The right mindset and the right preparedness!

#CyberSecurity #CyberRisks #CISO #IOCL #Tenable

Team Pro MFG

We will have to relook into the processes and we will have to create a purple team. The good thing is that we have the technology to enable practitioners to accomplish both the tasks. The right mindset and the willingness are needed to go ahead with it.

In this exclusive interview with Niranjan Mudholkar, Editorial Director, Pro MFG Media, Dr Yask Sharma, CISO, Indian Oil Corporation Ltd, explains that both technological complexities and advancements will continue to grow and bring in more risks in the power and energy industry, but that we need to have the right mindset and the right preparedness to use them to our advantage and to strengthen our cybersecurity programs. With his expert inputs, Kartik Shahani, Country Manager, Tenable India, adds further value to this insightful conversation.

Increasing use of digital technologies is bringing a new wave of cyber complexity. Does the industry have adequate cybersecurity programs in place to address these risks?

Let us first understand that the available technology tools are likely to be one step behind the cyber attackers. That’s because these tools have been developed or created to defend against an attack that has happened in the past. So these tools and technologies may not really work against any new form of cyber-attack. So relying completely on these tools to deal with the new security threats is not the right approach. At the same time, it is important to understand that the attackers too are using the same tools to carry out these sophisticated attacks. So our cybersecurity preparedness depends on how we are using those tools. Of course, the advancement in technology has certainly equipped the practitioners to do what was not possible earlier. Today, everybody is connecting from multiple devices. Just a couple of years back, we did not have that kind of visibility through various mobile devices. But now we have these EDRs, extended detection, and so many other factors which bring in a lot of visibility and these are certainly aiding the security practitioner. So both technological complexities and advancements will continue to grow and bring in more risks, but we need to have the right mindset and the right preparedness to use it to our advantage and to strengthen our cybersecurity programs.

The interconnectedness of the OT and the IT is further exposing people, equipment, processes, and intellectual property to cyber threats. How can we stay a step ahead in this situation?

The first step towards solving a problem is to accept that there is one. Gone are the days when we could take some kind of alibi and say that OT is not my area or say that IT-OT integration is fairly new. Incidentally, I have done my PhD on the subject of OT security and my learnings are based on actual work experiences. The whole world woke up to this concept of OT security probably around 2010 when Stuxnet (malicious computer worm) was discovered. So it has been a little over a decade now since that attack. But we haven’t made enough progress in that time. So yes, it is absolutely important to look at OT security from the three angles of people, equipment and processes. I don’t think that technology or the equipment factor is lacking anywhere; in fact, technology has been advancing and it is equipping the security people. What a security practitioner needs to understand is that technology can only do so much. It will give us visibility and it will give us vulnerability points. Now, are we really looking at the people and the processes? Let’s start with people. When it comes to IT-OT integration, we need to create a purple team - it has to be a mix of both IT and OT. Please understand that whatever is happening in OT – as far as the cyber space is concerned – it is actually about the IT of OT! There are no attacks happening purely on the OT system where IT is not involved. Therefore it is absolutely essential that the people with expertise in IT should provide the necessary support in OT security and I am talking about something at the top level.

Now, let’s look at the process part. It is time for us to relook into the processes. If you look at the recent attacks that have happened on the OT, most of the time the attackers have tried manipulating the processes. Very rarely will you find any OT attack actually exploiting any of the vulnerabilities of the system. In fact, statistics say that not even a single successful OT attack has ever exploited the vulnerability in the system. Therefore, it is important to relook and to understand what the processes are doing. If need be, then create a newer set of processes. But that is something that the OT people do not really want to do. Even the OEMs are stuck with something that has been carrying on for a long period of time. So it is not that easy. But the future requirements are absolutely clear. We will have to relook into the processes and we will have to create a purple team. The good thing is that we have the technology to enable practitioners to accomplish both the tasks. The right mindset and the willingness are needed to go ahead with it.

What are the key challenges when it comes to implementing security measures at the OT level and how can we address them?

When it comes to IT, generally two parties are involved – the customer and the software. Whenever we look at OT, there are three parties involved – the customer, the OEM and the security professional. The OEM’s role in the OT is critical. If we have to carry out any changes in the OT environment, you have to involve the OEM. The OEM has to be onboarded in all the required security mitigation steps and that’s a major challenge. Another important challenge when it comes to OT security is the compliance issue. Across the globe, most countries are trying to tighten the noose around the OT part because critical infrastructure is running on it. That’s why they have stringent controls. Unfortunately, at times, these stringent controls become impediments in implementing security solutions. I say unfortunately because while the security has to adhere to these controls, the attacker can simply bypass them and carry out the attack.

Also, today, no conversation on OT can be complete without talking about IIoT because all the OT environments are now a mix of OT and IIoT. I think IIoT is really changing the way we look at security from an OT point of view. Today, IIoT is directly sending the data probably to the cloud. Security is always based on a framework like the Purdue Model.

When it comes to the OT security, there is a certain funnel through which the data has to pass and the top-most level would not speak to the bottom-most layer. So the data would flow in one direction and with IIoT coming into the picture, the whole Purdue Model has kind of collapsed. The IIoT has destroyed this whole idea wherein the data has to flow through this funnel. Therefore, the security professional will have to entirely relook at and revise the existing model to address the new cyber threats before designing any security in the OT environment. The earlier concepts of security are no longer relevant today.

In our experience working with OT environments, we often find organizations following the ‘Regulatory compliance equals security’ mentality. What are your views on this common security pitfall?

If somebody is living in that false notion then they cannot be further from the truth. Regulatory compliances have nothing to do with security; they have more to do with the control over data. Compliances generally do not talk about security requirements but they talk about statutory requirements like who is the owner of the data and so on. Even if we look at the certificates, we often talk about the ISO/IEC 20000 certificate or the ISO 27001:2013 certificate. If you read the documents, you would realise that these are the bare minimum requirements that are more like a foundational thing. So it is not correct to equate compliance with security. These certifications give you a false notion that you are secure or that you are safe. It is more of a framework for people to follow.

In fact, I am so often asked this question about the framework that we follow. Please understand that this framework is just a set of references as to how the security architecture is going to look. It is not something that I can put straightaway in my environment. It is good to have a reference document but it cannot be blindly copied. Well, it should not be blindly copied by anybody. We need to create our own frameworks that suit our system requirements.

Expert Inputs by Kartik Shahani, Country Manager, Tenable India

Managing cyber risks across the enterprise and up the supply chain

With interconnected networks and software systems and subsystems being supplied by third parties, an organization's infrastructure becomes intimately intertwined with that of its suppliers. This means that having an understanding of how an attack against a partner or supplier could impact your organization is critical. The solution to gaining this understanding is to have continuous monitoring and threat intelligence relating to the full supply chain, as well as risk-based vulnerability management.

Knowing whether vendors maintain optimal cyber hygiene plays a vital role in identifying the threat landscape but given the huge number of suppliers, starting early on in a relationship is key.

Having an environmental baseline that includes accurate asset inventory, and an understanding of business processes, traffic flows and dependency mappings is essential to establishing where trust relationships exist and where a zero-trust model should be implemented. In doing so, business leaders can use zero-trust to ensure communications within supply chains are secure and from approved and trusted users.

Finally, it’s important to limit access to important data by identifying who has access to privileged accounts and ensuring the appropriate level of privilege is decided for each role within the organization. Implementing identity access management and encrypting all internal data can make it difficult for cybercriminals to establish backdoors to infiltrate during a supply-chain attack.

Map, plan and build resilient systems

One of the best tools to help perform the risk assessment process is NIST Special Publication 800-82, which offers specific guidance for Industrial Control System security. Per this document, organisations should employ a risk assessment process that has four components:

● Framing - Developing the framework for the risk management process and the level of acceptable risk.
● Assessing - Identifying threats and vulnerabilities, the damage that could be done through the exploitation of these, and the probability of these being leveraged successfully during an attack.
● Responding - Identifying countermeasures to address identified threats and vulnerabilities, and implementing said countermeasures.
● Monitoring - Constantly looking for new vulnerabilities and threats, and adjusting accordingly.

Facing the threats in 2022

SolarWinds style attacks on SaaS and shared services are imminent

We believe that attacks against commonly used SaaS and other software platforms will accelerate in 2022. Therefore, organisations must take precautions to adequately ensure that their third-party vendors are secure and implement audited industry best practices. This highlights how critical it is to ensure that third-party software and services have best security practices. It also highlights the need to utilize a security solution that provides appropriate visibility, security and control across the converged infrastructure.

Colonial Pipeline set the table for improvement

Attacks like Colonial Pipeline made security tangible for non-security professionals. Spikes in gas prices and lines at the pump are something that the everyday citizen, CEO and policymaker can understand. Every board of directors is now interested in what the cyber risk is to their company. Stakeholders are more invested than ever, and policymakers are no exception. If the government and private sector can acknowledge their shared priorities and work together toward a more secure world, 2022 will bring a promising climate for improvement.
