2021 ICS Cyber Security Conference

The Control Systems Cyber Security Association International (CS2AI), in collaboration with a team of ICS SMEs from the ICS cyber security practitioner community and its coalition of strategic alliance partners, conducts a yearly analysis on the current state of control system cyber security. Leveraging the participation of multiple stakeholders across roles and industry sectors, the survey is designed to help answer key questions about how we can best protect critical systems in the face of ever-growing and -evolving threats.
 
This session will reveal key findings from the not-yet-published Report, enabling defenders to improve their security posture through greater understanding of the diverse concerns and decision drivers that the industry faces.

The Department of Energy’s Cybersecurity for the Operational Technology Environment (CyOTE) program provides a methodology for energy sector asset owner-operators to combine network-based sensor data with local context to recognize faint signals of malicious cyber activity before an adversary can cause higher-impact effects. By leveraging this methodology with existing commercial monitoring capabilities and manual data collection from broader but informative sources in operations and even in the business domain, asset owners can better understand relationships between multiple observables which could represent a faint signal of an attack requiring investigation. Visibility is necessary but the importance of visibility is in the understanding and decisions it drives – complicated by infrastructure changes, new technologies, and determined and sophisticated adversaries. Independently getting to the point of making a risk informed business decision on whether to respond to an incident or fix a reliability failure sooner and with more confidence is the promise of CyOTE.  

While CyOTE is an energy sector program, the insights and takeaways are broadly applicable to other industrial sectors. This presentation covers the history of CyOTE to explain how the key insights came about, and then walks through the methodology as a way to put those insights into practice, showing how it complements other high-priority investments and activities in energy sector OT cybersecurity.

In every critical infrastructure sector, security teams responsible for industrial operations are re-evaluating their security programs as targeted ransomware, supply chain breaches and cloud connectivity all emerged as top-of-mind concerns. However, when these teams look for resources, advice on many facets of cyber security programs is often confusing and even contradictory. There exists a significant challenge in today’s environment where opinions based on narrow experiences are oftentimes presented as fact. It becomes a high hurdle to separate the facts from the fictions.

This talk will highlight some of the greatest arenas of discussion that have emerged in the field of Industrial Cybersecurity over the past two plus decades including:

• IT/OT Convergence – There is only T
• The perimeter is dead
• Encryption will protect us
• It isn’t “if”, it’s “when” you’ll be hacked
• CIA vs AIC
• Regulations are necessary to drive security

We will also explore some of the classic blunders in security strategies that we must learn from, in order to avoid repeating our history.

Finally, we will reserve some time for direct Q&A, ensuring that attention is given to the latest developments and audience concerns.

Most IT and OT practitioners assume that by searching the National Vulnerability Database (NVD), one will find all the vulnerabilities associated with a software product or device. Sadly this is not the case: the NVD is far from a complete set of vulnerabilities, with some sources claiming that 76% of all ICS vulnerabilities are missing from the NVD*. Furthermore, the NVD rarely maps vulnerabilities in software components back to the packages that contain those components, leaving ICS users no means of determining that the software they are deploying is at risk. Finally, mergers and acquisitions mean that the vendor name on the product in use often doesn't match the vendor name seen in the NVD disclosure details or the Common Platform Enumeration (CPE) listing.

This talk will discuss how a variety of Artificial Intelligence (AI) techniques can be used to discover vulnerability associations. Specifically, we will discuss how the combination of Natural Language Processing (NLP), extraction of Merger and Acquisition (M&A) product histories, and Software Bill of Materials (SBOM) analysis can alert both asset owners and suppliers to vulnerabilities hidden deep inside legacy products.

Learning Objectives

• Understand the scope of the problem trying to associate component vulnerabilities with products and why AI is necessary.
• Learn the different SBOM formats approved by NTIA and how they can be generated for both current and legacy software (when source code is unavailable).
• Learn how to monitor your software supply chain for components and vendors that are problematic.

Cyber is a risk equation. It takes into account the likelihood of successful attacks and the impacts and consequences those attacks can have. However, the variables in the cyber environment are what make it so unpredictable. The lack of historical data, the explosion in connectivity, the dependency on the digital world and a wildly changing operating environment make traditional risk models obsolete. This is why insurance has struggled so intensely with cybersecurity. As a result, many insurance companies do not offer cyber insurance, and if they do, it is often narrowly defined and filled with exclusions that the policies are non-competitive.
 
Cyber is no longer staying in the digital world. The rise of attacks on industrial operations and critical infrastructure are resulting in real-world impacts. No longer is cyber about stealing data; it now impacts the flow of oil, the functions of machinery, the navigation of vessels and the core operations of businesses. This translates into what now is called “cyber-physical”, the real-world operational and safety risk posed by industrial cyber attacks, and the latest buzzword around board rooms. 
 
This is a game-changer for insurance. The consequences of a cyber-physical event can be devastating and insurance can no longer ignore the issue. Insurance companies need to be able to tell whether an event was caused by a cyber attack, be able to assess damage and impact and develop the ability to underwrite an ever-changing risk environment. This will take rethinking risk and the tools used to assess, underwrite and manage risk. 
 
This presentation will address the emerging challenges of industrial cybersecurity for the insurance industry and the new tools, solutions and roles the industry must adopt to adapt to cyber risk.