IT Security has matured rapidly over the past decade in order to counter escalating threats. This level of rapid maturation hasn’t been matched in the ICS Security arena, and there are 5 basic reasons why:
1. Traditional views | You can’t see the forest for the trees: We’ve all had the experience of standing too close to a problem for too long and losing sight of the actual problem. Current methods for problem solving in ICS Security have actually blinded us to the bigger picture. Product companies want to apply their product to solve very specific solutions. Services companies are normally focused on meeting very specific customer defined needs. Really great integration companies are the closest thing to problem solvers, but they are typically constrained by scope, schedule, and budget. This paradigm is not effective, and will continue to fail if we do not challenge the way that we do things.
2. The Threat: There are clear and present threats to IT environments. We hear about these attacks on a regular basis, and most of us have been affected by an IT Security breach in one way or another. Threats to ICS environments have escalated as well, but they’re very different than threats to IT environments. ICS threats are fairly sophisticated and focused on stealing information. Reconnaissance, theft of intellectual property, process mapping, and theft of other intangible assets happens on a fairly regular basis.
3. The People: We’ve all seen reports about the skills gap in the IT Security realm, but that gap is massive in the ICS Security realm. If you’ve been to an ICS Security conference in the past few years, you’ve likely heard there are only 400-600 security personnel in the entire United States. Yes, those numbers are growing, but that’s because anyone who can spell “ICS” and “Security” are branding themselves as ICS Security experts. There are very few people in this fight who have actual operations experience, security knowledge, and a solid understanding of the tools available for their use. On the flip side, there are plenty of charlatans selling snake oil as ICS Security products or services. Make sure you understand who you’re dealing with before engaging with a security provider.
One other thing to consider when you’re talking with security providers is that most of them assume that operations is slow to adopt change. But these “ICS Security professionals” who think operations is slow to adopt change have probably never set foot in a production environment, or haven’t looked at change from any other perspective than their own. Change happens every day in operations, to the point where change management processes are so good that there are people dedicated to tracking changes on a daily basis throughout the production environments. Operations and production environments have to change often to meet market demands, or they lose their competitive advantage, so they know change better than most. It’s just a clear example of how security can be very out of touch with operations. Again, interview your potential security providers very thoroughly.
4. The Process: ICS networks are unique, so applying purely IT security solutions and methodologies will fail. Failure in a production environment can be extremely dangerous and costly. These assets are physical, but they live in the cyber realm, so you cannot look at this from one specific lens and expect to have success. If you approach this problem academically, you’ll quickly see that ICS security has been going in the wrong direction, because traditional IT Security methodologies are being used in environments where they will not work. This can quickly be confirmed when pulling data on the adoption curve of ICS Security compared to any other security domain in history. The industry has been trying to apply tools and methods that aren’t relevant to this unique environment.
Current ICS security solutions do not align well with Owners and Operators of these systems, because they have very different goals and processes to accomplish those goals. ICS environments were never built with security in mind…they were built with production in mind. The reason why IT and ICS Security methodologies fail is because they do not understand the processes and functions of ICS systems.
A successful ICS Security program must begin with the understanding that this environment is very different than IT environments. Outer space lacked the oxygen our astronauts needed to breathe, but we overcame that obstacle. Deep ocean exploration became possible when we learned how to build craft capable of withstanding enormous water pressure. We didn’t change the environments where we wanted to operate, we changed how we approached the environments. When you start looking at ICS networks as an environment instead of just a collection of parts, then you can start thinking about accepting the environment and learning new ways to work within it. Once you understand the environment, you’ll begin to understand the processes and how to secure them.
5. The Technology: Technologies in the security space are made to solve specific problems. In the IT realm, they’re usually created to solve very specific problems or do very specific things. Security teams have to sort through all of the potential technologies, pick a few that solve parts of their problem, and hope that they can get them all to work together. Security Operations Centers are built around the concept, and it has been fairly effective in the IT realm. Unfortunately, this does not work very well in the ICS realm. Each location and each network is very unique, and the ICS equipment on site will change the requirements for security tools.
You need to have a really good understanding of your ICS network at each of your locations before you select specific technologies. And yes, you will need several different technologies. Selecting the right technologies, and ensuring that you have the right people to operate them effectively can be monumental challenges. As we all know, you only get one misstep before your operations personnel lose faith in the solutions that you’re trying to bring to their environment. A holistic solution that incorporates multiple technologies is the only way to go.
The Future: Our team at Red Trident has set out to revolutionize ICS security, and help mature the industry’s capabilities. We challenged the paradigm, and looked at security from a much broader perspective. We approached the environment from an operations perspective, and merged physical and IT security methodologies into a holistic solution. Our new approach quickly and effectively secures the entire ICS environment.
Red Trident has redefined the problem, and we are now completing the development of a holistic solution that is simple, addresses the complexities of ICS Security, and provides a method for easy adoption to the end users.