Developing ICS/OT Engineering Cyber Defense Teams

Relying on control systems and critical infrastructure is commonplace. Flipping on a light switch at home or the office, pumping gas into your vehicle at a gas station, pouring water from a tap— we rely on industrial control and critical infrastructure systems to support all these things and ultimately our modern way of living. We rely on some of these critical systems to generate and distribute power and heat to our homes, businesses, and healthcare centers. In the fuel manufacturing industry, there’s a reliance on the production and refining of oil & gas. For critical city and town services for our homes there’s a reliance on the management of our water systems, etc.

This interconnected and interdependent complex mix of both legacy and modern computer systems and engineering systems is responsible for processes in the physical world. They require additional considerations when it comes to security. For the teams managing and tactically defending this control system infrastructure, the skills and knowledge of safety, engineering, control system deployments, and more, is required beyond the tried true and tested security skills applied to protect traditional Information Technology (IT) systems.

Modernization, ICS Risks, ICS Teams

Industrial Control Systems (ICS) were not always as connected, highly automated, or complex as they are today. ICSs had been designed, built, tested, and deployed for a particular purpose and ran on proprietary protocols in isolation. These systems were engineered and operated in a completely isolated network away from other networks, including those in the outside world such as IT business networks and the public Internet.

Over the years of advancements in modern network technology and equipment, as businesses sought cost savings benefits, control systems have shifted away from an isolated control environment toward a more connected environment. Of course, more external connections ultimately broke the isolated, or "air-gapped," model, making ICSs less isolated and therefore more exposed to cyber risk.

This shift changed the risk surfaces and the threat landscape. We’ve seen increased threats including ransomware and tailored ICS-specific attacks against engineering control systems. As such the shift has also changed the security job tasks, security roles, and knowledge required to now perform ICS security for the protection of these engineering processes in today’s threat landscape.

ICS-specific Cyber Security Requirements

We do not get to choose if we are a target of a cyber-attack. However, as ICS/OT security managers and tactical cyber defenders in ICS/OT, we get to choose many things about our control system security program. This includes but is not limited to how we conduct ICS incident response, how we prioritize safety, which tools will be available to assist our tactical teams, where best to deploy control system network visibility. And of course, we get to choose who will be on our teams defending our critical infrastructure. We have some much opportunity for ICS defense! Whether working in a converged IT/ICS or specific ICS security team, it is imperative those selected as ICS/OT security defenders be trained with the ICS-specific knowledge and have the many ingredients needed for protecting control systems.

An ICS Security Team Skills Recipe

Securing Data vs. Enabling and Securing Physics: Traditional IT security focuses on digital data at rest or data in transit and the pillars of C.I.A. (Confidentiality, Integrity, and Availability). Operating technology/industrial control systems (OT/ICS) manage, monitor, and control real-time engineering systems for physical input values and control output for physical actions in the real world. The main priority in OT/ICS is safety and reliability of operations.

Modern trained ICS cyber security staff understand the nuances between traditional IT and ICS security, the ICS mission, safety, the engineering process, ICS protocols and active defense strategies that excel inside control environments, impacts of incidents in ICS to equipment, the environment, and people. A recipe to help us obtaining, training and retaining the top ICS security defenders include these ingredients:

Technology and Processes (even if automated) do not get us far in the defense space without a trained and focused workforce. Human defenders—the people (workforce)—are the ones who use the ICS security technologies, work with the engineering, safety, business, IT department, and other teams and understand the ICS mission, possible impacts and recovery. These people understand the industrial process, protocols, normal vs. abnormal for engineering operations network traffic patterns, safety with context, the commonly targeted assets in control systems, etc.

If you're lucky, you'll...

• inherit a good team
• get to choose your team
• be able to build a good team

You know you've succeeded in building an effective ICS security team when:

• Your team contributes to the safety and reliability of operations.
• The engineering, operators, and safety teams communicate well with you.
• You are still with the organization.
• People totally want to join your team.
• Other organizations or departments wish to steal your team members.

Split brain! Conflict of interest! Safety! - Set up for success!

Safety could be at risk if information or traditional business systems are prioritized over industrial engineering control systems. Or, if the responsible reporting structure for ICS/OT security fails to fully embrace the differences between IT and OT/ICS.

Consider, for instance, a security incident on the IT business email system, and a security incident on the SCADA (Supervisory control and data acquisition) system of a power grid occurred simultaneously. Which incident gets the priority to focus efforts, tools, and team members to investigate, respond, and defend? What pace and rigor will the organization give to the incident selected as a primary focus. More specifically, what drives the decision to manage these very different risks, and related impacts, in these different environments?

Did the organization select their focus based on what was the most important for the safety of the people, the environment, and the organization overall? Today’s ICS incident response teams must understand the control system processes, the engineering, industrial protocols, safety factors, and ICS-specific cyber threats and tailor incident response playbooks, and risk management strategics accordingly.

ICS418: ICS Security Essentials for Managers

The ICS418: ICS Security Essentials for Managers course empowers leaders responsible for securing critical infrastructure and operational technology environments. The course addresses the need for dedicated ICS security programs, the teams that run them, and the skills required to map industrial cyber risk to business objectives to prioritize safety. The course speaks to the needs of the full range of managers, including:

• Managers asked to "Step-Over"
  • Traditional information technology (IT) security managers who must create, lead, or refine an ICS security program

• Practitioner to Manager "Step-Up"
  • Industrial engineers, operators, or ICS security practitioners promoted to a manager position to create, lead, or refine an ICS security program

• "In-Place" Managers
  • Existing ICS security managers who need to further develop their leadership skills specific to industrial security
    

In-Class Industrial Management Simulation 

Those familiar with the Cyber42 cybersecurity leadership simulation game may have learned about it when taking SANS Cybersecurity Leadership courses. SANS has extended this awesome tool for ICS418 by introducing Cyber42: Industrial Edition, which borrows many features from the original Cyber42 game. The scenarios are specific to industrial control systems and, of course, safety is added to the mix of industrial cyber incidents. In Industrial Cyber42, the object of the game is to finish with the highest safety culture.

Take ICS418 with Dean and get to know him!

Check out Dean's upcoming ICS418 scheduled classes, see more of his ICS community contributions, and learn more about him here.

For deeper insights about building robust ICS/OT cyber defense teams, securing your critical infrastructure, and fostering an organization-wide culture of safety, download the SANS Strategy Guide: ICS is the Business.