Zero Trust Key to Operational System Cyber Protection
Converging systems broadens the attack surface.
Converging operational systems with information systems provides an array of benefits but also allows increased opportunities for cyber adversaries. Among other remedies, two experts in the Defense Department and industry recommend zero-trust cybersecurity and training and education to cope with the increased threat.
Josh Brodbent, regional vice president for solutions engineering for the public sector at BeyondTrust, and Lance Cleghorn, a digital services expert at Defense Digital Services (DDS), describe operational technology as systems that haven’t normally been connected to the Internet but are now becoming so at a rapid pace.
“Operational technology are devices that traditionally haven’t included a network component but have the potential to also interact with the physical world in a really significant way. There’s a large intersection between the Internet of Things and operational technology and maybe the difference is scale and refinement,” Cleghorn explains.
He cites smart thermostats and smart refrigerators as two relatively common examples. “They might seem like nice conveniences, but in industrial applications where we have similar but more sophisticated devices to control the temperature of COVID vaccines or biological samples, they might represent operational technologies,” he adds.
Within the Defense Department, or DoD, operational technologies can include mission platforms, wastewater treatment or drinking water treatment facilities, electrical power systems, heating and air conditioning, and even security cameras or systems designed to automate building access, such as electronic badges.
“There’s a litany of examples we can talk about specifically to mission platforms, but one of the things we found most impactful was talking about these blind spots like wastewater,” reports Cleghorn, whose organization spent about two years studying operational technology (OT) vulnerabilities. “If wastewater starts to back up and creates a hazard health-wise, the base has to be closed. So maybe then, F-16s don’t fly, people don’t get the air support they need and people lose their lives in a combat scenario. These types of situations are at least plausible theoretically, and that’s why we need to have a big focus on these types of areas.”
As OT became more networked, information technology (IT) professionals largely took a hands-off approach, but the professionals installing heating and air conditioning or other operational systems were not necessarily aware of cyber threats or the need to secure those systems. “Traditionally, we looked at our operational technology and IT separately. The reason we did that is that people who installed OT were unlikely to be IT experts,” Brodbent offers. “The challenge with taking that particular methodology comes around the fact that people who install OT don’t understand IT and cybersecurity, so therefore, the practices they set up aren’t necessarily secure.”
As an example, he describes a supply chain company that had failed to provide adequate security when installing operational systems. “I was having a conversation with them around it, and their response was, ‘Well, we haven’t been hacked yet, and that was the easiest way to set it up,’” Brodbent recalls. “That’s really not how we do cybersecurity.”
Cleghorn suggests that cost savings and simplicity are two of the major factors leading to the systems converging. Along with those benefits, however, comes an increased risk, he points out. “Convergence also comes with a litany of risk. That’s really what we’ve seen a lot of when we’ve gone out and investigated this.”
Brodbent agrees. “For me, it really comes down to attack surface. If you think about an air-gapped deployment where OT exists on a closed network, the attack surface is really small and complicated. By integrating these things and getting all these extra benefits, we also open up a Pandora’s box of lateral movement into operational technology.”
With converged systems, it is possible for adversaries to “compromise a teleworker working on an open Wi-Fi at McDonald’s or Starbucks and then use that to pivot to some shared service and eventually into the operational technology itself,” Brodbent explains.
He adds that so-called air-gapped systems, which are supposed to be cut off from the Internet, seldom are. That is in part because it is easier to update programs with Internet access. “If I wanted to update Adobe or Microsoft Office, very rarely now is it easy to find stand-alone installers for those things. You click a button, and it reaches out to a Microsoft server interactively and pulls down the update. Out of convenience, a lot of people will interconnect their air-gapped network in some capacity to get updates more easily and transfer information in and out more easily.”
Brodbent offers a theoretical example of a commanding officer who wants to see the temperature on every chilling system in a data center. “It was air-gapped earlier, but now we’ve got to plug in a cable so that we can get that information to the commanding officer without the forethought of what that means from a security perspective,” he suggests.
Both experts recommend a zero-trust approach to secure operational systems. “There’s this concept of zero trust and microsegmentation and making sure we’re being diligent about segmenting our networks correctly,” Brodbent offers when asked what specific steps organizations should take. “Even as we’re bringing these networks in, make sure that we’re doing microsegmentation or segmenting them correctly and just engineering our networks appropriately even as we converge them.”
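The pivot Brodbent describes (teleworker to shared service to OT) can be checked against a network's allowed flows before a cable is plugged in. The following is an added example, not code from the article, BeyondTrust or DDS: the zone names and both policies are constructed, with the converged policy modelling the IT-to-OT link added for convenience and the segmented policy a default-deny microsegmentation in which OT only sends telemetry outward.

```python
"""Lateral-movement reachability under a flat/converged vs. a microsegmented policy.

Added example; zones and policies are constructed for illustration.
A policy is a set of (source_zone, destination_zone) flows that are allowed
to be initiated. Anything not listed is denied (zero-trust default deny).
"""
from collections import deque

# Converged network: remote workers reach shared services, shared services and the
# IT LAN talk both ways, and a cable was added so the IT LAN can reach OT directly.
CONVERGED_POLICY = {
    ("teleworker", "shared_services"),
    ("shared_services", "it_lan"),
    ("it_lan", "shared_services"),
    ("it_lan", "ot_network"),   # the "plug in a cable" change for the temperature view
    ("ot_network", "it_lan"),
}

# Microsegmented network: OT pushes telemetry to a historian in shared services,
# nothing initiates into OT except a dedicated jump-host zone.
SEGMENTED_POLICY = {
    ("teleworker", "shared_services"),
    ("it_lan", "shared_services"),
    ("ot_network", "shared_services"),  # outbound telemetry only
    ("ot_jump_host", "ot_network"),
}


def pivot_path(start, target, policy):
    """Shortest chain of allowed flows an attacker could ride from `start` to
    `target`, or None if the policy blocks every such path (BFS over zones)."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == target:
            path = []
            while zone is not None:          # walk back to the start zone
                path.append(zone)
                zone = parents[zone]
            return path[::-1]
        for src, dst in policy:
            if src == zone and dst not in parents:
                parents[dst] = zone
                queue.append(dst)
    return None


def reachable_from(start, policy):
    """Every zone transitively reachable from `start`, excluding `start` itself."""
    return {z for z in {d for _, d in policy} | {s for s, _ in policy}
            if z != start and pivot_path(start, z, policy) is not None}


if __name__ == "__main__":
    for name, policy in (("converged", CONVERGED_POLICY), ("segmented", SEGMENTED_POLICY)):
        path = pivot_path("teleworker", "ot_network", policy)
        print(f"{name:9s}: {' -> '.join(path) if path else 'blocked'}")
```

Run the script as-is to see the converged policy expose a three-hop path into OT while the segmented policy reports it blocked; swap in your own zone flows to audit a proposed convergence change.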
Cleghorn suggests training and education also play an important role in securing the systems. “From the investigative work and the experiences we had out in the field, one of the biggest things that we found was there’s a really significant need for improved cross-training between IT professionals and OT professionals. We really feel like at DDS that’s the essential first step,” he says.
Easy-to-follow examples also are helpful. “Top-down guidance for implementation that has tangible, real-world examples that operators in the field can follow, I think are important.”
Tweaks to the contracting process also may offer benefits. “Everything in government somehow comes back to contracting, right? So, better contracting vehicles that support a smaller number of OT vendors but vendors that have very developed or mature cybersecurity programs are important,” Cleghorn says.
Cleghorn works with the Hack the Pentagon program, which uses bug bounties and crowdsourcing to identify security weaknesses, and he touts the benefits of that approach for operational systems. “Creating the opportunity for OT vendors to be tested in real adversary emulation scenarios with industry-level transparency in something like a vulnerability disclosure policy or a bug bounty to improve the overall cybersecurity of this technology sector is something we at DDS really want to see happen,” he asserts. “And there are efforts to do that, but we want to make sure the transparency is there, and it happens to as many vendors as possible to grow this ecosystem and evolve its cyber maturity.”