What do the movies “Groundhog Day” and “Independence Day” have in common, and what can we learn from them related to cyber defense? Well, if you weren’t able to attend the annual RSA Conference back in February, cyber defense expert Tony Sager explained it all at the Tripwire booth. (In case you missed it, Belden acquired Tripwire in January of 2015.)
Let’s start first with “who is Tony Sager?” That’s a fair question as many of you may be unfamiliar with Tony’s decades of work in cyber defense with the U.S. National Security Agency (NSA), the SANS Institute, and now as senior vice president and chief evangelist for CIS (formerly the Center for Internet Security).
Tony Sager, Senior Vice President at CIS
Googling Tony won’t do his contributions to the field of cyber security justice – nor will this link at CIS on his background. However, in his talk at RSA he masterfully distilled all his years of experience into just a few key points of guidance.
According to Tony, cyber security is a lot more like the movie “Groundhog Day” than “Independence Day.” He explained why during his talking points at the Tripwire booth during RSA.
Knowing About Flaws Doesn’t Get Them Fixed
This statement could not be more true when we consider defending industrial networks, endpoints and control systems against malicious insiders, employee error or outside adversaries. There are many reasons why, and each is blogworthy.
- Just because a flaw is announced doesn’t mean there is a fix available.
  Of the 1,552 total vulnerability disclosures examined by FireEye/iSIGHT in their 2016 ICS Vulnerabilities Trends Report, spanning 123 vendors with known flaws, 33 percent had no fix at the time they were publicly announced. The lack of vendor fixes and the slow patch times in most industrial environments present a significant opportunity for potential adversaries.
- Operations teams must typically prioritize production and availability over security concerns.
- Production and supply chain integrations are often reliant upon specific versions of hardware, firmware and software, so any change could cause disruption.
- Operations teams are unwilling to introduce the risks inherent in changing anything already working and in production.
- Some systems do not have adequate test environments to validate before moving to production.
The Bad Guy Doesn’t Perform Magic
Tony always reminds audiences that adversaries are not all-powerful, big forces with magic up their sleeve. Instead, adversaries follow many basic practices used in business today.
He illustrated this using a “cyber” OODA Loop (Observation, Orientation, Decision, Action), a military strategy and combat decision-making process developed by U.S. Air Force Colonel John Boyd. The OODA Loop is now widely used in many fields to understand commercial operations and learning processes. Applied to cyber security, it shows that adversaries pursue their targets and learn about the defenses in place by working through the same loop – there’s no magic.
From Tony Sager’s RSA presentation slides, used with permission.
However, Tony took the illustration further with his “Duelin’ OODAs” (pictured above) because defenders and adversaries are in constant engagement – each applying the OODA loop to the other to gain advantage, increase agility, and more rapidly take informed action. His ultimate point on this? The adversary’s loop is the defender’s opportunity, which leads into his next point.
The Pareto Principle – The 80/20 Rule
You’ve no doubt heard of the Pareto Principle, more commonly known as the 80/20 rule. Applying it to cyber defense, Tony used the illustration below to show that there is a large, but limited, number of defensive choices available and that defenders will commonly gain 80 percent of the results needed with 20 percent of the effort.
From Tony Sager’s RSA presentation slides, used with permission.
In his own experience, the tasks associated with that 20 percent are largely foundational security controls. For industrial and critical infrastructure settings, this can help teams simplify, prioritize and focus on the 20 percent that gets them the 80 percent of security results they require, while still maintaining operational requirements for availability, reliability and safety.
A 1-2-3 Approach to Cyber Security
It was not part of Tony’s talk, but Belden’s three-step approach aligns well to help organizations get started – whether your top priority is to secure the ICS, secure the network or secure the endpoints.
SUMMARY: Cyber Security is More Like “Groundhog Day” than “Independence Day”
For Tony, the idea of “Cyber Security – The Movie” might have been inspired by the recent Academy Awards. His perspective was that cyber security is much more like “Groundhog Day” than “Independence Day.” If you haven’t seen these movies, then let me put it into cyber security parlance.
“Independence Day” – Industrial organizations are threatened by an apocalyptic cyber invasion and one man, Will Smith, (an ICS Engineer) stands alone against the complete annihilation of the production networks, endpoints and control systems. Unlike the real movie, he fails due to his flat network, unauthenticated and unmanaged privileged access, direct connections to ICS from the internet, and undetected intrusion to Level 2 assets. The invaders gain command and control and manipulate physical I/O within his environment, causing catastrophic disruption, harm to human life and complete system failure. Unfortunately, Will was in charge of a power generation plant and its transmission substations, which the invaders were able to use to cause a cascading power failure, ultimately resulting in world crisis and destruction. I could write more, but why?
“Groundhog Day” – Industrial organizations are doomed to continuously repeat the same day. The movie’s hero, Bill Murray (an arrogant, but talented Operations Design Architect) is given a rare opportunity as he relives the same day over and over. He can either repeat his organization’s cyber security vulnerabilities and weaknesses as each day predictably unfolds, or use each day to gradually improve security within his industrial networks, endpoints and control systems using foundational security controls. In the end, Bill’s character triumphs through:
- Segmenting his industrial network following ISA/IEC-62443 standards (formerly ISA-99)
- Creating and maintaining an asset inventory of all endpoints in his operations environment
- Establishing processes and technologies to monitor and manage change in the environment, including hardware, firmware, software and logic updates to PLC, RTU, IED, DCS, HMI, operator consoles, etc.
- Controlling use of administrative privilege
- Monitoring, controlling and limiting internet ingress and egress to his network, endpoints and control systems including network ports, services (such as remote access) and protocols in use
- Installing boundary defense, including segmentation, using advanced and next generation firewalls and intrusion prevention systems
- Establishing an incident response mechanism for rapid detection of threats and intrusions to his operations environment
Oh, and in the end, Bill got the girl…
What has your organization done to begin securing your industrial networks, endpoints and control systems? Which standards are in use and what level of maturity would you say you’ve achieved?
Comments to this blog and emails to firstname.lastname@example.org.