Convergence of physical and cyber has been a pop-up topic for many years, but not a lot of rigor has been put into looking at the problem academically and practically. Don’t get me wrong, there has been work done and some advances in the discussions, but there hasn’t been any significant progress in this realm since we all started talking about it.
One thing that this COVID-19 has done is to force some of us to spend time on research and continuing education. At Red Trident, we spent some time checking out recent conference talks, YouTube videos, and websites to see what people were talking about, and we have been surprised by the fact that people in the industry are still talking about the same things in the same way. We wanted to change that dialog, so we got some people on a call, locked it down, and started a very long, winding conversation that took us in many different directions.
What did we want to accomplish?
We wanted to completely change the conversation and add some academic rigor around the problem set. We wanted to look at the problem from a totally different perspective, and we wanted to think completely out of the box when it came to defining the problem. The one thing that we did NOT want to do is look at this from the standpoint that we would have to include current technology or TTPs in the conversation.
Who did we bring into the conversation?
We brought in OT security professionals, IT security professionals, and Physical security professionals at all levels. We had technicians, academics, and everything in between. Every single person in the room had experience working in production environments in both the commercial and military sectors. We absolutely refused to have anyone in the room that had only worked in consulting roles, because we wanted to only have people with direct, hands-on experience with owning, maintaining, and/or operating networks in a production environment. Not that there’s anything wrong with consultants, because all of the people certainly had consulting experience, but we did narrow our group down to those who had practical experience as an asset owner, maintainer, and/or operator.
What parameters did we put around the conversation?
We had a few loose parameters that we applied to the discussion, and we thought that they were loose enough to not really be an issue. We found pretty quickly, though, that the parameters really helped keep our conversations from delving into the same old conversations. Here are the parameters used:
- We’ve seen way too many companies come up with products to solve very specific problems, and we didn’t want to do that. The first parameter was that we had to take a very high-level approach and stay focused on defining the problem.
- Everyone was equal. Everyone in the room had a voice, everyone in the room could apply their knowledge, and everyone’s experiences were considered and included.
- We could not approach this from an IT, OT, or Physical perspective. We had to approach this from a Security perspective.
- We had to be able to apply overarching principles in our own domains to different perspectives. As an example, we would take the term “defense in depth” and go around the room to see how that would be applied in different domains. That exercise was very eye-opening.
- We had to stay focused on redefining the problem, and we had to stay away from talking about solutions.
How did this change our approach?
The parameters really changed the conversation. As an example, when we were talking about how information flows, we asked the physical security experts what their thoughts were. They equated information flow to transportation flows into and out of plants. They noted that they do vehicle inspections very differently than rail inspections, or commercial freight inspections. It made all of us think about inspections and information sources from a totally different perspective, and it was very enlightening. That is just one very small example of the way we incorporated multiple security domains to help define a bigger picture.
There are many different ways to look at convergence, and we chose two methodologies that are distinct and easily recognizable. We are only going to discuss one of them in this post and leave you in anticipation of the second.
The first methodology is pretty traditional when it comes to physical and cyber convergence. We applied some very traditional security methods, but again we did it from a different perspective. For example, we asked everyone in the room about a scenario where an engineer is logging into a console within a production environment. We asked the simple question of “how do you authenticate that the person is actually who they say that they are?”
We went around the room and took in everyone’s input. Again, we were quite surprised at how many different layers of security could be wrapped around an asset when physical and cybersecurity principles were applied properly. Conversely, it was also very disheartening to learn how seemingly small gaps in security could quickly lead to very large vulnerabilities being exposed.
We looked at wrapping physical layers around OT infrastructure so that we could add layers of security, and then we reversed that view and wrapped IT layers around physical security infrastructure. We began to look at how we did access management from different perspectives, as well as role-based access, and asset discovery, and logging, and threat management, and how all of those things are different when you start thinking about people as well as packets. When you start looking at things from multiple perspectives with academic rigor applied from multiple different disciplines, things start to get very interesting quickly.
The Problem – You can’t see the forest for the trees
When you stand too close to a problem for too long you get tunnel vision and lose sight of the actual problem. It’s all about perspective, and modern ways of problem-solving have actually blinded us to the bigger picture. Product companies want to apply their product to solve very specific solutions. Services companies are normally focused on meeting very specific customer-defined needs. Really great integration companies are the closest thing to problem solvers, but they are typically constrained by scope, schedule, and budget. Time and time again this has been the issue in various industries, and it will continue if we do not challenge the way that we do things.
OT networks are unique, and applying purely IT security solutions and methodologies will continue to fail. These assets are physical, and they live in the cyber realm, so you cannot look at this from one specific lens and expect to have success. As we approached this academically, we confirmed what we had all been thinking…traditional OT security is going in the wrong direction. This was confirmed when pulling data on the adoption curve of OT Security compared to any other security domain in history. The industry has been trying to apply tools and methods that aren’t relevant to this unique environment.
Current OT security solutions do not align well with Owners and Operators of these systems. While we were doing our initial research, we all commonly heard two phrases: “operations are slow to adopt change”, and “OT environments were never built with security in mind.” Half of that statement is true, and the other half is a very good example of how most “OT security professionals” don’t really understand the environment.
Those “OT security professionals” who think that operations are slow to adopt change have probably never set foot in a production environment, or haven’t looked at change from any other perspective than their own. The group that we assembled all had experience in production environments, and they all expressed quite clearly how much they had to adapt and change to production needs on a daily or weekly basis. Their change management processes are so good that there are people dedicated just to tracking changes on a daily basis throughout the production environments. Operations and production environments have to change often to meet market demands, or they lose their competitive advantage, so they know change better than most. It’s just a clear example of how security can be very out of touch with operations. This resonated with everyone from the cyber and physical space and really helped us think of Security from a very different perspective.
The second part of the statement above states that OT environments were never built with security in mind. Yep…that’s true. So what? Space was never built with oxygen so that our astronauts can breathe, but we sure overcame that. Deep ocean exploration wasn’t built with normal earth atmospheric pressure, but we overcame that. We didn’t change the environments where we wanted to operate, did we? No…we changed how we approached the environments. When you start looking at OT networks as an environment instead of just a collection of parts, then you can start thinking about accepting the environment and learning new ways to work within it.
So, how did we end up defining the problem? You’re going to have to read the next blog post for that.
Red Trident did not set out to revolutionize OT security; we set out to challenge the paradigm and how we have traditionally looked at security in general. As Emmett Moore said, “While it is easy to stare at the mirror and believe what you see is reality, this team of professionals shared with Red Trident something that we believed but were unable to prove. The current OT Security industry does not understand operations, their drivers, or the problems they need solved. Solutions have been created that are singularly focused, which reduces their effective value, and creates complexities and barriers to adoption.” We are here to challenge that paradigm, because we think that it’s wrong.
The approach that we took with this meeting really helped information flow in new ways, and we all learned a huge amount from many different perspectives. Red Trident is now developing a different approach to the OT environment and OT Security. Everyone talks about security products with the disclaimer that “there’s no silver bullet when it comes to security.” Yes…that’s true if you’re shooting at the wrong problem. Red Trident has redefined the problem with the knowledge, insight, and broader perspective that we recently gained, and we are now completing the development of a holistic solution that is simple, addresses the complexities of OT Security, and provides a method for easy adoption to the end-users. This is the silver bullet that you’ve been looking for, and it aims right at the heart of the true problem plaguing OT security.