In 2021, digitally connected networks enable an expanding perimeter of billions of edges that have to be managed and protected. As the lines between information technology (IT) and operational technology (OT) networks blur, leaders are challenged to protect the enterprise against advanced threats across an expanding attack surface and a complex ecosystem that includes too many vendors, too many alerts, and slow response. As recent cyberattacks have demonstrated an increased risk to both IT and OT environments, readiness equates to the enforcement of rules and policies that provide the visibility, control, and situational awareness to respond at the speed of business.
It is imperative that today’s organizations evolve their security posture, yet gaining the necessary investment may be challenging when the cost of doing nothing is hard to quantify. How can you gain the necessary buy-in from executives that see security as a competing force against agility and performance? How can you look at security in a more holistic view and achieve cybersecurity resilience? How do you demonstrate the value of security to all strata of the business as a critical component of continuity?
At a recent Converge roundtable event, IT executives from various Houston-based organizations gathered to discuss these questions.
Guided by insights from Richard Peters, CISO at Fortinet, this invitation-only dinner drew from the experiences of the attendees offering their views on how industrial controls can meet the demands of both security and efficiency in today’s connected environment.
Participation in this executive event gave participants the opportunity to discuss key issues and strategies with a handful of senior executives and market leaders in an informal, closed-door setting, allowing them to emerge with new strategies and solutions that could immediately be put to work.
The following is a snippet of the discussion between Richard Peters and Converge’s Cybersecurity Delivery Lead, North America, Brian DiPaolo.
Brian DiPaolo: What is driving the convergence of IT and OT?
Richard Peters: So, first of all, Brian, thanks for the opportunity today to engage on a topic that I’m very passionate about. When we examine what’s going on in the connected IT and OT domains, if you’re looking for one cause that’s driving it, it really is the appetite for data. Now, we could argue that technology and innovation are accelerants that require that proportional attention, but it is the executive appetite for data, for actionable data that allows businesses to pivot, to be able to manage their assets more efficiently. It is all about doing and accomplishing that mission within the OT space more effectively. So, if data drives that efficiency, now we’ve suddenly connected environments that don’t look like the typical IT.
Now, often when you venture into an OT space and you examine the stack from the point of interface of the IT enterprise and the OT infrastructure, what you encounter are legacy technologies. And accompanying those legacy technologies, of course, is an expanded attack surface. So, you have to consider a wealth of vulnerabilities coming back into play that quite honestly from the IT point of view have been treated and resolved. There’s a lot of heavy lifting that must be done, but the good news is we’ve made a lot of traction collaboratively because this really is a joint pursuit of protecting the cyber-physical, which of course is very cross-cutting. We’re talking about Energy and Utilities, which includes traditional fossil fuels as well as all renewables, we’re talking about Manufacturing, which is a very broad spectrum of application, and of course Transportation, we’re considering the rail, cruise lines as an example, and also into the aircraft industry. Very diverse, very complicated, but what we can do is distill it down and figure out how to design security in to be able to accomplish a level of resilience that will allow the executive to sleep well at night.
Knowing Your Environment
DiPaolo: You mentioned legacy environments and several different industries. Are there any other key challenges with that convergence of IT and OT, and what are the best ways to overcome them?
Peters: You have to think about how you’re going to solve hard problems, and solving a problem in the operational technology space usually starts with knowing your environment and understanding how to take the right first step. I’m a big believer in adopting a framework that allows you to take a strategic view of your assets and what you’re trying to accomplish. I know we can dive deeper into this topic, and we will through the course of this conversation, but you’re really helping each customer baseline where they are in their cybersecurity maturity journey. Understanding that allows you to calibrate your approach specifically to the customer and think about where there are gaps or pain points because every single engagement, every single customer you work with is going to look a little bit different because of where they are, what steps they’ve already taken, what point solutions they’re already integrated into their environments.
Of course, at the end of the day, what we’re really trying to do is adopt an ecosystem approach, something that’s agile and allows you to continue to grow because the operational technology customer is looking for a solution that will last. They’re not accustomed to making lots of changes, so they’re looking for a scalable, fast solution because it’s got to meet their speed-of-business requirement. They understand one abiding principle that underpins all cyber-physical business, and that is safe, continuous operations. If you fail that metric, then the rest doesn’t matter. Of course, for security to come in and be a part of the solution, it has to be very transparent, again it has to scale because they’re going to continue to tag and engage with a larger array of enabled devices. You hear that characterized today as the industrial internet of things, the IIoT, or even IoT spaces, which again, that whole landscape, that whole surface is growing exponentially. So, you have to be able to think about how to solve those issues not just for today, but for two, four, five years, and beyond because the OT proprietor is typically managing assets, hardware, and software that can span decades. It is not uncommon to disclose that an OT system is employing a version of XP still in the field. Most would scratch their heads, thinking that can’t be, but that reality is there. And, so as you’re designing solutions, you have to think about compatibility and your ability to support and work across legacy as well as greenspace environments.
OT and Cloud
DiPaolo: We’ve definitely seen those XP systems still hanging around in those types of environments, so that’s very insightful. Let’s pivot to newer technologies, specifically the cloud. We’re seeing an exponential increase, especially through COVID, of adoption of the cloud. And, with some of the organizations that we’re speaking to around OT environments, SCADA environments, and industrial environments, we’re seeing a lot of different responses to that where some of them can’t have this integration with the cloud at all, some of them are embracing it, some of them are in between. What is your feedback on integrating OT with your cloud strategy or just not integrating it at all? What are your thoughts there?
Peters: To think about a holistic solution for OT or even IT for that matter, you have to be able to consider how you’re going to adopt new technologies. That’s a reality. We talked about the appetite for data at the top of this conversation, and that’s certainly a top-of-mind consideration. OT environments are becoming more digitized through web-enabled sensors that collect that data through the use of cloud-based applications because, you know, it’s not all on-prem. There are a lot of expanded environments today, and we need to be able to collect all that intelligence, so organizations with operational processes that are digitizing their environments are using that sensor technology and now connecting through cloud-based applications. I think what’s really important is when you think about the digitization of your operational environment, the reality is you have data and apps that are moving back and forth between these different platforms.
At Fortinet, the thing that gets me excited is we’re working with a lot of partners to provide a very broad set of security offerings for any cloud. Again, you have to be agile in that space. So, we’re enabling organizations to design security in and to deploy any application anywhere. And, we do that while maintaining the same security level. So, if you want to break it down, there are about three main solutions set offerings. You have to be able to address the customer cloud security requirements that originate from unique cloud adoption initiatives. And, you’re always going to be addressing network security, application security, and platform security. So, there’s a lot on the mind and then you layer on top of that the fact that the attack surface is broadening and I need to be consistent in how I build trust in that environment. We always talk about earned trust for operational technology. That becomes another way of thinking in the solution space. So, we’re talking about cyber-physical processes going way beyond what we’ve witnessed historically. Network and application attacks have to be targeted with a resilient approach to defending the environment. So, a misconfiguration in the cloud should just be another event that we capitalize on and collect. It’s intelligence that’s actionable, and it allows us to pivot and correct those issues without having to see the environment shut down and, of course, coming back to safe and continuous operations, which aligns with that objective.
DHS Security Directive
DiPaolo: While we’re on this subject, one thing that we can’t ignore is recent events, one of those being the Colonial Pipeline ransomware attack. As an outcome of that, the Department of Homeland Security (DHS) has released a security directive associated with it. That obviously is focused on pipeline environments, but it says something about all OT environments. What does the DHS security directive mean for any organization that has an OT environment, and how do they need to respond?
Peters: Well, what we’re witnessed really over the past year is our new administration leaning pretty hard into the protection of industrial systems, industrial control systems, but it started all the way back with the 100-day plan that the Biden administration authored and they were really focusing on the electric system first. And, then, almost on the tail end of that you saw in May, the executive order come out, 14028, which was all about improving the nation’s cybersecurity comprehensively to include industrial control systems. And, then, right on the heels of that there was a national security memorandum (NSM), that characterized going beyond the electric system and amplified the need to be able to address protecting our pipeline operations, our Water and Wastewater treatment, and our Chemical production industries because they are volatile, and the attack vectors can cause significant issues, as it threatens the very customer that’s depending on that.
So, the pipeline industry didn’t have an equivalent to the North American Electric Reliability Corporation standard, otherwise known as NERC, which sets the cybersecurity requirements for power generation. So, I thought, what are we going to do in pipeline operations to insist that those who are managing those critical assets understand and have the ability to prove that they can accomplish effective and timely cybersecurity assessments and mitigation plans? Because it is about readiness. A demonstrated readiness. If you were to take a look at any of the frameworks that are out there, as you break them down, one of the areas that are very important is response and recovery. That suggests that you’re ready, you’ve tested, you’ve been in, and you’ve gone through a logical test and you’ve exercised the system. You’re ready for that event that you know is going to happen at some point in time if it hasn’t already, and that lets you then have a process in place that suggests we know how we’re going to recover, we understand the stability of our environment, and we understand the dependency on the IT enterprise and its impact on the OT situation.
In fact, Colonial Pipeline was a great illustration of the absolute value of a readiness and response strategy. They encountered a cyber adversarial event affecting their IT enterprise that prevented them from prosecuting business with clear insight relating to product delivery. As a preventive measure, they opted to shut down the pipeline to preserve the integrity of how they were accomplishing business. The good news is , they had a six-to-seven-day recovery plan. What they lacked was a clear communication strategy that would have helped alleviate some of the broad reactions you witnessed by the consumer. And the reality today, Brian, is our private sector, our national readership spans all of our citizens globally, so they read, digest, and react to what they’re seeing in open source. Now, I might say ignore that, pay attention to deconflicted intelligence, but obviously, that’s not going to be the step that every citizen takes because it’s easier to read the latest sensationalized story on the internet and then respond to it. In this particular case, we observed a large-scale consumer reaction. Up and down the east coast of North America, you had citizens rushing to the pump, and that created a crisis that unfortunately didn’t have to happen, but it became part of the successful attack campaign in this particular instance on an OT system collaterally.
DiPaolo: Thanks for the great recap, highlighting how with all of these industrial systems in different verticals, there are key risk analyses and controls that need to be put in place to protect those systems. I want to hit on one last question. You mentioned a couple of things during our discussion – looking at frameworks and doing a baseline to start, you talked about a strategy of how you adopt new technology, as well as even a communications strategy. With all those things considered, where I’m trying to attack this OT security problem, what is my first step, where do I start, and how do I prioritize that first step?
Peters: So, I’m going to pull a couple of threads here that I think will be important across the OT spectrum, so it’s not limited to one sub-sector vertical. And, I’d say it starts by knowing your own. By that, I mean what represents the most valuable targets or assets within your environment, because as we’re talking about a cyber-physical plant typically, there’s intellectual property some might characterize as their tradecraft, their secrets, crown jewels. However you want to characterize that, you have to maintain clear knowledge of where those assets reside and how they are protected because your adversary knows. They’ve been accomplishing collection, they’re performing reconnaissance, they’re mapping and figuring out where there are opportunities to exploit your environment. And, if they can then get on target, they may accomplish a long period of reconnaissance. In fact, SolarWinds is a great example of that. So, you’ve got to know your own first, make sure you understand your own business, what it is you’re trying to protect. And then, you take an ecosystem approach, and I’m kind of foot-stomping that one because you have to think comprehensively. You don’t want to get too stuck on a single point solution, but it is about building trust, what I characterize as earned trust. So, if we’re starting out, we’re going to insist on complete visibility on-prem and extended, which helps us recognize the dynamic nature of the connected environments.
So, that’s a really great first step, and I would say beyond that we have to be proactive in our strategy to defend our infrastructure, not reactive. So, we need to think inside out. By that I mean be committed to a strategy that accepts that my system, my infrastructure will be breached at some point. And, if I behave that way, then I can start to build a containment strategy with segmentation. I can go beyond that by leveraging behavioral analytics and actionable intelligence that allows me to keep my system current and allows the integrity of the environment to present something that’s a whole lot more resilient. You might say that sounds like cyber hygiene. Yeah, it is, it’s very practical, but we’re applying it in an environment that historically didn’t have to deal with as many of the challenges as IT, but in 2021 we’re wrestling with all of those spaces and so we have to accomplish all that again at the speed of business. We want our executive to understand that at any moment in time we understand the state of the environment, and any activity that’s going on that’s characterized as malicious or unknown is treated as such and can then be quarantined and neutralized. That allows us again to protect those critical assets and understand again how to protect those assets, which are absolute, those things that we’ll call intellectual property. Those are the areas that we just can’t allow any access to and so we have to be very proactive.
DiPaolo: Thank you very much, Rick.
Peters: I get very excited about what we’re accomplishing. As a collective community today, we’re kind of the coalition of the willing, we’re all working together to raise the bar to protect our critical infrastructure. And, the good news is our government is also very aware and behind it as well, so it’s kind of a perfect storm. A lot of energy is being directed at raising the bar. I believe in what we’re doing, and I believe as we look back, we’re going to realize that we’re applying a lot of lessons learned. We’ve been through a lot in the last couple of years. A global pandemic on top of all of that, of course, has created a concern. We’re taking these logical steps to apply lessons learned, and at the same time, really up the stakes of the game to protect our infrastructure.
For a full list of upcoming events, see our calendar