Control Loop: The OT Cybersecurity Podcast 6.29.22
Ep 3 | 6.29.22

The OT-CERT provides critical resources to the industrial community.


Dave Bittner: It's June 29, 2022, and you're listening to "Control Loop." In today's OT cybersecurity briefing, ICEFALL vulnerabilities affect OT devices. Sandworm is back in action against Ukrainian infrastructure operators. Exploiting Follina in a cyber espionage campaign. Ransomware hits an automotive hose manufacturer. A study suggests that 89% of electricity, oil and gas and manufacturing firms have been hit by cyberattacks. A proposed budget bill would increase CISA funding and other notes on U.S. cyber legislation. Slovenia conducts cybersecurity exercises for nuclear facilities. CISA is making a set of cybersecurity tabletop exercises available to critical infrastructure operators. Dawn Cappelli joins us to discuss how the OT Cyber Emergency Readiness Team is planning to address cybersecurity resource gaps for industrial infrastructure. And in the Learning Lab, Nick Shaw joins us for Part 2 of OT Fundamentals, where he explains the Purdue reference model for industrial cybersecurity.

Dave Bittner: Researchers at Forescout have disclosed a set of 56 vulnerabilities they're calling ICEFALL and that affect OT devices from 10 vendors. Forescout says the vulnerabilities are divided into four main categories - insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates and remote code execution via native functionality. Several of the issues flagged in the report have been known within the community for some time. It's worth noting that some of the vulnerabilities collected under ICEFALL represent design choices that don't lend themselves to simple, straightforward patching. Completely mitigating the ICEFALL vulnerabilities will require vendor-delivered system updates, not all of which are immediately available. In the meantime, network isolation, particularly isolation of OT and industrial control systems from business networks and the wider internet, restricting network connections to specifically selected engineering workstations and, of course, focusing on consequence reduction are the sensible practices affected organizations should follow. CISA noted the report on ICEFALL, and the agency has advised attention to both the report and the mitigation recommendations it contains. CISA also pointed out that five of its recent alerts address issues associated with ICEFALL. Each of those advisories contains actionable mitigations, and users of these products should review CISA's materials and determine where the recommendations apply to their environment. 

Dave Bittner: Researchers at SEC Consult have discovered vulnerabilities in Infiray thermal cameras that could allow hackers to interfere with industrial processes. Steffen Robertz from SEC Consult told SecurityWeek the camera is used in industrial environments to check or control temperatures. The test device was located in a factory where it verified that metal pieces arriving on a conveyor belt were still hot enough for the next process step. An attacker would be able to report wrong temperatures and thus create inferior products or halt production. The temperature output might also be fed in a control loop. By reporting a lower temperature, the temperature of, for example, a furnace might be increased automatically. The researchers noted, the vendor was unresponsive during the disclosure process, hence it is unclear whether patches are available. Customers are urged to approach their vendor contact and request security reviews and updates. 

Dave Bittner: Trellix has identified critical vulnerabilities affecting HID Mercury Access control panels sold by carrier subsidiary LenelS2. The risk here is to plant physical security and access control, but note that access to production systems within a plant has been used before to introduce malware into control systems. These control panels are widely used for physical security, and the researchers were able to exploit the flaws to remotely manipulate door locks. The most serious of the vulnerabilities can allow for unauthenticated remote code execution and received a CVSS score of 10. SecurityWeek points out that most of these vulnerabilities can be exploited without authentication, but exploitation requires a direct connection to the targeted system. Trellix states, customers using HID Global Mercury boards should contact their Mercury OEM partner for access to security patches prior to weaponization by malicious threat actors, which could lead to both digital or physical breaches of sensitive information and protected locations. The researchers note that Carrier was very helpful and cooperative in getting the vulnerabilities patched. CISA issued an alert regarding the vulnerabilities stating, Carrier recommends updating these access panels to the most current released firmware via the LenelS2 partner center. Please contact a carrier support channel partner for instructions. The controller can also be configured to disable web access, which prevents remote login to the controllers' web page. 

Dave Bittner: BleepingComputer reports that Ukraine's computer emergency response team has warned that the Russian APT Sandworm is exploiting the Follina vulnerability in phishing attacks targeting Ukrainian organizations. The phishing emails have DOCX attachments that purport to contain a list of interactive maps. CERT-UA warned that APT28, the GRU operators familiarly known as Fancy Bear, or in this case Sandworm, have opened a renewed campaign of exploitation against systems still vulnerable to Follina, the Microsoft Diagnostic Tool Vulnerability tracked as CVE-2022-30190. 

Dave Bittner: The GRU is running two distinct campaigns, Ukraine's State Services of Special Communications and Information Protection warns. Both of these campaigns use phishing as their mode of access. The phishbait appeals to two very different sets of fears. The first campaign, which Malwarebytes has described, counts on an email recipient's fear of nuclear war, which is especially topical given the ongoing Russian nuclear saber rattling described by the Telegram and other media outlets. The malicious document, Nuclear terrorism a very real threat, carries CredoMap malware as its payload, CERT-UA says. The other campaign uses a more proximate, if less existential dread to induce the recipient to click - fear of the taxman. Anyone in wartime might be forgiven an understandable lapse of memory where paying taxes is concerned. The phishbait sample CERT-UA shares is sternly titled Imposition of Penalties, and the malicious document carries a Cobalt Strike Beacon as its payload. The email's subject is Notice of Non-Payment of Tax. 

Dave Bittner: The goal of both campaigns appears to be espionage, although it's worth noting that CERT-UA sees the tax-themed campaign as directed specifically against critical infrastructure, which suggests that the GRU has concluded that a tax threat is a productive access point to infrastructure operations. This campaign is so far espionage and not yet sabotage, but access to business systems has been used before as a point of entry to move to disruption of control systems. The GRU did it, for example, when it took down portions of Ukraine's power grid in 2015 and 2016. The U.S. government has attributed Sandworm to Unit 74455 of Russia's GRU. 

Dave Bittner: Nichirin Flex-USA, a U.S. subsidiary of Japanese automotive hose-maker Nichirin, has disclosed a ransomware attack it sustained on June 14, SecurityWeek reports. As a result of the attack, the company had to shut down some of its automated production systems and switched to manual processes. Nichirin also warned of phishing emails that appear to be coming from the company, stating, if you reply to these emails, there are risks of fraud, virus infection or leakage and misuse of your personal information. Please do not reply to any unknown email, access the URL listed, open any attachments, etc., and delete the email immediately - good advice, even if the social engineering doesn't put the attacker directly into an OT network. Among the serious information that can be obtained by phishing is, of course, user credentials, and those have provided an entry point into OT networks before. 

Dave Bittner: Trend Micro has found that 89% of electricity, oil and gas and manufacturing firms have been hit by a cyberattack that impacted their productivity within the past 12 months. Trend Micro stated, of the responding organizations that suffered cyber disruption to their industrial control systems and operational technology, the average financial damages amount to approximately $2.8 million, with the oil and gas industry suffering the most. Almost three-quarters of respondents admitted they experienced cyber disruption to their ICS/OT environments at least six times during the year. 

Dave Bittner: On the subject of ransomware, a report from Cybereason found that 80% of ransomware victims who paid the ransom later fell victim to a second attack. In 48% of these cases, the second attack was carried out by the same threat actor that perpetrated the first attack. Cybereason adds that more than two-thirds of those subsequent attacks demanded a higher ransom than the initial attack, and nearly 6 out of 10 organizations were unable to recover all of their systems and data, even after paying the ransom. Since ransomware has shown its ability to disrupt production, the caution applies to industrial infrastructure organizations as well as users of IT systems. 

Dave Bittner: VentureBeat has a summary of Gartner's cybersecurity predictions for 2022 and '23. One of these predictions is that by 2025, threat actors will have weaponized operational technology environments successfully to cause human casualties. Gartner notes that in operational environments, security and risk management leaders should be more concerned about real-world hazards to humans and the environment, rather than information theft. 

Dave Bittner: The proposed budget legislation for the U.S. Department of Homeland Security contains $2.93 billion for the Cybersecurity and Infrastructure Security Agency, CISA, FedScoop reports. Jonathan Reiber, vice president of cyber strategy and policy at AttackIQ, told FedScoop, Russia is clearly an accelerator of increased cybersecurity spending and management, which is to the good. But these investments are long overdue to bring the U.S. government into a place where it is in a strong enough position commensurate with the threat. 

Dave Bittner: CSO Online offers a look at cyber-related legislation in the U.S. Proposed cybersecurity laws that have been passed by the House include the inter-governmental Cybersecurity Information Sharing Act, DHS Roles and Responsibilities in Cyberspace Act, the President's Cup Cybersecurity Competition Act and the Cybersecurity Grants for Schools Act of 2022. 

Dave Bittner: The Slovenian Nuclear Safety Administration conducted a large-scale exercise focused on cybersecurity for nuclear facilities. According to the International Atomic Energy Agency, the scenario involved real operational technology systems with insider threats, external cyberattacks and physical intrusions to a hypothetical nuclear facility, exhibiting the impacts of a computer security compromise of critical operational control systems leading to a nuclear security event. 

Dave Bittner: Elena Buglova, director of the IAEA Division of Nuclear Security, stated, increasing awareness about the response capabilities needed to secure nuclear facilities from cyberattacks is one of the objectives of such exercises. The identification of any existing vulnerabilities, the testing of internal procedures and the strengthening of collaboration among involved stakeholders are some of the practical benefits for the host countries. The interest for computer security exercises is growing, and the IAEA stands ready to support countries' requests in this area of nuclear security. 

Dave Bittner: Igor Sirk (ph), director of SNSA, added, the organizing team and the participants were extremely engaged. The well-tailored scenario offered all of them a firsthand experience on the interconnections between safety, security and emergency preparedness functions during a highly sophisticated cybersecurity incident. Our national capabilities for response to emergencies triggered by cybersecurity events at nuclear facilities have been further strengthened after this exercise. 

Dave Bittner: The Connecticut National Guard is hosting a two-week-long training exercise dubbed Cyber Yankee that's focused on defending utility companies against cyberattacks. WFSB quotes Karmin Ng, deputy exercise director of Cyber Yankee, as saying, Cyber Yankee is a regional exercise that evaluates military cyber teams in responding to a cyber incident. Ransomware attacks, phishing, infiltration are all part of the exercise. The more realistic we can make the exercise, the better prepared, not only in the military participants, but the utility employees will be ready for a realistic cyberthreat. 

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency is also making exercises available to its industry partners that can help them prepare for threats to their operational technology and other aspects of their business. CISA hosted a workshop on June 23 that delivered an overview of the CISA tabletop exercises package - CTEP - an unclassified adaptable exercise resource focused on facilitating discussion around a scripted hazard or threat scenario. Robert Lauer, the workshop facilitator, explained that the CTEP is designed to assist government and industry partners in developing your own tabletop exercises with pre-built templates. There are more than 100 scenarios to choose from. They encompass both cyber and physical security, and some of them involve both categories of risk. The CTEP materials provided as a package include a situation manual, an exercise planner handbook, a facilitator and evaluator handbook and various templates that can be used throughout the exercise. The ultimate goal of the resource is to help facilitate understanding, identify strengths and areas for improvement and/or changes in policies and procedures. 

Dave Bittner: GovTech reports that the workshops will be held monthly and hosted by CISA exercises, infrastructure, security and exercise branch with participation from private stakeholders and critical infrastructure owners and operators. There is no registration required for these workshops, which are open to the public. To get the CTEP exercise material, an organization needs a critical infrastructure community account on the Homeland Security Information Network, which they can apply for on the DHS website. 

Dave Bittner: Dawn Cappelli is director of OT CERT at Dragos. She joins us today with insights on how the OT Cyber Emergency Readiness Team is addressing the cybersecurity resource gaps that exist in industrial infrastructure. Here's my conversation with Dawn Cappelli. 

Dawn Cappelli: Let's go back to 2016. I became CISO at Rockwell Automation, and Rockwell Automation creates industrial control system products. So I became CISO and came up with our security program for our IT enterprise. But then I realized, oh, I think I'm responsible for manufacturing security as well. And back then, looked for, like, OK, what are the best practices? What are the frameworks? And there was really nothing at that point in time. So in January of 2017, we started putting together our manufacturing security strategy. Well, fast-forward to June of 2017 and NotPetya hit, and suddenly the whole world was aware that, oh geez, we have to think about OT security. 

Dawn Cappelli: Previously, you know, in power, oil and gas, energy - they realized they had to think about security because they had been a target. They had been targeted by the threat actors. But if you were in food and beverage, you were just manufacturing, you know, random things that weren't power and weren't targeted, people felt like, why would they target us? We don't have to worry about securing our manufacturing environment. NotPetya changed all of that. So suddenly everyone realized, oh, we need to think about security in our plants. But like I said, there was nothing available, no real standards or frameworks, at that point in time. So that's kind of how it all started. We all were trying to figure this out together. And it's come such a long way since those days. Now we have mature technologies that are specific for OT. We have best practices. We have the NIST Cybersecurity Framework for OT environments. We have the MITRE ATT&CK framework for ICS. So we have much more at our disposal now. 

Dave Bittner: Can you walk us through what that process has been like? I mean, there is such a spectrum of sort of ground truth realities when you think about, you know, all the different organizations that have to deal about - deal with operational technology. How did you decide on a starting point? 

Dawn Cappelli: Well, since I really didn't have anything else to start with - and we had used the NIST Cybersecurity Framework to design our IT enterprise security strategy - I thought, well, let's try that for OT and see how it works. And it worked really well. The biggest thing that I found, the biggest barrier, was getting IT and OT to work together. People are still challenged with this today. IT is used to doing things - you know, it's a - IT security is very mature. OT security is much less mature. And IT and OT traditionally have not worked together. So now you have to get those two very different cultures working together. And another thing that's been really interesting for me, you know, talking about the history of OT security, in, like, 2019, ransomware really started becoming prevalent, and it was hitting really anybody it could but focusing on OT environments because the bad guys realized, if I can take out a company running OT, their security program is much less mature. Recovery is much more difficult. And so they're much more likely to pay the ransom. And so they suddenly started hitting OT, including small- and medium-sized companies. 

Dawn Cappelli: So for me, that was a big turning point in my career. That's what led me to Dragos - was at Rockwell, we didn't used to care about small- and medium-sized companies that manufactured components for our products that had nothing to do with security. They didn't expose our IP. They couldn't be sabotaged to sabotage our product. But then we started getting letters from our small and medium suppliers saying, we were taken out by ransomware. We won't be able to supply your product for at least a month, maybe more. We don't know how long it'll take to recover. And so that really opened my eyes that we have to do something to help these small- and medium-sized manufacturers. 

Dave Bittner: You touched on the cultural difference between the IT and OT side of the house. Can you dig into some detail there? I mean, where does that cultural gap come from? 

Dawn Cappelli: Well, think about your IT environment. You come in in the morning, and your system might have been patched overnight. It restarts. It applies the patch. You don't have to even think about that. In OT, you can't do that. You can't just apply the patch and have the plant restart overnight or even have a few computers restart overnight. So patching is one area that's very different. And secondly, just recovery. Whenever we started our security strategy at Rockwell, we said, OK, are all of the programs, the PLC programs as well as the IT - you know, the IT traditional computers in the plant, are they all backed up? And it was all over the map. You know, some of the PLC programs were on someone's computer under their desk, which probably had never been backed up. So they're just - those are just a few of the very different items. Back then, the technologies - you know, right now we have very sophisticated technologies in IT security. For OT security back then, they were in their infancy. And now they've come a long way. 

Dave Bittner: So that leads us to the Dragos OT-CERT endeavor here, and OT-CERT stands for Operational Technology Cyber Emergency Readiness Team. What prompted the creation of this? 

Dawn Cappelli: So the mission of Dragos is safeguard civilization. And our CEO, Rob Lee, he - you know, he quoted it in a blog. We can't save civilization if we only save the companies that can afford to buy our products and services. If we truly want to safeguard civilization, then we need to help those small- and medium-sized companies that are part of our critical infrastructure. And so that's why we're starting OT-CERT. OT-CERT has two missions, really. One is to provide free resources for those small- and medium-sized companies. And second, we also - you know, we're in a very escalated cyberthreat environment right now, and so at Dragos, we want to be able to have relationships with the OEMs in OT so that when we discover a vulnerability in their products, we are a certified numbering authority, so we can actually work with them on the vulnerability, coordinate the disclosure of that vulnerability and also communicate with them whenever we discover new cyberthreats that appear to be targeting their products. 

Dave Bittner: Well, describe to me how this would all work. I mean, if I'm that small- or medium-sized organization and I decide that this OT-CERT is something that I want to become a member of, what sort of things can I expect? 

Dawn Cappelli: Well, first of all, I personally went through everything on the Dragos website and looked for - what do we have that's applicable for small- and medium-sized companies? Because you figure a lot of them, they don't have a security staff. They outsource their IT security. They probably - the small ones, a lot of them don't have any OT security. Even the medium size, they don't have a comprehensive security strategy. So we'll have some public resources that are already available from Dragos. But in addition, we're creating specific materials for them. So first of all, we've taken the C2M2, the Cybersecurity Maturity Model, and created a light version. And this version is, like, 14 simple questions that they can use to self-assess. Where am I OK? And where do I have gaps? And again, it's specifically for small- and medium-sized companies, not large. 

Dawn Cappelli: So then they identify their gaps. Well, now what? What do I do about it? So every month, we'll have a campaign where we put out a new resource, at least one resource, for them every month that they can use then to address those gaps that they identified in the survey. For instance, our first release of OT-CERT, which will be coming soon, we will put out an asset management resource because we know that that - if you don't have asset management, it's very difficult to secure your environment. So it will explain for a small- and medium-sized organization what do you need to do for asset management, and we'll have an Excel template that they can download and use and just go out and start filling in your asset inventory. Then we'll look - we'll have tabletop exercises. Again, like, a tabletop exercise kit specifically targeted to small- and medium-sized organizations. So those are kinds of examples of the kinds of things that we'll be putting out there. 

Dave Bittner: How do people find out more? And where's the best place to learn about it and sign up? 

Dawn Cappelli: Well, it's going to be launched on June 7, so that is when we will open it up for what we're calling applications. This is because it's open to asset owners and operators - small, medium, large - because another thing that I'm hoping is that those large companies will help promote this to their own supply chain because they, like Rockwell, like me as CISO at Rockwell, I'm sure they're realizing the same thing I did, that I have to help strengthen my supply chain. We're only as strong as the weakest link. And so we're all in this together. We all have to work together on this. So June 7, it will be launched for people to go in and apply. Then they'll get an account, and they'll get information on how to log in. In a few weeks, we'll have that first resource kit out there and available to them. And then we'll start scheduling the workshops, and we'll get this thing going. 

Dave Bittner: All right. Well, Dawn Cappelli, it's exciting stuff. Congratulations. Looking forward to following along as this develops. Thanks for joining us today. 

Dawn Cappelli: Thank you. 

Dave Bittner: Our thanks to Dawn Cappelli from Dragos for joining us. 

Dave Bittner: In today's Learning Lab, Mark Urban welcomes back Nick Shaw for Part 2 of OT Fundamentals, where he explains the Purdue reference model for industrial cybersecurity. Here's Mark. 

Mark Urban: Thanks, Dave. Last episode, we discussed some of the differences between operational technology, OT, and informational technology, or IT. And we're continuing that discussion again with Nick Shaw, advisory solution architect at Dragos. Nick, I think you wanted to start going to the next level in with something you call the Purdue model. Could you explain what the Purdue model is, please? 

Nick Shaw: The Purdue model was developed in the '90s, and really, it was a method of organizing assets into different layers and grouping those assets when you look at connecting an enterprise to the shop floor. So simply, what it is, is a model where end users or integrators can really follow and tie together various applications from those various levels of enterprise to plant floor. And we'll dive into what some of those levels are. But at a high level, it's a way to get data from your plant floor, where your processes lie, to the enterprise to make better and faster business decisions. So as you move down the various layers of the model, time frames and increments become smaller. And I'll expand on what I mean for those. But really it's level zero up through level four, where level four is the business systems for production scheduling, really material use, ordering of new materials, logistics for the raw and the finished goods. And the time frame you're looking at at level four is really looking at a window of months to weeks, days and shifts. And then when you move down to the next level - is level three - really that's where operations for manufacturing is - batch management, manufacturing execution, plant performance systems and your data historians. And those time frames move into shifts, hours, minutes, seconds. 

Nick Shaw: Now, when you get into the next couple of layers - levels two through zero - you look at things from milliseconds, even nanoseconds, when you're talking about controlling or monitoring a physical process. So level two - working down - you've got control systems for supervising, monitoring and really controlling the physical process itself. So this is where supervisor control and data acquisition live. This is where I'm collecting data from the live process. I'm making decisions based off that data. I can go back and schedule maintenance or predict when I need maintenance. I can do reporting and visualization based off that data. And then level one is where intelligent devices, such as the controllers - the PLCs or RTUs, you know, to actually control batch processes, discrete processes, continuous process or electrical generation, refinery of oil - those different things live. And then when you get down to level zero, these are where the actual physical process lives. You've got things like sensors that are taking different values from a process, whether it's a temperature, how much moisture is in the product, weights for a checkweigher - different things that would be instrumentation to manipulate that physical process. 

Mark Urban: Got you. So Purdue model is sort of a logical model - a way to think about how the different levels or componentry of industrial systems are organized - all the way from the top, where it's kind of enterprisey (ph) IT stuff, and then going into the actual operational side of it, all the way down to level zero, which are sensors checking if water is moving, sensors checking the temperature in kind of refinery boiling pots. And I'm - I know I'm not using the proper terms there. And each of those levels has, you know, particular kind of tolerances for time and latency and in different types of systems that kind of live in there. But you brought up a couple of different kind of terms that I just wanted to kind of test with you - see what - I think one of them that you talked about was a PLC. What's a PLC? 

Nick Shaw: Yeah, so these are different devices. I threw out a couple acronyms and in industrial we have alphabet soup. So a PLC stands for Programmable Logic Controller. And really, it's a smaller, hardened, environmentally harsh device that can handle inputs and outputs, process logic and makes decisions based off of the various inputs and set points to command a machine via outputs. So this is really the brains of a piece of equipment - a manufacturing line that a operator interacts with. And these are typically a smaller computing device, hardened for harsh environments that have vibration and impact resistance, variable temperature ranges, and they're fanless. So these are really used for process control in an environment. And so these are found as part of that level one in the Purdue model for intelligent devices that are really managing a continuous process control batch, discrete or otherwise. 

Mark Urban: What else is in level one? 

Nick Shaw: So from other devices that are in level one, you've got HMIs. And an HMI is a Human Machine Interface and it is exactly what it is. It's really an interaction device that shows you what's going on in a process. So it could be a physical control panel with push buttons and indicator lights or a graphical screen or touchscreen for an operator that can view or control a process. So this is the main interface that you have to a PLC for manipulating set points, being able to monitor what the process is doing - so getting feedback out of the machine or the PLC that makes up the machine to be able to look at the process. So when you're looking at additional devices, you have, depending on the application, you could have an RTU, which is a Remote Terminal Unit. And this is really something that's used in a wide geographical use - very common in electric sector, oil and gas. And it's kind of like a PLC that handles inputs and outputs, and they make up a distributed system that can collect data through various sensors, like a PLC, and send that data to a central monitoring point such as a control center. 

Mark Urban: So we just talked about the Purdue model. Can you take us through some of the devices that you mentioned when you were kind of going through those different levels? 

Nick Shaw: Yeah, absolutely. So a PLC, which I mentioned before, it stands for a Programmable Logic Controller and these are hardened devices for harsh environments that have vibration and impact resistance, variable temperature ranges, and they're typically fanless devices. So a PLC is really used for process control. I consider it the brains of a machine or process, packaging line - the various different applications for using a PLC. This is really one of my crown jewels when I'm looking at a facility. And a PLC can be found in level one of the Purdue model. It's typically where we see controllers, like PLCs or RTUs - a Remote Terminal Unit - and other different distributed control systems. So level one is where I find a lot of PLCs controllers and otherwise that really just handle IO, process logic and really control and monitor the process. 

Nick Shaw: Another acronym I threw out there was an HMI, and that's a human-machine interface, and it is exactly what it is. It's really a way for a human to interact with a controller or a piece of machinery. It could be a physical control panel with push buttons and indicator lights or a graphical screen or touch screen for an operator to view and control or manipulate a process. And a HMI, typically, can be found at two different levels. You can have a local HMI tied to a physical piece of equipment, whether it's a case packer, a welding station, et cetera. And those can also be found at level one in the Purdue model. Sometimes you'll see a supervisory HMI that's distributed that you'll see at level three, more looking at the overall facility from a manufacturing operations perspective or, like, a control center, for example. 

Nick Shaw: Then, when you look at other devices that you would find in an OT environment for industrial, you have data historians. And, really, this is a digital data record that's taking time-base values from the process. And sometimes, this is used for regulatory compliance reasons, but it also can be used for observing historical data on the process. So this is extremely useful for diagnosing failures. You can look at various metrics from the different parameters, from a controller and from a process, and collect different telemetry from sensors that are actually monitoring or manipulating the physical process down at level zero. So you would find a data historian up at that operations level, level three, of the Purdue model. And this is also helpful for planning proactive maintenance and scheduling that planned downtime to really help guide how you're making business decisions for when you should be running, when you should be doing maintenance, ordering raw materials, et cetera. And then you've got sensors and actuators. These are - could be temperature probes. They could be looking at moisture for a product. They could be weighing raw materials that go into a batch for making a final product, motors, different things that control, like, a conveyor belt, for example, valves or flow meters - these live at that level zero. This is really affecting the physical process from an instrumentation standpoint. 

Nick Shaw: Now, when you talk about other common elements in OT, you've got IT-like elements like a network switch, a router, a Windows workstation. Now, these might have specialized usages, whether it's performing administration functions, like an engineering workstation that's actually programming the controllers on the plant floor. An operator workstation - that's your distributed HMI looking at supervisory functions across a plant. You might have these IT devices that are playing different roles in an OT environment that could have some impact. 

Mark Urban: Nick, you just went through quite a bit of alphabet soup, like you said, like you warned us on episode one with this world. An incredibly different set of devices, complexities in how they communicate, tolerances in communication latencies, languages and protocols that they speak at - you know, a vast, kind of different world than we're used to living in the IT side of the house. That's a lot to take in and, frankly, you know, it's a complex area when you're talking about cybersecurity. So if you're to take a step back, what's the approach that you see being most effective for people to start approaching this issue of protecting that, you know, highly complex and different world? 

Nick Shaw: Great question, Mark. And you've really got to figure out what you have in your environments, on your plant floor, in your processes to figure out what's the strategy I take to secure it? And I know in a later episode, we're targeting - I'm discussing five critical controls for industrial controls cybersecurity. So when I look at getting started, I want to know what's in my environment, what different types of devices are out there, how are they communicating with one another? How are they affecting the physical process? And then I can start looking at criticalities for those devices. Do they cause bottlenecks? Is this, you know, potentially a safety issue with the product I'm making or a people safety? 

Nick Shaw: So once I figure out what I have in my environments, I can start coming up with a strategy to be able to look at, how do I defend this architecture? How do I create a standard for my environments to really adopt a model like the Purdue Enterprise Reference Architecture, which is not a network - a network standard - but there are different standards and guidelines out there for designing networks to follow those different levels of Purdue. And once I can put in a defensible architecture - of course, I want to be monitoring communications between these assets to look at various threats that I might be seeing. And threats, you know, I want to reiterate that they're not just threat adversaries, but it also could be internal. It could be changes to these devices. If somebody makes a logic change to a PLC and changes how it's handling that input or output, that could result in a safety, productivity or quality issue. So find out what you have, as a first step - various assessments, various tools out there to find out what you have from this environment and be able to identify, where are my PLCs, where are my HMIs, engineer workstations, et cetera? And then, you can come up with the strategy to put a defensible architecture in place, monitor that environment and then take further steps for additional controls. 

Mark Urban: And Nick mentioned that we'll kind of have a recap of some of those and a couple other things in an upcoming episode about the five critical controls. Thanks to Nick Shaw, advisory solution architect. Nick, thanks very much for your time today. Back to you, Dave. 

Dave Bittner: And that's "Control Loop," brought to you by the CyberWire and powered by Dragos. For links to all of today's stories, check out our show notes at Sound design for this show is done by Elliott Peltzman, with mixing by Tre Hester. Our senior producer is Jennifer Eiben. Our Dragos producers are Joanne Rasch and Mark Urban. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.