Hello everyone. Our guest in this episode is Kamil Lunda, a security expert. Today, we would like to talk about OT security. Hi Kamil.
- Hi Sylwia, good morning everyone.
Kamil, as usual, I would like to know in general, high-level terms, what is an OT network?
- An OT network is, as the name implies, a network which gathers switches, industrial devices, and all sorts of information transfer related to this network which inform users or engineers about the industrial automation processes taking place.
So in general, the acronym OT stands for operational technology, correct?
And how is it different from an IT network?
- First of all, instead of computers it uses mainly the logical switches and SCADA-type systems that aggregate information and transmit it in a visual form for the administrator.
Is security then different for such networks than for IT networks?
- It is different. I’m not going to say that it is entirely different, that would be a lie. Most importantly, we want to separate both issues due to the fact that by entering one network during the attack, if the networks are not separated, the unauthorised attacker will have access to everything. When we limit the access by segmenting the network, if someone breaches, they’ll only have access to a narrow slice of information, rather than the whole thing at once.
So what is important for companies with operational technology is to simply segment and separate the IT network from OT, yes?
- It’s also important to remember that once you have a lot of devices in your network, if you keep them all in one place, I’ll compare it to the situation on the road: any movement can be compared to a car. All the cars are on one road, in one place, you get traffic jams. When you have OT, you mainly care about the information transfer time between one point and another. Often, this is because if you have delays related to the transmission of information, it can lead to great damage, even in the final… even to explosions.
Yhm. Tell us, what services or security issues should such companies pay attention to, having the operational technology?
- First of all… They should be aware of what their network is in general, what goes through it, what it is used for, so that there is no situation where you say ‘ok, the network is set up, everything is here, I have not changed any password’, so everything continues to work on the admin/admin login combination. There are websites that like such situations. Through IP addresses… information is available that says, ‘hey look, here this host continues to run on the default login’. If you don’t want an unauthorized user to come in and start, God forbid, making various changes, then you need to keep in mind the basic aspects of security, such as just changing passwords, keeping the software continuous and up to date.
And what type of services should the companies use?
- A good start is to hire a specialist who understands what they are doing and why. Once we have a network administrator-type specialist, it would be worth checking if what they do, what they claim is done well is indeed done well, without any doubts. This is where audit and inspection activities come in.
And what types of services from companies like EXATEL could the other entrepreneurs use?
- We can start with a cyber security reconnaissance to see if the person we hire… if the person hired by the organization is doing things correctly, and if we are sure they are doing it correctly, pointing to various elements that still need to be improved or even drawing special attention to some inadequacies, which possibly result from a simple overlook.
[00:05:02]
And could you say something more about what this service looks like in EXATEL? Because you work in the team that performs such reconnaissance.
- Yes, it is divided into two components. The technical part, which is performed by Pentesters from both the defensive and offensive formations, and the process-procedural part, in which it is determined whether the procedural actions correspond to the factual state of matters. If there are no such actions, to indicate what should be noted, what measures should be taken.
What is your opinion on this situation? Based on your experience and the projects you have been involved in, how do you assess security in this type of company? No names, of course, just a subjective assessment of the situation from your perspective.
- This is a very tricky question. On the one hand, you have to keep in mind that if you already come forward with a request for actions of the pentest type, then you already have some awareness: ‘I am doing something, but are you sure I am doing it properly?’. If we already have this first awareness that ‘ok, this is where the threats are coming out, this is where some action needs to be taken’, then this company already has a great advantage. The bigger issue is the companies that operate with the oh so Polish mentality of ‘it’s going to work anyway’.
Are you able to tell us something about any case or incident you experienced, that you were involved in?
Kamil, what is your opinion, what would you recommend to the companies that have small budgets for cyber security?
- A small budget usually also means a small team of people who deal with cyber security, so instead of saying ‘hey, hire more people’, from my point of view, as I mentioned earlier, it’s important to define who has access to what in our networks, what devices we have there, and to define the accesses of different users. After all, the person who deals with uploading a price change to our website does not need to have access to the source code of the application we are developing.
So what would you recommend, in summary, from what I understood-
- Maximum restriction of access for employees, leaving them with only what is essential to perform their duties.
So this process-procedural aspect, yes? Because it has to be written down somewhere.
- Yes, that’s my area, yes.
Ok, so it has to be written down somewhere, right?
- Yes, not so much to write it down, but just so we are aware of what kind of information we have, what kind of levels… what levels of access to information we require. We have one application, let’s suppose, in which we code something, and here it should be noted that you can give limited access to this information. A person who has to code, let’s suppose, jumping characters in a game doesn’t at all need to have access to the whole music layer or the graphic layer.
Yhm. And if the companies do not have such specialists, can then a company like EXATEL provide such a service? Would you recommend using an outside company to write down procedures, access processes?
- Of course, well, that’s what it’s for… Not everyone has to be a specialist in everything, by the way, we’re not a specialist in everything either.
Yhm.
- You have to take into account the budget, often just hiring an external specialist or a group of specialists is much cheaper than maintaining your entire security-related department.
So such a company benefits-
- We provide such SOC services. You can benefit from process-procedural support, or, if you have your own security department, we can provide the support of Pentesters who will check whether what we have done so far makes sense.
Yhm. When it comes to security reconnaissance and the documentation of the process-procedural audit, what does this process look like? Do you physically visit that customer?
- Well, it depends on the arrangements made with the customer. We can go to the site, check the physical security they are currently using, see if they have… if the employees are aware of the security issues, if there is no mandatory monthly password change. This usually results in yellow post-it notes with the credentials on display.
It happens, right?
Especially in administrative positions.
- Well, but then I would be more likely to look under the keyboard, not at the monitor.
Yes, awareness in the organizations is also very important, isn’t it? Building awareness, but that’s another, different topic and perhaps we’ll save it for another conversation. Kamil, a conclusion. What would you recommend to such organizations, what should they do, what should they watch out for?
Okay, thanks a lot.