S4: Lean OT Security

Wednesday, January 17, 2018 @ 04:01 PM

By Gregory Hale
The majority of folks working in the manufacturing automation sector are still at the learning and awareness levels of security – and that is a good thing.

However, security professionals winding their way through the daily maze of warding off attackers and vulnerabilities truly have to understand the future, and understand that what works today and has worked in the past just may not fly in the future.

That was the message from two keynote presentations Tuesday at the S4x18 conference in Miami.

Ralph Langner, founder and chief executive of Langner Communications and the researcher credited with finding Stuxnet, knows asset owners are still not being proactive with security.

“Wake up calls are not doing a thing,” he said. “I was disappointed Stuxnet did not do much of anything.”

After Stuxnet broke, he talked to government leaders in Washington and “it still did not do much of anything.”

On top of that, the industry moved over to scare tactics and that did not do anything, he said.

“Why do users want less OT security rather than more?” Langner asked. “Why do so many OT security efforts stall? How come software products which nobody needs go viral, but OT security products don’t?”

One answer could be that users just don’t get the importance of OT security, but Langner said it really doesn’t help the matter if you think you are smarter than end users.

Real Answer
The real answer is to find out the needs of the end user. Not how they need to fit into a product, but how the product can work for them.

“If you can demonstrate some short-term gain, you will get end users to buy in,” he said. “How can you make it fun to use? How can we make this security procedure easy to use?”

That is just where lean security comes into play.

“Lean security is an approach aiming to make security much more efficient,” he said. “Lean OT security focuses on reducing cost and inconvenience associated with security.”

The principles behind lean OT security are:
• Bottom up
• Authority reversal
• Agile
• Tangible

“Users are the experts, you listen to them, not the other way around.”

In another keynote, David Cullinane, chairman of the Cloud Security Alliance, said new technologies and advances on current technologies are not in the future – they are here now.

Robust Software
“Software is the lens for your worldview,” Cullinane said. “Software can change a product’s characteristics and value – immediately. Software differentiation leads to cascading ecosystems.”

While software is hardly a world-changing technology, it is developing and evolving to become more robust and offer more capabilities than ever before.

On top of that, while those in the industry may feel the cloud is a new entity, it really isn’t. “Cloud is not new. It has been around for a long time.” Adding to cloud adoption is the Internet of Things (IoT). “IoT is moving quicker than I thought,” Cullinane said.

Other areas already here that he said to look at are software-defined networking, Big Data, and cyber incident exchange.

Emerging technologies, he said, are artificial intelligence, blockchain, 3D printing, DevOps, autonomics, virtual and augmented reality, and ambient communication (Alexa).

Technologies further out are quantum computing and DNA-based storage and computing. Rest assured, he said, they will be here quicker than anyone thinks.

In talking about the cloud, Cullinane defined it simply: “It is just there. You turn it on and just use it. It is pay per use and globally accessible and allows for business agility.”

The IoT, on the other hand, is a global infrastructure for the global information society, he said.

Cheap computing leads to the IoT. Fog computing, an architecture that uses one or more collaborative end-user clients or near-user edge devices to carry out a substantial amount of storage, communication, control, configuration, measurement and management, could allow for the cloud and IoT to integrate.

“These trends will lead to a dynamic digital enterprise,” Cullinane said. “It is going to get to the point where the cloud will be the security provider. Security must be delivered as a service in the environment.”
