Industrial (ICS/IIoT/OT/variations of “not enterprise IT + physics”) infrastructure has benefited greatly, in one form or another, from having heterogeneous infrastructure. An electric transmission substation in one part of a single company is different from an electric substation elsewhere, even in the same company; often not only in vendor choices but in configuration, integration, implementation, and physical process requirements. The differences between industries are even more vast.
When attackers want to train for an offensive mission they routinely train and prepare for the environment that they will face. This is universal across domains and is not unique to cyber. As attackers gain experience through repetition, the ability to successfully repeat an attack increases. As attackers develop knowledge, especially among seasoned professionals on the team, they routinely codify that knowledge into software, or malware, to scale their efforts, especially to newer members of the teams. We have seen this as a community across numerous attacks. In the industrial community we saw the obvious expediting of knowledge from the Ukraine 2015 attack on the electric grid to the Ukraine 2016 attack, when knowledge was codified in the form of the CRASHOVERRIDE malware. Tradecraft to achieve successful attacks, once made public, is no longer bound to the team that created it and creates a blueprint for other teams. The increasing aggression and innovation of adversaries does not outpace defenders, but it creates an environment that becomes dangerous quickly for teams that do not invest properly in security.
None of these observations are novel. I have in many ways been inspired in my career by many professionals before me. I have learned from so many of those around me. My years in the U.S. Intelligence Community shaped my biases and world view. The peers I made early in my career were true experts and I received a leg up in that regard. But I write this blog as I think of one individual specifically tonight, Michael Assante. Mike has been one of the single biggest influences on my knowledge of ICS cybersecurity. One of the observations I naturally came to from spending time on defense and offense was that the heterogeneous industrial infrastructure we have, which lends itself to a sort of natural defense against highly scalable disruptive or destructive attacks, is shifting. We are seeing an increasing trend of homogeneous infrastructure as our industrial control and automation vendors acquire one another, settle on common technologies, and otherwise seek common operating platforms and approaches. This isn’t a vendor issue; the pressure comes from customers, and a vicious circle forms. This has been going on for years and is neither as easily explainable nor as dismissible as simply “IT and OT convergence,” although that surely plays a role.
There are numerous professionals who have thought about this challenge. I have hired many like-minded individuals to Dragos who have come to similar observations and felt a call to action. But notably on this topic I refer not only to Mike but also to Tim Roxey and Andy Bochman. Andy is fortunately evangelizing the work of Idaho National Labs on Cyber-informed Consequence-driven Engineering (CCE). CCE is a larger and more nuanced view of this topic, but for the purpose of a short blog I will try to easily express it with the simple question: “should the system controlling critical functions of protection and safety related equipment also be able to run Minesweeper?” Or as Mike would say, “it’s not analog systems, it’s next-generation-non-digital-assets.” We need to think critically, not about reversing the trend of industry or about how we continue to support business needs, but about how we as a community think about the evolution we are achieving and what risks to what specific systems are not worth accepting as a society.
I often get asked about what I fear in the world of ICS. I often talk about municipalities and cooperative electric systems, gas compressor stations, and infrastructure sites of underfunded but critically valuable infrastructure. I try to do this respectfully, understanding the hard mission many have and admirably take on, often under-resourced to do so. But one of the strategic things I fear most is that the heterogeneous infrastructure we take advantage of now one day crosses the line into homogeneous infrastructure to the point that once state-only cyber attacks become scalable enough for non-state actors. At that point, the dynamics shift drastically and irreversibly in a direction that poses significant risk to our world. We live with so much fear and hype around cyber attacks on infrastructure (seriously, the phishing email to the energy company isn’t killing anyone or taking down “the grid”) that I often try not to articulate those things that scare me most. However, as I go introspective tonight, thinking deeply of my friend Mike and the personal health battle he is waging right now, I cannot help but articulate, written to everyone, that I do fear the path we are on: with all the progress the industry is making (it is impressive to see what many of our infrastructure companies are doing), it is met with equally risky decisions that are forming a world where homogeneous infrastructure is met with scalable cyber attacks in a way that is difficult to counter at a pace society can accept.
I will always stress that defense is doable. I hope we as a community can ensure that we understand that statement does not mean “defense is easy” or that “defense is inherited,” but instead that it is an achievable goal we must work towards. My contribution to Mike’s view of the world is the understanding that the threats are becoming increasingly aggressive and numerous. Adding an intelligence-driven view of the world overlaid onto a consequence-driven view of the world can significantly increase our chance to prioritize risk reduction. As we balance the risks we accept with compensating controls, we will continue to win. If we make strategic missteps in our community, miscalculating the risk of our changing infrastructure, though, I fear the inevitable reality of an impactful infrastructure attack that leads to loss of human life.