary to work, respond, document, and report as a unified team. These defenders will uncover opportunities to blend tools and create TTPs to better execute the mission on both sides of the house.
When it comes to OT Security, it is recognized, growing, and a necessary piece of our overall cybersecurity strategy...
but “the middle is still gooey, it has a way to go.”