We had the privilege of hosting Dan Gunter on the PrOTect OT Cybersecurity Podcast where he shared insights on OT security and data. Dan Gunter is a highly accomplished cybersecurity expert with extensive experience on both the government and industrial fronts. He the founder and CEO of Insane Forensics, a company dedicated to providing digital forensics and threat-hunting services to organizations to protect themselves from cyber threats.
Through the lens of computer science, OT can be viewed like any computing technology: silicon, bits and bytes. Then what’s the difference between a Windows system on the OT side versus the corporate office? The fact is there are other applications and other configurations that are OT centric. We need to help people understand what those bits and bytes look like in the context of an operational environment, and what that data highway going into plants and factories look like. Operators can use data to understand behaviors in their OT environments, for example when a user overstays their maintenance window, what activity did we see on the network? What activity can we see on disk? We can identify cyber risk through the data, and then we need to associate that with what the asset owner cares about: e.g. keeping these Windows systems up that are protection $10 million in uptime revenue and maintaining safety by ensuring these automated systems are handling chemicals like benzene and acids correctly.
Approaching OT systems with embedded devices and protocols is a unique challenge, particularly because many of these technologies have been around for decades. This makes securing them difficult, especially as cyber threats weren't a concern when these systems were designed. Forensic analysis is crucial to understand the impact of various components on the overall risk and availability of the system, especially in the context of today’s emphasis on SBOMs.
In today’s reality of limited resources, for asset owners who do not have a dedicated OT security team to start their security programs. Start with your OEMs: Emerson, Honey, GE, etc. These companies are getting better at sharing information, although some information may require a non-disclosure agreement or may be limited to customers. Nevertheless, their security guides have significantly improved in recent years. It’s essential to start here.
Sometimes, we find issues and call the OEM to verify if it's normal behavior. It's also possible to reach out to their product security teams to double-check something. When making major purchases, it's advisable to include these consultations in the contract.
After consulting the OEM, you can start adding controls, such as passive network monitoring and configuration change detection. Products have different strengths and weaknesses, and every plant has different technology. Therefore, it's crucial to understand the outcomes specific to your situation.
Several service groups can help with this, such as those specialized in research and development, red teaming or blue teaming, and compliance with standards like 62443. These standards and best practices may not be the ultimate solution, but they can provide useful ideas and set a benchmark.
Whether you're doing it in-house or outsourcing, it's advisable to be both preventive and reactive. Waiting for an incident to happen will cost more time and money. Being proactive is essential, even if you're resource-constrained. Start conducting tabletop exercises or attending conferences. And remember, it's crucial to take action rather than getting bogged down by analysis paralysis. Any motion is better than none to some extent.
Wrapping up the conversation, Dan was asked for his thoughts on OT security in the next 5-10 years. Dan shared his excitement about the information era and the further growth in our ability to consume and process data, especially in smart cities and 5G systems. He also pointed to AI having a more a significant impact on security and playing a role in quickly identifying malicious scripts. Predictive maintenance and data collection for warranty and maintenance purposes will also become more prevalent in the security industry. The normalization of open-sourcing proprietary protocols will allow asset owners to have better visibility without having to purchase another vendor. In the OT space, smarter algorithms will enable better baselines and more granular understanding of security events, leading to better situational awareness for asset owners. Solving the problem of correlating ops and security events will further improve situational awareness.
This is has been a condensed summary of TJ’s episode on The PrOTect OT podcast. For more, listen here or wherever you get your podcasts.