I am a polyglot. Which means I speak multiple languages, but I like that word because it is a mouthful <wince>. When I am speaking in another language, I have to translate that through English before the Spanish or Mandarin words come out of my mouth. This is the hardest thing to learn not to do and requires immersion in the culture and language that you are trying to learn. This is the same problem that we have when OT analysts or engineers talk to their colleagues in IT security.
Over a decade ago I contracted for a manufacturer that made gaskets for very large pipes and blowout preventers for oil wells and pipelines. The equipment they made was used in dangerous places, and was used to prevent physical harm to people and the environment. The manufacturing processes required to make these devices were also not altogether safe. The processes required poisonous gasses and materials — and the workers responsible for production needed to wear an inordinate amount of testing gear.
It was a great company, very cool people, and they were fairly liberal with their use policies on most things digital and computing because the company was run by engineers and scientists. In other words the policies resembled those of a college campus: they were open, Internet connected, and flat. The people running the manufacturing plants assumed that threat actors were not an issue.
Today a policy such as this would be dangerous if not downright sacrilegious, but this was in a time before ransomware was popular, before bitcoin made it relatively easy to reap financial gain from malware, and a time before nation-states engaged in stealing trade secrets and performing cyberwarfare. Sure, viruses were rampant, but they didn’t have much of an impact on the company’s bottom line and rarely knocked out many systems at once.
Let me preface the conversation with the observation that I am, and have always been, a bit paranoid. Especially when it comes to computers. I performed my first software hack at 12 and my first hardware hack at 13. So it is an ingrained personality trait.
When I saw their current state, I immediately suggested segmenting their networks, which was not a popular idea at the time, and disconnecting the production lines from the internet connection. They could do this easily by using a separate firewall to make sure the Engineering Work Stations (EWS) were behind a security control or proxy of some sort.
My suggestions weren’t just ignored — they were derided. Yep, they made fun of me. This was not the first time, nor will it be the last that someone makes fun of me, about computers or pretty much anything else. I could not win budget to implement my ideas. Every time I had a meeting with the production line manager or process engineering director, the answer always was, “We have safety systems for that.”
I found that I could not speak the OT engineers’ language.
I continued to worry about the current state of security at that company. So after a few months, I told them about a personal experience I had had at a previous gig.
A few years before I was a contractor, I worked at a large exploration and production oil company. I had been flown in via helicopter to an oil and gas rig in deepwater to find out why there were persistent issues with some of the computer systems on the rig.
While I was there, they began to have other, more troublesome issues. The anchoring computer kept rebooting. This is the computer that dynamically adjusts the position of a 5-million-pound drilling rig as it bobs up and down in the ocean. Eventually, I found a worm on a laptop that was not supposed to be connected to the network. It was the Slammer worm, which even at that time was considered old.
Slammer attacks SQL processes on computers and generally makes them reboot, sometimes over and over again. This particular computer had Microsoft SQL Data Engine (MSDE) on it, which is like a shrunken version of SQL for local applications.
The worm kept rebooting the anchoring system, and the anchoring system had the database server software installed on it. That meant the manual anchoring system had to kick in, and every time the manual anchoring system kicked in, the stability of a 2-mile-long steel “drill string” that was drilling a hole in the bottom of the ocean was put in jeopardy. Drilling holes two miles underneath the ocean’s surface is expensive, and an unstable drill string could cost millions of dollars a day — or cause catastrophic environmental damage or even loss of human life.
This is the moment from that gig that really sticks with me. The story that I ended up relating to my co-workers at the manufacturing company was about when I was awake for 72 hours trying to find a problem with the IT systems that seemed to be causing operational issues with the rig itself. On the second day, the company man (the gentleman in charge of the project, who wore Carhartt jackets and steel toe boots) started to joke about dangling me over the side of the rig.
I didn’t like that joke. I didn’t find it very funny.
The decking to the water was a three-story drop, and you could clearly see the sharks feed down at the bottom. It was like something out of a comedic spy movie. Evil doctors danced in my head. Eventually I got so tired my mind wandered. A singular thought popped into my noggin during those hours of troubleshooting and working on the rig: The crew and company man didn’t always feel safe here either. The safety of the crew on the rig was the responsibility of that man, and he would do just about anything to keep them safe — in fact it was his #1 priority.
I may have felt some fear, but danger is something they dealt with every day. That was a big moment of insight for me. It is a shared experience I still struggle to get across when I teach an OT security class.
At the gasket company, I found that I had to translate what I meant by “security.” A CISSP would think that security is “confidentiality” first and foremost. Keep data like ACH paycheck numbers confidential and not posted into Pastebin. It has taken me a while to start translating the word “security” from its IT meaning of “confidentiality” into its OT meaning of “safety.”
Learning a new language is not easy. Your meaning can get lost in translation. Expecting to always get it right or do so in a day is impossible.
CyberX offers training and certifications that bring IT and OT teams together. See our “Services” doc for more information.