Wednesday's sessions of SecurityWeek's 2018 ICS Security Conference continued the examination of risk management and the importance of security operators engaging with the realities on the plant floor.
In a presentation on consequence-driven risk management, LEO Cyber Security's Clint Bodungen stated a first principle: we do cybersecurity because cyber threats pose a risk to the business. He argued that cyber risks should be viewed as process hazards. Identifying consequences helps determine safety controls and define the possible impact of events. (He also offered a skeptical take on the familiar risk equation, which depends upon speculative numbers and lends a specious appearance of rigor to what in fact is a questionable and subjective process.)
Two security leaders from Sony, Kristin Demoranville and Stuart King, described the realities of assessing security in factories. A security assessment is neither a tour nor a policy enforcement drill. Their argument was that security comes down to people and process, which is neither surprising nor controversial, but the lessons they drew were instructive. It is essential to recognize, they said, that "anything will break production." That is, surprising events that you, the security officer, would not expect to be a problem can in fact disrupt industrial processes. It's important to discover the factory and understand how it works, and it's important to establish trust with the people who work there. "Hanging out on the line and in the break rooms" will give you a realistic appreciation of a facility's risk. You will find, Demoranville and King said, that not everything that looks like a risk is in fact a risk, and that many things that look benign actually do present hazards.
We'd heard earlier from Dragos on the Triton/Trisis malware deployed against a Saudi petrochemical facility. Yesterday Nozomi's co-founder Dr. Andrea Carcano spoke about their own investigation of the malware, including their reverse engineering of the probable attack methods. His conclusion was that "exploitation [of industrial control systems] is no longer for the elite." Increased connectivity, readily available exploitation tools and malware samples, and easily accessible ICS documentation and equipment have combined to lower barriers to entry.
SecurityWeek's 2018 ICS Cyber Security Conference concludes today. We'll have more coverage tomorrow.