Information sharing has long been a desired end-state among cybersecurity leaders. Yet many organizations have been hesitant to disclose incident information in the past out of either competitive concerns, or for fear of bringing additional exposure to their organizations.
The rise of information sharing and analysis centers (ISACs) has eased some of those concerns. Member organizations in any number of industry ISACs share anonymized threat intelligence, vulnerability information, and other useful tactics, techniques, and procedures that emerge from incidents—all to the benefit of industry ecosystems.
Operational technology has its own ISAC. The OT-ISAC was launched in October 2019 through a partnership between the Cyber Security Agency of Singapore (CSA) and Global Resilience Federation Asia Pacific (GRF APAC). Its goal is to improve information sharing among asset-heavy enterprises in order to better response activities to threats to OT and cyber-physical systems.
Steven Sim, the chair of the OT ISAC advisory committee, joins the Nexus Podcast for an in-depth conversation about the state of the OT-ISAC, information-sharing, and why organizations are prospering from this channel for not only sharing, but community initiatives, including conferences, and training opportunities for OT engineers and cybersecurity practitioners.
"I think increasingly organizations are more willing to share because they realize that we are only as strong as our ecosystem," Sim said, pointing to the damaging NotPetya attacks of 2017 as a watershed moment demonstrating the value of information-sharing as a practice.
"Entire organizations were being taken offline... There were damages to the organization and then as well as downstream impact to the to the whole economy," Sim said of NotPetya. "So this was in fact one of the larger wake-up calls to many organizations who realize that the ability to get the latest tracked intelligence; having access to early warning systems is a good way to flip the asymmetry of attacks and be able to stay at the front of this intelligence and be able to react."
Sim explained that threat intelligence and incident information is anonymized and shared with member organizations through OT-ISAC's Malware Information Sharing Platform, which operates through a REST API. Indicators of compromise, for example, are pulled down through the platform in an automated fashion and ingested by member organizations. That intelligence can be then fed to members' endpoint detection and response systems, firewalls, or other security monitoring and response tools.
Sim also discussed some upcoming initiatives for the OT-ISAC, including its new Domain Advisory Circle, which OT-ISAC hopes will bring together expertise from a number of pillars, including engineering and OT asset operators, as well as threat intelligence and risk and governance initiatives, and a final workforce development pillar.
"The goal is really to guide our strategic direction for memberships and to strengthen community driven efforts in OT, SCADA, ICS, cybersecurity," Sim said. "It's definitely a community-driven initiative."
Sim said an advisory committee will be formed among carefully selected practitioners globally.
"With their input, they will provide thought leadership. They will help level up the maturity of some of the practices, both from the blue team perspective as well as red team," Sim said. "[They will] build our capabilities across the different sectors that have operational technology and to be able able to better defend against emerging, sophisticated attacks, whether it's AI-driven and so forth, as well as we move into not just Industry 4.0, but Industry 5.0."
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.
