On November 30, 2023, within the framework of the XVII STIC CCN-CERT Conference | V ESPDEF-CERT Cyberdefense Conference, 2023, the panel was held.
“How do industrial SOCs manage the technological Cybersecurity risks of the Industrial SOC, its personnel and its processes?”
During this colloquium, the guests, Antonio Villalón, Director of Security of the Cybersecurity, cyberintelligence and operations of mission-critical systems company S2 Grupo, Javier Sevillano, director of the Security Operations Center of the Cybersecurity specialist Innotec Security, Part of Accenture , Aarón Flecha, Industrial Security Research at the Cybersecurity provider S21sec by Thales, and José Valiente, director of the Industrial Cybersecurity Center (CCI), as moderator, shared their experiences related to the internal management of cyber risks, as well as the technology, personnel and processes necessary to provide an Industrial SOC service.
In the panel, a compilation of the most important points in the opinion of the members who made up such panel were highlighted.
People, processes and technology: the trinomial of any Cybersecurity strategy
People, processes and technology are the three most important elements to take into account in any Cybersecurity strategy, also in the industrial field. Three aspects on which the panel focused precisely.
The first question that each of the participants answered was related to what, if applicable, would be their concerns when hiring an industrial SOC: the lack of confidentiality of information about the industrial systems that the supplier has, the unavailability of the monitoring service and the personnel who manage the cyber incident or the alteration of the data collected by probes and other systems that cause incorrect and serious actions.
And although half of the public – who were able to participate through a live interactive vote – pointed out the second option, only Javier Sevillano (Innotec Security) chose it. The rest of the panelists opted for the latter. “The fact of starting to work on material that may be diffuse with respect to the reality of the incident itself already entails great complexities,” Aarón Flecha, from S21sec, reasoned in this regard.
Responsibility and certifications
Responsabilities
The experts then spoke about who is responsible for managing risks within a SOC and what measures are mainly adopted in their organizations to carry out the required protection.
In the case of Innotec Security, the person responsible for Cybersecurity risks is the person responsible for the entity’s Information Security management system, which ultimately resides with the director of operations and, ultimately, the CEO. “In a company dedicated only to Cybersecurity, obviously, the responsibility lies at the highest levels of management,” said Sevillano.
S2 Group is in the same situation: the final person responsible is the general management. And as for the measures, for Antonio Villalón the detection of anomalies is very important; “That is, an oven that begins to operate outside its standard temperature ranges, an IP that suddenly generates traffic to a sensor… Everything that allows us, finally, to detect minimally advanced things,” he exemplified.
Other technical measures, in this case presented by Aarón Flecha, are having a fluid channel between different departments – “in the end, when an incident occurs, a multitude of profiles must come into play,” reasoned the representative of S21sec −, specialized certifications in the part of Industrial Cybersecurity – which were discussed below – or the correct training of workers.
Certifications
After each of the panelists explained what certifications their respective SOCs have, all of them commented on the presence –or not– of an excessive number of them. Not in vain, as the moderator of the debate, José Valiente, reflected, “the scope that must be achieved from this high number of certifications is a tremendous requirement that is very complicated.” A situation that, in the opinion of Javier Sevillano, from Innotec Security, will get worse. In fact, he pointed out the administrative burden they pose as the main problem.
Antonio Villalón and Aarón Flecha were of similar opinion. The Security Director of S2 Grupo, although “he doesn’t know if they are excessive,” lamented the overload that comes with obtaining, maintaining and renewing them.
Procedures
The next point that the panelists discussed was related to the most critical procedures in managing cyber incidents in an industrial environment.
In this sense, Aarón Flecha, from S21sec, put the focus on people: “The idea is to have a well-established procedure, with roles and responsibilities, taking into account that it is necessary to speak the language of the plant people. And this is very important not only in incident response, but in almost all Cybersecurity services that are provided. The plant people are specialized, they are great engineers and they have their vocabulary, but when you introduce the concept ‘Cybersecurity’ you also have to explain to them that it is necessary to collaborate among everyone. Not in vain, in the end you learn from those engineers who are in the plant and they can learn from you at the Cybersecurity level,” he reasoned in this regard.
Next, José Valiente, the moderator of the panel, wanted to know if the members of the colloquium, all of them with great responsibilities, even at the management level, can access all the information that the SOC has or change part of it. And the answer was unanimous: no.
Following the case of S21sec, its representative explained that each incident is managed in isolation and that not all profiles in the organization have access to said event: only those that have been activated. “That is to say, if I am involved in the incident, I am not interested in exfiltrating or changing information, because I am already in the ‘war,’” he stated emphatically.
In the case of Antonio Villalón, from S2 Grupo, he does not have access to all the information either, despite being the company’s Security Director. “If I request information to which I do not have access, the obligation of the person from whom I request it, no matter how much of a director I am, is to notify. And if I want to take the information about my services or the financial information, I would have access to part of it and I could take it with me just as I can see it on the screen. But it would be detected in a very short time,” he explained.
Finally, at Innotec Security, Javier Sevillano assured that “you only require the necessary information to execute your part of the procedure.” “The first thing is to restrict access permissions to information to a minimum to make the risk as low as possible,” he concluded.
Confidentiality
The last major issue of the colloquium was related to the confidentiality of critical data. Data that industrial environments have and that, according to José Valiente during the event, “are very sensitive given their nature and given their relationship with certain designs, configurations, accesses, etc.”
And cybercriminals are fully aware that they can find this information from telemaintenance providers or those that provide services to industrial SOCs, for example. Hence, the CCI director’s question to the panel members was related to guaranteeing the confidentiality of the data handled by its staff.
Antonio Villalón intervened on this to close the debate: “Guarantee does not guarantee anything, despite the fact that the company has security measures to try to increase or work with certain guarantees the confidentiality of our information in the industrial part,” he stated flatly. Some measures that are related to the trinomial people-processes-technology. And in which the aforementioned company gives great importance to monitoring; That is, being able to detect certain behaviors or attitudes that may be anomalous or raise suspicions.
Conclusions
From the CCI, based on the ideas presented in the panel, the following conclusions are presented:
- The senior management of organizations must be at the peak of responsibility in relation to risk management within a Security operations center. In fact, this is true in the case of the three Cybersecurity companies that participated in the round table.
- The high number of Cybersecurity certifications that companies must have represents an enormous administrative burden in terms of obtaining, maintaining and renewing them. Despite this, it is necessary to have them.
- Communication between all profiles with Cybersecurity responsibilities is crucial. For example, in the case of plant workers, it is necessary to adapt the vocabulary when introducing the concept of ‘Cybersecurity’ to collaborate together.
- The members of an industrial SOC should not have access to all the information. In fact, it is necessary to restrict access permissions to a minimum in order to keep the risk as low as possible.