It is not every day that you witness a star-studded lineup of CISOs and cybersecurity veterans come together on one platform with a common agenda, collectively shaping the OT/ICS security landscape, but this unbelievable feat was achieved at the inaugural edition of the OT-ISAC Virtual Summit 2020.
By Mihir Bagwe, Tech Writer at CISO MAG
Over the last decade, damage in the cyber-physical world has become more real, relevant, and predominant. In fact, the recent attacks on the administrative network of Kudankulam Nuclear Power Plant (KKNPP) in India and the one at Iran’s Natanz nuclear facility on July 2, 2020, which inflicted physical damage to the facility, are prime examples of how state and threat actors are taking the game a notch higher by attacking OT/ICS to bring down nations and businesses.
To address these issues and help build a resilient OT/ICS cybersecurity posture, OT-ISAC decided to conduct a virtual meet where experts from the infosec community could come together and share their thoughts, expertise, and analysis for the collective good of the industry.
Keynote at OT-ISAC Virtual Summit 2020
The keynote for the event was jointly given by David Koh, Commissioner of Cybersecurity & Chief Executive of Cyber Security Agency of Singapore (CSA); William Nelson, Chair & CEO of Global Resilience Federation (GRF); and Dale Peterson, CEO, Digital Bond.
David Koh said, “OT cybersecurity is an increasingly pressing issue with the growing convergence of OT and IT. Regardless of the seniority or the domain (engineering or IT) we all need to work together for defending the OT environment from cyberthreats.”
“Cybersecurity is like a seat belt in the car. It has to be there, and it is mandatory for your safety.”
OT systems were traditionally considered solid entities that could not be penetrated without physical access to them. However, this is not the case anymore. Describing the cause of this change, Koh explained, “OT systems in the past were often isolated from business networks and the internet, which allowed the OT systems to remain secure by obscurity as they were typically air-gapped from other systems. Therefore, a possibility of a cyber incident was deemed to be remote. However, then came the digitalization wave and the industrial processes started to shift from the systems based on proprietary computing to those based on open source IT computing platforms. OT and IT began to converge and there was no longer an air gap between the two. This evolution has dramatically changed the OT cyberthreat landscape. With increased interconnectivity between OT and IT systems come large attack surfaces for malicious cyberattackers who are always looking out for these gaps.”
He further informed the attendees about three specific security challenges to OT systems:
- Poorly authenticated remote access.
- Exploitation of known vulnerabilities in OT systems.
- Malicious activity that can go undetected, as system operators can mistake anomalous behavior for system error, because OT systems are not regularly patched and rarely have a centralized dashboard.
Before joining the GRF, keynote speaker Bill Nelson worked as the President and CEO of FS-ISAC for 12 years. He is well versed in the importance of working together and thus shared his thoughts on the need for collaboration in the ICS community. If adversaries can share their attack tactics and promote their tools as a service, then why should we not collaborate? Bill stressed, “This is the key to cyber resilience.”
Similarly, Dale Peterson, a veteran with over 20 years of experience in ICS security, gladly shared his thoughts on “The future of ICS security products.”
The key topics related to OT/ICS security covered during the event included evolving industrial cybersecurity, governance, risk and compliance, third-party and supply chain risk, and ICS & CIIs.
Based on the key touchpoints related to OT/ICS security, panelists in a fireside discussion spoke about the need for cross-pollination of OT and IT realms.
“There is no miracle box to protect your OT. It needs different technologies and collaboration between OT and IT teams.”
Gary Kessler, President of Gary Kessler Associates, suggested that engineers need to adopt a “Security by design” approach at the very beginning, and not as an afterthought following a breach or security lapse. Kessler also stressed the need to focus equally on inside vulnerabilities rather than only on outside threats. He added, “Threats come from the outside which are uncontrollable in nature. However, vulnerabilities are already present in the systems and processes. Thus, we need to equally see on both sides of the spectrum.”
Turning to the touchpoints of governance, third-party risk, and the associated compliance, Dr. Ong Chen Hui, CTO at Trustwave, said, “The supply chain in OTs these days is beyond control. Thus, vendors and third parties need to have their vulnerability assessments and monitoring systems. Collaboration and partnership at all levels is the key to securing critical information infrastructure (CII).”
Shawn Thompson, CISO, Dept. of Transport, seconded Chen Hui and highlighted the need for a practical or risk-based approach for strengthening an organization’s cyber defense posture.
“Organizations and their supply chains should adopt a risk-based approach rather than a compliance-based approach. Risks are different for different industries and there is no ‘one size fits all’ rule.”
The APT Threat
Due to the lack of hardened security measures and fragmented operations, OT/ICS systems are also predominant targets of APT attacks. Victims of such attacks include power plants, chemical manufacturers, seaports, and military objects. APT groups often have the backing of nation-states and are therefore more interested in analyzing and exfiltrating specific confidential data than in penetrating networks and systems for monetary gain.
Referring to how such attacks originate and how long threat actors can stay hidden in a network, analyzing only what is worthwhile, Anastasiya Tikhonova, Head of APT Research at Group-IB, said, “APT attacks on critical infrastructure can start with small things, as small as an employee connecting an MP3 player to a critical system. It has happened before and provided threat actors a free entry into the victim’s network. APTs also stay in the system for a longer period, sometimes as long as four years to analyze, penetrate, and exfiltrate targeted data.”
OT-ISAC’s effort in hosting this event and bringing the top OT security experts together on a virtual platform is noteworthy. The main intent of the event, as its name suggests, was information sharing. Attacks and attack vectors targeting the OT/ICS industry have spiraled upwards, especially since the onset of the pandemic; however, discussions like these help in shaping the security posture of the OT/ICS infrastructure.
CISO MAG was the official Media Partner of the OT-ISAC Virtual Summit 2020, and had exclusive access to the content. We take this opportunity to thank Image Engine, the event producer and organizer, for providing the required technical assistance for event registration.