How football helps explain critical infrastructure cybersecurity

Feb. 18, 2016
This is the part of the organization where physical security and cybersecurity intersect

With the Super Bowl still on our minds, continuing to contemplate how the offensive team exploited defensive weaknesses and how the defense adjusted to unpredictable attacks, we can draw some analogies to protecting critical infrastructure which use operational technology (OT) versus information technology (IT). Understanding how this technology works in a connected environment consisting of machines, control units and sensors will provide major opportunities for physical security specialists over the coming months and years. After all, this is the area of security where the physical access control and cyber world intersect.

According to Reed Exhibitions, which runs ISC West, here are some facts that strengthen that prediction:

  1. 2014-15 was a watershed year for cybercrime.
  2. Cybersecurity has become an overarching corporate risk issue (rather than an IT risk)
  3. Organizations are struggling to balance tech investments with processes redesign and staff training.
  4. Chief Information Security Officers (CISOs) take center stage in a more connected world.
  5. The Internet of Things (IoT) has brought new threats.
  6. IoT is an accelerator for the blending of physical and cyber.
  7. CISOs recognize physical security as an asset against growing cyber risks.

This is why the Security Industry Association is sponsoring the inaugural Connected Security Conference, to be held right on the same exhibit floor as this year's ISC West. For those of you attending ISC West and who are not familiar with cyber security, OT, the Industrial Internet and the critical infrastructure, these analogies should help you to understand some of the basic challenges.

Football Teams Must Protect Against the Opponent's Deviations

When a quarterback sees a second stringer covering the tight end, he will change the play from a run to a pass. Contrarily, when the tight end continually lines up next to the tackle, leading to a run play, but suddenly appears split out, the defense needs to notice this and be ready for a pass play. Similar to football, you need to protect your OT system by looking for such deviations.

Football Teams Attack the Opponent's Weakest Links

If the opponent's secondary is weak, look for many passing plays. If the cornerbacks are slow, beware of deep passes. So it is with Industrial Internet security.

To get into OT systems, hackers first attempt to obtain a foothold by attacking the weakest system whether it is in the OT network or a connected enterprise IT system. For example, unpatched systems vulnerable to common malware attacks or users clicking on phishing emails and walking-in their system into an OT environment are common weak links.

Security is Weakest at the Seams

In football, a receiver will adjust his route to find the seam between two defenders in a zone defense. In OT, this is the point where assets interact and where they need the most protection.

Industrial innovation is heavily reliant on connectivity - between devices and systems, machines and data, people and processes. This connectivity is great for productivity upstream, mid-stream and downstream, but is also exposes these systems to greater cyber threat.       

As OT leverages the benefits of increased connectivity, threats of a successful cyber attack greatly increase with the expanded attack surface. The more seams, the more opportunities. As a result, system operators and security directors face challenges in responding to the growing number of security threats.

Not Everyone is Protected the Same

Different positions have different rules. Some have to do with protection. For instance, you can't run into the punter once he has kicked the ball but you can do so to any other player. Kickers are whitelisted for that extra protection. Likewise, extending next generation firewalls using network whitelisting can provide added security for specific critical infrastructures.

Overloading to One Side Makes the Other Side Weak

In football, when we overload all of the wide receivers to one side of the field, we have denied passing to the other side. In computing, a DoS (Denial of Service) attack is an attempt to make a machine or network resource unavailable to its intended users, such as interrupting or suspending services of a host connected to the Internet. DoS attacks can impact both IT and OT but the impact of a DoS attack originating inside the OT environment can cause a significant outage.

Here's the problem: Many of the devices and software used in operational environments are 10 to 30 years old. Many were not designed to be connected, have not been patched very often and were not devised to withstand modern attacks. Many applications run on Windows XP or older operating systems that are literally impossible to patch. Surprisingly, many operators don’t know what’s actually transpiring on their OT network and, even if attacked, have no knowledge of the assault.

To further exacerbate the security challenge, many OT networks are flat with no or limited IP segmentation so that a worm outbreak cannot be quickly isolated. An OT security system needs to enable virtual zoning to provide network isolation so one weak link cannot impact the entire network.

You Can't Stop a Football Game Because of an Injury

You have to wait until play stops. Likewise, you can't shut down a critical infrastructure because you need to patch a deficiency.

The cornerstone of IT enterprise security is the use of software patching to eliminate underlying implementation vulnerabilities.Patch management in an OT system occurs infrequently and requires that a system be taken offline. Unlike in IT, where a service can be taken down to perform a patch, taking a critical infrastructure asset offline outside a planned maintenance window is simply not an option.

Closing down the refinery, production floor or electric grid periodically to add yet another patch is not a remedy that works when minutes of downtime can cost immense amounts of money. To eliminate turning off the operation when patching, hot patches must be delivered to a security solution that resides directly in front of the control unit, just like a football player blocking for his runner, while the system continues to produce.

The Team That Blocks Best Typically Wins

That's basically a football cliché. It's why so many linemen are drafted in the first round. This is no different in cybersecurity in the OT world. You've got to block unwanted traffic and it's reassuring to see when the blocker is doing its job right in front of the control unit.

In football, the game is won earlier in the week and season with advanced preparation. Similarly, in OT security, you need to be prepared to respond to an attack before it happens. You need to integrate safety procedures, incorporate response policy, deploy cyber protection and have visibility of activity on the OT network in order to be prepared for a cyber attack.

As ISC West hosts a Connected Security Conference this year, it reflects that practitioners and experts from broad sectors are engaging in conversations about cybersecurity in today’s OT environment. The exhibit / conference will help physical security professionals address the complex challenges associated with a more connected world while exploring security innovations delivering combined visibility across logical and physical security.

About the Author: Tom Le is vice president-engineering for Wurldtech, a GE company. For more information about Wurldtech, please visit