IIoT and Critical Infrastructure: From Security and Safety Concerns to Corporate Business Risks
My priority in previous blogs around IIoT security has been to provide practical recommendations of measures customers can take right now to reduce the security risks around IIoT solutions and industrial environments. In this blog, part of SAP’s contribution to Cybersecurity Awareness Month, I’d like to take a higher-level approach and discuss the adoption of such security measures, the obstacles to adopting them, and how we might resolve some of these.
Increasingly, I believe the technical issues are solved or solvable, and in many cases immediate actions can be taken to improve the security of the landscape. The more intractable barriers seem to me more cultural, organizational and even societal.
Misaligned incentives
Much has been written already about the divide between IT and OT organizations that IIoT needs to bridge. The difference in culture alone (safety vs. security being the most prominent) causes confusion and misalignment, and organizationally that translates into different business structures and hierarchies that often only come together at C-level. That goes on top of the ongoing complexities of the relationship between the business and the IT and security organizations. Continually publicized data breaches in regular IT and web applications clearly show that basic security measures are often not taken, and we still see troubling security failures for which perfectly adequate technical solutions exist. We generally know what to do. The reality is that we often don’t do it.
In Bruce Schneier’s latest book, Click Here to Kill Everybody: Security and Survival in a Hyper-connected World, much of this is attributed to a misalignment of incentives. His argument is much more extensive than can be reproduced here, but it is helpful to quote his setup to make it clear what we’re talking about:
Imagine a CEO with the following choice: spend an additional 5% on the cybersecurity budget to make the corporate network, products, or customer databases more secure, or save that money and take the chance that nothing will go wrong. A rational CEO will choose to save the money or spend it on new features to compete in the market. And if the worst happens […] most of the costs of the insecurity will be borne by other parties. […]
This is a classical Prisoner’s Dilemma. If every company spent the extra money on security, Wall Street will just accept the expense as normal, but with everyone choosing their own short-term self-interest, any company that thinks long-term and spends more is immediately penalized, either by shareholders when its profits are lower or by customers when prices are higher. […]
The economic considerations go further. Even after deciding to prioritize security over near-term profits, a CEO will spend enough money to secure the system up to the value of the company. This is important. Disaster recovery models will be built around losses to the company, and not losses to the country or to individual citizens. And while the maximum loss to the company is everything the company is worth, the true costs of a disaster can be much greater. (p. 124)
Even the most noble of intentions to do it right will crash on the cliffs of economic reality if this misalignment is not dealt with. And while this has been an issue within IT, where the damage is about information loss, exposure or manipulation, within an IIoT context – that is, a cyberphysical context – damage is likely to include physical harm to facilities and equipment resulting in costly downtime, but also human casualties or significant harm to the environment. Moreover, a number of actual incidents in industrial environments show that attacks are often directed by nation-state or nation-state-associated actors of high sophistication and resources.
The impact of incidents goes up or remains the same, but certainly won’t go down. Meanwhile the attack surface keeps growing, and risk management is complicated by having too little data available to properly assess the probability. For many established OT operators (chemical industry, oil & gas, for instance) much of the impact cost is known, but with often only a handful of documented incidents per industry, it is difficult to assess the probability of a catastrophic event. Nevertheless, having operated for a long time under tight regulations and knowing full well that many are under constant attack, those in regulated industries are probably better prepared to align the risks from a business perspective. It is a lot harder for those whose risk models have not accommodated a higher possible impact than before and who have never felt themselves in the cross-hairs. Regardless, the impact of a cyberphysical incident can easily exceed the value of the corporation, and thus be terminal. Terminal risks affect shareholders and may be a way to get their attention. Risks to human life, the environment, and national security get the attention of governments.
It seems we have at least three cultural and organizational divides we must cross: From IT to OT, from OT to IT, and from IT/OT to the business.
Security as Safety
In OT the paramount priority is safety, that is, avoid accidents and properly manage the ones that happen, avoid injury, and keep the environment operating safely. The IT perspective is one of security, i.e. avoid attacks against confidentiality, integrity and availability, as well as manage the incidents that occur. There is clear overlap between the two. Patching systems in OT environments (mission critical, rare planned downtimes, fear of introducing problems, etc.) has interesting parallels with customer practices around patching SAP systems, for instance. A lot of the confusion could be resolved by talking in terms that others are familiar with and that speak to an established safety culture.
In converged environments: what are the likely outcomes of security incidents?
- Unplanned downtime/industrial accidents
- Damage to equipment
- Injury to employees
- Injury to the public and environmental damage
Those are safety issues. Why don’t we as information security specialists rephrase our concerns in terms of safety? Perhaps we should not talk of cybersecurity, but of cybersafety.
Safety as Security
In addition, there must be a bridge from OT to IT, framing existing safety measures in terms of security. OT operators are much better equipped to identify and isolate the critical assets that need protecting, and to impress upon IT the realities of their environment, where availability of systems is critical, and where the environment is heterogeneous and resilient. As someone from information security, I was quite impressed with the general practice of running redundant PLCs from different OEMs, and therefore on different software and chip architecture stacks. The trend in IT has been solidly the other way, with increasing homogenization and standardization. OT operators also have extensive experience with network isolation, and more recently network micro-segmentation, applied far more aggressively than anything we see in IT. Security professionals need to listen and learn from these operators, most of all to understand the constraints such environments operate under and which cannot be easily changed.
GRC
The bigger divide to cross, though, the more I think about it, is the one to the business. IT and OT could be the best of friends and completely aligned, but the business is where the corporate strategy is set, where budgets are allocated, and where new initiatives are kicked off with a perceived business benefit. I hear time and time again from customer staff I speak to that they’d love to go slow, do careful impact assessments, or implement recommended best practices and security frameworks, but that the business moves forward and they can’t be an obstacle. Lines of business add features to their products to make them more attractive in the market, or add sensors to existing shop floors to optimize them further, reduce cost and maximize equipment efficiency. IT and OT both support the direction the business wants to go.
Therefore, I think we should be talking about these issues of safety and security in these converged environments not as safety or security risks, but as corporate or business risks. Rather than security risk management within the CISO’s organization, I think it should be part of corporate Governance, Risk Management and Compliance (GRC) that is typically part of the CFO’s organization.
However, especially here we are likely to run up against those misaligned incentives again, so we need help beyond the four walls of an individual corporation. That help will come in the form of both carrots and sticks.
Whose responsibility?
Where will that help come from and whose responsibility is it to get it right? Which parties can we count on, and to what extent? The answer is not immediately clear.
National and supra-national governments undoubtedly have a role to play and will insert themselves into the conversation simply based on the potential impact on society and national security. Bruce Schneier in his book puts a lot of hope in government, though at the same time recognizes that this may be misplaced. Government itself has misaligned incentives: it has an interest in protecting physical infrastructure, but is also often interested in its own cyberoffensive capabilities. Government regulation can be positive as well as negative. GDPR has a wide reach and I would say is generally welcomed, while other EU regulation has been mixed. Interestingly, at the 2nd Europol-ENISA IoT Security Conference that I was privileged to speak at, it appeared that ENISA was quite reluctant to drive towards regulation in IIoT, recognizing that industry was taking the lead in this domain, and was reluctant to stifle innovation. It was instead the security companies making the strongest demands for regulation.
The Chinese Cyber Security Law will help make industrial environments and beyond more secure, but China also has a very different approach and perspective compared to the EU when it comes to citizen privacy and surveillance. The state of California adopted an IoT security law, but at the Federal level the effort seems stalled. The balkanization of the internet is well underway, with an increasing number of governments requiring in-country hosting. Regulations are national (or EU-wide) but tend to have global reach due to the nature of the internet, and modern supply chains and manufacturing are no longer constrained to national borders or single markets.
Standards bodies can facilitate, but the experience in IoT generally has been that such organizations move slowly and often deal only secondarily with adoption. Moreover, the long tail of equipment life in OT can make this problematic. New OT equipment from large OEMs generally supports OPC-UA. Its adoption, though, is by no means universal, as older equipment hasn’t reached its end of life yet.
Industry groups can move quicker and can put requirements on their members and thereby drive adoption wider, sidestepping the misalignment problem. When further endorsed and enforced by government and regulations, this can be very effective. But it requires the industry to self-organize around the topic. They could have a very useful role, though, in potentially exposing bad actors that are not following industry guidelines.
What I have also seen is OT operators themselves taking the initiative and forcing their suppliers to align and get it right. These tend to be the most forward looking, and the most security-conscious – for instance among defense contractors or oil & gas – where there is a deep experience of operating under tight oversight, strong regulations and in an environment with clear adversaries and constant attacks. While this may not be repeatable as a process for other organizations not under similar constraints, the lessons learnt during adoption and implementation of security measures could help drive the market.
Finally, perhaps the best positioned to make an impact in the short to medium term is alignment among large tech companies, security companies in the space and OT OEMs. Collaboration between such organizations would not be as controlled or slow-going as standards bodies tend to be, does not have the problems that come with government and politics, and the parties have a clear incentive, either in providing services directly to customers or in providing enabling software and services. In IIoT we’re past the initial market positioning where every provider wanted the whole pie. We’re seeing a retrenchment of organizations focusing on what they’re good at, and this is driving initiatives to make adoption easier, safe and secure, growing the pie for all rather than fighting over a smaller one.
We need all parties in the ecosystem to get involved and take responsibility. This sounds idealistic, but I am hopeful, because that is where incentives align most favorably. Attitudes are changing. We have a real opportunity to get it right.