OT-Security: “Those two controls could have prevented most of the attacks”

Dale Peterson [Part 2/2]

Dale Peterson is the co-founder and managing director of Digital Bond Inc. He has many years of experience in the IT security sector and is the creator and program chair of S4 Events, the world’s largest conference for industrial cyber security.

Dale Peterson, co-founder and managing director of Digital Bond Inc.

Here you can find the first part of our interview with Dale Peterson.

What are your current thoughts on OT network monitoring and anomaly detection? We know you’ve done extensive analyses regularly on these systems.

As you said, I’ve looked at this a lot. And I’m a big fan of the technology. I think where most people are having trouble with it is, they are either using it for the wrong purpose, or, even more often, maybe they’re putting it in before they’re ready.

So in terms of using it for the right purpose, a lot of the early sales of this technology were, well, it was originally built as a detection product, but people were using it to get an asset inventory because they had no asset inventory. They had old spreadsheets. One of these vendors would come in and hook into the SPAN port on a switch and all of a sudden would see all these things. And the asset owner said, wow, I’ve never had that. This is great.

But it’s really not an asset inventory or asset management product. If that’s what you want, you should really buy a product specifically for that, like Langner OT-Base or Tripwire; even some of the vulnerability management companies like Tenable now have this capability. But you want something that will be your single source of truth for asset management, that preferably even has things like change control.

These detection products, they should connect to your asset management product. So when they see something new on the network, they should send it to the asset management, and the asset management should send information about what they know to the detection product. But make sure if you’re buying a detection product, you’re buying it for detection.

The timing issue is really important because if you’re not in a position where you can use the product, then why waste your money on it? And we saw this in enterprise IT as well. People bought a lot of intrusion detection systems and they just sat there and no one ever looked at them. So if you don’t have an incident response capability, then what good is the AI detection product? So if you don’t have that OT incident response capability in house, or on retainer, don’t even bother getting this.

Then if you do have incident response, and you’re saying, I’m buying this to monitor the network, do you have the team, are you willing to spend the resources to actually monitor the network? So I see a lot of people buying these things and they’re not really ready for them.

And is this what you should be doing at this point for efficient risk reduction? Would you be better off with consequence reduction, with improving your recovery capability, maybe with putting in application whitelisting? Is this what you should be doing next? The problem is, the marketing efforts of these 20-some companies are awesome. They’re out there hitting every executive, every board. So, a lot of companies are getting pressure from the top to say, what is our detection strategy? Which product are we buying?

And if I’m an asset owner, I want to get ahead of that curve. I want to go to management and say, this is our strategy. And we’ll be ready for this product. You know, before the board comes and says, how come we’re not doing this?

Is it fair to say that unless you’re operating something like a nuclear power plant, that you can probably focus on level 2 and upwards for security measures and patching?

Well, this is where I’m a contrarian. Until you fix level 1, there’s not a lot of value in risk reduction in securing level 2. Because if I’m at level 2, I can do whatever I want. I have this patching decision tree that’s called ICS patch, and it really focuses on exposure. So rather than saying, I’m going to try to secure everything on level 2, I might say I’m going to secure everything that is accessible from outside the network, from, like, the ICS DMZ, from level 2, or I might even say I’m going to segment my engineering workstations and secure them more, but my operator stations not.

So, this again goes down to where do I spend my money? Would I rather spend my time and money patching everything on level 2 every quarter? Or would I rather put in application whitelisting?

Can you tell us about a case of a medium-sized business, so not a large utility or a uranium-enriching facility or something like this, where you say better OT security would maybe have prevented the attack or would have mitigated the consequences of the attack significantly?

I actually think this is an easy answer because what we’re seeing is the same issue in most of the exploits that are public. Probably the number one way to stop attacks right now is two-factor authentication for remote access.

If you look at almost all the public issues that have come up in the last three years, there are people riding in on single-factor authentication remote access. They get the credentials and they’re in there for months planning their attack.

And then the second way, and we’ve seen it as very obvious too, is removable media. And that’s usually mass-market malware. So those would be the two controls that would stop most of the attacks that we’ve seen over the last few years.

Many CIOs and CISOs that we are in contact with tell us they are really swamped by the marketing of cybersecurity providers and consultancies. So what would be your advice on vendors for cutting through the noise?

That’s a good question. I think they’re doing a pretty good job, right? They’re scaring the heck out of the customers. They’re getting customers to buy things oftentimes that are not the right things for them to be buying. Not that they’re bad, but they’re just not at the right part in their program.

If I was consulting for a vendor that was trying to make an impact, I would say, try to go above the CISO. Often, at least one of the board members or even the CEO loves security and likes to get involved with a recommendation to the CISO, because they read an article on a new product. The CISO can try to convince, but if a vendor finds and convinces a board member, it’s going to be tough for the CISO to push back. They also have some job preservation to do.

What is a half-truth or a wrong statement in your opinion, which you still encounter often in ICS security?

Well, I think the “cyber hygiene” one is the one that bothers me the most. First of all, I think it’s misstated. Hygiene is what everyone does, right? We are all supposed to wash our hands and wear a mask these days. And I don’t consider patching or hardening a configuration something that everyone does. That is what an OT security professional does. So I think the term itself is a little wrong.

And I also think this mantra that everyone’s responsible for security is wrong, because really, if I’m relying on all my people to do the right thing for me to be successful in security, I am going to fail. And I’ve shown these charts with the seatbelt adoption in the United States where you just cannot get people, even if it’s in their own self-interest, even if it’s a law, you can’t get them all to do the right thing. And look at all the effort it took in safety systems to get us where we are. And we still go through this song and dance on safety, and we still don’t get a hundred percent. It would take us decades to get where we are in safety with security. So I would rather see us focus on reducing the burden on the engineers, the technicians, the operators. Really, just make them authenticate. And tell me if someone is sitting down at an engineering workstation that you don’t recognize. Other than that, I want it all to be automated.

And we are seeing people measuring cyber hygiene as their key metric. And I think that’s just a big mistake. And unfortunately, I don’t know if that movement can be stopped. I think that has got a lot of momentum. If you attend any conference, you will hear that over and over again. You’ll hear patching over and over again, as the most important thing we need to do. I would like to see the CISOs get a little bit smarter on that.

Final question: If you could send an email to all the CIOs of the world, what would be the core message?

Focus on risk. Don’t treat your OT cyber risk any differently than risk in other parts of the company. Spend your time and money where it counts to reduce risk, and make sure you’re looking at both sides of the risk equation: reducing the likelihood and reducing the consequences.

Please remember: This article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.