For critical infrastructure organizations, whitelisting is one of the top practices for protecting against harmful applications and mitigating targeted cyber intrusions. To better appreciate why, it’s important to understand how both IT and OT environments work, and how they operate under different conditions.
Comprised of fluid, intertwined technology stacks, IT has a lot of moving parts—which means it also has an incredible number of exploit variants. From network to compute to application to data and more, IT teams are responsible for safeguarding every layer in a stack with its own brand of add-on security (e.g., VPN, SIEM, NGFW, DLP).
On top of that, these security teams are caught up in a perpetual game of cat and mouse with attackers who always seem to have the advantage and be at least one step ahead. It’s a never-ending cycle of identifying new viruses, updating malware signatures, closing security holes, etc.
OT systems are engineered for specific, measured, prescribed actions based on content, and not context. That’s determinism. Things only happen one way—the way they were designed to act. If given a certain input, they will always produce a certain output, time and time again. It’s an either/or. For example, you open a valve or you close a valve. There are no in-betweens.
No question, the OT threat landscape is scary, but because of its deterministic environment, the nature of attacks is not as dynamic as in the IT world—and the primary security focus becomes about ensuring control.
IT is about digital information storage, retrieval, transmission, and manipulation. Most businesses want to ensure smooth data flow. For example, Amazon wants to be sure identities are verified, that credit cards are working, and that searches and purchase histories can be used to offer up “you so need this, too” suggestions. None of these crosses over into the physical realm of process control and manual manipulation.
OT is all about process control, which is why it’s not germane to think about things in the same way you would in the IT world, where defenses are layered (at times, seemingly ad infinitum) onto technology stacks. Industrial organizations typically run a small suite of control applications, and maybe a few more to help manage and maintain systems. For the most part, the environment remains relatively static.
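An added example, not code from the original article: the kind of application allowlist that a small, static suite of control applications makes practical. Approved binaries are pinned by SHA-256 in a manifest, and every execution request is judged on the file's hash rather than its name, so a tampered binary, a copied or renamed binary, and an unknown binary are all refused. All paths and file contents below are constructed placeholders.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

# Constructed sample: the static suite of control applications at a site.
# Paths and contents are hypothetical placeholders, not real software.
APPROVED_BINARIES = {
    "/opt/ctrl/hmi_runtime": b"hmi runtime build 4.2",
    "/opt/ctrl/plc_logger": b"plc logger build 1.9",
    "/opt/ctrl/historian_agent": b"historian agent build 2.0",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(binaries: dict[str, bytes]) -> dict[str, str]:
    """Allowlist manifest: approved path -> approved SHA-256 of its content."""
    return {path: sha256_hex(content) for path, content in binaries.items()}

@dataclass(frozen=True)
class Verdict:
    path: str
    decision: str  # allow | deny-unknown | deny-modified | deny-relocated

def evaluate(path: str, content: bytes, manifest: dict[str, str]) -> Verdict:
    """Decide whether an execution request may proceed.

    The hash, not the file name, carries the decision: a modified approved
    binary and an approved binary copied to a new location both fail."""
    digest = sha256_hex(content)
    expected = manifest.get(path)
    if expected is None:
        # Path is not in the manifest. If its hash matches an approved
        # binary, it has been copied or renamed, which a static OT suite
        # never does on its own; otherwise it is simply unknown.
        if digest in manifest.values():
            return Verdict(path, "deny-relocated")
        return Verdict(path, "deny-unknown")
    if digest != expected:
        return Verdict(path, "deny-modified")
    return Verdict(path, "allow")

def audit(requests: list[tuple[str, bytes]], manifest: dict[str, str]) -> list[Verdict]:
    """Evaluate a batch of (path, content) requests; anything other than
    'allow' is a deviation from the expected static environment."""
    return [evaluate(path, content, manifest) for path, content in requests]

if __name__ == "__main__":
    manifest = build_manifest(APPROVED_BINARIES)
    for v in audit([("/opt/ctrl/hmi_runtime", b"hmi runtime build 4.2"),
                    ("/tmp/hmi_runtime", b"hmi runtime build 4.2"),
                    ("/opt/ctrl/updater", b"unexpected binary")], manifest):
        print(f"{v.decision:15} {v.path}")
```

Because the approved set changes rarely, every non-allow verdict is a high-signal event to investigate, not noise to be tuned out.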
More gateways mean a larger attack surface. And considering that 60 percent of network traffic is bots, it’s no wonder attackers only need to be right once—yet another reason IT guys are one step behind the bad guys. It’s nearly impossible to keep up.
Fewer gateways, fewer avenues for attackers to pursue. The key is reinforcing armaments at those known gates, moats, and tunnels from the start.
In order of importance, priorities are: confidentiality, integrity and availability (the CIA triad). First and foremost, businesses and consumers expect financial, medical and personal data to remain private.
In OT, an additional priority tops the list, while the rest are flip-flopped. The new order: control, availability, integrity, and confidentiality. Control equates to safety because, in this environment, loss of control could have dire consequences. Next is availability (e.g., we expect to have water at the flick of a faucet), then integrity (e.g., we expect that water to be clean and pure), and finally, confidentiality.
The amount of data that can be transferred at any given time is a big deal in the IT world, where connected constituents have gone all Oliver Twist, minus the “please, sir.” That means both bandwidth (think of this as a multiple-lane highway) and throughput (the number of cars traveling on the highway at any given time) demands are ever growing.
The “information highway” infrastructure is less complicated and less congested in OT. If, say, a four-lane highway were built, it was done so because four lanes were more than adequate to handle the relatively fixed amount of anticipated traffic. Throughput requirements aren’t changing as quickly or drastically as in the IT space.
Security patching is so commonplace in IT that vendors have a regular weekly release day. Vulnerabilities are easy for attackers to find. They’re also often only discovered as a result of an exploit. In fact, because of the dynamic nature of IT environments, it’s becoming a rarity to find vulnerabilities pre-exploit.
The good news for IT is that, once found, vulnerabilities generally have effective patching available within days to mitigate damage.
No matter what, security cannot make critical infrastructure less available or reliable. In fact, it cannot have any negative impact—no disruptions, no slowdowns—on the real-time and deterministic operation of critical infrastructure.
So even if Patch Tuesdays did exist (which they don’t), they wouldn’t be a viable solution. It’s just not feasible to drop security measures in and expect them to work as they might in IT.