Penny Wise Pound Foolish Security by Obscurity

Security by Obscurity

I cannot remember the first time that I heard the statement “Security by Obscurity”. In fact, I’m sure the term pre-dates my time on the internet.

What I can remember is the last time I heard it without saying something. I was working with a new company, we were in a machine builder I had known and they asked about security of the software we were offering… “Security by Obscurity” was how we led off.

It was one of those really strange moments that I must have looked like I was sucking a lemon. Biting my tongue and thinking to myself, “Is this seriously the best answer we have? They probably won’t find you in the vast internet? Then even if they do, they probably won’t guess the admin/password login that was almost certainly not changed?!?”

Security by Obscurity is like walking 20 miles to work **naked** and hoping no one sees you.

Everyone will see you. 

I’ll skim, rather than do a deep-dive into the topic of air-gapped Industrial Control Systems, if that’s even possible in 2020. With the amount of remote work that I do, I’d imagine everyone knows where I fall in this conversation.

My main point of contention is the fact that most people who think they have an air-gapped system simply don’t. And since they don’t, they then open themselves up to a virtually unlimited amount of disruption.

A single ethernet cable, dual-homing a computer will destroy decades of work.
A single vendor needing access and putting in their own access point will eventually do irreparable damage.
Someone, anyone just plugging in ethernet cables in without understanding the architecture can negate hard work, security measures, and financial investments you’ve made into your systems.

Would you stake your company’s future on hoping that no one finds you on the internet?

Now, let’s talk tools, strategies, stop-gaps. Where does that hope that we’ve placed lead?
These are the only things stopping us from needing to rely on “obscurity” to keep us secure.

Shodan is an invaluable tool that allows users to create maps of Industrial Control Systems on the internet. Everyone in this industry should know about and using Shodan. The pit-fall?

“Hackers” don’t have to stay within the confines of the law. They can build much more robust tools. They are not worried about whether the work they do is “technically illegal”. Many of them are going to try to extort money off of you. Hacking is the smallest of the crimes.

They can use social networking and phishing schemes to get access to systems.
This is not a movie plot.
It happens everyday.
Read the ICS Certs.
Read the news.

People are getting hacked. Facilities are going down. Millions of dollars are changing hands to hackers that you don’t know about. And the ones you do know about? Entire cities have had their public works systems held for ransom. Your company could fall just as easily.
Security by obscurity leads to embarrassment that you hope the public doesn’t hear about.

What’s the wise choice?

Understand where you are.
Identify your systems, figure out your networks.
Get an ICS Cybersecurity Assessment.

Then you can make informed decisions as to where you currently stand and what you can do to mitigate those risks.

Will there be a pile of money to fix everything at once?
Probably not, but Cybersecurity is an ongoing process.

Everything in life is about making informed decisions.
The ask is to become informed and then make those choices.

Smart Money

Not all ICS Cybersecurity tools or assessments are equal. Make sure you understand what you’re going to receive:
The outcome.
The advice.
The remediation.

Will they automatically tell you everything is wrong and you have to rip and replace? There are people out there who will do that after a $200,000 assessment.

Are they going to use tools that will take down the OT network because they are “standard IT tools?”
(Want to find a way to get everyone against you and ICS Cybersecurity? Take the facility down while testing.)

Do they have the OT background? Will they understand your systems?

All of these things need to be discussed internally, and they need to be asked around the industry.

If you have questions or would like opinions, please feel free to reach out: [email protected].
I’m currently doing some really interesting work in this space and would be happy to fill you in.