David Anteliz is the senior technical director at Skybox Security, a global leader in Security Posture Management, and has been in the cybersecurity industry for nearly 30 years. Many of the projects he works on are centered around helping customers understand how best to mitigate and manage their vulnerability estate, including what effective vulnerability management looks like and how to manage all the tools and processes they have in place. Editor in Chief Thomas Wilk spoke recently with Anteliz on the role that network segmentation plays in cybersecurity strategies.
PS: Let’s start with your insight about plant teams who have some responsibility for OT network security, and your observation that “their chief worry is defending what they don’t know much about.” What are you seeing that led to this observation?
DA: Going back to the OT administrator, or the administrator trying to manage a bunch of different cybersecurity tools to begin with, and having those tools thrown on their table. From an internal security and auditing/compliance standpoint, it’s challenging to ascertain where the gaps in their network might exist. Many of these professionals are tasked to keep the lights on, make things work, and go as quickly as possible. Certain trade-offs come with managing those responsibilities, such as security. Unfortunately, if you don’t know what your security state needs to look like, what your perimeter security needs to look like, or what an OT vulnerability might represent in the organization, it is very difficult to wrap your arms around it, let alone understand the net impact that it could have across the rest of the environments.
So, to them, it’s basically fight or flight. They’ll do their best to apply everything they can, regardless of whether it addresses the situation. They’ll often use a compliance framework to try to achieve a level of security. Unfortunately, while they’re satisfying those criteria, they don’t necessarily achieve the security level that the organization needs. That is a problem that I often see. They’ll say: “I’m compliant. I’ve achieved X, Y, Z certification.” Yet, at the end of the day, they get breached or find a pretty large security gap in their environment.
I’ve seen that phishing is typically the easiest, lowest-hanging fruit, and the most concerning threat vector. This is followed by malware: scan and exploit, trying to figure out where the holes are in the environment and where those vulnerabilities sit. That said, we are in 2022 and still struggling with removable devices.
PS: In our first email exchange, you observed that plant teams say they’re dealing with things like log4j or they’re trying to stop ransomware. Your thought was that they need to focus just as much on a fundamental element of network security: network segmentation.
DA: With segmentation, we’re able to offset some of the problems that come with brute force attacks, situations where scanners are trying to attack or scan environments. We are limiting the scope and scale at which they can do that with a basic approach.
Going back to the basics, let’s understand what kind of security we have in place. Let’s assess that security. It’s like trying to remediate the front door with the appropriate type of lock for the appropriate type of environment. You’re not going to safeguard a bank with a standard lock. We need a big ole safe door and a big ole safe to lock that down.
It’s pragmatic to take those steps and slow down, but also not be afraid to ask questions. For your readers: it’s okay to ask questions about what is required to secure these environments and identify what’s most vulnerable and critical to this infrastructure. Can this programmable logic controller (PLC) withstand downtime? Can this specific manufacturing asset suffer downtime? What does that represent in terms of dollars? Starting to quantify those values and understanding what risks might be able to do to your organization will help also frame what kind of security products or solutions you should be assessing.
I’m not saying throw things at the wall and see what sticks, but assess what you have, understand what kind of protections you have in place, and test it out. As an industry, we’ve done a very good job of looking at what we have and being overly proud of what we’ve deployed. That gets us into trouble because we think we’ve satisfied the criteria. Remember that it’s okay to ask questions. What should we be looking at? Why should we be looking at it? And how much of it do we need?
This story originally appeared in the September 2022 issue of Plant Services.