Industrial control systems (ICS) are no strangers to digital attacks. In its Threat Landscape for Industrial Automation Systems in H1 2017 report (PDF), Kaspersky Lab reported blocking attack attempts against 37.6 percent of ICS computers that use the Russian security firm's products. It also detected 18,000 variants of 2,500 different malware families that infected 20.4 percent of ICS computers via web downloads or phishing attacks.

To better understand these and other digital threats confronting ICS devices, I decided to speak with Robert Landavazo. He's an ICS engineer at Tripwire who specializes in NERC CIP compliance. Below is a portion of our conversation.

Maribeth Pusieski: How did you first get involved in the industrial security space? What was your career path?

Robert Landavazo: I was always interested in security when I was younger, and I was fortunate to be supported by family. So I went to school for Information Technology and Security. I don’t think it’s typical to follow through with childhood career aspirations, but it somehow played out exactly that way for me, and I wouldn’t change a thing.

Once out of university, I got into software development, working on an application that automated design documentation of complex systems in the video production industry. From there, I went into IT for public safety (i.e. 911) and was then hired by a NM electric utility. There, having access to appropriate funding and resources helped me and the team I was on create from the ground up a more mature security program, of which Tripwire was a significant component. In fact, this whole experience helped open my eyes to what can occur when a corporation makes implementing a mature security and compliance program a priority. Not only that, but the move to Tripwire was exciting, as I can now evangelize, educate, and assist others with what I already know.

MP: What brought you to Tripwire?

RL: My career path exposed me to a variety of seemingly disparate industries. But as I encountered more of them, I began to see an emerging thread – the value across corporations of solid foundational security programs. For example, consider the fact that the Internet of Things (IoT) covers all sorts of devices, from refrigerators to “smart” firemen’s helmets with heads-up displays. That type of diverse environment could create incidents that are like something out of a Twilight Zone episode or Stephen King novel. Just to illustrate, what if all the refrigerators were able to band together (reference to HBO’s Silicon Valley) to skew or make unavailable incident information being sent to the firefighters through a DDoS attack?

MP: We’ve seen a lot of attacks on various critical infrastructure. Do any specific events stand out as turning points for you?

RL: It’s easy to reference the Ukrainian power company incident and others like it in the news, but what interests me are those that aren’t directly associated with critical infrastructure but can and probably are having direct effects on ICS environments. Take the KRACK WPA2 security flaw, for instance. It highlights why there needs to be more work and investment around cybersecurity. While it’s true that the vast majority of critical infrastructure isn’t reliant on 802.11x, environments closely neighboring them have large Wi-Fi deployments, making them a huge target in order to get a foothold for an attack vector into critical infrastructure environments. It really is all about corporations maturing into best practices as well as their agility to react quickly to vulnerabilities in their environment.

MP: How do you think IT and OT can work together better? Any practical insight or advice?

RL: Administrators and analysts with responsibilities in the respective IT or OT environments have a lot to offer each other. The days where each organization could successfully operate independently are over. The hold-outs in opening the doors of communication will quickly find themselves behind the curve. Experts in OT can teach their IT counterparts a lot about uptime and availability, and experts in IT can teach their OT counterparts a lot about security and best practices that can and should overlap.

MP: In your opinion, what does the future look like for industrial cyber security?

RL: The first time I set foot in a substation, I did a double take when looking at a lot of the equipment’s nameplates. Yes, some of this gear predated me. While traditional IT environments matured much faster, ICS environments did not. I think this will start to change; I think we are about to see the trend of innovation in ICS speed up. Perhaps not like we saw with IT over the past 10+ years, but mark my words, it’s happening!

MP: Finally, what advice would you give any folks looking to learn more about industrial cyber security?

RL: There are a lot of resources out there, but be forewarned – a lot of the content I’ve run across recently smells a lot like IT, and that isn’t always the best fit for industrial environments. That being said, it is improving as ICS security gains more attention, so carefully evaluate your source of information while keeping an open mind about what’s out there. Again, IT has a lot it can teach OT, just as OT has a lot it can teach IT.

On November 7, Tripwire will host a “Tripwire University: ICS/SCADA Edition” webcast, where Robert Landavazo and Jonathan Skeele will spar over differing views and methods in a point-counterpoint between IT Security and Operations. Both gentlemen are knowledgeable and experienced professionals within what we might say are at times incompatible disciplines. Somehow, they’ll get along as they enlighten us on how it works, and sometimes doesn’t, when ICS security is in the spotlight. To sign up for the event, click here!