
OT/ICS Cybersecurity

Guarding the Digital Fort: Lessons in Risk Management from Alcatraz

As we commemorate the 90th anniversary of Alcatraz Island becoming a federal prison on January 1st, 1934, it's worth reflecting on how risk management principles can be applied to seemingly unrelated aspects of our lives, such as operational technologies (OT). Just as Alcatraz was designed to securely house some of the most dangerous criminals, risk management in operational technologies aims to protect valuable assets from potential threats. In this article, we'll explore the world of risk management in operational technologies by drawing parallels to the infamous Alcatraz prison and asking thought-provoking questions that challenge our perception of risks.

Prisons and OT cybersecurity have mirrored objectives: a prison keeps bad actors in, while OT cybersecurity needs to keep bad actors out. OT encompasses the control systems, networks, and devices that keep essential infrastructure running, from power plants to manufacturing facilities. Just as Alcatraz was a fortress in the middle of San Francisco Bay, OT environments are often thought of as isolated from external networks to enhance security. But how secure are they, really?

Recognizing Vulnerabilities vs. Risks. Just because a prison has walls and cells doesn't mean it's impenetrable. Similarly, just because a vulnerability exists in an OT system doesn't necessarily mean it poses an immediate risk. Consider this: Alcatraz had vulnerabilities, but the risks associated with exploiting them were meticulously managed. Are all vulnerabilities equally risky in your OT environment?
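To make the vulnerability-versus-risk distinction concrete, here is an added example (written for this article, not code from the author or from Hexagon) that ranks three hypothetical assets which all carry a vulnerability with the same CVSS base score. The asset names, the weights, and the scoring formula are assumptions chosen for illustration, not a published standard; the point they show is that identical severity does not mean identical risk once exposure, exploit availability and impact are taken into account.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One OT asset and the facts that turn a vulnerability into a risk."""
    name: str
    criticality: int          # 1 (nuisance) .. 5 (loss of safety or production)
    cvss_base: float          # severity of the worst known vulnerability on it
    reachable_from_it: bool   # is there any network path from the enterprise side?
    exploit_public: bool      # is a working exploit publicly available?


# Assumed weights (illustrative, not a standard): an isolated asset is much
# harder to reach, and a vulnerability with no public exploit is harder to use.
EXPOSURE_WEIGHT = {True: 1.0, False: 0.2}
EXPLOIT_WEIGHT = {True: 1.0, False: 0.5}


def risk_score(asset: Asset) -> float:
    """Risk = severity x exposure x exploit availability x impact, scaled 0..100."""
    severity = asset.cvss_base / 10.0
    exposure = EXPOSURE_WEIGHT[asset.reachable_from_it]
    exploit = EXPLOIT_WEIGHT[asset.exploit_public]
    impact = asset.criticality / 5.0
    return round(100.0 * severity * exposure * exploit * impact, 1)


def prioritize(assets):
    """Return (name, score) pairs, highest risk first."""
    ranked = sorted(assets, key=risk_score, reverse=True)
    return [(a.name, risk_score(a)) for a in ranked]


def cvss_only(assets):
    """What a CVSS-only view gives: every asset below ties at the same severity."""
    ranked = sorted(assets, key=lambda a: a.cvss_base, reverse=True)
    return [(a.name, a.cvss_base) for a in ranked]


# Constructed sample: identical CVSS 9.8, very different situations.
SAMPLE_ASSETS = [
    Asset("plc-line-4",   criticality=5, cvss_base=9.8, reachable_from_it=False, exploit_public=True),
    Asset("historian-01", criticality=3, cvss_base=9.8, reachable_from_it=True,  exploit_public=True),
    Asset("eng-ws-02",    criticality=4, cvss_base=9.8, reachable_from_it=True,  exploit_public=False),
]

if __name__ == "__main__":
    for name, score in prioritize(SAMPLE_ASSETS):
        print(f"{name:14s} risk {score:5.1f}")
```

With these weights the isolated PLC, despite being the most critical device, ranks below the historian that is reachable from the enterprise network and has a public exploit. In practice the weights would come from the organization's own zone model and compensating controls, and a review would still look at the PLC's safety role before accepting its lower place in the queue.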

Lessons from Alcatraz's Isolation. Alcatraz's isolation played a crucial role in its security. It made escape attempts extremely challenging. In OT, isolation is often used to protect systems from cyber threats. However, in a connected world, is complete isolation a feasible strategy, or do we need more sophisticated risk management approaches?

The Role of Guard Towers and Monitoring. Alcatraz's guard towers were strategically placed to monitor inmate activity. In OT, continuous monitoring and vigilant oversight are essential to detect and respond to threats promptly. How well and comprehensively are your OT systems being monitored, and what tools are in place to identify potential risks?

The Importance of Incident Response. Alcatraz had a well-practiced incident response plan to handle emergencies. Similarly, OT environments must be prepared to respond swiftly to security incidents. Do you have an effective incident response plan in place, and have you tested it?

Effective incident response in operational technology (OT) environments is crucial, much like the well-practiced incident response plan that Alcatraz had to handle emergencies. This response plan involves a collaborative effort between IT cybersecurity and OT security teams. Despite their distinct roles, these teams need to work together seamlessly to ensure a comprehensive and efficient incident response. While IT cybersecurity focuses on network security, OT security is responsible for safeguarding industrial processes. Information sharing between these teams is key, as it provides a holistic view of the organization's security and risk landscape, facilitating a coordinated response when security incidents occur.

An incident response workflow in an OT environment requires a structured approach. This includes steps such as incident identification, containment, eradication, recovery, and lessons learned. Identification involves monitoring network traffic and system logs to spot anomalies, while containment aims to isolate affected systems or devices. After containment, IT and OT teams collaborate to remove the root cause and vulnerabilities before bringing the systems back to normal operation. Post-incident analysis is crucial for understanding the incident's root causes and identifying ways to prevent similar incidents in the future.

Documentation plays a pivotal role in incident response. Just as Alcatraz meticulously recorded incidents and escape attempts, OT environments should document every aspect of their incident response efforts. This includes creating detailed incident reports that outline the incident's scope, impact, and actions taken. Standard Operating Procedures (SOPs) should be developed, outlining roles and responsibilities, response procedures, and contact information for key personnel. Training materials should be provided to educate employees about incident response procedures, ensuring that the response team is well-prepared. Regular reviews and updates to incident response documentation are necessary to adapt to evolving threats and technologies.

Alcatraz's infamous escape attempts serve as a stark reminder that even the most fortified defenses cannot guarantee absolute security. Despite the formidable security measures in place, determined inmates found ingenious ways to exploit vulnerabilities and attempt daring escapes. In the realm of OT, this historical lesson raises a pertinent question: how do we adequately prepare for the possibility of advanced threats?

Much like Alcatraz, where inmates had the time and the incentive to meticulously plan their escapes, cyber adversaries in the OT landscape are constantly evolving and devising new strategies to breach critical infrastructure. Here are examples of OT-targeted attacks and exploits that shed light on the need for proactive preparation:

  • Stuxnet: The Wake-Up Call for OT Security: Stuxnet, a computer worm discovered in 2010, targeted Iran's nuclear facilities, including industrial control systems (ICS). It exploited zero-day vulnerabilities in Windows operating systems and programmable logic controllers (PLCs). This attack highlighted the potential devastation that advanced threats pose to OT environments, underscoring the importance of robust security measures.
  • Trisis/Triton: Targeting Safety Instrumented Systems (SIS): The Trisis/Triton malware was designed to target and compromise the safety instrumented systems (SIS) at a petrochemical plant. This sophisticated attack aimed at disabling safety measures, which could have led to catastrophic consequences. It demonstrated that adversaries are willing to jeopardize not just data but also human safety.
  • Ransomware Hits Critical Infrastructure: Recent incidents of ransomware attacks targeting critical infrastructure, such as the Colonial Pipeline incident in the United States, illustrate how attackers are shifting their focus to disrupt essential services. Ransomware attackers are becoming increasingly sophisticated and strategic in their targeting, highlighting the need for robust incident response and recovery plans in OT environments.

Balancing Security and Operational Needs. Alcatraz's stringent security measures often made life difficult for both inmates and staff. In OT, a balance must be struck between security and operational efficiency. How do you navigate this delicate balance in your organization?

Future-proofing Your OT Environment. Alcatraz eventually closed its doors due to high operational costs and concerns about the aging facility. Similarly, in OT, we must plan for the long term and invest in technology and practices that will remain effective against evolving threats. Are you future-proofing your OT environment?

So, how should organizations prepare for advanced threats in OT? 

  • Maintain Comprehensive Visibility of all OT and Industrial Automation and Control System (IACS) assets through all layers and zones.
  • Implement and maintain rigorous Change Control and Configuration Management.
  • Implement real-time monitoring of OT networks to detect unusual activities and potential threats promptly.
  • Regularly prioritize, update and patch OT systems based on each asset's exploitability, to address known vulnerabilities and reduce the overall attack surface.
  • Restrict access to critical OT systems and devices to authorized personnel only, reducing the available attack vectors.
  • Develop and regularly test incident response plans specifically tailored to OT environments, ensuring that teams can respond effectively to threats.
  • Security awareness is the best budget dollar ever spent on cybersecurity: provide training and awareness programs for OT personnel to recognize and report suspicious activities.
  • Foster collaboration between IT cybersecurity and OT security teams to share threat intelligence and expertise.
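The real-time monitoring item above is the one most often left vague, so here is an added example (written for this article, not code from the author or from Hexagon) of the allow-list style of OT network monitoring that fits the guard-tower analogy: conversations seen during a known-good period become the baseline, anything outside it is flagged, and an unseen Modbus write toward a controller is called out separately. The log line format, the host addresses and the traffic are constructed for the example; the Modbus function code numbers are the standard ones.

```python
import re
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst proto func")

# Constructed log format for this example (not any vendor's real format):
#   <timestamp> src=<ip> dst=<ip> proto=<name> func=<code>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) func=(?P<func>\S+)$"
)

# Standard Modbus function codes that change process state:
# 5 = write single coil, 6 = write single register,
# 15 = write multiple coils, 16 = write multiple registers.
MODBUS_WRITE_FUNCS = {"5", "6", "15", "16"}

# Constructed "known-good" traffic: an HMI (10.20.1.10) reading and writing its
# PLC (10.20.2.5), and a historian (10.20.1.20) that only reads from it.
BASELINE_LINES = [
    "2024-01-01T08:00:00Z src=10.20.1.10 dst=10.20.2.5 proto=modbus func=3",
    "2024-01-01T08:00:01Z src=10.20.1.10 dst=10.20.2.5 proto=modbus func=16",
    "2024-01-01T08:00:02Z src=10.20.1.20 dst=10.20.2.5 proto=modbus func=3",
]

# Constructed live traffic: the same conversations plus two newcomers and one
# malformed line.
LIVE_LINES = [
    "2024-01-02T09:00:00Z src=10.20.1.10 dst=10.20.2.5 proto=modbus func=3",
    "2024-01-02T09:00:05Z src=10.20.1.30 dst=10.20.2.5 proto=modbus func=16",
    "2024-01-02T09:00:07Z src=10.20.1.20 dst=10.20.2.5 proto=modbus func=3",
    "2024-01-02T09:00:09Z src=10.1.50.7 dst=10.20.2.5 proto=modbus func=3",
    "this line is garbage and must not crash the monitor",
]


def parse(lines):
    """Parse log lines into Flow records; malformed lines are counted, not fatal."""
    flows, bad = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            flows.append(Flow(**m.groupdict()))
        else:
            bad += 1
    return flows, bad


def learn_baseline(flows):
    """The allow-list: every (src, dst, proto, func) conversation seen while known-good."""
    return {(f.src, f.dst, f.proto, f.func) for f in flows}


def detect(flows, baseline):
    """Flag every conversation not in the baseline; writes get a louder label."""
    alerts = []
    for f in flows:
        if (f.src, f.dst, f.proto, f.func) in baseline:
            continue
        if f.proto == "modbus" and f.func in MODBUS_WRITE_FUNCS:
            reason = "unseen Modbus write to controller"
        else:
            reason = "unseen conversation"
        alerts.append((f.ts, f.src, f.dst, f.proto, f.func, reason))
    return alerts


def run(baseline_lines, live_lines):
    """Learn from the known-good window, then evaluate the live window."""
    base_flows, _ = parse(baseline_lines)
    live_flows, bad = parse(live_lines)
    return detect(live_flows, learn_baseline(base_flows)), bad


if __name__ == "__main__":
    alerts, bad = run(BASELINE_LINES, LIVE_LINES)
    for alert in alerts:
        print(*alert)
    print(f"{len(alerts)} alert(s), {bad} unparsable line(s)")
```

The allow-list approach works in OT precisely because control traffic is repetitive: the same HMI polls the same PLC with the same function codes all day, so a workstation suddenly writing registers, or an enterprise-side address talking to a controller at all, stands out without any signature. In a real deployment the baseline is learned from a passive capture (a SPAN port or tap, never inline on the control network), reviewed by the OT engineers before it is trusted, and re-learned after approved changes go through change control.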

Alcatraz's history of escape attempts serves as a sobering reminder of the determination of adversaries. The realm of OT is no different, with advanced threats continuously evolving. By drawing insights from real-world OT-targeted attacks and exploits, organizations can better prepare for the challenges posed by these determined adversaries. A proactive and multi-faceted security approach, combined with ongoing vigilance and collaboration, is essential to safeguarding critical infrastructure in an increasingly interconnected world.

About the Author

Edward Liebig is the Global Director Cyber Ecosystem in Hexagon’s Asset Lifecycle Intelligence division. His career spans over four decades, with over 30 of those years focused on cybersecurity. He has led as Chief Information Security Officer and cybersecurity captain for several multinational companies. He's also led Professional and Managed Security Services for the US critical infrastructure sector for two Global System Integrators. With this unique perspective Edward leads the Cybersecurity Alliances for Hexagon PAS Cyber Integrity. In this role he leverages his diverse experience to forge partnerships with service providers and technologies that drive collective strengths to best address our client’s security needs. Mr. Liebig is an adjunct professor at Washington University in St. Louis and teaches as part of the Master of Cybersecurity Management degree program.
