Did you know that this is the 15-year anniversary of the release of the movie Terminator 3: Rise of the Machines? Is the world like the movie portrayed it would be? Yes and no. Machines certainly do more than we dreamed possible. And yet…self-actualized robots are not the rise of the machines the movie anticipated. And the next threat landscape is not Skynet. So, what are the machines that point toward the next threat? And what is the new threat landscape?
It all starts with success and failure. As a society we focus more on our failures and invest little time celebrating successes. In the high-pressure world of information security, this is especially true. However, it is through analyzing those very successes (along with our failures) that we can apply our experiences to shape an ever-changing world.
Today, attackers have a much higher barrier to entry; we’ve moved beyond simple buffer overflows and generic passwords. We have memory protections, visibility tools, inspection protocols, protection software, and intelligence services that help keep us safe every day. In fact, in the last two years no 0-day was used in any major breach. We started building security into our products and services from the ground up rather than “bolting it on” after the fact. Cisco Talos releases more than 300 vulnerabilities a year, working with numerous software and hardware vendors. We’ve even created alliances among competitors like the Cyber Threat Alliance to share intelligence, so we can do a better job protecting all of our customers collectively.
We’ve influenced internal stakeholders to develop an InfoSec-oriented culture inside our companies. The bridges we’ve built into all parts of the organization have helped colleagues realize that security is a competitive differentiator rather than a barrier to success. And we’ve extended that influence to the boardroom as we elevated Security to a top business priority. In other words, our successes have taught us that people, habits, beliefs, ideas, and cultures have just as much impact as the code we write.
Applying what we’ve learned to a new world
Since Terminator 3 came to the screen, the explosion of devices around us has increased security’s complexity. And those same devices introduced interesting challenges into our societal fabric. Some estimate that by 2020 there will be over 250 billion devices connected in the era of the Internet of Things (IoT). But let’s think beyond our phones and game consoles. Consider the devices and systems that we rely on for our everyday lives. No…not email. Instead, the systems that provide the electrical power to our servers, or ensure we have clean drinking water. These are the industrial control systems, commonly referred to as Operational Technology (OT), that form the back bone of modern society. They often went unnoticed, until recently. Because when our mobile phone gets hacked, it’s a minor inconvenience. When OT devices get hacked, lives could be at stake.
IT, OT, and IoT are converging as modern technologies make it into our power grids, our water pipelines, transportation networks and critical infrastructure. The machines are rising, and we’ve learned a great deal in a short period of time. Now we need to look ahead and examine the world of OT. Security is uniquely qualified to tackle the OT challenge as we apply the lessons we’ve learned to defend this new threat landscape.
Partnering with OT
If working with the OT world is our future, it’s time to get comfortable within it. So, who runs OT? OT owners span the pipeline operator in an oil and gas refinery to the substation manager in a utilities company to the plant manager of a manufacturing facility. These professionals among others keep the lights on, the water flowing and the hospital running. OT careabouts differ from what we see in the typical business environment. Their priorities include:
- Safety – keeping workers safe and injury free;
- Availability – continuous delivery of services; and
- Resiliency – maximizing uptime and systems backup.
In security, our first priority needs to be partnering with our OT colleagues. This will create the longer term opportunity to help them protect their production lines and our very way of life.
Bridging the OT gap
Traditionally, OT hasn’t partnered with security, often seeing it as a blocker to uptime, and more importantly, profitability. The question is how we can bridge the gap between IT and OT so we can join forces in the face of a common threat? We can do this by letting our OT counterparts know we understand their challenges across three vectors:
Critical Assets – while you may not be familiar with terms such as programmable logic controller (PLC), remote terminal unit (RTU), or Energy Management System (EMS), you likely understand the underlying operating systems (commonly Windows or Linux), and the networking infrastructure.
Visibility – we’re all familiar with the idea that you can’t protect what you can’t see. Due to the critical nature of the processes that control systems operate, OT cannot usually see more than fifty percent of its infrastructure. Security professionals understand that visibility is the first step to good security. Getting a grasp on what you need to be monitoring within this environment must be your initial goal.
Scale – industrial systems are large, and we need to help our OT friends protect systems at scale even if they are not easy to access or even connected to a network. How do you protect thousands of miles of oil pipeline in remote areas of the world?
Saying hello to “OT Sec”
As the defenders of this unfolding threat landscape, securing the OT world will ultimately become your responsibility. It’s a priority with higher stakes than we’ve faced as a society. It will require you to own complex challenges and take a leadership role, as you did 15 years ago when you bridged a similar gap with IT.
How can you do it? You will need to influence OT by understanding the business outcome of operations, and how an attack can impact and take control of programmed manufacturing flow. Learning the systems, priorities and language of the OT world will help you gain entry. With this new way of thinking a partnership can be formed – one where you design and create, and OT decides on mitigation.
What’s the good news? You already have experience bridging that gap – with DevOps. 15 years ago the IT relationship with App developers was adversarial. IT cared about availability and uptime. Application developers cared about getting products to market and serving consumers. And surprisingly – we now have DevOps where IT, app dev, and security work together.
The rise of the machines is the era of IoT and defending this expanded threat landscape necessitates a partnership with the OT world. Leverage our successes of the last 15 years to lead us into the next decade of Security and say hello…to OT Sec. Because the attackers? They’ll be back. And now we’ll be ready!
This blog post is a summary of Cisco’s keynote presentation from Matt Watchinski and Liz Centoni at RSAC 2019. You can watch the keynote replay now.