12 October 2022

We are often focusing on the wrong things

Mark Bristow, Director at the Cyber Infrastructure Protection Innovation Center

At the international Industrial Security Conference on 14-15-16 November, Mark Bristow, Director at the Cyber Infrastructure Protection Innovation Center, MITRE Labs, will give a presentation about ensuring operational resiliency in a contested world.

Read an interview with Mark here.

What is your background? And how do you work with industrial security on a daily basis?

As the director of MITRE’s Cyber Infrastructure Protection Innovation Center (CIPIC), I work with asset owners and operators of critical infrastructure, industry consortia, U.S. government agencies, and international partners every day. MITRE is helping these organizations better secure critical infrastructure by leveraging our cyber defender resources such as MITRE ATT&CK, CALDERA, D3FEND, and ENGAGE but with an ICS or OT focus. We are building tools that can be leveraged by the cyber community to better secure critical assets.

Before joining MITRE this year, I spent the last 14 years in various leadership roles at CISA, including incident response for ICS-CERT and subsequent organizations. I have a family connection to control systems; my father worked for a major vendor for most of his career, and I found my first ICS software bug at 10 years old one Saturday at the lab with my father. I also teach the ICS515 Visibility, Detection and Response class for SANS.

What do you see as the biggest opportunities and challenges in connection with cyber- and industrial security?

The control systems cybersecurity community is at a critical point. For many years, we have struggled to raise awareness about the need for security for industrial control systems. Now that we have succeeded in getting business leaders to understand the need, we must implement smart solutions that drive operational outcomes. This is both an opportunity and a challenge. With acceptance of the need, implementing defenses is the next challenge. In too many cases, a compliance-based approach has been taken to ICS cybersecurity which ultimately prioritizes “easy to measure” security controls like patch levels and password complexity. The challenge with applying these controls to ICS is that in many cases, while good for security, these controls will not substantively impact the safety or reliability of the process. We need better ways to measure risk that allow us to prioritize the impactful and likely scenarios that ultimately will reduce the risk of failure.

When looking forward just 5-10 years, what do you think will be different within security?

I’m really excited to see the concept of cyber-informed engineering (CIE) taking hold. The U.S. Department of Energy recently released a strategy for CIE that takes the concept of Consequence-driven Cyber-Informed Engineering (CCE) to the next level. This is changing the way that process control engineers are looking at how they design systems, much in the same way we do in safety engineering, to ensure that malfunctioning or maliciously manipulated control system components have minimal impact on safety and process reliability. This concept is gaining adoption across the industry, which will greatly improve the resiliency of our systems in the future.

Besides more funds for security, what do you think would make a difference in the industry?

While many organizations are increasing their funding for ICS security, it’s time for the ICS security industry to focus those resources for maximized return-on-investment. Significant work is done in the areas of compliance with standards and regulatory frameworks. While this is a great first step and ensures a baseline of cybersecurity throughout the industry, it is insufficient to stop many adversaries who want to hold infrastructure at risk. Much of the focus of these efforts is on items like ICS device patch management, whereas actual ICS intrusions use credential stealing/impersonation as a key vector that is not adequately addressed by the standards. The community needs to prioritize resources to where they will be the most impactful in stopping the adversary.

What are your own expectations for the conference? And which keynotes are you looking forward to hearing?

As an American, I’m always really interested to see how my international colleagues are looking at control systems cybersecurity and what challenges are being faced. Industrial processes often are not isolated to a single country or region. Having a shared international perspective is critical. Additionally, the technologies that underpin our control systems are similar across industries and political boundaries, so we have a number of shared challenges.

I’m looking forward to hearing about how the cloud and data analytics are transforming our industry (presentations by Vivek Ponnada, Patrick Miller) as well as how we can increase ties between organizational culture and operations (James McQuiggan). I’m also really interested in how cyber conflict has evolved, and I think the presentation on recreating the 2015 Ukraine attack (Casper Bladt and Jens Nielsen) and the Cyber Conflict talk (Joe Slowik) will be interesting in that regard, along with my presentation.

What will your keynote be about, and which learnings are you hoping the participants take with them?

We often are focusing on the wrong things. When participants leave my keynote, I want them to have strategies for evaluating what the “right” things are for them.

Over the last 20 years, we have gone from industrial cybersecurity being barely an afterthought to a topic that is a focus for owners and operators but also for the public. This increased awareness is great, and now we have resources to tackle these problems, but it came with some drawbacks. Often organizations are driven to a compliance mindset by regulatory regimes, insurance underwriters, and risk managers who don’t understand process control. This creates scenarios where resources are expended on activities and mitigations that may not have tangible impact on the overall resiliency of the system. We need to do better.

We need to take a consequence- and threat-informed approach to mitigation prioritization that ensures that our defense strategies will frustrate an adversary. Long gone are the days where obscurity of these systems could be counted on to help reduce the probability of impact, so now we must focus not only on what is vulnerable but on what our adversaries are likely to do and how we can stop them. We also must look beyond the cyber domain for solutions. In some cases, resiliency can be achieved through physical modifications to the control system or processes instead of only through cyber means.

WOULD YOU LIKE TO HEAR MORE FROM MARK BRISTOW?

At the Industrial Security Conference on 14 – 15 – 16 November, Mark will give a presentation that will cover how the landscape has changed over the past 10 years and discuss some ways that owners and operators can engineer resiliency solutions to prioritize activities and reduce these risks.

Read more about the conference and sign up here!

©2022 The MITRE Corporation. ALL RIGHTS RESERVED.  Approved for Public Release; Distribution Unlimited. Public Release Case Number 22-01053-6