On Thursday, October 18, 2018, at GridSecCon 2018, I will be speaking on behalf of New Context about what it means to run security orchestration in your converged IT and OT environments.
Both IT and OT are struggling to keep up with an ever-changing and advancing threat landscape, yet they face very different challenges and need to understand each other better. All industries struggle with a lack of resources, skills and budget for cyber security. With the coming convergence of IT and OT, many organizations have begun looking at implementing IT automation within their OT environments. Unfortunately, today's IT automation tools are largely just a series of incident-response playbooks.
The next wave of threat management features will begin to merge information from both analog and digital sources, and tools' capabilities will go beyond incident response to the point of true orchestration of many traditionally isolated IT and OT systems.
If you are considering deploying security orchestration tools into your OT environment, then there are a few key points to consider.
When first installing one of these products, consider how much access you are comfortable providing, and take a stepped approach that increases that access over time. At the outset, you may feel most comfortable with a read-only or alert-only deployment: the tool can collect OT telemetry and raise alerts for a human, but it cannot change the state of any device. As time passes and your comfort and the tool's maturity increase, work towards an environment of full automation.
What OT can Learn From IT
Modern IT infrastructure makes heavy use of designs built on ephemerality, instrumentation and isolation, and OT can take a page or two from IT on these topics. Although Netflix runs a far more mature and advanced infrastructure than most OT environments, it provides a north star for what can be achieved. Consider the approach Netflix takes with its Chaos Monkey utility, which deliberately terminates production instances to prove that the system tolerates failure before a real outage does it for them.
“If your application can’t tolerate a system failure would you rather find out by being paged at 3am or after you are in the office having already had your morning coffee?”
-Netflix Chaos Monkey
What IT can Learn From OT
When it comes to orchestration, IT can learn a few things too. In the world of OT, engineers are veterans at prioritizing safety and reliability. Furthermore, OT makes use of state estimators and heavy analysis before implementing changes. ICS devices may seem antiquated compared with modern infrastructure, but single-purpose ICS devices have an upside in that they are highly predictable. If you're not familiar with some of the horror stories of IT operators going off the rails or not heeding warnings, then spend a few days reading the BOFH stories at The Register.
“went into the server room and walked up to the server with its console perched on top. I logged in and, without checking, I entered the shutdown command.” -BOFH, The Register
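The two lessons above, a stepped read-only / alert-only / automate rollout and the OT habit of checking observed state before implementing a change, can be enforced in the same place: a gate that every orchestration action passes through. The following Python is an added example and is not code from this post, from New Context, or from any orchestration product; the mode names, action names, state fields, hosts and addresses are all assumed for illustration.

```python
"""Staged security-orchestration gate with OT-style preconditions (added example).

Assumptions (not from the post): an action is a small object with a name,
a target, a flag saying whether it mutates device state, and an optional
precondition that inspects the observed state before the change is allowed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Mode(Enum):
    """Deployment stage of the orchestration tool (assumed naming)."""
    READ_ONLY = 1    # observe only: no alerts, no changes
    ALERT_ONLY = 2   # raise alerts for a human, still no changes
    AUTOMATE = 3     # execute approved mutating actions automatically


@dataclass
class Action:
    name: str
    target: str
    mutates: bool
    # Returns None when the observed state permits the change, otherwise a reason.
    precondition: Callable[[dict], Optional[str]] = lambda state: None


@dataclass
class Decision:
    action: str
    target: str
    outcome: str   # "executed", "alerted", "logged" or "blocked"
    reason: str = ""


class OrchestrationGate:
    """Decides whether a proposed action may run in the current mode."""

    def __init__(self, mode: Mode, automation_allowlist):
        self.mode = mode
        self.allowlist = set(automation_allowlist)
        self.audit = []   # every decision, kept for after-the-fact review

    def handle(self, action: Action, observed_state: dict) -> Decision:
        if not action.mutates:
            decision = Decision(action.name, action.target, "executed", "read-only query")
        elif self.mode is Mode.READ_ONLY:
            decision = Decision(action.name, action.target, "logged", "read-only deployment")
        elif self.mode is Mode.ALERT_ONLY:
            decision = Decision(action.name, action.target, "alerted", "alert-only deployment")
        elif action.name not in self.allowlist:
            decision = Decision(action.name, action.target, "blocked", "not on automation allowlist")
        else:
            # Full automation still checks the state first, as OT does before a change.
            reason = action.precondition(observed_state)
            if reason:
                decision = Decision(action.name, action.target, "blocked", reason)
            else:
                decision = Decision(action.name, action.target, "executed", "preconditions met")
        self.audit.append(decision)
        return decision


def safe_to_isolate(state: dict) -> Optional[str]:
    """Refuse to cut a host off the network while it is doing safety-relevant work."""
    if state.get("safety_critical"):
        return "host is safety-critical; isolation requires a human"
    if state.get("active_operator_sessions", 0) > 0:
        return "operators are logged in; shutting them out without checking is the BOFH mistake"
    return None


def safe_to_block(state: dict) -> Optional[str]:
    """Never auto-block an address inside the OT management range."""
    if state.get("src_in_ot_mgmt_range"):
        return "source is in the OT management range; blocking could strand remote access"
    return None


# Constructed sample inputs (assumed hosts and addresses, not real devices).
HMI_STATE = {"host": "hmi-01", "safety_critical": True, "active_operator_sessions": 2}
HISTORIAN_STATE = {"host": "hist-02", "safety_critical": False, "active_operator_sessions": 0}
EXTERNAL_SRC = {"src": "198.51.100.7", "src_in_ot_mgmt_range": False}

ISOLATE_HMI = Action("isolate_host", "hmi-01", mutates=True, precondition=safe_to_isolate)
ISOLATE_HIST = Action("isolate_host", "hist-02", mutates=True, precondition=safe_to_isolate)
BLOCK_EXTERNAL = Action("block_ip", "198.51.100.7", mutates=True, precondition=safe_to_block)
QUERY_FLOWS = Action("query_netflow", "hmi-01", mutates=False)


def run_stage(mode: Mode):
    """Run the same incident scenario at one deployment stage; return the outcomes."""
    gate = OrchestrationGate(mode, automation_allowlist={"isolate_host", "block_ip"})
    gate.handle(QUERY_FLOWS, HMI_STATE)
    gate.handle(ISOLATE_HMI, HMI_STATE)
    gate.handle(ISOLATE_HIST, HISTORIAN_STATE)
    gate.handle(BLOCK_EXTERNAL, EXTERNAL_SRC)
    return [d.outcome for d in gate.audit]


if __name__ == "__main__":
    for mode in Mode:
        print(mode.name, run_stage(mode))
```

Moving from one stage to the next changes a single setting rather than the playbooks themselves, so the audit trail gathered in read-only and alert-only mode shows exactly which actions the tool would have taken. The preconditions are where the OT lesson lives: even under full automation, the gate refuses to isolate the safety-critical HMI with operators logged in, while the idle historian and the external address are handled without a human in the loop.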
Come See Me in Vegas at GridSecCon 2018
In this lightning talk, we will discuss the difference between today's automation and tomorrow's orchestration, and explore what real orchestration could look like in a converged IT and OT world. I look forward to seeing you all next week at GridSecCon 2018.