The theme for S4x22 was No Limits. In my 10-minute opening of the event, I suggested one way to break free from limits is to take conventional wisdom and flip it. Look at the world as if the opposite were true.
I gave three examples, and my favorite was:
flipping “cyber assets need cyber hygiene”
– to –
“learn to live with dirty cyber assets”
The term cyber hygiene has taken hold, even though it is hard to differentiate it from “follow good security practice.” Leaders in security, industry and government have picked up this buzzword, and it is a go-to, generic must-do item. They may even be able to rattle off a few elements of cyber hygiene, such as security patching or cyber asset inventory.
In terms of naming or branding, cyber hygiene is a master stroke. It is easy to visualize, as most people are familiar with other types of basic hygiene, such as personal health and food preparation. It’s also hard to argue against any form of hygiene, because hygiene = clean = good and unhygienic = dirty = bad.
Well, let me try, at least for the ICS and OT world.
ICS Reality 2022
Almost all ICS / OT environments are filled with dirty, unhygienic cyber assets. Patches are missing, patch intervals are measured in quarters or years, and patching is typically limited to Microsoft and a few other vendors. Control protocols lack source and data authentication. Level 1 and Level 0 devices are very difficult or impossible to secure if the adversary can reach them.
Some early adopters have deployed and maintain cyber assets with secure baseline configurations and have a well-considered and implemented user authentication and authorization process. Some early adopters have robust detection, response and recovery. There are asset owners who have been working on ICS cyber risk management for many years and are making progress.
However, even with credit given where due, by any cyber hygiene criterion it is a very dirty environment. The level of effort to achieve and maintain cyber hygiene across all cyber assets in the zone would be massive.
Lack of Prioritization
The importance of hygiene varies based on the players and the environment. A sterile, clean environment is hugely important for surgery. Less so for kids playing in a sandbox or mud puddle. From a risk perspective, a dirty restaurant is much riskier than a dirty kitchen at home, due to the much larger number of people who could get ill or worse.
When we put cyber hygiene on a pedestal, as the primary item for all cyber assets, we miss the opportunity to allocate resources where they can achieve the greatest risk reduction. This is addressed in our ICS-Patch decision tree (what to patch, and when, in ICS). There is a small subset of cyber assets, usually much less than the 20 in the 80/20 rule, where cyber hygiene can provide most of the risk reduction. Examples:
- Firewalls and other perimeter security devices
- Engineering workstations
- Historians, OPC Servers and other cyber assets used to pass data between zones
- Any ICS cyber asset directly accessible from outside the zone
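As an added example that is not from the post, here is a small prioritizer that applies the four criteria above to an asset inventory and tells you which assets are worth the hygiene effort, and why. The inventory, zone names, roles and network links are all constructed for the illustration.

```python
from collections import namedtuple

# Roles the post names as hygiene priorities: perimeter devices, engineering
# workstations, and the historians / OPC servers that move data between zones.
PRIORITY_ROLES = {"firewall": "perimeter security device",
                  "engineering_workstation": "engineering workstation",
                  "historian": "passes data between zones",
                  "opc_server": "passes data between zones"}

Asset = namedtuple("Asset", "name role zone")  # zone: IEC 62443-style, e.g. IT/DMZ/control

def hygiene_priority(assets, links, scope_zones):
    """Return {name: [reasons]} for in-scope assets where hygiene buys the most."""
    by_name = {a.name: a for a in assets}
    adj = {}  # symmetric map: name -> names with a direct network path to it
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    selected = {}
    for a in assets:
        if a.zone not in scope_zones:
            continue
        reasons = []
        if a.role in PRIORITY_ROLES:
            reasons.append(PRIORITY_ROLES[a.role])
        # Fourth criterion: any direct link to an asset outside this asset's zone.
        if any(by_name[p].zone != a.zone for p in adj.get(a.name, ()) if p in by_name):
            reasons.append("directly accessible from outside its zone")
        if reasons:
            selected[a.name] = reasons
    return selected

# Constructed inventory: a DMZ firewall, a historian bridging DMZ and control,
# an EWS, an HMI, a remote-access box wired straight to IT, and 20 PLCs.
ASSETS = [Asset("fw1", "firewall", "DMZ"),
          Asset("historian1", "historian", "control"),
          Asset("ews1", "engineering_workstation", "control"),
          Asset("hmi1", "hmi", "control"),
          Asset("remote1", "remote_access", "control"),
          Asset("it_app1", "server", "IT"), Asset("it_vpn", "vpn", "IT")]
ASSETS += [Asset(f"plc{i}", "plc", "control") for i in range(1, 21)]
LINKS = [("it_app1", "fw1"), ("fw1", "historian1"), ("historian1", "hmi1"), ("it_vpn", "remote1")]
LINKS += [(f"plc{i}", d) for i in range(1, 21) for d in ("hmi1", "ews1")]

if __name__ == "__main__":
    picked = hygiene_priority(ASSETS, LINKS, {"DMZ", "control"})
    for name, why in picked.items():
        print(f"{name}: {'; '.join(why)}")
    print(f"{len(picked)} of {sum(a.zone != 'IT' for a in ASSETS)} OT assets")
```

On this constructed inventory 4 of 25 OT assets are selected; the HMI and the PLCs are left to "live dirty" because nothing outside the control zone can reach them directly.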
Lack of Perfection
The Colonial Pipeline incident has, in my opinion, been wrongly interpreted (and it is a prime example in my 2022 Truth or Consequences keynote). The legacy VPN lacking two-factor authentication was in violation of the company’s policy and unknown to the company’s security team. They weren’t perfect. Who is?
People aren’t perfect. Neither is our technology. The idea that if we just work harder on this generically applied cyber hygiene we will reduce cyber incidents in OT is at best unproven, and at worst untrue. It would be great to get some statistical analysis on what level of cyber hygiene is required to see a bend in the curve of cyber incidents. My SWAG is that it is quite a high percentage, 95%+. Given the ICS Reality in 2022, this means a lot of cyber hygiene effort will have minimal results until you cross that level, whatever it is.
This is another argument, if you are a proponent of cyber hygiene, for identifying the small number of cyber assets that are critical for risk reduction and focusing your cyber hygiene on those cyber assets. Even if this means most OT cyber assets get dirtier and dirtier.
If you disagree and believe cyber hygiene should be a, or THE, priority in ICS security, the mental exercise of how you would manage and mitigate cyber risk in an unhygienic ICS is worthwhile. First, because it may help you come up with new ideas, tactics and strategies. And second, because almost all ICS environments will be severely unhygienic for at least the next 1 – 3 years.