The buzzword "cyber hygiene" is being said and written by many of the gurus in the ICS security community. It's hard to argue that basic hygiene is bad, but what is and isn't cyber hygiene?

I recorded a 3-person pod with Marty Edwards of the Automation Federation and Michael Toecker of Context Industrial Security. They were selected because they have used the term, and all three of us had different views on what cyber hygiene means and on the usefulness of the term. For example, is applying security patches cyber hygiene? Is there a difference between cyber hygiene and cyber maintenance?

Amazingly, for three experienced and opinionated people, we all ended up changing our viewpoint and reached a basic agreement. Take a listen and see if you agree with where we ended up.


This episode was sponsored by CyberX. Founded by military cyber experts with nation-state expertise defending critical infrastructure, CyberX has developed an end-to-end platform for continuous ICS threat monitoring and risk mitigation.

Check out the CyberX Global ICS and IIoT Risk Report and my podcast from last year on the report with Phil Neray.



00:00:10 Hi, this is Dale Peterson and welcome to the Unsolicited Response podcast. This is the place where you hear bleeding-edge ideas, analysis and opinions on ICS security from the people who are driving progress in creating the future of ICS and the industrial internet of things.
00:00:27 Our sponsor for this episode is CyberX. Founded by military cyber security experts with nation-state expertise defending critical infrastructure, CyberX has developed an end-to-end platform for continuous ICS threat monitoring and risk mitigation. I'll tell you more about a global risk report you can get from CyberX later in the podcast. I just finished recording this podcast with Marty Edwards and Michael Toecker, and it was really great. I think you're going to really enjoy the concept of what is cyber hygiene, what is cyber maintenance, where these terms should fit and how they should be used.
00:01:04 I think all three of us were a bit surprised that we changed each other's minds and all learned something, and actually ended up agreeing at the end of it, which was quite shocking for Marty and I. Michael claims credit that he was the mediator on that one. Now, before I get into the podcast, one thing: get ready for the S4x19 call for papers. It opens on June 1st, and the way we work is as the proposals come in we evaluate them, we say yes, no or maybe, and sometimes we'll actually say, hey, can you change this, and then we can make it a yes. So the earlier you actually submit your proposal to speak at S4, the better your chances are of getting it in. If you send it in on August 15th, on the last day, we still save some spots for great presentations, but I would say it's probably two thirds full by that time. So this is the time to plan for what you want to propose as soon as it opens on June 1st. Now enjoy my interview with
00:02:04 Michael Toecker and Marty Edwards on this new term cyber hygiene and its applicability to ICS.
00:02:12 Joining me on the Unsolicited Response podcast, I actually have two guests this time, it's a three-man pod. I have myself, Michael Toecker, who is the founder of Context Industrial Security. He's actually a Digital Bond alumni, but when I looked at the dates, Michael, you've actually had your company for four years now. And also on the line is Marty Edwards. He is currently the managing director of the Automation Federation, but I'm sure many of the listeners know Marty from his days as a director of ICS-CERT. He actually has the honor of being the longest-serving director of ICS-CERT. He stuck it out for about six years and left to the Automation Federation in January of 2017. What you got... it surprised me that it's already been a year this past... but welcome to the podcast, Marty. 2017? But who's keeping count, it is almost a year.
00:03:12 You know, I'm looking at my handwriting and my notes say June, it's just my... But let's talk now about the issue. So one of those things that happens, you find in our community, and it's probably true in any community, is that sometimes a certain word or phrase will come up and it just seems to catch on and become something that people use quite a bit, and it isn't, sometimes for a variety of reasons, sometimes it's helpful, sometimes it's not. For example, for a long time, and you still hear it, the word holistic was used a lot, and what used to drive me a little crazy was it tended to be used by vendors when they had a security weakness they weren't addressing. They would say, well, you need a holistic solution, and talk about all the things except their problem. So I wasn't a real big fan of that term. But we've got a new term out now that I really want to discuss, what it means and
00:04:12 if it's helpful and how we should use it in the community, and that's the term I'm hearing more and more, which is cyber hygiene. So maybe as a place to start, Marty, are you a fan of that term, do you use it, and if you do, what does it mean to you? I think, Dale, you know, I have used the term in the past, and as all terms tend to evolve, I'm not so sure I'm as big of a fan now as I was in the past. You know, the favorite one that I always had was smart grid. I think people used that term to mean whatever they wanted it to mean, and especially in the marketing context. The US government and other governments have used the term cyber hygiene to try to encapsulate those most basic good practices, and I think they take the concept from personal hygiene, right? You should brush your teeth, you know, that kind of thing, every day. Well, what are the equivalent things that you should do within a cyber context? So I have used it in the
00:05:12 past. I guess after this podcast we'll determine if I tend to use it in the future. And if you look at the definition of hygiene, I actually looked it up, it's "conditions or practices (as of cleanliness) conducive to health." So I don't think it's an avoidance term like holistic was. You can certainly see benefits of having good hygiene, whether it be cyber hygiene or any type of hygiene. Michael, what about you, are you a fan of this term, do you use it, and what does it mean to you? I am a fan of the term and I have used it in the past as well, basically to refer to good cyber practices, things that help you ensure that you have a healthy system. I also use it in the context of cyber maintenance, so these would be routine activities that you need to do in order to ensure that your security systems stay up and running, you know, that you're continuing to be updated,
00:06:12 that antivirus is continuing to protect your system, that you're watching your updates, and kind of just that whole series of activities that are really helpful for industrial customers. It's really helpful for them to do because it not only ensures that they continue to have a healthy system, but it also keeps just the normal riff-raff out, like the normal stuff that you would normally catch, like, you know, the annual cold, or, you know, getting your flu shot or things like this, so that you can focus on some of the more APT-style attacks or maybe individual attacks that are more focused towards your company rather than just the normal cyber threats that everyone faces. Okay, and I guess just to be fair, I'll answer the same question.
00:07:04 I'm not really a fan of the term and I don't use it, and I'm curious, in diving into what does it mean, as well as the difference maybe between cyber maintenance and cyber hygiene, but we'll dive into that a little bit later. Maybe right now let's try to determine, because this was coming up on Twitter a little bit about cyber hygiene, whether it's good or bad or appropriate, and the answer everyone came up with is, well, it depends what you mean by cyber hygiene. So, you know, Marty, maybe I'll start with you again, although we can ping-pong back and forth on this. I hear a lot of times when people talk cyber hygiene, it almost sounds like just another word for patching to me. So is patching part of cyber hygiene, and is there more to cyber hygiene than patching? Patching, Dale, and of course patching is one of the challenging
00:08:04 problems in some industrial control system environments. So if I was trying to define cyber hygiene in my head, yeah, I think I would say that we all know what good cyber practices look like, you know, good maintenance of your networks with appropriate documentation and appropriate segmentation, having a risk analysis of those network environments so you know how much rigor you need to put into the cyber security envelope around them, and then, you know, defining policies that match back to that. You know, like the cleanliness, I guess, the Good Housekeeping type of thing for those networks, and in my mind I've connected cyber hygiene to that sort of Good Housekeeping sort of concept. Typically in hygiene, if we talk about health, for example,
00:09:03 the cleanliness, there's some general list of things you should do. I guess there are cases where you can go
00:09:11 on a scale of hygiene, right? You can do certain things that everyone says this is basic hygiene, and is there such a thing as advanced hygiene? I don't think they use that word, but hygiene means different things to different people. So you would definitely put patching in there. Michael, what else would you put in there? The normal argument is antivirus is in there, and I would put a backup program in there as well, to make sure that, just like viruses, I'm looking at the health of the whole system, and so backups are important to the health of the whole system. If you ever have something go down you can bring it back up, you can do it quickly, that means that you spend less time down, and that tends to resonate really well with engineering managers at plants. They like the idea of little downtime, they like the idea of practices that they can
00:10:11 you know, say, well, you didn't do this and this happened, and you know that cause-and-effect type of relationship really speaks to them. And then on the actual front-line side you have folks who are like, okay, these are the things that I have to do routinely, and while they're doing those things routinely they tend to notice other things that they may not be doing well. At the time I'm thinking of cyber hygiene less as a destination and more as a set of practices that lead to better cyber security overall. I totally agree with Mike, you know, cyber hygiene has to include, to use another word you don't like, holistic, you know, you have to have that broad-based approach, right? So backups are certainly part of it. You know, I think having good network design and segmentation principles also is part of it, so that if you have some type of outbreak, say ransomware, you know, gets in your system, you've got a way to contain that
00:11:11 particular infection and deal with it. Flipping it over on its head, it might actually be useful to try to define what's not in cyber hygiene, and, you know, I tend to think of things like advanced threat analysis, where you've got actual threat intel coming into your company and you're using that in more of an active defense type of scenario, as being beyond the scope of cyber hygiene. So I think I tend to lump everything that you could do on a day-to-day basis with a reasonable cyber security budget into that sort of cyber hygiene category, and then your more advanced organizations are going to go even deeper into their environment. And you guys, you know, we can get into a discussion about this, because initially when I heard it, it just, you know, made me cringe a little bit. I didn't really know why, so I thought a little bit about what is it about the term that I didn't
00:12:11 like, and there's one, I think there's one just marketing reason, and then there's an actual technical or process reason. The marketing reason is I much prefer the term that Michael used earlier, cyber maintenance. It's the term that I always use, and from a marketing standpoint I think the people in operations are used to the concept that they have to have a maintenance approach to their physical equipment. Even if it's a run-to-failure approach, that is a maintenance approach, and they understand things like preventive maintenance. And just in terms of convincing them they need to do this, telling them they need cyber hygiene, to me, is a harder sale than saying, hey, you maintain everything else in your plant or in your system, why don't you have a maintenance program for these other assets? That's a marketing argument, but I think that's, you know, that's not as important as
00:13:11 maybe the technical argument, and that would be that when I think of hygiene I think of a universal practice that should be applied consistently. You know, everyone should brush their teeth, for example, everyone should wash their hands before they eat dinner, and you can't argue that what you're suggesting is cyber hygiene is not a good practice, but I don't think from a risk management standpoint it's the right way to approach the problem. So, for example, if we look at patching, I don't think people should be patching all of their systems the same way as a basic task like washing your hands or brushing your teeth. I think they should be accelerating their patches, almost immediately, on things that may be accessible from the internet or the corporate network or things of that nature, your firewalls, or your attack surface accessible through the firewalls. But then things that are internal,
00:14:11 like a web server on a PLC or a panel connected to a PLC, if we're spending time doing, quote, good hygiene and patching those, I think we're spending a lot of time and effort on things that aren't actually moving the needle on risk when we have bigger problems. So that's kind of where I have the issue: to me hygiene means this is something that's good, we should focus on doing it everywhere, and I don't think that's the right approach. Similar to some of our past discussions, Dale, you know, I actually agree with you, and I love the term maintenance, and I like the way that you described it with preventive maintenance and run to failure. And if you think about it, what you explained with regards to patching, companies make risk-based judgment calls all the time for their rotating machinery: which pump or which machine are they going to spend more of their maintenance budget on, based on the criticality
00:15:11 of that piece of equipment to their overall operation, right? And so taking those concepts that operations people understand and applying them in cyber, I think makes a ton of sense. All right, so guys, I think we're missing the fact that we don't always talk to the same people, and the individuals are always the ones who are doing the maintenance. So cyber maintenance is great for people who understand cyber, all right, and then you can give them that concept and they can run with it. Cyber hygiene works for all the employees of the site, in other words all of your insiders, all of your unconscious workers, as we like to call them in another industry. And so the cyber hygiene piece can also be used as training for them, right? Because they are the 70% of folks that are in and around a control system that may not always know how to interact,
00:16:11 but they can follow a set of principles and guidelines that ensures that they aren't adding risk to your system. So things like don't plug USBs into the control systems, don't charge your phone on my control system, don't plug in a laptop to my control system, don't run or grab software that you think you need and just put it on my system. You know, things like this, I think, are good cyber hygiene. In the end they're good because everybody follows them, and you can say, well, everyone at our site has been trained in cyber hygiene, they know not to do this, and they know that the consequences of it are potentially dire. And then we also have a cyber maintenance program where we ensure that our cyber systems are up and running, that they're patched, things that we maintain. And I do agree with your patching analogy, not everything needs to be patched. You and I have gone back and forth on this, I think, a couple of times as well,
00:17:11 about frequency and so forth, and I hope that I've come to agree with you on that, Dale. Well, as you were talking about that, so there was part of what you were calling cyber hygiene that I could really buy into, so rules that could be applied universally across the plant. Though that rule, you know, if you look at Mike's explanation of cyber hygiene, in those cases those rules, what popped into my head was it's just like having a safety culture. These are the sort of normal safe or secure behaviors that we expect of everybody in the plant, and that's different than patching and maintaining those cyber devices within your environment. I tried to pull a fast one on both of you, so I'll own up to that, by, you know, kind of lumping some other things into the cyber hygiene idea there, so I'll talk to that.
00:18:11 I think that's actually a really important way... I mean, you've actually very quickly convinced me that the term cyber hygiene isn't bad. I understood going in the marketing aspect, that certainly made this... it was going to be more accepted and useful in the operations world than it is going to be across your organization. But you could actually have something that says you need cyber maintenance and you need cyber hygiene, and then you would put things like... patching would not belong in cyber hygiene the way you're describing it, because you're not applying this basic, easily understood practice to everything in the environment. Am I getting that wrong, or was that what you were trying to plan for? But only if you can state it as a broad principle that can be given to folks who don't necessarily know the ins and outs.
00:19:10 For instance, like an engineering manager, you know, their cyber hygiene piece might be, okay, we need to ensure that we have no vulnerabilities. You know, I'm really bad at this right now, because it's the first time I've thought it through from that perspective, but, you know, do we have any vulnerabilities in our firewall? That would be a good cyber hygiene principle right there, that a manager could actually say to their engineers. It's easily said, easily questioned, and then the engineer gets to go and think, okay, have I gone through here and evaluated my entire perimeter, okay, have I done this on a reasonable basis, you know, what does my model look like, am I concerned about, you know, and be able to answer honestly that question. Say, I'm in there too, but that doesn't sound like hygiene to me. You know, hygiene to me is don't stick a USB stick into this, don't connect a device that's not part of our ICS into the ICS,
00:20:10 wash your hands, brush your teeth. You know, if it's taking more than a couple sentences to say the principle, I'm not sure it's hygiene. Yeah, I agree with that concept, that the basics, don't put a USB stick in or don't connect the laptop up to the system. I mean, I think that you could build a definition that everybody would rally around, that was, like I said earlier, much like a safety culture. You know, don't step across the yellow line, you know, don't go in this area without your personal protective equipment on. And then when you look at the more advanced analytics, if you're starting to look at each system and what patch levels are needed and build, as you call it, the maintenance program around each piece of equipment or each cyber environment that you're trying to protect, then you could, and then you should, have a different plan in place based on the risk of the system. So,
00:21:10 like you said, there are some systems that you would want to ensure are at the best available level of patching all the time, and there are other ones that, you know, we can probably do that on an annual basis when we have a routine outage. And the way I always put that, in that case you're actually not patching necessarily to reduce security vulnerabilities, you're patching just so that your software does not become obsolete and out of date, and that's more typical maintenance. You want to make sure that it's a supportable system. You know, if we extend this further, I would say then that the backup actually wouldn't be cyber hygiene, because you're going to have vastly different backup requirements for different systems. For example, you may not need to back up every HMI, or there are certain environments where the system doesn't change, so you don't need to back up the engineering workstation or database every day.
00:22:10 It might change once a quarter, and your recovery point objective might be quarterly or something like that. So I'd be hard-pressed to come up with a two-sentence thing that would apply beyond something really kind of broad and stupid, like you should have the ability to recover. That's not something that someone can actually implement. So I'd actually put backup and recovery in the maintenance mode, not so much the cyber hygiene. Where would you fall on that, and do you have any other examples of something that would fall in either case, either of the two that we have? Okay, I'm going to go ahead and answer your question. I would agree backups need to be moved probably to something closer to a cyber maintenance piece, less the principle, it's more practice. AV updates, same deal. And so, but the thing is too, is that I think that the 70% of individuals who work at a plant need to be aware of
00:23:10 some of these cyber maintenance activities, and then we need to boil them down to simple principles, because they may be on the front lines of it. For instance, an operator is one of those 70% of people, all right, they don't necessarily know that things need to be patched, which things need to be patched, or which things need to be backed up, but they do know that there's a little agent running on their system, and if it says to them that the antivirus signatures are out of date, they should probably call somebody, and they need to know who to call, and they need to know that, hey, this is not a good thing, that I am sitting in front of an unhealthy system at this point, and I need to make sure the engineer understands that and the people responsible are going to go and fix it for me. I can't tell you how many times I've seen that happen. Just that it needs to be moved off to something else, but the principle needs to be there for people to be able to say this is wrong, this is something that needs to get fixed, and I think it's important.
00:24:10 In other words, too, I think the issue, and I'd pull the stop work...
00:24:15 Let me take a quick break from my interview to talk about this episode's sponsor, CyberX. As I mentioned, CyberX has been a good supporter of S4, being a sponsor since 2015, and the official write-up they gave me says: founded by military experts, CyberX has developed a platform that helps organizations continuously reduce ICS risk. So they have a very interesting product, but what I want to actually talk to you a little bit about is their Global ICS and IIoT Risk Report. We did a podcast episode with Phil Neray on this back in November of last year, and what they actually did is they have this platform that obviously they're selling, they're promoting, to reduce ICS risk, and they put that platform in 375 different ICS networks, primarily to show the asset owner what the platform can do. But as a side benefit of that, they actually were able to collect a lot of data in terms of what is on that network, what's happening on that
00:25:15 network, and they compiled that data, anonymously of course, so no asset owner information was given out, but they compiled that data and created this Global ICS and IIoT Risk Report. You can get that report at Cyber x - and I'll link to both the place to get the report as well as the podcast I did with Phil in the show notes. CyberX was able to generate this report because their platform has the built-in intelligence to understand a large number of ICS protocols, the popular ones of course, as well as many proprietary protocols. So I'd encourage you to download that report, listen to the podcast and check out their platform at Cyber x -
00:26:01 Now back to my discussion with Marty Edwards of the Automation Federation and Michael Toecker of Context Industrial Security.
00:26:11 Marty, as we've gone through this, do you have anything else that you would think would be a good example of something that delineates between cyber hygiene and something else, whether you call it cyber maintenance or something else? Yeah, I think something like always changing the default password of a device when it first comes into the system is more of a hygiene type concept than a maintenance type concept. You know, a maintenance type concept would be, you know, adhering to your password change or update policy, if the organization had one for the specific system. Another interesting perspective, I think, is I was flipping through some reports from ENISA, the European Union Network and Information Security Agency, and they had a quote in there that said that the UK government attributed the success of 80% of the attacks, 80%
00:27:11 of the attacks succeeded, due to what they call poor cyber habits, and I think they're trying to say that, you know, if people did these basic good cyber hygiene, good cyber habits type practices, they could eliminate 80% of the attacks. I'm sure those are for IT-based systems, right, so there's some differences in the operational technology area, but we're trying to capture the low-hanging fruit, I think, is what the concept is. So how would we boil that down to a principle then? You know, this default password, or a good password is a password that only you know, like would that be how we could move that down to a principle that we could just simply state and people would understand?
00:28:00 I don't know about the "only you know" part, because within an operational environment, you know, we have needs to accommodate shift workers and things like that. So, but I think it would be that, you know, don't ever allow a device to come in and leave the password the same as the default that's in the user manual that's available on the internet, for example. Yeah, I was actually going to ask you that, whether issuing individual accounts was cyber hygiene or not, because then you start to get into, and this is where I've had the biggest problem again with the concept, because it relates to something I'm seeing a lot where
00:28:45 you'll get it in... I am not railing against the IT/OT convergence. It's happening, it needs to happen, it's a good thing, but we're seeing a lot of uninformed issues where someone with the board will hire someone to come in and audit the system, you know, they hire some firm, Ernst & Young, IBM, someone like that, and not one of their ICS people, just someone who does the enterprise, and the first thing they'll find is missing patches, and then the number one thing that has to be done is everything has to be patched, you know, quarterly or bi-monthly or something like that, and they actually have these reports that end up going up to the board showing their patch
00:29:29 completion percentage every quarter, and that just is so wrong. So I'm worried about things coming in, and probably why I reacted so strongly to the term, I'm worried about things coming in under this cyber hygiene umbrella that are actually not reducing risk much and are taking all the, I guess, all the money and all the time that the team has to secure the system without doing much. So that's kind of where I get to it. Now, what you mentioned, this individual user accounts, is another good example of that. You can make that happen, but is that cyber hygiene, is that a control that we should be pushing out to everyone? And maybe that's the thing we need to start doing is looking at what controls should be pushed out to everyone. And I'll go through that again, you know, the individual user accounts debate, quite frankly, in the operational technology ICS space, personally I don't think it has
00:30:29 that much value. You know, I think in certain situations you need to have individual role-based access. I think there's other access that you can have, shared accounts, in an environment that's properly controlled, that can be quite effective. And so I wouldn't want to lump all that into the cyber hygiene category, because I agree with you, Dale, I think it tends to get picked up by the consultant crowd that then wants to use it as a tape measure to measure progress. And, you know, I've seen them in the government, these reports that come out with X number of percent of systems patched, in a big IT environment with a hundred thousand, you know, Windows desktop machines. I think it's a valid metric to say that we're at 95% patch completion, you know, on those networks, but you have to look at each one of these
00:31:27 enclaves or zones in the control system environment, and they each need to be handled differently, and there need to be tailored controls for them. So, you know, I think there's more debate that needs to occur to get the buckets right, which is what's cyber hygiene and what's cyber maintenance and then what's something else. What's the principle that we're trying to defend with individual user accounts? The principle we're trying to defend is being able to track user activity down to an individual, so I feel that in the event of an issue you can go back to that individual, if they're trusted, and say, hey, did you do this, and then be able to, you know, understand, well, yeah, they did. And so it's obviously more important for privileged users, at that point engineers, to have an individual user account, and less necessary for an operator potentially to have one of those, and of course it depends on the security controls on the system.
00:32:27 We recently did a Yokogawa system. Yeah, yeah, that's right. I mean, I'll go back to, you know, how I initially threw this on the table. What I was trying to get across was we need to ensure that there's no default account that's still enabled in the device when it comes in; that could fall more into the cyber hygiene category. The individual accounts per user, you know, I think that's a different discussion, and you can even break that down, and this is where I think we need to be careful. For example, you could say individual accounts are required for all users with administrator privileges. One of the dangers we have here, and I always worry about it when you have these discussions where you say this good practice in the enterprise doesn't apply, is that a defense mechanism in our industry has been for decades, you know, oh, that doesn't work,
00:33:27 or you don't understand our system. So we have to be careful that we don't fall into that, but I look at it more from a risk standpoint: if I'm going to spend all this time and effort, how much risk reduction am I getting, and also
00:33:42 could I be doing something else with that time and money that would have given me a lot more risk reduction? I was just going to give the example of application whitelisting versus patching. You know, if I have my choice on all my internal systems, non-accessible attack surface, and I'm going to say, okay, I can spend all my time patching them bimonthly, or I can spend that time and money deploying application whitelisting or monitoring the firewall logs for egress attempts. I can think of a lot of things I would rather do than patch everything in my ICS level 2 and level 1 bimonthly. You know, great, I could check that box, and it certainly is improving security, you can't argue that it's not helping, but I just spent all that time and money on something that's barely moving the needle where I could have done so much more. That's where I really get the heartburn. And, you know, I mean,
00:34:42really like this concert side first of all fundamentally agree with your statement about you need to take a risk-based approach the other concept that that really I hadn't considered too much before is this this whole idea of cyber maintenance and when when you talk about the things that you should be doing such as look at your egress logs on your firewalls and still doing those things instead of patching a thousand you know our to use or something on on some frequent basis just fits really well into year was scheduled maintenance plan right so here's the things you should be doing often like during a grease gun around and going and greasing these bearings on these critical pieces of equipment versus tear something that you should do on an annual turn around bases where you might want to bring in additional resources you might want to contract some organization out to come
00:35:42and go through an update the software on all of these devices when you have a good outage window but you know focus on those high priority things in your higher risk environments like the demilitarized zones around your control system you know zones and an enclave. And I think that Translating that into some sort of a maintenance schedule and maintenance plan just makes a tremendous amount of sense to me I'm already I'm going to have to do something I've submitted cyber maintenance talks to a couple of ICS I just conference is recently so I've been thinking this through for a while the other the other fun side about cyber maintenance to and putting it into a cyber maintenance program is that you get management oversight and you get management oversight through a program that they're familiar with and that Finds Its way through various KP eyes and reviews and things like that to board level
00:36:42type supervision alright we're there measuring quality and measuring you know risk and things like that and they're doing it in in a in a consistent way already so you gain the advantages of oversight and and this understanding that the maintenance program is Cypress act at a I'm pretty sure I'm at a facility and you gain all of that can you gain it for specific activities related to cybersecurity what's in there it stays in there it's not going anywhere without somebody without somebody spending a lot of time and usually when it's in there somebody spent the amount of time designing it to set folks can actually do the work without you know requiring a huge amount of
00:37:27 figuring things out on the fly. So it sounds like Dale has another podcast topic coming up that should be cyber maintenance programs. And then I'll say that you and I could write a paper on this, because I think it's a great concept, but I think we might have stumbled across a good definition of cyber hygiene. So
00:37:49 something that belongs in a cyber hygiene practice, to me, would be something that doesn't require a risk-based decision on a, you know, system-by-system or subsystem or component basis. So if it's just something that you apply across the board no matter what, the same way, you know, we don't bring in USBs from outside and plug them into our system, you know, it's a... you don't have to think about it, you don't have to think about whether it's a good expenditure of time or money; you just do it because it's known that if you don't, bad things happen. And then whether you call it cyber maintenance or something else, where you have a tailored program, that probably isn't cyber hygiene, and I
00:38:33 I could be wrong, but I really don't think the way cyber hygiene is being used today is actually broken down that way, because it almost always includes patching. I think that we tend to, in the past anyway, because I'll change my behavior going forward, tend to lump too much into that cyber hygiene category. I like your sort of threshold definition, that, you know, if it's something that you should just do regardless of what system you're operating on, and it doesn't take a risk-based or tailored approach, then it should get lumped into the cyber hygiene category. I think that's a good definition. There was one of the things I wanted to talk to you about just for a couple minutes here, and we always talk about the difference between the enterprise and the ICS network. I was thinking about something I haven't actually talked about in a while, but Richard Bejtlich, way back, this was maybe six, eight years ago, when he was with GE,
00:39:33 he was in charge of their incident response. He stood up at a conference, and it was really surprising to hear and refreshing, and he said that they assume, in fact they know, that their network is compromised all the time, their corporate network, and they're not under any illusion that they can do anything to stop that. Not that they don't try, so they have this, and I think he would have used this term, but they have this level of cyber hygiene across the entire corporate network, but then they spend a lot of their resources on what is critical to them. So they're not trying to prevent every user's workstation from being compromised; well, they're trying to prevent it, but they realize they're not going to be successful, they're only going to achieve some level of success, there will be failures, and then they're focusing their efforts on the things that are most important, you know, maybe their financial systems,
00:40:33 or their manufacturing systems, things of that nature.
00:40:36 I almost think that you could take that approach and map it over to the ICS, where you say we have this basic level of security, and we can call it cyber hygiene or whatever we want, and then we determine what's really important, and that's what we make sure we protect and detect and recover against. Does that work for you guys, or would you tweak it in any way? I was just going to say that it kind of does, but I don't think that we have anything from a technical perspective within a lot of ICS networks that you can subdivide like that. I don't think that there's a, you know, an industrial control system that you really don't care about, you know, or one we don't need to spend a whole lot of time on, and I think a lot of that stuff there is pretty darn important, and it is the crown jewels. So everything in the ICS network, or everything in the OT network, is the crown jewels,
00:41:36 we've got to protect all of it. So I don't know about the subdividing portion of that, but I definitely agree that, you know, if you were to look at the whole enterprise, right, IT/OT, all of it, from Mr. Bejtlich's discussion point there, then the ICS, or the OT network, would definitely be one of those areas that you would spend a lot of time protecting. Michael, I guess just to take that a step further, even though I think we all tend to agree that the control system environments are very critical and they need to be protected, speaking from my former life as a senior controls engineer,
00:42:21 you recognize you only have so many hours in the day, and so, you know, all animals are created equal, but some are more equal than others, right, to use a George Orwell term. So if I was the engineer and I had 15 work orders on my desk in the morning, I'm going to do the one that deals with the, you know, immediate safety issue, or immediate, you know, high-value equipment damage. I'm going to have a mechanism to prioritize those, even if it's not properly documented, it's just sort of your expert opinion, and that's the order that I'm going to go through them. I think what we're trying to articulate here as a concept is that there needs to be that same type of prioritization approach in the way you deal with your cyber assets, you know, like we deal with our physical assets, and unfortunately the snake oil sales
00:43:21 and the marketing hype comes in there, and that's been diluted, I think, in cyber, and we need to put more maintenance-type engineering rigor into how we make those, too. I think prioritization is just a natural consequence of anything, but prioritization doesn't affect the controls you put in place, and I'll just state that without explanation. What I heard is prioritizing activities, you know, that's necessary, but that prioritization doesn't affect the controls you put in place to protect that. Okay, well, let me push back on that a little bit, because I think the analogy actually carries forward somewhat. So, Michael, you and I have actually seen it together when we visited some networks in the past, that on the corporate network, a lot of times there's a flat network where any IP can reach any other IP, and so what GE was doing, and what others
00:44:21 need to do, is they need to start putting internal zoning in, for example, to prevent that, and then perhaps, you know, restricting who can get into the more sensitive zones. I think you can do some of that in ICS, and the easiest example would be recovery time objectives on critical components, or sparing needs on critical components, but you could even, where we're even starting to see, and Joel Langill is a big proponent of this, is more segmentation inside the ICS itself. So maybe all the operator stations are in a zone, and then the server that they communicate with is in another zone, and only the allowed communications go through that, and where is the engineering workstation, because that seems to be lately what a lot of the attackers are targeting.
00:45:12 And then even, we've seen this in SCADA networks: do you let everything talk to everything, or do you restrict it to least privilege? You know, so I think actually there's more we can do inside, and some organizations are getting mature enough where they can start to look at that. For many years it was, you know, that would have been a nice-to-do, but they weren't even at the point where they could recover a computer, so we're not going to worry about internal zoning. But we're getting some asset owners that are pretty far down the maturity level, and I actually would push back and say you could do some of that in the ICS. It depends, I guess, on the technical capabilities of the system; that's the big one. So there are certain DCS out there that you can't segment very well, they just don't support it. You know, being able to segment off Modbus-type connections, yeah, great, you can do that, that's no problem, but if you're looking at a DCS system where the whole thing is integrated,
00:46:12 and any system on there can act as any other system, basically using the same ports and protocols, so for segmentation to do you a lot, you really have to look at it from the technical perspective first before you start, you know, dividing risk zones and things like that. You know, WannaCry kind of cemented that into my brain, that it was a necessary thing for IT networks, for instance, and something like a WannaCry will obliterate a lot of flat IT/OT networks. So, yeah, a little bit. Michael, yeah, I agree on the concept that you need to have a technical, you know, approach that is also done in collaboration with your vendor, right, so that you don't break the design of the system, but, you know, I think in general one of the key findings over and over again, if you look at the ICS-CERT onsite vulnerability
00:47:12 assessment programs, was that there was just a complete lack of segmentation. So you've got these really, really critical, maybe safety-oriented or high-production-value-oriented systems just sitting on the same network as, you know, some minor "I could do without it for a few weeks" type of system, and that's wrong from a risk perspective. We need to go through the analysis and decide what's important and what's not quite as important so that you can adequately defend it, because if you're trying to, you know, defend everything with the same level of responsiveness, or just the same recovery, you know, objectives, you're going to fail. You're actually, I think, both right in a sense. This is probably a push on the vendor community, right? They need to be designing these systems so that they support segmentation. I mean,
00:48:12 already in 2018 I've worked on two projects where we've had a goal of separating the safety system from the control system, for obvious reasons, Triton and others, but I mean that reason has been around for years, and the vendor system just does not allow that; they have to be on the same loop to work. So, you know, there's nothing the owner/operator can do about segmentation there, but that's a push to the vendor saying, you know, if you have things with different security levels or consequence levels... Yeah, yeah, exactly, separate those. So I know you can do some now, but I'd also, I guess, agree a little bit with Michael that we are somewhat hamstrung by what the system supports.
00:48:59 Yeah, I agree with that. That's basically where I was going with that, is just that you are hamstrung in some cases from a technical perspective, because not everything does exactly what you want it to do. And a lot of times, too, if you want to implement security controls, segmenting and this kind of stuff makes it more difficult to implement other security controls too. So I've had a couple of technical examples of that in 2017 where we were going, hey, you know, you would like to do this, but if we do this it's going to make your life a lot more difficult, and we had to come to a nice compromise there when we were coming up with the design. So, yeah, I'll give you guys a chance for closing, and I guess just to loop back on that, with me, I think we're talking about any of these security controls, segmentation or any of them,
00:49:53 it really depends where you are in your process and where you're going to get your risk reduction. So a lot of times there are good things you can do, but people just aren't ready for them, and that's one of the real challenges, I think. As a matter of fact, if I was going to say the biggest challenge today for someone implementing an ICS security program, it is determining where they will get their best risk reduction next, and then getting buy-off on that, because a lot of times it's not obvious. You know, sometimes it's as simple as having an offline system for recovery; that might actually be massive risk reduction, because they can recover in an hour manually, I mean, but instead they're doing all these other things. I think it's really hard
00:50:39 to identify where you're going to get your maximum risk reduction, and then get everyone to sign off that that's the right thing to do. That's the biggest challenge we're seeing today, and that's, I think, the loop all the way back: that's my concern about this cyber hygiene, especially when it starts talking about patching and everyone with their own account and all these things that are good security practices. If that becomes cyber hygiene, we're not going to have very efficient risk reduction. That's my final soapbox. Michael, you wanted to say something, so do you have any thoughts on, you know, completing what you were saying before, or kind of final thoughts on the issue? During this call, my understanding of what I thought cyber hygiene was has changed quite a bit just talking with both of you on it. You know, it's kind of more evolved into what are a set of principles that we can apply to everybody in order to, you know, reduce risk on the system, and that doesn't
00:51:39 require you to make, you know, what you were saying before, a risk-based decision. Whereas, in my mind, it would be something like a risk-based decision that requires extensive knowledge of the system versus basic things, and
00:51:54 I've always been a fan of the cyber maintenance argument. I would find it very interesting, when talking to folks about cyber hygiene, how they see it applying to the various levels within an organization, especially an OT organization: okay, is this for front-line workers and engineers, is this for operators, is this for managers? And I'd like to hear them explain why they're calling something cyber hygiene before just, you know, deciding, oh yeah, it provides this capability. That's where I'm coming from now.
00:52:32 Okay, great, thanks. How about you, Marty? Yeah, like Michael, I think my definition of cyber hygiene has morphed a little bit during this conversation, so I think now I would accept your definition, Dale, that it incorporates those things that, you know, you should just do regardless of the, you know, the risk assessment or the tailored approach to a specific system; you should just do these things everywhere because they're good. I think we also tend to confuse the IT best practices with the OT best practices, and, you know, just looking at confidentiality, integrity, and availability, and the way that that's different in the OT space, I think is a good example. So we have to come up with our own definitions about what good cyber hygiene best practices
00:53:32 are in the operational technology space that should be applied everywhere regardless of the risk environment you're running in. And then I think that there's a lot more to the concept of cyber maintenance, in trying to build a very good maintenance program around when you do things, why you do them, and, you know, I think we've got a lot of
00:53:59 models that we can borrow from in the physical maintenance world that could be quite applicable here. So that's actually the nugget for me in this whole discussion, is this whole cyber maintenance concept.
00:54:15 Okay, well, thank you both for being on the podcast. I must say that my definition and appreciation for the term has grown as well as changed. It's a rare podcast where everyone's mind was changed slightly. Amazing. Well, that's the show. I want to thank my guests, Michael Toecker of Context Industrial Security, a famous S4 alum, as well as Marty Edwards, who is currently the managing director of the Automation Federation and formerly the director of ICS-CERT. Really appreciate their time, and as you heard at the end, we were actually a bit surprised that we convinced each other of some things and seemed to make some good progress in trying to define these terms and a path forward. I'm always looking for comments on how we can improve the podcast; you can send those to S4 at digital, along with any ideas you have for future guests or future topics. Remember, the S4 call for presentations will open up on June 1st, so be thinking
00:55:15 what you're going to submit, or what you've seen that we should have there, because we also look for suggestions. I would say at least 1/3 of our presentations are ones we go out and chase because someone told us about a great speaker or a great research project. And I'll talk to you next time something warrants an unsolicited response.

Transcribed by algorithms.