The continual evolution of technology is what makes my journey as a security professional so fascinating. I have always told my protégés that “To truly be in cybersecurity, one must learn something new every day.” Few domains have witnessed such swift and transformative progression as cybersecurity. The maturation of this discipline has been driven by visionary alliances, initiatives, and ever-evolving threats that underscored the necessity for adaptability and foresight.
Foundational Internet Protocols came from an alliance. Established in 1986 and initially supported by the U.S. government, the IETF, currently led by Jay Daley has been operating under the auspices of the Internet Society since 1993, a non-profit organization with local chapters around the world. The IETF laid down the groundwork for internet standards and security. This foundation signified that as the internet burgeoned, security protocols would be paramount.
Approaching the new millennium, the digital realm faced an influx of sophisticated threats. This period gave birth to the MITRE Corporation's CVE (Common Vulnerabilities and Exposures) system in 1999, providing the cybersecurity community with a unified lexicon and approach to vulnerabilities. I've had the honor over the past year or so, of being a part of this alliance, specifically in the mapping of the CVEs to ISA/IEC 62443 and its subsequent promotion. MITRE also created the ATT&CK framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. These tactics have been amassed for Enterprise, Mobile, and as Samuel Visner noted in another post, as of January 2020, industrial control systems.
By the early 2000s, as digital infrastructure proliferated, initiatives like the Center for Internet Security (CIS), currently led by John Gilligan, and its Critical Security Controls emerged, setting the stage for a more secure digital era. These protocols became pivotal, outlining robust defensive mechanisms for organizations. Around the same period, the digital landscape acknowledged the indispensable nature of web security. Consequently, the Web Application Security Consortium (WASC) was established, shifting industry focus towards ensuring the integrity of web platforms.
By 2006, as online commerce expanded, the inception of the PCI Security Standards Council. The council was founded by American Express, Discover, JCB International, MasterCard, and Visa Inc. Founding Members share equally in ownership, governance, and execution of the organization’s work. This alliance and subsequent standards highlighted the real-world implications of cybersecurity. Tasked with ensuring the sanctity of financial transactions, this initiative would forever change the underlying processes and controls for protecting transactions, online and in brick-and-mortar establishments across all industries.
The late 2000s and early 2010s witnessed a surge in cloud technologies. Recognizing this shift, the Cloud Security Alliance, founded by my friend Jim Reavis in 2009, underscored the need for updated security practices.
In 2012, OASIS, a respected, non-profit standards body, led by Richard Struse introduced STIX/TAXII, Structured Threat Information Expression (STIX), and TAXII, short for Trusted Automated eXchange of Intelligence Information, championed a collaborative defense by facilitating structured sharing of real-time threat intelligence among diverse organizations.
As I said in my post yesterday, compared to the long history of maturing the security standards, processes only recently have the cybersecurity community, as a discipline, added focus to Operational Technology (OT) and Industrial Control Systems. However, as the digital realm matured, it was evident that unique security challenges faced Operational Technology and Industrial Control Systems. Recognizing the critical nature of infrastructures relying on OT and ICS, entities such as the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), established in the late 2000s, became pivotal in the domain. Operating under the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) led by Jen Easterly, ICS-CERT provides robust resources to bolster the defenses of critical infrastructures.
Industry groups, such as the International Society of Automation (ISA) with the ISA99 project led by Eric C. Cosman, introduced standards like the ISA/IEC 62443 series in the 2010s, providing tailored guidelines for industrial automation and control systems security. This further fortified the landscape with comprehensive guidelines tailored for industrial automation and control systems security. While we have made headway in identifying the OT attack vectors, tools, Techniques, and common knowledge, and built a security framework for OT, we still find ourselves, in some cases, using tools fundamentally designed for IT. Integration and sharing between OT and the IT business segments are necessary to fully measure and manage cybersecurity, and ultimately, the overall business risk.
So, let’s look at a practical example of how these alliances, which produced great standards and frameworks, have influenced technological advancements. From the early days of digital communication protocols to the modern focus on Operational Technology (OT) defenses, cybersecurity's journey has been nothing short of amazing. To illustrate the power of alliances, this example revolves around the birth and maturation of Security Information and Event Management (SIEM) systems.
Early log proliferation and the need for management in the same epoch that saw the foundational work of the Internet Engineering Task Force (IETF) in 1986, the IT world was rapidly expanding. As infrastructures grew diverse and complex, each facet churned out logs like a library endlessly acquiring new books. Unfortunately, at the time, logs were in many cases bespoke and disparate in format. Seeking Log aggregation and normalization, organizations, not just wanting to store but also make sense of these logs, birthed log management systems.
Real-time Threat Detection emerged parallel to the more standardized web security protocols championed by the Web Application Security Consortium (WASC). The cyber threat landscape was undergoing its own transformation. It wasn't just about keeping logs for forensic purposes anymore. The digital realm needed real-time vigilance. Enter Security Event Management (SEM) tools, focusing on detecting live threats by analyzing event data as it streamed in.
The expanding digital universe didn't just require independent solutions; it craved a merger. SIEM was this harmonious blend—marrying the archival capabilities of log management with the real-time alertness of SEM. The driving forces behind this amalgamation echoed the complexity of modern IT environments, stringent regulatory landscapes, and an ever-mutating threat panorama.
Initiatives such as PCI Security Standards Council, which underscored the tangible implications of cybersecurity, SIEM platforms began to solidify their position as indispensable tools for organizations. They offered businesses a panoramic view of their digital environment, crucial for detecting, responding to, and investigating security incidents. This shaped the future of Incident Response and the associated playbooks.
In 2012, SIEMs paved the way for the next generation of security tools. These included User and Entity Behavior Analytics (UEBA), focusing on nuanced behavioral patterns, and Security Orchestration, Automation, and Response (SOAR) systems, streamlining and integrating various security responses.
As we've observed through the progression from foundational internet protocols to OT security measures, the essence of cybersecurity needs to adapt. I would say it needs to remain fluid, however, I would be remiss. In the current security climate, "fluid" is simply too rigid, one must remain "vapor". The alliances made between government, industry, academia, and tool designers/vendors will continue to shape and define OT security. With the stories of SIEM, UEBA, and SOAR in mind, it becomes clear that alliances will influence tool adoption and capabilities.
Organizations will gravitate to, and look to adopt, tools and technologies that resonate with established or emerging frameworks and policy recommendations. This alignment not only helps secure current operations but ensures readiness for the threats of tomorrow. By doing so, we can ensure the continual evolution of the practices and technology choices of OT security. When it comes to safeguarding our most critical assets and infrastructures we all are better, faster, and stronger together than separately.
This wraps up my thoughts (for today anyway) on how alliances will change OT security. As global threats continue to grow, we grow and innovate. Stay brave, stay bold, and stay unified in our cybersecurity goals.