New Resource: Adapting IT Advice for OT | Episode 129
The CIS Top 18 is widely used in IT, and Jack Bliss of 1898 & Co. has adapted that list for OT/industrial, adding a lot of industrial context and lists of related OT-centric tools and technology.
Waterfall team
“…Cyber Tool Framework is the OT/ICS version of CIS TOP-18.”
About Jack Bliss and 1898 & Co.
Jack Bliss is a motivated cybersecurity consultant who enjoys working with others to achieve common goals. He has experience with secure network architecture, risk mitigation, network/system hardening, cybersecurity assessments, and network configuration, with an emphasis on the NIST Cybersecurity Framework, the ISA/IEC 62443 standards, and other best practices. He is constantly embracing new challenges and ways to make clients more successful.
1898 & Co. is a global business, technology and security consultancy serving critical infrastructure industries. We partner with clients to plan, secure and optimize their business. As part of Burns & McDonnell and our 120 years of industry experience, we understand the complexity of your asset-intensive business model, the trends impacting your industry, and the need to ground big ideas in operational realities.
Transcript of this podcast episode #129:
New Resource: Adapting IT Advice for OT
Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.
Nathaniel Nelson
Welcome everyone to the Industrial Security Podcast. My name is Nate Nelson. I’m here with Andrew Ginter, the Vice President of Industrial Security at Waterfall Security Solutions, who’s going to introduce the subject and guest of our show today. Andrew, how are you?
Andrew Ginter
I’m very well, thank you Nate. Our guest today is Jack Bliss. He is an industrial cybersecurity consultant at 1898 & Co., and he’s just published a Cyber Tool Framework. This is an adaptation of the CIS, the Center for Internet Security’s, well-known Top 18 Critical Security Controls. So he’s adapted the CIS Top 18 to the needs of OT and industrial sites based on his field notes from working in the space for a number of years, capturing his best practices. So this is what we’re going to be discussing, his contribution to the field here.
Nathaniel Nelson
All right, then let’s get into it.
Andrew Ginter
Hello Jack and welcome to the podcast. Before we get started, can I ask you to say a few words about yourself and about your background and about the good work that you’re doing at 1898 & Co.?
Jack Bliss
Yeah, thanks for having me, Andrew. My name is Jack Bliss, and I’m an industrial cybersecurity consultant with 1898 & Co. My cybersecurity career started in 2016, junior year of high school, when I joined a competition called CyberPatriot, which is a nationwide computer networking and system hardening competition. In that year, we actually won nationals, making us the first team in Missouri to do so. In college, I worked as a computer networking consultant for IT organizations. And finally, for the past five years, I’ve been at 1898 & Co. working as an industrial cybersecurity consultant, which has been an interesting journey. I think my mom had a certain sense of security that I would be typing away in a cubicle, but after just a couple of years in the job I was off to get underwater helicopter safety training, which is required to go out to oil rigs. But yeah, when I started we were a team of eight, and now we’re a team of 80, so growing like crazy. And I couldn’t be more grateful to work for such an amazing organization in such an impactful role. The experience I’ve gained during this time, learning from some really great mentors and colleagues, has been invaluable.
Andrew Ginter
Nate, we don’t usually comment this early in the episode, but Jack mentioned the offshore training and sort of the difference between a desktop and what you do on the OT side. I’ve never done the training, but I’ve heard about it. And it’s something else. If you physically want to travel out to an offshore platform in, let’s say, the Gulf of Mexico or the North Sea, I’ve never done it, but I’m told that, yeah, there’s a bunch of classroom training. And then the test is they put you in your life jacket and your whatever into a dummy helicopter, a helicopter cabin. And they physically put a dummy beside you, set up the same way you are. And they have a crane drop you into a swimming pool full of ice cold water.
Your job is to get out of the helicopter and get back to the surface with your partner, the dummy, who has been rendered unconscious by the fall. If you do it, you pass and you can go out to the platform. If they have to send the divers after you to save your life, you fail. Go do the training again. So, yeah, you know, people imagine cybersecurity is a desk job. Sometimes it’s not.
Andrew Ginter
And our topic today is the Cyber Tool Framework. This is something that you put together. It’s available at cybertoolframework.com. Can you tell us what is it? Where did it come from? Sort of, what’s the genesis of this thing?
Jack Bliss
Yeah, so in one sentence, Cyber Tool Framework is the OT or ICS version of CIS Top 18. So it takes the CIS Top 18, which is an IT-focused framework but is easily digestible compared to other frameworks and standards such as NIST, ISO, or 62443, and aligns those 18 controls, or really requirements, to OT cyber tools and practical insights. Being more digestible, this better speaks to small or medium-sized critical infrastructure organizations.
Jack Bliss
So the structure is as follows. With the top 18 requirements in column 1, matched to cybersecurity tools in column 2, including OT-specific options where applicable, and complemented by field notes and best practices in column 3.
Throughout, I emphasize meeting these controls across three levels, people, processes, and technology, while reflecting real-world scenarios. There is maturity referenced in some of the recommended controls. So if you’re a small organization, start with X. If you’re a more mature organization, you should aim to hit this threshold, et cetera. Free tools are also provided for each requirement, catering to organizations looking to bootstrap their cybersecurity efforts.
The idea for Cyber Tool Framework came from the fulfillment in consulting. In consulting, we get to work with a broad range of clients in different maturity stages and help them be successful. And so Cyber Tool Framework is really an extension of that. It’s a resource that can reach a bigger audience and make a bigger impact than myself individually. So Cyber Tool Framework helps to address the growing need for OT cybersecurity education and enablement, particularly among organizations in the early stages of developing their cybersecurity programs. It aims to empower these organizations and practitioners to make informed decisions and cut through the noise of shiny marketing white papers.
I strongly believe that education and enablement, outside of furthering regulation or mandating secure cyber design, is one of the big pushes that can improve our overall cyber resilience across critical infrastructure, helping organizations and people make the right decisions at the right time, and utilizing what they already have, i.e., working smarter, not harder. And at the core of this is knowing what you have, knowing how it functions or communicates, understanding what systems or risks cause the worst case scenario, and then going through a risk reduction process like 62443-3-2, PHA or CCE that reduces risk to an acceptable level.
As you select these mitigating controls to get to an acceptable level, Cyber Tool Framework could be one of the many resources to help organizations or practitioners navigate that landscape.
Andrew Ginter
Okay. But let me ask you to back up a bit. You’ve used a lot of terminology here. I don’t have outstanding statistics on who listens to this podcast other than we get about 3000 downloads per episode. But anecdotally, just talking to people at events and whatnot, the sense I get is that maybe one third, give or take, of our audience here is engineers who are coming into cybersecurity responsibilities and have to come up to speed on cybersecurity issues and approaches. And roughly one third, give or take, is IT people who have become responsible, or are becoming or are interested in becoming responsible, for OT security and have to come up to speed on OT issues and OT mitigations, and one third is other. But to those two audiences, someone coming from IT, someone coming from engineering, let me ask you, can you explain, for the people coming from the engineering side of things who may not have heard of the CIS Top 18, what is the CIS Top 18? Before we talk about how you adapted it, what is it? And for the other sort of third who are coming from IT who might know the CIS Top 18 cold, first tell us what is the CIS Top 18 and then can I ask you, why does it need to be adapted for OT?
Jack Bliss
Yeah, that’s an amazing question. In security, there are different types of security frameworks.
Jack Bliss
There are control-based frameworks such as COBIT, ISO 27002, CIS. There are risk-based frameworks like NIST CSF, or standards such as 62443-3-2. There are threat intelligence-based frameworks like MITRE, etc. CIS Top 18 is a control-based framework created by the Center for Internet Security, the same organization that maintains the CIS Benchmarks, which are very popular for system hardening.
Jack Bliss
Control-based frameworks give it to you straight. There’s no high-level process flowchart or models or hundreds of pages of reading material to follow. They are fairly prescriptive, requirement-based frameworks that list out the what and roughly the how, and in the case of CIS Top 18, it lists out the top 18 things organizations should accomplish from a cybersecurity perspective. Again, straight to the point, it’s one PDF that’s 54 pages, so it’s really digestible. Now, as I mentioned, and as you’ve sort of alluded to there, it’s tailored to IT environments. So OT-specific controls and guidance are missed, but the CIS Top 18 creates a great foundation for OT cybersecurity and tools, as well as guidance, to be aligned to.
Andrew Ginter
So that makes sense sort of from the engineering perspective. What is the CIS 18? Why is it important? How does it differ from other documents in the space? Can you address the IT audience? IT people coming into the OT space, in my experience, often the first question they ask is, why not just use everything I know already? I already know the CIS Top 18, apply it. Why do they need, in a sense, application notes for OT? Why not just apply it?
Jack Bliss
Yeah, so there’s a different methodology in how the CIS Top 18, or Cyber Tool Framework in this example, would be applied. In IT, it may be reasonably feasible to blanketly apply these 18 controls. And you would do so in a risk-based approach. However, in OT, there are different tools that IT doesn’t have. There are many different IDS solutions such as Claroty and Dragos, but there’s also a different risk-based approach in OT that doesn’t exist in IT. We’re talking about systems that have different security capabilities, and we’re talking about systems and environments that have different goals, and those goals are safety and availability first and security second. So you can’t just take the top 18 and start to address them sequentially one through 18. You have to go first through a thorough risk-based process and address them in that sort of methodology. And so all those lessons learned, the risk-based methodology, as well as how you can apply these 18 controls in an OT environment and for OT organizations, are outlined on the Cyber Tool Framework website.
Nathaniel Nelson
Andrew, everything that Jack is talking about thus far makes perfect sense to me. But it strikes me that this top 18 and his specific Cyber Tool Framework is yet another framework. In years of doing this podcast, we’ve discussed so many. He mentioned a few of them in his answer there. I need a framework for frameworks here. When should I be focusing on what, and how do these all fit together?
Andrew Ginter
Good question. So let’s pick it apart. What is a framework? A framework is a fancy word for a checklist. Okay, a framework is not a standard that says you must do X, you must do Y, you can do Z.
Andrew Ginter
A framework is not a regulation that says you must do X, Y and Z or you’ll be fined. A framework is a checklist saying, have you thought about your wireless? Have you thought about antivirus? And so when you look at the frameworks out there, the checklists out there, which of them should you use? Well, you’re going to use most of them eventually. The question in my mind is, where do you start? Do you start with the NIST Cybersecurity Framework? Well, you read the framework, and what I got the first time I read the NIST Cybersecurity Framework was the five pillars, now six pillars, six sort of big picture things you have to think about. And then when you get into the individual specifics, they refer you to other standards. Oh, so it really is very high level, very abstract, and it’s a bit hard to use because you have to keep flipping to these other standards. And let me say as well, IEC 62443 is a standard, not a framework. You can use it as a framework if you want. You can go through every security control that 62443 recommends in, let’s say, the 3-3 standard. You can go through every one of them and say, should I use this? Where would I use this? But it’s a lot to go through. The value that the CIS Top 18 brings is they give you what the experts who developed the framework consider the 18 security controls to consider. They don’t say you have to use them. They say you should think about them. That’s why it’s a framework, not a standard. And they say these are the ones that in our experience tend to be the most valuable.
If you’re just getting started, what’s the first thing you should do once you start thinking about security controls? Hit the top 18. Go through them. And once you’ve kind of wrapped your head around them and sort of the high value stuff you’ve got to do, you can take the next step and become more comprehensive. So this is it. A framework’s a checklist. And here’s a checklist to get you started. You’ll keep it in your pocket as you become more experienced, as your system becomes more mature. But if you’re a consultant going into one site after another starting from zero, you might wind up using it more often than not.
** Commercial Break with OT Security Message **
This portion of the podcast episode has a musical segue that breaks off to discuss a common OT security conundrum: an IT-style solution, such as setting an impossibly long password to keep a pressurized boiler from being compromised, is applied where an engineering solution would make more sense, such as fitting that boiler with a pressure relief valve that vents excess pressure if the control system is ever hacked, rather than relying on password strength to prevent a life-threatening failure, not to mention a threat to the industrial operation.
**We now get back to the Industrial Security Podcast**
Andrew Ginter
Okay, so you’ve taken this sort of very popular, almost standard document in the IT space. You’ve applied it to the OT space. One of the things you did was you added a whole column on tools. And I’ve looked through the document. For anyone who hasn’t looked at it yet, each row, each column of tools is not one or two tools. You’ve got dozens listed for each of these security controls in some of these rows. On the other hand, if I look at the next column over, sort of the industry application, you almost don’t mention the tools in the industry applications. That seems to be a different topic. The title of the document is cybersecurity tools. Can you talk about tools? What’s important about tools? How do we use that column of tools there?
Jack Bliss
Yeah, so the tools in version one, or the MVP, minimum viable product, stage of Cyber Tool Framework just have the tools listed in alphabetical order, and that’s to get rid of any bias. And so later, in a version two, we could potentially start to organize those tools based on certain common criteria.
But you’ll notice there are paid tools as well as free tools for each of the controls. And so the difference between OT and IT tools can really be seen looking at something like network monitoring and defense. In network monitoring and defense, data diodes are really prevalent and a strong mitigating control on the network side. You also have, of course, just like IT, next-gen firewalls like Cisco Firepower, FortiGate, Palo Alto, but in the third column there, the field notes and best practices considerations, I reference that FortiGate is oftentimes a really popular firewall in the OT space because of the number of OT protocols that it understands in its IPS. And so there’s nuance to some of these controls and tools that are referenced that are specific to OT and not to IT. Continuous vulnerability management is another one, and that’s sort of synergistic with asset inventory, where tools like Claroty, Dragos, Industrial Defender, Forescout, these are tools that help with asset management, vulnerability management, and also act as an IDS in these critical infrastructure organizations. Again, tools entirely unique to the OT space, and their implementation is unique as well. So there are some examples there of the different tooling that exists in the platform and how that differs from IT to OT.
Andrew Ginter
OK, thank you. And again, having looked through the document, the tools column, I was struck by what you added there. I was also struck by what you did not add. I mean, you mentioned in your introduction, you mentioned safety and protecting equipment and environmental safety as priorities for physical processes that are being automated by control systems. But you did not mention that in the document. I don’t see a row, a section on safety in the document. On the other hand, in the CIS 18, there’s a whole section on protecting web browsers and protecting email systems and teaching people not to click on links, which seems irrelevant to the OT space because in OT networks, nobody can route packets to their email server. So it seems to me that there’s still something missing here.
Jack Bliss
Right, agreed. So version one was strictly tied to the CIS Top 18 to make it recognizable. As you mentioned, there’s certainly room to add requirements to make it more OT-centric. Safety would certainly be something added to a version two, supply chain security, even secure control network and system design, legacy system security, which is a huge pain point that comes up in almost every assessment. For all of these organizations, due to the system lifecycle time, the cost to replace a system under an OEM support contract is insanely expensive. So replacing legacy systems isn’t always an option. How do we live with these legacy systems? Maybe even assessment methodology. Some of the assessment methodology is described under Control 18, which is penetration testing, where I describe how in OT the approach is different than a penetration test in IT. But it’s really important that organizations looking to hire third parties know what criteria to look for so that they get their expectations met. And even other controls like physical security could be one that’s added. So there’s certainly room to grow these out. And I’m sure you’re well aware that there’s a Top 20 Secure PLC Coding Practices resource or standard out there. We actually have consultants on our team that contributed to that. So maybe down the road, Cyber Tool Framework morphs into something similar, its own standalone resource or standard.
Andrew Ginter
Okay. That makes sense. So let’s come back to the existing document. Can you give us a couple of examples? In a sense, what are sort of the most striking examples in your mind of IT versus OT differences in applying the CIS 18? What are some of the key takeaways for one or two of your rows? Can you give us some examples as to the value people get from looking up the document and reading through it?
Jack Bliss
Absolutely. Yeah. So taking vulnerability management as an example, there seems to be a big push or emphasis on CVE-based vulnerability management in OT without any additional context. This is evident in the branding of tools that are sold, the marketing white papers you see floating around on LinkedIn, and as we go about our day-to-day consulting: buy our tool and go chase your tail trying to remediate these CVEs.
The CVE sentiment is that we loosely mirror the approach of IT. However, in IT, everything is tied to Tenable. Everything is kept up to date using WSUS and system refreshes that occur every three to five years. That’s a different landscape in OT, and that approach just won’t work. This is due to several reasons. The extended life cycle, a 15- or 20-year life cycle, means that many OT environments operate with outdated hardware and software that can’t easily be patched or upgraded. So naturally, version-based CVEs can’t be widely addressed, and security measures must therefore be tailored to these constraints. You’d probably be better off focusing on other mitigating controls such as network segmentation or allow listing, as an example. However, getting back to CVEs, even running agent-based scans like Tenable in combination with other solutions like AD and WSUS could, in some cases, introduce additional cyber fragility into the environment that could affect the overall availability of the process. So there’s a balance to this. The systems may not be able to support Tenable, AD or WSUS. Think obsolete operating systems, Windows CE, or industrial control systems. And finally, frequently, our security teams double as engineers. Take a small utility. We’ve worked with plenty where network or system admins who are wearing the cybersecurity hat have limited time, knowledge, and resources. And so all of these real-world scenarios shape why our approach to CVEs has to be different.
To fix version-based CVEs, patching will help in some cases, but in others, a system refresh is required as the system itself is too old. And both of those, patching or replacing the system, could require OEM approval. And when approved by the OEM, upgrades can be prohibitively expensive. For many OT organizations, upon analyzing their cyber ALE, which is Annualized Loss Expectancy, i.e., how much cyber risk they’re exposed to on an annual basis, this cost isn’t justified.
You wouldn’t want to spend more than your ALE on cyber to address that risk. And so you could spend several hundreds of thousands, if not millions, of dollars conducting widespread patching and system refreshes. Just one of your many system vendors alone could charge a couple hundred thousand dollars to upgrade a few of their systems, when your organizational cyber ALE could be less than that as a whole. Therefore, the cost just doesn’t make sense a lot of the time. You’re spending more than your cyber risk warrants. So you can see the vast difference between IT and OT. What’s one approach to effective vulnerability management in OT? First, we focus on security measures that reduce our risk. And these oftentimes may not be related to CVEs, but they’re important to point out. These are related to reducing catastrophic risk scenarios: safety system segmentation, secure network design, application whitelisting, et cetera.
But getting back to CVEs, we can prioritize high-risk systems where we may get a great ROI for replacing these legacy systems. Because sometimes replacing these legacy systems isn’t just about security, it’s the added benefit of increased availability. And so naturally, by doing this, we will then greatly improve our CVE ticker, so to speak. And then next, organizations need to prioritize CVEs that are being exploited in the wild, starting with high-risk systems and working their way down.
These could be version-based or configuration-based CVEs, but now we’ve sort of narrowed down the CVEs to a number that is more approachable by the organization, and we’re remediating CVEs that will address real risk, hopefully without spending more than the organization’s ALE. So, vulnerability tools, vendors, they won’t provide this context. It’s about addressing CVEs within the organizational constraints and within the OT restraints that exist in the real world. But all of that type of context or guidance is offered by Cyber Tool Framework.
Andrew Ginter
So let me add something here, Nate. As someone who’s worked in the field for, god, it’s 40 years now, and pretty much all of my career representing vendors, you know, let me speak up sort of in defense of vendors. Jack has indicated that, yes, and he’s right, patching, sort of what he calls the common vulnerability exposure, the CVE approach, patching security updates, can be very expensive. Having, you know, industrial vendors approve these updates, or even test and deploy these updates, is very expensive. In my experience, it’s not because the vendors are gouging the owners and operators, it’s because of the different way that you evaluate risk in industrial networks. And Jack mentioned this. The buzzword he did not mention is engineering change control. Here’s the thing. Every change to a safety critical system, every change to a critical infrastructure, risks messing something up. You risk making a mistake. If you make a mistake in a safety system, it’s possible that people die.
Andrew Ginter
If you make a mistake in a reliability critical system, it’s possible that you have unplanned shutdowns of your critical infrastructure. And so, before engineers, and we’ve discussed this many times, before engineers patch anything, before they make any change in a system, they study the change. They test the change. This engineering study and this engineering testing is a very expensive process. It doesn’t matter if the people at site do it or the vendors do it and you buy the tested components from the vendors. Someone has to do it. It’s a very expensive process because the consequences of making a mistake are unacceptable. And so this is why patching is expensive. This is why you have to do it differently. This is why all these compensating measures are so much more important in the OT space than the IT space. His framework got it right. He’s got the compensating measures in there that you have to evaluate. He maybe was a little bit soft on the why, but that’s feedback for Jack that we can provide for future versions.
Andrew Ginter
So thanks for that. Can we talk as well? You talked about consequences and brownfield systems, legacy devices. Can we talk about, I don’t know, call it applicability. A small shoe factory is a very different animal to secure than a high speed passenger rail switching system. Do you mention this in this version of the document? Is sort of the difference between the different sort of consequentiality, if that’s a word, is that sort of taken into account?
Jack Bliss
Yeah, great question. This really ties back to ALE, which we just discussed. These organizations, depending on their sector or their size, have different annualized loss expectancy. And so you don’t want to spend more on cybersecurity to remediate risk than your ALE. And in a version two, I think it would be interesting to sort of create a baseline of controls for different sizes of organizations.
If you’re a small organization, you should aim to do these three things. If you’re a medium-sized organization, you should aim to do these five things. I think something like that would make Cyber Tool Framework that much more actionable. But no matter what size of organization you are or what sector you’re in, when you’re using a tool like Cyber Tool Framework, the first step should be conducting a thorough risk assessment to identify the most effective mitigating controls. So let’s suppose this risk assessment determines network monitoring and defense as a priority. The organization already knows what they have. They documented data flows. They determined that there’s too much bleed-over from IT to OT. Maybe a DMZ makes sense. The network infrastructure itself isn’t hardened. We aren’t using centralized authentication like RADIUS. We’re still using SNMP version 1, et cetera. So the organization would then reference Cyber Tool Framework to understand how to implement this requirement comprehensively, addressing this requirement from a people, processes, and technology standpoint. The governance driven by the people defines the organization’s risk appetite, standards, and budget, which then in turn influences the selection of technology. And then these processes guide how the chosen technology is implemented and maintained. So this integrated approach is how Cyber Tool Framework is used effectively, not as a rigid checklist, but as a flexible reference resource to help organizations address specific risks.
The Cyber Tool Framework preface emphasizes that the 18 requirements aren’t meant to be addressed sequentially from 1 to 18. Instead, it should be based on risk. So risk really answers how these controls are ranked or applied. However, risk aside, yes, there is a sort of natural ranking. In my opinion, I would follow the NIST CSF identify, protect, detect, respond, recover functions in order. Requirements like inventory and control of hardware and software assets would likely be first. Knowing what you have is a good foundation for you to now address other requirements like secure configuration of enterprise assets and software, which would fall under the protect function. And then of course, under each of these requirements, I do discuss maturity loosely. But again, I think this could be further built out. For example, looking at network monitoring and defense, a small organization may aim to establish IT and OT segmentation best practices, like a DMZ, VLAN segmentation, and have their configurations and rules audited by a third party or SAS, where medium to large organizations that may have a higher risk profile should aim a little bit higher, such as sending firewall logs to a SIEM or using something like a data diode, having analysts or an MSS analyze these logs continually, deploying an IDS in the DMZ and then subsequently in other network zones.
And then using things like active defense measures, like honeypots, maybe something like Thinkst Canary. So future enhancements to Cyber Tool Framework will include, like I mentioned, more detailed baselines that tie organizational size to these reference controls, but this is still a work in progress.
Andrew Ginter
Okay, so that makes sense. If I might switch gears, let me ask you a hard marketing question. It’s great, it’s tremendous that you’re out there creating this knowledge, but bluntly, for those of us who write things down, create knowledge, that’s of limited use if nobody ever reads it. How do you get the word out? How do you let people know that this resource exists?
Jack Bliss
Another great point. Right now we have analytics on Cyber Tool Framework. So last month around 100 people were using the platform. So there's a natural progression and growth there. But down the road, the aim is to have Cyber Tool Framework be integrated with other solutions that I believe could add a lot of value to the community, again, particularly in the education and enablement of OT security. This will enhance the overall impact of these resources being unified and give it more weight, if you will. But, you know, 1898 keeps me pretty busy, so I don't plan to embark on a major marketing tour for the time being. However, there is that old marketing saying that a great product is free marketing, and so as I enjoy putting these resources together, I truly hope that they help other people and organizations navigate the OT security landscape. And, you know, right now, I'm content with that.
Andrew Ginter
Cool. So can I ask you, looking forward, you've talked about a version two a couple of times and what might be in there. You know, we've talked about getting the word out. I mean, I don't know if there are other podcasts you could consider. I would recommend you and any of the listeners go on your cell phone to the Beer ISAC podcast. It's not really a podcast, it's a list of other podcasts. Every Industrial Security Podcast that I've produced is in that list, but it's a list of other useful content out there in the podcast space and who puts it out. So can you talk about the future? What is the gleam in your eye for version two, and how are you going to get the word out for it?
Jack Bliss
Right. I definitely feel Cyber Tool Framework deserves a version two where we first introduce ICS-specific controls, as you mentioned: safety system segmentation, secure control network and system design, legacy system security assessment methodology, et cetera. Second, we could loosely rank the requirements on a maturity scale, and then within each requirement, we could create baseline or sub-requirements that align to organizational size. We discussed this earlier, but I think this would make this resource more actionable and tailored. So if you're a small organization, you should be able to meet this threshold. If you're a medium-sized organization, there's a higher threshold for you, and so on and so forth. Finally, maybe there's a methodology for ranking the cyber tools themselves.
Right now, all the tools are alphabetical to keep any bias out. But down the road, it would be interesting to rank them based upon some sort of common criteria. But before or maybe after version two, as I mentioned, I want to look to implement other resource ideas and sort of combine them and do a rebranding to Control Shield, which I think is a sexier name than Cyber Tool Framework. But for now, I'm just having fun. I'm learning and organizing my thoughts as I put these resources together, growing as a consultant, and hopefully giving back.
Nathaniel Nelson
Andrew, I think I know even less about marketing than about industrial cybersecurity. So where do you start when you’re thinking about how to get the word out?
Andrew Ginter
You know, I get questions like this on a regular basis. We do a lot of face-to-face events. People come up. I'm very active in this space. I write a lot of articles. I've written three books. I didn't start by writing a book. I started by writing a blog. I started by writing little articles. Today, what I recommend is put the articles on LinkedIn. Do an article on OT security every couple of weeks. Get your buddies to comment on the article. That raises the profile of the article. Develop a following. Use that following when you produce your first big piece, like a 50-page framework, and post it somewhere. Get your buddies to diligently amplify, comment on, and like your big announcements. That's sort of if you're on your own. If you're working for somebody, do a couple of articles and show them to your marketing team. It's their job to do marketing. You know, more than half the time they're likely to come back to you and say, this is good stuff. We want to promote this stuff, and they will work with you to put it on the corporate blog or amplify it on LinkedIn or whatnot. More fundamentally, the question is, what do you write about? Jack here is someone who came from IT, so had some background, and has spent five years in the OT space, and what's he writing about?
Well, he doesn't have 30 years in the OT space like I do and isn't writing textbooks. He's writing about what he's learning. He's developed a checklist of knowledge and tips and tools that he uses in his everyday work. This is information he's assembled because he needed it. Well, frankly, if he needed it, other people are going to need it too, especially other people coming through the same sort of learning chain as he did, coming from IT into OT. And so whatever learning chain you're coming from, you're learning stuff. As you learn stuff, whatever you find interesting in the stuff that you learned that week or two weeks, that's worth writing about, because if it was useful to you, it's going to be useful to someone else. That's how you get started. And then once you've got sort of a history of writing and a theme that you've developed, you can think about next steps and larger assets. But by all means, do get started.
Andrew Ginter
Well, this has been great. Thank you, Jack, for joining us. Before we let you go, can you sum up for us, you know, what are the main points that we should take away from your Cyber Tool Framework?
Jack Bliss
Yeah, in relation to Cyber Tool Framework, it's really in its MVP or minimum viable product stage. It's currently about 40 pages of total content, and there's certainly more detail to add. I have some of this documented for 2024 edits, and other version 2 edits that we talked about, Andrew, in this episode. I hope that in its current form, it helps those trying to navigate this nuanced space that is OT security. Those IT folks that are familiar with CIS Top 18 will be very familiar, and there'll be OT-centric guidance for how you adopt CIS Top 18 for OT. And for OT engineers or practitioners that are aiming to digest more of the IT-centric information, CIS Top 18 is a very digestible framework. So, again, I hope that a resource like this helps to navigate the OT security landscape. If I may, I'll give a quick overall elevator pitch to organizations out there. Keep it simple, document your assets in parallel, and more importantly, document the connectivity, both physical and logical. You can manually cable trace, you can use protocols like CDP, LDP, SNMP, even MAC address tables, and run packet captures at various segments of your network to start to develop this high-level diagram. It doesn't have to show every device in a color-coordinated Visio, but get a good understanding of your environment. If you can achieve these things, you're ahead of 75% of organizations at your level. Now, look at this documented environment and break it down into zones: one for IT, one for the IT/OT DMZ if you have one, one for the OT or process network, one for each Wi-Fi zone and each system zone. Start there and now begin a risk assessment approach to identify what can cause a catastrophe in each of these zones.
Focus on those risks and finally break down your mitigating controls into two categories, cyber-based and non-cyber-based. What barriers can you put in place to prevent this catastrophe from both pools? Now, if you get to this level, you deserve a trophy. But finally, a shameless plug for 1898 & Co. At 1898 & Co., we help organizations throughout the security lifecycle from governance to technology. We assist clients in starting and improving their cybersecurity programs, from the inception of materializing funding, writing policies and procedures, implementing technology, and conducting continuous assessments: vulnerability, risk, and pen testing.
We also, of course, do advising and recently finished our MSS or SOC based in Houston. So if you'd like to learn more or give me feedback on Cyber Tool Framework, that's cybertoolframework.com. You can leave feedback directly on the site or you can find me on LinkedIn at Jack Bliss.
Nathaniel Nelson
So that just about does it, Andrew, for your interview with Jack Bliss. Do you have any final thoughts that you might want to take us out with today?
Andrew Ginter
The resource here is a great resource. If you want to find it, it is on the web, Cyber Tool Framework, no spaces, no dashes, cybertoolframework.com. The framework is short, it's sweet, it's usable, it connects the worlds of IT and OT. It's a great place to get started with concepts that lead into more advanced risk management and other advanced OT topics. And I think it's great that Jack is doing this. I wish more people would write down what they're learning, write down the knowledge that they use every day, for other people to come up to speed and take advantage of it.
Nathaniel Nelson
Well, thanks to Jack for sharing his knowledge with us. And Andrew, thank you as always for speaking with me.
Andrew Ginter
It’s always a pleasure. Thank you, Nate.
Nathaniel Nelson
This has been the Industrial Security Podcast from Waterfall. Thank you to everybody out there listening.