The impressive Bryson Bort joined us for an episode of the PrOTect OT Cybersecurity Podcast. Bryson is a skilled cybersecurity professional with an impressive background as an entrepreneur and former U.S. Army Officer. He founded SCYTHE, a platform for next-generation attack emulation, and GRIMM, a cybersecurity consulting firm. Additionally, he co-founded the ICS Village, a non-profit organization dedicated to raising awareness about industrial control system security.
Our host and CTO Aaron Crow discussed with Bryson the nuances of OT security, from the technical to the cultural, as well as the importance of threat context in effective security strategies. Here are some highlights, but be sure to catch the full episode; you don’t want to miss it.
On the notion that OT security is a generation behind, Bryson noted that “operation technology” was doing just fine before computers showed up. Increasing complexity, cost of scale, and changing economics demanded more of operators, and so computers were introduced to keep up with the pace of change. This introduced a learning curve for plant operators, who eventually learned to operate these OT-focused computers. But with focus on the operational aspects of the organization, these users may not fully understand the second-order effects of introducing this technology into critical environments, and the potential security exposures resulting from computer networking.
In efforts to close the gap between operations and OT security, a cultural divide tends to become apparent when IT security professionals and security vendors attempt to jump straight to cybersecurity solutions. While tools can support the process, they cannot solve the underlying cultural differences, including different vocabularies, skill sets, approaches, and priorities.
Bryson recounts his experience working for a multinational manufacturing company, which required him to travel across the globe to meet with plant managers at numerous different sites. He dressed up in PPE and walked the plant floors with them to understand their unique challenges and operations. He pointed to the "talking head syndrome" in the industry, where experts simplify complex security problems and suggest “easy” solutions like segmenting or upgrading operating systems. He explains that these solutions may not work for every plant, as incorrect segmentation can break plant operations, and employees may find ways to circumvent security controls when faced with constraints. Bryson stressed the need for building trust with plant managers and employees and working collaboratively to integrate security measures into plant operations without creating unnecessary friction. He emphasizes that this approach can create a win-win situation and avoid issues coming up only at the end of a project.
OT faces several challenges that cannot be patched easily. For example, the inherent structure of operational technology lacks encryption, which results in the inability to perform real session authentication. This, in turn, shapes the way in which a threat actor approaches the environment. While there is considerable emphasis on the perimeter in OT, most of the threat vectors stem from IT. It is incorrect to assume that there is a true air gap between the two systems. The DMZ is the real target. A threat actor does not need to access the PLC directly but can instead focus on the beachhead in that zone: the high-level industrial control systems, including the distributed control system, safety instrumented system, and HMI.
The operating system is usually one or two generations behind what is found in IT, typically a Windows or Linux box, already configured to manage and oversee all other aspects of the system. It has complete knowledge of where all other devices are located, and the PLC simply follows the operating system's instructions. As such, this operating system becomes the primary target for threat actors looking to infiltrate the system and compromise it.
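The lack of session authentication described above means a defender cannot rely on the protocol itself to tell legitimate writes from hostile ones; the only usable signal is which host issued them. The following added example (not from the podcast or from SCYTHE) parses constructed Modbus/TCP frames and flags write requests that do not come from the allowlisted HMI, illustrating the kind of monitoring that compensates for a control the protocol cannot provide. Host addresses and the allowlist are assumptions for the example.

```python
import struct
from typing import NamedTuple

# Modbus/TCP function codes that change PLC state. The protocol carries no
# authentication, so any host that reaches TCP/502 can send these.
WRITE_FUNCTIONS = {5: "write_single_coil", 6: "write_single_register",
                   15: "write_multiple_coils", 16: "write_multiple_registers",
                   23: "read_write_multiple_registers"}

class ModbusFrame(NamedTuple):
    transaction_id: int
    unit_id: int
    function: int
    data: bytes

def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length does not match payload size")
    return ModbusFrame(tid, unit, payload[7], payload[8:])

def flag_unexpected_writes(records, allowed_writers):
    """Return alerts for write requests from hosts not on the allowlist."""
    alerts = []
    for src, dst, payload in records:
        frame = parse_modbus_tcp(payload)
        if frame.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append((src, dst, frame.unit_id, WRITE_FUNCTIONS[frame.function]))
    return alerts

# Constructed sample traffic: (source host, PLC address, Modbus/TCP bytes).
ALLOWED_WRITERS = {"10.1.1.10"}  # the HMI; an assumption for this example
SAMPLE_RECORDS = [
    # HMI reads 10 holding registers (fc 3): expected behaviour
    ("10.1.1.10", "10.1.2.5", bytes.fromhex("00010000000601030000000a")),
    # HMI writes a single register (fc 6): expected behaviour
    ("10.1.1.10", "10.1.2.5", bytes.fromhex("000200000006010600100064")),
    # DMZ workstation writes a coil (fc 5): not an approved writer
    ("10.1.3.20", "10.1.2.5", bytes.fromhex("00030000000601050001ff00")),
    # Unknown DMZ host writes multiple registers (fc 16)
    ("10.1.3.21", "10.1.2.5", bytes.fromhex("000400000009011000000001020000")),
]

if __name__ == "__main__":
    for alert in flag_unexpected_writes(SAMPLE_RECORDS, ALLOWED_WRITERS):
        print("ALERT unexpected write:", alert)
```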
In Bryson's opinion, the Purdue model has been misused in the context of enterprise architecture. While the model was originally developed to address timing issues in devices, modern computers have already addressed this problem. He suggests that this model gives a false sense of defensive depth, as the five levels quickly truncate to a single vector in charge, with everything else following commands. This is another example of the need for education and a shared foundation in cybersecurity between IT and OT professionals.
Back to the issue of patching, Bryson pointed out that vulnerability management in the OT world is more about risk mitigation than about patching. In IT, a large majority of defense is driven by vulnerability management, and in the IT world this is baked into compliance, which by itself is not security. Security is what you decide to do on top of that. When conducting a vulnerability scan, a list of potential issues is generated, and they are ranked using the Common Vulnerability Scoring System (CVSS). The most critical issues are then addressed through patching, while smaller issues are ignored.
But patching doesn’t give credit to the other security measures that would catch an intruder before they can exploit the vulnerability. Additionally, not all assets and users are equal in value, so context and understanding of access and impact are crucial in developing a comprehensive security strategy.
On the OT side, there is a focus on mitigating risks by looking at vulnerabilities in the broader context of the system and identifying ways to mitigate around them. This approach may involve assuming that certain vulnerabilities cannot be patched, but instead using a combination of strategies to mitigate their impact. By taking a more holistic view of cybersecurity, organizations can better protect their assets and systems from potential attacks.
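To make the contrast between CVSS-only patch ranking and the contextual, mitigation-first approach concrete, here is an added example (not from the podcast, SCYTHE, or any vendor) that re-ranks constructed findings by asset criticality, exposure to IT, and compensating controls already in place. The weights, control credits and sample assets are assumptions chosen for illustration; a real program would calibrate them with plant engineering.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    vuln_id: str      # constructed placeholder, not a real identifier
    cvss: float       # CVSS base score, 0.0 to 10.0
    criticality: int  # 1 = monitoring only, 3 = drives a safety-relevant process
    exposure: str     # "it_reachable", "dmz_only" or "isolated"
    patchable: bool   # vendor fix exists and fits a maintenance window
    controls: tuple = ()  # compensating controls already in place

# Assumed weights: how much of the base score survives given exposure,
# and how much credit each compensating control earns (capped below).
EXPOSURE_WEIGHT = {"it_reachable": 1.0, "dmz_only": 0.7, "isolated": 0.3}
CONTROL_CREDIT = {"segmented": 0.25, "allowlisted_writes": 0.2,
                  "monitored": 0.15, "read_only_hmi": 0.2}

def contextual_risk(f: Finding) -> float:
    """CVSS scaled by criticality and exposure, discounted for controls."""
    base = f.cvss * (f.criticality / 3) * EXPOSURE_WEIGHT[f.exposure]
    credit = min(0.8, sum(CONTROL_CREDIT.get(c, 0.0) for c in f.controls))
    return round(base * (1 - credit), 2)

def prioritize(findings):
    """Return (asset, vuln_id, cvss, contextual risk, action), highest risk first."""
    rows = []
    for f in findings:
        risk = contextual_risk(f)
        if risk < 2.0:
            action = "accept/monitor"
        elif f.patchable:
            action = "patch in next window"
        else:
            action = "mitigate (segment, allowlist writes, monitor)"
        rows.append((f.asset, f.vuln_id, f.cvss, risk, action))
    return sorted(rows, key=lambda r: r[3], reverse=True)

# Constructed findings: two 9.8s that a CVSS-only list would rank equally.
SAMPLE = [
    Finding("eng-ws-01", "VULN-EX-1", 9.8, 2, "it_reachable", True),
    Finding("plc-line3", "VULN-EX-2", 9.8, 3, "isolated", False,
            ("segmented", "allowlisted_writes", "monitored")),
    Finding("historian", "VULN-EX-3", 5.3, 1, "dmz_only", True, ("monitored",)),
    Finding("hmi-line1", "VULN-EX-4", 7.5, 3, "dmz_only", False),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(row)
```

The unpatchable PLC with a 9.8 drops to the bottom because isolation and existing controls already cover it, while the unpatchable HMI stays near the top and gets a mitigation action rather than being ignored.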
Bryson and Aaron continued to discuss the importance of understanding the threat context, which led into the important work Bryson is doing with SCYTHE. Bryson explains that they built the platform for security threat emulation and validation. He emphasized that security is defined by the threats, and their platform makes it easy to measure and validate against those threats. It focuses on understanding the behavioral characteristics of threats to provide a more comprehensive defense. The common denominator throughout the discussion is the importance of trust in the security process. SCYTHE aims to build trust by providing transparency and allowing users to see exactly what the tool is doing and how it works.
Bryson points out that ransomware is no longer just technical jargon but is now a term that even non-experts are familiar with, following the Colonial Pipeline attack. He predicts that ransomware attacks will continue to grow, especially with the rise of connected cars. For instance, he anticipates a situation where a person is unable to start their car without paying half a Bitcoin to the infotainment system.
Bryson expresses a positive outlook on the nation's cybersecurity efforts, noting that the cybersecurity industry and the US government's cybersecurity programs are relatively young. He anticipates continued development and improvement in unified cybersecurity programs in the near future, with agencies like CISA working to mitigate risks and provide assistance to those in need. Bryson believes that within the next five years, the government will consolidate different programs into a comprehensive approach to cybersecurity, leading to better regulation and more efficient support for victims of cyberattacks.
The discussion with Bryson entailed dozens of insights that can’t be contained in one blog post. If you found any of these highlights interesting, please make sure to catch the full episode.