In this week’s Whiteboard Wednesday, Scott King, Senior Director of Security Advisory Services at Rapid7 and Brian Proctor, Director of Strategic Accounts at SecurityMatters, team up to discuss how to manage F.U.D. in your ICS environment. Learn how to establish a program built on best practices to effectively understand and manage your ICS environment, as well as how to create a foundational framework to help protect your control systems.
Scott King: Hello, everyone. My name is Scott King and I work for Rapid7.
Brian Proctor: Hi, I'm Brian Proctor from SecurityMatters.
Scott King: Today, we're here talk to you about how to manage F.U.D. in ICS security.
Brian Proctor: Have you ever received those emails from your executives reading the latest news articles, asking, "What's our risk? What's the threat and what are we doing about the latest vulnerability that they read about?" I know I have as an asset owner. And today we really want to talk about strategies of when you receive those, what's a message that you can send back to those executives.
Scott King: And in order to effectively respond to those emails, one of the first things you need that you need to do as a security leader running a security organization is you need to be running a best practices program, that's based on a foundational framework, such as the NIST cybersecurity framework. A framework like that gives you all the foundation that you need in order to effectively understand and manage the types of controls and the types of risks that exist within your ICS environment. So when you get that email from your leaders that are asking you about the latest article they've read in the newspaper, you are able to effectively talk to the specific components and aspects of that article and respond to that, in terms of how that article can manifest itself into risk within your organization, and how you're effectively managing that risk.
Brian Proctor: Right, and one of the first things about starting a framework, starting a program based upon a framework, it's really starting with inventory. What do I have? What's out there? I used to get those questions a lot. How many relays, RTUs, PLCs, do you have? And when are they running? So right here we have a Purdue model network diagram that we've drawn up of a what you would typically find in a control system. And if you're an asset owner and there's a new vulnerability that's maybe related to a Rockwell PLC, and you don't know how many PLCs you have. And what firmware version they're running, you can't answer these historically difficult questions to answer. Really getting that inventory by whatever means possible, whether that's passively looking at the protocols or even doing physical site locks is also possible as well. But understanding the various assets in the various levels of your control system is very, very key. Because once you understand what's out there, then you can understand how to protect those assets.
Brian Proctor: If you cannot answer, "What do I have? What's out there?" You need to go back and start with that to really establish your program.
Scott King: I 100% agree. And typically what you read in these news articles is going to be conversations that are specifically talking about foreign hacker groups that are infiltrating infrastructure within the United States or within a particular segment of the United States. And the reality of that is a lot of those types of attacks are primarily based around things like email phishing, malicious web URLs, and essentially tricking users into visiting malicious websites. Now, one of the big questions that we get it is, well how would you pivot from an IT network that was infiltrated by an adversary into an OT network? And the answer is pretty straight forward. A lot of OT networks are connected to the same IT networks that people do business on and run their companies with. So by looking at a model like this, what you're doing is you're separating out your IT network from your OT network and you're able to apply a level of control that allows you to manage assets that are critical to the running of your systems in your ICS environment, that do not have any bearing whatsoever on your IT systems.
Brian Proctor: Great. That's our opinions on the first step of how to really manage F.U.D. in ICS cybersecurity. Thanks so much for tuning in. We'll talk to you next time.