
OT: Air-Gap is a myth and Cloud is here to stay! - Vivek Ponnada

BSides Vancouver | 20:12 | 118 views | Published 2022-07
About this talk
The cybersecurity (or lack thereof) of Industrial Control Systems in critical infrastructure has always been an open secret. Back when OT systems were disconnected from the rest of the enterprise, there was some advantage in the ‘air-gap’ and in ‘security by obscurity’, due to custom-built hardware and software in conjunction with proprietary protocols. Further, criminals had other, softer targets, so unless an organization had to worry about IP theft or (limited, mainly NERC-CIP in power) regulations, most firms didn’t have to worry about the lack of even basic security defenses in OT, such as authentication, encryption, etc. All that is history. The interconnectivity brought by increased digitization and Industry 4.0, mixing networks with IT systems (ERP, billing, etc.), means that OT and the increasing IoT implementations pose a significant risk to organizations, as demonstrated in recent high-profile ransomware and APT activity. Therefore, security solutions that are relevant to OT and IoT systems while integrating well with IT systems are now required for maintaining an accurate asset inventory, identifying key vulnerabilities and monitoring the active threat landscape as part of an enterprise risk mitigation strategy.
Transcript [en]

Vivek Ponnada, I am. Oh, so it looks like the slides are available, so let me just share my slides. Okay, is it working now, Ashley? Okay, perfect, so we'll continue. Quick background: I've been in the industrial control space all my life; I've been doing OT security for the past eight and a half years. My background: I have an engineering degree and also an MBA in finance, and a sensor for industrial control. So when I'm talking, usually I talk with a big bias towards operational technology and in general the ICS space. Currently I work for Nozomi Networks; I'm the regional sales director for Western Canada. I'm based here in Vancouver, and some of you know me from my

participation in the community here in BSides, as well as ISA and ISACA. I also happen to co-lead, with Sarah Fluchs, the Top 20 Secure PLC Coding Practices project. So, the interesting discussion for today. Quick peek at the agenda: air gap was a thing, so we'll go a little bit deeper into what that was and why it isn't valid anymore. Then let's talk about the Purdue model and things that break the Purdue model, and then a reality check about where we are. These pictures should tell you a good story. On the left you see a big piece of equipment; it doesn't matter to you what that is, it happens to be a steam turbine

producing power. But if you look at this picture, this is actually from the early 1900s, so 100 years later, if you walk into a turbine hall, the equipment looks very similar. The technology, all the metallurgy, evolved; the temperatures at which we run these things evolved; the amount of megawatts they produce evolved; a lot of things kind of evolved, but they look very much similar. So the key difference is, back in those days these sensors were all local. If something was measuring pressure, you would display the pressure on this indicator here; if something was measuring temperature, it would show up on the gauge right there, for an operator to go and troubleshoot and click on things,

right, adjust levers, adjust valves, anything that was local. So that's all localized control. And then eventually, now, most of this control is done by programmable logic controllers, PLCs, the picture that you see at the top right here, and the sensors too have evolved. So here you see a pressure transmitter. The fitting here, the tubing, that hasn't changed in 100 years, or actually hundreds of years, but the thing at the top definitely evolved. So that's all digitized: you see this local indication, but it also communicates to this programmable logic controller over wires, usually two wires that go in here. A physical milliamp signal, a four to twenty milliamp signal, goes to the PLC, and then

a four to twenty milliamp output also goes to a valve. You see this valve, this is a globe valve; this hasn't changed in hundreds of years. However, it now has a smart positioner at the top. This smart positioner not only does control of the valve, the valve position, but also gives you indication about, you know, if the proximity switch that's showing the open or closed feedback is faulty, or if the valve calibration is out of whack, meaning the zero position, the max position, if they are not exactly what they should be. This smart positioner can adjust it: you can calibrate the valve, you can stroke the valve, meaning move the valve position, from remote. So those are the additional features we

got with these introductions of smart features. And this has nothing to do with our smart 22nd century thing; these things happened in the late 1900s. So the sensors got smarter, the end devices got smarter, by tacking on things to something that already worked for 100 plus years. Okay, now the picture on the left, I don't know if you're able to see it clearly here; it's showing black on my side, but maybe that's well worth it. The picture on the left was supposed to be an older control room. Okay, in the older control room the operator had limited view, but they still had a view: they had data recorders, they had slides, they had paper charts, they had a big red button

to push in case something was wrong. It looked pretty messy, because you needed a direct connection from these sensors and outputs, actuators, in front of the operator. But then to the right, where now the operator has a lot more view, right? You see all these displays, all these video screens, where they can see live animations of where the process is, what pipeline has what temperatures, what product, what pressures, what furnace, you know, is burning at what temperature. All those things the operator can see on a display, right? And they can choose to rearrange, they can reorganize, they can monitor the process much better. All the data is now in front of the operator, versus before, when it

was a struggle to pick and choose what was available. Okay, that brings us to the most famous OT model that you'll ever see out there: it's called the Purdue model, and I say that's the torchbearer of OT, because that's what we use as a reference. Whenever we see OT equipment, we say, where does it line up in the Purdue model? This model goes from level zero to level five, and I put the same pictures so that you can relate to them. So at level zero you have these sensors and actuators, right? So the pressure transmitter that we saw in the previous picture, and the valve and the smart positioner that we saw in the previous picture, would be considered level zero. There is

some kind of processing, some kind of data. Historically, like in the 60s, 70s, 80s and the 20th century, it was strictly milliamps and volts, but since then we added different protocols that can bring in additional data, like the HART protocol, different fieldbus protocols, that now have more data. So you can now configure the transmitter to say this transmitter would be called PT01 in section one, or you can configure this smart positioner to say this is VAL 2001 controlling some kind of ethylene equipment, right? So you can do all that stuff at level zero. At level one you have these controllers, programmable logic controllers, distributed control systems, and then at level two you have this user interface, right, operator

interface or engineering workstation that you use to download programs to the PLCs, and the operator, again the same picture, so you can see how that lines up in the Purdue model. Now, air gap as we hear about it came in because back in the day, back in the 19th century, early 20th century, even late 20th century, all these things were limited in connectivity. So the amount of data that went from zero to one was strictly limited to whatever the sensor information was and whatever the valve output needed to be from the controller, and the most they traveled was to this level two. And there were no switches back in the day, because this was not Ethernet, this was not

the regular IT protocols that we're familiar with; these were all proprietary at the time. So there were some connections, but most of the data was limited to this, so level two and above were disconnected, meaning if you were in the plant and your email, let's say in the 1990s you had email obviously at the corporate level, you had other systems managing inventory, looking for billing, things like that, those were disconnected from this process network. So while air gap is a technical military term, they applied that in OT, saying hey, this section is disconnected from the rest of the IT network, so let's call it air gap. That kind of made sense, right? And because of that, the risk to

the OT network, or the risk from the OT network to IT, vice versa, both of them were limited, because you were not physically connected; these things were not connected to the IT network. Now, in this newer model, where everything is connected everywhere, there's a reason and purpose for that, right? Because the data here is rich, is useful, is beneficial for a lot of things, it started being connected to the IT network. So in this reference base case model, what they're saying is you have a DMZ where you terminate things from the internet, and then you separately authorize and authenticate data coming from OT, because most of these OT networks have obsolete systems and unpatched

systems, unsupported systems. So this architecture, if you build it a certain way, if you build it with security in mind, you would have a DMZ and you'll have firewalls with specific rules to allow for specific access, specific types of access, specific protocols. All that is in theory, right? So this Purdue model is, in theory, how it would work even if you have an OT network that's, you know, fairly insecure. So that's the concept. And again, the reason for connectivity is you have production systems, you have inventory management, you have billing. If you're a pipeline company, for example, that wants to know what product is actually in the pipe right now and how much you're billing

your end user, that information is at this level zero. So for that information to be used for billing, or to be used for something else, for inventory management or for bidding on the next megawatt, you need that information in your IT systems. So how do you get there is to have some kind of implementation like this, where you have firewalls in place, you have routing, you then have a DMZ where you terminate the connection, and then have someone else from IT, from internet access, get to the DMZ and collect the information. That's the idea, anyway. Okay, however, things that break the Purdue model. So by design, if you have an IoT device, whether it's an audio or video recording device,

including drones that are used these days to collect information. For example, if you want to inspect the top of a stack, you send a drone up there, and that drone is collecting information about the status of what it's visualizing, but it might also have a 4G or a 5G modem, right? Or if you have smart sensors for data collection: now if you have a pipeline pig that's collecting information while traveling through the pipeline, or if you have other sensors that collect information about the weather, because that's what you're using in your process. If you're a transmission distribution company, this weather related sensor is important, because you might want to dispatch people or personnel in advance where

you're expecting some kind of tree fall, right, so that you can clear the shrubs, have less of an outage window. Or if you have other barcode readers or any of the other IoT devices that are proliferating everywhere for good reason: they have these modems built in. So that breaks the Purdue model, because now all the data is not strictly going from level 0 to level 2, but it's directly connected to the internet. Same thing with PLCs: we now have PLCs available with a web server and 5G modems built in, which completely breaks the Purdue model, because now the level 1 device is directly able to access the internet. And then by dependencies, right? So if you

have a vendor that you need support from on some operation of your gas turbine, for example, and they need to be able to log into your HMI, the human machine interface, to be able to help you troubleshoot or maybe optimize some of the operation, they typically have some kind of remote access to your HMI. Now, you can do it properly, securely, through the DMZ, or, like in most cases, the vendor has only, you know, one tested way of doing it, and that's a direct connection to the user interface. And then in other cases, by practice or by errors, right? So maintenance personnel accessing the engineering workstation from the office network happens all the time, so they bridged, without the DMZ,

directly their level 5 network to the level 2 engineering workstation. Or maybe some other process optimization inputs that have direct access to the HMI; again, this happens because you're trying to optimize something with information that you have in level four or level five, and you now have direct access to level two in the model. And then billing and ERP systems that are able to write to the HMI as opposed to only reading, right? Because if you have a firewall, it's all based on rules, right, so you might have a bad rule that then says, you know, not just reading but also enabling write. Similarly, undocumented external connections; this happens all the time. If

an operator connects a cell phone to charge on the HMI, and suddenly has created a bypass to the HMI, right? And then misconfigured firewalls, we talked about one before; misconfigured routers happen all the time. In my line of work I see this all the time, where people think they have no connections; they say, oh yeah, we're air gapped, we're disconnected, and next thing you know, you do a passive ingestion of packets on the network and you realize they've had so many external connections that were not documented. So by all these problems the Purdue model is broken, right? So the theoretical model never was true in the first place, but even if you had this idea that you have

this plant built with the Purdue model in place, it's still broken because of all these things. Next up, industry trends, right? So these are the other aspects of, you know, the cloud is here to stay piece. So digital transformation, cloud analytics: we all know in our IT world how much of a benefit we got from these cloud analytics projects, right? Same thing on the OT side; a lot of end users are leveraging these transformation projects to connect more things. So you need more data, which means more connectivity. And then significantly faster and inexpensive projects leveraging IoT. So if you were to connect the sensor in the traditional way, right, lay new cable, lay new hubs, lay

new everything, just to get a piece of information from a remote tank farm onto the, you know, level zero network, to level one, to level two, that sometimes costs you millions of dollars, versus putting a sensor out there that has an IoT capability, bring it to the cloud, and you're just done with a couple thousand dollars, right? So you see significantly different economies of scale leveraging IoT, which means even more cloud application in OT. And then retiring experienced professionals. Sometimes you hear this thing: oh, in the past we were able to run this in manual; in the past we did not need internet connectivity; or even if our IT side has ransomware, we can run OT

manually. All that is gone, right? So the experienced professionals that could do it manually have retired or are retiring, or the tools that were in place, the methods, the processes in place that were able to cause this manual operation, don't exist anymore. So you can't go back; I mean, this is one of those things where the wine is being uncorked, you can't put the cork back. And then risk analysis, right? It's meaningless for organizations, now that cloud is here to stay, to focus just on IT risk. The business risk is the key, right? At the end of the day you have to figure out if the incident, whatever that might be, happened and happened to, you know, cause any

disruption to your primary business objective. Did it cause any production loss, yes or no? That's the only important piece, right, as far as the production is concerned. And then if there was any unacceptable impact on personnel health, safety or environment; this has always been the case with OT, right? OT essentially, every time you think about OT and industrial control systems, you're thinking personnel health, safety and environment. So that hasn't changed: if there's an impact, that's what you've got to look for, risk analysis and risk mitigation for that piece. So clearly, ransomware affecting only IT systems and OT systems not being attacked, that's just irrelevant. The key thing is to figure out if your business is at

risk because of this increasing application of cloud and IoT in the OT space. And then actions, right? What you have to do in OT is slightly different from what you do in IT. In OT you have to still identify all your assets; most OT places don't have asset information, asset inventory; they don't have a good asset management structure in place. You have to start there. You have to then assess your vulnerabilities, and then monitor the risk, right, over time: detect any anomalies and detect any threats in your environment. And then this is another key aspect: in IT you're used to, let's patch up things; as long as you're up to date, you're in good, you know, golden shape, right? But that's not

the case here. In our case, we not only have to think about reducing likelihood but also have to think about impact. So if something wrong would happen, how can you limit the worst case that can happen? So if you know of a furnace that can go, you know, boom in case of an OT impact, you have to figure out what other physical boundaries, or whatever physical ways, you can cut off fuel, for example, to limit the impact, right? I know we're going slightly over, so let me make it quick on the last slide here. So, final thoughts: all the things that I mentioned in the previous slide about how cloud, connectivity, analytics and everything is

here to stay and you can't undo it, right? And how you start with the asset discovery, asset visualization; all that is step one. I mean, thankfully, you know, that's a good step, like collect a lot of information, rich information for you to use going forward. But you still have to go through these other steps: you have to still go through personnel training, right; still leveraging industry groups, if one industry, one vertical, has a main attack vector, you know, leverage that for the others in the industry; establish a disaster recovery policy and a recovery time objective. And this is crucial, like if you're talking about fire, right? So most of the OT installations historically have had

great plans for fire, but because fire is something you don't really plan for, right, you say, hey, in case of a fire, you know, we throw all our resources at it, you know, bring the community resources, bring the water, bring the fire personnel, everybody. But you don't plan for rebuilding right away, because that's not how those extremities work. Whereas in our world you have to build resilience, like you have to be able to constantly adapt, to say, I'm expecting this kind of cyber attack, whether it's ransomware or something else, and how do you get back up really quickly, right? For that you have to do tabletop exercises, incident response exercises. And then obviously you can outsource every one of

your incident response scenarios, but you have to have a retainer with someone, right? You have to build your own personnel but also have a retainer with a third party. And then once you have an incident, post-incident management, that's crucial, right? Think about a ransomware situation: some countries are making it illegal to pay ransom. And then, unlike in IT, right, you can't just come back up; it's not like you can re-flash an image or restart a container. Like, in our world you have to rebuild everything from scratch, which means that sometimes, even if the recovery key works, it might take months for you to come back up. So you have to have a recovery

time objective for coming back up in a much quicker fashion, right, whatever is applicable for your industry and for your company. So there's a lot more to our OT world, where cloud is increasingly everywhere, prevalent 100 percent, right? A lot more IoT, for sure. The air gap, that hasn't existed in more than two decades; people still keep talking about it. So when you hear that, tell them air gap is a myth, it doesn't happen anymore, and cloud is here to stay. With that I will end and take any questions.
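The "passive ingestion of packets" check the speaker describes, written out as an added example (it is not from the talk, and it is not Nozomi Networks code): given an asset inventory tagged with Purdue levels and a set of conversation records of the kind a span-port capture gets summarised into, it flags the three patterns the talk lists as breaking the model: an OT host talking to something outside the inventory (a modem-backed cloud endpoint, a phone charging on the HMI), an enterprise host reaching level 2 directly instead of through the DMZ, and a Modbus write coming from anything other than the engineering workstation. The inventory, the site prefix, the addresses and the flows are all constructed; the allowed-writer list and the Modbus write function codes are assumptions you would replace with your own site's rules.

```python
"""
Added example, not from the talk: a passive "does this really look air-gapped?"
audit over constructed conversation records against a constructed Purdue-level
asset inventory. Everything below the imports is hypothetical sample data.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

DMZ = 3.5  # industrial DMZ sits between level 3 and level 4

# Constructed inventory: address -> (name, Purdue level).
INVENTORY = {
    "10.0.0.11": ("PT01 pressure transmitter", 0),
    "10.0.1.10": ("PLC-1", 1),
    "10.0.2.20": ("HMI-1", 2),
    "10.0.2.21": ("EWS-1 engineering workstation", 2),
    "10.0.3.50": ("Historian-DMZ", DMZ),
    "10.10.5.5": ("ERP-APP", 4),
    "10.10.9.9": ("OFFICE-PC-42", 5),
}

# Plant address space (constructed); anything outside it counts as external.
SITE_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]

# Modbus/TCP function codes that write coils or registers.
MODBUS_WRITE_FC = {5, 6, 15, 16, 22, 23}

# Hosts permitted to write to controllers (assumption: only the EWS).
ALLOWED_WRITERS = frozenset({"10.0.2.21"})


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    modbus_fc: Optional[int] = None  # function code when the flow is Modbus/TCP


def level_of(addr: str) -> Optional[float]:
    entry = INVENTORY.get(addr)
    return entry[1] if entry else None


def is_outside_site(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in SITE_PREFIXES)


def check_flow(flow: Flow) -> List[str]:
    """Findings for one conversation; an empty list means it fits the model."""
    findings = []
    lv_s, lv_d = level_of(flow.src), level_of(flow.dst)

    # 1. An inventoried OT host (levels 0-3) talking to something the inventory
    #    does not know. DMZ hosts (3.5) are expected to face outward, so they
    #    are not flagged here.
    for ot, ext, lv in ((flow.src, flow.dst, lv_s), (flow.dst, flow.src, lv_d)):
        if lv is not None and lv <= 3 and level_of(ext) is None:
            kind = "outside site address space" if is_outside_site(ext) else "un-inventoried host"
            findings.append(f"external: {ot} (L{lv:g}) <-> {ext} ({kind})")

    # 2. Enterprise (level 4/5) reaching level 2 or below directly, skipping the DMZ.
    if lv_s is not None and lv_d is not None:
        hi, lo = max(lv_s, lv_d), min(lv_s, lv_d)
        if hi >= 4 and lo <= 2:
            findings.append(f"dmz-bypass: L{hi:g} <-> L{lo:g} ({flow.src} -> {flow.dst})")

    # 3. A Modbus write from anything other than an approved writer.
    if flow.modbus_fc in MODBUS_WRITE_FC and flow.src not in ALLOWED_WRITERS:
        findings.append(f"write: {flow.src} sent Modbus FC {flow.modbus_fc} to {flow.dst}")
    return findings


def audit(flows) -> List[Tuple[Flow, List[str]]]:
    """Only the conversations that produced at least one finding."""
    return [(f, fs) for f in flows if (fs := check_flow(f))]


def summarize(results) -> dict:
    """Count findings by category (the word before the colon)."""
    return dict(Counter(msg.split(":")[0] for _, fs in results for msg in fs))


# Constructed sample capture summary.
SAMPLE_FLOWS = [
    Flow("10.0.2.20", "10.0.1.10", 502, 3),      # HMI reads PLC: fine
    Flow("10.0.2.21", "10.0.1.10", 502, 16),     # EWS downloads to PLC: fine
    Flow("10.0.3.50", "10.10.5.5", 1433),        # DMZ historian -> ERP: designed path
    Flow("10.10.5.5", "10.0.2.20", 502, 6),      # ERP writes straight to HMI
    Flow("10.10.9.9", "10.0.2.21", 3389),        # office PC RDPs to the EWS
    Flow("10.0.1.10", "203.0.113.7", 443),       # PLC with a modem calls a cloud endpoint
    Flow("10.0.2.99", "10.0.2.20", 5555),        # unknown device (phone on HMI USB)
]

if __name__ == "__main__":
    results = audit(SAMPLE_FLOWS)
    for _, fs in results:
        for msg in fs:
            print(msg)
    print(summarize(results))
```

Run against a real capture, the interesting column is the "external" one: every entry there is either an undocumented connection or a gap in the inventory, and the talk's point is that both get found by listening, not by trusting the network diagram.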