WWT's OT Security Experts, Gregory Nicozisis and Alex Bond, Report on S4X23
The S4x23 ICS security event took place February 13-16 in Miami, Florida. With over 1000 attendees from 28 countries around the world, this year's S4x23 conference saw 64 diverse performers give insight on the future of OT and ICS security across 3 different stages. Topics covered included the rapid evolution of OT and ICS cybersecurity, current organizational challenges and trends, and ways the cyber community can join forces to build a stronger, more secure future for OT and ICS environments.
Now, let's see what the event was like on the frontlines…
Day 1 – Tuesday, February 14, 2023
The opening keynote address from Dale Peterson kicked off the conference for the 1000 OT Security attendees. Dale's theme for the address was "Explore," which was perfectly fitting for the tone of the event. We, in the OT Security world, are always exploring how to address, investigate and figure out the best path forward in a forever-evolving environment with vast amounts of legacy systems.
Dale's address got us thinking… The OT environment has been around much longer than the IT world we are more familiar with, yet exploring how to secure this environment is new. Understanding and admitting what we don't know is a starting point for this journey. Exploring what OT Security means to us now is necessary. We need to define OT itself by determining what we are trying to target, what systems and devices are present, and how our specific OT worlds are run; only then can we begin the journey to secure it all.
After the keynote address, we picked up our S4 swag. Since the conference was held in Miami, some local flavor was included in our bag of goodies. One of them was locally produced coffee grinds in a Cuban flavor. Mmmm good, I do love great coffee!
A common theme for the day was that the attack vectors, threats and concerns familiar to cyber security professionals in the "IT world," including the dangers of Ransomware, stolen credentials, and data exfiltration, are also common in the "OT world!" In addition, both environments are highly sensitive to threats related to geo-political tensions, which concern organizations that produce materials vital to national defense (weapon parts, micro-chips, vehicles, etc.).
Cyber security awareness of potential threats becomes more crucial in the OT world. So how do we approach securing this environment, given that the IT approach to security is often vastly different in an OT landscape?
Day 2 – Wednesday, February 15, 2023
In the session on Security by Design Decisions, presented by Sarah Fluchs, there was a discussion on how we can help product and system engineers move security into the design phase. Operational technology operators invest far more resources in securing systems after procurement, where options are limited and they are trying to secure the environment around the system, rather than giving system engineers the resources to create secure designs.
Fluchs focused on how we can help engineers make guided security decisions by applying a security engineering framework that would allow them to create secure designs leveraging filters, standardized control libraries and diagrams.
While moving security into the design phase has long been acknowledged as the most efficient way to produce a secure design, it is uncommon for system engineers to have the time, resources, or security expertise needed to implement robust security controls in the design phase. If system engineers are to be expected to implement security controls, we need to find ways to enable them to do so, and I think an approach such as the one proposed in this presentation is a great place to start.
Are we on the right track for addressing OT/IoT/ICS security initiatives?
A common theme for the day – organizations typically have, to varying levels, a grasp on what is compromised within their enterprise or IT landscape, but not so much within their OT/IoT/ICS landscape.
With a growing number of methods and solutions for addressing security within this landscape, it all usually comes back to fundamentals. What does this network look like? What devices are on the OT network? How do they communicate, and which vendors have access to this environment to support these specific systems? Tools will not solve these issues alone and they will not always do what you think they will do!
Referencing the Purdue Model, consultants and plant managers will say:
- Thou shalt not transfer data directly between Level 4 and Level 3.
- Thou shalt not use the Internet on the Manufacturing floor.
- Thou shalt only operate on-prem.
Is the Purdue Model still relevant? This is a question that came up several times during day two of the conference. The concise conclusion, with which we completely agree, is that of course it is! However, the key difference is not the Purdue Model itself, but how we approach and address security within the Purdue Model. The foundational approach is to understand the environment first and foremost before applying technology and processes to Purdue. This is the core theme of the day.
Assessing an organization's OT environment and the risks, gaps, network and assets associated with it are the first steps in the journey. Once this environment is understood, it can be mapped to the Purdue Model, and the proper next steps toward securing it can begin. The Purdue Model can be different for every organization.
Before technology can be applied on any level, the lay of the land needs to be identified and documented, prior to the onset of the technological conversation. What may work in one organization may not work in another. "Risk and visibility assessment" may be an overused phrase in the IT world, but that is for good reason: such assessments are a necessity!
Day 3 – Thursday, February 16, 2023
The last day of the conference was loaded with strategizing and executive-level perspectives. As more and more organizations place the responsibility for securing OT within the IT security teams (the CISO, security directors, cyber engineers, etc.), more questions arise, including: how do we begin?
Often, the cyber security teams are well versed in securing IT with strategy initiatives, road-mapping, budget and resourcing, and deep-level technical expertise. The problem? Much of that experience often does not translate to securing an OT environment. Executive leadership then asks: how is progress measured once we begin our OT Security journey?
There were several sessions that included interviews with executives from various organizations. One of the common questions asked of these executives: What does OT or OT Security mean to you? It's a fantastic and important question to ask anyone with governance in this space. There were very interesting responses from all of the executives involved.
The point? The Purdue Model is relevant, but how it is approached is always different based on the organization and how their environment is set up. Yes, it's the people, their processes and of course, the technologies used to build their products. This leads to understanding their environment before applying OT security principles to secure these environments.
A comical but very important session on day 4 was a gameshow format called "My Favorite Metric." There were 3 judges and 3 contestants. The contestants had five minutes to present what they thought would be the best way to measure OT security progress. The judges had feedback for each contestant, both the good and not-so-good. At the end, a winner was chosen, but we all got the message that even though certain metrics are a solid bet, one metric that works for an organization may not work for another!
It was truly exciting to attend the S4 OT Security conference with all the great strategy and technical minds around the world conversing about all things OT Security. The Cyber Security practitioners in attendance have always deeply understood the importance of security and cyber awareness, and this event shows that it's becoming equally important to the executive leaders and boards of directors, who have come a very long way in this regard.
What's most exciting is that now that awareness is growing for the OT environment, a whole new world and approach have begun!
Thank you for taking time to read this. We hope you enjoyed it.
Greg Nicozisis and Alex Bond signing off!