
VivekPonnada

BSides Calgary · 40:05 · 58 views · Published 2022-12

I thought this was interesting. If you look at the left side, this is part of that recommendation from Schneider as to what they're supposed to do for this, or in general. On the other, I see an ICS-specific attack. They mentioned device protection, hardening workstations, hardening the network, hardening [inaudible]. I looked at it and I thought, come on, even if there was no Incontroller, even if you go back 10 years ago, back to Stuxnet, what would be different in our recommendations? Nothing. That's what prompted me to talk about this, right? We focus so much on zero-days, we focus so much on nation states attacking each other, but all said and done, the recommendations are no different from yesterday. It doesn't matter what the attack is tomorrow or the day after; what we recommend doing is exactly the same.

Take the OPC UA recommendations, right? So the toolkit that we talked about has both the generic PLC attack vector as well as the OPC UA one. Same thing: look at the right column. First up, proper segmentation of IT and OT. This is what any OT practice would recommend on day one. Proper segregation, allow listing; it's fairly common in ICS networks, a lot easier to do allow listing compared to IT. You go down the list: firewalls, monitoring and blocking the traffic, enabling and aggregating audit logs. If you go down the list, every single one of them is a recommendation that OT practitioners have been issuing or talking about for a long time. So nothing that Incontroller provides, or any other attack tool out there, is going to change these recommendations, right?

Let's put all these in perspective. Project Basecamp, how many of you have heard of this one? Back in 2012. One, two. I strongly recommend you watch the video from Reid Wightman and Dale Peterson on the S4 channel. I put two links here; I'll share this with whoever wants it. But it's amazing that back in 2012 they looked at a few controllers and said, let's do an evaluation, let's do an investigation of the security of these controllers. They found, in fact they had to stop in a couple of hours because it was so bad. This is 2012. And they said, ah, it's not really worth it because, you know, poor credentials, hard-coded credentials, reused credentials, all basic stuff, authentication, access control. It was pretty bad. In their list of things they had red check marks against every controller. It was so bad that they stopped and told all those OEMs of the controllers, you know, they said, hey, your systems are so bad, go fix it. And 10 years later they actually did another video recently. It's not on YouTube yet, but it'll show up soon enough. Nothing much changed, folks. Older control systems: nothing much has evolved. Modern control systems: you can go to the same vendors, GE, Siemens, Honeywell; if you buy a modern control system today they're much better, they have a lot more security features built in. So they're capable now of incorporating a lot of security into the infrastructure, into the project, right? But the older systems still remain in play. None of these systems are replaced overnight. So unlike in IT, right, the traditional OT systems are not replaced every three to five years; they're replaced every 15 to 20 years. So something that was bought for and paid off in 2000 is still up and running, and it's still insecure, quite a lot, because it doesn't have access controls, it doesn't have authentication, it doesn't have any security features, no encryption, for example.

There's a list from Temple University. They published this; you have to sign up with your email and they'll make sure that you're not a malicious attacker, right, to be able to give you this list. But this list has more than 1,200 records, all known or disclosed incidents, right? Most of them are ransomware, but they have a whole slew of items and they map everything to the MITRE ATT&CK framework. Almost every one of you has heard of the MITRE ATT&CK framework. There is a section for ICS as well, so that's something you might not have looked into, but there is a specific section which includes some unique things for ICS, right, like loss of view, loss of production; that's not directly in IT. So they have a specific section for it, so I recommend you take a look: MITRE ATT&CK for ICS. The key is, if you look at the overall picture, again it goes back to my list, where targeted nation-state attacks on industrial control systems do exist, but they're not the vast majority. Out of those 1,263, you can remove these six or seven; the rest of them are not ICS-specific attacks, right? They were from IT, they were from insecure remote access, they were from some kind of collateral damage, not necessarily targeted at ICS. So they extended last year.

Why is it an issue in OT, right? So most OT control systems are proprietary hardware with unique protocols, because these were developed when there was no equivalent IT protocol or IT hardware to just leverage for control purposes. So back in the day control systems were hydraulic, pneumatic, prior to digital, right? These systems existed before there was anything electronic or digital. So when they were adapting control systems to digital, they had to come up with their own. So the GEs and Siemens and Honeywells of the world designed their own control systems, and at the time safety and reliability were the requirements, not necessarily security, right? So the protocols were developed with no security: safety yes, security no. So it's also called insecure by design. Some people hate this because, well, it was never requested of the engineers to incorporate security, so how could you call it insecure by design, because we never asked the engineers to design something with security.

And then flat networks. This is a pretty big issue. Pretty much every industrial site you go to has a pretty flat network, more common in some applications like manufacturing, where you walk on the factory floor, touch a device, and you can log into any other device across the network, across the floor, across the company, across the line, across the whole company in the OT world, because it's one network, right? It's usually like one or two guys that manage it and maintain it; a lot easier for them if it's all in one network. Copying files, transferring content, connecting to billing systems, for example, connecting to the SAP world, connecting to the tool shop inventory system, whatever that might be, a lot easier for them with a flat network. So it's a big problem. So that's why the collateral damage, right: you affect one system, you have access to the whole network.

Patching is not always possible. This is again a big problem compared to IT. In IT what do we do, right? As soon as there is a known vulnerability, an exploit or whatnot, you're like, what's the patch? The first thing you do is you'll find out from the vendor, from Microsoft, whatever the case may be, find the patch, apply it, so you're good; that's your mitigation. In the OT world that's not practical at all. Number one, a patch might not be available, because, yeah, it's a 20-year-old system; this system has been obsolete for 15 years, so there's no way a vendor patch is available, or the vendor themselves is out of business, right, because the vendor that you bought from 20 years ago, 30 years ago doesn't exist anymore. Testing and validation: there's no lab, there is no demo, there is no place to test and validate, and test in a representative environment. You just can't do it. The only time you can test or validate is during an outage or a shutdown, and that only happens every year, every three years, every five years, every 10 years. So you might not be able to validate. There is no redundancy, so if that system is down for validating or testing, your production is impacted. No outage window available, that's the other thing, right? So, yeah, just because you have a vulnerability: in the IT world, because everything is connected to the internet by default, we assume that it's exploitable; if one exploit exists out there, it's exploitable everywhere, right? In this world, if you properly segment and isolate, it might not be exploitable. Maybe it needs admin credentials, maybe it needs certain access that that particular HMI or workstation doesn't have. So there are many other things that make the exploit maybe not relevant to your environment, right? That needs to be validated.

The last one: not always relevant to risk reduction. This is something very difficult for a traditional IT person to understand. Going back to insecure by design, take the Modbus protocol in industrial control systems; it's hardly ever used for control these days, but at least you've heard of it, right? OPC UA, we talked about OPC before; there is a secure version, there is a secure pathway to implement it, there is an insecure way to implement it as well. So those protocols, especially if you have no authentication, no encryption, they will just follow your command. So if you have access to a fully patched workstation, the workstation itself is patched, but the protocol talking to the control system is not encrypted, so you can command it to do something. Just like in the Florida Oldsmar case, where that HMI or workstation could have been 100% patched, the controller that it's talking to could also be 100% patched, but if you were able to log into the HMI and just change the set point live from 10 to 50, it'll execute. So how is patching relevant in this case? It's not patching.

What are the other systemic issues in this world, right? Awareness: this is increasing, but we still have people saying, we're not a target. Well, yes, you're not a deliberate target, but you are part of the ecosystem, right? Collateral damage, that's fairly common. The other thing you used to hear more is, we're air-gapped. This is a very difficult challenge, and the first thing that comes out of someone's mouth is, we're air-gapped. You know for a fact they're not considering their plant as connected or networked. Air gaps don't exist anymore in OT; they're always connected, like in the Colonial example. Even though you think you're physically disconnected, removed, your networks are separate, the fact is you had connections: you had connections to your internal systems network internally, to your inventory systems, networking to your management interfaces. I'll give you an example. If you look at it, finally, you might have 100 different PLCs. You'll have a few control systems engineers that are supposed to manage the whole set of PLCs or DCS and everything, and for them to go in front of the HMI, which is in the plant, they have to put on their coveralls, their boots, hard hat, and trip to, you know, [inaudible] and get to the plant. It might take half an hour to get to that workstation. However, if they've connected it to their computer on their desk, they could still perform their job safely, [inaudible] and whatnot, and not have to waste 30 minutes to go to the HMI, right? So more often than not they have connected, because there are other reasons for this network. Even if that's not established, those connections were not documented and nobody authorized it; they've already done it, right? Compliance, remote vendor access, right, these things exist. Many remote access options exist, especially if you have a compliance regimen where you have to maintain certain emissions. So you have to maintain certain quality of product; you have external connections for sure, because how do you maintain it, right, whether it's connecting to your rate payer, rate basis, or connecting to your emission system? You have external connections that are probably not documented.

And then backups. I saw a meme earlier today about, you know, we lost our server. Hey, where's the backup? On that server. That's fairly common in the OT space, where it's not really thought through, right, where the backups are going. Have you tested, validated backups lately? Ever? Anyone else?

Management support. This is hard because, for lack of all the stuff, right, for lack of inventory, for lack of visibility, for lack of truly understanding what connections exist, what your inventory is in your OT world, how could you ask management for support? Like, what would you ask? You go in front of the management and say, oh, I need to improve my OT security posture. Well, where do you start? Right now they find it difficult to evaluate the risk. In the IT world there's a lot more documented process, with a lot more risk awareness, risk mitigation process, where you have a clear case to say, these are my assets, this is the risk, this is the budget that could resolve a certain amount of risk, right? So you have that conversation frequently in IT, not so much in OT. The resources and funding are a big problem, because it's very hard for management to make the decision for lack of visibility.

Legislation: non-existent in most cases, and when it exists, like in the power sector, NERC CIP, there is a compliance regimen. It's limited to medium and high critical sites, and it's also very prescriptive; it's not very risk-based, right? As in, what A has to do versus what B has to do is exactly the same. It doesn't matter if A is on an island where, you know, if you impact that particular site a whole island doesn't have power, versus you're here in the middle of, let's say, Calgary, where if one site goes down, hey, nobody cares, because there's other power producers on the network, right? They try to address it somewhere; they have slightly different rules, but for the most part it's very prescriptive, it's not risk-based. That's a problem because, again, compliance is not security, but even if you follow the compliance procedures, sometimes it's just wasted dollars, wasted effort, because they're not actually fixing the risk; you're just doing something because you have to follow legislation. In many other cases, other critical infrastructure other than power, except for the most recent oil and gas, where the TSA came out with a certain regulation for pipelines after Colonial, the rest of the industries, refineries, petrochemical, there is no legislation. So again, when you go in front of management and ask for funding, you can't really tie it back to, I have to do it, right? You can tell them what the risk is, but you have other problems; you can't say, I have to do this because of legislation. So you're kind of stuck, and you don't know how to make the conversation happen.

This is again unique to OT: long project cycles. Some of these projects take a long time to build. So how many of you have started a project on the IT side and finished it in six months? Several, I would think. Other projects might take two years, three years, whatever, right, but you finished phase one in the first two months, you went through multiple phases, you got, you know, the whole company covered in maybe a few months or a couple of years. In the OT space, let's take the worst example, a nuclear power plant. First of all, you can't even build one anymore these days; you can't get permission to build a nuclear plant. But even if you did, it takes 25, 30 years to get to the finished stage in a nuclear plant. Less so in other industries, but petrochemical plants, from the initial design stages all the way to build and production... I commissioned several LNG plants, commissioned several refineries, several pipeline applications. Pipelines might take anywhere between two to three years. Some of you have heard of Keystone XL, where it didn't happen for decades, right? Then there are other pipelines that actually got through the permits and approval process; it might take 10 years to get there. So long project cycles. So the decisions that you made on security 10 years ago, 15 years ago are relevant today, and that's a problem, because you didn't have any security requirements 15 years ago, right? So when you're building projects, that's one of the problems we have. And then the construction engineering firms that are building this, they're not the ones operating. That's another problem, right, where they are forced to think about their current requirements; they're not thinking what could happen five years from now, because that's another company altogether that's operating.

And then upgrades are capex driven. This happens every day. So control systems, like we mentioned, you know, are not replaced for 15, 20 years, and they're typically capex, right? So you invested a million dollars, two million dollars in an upgrade and your ROI is over 20 years; you're not doing anything year over year. So no maintenance budget for cyber security, because that was never a thing 20 years ago, right?

And then public good versus private cost of security. This is, yeah, critical infrastructure: whether taking a water treatment plant or, in the pipeline's case, it's a private company, right? They make their own risk-based decisions. So Colonial might be 100% okay with one week of downtime for ransomware attacks, but as a country, the US, the Southeast and some parts of the Northeast, they suffer because gas prices ramped up, people didn't have gas on time. You saw those pictures or videos of people waiting in line to get gas, right? So that's a public problem, but the cost of security is with a private entity. All right, so that's a conflict of interest, where critical infrastructure, people depend on it, but the expenditure has to come from a private organization.

And then nation states. Yeah, I mean, the whole talk today I'm trying to tell you, don't focus on nation states, but that one-off chance that nation states do attack a sector or a particular company, that is not a fair game, right? You know, how are you supposed to protect yourself against nation states when your whole OT system was never architected for security? You're not having to deal with nation states. One carrot in this case is a combination of security, cyber security insurance. So in the past this wasn't a deal, but these days you can't even get insurance without some level of cyber security hygiene. So in terms of sticks, you know, legislation, but there are some benefits as well. But this is the extended landscape. I wanted to put this in perspective, that we have so many other fundamental systemic issues that need to be addressed without having to focus on the nation states, right? So the nation-state part is just a tiny aspect of it.

And then the reality check: industry trends, and everybody needs to be aware, right? Digital transformation, cloud, analytics. The previous talk was about cloud, right? IT has made so much progress in cloud because you see the scale, you see the cost improvements, you see so many benefits, so that will slowly percolate to OT as well. But that increases the attack surface quite a bit for OT, especially because we have other problems. IoT projects that are happening every day. So IoT, as you all know, I guess, is a benefit overall because you can scale projects quickly, you can implement. I always use an example: years ago on a [inaudible] I needed a level transmitter, and to get that properly commissioned, the level transmitter itself was like 500 bucks, but the cabling, the power supply, the PLC, the connectivity, the fiber to the PLC, to that location for a couple of miles, all the total upwards of 50 grand just to get a level indicator, right, a level transmitter. But if you have an IoT level transmitter, that could be a thousand dollars, but you got the signal right away. For a thousand-dollar investment you got your level. So IoT is pretty popular in the OT space as well, not just in IT. A lot of projects now start with IoT because it's cheaper, faster, so that's going to continue to happen, right? But think about it: we just talked about how OT as a whole isn't secure by design, and now you're connecting parts of it to the cloud directly. So when you were thinking it was isolated, you were safer, and now you have direct connections to the internet every day because of these increased IoT use cases.

Limited experienced professionals. This is a problem every year, I would think, but more so in OT, because the traditional OT knowledge, those people have retired or are retiring more, and then the
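The talk's point that an unauthenticated protocol like Modbus "will just follow your command" from any host on the segment, no matter how well patched that host is, and its day-one recommendations of allow listing and monitoring, as an added example that is not part of the original talk: a small Python check that parses Modbus/TCP frames and alerts on write function codes coming from hosts that are not on a write allow list. The IP addresses, the allow list and the sample frames are constructed for this example; the MBAP header layout and function codes are the public Modbus/TCP ones.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modbus function codes that change controller state. Read-only codes (1-4) are
# ignored on purpose: the policy below is about who may *write* to a PLC.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}

# Hypothetical allow list (constructed): engineering workstation -> PLCs it may write to.
# The controller itself cannot enforce this, so the network monitor has to.
WRITE_ALLOW_LIST = {
    "10.20.1.5": {"10.20.2.10", "10.20.2.11"},
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    pdu_data: bytes  # bytes following the function code


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    The length field counts the unit id plus the PDU, i.e. len(frame) - 6.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def describe(req: ModbusRequest) -> str:
    """Human-readable summary; decodes address and value for a single-register write."""
    name = WRITE_FUNCTION_CODES.get(req.function_code, f"function {req.function_code}")
    if req.function_code == 6 and len(req.pdu_data) >= 4:
        addr, value = struct.unpack(">HH", req.pdu_data[:4])
        return f"{name} addr={addr} value={value}"
    return name


def check_write(src_ip: str, dst_ip: str, frame: bytes) -> Optional[str]:
    """Return an alert if the frame is a write request from a host not allowed to write to dst_ip."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return f"ALERT malformed Modbus frame from {src_ip} to {dst_ip}: {exc}"
    if req.function_code not in WRITE_FUNCTION_CODES:
        return None  # reads are not policy-relevant here
    if dst_ip in WRITE_ALLOW_LIST.get(src_ip, set()):
        return None  # permitted engineering-workstation-to-PLC write
    return f"ALERT unauthorised write from {src_ip} to {dst_ip} unit {req.unit_id}: {describe(req)}"


def scan(records: List[Tuple[str, str, bytes]]) -> List[str]:
    """Apply check_write to (src_ip, dst_ip, frame) tuples and collect the alerts."""
    alerts = []
    for src, dst, frame in records:
        alert = check_write(src, dst, frame)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample traffic (not a real capture). The write sets holding register 1 to 50,
# mirroring the set-point change the talk describes.
WRITE_SETPOINT_50 = bytes.fromhex("000100000006" "01" "06" "0001" "0032")  # FC 6
READ_HOLDING = bytes.fromhex("000200000006" "01" "03" "0000" "000a")       # FC 3, 10 registers
SAMPLE_TRAFFIC = [
    ("10.20.1.5", "10.20.2.10", WRITE_SETPOINT_50),  # engineering workstation: allowed
    ("10.20.1.7", "10.20.2.10", WRITE_SETPOINT_50),  # fully patched HMI, not on the list: alert
    ("10.20.1.7", "10.20.2.10", READ_HOLDING),       # reads pass from any host on the segment
]

if __name__ == "__main__":
    for line in scan(SAMPLE_TRAFFIC):
        print(line)
```

The check does not depend on the PLC or the HMI being patched: it sits on the network, which is where the talk's segmentation and allow-listing recommendations put the control. The allow list keyed on source and destination is the piece a site would fill in from its own asset inventory.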