The National Security Agency is warning Pentagon agencies and private sector defense contractors to better secure their operational technology (OT) equipment — the special computer systems that run industrial machinery. The warning highlights the increasingly numerous and dense connections between OT equipment and regular IT networks, saying that each such connection increases the risks to OT.
The Defense Department is a huge user of OT. It is, for instance, one of the largest fuel handling organizations in the world — all of its refueling depots rely on OT.
But the NSA warning should serve as a wakeup call for all federal agencies. OT is everywhere in the federal enterprise — HVAC and entry control systems are in every government building, for example. And OT systems are vital to many critical infrastructure sectors — starting with energy and oil and gas, but including water and sewage, pharmaceuticals, and manufacturing.
The stakes were revealed this year when a hacker obtained remote access via the public internet to an OT system that controlled the water system for the town of Oldsmar, Fla., and attempted to poison it.
The NSA warning points out that many government OT systems are “stagnant … past end-of-life and operated without sufficient resources.”
Federal agencies need to start thinking about the security of their OT systems the same way they look at their IT networks — vulnerabilities have to be mitigated, risk management decisions must be made, and investments have to be planned.
The federal OT security challenge
Federal agencies have spent years getting on top of their cybersecurity issues, but securing OT is a very different challenge. OT systems are often designed to be in place for decades, and they’re not built to be updated the way conventional software IT is. Increasingly, these systems, designed to operate on a standalone or air-gapped basis, are in practice accessible online through the business IT networks of the agencies that operate them.
Many federal CIOs have an “uh-oh” moment when they first see the traffic from their “isolated” or “air-gapped” OT systems flowing across their business IT networks — and realize they’re sometimes accessible from the public internet.
That creates a large and, in many organizations, poorly understood attack surface. Agencies may not have a good idea of all the risks they could be facing because they don’t have visibility of the entire attack surface, and the vulnerabilities of OT systems are not well understood except by expert specialists.
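As an added illustration, not part of the NSA warning or of this article, here is a small Python check of the kind an agency could run over exported flow records to surface the "uh-oh" traffic described above: industrial protocol flows that leave the OT enclave or involve an address outside internal space. The address plan, the port-to-protocol mapping and the sample flows are assumptions constructed for the example.

```python
import ipaddress

# Well-known TCP ports of common industrial protocols. Until an asset
# inventory exists, the protocol port is the first signal a defender has.
OT_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    102: "Siemens S7 (ISO-TSAP)",
}

# Assumed address plan: OT lives in 10.50.0.0/16; everything else in RFC 1918
# space is business IT; anything outside RFC 1918 is treated as external.
OT_SEGMENTS = [ipaddress.ip_network("10.50.0.0/16")]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (src, dst, dst_port) standing in for a NetFlow export.
SAMPLE_FLOWS = [
    ("10.50.1.10", "10.50.1.20", 502),      # HMI polling a PLC inside the OT segment
    ("10.10.4.15", "10.50.1.20", 502),      # business IT workstation talking Modbus to a PLC
    ("198.51.100.7", "10.50.1.20", 20000),  # non-internal source reaching a DNP3 outstation
    ("10.10.4.15", "10.10.4.16", 443),      # ordinary IT traffic, not of interest here
]

def _in(addr, nets):
    return any(addr in net for net in nets)

def classify_flow(src, dst, dport, ot_segments=OT_SEGMENTS):
    """Label one flow: None (fine), 'IT_OT_CROSSING' or 'EXTERNAL_EXPOSURE'."""
    if dport not in OT_PORTS:
        return None
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not _in(s, RFC1918) or not _in(d, RFC1918):
        return "EXTERNAL_EXPOSURE"      # OT protocol exchanged with a non-internal address
    if _in(s, ot_segments) and _in(d, ot_segments):
        return None                     # expected traffic within the OT enclave
    return "IT_OT_CROSSING"             # OT protocol leaving or entering the enclave

def find_ot_exposure(flows, ot_segments=OT_SEGMENTS):
    """Return (src, dst, protocol, label) for every flow that needs attention."""
    findings = []
    for src, dst, dport in flows:
        label = classify_flow(src, dst, dport, ot_segments)
        if label:
            findings.append((src, dst, OT_PORTS[dport], label))
    return findings

if __name__ == "__main__":
    for finding in find_ot_exposure(SAMPLE_FLOWS):
        print(*finding)
```

Each finding is a candidate for the asset inventory and for a conversation between the security team and the OT engineers about whether that path should exist at all.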
Key takeaways for federal OT security
At Operation: Next, a recent OT security conference staged by Accenture, Guy Delp, VP of Global Information Security at Pfizer, discussed building a security operation to protect OT assets. Pfizer is currently using its OT assets to manufacture COVID-19 vaccines.
Delp offered seven takeaways that are highly relevant for federal agencies.
- Build a connection to the overall mission. Delp retold the famous story about the NASA janitor who put down his mop and told President John F. Kennedy, “I’m helping to put a man on the moon.” The security team has to understand their role in the organization and be a team player.
- Measure what matters. Focus on metrics that measure effectiveness of the output, versus those that measure input. The number of tickets resolved is a bad metric because it incentivizes shoddy work. Time to mitigation — if you properly define mitigation — is a much better metric.
- Analyze OT security across your ecosystem. Your suppliers are an attack vector — you need visibility into the risks they represent. Make sure you are asking them tough questions: Do you enforce multi-factor authentication? Do you have a Privileged Account Management strategy? Be honest with yourself: Where are your blind spots? How far can you see down the security stack? Share your data to empower your suppliers and other ecosystem partners. “Getting your data into the hands of those that can use it acts as a force multiplier for your security team,” said Delp.
- Foster a cybersecurity culture. Among the IT staff in most federal enterprises, there is at least a baseline understanding of cyber threats. But that’s often not there in the teams that run OT. On the other hand, the security team, while it likely has an excellent grasp of IT, may know next to nothing about how OT systems operate. Fostering a cybersecurity culture in the OT space means ensuring that your security team and your OT team are working together.
- Ensure interoperability. The data is key. Security tools need to be able to provide data in a form that’s usable by other vendors’ tools. An API-first mindset is key for interoperability. Security leaders need to evaluate tools from a data-centric perspective first — “Can it collect the data I need?”
- Focus on the boring stuff. Hollywood-style zero-day attacks are one in a million. Most successful hacks use low-hanging fruit, like known unpatched vulnerabilities. No one ever got a high five for patching a new vulnerability within the time window dictated by the threat assessment — but that is the boring stuff that keeps an agency secure. The most effective security programs focus on the fundamentals: inventory, patching, logging, building asset visibility. These are not problems that are ever “solved.” They are problems that have to be constantly worked — like gardening.
- Invest in talent. Defending OT requires a mind meld of IT cybersecurity and OT operational expertise. By and large, trained cybersecurity personnel don’t have the skills and experience to deal with OT. OT engineers, on the other hand, don’t have the cybersecurity skills they need to protect these newly vulnerable systems. There’s only a very restricted pipeline of people with these hybrid skills. Agencies seeking to mature their OT security efforts have to grow their own hybrid experts by training OT engineers in cybersecurity or cybersecurity experts in OT.
Different agencies are at different stages on their OT security journey. But few have the visibility they require into the connectivity of their OT. And fewer still are in a position to leverage that visibility with specialized OT security expertise to properly assess their risk.
“A significant shift in how operational technologies (OT) are viewed, evaluated, and secured within the U.S. is needed,” warns the NSA, “to prevent malicious cyber actors from executing successful, and potentially damaging, cyber effects.”
The threat to OT systems is real, and agencies need to have a plan to defend themselves.