How to Stay Ahead of the Next Operational Technology Threat

RSA Conference 2019: In an exclusive interview, Cisco keynoters explain why things aren't quite as bad as they seem for security and how working together actually works.

SAN FRANCISCO—The daily deluge of negative security headlines and data breaches isn't the whole story when it comes to modern cyber-security, according to Cisco.

In a keynote at the RSA Conference here, Cisco executives outlined some key successes against recent threats and detailed a strategy for bridging the gap between information technology (IT) and operational technology (OT) systems. In an exclusive interview ahead of the keynote, Matt Watchinski, vice president of Cisco's Talos Threat Intelligence unit, and Liz Centoni, senior vice president and general manager of IoT at Cisco, provided the inside story on what's really behind the headlines of data security today.

"We often don't talk about successes, but they are there and we can learn from them," Watchinski told eWEEK.

One of the major successes that the industry has had over the past year was with the VPNfilter incident in May 2018. In that incident, an attacker group was able to infect more than 500,000 devices around the world and could have potentially shut them all off as well.

Watchinski said that one of the underreported and largely unknown elements of VPNfilter is the fact that the malware authors had embedded a kill switch that quite literally could have bricked the infected routers, severely impacting the internet as a whole. That didn't happen, because cyber-security vendors, including Cisco, working as a group together with law enforcement, were able to detect the threat and take action. The ability of vendors to work together is a key strength of the modern cyber-security landscape, according to Watchinski.

From a malware perspective, Watchinski said VPNfilter was noteworthy for a number of reasons:

  1. It targeted IoT devices.
  2. It used those devices to move into traditional IT networks.
  3. It searched out OT networks connected to those IT networks.
  4. It had specific functionality for stealing industrial control protocol credentials, so it could pivot into and monitor these OT networks.

The VPNfilter threat serves to underscore the risks of different types of technology, including OT, which is often distinct from IT.

"The machines are rising, and we’ve learned so much in a very short period of time," Watchinski said. "We now need to learn the world of OT, a very different world than ours. But these things are converging and we must adapt to meet them." 

Understanding OT

OT requires a somewhat different approach to secure, and the worlds of IT and OT need to be bridged for security to actually work, Centoni told eWEEK.

"What you're securing means different things to an IT and OT person," she said.

For OT, the concerns are about production, and the key thing that is often needed is visibility. She said that going into an OT environment and talking about malware and threat reduction doesn't work, because that's not the OT mindset.

Fundamentally, what Centoni is advocating for is that OT and IT security teams come together to form an OTSEC effort. 

"OT systems stick around for decades, so it’s important to get it right," she said.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.