Control Loop: The OT Cybersecurity Podcast 7.13.22
Ep 4 | 7.13.22

CMMC and your industrial environment, plus the five most critical security controls.


Dave Bittner: It's July 13, 2022, and you're listening to "Control Loop."

Dave Bittner: In today's OT cybersecurity briefing, a cyberattack hits a Ukrainian energy provider. A Chinese-speaking threat actor targets building automation systems. An Iranian steel mill suspends production due to a cyberattack. The U.S. TSA issues relaxed pipeline cybersecurity directives. A U.S. cybersecurity bill focuses on training. Ian Frist from BlueVoyant joins us to discuss the cybersecurity maturity model certification from the U.S. Department of Defense and what it means for industrial environments. And in the Learning Lab, Robert M. Lee teaches us about the five critical controls for OT cybersecurity. 

Dave Bittner: DTEK Group, Ukraine's largest private energy firm and operator of power plants in various parts of Ukraine, disclosed that it's been the victim of a cyberattack. The attack, in CNN's account, had complicated goals. As DTEK put it, it aimed to destabilize the technological processes of its distribution and generation firms, spread propaganda about the company's operations, and to leave Ukrainian consumers without electricity. XakNet - that's hack with an X - a hacktivist organization that's transparently a GRU front, whatever its denials on Telegram may say, claimed to have penetrated DTEK's networks and published some screenshots as coup-counting evidence of its success. But the actual consequences of the operation, if any, remain unclear. 

Dave Bittner: Vosveteit, relying in part on information from Slovakia's National Security Authority, makes two points that seem to position the incident in the larger context of both lawfare and kinetic combat. They say, these cyberattacks on the consortium occurred just days after Rinat Akhmetov, one of the richest men in Ukraine and a shareholder of DTEK, sued Russia at the European Court of Human Rights for causing billions in damages to his assets. And they also occurred at about the same time Russian forces shelled a DTEK power plant in Kryvyi Rih, a mining and industrial city in the Dnipro region. 

Dave Bittner: Researchers at Kaspersky warn that a Chinese-speaking threat actor has used the ShadowPad backdoor to target industrial control systems in Pakistan, Afghanistan and Malaysia. The threat actor exploited the ProxyLogon vulnerability in Microsoft Exchange Server to gain initial access. The researchers say, in mid-October 2021, Kaspersky ICS CERT experts discovered an active ShadowPad backdoor that affected a number of industrial control systems in Pakistan, specifically engineering computers in building automation systems that are part of a telecom company's infrastructure. A further analysis of the attack revealed other organizations affected by it - manufacturing and telecommunications companies in Pakistan, a telecommunications company in Afghanistan, and a logistics and transport organization - a port - in Malaysia. Apparently, the wave of attacks uncovered by the experts began in March 2021. 

Dave Bittner: The researchers add, although the final goals of the attack remain unknown, the attackers are most likely interested in gathering information. We strongly believe that those systems themselves could be a valuable source of highly confidential information. Additionally, we believe there is a chance that they also provide attackers with a backdoor to other, more strictly secured infrastructure. Kaspersky observed minor links to the Chinese APT Hafnium, but they don't believe these are sufficient enough to make a confident attribution. 

Dave Bittner: A cyberattack hit one of Iran's major steel companies, forcing it briefly to halt production, SecurityWeek reports. The attack struck the state-owned Khouzestan Steel Company and two other major steel producers. An anonymous hacking group - Predatory Sparrow in the Jerusalem Post's translation - has claimed responsibility for the attack, saying that it was done to target the aggression of the Islamic Republic. The group shared alleged closed-circuit footage from the Khouzestan Steel Company in which a piece of heavy machinery on a steel billet production line malfunctioned and caused a fire. The CEO of Khouzestan Steel, Amin Ebrahimi, claimed that the attack was thwarted, saying, fortunately, with time and awareness, the attack was unsuccessful, and noting that everything could be expected to return to normal within a week. Neither of the other steel producers targeted in the attack noted damage or production issues. 

Dave Bittner: Predatory Sparrow has been heard from before, CyberScoop observes, notably in 2021's wiper attacks against Iran's rail system, and Check Point has obtained samples from the most recent incident that link it to the earlier attack. Relatively little is known about the group beyond, that is, their self-presentation as hacktivists opposed to the Islamic Republic. 

Dave Bittner: A report from the Capgemini Research Institute found that only 6% of smart factory organizations have established mature practices of cybersecurity. The report says, we found organizations in general to be inadequately prepared in terms of awareness, governance, protection, detection and resilience. Our analysis indicates that governance is a particular area of concern, with this area demonstrating the lowest level of preparedness across multiple parameters. Response preparedness is also strikingly low. Fifty-four percent of executives say they don't have or do not know whether they have a team dedicated to preparing for and responding to cyberattacks at their organization's smart factories. 

Dave Bittner: After last year's unprecedented Colonial Pipeline attack, the U.S. Transportation Security Administration responded by issuing a set of strict cybersecurity directives for pipelines and other surface transportation industries. The first-of-their-kind directives received pushback from companies and industry lobbyists who felt that the rules, written in the heat of the moment, were too extreme and could disrupt business operations. Now the TSA has released updated, less-stringent directives that industry experts say could indicate how the administration plans to write permanent rules going forward. One revised directive allows designated pipeline operators a full 24 hours to report an attack - twice the time allotted in the original rules. An update to a second directive is expected to be less stringent about required security measures, like multifactor authentication and password reset requirements, which work in traditional business settings but would prove nearly impossible for pipelines' more complicated systems. 

Dave Bittner: TSA says they consulted with industry and government partners in drafting the new rules, explaining the goal is to move to a performance-based model that will enhance security and provide the flexibility needed to ensure cybersecurity advances with improvements in technology. Suzanne Lemieux, director of operations, security and emergency response policy at the American Petroleum Institute, told The Wall Street Journal, we're encouraged by the changes they've made. There were a lot of things that weren't well thought out in the urgency of getting this out last year. 

Dave Bittner: The U.S. House of Representatives passed the Industrial Control Systems Cybersecurity Training Act, a cybersecurity bill introduced in May aimed at strengthening U.S. cybersecurity protections after a government-issued warning back in April about Russia-linked malware targeting industrial processes. SecurityWeek reports that the legislation would amend the Homeland Security Act of 2002 to allow the Cybersecurity and Infrastructure Security Agency to create a free training program, both for government agencies and the private sector. It would focus on cyber defense strategies for industrial control systems. 

Dave Bittner: Representative Eric Swalwell, a Democrat from California's 15th district who introduced the bill, explained, with the increased threat of Russian cyberattacks, we must be cognizant of cyberwarfare from state-sponsored actors. This bill would help train our information technology professionals in the federal government, national laboratories and private sector to better defend against damaging foreign attacks. 

Dave Bittner: C4ISRNET has a summary of the eighth annual Cyber Yankee exercise held by New England National Guard teams last month. The exercise is meant to simulate the National Guard's response to a cyberattack against a critical infrastructure organization. Lieutenant Colonel Ryan Miller of the Connecticut National Guard said they will be paired up with mission partners from water, electrical and gas pipeline, and they're going to be defending those networks or responding to an already compromised network. Connecticut National Guard Staff Sergeant John Young stated Cyber Yankee is an exercise that helps cyber operators develop experience in the field. What you get is the ability for cyber operators to see what kind of threats are out there, how they can mitigate those threats in a cyber environment, as well as getting experience collaborating with industry partners in critical fields for not just Connecticut but other states. It's interesting and heartening to see a National Guard role in the cyber protection of utilities. We hope they learned valuable lessons from Cyber Yankee. 

Dave Bittner: Ian Frist is director of proactive services at BlueVoyant. I caught up with him at the recent SANS ICS security conference in Orlando for his insights on industrial infrastructure and the defense industrial base. 

Dave Bittner: So we're going to be focusing on CMMC and what that means for ICS environments. Can we just start off with the - maybe demystify some of the acronyms and so on and so forth? 

Ian Frist: Yeah. 

Dave Bittner: Can you give us a little bit of the background - what CMMC is, and where did it come from? 

Ian Frist: Yeah, absolutely. So CMMC is the Cybersecurity Maturity Model Certification. And it was announced in 2020 by the Department of Defense as a way to validate the security of their suppliers, specifically the security of suppliers that were processing, storing or transmitting controlled unclassified information, or CUI. I won't call it CUI. I just... 

Dave Bittner: (Laughter) You just can't bring yourself to do that? 

Ian Frist: I can't do it. 

Dave Bittner: Fair enough. 

Ian Frist: I can't bring myself to do it. 

Dave Bittner: Fair enough. 

Ian Frist: And it was - it's really built off of NIST 800-171. So a little history lesson. Starting back in 2017, contractors were required to meet NIST 800-171 to accept Defense Department, you know, contracts. But they only had to raise their hand and say, hey, I meet this, right? 

Dave Bittner: I see. 

Ian Frist: So CMMC evolved out of that to say, we want to add a third-party assessment into this process to validate you're actually meeting the requirements we're asking you to. Now, it grew through some changes - 1.x, they added 20 additional controls and some more levels. They since rolled that back to just the hundred and ten controls in NIST 800-171. And it adds that third-party assessment. They had an interim rule, right now, where you have to upload your score to 171, but the whole idea is to get that third-party assessment as part of it. 

Dave Bittner: And so what does that mean on a practical level? First of all, who's the third party? 

Ian Frist: Yeah, so that's a good point. So the third party being the CMMC accreditation body, right? 

Dave Bittner: OK. 

Ian Frist: So DOD - you know, obviously, they do all the rulemaking, they pass the law, they set the standard. 

Dave Bittner: Right. 

Ian Frist: You know - well, Congress passes the law, right? But they - that's all driven from DOD. 

Dave Bittner: Yeah. 

Ian Frist: And they - the CMMC accreditation body is an independent body that administers the CMMC process. So under the accreditation body, you have, you know, kind of two sets of groups. You have the consulting side, which are your registered provider organizations, or RPOs, and your registered practitioners, your RPs, which work under those RPOs. And then you have the assessment side, which are your certified third-party assessment organizations, C3PAOs, and then your certified assessors and CMMC-certified practitioners - or professionals, sorry. And that's kind of the two sides under CMMC. So the C3PAOs are who will actually carry out the assessments using certified assessors once we have enough certified assessors. Right now, there are provisional assessors - like I'm a provisional assessor, provisional instructor. So that's who will carry it out. 

Ian Frist: Now, the interesting piece of all this is the contractor is required to pay for the assessment. So if you're a DIB member and you process, store or transmit CUI and you see CMMC in your contract, you have to go out, talk to some C3PAOs - there's not a set price - and then tell them - you know, you talk about scope and size of organization and how many sites and... 

Dave Bittner: Can you shop around? 

Ian Frist: You can shop around, right? 

Dave Bittner: OK (laughter). 

Ian Frist: You can shop around. So the idea is they're really hoping for that open market to level itself out, right? 

Dave Bittner: OK, yeah. 

Ian Frist: But there's going to be expense there. And that's one of the concerns with DOD that they're trying to figure out, is how do we make this affordable for small contractors, right? Because the DIB is full of companies that have massive manufacturing facilities that make, you know, tanks or, you know, jet fighters. 

Dave Bittner: Right. DIB is Defense Industrial Base. 

Ian Frist: Defense Industrial Base, yeah. 

Dave Bittner: Yep. Yep. Just checking. 

Ian Frist: Yeah, the acronyms are everywhere. 

Dave Bittner: (Laughter). 

Ian Frist: So the Defense Industrial Base is full of big contractors, right? They have these big primes. 

Dave Bittner: Yeah. 

Ian Frist: But they also have all these suppliers that feed into those primes, and they might make a bolt for the F-35, right? 

Dave Bittner: Right. 

Ian Frist: And maybe that bolt is so specialized, it's controlled unclassified information. So that small machine shop now might have to meet CMMC. 

Dave Bittner: I see. 

Ian Frist: So that's kind of the scope of it. The numbers that have been thrown around - they've said as many as 320,000 members of the DIB, and they expect - I think the last number I saw was 86,000 to need assessed. So that's a lot of companies, especially since there's only five C3PAOs right now. 

Dave Bittner: How does this affect the folks in the ICS world? 

Ian Frist: Yeah, so that's the really interesting piece. And what's interesting about that is in - under the old version of CMMC, there was no clarification about it. So we spent a lot of time, you know, when I was consulting, trying to figure out, does that PLC process, store or transmit CUI, right? That's difficult - right? - looking at that data, trying to figure out if it's aggregated enough to be CUI, working with their engineers and their experts. Well, when they rolled CMMC 2.0, they released a scoping guide. And they included a category of specialized assets, which includes IoT, OT, ICS systems. It also includes test systems and government-owned systems. 

Ian Frist: And what they said was, assessment-wise, you're going to be assessed against one control, you have to have a system security plan. But as a contractor, your responsibilities going into it are you have to list it on your asset inventory - every one of those assets - you have to have it on your network diagram, and you have to show that you're - you pick security controls utilizing your risk management process, not that you just picked them out of the air. So that means you have to have a risk management process. 

Dave Bittner: Right. 

Ian Frist: And you have to use it and show you've used it, right? 

Dave Bittner: OK. 

Ian Frist: So that's a - those are fundamental cybersecurity functions, right? But they're hard to do in ICS sometimes, you know? I got a chuckle yesterday when I was talking. I said, everybody in here has an asset inventory, right? And, you know, of course, everybody laughed because we know, in manufacturing, that's not true, right? 

Dave Bittner: OK. 

Ian Frist: There's a lot of companies that have been running - you know, they turn on the hand grenade line in the morning and they turn it off in the evening. And it's been making hand grenade lines, and it got updated after the Gulf War some time. But really, it's been making hand grenades since World War II... 

Dave Bittner: Right. 

Ian Frist: ...Right? So those systems - you know, they got updated. They're connected, right? They're industrial control systems, but nobody's looked at them in a while. They don't have accurate inventories. They don't have accurate network diagrams. So they've - really what they've done is they've said, you've got to do these fundamentals. They're pushing companies to do the fundamentals, which is great, right? To have that basic thing done, have that asset inventory, have that network diagram. And it's good for a lot of ICS folks because it's usually funding and time that's stopping them from doing that, right? Everybody knows they need to do that but, you know, having that leadership buy-in to get the funding to buy the tool to do the asset inventory, to help you do the network map, right? 

Ian Frist: So now you have a compliance regulation that you can lean on to take back to leadership and say, hey, to meet it, we've got to do this. And I think that's going to be really helpful. I'm also really excited that they're allowing companies to develop their own risk management process and use that to identify appropriate controls. Rather than just checking boxes on random controls that may not fit the OT, they're saying, no, you define what risk is acceptable for you and then, you know, you meet that risk, right? You get to decide what controls to put in place to bring the risk to an acceptable level. 

Dave Bittner: Is there a part of the plan - a standard for measuring success? 

Ian Frist: So on the risk management side and ICS? 

Dave Bittner: Yeah. 

Ian Frist: Not that they've released yet. 

Dave Bittner: OK. 

Ian Frist: I'd have to look at my crystal ball now, right? 

Dave Bittner: Yeah. Yeah. 

Ian Frist: And - because I'm not officially with DOD. You know, I don't - but I think that that will mature with time. I think NIST 800-171 - they've said CMMC is going to follow that. So as it gets revved, as they add requirements, as they add things into NIST 800-171, they might add some more brackets for the OT - the ICS. But that may also depend on how successful this is, right? If assessors go out and it looks like companies are doing the right thing and they're following risk management and they're using appropriate risk management, they may say, hey, we can just let them go because they're doing, you know, what's relevant. So I don't know where that's going to end up. I could imagine where they add a few more things in, right? Maybe they said, OK, we said asset inventory network diagram, but now we want to add in, like, you know, microsegmentation or something like that - right? - like, your ICS network has to be segmented from your IT network or something. But nothing yet - nothing firm. 

Dave Bittner: I see. Is there a sense that this has been, I don't know, adequately collaborative - that there's been, you know, input from industry to make - this isn't just coming down from on high? 

Ian Frist: So that - there was a lot of feedback after 1.x that it had just come down from on high, right? 

Dave Bittner: OK. 

Ian Frist: That academia and the government had gotten together and written this standard and everybody was like, whoa, it's too much. 

Dave Bittner: Right. Meanwhile, back in the real world. 

Ian Frist: Right. 

Dave Bittner: Yeah. 

Ian Frist: There's - so they removed those 20 extra controls. They scoped it back. You know, they've released some clarification. And there is a lot of work - there are a lot of different organizations within the ecosystem working to be that advocate, right? There are different, you know, things working with the CMMC-AB to work on assessment processes and accepted frameworks and things like that. So they are pushing towards that ecosystem - and it does feel like an ecosystem because it's a small group, right? I think there's only 250 provisional assessors right now and less than 70 provisional instructors. 

Dave Bittner: OK. 

Ian Frist: So it's a small group right now. And it - I - you know, DOD is very involved in the process. They show up to CMMC-AB town halls. They've been pretty open. 

Dave Bittner: Yeah. 

Ian Frist: So I do feel that they're listening to feedback. As we know, I mean, it's - nothing happens overnight, right? 

Dave Bittner: Right, right. 

Ian Frist: And there's always people that seem a little frustrated that it's not changing fast enough. But I think, absolutely, they're listening to the industry. 

Dave Bittner: What is the message that you're putting out to people in - is - are we at the stage where it's, you know, don't panic, you know, we got this. There's people - the resources are here. We're going to - everybody, we're going to help you through this. Or - you know, you're out making presentations about this. What's the word you're spreading? 

Ian Frist: So I'll steal this from Rob Lee. I heard it at a conference years ago when he said it. And he said, peddle hope. And I've always kind of held to that... 

Dave Bittner: Yeah. 

Ian Frist: ...Even before I heard it. So I'm always trying to say, hey, don't panic. We can work through this, right? Because I think it's much more helpful. It is coming, right? March 2023, they think rulemaking will be complete for the interim rule and they expect this to be in contracts next summer. So it's coming and it's coming quickly, and it takes time to prepare. But, no, I'm absolutely trying to spread the message that, hey, this is coming. We need to be prepared, and here are some things you can do to help you get prepared. And also that it's a good thing - right? - that this - that regulation isn't always scary. The fact that, especially for industrial control systems - you know, this is bringing some regulation into manufacturing. It's giving you a lever to free up those budgetary constraints. And it's allowing you to use a mature process, like a well-developed risk management, you know, plan and procedure to decide what controls to implement. Those are all good things, right? So that's kind of the message I'm trying to have people take away is that it is coming. You know, we do need to work towards it, but it's a good thing it's coming. 

Dave Bittner: For the folks out there who might be scratching their head and maybe feeling a little overwhelmed by this, where do you recommend they begin? Where's a good place to get started? 

Ian Frist: So you can always go to the CMMC-AB website? I think it's 

Dave Bittner: Yeah. 

Ian Frist: I'll have to look. But, you know, you can start there. Always free to reach out to BlueVoyant - you know, come to the website. But if you go to the CMMC-AB, there is a whole marketplace of registered provider organizations, C3PAOs, and they've at least been vetted by the CMMC-AB as being reputable, right? 

Dave Bittner: Right, right. 

Ian Frist: They've gone through that process. C3PAOs have gone through a whole much more strenuous process - been assessed against CMMC and everything else. But go out there, you know, and be in the community. Look around on LinkedIn. Follow #CMMC, things like that. There are resources out there. There are - even Reddit. There are some - actually some really great Reddit threads on CMMC. 

Dave Bittner: Yeah. 

Ian Frist: But start with the CMMC-AB website. You know, look on there, look on the marketplace. Like I said, we're always happy to help. You know, we can do a call to talk about where you're at, what you need, that kind of thing. 

Dave Bittner: All right. Well, Ian Frist, thanks so much for joining us. 

Ian Frist: Thank you. 

Dave Bittner: Robert M. Lee is CEO of Dragos, and he joins us with this edition of The Learning Lab. 

Robert M Lee: Today, I wanted to talk about the five critical controls for industrial control systems. And this is something that I'm working on over at the SANS Institute, it's something that's informed from the Dragos Year In Review. So it's all based on real insights, right? So it's not theory, it's not, hey, I had an idea. It's off of real incident response cases, real assessments, real work across our customer environments. But realistically, these are the five things you kind of naturally come to anyways. I look at them as being intel-driven. If you take all the different case studies out there of threats that we're responding to and dealing with, what does it really boil down to that you need to do well? 

Robert M Lee: I kind of flippantly say that these are the five things you've got to do for national security risk. If you want to do anything beyond that for business risk, feel free. But if you're not doing these five things, you're probably deficient. And these are the five things that I wouldn't - this is probably overly flippant, but I wouldn't want to be in a position testifying in front of Congress without having done these five things in a major attack. These are the ones that are just kind of commonsense things based off the attacks and incidents we've seen. What we're doing over at the SANS Institute - Tim Conway and I are writing the paper on it. It's pretty much done, but we will probably iterate on it for a while and obsess about it before we release it, and then you'll see quite a bit out of - come out of the SANS Institute - the classes and so forth. But anyways, without further ado, these five. 

Robert M Lee: So the idea behind it is what are the things that we have to do based on the requirements that we're trying to drive as a business and then map it to a framework or standard? And right now, what I see a lot of people make mistakes in is they'll pick up a NIST Cybersecurity Framework or a 62443 or a NERC CIP or whatever, and they'll drive their security program by that standard. But that standard is really there as a lexicon in the same way that MITRE ATT&CK for ICS is. It's a lexicon. It's not a bingo card. It's not go do everything. It's here's a common language and - to be able to talk to your peers across the company and between the industry. 

Robert M Lee: So you should do the controls and then map the output of them to a standard, not vice versa. And the way the controls start - the first control is ICS-specific incident response plan. And what I've seen throughout my career is that folks will first start with, let's think about our architecture and endpoint protection and patching and all these things around our systems. And then eventually, we'll get to a detection program to try to detect threats. And then eventually, maybe we'll respond to threats, and we'll try to figure it out then. And what happens - if you start that way, you don't necessarily get all the things that you're going to need doing the incident response. 

Robert M Lee: So let's hypothetically say that you have 20 requirements out of an incident response, ranging from operations requirements to regulatory to security to compliance to legal to whatever. You have, let's say, 20 requirements coming out of the incident response - just a made-up number. If you don't design for the incident, on average, you're answering two or three of those questions. But if you design for the incident and then kind of reverse engineer your way into it, you're answering 18 or 19 of them. Like, you're always going to miss something, but you're making sure the data and the collection and the insights that you have are supporting what is going to be the worst day for you, which is your incident. And so, you know, again, shortly stated, we take a lot of incident response cases where people have done good security work, but it's all just disjointed. 

Robert M Lee: So the idea is start with the incident response planning first and reverse engineer - what do you need out of your environment, your architecture, your defense program, all these things, to be able to support you in an incident, to be able to answer those critical questions, to make sure you have the right data stored for the right amount of times, from the right locations, that you have the detections that actually get you to the incident - kind of all those things. That first control is so critical because it really sets the theme for every other control and it's where you should be deciding what scenarios you want to deal with. 

Robert M Lee: As an example, let's say you're a power company, and you didn't prepare for China, Iran and Russia teaming up to form a superpower to come at you. Who cares? Never happened before. It's not a big deal. Like, if you get punched in the face by three state actors teaming up to come after you, everyone's going to be like, yeah, no kidding, right? I still think you can defend against it, but everyone's going to look at you and go, yeah, that makes sense. Like, you couldn't prepare for that. That makes sense. But if you're a power company and you're not prepared for ransomware across your operations environment or the Ukraine 2015 power outage scenario or Ukraine 2016 power outage scenario, everyone's going to look at you and go, dude, what? Like, these are three well-known scenarios. They're in your industry. What do you mean you didn't prepare for them? And so I think you have a responsibility to the community and you have a responsibility to the people that your critical infrastructure serves and your shareholders to make sure that the knowns are covered. 

Robert M Lee: Too often, we see people go, I want to know the unknown unknowns. Like, dude, just start with the knowns, and a lot of the things that you cover in the knowns will help you in those unknown scenarios. So anyways, long story short, incident response plan for ICS specifically is No. 1. That should set the scenarios. Those scenarios are going to be things that you can brief up to the board and brief down to operations, brief down to security operations personnel of, here are the scenarios we want to be prepared against. And the scenarios really hearken back to, like, a safety culture and kind of Process Hazard Analysis or HAZOP scenarios. It's very focused on what an engineering mindset would be anyways. 

Robert M Lee: You can use the ICS Cyber Kill Chain to think about those scenarios, as well. And it just really creates an alignment. Do I want every security operations analyst triaging every possible alert? No, that's silly. But do I want to know what tactics and techniques align with the scenarios that I care most about as an organization so that I can create the runbooks off of them and all the processes to make sure that, when those things happen, that we're paying special attention to them? Of course. Anyways, so I get that first control done. I can do things like tabletop exercises and other things in that control, but really it's, what are the scenarios with alignment across the company with an incident response plan specific to them? 

Robert M Lee: The second control then is a defensible architecture. It's not defended, it's not secure. I hate when vendors come out and go, this is a secure product. No, it's not. It's a defensible product. It's a defensible architecture. But adding the human component is what makes it defended, OK? So what is a defensible architecture? Well, it's going to depend on your industry and that scenario. If I come up with a scenario against ransomware, which every industry at this point should have across your operations environment, you're going to find things like segmentation is important. You're going to find things like having IT and OT share an Active Directory server is not helpful, that ransomware commonly compromises Active Directory and then populates that thing like a highway to death - you know, highway to hell just across your organization. So let's make sure that we separate out those AD environments, especially in the critical sites. I might find pretty commonly that my incident response requirements have things that depend on ICS - on that systems of systems. A lot of IT is system analysis and data analysis, a lot of ICS is systems of systems and physics. 

Robert M Lee: So if I want to understand that the logic has been changed on a controller, I'm not doing that with host-based analysis. I'm doing that with network - systems of systems. I need to see the network interactions. So I want to see span ports or tap infrastructure in a defensible architecture, as an example, from that second control, depending on my scenario. So I'm going to pick out those scenarios in control one and have plans against them. That's going to drive what I need out of my defensible architecture. That defensive architecture is going to reduce as much risk as I can, reasonably, while enabling me to add humans in to defend. That gets me into my third control, which in ICS is going to be ICS network monitoring, and so that's going to be all the variety of different ICS visibility products out there. Pick your one that works best for you. 

Robert M Lee: The point, though, is, can I see system to system interaction? Can I understand what's happening inside the protocols of ICS traffic, whether it's the Vnet/IP protocol from Yokogawa, Modbus TCP is a common protocol, OPC for Historian - what's that systems of systems interaction? Can I identify that an engineer workstation changed the logic of a controller across the network? You know, that type of system of system analysis - the benefit of that category, anyways, is that control is going to give you everything from asset inventory to go reinforce that defensive architecture, it's going to give you vulnerability identification in any of your modern products, and more importantly, it's going to get you the detections that you need. So it's kind of - it - reinforcing control two, and making sure that your prevention controls don't atrophy over time. And it's also making sure we can even get to the incident by having the right detections in place, especially those tactics and techniques and procedures of those adversaries and the scenarios we care most about. 

Robert M Lee: The fourth control is going to be a classic IT control - secure remote access. For most considerations, there won't be huge ICS differences. There are some. But in most cases, we'll push for multifactor authentication, especially for remote sessions where we can get it, like an OEM or integrator or maintenance personnel coming in to remote into the site, I want to put them on multifactor authentication. If it can't be supported, then I'll go back and put compensating controls in my defensible architecture and try to have things like jump hosts or extra monitoring or so forth around those accesses. Either way, I need to identify where those accesses are, so I want that visibility and insights from that control three first. I need to understand what my architecture is from that control two, and then I'm going and applying secure remote access where I can. 

Robert M Lee: And then the last control is a key vulnerability management program. A lot of folks come into ICS environments, and they look at it and go, oh, my gosh, it's Windows XP or Windows 7 and, oh, that's so vulnerable. That's a very system view. I'm not saying we can't fix those things, but what is the risk that we're trying to reduce here? What are we trying to solve for? Again, go back to that critical in control one - what do we need out of this? - which should inform what vulnerabilities actually matter. When we, at Dragos, look at our Year in Review reports, we go through every single vulnerability each year on the intel team, and we just think about which ones actually add extra risk into the environment. So something that is either being exploited by adversaries currently or is introducing new functionality into the industrial environment that is risky. 

Robert M Lee: So in other words, if there's a vulnerability that allows me to modify the logic of a controller from an engineer workstation, I'd roll my eyes because that's the whole point of the engineer workstation. I don't need the vulnerability to do that. There's a lot of native functionality in the environment that makes a lot of vulnerabilities useless. But what are the ones that are adding new functionality that is risky or are actively being exploited? And when you look at that, on average, it's about 4%. So what's, like, the four to - I don't know - say 20 - but what's around the 4% of vulnerabilities you should actually care about? Where are they located? And let's go address them. And that can also get into things like software bill of materials where I don't just want to know that Honeywell disclosed a vulnerability. I want to know that three other OEMs also had it and didn't disclose it because they didn't know about it because maybe it was, like, the PIPEDREAM malware taking advantage of the CODESYS software. 

Robert M Lee: So ICS incident response plan - that's going to set the requirements for the rest of the program and alignment across the company, which is usually missing, on what are we trying to solve for? Then it gets to control two on defensible architecture, which is defined by what we need the architecture to support in that incident as well as helping reduce the risk of it. Control three is that ICS network monitoring or network security monitoring - that visibility in system of systems analysis. Control four is that secure remote access, very often multifactor authentication. And control five is the key vulnerability management program. And again, there's a lot of people out there - like, you didn't say anything about antivirus or this or that or the other. Like, there's a lot of controls we're leaving off because these are the five that you - would manifest in the various instances we've seen. These are the five that are most important for you. I'm not saying that other things won't return value. 

Robert M Lee: You should go have business discussions on the rest of things and figure out what makes sense for you based on your business risk. But those five are pretty unalienable in the sense that you really need to be doing those five, and those - that's why we're making them the critical controls. That's why you'll see a white paper come out from SANS, you'll start seeing our courses and you'll start seeing it reinforced around the community. And there's a number of governments around the world I've already talked to that are going to work on amplifying and reinforcing, as well, because it's just common sense in terms of preparing us for those things that we worry about most. 

Dave Bittner: That's Robert M. Lee from Dragos. 

Dave Bittner: And that's "Control Loop," brought to you by the CyberWire and powered by Dragos. For links to all of today's stories, check out our show notes at Sound design for this show is done by Elliot Peltzman, with mixing by Tre Hester. Our senior producer is Jennifer Eiben. Our Dragos producers are Joanne Rasch and Mark Urban. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.