On this week’s episode of the SecurityIntelligence podcast, intrepid co-hosts Pam Cobb and David Moulton are joined by operational technology (OT) security experts Rob Dyson and Anshul Garg for a brainstorming session to help organizations devise a winning strategy to boost operational technology security.
Bridge the Gap Between Physical and Connected Controls
According to Dyson, the term OT security is “not a shared terminology across all spaces.” Garg notes that while other terms such as industrial control systems (ICS) and supervisory control and data acquisition (SCADA) are often used interchangeably with operational technology security, the increasing number of connected legacy systems — think black screens with green font — makes operational technology security the “prototerm” for this emerging IT attack scenario.
As Dyson points out, companies have contingency plans for power outages and other physical process interruptions but lack the ability to quickly remediate OT incidents, despite the potential for real-world damage.
“It’s not just one industry,” Garg says. “Energy and utilities are being impacted, healthcare life sciences, chemical and petroleum, industrial products, automotive, manufacturing, electronics, building system and consumer products” are all affected.
Put simply, while companies are great at keeping the lights on, they struggle to bridge the security gap between physical systems and connected controls.
The Elements of a Successful OT Security Strategy
Legacy controllers and new ICS systems pose a risk because they link network access with physical operations. As a result, when security incidents occur, companies sometimes take drastic action. Dyson recalls one case in which an organization that was under attack “decided to just disconnect from the network,” effectively creating its own distributed denial-of-service (DDoS) attack to solve the problem. That’s not exactly ideal.
Dyson suggests three key areas of improvement:
- Security and event monitoring
- Access controls
- Identification and classification of data
According to Garg, 74 percent of companies have not conducted an OT risk assessment, 67 percent do not monitor their OT network 24/7 and 81 percent have no OT-specific response plans in place.
But it’s not all bad news: Emerging standards such as IEC-62443 and NERC CIP are helping companies identify and mitigate key areas of risk. And as Garg points out, companies are getting better at working together: “They’re picking the brains of peers and seeing how they can collaborate more.” Dyson, meanwhile, notes that both the U.S. Department of Homeland Security (DHS) and Department of Energy (DOE) are “really big on this information sharing.”
Lacking OT security is a losing proposition for organizations. Winning strategies must leverage monitoring, access and data handling solutions to come out ahead.
David: So, Pam, I know you asked this question of our guests for this episode, but I’m curious, why do you think OT security is just now coming to the forefront?
Pam: I think a lot of it has to do with the onslaught from popular media about how hackers are going to take us all down and return us to an apocalyptic state. But I also think as part of just a business practice, there are so many companies with older embedded industrial technologies as they are adopting new technologies and moving things through the cloud, they’re realizing, “Oh no, these wires are all connected.” This is an ecosystem of IT here in our business. And it’s not a little system island that maybe they had before.
David: So Pam, for those who are listening, how would you define OT security?
Pam: I mean it’s not off-topic security, which maybe could be our podcast name, but it does mean Operational Technology. So those legacy systems that we inherited that run with like green font on a black screen and they are kind of the backbone of a lot of infrastructure systems. So electric utilities, manufacturing, things like that.
David: Right. So some of the big stories that I’ve seen tie OT to safety issues where, you know, if your OT is compromised, it ends up being a problem because you can’t get power to your hospital or your safety systems are turned off. I think that might be a big reason that people are starting to pay attention to it. It’s connecting that cyber world to the real world.
Pam: Yes. There are a lot of IRL as the kids say…
Pam: …realities. Yeah. A lot of good IRL impacts. So it is definitely a safety concern. When you even think back to one of the earliest OT-related attacks of Stuxnet — like some deep pull from the hacker archives — where you know, a power plant was impacted with potential, you know, far-ranging repercussions based on that attack. That’s what we’re seeing. It’s a physical manifestation of impact based on a cyber attack is the real problem here.
Pam: This is the Security Intelligence podcast where we discuss cybersecurity industry analysis, tips, and success stories. I’m Pam Cobb.
David: And I’m David Moulton.
Pam: In this episode, I spoke with two of my colleagues, Anshul Garg and Rob Dyson. Anshul and Rob spoke with me about the risks inherent with industrial environments including implications for personal safety, the environment, and how organizations can make strides towards a more advanced industrial security. Here’s our conversation.
Pam: Why don’t you gentlemen introduce yourselves? Rob, let’s start with you. What’s your background and your current role at IBM?
Rob: Hi, my name is Rob Dyson and I’ve got a global role here, you know, within the security services organization in IBM. I’ve been working in the area of security for well over 20 years now. And my current focus is on OT security services.
Pam: And Anshul, what about you?
Anshul: Hey, Pam, thanks for having me. I’m Anshul Garg. I’ve been in the security business for about 10 years. I’ve been in product marketing and product management. Right now I’m working as the product marketing manager for IBM security services, looking at OT security among other things.
Pam: So Rob, what is even OT security and do we even have a market definition of what that is?
Rob: Yeah, well, that’s a great question, you know, because OT security is something that today is not a shared terminology across all spaces. And we call it OT security. And that is something you hear in the field quite often because it stands for operational technologies or the types of things that exist in industrial environments but you know, that’s often termed industrial control system security as a process control devices. There’s lots of different terms that are used out in the field. But I think what’s the trend is, is starting to become classified as OT.
Anshul: Yeah. And I would agree with what Rob just said because we did some analysis on what people are searching for and what terminology the industry is searching for. And people use the term ICS Security, SCADA Security and OT security interchangeably. But based on our discussions with analysts and some of the market leaders, we understand that OT security is the proper term to talk about this particular scenario here.
Pam: So when I think of operational technology, I think a lot of older technologies and things that weren’t necessarily meant to be connected to the internet. So what are some of those risks at these industrial environments, Rob?
Rob: Well, yeah. So we’re truly talking about, you know, industrial environments, many of which are critical infrastructure. So, you know, these are environments that produce things that keep our economies going every day, whether it’s our electricity, water or manufacturing of oil and gas or other devices. But these environments are, you know, very dangerous. So there’s a big safety focus. And that’s probably the biggest priority you have in an OT environment is that everybody is worried about safety and it’s regulated even.
And beyond that, you know, the big focus is on the process availability and making sure that there’s lots of integrity in that process because you wanna make sure that the goods that are being produced are of the highest quality so that you got, you know, low error rates and so on and so forth. So very different than corporate IT.
Pam: So are these industrial companies prepared with OT-specific security policies and do they even have dedicated resources?
Anshul: Oh, well that’s a great question, Pam. What we did was we looked at some of the research that Bloor Research had done and looked at some of the data points around that. And it was interesting what they came out with. They’d actually interviewed about 317 industrial organizations. And what they found out from the assessment was, well, not earth-shattering but yes, it can be that a lot of organizations are not prepared. Seventy-four percent did not have an OT risk assessment done. Seventy-eight percent did not have OT specific cybersecurity policies. Sixty-seven percent of these organizations were not monitoring their OT network around the clock. And the most important thing, 81 percent did not have an OT-specific incident response plan.
Now, when you keep in mind that these organizations are being attacked a lot, on the verge of being targeted by nation state actors, an incident response plan is critical. And 81 percent did not have it. So yes, they are not prepared to deal with this scenario.
Pam: So, Anshul, you talked about the OT security response plan. And I know from my previous history in the utility industry that there are response plans for non-IT-related incidents. So wouldn’t those things overlap and be covered?
Anshul: Rob, you wanna talk more about that, please?
Rob: Yeah. So what we’re talking about here is the response to a cybersecurity incident that doesn’t exist in these environments. So I think from a production perspective, again, around safety and product availability and so on. You know, these companies do have response plans to that, right? So if there’s, and in your case, say an electrical outage, yes, there is a response plan for that because they need to get that electricity to the consumer as quick as possible. But what they don’t have is the ability to respond to a cybersecurity incident.
So it’s more of what happens when somebody is in there and they’re messing with the environment and now they cause the environment to behave different than it’s supposed to. And how do they triage that and get some sort of quick remediation? They are just not prepared to do that today.
Pam: Gotcha. So, well the implications are still a power outage for example. There may be additional implications in terms of network cleanup. So what exactly is at stake beyond just some of the operational considerations? Things like revenue or even safety?
Rob: Well, you hit on the big one. There’s safety implications, right? So, you know, it kind of goes back to the question on why would nation-states, terrorist organizations want to attack these environments? Well, one is the impact that they can get is a lot more visible than what they can get from a corporate IT cyberattack. For instance, they can break an outage with safety systems and cause people to get hurt or killed.
And they can also shut down the process, which not only does, you know, impact or the revenue stream because there they are now not getting the product out and we’re talking about large quantities at one time. So it could be millions of dollars, you know, within an hour of loss. But in addition to that, some of these environments are dealing with a lot of chemicals, petroleum, and things that could have environmental impacts as well.
So you can see there’s a lot of good reason that these environments need to be protected. On the flip side, there’s a good reason why there’s a lot of interest from the threat actors in the world to cause problems in this environment.
Pam: So when we’re looking at the threats to these types of, you know, OT security environments, what does that framework look like compared to other IT security frameworks? And really, what are those complexities that get layered in and makes them unique?
Rob: Well, the real difference you have here is that these environments are highly technical. So the different security frameworks you have that are coming out now like the IEC-62443, and it’s an example, NERC CIP, you know, things like that. You know, they’re really focused on, you know, the technical elements of these processes and how would you put controls in the right places in order to manage the particular risk.
If you think about the corporate IT side, you know, people will fall back to, you know, ISO 27002, let’s say, as a management guideline, you know, and F-14 domains and so on. But in the industrial environments, you’re finding that the new regulations and the new standards that are coming out are a lot more prescriptive in a sense that they are giving guidelines that are a lot more technical.
Pam: So we’ve been talking about industrial companies, which is kind of a broad category. So I’m curious if there’s any sectors within that that are really making strides toward some of these best practices and setting an example.
Anshul: What I’ve seen is like the industries that are being affected, like you mentioned, it’s not just one industry. Energy and utilities are being impacted, healthcare and life sciences, chemical and petroleum, industrial products, automotive manufacturing, electronics, the building system, consumer products. So there are a lot of industries that are being impacted by this.
I think people have started to recognize this and have started taking action. In my opinion, I’ve seen a lot of energy and utilities and chemical and petroleum companies that recognize this problem and take active steps. And that’s because again, because of the technicalities of these environments.
And Rob, I’d just be curious to get your point of view as well as to what you’re seeing in the field on this.
Rob: I mean, I think the only thing I could add is where I see, you know, some of the leaders have been certain companies in the energy and utilities market. And the others might be chemicals and petroleum. You know, I’ve seen a few companies, we’ve actually performed services for a few companies that are definitely leading the way because they realize, you know, the overall impact and they’re starting to make those investments.
Pam: So why do you all think that OT security is sort of just now coming to the forefront?
Rob: Well, I mean that’s really based on the fact that in the industrial environments there’s been a big push, which we call the digital transformation. And the reason for this is that it’s time for companies to do more with less, optimize their environments. And they’re doing that with new technologies, new techniques, which all involve really more connectivity across the various different client plant or site locations. They want to gather more data for analytics so they can optimize those environments, do more automatically without people. And so this is making those environments more visible to the outside world. And by doing that, it makes them also more vulnerable to the outside world. So now, because of this trend of digital transformation, it’s time for them to focus on securing these environments.
Pam: So it doesn’t feel like practical advice is to unplug everything. So what kind of recommendations do you actually have for industrial companies that are trying to take this next step towards better security?
Rob: Yeah, you know, it’s funny you say “unplug everything” because that’s exactly what happened recently when there was a big cyberattack on a company, they decided to just disconnect from the network. So in a sense, they create their own denial of service attack on themselves by remediation that way. So that’s definitely not a good technique.
I think, you know, what everybody is doing right now is they’re trying to figure out, “Well, how can I at least put security on the agenda?” I think the best companies now, they really realize they got to – you just start from the basics, right? And one of those basics which would be, you know, “Let’s slow down, let’s get a good security strategy in place. Let’s take a look and find out what your environment really is.”
Get some good visibility and accountability for all your devices and then determine what’s most critical and start prioritizing that and putting good security controls around those. And that probably will take them on a journey that will cover three primary areas.
One is the whole thing about monitoring your security or monitoring your environment for cybersecurity events. And the other would be putting in access controls to monitor access because these environments usually have lots of third parties, contractors and vendors and so forth working in them. And so you wanna control the access to that and also bring visibility to who’s doing what. And the third area would be to identify and classify the data that’s in these environments so that you can put the appropriate security controls in place around that data.
Pam: One of the things that we talk about here at IBM a lot is collaboration and the benefit of working together. And I’m curious if you’ve seen any of these industries come together in organizations like ISACs and share best practices or what are they doing to get the word out and connect with their peers?
Anshul: Yeah, that’s a very interesting question. And of late, we’ve seen a lot, in fact, happening on social channels where organizations are sharing their concerns. They’re picking the brains of their peers and seeing how they can collaborate more. And there are lots of technical blogs that have been written on this topic and a lot of collaboration that has been happening within the industry. So yes, the industry has started to recognize this and there’s a lot of collaboration that’s happening within the teams within the various organizations to make sure they can help each other.
And Rob, I’ll be curious to get your point of view as well as to what would be your thoughts on this?
Rob: Well, I mean, one that comes to mind is, you know, there is the energy or electricity ISAC, right? So, you know, if you look at the organizations like NERC and FERC, you know, they’re really big on this information sharing. And you know, within the United States, especially Homeland Security is really big on information sharing, as well as the Department of Energy. You know, they’re really big on making sure that they’re keeping all the vendors informed and other, you know, electricity providers and so forth informed. So yes, there is a really big push around what we call critical infrastructure, which actually is somewhat of a platform for OT security.
Pam: Great. So where do you all see the state of OT security in the near future? Maybe six months to a year from now?
Rob: You know, companies are taking this serious. So a year ago, a lot of companies really did not have a budget for this. And so they’re scrambling today to figure out, “Well, you know, what should I budget?” You know, “What’s the plan? What kind of strategy should I have?”
And so if I look out another six months to a year, you know, I think that you know, most companies will be starting that journey in order to develop a good security program, at least the baseline, you know, that they can build upon. And you know, and I think a year from now, you know, most companies will have at least, you know, some sort of a strategy that they can start down that path.
David: Pam, you referenced working for a utility company in the interview. Any particularly fond memories that come to the surface?
Pam: I have several to pull from. I think the one most appropriate in the context of this interview — but if you bought me a drink at a bar, I would probably share the others — the most appropriate one is probably the time I was 23 and in a professional development program with a large electric utility and was sent with many other 23-year-olds to go learn how to run a power plant. And I just think, gosh, we don’t necessarily make good decisions at age 23 and maybe why would we wanna entrust not?
Now, I will say we were in a very safe environment. It was, you know, a training center, but like, “Oh you push this button and turn this knob.” And I mean, a lot of process documentation. And think about how influential you are in your youth without the experience of many years in the cybersecurity industry and dumb things like losing your badge and someone could use that to get in and take your place and imitate you in the power plant. Or like what happens if I push this button instead? And like that’s not a hacker. That’s just, maybe not brightness. But yeah, that was interesting. Like a group of six of us looking around like we could totally make this go nuclear.
Pam: It was an interesting time in my life.
So let’s turn the tables a bit, David. Let’s talk about maybe some uplifting news. What have you heard recently, fun and uplifting and exciting out there in the cyber world?
David: Well, there’s been a couple of things. One of the stories that came across about a month ago for me, was a West Virginia professor who won a half a million dollar grant to continue working on cybersecurity techniques. And I believe the professor’s name is Yanfang Ye. And I thought that was an incredible thing that the work that she’s doing was noted and that this grant will fund her research for the next five years. So congratulations to her and her team for that.
Another story that I came across that I really thought was worth noting was the work that’s going on in North Dakota. And I think I saw something like this a while back in Michigan too, but it was this idea of providing cybersecurity for the entire state, so different state-level organizations, but centralizing it because budgets are so stretched or nonexistent, you know, for a small town or a school or a library. And I thought the idea of thinking about security as a team sport, state to state, is an interesting approach and one that I would like to keep an eye on and see how that goes.
Pam: Sports ball. Interstate sports ball.
Well, that’s gonna be it for this episode. Thanks to Anshul Garg and Rob Dyson for joining us as guests.
David: Listen to this podcast on Apple Podcasts or wherever you get your podcasts. We want your feedback. Leave us a review on Apple Podcasts or comment on our SoundCloud page.