Accelerating IACS / OT Cybersecurity Improvements
Today I had to remind myself to tell a team leader about an IT cybersecurity team member who provides superior security assessment work for a utility client. The IACS and OT industry likes to say that IT administrators and cybersecurity professionals cannot provide good guidance or conduct active assessments safely in production environments. This individual's contributions to the vulnerability assessment of complex production and test environments continue to be invaluable and have helped improve the design and deployment of solutions affecting millions of people served by the utility.
Here is a snippet of the kudos I outlined about this individual. He was and is “always upbeat, professional, technical, fscking devious, careful, and accepting of direction. His background, and interests, are not related to IACS / OT technologies or solutions. But he participated on the IACS / OT assessment team and used his skills effectively.”
Let's break each of these down, since I feel these key traits are critical for every team member working on production networks.
Key Traits
Upbeat – working in IACS/OT environments can be intimidating, particularly when some things are out of scope or fragile. He asked clarifying questions but never let himself get so frustrated that he could not focus, add value, or be safe.
Professional – hackers will be hackers, and there is a need for standards that let them flourish. But IACS/OT environments have operational standards that cover dress, safety, and technical actions. He always dressed to the site's standards and respected the limitations the client imposed. He pushed on some technical requirements with clarifying and challenging questions, but accepted the answers, even when the answer was simply 'we have to do it this way.'
Technical – going in, he stated plainly that he had no experience with utility communication protocols, vendor solutions, or even electricity. As the assessment was scoped and conducted, he focused on the technologies he was familiar with and reviewed their implementation. His security assessment skills with the Windows operating system, database configuration, web application implementations, and Kubernetes deployments were all required by the vendor's solution, but they were skills the owner / operator's OT admin and OT cybersecurity team did not have.
Fscking Devious – using his non-OT skills, he found issues with operating system configurations, credential and data leaks in application files, exposed certificates that let an unauthorized party authenticate to production data, and a scheduled task running with SYSTEM privileges that executed a Windows executable he had written and dropped in its path, among other findings. He identified gaps where the vendor had told the client 'yes, we did that' when in fact they had not met the cybersecurity requirements the owner / operator laid out for the project when selecting the solution. Most of the time people were amazed at how easily the issue was identified and taken advantage of.
Careful – when he first started working on this client's projects, his approach followed a normal IT security assessment: 'go anywhere, get everything, as long as it is within scope.' He accepted the initial guidance to 'ask before you do' and 'be careful with production data.' He realized being careful was an operational requirement and made it the default for every devious idea: ask permission before acting.
Accepting Direction – already covered above, but I have seen plenty of cybersecurity professionals decide to do things anyway because 'I know the client / vendor should account for this, and I am going to show them. Then they will understand.' This attitude breaks test and production environments. In the worst case it can lead to safety issues. Accepting limitations and scope is a valuable, and required, skill in IACS / OT cybersecurity assessments.
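The scheduled-task finding under "Fscking Devious" is the kind of check an IT-side assessor brings to an OT engagement: if a task runs as SYSTEM and a non-administrative principal can write to the executable it launches (or to the directory that contains it), anyone with that principal's access can have their own binary run as SYSTEM on the next trigger. The script below is an added example written for this post, not code from the original assessment or from any vendor. It assumes it is run in an elevated PowerShell session on the Windows host under review, using only the built-in ScheduledTasks and Get-Acl cmdlets. The list of "weak" identities is an assumption chosen for illustration; a real assessment would compare against the site's own privilege model and account for localized group names.

```powershell
# Added example (not from the original post): enumerate enabled scheduled tasks
# that run as SYSTEM and flag any whose action executable, or the directory it
# lives in, is writable by a broad non-administrative principal.
# Assumptions: elevated PowerShell on the target Windows host; English identity
# names; the $weakWriters list below is illustrative, not authoritative.

$weakWriters = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets the holder replace the file (or plant one in the directory).
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-WeakWriters {
    # Returns the weak identities holding an Allow ACE with write-class rights on $Path.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $writeRights) -ne 0) -and
            ($weakWriters -contains $_.IdentityReference.Value)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

function Resolve-ActionPath {
    # Task actions often carry surrounding quotes and environment variables; expand both.
    # An unqualified name is resolved through PATH, as the Task Scheduler would.
    param([string]$Execute)
    $p = [Environment]::ExpandEnvironmentVariables($Execute.Trim('"'))
    if (-not [System.IO.Path]::IsPathRooted($p)) {
        $cmd = Get-Command $p -ErrorAction SilentlyContinue
        if ($cmd) { $p = $cmd.Source }
    }
    return $p
}

$systemIds = @('SYSTEM', 'LocalSystem', 'S-1-5-18')

Get-ScheduledTask |
    Where-Object { ($systemIds -contains $_.Principal.UserId) -and ($_.State -ne 'Disabled') } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # e.g. COM-handler actions
            $exe = Resolve-ActionPath $action.Execute
            $dir = Split-Path -Parent $exe
            $exeWriters = Get-WeakWriters $exe
            $dirWriters = Get-WeakWriters $dir
            if ($exeWriters -or $dirWriters) {
                [pscustomobject]@{
                    TaskPath    = $task.TaskPath
                    TaskName    = $task.TaskName
                    RunAs       = $task.Principal.UserId
                    Executable  = $exe
                    Arguments   = $action.Arguments
                    ExeWritable = ($exeWriters -join ', ')
                    DirWritable = ($dirWriters -join ', ')
                }
            }
        }
    } | Format-Table -AutoSize
```

Two caveats a practitioner will want: this only inspects the DACL, so it misses cases where the weak principal owns the file or a parent directory (ownership allows rewriting the DACL), and it says nothing about what the executable itself loads at runtime (DLL search order, config files, helper scripts), which is where the same class of finding often reappears. It is a read-only check and safe to run on a production host, but per the "Careful" trait above, it still goes through the ask-before-you-do step with the owner / operator.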
Conclusion
The point I am trying to make here is that the IACS / OT side has a lot of challenges deploying and maintaining production environments. They are experts with production technologies and may even understand cybersecurity principles. However, they are not cybersecurity experts, nor do they have the IT administrative experience of defending against swift vulnerability exploitation. Meanwhile, the choices owners / operators are making and, more challenging, the choices that vendors and integrators are making, generate easy-to-exploit situations with real consequences. Identifying these issues, which is what leads to the prevention and detection of exploitation, can be improved by using the skills of team members with limited or even no IACS / OT experience. Finding team members with the right mentality and maturity can be more important than requiring years of OT implementation experience. Because, do you / we really have time to wait for that?
Go forth and do good things,
Image Source: Generated with Midjourney, 20250117