
The OT Cybersecurity Battle Between Form and Function: Part one – Asset Visibility

People naturally seek order in chaos, but they also tend to push the boundaries of the balance between form and function. As owner-operators and as a cybersecurity community, we have been struggling with this balance for decades. As the dividing lines between the Purdue Model levels blur and digitization extends across the industrial control surface to ensure the integrity of physical processes, cyber risk extends with it.

There has been recent discussion about dropping the labels of IT and OT in favor of treating everything as a “system.” While this is admirable in unifying the “form” of cybersecurity (allowing the efficacy of controls to be measured regardless of the technologies or processes covered), it leaves the “function” of cybersecurity wanting. The dissimilarities run much deeper than the technology and include functional roles in the overall mission that are completely different.

Where we are and what’s changed

The maturity of cybersecurity has grown exponentially on both sides of these blurred lines over the past couple of decades. Organizations have customized methods to measure themselves in a “this (IT) plus that (OT), or 1+1” fashion. Unfortunately, due to the growing symbiotic cybersecurity needs between IT and Cyber Physical Systems (CPS), and the regulatory obligations to report cybersecurity events at an enterprise level, 1+1 needs to equal 3. That is where measuring cybersecurity’s efficacy will require confidence.

This is a soapbox issue I have been chasing for decades. In “The Nexus,” “The Gooey Middle,” “The Intersect” of IT/OT, measurement of cybersecurity efficacy still eludes some security professionals, in part due to gaps in asset visibility. Just as importantly, I have experienced this to be exacerbated by missed expectations, cultural pushback and talent misalignment.

Asset visibility is a well-known foundation of cybersecurity. Traditionally in IT, assets join and leave the network frequently, and risk management (due to the nature of the function in the organization) is mainly about data, with an emphasis on the confidentiality, integrity and availability (CIA) triad. When it comes to the less dynamic environment of OT assets, however, expectations may need to be set and aligned around how a comprehensive inventory of OT can best be captured. How much data, and what kind of data, is (or needs to be) captured? Is it actionable in raw form, or does it require more context? Is enough data provided to deliver the visibility needed to secure the operational objective? That last part often gets lost… fulfilling the operational and cybersecurity objective should lead the charge.

In an IT world, from an asset management perspective, Deep Packet Inspection (DPI) of network traffic is sufficient to achieve the CIA objective. It provides familiar cybersecurity benefits, such as detecting “east/west” lateral adversarial movement. In OT, however, with the additional focus on safety and uptime and the inherent kinetic risks to safety, reliability, and productivity, there are several more facets to weigh. It is possible that the physical process being controlled may very well be your sole indication of a problem. And it may be more difficult still to discern between an identified operational problem and any connection to a cybersecurity threat. This is where a cybersecurity judgment call requires confidence (and far more context).

My journey has brought me through the early IT and Cybersecurity perspective. Post millennium, we witnessed the emergence of a focus, and the beginning of the long struggle, in Operational Technology to create a bridge of measurement that represents the efficacy of controls commensurately across IT and OT. What can be observed is that cybersecurity leaders who come up through the IT cybersecurity side tend to gravitate to cyber-solutions based on familiarity, while leaders with a heavy engineering background tend to disparage the use of cybersecurity tools. A familiar, effective strategy like Zero Trust, which is now almost expected for IT, may only be partially implementable in OT due to the nature of the equipment and its function. The same holds true for asset visibility. “Sniffing” the assets on the network, while good for identifying anomalies, is much less effective for seeing a complete inventory along with operating conditions and settings. Many assets may never broadcast “across the wire.” This could be because the asset has little intelligence of its own, or because it only runs inside the Distributed Control System (DCS). Because Hexagon PAS Cyber Integrity collects the complete configuration files from the connected assets, we provide deep visibility into each.

Cybersecurity – People, process and technology

Leveraging our secure backup repository, Hexagon’s PAS Cyber Integrity® will greatly reduce the Mean Time to Resolution. With Cyber Integrity, system hardening and baselining feed into the Management of Change process. As an added assurance, our asset and vulnerability management methodology cannot have a negative impact on operations, because it relies on the native backup function of the DCS systems.

Even armed with context, the effort and expertise needed to respond to events in CPS need to be level-set. Performing the necessary discovery process in operational technology can be very time-consuming compared to the IT environment. Dissimilar control manufacturers produce dissimilar configuration files, which complicates comparative analysis. Hexagon PAS Cyber Integrity has solved this challenge through its ability to read and interpret configuration files from dissimilar controllers into a digital twin of the operational landscape. This produces a safe environment for detailed discovery, with no risk of operational impact.
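The two points above (assets that never appear “across the wire,” and configuration files from dissimilar controllers that resist comparison) can be made concrete with a small worked example. The code below is an added illustration, not Hexagon’s code and not any real vendor’s export format: it parses two constructed configuration exports (a hypothetical key=value format and a hypothetical JSON format) into one common schema, reconciles that inventory against a constructed list of addresses seen by passive capture to show which assets a sniffer alone would miss, and fingerprints each asset so that drift from a stored baseline can be flagged for Management of Change review. All names, addresses, setpoints and formats are invented for the example.

```python
import hashlib
import json
from dataclasses import dataclass

# --- Constructed sample inputs (hypothetical formats, not real vendor exports) ---

# "Vendor A": one key=value per line; logic blocks carry ';'-separated fields.
VENDOR_A_EXPORT = """\
node=PLC-101
ip=10.20.1.11
firmware=4.2.1
logic_block=PUMP_START;interlock=LOW_LEVEL;setpoint=42.0
logic_block=PUMP_STOP;interlock=HIGH_LEVEL;setpoint=88.0
"""

# "Vendor B": JSON, with different key names for the same concepts.
VENDOR_B_EXPORT = json.dumps({
    "controller": {"tag": "DCS-CTRL-07", "address": "10.20.1.30", "fw": "11.0"},
    "blocks": [{"name": "VALVE_PCV2", "guard": "PRESSURE_HI", "sp": 300.0}],
})

# Constructed passive-capture result: addresses that actually sent traffic
# during the capture window. DCS-CTRL-07 never spoke, so a sniffer misses it.
PASSIVE_SEEN = {"10.20.1.11", "10.20.1.2"}


# --- Common schema shared by every vendor parser --------------------------------

@dataclass(frozen=True)
class LogicBlock:
    name: str
    interlock: str
    setpoint: float


@dataclass(frozen=True)
class Asset:
    asset_id: str
    address: str
    firmware: str
    blocks: tuple  # tuple of LogicBlock

    def fingerprint(self) -> str:
        """SHA-256 over a canonical form (sorted keys, sorted blocks), so the same
        configuration hashes identically regardless of source format or field order."""
        canon = {
            "id": self.asset_id,
            "fw": self.firmware,
            "blocks": sorted((b.name, b.interlock, b.setpoint) for b in self.blocks),
        }
        return hashlib.sha256(json.dumps(canon, sort_keys=True).encode()).hexdigest()


def parse_vendor_a(text: str) -> Asset:
    """Normalize the hypothetical key=value export into the common schema."""
    fields, blocks = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition("=")
        if key == "logic_block":
            parts = dict(p.split("=", 1) for p in ("name=" + value).split(";"))
            blocks.append(LogicBlock(parts["name"], parts["interlock"], float(parts["setpoint"])))
        else:
            fields[key] = value
    return Asset(fields["node"], fields["ip"], fields["firmware"], tuple(blocks))


def parse_vendor_b(text: str) -> Asset:
    """Normalize the hypothetical JSON export into the common schema."""
    doc = json.loads(text)
    ctrl = doc["controller"]
    blocks = tuple(LogicBlock(b["name"], b["guard"], float(b["sp"])) for b in doc["blocks"])
    return Asset(ctrl["tag"], ctrl["address"], ctrl["fw"], blocks)


def never_seen_on_wire(assets, passive_seen):
    """Assets present in controller configuration but absent from passive capture:
    the inventory gap a sniffer-only approach leaves."""
    return sorted(a.asset_id for a in assets if a.address not in passive_seen)


def baseline(assets):
    """Stored baseline: asset id -> configuration fingerprint."""
    return {a.asset_id: a.fingerprint() for a in assets}


def drift(baseline_fps, assets):
    """Classify each asset against the baseline for Management of Change review."""
    current = {a.asset_id: a.fingerprint() for a in assets}
    report = {}
    for asset_id in sorted(set(baseline_fps) | set(current)):
        if asset_id not in current:
            report[asset_id] = "missing"
        elif asset_id not in baseline_fps:
            report[asset_id] = "new"
        elif baseline_fps[asset_id] != current[asset_id]:
            report[asset_id] = "changed"
        else:
            report[asset_id] = "unchanged"
    return report


if __name__ == "__main__":
    assets = [parse_vendor_a(VENDOR_A_EXPORT), parse_vendor_b(VENDOR_B_EXPORT)]
    print("configured but never seen on the wire:", never_seen_on_wire(assets, PASSIVE_SEEN))
    base = baseline(assets)
    # Simulate a later export in which PUMP_STOP's setpoint was changed in the field.
    later = VENDOR_A_EXPORT.replace("setpoint=88.0", "setpoint=95.0")
    print(drift(base, [parse_vendor_a(later), parse_vendor_b(VENDOR_B_EXPORT)]))
```

The design choice worth noting is that the fingerprint is computed over the normalized schema rather than over the raw export bytes: that is what makes a setpoint change on one vendor’s controller comparable to the same change on another’s, and it is why a reformatted but semantically identical export does not raise a false “changed” verdict.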

From a cultural perspective, because it is detached from the active control systems, our solution encourages collaboration between cybersecurity teams and operational engineering teams. But who is looking at the configurations? IT assets have basic functionality that is categorically predictable (a server is a server, a workstation is a workstation), and that base is then programmed to serve a unique purpose. So the risk to the basic server, for example, may be similar across many assets, and the programming (applications and configurations) provides a unique risk overlay. In OT, however, the asset has very limited functionality and intelligence. The asset is therefore not programmed; rather, the desired outcome is achieved by configuring the asset with the necessary logical conditions. The configuration of an OT asset dictates what the asset does in the overall physical process. That means an identical asset may carry an almost completely different risk profile at different locations across the enterprise.

To make more risk-informed decisions when looking at cyber events anywhere in the enterprise, context is necessary. Hexagon PAS Cyber Integrity illuminates the most complete operational technology playing field with deep context and enables rapid response and recovery. Join me in my next blog as I go into more detail on incident response and leveraging our deep context.


About the Author

Edward Liebig is the Global Director Cyber Ecosystem in Hexagon’s Asset Lifecycle Intelligence division. His career spans over four decades, with over 30 of those years focused on cybersecurity. He has led as Chief Information Security Officer and cybersecurity captain for several multinational companies. He has also led Professional and Managed Security Services for the US critical infrastructure sector for two Global System Integrators. With this unique perspective, Edward leads the Cybersecurity Alliances for Hexagon PAS Cyber Integrity. In this role he leverages his diverse experience to forge partnerships with service providers and technologies that drive collective strengths to best address our clients’ security needs. Mr. Liebig is an adjunct professor at Washington University in St. Louis and teaches as part of the Master of Cybersecurity Management degree program.