March 11, 2021

Introduction to Securing Operational Technology

Kunle Adetoro from Fortinet

You have Operational Technology in your environment and probably need to think about it a little bit. I was lucky to chat with Kunle, who is an expert not just in cybersecurity but also in OT security. In this episode he gives great information on the differences between IT and OT and what you need to consider when protecting it.

Connect with Kunle:
https://www.linkedin.com/in/kunle-adetoro/

Connect with Robert:
https://www.linkedin.com/in/robertrounsavall/

Some of the standards and trainings mentioned in the episode:

NERC:
https://www.nerc.com/pa/Stand/Pages/default.aspx

IEC 62443:
https://en.wikipedia.org/wiki/Cybersecurity_standards#IEC_62443

SANS ICS Training:
https://ics.sans.org/

Fortinet ICS Solutions:
https://www.fortinet.com/solutions/industries/scada-industrial-control-systems

Transcript

Robert Rounsavall:

Hey, everyone. Welcome back to The SynAckFinAck Podcast. This is your host, Robert Rounsavall. Today I'm joined by Kunle Adetoro, and he is a Consulting Systems Engineer for Critical Infrastructure and Operational Technology. I'm really excited to have Kunle on. I've known Kunle for a long time. He is an expert in Cyber Security. And he's made a move from traditional Cyber Security over into this critical infrastructure operational technology role. I'm excited to learn about it, about what he's got going on. Kunle, thank you so much for hanging out with me today.

 

Kunle Adetoro:

Thank you very much, Rob.

 

Robert Rounsavall:

Well, why don't we start out with, just tell me a little bit about how you got interested and into technology and security. So, go back as far as you want or can and how did you get into the field?

 

Kunle Adetoro:

So initially, I have my bachelor's degree in Industrial Technology. So, I was going for my master's in the UK. And I decided that in order to further improve on my industrial degree and improve and prepare myself for my master's, I wanted to do an IT course, to be able to allow me to do IT-based industrial sites. So I said, okay. I started with my first two years at a community college in the UK. And I got hooked on IT at that point. I got my first major PC. Well, obviously, I had been using Atari, and before that. But I've now got my first computer, and I got hooked on it. And at that point, I relocated to the US. And when I relocated to the US, I decided I was not going to do anything in Industrial Science anymore, I was going to move into IT. So, I started taking courses in IT. Obviously, started with networking in the IT vertical. And then I moved into IT security. And I developed my skills as a Network Manager and a Security Specialist.

 

And as I grew, because after my first degree, after my bachelor's degree, I worked for four years before I went to the UK with a glass manufacturing company called Fuyao Glass. So, working for Fuyao Glass and understanding OT from that aspect, I went back into my background. And when I came back to Fortinet, I now employed my knowledge, my background knowledge in OT, along with my IT specialism. And moved into Cyber Security for critical infrastructure and OT.

 

Robert Rounsavall:

Got it. So, you kind of started down this road and then veered into networking and security. When did you come to the US? How long ago was that?

 

Kunle Adetoro:

Actually, when I came into the US for the first time in 1982.

 

Robert Rounsavall:

Okay.

 

Kunle Adetoro:

But obviously, I was younger then and after a few years, my father moved back out of the US. And I decided that we're going to go out, we decided we're going to take the whole family along with him. So, we went back to Africa, and then to the UK. For I now decided I wanted to come back to the US.

 

Robert Rounsavall:

Oh, cool. And when did you... because I mean, you've been here obviously, I've known you for... gosh it's probably been over 10 years. So, when did you come back into that? When did you make your final move into it?

Kunle Adetoro:

So, I came back to the US in 1994.

 

Robert Rounsavall:

Okay, cool.

 

Kunle Adetoro:

In 1994 from the UK, I came back into the US. And from that point on, I worked for a glass company in the DC area. And then I started doing IT consulting for a consulting firm in the DC area. And once I started doing that, that's how I started developing my skills and my knowledge and my background.

 

Robert Rounsavall:

So, when you were doing consulting, were you going around and seeing a bunch of different clients? Or were you on one client for a period of time? Or what kind of consulting did you do?

 

Kunle Adetoro:

Well, the consulting that I did was both. Seeing different clients, but also like, for instance, I spent about three years with the FAA as a consultant, the consultant for the FAA. But the other organizations that I did work for, that was short term. And more like a month or two months.

 

Robert Rounsavall:

Okay, so that was kind of... FAA was kind of your main gig but they pop you out to different places here and there. And what kind of technologies were you working with at that time?

Kunle Adetoro:

I was working mostly with Windows systems, but also with a lot of work with databases and Database Administration and Management.

 

Robert Rounsavall:

All right. And then did you kind of veer into networking? How did you get from there into more of the hardcore networking and security stuff?

 

Kunle Adetoro:

So, when I left back at the consulting firm, I went to work for a cargo management company or an airline conglomerate, Air Cargo back then. And Air Cargo hired me on as a Systems Administrator, then promoted me to Network Manager. And being promoted to Network Manager, I was responsible for everything within the network. That's how I got into Cyber Security. Because unfortunately back then, being a conglomerate of the airlines, they were more interested in software development than security. Our web server then was compromised. So, I decided that. I went to management, I decided to upgrade our proxy firewall to a true firewall to utilize the Check Point at that time.

 

Robert Rounsavall:

Okay. So, you were a Network Manager and then you dealt with your first incident that kind of led you into a little deeper water with security, right?

 

Kunle Adetoro:

Yes.

 

Robert Rounsavall:

Awesome.

Kunle Adetoro:

And I got more interested in security than networking and then systems administration. And moved on from there to go work for George Washington University as a Security Manager. Network Security Manager for George Washington University.

 

Robert Rounsavall:

Oh, cool. Okay. And then at some point, you ended up at Fortinet, right?

 

Kunle Adetoro:

Yes. So, when I left George Washington, I came back to... I now decided, my family would say we wanted to move to Florida. And when I moved to Florida, I worked for a company called Guarded Networks, utilizing my Check Point and Cisco skills at that time. And then they were a major management company that is the central management, MSSP for small banks. Small and medium sized banks. So, I supported them on the Check Point, as well as... and then from there, I learned and had a large install of FortiGate solutions. And as I started managing the FortiGate solutions, I got so comfortable with it that all my questions to the FortiGate support engineers and management made them realize that I had good skills around the Fortinet solution. And then they offered me a position for Fortinet. So, they recruited me out of Guarded Networks. And that's how I started with Fortinet. And then I spent 10 years with Fortinet and left for a couple of years, and then came back. I went to look for greener pastures. But I found out that the home pasture was much greener.

 

Robert Rounsavall:

Right. That's awesome. So you went to school, got interested in security, started out doing with, you know, some consulting roles, then worked your way up to Network Manager, then worked at a MSSP and then going to work at a vendor. So, I guess one of the questions I have and for people listening to this podcast, who are getting into the security field, what's it like working for a security vendor like Fortinet versus an operational role?

Kunle Adetoro:

One of the key differences working for a vendor like Fortinet is, you are at the tipping point in a lot of technology. A lot of so you are essentially, you would be involved in a lot of industry based, tip of the iceberg solutions that you have to be well developed. So, there are going to be solutions that you have to work around and build your own security solutions around it. And they're going to be designed so that you are going to have to develop or build off the cuff that you haven't seen before, or you haven't experienced before. So, working for a vendor versus working for a customer is a lot different. Because there are going to be a lot of solutions that you haven't seen before that you have to work on developing. Or building a solution for, to meet the needs. And you are not going to see the same things over and over again. You're going to see... there are going to be changes every day, in terms of challenges. Not only challenges, in terms of what is the solution that's needed here? What is the problem? So, the problems facing keeps increasing? I'll put it like this. You have a broader surface in which to develop your skill set.

 

Robert Rounsavall:

Got it. That makes a lot of sense. So, it seems like you were able to transition from being in MSSP kind of operational environment, really getting on a platform and learning a platform for a growing company helped you make the leap from that operational environment to a vendor like Fortinet. That's cool. And you're right. It is, you know, you get to see different viewpoints. And if you're in a certain place, you've got a set of technologies you're working with. And, you know, you kind of get it locked down. And at some point, if you're looking for a change, would you recommend to folks to, you know, you've been in the industry for a long time, if somebody is at a place where they were there in operations, would you recommend to them making the jump to one of the vendors?

 

Kunle Adetoro:

My recommendation would be to make the jump to more of a service provider, not a vendor. Because then you understand the different changes. So as I said, if you think about it, at a service provider, you're dealing with multiple customers, while dealing with multiple customers, you're dealing with big differences in terms of their infrastructure. And that will help to build you up for, in terms of your skill sets or your ability to handle those challenges to work with a vendor.

Because with a vendor, you're also dealing with multiple environments. So, there's a lot of solutions that you have to develop and build at a vendor that possibly hasn't been done before, utilizing either the vendor solution or some other solution. So, integration and configuration is more important with vendor versus just overall support of a product.

 

Robert Rounsavall:

So, getting that experience in a SOC or MSSP, where you're seeing a lot of different problems from a lot of different customers. And that's fun. That can be a really fun learning experience. I mean, I loved working in the SOC. I've seen, you know, a lot of the folks who worked with me and my teams have gone on to do some really cool things. Yeah, that makes a ton of sense. So, wonderful experience and background. You jumped from Fortinet, you bounced around a little bit, then you had an opportunity to come back and really with this new focus on operational technology and critical infrastructure. So, you know, I've got a couple of questions around that. So, just when you say, "I work in Operational Technology", what do you mean? What kind of networks or devices are you trying to protect or focused on these days?

 

Kunle Adetoro:

So, network technology is another phrase that you can utilize for critical infrastructure. And OT is more cyber physical, protection of cyber physical. When we talk about cyber physical, we're talking about large equipment like providing protection of large equipment. Like a conveyor belt in a factory, manufacturing a robot army in a car manufacturing company, an oil rig, all these solutions. And I'm sure you heard recently about the issue at Oldsmar? The compromise at Oldsmar in Tampa area?

 

Robert Rounsavall:

Okay. No, I haven't. What happened there?

 

Kunle Adetoro:

The city of Oldsmar. So, the water treatment plant was compromised.

 

Robert Rounsavall:

Okay. I did hear about that. I do recall hearing about that. For audience, can you brief what happened over there?

 

Kunle Adetoro:

What happened was, there was an attacker... and they were very lucky because the attacker was able to get into the system. And his goal was... he came in via an unsecure method using TeamViewer. So, he used TeamViewer to get into their operational technology SCADA master. So, the machine that was actually making changes to the water treatment plants. So, the amount of lye that was going into the water, the chemicals that was going into the water for treatment to the tank of the water, they increased it. So, I think the level was for million liters of water, you have like a 100 mil of the chemical that needed to go into that. And he increased it. The attacker increased it by 100,000 which would have made it poisonous for anybody that drank that water. So, it was going to poison the city of Oldsmar. And that is just the tip of the iceberg in terms of what some people have been able to do. I mean, you've heard of electrical outages, you've heard of nuclear issues where like in Ukraine, electrical issues in Ukraine, nuclear outage and nuclear issues with Iran. And also, a lot of people do not realize how vulnerable the OT system is and the difference between OT or critical infrastructure and IT is life depends on your OT system. So, it is more... it affects people's lives and safety more than IT. So, IT is more protection of data and data Security, while OT is more protection of life and system. And that was one of the things that excited me while moving into this role at Fortinet.

 

Robert Rounsavall:

So, when you talk OT, you're really talking about the computer systems that are maybe controlling, like you say, the water treatment center or a dam.

 

Kunle Adetoro:

Yes. Exactly.

Robert Rounsavall:

Or a factory. So, that could be a standard compute platform. Or it could be something like a Programmable Logic Controller. Is that correct?

 

Kunle Adetoro:

It's typically a Programmable Logic Controller, a PLC or a Human-Machine Interface, or an RTU or a sensor vendor, a sensor that's out there that's monitoring. So for instance, you want to monitor your valves on the water treatment plant. It was something as simple as... I worked with a company that was digging quarries, that was crushing rocks. And on Friday, they went home. And when they went home, somebody hacked into the system that was controlling the conveyor belt that was loading the rock crusher. And instead of it moving rocks at an interval, it just loaded the crusher up, and essentially caused them to have an outage that cost them millions of dollars. By the time they came in on Monday, they had to shut everything down for two weeks. And it cost them millions of dollars to be able to fix the crusher, as well as they lost a lot of money for the period in which they had to shut down their environment.

 

Robert Rounsavall:

Got it. Okay. No, that makes a lot of sense. And I can see how it's important in systems. And I don't know if this is a dumb question or not, but what is the difference? Or is there a difference between Operational Technology and Industrial Control Systems, ICS? Or is that kind of the same thing? Or...

 

Kunle Adetoro:

It is the same thing. But it is used the same. Well, there is a difference, because part of your operational technology is the Industrial Control System. So, all you have within that system, you have your OT. Within OT, you have ICS, you have SCADA. So, you have those systems that are embedded into that.

 

Robert Rounsavall:

Okay. So, an Industrial Control System is part of the OT system.

Kunle Adetoro:

Yes.

 

Robert Rounsavall:

Okay. Same thing with SCADA.

 

Kunle Adetoro:

Correct.

 

Robert Rounsavall:

So, I guess one of the things that I'm curious about are, what are some of the challenges of protecting those systems? You know, you think, oh well, I'm a security guy or girl. I can just protect it like anything else. What are you seeing out there that... what makes it harder or easier to secure those types of systems?

 

Kunle Adetoro:

Well, to secure those kind of systems is, if you think about it, in OT, the security is more... historically, they've been more air gapped. So essentially, they had historically been systems that have been put in place and they had no communication with anything at all. So, they were all within themselves. They didn't talk to the internet at all. They didn't talk to anything outside of that environment. So, security was never built into the products that were utilized in that environment. So, because security was never built into them, as Industry 4.0 came about, which is, obviously we had the Industrial Revolution, as things improved. Organizations now realize that in order for them to improve their processes, as well as improve their financial capabilities and profitability within their environment, they had to have more knowledge. They have to know when, they have to be able to predict when a system is going to go down by monitoring its behavior over a period of time, you have to be able to predict when you need a certain... So, you're manufacturing widgets. If you're manufacturing widgets, you need to know how many of this product you need and how many of that products in order to make this? And how many do you have left? So, you have to have a system in place that will give you that information.

And obviously, while you're doing manufacturing, you're gonna have wastage. So, you want to know how many of this you have, how many of this you need? What was your waste product? And compare that and be able to give you some financial information like, okay, here's how much we've lost based upon this. And that information needs to come from the factory floor and go up into the enterprise level. So, because that transformation over that convergence is happening, it's now opening up your OT environment to the internet a little bit more than it used to be. So, now you have a system that has been placed in place for 15 to 20 years. It's not been patched, it's not been upgraded. So, you have a Windows 7 machine, a Windows XP machine that has your SCADA master or engineering workstation that's talking to your PLCs or your HMIs or your RTUs. That system has not been upgraded in 10 years. So all the worms, all the viruses that used to affect Windows XP, this system is probably still vulnerable to it.

 

Robert Rounsavall:

So, what you'll have is you're connecting up to a network, and you'll see things that have been pretty much gone for the most part and 95% of all environments for the past 10 years, all of a sudden, they start to show up again in these environments, because you have old systems. Is that right?

 

Kunle Adetoro:

Exactly, yes. And because of the need for the OT environment for constant processes. So, they cannot stop the system, they cannot stop the processes. It's just like, you and I, we live on electricity. So, if the electrical provider says, "Okay, I need to shut down electricity for the whole city. Because I need to upgrade my system." We're gonna scream bloody murder, "Why are you gonna shut off our electricity?" So, they have to have systems in place and processes in place that will not allow the systems to go down. So, the key thing for them is safety and accessibility. Those are the key things for OT environments. So, they don't care about confidentiality as much.

Robert Rounsavall:

Yeah, that's interesting. Because in most traditional IT environments, safety is important. But you're not thinking about potential loss of life or environmental impact or anything like that.

 

Kunle Adetoro:

Exactly.

 

Robert Rounsavall:

So, along the lines of the challenges of protecting, are there, I guess, a couple questions. And I want to hear about specifically what Fortinet is doing with their platform or platforms to fix it. But are these OT vendors who are selling the equipment, have they started to get a clue? And are they starting to improve their security on their own staff? Or are they still kind of putting out vulnerable systems?

 

Kunle Adetoro:

They are. The vendors are now improving their systems. But in order to replace what was in existence before, it's gonna take a long time for the organization to be able to plan that outage. And they have to do it systematically, where they will do maybe a certain section that's not going to bring the whole system down. And that it can bring it up relatively quickly. So, they are improving it. And they are working. And that is part of the key wherein we work with the vendors. And we work with other partners. So, we realize that we cannot be... well, no company can have everything to fix all the problems. So, we realize that. So, we're now working with the vendors, where we're integrating solutions into them and utilizing what we call our API fabric. We now use what we'll call the Fortinet Security Fabric, where we integrate with the different vendors, and put solution in place where we can embed security into their solution.

Robert Rounsavall:

And one of the unique things about Fortinet. I haven't looked at the latest and greatest you guys are doing. But traditionally, your company has been really good at taking capabilities in technologies and integrating them into a single or minimal amount of platforms, and constantly growing the capabilities. So if I'm a security person, I'm just like, oh, well. I'm just going to firewall off my OT subnet, and I'll be good. What does Fortinet bring to the table specifically for OT? And how does the platform work to address that security problem?

 

Kunle Adetoro:

Fortinet realizes that. So looking at that, there's some compliances like, for instance, NIST and IEC 62443 and NERC, and some of the other compliance requirements that are out there. And the guidelines and the standards that are defined by that, Fortinet has built, configured our solution whereby we can now have full visibility into the traffic type, depending on your configuration. So, we can see, not just the fact that, let's say you are doing Modbus traffic from your PLC to your... I can see the traffic, I can see the exact command that was being sent. And Fortinet has provided solution that will now say, when your PLC is talking to your HMI. Even though they're in the same layer two network, I can see the command that's been sent. And I can put parameters in place that's going to say, this is what I want to be sent between these two devices. If anything changes, alert me or block it, depending on what your playbook is.

 

Robert Rounsavall:

So, that makes a lot of sense along those lines when you talk about Modbus traffic. Normally, you're thinking of TCP or UDP. And am I correct that Modbus is a different protocol on the network? And it's clear text and you can kind of see the commands on the wire and if you're not doing something to protect it, you can just kind of inject commands in there and make things do whatever you want.

 

Kunle Adetoro:

So, Modbus is TCP traffic.

 

Robert Rounsavall:

Okay.

 

Kunle Adetoro:

But it is typically clear text. So, if you do a man in the middle, you can inject what you want into it. Because the end unit, the master that you're talking to or the slave you're talking to, does not have any security that says, I can only accept this command from this person.

So, I can now inject myself into your environment and send anything I want to your PLC or your RTUs. And they will accept it.

 

Robert Rounsavall:

Okay. So, what my understanding is, what Fortinet does is, it'll sit in between there, intercept that traffic, and you can configure it, so it will only allow certain commands and certain things through so that it will eliminate or dramatically reduce a risk of that third party or man in the middle or something like that happening.

 

Kunle Adetoro:

Absolutely. And then the other advantage that it does is, even though it sits in between there. So, the typical deployment in any environment is where you have all your devices in a layer two network, it's going to talk, they're going to add another for them to leave that network. Or for them to talk to your firewall at the gateway, they have to leave that network. So, if it's a layer two device, to talk to another layer two device, they're never going to go to the firewall. So, most deployments and most other vendors, most deployments, that's their typical solution. So, unless the traffic leaves that network to go to another network, it's never gonna pass through their device. But what Fortinet has done is they've developed what we call ‘Access VLANs’, which will allow the traffic from two devices or multiple devices on the same layer two network. In order for them to talk to each other, they have to first go to the FortiGate. They have to pass through the FortiGate device where we can now apply our visibility and access control features to the traffic as well.

Robert Rounsavall:

So, you have the ability to get really granular on the type of traffic you allow to a particular device. Even though that device would typically accept any traffic, when you drop your stuff in there, all of a sudden, you're saying, Nope. Only this from here, and that can work with that device.

 

Kunle Adetoro:

Correct.

 

Robert Rounsavall:

Okay. So, you're basically getting a lot of new visibility into that network that you didn't have previously.

 

Kunle Adetoro:

Exactly. So as an example, I have a little demonstration that I do in my lab. And that demonstration shows where the historian, which is a device that's supposed to read data, from your OT environment, from your sensors, from your PLCs or so on, it reads the data from them. And then it logs it and then reports on it for you. While the historian is only supposed to be reading, but as long as it's able to talk to those PLCs or those systems, it also has the ability to write. Because the reading and the writing is using the same protocol. So, you're not going to be able to work with the FortiGate solution. I can now say, once this device is identified as a historian, its job, I can build a risk control that says it will only do its job. I'm not going to let it do anything else about what it's supposed to do.

 

Robert Rounsavall:

Got it. Now, I know we're kind of coming up a little bit on end of our time together. It's a really interesting way to go about securing this and it's an area that I'm personally trying to learn more about. So, I'm excited to hear from you. You mentioned some compliance requirements around OT devices. I think you mentioned NERC and NIST. And so, what are these folks having to deal with from a compliance perspective? Are there auditors going around and checking things? Or what's that looking like?

 

Kunle Adetoro:

Right. So for NERC, which is the North American electrical... forget what the full acronym is, but it's the compliance requirements for electrical companies within the US and North America as a whole. And so, there are auditors. There are certain portions of the standards or the requirement, the NERC requirements, that you have to comply with and there are financial repercussions to not comply with those.

 

Robert Rounsavall:

Okay.

 

Kunle Adetoro:

So, there are auditors that need to go and come in and validate that you've been doing this and you'll be complying with the requirements of the NERC. And there are multiple features, multiple functions within a NERC CIP. So, within NERC and also, there's IEC 62443 which is a standard that is available, that is utilized by most OT environments. So, NERC is built off of a baseline that is IEC 62443. IEC 62443 is also compatible with NIST. And in Europe, they use NIS D. NIS D also. So, there is a lot of compliances. And most of them tie into the similar standards. Most of them have similar standards. But there are some that are financial, they have financial repercussions if you do not comply with them. And most of them do have audit capabilities. Auditability. Sorry.

 

Robert Rounsavall:

Nice. No, that makes a lot of sense. And I'm guessing that you drop your solution in, you get it configured and you can provide, probably help meet a lot of those requirements. Aside from just giving people protection that they didn't have, you can help meet a lot of those compliance requirements. Great.

 

Kunle Adetoro:

Absolutely.

 

Robert Rounsavall:

Well, let's break it off there. I guess before I go, a couple quick questions. If you're advising someone who wants to get in or learn about security or OT security, where would you point them? Or what would you have them do? Or any technologies they can kick the tires on? Or what do you think if they want to get better at or learn about that type of security?

 

Kunle Adetoro:

The key thing is there's key training that's available. One of the key areas that you want to kind of look at is SANS. The SANS Institute. The SANS Institute offers multiple trainings on ICS and ICS related solutions.

 

Robert Rounsavall:

Got it.

 

Kunle Adetoro:

Then you can also look at some of the vendors also providing levels of security training that they also give within their environment.

 

Robert Rounsavall:

Okay, so if you're using a particular type of product, look to that vendor and see if they have some security training in your work.

 

Kunle Adetoro:

Correct. And like as an example, I think, like Fortinet has a security training for OT security, Cyber Security training.

Robert Rounsavall:

Oh, wow. Okay. Well, we'll get links to all that in the show notes. Kunle, if people want to find out more about you and Fortinet, where do you hang out online? Are you on LinkedIn or any...?

 

Kunle Adetoro:

Yes. I'm on LinkedIn.

 

Robert Rounsavall:

Okay. What I'll do is I will put a link to you in the show notes and some of the things we spoke about. Also, the link to Fortinet. So, if you're dealing with OT, Industrial Controls, you've heard from someone today who has just an incredible depth of experience in all areas of security. But I'm really excited about what you're focusing on now. So Kunle, thank you for your experience, your expertise and for sharing with us today. And why don't we wrap it up there and hang tight and we will say goodbye off here? Does that sound good?

 

Kunle Adetoro:

Thanks, Robert. Yes, absolutely. That sounds great.

 

Robert Rounsavall:

Awesome. Hang tight.

 

Robert Rounsavall:

Hey, guys. If you like what you heard today, if you're looking at OT and learning about OT, I'm getting questions about OT and what we can do, check out Fortinet. They've got some really great platforms. If you're looking at things along those lines, connect with Kunle. And they will help get you squared away. If you know someone who would be interested in this content, please share it with them and we'll catch you on the next one.