“It was the best of times it was the worst of times, it was the age of wisdom, it was the age of foolishness”
– Charles Dickens, – Tale of Two Cities
Never before have I felt so strongly of the existence of separate worlds of understanding between IT and ICS as I have had these past two weeks. I first visited an electric power transmission operator and explained that I wished to find out about how the latest advances in information technology and telecommunications were being applied in this critical sector. I spoke of my special interest in the production part of the operation or the OT side as opposed to the IT practiced in the offices of the enterprise. One of the replies from the technical managers was that “for us IT and OT are merged together”. I responded that this was what I was particularly interested in. There are special security aspects that are well-known in the IT world that need to be considered when applying them to the OT side.
My next visit was to the operator of a natural gas distribution system. I made note of the concerns for addressing gas leaks that I understand can be a headache for the operator. I asked the manager for security, who spoke extensively about the physical security measures employed, a question about the valves that are used (closed) to isolate the location of a leak so repairs can be made. He could not tell me whether the valves had automatic shut off capability (in response to a sharp drop in pressure) or not and suggested I ask the IT department. Later in visiting the SCADA control room and after viewing the “big board” that visually represented the status of gas flows in the pipelines I did find out that the valves had no automatic closing capability. The pipeline gas flow control valves were managed remotely from the control room. I asked the controllers what would they do if they experienced a slow data flow or loss of SCADA? How would they manage the loss of telemetry about the pipeline and how would they issue a command to the valve if they lost communications? My question did not seem to make an impact for the reply was a quick “this has never happened to us before”. I tried to clarify that communications can be targeted by a cyber attack as was demonstrated in one of the regional electric transmission systems in Ukraine in 2015.
I finished my visit by speaking to the gas operator’s IT department. After getting a brief look at their impressive bank-vault like server room featuring all the state of the art physical and fire safety solutions being employed I spoke about and gave the IT manager a copy of a recently issued analysis of a malware module that was specifically designed to attack control systems used in managing electric grids (1). The reply again was very quick and was just as telling: “oh, that concerns the electric industry and not us, gas is different”. I tried to explain that even though the malware was designed for attacking the power grid the module and concepts can easily be applied to other sectors, including gas pipelines. Your operations also use SCADA and depend upon IT and Telecommunications to remotely monitor and control the pipeline. I got the funny feeling that I was not talking to people who knew their “system”. Missing was a knowledge of the OT side on the part of IT professionals I was meeting with.
I advised both the electric and gas operators to give the report careful consideration but realized that the IT department (especially the pipeline operators) had a poor knowledge of OT. In preparing other meetings with IT and OT specialists I have started to make note of a phrase mentioned several times from the IT manager when describing an OT colleague – “I have never met him before”. As I often say in my work a lack of understanding of the security peculiarities of IT as opposed to OT can lead to ineffective security policies. Policies that can result in costly surprises or even loss of life. Addressing this problem can be very difficult if management is not fully informed and places too much faith ( in having a bank-vault server room and smart security fence and video surveillance system) in their security and IT departments. The OT side of the operation needs to be better integrated in the work of the IT department. A better enlightened management needs to require IT and OT to work more closely together than it appears now if we are to take security concerns and measures beyond the physical space. Until then the IT and OT “Tale of Two Cities” will continue.
Reference:
1 https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_6.pdf