When teaching the OT Security 101 Workshop for Div0, one conundrum I had (and in general, for any introductory workshop) is how we can provide enough material for the faster peers amongst us, yet make sure the slower ones can catch up. We do this through the concept of the extra mile. This was first inspired by OffSec’s modules, where they make a distinction between “objectives required for the syllabus” and “stretch targets”. The term extra mile has since stuck with me, and here are my thoughts on some of the exercises and extra miles presented in class. If you find these debriefs useful, please DM me on LinkedIn, as I am considering running such debriefs for other workshop topics I cover with a similar approach.
Exercise: What is Operational Technology (OT)? Challenging Assumptions
Why This is NOT an Extra Mile: It is important that we set the context right on OT systems from the outset. A modern take on OT systems requires that we examine, quite critically, why OT systems have certain characteristics. This exercise forms the basis for why many aspects of cybersecurity have to be thought through differently.
In class, we will have described, at the minimum, the difference between the data focus in IT and the process focus in OT. We will also have questioned some assumptions about the isolation of OT systems (and in fact, business use cases today require OT systems to be connected to IT systems, at least one-way).
Exercise: Revisiting the Constraints in OT Systems
Why This is NOT an Extra Mile: If not already clear in Chapter 1, the most important lesson to understand is that physical processes drive the operations in the OT space. Three minutes is not enough to do justice to this exercise, but time constraints require that I do this (this is usually worth an entire panel discussion).
If you have some time on this exercise, make it worth your while by considering OT systems from a sector-specific angle. Think about the processes that are critical and the non-negotiables in these sectors (e.g. some consider safety as paramount, while others consider precision in the physical process as paramount). These usually set the stage for the constraints on which cybersecurity measures can or cannot be implemented. In other cases, the highly proprietary nature of the industry can also result in a narrow band of choices available for the end-users to secure said sector. Use Slide 41 (Revisiting Defence in Depth) to provide a perspective on how Defence in Depth as a principle is now used not to minimise the chances of all controls in a chain failing, but as a principle to investigate any and all possibilities of fulfilling a security objective, given that some controls are impractical.
Exercise: Interdisciplinary Nature of Cybersecurity
Why This is NOT an Extra Mile: We often forget that cybersecurity comprises people, process and technology. We use the GRC picture in this exercise to describe this point. There are other soft skills required to bring home the point that cybersecurity is an interdisciplinary industry. One of my own writings looks at how market failures exist in cybersecurity. Think about other disciplines that have interesting links to cybersecurity. I will be happy to have a chat with you on these topics.
Extra Mile: Threat Models
Why This is an Extra Mile: Not everyone is a threat modeller. But threat modelling provides you with a great perspective on how systems can be attacked. In CSA’s Threat Modelling Guide, they provide an introduction to threat modelling using STRIDE-LM. They also present a MITRE ATT&CK table of attacks in the guide. This extra mile is meant to make you replicate a similar concept but in an OT environment, which is generally an open-ended exercise that I felt could be done outside class.
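To make the extra mile concrete, here is an added example (my own illustration, not code from the workshop slides or from CSA’s guide) of a STRIDE-LM per-element enumeration over a constructed OT data-flow diagram. The element-to-category rules and the rule that only flows crossing a trust zone pick up Lateral Movement are assumptions for the exercise, not a standard.

```python
# Added example, not from the workshop or CSA's guide: STRIDE-LM applied
# per DFD element over a constructed OT data-flow diagram (historian in the
# IT zone, HMI and PLC in the OT zone). The category rules are assumptions
# modelled on the common STRIDE-per-element practice; "LM" is added to any
# flow that crosses a trust zone, since that is where a pivot would happen.
from dataclasses import dataclass

# Which STRIDE letters apply to each DFD element type (assumed rule set).
STRIDE_BY_ELEMENT = {
    "external": "S R",
    "process": "S T R I D E",
    "store": "T R I D",
    "flow": "T I D",
}

NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
         "I": "Information disclosure", "D": "Denial of service",
         "E": "Elevation of privilege", "LM": "Lateral movement"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # external | process | store | flow
    zone: str = ""   # trust zone ("IT" or "OT") for non-flow elements
    src: str = ""    # endpoints, for flows only
    dst: str = ""

def enumerate_threats(elements):
    """Return (element name, threat category) pairs for the whole DFD.
    Flows whose endpoints sit in different trust zones also get LM."""
    zone_of = {e.name: e.zone for e in elements if e.kind != "flow"}
    threats = []
    for e in elements:
        for letter in STRIDE_BY_ELEMENT[e.kind].split():
            threats.append((e.name, NAMES[letter]))
        if e.kind == "flow" and zone_of[e.src] != zone_of[e.dst]:
            threats.append((e.name, NAMES["LM"]))
    return threats

# Constructed OT DFD: only the telemetry flow crosses the IT/OT boundary.
OT_DFD = [
    Element("Historian", "store", "IT"),
    Element("HMI", "process", "OT"),
    Element("PLC", "process", "OT"),
    Element("Operator", "external", "OT"),
    Element("HMI->PLC write", "flow", src="HMI", dst="PLC"),
    Element("PLC->Historian telemetry", "flow", src="PLC", dst="Historian"),
]

if __name__ == "__main__":
    for name, category in enumerate_threats(OT_DFD):
        print(f"{name:26s} {category}")
```

The resulting table is the starting point for the exercise: each row is a candidate threat to argue for or against given the sector constraints discussed earlier, and the LM rows mark the IT/OT crossings worth monitoring first.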
Extra Mile: Who are the Threat Actors
Why This is an Extra Mile: This is not really touched on in class, but it is important to note how nation state attackers are often the main adversaries OT system owners are worried about; this is simply a by-product of how many OT systems run the country (e.g. utilities, air/land/sea transportation). Because of that, it is quite important to gain an appreciation for the types of threat actors most interested in geopolitical objectives, such as a cyberattack as part of a broader psyops campaign against a nation’s people. But this is a more advanced concept, hence an extra mile.
Slides for the Div0 OT Security Workshop are available here, in case you have lost your copy.