
Well, I appreciate everybody for coming. I think, again, not an AI talk, but I appreciate again everybody's time. We're going to talk about a subject very near and dear to my heart: we talk about industrial control, or OT, cybersecurity. I probably in some way suckered everybody, because the original title of the presentation was "How do we secure critical infrastructure?" and I had a really great presentation I do through my office, and it's very, I don't know, straightforward. I mean, it's great information. And then I realized two days ago I wanted to blow it all away and start with something else. So we're still going to touch on the same content, but just from a little different aspect, and I think it'll probably be a little bit more fun. And so I came up with, yes, things we say, or I say, to piss off, I call them, the cranky old white guys in the control system community, right? And you find them everywhere, but we'll talk a little bit about that as we go on. So please, everything we talk about, just hold it against me, not the companies that I work with.

Just a little level set so you know a little bit of who I am. My name is Mike Holcomb. I'm the Fellow for Cybersecurity, for those of you that know Fluor; we're one of the world's largest engineering and construction companies in the world, and I'm also the practice lead for ICS/OT cybersecurity. So I actually do get the advantage of working in some of the world's largest ICS/OT environments. So you see in the upper left was my very first project, which is the largest traditional power plant in the Western Hemisphere, which was where I fell in love with power for the very first time. I got to work on the New New York Bridge, I got to do offshore oil rigs for Shell, and then our largest project right now for Shell, and just our largest project, their largest project, is a $50 billion LNG port facility up in Canada where, any Gold Rush fans? I used to be a Gold Rush fan. So it's actually like literally two miles from where they film Gold Rush, which is really cool. The really exciting thing about this: it's actually really a small town, it's almost like a medium-sized town. You kind of see the tank where we store the LNG down below; that's the size of a large sports arena, just to kind of give you an idea of the size and scope. So when we first started talking about it from a risk assessment perspective and talking cybersecurity, I wasn't thinking as big as that. So that's a little bit about me and what I do.

So a main focus for me, especially these days, is working in different environments with different clients and getting owners and operators to understand they are targets, right? ICS security reminds me of IT security 20 years ago: nobody thought they were a target when we were all sitting ducks, and that's very much the same for OT these days. And if you're not familiar with the ideas, the owner is the company that owns that facility, right? So if we're talking about that Dominion Energy power plant, Dominion Energy is the owner of that facility. You have the operators; that's a company that runs the power plant, right, generates electricity to allow the owner to make money at the end of the day. So, sounds straightforward; it's just weird when you're not familiar with those terms. And usually the owners and the operators are the same company, or they could be different, right?

But real quickly, I want to talk about the five ways that attackers typically are going to get into the OT environment, and hopefully if this is new to you it'll make a little bit more sense in a couple of slides. But for now, the number one way attackers get into the OT network is through IT. And that makes sense, right? We have people in the back office, right, they're sitting in their cubicle in their office, they're on the internet, they're browsing the internet, they're reading their emails, they're clicking on links, they're opening up attachments that they shouldn't be, right? They get infected, the attacker now has that foothold in IT, and it's just a matter of time before they move into the OT environment if a path exists. So we're going to come back to that.

So we have this fancy term called transitory cyber assets that can be brought into the OT network. So what are some examples of transitory cyber assets? Laptops, right, USB, yeah, anything we bring into the environment. I said fancy term just for, yeah, stuff we bring into the environment that we plug into systems, that could be infected and potentially give the attacker another foothold, right? That was Stuxnet, which we'll talk a little bit about. So I've seen, unfortunately, environments where you have the OT network, or IT network, with assets that are exposed to the internet, usually accidentally, or maybe somebody did it on purpose thinking they were doing the right thing, right? So we worry about that. We worry about remote access capabilities. Most OT environments today have remote access for people to come in to do maintenance remotely, whether because of COVID, or we don't want to pay their travel, or there's a lot of environments that I don't want to be in to do maintenance on systems, right? It's just simply not safe. And so we love this idea of remote access capabilities, even if it's just a safety consideration, right? And then malicious insiders are really a big thing in the OT world.

But the landscape changed with Colonial Pipeline. So this was May of 2021, so about two and a half years ago. Right before Colonial Pipeline, OT environments only worried about what type of attackers? What was the one main group of attackers we were worried about getting into our power plants and our chemical refineries? Nation states, yeah, the advanced persistent threat, right? So it didn't matter if it was the Americans, the Chinese, the Russians, right, you're always worried about the APTs, and that's all you were worried about. With Colonial Pipeline, it wasn't a nation state that took down the United States' largest gasoline pipeline for 10 days; it was what? It was a ransomware group, right? Anybody remember the name? DarkSide. So I'm like, okay, I'm a Star Wars geek, I'll roll with it, I can appreciate it, right? The idea is it wasn't a nation state, though, it was DarkSide, right, sending out a bajillion emails to everybody on the face of the planet trying to get somebody to click on a link or open up an attachment and infect their computer, and somebody in the back office at Colonial Pipeline did exactly that. Their entire environment burned completely down to the ground, and then Colonial Pipeline said, oh, we're going to shut down the OT network, right, which shut down the pipeline, and it was down for 10 days. And so there were repercussions, and of course there was some money loss, but life got back to normal. But at the end of the day, well, guess what: all the other ransomware operators out there, they realized, oh, you know what, we're in it to make money, so guess what, if we start targeting these environments, I bet we can make more money, right? And activists: we've actually seen a big rise in activism around OT environments. So all of our environments are becoming, not only are there more attackers now and different types of attackers, but the volume of attacks has just completely risen off the charts.

So this was my original talk, and so this is where I had taken the idea of the critical security controls from IT. How many of you are familiar? Oh, usually there are a lot more, especially with the usual SANS crowd in Austa, right? But the idea is, you know, taking those critical controls in IT but bringing them into the OT world. So I love the critical security controls because (a) it was written in plain English so anybody could understand it, right? My mom could read the document and understand it, probably, right? The other great thing about it: it was a prioritized list. So if I didn't have a cybersecurity program, then I know exactly where to start, and then I can work my way down the list as I have time and other resources, like money, right? And so when I was building our list, the idea was: what's the first thing, the one thing I can do, if I could only do one thing to protect my OT network? Well, it would be put a firewall between IT and OT. Doesn't sound very complicated, and yeah, there's a lot more, that's why there's a big bucket called secure network architecture, but that's that one thing where we would start. And then you can see we go from incident response and work our way down, and we'll touch on some of these. And there's actually 20, but we're just talking about the top 10 here. The five I consider the fundamental building blocks that everybody needs, and then if you want to move to a top-tier, world-class cybersecurity program, you really want to do at least the top 10, right?

So my story changes a little bit. So about four months ago I actually started actively posting on LinkedIn. Any LinkedIn folks out here? And I, you know, I had just joined, and yeah, I use it to keep in touch with people at the office or people you meet at conferences, but I actually started posting content about OT and ICS cybersecurity. And what I did was, because when we look at how do we secure our environments, we don't have individuals that understand the whole big picture to do the job, right? Because if you go into a power plant, you might have somebody from IT cybersecurity that understands how we secure things like the network and protect the assets, but they don't understand the engineering aspect, they don't understand the physics of the environment. We have engineers and other OT professionals that understand the physics and how the plant's designed and how it runs, but they don't understand how to secure it, right? So that's where we're in this world right now, where we have folks like myself from an IT cybersecurity background learning the engineering aspect, and then we have engineers learning the cybersecurity aspect, but you really still don't have a lot of individuals that do both things, right? I'm very lucky I get to work with the engineers that I do, because I get to learn so much. The whole point is, if you are looking at getting started into industrial or ICS/OT security, I did a couple of free ebooks right now, and I'll show you the links at the end. And then it depends on: are you coming from an IT cybersecurity background, or are you coming from an OT background? What you'll see in kind of this common theme we'll talk about is there's so much overlap, you know, 80, 90% overlap; it's just that 10, maybe 20%, that's very, very different, right? So we want to focus on those commonalities.

So this idea, things we say to upset the old guard in ICS: "ICS cybersecurity is just like IT cybersecurity." Now, I will not be that extreme, but you see that in ICS folks: they say they're not the same, they're nothing alike. For me it's, well, no, I mean, they're actually more alike than not. Again, there's like 80, 90% overlap, which is awesome, because you can take somebody from IT cybersecurity and you can put them in OT and it's not going to blow up the power plant, right, or bring down the grid, which a lot of folks will, you know, kind of make it sound like, right? So we have engineers on the, we talk about the OT side of the house, right, and then so maybe in the power plant, right, and then on the IT side of the house we have our IT cybersecurity folks, and the idea is, yeah, we allow these environments to communicate. We almost always need to, right, unless there's nuclear something involved, right? Otherwise, if I'm a power plant, if I'm an owner of that power plant, I still need information from the OT network to understand things like, well, how many or how much resources we're using to generate power, how much power are we generating, right? I, at the end of the day, know how much I'm going to be billing my clients for, right, how much money are we going to be making, right? So just a simple example: if I'm a manufacturer of pharmaceuticals, I need to know how much we're generating, how much we're creating, so I can at least schedule logistics for shipping. So we need to get that information from OT over to IT. The problem is, remember, what's the number one way that attackers get into the OT network? They come from IT. So then it becomes this whole adversarial mindset that if I'm in OT, I'm gonna put up the walls and I don't want anything to do with IT, right? You come near me and it gets really ugly, right? That's what still happens in a lot of environments. The problem is, when you have IT and OT going at each other, the only people that win are who? The attackers, because nothing's going to be secure. It's really sad to see these environments.

So a big part of OT cybersecurity is getting IT and OT to work together. Really, it's not a technical control, right? When I got out of IT cybersecurity, for the most part, I thought I was done with security awareness. I do more security awareness today than I ever did in 20 years of IT cybersecurity, period, because ultimately it's not, right, the IT side of the house and the OT side of the house; we all live in the same house, right? Let's protect the house, right? And for me, it's ultimately around the world around us, right? If I have that power plant, and the power plant goes down, can we live without power for three, four, five, six hours? Yeah, sure, not a big deal. But when three or four, five, six hours becomes three or four, five days, or weeks, or months, right, then we get into like Walking Dead territory, right? You know, in the world, and you start to think of how, yeah, civilization really does break down, because we're all human at the end of the day. So that's really what it's about for me. So we have to move past the pettiness, really, is what it comes down to a lot of times. So we've got to get people to talk together. The great thing is, you know, overall, and I do not want to sound dismissive or put down the ICS community, the ICS/OT cybersecurity community is incredible, and there are a lot of great, supportive people in it, most definitely. It's just like anywhere, there's a few bad apples that are out there, and that's partly what, you know, generated or was kind of behind this presentation.

So I thought I was smart, and so we talk about "the Purdue model can be used for cybersecurity." This drives the old-school folks crazy, and so I found this out the hard way, because I thought I was being really smart. I put together this little series, I was going to do a post a week, called "What the heck is…", right, because in ICS/OT there's a ton of new acronyms, right? PLC, HMI, RTU, SCADA, right, SCADA, like what the heck are all these things, SIS, right? And then it's, oh, what the heck is the Purdue model, right, because that comes up in almost every conversation we have. And so I woke up one morning, I was looking at LinkedIn, and I saw there was this gentleman, and he's a, you know, self-proclaimed ICS luminary, he's done a lot of great work in the community, and I saw that he reposted this to his group, and I was like, this is awesome, you know, I was really excited. And then I read what he wrote on the post. He said, "Oh, what the heck is the Purdue model? It's something that proves you don't know what you're talking about." I was like, oh, you know, my heart broke a little bit. I didn't cry, but my heart broke a little bit. You know, I was just like, what are you talking about? And what he was talking about, and I'm gonna go back, and this is the only picture I have of it, but the idea is the Purdue model as originally designed 20-plus years ago, and we actually had a Fluor engineer that was on the team that created the Purdue model, which I can really nerd out about, but the idea is it breaks down logically how systems in IT and OT, especially the OT network, talk to each other, right? And that there's a logical division between IT and OT, right, the back office and the power plant, if you want, in our current example. And then it also gets into how we have all these other different systems that make up the OT network to allow that power plant to move in the real world and generate electricity. The Purdue model, no, it was not designed for security purposes, completely get that, right? And no, it doesn't, and this is the SANS version of the Purdue model, which even has a DMZ between IT and OT, right, and they flip out because the Purdue model does not have a DMZ. Okay, I get that the original Purdue model doesn't, right? We've all adapted it. I keep thinking, you know, when cell phones first came out, and then someone came and said, right, we can add a camera lens and we can make this a camera, and then people were like, no, you can't. Like, why not, right? So for me, right, the Purdue model, yeah, no, it was not designed for cybersecurity, completely get that, but we use it for cybersecurity now, especially for those environments that, what if they don't have a cybersecurity program? There are a lot of OT environments out there that have no cybersecurity at all. I'm surprised there haven't been worse incidents, and there have been a lot, you just don't hear about them, unfortunately, or fortunately, I don't. But so, yeah, that's a little bit of my story.

Normally I would dive into power plants a little bit, right? But the idea is, yeah, we have a power plant, right, and then it has this idea that, yeah, like in that power plant that I had worked in, we actually brought in, we piped in natural gas, right? You mix that in a combustion chamber with oxygen, right, you light it, it creates steam, or it heats water to create steam, which turns a turbine, which in turn goes ahead and turns the generator to create electricity, right? Okay, that makes sense, and then there's a lot of other things in there. But so this is a bird's-eye view of the power plant. I was just using this, try to think, yeah, everything in the yellow line is essentially what we call inside the battery limits, which is really, think that's the power plant, and then everything around it, those are all the ancillary services that we have. So remember we're bringing in LNG, or yeah, natural gas, sorry; we're bringing in water, right, we have to heat water, so we're bringing in water, right? So we bring in those services. We have the back office, which is this kind of big white building on the right-hand side. The upper left-hand, or upper top, white building, that's where the control center for the power plant is, right? You don't want your operator sitting in the middle of the power plant in case something goes wrong, but they have a nice big window so they can see if, yeah, something is going wrong physically inside the environment, right? But again, it's this whole idea of, yeah, we have the power plant, the OT network, and then we have the IT network, right, and we want them to communicate. It's just we want to be careful in how we design that communication and do it as securely as possible.

And so this is where, this is actually my number one viral post of all time, and this is actually only like two weeks ago, which was really cool. So you can see my cheesy little Visio diagram, but the idea is we don't want to allow IT connections to originate and reach into the OT network, right? How do we get the data out? Well, we have OT send the data to IT, right? Because remember, if an attacker gets in the IT environment and we allow IT to reach into OT, right, the attackers, they're going to find that pathway and they're going to get into the network. It's as easy as that, right? And we know it's not a question of if, it's a question of when, right? They're going to get into the IT network, period, the end. So why are we then going to give them a pathway to go straight into the OT network when, if all we need is so
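The boundary design the talk ends on, OT pushes its data out to IT and nothing from IT is allowed to originate a connection into OT, as an added example that is not from the talk or from Fluor: a small Python model of a default-deny, stateful IT/OT boundary firewall, with the weak "let IT poll the plant" policy beside the hardened one. The zone ranges, host addresses, session ports and the historian/collector roles are constructed placeholders, not anything from the speaker's environment; TCP 502 is used only as the usual Modbus/TCP port on a PLC so that the denied IT-originated attempt is recognisable.

```python
"""Stateful IT/OT boundary firewall model (added example; all addresses constructed)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone layout: plant control network and corporate back office.
ZONES = {
    "OT": ip_network("10.10.0.0/16"),
    "IT": ip_network("10.20.0.0/16"),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known zones is UNKNOWN."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


@dataclass(frozen=True)
class Rule:
    """One allow rule: which zone may open a session to which zone, optionally
    pinned to a single source host, destination host and destination port."""
    src_zone: str
    dst_zone: str
    dst_port: int | None = None   # None matches any destination port
    src_host: str | None = None   # None matches any host in src_zone
    dst_host: str | None = None   # None matches any host in dst_zone

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (zone_of(src) == self.src_zone
                and zone_of(dst) == self.dst_zone
                and (self.dst_port is None or self.dst_port == dport)
                and (self.src_host is None or self.src_host == src)
                and (self.dst_host is None or self.dst_host == dst))


class BoundaryFirewall:
    """Default deny. A new session (SYN) needs an allow rule; any other packet is
    admitted only if it belongs to a session this firewall already accepted."""

    def __init__(self, allow_rules: list[Rule]):
        self.allow_rules = allow_rules
        self.sessions: set[tuple[str, str, int, int]] = set()  # (src, dst, sport, dport)

    def packet(self, src: str, dst: str, sport: int, dport: int, syn: bool) -> str:
        if syn:
            if any(r.matches(src, dst, dport) for r in self.allow_rules):
                self.sessions.add((src, dst, sport, dport))
                return "allow"
            return "deny"
        # Replies are allowed in either direction, but only for an accepted session,
        # so an OT-initiated push still gets its responses back from IT.
        forward = (src, dst, sport, dport)
        reverse = (dst, src, dport, sport)
        return "allow" if forward in self.sessions or reverse in self.sessions else "deny"


PLANT_HISTORIAN = "10.10.5.20"  # constructed: OT host that pushes production data
IT_COLLECTOR = "10.20.8.10"     # constructed: IT host that receives it

# Weak policy: IT may reach into OT, typically justified as "so the corporate side
# can poll the plant". An IT foothold is then one hop from every OT host.
WEAK_POLICY = [Rule("OT", "IT"), Rule("IT", "OT")]

# Hardened policy (the talk's point): only OT originates, and only the plant
# historian, only to the one collector, only on TLS. No rule lets IT originate into OT.
HARDENED_POLICY = [
    Rule("OT", "IT", dst_port=443, src_host=PLANT_HISTORIAN, dst_host=IT_COLLECTOR),
]


def evaluate(policy: list[Rule]) -> dict[str, str]:
    """Run a constructed set of boundary crossings through a policy."""
    fw = BoundaryFirewall(policy)
    results = {}
    # Plant historian pushes production data out to the corporate collector.
    results["ot_push"] = fw.packet(PLANT_HISTORIAN, IT_COLLECTOR, 50000, 443, syn=True)
    # The collector's TLS response rides the same accepted session.
    results["ot_push_reply"] = fw.packet(IT_COLLECTOR, PLANT_HISTORIAN, 443, 50000, syn=False)
    # A compromised back-office workstation tries to open a session to a PLC (Modbus/TCP).
    results["it_to_plc"] = fw.packet("10.20.3.44", "10.10.1.7", 51000, 502, syn=True)
    # The same workstation sends a non-SYN packet that matches no accepted session.
    results["it_fake_reply"] = fw.packet("10.20.3.44", PLANT_HISTORIAN, 443, 50001, syn=False)
    # An OT host other than the historian tries to push to the collector.
    results["ot_rogue_push"] = fw.packet("10.10.9.9", IT_COLLECTOR, 50002, 443, syn=True)
    return results


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, evaluate(policy))
```

Under the weak policy the IT-originated session to the PLC is allowed, which is exactly the pathway the talk warns about; under the hardened policy it is denied while the historian's push and its replies still work. Pinning the rule to one source host also stops any other OT host from using the boundary, which matters because the rule base, not the direction of the cable, is what the firewall enforces.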