In a recent episode on the PrOTect OT Cybersecurity Podcast, we had the pleasure of hosting Slade Griffin, Director of security assessments at Contextual Security Solutions. Slade is an expert in vulnerability assessments, penetration testing, risk assessment, security program development, forensic analysis, and incident response, with a passion for cybersecurity that shines through in his work.
One of the key themes we discussed on the podcast was the importance of building trust and buy-in across teams for effectively implementing cybersecurity in operational technology (OT) environments. Security teams need to be in lock-step with the operators, the engineers who are the experts in how the equipment works and who have the responsibility to control, program and run those machines. Their day-to-day job is focused on ensuring uptime, availability and safety, and their metrics are tied to these factors. Security is not typically their area of expertise, and they may not fully understand the value and importance of cybersecurity measures. So, by default, they're going to not trust security like they're responsible for the business. As a security team, it's important to understand the operational requirements of the organization, build trust with the operations team, and align to the common mission.
Slade recounted a project working with a hospital where he encountered an IT person who was frustrated with people not following all the cyber policies. In his pen test, Slade was able to gain access to restricted areas and data. He was planning to write a scathing report, until he saw doctors running around and realized what was going on around him. These healthcare workers were trying to save a life. It was a lightbulb moment that it's the cybersecurity’s team to support the mission, whether it was providing water, electricity, gas, or saving lives. It doesn’t mean accepting excuses for not following security practices, but security is the overlay. Slade expressed that understanding what the mission is, and how what he’s going to do is going to help that or impact that, is critical when implementing security changes.
Slade and Aaron discussed a bit about NIST 800-53, complimented the standard on laying the concept of building out a framework with layers – defense-in-depth.
NIST 800-53 covers a wide range of security controls, including access control, incident response, audit and accountability, and system and communications protection.
In situations where patching or updating is not feasible, organizations can implement alternative security measures, such as monitoring, whitelisting, and network segmentation. For instance, organizations can monitor access to systems that cannot be updated and restrict access to only authorized users. Network segmentation can be used to isolate critical systems from other parts of the network to reduce the risk of a cyber attack spreading.
Automation is an essential tool for managing security at scale, but human decision-making is still necessary in most cases. Automated security tools can detect and respond to threats quickly, but human analysts must interpret the data and make decisions about how to respond.
Embedded systems, such as those used in critical infrastructure like power plants and transportation systems, may be difficult to update or replace due to their critical function. In such cases, alternative security measures must be implemented to mitigate the risks. Offloading everything to the cloud is not always the best option, as the unique requirements of each system must be considered.
In summary, it's important to have a defense in depth approach and avoid having a single point of failure to limit the impact of potential security breaches. Compartmentalizing environments and providing controls and monitoring can help with this. Network segmentation has become more common due to regulations like PCI compliance, but it's still rare in unregulated environments. Adding layers of security like UB keys is important, but it's also crucial to ensure everyone in the organization follows good security practices, including using strong passwords.
Slade reflected on his hopes for the next 5-10 years and mentioned that he was preparing to give a talk on substations. Recent news of physical security attacks on substations have raised concerns. Power was restored quickly, but it got him asking the following questions:
Answers received so far indicate they are not focusing on the things that really cause these problems, like squirrels, branches, ice, or car wrecks. But it’s the rare, exciting events that get all the attention. He notes that this his him being a “downer” about not focusing on the right things.
However, Slade mentioned that the things that give him hope are watching people's willingness to learn and their ability to challenge reports. He has noticed that people are becoming more aware of different layers of security and are willing to push back when necessary. He sees a positive shift in the industry, where people used to believe that security professionals didn't know much. Now, there are an abundance of educational resources available on YouTube for people to learn about different security concepts. While there’s still a tendency to focus on bad news, we can’t let that overshadow the good progress being made.
This summary doesn’t do justice to the deep and insightful conversation with Slade, please listen to this podcast episode for full effect!