Executive Order: White House takes on Utility Hackers…
PART 1 of Enemy Perspectives in OT.
Power Plant: "Who's there?"
"It’s me, Huawei"
Power Plant: "Huawei who?"
Background: The concern about foreign hardware and software being installed inside our national grid is nothing new. These components have historically come from everywhere, with varying degrees of scrutiny. Pressure on CapEx and OpEx spending has led multiple sourcing teams to procure through cost-competitive but ethically challenged vendors.
Before the opinion is analyzed, one must understand what the North American Electric Reliability Corporation (NERC) is about to do. NERC CIP (Critical Infrastructure Protection) regulates everything cyber for utilities. CIP-013 of NERC CIP covers "Supply Chain Risk Management." It's not yet enforceable, but it will require six cyber features vendors must comply with. Specifically:
This is all pretty basic stuff and was designed to move the needle but not burden the vendors or utilities. The White House is coming over the top and functionally adding a seventh feature: blacklisted firms.
Politics aside, this issue has been wrestled with behind the scenes at FERC and not necessarily thrust into the spotlight until now. The CIP standards have teeth and are driving rapid maturity within the sector. Utilities are far more mature than the rest of the infrastructure industries. This executive order feels different: it is much more public, political, and targeted. It might lack the teeth of NERC, but that doesn't mean it doesn't bite. Only time will tell how it's received on the national and domestic stage.
It sounds like this is going to publicly target a "blacklist" and make funds available for replacement with less risky vendors.
There will be a rush of managers, directors, and CISOs getting questions like "do we own ABC or XYZ?" This same line of questioning is what panicked this group in 2017 when the Schneider Triconex vulnerability was released. In my experience, asset discovery is the number one use case in all of OT. Many have adopted a solution, but most have not. This leaves many of our Critical Infrastructure Teams combing through old POs or delivery slips for "real-time" knowledge of their operating environment.
It's also clear that NERC and the White House will spend considerable time ironing out the details. In the meantime, here are three pragmatic improvements any firm needing to improve production floor security can take:
There are many solutions on the market that dissect OT network traffic to determine the make and model of IT and OT gear. More importantly, they correlate CVEs, detail patching history, and discover configuration errors. These discovery tools will be the enablement arm of this order. Most utilities don't have this functionality today; most rely on physical records and tribal knowledge.
Once identified, some critical components cannot be removed or are so widely deployed that replacement is too costly. Also, NERC-CIP does not require third-party verification. A malicious actor, skilled in documentation and process, would not be deterred. If a product does have questionable origins, reverse engineering is the only way to determine how to properly mitigate potential vulnerabilities – either accidental or purposeful.
Of note, Russia requires a cryptography compliance verification before US software can be sold within the country.
The threat to the supply chain ranges from the largest generators to the smallest switches. At some point, there will be a weak point. Overlaying this network with the ability to detect and respond to anomalous behavior is critical. Three examples of real (and undetected) behavior found in the wild:
All of those behaviors have been routinely examined and monitored on IT networks (with varying degrees of success) for years. The OT world has gotten a pass for much too long. No matter the threat source, a firm has to be ready to spot abnormal operation of IT equipment, especially when it's connected to critical infrastructure.
The above three steps will speed up identification, enable protection features, and reduce time to detection, regardless of political pressure.
Conclusion: The sentence above is a “Respond and Recover” away from a NIST Full House. The White House is inadvertently signaling that the foundations of IT are not being implemented in OT. Things like NIST are a far-off dream here and are only complicated further by Trump and NERC one-upping each other. Managing an OT security program capable of meeting C-Suite budgets and White House expectations is difficult. There is help. Building strategic and pragmatic programs in OT is a reality. Call it Plan, Build, Run or People, Process, and Technology – having expert guidance can keep a CISO sane.
May 07, 2020
This article discusses how threat actors attack critical energy infrastructure and how they achieve success.