Interview: Bring on the barbecue - how IT & OT must work together to build better security
BT is a provider with a mission. 31c0n was hosted by Aura Information Security last week, where BT's account CISO Bryan K Fite took the stage to talk about the divide between enterprise IT and OT (operational technology) - caused directly by a firewall.
Those two groups are now being forced to consolidate their networks and as a result, whitelisting network nodes and their trusted hosts.
“That is a control that could work in an operational technology where you have a manufacturing machine that only needs to talk to a controller. In the enterprise space, if you try to whitelist something on the internet you would break it. There are too many sites. There are too many stakeholders in the environment that would need to access sites that aren’t on the list, or when they learn about a new site that comes up, they could never get there. Operationally, it would never work,” he says.
He believes that aspects of both the IT and OT worlds can solve many of each other’s technology problems - or as he describes it, a “big barbecue” where those two groups can meet and get on with the job. How do you achieve that? Fite says that there are two main ways.
“People can have a compelling event, typically a breach, and during the post-mortem they’ll come to a conclusion that they really need to partner. They’re part of the same organisation, and that the divide that we’ve artificially put up doesn’t work. Historically it has been about protecting the plant floor from the enterprise, because the plant floor is where the money is made and the enterprise is where the bad guys can get in.”
He says they believe they need an air gap. But in fact, it’s the OT systems that are being breached to get to the enterprise. Now the plant has to protect itself and the firewalls don’t really work anymore.
“A lot of companies will do a penetration test or vulnerability assessment to say, ‘how good are we against our peers, our standards and best practices. They’ll often find out it’s a sobering experience because they’ll find out they have assets that are on the wrong side of the wall. They’ve punched so many holes in that wall to make the business work; it’s Swiss cheese. There’s no wall there.”
On partnerships and trust
Organisations used to have complete control over IT systems but now that partnering and the cloud have become such big things, it’s important to have good measures of trust.
Fite says that as a partner, you want to take advantage of the digital revolution. His first piece of advice: Do your homework.
“Read the contract. What do they actually sell you? From a security standpoint, are there waivers against confidentiality, integrity and availability? You’ll find most contracts will ensure availability in a service level agreement, but very rarely will they take on confidentiality and integrity.”
He says that organisations also have security policies they must adhere to. Assess your partners against them, and ask ‘will you sign off that you do these practices?” When in doubt, read the contract.
His second piece of advice is to ’know thy supply chain. Look at your partner and see which other partners they have. Try to limit complexity.
On security and data breaches
Fite uses a human-centric approach to security, depending on the roles those humans play. They could be beneficiaries, operators or threat agents.
“If I’m a consumer, I’m benefiting from it; if I’m a shareholder I might have a different perspective. If you can view the model from those filters, you can understand what’s important to you and the things you can ask your vendor or community member.”
If partners can demonstrate their systems, people and/or breach disclosure, he says that’s a good sign. Nobody is shocked when breaches happen anymore - it’s how the companies handle that breach. It’s who they call first when a breach happens.
“Is it the marketing people, the lawyers or the techs? In reality it should be all those people, but you can find out more about a partner based on how you find out. Is it through the media or a direct communication from a partner, or is it from a friend who might have heard something, or do you actually have to call them and ask?”
On automation and the human touch
Looking at the security industry as a whole, Fite has an interesting viewpoint about the AI and automation buzzwords that are popping up.
“I’m concerned that we’re rushing to automate broken business processes. I believe automation is the only way we’re going to scale to the challenge, but we need to make sure what we’re automating has been properly modelled.” He says that from a professional viewpoint, we still aren’t getting the basics right. When I see breaches, it’s about poor password policies. In the post-mortems you see indicators in the logs, but nobody reads logs because there are too many of them.”
He says many organisations also don’t understand what their assets are. Often they put their protection in the wrong place, when an adversary actually wants something else.
On autonomous vehicles and privacy
Looking briefly at the topic of autonomous vehicles, Fits says that there’s a lot that people don’t think about when it comes to security. If your spouse can track your movements through an automated toll road.
There’s also the potential for eavesdropping through court orders through many IoT devices, and many people aren’t aware of that.
“We shouldn’t be afraid of our machines but sometimes innovation can be used to help or hurt.”
Meanwhile, Fite will be working on research that helps make the world just that little bit safer for all the beneficiaries.