2021 Hack the Capitol panelists discussed IT-OT convergence and divergence, legislative solutions, supply chain security, China, Defend Forward, compliance, risk management, the Mideast landscape, the role of the press, and human nature—with frequent reference to Oldsmar, Florida.
Hack the Capitol: views from the panelists
Hack the Capitol's panels offered some valuable perspective on infrastructure protection, supply chain security, and public-private partnership. The discussions are particularly interesting in the light of recent US Federal undertakings to address cybersecurity.
Defending forward in industrial control systems.
Jamil Jaffer, Executive Director of the National Security Institute, led discussion with David Weinstein, Associate Partner at McKinsey & Company, Marie O’Neill Sciarrone, CEO of Tribal Tech, and Vishaal Hariprasad, CEO of Resilience, about developments in the Operational Technology (OT) space, whether Defend Forward (DF) makes sense there, and what industrial control system (ICS) operators need from the country’s leadership.
The panelists noted a trend towards IT-OT “convergence” that brings new vulnerabilities and risks. Once-isolated ICSs are increasingly connected across the OT and IT environments. Many even have a public-facing Internet connection. The pandemic accelerated the drift towards remote access, which assists business interests like real-time status updates, but as Sciarrone pointed out, documented ICS attacks date back to the 1980s. Since we’ve known about the relevant attack vectors, adversarial intent, and impact for decades, she said, it’s time to take a hard look at how to move the needle.
The jury’s still out on whether DF works for ICS infrastructure, in the panelists’ view. Hariprasad observed that attacks progress through OT networks very differently than through IT networks, and leverage idiosyncratic features of ICSs. OT assets are distributed and, perhaps most importantly, difficult to patch, since patching typically requires shutting down operations. Offensive measures tend to ricochet back on the sender, so DF campaigns may make matters worse. Weinstein said IT strategies often don’t translate well to OT environments, and DF may not account for the “nuances” of OT security. Changing enemies’ risk calculus is generally a good thing, but there are many open questions with regard to specific scenarios: what are the enemy’s goals, where are the red lines, what actions will be undertaken, how will the enemy respond, and what could be gained and lost?
There’s a communication gap between cyber officials who are concerned about variables like intelligence gain (or loss) on the one hand and ICS operators on the other, whose primary concern is often their bottom line. What operators really need from the Government, the panelists argued, is actionable information. In Sciarrone’s words, officials need to tell operators what to do, how to do it, and why it matters to them. At minimum, operators would benefit from knowing the adversary’s objective. Hariprasad added that tools, not reports, are the answer, and financial incentives would also be nice. Weinstein noted that the ICS space is under-resourced and nowhere near cyber maturity: what operators need to know is where to invest to most efficiently shrink risk.
Two broader problems with DF, in Sciarrone’s eyes, are whether it’s moving us towards a segregated Internet, and how it protects general consumers. Chinese firms are flooding the market with IoT devices sold at a loss, and we’re paying little attention.
The panelists closed with some words of wisdom for the country’s cyber leaders. It’s “crazy,” Jaffer remarked, that Mom and Pops are expected to defend against APTs—and without clarity about what measures are permitted. Weinstein stressed that deterrence is crucial to take the burden off the backs of ICS operators, and Sciarrone pointed to the problem of many hands as a root cause of Government ineptitude. The new Federal “A Team” needs to prove itself by applying lessons learned, starting with settling roles and responsibilities. Congress struggles with handing out authorities without rolling any back, a recipe for ongoing turf wars. Legislators also love to propose new solutions instead of applying existing ones. (Case in point: the regularly recycled plan for a cyber reserve.)
Last but not least, in order to “make cyber cool again,” leaders need to speak so that people can understand, and keep the lines of communication open between the cyber nerds, policy wonks, and boots on the ground.
ICS security: the view from Europe.
Samuel Linares, Managing Director at Global Industry X, discussed the view from Europe with Anton Shipulin, Industrial Cybersecurity Lead at Kaspersky, Agustin Valencia, Global Head of Operational Technology Security at Iberdrola, and Suzanne Rijnbergen, Director of ICS Security at Accenture. The panelists agreed that ICSs have become a hot topic in recent years—paralleling the rise of formerly air-gapped controls’ new hyperconnectivity—while back in the day, only fields like oil and gas worried about it. Chemical and nuclear utilities were “first movers,” then manufacturing joined the party. Different countries still have different priorities and levels of maturity, but Stuxnet changed the game globally.
The evolving threat and geopolitical landscapes complicate security for people like Shipulin, who are trying to do their jobs in an effective warzone. Tensions in Russia are high, he said, centered around the US and NATO. Rijnbergen and Valencia noted that supply chain concerns have taken on new weight, but sometimes there are few alternatives to untrusted vendors, and the question about how to manage existing untrusted gear has no easy answer. If countries adopted nuclear-level standards for every sector, the delays would be prohibitive.
The panel swapped war stories about increasing regulatory and compliance burdens, which they generally agreed divert resources from real risk management efforts and cultivate a culture of “comply and lie” as firms learn to game audits. Checking a box does not guarantee security, Valencia remarked, especially when that box says something like “collect logs,” without the requirement to analyze them. He described compliance as a vicious cycle where operators become more concerned with paperwork than security, leading to more failures, then more rules. A “lose-lose” situation is born, since failure to comply carries penalties, but complying leaves no time for actual security. Firms begin doing the math on whether those penalties are worth eating.
Shipulin shared that a 2018 critical infrastructure protection law is the chief cybersecurity framework for Russian industries. Three years later firms are still drowning in paperwork and haven’t completed the first requirement, assessing facilities’ criticality. That energy could be better spent, he said.
Minimum standards may be helpful for those still ‘learning to walk,’ Valencia said, but beyond that, organizations need to dial into their specific circumstances. Trying out another metaphor, Rijnbergen said a “north star” can help orient security efforts, even while full compliance remains a myth, but firms can’t hide from threats behind compliance. Realistically, she added, operators are motivated by risk management—if not financial or reputational, then compliance risk can get the ball rolling.
Effective risk management, Valencia said, no matter the region, requires modeling responsibilities and coupling them with accountability, empowering CISOs and CIOs, and ensuring visibility into the “crown jewels.” Rijnbergen stressed that visibility into processes and governance is just as important as visibility into technology, and ownership of ICS security elements like gear, data, and vendors needs to be settled in the boardroom. Shipulin mentioned that managing risk through managing people requires respecting their expertise, especially in OT, which means taking pains to understand operators’ daily duties, then supplementing their security practices without piling on their plates.
To advance the ICS workforce, Shipulin proposed local native language professional networks and communities as an antidote to the isolation and lack of information-sharing too often seen in the sector. Plenty of resources exist; the barrier is awareness. Rijnbergen said the industry should practice outreach and share best practices both locally and internationally via neutral organizations, social media, and a diversity of role models. Paying professional rates, Valencia added, would be a step forward towards encouraging and valuing OT know-how.
The panelists hoped the future of ICS security would include greater homogeneity as a means to greater agility, and respect for the motto, “if you connect, you must protect.” Observing that what was once an obscure trade is now a national security priority, Shipulin expressed a desire for an evolution of the geopolitical situation such that we come to agree on the rules of the road. In the meantime, he advised that the international community keep calm, and collaborate on.
ICS and the Cyberspace Solarium Commission.
Mark Montgomery, Senior Advisor for the Cyberspace Solarium Commission, moderated a conversation between Representative Mike Gallagher (Republican, Wisconsin 8th) and Samantha Ravich, Commissioner at the Cyberspace Solarium Commission. They attributed the Commission’s success to its development of concrete legislative proposals, noting that Government efforts towards security are often characterized by incoherence, fragmentation, and inefficiency, and onlookers’ advice often hits the wrong level of abstraction. The Commission’s white paper on the information and communication technology (ICT) supply chain—which undergirds ICS security—spelled out five clear steps towards cohesive remediation, for example.
It also helped that the country is at last awakening to the interdependency of geopolitics and critical supply chains, evinced namely by the “big China problem,” where a powerful centralized economy has established dominant market positions through unfair trade, IP theft, and political bullying. Even the response to Beijing has lacked an overarching strategy, however, and much work remains to be done.
Another area that exhibits the country’s room for growth is water utility security, which “terrifies” Ravich. Energy receives lots of love, but most people would do fine without power for a spell—as our adversaries are well aware. The Oldsmar incident demonstrated that rudimentary cyber hygiene practices are routinely ignored, and this “soft underbelly” of national security has been inadequately attended to by both the public and private sector. While the telecom industry, for instance, is starting to design for security, many water plants still run on Chinese gear and don’t update passwords. The Commission is investigating a number of potential solutions, from loans to training, intelligence sharing, and boosting manufacturing standards.
Other panelist wish list items include the following:
- clarifying national policy with enduring legislation, as opposed to transient executive orders (EOs)
- streamlining appropriation and authorization authorities
- networking OT operators and Federal agencies through info-sharing opportunities
- empowering Sector Risk Management Agencies with clarified responsibilities
- standing up a National Supply Chain Intelligence Center to better gather and distribute risk intelligence
- standing up a National Cyber Certification and Labeling Authority to oversee a voluntary certification regime
- centralizing efforts to assess key technologies
- conducting an evaluation of which, if any, recently enacted measures would have stopped Holiday Bear
- establishing a Continuity of Economy plan to mitigate the fallout from a devastating attack
With regard to the last point, Ravich noted, our enemies must see that we’ll quickly pick ourselves up and fight back if they hit us where it hurts.
Supply chain security: preventing the next big hack.
Tatyana Bolton, Policy Director at R Street Institute, moderated discussion between Alexiaa Jordan, Lincoln Network Analyst, Nina Kollars, Associate Professor at the Naval War College, and Megan Samford, Schneider Electric VP.
The panelists recapped China’s strategic moves to eliminate foreign vendors from their ICT supply chain while pumping as much software and equipment as they can into other countries’ ecosystems. The long-term goal is global dependence on China, which would mean Beijing gets to write the rules. Companies face a difficult choice in the short term, however, between accepting the risk that comes with adversarial vendors, or paying more for trusted supplies. Jordan praised President Trump’s initiatives to remove China from the supply chain, but Kollars noted that many countries have had trouble with the security-cost tradeoff. Some crunch the numbers and decide to take the risk, so the US needs to chart its own course while continuing to try to persuade allies to come along, preferably with carrots, not sticks. Bolton noted that plenty of domestic industries struggle with cost-security tradeoffs as well, as seen at Oldsmar.
ICS security is also plagued by human psychology issues, the panelists agreed. Pride, ego, and turf wars can get in the way of progress, as can a preoccupation with “flashy” wins over mundane measures. People also prefer to ignore hard problems (like defense) and focus on what’s obviously fixable. Some face or fear retaliation for raising red flags, due to a lack of reporting avenues and whistleblower protections. Although security lapses are safety lapses, Samford said, cyber organizations have not instituted safety culture protections for disclosing problems, so everyone knows about terrible risks but keeps their lips sealed.
States and smaller organizations also lack the resources to address many of the current challenges, as earlier panels noted. Looking at something like the SolarWinds breach, Samford said, it’s not clear what resources would have improved the situation—if not static analysis or penetration testing, maybe only something like whiteboard coding. Prioritization is necessary in the face of limited resources. OT security covers the full lifecycle from development, sourcing, and shipping through installation, operation, and maintenance, but the front end deserves special attention given the long lifespan of ICS equipment.
The panelists identified a number of other ICS security areas for growth, echoing previous speakers’ calls for a national strategy in place of ephemeral EOs, workforce development efforts, and robust partnership across sectors and skillsets. Kollars mentioned the broad need for both technical and social, STEM and humanities skills in the industry, and flagged the importance of calibrating cyber conversations to participants’ levels of expertise. Some organizations need help with basic hygiene practices; others are leaning into initiatives like the Department of Energy’s Cyber Testing for Resilient Industrial Control System (CyTRICS) program.
The industry should also look to examples from other fields, like disaster management, where Incident Command Systems are a game changer, and the safety world, where scalable, interoperable accountability mechanisms safeguard systems and employees. The general field of human relations is also instructive. In a previous panel, in the context of cross-sector collaboration, Shipulin observed that it’s better to make friends than enemies. Samford passed along additional words of wisdom that could bolster information-sharing efforts: you have to be a friend to have a friend.
ICS security in the Mideast.
Omar Sherin, Cybersecurity Partner at Ernst and Young, led conversation between Sarah Al-Kindi, Cyber Defense Senior Specialist at Petroleum Development Oman, Darweesh Al-Buainain, Chief Information Security Officer at Saudi Aramco Total Refining and Petrochemical, Reem Al-Shammari, Digital Transformation Leader at the Kuwait Oil Company, and Aasef Iqbal, Solutions Architect at Fortinet.
The panelists identified several impediments to OT security. Operators are typically saddled with legacy systems, and their skillsets often don’t extend to cybersecurity. IT experts, on the other hand, are usually unfamiliar with the particulars of OT. The resulting challenges are both technical and managerial. As the industry rolls out automation projects, administrators are working to adapt IT security techniques for OT equipment, and implement behavior analytics tools.
The evolving threat landscape presents another challenge. Over the past couple of years, the average price tag of an attack on OT systems in the Mideast has nearly doubled. Threat actors are increasingly diverse and motivated, with some old hands reappearing, but OT security hasn’t kept pace with the threat level. Visibility into systems remains poor, equipment is outdated but increasingly connected, assets aren’t inventoried, networks aren’t properly segmented, and security by design is a long way off. The panel stressed that human life is at stake, in addition to business outcomes.
The Mideast has it particularly bad, the panelists agreed, thanks to the geopolitical landscape, not any unique regional security failings. Mideast cyber investments are significant, but the area presents a tempting target with prolific oil, gas, and aluminum plants.
Their proposed path forward should sound familiar. Clarifying individual roles and responsibilities smooths large digital transformation projects where accountability can become confused. Formalized cybersecurity standards and accreditation protocols can help weed out unsafe vendors with, for example, poor patch management policies, as can testing labs and open communication between stakeholders. Information-sharing can be tricky given the high stakes of OT security, but utilities should strive for continuous improvement in this arena as well. OT and IT experts need to learn each other’s languages. Administrators should aim for a zero trust approach, and plan in advance for connectivity when implementing new solutions.
The panel largely agreed that one coherent strategy for OT and IT security and risk management would be ideal, since the “separate but aligned” approach has failed for a decade.
ICS and the press.
Kim Zetter, Cybersecurity Journalist at Zero Day, talked shop with Nicole Perlroth, Cybersecurity Journalist at The New York Times. Perlroth warned about the shadowy, unregulated zero day market, and Zetter ran through the genius of Stuxnet. They described journalists as “translators” from expert-speak to the language of laypeople and policymakers, and “contextualizers” of specific incidents within larger trends.
Zetter and Perlroth used to be able to cover every cyber event, and even had slow news days. Now, breaches are like shootings, and they have to prioritize stories with a novel element or those that illustrate noteworthy developments. Nation state attacks, and new vulnerabilities, actors, and tactics are the sorts of occurrences that would clear the bar of public interest. The breach beat, Zetter noted, is still useful for consumers who wouldn’t otherwise learn of threats to their data. Cybersecurity journalism is a big tent with demand for all sorts of reporting from daily happenings to regulatory advances and geopolitical movements. ICS coverage, for example, is a burgeoning market.
Two challenges the panelists wrestle with are the tension between getting people’s attention and accurately conveying nuance, and the balance between conveying the gravity of cybersecurity and portraying the situation as frightening and impossible. The moral often doesn’t sink in without “hype,” but with hype, the wrong moral sometimes sinks in. Journalists have limited influence over how their stories are received, and sometimes the narrative goes off the tracks. The ransomware incident at Düsseldorf University Hospital, for example, is still incorrectly described as the first fatal cyberattack. Something else that bothers both panelists is when stories remain unresolved. In the cyber world, as in the kinetic world, events sometimes get covered up, or the trail of evidence runs cold.
Perlroth and Zetter offered cyber professionals some communications advice. When dealing with reporters who aren’t subject matter experts and can’t do the translating for you, try to pitch the content at a more digestible level of technicality. Media training can help here. Presenting information in historical context is also useful for a lay audience. Perlroth found it helpful to hear, for example, the theory that NotPetya was meant to erase evidence of a long series of tests on Ukrainian infrastructure after Kyiv was used as a “test kitchen” for new techniques.
The panelists shared their cybersecurity predictions, positive and negative. As they see it, better state and local ICS security funding, more robust Federal defenses, stronger standards for design and for government contractors, and incentives for penetration testing are on the horizon—as are attacks that result in injury, with the potential for misattribution and escalation. The threat landscape is bustling: an Israeli honeypot mimicking a utility, for example, attracted ransomware within two days.
Zetter questioned the Biden Administration’s new, potentially “hypocritical” espionage red line and its deterrence impact, arguing that we shouldn’t manipulate norms for political convenience. Perlroth wondered whether CyberCom’s showy hack of Russia’s grid influenced Moscow to limit Holiday Bear’s range to emails and documents.
Hack the Capitol moderator and CEO of SCYTHE Bryson Bort closed with appreciation for the panelists and also for a well-attended virtual session: more than twelve hundred people participated.