When it comes to cyberattacks, it’s more a matter of if than when, no matter how strong your cyber hygiene is. One of the best ways to minimize damage from cyberattacks is to be prepared for them. So how do you get your organization prepared? Tabletop exercises are a great way to help build your incident response plan.
Dino Busalachi is the principal partner and co-founder of Velta Technology — a system integrator that works with operational technology/industrial control system (OT/ICS) security. He recently spoke to us about tabletop exercises for the ICS Pulse Podcast. To listen to the whole interview, you can find it on our ICS Pulse Podcast page. The following is edited for clarity.
ICS Pulse: You guys use the term “digital safety.” Why did you land on that term, and what do you think the benefits are?
Dino Busalachi: Safety is everybody’s responsibility, No. 1. That’s one of the ways to get the OT teams engaged in this dialogue when you start talking about bringing these tools in. Because even if IT [information technology] is maybe driving the initiative, which is a good thing, that they know there’s something that needs to be done, you’ve got to get the OT team to the table.
Safety is something that they do care about. Process integrity and operations is something that they really care about. IT helps you manage your business; OT is why you are in business. They’re the reasons why you’re in business. They are the cash registers. They’re the revenue generating stream on that plant floor.
IT is managing your business systems in the environment, but they’re not the reason why you’re in business. You have to get those people who are responsible for why you’re in business engaged in how they’re going to secure and protect these control systems that make the products that they make.
ICSP: Could you walk us through the importance of tabletop exercises and what role they play?
Busalachi: The tabletop exercise is really good to get all of the key stakeholders involved in the discussion. That includes the C-suite being involved in this discussion so that you can at least get everything out there to describe how are you securing that environment today. One of the questions I always like asking is, “Are you applying the same due diligence to secure and protect the plant floor as you do to your business systems, your enterprise? And if you’re not, why aren’t you doing that?”
One of the key things that I always like doing is getting to the plant early, before you get to the tabletop exercise, and have pictures taken of the control systems in their specific manufacturing facilities and present those as a part of the exercise. A lot of times, you’ll have the IT executive, the CISO or the CIO or their IT cyber group presenting the enterprise security strategy. That’s great. As they go through it and doing all the things that they’re doing, then you can pivot to these control systems and say, “Let’s talk about these.” Usually, what will happen nine out of 10 times is you’ll hear that part of the organization go, “Well, I don’t think those are my scope.” As soon as the CEO or the CFO or the COO or the risk people hear that, they’re like, “Wait a minute. I thought you were the cybersecurity guys.” OT is sitting over there going, “Yeah, we’re not the OT security guys because I don’t have budget, I don’t have resources and nobody told me that it was my job.”
Those are the gaps that you’ve got to get out onto the table quickly in front of those folks so they can start figuring out what can they do, especially when you talk about some of the controls around how you’re going to provide visibility, boundaries, access, exposures and continuity inside that environment from a security perspective, and start really digging into it. Every single security framework that you go through, the No. 1 tenant of all of them is asset inventory — actionable, real-time asset inventory — and not a snapshot in time, but monitoring as it is right now in real time.
A lot of organizations think that an assessment is doing penetrations tests. If you’re going to do a pens test on a plant, that plant is going to be shut down before they let you do that because it’s disruptive in what it does. The nature of it is what you’re probing and scanning inside of that environment. The only way they’d ever let you do that is when they’re in some planned downtime or maintenance window to fix stuff, clean stuff, replace stuff to get ready for maybe their next cycle of startups.
You’re missing out on a whole bunch of stuff when you’re doing that. These environments are more dynamic than people realize. They think that the OT environment is very static. It’s not. There are assets coming and going. There are applications coming and going. There are users coming and going. There are new protocols coming and going. There is new remote access into that environment. There’s a whole bevy of activity going on inside that plant that nobody’s really tracking or monitoring because IT is not watching it.
This is because they don’t know what’s good or bad. They don’t know what’s right or wrong. If somebody made a change to a PLC (programmable logic controller), that doesn’t mean anything to them. It means a lot to the OT guys when somebody made a change to a PLC. The pens testing, in my opinion, is something that you do in the enterprise. It’s done in an environment that’s active and hot and live. Going in there and trying to attack the control system environment could potentially shut you down. It could break equipment. Now you could have faults. It’s very disruptive.
You still need a group that specializes specifically in protecting and securing industrial control systems. There are a lot of vendors out there who sell the technology, but being a practitioner to go in there and know how to put that tool in and expand its visibility down through that control system, down into those panels to get those sensors in there and then to make sense of all of that stuff, is important.
Who’s going to do the mitigation remediation work and the research on what patches we could apply? You need to make it set up for those groups that are closer to those assets versus somebody who’s too far away that doesn’t really know. You’ll hear everybody say, “Well, you can’t patch those things.” How do you know? Have you even looked? Have you read the advisory bulletins and studied them to see what your options are? You need to do that in real time and have an accurate picture of the weaknesses that are associated with the assets that you have.
You can keep an eye on them and then determine if there are things that you can do and start your research in your work. Of course, that requires money and people to do that.
For more episodes of the ICS Pulse Podcast, click here.