Focus on ICS (Industrial Control System) security is higher now than it has ever been before. It seems nearly every security company on the planet now offers “ICS” capabilities to protect against threats in pretty much the same manner as IT (Information Technology). The growth in support is happening for a multitude of reasons, but primarily we see IT interacting more and more with OT (Operational Technology) as systems are upgraded to take advantage of newer technologies. Problems from integrating IT with OT arise, but what we need to consider is the impact on our friends in OT. The mere act of plugging in a blinking box within an ICS environment can only get you so far. Without a robust relationship infrastructure with OT, your security program is going to struggle to operationalize your security efforts within the ICS environment. Getting OT to work with you is easier said than done because in general… OT doesn’t trust IT.
Why does OT not trust IT? Each organization is different, but a common theme I’ve seen is that IT’s track record is poor. How many times have enterprise systems gone down seemingly without an explanation? Unexplained outages would be unacceptable for a power plant or a manufacturing floor. So when we ask OT for permission to implement tools (seemingly from the Enterprise) in their environment, it’s natural to expect some pushback. Every time security makes an ask of OT it costs political capital, and if we don’t have a sufficient relationship infrastructure established, we won’t be able to execute at the desired level. Even if we were able to make the implementation happen from a technical perspective, do we have the access and the buy-in from OT to reap the rewards from the effort (response capabilities and network architecture adjustments, for example)? If you have not yet begun to develop an intentional relationship infrastructure with OT, then today is the day to begin. Luckily there are a few small things that we have done that can help you along your journey.
Your ICS Security Project Starts Today
Some of you may have gotten the privilege to go to a plant or onto the manufacturing floor for a tour or to meet with someone, but one thing is for sure: you stick out like a sore thumb. I work for an electric utility, and every time we go out to a location we must wear FR (Fire Resistant) clothing. It’s a safety thing, and one thing I notice is how clean and “new” looking my stuff is compared to other people’s at the plant. The contrast is a reminder that I am a tourist in their world — a visitor from a foreign land who may understand the base concepts, but not like the natives do. I liken this experience to taking a foreign language. Anyone can sit in the classroom and study a language and listen to tapes, but you don’t truly appreciate how language and culture intertwine until you live in the native land. Immersion should be our initial goal. How do we move from being a tourist to being accepted? The first, and hardest, part is being present. Presence is where intentionality becomes apparent.
How do we begin being present? It starts with visiting locations with OT systems, including the remote locations. Management should do everything they can to send people out once or twice a month to visit different remote locations. Most organizations issue laptops to their teams, so why not let people work from a plant or a manufacturing center one or two days a month? By merely being around, your analysts can develop the intelligence networks that they can rely upon to get questions about the environment answered. Doing so also alleviates pressure from management continually having to negotiate interactions between employees across teams.
When you send your teams on location, always have them bring gifts of some sort. Bribery won’t win you friends, but it can certainly help. What kind of bribery, you ask? Well, here are a few things that we like to do:
1. Bring donuts – Donuts in the break rooms. Also leave a note like, “Have a safe day. Your friends in Security.” Relationship building is a series of little things. Break room donuts are an affordable way to show appreciation to all employees at the location.
2. Bring candy – Candy for the control rooms is an awesome treat. Control rooms are 24 hours a day operations, and so there’s always someone there, and they likely have a sweet tooth. Bags of candy again are cheap and last a long time. Over time the control room operators cheer your arrival as they know bags of candy are part of the deal… Being known as the Candy Team is a pretty good thing.
3. Bring swag – How many conferences have you gone to where you have grabbed a big old bag of swag and then done nothing with that stuff? Grab an extra t-shirt or two (get bigger sizes), coffee mugs, and stickers (for helmets). It’s also a treat to watch how security swag proliferates throughout a location because they think it’s cool. Pro Tip: If you’re doing a deal with a vendor, have them toss in a box of shirts or some type of swag to hand out. Having extra swag helps out with the next part of developing our relationship.
Being present is an incredibly powerful first step, but in the interest of uniting IT and OT into a unified Enterprise Security program, we must go beyond location visits and candy. Opportunities to do this kind of work are all over the place within the OT / field side if you only look. There are two ways to think about this work: security-driven and security participation.
When we say “security-driven,” we mean something that security owns and manages. An example of this type of activity is the hosting of a security conference specifically for a business unit or collection of groups. An energy company that drills for natural resources may want to do an Exploration Security Conference. The company can invite cyber and physical security professionals (both inside and outside the company) to present on specific topics relevant to exploration engineering groups. Bringing in external parties gives you the ability to have someone with more “authority” speak on things you already know. There are plenty of experts and vendors willing to come to talk to your group, but they may see this as a sales opportunity (so be warned). The conference could be a whole day or only a few hours. The length of time depends on the amount of meaningful content you can deliver and how much availability the participants have. Remember, this conference is all about them and not an opportunity to gloat about how great you are. A successful conference facilitates another opportunity for your group (or their leadership) to get together and discuss security-specific content. Teams should expect to learn a lot from this exercise as well, which in turn can help to craft more intelligent security solutions.
A meaningful relationship infrastructure isn’t necessarily only about work. Being present at a work location is powerful, but connecting on a more human level creates the long-lasting partnerships that can help drive more positive security solutions that stand the test of time. The main advice here is to participate beyond securing all the things. Some of the groups in my organization hold annual events centered around demonstrating skills for colleagues and families. An example of this is an annual safety rodeo where different teams demonstrate safety and rescue techniques. Our security team’s participation is as simple as renting a tent and having a presence. During the event, we have between 2 and 5 people “staffing” the booth at all times to answer questions or hand out prizes (such as candy and swag). A member of our team also fashioned up a shooting gallery that was a hit, especially among the kids that were there. If there’s a raffle or any other set of prizes, be sure to donate something. We like to give out coolers, which are always a hit with our friends out in the field.
To quickly recap:
– Being present is critical to forming a relationship. Be aware at first you are considered a tourist. Show respect and soak in the experiences.
– If you’re going to be a tourist at least bring treats. Donuts placed in break rooms, bags of candy for the control rooms, and swag for everybody.
– Host a security conference dedicated to security issues relevant to ICS / OT. Bring in third parties/vendors to help hammer points home.
– Participate in their stuff. Have a presence, donate prizes to raffles, bring your families to connect on a more personal level.
Keep in mind that the reason we are spending so much time cultivating relationships with our friends in OT is that we rely upon this newly laid relational infrastructure to help us work through adding security capabilities within their realm. Having these relationships in place also helps with Incident Response: when you come onsite in a more official capacity, you are a known entity rather than an invader from a hostile land.