“And I didn’t even know what a P.L.C. was, so I had to Google for “What is a P.L.C.?” That, even, baseline knowledge, we just did not have.”
– Security company’s Sr. software security analyst trying to decode Stuxnet in Fall of 2010.
Some IT people (including me) have waded into OT waters with the false assumption that they can apply their IT knowledge to OT or industrial operations. I have found a good rule of thumb way for measuring an IT professionals OT cybersecurity competence by evaluating how they look at a cyber incident that takes place at an industrial facility. The way cybersecurity professionals look at Stuxnet for example is useful in revealing the level of OT understanding.
I take notice of these descriptions from my experience in writing my first article on cybersecurity and energy in 2012[1]. I quickly accepted the offer to write thinking that my years of IT security experience were easily applicable to the IT used in the production, generation and distribution of energy. After doing some research for the article I realized that my IT knowledge did not even provide half of what I needed to write about the security of the technologies used in this sector. Addressing this gap put me on a long learning curve which included introducing myself and speaking to utility operators and plant engineers. It was a humbling experience to realize I still had a lot to learn about OT. However I could tell in my conversations then and later that some OT professionals had a poor appreciation for IT security aspects that if ignored could affect the success of their work.
There was a NOVA science episode on cyber war in 2015 where the Stuxnet story was used to illustrate how far cyber based threats have developed to threaten critical infrastructure[2]. The main source for the information for the piece on Stuxnet was IT security company Symantec. A very telling OT understanding moment came during Symantec’s description of finding the famous Windows zero days in the first Stuxnet warhead. It was later said that to go further in the investigation they first had to “find out what a PLC was”. Ralph Langer was given credit for pinpointing the location of the target but then the documentary switched over to Symantec’s work on discovering what Stuxnet did which became possible after obtaining some Siemens PLC’s from an auction site.
Other security experts were also interviewed but the NOVA documentary stuck with Symantec’s narrative on Stuxnet with a focus on those same 4 Windows 0 days. Watching this I could not help thinking of Ralph Langner’s announcement on what Stuxnet actually did in September of 2010[3] Ted Talk from 2011[4] and S4 presentation [5] and kept asking myself “Ok, now when are you going to finally say something about the Siemens part and who analyzed that?” Alas it never happened. The show’s producers perhaps edited out other comments or were just comfortable with going with Symantec’s lead on the story.
Some IT security based companies may see OT security as a new territory for making money. This can be seen by offering an edited version of the report on-line and implying that the more detailed stuff comes to paying clients[6]. This is fine but the solutions they offer may be influenced by an IT bias (not seeing the OT forest for the trees) rather than on a comprehensive understanding of OT[7]. Something that if not recognized can lead to unpleasant consequences when they are applied.
Instead of IT security professionals giving out advice on securing OT it would be better if it would come from OT security professionals. It would be even better if an OT security professional would start up an OT security company that incorporates IT cybersecurity rather than the other way around. Sadly, I am not aware of any that have the same influence as the IT based ones. However with the media shining the guru light on these IT based security companies it will be an uphill battle for the OT security based start-up to get the needed recognition to impact on safety and reliability of OT. This has to change.
p.s. I do not wish to discredit any security company or individual in this blog post. Just want to point out the existence of an IT-OT gap that needs to be filled asap.
Vilnius
February 12, 2019
[1] Butrimas, V., Brūzga, A., The Cybersecurity Dimension of Critical Energy Infrastructure”. perConcordiam V3N4 p. 12-17. October 29, 2012. http://www.marshallcenter.org/mcpublicweb/MCDocs/files/College/F_Publications/perConcordiam/pC_V3N4_en.pdf
[2] https://www.pbs.org/wgbh/nova/video/cyberwar-threat
[3] https://www.langner.com/stuxnet/
[4] https://www.youtube.com/watch?v=CS01Hmjv1pQ
[5] http://www.digitalbond.com/blog/2016/06/20/s4-classic-video-langners-stuxnet-deep-dive/
[6] Just one example “Full reports detailing the TTPs and Dragos’ research is available to our WorldView subscribers.” https://dragos.com/adversaries/
[7] Another good case study is the attack on Saudi Aramco in 2012. It appears and IT team responded. Commented on this in a blog: http://scadamag.infracritical.com/index.php/2019/02/11/learning-incomplete-lessons-from-a-famous-cyber-attack-can-lead-to-surprising-and-unpleasant-results/