Black Hat: IT-OT Learning Curve
Wednesday, August 3, 2016 @ 03:08 PM gHale
By Gregory Hale
Cybersecurity is way too big for the manufacturing automation sector to handle on its own and that is why working with IT has so many benefits.
That convergence between IT and OT is becoming clearer at events like the traditionally IT-centric Black Hat USA 2016 in Las Vegas. OT can learn from the advances IT has made in security over the past few decades.
One of the areas OT is learning to pick up on is the idea of speed.
“Speed is an important factor for security,” said Jeff Moss, a computer researcher and founder of Black Hat and DEF CON security conferences, during the kick off to Black Hat USA 2016 in Las Vegas Wednesday. “Speed can be measured. Time it takes to remediate. How long to cleanup a breach. Speed is a key metric.”
In fact, he said, when he ended up invited to give a talk at a chief executive roundtable, the top concern these leaders talked about was speed. They talked about speed to market; speed to react. The more secure an organization is, the more they are willing to push the envelope because a company feels confident in protection. “As we allow computers to take more risk, (you can gain a) speed advantage through confidence in your security.”
“Speed has totally changed how we have to learn and adapt from our experiences,” he said.
Kaminsky’s keynote focused mainly on advanced technologies years away from OT, but in reality OT could learn from; if not the technology, just the idea of thinking differently.
One topic focused on a micro-sandboxing system that uses small virtual machines (VMs) to carry out sensitive tasks, limiting their ability to infect other parts of the system.
This idea limits the ability of the code running in the VM to communicate, and monitor what is going on inside to make sure there are no unexplained requests.
Another idea was a “magic browser,” which could allow web designers to build webpages that allow functions in a known safe state.
“People are afraid of going on the Internet because they fear a security incident of some type,” he said.
Lack of Confidence
That fear is also leading to a lack of confidence in advances in technology.
“With IoT, people are assuming it is insecure out of the gate,” Kaminsky said. “Usually an industry has time to get their act together. Those days are over. We are not taking all the lessons we have learned and then doing something about it.”
Kaminsky talked about instead of keeping security a secret, users should release information.
“You are not competing on security,” he said. “We should release code so it is out there. Don’t be afraid of taking the knowledge exchange and make it more accessible to other people.”
Sharing security information is something the OT industry can learn and work to advance.
Protecting Supply Chain
At the Codenomicon event Tuesday night, they had a talk that had an OT angle to it entitled “Mitigating Software Supply Chain Risks – Gaining Trust of Software in Cyber Assets.”
Schneider Electric’s Director of Cyber Security and Architecture Paul Forney talked about the supply chain and ensuring its security. One way of ensuring a secure supply chain, he said, was having an organization committed to a secure development lifecycle.
Schneider Electric ended up certified for its Security Development Lifecycle certification based on IEC 62443-4-1.
The first industry certificate for SDL applies to Schneider Electric’s Process Automation business product development centers in Foxboro, MA, Worthing, UK, and Hyderabad, India.
Traditionally, IT and OT has not been a strong relationship. But it is getting better – and stronger. For a secure manufacturing enterprise in the IIoT environment, IT and OT will have to work together.