{"id":118490,"date":"2022-07-28T09:00:00","date_gmt":"2022-07-28T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=118490"},"modified":"2023-05-15T23:03:57","modified_gmt":"2023-05-16T06:03:57","slug":"industrial-systems-what-it-takes-to-secure-and-staff-them","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/07\/28\/industrial-systems-what-it-takes-to-secure-and-staff-them\/","title":{"rendered":"Industrial systems: What it takes to secure and staff them"},"content":{"rendered":"\n

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Patrick C. Miller, Chief Executive Officer (CEO) and owner of Ampere Industrial Security and the founder and former Director of the Energy Sector Security Consortium. The thoughts below reflect Patrick’s views, not the views of Microsoft, and are not legal advice. In this blog post, Patrick talks about security and hiring challenges in the industrial security industry.

Brooke: How did you get into industrial security?

Patrick: My dad was in telecommunications, so I grew up with a wire in one hand and a flashlight in my teeth, crawling down dark holes full of asbestos and dust and running wires. I built a lot of analog phone systems, and even had a pair of pole spikes, a test set, and a hard hat. I have done everything from climbing poles and stringing line to wiring building-size main distribution frames (MDFs). I was a phone tech who programmed phone systems for most of my younger days. I had done a lot of the security components on the telecom side. Back then, there were a lot of things like long-distance fraud and voicemail access that had to be secure.

I was going to school for biology, with a focus on the botany and microbiology side, when I got a chance to touch the supervisory control and data acquisition (SCADA), operational technology (OT), and industrial control system (ICS) environments as a side job. I was working as a propagation manager for an exceptionally large commercial greenhouse operation, using my biology skills and doing technical stuff. I merged them together and automated a bunch of horticulture warehouse operations, including light, shade, temperature, water, and airflow management. That is where I got my toe in the water of programming and building in industrial environments.

Brooke: How did you grow your skills in the industrial security world?

Patrick: There were no security certificates or college courses in the late 1980s and early 1990s. I fell backward into operational security because of incident response. We had things like bulletin board systems. I had one of the first dial-up modems, and I would go through my university account and look up how to do something. I learned primarily through 2600: The Hacker Quarterly and hands-on success or failure from whatever tutorials were available back then.

Now, I specialize in ICS or OT. Whether it is water in a pipe, power on a wire, traffic on the street, boxes on a belt—it is all flow control. It is incredibly challenging but also very satisfying. At the end of the day, you know you helped keep the lights on, keep the water flowing, keep the gas moving, whatever it may be. Those are critical infrastructures.

Brooke: Why are industrial systems targeted in cyberattacks?

Patrick: Gas, water, electricity, food processing, and transportation are all very necessary. Civilization depends on these infrastructure services. If I am a ransomware operator or a criminal, I can hold your system hostage and since you know there is a quick and severe impact, there is a high likelihood you are going to pay me. They are a high-value target from a criminal aspect as well as from a nation-state or geopolitical perspective for the same reasons but different motivations.

Proprietary information is a target as well. If you have some product or manufacturing or a better way of doing something, I do not have to do the research and development (R&D) to compete with you. I can just steal all your data and do what you do better because I am not spending all the money on R&D and effort. For lots of varied reasons, they are high-value targets.

Brooke: What are the biggest challenges in securing industrial systems?

Patrick: With industrial systems, our biggest worry is our legacy environment because it is just old. Some of the components have been around 40 to 50 years. They are digital-ish and they have analog inputs, but they were not designed to be networked. They were designed to be in a closed system where you had to have physical access to them, but we networked them anyway. They are terribly insecure because the expectation was that these environments would never connect to anything else.

We are seeing a trend to not necessarily disconnect them, but rather connect them in smarter ways. And if you need access to these environments, you must jump through enormous amounts of pain to get an inbound connection. We are just isolating the heck out of it and finding ways to intelligently island or “turtle-mode” those environments so they can operate by themselves. That way, if you have a problem, you can still run the important stuff in an isolated, disconnected mode and you do not lose power, water, gas, or whatever it may be.

If there’s ransomware burning through your corporate environment, you can take your industrial environment and shut it off from the outside world so it can operate in “turtle mode.” However, costs go up. Isolation is expensive and extra architecture is expensive. There are a ton of challenges, both financially and operationally, in trying to move toward a more defendable architecture than we had.

Brooke: What else can enterprises do to protect themselves from these security risks?

Patrick: I have done multiple presentations on if you can only do some things, do these things. They may sound simple, but they are often not easily done in industrial environments: