Engineering-Grade OT Security - Network Engineering
The presentation is based on chapters 5 and 7 in the presenter's new book "Engineering-Grade OT Security: A manager's guide." We start with a look at the latest incident data from the 2024 threat report. Cyber attacks with physical consequences are increasing. Ransomware is responsible for most of the consequences, and modern ransomware is trading tools with nation states - the difference in capability is disappearing. Nation-state-grade ransomware is today's pervasive network threat.
Cyber-Informed Engineering is a new way of looking at OT security. CIE is positioned as "a coin with two sides - cybersecurity on one and engineering on the other." The engineering side of the coin has been under-emphasized and offers powerful analog, electro-mechanical and other engineering-grade mitigations for cyber threats - mitigations that do not exist in the IT / cybersecurity space. These mitigations are engineering grade - they behave deterministically, with mathematically-definable failure modes - in the face of cyber attacks.
Network engineering is a collection of techniques being applied at consequence boundaries. Increasingly, standards and regulations in other industries (TSA Pipelines, TSA Rails, French ANSSI Critical Infrastructures) demand special treatment of consequence boundaries - connections between networks with very different worst-case consequences of compromise. The most common consequence boundary in the electric sector is the IT/OT boundary. Less common are the OT/Internet boundary (IIoT) and the protective relay / substation control network boundary.
Network engineering techniques include the EPRI IIoT methodology, analog signalling, dependency analysis, abstraction for safe remote control, and unidirectional gateway technologies. In this presentation, we argue that the pervasive threat demands network engineering at consequence boundaries, to interrupt the pivoting attack path from the Internet into OT systems whose compromise represents material threats to worker safety, environmental safety or to society, in the form of a compromised or crippled critical infrastructure.
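The two ideas above - a consequence boundary is a link between networks with very different worst-case consequences, and network engineering is applied at those boundaries to interrupt the pivoting path from the Internet into OT - can be checked mechanically on a network model. The following Python is an added example, not code from the presentation or the book: the topology, the ordinal consequence scale and the "two levels apart is a boundary" threshold are all constructed assumptions. It lists the consequence boundaries, enumerates every pivot path from the Internet to the highest-consequence network, and reports any path that does not pass through a link where an engineering-grade control (for instance a unidirectional gateway) has been placed.

```python
"""Consequence-boundary check over a small network model (added example).

All data below is constructed for illustration; it is not from the presentation.
"""

# Worst-case consequence of compromise for each network, on an ordinal scale
# (assumption: 0 = none, 4 = long-term critical-infrastructure outage).
CONSEQUENCE = {
    "internet": 0,
    "it_corporate": 1,          # business disruption
    "ot_control": 3,            # physical consequences for workers / environment
    "substation_relays": 4,     # bricked protective relays: long-term downtime
}

# Undirected links: an attacker who owns one side can pivot to the other
# unless an engineering-grade control sits on the link.
LINKS = [
    ("internet", "it_corporate"),
    ("it_corporate", "ot_control"),
    ("ot_control", "substation_relays"),
    ("internet", "ot_control"),          # an IIoT / cloud connection into OT
]

# Assumption: endpoints two or more levels apart make a consequence boundary.
BOUNDARY_GAP = 2


def consequence_boundaries(links, consequence=CONSEQUENCE, gap=BOUNDARY_GAP):
    """Links whose endpoints differ in worst-case consequence by at least `gap`."""
    return [(a, b) for a, b in links
            if abs(consequence[a] - consequence[b]) >= gap]


def pivot_paths(links, source, target):
    """All simple paths from `source` to `target`: the candidate pivoting routes."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)

    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for nxt in sorted(adj.get(node, ())):   # sorted for deterministic output
            if nxt not in path:
                walk(nxt, path + [nxt])

    walk(source, [source])
    return paths


def uncovered_pivot_paths(links, source, target, controlled_links):
    """Pivot paths that cross no controlled link.

    `controlled_links` are the links where an engineering-grade control
    (e.g. a unidirectional gateway) interrupts pivoting. Any path returned
    here is a route from `source` to `target` the controls do not interrupt.
    """
    controlled = {frozenset(link) for link in controlled_links}
    uncovered = []
    for path in pivot_paths(links, source, target):
        hops = {frozenset(hop) for hop in zip(path, path[1:])}
        if not hops & controlled:
            uncovered.append(path)
    return uncovered


def report(controlled_links=()):
    """Human-readable summary for the constructed topology."""
    highest = max(CONSEQUENCE, key=CONSEQUENCE.get)
    lines = ["Consequence boundaries:"]
    lines += [f"  {a} <-> {b}" for a, b in consequence_boundaries(LINKS)]
    lines.append(f"Pivot paths from internet to {highest} not interrupted:")
    for path in uncovered_pivot_paths(LINKS, "internet", highest, controlled_links):
        lines.append("  " + " -> ".join(path))
    return "\n".join(lines)


if __name__ == "__main__":
    # Only the IT/OT boundary is controlled: the IIoT link is still a pivot route.
    print(report(controlled_links=[("it_corporate", "ot_control")]))
    print()
    # Every consequence boundary controlled: no uninterrupted path remains.
    print(report(controlled_links=consequence_boundaries(LINKS)))
```

Running the script with only the IT/OT link controlled shows the path internet -> ot_control -> substation_relays surviving, which is the blind spot an OT/Internet (IIoT) connection creates; controlling every consequence boundary leaves no uninterrupted path. The model deliberately treats links as bidirectional, because a firewall rule set is a configuration that can be changed by an attacker, whereas the control set represents links where pivoting is interrupted by engineering rather than by policy.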
We walk through common blind spots in consequence enumeration, including "brickable devices" - attacks that can lead to long-term downtime for critical infrastructures. We explore how worst-case consequences should drive security program decisions. We look at which worst-case consequences are credible in light of today's threats to critical infrastructures, from nation states to hacktivists to nation-state ransomware. Not all threats and threat vectors are credible.
Free copies of the author's 2023 book will be available to participants.