Sailors assigned to Navy Cyber Defense Operations Command monitor, analyze, detect and respond to unauthorized activity within U.S. Navy information systems and computer networks. NCDOC is responsible for around the clock protection of the Navy’s computer networks, with more than 700,000 users worldwide. (Photo by Petty Officer 2nd Class Joshua Wahl/U.S. Navy)

Era of IT/OT Convergence Has Shifted Realm of Risk for Military Ops, Says CISO

Organizations that leverage operational technology (OT), particularly military and government entities, have been keenly aware of the rising threats to critical infrastructure. OT is foundational to driving operations within the Department of Defense, such as Navy vessels, where maintaining a strong security posture is crucial.

Unfortunately, the attack surface is expanding as OT becomes internet accessible. In fact, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) released an Activity Alert earlier this year that warned of increased malicious activity targeting critical infrastructure and urged organizations to take immediate action to secure OT assets.

As National Critical Infrastructure Security and Resilience Month just wrapped up, I’m sharing a few key measures for protecting these safety- and mission-critical systems in the era of IT/OT convergence.

Understanding Adversary Motives

Recently, I had the opportunity to speak with Christopher Cleary, the chief information security officer for the Department of the Navy, at Tenable’s virtual user conference, EDGE Week 2020. During our fireside chat, Christopher described Navy vessels as akin to floating cities, full of industrial control systems (ICS) that can be compromised during a successful OT attack. As these OT environments converge with IT, cyber risk becomes a priority concern.

Preventing attacks in these converged environments requires strategic awareness and defenses, including a keen understanding of adversary motives. “We see adversaries, depending on which one, begin to shift from solely looking at traditional IT systems,” Cleary said. “Certain bad guys want to get in to steal money, others may want to steal industrial secrets, but what’s worrisome is when you see the adversary looking to target ICS. It’s concerning because the biggest reason they would want to be there is to degrade those environments from operating, which would impact our ability to execute on our mission, whatever that may be.”

OT attacks differ from traditional IT attacks as the true, underlying motives of OT attacks are often blurred. “Today, it might be someone targeting a power distribution facility, such as what happened in the Ukraine. Nobody really figured out what happened during the time the power was out. Our adversaries may only need the light to go out for a minute to allow special forces to run through a field in the dark,” Cleary explained. “They may not need to take a piece of critical infrastructure of ours down to bare metal, they may just need to turn it off for a little bit. You could drive yourself crazy thinking what an adversary may want to achieve with targeting critical infrastructure.”

With potential motives boundless and an attack surface that now extends from OT to IT, today’s adversaries are able to traverse from one environment to another with relative ease. For this reason, taking a proactive stance in addressing cyber risk is crucial in order to see a threat, predict how it may affect operations and act to address it in real time.

Being proactive means security teams must secure OT by staying on top of critical vulnerabilities that an adversary can exploit to gain access to critical infrastructure. Identifying these high-risk vulnerabilities and moving quickly to remediate them allows teams to stay one step ahead of attackers. In order to identify these vulnerabilities, organizations should start with unified visibility.

Maintaining Visibility Across Converged Environments

I previously served as director of the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS‐CERT), where I saw corporations, civilian agencies and military entities spend millions to billions of dollars in protecting IT infrastructure, with little attention and investment made in OT security. Luckily, organizations are now starting to recognize the importance of also protecting these systems that power our global economy.

A key part of securing converged environments is holistic visibility. Organizations must have a bird’s-eye view of where both their IT and OT assets reside, who interacts with them and how exposed they are.

In the Navy, for example, visibility is especially critical to securing operations. “There are no two electrical systems in our base that look the same,” Cleary said. “We make sure to consider if we know where all the parts and pieces are, and who we can work with to put it together – often it is the person that built it 20 years ago. … Once every system is identified and their roles are understood, it’s just as important to understand what to prioritize when a fix is needed.”

It’s crucial for security teams to keep tabs on which assets are most critical to operations in order to prioritize vulnerabilities. Effectively identifying these high-risk vulnerabilities allows security teams to address attack vectors that are more likely to be leveraged instead of using precious time sorting through low-risk vulnerabilities.
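As an added example (not code from the article, from Tenable or from the Navy), the following script shows one way to put the visibility-and-prioritization idea above into practice: a unified inventory of IT and OT assets, each tagged with an operations-assigned criticality, an owner and an exposure flag, is joined against vulnerability findings, and each finding is ranked by a simple risk score rather than by CVSS alone. Findings that reference an asset missing from the inventory are reported separately, because an unknown asset is itself a visibility gap. The asset records, finding identifiers, scores and weighting factors are all constructed for illustration.

```python
"""Risk prioritization over a unified IT/OT asset inventory (added example).

All assets, findings and weights below are constructed for illustration;
the vulnerability identifiers are placeholders, not real CVEs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    domain: str          # "IT" or "OT"
    criticality: int     # 1 (low) .. 5 (mission-critical), assigned by operations owners
    internet_exposed: bool
    owner: str           # team accountable for the asset


@dataclass(frozen=True)
class Finding:
    asset_id: str
    vuln_id: str         # placeholder identifier (constructed)
    cvss: float          # 0.0 .. 10.0 base severity
    exploit_known: bool  # public exploit or reported active exploitation


# Constructed inventory: two IT assets and two OT assets.
ASSETS = [
    Asset("dc-01", "IT", 4, False, "IT Ops"),
    Asset("plc-pump-07", "OT", 5, True, "Facilities"),    # reachable via a remote-access modem (constructed)
    Asset("hmi-boiler-02", "OT", 5, False, "Facilities"),
    Asset("ws-1142", "IT", 1, False, "IT Ops"),
]

# Constructed findings; VULN-E points at an asset the inventory does not know about.
FINDINGS = [
    Finding("dc-01", "VULN-A", 9.8, True),
    Finding("plc-pump-07", "VULN-B", 7.2, False),
    Finding("hmi-boiler-02", "VULN-C", 5.3, False),
    Finding("ws-1142", "VULN-D", 9.8, True),
    Finding("unknown-plc", "VULN-E", 8.0, False),
]

# Assumed weighting factors; a real program would tune these with mission owners.
EXPOSURE_WEIGHT = 1.5
EXPLOIT_WEIGHT = 1.5


def risk_score(asset: Asset, finding: Finding) -> float:
    """Severity scaled by how much the mission depends on the asset and how reachable it is."""
    score = finding.cvss * asset.criticality
    if asset.internet_exposed:
        score *= EXPOSURE_WEIGHT
    if finding.exploit_known:
        score *= EXPLOIT_WEIGHT
    return round(score, 1)


def prioritize(assets: list[Asset], findings: list[Finding]) -> list[tuple[float, Asset, Finding]]:
    """Return (score, asset, finding) triples, highest risk first, skipping unknown assets."""
    index = {a.asset_id: a for a in assets}
    rows = [
        (risk_score(index[f.asset_id], f), index[f.asset_id], f)
        for f in findings
        if f.asset_id in index
    ]
    rows.sort(key=lambda row: row[0], reverse=True)
    return rows


def unknown_assets(assets: list[Asset], findings: list[Finding]) -> list[str]:
    """Asset ids that appear in findings but not in the inventory: a visibility gap to close."""
    known = {a.asset_id for a in assets}
    return sorted({f.asset_id for f in findings if f.asset_id not in known})


if __name__ == "__main__":
    for score, asset, finding in prioritize(ASSETS, FINDINGS):
        print(f"{score:6.1f}  {asset.domain:2}  {asset.asset_id:14}  {finding.vuln_id}  owner={asset.owner}")
    for asset_id in unknown_assets(ASSETS, FINDINGS):
        print(f"visibility gap: finding references unknown asset {asset_id}")
```

Running it ranks the medium-severity finding on the internet-exposed, mission-critical PLC above the critical-severity finding on a low-criticality workstation, which is the point of the passage: severity alone does not tell a team where an adversary's access would hurt operations most.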

Communicating Cyber Risk

Security leaders are now tasked with understanding the full scope of cyber risk in order to communicate to mission owners how a potential attack could directly affect operations. Without counterparts from the operations side on board with tackling cyber risk, it can be difficult to improve an organization’s security posture. For this reason, security leaders must translate cyber risk into a common language to communicate the ripple effects of a cyber threat – both in monetary loss as well as mission failures. “At my level it’s about trying to articulate the risk and the interdependencies of all of it, how I can present that risk and how we can look at ways of mitigating that risk,” Cleary said.

As adversaries set their sights on vulnerable OT, more organizations are taking a proactive stance to predict adversary motives and reduce their risk. Organizations that operate critical infrastructure, especially military entities, must maintain full visibility across IT/OT environments, prioritize high-risk vulnerabilities and communicate cyber risk to peers in order to effectively improve security posture in converged environments. Taking these critical steps allows security teams to secure cyberspace and avoid interruptions to mission-critical operations.


Marty Edwards is a globally recognized Operational Technology (OT) and Industrial Control System (ICS) cybersecurity expert who collaborates with industry, government and academia to raise awareness of the growing security risks impacting critical infrastructure and the need to take steps to mitigate them. As Vice President of Operational Technology Security at Tenable, Edwards works with government and industry leaders throughout the world to broaden understanding and implementation of people, process and technology solutions to reduce their overall cyber risk. As industry Co-Chair of the Control Systems Interagency Working Group (CSIWG), he works to promote and advance OT security across the public and private sectors. Prior to joining Tenable in 2019, Edwards—a 30‐year industry veteran—served as the Global Director of Education at the International Society of Automation (ISA). While at ISA, he was recognized by his industry peers with the SANS ICS 2019 Lifetime Achievement Award. Prior to ISA, Edwards was the longest‐serving Director of the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS‐CERT). Edwards also served as a program manager focused on control systems security at the Department of Energy’s (DOE’s) Idaho National Laboratory (INL) and has held a variety of roles in the instrumentation and automation fields. Edwards holds a diploma of technology in Process Control and Industrial Automation (Magna cum Laude) from the British Columbia Institute of Technology (BCIT), and in 2015 received the institute’s Distinguished Alumni Award. In 2016, Edwards was recognized by FCW in its “Federal 100 Awards” as being one of the top IT professionals in the U.S. federal government.
