Posted by Dr. Edward G. Amoroso
Former SVP and CSO of AT&T
Current CEO of TAG Cyber, LLC
As a current academic in good standing at the Stevens Institute of Technology, New York University, and the Applied Physics Laboratory at Johns Hopkins University (and yes, I get that this may be overdoing the whole college thing just a bit), I am privy to the little secrets of the computer science professor and researcher trade. One of these little secrets is called generalization – also known as job security – and also known, in cyber security, as Alice and Bob.
When asked to describe a new protocol for whatever property may be of interest – perhaps anonymity, or scaling, or whatever – the endpoints are always Alice and Bob. This is done, in my estimation, so that whatever technological changes may come to endpoints, the class lecture slides need not be altered. It also allows for any professor to respond confidently, when asked if today’s lecture applies to the new world of mobile devices, or gaming consoles, or Internet of Things devices, that yes, Alice and Bob can be virtually anything. (Except real humans named Alice and Bob, which seems ironic.)
So this Alice and Bob answer sounds really great, and it has certainly stood the test of time. But when it comes to industrial control devices, it is wrong.
Here is the problem: Industrial control devices such as wind turbine controllers, or heat pump monitors, or air conditioning sensors, talk in funny languages that can range from analog pulses to proprietary back-and-forth exchanges that will be as understandable to your firewall as Mandarin Chinese to a small child in Finland. Furthermore, unlike Alice and Bob, which are programmable endpoint computers that can be adjusted to run a protocol, industrial control devices can be just about anything. And they were probably put there when either Carter or Reagan was president.
This is where companies like Bayshore Networks come in. While researching my 2017 TAG Cyber Security Annual, which was released today for public download, I reached out to my good friend Francis Cianfrocca, who founded the company. He helped me understand – over fun demos in his office, Greek salads in Queens with his lovely wife joining us, and a pad and pencil filled with scribbled technical drawings – that operational technology is flat out different than information technology.
Francis helped me understand that if you position a commercial firewall inside the exchange between an aircraft engine and its telemetry monitoring that it will feel like it has been dropped in a strange land, one where the usual Alice and Bob chatter, what with their exchanging keys and sending cyrpto and the like, will be conspicuously absent.
What does this mean for CISO teams? It’s simple: If you are in the business of securing industrial control or operational technology devices, then you must either stop using Alice and Bob, or you’d better sit down and teach them – along with your security devices – a new language.