Answers to questions asked during the ESET event: Vytautas Butrimas


Questions for the ESD speaker Vytautas Butrimas (1).

What’s the difference between critical infrastructure and critical information infrastructure?

Answer: Very good question, as it is the key one that needs to be understood when developing critical infrastructure protection policies. Critical infrastructure is made up of the technologies that support modern economic activity, national security and the well-being of our society. Information infrastructure is a subset of critical infrastructure, just as energy, water and transport infrastructures are subsets. The main difference is that in information infrastructure the main operation is about data, while in the last three the main operations are about a physical process: for example, treatment and distribution of clean drinking water, generation and distribution of electricity to customers that does not short out their PCs and refrigerators, and safely transporting people on planes, ships and trains.


How many real incidents do you investigate in critical infrastructure?

Answer: I have not investigated any real industrial cyber related incidents. However, there are some well-known incidents that have been investigated, Stuxnet for example. Some of this information is available publicly, and during my presentation I mentioned some sources. One thing to keep in mind about cyber investigations: cyber forensic investigation capabilities are usually very poor in the industrial sector. The main motivation of the engineer is to keep the services running. That is a lot of work to do in itself, for I have spent time with these engineers and watched them work. They don’t have time to stop what they are doing to investigate whether an incident was caused by an equipment malfunction or was done intentionally. The results look the same. I mentioned in my presentation the Triton case. The petrochemical plant did not call for a cyber forensic investigation until after the second time the safety systems tripped the plant. The first assumption was equipment malfunction, which was the answer they also got from the manufacturer who checked the equipment. The asset owner did not have anyone to perform any cyber forensics on-site and had to call in expensive consultants from the outside before they learned the plant’s systems were compromised.

In one sentence, how would you describe Lithuania’s success in the OT cyber security?

Answer: To my knowledge only two countries in the world, the United States and Norway, have understood what IT and OT are and established an additional national CERT (the US ICS-CERT and Norway’s KRAFTCERT) dedicated to the cybersecurity and safety of industrial control systems (ICS)/OT.

How could Lithuania raise up the cybersecurity maturity in SCADA, DCS and OT environment? Main aspects.

Answer: Look at the slide below (sadly I did not have the time to present it) that illustrates what the problem is. We have a lot of bright computer science graduates (represented in the big blue sphere) from our schools who have no idea what a programmable logic controller is, and we have a lot of engineering graduates running our critical infrastructure (smaller grey sphere) who don’t think anything is hunting for their engineering systems from cyberspace. The problem is that the computer science graduate is the one coming to the industrial environment that he does not understand and is tasked with cybersecurity. Dangerous. There are just a few that understand both worlds (smaller yellow sphere). A bridge needs to be built between the IT and OT worlds. Both sides need to sit down together (when the engineer can get away from his task of monitoring a potentially hazardous physical process) and have a conversation about cyber security. In the long term the universities preparing the next generation of computer science (IT) specialists and engineers need to cross-train their students so they know something about each other’s world. They are now in collision. It should instead be a partnership, and the policy makers, who are likely to be IT biased, should invite the engineers to the table. By the way, notice the two different standards. On the OT side the ISA 62443 Industrial Automation and Control System standard is dominant, while ISO 2700 is found in the IT domain. The domains are different.

What could be main competence differences between IT and OT cybersecurity specialists?

Answer: See the answer to the question just above. I can just add that the main difference is the IT specialist deals with bits and bytes, while the OT or industrial control system specialist deals with trying to monitor and control (usually remotely) a potentially hazardous physical process. In other words, he is much closer to the laws of physics than the IT guy in the office/ministry/home/enterprise environment of PCs and mobile phones. The main difference is that the OT or industrial control system engineer’s main concern is SAFETY. IT concerns for confidentiality are further down his security priority list.

How to protect yourself from ransomware?

Answer: If you are in the Home/Office IT environment you can do a lot to protect yourself by following some well-known IT security best practices, for example the “SANS 20 Critical Security Controls”, or what is now popularly called keeping good “Cyber Hygiene”. Keep your computers patched and updated and don’t forget to regularly back up your data. In the industrial control system environment, especially in those sites (as discussed in my presentation) that consider patching to be an unacceptable industrial risk, keeping up to date documentation of what you have and how things are configured is one way to answer a ransom demand. Otherwise you may have to swallow hard and pay to get your industrial operation running again. Norsk Hydro, the multi-national aluminum company, was hit very hard with ransomware earlier this year, but they were able to say “no” because they apparently had good documentation of their systems and could go to manual re-entry of code and resume operations. However, it still cost the company money. According to one report the company spent over 45 mln. Euro (2) over the first two months to manually rebuild their operations. Others less prepared are choosing to pay the ransom. This problem is likely to get worse in the future.
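One concrete form of the up-to-date configuration documentation recommended in the answer above, given here as an added example rather than anything from ESET or the speaker: a Python script that records a baseline inventory (relative path, size, SHA-256) of a configuration tree and later reports which files have gone missing, appeared or changed. That report is the list an operator would work from when rebuilding by hand instead of paying. The directory layout and file names (`plc_configs`, `pump_station.cfg`, `hmi_layout.xml`) are constructed for the demonstration.

```python
"""Configuration baseline and drift check for a documented control-system config tree.
Added example (not ESET's or the speaker's tooling); all file names are constructed."""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large exports do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Inventory every regular file under root: relative path -> size and SHA-256."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"size": p.stat().st_size, "sha256": file_digest(p)}
    return baseline


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Classify drift against the documented baseline: files missing, files
    that appeared, and files whose content changed. Anything not explained
    by the site's change log deserves a closer look before it is trusted."""
    current = build_baseline(root)
    missing = sorted(set(baseline) - set(current))
    added = sorted(set(current) - set(baseline))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k]["sha256"] != current[k]["sha256"])
    return {"missing": missing, "added": added, "modified": modified}


def save_baseline(baseline: dict, out: Path) -> None:
    """Persist the inventory as sorted JSON; keep a copy off the network it documents."""
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Self-contained run on a constructed config tree (hypothetical file names)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "plc_configs"
        (root / "line1").mkdir(parents=True)
        (root / "line1" / "pump_station.cfg").write_text("setpoint=42\nmode=auto\n")
        (root / "line1" / "hmi_layout.xml").write_text("<hmi version='1'/>\n")
        (root / "README.txt").write_text("Documented baseline, site A (constructed)\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulate drift: a setpoint changed, a file vanished, an unknown file appeared.
        (root / "line1" / "pump_station.cfg").write_text("setpoint=99\nmode=auto\n")
        (root / "README.txt").unlink()
        (root / "line1" / "unknown.bin").write_bytes(b"\x00\x01")

        return compare_to_baseline(root, load_baseline(baseline_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to see the drift report for the constructed tree. In practice the baseline file is regenerated as part of the site's change-control procedure and stored separately from the systems it describes, so that it survives the same incident that makes it necessary.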

1. Views expressed do not represent the official view of NATO or any institution the author is affiliated with.



Watch the video recording of the presentation on ESET's YouTube account
