There is no shortage of vulnerabilities out there in the industrial control system/operational technology (ICS/OT) environment, but many of those vulnerabilities have never been found to actually impact ICS/OT. That’s why it’s important to take a risk-based approach to protecting your operational systems. The Industrial Cybersecurity Pulse Podcast recently sat down with Thomas Pace, CEO and co-founder at Netrise Inc., to discuss the futility of chasing vulnerabilities, why the ICS/OT space can be more complicated than IT and proper cybersecurity resource allocation.
The full podcast and Part One of the transcript are available from Industrial Cybersecurity Pulse. The following was edited for clarity.
ICS Pulse: Let’s talk about risk management versus chasing all the vulnerabilities you encounter. Dragos released a statistic recently that 5% of vulnerabilities actually have impacts on industrial control systems, so people are often using their limited resources to chase problems they may not even have. How important is risk management versus chasing just vulnerabilities?
Tom Pace: Using resources they don’t have to chase problems they don’t have? Significantly more important. This idea of getting to zero vulnerabilities for any vulnerability management program is just totally setting yourself up for failure. As an example, we find a significantly larger number of vulnerabilities than people expect in the devices that we analyze. What we tell people all of the time is, “If you are going to leverage the data from our platform to say this month I have 1,000 vulnerabilities, and next month I want to have less than 1,000 vulnerabilities, I can only guarantee you one thing: You will fail.” Firmware doesn’t get updated every month. It might get updated once a year. There is no set of circumstances where, over time, your firmware is going to get fewer vulnerabilities. That’s never going to be the case. Once again, this comes back to where you go for your source of vulnerability information.
Let’s talk about the NVD (National Vulnerability Database). That doesn’t tell you if there are exploits available for those vulnerabilities. That doesn’t tell you if there are active threat groups leveraging those vulnerabilities right now in the wild — all these other things that matter a whole lot that are not part of that database. Now, to take the — not necessarily the opposing view of that Dragos research, but to just look at that from the other side of the coin — whenever we have a device and that device does not have a CPE listed in the National Vulnerability Database, which means, by definition, there are no CVEs associated with it, are we to assume that device has no vulnerabilities? Yes, if you were insane. We all know that that’s not the case. And then we might tell you, “Hey, there are 1,500 vulnerabilities in this device,” right?
One of the things that people always tell me is, “All those vulnerabilities might not even be reachable. They might not be able to be exploited.” I go, “OK, what percentage is that? Let’s just use the number. Let’s say 5%. Well, I’m not a mathematician, but that’s 75 vulnerabilities in one device that can cause an impact.” Now, if we took that same mentality, and we applied that to Windows and said, “Listen, you’re going to have 75 vulnerabilities that can cause an impact here. Would you like to address those or no?” Everyone in the world would be like, “Oh, no, we need to address those.” And it’s like, “Exactly.” The problem you have in the ICS (industrial control system) and OT (operational technology) space is that significantly more effort is required to determine what is there, what can be exploited, what context is required, etc.
A lot of times, people just throw the baby out with the bath water and say, “Oh, this is hard, or it’s too much.” And it’s like, yes. By the way, this is exactly how this problem started in traditional operating systems 25, 30 years ago. Companies like Tenable and Rapid7, they just come out and cure the vulnerability problem on Day One. Enterprises are still dealing with vulnerability management issues of the Windows operating system. Yet, somehow, we’ve allowed ourselves to just say, “This is too hard for these devices, so we’re not going to bother in a lot of cases.” That seems really crazy to me.
ICSP: When we’re talking about ICS/OT, it can be more complicated. Unlike an information technology (IT) system, patching can be difficult because you have to take systems down. You’ve got legacy systems where there may not be patches anymore, and there may not be support for it anymore. How much harder does that make the process of trying to secure ICS/OT?
Pace: Significantly harder. This is what I did at DOE (Department of Energy). I helped determine the impact of various vulnerabilities and risks against our ICS devices, of which we had more than a couple. I mean, the hilarity of going to an ICS engineer, or an OT engineer, or whatever, and saying, “Hey guys, we’re going to patch the PLCs (programmable logic controllers) this weekend.” “No, you’re not.” There’s a 0% chance that’s going to happen because availability is king. Confidentiality and integrity, as part of the CIA triad, are always going to take a backseat to availability — as it should. Which is why we should be leveraging, as you guys have already mentioned, a risk-based management approach to vulnerability management and vulnerability remediation. It’s not the same, right?
Say, you have a vulnerability in a medical device. Those manufacturers are not going to update those software components because guess what happens if they do? They’ve got to go get that thing re-certified back through the FDA, and that is a very expensive and time-consuming process.
They don’t give a shit if another vulnerability was identified in some open-source component, because they just had to go through this process for five years. It’s just reality, and people go, “They should care.” And it’s like, “Well, if they did care about that, that company would not have a business. And then that device would not be doing what that device is meant to be doing, which is saving lives, and yada, yada, yada.” In a vacuum, they should care. When context is provided, they probably did the right thing.
ICSP: Let’s take it out of critical infrastructure, or saving lives. Even if you’re making beer, or widgets, do you want to shut that down? That’s how companies make money. That’s the cash register. It’s got to keep running.
Pace: It’s a risk management-based approach, right? Our goal at Tom’s beer making company is to make beer. Why? Because we want to make money. If I have to take down my production line for X amount of time, I don’t make X amount of beer. If I don’t make X amount of beer, my shareholders are unhappy. This is just basic stuff.
ICSP: We were talking about resource allocation earlier. Right now, an inordinate amount of cybersecurity resources go to the IT side. I’ve heard 90%. I’ve heard 95%. They’re not generally going toward protecting industrial control systems. I understand why it’s happening, but is it sustainable? Whether you’re talking about critical infrastructure or private industry, it seems risky to put that little into protecting ICS/OT.
Pace: It’s undeniable that ICS and OT are significantly underrepresented when it comes to the cyber skills gap. However, what I would say is — and I don’t have a good enough oversight or perspective here to make this comment conclusively — I’m seeing a ton of people that are going from IT in traditional cybersecurity into the OT space. I mean, it is exactly what I did. I don’t have an OT background necessarily. I’m not an engineer or something like that, and I think a lot of that is happening. I think because of the IT/OT convergence that has already happened. I think because of Industry 4.0. I think because of whatever 40 other buzzwords we can use to talk about the fact that OT is IT, and IT is OT. It’s hilarious to me that we have this discrepancy between OT and IT.
It’s like if your router stops working in your IT network, is your network operating? No, it’s not. Why is that not operational technology? Obviously, it is. This is just vernacular nonsense that tech and cyber will deal with forever, for reasons that are unknown to me. But you see a lot of people creeping into that space. Now, do you have to have certain knowledge to be really effective in OT and ICS stuff? For sure. But you can pick that stuff up. It’s really just a part of the broader cyber skills gap, which by the way, right now isn’t looking like too much of a gap, is it? Considering everybody’s getting laid off all over the place, there’s no shortage of people looking for work right now. That’s a really interesting dynamic that we’re living through right this second.
ICSP: Yeah, that’s a little bit of a scary dynamic, but it is interesting.
Pace: Oh, no, no. It’s not scary at all being a seed-stage startup CEO that raised money during COVID and is now dealing with an insane recession. It’s a breath of fresh air, I can tell you.