SAN FRANCISCO--One of the great things about the Internet is that information on nearly anything is available at any time. That democratization of information can make life easier for attackers in many cases, but there is still at least one realm where that's not the case.
The world of industrial control system security shares a few similarities with normal IT security, but defending ICS is a unique and strange beast. Understanding the way ICS work and how they tie into IT networks in expected and unexpected places is a major challenge and the number of people on either side of the ball fully versed in that discipline is vanishingly small. Lesley Carhart is part of that small population, and one of the things she’s found over the years doing incident response and threat analysis in ICS environments is that the esoteric nature of those systems works to the advantage of the teams defending them.
“Security through obscurity is a real thing. I don’t think it’s ideal, but it’s a real thing in those environments and it’s effective,” said Carhart, a principal threat analyst at Dragos, a firm that specializes in ICS security.
“There are not a lot of people who understand at a deep level how these systems work and that includes the adversaries. There certainly are adversaries who do, but it is a very high bar to entry and you have to invest a significant amount of time and money to get over it.”
The systems in mining operations, trains, power plants, and other complex environments generally are made by a small number of highly specialized companies. The software on a given device may be custom built and may speak custom protocols. Understanding how all of that works and what weak spots and potential vulnerabilities may exist is not an easy task, even for just one specific device. Which is why even within the niche community of ICS security experts, there are smaller subsets of people who specialize in specific devices or industries.
Carhart, for example, tends to focus on manufacturing, but other specialists may dig in on power plants or transportation. And they spend years understanding how those environments work, what the risks are, who the specific adversaries might be, and how to defend against them. All of which means that the attackers on the other side of the fence need to invest an equal amount of time, money, and resources to gain an equal level of knowledge and expertise. None of that is simple, nor are there really any shortcuts to be had.
“If you’re a bad guy and you want to take out the power in this country, you have to know the specific devices that a grid operator uses, then you have to learn everything you can about those devices. And the information isn’t always easy to find,” Carhart said.
“We definitely have adversaries who know how to do those things, but it’s expensive, it’s time consuming, and it’s difficult. The phrase security through obscurity has never been so true. It’s one of the things that’s protecting us from catastrophic things happening right now. Teaching this kind of security is not easy. There’s so much to learn.”
While some of the threats facing ICS and the companies that operate them are comparable to typical enterprise threats, the consequences of successful attacks can be quite different, depending upon the environment. Supply chain attacks and serious intrusions by nation-state adversaries are real threats in the ICS environment, but those are not the ones that Carhart spends her time worrying too much about.
“It’s the more practical things that worry me the most, like the IT people not talking to the operational technology people. Device-level supply chain attacks may happen eventually, but why bother when you can just bang on someone’s VPN that’s out of date,” Carhart said.
“Attackers are humans and humans are lazy. I think we’re going to see a lot more ransomware in these environments because it’s a lower barrier to entry.”