
OT-hanksgiving: What to Be Thankful For in ICS Cybersecurity

Ron Fabela, SynSaber CTO & Co-founder

2022 has been a whirlwind of activity in ICS cybersecurity. As we take a step away to enjoy family, friends, and feasts during the holidays, let’s look back at the year and give thanks for some initiatives that are moving us towards a brighter ICS security future.

Side note: Celebrating Hanksgiving has been a tradition in our household since it was first mentioned on The Big Bang Theory. For ideas on how to combine my Thanksgiving meals and dad jokes (my two favs), check out https://www.vulture.com/2013/11/hanksgiving-recipes-based-on-tom-hanks-movies.html

Patch Me if You Can (Cyber-Informed Engineering)

A continuing challenge in ICS security is the concept of “insecure by design,” or the idea that industrial control systems don’t have security built into their engineering and architecture.

Hardly a new subject, it was solidified in the community as part of DigitalBond’s Project Basecamp efforts (for a glimpse into S4s of old, check out Reid Wightman’s presentation at S4x12 https://www.youtube.com/watch?v=dtadMIN3CCc) and has gained new traction as a phrase of the day.

As with Shodan or “Air Gap,” we in ICS tend to fixate on negative examples and experiences of the ICS cybersecurity challenge.

That’s why I’m thankful for a new focus spearheaded by INL (Idaho National Laboratory) and others this year. The antithesis of “insecure by design” is “Cyber-Informed Engineering,” which looks forward into the future and challenges us to find opportunities to build in cyber security instead of bolting it on.

Here are some excellent resources for Cyber-informed engineering:

The Source
https://inl.gov/cie/

The Strategy
https://www.energy.gov/sites/default/files/2022-06/FINAL%20DOE%20National%20CIE%20Strategy%20-%20June%202022_0.pdf

This was further expanded upon by Andy Bochman and Sarah Freeman, adding an important qualifier: “Consequence Driven.” Important because in industrial security, it’s not enough to fear the theoretical or real “threaty threats” or put too much focus on CVEs (https://synsaber.com/industrial-vulnerabilities/).

The impact on operations or “consequences” must be considered to provide practical risk evaluation.

The Source
https://inl.gov/cce/

The Book!
https://www.routledge.com/Countering-Cyber-Sabotage-Introducing-Consequence-Driven-Cyber-Informed/Bochman-Freeman/p/book/9780367491154

🦃 Why I’m Thankful: A positive and proactive approach to the challenge instead of more negativity!

You’ve Got Money! (Federal Funding for ICS Cybersecurity Programs)

The government often falls into the carrot or stick category for industrial control system security.

While there has been a resurgence of guidance with the building of CISA (which could be a precursor to a regulation stick), we also had some great carrots come out of the legislation.

Industrial control system security is getting the attention it deserves, and this time it’s coming with funding attached!

Some highlights include:

While government funding won’t solve everything, a lack of resources is often the first hurdle to implementing any cybersecurity program.

Not since the Recovery Act earmarked money for smart grid modernization (with cyber! https://www.smartgrid.gov/recovery_act/) have we seen this much focus on resources for securing and strengthening our infrastructure.

🦃 Why I’m Thankful: Not only is the community understanding cyber security, but they now have the seed money to go invest!

A Beautiful Day in the ICS Neighborhood (Back Together as a Community)

Although there is plenty of turmoil in the world, 2022 saw the ICS security community coming back together at conferences more and more.

The people of ICS (operators, consultants, vendors, OEMs, and government) all have a critical role to play, and let’s face it, we play better together.

Even with the slow start due to the pandemic, the ICS security roaring 20s are in full swing!

Never before have we had more conferences, content, guidance, and technologies available to solve the problem. We are truly standing on the shoulders of giants, and the new generation of passionate ICS security community members are creating more and more content to help everyone. Here are some shout-outs for great content in the ICS cybersecurity space:

Dale Peterson:
Founder of Digital Bond and the S4 conference, Dale has been a consistent source of meaningful content. As the S4 event grew from a few dozen nerds in a conference room, so grew the content in between S4s.

https://dale-peterson.com/podcast-2/
https://www.youtube.com/@S4Events
https://www.linkedin.com/in/dale-peterson-s4/recent-activity/shares/

Top 20 Secure PLC Coding Practices:
Sarah Fluchs and Vivek Ponnada did something few in the industry have achieved: take an idea and see it through to execution. From the website: “The aim of this project is to provide guidelines to engineers that are creating software (ladder logic, function charts, etc.) to help improve the security posture of Industrial Control Systems.”

The project is the tactical implementation of lofty goals such as Cyber-informed engineering. Sarah, Vivek, and the team have provided both the use case and template for what I hope are more positive practical implementations of cybersecurity for years to come.

https://plc-security.com/

Insane Forensics:
Dan Gunter isn’t just a good friend that I don’t get to play video games with enough; he’s also an expert in threat hunting with a wealth of experience in industrial control systems. In return for game time, we in the community have weekly “Tech Talk Tuesdays” that deep dive into useful subjects for any ICS defender.

https://www.youtube.com/@insaneforensics
https://www.linkedin.com/company/insane-forensics/
https://insaneforensics.com/

🦃 Why I’m Thankful: Content generators from a wide range of backgrounds and experience make our great community even stronger!

Looking Forward to ICS Cybersecurity in 2023

There’s plenty to be thankful for in 2022, and I hope you go out and find more positive impacts in industrial cyber security. Not only should you find them, but be sure to amplify them! Too frequently, it’s the negative content that gets the shares and clicks. So it’s up to us to ensure that our community’s great works and efforts do not go unnoticed.

As we move into 2023, I’ve begun to think about the practical application of securing our critical infrastructure. This is exciting! No longer are we a small community thinking about what the art of the possible can be. Now is the time to act! We have the resources, talent, guidelines, and passionate community members to make 2023 a time of action.

I’m thankful for an ICS security community that will make the roaring 20s not another lost decade, but a decade of positive impact.

~Ron 💜🚀