
Finger Wagging and Disrespecting Professionals Will Not Secure Critical Infrastructure

OT Cybersecurity Guys Working The Requirements

In his recent article, titled Critical infrastructures cannot be secured because network security and engineering won’t work together, Joe Weiss has provided the IACS cybersecurity industry with an example of hyperbole and fear mongering that needs to be stamped out rather than perpetuated. The advancement and maturity of this field will not evolve effectively when built on, or supported by, this biased and bigoted vernacular. It is difficult to call out all the issues in his meandering post. So, I will focus on three important topics where he needs to take a hard look at his beliefs and the approach he is bringing to the security and safety of industrial and automation control environments.

Hyperbole Click-bait Article Title

The title of his post indicates that experts providing administration for corporate and control environment infrastructures will not work together, thus breeding insecurity. He is accurate in his depiction that there are challenges integrating administrators more familiar with corporate and internet service-based requirements than operational requirements, specifically at the process levels. This lack of familiarity has traditionally forced operational personnel and vendor / integrator teams to deploy supporting IT technologies (e.g. Windows / Linux systems, Active Directory, web / database applications, network devices) within the control environments, from Level 3 down to the process levels. This situation was acceptable prior to the integration / connection of the OT environments to the corporate network and the internet using Ethernet field bus technologies. This integration was done to improve monitoring and control which improved operations and safety while also advancing interactions with corporate business units.

In my experience, the real issue for this topic is the OT personnel, including vendors / integrators, not accepting expert input from the IT administrative teams. The original basis was that the IT administrators did not understand operational requirements, and their normal administrative practices and configurations broke the OT environments. The operative term there is ‘operational requirements’. The root cause of this issue is that the IT administrators are not being provided with the control technologies’ operational requirements. If you let someone loose without guidance or direction they will fall back to the techniques with which they are most familiar. However, if you provide them with guidance, restrictions, and parameters and follow up with them, they will very often meet and exceed the goals. From the vendor / integrator perspective, the owner / operator is not providing them direction to work with these IT administrators when designing and deploying these technologies. In other words, the vendors / integrators need your cybersecurity requirements in addition to the operational requirements for these technologies. The latter you already provide – so start including the former.

Look, the OT environment, particularly at Level 3, is deployed using network, server, and application technologies that are similar to the corporate environment. Threat actors use their skills and tools from the corporate environment to great success on the Level 3 assets. Your OT administrators have limited, if any, experience in defending against these tactics and techniques. Your IT administrators do have this experience. So, isn’t it more cost effective to select some of the IT administrators and teach them about operational requirements than it is to start training your OT administrators and wait for them to gain this experience over time, while also tasking those OT administrators with operational duties that take precedence over cybersecurity efforts? Start integrating your administrative teams, allow them to develop simple methods for implementation and auditing, and remove the ‘cannot’ from your OT culture. Let them learn from and with each other.

Vulnerabilities of Field Devices

As a security researcher, I have a passion for ensuring the devices controlling the physical world are understood and protected. All my education involving hardware hacking, protocol analysis, attack surface exploitation, and input validation has helped me understand the consequences of allowing a threat actor physical and digital access to the process environment. I share Joe’s expectation that unnecessary applications, the attack surface, are reduced as much as possible to limit the functionality that can be used or exploited by threat actors. However, my research and knowledge acquired through years of security research, security assessments, and penetration testing helps me understand that these features cannot be exploited without physical or digital access to the device or field bus (yes, I consider Ethernet a field bus network; it just allows networks to be joined together). Physical or digital access is a REQUIREMENT for exploitation of vulnerabilities or features. When teaching I refer to this as understanding the medium, determining the adapter required to interact with the medium, and using protocols to communicate across the mediums to applications.

Vendors provide additional features in their products because they do not know how the solution will be deployed. Each situation is unique. More features make the product more useful and more cost effective to produce, which makes it cheaper overall. Each device will have a standard implementation guide that outlines these capabilities to ensure operational requirements can be met across all their clients in a variety of different industries. So, yes, it is the owner / operator’s responsibility to understand the technologies that comprise the solutions they are purchasing / building so that a team can outline risk reduction techniques to prevent and detect unauthorized physical and digital access to devices and field buses. These capabilities can be your friend, if you understand them and manage them appropriately (like all friends). Should vendors have better hardening guides? Of course. But, again, they do not know every use case for their device, so any hardening / configuration guide is merely the starting point for the owner / operator.

Look, if you understand the technologies and the vulnerabilities you are in a great place. This knowledge allows your team to prevent the use / exploitation of these applications using risk reduction techniques: terminate, tolerate, treat, and transfer. If you understand the medium and communication protocol then you know what an exploit looks like. With this knowledge you can monitor for this type of behavior and anything that identifies unauthorized, suspicious, and malicious activity. But you need to remember, if you start looking you will start finding. Your combined IT and OT team had better know how to respond. Hence, all this knowledge and experience should all feed into your operational requirements.
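The monitoring idea in the two paragraphs above (understand the medium and the communication protocol, then watch for unauthorized, suspicious, and malicious activity and be ready to respond) as a worked example. This is added code, not from the original post or from anyone it discusses. It assumes Modbus/TCP framing (MBAP header plus function code) as the field bus protocol, and constructs a small host-role policy, the IP addresses, and the sample frames; none of those values come from the page.

```python
"""Classify Modbus/TCP requests against an owner/operator policy.

Added example, not from the original post. Assumes Modbus/TCP framing as the
field bus protocol; hosts, roles and frames below are constructed sample data.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Function codes that change process state (writes) or reconfigure/inspect devices.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
DIAGNOSTIC_FUNCTIONS = {8, 43}
# Function codes whose PDU begins with a 16-bit starting address.
ADDRESSED_FUNCTIONS = {1, 2, 3, 4, 5, 6, 15, 16}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    unit_id: int
    function: int
    address: Optional[int]


def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> ModbusRequest:
    """Decode the MBAP header and function code; reject frames that break the protocol."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0:
        raise ValueError("MBAP protocol id is not Modbus (0)")
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field disagrees with frame size")
    function = payload[7]
    address = None
    if function in ADDRESSED_FUNCTIONS and len(payload) >= 10:
        (address,) = struct.unpack(">H", payload[8:10])
    return ModbusRequest(src, dst, unit_id, function, address)


# Constructed operational requirement: only engineering workstations may write or
# run diagnostics; HMIs are read-only; anything else is not an authorized talker.
POLICY = {
    "engineering": {"10.10.1.5"},
    "hmi": {"10.10.1.20"},
}


def classify(req: ModbusRequest, policy=POLICY) -> str:
    """Map a request to authorized / unauthorized / suspicious / malicious."""
    privileged = req.function in WRITE_FUNCTIONS or req.function in DIAGNOSTIC_FUNCTIONS
    known = policy["engineering"] | policy["hmi"]
    if req.src not in known:
        return "malicious" if privileged else "unauthorized"
    if privileged and req.src not in policy["engineering"]:
        return "suspicious"
    return "authorized"


def monitor(frames: List[Tuple[str, str, bytes]], policy=POLICY):
    """Return one alert tuple per frame that is not plainly authorized."""
    alerts = []
    for src, dst, payload in frames:
        try:
            req = parse_modbus_tcp(src, dst, payload)
        except ValueError as exc:
            alerts.append(("malformed", src, -1, str(exc)))
            continue
        verdict = classify(req, policy)
        if verdict != "authorized":
            alerts.append((verdict, src, req.function, f"unit {req.unit_id} addr {req.address}"))
    return alerts


# Constructed frames: (source, destination PLC, MBAP + PDU bytes).
SAMPLE_FRAMES = [
    ("10.10.1.20", "10.10.2.1", struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)),       # HMI reads registers
    ("10.10.1.5", "10.10.2.1", struct.pack(">HHHBBHH", 2, 0, 6, 1, 6, 100, 0x1234)),  # EWS writes register
    ("10.10.1.20", "10.10.2.1", struct.pack(">HHHBBHH", 3, 0, 6, 1, 6, 100, 0)),      # HMI writes: suspicious
    ("10.10.9.77", "10.10.2.1", struct.pack(">HHHBBBBB", 4, 0, 5, 1, 43, 14, 1, 0)),  # unknown host, device id
    ("10.10.9.77", "10.10.2.1", struct.pack(">HHHBBHH", 5, 0, 6, 1, 3, 0, 1)),        # unknown host reads
    ("10.10.1.20", "10.10.2.1", b"\x00\x06\x00\x00\x00\x06\x01"),                      # truncated frame
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_FRAMES):
        print(alert)
```

The policy table is the piece that has to come from the operational requirements the text keeps asking for: the parser alone cannot say whether a write is legitimate, only who is allowed to issue one. The truncated frame is there to make the "if you start looking you will start finding" point concrete; a malformed-frame alert may be a misbehaving device rather than an attack, and the combined IT and OT team still has to decide what to do with it.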

Conclusion (yes, this is my third issue)

The strongest part of Joe’s article can be found in part of his conclusion statement. Yes, organizations need to start forcing their OT and IT teams to coordinate, and we need to improve the education of people in a variety of technical domains. Unfortunately, these thoughts are not supported very well by the rest of his article, nor by the inclusion of the sentence containing the statement “inappropriate advice being dispensed by ‘OT cybersecurity experts’ who don’t understand control system field devices.” This dogmatic statement is maliciously speculative with the intent to bolster his own personal worth. It would be no big deal if he did not have an audience that respected his previous contributions to the field and who allow his “old school” (borderline “good ol’ boy”) biases to try to drive the industry.

Look, we do not have time for infighting, shenanigans, and personal vendettas. Adults need to start working as teams. The best, and most secure, environments that I have encountered have the OT administrators checking with and accepting help from the IT and cybersecurity administrators. They set and communicate operational requirements, employ the cybersecurity requirements where possible, and evaluate and prioritize next steps. Every one of the ‘OT cybersecurity experts’ I know, whom Joe knows and refers to, is presenting the approach I have outlined here. They are achieving success in securing industries and critical infrastructure around the world. THIS is why we CAN secure our OT and process environments. This approach is much more effective and affordable than wagging a finger and disrespecting educated, experienced, and dedicated professionals.

Go forth and do good things,

Don C. Weber

References:

Critical infrastructures cannot be secured because network security and engineering won’t work together

Joe Weiss LinkedIn post

Image Source: AI generated on MidJourney on January 10, 2025