Have been following the warnings and advice currently given to enterprises on bolstering cyber and other defenses in the wake of the recent (January 2019) escalations of conflict between the US and Iran. In particular the warnings that focus on advising those who use “industrial control systems and operational technology”. Technologies used to monitor and control physical process found in sectors of critical infrastructure.
Well respected ICS security companies in the private sector are raising the alarm in terms of threats to the security and safety of industrial operations. However I am starting to wonder if the right messages of advice are being sent by the authorities that are appropriate to the perceived threats. The US DHS CISA in its January 6th bulletin on “Increased Geopolitical Tensions and Threats” accents Iran’s ability to conduct cyber operations against strategic targets and its “increased interest in industrial control systems and operational technology”. This is encouraging to read as a general but relevant guidance. However in its recommended actions for cyber protection the message becomes less clear for those who operate a potential strategic target such as a petrochemical facility, water supply system, and transportation system or power grid. Under the listed actions for Cyber Protection point Nr. 7 recommends “Vulnerability Scanning and Patching” while it makes for good Office IT security it may be problematic for securing the industrial control (OT/ICS) and engineering systems used to monitor and control a physical process at a plant or manufacturing facility.
The bulletin in addition recommends implementing the “Cybersecurity and infrastructure Security Agency (CISA) Cyber Essentials” recommendations. Page 1 is titled “The Leader’s Guide” which as one reads further, basically rings like an IT security document. The focus is on “Your Data” and in terms of “Systems” the accent is on “information”. Nothing encountered that indicates an appreciation for the importance of the security and safety of the physical process nor for the control systems and engineering systems used to keep it all safe. The impression that this is an IT security biased document is further reinforced by the flip side of the guide which is titled “The IT Professionals Guide”. As one of the “essential actions for building a culture of cyber readiness” one finds the recommendation for “automatic updates for all operating systems and third party software”. Do not get me wrong, there are many good things to do on this list of recommendations for the engineers to implement such developing and incident response and disaster recovery plan but the context is still the enterprises Office IT (data/information) and not about the industrial processes. In other words these recommendations apply very well for protecting against incidents such as the 2012 cyber-attack that Shamooed 30,000 hard drives in the business part of Saudi Aramco. Not so applicable, however for what happened at that petrochemical plant hit by Triton in 2017 and not much help for industrial enterprises like Norsk Hydro that were hit in 2019.
One wonders about the possible
consequences that may result from applying these IT centric recommendations in
an industrial setting. Here we have a
list of things the CEO and CISO can use to justify orders to the OT managers
and senior plant engineers who are not worried so much about the Office IT but
about the safety of the industrial operation they are responsible for. Will they be able to convince the ones giving
the orders that doing a vulnerability scan or implementing automated patching
of control system devices and IED’s may not be a good idea?
It would be useful, in addition to this IT based
advice, to come up with a separate document
that would be more applicable to industrial operations. It would be called
Cyber Guide of Essentials for The OT Professional and Senior Plant
Engineer. If someone knows where one is
available please share. If it does not
exist then I am willing to join anyone in the SCADASEC CoI to help create one.