Industrial systems: What it takes to secure and staff them

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Patrick C. Miller, Chief Executive Officer (CEO) and owner of Ampere Industrial Security and the founder and former Director of the Energy Sector Security Consortium. The thoughts below reflect Patrick’s views, not the views of Patrick’s employer, and are not legal advice. In this blog post, Patrick talks about security and hiring challenges in the industrial security industry.

Brooke: How did you get into industrial security?

Patrick: My dad was in telecommunications, so I grew up with a wire in one hand and a flashlight in my teeth, crawling down dark holes full of asbestos and dust and running wires. I built a lot of analog phone systems, and even had a pair of pole spikes, a test set, and a hard hat. I have done everything from climbing poles and stringing line to wiring building-size main distribution frames (MDFs). I was a phone tech who programmed phone systems for most of my younger days. I had done a lot of the security components on the telecom side. Back then, there were a lot of things like long-distance fraud and voicemail access that had to be secure.

I was going to school for biology, with a focus on the botany and microbiology side, when I got a chance to touch the supervisory control and data acquisition (SCADA), operational technology (OT), and industrial control system (ICS) environments as a side job. I was working as a propagation manager for an exceptionally large commercial greenhouse operation, using my biology skills and doing technical stuff. I merged them together and automated a bunch of horticulture warehouse operations, including light, shade, temperature, water, and airflow management. That is where I got my toe in the water of programming and building in industrial environments.

Brooke: How did you grow your skills in the industrial security world?

Patrick: There were no security certificates or college courses in the late 1980s and early 1990s. I fell backward into operational security because of incident response. We had things like bulletin board systems. I had one of the first dial-up modems, and I would go through my university account and look up how to do something. I learned primarily through 2600: The Hacker Quarterly and hands-on success or failure from whatever tutorials were available back then.

Now, I specialize in ICS or OT. Whether it is water in a pipe, power on a wire, traffic on the street, boxes on a belt—it is all flow control. It is incredibly challenging but also very satisfying. At the end of the day, you know you helped keep the lights on, keep the water flowing, keep the gas moving, whatever it may be. Those are critical infrastructures.

Brooke: Why are industrial systems targeted in cyberattacks?

Patrick: Gas, water, electricity, food processing, and transportation are all very necessary. Civilization depends on these infrastructure services. If I am a ransomware operator or a criminal, I can hold your system hostage and since you know there is a quick and severe impact, there is a high likelihood you are going to pay me. They are a high-value target from a criminal aspect as well as from a nation-state or geopolitical perspective for the same reasons but different motivations.

Proprietary information is a target as well. If you have some product or manufacturing or a better way of doing something, I do not have to do the research and development (R&D) to compete with you. I can just steal all your data and do what you do better because I am not spending all the money on R&D and effort. For lots of varied reasons, they are high-value targets.

Brooke: What are the biggest challenges in securing industrial systems?

Patrick: With industrial systems, our biggest worry is our legacy environment because it is just old. Some of the components have been around 40 to 50 years. They are digital-ish and they have analog inputs, but they were not designed to be networked. They were designed to be in a closed system where you had to have physical access to them, but we networked them anyway. They are terribly insecure because the expectation was that these environments would never connect to anything else.

We are seeing a trend to not necessarily disconnect them, but rather connect them in smarter ways. And if you need access to these environments, you must jump through enormous amounts of pain to get an inbound connection. We are just isolating the heck out of it and finding ways to intelligently island or “turtle-mode” those environments so they can operate by themselves. That way, if you have a problem, you can still run the important stuff in an isolated, disconnected mode and you do not lose power, water, gas, or whatever it may be.

If there’s ransomware burning through your corporate environment, you can take your industrial environment and shut it off from the outside world so it can operate in “turtle mode.” However, costs go up. Isolation is expensive and extra architecture is expensive. There are a ton of challenges, both financially and operationally, in trying to move toward a more defendable architecture than we had.

Brooke: What else can enterprises do to protect themselves from these security risks?

Patrick: I have done multiple presentations on if you can only do some things, do these things. They may sound simple, but they are often not easily done in industrial environments:

  • Do asset inventory. If you do not know what you have, you do not know what to protect because you do not even know it exists.
  • Get rid of any of those fragile systems. Like if it is under someone’s desk and critical but you cannot replace it because you do not know how, that is a huge risk. Find a way to replace it with something new that you can defend.
  • Design a network you can defend. Get it to a place where you can truly isolate it with no dependencies.
  • Lock down remote access. Attacks usually come from the IT side.
  • Have effective change management.
  • Practice incident response like it is game day.
  • Train your people and give them what they need to operate that environment and the time to do it.

Brooke: How can industrial security leaders attract more talent?

Patrick: I do not think there is a skills gap. There are a lot of people out there who would do and can do this job if we figure out how to characterize it well. You do not need to be a programmer or a cybersecurity expert to learn this stuff. It involves systems, connected in certain ways, and doing things in very methodical and predictable methods. It is not something outside the norm for most technical minds.

I typically see no entry-level path to get people into the industry. Your expectation is you are going to hire somebody who is a junior and needs 5 to 10 years of experience even as a junior. A lot of these job descriptions are entirely unrealistic. I see job descriptions where they are asking for more experience on a platform than that platform has existed. There are a lot of people you could get who have basic skills and you train them for a week or two. They are going to be hungry to show you what they can do and just grow from there.

Brooke: What skills do industry security professionals need to be successful?

Patrick: Industrial security sounds harder than it really is. When I train people, we break it down into these simple, bite-sized pieces and little breadcrumbs of steps. At the end of the day, they say, “Wow, that was way simpler than I had thought it was.” There is this mysterious cloud about cybersecurity, but it is just lots of small parts. You just must learn what all the parts are and what the acronyms are. Once it is described in a real-world kind of application, most people pick it up quickly.

Most of it is they must be curious enough. Empathy is another because to secure a system, you must have some empathy for what you are doing and why it is important. In the IT and OT world, you have engineering folks, and they just want the thing to work. If there is an alarm going off on their screen and they must react and click something, they do not want their screen to lock them out so they cannot click that button, which in some cases could cause the plant to have big problems. You must have enough empathy for their situation and what they need, and then, as a security professional, design around that so they can still have those things but in a more secure way. If you can be detail-oriented and have strong curiosity and empathy, you can succeed in this space.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.