The Claroty Blog

OT/ICS News Roundup: Week Ending 5.4.18

Patrick McBride

Here are a few stories that turned our heads in Operational Technology (OT)/ Industrial Control Systems (ICS) security over the past week:

POWER: Looking to the Cloud for Energy and Power Sector Security

A cloud security platform can provide utility companies with the necessary security controls to protect from malware attacks, while minimizing additional staffing requirements. Threat intel curated by the cloud security vendor and continuously updated through the platform reduces the strain on utility security personnel. Additionally, cloud delivery can ensure a single point of visibility into threat activity across any of the network segments.

Power plants and other industrial utility companies are realizing that connecting previously air-gapped industrial environments to the internet is accompanied by automation efficiencies and productivity improvements, and they are also becoming keenly aware of the vulnerability of the ICSs that control these environments. As hackers advance their methods, power plants and other utilities face challenges in implementing a set of security controls that are effective against sophisticated malware attacks. CISOs can add cloud-based security offerings to augment the security of NERC-CIP standards and provide analysts with a complete look at security events. As standards evolve, they should provide clarity on the use of cloud-based security in these environments.

Our Take:

Adoption of cloud for ICS will be slower than we saw in IT for several reasons, not just standards. Cloud architecture can obviously provide a very efficient and scalable platform for SIEM and other security analytics tools, and future OT security tools will almost certainly move in that direction. It’s also important to remember that NERC-CIP standards shouldn’t prescribe technology; they should define outcomes. In other words, the focus should be on the what, not the how. Over the last year, we’re seeing indications that they are finally heading that way.


Manufacturing Business Technology: The Industrial IoT: What Your Organization Needs To Succeed

The IIoT represents great change and great opportunity. However, many manufacturers are not sure how to identify which skill sets or certifications their employees need. As a result, almost one-third of major global corporations reported they face an IIoT skills gap. Over half of these organizations also said they need new technical skills. Forty-one percent indicated better data integration and analytics capabilities were needed, and thirty-three percent highlighted the ability to rethink business models.

IT and OT professionals must know IIoT standards along with machine protocols to secure the IIoT. It’s also important that they know how to manage existing control systems, which weren’t originally designed to be connected to enterprise networks but are now in the connected factory.

To make up for the IIoT security talent shortfall and to capitalize on the benefits of the IIoT, it’s imperative that industrial organizations create a talent development and acquisition plan that keeps employees’ skills updated as technology and processes continue to change. By enabling employees with the training and certifications they need, organizations are best positioned to remove security obstacles in their connected industrial environment and achieve desired business outcomes.

Our Take:

We agree: the skills gap is significant (far worse than the IT skills gap that enterprises have been lamenting for years). Top-shelf OT professionals who also have solid security chops are harder to find than unicorns, so organizations are going to have to grow their own. We believe part of the solution is in organizations driving better collaboration between their IT security and OT functions. Cross-pollinating knowledge and skills between the two centers of excellence seems to be the quickest path to creating the skillset that is needed. Skills are not the only part of the solution, though. These personnel will also need a toolset that integrates with both the security and operations infrastructures.


MotherBoard: Nuclear Power Plants Have a 'Blind Spot' for Hackers. Here's How to Fix That.

For all of the hardcore services WhiteScope offers, Rios, a veteran of the Iraq War and a former incident response leader at Google, has only begun scraping the surface of the complex supply chain that feeds the thousands of digital components that go into a nuclear facility.

A nuclear power plant’s critical systems are well fortified from run-of-the-mill cyberattacks launched from outside a plant. That makes the supply chain, with its often far-flung production sites, a logical target for well-resourced hackers looking for a foothold into a facility. As a result, meticulous regulators, seasoned nuclear plant employees, and cunning penetration, or “pen,” testers like Rios are all playing their part in the ceaseless effort to make the supply chain more cyber-secure.

A typical American nuclear plant has between roughly 1,000 and 2,000 “critical digital assets,” or digital components and support systems that impact safety, security, or emergency preparedness, according to Jim Beardsley, a cybersecurity official at the US Nuclear Regulatory Commission. With many analog components going out of stock, the onus is on nuclear operators and their suppliers to conduct rigorous tests to ensure that equipment installed at plants is bug-free.

Our Take:

Maintaining visibility and control over the supply chain is definitely a critical element of solving this. Let us not forget the “support chain” though; that is, the ecosystem of both employees and contractors with access to critical systems. Any reformed (or otherwise) hacker will tell you one of the easiest ways into a restricted system is through people. Whether it is through social engineering, extortion, or other means, exploiting credentialed personnel is a vulnerability that must also be addressed.
