This article by CrowdStrike’s Kris Krewson and Dragos’ Lesley Carhart has been crossposted from CrowdStrike’s series ‘From the Frontlines.’
We sit in a dusty break room, notepads in hand, and nervously watch the corporate IT cybersecurity and industrial operational technology (OT) teams meet one another for the first time. The OT team — consisting of plant managers, process control engineers, mechanics, technicians, and other experts — immediately put their guards up when we entered the plant, fully expecting another security audit. After carefully explaining we’re just there to build bridges and facilitate planning between the two teams, we can see the tension gradually relaxing in the room. Someone finally reaches across the table for a doughnut.
We turn to the senior electrician and ask, “Could you help us understand what you would do if there was a computer that had a virus on it?”
After carefully considering the question, he hesitantly begins to walk us through their disaster recovery process — a plan he created totally on his own because there was no relationship between his segmented industrial network and corporate information security. The IT staff leans in, interested. He has a pretty clever and detailed plan.
We glance across the table at one another in relief and share a smile. Real cooperation between the IT and OT teams has begun and we’ll likely be here for hours as they catch up on years of stories and ideas. Like a marriage counselor, we’ll be there to guide, offer discussion points, and provide technical clarification, but a great deal of our involvement is simply making the discussion between two nervous stakeholders possible.
Guidelines for Building Cooperation
As cybersecurity consultants, we provide trusted strategic advisory services to organizations that are taking proactive measures to identify risks, detect threats and better secure their environments. Leveraging the partnership between CrowdStrike® and Dragos, together we can provide clients with a comprehensive strategy to improve their security posture in both their IT and OT environments.
When we come on-site, we often discover a troubled or even non-existent relationship between the IT and OT teams. A common misconception we hear is that industrial control system (ICS) operators don’t care about cybersecurity. Realistically, nearly everyone we speak to in our work is invested and interested in security — they may just use different terminology, risk models and controls. However, the biggest difference is prioritization.
Operational risk management and business priorities are usually different, and poor approaches in the past by IT cybersecurity staff have often left their OT counterparts wary. In most environments, IT and OT teams are quite segregated and have had little interaction or cooperation. As cybersecurity becomes more of a concern for all organizations and businesses request increasing visibility, automation, and connectivity in their OT environments, the two teams are being brought back together by necessity. If done right, this reintroduction can improve the organization’s security posture considerably. If done wrong, it can lead to serious culture shock.
CrowdStrike® and Dragos frequently consult in industrial environments where IT and OT teams are having these conversations — acting as technical advisors and mediators to enable constructive discussions between the teams. Sometimes, the most important role we play is to help heal relationships that have been strained by unfortunate pen tests or scanning, hostile audits, and lack of communication. Sometimes our role is to provide deeply technical cybersecurity expertise, and other times we spend a large portion of the time keeping the discussion healthy and on track. Here are some lessons we’ve learned along the way:
1. Don’t merge into one entity and lose what was special and unique about each of you.
There is a lesson to be drawn from romantic associations: When a relationship is young and new, both parties may feel the urge to merge — to do everything together, which may cause individuals to lose touch with what was special and unique about each of them and their experiences. Similarly, we see some organizations merging IT and OT cybersecurity into one team, or perhaps simply assigning the IT team new responsibility for the OT environment. While we don’t recommend a particular organizational model, it is important that the complexities of each environment, the specialty skill sets required, and the differing priorities based on risk are respected and documented.
Remember, you’re different and that’s okay. Industrial systems tend to have an extremely long lifecycle and exist in closed ecosystems. When an operator decides to install a facility, they typically approach an industrial technology vendor who sells them high- and low-level hardware, software, support and maintenance as a package. This can be a massive capital expense and may be expected to stay in service for one to three decades. Clearly, commercial computer systems and software included in the package will eventually become obsolete. Some devices may be upgraded or replaced through a maintenance contract, but many may fall out of support yet remain integral to operations. If systems can’t practically be replaced and continue to function harmoniously with the rest of the system, they must remain in operation indefinitely.
As cybersecurity professionals, we spend most of our careers thinking data security is the highest priority, knowing that failing to secure digital data has expensive and potentially catastrophic results. We spend years reciting best practices such as “patch every computer,” “update antivirus,” and “don’t use vulnerable software.” Entering the OT environment doesn’t invalidate these guidelines, but IT cybersecurity staff need to keep an open mind when considering how these may or may not apply. Operational environments are actually hyper-focused on safety and risk management, but from a more holistic standpoint.
2. Both parties have to make an effort.
We’ve delivered tabletop incident response exercises at manufacturing plants where the OT personnel did not know they had a corporate IT cybersecurity team, much less that they could or should call them for support during an incident. If the first time your IT cybersecurity team is hearing about an incident at a plant is because it spread to the corporate network, it’s too late.
Similarly, some IT cybersecurity personnel have no idea how the plants work. Take your IT cybersecurity team on a plant tour and ask questions about the OT team’s priorities, bottlenecks in the process, and network architecture. Know which systems are owned by the company versus leased from and maintained by a vendor.
Remember that bridges may have been burned, and require rebuilding. OT staff may be wary after years of audits chiding them about obsolete systems they cannot afford to patch; vulnerable software, which absolutely cannot be replaced; or weak passwords the vendor requires to maintain a service contract. Both sides need to make the effort to understand each other’s worldview and priorities.
3. Practice bidirectional communication both prior to and during incident response.
Prior to an incident, both the IT and OT teams need to conduct security awareness training, beyond phishing campaigns. Training should teach operators what type of activity is suspicious from a cybersecurity perspective so they can better understand when a mechanical issue may be a cyber issue. Train operators to bring up issues during their daily standup or on a monthly cybersecurity call organized by corporate IT cybersecurity. The awareness campaign should co-opt the tactics from the latest SHE (Safety, Health, Environment), quality, or food/product safety campaign to help operators understand that cybersecurity is mission critical — if the plant is not secure, it’s not safe.
To properly defend and respond, the teams must build healthy channels of communication. The IT cybersecurity team must understand the OT team’s risk modeling, processes, operations and needs. The OT team holds a wealth of knowledge about system operation, areas of concern and procedures. The IT cybersecurity team can provide tools, procedures and threat intelligence to inform and equip the OT team.
4. Plan for the future together.
One of the most important exercises we undertake with clients is integrating their IT and OT incident response plans. There are points of concern that IT teams frequently don’t consider, such as quantifying and analyzing functional risk in processes. There are also areas that OT might not consider, such as industry targeting by threat actors, or cybersecurity incident triage. Both teams are needed to build a comprehensive view of what could go wrong, as well as what will be needed to protect against and detect potential causes. Operators often fill many roles, work shifts in difficult to access locations, and have unique safety and protective equipment concerns. Cybersecurity is merely one of many concerns they have to juggle during their day — and clear communication paths and processes are crucial. We spend many engagements building out cut sheets and checklists for potential cybersecurity scenarios.
In addition to incident response plans, the teams must work together to create a forensics plan for the OT environment, including how to take forensic images of different types of devices, an inventory of available logs and requirements for onsite visits. If the IT team or third-party incident response support team plan to go onsite, it may be a matter of quickly acquiring the appropriate PPE (personal protective equipment), or they may need clearance from various government entities, which can take precious time.
5. Practice together to prepare for your worst day.
The best plans are living documents — practiced often and updated with lessons learned. The IT and OT teams should practice together, working through a tabletop incident response exercise scenario that’s specific to the organization. These exercises create awareness, identify gaps, and build relationships.
The scenario must apply to your business — evading your specific controls and hitting your critical assets so you can have those critical conversations. When developing the scenario, the IT team should work with the OT team to understand what a critical impact is for them. If an industrial system is hacked into or infected with malware, it does not automatically result in an impact that operators are concerned about. If process owners’ primary concerns are bodily harm, environmental contamination or loss of production, they may determine that a compromised computer or controller could not realistically lead to these outcomes. In many operational environments, there are physical or analog safety measures (such as pressure valves), which will prevent a catastrophic outcome regardless of digital commands entered into devices. In this type of scenario, an infection or tampering might render production data invalid or force manual processes, but this poses a substantially lower risk. Understand that their bad day may not be the same as your bad day.
When things aren’t going well in a relationship, you have to ask yourself the question — is this worth fixing? In the case of IT and OT collaboration on cybersecurity, the answer is unequivocally yes. So how do you start?
Build individual relationships across both teams. At many sites, we find operators and engineers who have worked at the facility for decades and know the process and people inside and out. These are people to seek out, respect and learn from. Additionally, cybersecurity is in the news, and it’s cool! The IT cybersecurity team will find plenty of OT professionals interested in learning more about cybersecurity, or even people already heavily involved in the field. Even if they currently have misconceptions or they are working outside your corporate IT processes, guide them and help them be a part of the team. They’ll be your best allies as you work together to improve the security posture of your organization.
Register for the CrowdStrike / Dragos Webinar
Interested in learning more about protecting your IT and OT networks? Be sure to register for our joint CrowdStrike / Dragos Webinar on July 23, 2019 titled “SecOps Marriage Counseling for IT and OT Networks.”
Additional CrowdStrike Resources:
- Attend the Webinar conducted by Security Experts from CrowdStrike and Dragos: Register for the webinar here.
- Learn more about CrowdStrike Services by visiting the webpage.
- Learn more about the CrowdStrike Falcon endpoint protection platform by visiting the webpage.
- Test CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.
Additional Dragos Resources