
...about leveraging tools from other departments. What got this talk started was when Michelle and I met; with our similar backgrounds, we noticed that in cyber security it seemed to be starting from scratch with assessments, and regarding, you know, "we need all these things," some of those things from our backgrounds already exist in some of those other departments. So that's what we're here to talk about today.

So the first step in every security framework, instead of security requirements, is to identify the critical systems and assets, and we're going to take a step back now and talk about OT and industrial controls. So in IT your assets are computers, data and everything; certainly data is still there in OT, but it's a little different: the industrial control system. So in industrial controls we have electric and the power grid, food and gas, manufacturing, and OT processes are a little different. You can have discrete processes, which are manufacturing; continuous processes, which is like the power grid; and batch processes, which is like mixing things together. And then, universally as well, the industrial control systems work through the Purdue model. This was started by Theodore Williams, professor of chemical and electrical engineering, obviously from Purdue. So we have all the devices themselves; that's the physical process, and the actuators and the sensors all work at level zero. Level one is specifically for those sensors; level two is the supervisory systems, which in a manufacturing area is going to be for a cell, or a local HMI, which is a human machine interface, to work on those systems specifically. You get into level three, your plant-wide: your scheduling, your reliability, the stuff for the plant. Once you get past level three, you're back up in the enterprise zone and you're interfacing with IT; usually there is a DMZ zone so that the control systems are isolated from the rest of your IT area.
Security, which most people are familiar with, covers those higher zones; and then as we start on those lower levels, we're talking about OT, and so that's where you get more of the business-specific devices. Whereas on the IT side we might have a few of those, on the OT side that's the majority of what we're dealing with. And so that's where we start to run into some of the challenges on how to secure OT systems, because of our typical cyber security tools that we would use, some of those we can apply, but some we can't. So in order to figure out how to secure operational technology we really have to understand the processes, understand the system, understand what that purpose is.

And it gets a little more complex, because with the OT pieces rarely is there something standalone. You have legacy systems, because most plants, most power and manufacturing locations, I mean, they weren't built in the last couple of decades, right? They were built like half a century ago, and they were built with equipment whose purpose was to last. So they don't get replaced often; they do get updated, we maintain them, we keep them up, but we're not like on the IT side where it's a standalone thing and we can just kind of replace this computer or update it. On the OT side we're talking about integrated items. So rarely, again, do you have anything that's not built and talking: it's either physically integrated with something, and then talking to things as well. So that's where some of the challenges come in. Your legacy equipment is owned by other teams, so now you're having to interact with the other teams to get to understand those. And then there's also some proprietary protocols as well, so a lot of the tools we like to use in security might not work with these other protocols. Back then there was a lot of proprietary protocols; now there's some more basic ones, but even those, like some of the very common ones that are used in OT like Modbus, I mean, they'll use, from the OSI model, levels one and two and then seven, and then BACnet uses one, two, three and seven. So a lot of our security sits in those middle layers, and those don't use those. And even if you have an area that has the more TCP/IP stuff, those are still talking to things that they're integrated with that have those other protocols. So these are some of the challenges that come up when we start talking about operational technology, and this is just some of those protocols that we would use there.
And then the other thing that comes up with OT is that now safety comes to the forefront. Whereas in IT we're worried about confidentiality, availability and integrity, in OT safety comes to the forefront of that as well; so you're still worried about those, but you have those other pieces.

So one of the tools, and what we'd like to do next, is talk about some of these other teams that again already have tools that you can leverage, because again, to be able to secure OT you have to understand, right, and you have to understand what they're doing. So the first tool I'd like to talk about, from engineering, who really owns it, is a risk prioritization tool. I've used it many times to get to know a place very quickly; I've had to set up many factories, I've had to go change factories, so to understand very quickly it's a tool that I've used. It's called an FMEA, a failure modes and effects analysis. I know some of you came from that side, so you guys are probably very familiar with it. This was made in like the 1950s; it's been around for a long time. But basically what it is: people go through, and if they're looking at a design, they're looking at the components and the subassemblies; if they're looking at it process-wise, they're looking at the processes, the functionality. But they'll go through each of those and they'll say, okay, how can this fail? What's the severity or impact of that failure? And then they'll look and say, well, what's the probability of that, how often does that happen? And then how easy is it for us to detect? And they take those factors and they create a risk priority number, and they kind of prioritize their risk. So for us on the security side this is great information to know, because instead of us going in and starting from scratch or trying to figure out what's important, the teams already have this, and they have already identified what their risk factors are, so we can utilize this. And I mentioned there's an action number as well; some like to relabel things, so sometimes they call it an action number instead of RPN. But the big value in FMEAs is really that you have all the SMEs that you're probably trying, as a security professional, to get information from; you probably have an email out to ask things, or if you're trying to do a consequence-driven cyber event, you're trying to get them to be included in that. So these teams, these SMEs, have already come together to create this. So if you can ask for an FMEA and it exists, it's gold, because you already have these SMEs that have taken the time to go through and meet, with people and steps, so hopefully they have been bribed with lots of good food and snacks and caffeine, because these are very painful to me. But again, once you have them, that's great valuable information to have. So again, the first step is they're going to list those components, process steps or functions, and they're going to say how can this fail, and then how else can it fail. So they'll go through that piece, and then they're going to say what's the consequence of that,
what's the severity of that, and they'll rank that. And then they'll go back through and say, well, what are the causes? And so right now when they're talking about causes they are probably looking at what I would like to call the children of product liability, you know, which is acts of convenience, I mean like how these things could have been misused; so they're looking at it in that way. And then they're looking at reliability. So one thing that security teams can do is, one, get these to review them, but also start to push back into the engineering teams to have some of those potential causes be things that we're worried about, because of ransomware potential, because of some of those things that we're concerned about, pushing that into theirs as well. And then I look at, well, what controls do we currently have in place, like what's going to trigger this, where we know that it's an issue before we feel the impact? So they'll list those out; how easy is that to detect, they'll determine that; and then they come up with their risk priority. So they don't stop there, because that's all great information to have if you're always trying to understand the environment and what we need to look at security-wise, and maybe target, I don't know, just to understand the process. But they also go through and they put: okay, how can we reduce that risk? They put mitigation plans in there, and then they go and rescore everything.

So what can we use FMEAs for? We can use them to understand the process, and get to understand the process very quickly. We can use it when we have to do a risk assessment: instead of us starting from scratch, or asking all these teams, "hey, here's our form, start from scratch and build out the portrait," we're filling in the blanks and using what they already have, which also,
with the OT environments and IT environments, one of the biggest pieces that's a challenge is building those relationships, because you're having to work with those teams, you have to get their buy-in. So it allows you to build that relationship and kind of respect the work they've already done, because you're building upon that as opposed to asking them to start over. Building playbooks: so if we go through and we identify, oh, for this particular item, if we isolate that device, or we isolate a file or whatever, this is the impact it's going to have on the overall process, where we wouldn't have that knowledge otherwise, looking in. But it gives us that view of what would happen if we take action. So building in those playbooks, so that we understand, if we have to isolate something, or if we saw something, what it would look like. And then for context of asset lists, IP hosts: so you guys probably have your list of, here's the IPs, and what do I do with this, like how does this apply, how does it fit in the process? So looking at the FMEA and matching those two, so you have context: here I am, here.

So this is just one of the tools again that's out there that engineers typically own that security teams can use, but also you can push into, to again add some of those causes. And when I say that, part of that is, these teams own this equipment, and it works, and they sometimes get a little sensitive about adding things to it for security purposes that might make it not work. So the way, if you can use their language and start putting it into their risk, then when you add your item in there, your risk goes up to the top of that priority list, because if you add cyber security in there, the ability to detect that right now is probably low, so that's going to raise that score; the probability of that we can't really say, but we kind of have to put it on the higher level. So then that puts it in their score, and it gives them some leverage: one, to go and ask for some additional funding to help make those changes, and then also just some higher context in their language of what the others are. So again, to me that's one of the gold standards of tools you can ask for. If they don't have one, though, there's some alternatives to ask for: a process map or a value stream map is going to give you a good look at the overall process and help you understand quickly; it's just not going to give you some of those other things. But these are often used to create the FMEA at the beginning. And then a SIPOC, that's going to go through and say supplier, input, process, output and customers; so this is another tool, if they don't have an FMEA, to understand the process very quickly. That's just one area, from the engineering side; I'm going to talk about some areas from safety and quality. Before I jump into that, I realized I forgot: we have a picture of what industrial controls look like, instead of a controller.
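The FMEA flow described above (list failure modes and causes, score severity, occurrence and detection, compute the risk priority number, add mitigations, rescore) as a small worked example. This is added code, not from the talk or the speakers' organizations; the 1-10 scales, the process steps, the cyber cause and every score are constructed assumptions for illustration.

```python
"""Worked FMEA-style risk prioritization with a cyber cause pushed in.

Added example: models the worksheet the speakers describe. Each row is a
component or process step, how it can fail and why, scored on the usual
1-10 FMEA scales: severity (S), occurrence (O) and detection (D, where 10
means "we cannot detect it"). RPN = S x O x D. A cyber cause that no
current control would detect starts at D = 10, which is what pushes it
to the top of the list; adding a detection control and rescoring shows
the "mitigate, then rescore" step. All rows and scores are constructed.
"""
from dataclasses import dataclass, field, replace
from typing import List, Optional


@dataclass
class Cause:
    step: str            # component / process step / function
    failure_mode: str    # how it can fail
    cause: str           # why it fails
    severity: int        # 1 (no effect) .. 10 (hazardous, safety impact)
    occurrence: int      # 1 (remote) .. 10 (almost certain)
    detection: int       # 1 (certain to detect) .. 10 (cannot detect)
    controls: List[str] = field(default_factory=list)

    @property
    def rpn(self) -> int:
        return self.severity * self.occurrence * self.detection


def validate(c: Cause) -> None:
    """Reject scores outside the 1-10 scale before they silently skew the ranking."""
    for name in ("severity", "occurrence", "detection"):
        v = getattr(c, name)
        if not 1 <= v <= 10:
            raise ValueError(f"{name} must be 1..10, got {v}")


def rank(causes: List[Cause]) -> List[Cause]:
    """Highest RPN first; severity breaks ties, since safety leads in OT."""
    for c in causes:
        validate(c)
    return sorted(causes, key=lambda c: (c.rpn, c.severity), reverse=True)


def add_cyber_cause(causes: List[Cause], step: str, failure_mode: str,
                    cause: str, severity: int, occurrence: int) -> List[Cause]:
    """Speaker's point: with no current detection control, D starts at 10."""
    new = Cause(step, failure_mode, cause, severity, occurrence, detection=10)
    return causes + [new]


def mitigate(c: Cause, control: str, new_occurrence: Optional[int] = None,
             new_detection: Optional[int] = None) -> Cause:
    """Record a mitigation and rescore O and/or D; severity stays, the consequence is unchanged."""
    return replace(c, controls=c.controls + [control],
                   occurrence=new_occurrence or c.occurrence,
                   detection=new_detection or c.detection)


# Constructed worksheet for a hypothetical batch-mixing step.
BASELINE: List[Cause] = [
    Cause("Mixer M-101", "Over-temperature", "Heater relay sticks", 8, 3, 3, ["Thermocouple alarm"]),
    Cause("Mixer M-101", "Wrong ratio", "Operator enters wrong setpoint", 6, 4, 2, ["HMI limit check"]),
    Cause("Conveyor C-2", "Stops", "Motor bearing wear", 4, 5, 4, ["Vibration PM"]),
]


def worksheet_with_cyber() -> List[Cause]:
    """The engineering FMEA plus one cyber cause the security team pushed in."""
    return add_cyber_cause(BASELINE, "Mixer M-101", "Wrong ratio",
                           "Ransomware alters PLC setpoints", severity=6, occurrence=3)


def top_cause(causes: List[Cause]) -> Cause:
    return rank(causes)[0]


def rescored_after_mitigation(causes: List[Cause]) -> List[Cause]:
    """Add a detection control for the cyber cause (D: 10 -> 3) and re-rank."""
    out = []
    for c in rank(causes):
        if "Ransomware" in c.cause:
            c = mitigate(c, "OT network monitoring with PLC write alerts", new_detection=3)
        out.append(c)
    return rank(out)


if __name__ == "__main__":
    for title, rows in (("baseline", BASELINE), ("with cyber cause", worksheet_with_cyber()),
                        ("after mitigation", rescored_after_mitigation(worksheet_with_cyber()))):
        print(f"--- {title} ---")
        for c in rank(rows):
            print(f"RPN {c.rpn:4d}  S{c.severity} O{c.occurrence} D{c.detection}  {c.step}: {c.cause}")
```

Run stand-alone it prints the three rankings; the ransomware row jumps from nowhere to RPN 180 on entry, then drops to 54 once a detection control is recorded.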
So when we talk about integration, like, you'll have this piece; the two smaller pieces, I think, use BACnet protocols. So I mean, you're never going to have those individually, so if you want to make changes you can't just change something out, because it's integrated with everything else. So that's where some of that comes in: you have to understand how that's integrated, and this probably goes to an actuator or something, so when you start changing these, changing that, which makes it exciting.

So let's move down to safety and quality. One of the documents that safety and quality keep track of is an 8D. Now usually 8Ds are used after an incident, and these are physical incidents. So quality spills happen, safety incidents happen; nobody wants them to, but that's reality. So as part of the root cause analysis and everything that everybody does afterwards, they fill out an 8D to determine what happened, why it happened, and how can we make sure it doesn't happen again. This again is something cyber security can use to look at what happens when something like that happens in a plant, if it's cyber security related, and then there's already mitigations in place, and maybe we just need to add to those mitigations, or look at a couple of different things to work with that.
A job hazard analysis form is along those same lines; this looks specifically at the worker and their work environment and what that looks like. So if you've got somebody in a plant that works with a bunch of tools that are coming online, they've got, again, mitigations in place; they've looked at the hazards so people don't get hurt. But what happens if there's a cyber security attack on the tooling? And so you can use that again, to work with these documents that they already have in place. So, I just took this from Sunrise: hazard analysis can have an effect on safety and cyber security, and cyber security can have an effect on hazard analysis, and by looking at the response plans, again, you're building those relationships with the people in the plant and working with them with the stuff they already have, which I think, we think, helps out to make them a little more
and then you're understanding their world a little better. Yeah, okay. The next we're going to go through is quality and sourcing, supply chain essentially. Often, especially with smaller manufacturers, they're not going to have enough; I mean, sure, Raytheon, Boeing, GM suppliers, GM, Lear, they have FMEAs, they're forced to, right? But once you get down to the mom-and-pops, they're not going to have that; they don't have the people to do it, they don't have the bandwidth to do it. But what the tier one suppliers will have is supplier shorts... let me try that again: supplier scorecards, so that they've gone out and evaluated the supplier; they've gone through a questionnaire to talk about what the suppliers do, what they have, what their equipment looks like, what their processes are. And you can add cyber security as an input into that, or put it into the contract up front to say, hey, what about these things? And it's just a few questions for them; as a small business they're not going to have all of that time and stuff to do that, so this is a good way to get them talking about cyber security and looking at their stuff as well.

Another thing you can get from supply chain is their documentation: data sheets, their schematics that talk about their parts. In industrial controls it is, and still is, kind of common that the first page of the sheet will have the admin password. Good to know, right? So then you know that that's available, and that's something you need to protect against, because, you know, it's changing; it's changing slowly, but that's out there. And so knowing that, I think, is super useful, and so your protections are probably a little different, because you can't change that. So those are other things to look at.
Okay, so to summarize: what these documents do is help you understand the supply chain, the supplier scorecards, where those suppliers are, and how working with contracts gets some of the cyber security things that we would need out there to help protect the rest of the system.
So finance is often all about inventory, and inventory can be a monster, right? But by doing inventory, which the financial people force the rest of us to do, thank you, you now have insight into existing assets: what did they already buy, what's already out there, what's not being used, what's remotely located. They will also know what is coming up, what changes are coming, what has been approved and what hasn't this period.

One of the other things to remember in industrial controls, as Michelle mentioned, is you're looking at years of use of equipment, and so high value calibrations are something that finance is paying for, high value maintenance, and those are going to be your critical assets, what they're taking care of up front to make sure it continues to last for 20 or 30 years.
So, in summary, one of the other things is return on investment. So chances are you walk into a place; I walked into a manufacturing facility on the west coast of Florida and they're using Commodore 64s for their testing. That's really cool; he needs to come see our Commodore 64 pieces, right? Everybody's shaking their head like, oh, you know what, it still works. It still works, and that's key. And so there's probably been somebody who has walked into that plant and gone, "but you're still using Commodore 64s, we should upgrade." Somewhere out there there's been a study done on what it would take to upgrade: there are 50 test cells, pull that into Windows 10 or whatever, and how they'd have to change the programming and how they'd have to change the setup. So that information exists, and that's something else you can get from finance when you're looking at what do we need to upgrade, and what is that going to take.
So in summary, yeah: for engineering and quality, FMEAs, as I mentioned, process maps, SIPOC and value stream maps are a good thing to get. Safety and quality, on those response plans as well: you can push into those, so when we have a cyber security response plan, right, we're again trying to introduce something new, but they already have existing response plans for safety incidents and quality, so I highly recommend reviewing those and seeing if you can modify those to utilize, so you're not introducing anything new. But also on those plans, make sure the cyber team is added to the communication plan, because what you don't want is there being a safety incident over here, they've shut down the factory, and you've got your cyber team over here seeing the logs shut down and going, what's going on? And this team's trying to investigate; but if they're part of the communication plan and you push that into there, then your team, really, the logs, all that, is already going to know what's going on, and so they're not having to chase down something that they don't need to, so it's saving time there. And then they're also possibly looking and seeing, were there any cyber reasons that caused that?

And then for sourcing and quality: the vendor scorecards, as I mentioned; you're already having a touch point with the vendors, you're kind of analyzing them, so if there are certain requirements for cyber security, definitely include the sourcing team, so it's with one touch point and you're not confusing them with another team asking the vendor for requests. And then data sheets, and then vendor audits and schematics, and that goes into some of the product integrity, right: if you're doing your product review you want to know what we actually purchased, yeah, the vendor sheets from purchasing, to see what actually came in as well.

And then finance: just that asset inventory insight that you might not have. We have those remote locations; everybody's always like, what's over there in that substation, you know what I mean? So they make everybody do annual inventories, so they're going to have at least a starting point; some items might have been depreciated, so they might have fallen off, but at least they'll give you a good start for that. They know what they've approved, they know what they've purchased; it's kind of follow the money, as opposed to, you know, it's just another way to go about it, because a lot of our tools, again, are trying to do some scans and stuff, and we might not pick up some of those things, and we're definitely not going to pick up the things that were purchased and are sitting on the shelf waiting to be implemented. But finance will be able to tell us that. And then vendor insights, to provide that on which vendors we're spending a lot of money on equipment with and to do high value calibrations, because again those are the areas we wouldn't think about otherwise, but those are obviously high value assets to the business that we need to protect, and you can pick those up that way as well.

Just remember, these things are all great for us to very quickly learn the process, but if the wrong person gets a hold of them it's also a great way for them to, so I definitely recommend any of these documents being put in your DLP programs and having the right sharing permissions as well. Any questions?
Q: How do you handle pushback of the business in general?

A: So this is, so I typically, if you ask me, I like to find the outliers and the finance team, and I usually find that person; if you're remote it's harder, but it's the one that looks like they've worked there 19 years, that has the multiple monitors and stuff. I like to find them so I can understand, because I am talking about that ROI piece: what do they use to make decisions on what we can change, and what the ROI of it is, and how are they measuring that? So that way, when I use them, I make sure, if I have any new programs or anything, I get them; they're the first people I train, I get them in and on board on those. I use them as a stopgap in case other initiatives are coming in like that. But then I also understand what does it take to get things, for the capex and all that, what are they looking for there, so that I can understand that and then start building our requests and issues. And as I mentioned, putting in the FMEA, putting the risk into the OT team's now; they have probably been fighting to get funding for changes, and now when you have that cyber piece in there, you can pull them in, the cyber budget, into that a little bit as well and help with buy-in. But definitely the buy-in from finance, but then the team and the teams that are supporting it, mostly kind of the knowledge they have; they've already done this work, so instead of asking them to just fill out something new, see if the tools they already have work. To your question, yes. Thank you.

Q: So this is from the perspective of OT: have you considered or explored what tools and processes OT has that would facilitate audits and whatever else for IT operations, away from OT?

A: So, if I understand you correctly, are you asking if we considered, like, security tools that exist that could help the OT side, the IT tools?

Q: Or processes in OT that facilitate audits and security on the IT side, away from the OT perspective, so whatever people are there can be used.

A: Yeah, absolutely. I mean, so on the finance side, I mentioned the person that has the multiple monitors; they also know who else they've approved duplicate equipment or assets for. Those are great to use for pilot groups, like if you have EDR, or if you need to do certain patching and testing, so you can make sure you understand, utilize them to get those insights of which assets you can pull in for some of these pilot groups.

Q: So let's disconnect: what tools and processes does OT have that we could use from an IT perspective? This is nothing related to industrial control, none of the systems; what can we use on the IT side that may have been similarly produced, away from anything else? I think that was the last one. Is there a way to separate it, let's remove OT, and from the IT perspective, what audits do we do on the IT side of industry, away from OT? Any tools that have been produced, or processes that were produced, sourced from the OT side, that we can use in IT?

A: Right, and so that's why you can use that and build upon it as opposed to starting from scratch for some of your other stuff. I mean, a lot of that already exists; there are your vendor audits, your supplier quality stuff; those have already been reviewed by the teams in those other departments, so that's kind of what we're listing here: those things that you can pull from there and build up, as opposed to starting over.

A (second speaker): So I think what you're trying to get to is, this all applies to OT, and so how does that translate into IT, kind of thing. A lot of this is built off of lean and agile mentality over years and years and years of iteration, so a lot of it is directly guided towards that OT side, but the same mentality applies. So you're able to, and again, any empirical system is, sorry, transparency, inspection and adaptation. So it'd be the same thing: start with a similar process like this, see what type of things
it's asking for, and then you're pretty much going to try to shift that into the IT realm. So, like, I'm trying to remember what the FMEA example there was; can you go back to this? Yeah, so go back one, or one more, one. So this kind of idea here: you have your playbook or your plan, and again this follows in regards to the OT side, but on the IT side you have the same type of mentality, where, okay, you have some type of risk that we need to mitigate; okay, here's the mitigation plan, here's the risk; re-evaluate afterwards, because if you just think a plan is going to successfully cover it indefinitely, then you're opening yourself back up, kind of idea. We consistently go back through and, okay, there's a new score that's still not acceptable, let's go back and iterate again and try to walk through it. So getting that type of visibility, so that way you can act on it, I think is what's important. I think a lot of these documents that have been shown have been iterated year over year over year to get to kind of a standard for that type of industry specifically.

Q: I just want to say thanks. Like, I work in vulnerability management, and going through it, there's a lot, like trying to find assets, trying to find information about the assets and systems, and there's a lot of things on here that I didn't consider. I saw my interviews with those things and stuff, and unless you luck out, sometimes it's really difficult to find information. Like, we lucked out in a lot of cases; they actually installed our agent on the box, so now we know a lot of that, we can actually see a lot of that, but without this stuff it's hard to
figure that out.

Host: And then I'm going to work to see if I can make the slides available, you know, make sure it's okay with the speakers, in some sort of public library related to BSides. Is your contact information on the end slide?

Q: Thank you. What stood out to me that I didn't notice was, I didn't even think about asking finance for those high value running spots that they're throwing money at every year. We're an MSP that has a lot of customers on the calibrated side.

A: It's like, if the company is ISO, there will be a master calibration list, so you refer to that too, to see what is being calibrated regularly, and obviously if it's key to the process as well. And the beauty of it is, since a lot of these industries are legally required to have some of this documentation, it's usually there, even if you have to kind of pry it out, and it usually takes a lot of work. But thank you.