Security 101 says change all default passwords and for us in traditional IT it is second nature. But in the OT environment, that concept is not well understood. Please note this is only my experience in organisations, not all follow these practises.
OT shares the same network (typically) as IT, may or may not be firewalled (also read ACLs) but these folk run their shops independent to IT. Many of the examples in the article require 99.999% uptime so patching, password changes, etc., typically are not done or do not get the attention that they require. Vendors, also tell these folk that they CANNOT change the default password (rationale, in the event their support is required, they do not want a few extra minutes to attain the new password.
As of late, we are seeing more and more information being disseminated on OT, the risks and the fixes.
MHOO, the CISO of the organisation needs to understand both IT and OT and be willing to assist OT in understanding the riskes and vulnerabilities they may face.
d
@dcontesti If passwords are an enormous issue, right they have far worst to happen in 2024 with Post Quantum Cryptography (PQC) once this commences its transition. They had best prepare, because knee jerk reactions will not solve the problem - planning, preparation is absolutely essential.
Regards
Caute_Cautim
@dcontesti It will take time, they will have to change over to Quantum Key Management (QKM) and test every application before the migrate. A degree of crypto agility will be required, because there may be interim stages and systems are tested and new algorithms released. The main issue initially will be to create the CBOM, on exactly what the existing system use, the keys, the owner etc. This will be important, and then to go into testing phase, which will take time to conduct steadily. It will take years.
Recent, developments state 2026 will be a 1 in 7 chance of RSA being broken, but others are predicting this may happen before this. The main issue, is the preparation, planning and testing and developing crypto agility to be able to switch as necessary. Unfortunately many state nations are now conducting testing on OT systems especially on the USA systems, to see what they can gain - or test their ability to enter such systems and cause general disruption if possible. It is easy to think, it will not happen, but human beings are often human beings, they make mistakes, different priorities arise, and things get put aside and forgotten.
Yes, I understand the distinction between Engineers and safeguarding OT systems, pumps, and systems which are meant to last 30 years plus. With the advent of AI, and the use of constantly testing systems, from afar, may actually find identify weaknesses, which were previously not seen to be at risk.
Imagine, having to find all the IoT systems, within a medical infrastructure, where often these are expected to last for many years without having to be upgraded or change the underlying crypto algorithms or key managements systems. If the Payments Industry rebelled when SSL V3 was stated as being under attack, and asked for a two year delay, even when it was known such systems were under threat, what hope for systems, where they are deeply embedded using traditional algorithms and systems? Next year 2024, should be an insightful year, and many issues will arise, whether they are compliance, regulations or whether your data needs to be kept encrypted for 100 years in the case of the Japanese health regulations - average life of a human people in Japan etc. Once, Shor's algorithm, has formally been proven and vindicated with the first Quantum Computer able to actually break 2048-bit RSA, then it may actually be a wake up call for action. For some, it may actually be too late, given that NIST issued their guidance in 2022 previously. With the addition of AI capabilities assisting the bad actors, I think things will become highly lively in the near future.
But we can only wait and see at the present time.
It is coming, and we just need to be prepared and manage it all.
Happy Christmas and a happy New year to all
Regards
Caute_Cautim
@dcontesti wrote:OT ... require 99.999% uptime so patching, password changes, etc., typically are not done or do not get the attention that they require.
This is precisely what IT needs to understand about OT. My OT colleagues jokingly say that the CIA triad stands for "availability, availability, availability".
I once encountered a malware-infected machine urgently requiring 15 minutes maintenance. Manufacturing leadership offered a window 20 hours distant, during shift change. An earlier window would have shut down an assembly line that would take a few hours to get back to normal cadence. The plant manger offered to, alongside us, approach senior leadership, explain the cost of immediate action and the cost of delay.so that a formal decision could be made. In the end, conversation lead to a compromise involving a short-term router ACL and some manual data transfer that minimized both costs.
This was a huge learning activity for a bunch of us in IT. All it took was on plant manager willing to listen to our concerns, help us understand his perspective and willing to be swayed by a compelling argument. My take away was that OT does understand risk; the difference is just very different priorities.
... understand both IT and OT and be willing to assist OT in understanding the risks and vulnerabilities they may face....
This goes both ways. IT also needs to devise mitigations that address their risk concerns.
If they "can't" change the 1111 password to 1234, perhaps propose alternate mitigations, such as whitelisting access to the login prompt on the firewall/router.
We have found OT willing to invest in network segmentation/firewalls, on-prem equipment (decreases the impact of Internet/intranet outages), and high-availability architectures (to facilitate maintenance without downtime). They will tolerate mitigations that improve IT goals without harming OT goals, they will champion mitigations that achieve both IT and OT goals. In the end, it really is just a game of finding the product your customer wants to buy.
HI All
It appears this piece is relevant to the last responses:
https://nexusconnect.io/articles/one-does-not-simply-patch-ot
Regards
Caute_Cautim