Ian Schmertzler from Dispel and Alan Hudson from VTScada by Trihedral spoke at the SANS Industrial Solutions Forum in September 2021. Below is a summary of that talk.
CISOs and Senior Network Security Architects (people with titles that should allow them to drive change) from household name firms in consumer goods, food and beverage, building management, upstream, midstream, and downstream ONG, dry bulk shipping, fishing, hydro, mining, water, and wastewater have been reporting decision loops of over 18 months for cyber resilience initiatives.
This cycle time has been wreaking havoc. To give a few stories from SANS attendees:
The ICS cyber community needs an effective, repeatable approach to remain productive in OT settings.
Cybersecurity and Operations are not separate undertakings. They directly impact one another. The reason why they have fallen into separate specialties is that both are complicated. That does not mean you can't develop a healthy understanding of what the other team is doing over a few hours of conversation. Achieve that, and work to ensure the other side achieves it as well, and you will find yourselves working towards the same purpose.
You start to think about the things Operations cares about in OT settings, and they start to think about the things you care about. The actionable steps below work because they are simple and because they push that collaboration along.
We worked on the problem of a fictional company with numerous OT networks of various ages and configurations. To begin with, we worked things from the perspective of a cybersecurity officer joining in the selection of a SCADA system.
To assist in this effort, we brought in a brave friend: Alan Hudson from VTScada by Trihedral. For the avoidance of doubt, there was/is no commercial relationship between Trihedral (or, for that matter, their parent company, Delta Electronics) and Dispel.
SCADA providers are typically perceived by OT cyber professionals as the enemy: their systems are often pushed by salespeople who could not tell NIST 800-160 v2, 800-171, 800-172, 800-53, or IEC 62443-3 from a telephone number, but who are quite adept at boxing out the cyber team and selling to Operations on usability features.
When something gets sold to Operations and the OT Cyber team has to veto it, you create a relationship problem that pits internal groups against one another. This is not an example of the often referenced “IT<>OT Divide” but, rather, a case of an OT<>Operator Divide, and that is far more personal for many SANS attendees.
Most SCADA providers, then, would be insane to wander into a room with over 130 cyber professionals. What makes VTScada different is: (1) they architected their software such that it can be set up to meet the standards without making life miserable for either Ops or Cyber; and (2) they go out of their way to teach their customers about cyber resilience.
75% of the purchase processes Alan had worked through in the preceding month had not involved a single cyber participant. Together, we walked through the considerations a cyber person might bring to the table, using diagrams and terminology that people working in Operations would readily understand.
Begin your meetings with Ops or Management by providing a walkthrough of the Purdue Model. It takes only 2 to 3 minutes, and it will ensure everyone is oriented. For a pre-formatted Purdue Model to use in such a meeting, go here:
Points to convey while working on the problem of a SCADA system:
The above points are not cyber-specific, but they are characteristics that will substantially reduce the noise in the search process. Next, here is how to architect a resilient network in and around the OT System, and what Operations should bring to the table.
It was at this point that the audience took (commandeered) the talk in the direction of 800-171 secure enclave scenarios. Down-select early in the process for SCADA systems that work well within topologically segmented environments, handle private certificate authorities, and interface with project-specific clocks.
Invite your colleagues to learn about these proactive efforts; doing so will spark collaboration. Then connect with a trusted provider like Dispel that can offer strong cybersecurity infrastructure for your organization.