I think we’re going to see a lot more ransomware in these environments because it’s a lower barrier to entry. To build secure and resilient Web3 systems, transparency alone is not enough. “Attackers are humans and humans are lazy. Device-level supply chain attacks may happen eventually, but why bother when you can just bang on someone’s VPN that’s out of date,” Carhart said. “It’s the more practical things that worry me the most, like the IT people not talking to the operational technology people. Supply chain attacks and serious intrusions by nation-state adversaries are real threats in the ICS environment, but those are not the ones that Carhart spends her time worrying too much about. While some of the threats facing ICS and the companies that operate them are comparable to typical enterprise threats, the consequences of successful attacks can be quite different, depending upon the environment. Teaching this kind of security is not easy. It’s one of the things that’s protecting us from catastrophic things happening right now. The phrase security through obscurity has never been so true. “We definitely have adversaries who know how to do those things, but it’s expensive, it’s time consuming, and it’s difficult. And the information isn’t always easy to find,” Carhart said. “If you’re a bad guy and you want to take out the power in this country, you have to know the specific devices that a grid operator uses, then you have to learn everything you can about those devices. None of that is simple, nor are there really any shortcuts to be had. All of which means that the attackers on the other side of the fence need to invest an equal amount of time, money, and resources to gain an equal level of knowledge and expertise. And they spend years understanding how those environments work, what the risks are, who the specific adversaries might be, and how to defend against them. 
Which is why even within the niche community of ICS security experts, there are smaller subsets of people who specialize in specific devices or industries. Carhart, for example, tends to focus on manufacturing, but other specialists may dig in on power plants or transportation. Understanding how all of that works and what weak spots and potential vulnerabilities may exist is not an easy task, even for just one specific device. The software on a given device may be custom built and may speak custom protocols. The systems in mining operations, trains, power plants, and other complex environments generally are made by a small number of highly specialized companies. There certainly are adversaries who do, but it is a very high bar to entry and you have to invest a significant amount of time and money to get over it.” “There are not a lot of people who understand at a deep level how these systems work and that includes the adversaries. I don’t think it’s ideal, but it’s a real thing in those environments and it’s effective,” said Carhart, a principal threat analyst at Dragos, a firm that specializes in ICS security. “Security through obscurity is a real thing. Lesley Carhart is part of that small population, and one of the things she’s found over the years doing incident response and threat analysis in ICS environments is that the esoteric nature of those systems works to the advantage of the teams defending them. Understanding the way ICS work and how they tie into IT networks in expected and unexpected places is a major challenge and the number of people on either side of the ball fully versed in that discipline is vanishingly small. The world of industrial control system security shares a few similarities with normal IT security, but defending ICS is a unique and strange beast. That democratization of information can make life easier for attackers in many cases, but there is still at least one realm where that's not the case. 
SAN FRANCISCO-One of the great things about the Internet is that information on nearly anything is available at any time.