Demystifying the alphabet soup of OT, IT, IoT.
Dave Bittner: It's July 27, 2022, and you're listening to "Control Loop." In today's OT cybersecurity briefing, more deniable DDoS attacks strike countries friendly to Ukraine, assessing Russian intentions and capabilities in its hybrid war. Log4j is now considered endemic. CISA's ICS security advisories maintain 2021's rates. Operational technology and the criminal-to-criminal market. TSA issues revised pipeline cybersecurity guidelines. Our guest is Puesh Kumar from the Department of Energy, discussing the DOE's efforts to secure both critical infrastructure and clean energy infrastructure. In the Learning Lab, Kimberly Graham, senior director of product management at Dragos, talks with Mark Urban about the alphabet soup of OT. That bit of alphabet stands for operational technology.
Dave Bittner: Lithuania's state energy provider, Ignitus Group, sustained a large distributed denial of service attack in mid-July, LRT reports. The attacks had been intermittent over more than a week, peaking on Saturday, July 9, 2022. Ignitus says that it has now overcome the attacks and that its control systems were not affected. Tech Monitor says that Killnet claimed responsibility for the operation. Lithuania, like other Baltic states, has strongly supported Ukraine during Russia's war. It has recently stopped imports of Russian natural gas and earlier this month imposed further restrictions on Russian shipments to its discontinuous Kaliningrad territory.
Dave Bittner: The degree of control Russian intelligence services exercise over Killnet remains unclear, but the group makes no secret of its determination to support Russia in its war against Ukraine. Wired has a brief overview of the group's activities, which have affected targets in Lithuania, Italy, the United States, Romania and Norway. Killnet has declared war against these and other states who've been too sympathetic to Ukraine. For all of its online posturing, Killnet's activities haven't so far risen above a nuisance level. Flashpoint offers a suitably tepid appraisal of the group's work, saying while Killnet's threats are often grandiose and ambitious, the tangible effects of their recent DDoS attacks have so far appeared to be negligible.
Dave Bittner: Grandiose and negligible are never, of course, a good combination from the threat actor's point of view. But it would be unwise to dismiss Killnet's potential out of hand. Granted that DDoS is to cyberwarfare what interference by taxicab radios is to traditional electronic jamming of tactical networks. Nonetheless, Killnet's selection of an energy utility is enough to give reflective observers pause. We heard in our last podcast of a Russian-aligned threat actor's apparent penetration and doxxing of Ukraine's largest privately held electrical utility. So there's ongoing evidence that Moscow's operators haven't forgotten about the energy sector.
Dave Bittner: Western intelligence services continue to look for an explanation of why Russian cyberattacks in support of its war against Ukraine have so far fallen short of the devastating potential widely expected as the special military operation began. They've occurred, and some of them, notably some wiper malware deployed in the opening days of the Russian invasion, have been destructive in their effects. But on the whole, the cyberoperations have seldom risen above a nuisance level. That Russia has been capable of more was shown in its earlier attacks against sections of Ukraine's power grid in 2015 and 2016. Yet during the current war, the lights have stayed on. And indeed, Russian attacks against Ukraine's grid have been conducted by cannon fire or missile strike.
Dave Bittner: Deputy National Security Advisor for Cyber Anne Neuberger reviewed the bidding on July 20 at the Aspen Security Forum. Defense News quotes her as saying, with regard to the Russian use of cyber and our takeaways, there are any number of theories for what we saw and what, frankly, we didn't see. Some argue for the deterrence the U.S. has put in place. And in this, she was alluding to the discussion between Presidents Biden and Putin after the Colonial Pipeline attack. Neuberger goes on and says, some argue that it was the result of the extensive cybersecurity preparations Ukraine did, supported by allies and partners. And some argue that we don't quite know.
Dave Bittner: Ukraine thinks defensive preparations made a contribution to blunting Russian cyberattacks. Illia Vitiuk, head of the cybersecurity department of the Ukrainian State Security Service, pointed to the weeks of preparatory Russian cyberattacks before the actual invasion. He said to CyberScoop, for us, it was like a full dress rehearsal. The Ukrainian services had an opportunity to assess the enemy's capabilities and to address their own vulnerabilities in advance of the onset of war. And he says they were able to make good use of the opportunity. But there's no clear single explanation for why Russia's cyberoperations against industrial control systems have in general failed to materialize.
Dave Bittner: The U.S. Department of Homeland Security's Cyber Safety Review Board has decided that the Apache Log4j vulnerability disclosed this past December - and exploited by various actors since then - will be with us for the foreseeable future. It can be expected to remain a significant risk to the software supply chain for at least another 10 years and maybe longer. This endemic risk presents organizations with at least two challenges - one close and local, the other broad and general. Dark Reading observes that the first of these challenges is one of visibility. Organizations need to know what's in the software they use - and that goes for OT as well as IT systems - whether it's susceptible to exploitation of Log4j and what mitigations they can undertake to manage their risk. The second challenge lies in the open-source software supply chain itself. Open-source software probably requires more attention and more resources than it's too often received.
Dave Bittner: What struck FedScoop about the report were its findings that most of the organizations surveyed lacked software inventories and software bills of material. The CSRB offered 19 specific recommendations and organized them under four headings. They include address continued risks of Log4j, drive existing best practices for security hygiene, build a better software ecosystem and provide for investments in the future. The board's conclusions are worth the attention of all industrial organizations. Some products are integrating the visibility, detection and educational measures the board recommends. One example of this sort of approach was announced by Dragos and Emerson last week. Dragos is extending its ICS and OT cybersecurity solutions to Emerson's DeltaV distributed control system, where it is designed to enhance the protection of process industries.
Dave Bittner: On July 14, the U.S. Cybersecurity and Infrastructure Security Agency released an unusually large number of ICS advisories - 30 in all. Twenty-nine of them affect Siemens products, one an OPEN Alliance design system. Since then, the agency has issued smaller sets of advisories affecting products from MiCODUS, Dahua, ABB, Johnson Controls, Rockwell Automation, AutomationDirect and Mitsubishi Electric. These recent advisories, all of which can be found on CISA's site, represent a continuation of CISA's program of seeking to keep ICS operators up to speed on vulnerabilities and mitigations that affect their systems. A study by SynSaber, reported by SecurityWeek on July 21, counted them up and concluded that CISA had, through the end of June, disclosed a total of 681 vulnerabilities in ICS systems in its advisories. That's slightly more than the number covered in the first half of 2021. So CISA's discoveries and disclosures are running about on pace year over year.
Dave Bittner: Cyberattack tools generally considered are showing increased commodification. Malware is now traded in a variety of dark web markets and can be bought and used by individuals and organized criminal gangs who can thus forgo the need to develop and prove their own malware. It's not just the script kiddies and the lazy who buy their attack tools. It's capable and ambitious gangs as well. Buying malware, buying access, buying the other things you need can simply make good economic sense. Outsourcing works in criminal markets as well as it does in legitimate ones. This criminal market extends specifically to programmable logic controllers. And the market also seeks to present a legitimate face to its potential victims.
Dave Bittner: A Dragos study has found that multiple accounts across a variety of social media websites are advertising programmable logic controller, human machine interface and project file password cracking software. Buyers can retrieve forgotten passwords by running an executable provided by the seller that targets a specific industrial system. So if you're an operator and have forgotten a password to an essential system, you can pay for a tool that will crack the password and restore your access.
Dave Bittner: Forget for a moment that a little reflection on the words password cracking would put even the most obtuse engineer an ABET-accredited college ever spawned on their guard. Password cracking - that can't be good. And in fact, it's not. In fact, it's worse than that. Password cracking software isn't cracking anything. It's exploiting a firmware vulnerability - now patched by the vendor, we note. And more than that, the software also carries a Trojan as a payload. And the unwary user who just wanted to crack a password has given away access to their system. As Dragos says in its conclusion, Trojanized software is a common delivery technique for malware and has proven effective for gaining initial access to a network.
Dave Bittner: Ars Technica points out that the incidents Dragos looked into represent financially motivated criminal activity, but that there's no reason to assume that comparable techniques couldn't be used by nation-state or terrorists to conduct attacks with kinetic effect - to sabotage a dam, power plant or similar facility. To this, we'll add that espionage services and terrorists are also customers in the criminal-to-criminal market, and that commodity malware is as accessible to them as it is to the crooks. So don't try to recover passwords by downloading a cracker from the internet. You'd be better off writing passwords on sticky notes - not that you should do that either.
Dave Bittner: On July 21, the U.S. Transportation Security Administration - the TSA - issued a revised version of its cybersecurity guidelines for pipeline owners and operators. TSA says that the new version differs from its predecessor, which had been released in July of last year, and that it focuses on performance-based rather than prescriptive measures. TSA says the Security Directive requires that TSA-specified owners and operators of pipeline and liquefied natural gas facilities take action to prevent disruption and degradation to their infrastructure to achieve the following security outcomes - develop network segmentation policies and controls to ensure that the operational technology system can continue to safely operate in the event that an information technology system has been compromised and vice versa; create access control measures to secure and prevent unauthorized access to critical cyber systems; build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations; and reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.
Dave Bittner: It goes on to specify pipeline owners and operators are required to establish and execute a TSA-approved cybersecurity implementation plan that describes the specific cybersecurity measures the pipeline owners and operators are utilizing to achieve the security outcomes set forth in the Security Directive, develop and maintain a cybersecurity incident response plan that includes measures the pipeline owners and operators will take in the event of operational disruption or significant business degradation caused by a cybersecurity incident, and establish a cybersecurity assessment program to proactively test and regularly audit the effectiveness of cybersecurity measures, and identify and resolve vulnerabilities within devices, networks and systems. The ransomware attack on Colonial Pipeline in May of 2021 lent urgency to the first set of guidelines TSA issued. This latest iteration reflects the experience gained over the past year, as well as considerable industry input to TSA.
Dave Bittner: Our guest this week is Puesh Kumar. He's director of the Office of Cybersecurity, Energy Security and Emergency Response at the U.S. Department of Energy. Our conversation centers on securing both critical infrastructure and clean energy infrastructure. Here's my conversation with Puesh Kumar.
Puesh Kumar: DOE is the Sector Risk Management Agency for the U.S. energy sector. And what that means is we work with the energy sector, and that spans electricity, oil, natural gas and all forms of generation. So that's everything from traditional fossil fuels to renewable energy to nuclear energy and really across - cuts across all of those generation assets. And so we work with the sector to prepare for and then buy down risk from all hazards. And then, when called upon, we respond in partnership with our partners in industry but also the partners in the state, local, territorial and tribal communities across the United States. And so we're looking at all risks. And what does that mean? We certainly are looking at cyber risks, which is certainly the risk du jour that is on all of our minds today. But we're also looking at natural hazards. We're looking at physical risks to the energy sector and also the more existential risks, such as an electromagnetic pulse or a geomagnetic disturbance. And so we really look at risk in its entirety, and we work with the sector to buy down that risk. And how do we do that?
Puesh Kumar: So there's really three key ways that we really focus on doing that. One, we work on federal and state policies. So we partner with our interagency partners, with the White House and others to really think through what are sensible federal policies to really buy down this risk, particularly in the case of cyber. You're seeing it in legislation. You're seeing it in terms of executive orders. We're really all thinking about, how do we ensure that we better manage cyber risk as a country? The second way we look at buying down risk is we engage in what we call capacity building. So we partner with industry, we partner with states to really run exercises, to develop training, to develop tools, to buy down some of this risk through some of that engagement with the sector. And then last but not least, DOE is inherently an R&D agency. You know, we have 17 national laboratories across the country that are working on some of the most innovative research across the board. And so we get to partner with them to help us develop next-generation tools and technologies to buy down that cyber risk. But we're also partnering with companies across the country, manufacturers, suppliers, cyber technology companies like Dragos, to really ensure that we're looking at innovative approaches to applying those tools and tech to identify cyber risks and then mitigate them, in an automated way, perhaps, and then also respond to them if we need to.
Puesh Kumar: And so we're really looking at cyber risk across all of those different areas, and we're partnering with those different stakeholders, again, industry, states, academia, manufacturers, suppliers, cyber technology companies, to all come together to buy down risk. And that's at the heart of what we're trying to do, is really where I started, which is as a Sector Risk Management Agency, we really need to look at risk broadly and how do we start to address it?
Dave Bittner: It really sounds to me like you and your colleagues are coming at this from a very collaborative point of view. And I'm wondering, you know, how much progress can be made, you know, using a carrot versus a stick. It seems to me like the way you come at this, at least initially, is the carrot side, to try to reach out and be collaborative with all the stakeholders.
Puesh Kumar: Yeah. That's such a great question because, you know, that's something that we think about a lot is what's the right approach? And you certainly have the carrot and then you have the stick. And I would say that, you know, if you look at the electricity sector, you have a little bit of both, and then that's probably healthy. So you have cybersecurity regulations and requirements in the form of the Federal Energy Regulatory Commission, or FERC. FERC is the regulator for the bulk power system in the United States. And the execution of that happens through the North American Electric Reliability Corporation, or NERC. And so they have a very defined role in terms of regulating the reliability of the North American electric grid. And a component of that reliability is cybersecurity. And so they have that role of making sure that, you know, we have baseline requirements for critical infrastructure across the United States. This is important. We need to have baseline requirements that make sense that can be applied across the sector. And so there is a regulatory model that you can call the stick.
Puesh Kumar: From the DOE end, we are the carrot. And, you know, we really do think you need to have both sides. And, you know, we actually are OK not being the stick from the DOE end because that enables more partnerships, that enables more information sharing. So we actually find that companies are more willing to share threat information, reach out about challenges that they're having within the sector in terms of buying down the risk so that we can develop innovative technologies. Because if you have the role of the stick, they may not be willing to share it with you because they don't want you to regulate against that. And so that doesn't mean that the stick is necessarily a bad thing. I think you really do need to have both that keep each other in balance as you start to develop national-level policies.
Dave Bittner: There's a lot of innovation that's going on these days in the energy sector. And I'm thinking particularly, you know, some of the clean energy things. And I know that is a focus of your organization. One of the things that you all are working on is a clean energy cybersecurity accelerator. Could you describe that for us?
Puesh Kumar: Sure. Happy to. So before I jump into the accelerator specifically, maybe I'll take a step back just really quickly to really help frame what's happening in the electricity sector from a clean energy perspective. So, you know, what we're seeing in the electricity sector is a change like we've never seen before. It is a change where we are trying to address the significant risk of climate change. We're trying to buy down risk. That is a separate risk. It's - certainly, we're worried about the cyber risk, but we're also worried about an increasing wildfire season, an increasing hurricane season that we're seeing more and more every year that's costing more and more money from an economic perspective and can also lead to national security risks as well. And so we're seeing the impacts of climate change playing out. And so it is imperative that we really figure out ways to buy down that risk. And some of that's going to happen through the deployment of clean energy systems like wind, like solar. And we really need to start integrating those things along with battery storage and microgrids. And so this is going to take a huge shift in what the grid will look like in the future.
Puesh Kumar: No. 2, we're seeing customer requirements change. So across the United States, customers want to play a more active role in their energy usage. There's been an increase in rooftop solar on homes, remote control capabilities for energy usage, and EV adoption is just skyrocketing across the United States. You know, one of our studies at DOE found that plug-in hybrid EV sales nearly doubled from 300,000 in 2020 to 600,000 in 2021. And so I can't even wait to see the numbers in 2022 and then the out years. And then No. 3, we're seeing changing technologies. And so to integrate the clean energy systems of the future, all the wind and solar and all the things from a customer requirements perspective, we're seeing the technology market change as well. So the architecture is changing. We're seeing how things can better communicate with the grid to make them more reliable, to make them more efficient. We're also integrating a lot of these different sources together to better just strengthen the resiliency of the U.S. electric grid more broadly. Also, we're seeing third parties enter into this market space that was once really controlled by the electric utilities out there. And so we're seeing third parties who are contributing to the grid.
Puesh Kumar: And so we're also now having to rethink how we architect all of these systems. And so we're relying on cloud infrastructure, which, I'll tell you, back in the day, we were very hesitant for the grid to go into the cloud. It made us all very uneasy. But we're having to contend with that because we have to be able to integrate these different sources of generation and cloud infrastructure is going to be one way we do that. And we're going to have to look at remote connections that we never thought we would want in a very critical infrastructure such as the electric grid. So how do we enable cloud remote connections but ensure that they are secure? And so to do that - you know, we've been giving this a lot of thought at the department as we've been watching the grid evolve. And so we're looking at a number of initiatives to, again, really help us address some of these risks as these technologies start to evolve.
Puesh Kumar: And so one of those efforts that we launched last year was the Clean Energy Cybersecurity Accelerator. So it's designed to bring together early stage technologies in an environment that we've set up at the National Renewable Energy Laboratory, or NREL. NREL has this cyber range where they actually have connected a lot of different sources of renewable energy. Think, again, wind, solar, EVs. It's all connected together. And so the idea is we can bring in some of those early stage technology developers for cybersecurity to come in and plug in their devices and see how they work in a real environment. That gives them an opportunity to actually conduct some of the testing of their products and technologies before they're ever deployed out into the sector. What that helps is it helps them better improve their technologies, but it also helps improve these technologies before they ever get deployed.
Dave Bittner: For the folks in our audience who are out there working with critical infrastructure every day, the folks in industry, what's the message from the Department of Energy? What would you like them to know about the potential collaborations?
Puesh Kumar: What I'd like folks out there to know is from an energy sector perspective, the grid is evolving. It's happening every day. It's happening all around us. I find that very exciting because it really does shift how we're thinking about what the grid of the future will look like. What will the smart grid or grid modernization look like? So it is a strategic opportunity, in my mind, to address both the climate risk but also ensure that it's secure. And so - but it's going to take all of us coming together to do that. And so one of the areas where we're really investing a lot of time is on a philosophy we're calling - or a strategy we're calling cyber-informed engineering. And really the idea is, how do we build cybersecurity into early stage design? And so basically, it should be from ideation to deployment. Cybersecurity needs to be throughout every phase of the process as we develop the next generation electric grid, the next generation energy sector more broadly.
Puesh Kumar: And so we all need to come together - standards bodies. We need to have universities and academia. We need manufacturers and suppliers, and we need cyber technology companies, and we need utilities - all coming together to think through how do we really shift to the left in terms of embedding cybersecurity into everything that we're doing so that, you know, we have a cultural shift? And that's one of my hopes, is we have a cultural shift where, in the energy sector, reliability and safety are core components of how the energy sector operates. And I think we need to add security to that, too. Cybersecurity has to be synonymous with the reliability and the safety of the energy sector. In fact, you can't have reliability and safety without having cybersecurity. And so that's the cultural shift that I'm really hoping to drive. And all of us at DOE are really committed to this all the way from the secretary down to the individual staff throughout the programs, that we're making sure that cybersecurity is integrated throughout everything we do.
Dave Bittner: Our thanks to Puesh Kumar from the U.S. Department of Energy for joining us.
Dave Bittner: Joining us this week for our "Control Loop" Learning Lab is Kimberly Graham. She's senior director of product management at Dragos, and she brings us our OT lexicon.
Mark Urban: Thanks, Dave. I'm joined today by Kimberly Graham, senior director of product management at Dragos. Welcome, Kimberly.
Kimberly Graham: Hi. Thanks for having me.
Mark Urban: I wanted to continue with - sort of on the OT 101 topic, specifically focusing on the alphabet soup of OT, IT, IoT, IIoT. And it's important to understand the differences. So let's start with OT.
Kimberly Graham: So OT stands for operational technology. So that's, like, devices that affect physical processes, if you want to go by the NIST definition. But it's basically things that manage industrial systems. And we say ICS, industrial control systems. So it controls things like the movement through - like, water or gas through a pipeline, controlling product lines for things like food production, pharmaceutical production, distribution of electricity, anything involved with those types of industrial systems. And we talk about - lot about industrial systems and things like, you know, the big manufacturing equipment. But it also applies to things like building automation. So if you think about large data centers that need lots of building automation or just, you know, standard office buildings - same with things like medical devices.
Mark Urban: Now, how does that relate to IT?
Kimberly Graham: I think most people know IT is information technology instead of operational technology, and that's really about the data and systems and things that support a lot of business from things like social media to our bank accounts, our health care records, when you book a hotel, you know, when you're searching on Google. All of those things, all the servers, all of that infrastructure that supports all of those systems, all of that is data and information. And that's IT.
Mark Urban: Makes sense. So we're talking security. Which is more important to protect, IT or OT?
Kimberly Graham: It's not some - it's not one or the other, you know, 'cause we want both. We want to protect things like our account information in our banks. You know, we want people to protect our health care records. We don't want, you know, folks breaking in and accessing our private information or our text messages or anything like that. But at the same time, you know, if you go back to the OT world, you know, we depend on electricity, and hospitals depend on electricity. You know, right now, there's a heat wave. We need our air conditioning. You know, we need to be able to drink water. You know, during the winter, we need heat for homes. We need fuel at the power plants themselves. So, you know, while we do want to protect the IT, we also want to protect the OT.
Mark Urban: So that operational technology underlies a lot of the critical infrastructure that we use to live every day. Can you give an example of kind of the impacts if there were a successful attack?
Kimberly Graham: If someone shuts down, you know, electricity, then that impacts everyone's homes. Air conditioning goes out and, you know, now we're worried about the safety of folks who are in houses that are too hot. Same thing in the winter - the heat goes out, you have situations where, you know, people are too cold. Hospitals need power; wastewater processing, and we can't shut off water, especially during the summer. So it becomes huge to just our daily lives. And it's actually a - kind of a life safety thing when it comes to a lot of this operational technology.
Mark Urban: Can you give an example of - or a couple examples about how the world of protecting operational technology differs from the world of protecting information technology?
Kimberly Graham: The biggest difference in the IT versus OT in terms of production has a lot to do with the O in OT - operational. So if you think about IT, we have ways to patch and protect IT systems. We've been doing it for a very long time. It's something that we've built processes around that we can deploy patches to laptops, patches to servers, that kind of thing. If you have something like a laptop that's very old and you haven't patched your operating system - you know, imagine a laptop that you just haven't opened for five years. You turn it on, you start surfing the internet, you're probably going to get infected. We know not to do that. We can't do that in the IT world. But in OT, it's a little bit less flexible. We have infrastructure that's 10 years old, 20 years old, 30 years old. And that's because they need to be up 24/7 with no gaps because the power has to be on all the time. You know, the water has to be flowing, the pipelines have to be flowing all the time, 24/7, no exceptions.
Kimberly Graham: So if you look at the types of technology that they use, a lot of them are older. And they're older not because anyone forgot to patch them or didn't want to upgrade. It's because, by necessity, they need to be older. So these systems weren't built with this idea of all these interconnected systems on the internet. It was really built to be in this kind of protected bubble where systems only talked to systems they were supposed to talk to and so on. There's lots of new technologies, of course, in the OT space. It's not stagnant by any means. It's just that those systems, once they're deployed, they tend to be in that environment for a very long time, and that has to be addressed. So you have to protect OT, but you have to protect it in a very different way.
Mark Urban: Let me throw one more letter into the mix and ask about IoT. Give us your perspective on IoT.
Kimberly Graham: IoT stands for internet of things. So it's the - you know, if you think of your Google Home devices or your Alexa devices - and not just those devices themselves but all the devices that you can control from that ecosystem. So we've seen smart refrigerators. We see cars connected into the system. Thermostats are very popular; cameras; door locks now we have just in folks' homes that you can control with your voice or control with an app on your phone. It's this idea that all of the things, you know, that you interact with in your daily life are just connected to the cloud, and you can control them through various convenient means.
Mark Urban: OK, so that's IoT. How does that relate to OT?
Kimberly Graham: So not a lot. So the IoT that we encounter in our daily lives is very different than OT.
Mark Urban: OK. So let me add one I to the mix and bring us to IIoT.
Kimberly Graham: IIoT is kind of where you start to bridge that. So OT being very different from IoT, you can kind of think of IIoT - industrial internet of things - as IoT for OT. So it's kind of like that. It's a little bit different because we're not talking about Alexa and Google necessarily, but we are talking about interconnected devices that use these, you know, cloud-type technologies, whether that's a public cloud or it's something like an on-prem private cloud. So if you look at all these complex industrial processes, IIoT is something that is being added to make these systems more efficient. So think of it as these smaller devices like sensors and smart meters, location sensors for tracking, things that can provide more data to these analytics platforms that use things like, you know, cloud technologies and big data and all of that, so they can focus on things like product quality, operational efficiency, safety for the workers, environmental health and that kind of thing.
Kimberly Graham: If you look at, like, a chemical plant, like a petroleum refinery, they have things that are, like, tank monitors. So those are really smart sensors that are IIoT that help manage tank levels and look for leaks and warn of potential, like, structural issues. In some industries, you see, like, vibration monitors and all of these different components. If you look at electric utilities, they'll have sensors to not only inform of outages but also add some automation to isolate areas. So that way, you know, an operator doesn't necessarily have to immediately act. It can be something that's automatically isolated. Or there's even a predictive capacity. As these IIoT devices feed information into those, you know, big data and cloud systems, then they're able to actually do some predictive analysis, say, hey, this might look like it's a problem, before there's even a problem.
Kimberly Graham: So these are not independent devices at all. They're fully dependent to be managed by whatever that cloud technology is. Like I said, whether it's on-prem or off-prem, it's still a cloud-type technology where these IIoT devices are being managed, and they're sending all of their data to that system. So there's not, you know, a lot of local storage or anything like that. They have to be dependent on that network, which adds risk. You know, if you look at all of these devices, they're connected all throughout the environment. So they're there, obviously, for a reason. And I think it's definitely technology that makes sense to embrace. But there are always new vulnerabilities. There could be vulnerabilities in the platforms themselves, in the devices themselves, and you see these devices spread out around a lot of different industries. So when you deploy these, when you, you know, decide to architect these environments, you have to make sure that you're deploying IIoT in ways that don't impact your OT environments, in ways that you're not introducing new attack vectors into your OT.
Mark Urban: Can you talk about a couple approaches to, you know, securing the operational technology environment, you know, from potential risk of IIoT?
Kimberly Graham: So the first one that I would recommend is implementing the five critical controls for effective OT security, which I think Rob Lee talked about on the last episode. So if folks haven't heard that, I definitely recommend going and looking at that. That's a great way to reduce risk. Just those five critical controls are huge to implement to protect OT. And then when you're, you know, beyond just, you know, protecting OT from everything, including IIoT, if you look at the IIoT design itself, build an architecture that has proper network segmentation, so an architecture that's actually defensible so you know exactly where they are, what they're communicating to, what they can communicate to, and what they can't communicate to. So having that in a separate network really makes sure that it can't become a new attack vector. Because if there is a compromise of that IIoT platform or of those devices, then they're still locked into that, limited to that one network because of the segmentation. So there's other technologies that may already be in the environment, secure remote access, those types of tools. You're looking for using things like multifactor authentication, jump hosts, firewalls designed for OT, those types of concepts. Another thing that's, you know, not always thought about, is limiting mobile networks like 5G connections into OT sites. Because a lot of times, people say, well, this is air gapped. But then you ask the question, how is it remotely managed? And they say, well, we've got the cellular, this 5G connection that goes into it. And that's not really air gapped.
Mark Urban: Can you explain a little bit about ICS network monitoring and how that helps - kind of once they have the architectures, how does that help kind of manage on an ongoing basis?
Kimberly Graham: So, you know, ICS network monitoring is one of those critical controls. And it's one of the key critical controls. So if you - you know, you can plan and architect all these solutions, but you need to monitor and make sure that your architecture is holding up, that communication pathways that you expect to see are the only ones that you see. So you can keep track of, you know, what's new in my environment? Did a vendor come in and plug something in? You'll see situations where the environment is partially controlled by a vendor or a vendor has access. You want to make sure that you're watching that, monitoring that, not because you don't trust the vendor, not because they're going to do something malicious, but just through the implementation of something they might introduce a change that may impact the security of your architecture. So you do want to make sure you put the time into the architecture, but you need to really validate that architecture and validate all of your - you know, all of those controls that you've put into place with something like ICS network monitoring, so you can make sure that it's running exactly as designed continuously.
Mark Urban: So to wrap up, you know, keeping OT, operational technology, safe is what this podcast is about. IIoT is here - just leverage the critical controls to reduce risk. IT, information technology, that's the bits and bytes that are data and information, very important to secure. Operational technology, OT, that's what manages the physical processes that run electric grids and manufacturing and plants. IIoT are those connected devices like sensors in OT environments to optimize performance of the machinery or plants. Is that a fair summary? Did I miss anything?
Kimberly Graham: No, I think that's very accurate. There's nothing that's ever static, so I'm sure we'll see new technologies come out that may change. But, you know, that's one of the things that we'll continue to track.
Dave Bittner: That's Kimberly Graham, senior director of product management at Dragos. And that's "Control Loop," brought to you by the CyberWire and powered by Dragos. For links to all of today's stories, check out our show notes at thecyberwire.com. Sound design for the show is done by Elliott Peltzman, with mixing by Tre Hester. Our senior producer is Jennifer Eiben. Our Dragos producers are Joanne Rasch and Mark Urban. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.