Podcast: Episode #29 - Ian Frist: Beyond Buzzwords, Building Effective Programs in OT Security

August 24, 2023

In a recent episode of the PrOTect OT podcast, Aaron Crow, the CTO, welcomed guest Ian Frist to share insights from his extensive background in the cybersecurity and compliance realm.

Ian currently works at Corning, where he leads the compliance organization inside the cybersecurity group. Interestingly, his journey into ICS/OT wasn't intentional. His route into cyber ran through the National Guard, where he actually started as a medic. Over time, his career trajectory led him towards compliance, primarily due to his involvement with the National Guard and familiarity with the CMMC. Ian's transition into the GRC side further solidified his position in compliance, and he has since become an active voice in the field, even speaking at events such as the SANS conferences when possible.

Ian's passion for ICS/OT emanates from a deep-seated appreciation of the field's uniqueness and significance. While many in the ICS/OT space might come with some IT background, Ian feels that his experiences helped him develop a profound understanding and love for how OT stands apart and its crucial role. What resonates with him most about OT is how it directly impacts the real world, particularly areas like manufacturing. Ian believes that being immersed or inadvertently landing in an environment like ICS/OT provides invaluable exposure. This exposure, in turn, offers a unique perspective that could be missed by those coming purely from an IT background without investing the time to understand OT environments. Ian credits this perspective as instrumental in his success and ability to comprehend the importance of systems that power our world.

Recognizing the Significance of Compliance in OT Security

Ian delved deep into the growing relevance of compliance in the world of OT. He underscored the notion that "the auditors are coming." For sectors like manufacturing or those operating outside of utilities/NERC CIP, Ian emphasized that audit measures are on the horizon. This imminent scrutiny is epitomized by frameworks like CMMC (Cybersecurity Maturity Model Certification), which made a point to include OT. The CMMC demands an asset inventory and a network diagram at a minimum for level two. These sound elementary, yet they pose challenges for many manufacturing companies. By level three, OT's scope expands considerably, as inferred from recent documents highlighting the inclusion of intermediary devices in its purview. Ian's takeaway is clear: compliance is not confined to IT environments anymore but is encroaching into the realms of ICS and OT.

In many cases these compliance frameworks aren't too prescriptive. Unlike NERC CIP's rigid stipulations, the current regulations provide broader guidelines, like having a risk management plan or a network diagram. This shift can be seen as an opportunity for organizations, offering them a valid reason to invest in fortifying their OT environments.

One notable evolution in compliance is the palpable shift in its scope. Frameworks like CMMC and Europe's NIS2 are casting their nets over OT. CMMC's explicit category for ICS-OT assets, for instance, signifies the changing dynamics in compliance frameworks.

Compliance: More Than Just a Checklist

Ian believes that while some may view compliance regulations as restrictive, they play an indispensable role in fostering risk management. Regulatory bodies, whether it's DOD, CMMC, or NERC CIP, define an acceptable risk threshold for their respective sectors. The objective is not to rob companies of their decision-making autonomy. Instead, it's about ensuring that these companies meet a fundamental risk mitigation baseline. Seeing this from a risk management lens, as Ian pointed out, is essential for grasping the broader perspective.

OT Maturity Divergences Across Industries

Ian highlighted the varied OT maturity levels present across different industrial sectors. At present there is a continual push for stronger OT cybersecurity. Industries like electricity and utilities have made notable advancements, while the water sector seems to perennially lag, primarily due to financial constraints. However, even this sector is gradually progressing.

Manufacturing stands out, feeling the repercussions of rising compliance standards, increasing cyber-attacks, and an amplified risk environment. There's an urgency within the manufacturing sector to bolster its OT cybersecurity, particularly given the criticality of the manufacturing and supply chain, which was starkly evident during the COVID pandemic. Drawing parallels, Ian noted that the current focus for manufacturing is similar to what the electricity sector underwent seven to ten years ago.

A common pitfall that Ian observed is that consultants and vendors sometimes lose sight of the broader perspective. There's an inclination towards advanced security tools and measures that may not be readily suitable for certain sectors. A significant concern is the limited product availability tailored for foundational security layers, especially when many don't possess even the basic asset inventory or network diagram.

Build a Program

Ian fervently advocates for building cohesive, comprehensive cybersecurity programs rather than merely buying tools and technology. While solutions play an integral role within these programs, they must operate in tandem with a holistic approach. One cannot address cybersecurity with a fleeting, point-in-time solution.

Foundational elements, such as asset inventories, network diagrams, and data flow diagrams, are paramount. Without them, vulnerabilities arise in unknown parts of the environment, which is a critical blind spot. Tools are not infallible; they can overlook high-latency or air-gapped systems. Ian pointed out that the efficacy of a tool hinges largely on the preliminary information fed into it. Regardless of the advanced features a tool might boast — be it AI, blockchain, or any cutting-edge tech — understanding one's own operational environment remains the essential prerequisite.

Navigating the Complexity of Modern and Legacy Systems

This amalgamation of old and new systems is gradually complicating every vertical. While industries still operate with legacy analog or early digital devices that serve their purpose efficiently, the integration of new devices running on contemporary operating systems introduces added layers of complexity. Safeguarding both is an intricate endeavor.

In strategizing for such diverse environments, organizations may need to rethink their conventional approach, even re-evaluating classic models like the Purdue model. It's essential to weigh the risks associated with each type of device and to determine the appropriate controls.

The inherent challenge is that many industries remain tethered to legacy systems because of their reliability and cost-effectiveness. A company won't replace a machine that's been efficiently producing a product for decades simply for the sake of modernization. The financial and logistical implications of transitioning to a new system often outweigh the perceived benefits. Hence, the cybersecurity approach cannot merely be a clarion call for replacement or upgrades. Both modern and legacy systems demand protection.

Ian cautions against the assumption that contemporary systems are inherently secure because of their modernity. Equally, one cannot apply the same protective measures for modern systems as one would for legacy systems. Modern devices often require internet connectivity, updates, and other functionalities that might not be relevant for older equipment. The challenge is discerning how to safeguard both without compromising functionality.

The Illusion of Air-Gapping in Cybersecurity

CNC machines, commonly found in various manufacturing and fabrication settings, offer an illustrative example of why the concept of air-gapping might be deceptive. Many operators believe that if their CNC machines are off-network, they are intrinsically secure. However, as pointed out, the common practice of programming these machines via thumb drives, especially ones obtained from external vendors, represents a potential vulnerability. An air-gapped machine doesn't imply impermeability; the data it receives and emits is still vital. If the integrity of that data is compromised at any point, the entire operation is at risk.

When discussing the importance of network diagrams and data flow charts, the emphasis is on the clarity they bring. Network diagrams ought to showcase even these supposed "air-gapped" connections, and data flow diagrams should elucidate how data traverses these connections, be it via thumb drives, portable devices, or other means. Recognizing these paths is essential for developing a well-rounded security program.

Aaron further underscored the misconceptions in the industry. It's a frequent occurrence to observe network diagrams that ignore air-gapped elements, giving a false sense of security. This exclusionary approach fails to capture the entirety of the operational environment. With technologies like passive network monitoring in the OT space, the challenge arises when dealing with non-network-connected devices. Are they simply omitted? Aaron argues for the inclusion of all devices, even serial and hard-wired ones, in asset inventories. They play a role in the broader operational framework and should be considered when crafting security and operational strategies. As Aaron elucidated, understanding the entire environment means recognizing and accounting for every connection, even those that bridge perceived gaps.
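One way to make the "include the air-gapped paths" point concrete, as an added example that is not code from the podcast, from Ian or Aaron, or from any project they mention: a small Python checker that cross-references a constructed asset inventory against a constructed list of data flows. It flags assets with no recorded data path at all (the off-network CNC whose thumb-drive programming never made it onto the diagram), removable-media or vendor paths with no description of how they are handled, and flows that name assets the inventory does not know about. The asset ids, vendor name, zone labels and the `vendor:` prefix convention are all assumptions made up for the example.

```python
"""Cross-check an asset inventory against a data-flow list.

Added example, not from the podcast or from Corning/the PrOTect team.
All assets, flows and names below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str                 # e.g. "cnc", "plc", "hmi", "serial-gauge"
    network_connected: bool   # False for "air-gapped" or serial-only gear
    zone: str


@dataclass(frozen=True)
class DataFlow:
    source: str               # asset_id, or an external party as "vendor:<name>" (assumed convention)
    destination: str
    medium: str               # "ethernet", "serial", "usb-drive", "laptop", ...
    description: str = ""     # how the path is used / controlled


# Media that bridge a supposed air gap and therefore must be described.
REMOVABLE_MEDIA = {"usb-drive", "laptop", "sd-card"}


def is_external(endpoint: str) -> bool:
    """External parties are written as 'vendor:<name>' in this example."""
    return endpoint.startswith("vendor:")


def find_blind_spots(assets, flows):
    """Return (subject, reason) findings where inventory and diagram disagree.

    Rule 1: every flow endpoint must be an inventoried asset or a vendor.
    Rule 2: removable-media and vendor paths must carry a description.
    Rule 3: every inventoried asset must appear in at least one flow; an
            off-network machine with no path means the diagram is incomplete,
            not that the machine is isolated.
    """
    known = {a.asset_id for a in assets}
    referenced = set()
    findings = []

    for f in flows:
        for endpoint in (f.source, f.destination):
            if is_external(endpoint):
                continue
            if endpoint not in known:
                findings.append((endpoint, "flow references an asset missing from the inventory"))
            referenced.add(endpoint)
        bridges_gap = f.medium in REMOVABLE_MEDIA or is_external(f.source) or is_external(f.destination)
        if bridges_gap and not f.description:
            findings.append((f"{f.source}->{f.destination}", "removable-media or vendor path has no description"))

    for a in assets:
        if a.asset_id not in referenced:
            label = "networked" if a.network_connected else "off-network"
            findings.append((a.asset_id, f"{label} {a.kind} has no documented data path"))
    return findings


def medium_summary(flows):
    """Count flows per medium so the thumb-drive paths are visible at a glance."""
    return dict(Counter(f.medium for f in flows))


# Constructed sample inventory and data-flow diagram for one cell.
SAMPLE_ASSETS = [
    Asset("cnc-01", "cnc", False, "cell-3"),
    Asset("cnc-02", "cnc", False, "cell-3"),
    Asset("cnc-03", "cnc", False, "cell-4"),      # programmed somehow, but nobody drew the path
    Asset("plc-01", "plc", True, "cell-3"),
    Asset("hmi-01", "hmi", True, "cell-3"),
    Asset("gauge-01", "serial-gauge", False, "cell-3"),
]

SAMPLE_FLOWS = [
    DataFlow("vendor:acme-tooling", "cnc-01", "usb-drive", "G-code programs delivered on vendor thumb drive"),
    DataFlow("plc-01", "hmi-01", "ethernet", "tag reads/writes"),
    DataFlow("gauge-01", "plc-01", "serial", "RS-232 measurement stream"),
    DataFlow("hmi-01", "hist-99", "ethernet", "batch records"),   # hist-99 is not in the inventory
    DataFlow("vendor:acme-tooling", "cnc-02", "usb-drive", ""),   # path known, handling undocumented
]

if __name__ == "__main__":
    for subject, reason in find_blind_spots(SAMPLE_ASSETS, SAMPLE_FLOWS):
        print(f"{subject}: {reason}")
    print(medium_summary(SAMPLE_FLOWS))
```

Run on the sample data, the checker reports three gaps: the historian that the diagram names but the inventory lacks, the undocumented thumb-drive path into `cnc-02`, and `cnc-03`, an off-network machine with no recorded data path. The medium summary makes the two `usb-drive` flows as visible as the Ethernet ones, which is the point of drawing the "air-gapped" connections rather than omitting them.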

Business Impact and Risk Management

For businesses, understanding the potential impact of risks is crucial. There are situations where the gravity of the impact supersedes the likelihood of the event occurring. In these scenarios, companies might find that the potential fallout is so severe that they prioritize managing this risk regardless of how unlikely it is to happen. The risk management strategy isn't always about minimizing the probability of an event; often, it involves preparing for and mitigating the consequences if the event does occur.

Risk reduction can take several forms:

  1. Compensating Controls: Introducing measures to decrease the likelihood of the risk event.
  2. Better Recovery Protocols: Establishing strong recovery plans ensures that, in the aftermath of an event, operations can resume quickly.
  3. Preparation and Tabletopping: Regularly simulating potential incidents to ensure readiness.
  4. Backup and Contingency Planning: Interacting with engineers and other relevant stakeholders to understand how unique systems can be restored or replaced in case of failure.

Historically, there has been a tendency to emphasize reducing the likelihood of risks. However, it's equally important to consider how the aftermath of a potential risk event can be managed and mitigated.

The Foundation of Cybersecurity Programs

Ian highlighted the significance of foundational elements in building robust cybersecurity programs. Some of these cornerstones include:

  1. Asset Management
  2. Network Diagrams
  3. Data Flow Diagrams

While these elements might be stipulated within specific frameworks as controls, Ian views them as prerequisites. Without them, one isn't adequately prepared to dive into the more intricate parts of the framework.

Furthermore, the success of these foundational elements is underpinned by two critical aspects:

  1. People: Without the right personnel, it's impossible to effectively implement and manage these foundations.
  2. Processes: Strong, clear processes need to be established as part of the fundamental building blocks.

Ian's mantra revolves around the idea of comprehensive programs that require an investment in people, processes, and technology, in that order. Technology should augment and enhance the capabilities of the people and the efficiency of the processes, not act as a makeshift solution or a temporary fix. Relying on technology as a "crutch" is not only ineffective in the long run but could also give a misleading sense of security, making it even more perilous.

Listen to the Full Episode

This has been a brief preview of the discussion. For the full conversation, be sure to listen to the complete episode here: