3 OT Security Myths
There are many misconceptions and myths in operational technology (OT) security. This is a problem, because when we start from the wrong premises, we most often draw incorrect conclusions – that is how logic works. Let's look at some OT security myths and misconceptions and see how they lead us astray.
Andrew Ginter
1) Information is the asset we protect – protect the confidentiality, integrity and availability (CIA) of the information, in that order, or maybe in AIC order, or IAC, or something.
Information is the asset we protect in most IT networks. In OT networks, in contrast, we most often protect safe, reliable and efficient physical operations. Take a metro for example: safety is first – nobody wants to die on the way to work. Reliability next – the metro needs to get hundreds of thousands of people to work every day, and passengers want their trains to be on time. And then efficiency – it does no good to have the world’s safest, most reliable metro, if the population cannot afford to use it.
So what? Can we not stand on our heads and say there must be information somewhere in the metro’s automation system that we can protect? Well, we can stand on our heads, yes, a lot of people do, but why bother? 50-year-old cybersecurity theory (Bell / La Padula) teaches us how to prevent theft or leakage of important information. Many of us learned this theory in school. What we did not learn is that 2 years after Bell & La Padula came out with their theory, Biba came out with a complementary theory.
Bell / La Padula teach us how to prevent espionage – theft or leakage of important information (e.g. how to make a Nuclear Bomb – these researchers were funded by the US DoD in their day). Biba teaches us how to prevent sabotage (e.g. changing the targeting coordinates for the missiles delivering The Bomb).
Biba’s theory used exactly the same concepts and terminology as Bell / La Padula but applied the concepts differently. In Biba’s theory, information is not the asset we protect, but the threat. All cyber-sabotage is defined (mathematically) as information. The only way a targeting system or an OT control system can change from a normal state to a compromised state is if attack information enters the system – somehow. The goal with OT systems is not to “protect the information” – the CIA, or IAC, or AIC of the information. The goal is to protect control systems from information – to keep attack information from affecting critical functions, such as safe, reliable and efficient physical operations.
Get this wrong and we fixate on information as the asset, when attack information entering the system is in fact the threat we must defeat.
2) Asset inventory is one of the first steps towards OT security – we cannot protect what we don’t know we have.
Here is an example of how misinterpreting the asset bites us. If information is the asset, and we are to prevent its theft or leakage, it is vital that we know what and where that information is. We cannot prevent theft or leakage of information if (a) we do not know it exists or (b) we do not know where it is. An asset / information inventory is therefore one of the very first steps we must carry out if we are to design mechanisms to protect our information assets.
Biba, however, teaches us that information is the threat. This means that one of the very first things we must do is not inventory where our information lives, but rather inventory all of the ways attack information can reach our vulnerable OT systems. We need an inventory of data flows, most importantly those data flows that enter our OT systems from the “outside” – from potentially compromised sources. Understanding our perimeter and data flows that cross the perimeter is much more important than enumerating all of the countless “information assets” inside that perimeter.
Technical note: these perimeter-crossing data flows can be online or offline. Offline means the attack information lives in physical media, like USB thumb drives, laptops, or new computers arriving from our suppliers. We physically carry offline information into contact with our OT systems. Online information is more ephemeral – it is communicated into our systems with the movement of electrons, photons, electric or magnetic fields, or even sound waves – vibrations and quantum “things” rather than the movement of macroscopic physical objects.
Yes, eventually we will probably also benefit from an inventory of computer & information assets, but for most of us, our first priority is to prevent or control the movement of attack information into our systems – not protect that information, for example by encrypting that attack information.
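The two ideas above – Biba's rule that information may only flow from a more-trusted to a less-trusted zone, and the inventory of data flows that cross the OT perimeter – fit together in a few lines of code. The following is an added example, not code from the original post or from the author; the zone names, integrity levels, channels and the sample inventory are all constructed for illustration. It goes slightly beyond the text by ranking the offending flows by how far "down" their source sits relative to the system they reach, which is one reasonable way to decide where perimeter controls should go first.

```python
"""Biba strict-integrity check applied to an OT data-flow inventory.

Added example. Zone names, integrity levels and flows are constructed.
A data flow from zone A to zone B is treated as A "writing" into B;
Biba's integrity *-property permits that write only when the integrity
of A is at least the integrity of B. A flow that breaks the rule is a
path by which attack information can reach a more-trusted system.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Constructed integrity levels: higher number = more trusted.
INTEGRITY = {
    "internet": 0,
    "corporate_it": 1,
    "ot_dmz": 2,
    "plant_control": 3,
    "safety_system": 4,
}


@dataclass(frozen=True)
class Flow:
    source: str            # zone that originates the data
    dest: str              # zone that receives, and may act on, the data
    channel: str           # constructed description of the path
    medium: str = "online" # "online" (network) or "offline" (carried media)


def biba_allows(flow: Flow) -> bool:
    """Integrity *-property: data may flow from A to B only if I(A) >= I(B)."""
    return INTEGRITY[flow.source] >= INTEGRITY[flow.dest]


def integrity_gap(flow: Flow) -> int:
    """How many levels 'up' the flow climbs; positive means a Biba violation."""
    return INTEGRITY[flow.dest] - INTEGRITY[flow.source]


def prioritise_flows(flows: Iterable[Flow]) -> List[Flow]:
    """Return the perimeter-crossing flows that violate Biba's rule,
    largest integrity gap first, then higher-integrity destination first."""
    violations = [f for f in flows if not biba_allows(f)]
    return sorted(
        violations,
        key=lambda f: (integrity_gap(f), INTEGRITY[f.dest]),
        reverse=True,
    )


# Constructed sample inventory of flows crossing the OT perimeter.
SAMPLE_FLOWS = [
    Flow("plant_control", "corporate_it", "historian replication"),
    Flow("safety_system", "plant_control", "hardwired status signals"),
    Flow("corporate_it", "plant_control", "remote desktop to engineering station"),
    Flow("internet", "safety_system", "vendor firmware on USB stick", medium="offline"),
    Flow("ot_dmz", "plant_control", "jump host to Modbus gateway"),
    Flow("corporate_it", "ot_dmz", "patch server push"),
]


if __name__ == "__main__":
    for f in prioritise_flows(SAMPLE_FLOWS):
        print(f"gap={integrity_gap(f)} {f.medium:7} {f.source} -> {f.dest}: {f.channel}")
```

Flows in the "allowed" direction (plant_control to corporate_it, safety_system to plant_control) are not threats to OT integrity under this model and do not appear in the ranking; the offline USB path from an untrusted source to the safety system lands at the top, which is the point of the technical note above: offline media count as perimeter-crossing flows too.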
3) If only we could wave a magic wand and patch everything and zero-trust everything, just like we do our IT networks, then our OT networks would be “secure.”
In most OT networks, the worst credible consequences of compromise are completely unacceptable: things blow up and people die. Or long-lead-time physical equipment is destroyed, and production / infrastructure is down for months or years, not hours or days. In most IT networks, the worst credible consequences are undesirable, and sometimes material, but will not put us out of business. This is the essential difference between most IT and OT networks: we cannot “restore” human lives nor damaged equipment from backups.
This means that even if we could wave our magic wand and secure OT networks exactly as we secure our IT networks, then our OT security program would still be woefully inadequate. The worst credible consequences (credible = reasonable to expect) define the required strength of our security program. When consequences are unacceptable, we need to protect our OT networks much more thoroughly than we protect our IT networks. Our postulated “magic wand” is not nearly enough.
Summing Up
Don’t get me wrong – I’m not saying information is never an asset (robotic programs in discrete manufacturing can be very valuable), nor that asset inventory is useless, nor that IT-style security mechanisms, where we can manage to apply them in OT, are pointless. What we’re talking about here is priorities. If we apply the world’s very best “protect the information assets” IT security program to OT systems, we might, accidentally, prevent material sabotage of physical operations. And we’ll probably spend an enormous amount of money doing that.
Moreover, no security program is complete until it has all the pillars of the NIST CSF: govern, identify, protect, detect, respond and recover. I’m not saying to ignore any of those pillars. To one extent or another, we most often need to “do it all,” but in which order, and where should the funding / implementation priorities lie?
What I am saying is that if we understand our priorities and constraints more accurately, then we can do a much more effective job of all of the above, for far less money.