Consequences, models, and other notes on ICS security.

We close our coverage of SecurityWeek ICS Cyber Security Conference, held last week in Atlanta, with some observations contributed by the participants.

Comparative numbers: cyberattacks and natural disasters.

What do a global cyber attack affecting industrial control systems and a major hurricane have in common? According to Ed Turkaly of GE's Baker Hughes, what they've got in common is about $120 billion in losses and remediation costs. 

Or, to take another number, what's the harm, really, in cryptojacking? After all, what could a little coin mining that you might easily overlook on a device really amount to? Actually, it amounts to a lot. Radiflow's T.J. Roe pointed out that Bitcoin mining, both legitimate and illegitimate, is now consuming more electricity than one-hundred-fifty-nine countries. That's not the sum of the their consumption, but rather the power used by individual countries. Still, that's a lot.

Learning incident response from the mistakes of others.

Baker Huges's Turkaly, who used the hurricane comparison to motivate some thought about how to prioritize one's security investments and operations, stressed, as many other speakers had, the importance of understanding the shop floor. The sort of familiarity and ground-truth one gains in making the effort to do so are invaluable.

In truth, and this was another common theme, for all the talk of exotic and sophisticated threats one hears in many quarters, the greatest risks to OT systems continue to be found in the exploitation of "basic, fundamental gaps" in defenses. This was the argument made by IBM's Robert Dyson and Nozomi's Edgard Capdevielle, who went on to sketch the areas that deserve attention if one seeks to realize some immediate improvements in security. Their advice was to concentrate on (1) visibility, (2) access control, (3) network and endpoint security monitoring, (4) log management, (5) incident reporting, and (6) training. Nothing exotic, but all measures that, they said, would well repay the organization that took them.

Digital twins: an approach to modeling.

Finally, we had an opportunity to sit down with Mark Hearn of Irdeto, and talk with him about digital twins. He quoted a standard definition: a digital twin is an "evolving digital profile of the historical and current behavior of a physical object or process that helps optimize business performance." A digital twin is essentially a formal model, a software model that enables an enterprise to process data alongside the original system to observe behavior and model changes without breaking production.

Part of doing this effectively, Hearn said, involves looking at attackers' motivations, and Irdeto spends time infiltrating dark web fora, posing as a semi-contributing member to obtain insight into those motivations. (They're struck, Hearn observed, by the ways in which the hackers in those dark web precincts are motivated by anonymity, arrogance, and a penchant for risk-taking.) Industry needs, in his view, to think the way the hackers do, and they tend to think in terms of what works across many sectors. For all of its benefits, the move toward open source software common to many industries, plays to the hackers' advantage.

A core use case of digital twins is to offer a lower-risk way of tuning something on the factory floor. Irdeto is also interested in raising awareness of the importance of securing the software itself. They've sought to draw lessons from other sectors. Their Secure Environment, for example, which is focused on the automotive industry, is analogous in some ways to an automated form of two-person control.

Thinking like a hacker involves considering, Hearn said, how the ecosystem looks to an attacker. If you think of hackers as a business, he argued, you'll gain valuable insight into how to defend against them. Once you think of the hacker as a competitor, you'll treat them with a completely different and arguably more alert and effective mindset.