3.8.23 > Tom Smertneck

Recently, Think Tank Advisor Tom Smertneck was asked about the key challenges the OT sector will face in 2023. Here is his deep dive on what is in store for us across all 16 critical infrastructure sectors.

What are the key challenges that the OT sector will face in 2023, and how can these be overcome as organizations work towards building their ICS resiliency?

Firstly, I define “the OT sector” to include operations in all 16 of the critical infrastructure sectors currently outlined by CISA (Critical Infrastructure Sectors | CISA), along with businesses with a brick-and-mortar presence, as those structures operate with many of the same connected and communicating electronics and subsystems (ICS, industrial control systems) which define ‘the 16’. These may be retail or consumer product manufacturing, warehousing, logistical transportation, and delivery in these non-critical sectors. These are the most vulnerable businesses now, as they don’t see themselves as targets and therefore, naively, not vulnerable.

I see three key challenges “the OT sector” is facing or continuing to face in 2023 as:

1. Bolstering IT or building new OT cybersecurity resources via workforce development, or finding, recruiting, and hiring capable ICS (OT) cybersecurity resources.

    • Workforce development might include partnering with a local university or one of the emerging cloud-based Cyber Ranges/Pen-Testing companies.
    • Or enrolling their resources in the OT cybersecurity training and certification program known as ISA/IEC 62443, which is a comprehensive program about the global, now-horizontal cybersecurity standard that can train a spectrum of management, IT and Controls Engineers to be more effective organizationally, operationally and in hardware and software product development.
    • This may be challenging for the OT side of operations, as many cyber ranges, which have been created and built to attract IT/Enterprise networking security specialists, are also in the emerging mindset of building OT architectures, schemes, and penetration testing scenarios with which to attract subscribers or, in the case of universities/colleges and tech schools, students and adjunct professors.
    • Another challenge for owners of OT operations is the ability to find, vet and secure with operational confidence Service Providers who can truly assist or deliver master service provisions (MSP) in ICS cybersecurity.
        • This involves finding or delivering feedback to existing HVAC, Electrical (low voltage) and IT cybersecurity service providers that, to continue as a valid MSP/master service provider for them, they must be able to confirm training and certifications in OT Cybersecurity and not IT Enterprise Networking. These confirmations would indicate capability to secure connected and communicating industrial vs. office equipment presently in use, as well as ability to consult on what changes, updates or upgrades may be needed to more securely prevent OT control system breaches, clandestine equipment configuration changes or wholesale takeovers.

2. Investigating and documenting the status of their present cybersecurity posture in both the Enterprise (IT) and OT operational segments. In both segments this means:

    • assessing, documenting, and identifying asset status,
    • documenting the history of CVEs that have been cleared/rectified and those still needing to be resolved, along with action plans and timetables for those resolutions,
    • establishing a program for modernizing OT SCADA operations to include new analytical processes that can independently monitor large data changes that can indicate potential infiltration and control system takeover. This modernization is being referred to as “ML” for Machine Learning and “AI” for Artificial Intelligence, and often mentioned together as ML/AI.

3. Addressing the probable need for organizational restructuring to enable, ASAP, cybersecurity improvement to their OT environment.

    • This is because IT resources have not been able to fully protect Enterprise networks and data, whose network equipment, architectures, and data protocols they understand and know better.
        • And these IT cybersecurity resources struggle, despite striving to “cover their bases,” in the OT architectures and environments without much, if any, guidance under the direction of existing CISO or non-CISO-led organizations.
        • Most CISOs who have been trained in IT network cybersecurity also have little insight into what’s required to secure ICS operational architectures.
    • OT cybersecurity resources in product development firms (hardware or software) would be instrumental as leaders or contributing team members more prone to understand and synthesize the ability to “design security in vs. strap it on” from following ISA/IEC 62443 guidance in Section 3 (Systems 3.1-3.3) and Section 4 (Components 4.1-4.2) [ISA/IEC 62443 Series of Standards – ISA].

What role do you expect the OT workforce to play, as organizations work towards improving and strengthening their ICS resiliency? Do organizations have the necessary capabilities, and required budgets in place to build ICS resiliency, as attackers are getting closer and closer to OT environments?

If understood and enabled by the CISO or lead CISSP who’s become OT-cybersecurity capable, the “OT workforce” would likewise need to be conversant in IT network fundamentals and HTTP/HTTPS fundamentals, as at certain levels of an OT architecture they also apply and can be a layer of defense.

The OT resources could play a leading role in structuring cyber range exercises to help their IT cousins to become more enlightened and capable in architecture, connectivity, equipment additions or other strategies, and vice versa.

    • For example, how to establish, develop or improve process sensor data-change monitoring via SCADA Historian analysis or, if process-critical, real-time change monitoring via ML (machine learning) or AI (artificial intelligence) approaches that are understood by SMEs and continuing to emerge.
    • OT architectures are likely to need Defense-in-Depth approaches, where their IT cousins can assist in formulating the appropriate MFA and Zero-Trust approaches being deployed at the Enterprise level. These can be mapped into OT operational architectures without much impact on data latency or process operations integrity, as they are primarily targeted at login authentication and similar fundamental cybersecurity tactics. This is the teamwork most mid- and large-company organizations may be in the process of arranging now. Again, it’s the small manufacturer who falsely believes they’re not a big enough target for hackers or ICS-conversant infiltrators to take the time or make the effort.

Regarding budgets, this is another aspect of a company’s risk assessments, with creating and forming a Business Impact Analysis (BIA) once a status of existing assets and vulnerabilities is complete. Several platforms, e.g. @SecurityGate.io, have this capability recently built into their platform.

This type of ROI inquiry and assessment will help a CISO, Plant Manager, or Cybersecurity Lead to determine what possible ‘next steps’ should be prioritized, e.g.:

    1. Workforce cross-training (IT/OT) and which manner – for example:
      • Regular Red/Blue Team exercises, or
      • Segmenting new Industrie 4.0 implementations with finer architectural segmentations using data diodes or simplex-only communication from IoT devices, or possibly
      • Creating a new IT/OT Cybersecurity team based upon ISA/IEC 62443-2-1 “Establishing an IACS security program” (ISA/IEC 62443 Series of Standards – ISA)
    2. Clearly OT Control System resources can play a leadership or sounding-board role in any existing Enterprise Security Team for cross-training as well as ideations, innovations or migrations toward fulfilling a Corporate Sustainability Program.
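The historian data-change monitoring referred to above (the ML/AI modernization item under the second challenge, and the SCADA Historian example in this answer) can be sketched as a rolling-window detector that flags abrupt moves in a process tag for analyst review. This is an added example, not code from the article, from Tom Smertneck, or from any platform he names; the tag names, thresholds and readings are constructed.

```python
"""Historian data-change monitor: flag abrupt sensor moves for analyst review.

Added example (not the article's or any vendor's code). Tag names, thresholds
and the readings below are constructed for illustration.
"""
from collections import defaultdict, deque
from statistics import mean, pstdev

# Constructed historian export rows: (sample index, tag, value).
# TK101_LVL holds steady near 50% and then steps to ~79% at sample 12, the
# kind of unexplained change an analyst would want to review.
# P201_PRESS ramps slowly and should not be flagged.
_TK101 = [50.0, 50.2, 49.8, 50.1, 49.9, 50.3, 49.7, 50.0, 50.2, 49.9,
          50.1, 50.0, 78.5, 79.0, 79.2, 78.9, 79.1, 79.0]
_P201 = [round(3.00 + 0.02 * i, 2) for i in range(18)]
HISTORIAN_ROWS = sorted(
    [(i, "TK101_LVL", v) for i, v in enumerate(_TK101)]
    + [(i, "P201_PRESS", v) for i, v in enumerate(_P201)]
)  # interleaved by sample index, as an export would be ordered


def detect_changes(rows, window=10, min_points=5, z_threshold=4.0,
                   max_step=5.0, min_sigma=0.05):
    """Return alerts as (sample, tag, value, reason).

    A reading is flagged when it deviates from the trailing window of that
    tag by more than z_threshold standard deviations, or when it moves by
    more than max_step (engineering units) since the previous sample.
    min_sigma floors the standard deviation so a flat tag does not divide
    by zero. Rows must be ordered by sample index within each tag.
    """
    history = defaultdict(lambda: deque(maxlen=window))
    alerts = []
    for sample, tag, value in rows:
        hist = history[tag]
        reasons = []
        if hist and abs(value - hist[-1]) > max_step:
            reasons.append(f"step {value - hist[-1]:+.2f} exceeds {max_step}")
        if len(hist) >= min_points:
            sigma = max(pstdev(hist), min_sigma)
            z = (value - mean(hist)) / sigma
            if abs(z) > z_threshold:
                reasons.append(f"z-score {z:.1f} exceeds {z_threshold}")
        if reasons:
            alerts.append((sample, tag, value, "; ".join(reasons)))
        # The window keeps adapting after an alert, so a sustained change
        # raises one alert at its onset rather than a flood on every sample.
        hist.append(value)
    return alerts


if __name__ == "__main__":
    for sample, tag, value, reason in detect_changes(HISTORIAN_ROWS):
        print(f"sample {sample:>3}  {tag:<10} {value:>7.2f}  {reason}")
```

With the constructed readings, only `TK101_LVL` at sample 12 is flagged, for both the step rule and the z-score rule; the slow pressure ramp stays quiet. In practice the two thresholds are tuned per tag from the historian's own baseline, and an alert is a prompt for a controls engineer to confirm whether the change was an authorized setpoint move before anyone treats it as a security event.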

With cyber-attacks potentially becoming ‘uninsurable,’ what are the ICS resiliency measures that ICS and OT environments must adopt to deal with rising cybersecurity incidents? How swiftly can these action plans be put into place?

IMHO, I believe ‘uninsurable’ would only be a temporary measure, as insurance companies are in business to make money; therefore they cannot ultimately turn their clients and market segments completely away, despite the recent news that indicates more “war powers acts” and no coverage for infiltrations and data exfiltrations tagged as perpetrated by nation-state actors.

        • As such, the insurance industry is becoming more IT/OT knowledgeable and conversant to the point of restructuring their policies with new compliance requirements that enable continued coverage, and with new policies and levels of coverage depending upon the risk level they assess from the client’s reporting of IT & OT cybersecurity status, posture, improvement plans, resource staffing, etc.

In terms of resiliency measures, beyond what has been previously mentioned, there is taking a proactive approach with their insurance broker and even primary carrier(s) for property and casualty policies, with evidence and possibly desired policy/contract language that indicates their current, near-future and long-term IT/OT cybersecurity efforts to rectify, improve and bolster personnel resources, capabilities and continuous training plans.

  • Likewise, insurance companies also need to improve their segmentation of “Carrot & Stick” approach to policy language and support.
  • And, again IMHO, to achieve better policy offerings, and outcomes, there needs to be a collaborative, cooperative and integrated support from various federal agencies involved with Cybersecurity and Insurance to give Insurance companies and policy writers guidance on workable solutions for both the risk-takers and those needing cybersecurity risk avoidance (clients). This would include CISA, Federal Insurance Office (FIO) of the Treasury Dept, Board of Governors in the Federal Reserve System and the like, which sounds like an extremely large task given the lack of cooperation between them historically.


Tom Smertneck is a Strategy and Business Development Consultant, Manufacturers Representative at Energy Aspects LLC. He is recognized as a proactive connector of ideas, people and companies. He works as a catalyzing agent for innovative solution creation & delivery with concentrations in industrial automation and controls, industrial (OT) cybersecurity and high-value asset condition monitoring solutions. He has engaged with various entities across the sixteen critical infrastructure segments in our North Central Midwest Region since 1998.