We're in Atlanta this week for the 2019 ICS Security Conference, which opened this morning. We'll have notes and updates throughout the conference. This morning we had the opportunity to hear presentations on the state of operational technology (OT) security and on the risk social engineering poses to industrial control systems.
The state of OT security: the good, the bad, and the ugly.
Mark Carrigan, COO of PAS Global, used his Eastwoodian title to sum up the mixed state of industrial control system security. He saw the good as increased signs of cooperation between OT and IT, with OT beginning to catch up to IT, particularly with respect to access management. Across the industry, he said initiatives have tended to focus on the right things: visibility, audits, and security awareness programs. And above all, companies now understand that OT security deserves investment.
The bad? Attacks on OT are no longer simply collateral damage from attacks against IT systems. The adversaries, especially nation-state threat groups, are now researching OT systems and developing attacks designed specifically for those systems. And unfortunately companies remain reluctant to share information about attacks.
And then there's the ugly, chiefly the confusing OT security market, and the tendency companies have to fixate on "shiny objects," the latest buzzwords and trends. We also find, Carrigan observed, that solution results seem to fall short of expectations, and too much information overwhelms understanding. Too much focus on detection is also ugly: basic protection and recovery mechanisms "can have massive risk reduction."
He closed with four pieces of advice: "Fundamentals matter. Don't chase the shiny object. Integration is key. Industrie 4.0 is coming--get ready."
Social engineering and critical facilities: attack the human, not the technology.
Chad Lloyd, Security Architect, Schneider Electric, began by pointing out that compromising a system very often starts with compromising a human being. Studies indicate, he said, that 97% of cyberattacks try to trick a human being. He reviewed principles of social engineering, and emphasized that social engineering enables an attacker to bypass cyber defenses in depth and physical security measures. He pointed out a mismatch between IT and OT. IT worries about confidentiality, integrity and availability. OT, by way of contrast, is concerned with safety, availability and integrity (which together make up reliability), and only then confidentiality. Social engineering will seek to exploit these different interests.
After a description of how social engineers pull off their confidence games, Lloyd offered some general considerations for making an organization more resistant to this threat. He recommended instituting a security awareness program, with a primary focus on social engineering. Do a baseline assessment, and target training to risky positions. Make the training short, interesting, and interactive. He recommended that organizations include social engineering in risk assessments and penetration tests, and extend such assessments to third parties.
With respect to technology, Lloyd suggested that organizations consider control escalation and mutual control. Two-factor authentication is valuable. He urged that enterprises not permit unmanaged devices on their networks. Endpoint security is valuable (but he cautioned that this isn't a panacea, and that organizations shouldn't rely on it exclusively). One-way sneaker-netting and unidirectional data diodes are also useful.
In sum, he agreed with Carrigan: attention to the basics matters. And those basics include training.