In the first three parts of this blog series on cybersecurity for OT critical infrastructure, we discussed the elements and specific roles of verification and visibility in an effective cyber-resiliency framework. It is also important to note the role of velocity in the resilience equation: verification and visibility must be achieved at speed in order to protect assets, monitor them, and respond to an incident.
Cybersecurity frameworks and strategies all recognize the need for speed. In the NIST Cybersecurity Framework, rapid response and mitigation are prioritized: “Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity incidents. Also, activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.” (Respond function, NIST Cybersecurity Framework.) NERC’s CIP-008-5 standard mandates that “security incidents related to any critical cyber assets must be identified, classified, responded to and reported in a manner deemed appropriate by NERC.”
VELOCITY – Verification and Visibility at Speed in Protecting Digital and Physical Assets in Critical Infrastructure
The current critical infrastructure threat landscape includes sophisticated and capable hackers from state actors and organized criminal gangs, who often share the latest and most effective tools and tactics with each other. A breach can have catastrophic consequences for OT industrial systems, so security measures must operate with speed to mitigate threats. This operational velocity is required for monitoring ports and services, security patch management, malicious software identification, and especially rapid incident response.
A quote from Gene Yoo at the Forbes Technology Council succinctly presents the stakes for both IT and OT operations: “In cybersecurity, speed defines the success of both the defender and the attacker. It takes an independent cybercriminal around 9.5 hours to obtain illicit access to a target’s network. Every minute a company does not use to its advantage gives hackers a chance to cause greater damage.” (The Importance Of Time And Speed In Cybersecurity, forbes.com.)
What is necessary to achieve verification and visibility at speed, and so reduce the threat from attackers? George Platsis, Senior Lead Technologist, Proactive Incident Response & Crisis Management at Booz Allen Hamilton, sees the need for a combination of three factors: resources, organizational structure, and environment understanding. He notes that “you can have all the resources in the world, but if your organization is not structured to execute, you will have blind spots. Proper resources give you capability. Sound organizational structures give you ability. Strong environmental understanding gives you knowledge. There is your trifecta.” He sees technology as an enabler that adds velocity to those three factors: “well configured automation increases your resource capabilities and possibly your environmental understanding.”
Automation for velocity is also a theme articulated by Patrick C. Miller, CEO at Ampere Industrial Security and Founder and President Emeritus of the Energy Sector Consortium. He believes that collecting operational and security telemetry from systems and networks, then analyzing it through tools and human review, requires a significant amount of integration. He says that making the data useful and removing unnecessary alerts or false positives to chase down is essential for response, and that this can probably cover as much as 70%-80% of the work. That automation allows for significantly greater speed. Patrick says that “the challenge is to automate where it makes sense, and with tested/proven process. All automated processes require independent monitoring, as well. Checks and/or tests to ensure the process is still functioning as expected (all controls intact and working) are crucial. This applies to the areas of 1) asset inventory; 2) phase out of fragile systems; 3) architecting networks and systems for defense; 4) change control and configuration management; 5) logging and monitoring; 6) reduction of complexity; 7) well-rehearsed incident response and recovery.”
According to Marcus Sachs, Research Director for Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security, and former Senior Vice President and Chief Security Officer at the North American Electric Reliability Corporation, we are making headway on verification, visibility, and velocity. If the computer knows what is going on, the machine knows it and is logging it. He says that “if you’re looking at your logs, and doing log reviews, and even having a machine review your logs for you, you’re going to see things very quickly. But if you wait for the phone call, or you wait for the website that goes down to be your first indication there’s a problem, you are way behind the curve.”
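The two preceding points, machine review of logs so that problems surface in seconds rather than after a phone call, and Miller's requirement that every automated process be independently checked to confirm it is still working, can be shown together in a small script. The following is an added example written for this post, not code from any of the people or organizations quoted; the log format, hostnames, IP addresses, service baseline and thresholds are all constructed for illustration. It runs a first pass over a handful of syslog-style lines from an OT segment, flags repeated failed logins and a listening service that is not in the host's baseline, and then performs the self-check: a baselined host that has gone silent is reported as a finding, because silence may mean the logging control itself has failed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the post): one OT segment, syslog-like.
SAMPLE_LOGS = [
    "2021-11-04T08:00:01 hmi-01 sshd: Failed password for operator from 10.20.1.55",
    "2021-11-04T08:00:03 hmi-01 sshd: Failed password for operator from 10.20.1.55",
    "2021-11-04T08:00:05 hmi-01 sshd: Failed password for operator from 10.20.1.55",
    "2021-11-04T08:00:09 hmi-01 sshd: Failed password for operator from 10.20.1.55",
    "2021-11-04T08:01:10 hmi-01 sshd: Accepted password for operator from 10.20.1.55",
    "2021-11-04T08:02:00 plc-gw-02 portmon: new listening service tcp/502",
    "2021-11-04T08:02:30 plc-gw-02 portmon: new listening service tcp/4444",
    "2021-11-04T08:03:00 hist-01 sshd: Failed password for admin from 10.20.1.90",
]

# Constructed baseline (hypothetical asset inventory): services each host should expose.
EXPECTED_SERVICES = {
    "hmi-01": {"tcp/22"},
    "plc-gw-02": {"tcp/502", "tcp/22"},
    "hist-01": {"tcp/22", "tcp/443"},
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
LISTEN_RE = re.compile(r"new listening service (\S+/\d+)")


def parse_line(line):
    """Split a syslog-like line into (timestamp, host, program, message); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group(1))
    except ValueError:
        return None
    return ts, m.group(2), m.group(3), m.group(4)


def review_logs(lines, now, expected=EXPECTED_SERVICES, max_failures=3,
                window=timedelta(minutes=5), max_silence=timedelta(minutes=10)):
    """First-pass machine review. Returns findings as dicts with kind/host/detail.

    Checks: repeated failed logins from one source within `window`; a listening
    service missing from the host baseline; and the monitoring self-check, which
    reports any baselined host silent for longer than `max_silence`.
    """
    findings = []
    failures = {}   # (host, source ip) -> timestamps of failed logins
    last_seen = {}  # host -> most recent log timestamp
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            findings.append({"kind": "unparsed", "host": None, "detail": line})
            continue
        ts, host, _prog, msg = parsed
        last_seen[host] = max(ts, last_seen.get(host, ts))
        fm = FAILED_RE.search(msg)
        if fm:
            stamps = failures.setdefault((host, fm.group(2)), [])
            stamps.append(ts)
            recent = [t for t in stamps if ts - t <= window]
            if len(recent) == max_failures:  # fire once, when the threshold is crossed
                findings.append({"kind": "auth_bruteforce", "host": host,
                                 "detail": f"{len(recent)} failures from {fm.group(2)} for {fm.group(1)}"})
        lm = LISTEN_RE.search(msg)
        if lm and lm.group(1) not in expected.get(host, set()):
            findings.append({"kind": "unexpected_service", "host": host, "detail": lm.group(1)})
    # Independent check on the automation itself: a silent host is a finding too.
    for host in expected:
        seen = last_seen.get(host)
        if seen is None or now - seen > max_silence:
            detail = "no log lines received" if seen is None else f"last seen {seen.isoformat()}"
            findings.append({"kind": "telemetry_stale", "host": host, "detail": detail})
    return findings


def demo_findings(now_iso="2021-11-04T08:12:00"):
    """Run the review over the constructed sample at a constructed 'current time'."""
    return review_logs(SAMPLE_LOGS, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f['kind']:20} {str(f['host']):10} {f['detail']}")
```

On the constructed sample the review raises three findings: the burst of failed logins on hmi-01, the unexpected tcp/4444 listener on plc-gw-02, and a stale-telemetry finding for hmi-01, which has sent nothing since 08:01:10 while the review runs at 08:12:00. The third finding is the point Miller makes: without it, a host whose logging stopped would simply look quiet.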
Emerging technologies, including artificial intelligence, are changing the game in terms of doing things faster and having the ability to monitor equipment and threats and to automate incident response. The new capabilities for automation and reaction at speed are highlighted in a Congressional Research Service report, “Evolving Electric Power Systems and Cybersecurity,” dated November 4, 2021.
The report states that “while these new components may add to the ability to control power flows and enhance the efficiency of grid operations, they also potentially increase the susceptibility of the grid to cyberattack. The potential for a major disruption or widespread damage to the nation’s power system from a large-scale cyberattack has increased focus on the cybersecurity of the Smart Grid.
The speed inherent in the Smart Grid’s enabling digital technologies may also increase the chances of a successful cyberattack, potentially exceeding the ability of the defensive system and defenders to comprehend the threat and respond appropriately. Such scenarios may become more common as machine-to-machine interfaces enabled by artificial intelligence (AI) are being integrated into cyber defenses.” (CRS report R46959, congress.gov.)
In this blog series we discussed the elements of (1) Verification, (2) Visibility, and (3) Velocity for cyber resilience, particularly in OT critical infrastructure systems. Those three elements do not stand alone as pillars; they are part of a unified cybersecurity triad. It is this triad of velocity, visibility, and verification that will help critical infrastructure operators assess situational awareness, adhere to compliance mandates, align policies and training, optimize technology integration, promote information sharing, establish mitigation capabilities, maintain cyber resilience, and ultimately be more cyber secure.