For decades, it seems, the hard hats in control environments have kept the keyboard warriors at arm’s length. Regardless of the expertise and added value an individual may bring, the guardrails go up in order to preserve the safety and reliability of an automation process.
Don Weber, a cybersecurity veteran specializing in securing connected automation environments, has observed incredibly talented people being less than accepting of outsiders to a control environment.
“They understand the technology. They understand the techniques, what people are trying to do, and they're worried about these people coming in and creating those unsafe situations,” Weber said in this episode of the Claroty Nexus podcast. “They're not accepting of other people for, in some cases, very good reasons.”
Weber stresses that this gatekeeping mindset needs to change, and that the guardrails need to come down as more critical infrastructure is connected to the internet and the risks extend beyond availability and safety.
“We need to modify our behavior so that we're accepting new people and accepting new experiences, and of people with an understanding of new domains,” Weber said. “We're deploying applications. We're deploying servers within these environments. We're expecting them to do more than just work. We're expecting them to be configured correctly so that they protect the environment from digital attackers. We’re going to need to bring those people in and teach them the requirements for implementation, accepting that new knowledge base so that we're doing this administration and security correctly.”
Weber also discusses the value of cybersecurity certifications within control environments, the weight they carry with hiring managers, and how current the curricula attached to the myriad available certifications are. For example, Weber said he’s interacted with officials from universities who want to facilitate control environment security training within their programs.
“I'm seeing more and more professors and instructors looking down this path,” Weber said. “And all you have to do is look at DEFCON and some of the other conferences around the world. A lot of the capture-the-flag [contests] now include control environments.”
Finally, Weber discusses a new methodology for scoring implementation vulnerabilities identified when testing and performing cybersecurity assessments of industrial and automation control environments. The IACS System Testing and Assessment Rating (STAR) is freely available and fills a gap the industry has identified: current security assessment tools and frameworks don’t do a good enough job of assessing the consequences of implementation vulnerabilities within control environments.
“We're using those old ways to kind of rate risk,” Weber said, adding that many ratings don’t consider the consequence of an exploit against a control system.
Operators and others can select different criteria within the risk calculator such as threat actor skill level, ease of exploit, and technical and safety impact of a successful exploit of an implementation flaw.
“None of the calculations really talked about consequences,” Weber said. “Tell me what the consequence of this vulnerability is and actually one of the things I like to point out is when you go look at the MITRE ICS ATT&CK matrix, and you look over all the way on the right at the impacts. The impacts are completely different than the enterprise. Impacts in the control environments are stuff like loss of visibility, loss of control, manipulation of control and so there was no really good way to talk about that.”
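As an added illustration of the point Weber makes (example code written for this article, not the IACS STAR calculator or its formula, which the article does not reproduce), the small Python rating below combines the criteria mentioned above: threat actor skill, ease of exploit, technical impact, safety impact and an ICS consequence category. The scales, weights and the two findings are constructed assumptions; the example shows how adding a consequence dimension reorders findings that a likelihood-times-technical-impact rating would rank the other way.

```python
from dataclasses import dataclass

# Hypothetical 0-9 weights for MITRE ICS ATT&CK-style impact categories.
# These are illustrative values, not the IACS STAR scoring scheme.
ICS_CONSEQUENCE = {
    "none": 0,
    "loss_of_visibility": 4,
    "loss_of_control": 7,
    "manipulation_of_control": 9,
}

@dataclass
class Finding:
    name: str
    skill_required: int      # 0 = no skill needed, 9 = expert-only
    ease_of_exploit: int     # 0 = theoretical, 9 = trivial
    technical_impact: int    # 0-9, enterprise-style data/system impact
    safety_impact: int       # 0-9, potential harm to people or equipment
    consequence: str         # key of ICS_CONSEQUENCE

def likelihood(f: Finding) -> float:
    """Lower required skill and easier exploitation both raise likelihood (0-9)."""
    return ((9 - f.skill_required) + f.ease_of_exploit) / 2

def enterprise_score(f: Finding) -> float:
    """The 'old way': likelihood times technical impact, consequence ignored."""
    return likelihood(f) * f.technical_impact

def consequence_score(f: Finding) -> float:
    """Likelihood times worst-case consequence, where safety and ICS impact count."""
    worst = max(f.technical_impact, f.safety_impact, ICS_CONSEQUENCE[f.consequence])
    return likelihood(f) * worst

def rank(findings, score=consequence_score):
    """Return findings ordered from highest to lowest score."""
    return sorted(findings, key=score, reverse=True)

# Constructed sample findings: identical likelihood, very different consequences.
FINDINGS = [
    Finding("default credentials on historian web UI", 2, 8, 7, 1, "loss_of_visibility"),
    Finding("unauthenticated setpoint write on process PLC", 2, 8, 3, 9, "manipulation_of_control"),
]

if __name__ == "__main__":
    for f in rank(FINDINGS):
        print(f"{f.name}: enterprise={enterprise_score(f):.1f} "
              f"consequence={consequence_score(f):.1f}")
```

With the constructed values the historian finding ranks first under the enterprise-style score, while the PLC finding ranks first once safety and ICS consequence are part of the rating.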
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.