It may have come to you in an email or perhaps during a 1:1 with your boss but either way the news probably caught you by surprise. You will be taking your security skills to the industrial side of the house.
Congratulations! And good luck – you are going to need it.
Much of what you have learned and the craft that you have perfected in protecting confidential information with your security wizardry won’t work in this new world. In fact that “I” in IT (information technology) isn’t nearly as critical and confidentiality is now on the lower end of the concerns spectrum. You are about to enter the “OT” where the O stands for operations. It is safety, yes human safety, and continuous operations that are more important than any kind of data slurping attacker.
So where to begin? Get your steel toed boots on and visit the plant, or whatever industrial environment you are there to secure and prepare to unlearn and relearn much of what you know. Its time to make new friends with the engineers that keep the products going out the door.
Lets start with that word “secure.” Sure, it still has that door lock connotation but there is more to it. Consider the view that the hinges on the door are *securely* attached to the frame. So the act of opening or unlocking won’t result in the whole thing falling on you. That means operating safely first and then “locked down secure” second.
And what is most likely, or most commonly going to bring those operations to a halt? Well chances are its an aging piece of equipment that was old enough to have chaperoned you on your first date. Those failures are one of the reasons people started connecting everything to modern networks in the first place. Monitoring things to know when they will fail and then preventing it. And how does that monitoring happen? Possibly not so differently from the very first telemetry efforts. You know, the ones that connected the Russian Winter Palace to Army Headquarters – in 1845. Signals over a wire. You can debug things by oscilloscope right? If not then perhaps these plant floor engineers have got some tricks worth learning.
What about those human caused events? The ones in the newspapers. The ones that got you hooked on this security journey? Those happen too but not as you thought. Perhaps some sleepy eyed process engineer accidently sets the cooling system threshold to 350 Celsius instead of 35. Or the eternally eager, fresh from college, new hire is dreaming of a big bonus when he decides to “optimize” the system that has been running fine for the last 15 years. What does that mean to you? A bit less “intrusion” and a lot more application control.
Speaking of human caused events – you don’t want to be a cause of one yourself. A natural desire to take a quick inventory or get a network map might drive you to run a quick scan and see what all is out there. But remember much of the connectivity and endpoints don’t have the most robust of TCP stacks in place. In other words your standard NMAP type approaches could take down the systems you were trying to discover.
So now what? Move slowly, cautiously, make friends with your OT brethren and watch this space. Over the next few months we will provide some best practices and “how to”s that will help your impeccable IT security expertise succeed in the OT world.