New strategies, “soul-searching” needed to secure critical infrastructure

At this year’s S4 conference in Miami Beach, top industrial control system experts offered various solutions that could replace the increasingly obsolete security through obscurity method for protecting ICS. The inadequate security of operational technology is a chronic crisis threatening the stability and reliability of critical infrastructure systems worldwide.

MIAMI BEACH — The S4 industrial cybersecurity conference in Miami drew its biggest crowd ever, with 1,100 people traveling to sunny Florida for the annual event last week. The boom in attendance from fewer than a hundred a decade ago reflects a growing recognition of the need to protect the critical and complex systems that run energy, water and other essential services.

The theme of this year’s event was “Create the Future,” emphasizing its focus on moving ICS cybersecurity, which has traditionally relied on an outdated “security through obscurity” approach, into a more forward-looking mode. Conference organizer Dale Peterson framed the conference during his opening keynote by evoking 19th-century map makers and their fear of empty spaces, known as horror vacui, urging attendees to explore the great unknown.

“We need to get past our own horror vacui and admit what we don’t know,” he said. “Now, your good security practice, the one you prefer, might be highly effective. How are you going to prove that? How are you going to gain the confidence in the knowledge to draw it on the map? What metric are you going to use?”

Peterson said the chronic lack of actionable data hampers the ICS community. “Now, OT security metrics are still rare. The metrics I do see tend to measure the implementation of the OT security control, not the effectiveness of the OT security control. This doesn’t necessarily mean that those security metrics are wrong, but to be right, we would need to have other metrics that showed these security controls were really helping us meet our mission.”

The range of technologies on display in Miami and the diversity of the conference’s speakers reflected how far the ICS community has come since S4’s early days. A decade ago, researchers at the conference — including a graduate student with no prior ICS experience — found dozens of zero-day vulnerabilities that exposed “pathetic” security practices in OT equipment.

The latest conference highlighted that plenty of work remains.

“One of the most important fundamental things that organizations need to do is realize where they stand in terms of cybersecurity, what their maturity is, what they have in place, and then do some soul-searching because organizations previously have just tried to check boxes in a lot of cases, especially for OT security,” Lesley Carhart, director of incident response at Dragos, told README. “And an important part of building a healthy security program is understanding what the relationships among the people look like, what technologies are already in place and what is possible in terms of mitigations. We saw that at S4 talks that spanned the continuum of maturity and technology.”


Interdisciplinary approach needed

Peterson called for a multi-disciplinary approach to the ICS cybersecurity challenge. “We need to be looking at behavior fields like psychology, economics, political sciences, actuarial and insurance statistics, and IT and anywhere else we can get the answers,” he said. “When you go exploring, sometimes you don’t get where you want to go. You can stop short. Sometimes you get there, find nothing, or find something that disproves what you are looking for.”

Gene Spafford, professor at Purdue University’s department of computer sciences and co-author of the book, “Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us,” has long maintained that the field of psychology is integral to cybersecurity. Spafford said that his interdisciplinary information security degree now includes psychology as an option.

“If we’re really going to understand security, we also have to understand the people, because it’s the people who buy it, configure it, set the policy, use and misuse the systems. And if we try to put all of the onus on the hardware and the software and leave the humans out of the equation, we’re not addressing the full problem.”

Defense on the back foot?

Spafford also discussed the need for the ordinarily slow-moving ICS cybersecurity community to embrace changes to their systems.

“We have to start thinking about going forward,” he said. “We shouldn’t worry about replacing it all at once. Instead, we should leverage opportunities to replace things appropriately as they present themselves and do it incrementally. That also will give us some observable benefit that we can then use to justify making other changes.”

Michael Fischerkeller, Senior Researcher at the Institute for Defense Analyses, pointed out that “states are accumulating strategic gains through cyberspace via exploitative campaigns, not coercive cyber operations.”

He cited North Korea as a prime example. “North Korea has used cyber operations to undermine the SWIFT international currency exchanges to exploit international banks, to exploit cryptocurrency exchanges, to exploit the bridges to those exchanges to the tune of about 2 billion over the last four years,” he said.

Fischerkeller prefers the term “initiative” when talking about what most cyber experts call offensive operations. “So, the terms offense and defense, in our view, are vastly overused because most of the activity in cyberspace occurs in a geopolitical competition, not a crisis or environmental conflict. Offense and defense don’t apply well in competition,” he said. “What we say is that what matters in cyberspace is, you have to have initiative,” because “if you have the posture of anticipation, they’re on the back foot, and they’re responding to what you are doing. If they have it, you are on the back foot.”

Rethinking what’s “critical”

Another change advocated by Munish Walther-Puri, senior director of critical infrastructure at Exiger and former director of cyber risk for New York City’s Cyber Command, is to reduce reliance on the term critical infrastructure.

“The word ‘critical’ is both clear and confusing,” he told S4 attendees. “It is clear because we know it means ‘the most important.’ It is confusing because it gives us no help whatsoever to figure out what’s most important.”


Walther-Puri said psychologist Abraham Maslow’s hierarchy of critical needs is a helpful lens for viewing ICS security. A hospital, for example, could encompass many of the critical infrastructure sectors as defined by the Department of Homeland Security, including healthcare, transportation, nuclear (many treatments rely on radiation) and chemical.

“That was not helpful for our purpose” while helping defend New Yorkers from cyberthreats, Walther-Puri said. He argued organizations should view cybersecurity from the perspective of services first and then sectors.

“One of the things that were impactful for me getting the chance to work for the city [was] seeing how everyday people, everyday New Yorkers experienced those services and where the cyber defense of that technology was crucial,” Walther-Puri told README after his talk. “It changed my thinking about what’s critical.”

Civilian “targeteering” and security by design

“ICS is doing threat intelligence wrong,” Anna Skelton, control systems cybersecurity analyst at Idaho National Laboratory, said at S4. She suggested threat intelligence researchers adopt “targeteering,” a term borrowed from the military.

Right now, when a cyberattack happens or researchers uncover a new threat targeting ICS systems, “either your vendor or maybe your internal team will ingest this information, will regurgitate it, write it up a little bit more, put their threat group names on it, put an opinion dressed up as an assessment, slap it on there, good to go, out the door,” she said.

The problem with this approach is it’s “passive,” Skelton said. “It’s reactive. Either you are the news, you are the problem, or you are just reading the news.”

Her version of “civilian targeteering” entails selecting a broad target, learning why the target is a good one, learning where your critical dependencies are, understanding where the target lives in the wider environment, looking for vulnerabilities and then deciding what you are going to do with all this information. Skelton said this approach is filled with uncertainties, “so you have to be comfortable with the idea that you will not know what’s going on right away. It’s going to take some time.”

Sarah Fluchs, CTO of critical infrastructure consulting firm admeritia GmbH, told S4 attendees that while security operations is an essential component of tackling ICS security issues, it is equally important to focus on security by design at the outset, which organizations frequently overlook. “Of the yin and yang of security decision-making, there’s another half, and this other half is often neglected: security design. Security design decisions are about building a system that is defensible in the first place” before security operations even kick in.

Good vibes all around

The feedback from S4 attendees was consistently positive, with the conference given high marks by all for its substantive and social activities. “I’m seeing a lot of modern technology approaches to older problems, legacy problems,” Ron Fabela, Founder and CTO of SynSaber, told README. “There’s a lot of interest and a lot of money now being invested into these problems, which I think we’ll get movement on, hopefully.”

Patrick Miller, CEO of Ampere Industrial Security, told README, “this year’s S4 had the expected great content, high production quality, and excellent networking. We’re seeing new products, new missions, and the best part was the new and diverse people who came to the event to learn and be part of the community.”