CarahCast: Podcasts on Technology in the Public Sector

Episode 3: A Zero Trust Approach to Secure Operational Technology Systems

Episode Summary

In this podcast, our panel establishes key steps agencies should take to modernize, converge, and align their IT and OT systems.

Episode Transcription

Corey Baumgartner  00:14

On behalf of BeyondTrust, Tenable and Carahsoft, we would like to welcome you to today's podcast focused on a Zero Trust approach to secure operational technology systems, where Brian Gattoni, Chief Technology Officer at CISA, Dr. Brian Gardner, Chief Information Security Officer for the City of Dallas, and Lance Cleghorn, a digital service expert at the Defense Digital Service, will outline steps to modernize, converge and align OT systems with Zero Trust principles.

 

Josh Brodbent  00:45

We are getting lots of great questions, and I really appreciate that. We're going to try to do my best to work as many of these in as we possibly can. So this question is going to be for Lance. And it's actually a couple of questions that have come in that I feel like you could answer very well. One of them has to do with, you know, solving the funding issue inside DoD for upgrades and the implementation of cyber hardening requirements. So how do they sell their need to get that funding and start implementing the upgrades and mitigations that they need for securing their IoT infrastructure?

 

Lance Cleghorn  01:18

This is a fantastic question. And you can really tell this person is currently living under the struggles of DoD when it comes to IoT. So funding is absolutely one of the areas that I think lacks the current, like, drive that we need, right? So it sort of goes back to an earlier point I made where, like, leadership is really heavily invested in how they perform in terms of IT and IT cybersecurity, but that really doesn't translate well to OT. So from sort of a top-down approach, DDS has been working specifically with the Secretary's office and other folks to help identify how we can actually start to evaluate OT, and then from there it sort of tacitly implies that we would also have to attach funding. You're very right, though, funding within DoD is something that's hard to come by. I think that's a general nomenclature across all of industry. But it's especially true in sort of this fall-between-the-cracks kind of area of OT and CS. But I think really unlocking the ability to first assess and determine risk, that's how you really start to present it to leadership, right. And then it's their responsibility to sort of start making the ruckus that's necessary to ultimately secure that kind of funding. But it's a very good question.

 

Josh Brodbent  02:29

Thank you, Lance, I appreciate that. This one's for Michael. Michael, given the evolution of properly quantifying OT risk, what's a good approach for prioritizing risk mitigation vulnerabilities?

 

Michael Rothschild  02:40

Yeah, it's a great question. You know, one of the things that is an industry standard are CVSS scores. It tells you exactly what is happening. When you have a Log4j or anything else that's out there, it gives you kind of a, it's almost like a storm scale of how bad that storm was, in this case a cyber storm. Potentially one of the things that it doesn't take into account, and it can't for every infrastructure, is what does this mean to your environment? And what I mean by that is particularly, you know, you're running an environment, maybe manufacturing, maybe critical infrastructure like water or electricity that Dr. Brian and I mentioned before, these assets that are affected. First of all, how many assets are affected by Log4j, or by an OT vulnerability? And what are some of these assets, these PLCs that are running? What are they actually doing in terms of the operation in your OT environment? So one of the things that we recommend is not only to take into account your CVSS scores, but also create something called a vulnerability priority rating score, which takes into account things like asset criticality, how many assets are affected, these types of things. Why is that important? Well, in many of our OT infrastructures, we don't have the same maintenance windows that we do on the IT side. We may only shut down for maintenance windows two, three, maybe four times a year. So you're gonna have to live with a lot of these vulnerabilities for a while, and there's other compensating controls that you need to take care of so those vulnerabilities don't actually get exploited. So again, one of the things we recommend is having this vulnerability priority rating score. So when you're ready to take down for maintenance, you have a triage list of what you need to deal with first, second, third, and so forth.
So those two in combination, the industry standard CVSS score and your own vulnerability priority score, or VPR score, which takes into account, you know, operations and asset criticality and number of assets and these types of things. We believe that both of those scores are really important for you to address those risks.

 

Josh Brodbent  04:47

That's a great answer, and especially having, you know, a score that you can quantify those things off of is obviously a good place to start. Dr. B, you mentioned earlier, you know, proper segmentation in your network. Talking about good segmentation, when does a segment start, and where should you end it? Like, as we talked about convergence, and again that question of what's what, when you have a question in those gray areas, how do you look at that?

 

Dr. Brian Gardner  05:14

So, really, when you look back at Zero Trust, right, you're looking to minimize the trust into that network. So whatever is going to give you the most secure answer, that is our approach, and then go from that point forward. I did want to add, I meant to jump on with Michael and the question, another good way to communicate risk is really if you can quantify in dollars. Our management really understands dollars. So I apologize, I meant to jump on there, Michael, to say if you can put it in dollars and cents, they get it, they really do get it. But to your question, Josh, it's really understanding how we can reduce the risk as much as possible. So what is going to be the most secure fashion, and reducing that to zero, close to Zero Trust, if we can get there? That's when we segment. That's how we approach it. Really, with some DHS guidance, that's how we've done it in the past.

 

Josh Brodbent  06:20

Yeah, that's a great answer. Especially the DHS guidance that's in there. So I'm gonna ask this question to Lance. Somebody wanted to know, how much information about OT networks is it appropriate to keep on an open network?

 

Lance Cleghorn  06:33

That's a good question. So typically, like, network maps of any kind, at least if we're talking about within DoD, they typically fall into the CUI/FOUO category, right, where they're not typically releasable in a public fashion. I've definitely seen network maps that are very, very high level, but usually at that point, you know, they kind of lose their value. So just sort of saying, like, we have AWS infrastructure, right. Typically, if you're talking about an open system within DoD, it's that level of non-specificity that's usually required. It's usually very difficult to share those kinds of things without encroaching on the CUI/FOUO category.

 

Josh Brodbent  07:08

Okay. Thank you for answering that. So, I will also throw that question to Brian. You know, from an offensive perspective, Brian, what do you think about net maps being stored on open systems?

 

Brian Gattoni  07:22

I agree with Lance, right. If you get to the level where the engineers could assure that it's working, it may be something you want to keep control of. But if it's to communicate the relationships between entities, to communicate the relationships between vendors and service providers at a high level, you can still have a lot of really useful conversations on where folks are going together. So there's room for all of them. But there's a level of protection necessary when you get down to that network map level. Right? If I see IP addresses fully laid out, I better see a marking at the top of the paper.

 

Josh Brodbent  08:01

Yeah. So Brian, I'm gonna follow on with a question to you. What if an environment is not converged? What other security threats, if any, do we need to worry about?

 

Brian Gattoni  08:12

It's an interesting question. And I'll be frank, I don't have a lot of specific hands-on experience with OT networks, just with discussing with OT providers, right. The folks that do that work, there's a lot of reliance on the physical security that, you know, protects access to any device on that network. And I say network in the sense that they may be connected by wires, but they don't at all resemble what we are used to in a classic IT environment, right? They'll use combinations of electrical pulses, or they'll use combinations of really bespoke, niche, proprietary protocols to send their ones and zeros back and forth to do their business, which is why Michael's entirely right: you scan it, you could tip it over. So a lot of the folks I've discussed, you know, non-converged operational technology with, the concerns rely very heavily on the physical security of the network and its attached devices to provide that assurance that it will do what it's supposed to do when it's supposed to do it.

 

Josh Brodbent  09:18

Awesome. Lance, do you have something to follow up there?

 

Lance Cleghorn  09:21

Yeah, sure. So I think this is a really good question. I think that there's really a reason industry has already concluded that convergence is the right way to approach OT. You know, when we were doing a lot of assessments of OT networks, we really saw the greatest hits album of unsupported Windows operating systems. So all the way from XP up to 7. One Vista box, it was awesome. But really, ultimately, think about how difficult IT management is in an air gapped or isolated environment where there's no internet. Almost all patches nowadays are staged installers where they come with a very small footprint, and then they pull down the rest of the patch from the internet, right? So DoD specifically has a lot of experience with patching air gapped systems, right? Like, that's how we handle, you know, classified networks. But at the same time, OT presents a very unique sort of situation, because a lot of times these kinds of networks aren't given the same level of care and feeding that we would give, you know, other air gapped networks, right. I think it's a really good question. And I think it really goes down into how air gapped the system actually is. I think Brian made a really good point earlier: there's probably some hidden points of convergence that you don't already know about. Right. So it's definitely an interesting thing, going out in the field and seeing how these networks are converged already, if that makes sense.

 

Josh Brodbent  10:41

Yeah. For a follow on here, Michael, why don't we get an industry perspective?

 

Michael Rothschild  10:45

Yeah. So one of the interesting things that we've seen is that there are a lot of good reasons to have IT and OT converged, and many companies are doing it. I mean, we've spoken to many companies where IT and OT are now working together, and there's good reasons from a cost perspective, from a visibility perspective, from an operations perspective. But having said that, there are just so many industries that are keeping that air gap. And one of the really important things that we saw over a decade ago was that you can be accidentally converged. It can be something really simple, as bringing in a thumb drive. It can be something really Mission Impossible-esque, that you bring in your cell phone and the radiation off one of these devices can actually hit a tower somewhere. So unless you're in a gigantic Faraday box, you should assume from a security and risk perspective that you may be accidentally converged. So just because you say you have an air gap doesn't necessarily mean you do have an air gap. And it's also incredibly important to keep in mind that while nine times out of 10, maybe even nine and a half times out of 10, your employees don't intend to do anything wrong, that can sometimes be the biggest attack vector, unintended attack vector, that can happen out there, again, as simple as bringing a thumb drive into an air gapped environment.

 

Josh Brodbent  12:09

Yep. That's a great point, Michael. And we've had a lot of great questions today. I'm going to start kind of moving towards final thoughts that you want to leave the audience with. You know, we're having this conversation around OT and IT and a Zero Trust approach to, you know, to OT systems. I've had to deliver a lot of presentations over the past 24 months around this topic. And you know, I've talked a lot about the non-human accounts and Zero Trust, right. Everybody likes to talk about identities and identity management, and how all of that stuff comes into play. But you know, I find the non-human accounts, the OT accounts, to be a huge risk for us from a Zero Trust perspective. And that's definitely, as you guys have said, in those air gapped environments, in the physical security environments, you know, it's essentially the traditional castle-and-moat type perimeter security, and we're trying to move away from that. So as we kind of wrap up here, I'm gonna give each of you just a couple of minutes to give your final thoughts around what Zero Trust should look like in an OT environment, and maybe a thought that you want to leave the audience with here. So I will start with Dr. B. Why don't you kick us off here?

 

Dr. Brian Gardner  13:23

Sure. Thank you, Josh. So from my perspective, I'll tell you, when I came to see, I didn't even know what an OT environment was. So really partner with the OT, the people on the OT side, because I think somebody early on mentioned that there's no understanding, I think it was Lance mentioned, there's just not an understanding between those two, and really understand how to get that convergence, and then really work with them on the cybersecurity side. That's what's been effective here. To that point, really start to educate them on what that means from a Zero Trust perspective, and then really learn that OT environment. So as we converge, we're really partnered in securing that in the best way possible. That's what I would leave with.

 

Josh Brodbent  14:10

Thank you, Dr. B. I'm gonna move over to Lance. Give us, like, two minutes of your thoughts here.

 

Lance Cleghorn  14:15

Yeah, so I would definitely say, like, you know, as it comes to Zero Trust and convergence and all these things, do what you do best, right: assess risk, and don't rush to meet the next buzzword or do the thing that you've noted some industry person is doing or championing, right. We've seen a lot of things in our assessments where there are air gapped networks that are perfectly secure and in a really great way. And we've seen things where there's converged networks that are potentially heading in the right direction, but I don't think you should rush, you know, to try and fit inside of a box. One of the sort of war stories we had out in the field is we saw a contract specialist out, like, noting, I think someone mentioned in the chat doing a site walkthrough as a result, someone actually taking asset inventory with pen and paper. And when it came right down to it, you know, initially we were like, oh, that's a really bad idea, right? And then when we actually worked it all the way through, we were like, actually, you know, that might be the best solution for this specific network, right? So I think, don't try and fit yourself into a box. You know, do what you do best, like assess risk and mitigate it, right? Like, don't try and converge, or don't try and be Zero Trust, if you can't.

 

Josh Brodbent  15:25

Thank you, Lance. That was great. Brian, over to you. Give us, like, two minutes of your final thoughts here.

 

Brian Gattoni  15:32

So final thoughts. One, thank you all for hosting this conversation as part of that larger dialogue to share best practices amongst the community, which is always fantastic. It's a reminder, as CISA works through the application of Zero Trust for the federal government, you know, that everybody's Zero Trust journey is going to be, I'll say personal, some people say local, but is going to be unique for your organization. And so as you look at the various described pillars of Zero Trust or the common architectures, right, when you go to apply it to operational technology, and you recognize that that operational technology is there to provide a critical service for your critical infrastructure, I like to lean into the visibility and analytics side of the Zero Trust journey: being able to maintain that confidence as you converge your OT, as you put Zero Trust into your paradigm, that that technology is performing its mission in an assured way, that those critical services that rely on that infrastructure are going to get what they need, whether that be, you know, clean water or enough power, whatever it is. That's what critical infrastructure owners and operators are in the business to do. And so the more confidence you can give yourself and your senior leaders that your convergence is going well, that you're spending their money on the modernization well, by maintaining the visibility and analytics part of the Zero Trust journey, I think it'll help you smooth out your transition.

 

Josh Brodbent  17:03

Awesome. Thank you, Brian, for that. And we will close at least this part of it. Michael, your industry thoughts here as we wrap up?

 

Michael Rothschild  17:12

Yeah. So I think two important things. In security, we always hear the sky is falling. I don't think the sky is falling. I think that there are risks; we're used to risk on the IT side, and it happens on the OT side also. And I think Lance put it really, really well in that don't have that knee-jerk reaction, right? You want to have a defined plan, and work the plan and execute on the plan. I think that's the first thing. The other thing is what we learned from IT: there is benefit to layered security. And when you look at OT, it's not an island or a silo unto itself, whether you converge or not. And part of that is being able to work whatever technology you put in to secure your OT environment. It needs to work with the technology that's there already, whether you're running a next-gen firewall, SIEM, SOAR, you know, a ticketing system, an IAM system. These things should work together, because we've seen too often that attacks can get in at the weakest point, and then laterally creep from one place to another. Build a solution, don't just deploy a product.

 

Josh Brodbent  18:16

I love that: build a solution, don't just deploy a product. I may steal that at some point, Michael, sorry. All right. Well, listen, I want to thank the panel for making this a really easy panel to moderate. I want to thank the audience for your participation.

 

Corey Baumgartner  18:31

Thanks for listening. We hope you enjoyed our podcast series Zero Trust Approach to Secure Operational Technology. If you'd like more information on how Carahsoft, BeyondTrust and Tenable can help secure your OT environment, please visit www.carahsoft.com.