Cybersecurity success hinges on teamwork, collaboration
Cybersecurity successes in 2020 will depend on information technology (IT) and operations (OT) coming together and collaborating and working past their differences.
Looking at what security has to bring for the coming year in the manufacturing automation sector has plenty of positives where boards are becoming more involved, information technology (IT) and operations technology (OT) will work more closely together because of a shortage of skilled workers, and there will be greater level of accountability.
Of course, with positives, there are also negatives facing the industry like boards are becoming more involved, IT and OT will work more closely together because of a shortage of skilled workers, and there will be greater level of accountability.
That appears to be the security outlook for the coming year: More teamwork with a mandate to mesh all segments of an organization so boards can work with IT, which can work with OT and have the company thrive. That level of teamwork also means the stakes are high to succeed to the point where manufacturers will be able to fight off attacks and increase uptime and productivity.
“Cybersecurity of control systems has finally gotten the attention of the board,” said Eric Byres, chief executive at software security validation provider, aDolus. “Oil and gas, energy, chemicals, aerospace are starting to get the senior level awareness just like safety did years ago. I am starting to see board level people ask questions that they didn’t even care about before. Some senior level people even said they have funding for projects, but they don’t have the manpower. Funding is not the problem. The lack of skilled people is the problem.”
There has also been a change in what manufacturers are looking for in terms of security.
“We have noticed in the last year or so there is a push for deploying security tools and features as opposed to spending more time on assessments,” said John Cusimano, vice president of industrial cybersecurity at aeSolutions. “There is a push on ‘let’s do something.’ We have seen a big increase in demand for program management services. Everything from writing policies and procedures, all the governance activities where they have a good documented program. And of course, training everyone. In terms of training, we see training rolling out in phases, starting with general awareness training throughout the company, anybody that interacts with OT systems. Operators, production personnel, engineers. And then also more specialized and role-based training for unique roles.”
Attacks are occurring and becoming more apparent, but are they rising?
“I don’t think incidents are increasing. I think it is the people’s ability see incidents occurring which is making the reporting come out,” said Joel Langill, director of ICS Cyber Security Services at AECOM – Management Services. “When I went in and did an energy company investigation, I found indicators and then I did some work with a different client in the same area and I found indicators on a network where there should not be any public traffic. When I was giving a briefing on the two different investigations, I noticed the indicators were the same. They were Russian.”
“I think what is clear is the attacks we’ve seen in the past are going to be more sophisticated, and that is a given,” said Leo Simonovich, vice president and global head of industrial cyber and digital security at Siemens. “The story that is not being told is the preparedness is not ready to deal with those attacks. The challenge the energy industry is facing is the gap between the readiness levels and the increase in attacks is widening. And that is problematic. In a Ponemon study sponsored by Siemens, we found only 42% of respondents said they were prepared to deal with the changing threat environment. That means 58% are not prepared. Energy companies expect at least one attack that could have operational or safety consequences, but yet they are not able to respond. Preparedness is as much about visibility and understanding how secure you are as it is to understand what is in your environment and what the plans should look like to respond against threats.”
IT and OT working together
Being able to respond to threats and attacks means having the right people on board that not only understand security, but also understand the complex OT environment. That only points to the direction IT and OT coming together.
“I did an analysis and key security officers are now not having security ending at the plant floor firewall,” Byres said. “We are starting to see OT security is falling under a cybersecurity czar. The bad guys attack by any means they can, they don’t care if it is OT or IT. You have to have security coordinating OT and IT and you have to have somebody that says ‘I am responsible for keeping this company secure.’ I am starting to see more and more there is somebody reporting to the board that is responsible for cybersecurity for all operations. Physical security should be in the same group as well. A security czar should manage everything on what is being posted on a site and going out to the world along with the locks you are putting on the doors.”
There may be forms of IT and OT working together, but it doesn’t mean it always works.
“The IT/OT divide is still there,” Cusimano said. “It is improving and that is a big focus of our services through our CyberPHA process which is designed to bring together, IT, OT operations, and engineering personnel together to address and work on improving industrial cybersecurity together as a team. I am seeing more a mix of IT and OT personnel. The relationship is being forced by executives as boards of directors become more aware of the risks in OT security. Typically they mandate the company address the issue and most of the time they will lean on the IT department. The CEO will go to the CIO and ask ‘what are we doing about OT security?’ Traditionally the CIO would say I don’t know, it is not my responsibility. Now, they have to do something. In an ideal world, a CIO will reach out to operations and the engineering folks and work collaboratively with them. If the CIO recognizes IT doesn’t really understand production networks and OT systems, they would ideally work together. I have seen a variety of situations where it can become a collaborative process and other times the CIO is heavy-handed and they will say I don’t’ care what operations and OT personnel think, I have my orders from the CEO. There are pitfalls to that approach.”
In the new era of manufacturing, a connected world will bring more people together.
“I think the way it will evolve is IT and OT will become a lot smarter,” Simonovich said. “It is not about the ability to connect devices because security will become much more of a concern. In the IoT implementation, security will become more of a variable. We have seen the excitement to get going, but it slowed down because of a lack of security. Now we are seeing a pick-up in digitalization programs where security becomes a fundamental element or a pillar of how digitalization is run.”
On the other hand, Langill has a harder edge to the idea of IT-OT convergence.
“Every OT systems I have been exposed to will never allow anybody that is not qualified on that system to touch it,” he said. “I think people have now finally realized IT and OT are different. They are inherently different at the attack level. The idea is the attack characteristics are different.”