Earl Perkins

A member of the Gartner Blog Network

Earl Perkins
Research VP
5 years at Gartner
32 years IT industry

Earl Perkins is a research vice president in the Security and Privacy team at Gartner. His focus areas include identity and access management (IAM), including user provisioning, role life cycle management… Read Full Bio

Coverage Areas:

When are we going to stop admiring the cybersecurity problems facing smart grids and other operational technologies?

by Earl Perkins  |  May 22, 2014  |  4 Comments

I think after a few years of incessant media coverage on every conceivable way our critical infrastructure can be compromised, many within and outside of operational technology (OT) firms are likely to be desensitized to the problems outlined, from taking down power grids for millions to disabling water and sewage treatment plants, from diverting trains to disastrous collisions to destroying sensitive medical devices, from opening oil and gas pipelines to stopping assembly lines– the list just keeps growing. Desensitization to all of this news would be unfortunate, since we do need people who remain sensitive to the risk without wallowing in despair over the scale and occasional drama associated with the problem.

At the heart of it all is the realization that (a) the number of type of systems that can be compromised is more vast than we perhaps previously envisioned; (b) the increasing complexity of new technologies and their integration and interaction increases the threat surface and opportunity for compromise; and (c) what can be done to actually mitigate or prevent some of these threats from becoming reality is nowhere near as exciting to talk and write about as the threat itself. We appear to be a society long on admiring problems and their consequences and short on actually providing some good news about what can be done to solve problems. Let’s take a look at just a few simple, positive activities taking place that will help an enterprise an effective security and risk management plan for their IT/OT infrastructure.

1- The majority of the problems that have already been reported could have been prevented without new, sophisticated technologies. Instead old-fashioned best practices in security and risk management (that have been practiced for years), applied consistently across the enterprise would have prevented many of the headlines from being written. These practices include a top-down, risk-driven governance process, effective communications across engineering, management and operations and simple techniques applied to the use of threat intelligence, detection and response, access control and vulnerability management (among other domains). They include having a security architecture that has defined controls across all layers of IT and OT infrastructure– data, application, system, network and endpoint. They include a balance between prevention and detection that allows for reduced response times to compromises. Proven security and risk practice has been documented and available for a very long time. What has been missing is an appreciation of the risks taken in continuing with their absence and the mandate or will to apply them in many enterprises;

2- There are existing points of integration between IT and OT security that are available today, and using them as a starting point to engineer, manage and operate security requirements is efficient, cost-effective and can result in immediate early benefits against the threats described. One of those points is the network. For decades, IT and OT network architects, engineers, managers and administrators have worked together. In some cases they have shared network protection assets. In other cases they have provided support and maintenance for one another in key security areas. Unlike other areas of IT and OT, most OT-centric enterprises have network teams that as a rule respect and trust one another– a key criteria to move forward quickly in securing OT infrastructure. Ensure that your network planners play a key role in implementing IT/OT security process and technology early in the program;

3- There are a number of excellent forums for OT security and risk planning, management and operations information, and that number is growing monthly. Not only are such resources as ICS-CERT and vendor-sponsored reports and services available to report threat information, but there are peer forums, frameworks, checklists, templates and other information sharing and guidance tools available to enterprises that seek to improve their security and risk management posture. Most enterprise planners know how to filter out vendor-marketing speak for some of the available resources. Most of these resources cost nothing but the time to access and use them. In fact, if there is a problem with this activity it may be that there are almost too many resources, and sometimes enterprise planners have difficulty knowing where to start. That is a good problem to have, considering the alternative. Gartner can assist you in finding, filtering and using our tools as well as other available tools to assist in building or managing your security and risk management program;

4- There are signs of progress in the development of risk frameworks that encompass a more holistic view of security for the enterprise, where IT, OT and physical security considerations are incorporated into a more comprehensive digital security model for assessing, addressing and managing risk for the enterprise. More comprehensive and complementary security controls are being defined. Major industry players in security and risk management are moving to acquire companies that incorporate OT security functionality into existing IT security, to create partnerships with other providers to ensure that this comprehensive idea of digital security is addressed according to industry-specific and process-specific requirements. It is still early, but the momentum is there and OT-centric enterprises can expect better assistance soon.

Yes, the sky is dark. Yes, there are real threats, real problems, real risks. No, the sky is not falling. The news isn’t all bad. There are ways to address these threats. Keep that in mind the next time you read the next scary story about OT security.

4 Comments »

Category: Cybersecurity Operational Technology OT Security Security     Tags:

4 responses so far ↓

  • 1 When are we going to stop admiring the cybersecurity problems facing smart grids and other operational technologies? | Euler Global Consulting   May 22, 2014 at 4:41 pm

    [...] By Earl Perkins [...]

  • 2 Ken Steinberg   May 22, 2014 at 6:15 pm

    Nice article Earl.

    I have consulted with a number of DC agencies over the years and we always get to the same question about the cybersecurity industry.

    When is the cybersecurity industry going to realize what medieval and the present-day military already know?

    There is no long-term defensive posture. No castle, fort, of cyber-boundary is completely defensible. If you are on the defense, the enemy will eventually find a weakness. The only two postures that can thwart ongoing attacks are offense and obfuscation/randomness.

    We all realize that it would be the “kiss of death” to any security CEO to tell their shareholders the “problem was solved” but it sure would be nice to see some actual innovation in the cybersecurity field and perhaps some analyst coverage about companies that are attempting to provide offensive or obfuscation approaches.

    Is Gartner up for the challenge of reporting “ahead of the curve”?

    Keep up the great work.
    Ken

  • 3 Ken Steinberg   May 22, 2014 at 6:20 pm

    One more quick note. I think it is common knowledge that the utility grid is still unsecured because the utilities are more afraid of making changes (the cost, testing, re-certifying, the “unknown”) than updating the control systems.

    They are basically “incentiv-ized” not to make changes. The devil you know vs the one you don’t. Unfortunately this leaves them open to ongoing probing and eventual subversion.

  • 4 Earl Perkins   May 23, 2014 at 5:35 am

    Thank you Ken for the comments. The situation for OT-centric firms like utilities are a bit more complex to address than obfuscation and/or randomness, but that is certainly one element of the solution. Having worked in the energy and utility industry for 16 years before becoming an analyst, I find that potential security and risk decisions are dominated by money– the lack of it, the effective use of it in detection as much as prevention, the pursuit of profit vs. the reality of regulated industry requirements. Providing incentive to each industry, whether utility or manufacturing, health care or oil and gas, has different components to the incentive. In the case of utilities, the capital assets that might require modification are prohibitively expensive without that incentive. We have found that utilities aren’t afraid of change as much as they are afraid of making decisions that result in loss of money they would rather spend elsewhere.