For physical conflicts, we expect our government to protect us from nation-state adversaries. It turns out, though, that industrial enterprises are much better positioned to defeat most nation-state attacks on power plants, pipelines, and other critical infrastructures than governments are.
For example – consider classic industrial attacks:
Now consider government approaches to cyber defenses:
What are the lessons here?
The one cyber risk that governments are much better at controlling than we are is insider threats. Governments have been dealing with people threats for centuries and have powerful tools at their disposal for such investigations.
Secure Operations Technology
The world’s most secure industrial sites have long concluded that they must defend themselves against even sophisticated cyber attacks. How do they do it? Secure sites observe that all cyber attacks are information – and so they carry out thorough inventories of offline and online information/attack flows that come into their critical networks. These sites then deploy physical controls for these attack & information flows, instead of relying solely on software protections.
For example, to control offline threats, secure sites physically remove as many CD-drives, floppy drives, and USB ports as possible, and put technology & procedures in place to detect and remediate all use of removable media. Secure sites are similarly strict with laptops – no device that has ever been exposed to an Internet-exposed network is ever allowed to connect to an industrial network.
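As an added illustration of the "detect all use of removable media" control (example code written for this page, not from the article or the SEC-OT book), the script below scans host logs for USB mass-storage attachments and reports any that are not on a site allowlist. The log lines are constructed in the style of Linux kernel messages, and the `approved_ids` allowlist is an assumed site policy.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the style of Linux kernel/syslog output from an
# industrial HMI host (not real captures; device IDs are made up).
SAMPLE_SYSLOG = """\
Mar 14 10:22:01 hmi01 kernel: usb 1-1.2: new high-speed USB device number 5 using xhci_hcd
Mar 14 10:22:01 hmi01 kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Mar 14 10:22:01 hmi01 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
Mar 14 10:22:02 hmi01 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Mar 14 10:25:40 hmi01 kernel: usb 1-1.3: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
Mar 14 10:25:40 hmi01 kernel: input: Generic USB Optical Mouse as /devices/pci0000:00/usb1/1-1/1-1.3/input/input12
Mar 14 11:03:15 hmi01 kernel: usb 1-1.2: USB disconnect, device number 5
"""

# Enumeration line: gives timestamp, host, USB bus path and vendor/product IDs.
NEW_DEV = re.compile(r"^(\w{3}\s+\d+ [\d:]+) (\S+) kernel: usb (\S+): New USB device found, "
                     r"idVendor=([0-9a-fA-F]+), idProduct=([0-9a-fA-F]+)")
# Storage-class line: only devices that bind the mass-storage driver matter here.
STORAGE = re.compile(r"kernel: usb-storage (\S+):\d+\.\d+: USB Mass Storage device detected")


@dataclass(frozen=True)
class MediaEvent:
    timestamp: str
    host: str
    bus_path: str
    vendor_id: str
    product_id: str
    approved: bool   # True only if (vendor, product) is on the site allowlist


def find_removable_media(lines, approved_ids=frozenset()):
    """Correlate enumeration and mass-storage lines by USB bus path, so that
    keyboards and mice are ignored and only storage media are reported."""
    pending = {}   # bus path -> (timestamp, host, vid, pid) awaiting classification
    events = []
    for line in lines:
        m = NEW_DEV.search(line)
        if m:
            ts, host, path, vid, pid = m.groups()
            pending[path] = (ts, host, vid.lower(), pid.lower())
            continue
        m = STORAGE.search(line)
        if m and m.group(1) in pending:
            ts, host, vid, pid = pending.pop(m.group(1))
            events.append(MediaEvent(ts, host, m.group(1), vid, pid,
                                     (vid, pid) in approved_ids))
    return events


if __name__ == "__main__":
    for ev in find_removable_media(SAMPLE_SYSLOG.splitlines()):
        print(("APPROVED " if ev.approved else "UNAPPROVED ") + str(ev))
```

Any event with `approved == False` is a candidate for the site's remediation procedure (quarantine the host, image and scan the media, review who connected it).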
For online threats, secure sites deploy at least one layer of unidirectional gateway technology in their networks. Unidirectional gateway hardware can physically send information in only one direction – generally out of the industrial network. The gateway software replicates servers – most commonly historian databases that are the focus of IT/OT integration. Users and applications on the enterprise network interact normally with the replica databases.
Practitioners not familiar with the technology are often surprised to discover that unidirectional gateways support OT intrusion detection systems, remote access systems, anti-virus updates, and many other communications needs. The 2019 book Secure Operations Technology (SEC-OT) addresses this knowledge gap, documenting the perspective, methodology, and best practices of secure industrial sites.
The bottom line – with even sophisticated cyber attacks frustrated, the biggest residual risk is insiders. This is where secure sites ask their governments for help. Again, governments have much more powerful tools at their disposal than do commercial enterprises for such threats.
Looking forward
The threat environment continues to worsen. Today’s targeted ransomware uses techniques that five years ago were attributed only to nation-state adversaries – we all need to start defending against these techniques. When critical industrial sites deploy SEC-OT protections, they defeat the sophisticated attacks that governments cannot help with, and they call on the government for help with residual personnel risks.