Isaac Newton’s First Law of Motion:
An object at rest stays at rest and an object in motion stays in motion with the same speed and in the same direction unless acted upon by an unbalanced force.
And his second law of motion states that the acceleration of an object is the result of the forces acting on it and its mass. In Operations Technology (OT), and in IT security’s involvement in OT, we have either a large mass, a small unbalanced force, or both. The result is that we go years and even decades with little change in speed or direction: inertia. COVID-19 is an unbalanced force that changes this; it is just a question of how and how much.
OT Security Inertia
In the 20 years of OT security, minimal changes have taken place in securing industrial control systems (ICS). There is a lot of mass and very little force to change the direction. In fact, most security additions and changes have been made around the ICS rather than actually changing the ICS. For example, security perimeters have been built around the ICS, and detection products listen passively on the ICS network.
It has taken 20 years to finally see some changes to the ICS itself, such as signed firmware and secure ICS protocols, and these changes have tiny deployments and a slow adoption rate. The biggest changes to the ICS have been endpoint protection on workstations and servers: anti-virus and application whitelisting. Active Directory could be viewed as a change to the ICS, but it could also be viewed as a more efficient method of role-based access control, which has been an ICS feature from the start.
Some of the biggest OT security success stories in changes to the ICS have been in areas that were not entrenched. Industrial wireless, WirelessHART and ISA100, is a great example. This was a new technology, and those developing it came to the logical decision that the communication should be secured, encrypted and authenticated. Every device sold has this security. It is unlikely that a non-secure or less secure wireless LAN solution will be accepted for communication to Level 1 and Level 0 devices in OT. This is an example of inertia being good.
The mass of OT has not changed. However, in the last five years we have seen an increase in the unbalanced forces trying to change its direction. The two main forces are 1) the increased value of ICS data and 2) the CISO/IT Security organization increasingly gaining responsibility for OT cyber risk. IT Security’s own inertia is another problem.
IT Security Inertia
While IT and IT security often view themselves as fast moving and adaptable, especially compared to OT, there is significant inertia in IT security controls.
For decades the widely accepted good security practice was to force users to change their passwords frequently. To their great credit, NIST and other organizations looked at the results of this recommendation, saw it was ineffective, and changed it. Yet we still see this password change requirement in most security policies. Why wouldn’t organizations throw away a detrimental security control that is detested by users? Inertia.
The largest example of IT security inertia is the incessant focus on applying security patches in OT. This is despite the fact that 90%+ of security patching in the OT environment results in close to zero risk reduction, and there are much better risk reduction activities that can be done with dramatically less effort and a higher success rate.
Why is security patching a (the?) top recommendation by IT security teams and consultants when it is difficult and resource intensive? It is often a key metric for the enterprise. It is one of the important things IT security does: IT security tries to make sure things are patched, and it has been focused on this for decades.
People love to talk about the differences between OT and IT. One of the similarities is that both have significant inertia, with their motion heading in different directions. In most cases, neither is heading in the right direction to provide the security controls required for ICS cyber risk management. They need to interact to become one object moving in a new direction.
The concept of inertia can also apply to behaviors, although not as formulaically. The longer an individual or group holds a behavior, the more force it takes to change that behavior. COVID-19 is a large behavior-changing force, at least in the short run. Two common refrains uttered by pundits in the last two months are:
- COVID-19 will accelerate change that was already happening
- The world will never go back to its pre-COVID state
The longer that we are in a state of work from home, less travel, and severe economic slowdown, the more the past state of inertia will fade and a new state will become locked in. Consider the example of remote operations, and potentially even the machine learning based operators that I have previously predicted. The COVID-19 state of operations makes this look more possible and more appealing for many reasons, including:
- Remote access to the ICS for engineering and operational support has increased in many sectors during COVID-19 (despite the security implications of this, and perhaps driving a new OT security approach).
- The potential difficulty of having people come into a control room and use shared computers in a pandemic is a concern.
- The downturn in the economy will place increased importance on cost savings and efficiencies in many sectors.
How, if at all, do you think COVID-19 will alter OT and OT security?
Note: I’m really enjoying the Mental Models books that inspired this post.