Lesley Carhart on OT Challenges, Incident Response, and Bridging the Gap Between Cyber and Operations
In this episode, co-hosts Kali Fencl and Daniel Schwalbe sat down with Lesley Carhart, a seasoned incident responder specializing in Operational Technology (OT) cybersecurity at Dragos, in person at BlackHat USA 2024. Lesley shares their journey, from their unique background in avionics and electronics to becoming a leading expert in the field. We explore the evolving landscape of OT cybersecurity, the challenges of protecting legacy systems, and the critical importance of building strong relationships between cybersecurity teams and operational engineers. Lesley also discusses the realities of incident response in industrial environments, the misconceptions surrounding OT security, and the human-centric approach needed to tackle these complex issues. Tune in to learn about the delicate balance between innovation and safety in protecting the critical infrastructure that powers our world.
Lesley guided us through the unique challenges of securing critical infrastructure, from power plants to elevators, and explained why it’s not as simple as updating to the latest operating system. Here are some key takeaways from our conversation:
The Long Life Cycles of Industrial Technology
One of the primary challenges in industrial cybersecurity is the long life cycles of the technology involved. Lesley shared that systems being built today with Windows 11 will likely be in use for the next 30 years. This extended lifespan means that what we see in production now will remain in use for decades. Unlike consumer technology, where updates and replacements are frequent, industrial systems require extensive testing and vendor approval for any upgrades. These upgrades can only occur during scheduled maintenance outages, which might happen just once a year to avoid significant financial losses.
Foundational Security Hygiene
Improving Operational Technology (OT) security isn’t about adding the latest cybersecurity controls, but about focusing on foundational security hygiene. Lesley emphasized the importance of segmentation, monitoring, and having a robust incident response plan. For instance, if updating an old Windows 95 computer isn’t feasible, housing it on a secure network segment and monitoring its communications can mitigate risks. While advanced security solutions like Extended Detection and Response (XDR) might not be applicable to all industrial devices, adopting architectural controls and secure processes from enterprise environments can enhance industrial cybersecurity.
The Impact of AI on Industrial Cybersecurity
AI’s role in industrial cybersecurity is a double-edged sword. On the defensive side, traditional methods like packet analysis and passive network detection remain crucial due to the age and vulnerability of many systems. However, AI tools like ChatGPT can lower the barrier for attackers. Lesley pointed out that AI can assist in crafting more convincing phishing emails or even writing code to manipulate industrial processes. This ease of access to sophisticated tools makes it imperative to rethink security strategies and anticipate new threats.
Myths About OT Security
Lesley debunked some common myths about OT security. First, many organizations underestimate the presence of OT systems within their environments. Whether it’s data centers or building management systems, OT is often integral to operations. Second, the notion that OT cybersecurity can be managed like IT cybersecurity is flawed. The consequences in OT environments range from operational failures to life-threatening situations, requiring specialized approaches and expertise.
Navigating IT and OT Tensions
Lesley also shared insights on managing the often tense relationship between IT and OT teams. Effective communication and collaboration are essential to bridge the gap between these two domains. Understanding the unique requirements and constraints of OT systems can help IT professionals develop more tailored and effective security measures.
Work-Life Balance and Hobbies
In addition to their professional insights, Lesley discussed the importance of maintaining a work-life balance in the high-stress field of cybersecurity. They revealed a surprising hobby outside of their cybersecurity career, showcasing the importance of having interests and activities that provide a mental break from work. Be sure to listen to the whole episode to learn all about it!
Conclusion
Our conversation with Lesley provided a deep dive into the complexities of industrial control systems security. From the long life cycles of industrial technology to the foundational security practices needed to protect these systems, Lesley’s expertise sheds light on the critical aspects of OT cybersecurity. As AI continues to evolve, staying ahead of potential threats and fostering collaboration between IT and OT teams will be crucial for securing our critical infrastructure.
Stay tuned for more insights from industry experts in our upcoming episodes of the Breaking Badness Cybersecurity Podcast!