Listen to our online panel discussion, where we joined forces with Ports of Auckland, Vector and other IoT/OT security experts to discuss how to ensure cyber resilience and production uptime in the face of limited staff availability.

During this critical time, it has never been more important to ensure the continuous operation of your IoT/OT networks and facilities. This webinar covers how to:

  • Secure your critical networks from adversaries during periods of higher risk
  • Accelerate incident response by leveraging automated workflows (SIEMs, SOAR, firewalls, NAC, etc.)
  • Meet customer demand for essential goods

Our Panel of Experts

Stephen Kraemer, CISO, Ports of Auckland
Aaron McKeown, CISO, Vector Ltd

Webinar Transcript

Phil Neray

Good morning and good afternoon, everyone. Welcome to our webinar, Ask the CISOs. We’re going to be talking about IoT/OT cyber resilience. I’m very happy to have with us today two CISOs – Aaron McKeown from Vector, an energy company in New Zealand, and Stephen Kraemer from Ports of Auckland. My name is Phil Neray, and I’m the VP of IoT and Industrial Cybersecurity at CyberX.

Just to say a few words about our panelists today… Aaron, as I said, is the CISO at Vector. He’s had a number of roles in security, including Head of Security, Engineering and Architecture in past roles. He has a bachelor’s in information science from University of Newcastle, and also certifications from AWS.

Stephen is the CISO at Ports of Auckland. Before that, he was the CISO at HealthAlliance and has had various roles, including having started in the Antarctic in the nineties as a master’s in computer information systems. He is currently working on a doctorate in cybersecurity and insurance from Colorado Technical University and is a CISSP and CCSP.

Thank you both for joining us today. We have some interesting questions that we’ll be talking about, and the goal is to make this an informal conversation. We have no PowerPoint slides, except for the few that I’m showing you now. And for those of you in the audience, I encourage you to ask questions through the chat window. Let me start with this question: how do you bridge the gap between OT and IT? We’ve seen for many years that the two groups were quite separate, and with a convergence of OT and IT and the need for stronger security, we’re having more conversations between the two groups and they need to work together more. Stephen, do you want to start by letting us know what are your thoughts on this topic, please?

Stephen Kraemer

Sure, absolutely. Thank you, Phil. It’ll be interesting, because I think Aaron will come from a little bit of a different aspect on this, but for Ports of Auckland – firstly, for Ports of Auckland, who are really just on the cusp of adopting automation and making operational technology a real discussion of convergence – it’s kind of picking up the conversation with the OT folks in terms of other convergence technology sort of connects and unfolds from ground zero. And so we know traditionally that the skillsets and the mindsets and even the way that the operational technology is managed on the OT side is significantly different than that on the IT side. On the IT side, things move fairly quickly. Things are pushed out. 80-20 rule, largely operational. We’ll fix the rest of it as we go, but we need to get it out there and start making it productive, gain those efficiencies, start making money off of that, and all of those types of business pressures.

But on the OT side, the demands of the infrastructure are quite specific, and the tolerances are very low for information that’s not flowing properly to the right place at the right time. And so it creates a real divergence in mentalities. And so, when it comes to cybersecurity, we like to talk about on the OT side, the only thing that the OT people are really concerned about on a day-to-day basis is availability. They need the ones and zeros and the information and the signals to be flowing to the equipment so that it can do its thing, and it has to happen in real time.

On the IT side, it’s more about the confidentiality and the integrity of the information. We don’t want our information shared. We need our information to be accurate when we’re doing finances and that sort of thing. And so it’s not that these principles don’t apply to the other side, but they start from different ends of the spectrum and that does create that gap. So the approach from a cybersecurity side, which traditionally has its roots in CIT, needs to take a different perspective and needs to address those people on the OT side with that learn perspective to try to bring them along on a journey that, in many regards, CISOs themselves are just getting their heads around.

Phil Neray

Aaron, what are your thoughts?

Aaron McKeown

Yeah, I don’t really see the gap in that sort of way. I suppose mainly from the perspective of – I’m coming from a heavily cloud-focused experience of late, and I sort of see this as the same sort of gap between infrastructure and cloud that I’ve experienced over the last six or so years. And really, when I thought about that and I thought about this question, I really think about risk and really the cloud sort of adage, which is the one of shared responsibility. And realistically, it’s a shared responsibility between OT and IT, and that’s how we tend to approach things. What that really means is that between the OT and IT teams, they share the responsibility of the risk, the management of the risk, and the implementation of the mitigation for those risks.

And so those teams really have to work together to actually address those sorts of shared responsibilities. And the way I see that is that, for example, at Vector, we have cybersecurity architecture and data teams. Those teams work very, very closely with our business units. And those business units are the units that operate the OT platforms. And so every project we kick off, we see those cyber data and architecture teams working very, very closely with the part of the business that operates the OT systems. And so that builds a shared investment and a shared responsibility. So that’s how we’ve been able to bridge that gap. But then there’s another point which is important, which is the technical gap. And I suppose what I mean there is the view of operating two independent platforms, and where we’ve been able to bridge that technical gap is by having a unified security operations center where we’re able to take feeds from both our OT and IT platforms, add some sort of threat intelligence, and then have that unified view for the entire business. So, that’s how we’ve sort of thought about it and how I’m thinking about it myself personally.

Phil Neray

So that makes a lot of sense. Now what did you have to do in your security operations center to get your analysts to understand what a PLC is, or what a PLC stop command looks like and how that’s different than what they might be used to?

Aaron McKeown

Well, I guess that’s really down to that entire sort of cooperation and handover process. But most importantly, it’s really about them not necessarily understanding what a PLC should do, but what a PLC shouldn’t be doing is probably more the important thing that they should be understanding. Anomaly detection platforms are a very, very important part of our entire security operations center capability, so it’s really about developing runbooks and having the security operations analysts knowing what to do when certain things happen inside the environment.

So, without having runbooks and regular processes and all those sorts of things, we wouldn’t be able to operate the way we are. But those runbooks can’t just be created by IT security operations people, they need to be created in consultation with the business during the project lifecycle before things are handed over.

Phil Neray

Got it. Stephen, what are your thoughts on that part of things? Here we’re talking more about getting IT security people to understand not just what you were talking about before, about the safety and availability being more important on the OT side, but more about if you can’t patch these systems every day, you can’t reboot them every day, it’s a different world. How have you addressed that part of things?

Stephen Kraemer

Yeah, definitely. And that kind of correlates with what I was saying, and I think to Aaron’s point as well, Vector has probably been running OT systems as part of its core business for an awful long time, whereas for Ports of Auckland this is really relatively something new, which is why I laid the initial groundwork that I did, but we’re ending up in the same place. And so, when we talk about unified security, we have a cybersecurity operations center that cuts across the entire organization, and we incorporate all of the tools that are necessary to monitor and detect and to prevent all of those things that are happening across the enterprise. But that’s not to say that there are differences, and when it comes to some of those differences, there are some educational pieces that need to happen in terms of, for example, we’re at the stage in our maturity where during an incident we’re not going to get the same reaction from the OT side. We’re not going to have the same understanding from the personnel who are involved as you would get from a traditional corporate IT incident response. However, this still needs to happen, and so you have to have ways that you work through that. And I think this is what Aaron was alluding to – you’ve got to have runbooks and playbooks that, in this example of an incident, help guide you through all the conversations, the people, the steps, and the things that you need to do to capture what’s going on with that incident all the way through the stack and make some sense out of it and be able to respond. And that’s a real education process, especially for the people on the OT side. They’re not dummies. They get it. But convincing them that this actually needs to happen is probably the real conversation.

Phil Neray

Yeah. So, how do you do that? Because it relates to our next question, which is how do you educate them about security? How do you tell them, dual homing your desktop to go into the OT network and the IT network at the same time isn’t a good idea? Or buying a router at the local electronics store and plugging it in isn’t a good idea? How do you handle that part?

Stephen Kraemer

Well, there’s a couple of techniques. One is do it before they figure it out. The other one is never waste a good crisis. But once you get past those two and you make as much ground as you can, the real issue is that – and I think it goes back to something Aaron said – it’s getting that side of the business to appreciate what it is that you’re actually trying to achieve and that you’re trying to protect that investment, that the risks are genuine, but they do happen, which is what I mean when I referred to never waste a good crisis, and that if we don’t do anything, then the worst case scenario is going to happen. And I think reasonable people will accept reasonable arguments. So I believe that if you present it the right way and work at it and have a couple of incidents and a few other things to help you along, it starts coming together. It doesn’t hurt to have the executives understanding it as well, let’s put it that way.

Phil Neray

Well, actually it brings up another point about top down versus bottoms up. But let’s go to Aaron for a second. What are your thoughts on this question? How do you educate OT people and raise awareness?

Aaron McKeown

I think there are a couple of ways. The first one is sort of what Stephen was talking about – communication and engagement is critical to the education process. So, like I was talking about – our different teams, architecture, cyber data, engaging with OT – there has to be highly engaged communication in the entire process, both through project and operational work. And that’s really a facilitator for education, communication, and engagement. It facilitates regular repeatability of process and understanding of why things are being done and why questions are being asked and that sort of thing. That leads into my next point, and something we do at Vector a lot are internal and external security risk reviews as part of project activities or operationally. And those risk reviews are executed against internal and external standards. What we do during that risk review process is we work with the business, the OT teams to perform those risk reviews, but the important part is after the review is completed, we sit down with the stakeholders and we step through the results and we help them to understand why we’ve got the result that we’ve got, and we start to work on how we’re going to plan the mitigations for whatever that’s been picked up. And that’s another way we can educate different parts of the business – OT, for example, about the risks that are being introduced. And I guess two other things… one is when we have formal training or informal training going on, whatever topic it is, security is security, and we try and get as many people to that training as possible because you can always learn something. And then the last thing is it’s really important for both IT and OT to participate in community forums and sessions and different interest groups and all those sorts of things. Because you always learn something from your peers or your colleagues or from other peers inside our own industry. And that’s really good and important for the education process as well.

Phil Neray

That’s great. Let’s talk about this bottoms up versus top down. It’s probably not an either or, but how did you get your peers on the management team to understand what you’re trying to do in shoring up security on the OT side to get them to go along with it, to get them to tell their teams that they should be cooperating with your teams? What did you find to work in that area of things, Aaron?

Aaron McKeown

Again, I think it’s about communication of risk. So, I’m big into the idea of taking emerging risks, threat vulnerability information from our partners and then passing that to my colleagues or passing that to the executive teams, the board, etc., and then translating those risks, vulnerabilities and threat information into scenarios that could affect Vector. Or I’m really into the idea of taking information that we get from some of these special interest groups and looking at it and saying, okay, this has happened in this side of this organization. Now how can we protect ourselves or mitigate against that same scenario? Because that really allows people to think about these things in a certain context and gives them some relatability, I suppose. So if you make these things relatable to their job or to their part of the business, it really helps send that message a lot faster and send that message in a lot clearer manner.

Phil Neray

Got it. Stephen, what are your thoughts?

Stephen Kraemer

I had a little bit of a unique opportunity coming into Ports of Auckland – not completely unique, probably some manufacturing organizations, logistical organizations would come across this – but operational technology at Ports of Auckland was largely air-gapped when I first got there, with some exceptions. It was quite legacy, but what Ports is doing is they’re automating the port. We’re about 90% of our way through the first phase of that automation, and therefore, we had an opportunity to sit down and actually think through what we wanted the architecture to look like and get people on board and start discussing how that was actually going to map out. So, on the technology side, I think we fared fairly well. And I think Aaron can agree with this, it wouldn’t be usual to be able to go in and just set up your boundaries and your OT architecture from scratch. But that’s really the opportunity that we had.

Having said that, then I revert back to some of the things I said earlier where there’s a steep training curve to bring people on board. So, the technology piece kind of happened. It was an easier conversation because we could integrate it with the project. Bringing the organization on board took a lot of discussions with the executive team to get them across the line to really understand these differences that needed to be bridged, and they’re intelligent people. Once they got it, once they understood all of the risks, and we’ve talked about many of them, then they started to recognize that the project itself wasn’t merely a technology project – it was a change to the culture that ran really deep and that things needed to happen. And those things are happening now. So, we’re coming up on the top side of that. But yeah, it’s been a real journey. But definitely getting them to understand the risk of bridging those gaps, especially in the case of Ports, where you’re bringing this new thing together, is critical. But really the principle plays out for Aaron and everybody else as well. It just had to happen really, really quickly at Ports of Auckland.

Phil Neray

Well, it sounds like you also had a business-led initiative to automate and build what I guess you would call a smart port, to get more revenue, more efficiency out of the port. So there was a business driver to add this automation, and the team had the foresight to get you involved from the beginning and make sure there was security to secure this new technology.

Stephen Kraemer

Yeah, that’s right. When the project was still nascent and it was just a few people down in a corner office in the basement of the building, the executive team made the decision to go out and do things correctly and bring a security professional into the organization to help them sort that out. And I don’t want to get ahead of ourselves, but they have big plans that go well beyond the automation when we start looking at supply chain. And we started looking at cloud and we start looking at edge and we start looking at IoT and all of those things that I think are probably going to come up at some point in the discussion here.

Phil Neray

Yeah. So, I skipped over one of the questions, because I wanted to talk about cloud. I mean, sometimes when you’re in conversations with folks from the OT side, and you just mentioned the word cloud, it creates a very visceral reaction. “Oh no, we can’t go to the cloud. The cloud is not secure.” Aaron, I think you have some thoughts on that. Tell us what your thoughts are on cloud and security in general, but OT security in particular.

Aaron McKeown

Yeah. As Stephen was saying, he was talking about air-gapping, and I guess from my view, the traditional approach to OT security is this whole security via obscurity sort of view. I suppose everyone can agree with that. And once you start using cloud, there’s no more obscurity. So, I guess cloud to me is we could easily swap the word cloud with new and emerging technologies, because I put things like serverless computing, containerization, and cloud all in the same bucket of how is one of those technologies affecting OT security. Because it’s just not conversations about cloud, it’s conversations about containerization and serverless computing and all sorts of things, edge, etc. that we’re having at the moment.

But I guess what I’m seeing is I’m seeing pushes from multiple people inside the business, multiple vendor partners, multiple industry contacts pushing for various parts of our OT systems to be affected by these new technologies, if not from a remote access perspective, a monitoring and management perspective, etc. And my personal experience is that yeah, the cloud is generally described as not secure, but it can be made secure. You’ve just got to get back to the same principles that were being used when people were starting to move into the cloud. You’ve really got to look at the key areas such as identity and access management, authorization, defense in depth. You’ve got to look at things like whether you’re adhering to best practice and you’ve got good anomaly detection platforms in place, monitoring management, these sorts of things. You have to essentially double down on all those sorts of things once you start introducing cloud or new technology areas. But you need to do it in a controlled sort of manner. So realistically, what you’re doing is you’re spreading the risks that are currently being exhibited in those areas over to your OT environment. And you need to just do it in a well understood and controlled way that allows you to start putting that layer of security mitigation techniques into your environment. It’s critically important.

Phil Neray

That’s great. And Stephen, where does cloud fit in for Ports of Auckland?

Stephen Kraemer

Well, cloud is already there. So, technically speaking, you can go from a cloud service provider and use a lot of the main services that other folks would use, and in some way, shape, or form, there’s connectivity. You can work it out right down to level zero, somewhere in a PLC sitting on a crane or straddle somewhere. And so, really Aaron summed it up very nicely that you’ve got to have those things in place that prevent those two systems from directly talking to each other except where you’ve prescribed it, and that has to be tightly controlled. So, there’s a whole set of things that need to be architected into the system and behaviors and ways of operating that need to be developed so that you can do that.

From a Ports of Auckland perspective, we’re looking at Industry 4.0-type technologies to incorporate into supply chain 4.0 approach. We have inland ports, downstream/upstream customers, and we want to tap into that and understand those behaviors and those things that those people are doing. And that’s going to drive a technology convergence and development that’s going to start using IoT and edge computing and a lot of the technologies that Aaron was mentioning. You’re going to have Microsystems and Kubernetes and all of those types of things that are already out there. That isn’t all perfectly glued together and everybody hasn’t figured it out, but they’ve got to be ready for it. So we’re starting to make the bed for that and thinking about that and what that means, because it is coming and we’re going to be a part of it and we see that there’s a lot of value in doing that. So yeah, that might be a good starter.

Phil Neray

That makes sense. And how about cloud as a security platform? This concept that you may have heard of called XDR, where you’re gathering information from many different sources of telemetry, the network layer, the endpoint layer, your firewalls, putting them in some big data lake in the cloud, and applying analytics to it as a more effective way to correlate across different attacks, identify the source of attacks, and mitigate attacks. Aaron, what are your thoughts on cloud for security specifically as a way to do a better job with security?

Aaron McKeown

Ultimately what the cloud brings to that type of scenario is it brings scalability, stability, and those sorts of infrastructure-style things to that scenario. But what it also brings is the ability to interconnect through APIs, all of these discrete security platforms that you described, some OT platforms, endpoint server, threat intelligence, etc. And I, for one, think those systems are incredibly important to comprehensively see all the indicators of compromise that are affecting the organization or could possibly affect the organization. So as far as we’re concerned, we’ve spent the last two or so years building this unified security operations capability that does take all of those sources and feeds from different points of our business. And then that information is enhanced with external threat intelligence information and put into a data lake so that we can start building anomaly detection platforms, because what is really important is having that universal visibility but also that defense mechanism so that we can see a threat as it comes into our environment. So, I think the types of systems that you’re talking about and the ones that most of our security partners are working on are incredibly important. And I, for one, am quite excited about those types of technologies, especially when it comes to OT and IT working more closely together.

Phil Neray

That’s very cool. Yeah, I’m with you there, especially because we know that attacks often start in IT and move to OT. Sometimes it goes the other way, especially with internet connected devices. So, let’s move on to talking about how your organizations are addressing the current situation with fewer people, perhaps, available to go into your facilities. Let’s start with you, Stephen. What are you doing to keep the port running in the current situation?

Stephen Kraemer

Yeah, absolutely. So, to just kind of walk through very briefly what happened when we went to level four, the highest isolation level in New Zealand about six weeks ago. A couple of weeks prior to that, there was quite a bit of planning that went on that involved the emergency planning team, each of the business units, putting together plans on who needed to be at the port and how we were going to operate for those people that either needed to be at the port or working from home. So, obviously a lot of people were pushed out to home. I think that’s pretty universal for all of us, but some people needed to stay on the port, and so things had to be put in place to make sure that the operation could continue.

People that traditionally did work together needed to be separated, but you still had to have certain teams that were cohesive. So you needed to have the right gear and the right processes that protected those workers, but also allowed the operations to continue on. Some examples are we no longer allow crews that are coming in on the ships to disembark. People are not sharing things back and forth physically. If there has to be any physical interchange, it’s very narrow – might be one person and they’re wearing protective gear and all of that. And then on the other end, when you even come into the port itself, you have to have a need to be there. And once you’re there, you’re going to be screened. So if you want to go in and you have a need to be there, if you’re a knowledge worker for example, you’re going to get some sort of a once-over temperature check, questions asked and answered, and all that type of thing.

And then you have to maintain your social distancing. So from a cybersecurity perspective, what that means is most of the security team has been working at home, and it’s usually not a problem for most of the technology workers. Obviously there are certain people that have to be onsite to do hardware stuff. That’s traditionally not a role for the security team, depending on how you’re broken out. But in this case, our information security team plus the cybersecurity operations center were able to complete their tasks remotely, thanks to a lot of the great tools which are coming along and being developed. You mentioned XDR earlier, but there’s already a lot of convergence that’s happening in threat intelligence tools to tell us what’s going on. And it’s just a matter of getting those feeds set up and then having the right people sitting in front of that pane of glass, able and willing to do the analysis.

And so, we had gotten ahead of most of that. A lot of our infrastructure was in place before COVID, thankfully, and right up to this go-live with automation that I mentioned earlier. And so, it hasn’t, as far as I can see, impacted us, except it doesn’t allow us to do our physical inspections. And so, there’s quite a bit of ground out there on the port. We’ll try to compare notes with Aaron, because they’re running all over the North Island, but there’s still a need to go out there and make sure that things are secure. And so, from a physical security side, it’s probably made it a little bit more difficult. But on the other hand, the number of people running through the ports is greatly reduced, so maybe that offsets some of that risk.

Phil Neray

And has there been an observation that if, just in terms of running the port, keeping the security part to the side, this work that you’ve been doing with the rest of your colleagues in introducing more automation and autonomous cranes – are you that far along with autonomous trains or autonomous vehicles that you’re actually in a good way with respect to having fewer people available?

Stephen Kraemer

Yeah, that’s a good point. I think we’re probably not getting those benefits yet, but because we’re on the cusp of this go-live with automation, it really puts it in front of you where you can realize the benefits. Everybody can really see that if we were automated fully, to where we want to be, let’s say, by the end of the year, that probably would have a dramatic difference on how we would have prepared for COVID. Yeah, that’s a good point. We’re not quite there yet.

Phil Neray

Okay. So Aaron, Vector is one of the top energy utilities in New Zealand – so I know a lot of people are relying on Vector keeping going. Tell us what your organization is doing.

Aaron McKeown

Yeah, the story is very similar to Stephen’s that prior to level four, we had a lot of planning going on. And one thing I can say is that during level four and level three, we had extreme lockdown protocols in place across the organization, and no more so than in the control room-type setting, where we took the task of establishing three fully isolated and dedicated control rooms for our control room operators and ancillary services. Those three control rooms were then set up in such a way that there were three separate sort of groups of people that were not able to interact with each other. So essentially, you were talking about sort of triple redundancy, and that was incredibly important because as an essential service, we had to keep that service running no matter what.

So that was something that we invested heavily in and implemented very, very quickly at the very start of this entire 6-week process. But now, because we’re now moving into that level two period, things are changing quite a lot – we’ve got less control over people’s lives, I suppose, because the government is relaxing a lot of the controls themselves. And so now, our focus has turned to contact tracing, because as we have our staff and partners going out to do their day-to-day work, we’ve really now focused heavily in the last few weeks on contact tracing and processes and technologies for contact tracing. But then that’s now introduced all sorts of concerns including technology, process, cyber, and even privacy to ensure that we meet all of those requirements while still being able to operate in a secure and safe manner.

Phil Neray

How are you folks doing contact tracing?

Aaron McKeown

We have a number of different processes for contact tracing that are being used across the business, as well as a number of technologies as well that we’re using for contact tracing. Our work is out in the field, so obviously we need to make sure that we’re operating in a safe manner.

Phil Neray

That’s great. Okay, thanks. So, this is a question that’s come up. We had one of our customers say to us, “You’ve deployed to all of these plants. There’s a few more that we had on our list that we wanted to deploy to. But now can you please speed that up, because we’re concerned about all the remote access to our factory networks, especially from third party suppliers?” So, what kinds of things are you doing to guard against malicious access being hidden across all that legitimate remote access that your employees might be doing in your third party suppliers?

Aaron McKeown

Well, the first thing we did at the start of this period was contacted our security partners. We contacted organizations that are part of our operational visibility and threat intelligence landscape, to essentially ask them to increase their awareness of remote access specifically or COVID-19 related sort of threats. So, that was the first thing we did. I think the first call I made was to a number of organizations to talk to them about how our systems would be affected, what the potential points of threats were, and asking them to start to develop plans to better protect us as an organization. So, that was the first thing we did. But then the second thing we did was we mobilized the IT, the OT, and the cybersecurity teams to start looking at our remote access networks and our remote access platform to make sure that we had firstly the right stability and redundancy in place, but then obviously the right security controls in place given the increased amount of usage that we’d see. So, those were two of the first things we did to really improve as a state, because these are platforms that are used all the time, but there are platforms that we’re seeing used more and more at the moment.

Phil Neray

Sure. Okay, so it sounds like you had already some fairly rigorous remote access protocols and procedures and authentication and faults and all of those things that you would expect to see.

Aaron McKeown

Those things are pretty important.

Phil Neray

Yeah. What about you, Stephen? Talk to us about remote access.

Stephen Kraemer

Yeah, we’ve put a lot of effort into the last two or three years, especially running up with the automation go-live, to make sure that the way people engage, first of all, was fairly consistent and secure. So, a lot of those things that you just mentioned, Phil – two factor authentication, named account, basic stuff that you’re going to require are already in place. From an infrastructure perspective, there’s only a couple of ways that you can actually engage Ports of Auckland if you want to access remotely. Some of it’s reserved just for employees, and we have the most common way, which is to come in through a Citrix-type platform. And then for a few special customers, who are really a core part of our business, we may consider setting up some sort of a site-to-site VPN-type scenario, but even that is quite restricted.

Like Aaron, a lot of our stuff was being set up and was just set up in time. It’s just because of the way the timing of COVID occurred with the just about to go live with the automation, we had all of these things already in place and we had a really good grasp on our current state. Again, that’s probably more unusual, and Aaron’s scenario would be more usual. But I wouldn’t say we’re anywhere overconfident, because there’s no confidence in this game. We all know we’re a millisecond from being owned at any given point in time, but we’ve strategically thought through what we needed to do on the remote access piece. We’ve gone out and identified who our remote access constituents are – so customers, stakeholders, vendors that needed to come in, all those people, and we did a review on them. Then we made sure those that need to come in remotely are well managed, using specific com parameters and very specific access points.

Phil Neray

Yeah, that’s great. It sounds like you guys are writing in the right place, and maybe what I’m thinking of when I wrote down this question is a lot of our manufacturing clients may not be as far along, and they might still be in the mode of not such great practices, like sharing credentials with third party vendors and those kinds of things. But you guys are critical infrastructure, so it’s obvious you guys have put a lot of thought into this.

Stephen Kraemer

People are picking up the game quickly in light of what’s going on on the cyber threat landscape in the world right now.

Phil Neray

Yes, for sure. I think both of you have already started answering this question about if security teams are working from home. And sort of, nothing really has changed. Is there something missing with that having someone next to you in the chair that you can talk to about an alert that just came in? How is that culturally?

Aaron McKeown

I think generally, what’s missing is the socialization of the employees, of the team. There’s no doubt about that. For me, I’m one that likes to be in the office. We were just talking about that earlier actually, and I think that fits in, but for us at Vector, my cybersecurity team is split between two locations, Auckland and Wellington. So it’s normal for us to be having our daily standups and our meetings using technologies like Teams and like Slack and like Skype and all those sorts of things. So that has just continued but enhanced us. We also have virtual security operations capabilities with remote locations, so that has just continued as normal. But one of the things that I think has been important for Vector as an organization, and certainly the digital part of the business, is just to ensure that we have regular check-ins of an ad hoc nature so that we can actually just make that human and face-to-face communication. If it’s not just having a one-on-one with a team member or a one-on-one with a peer, it’s having a virtual get together at the end of the week or something like that.

Those things are things where people tend to chat and communicate, and that’s where you pick up a lot of the information about what’s going on in the rest of the business. And I think that’s probably what’s missing at the moment. That non-formal communication where you do find out what other parts of the business going on, and we’ve tried to sort of replace that with a few different initiatives, which has been really good.

Phil Neray

That’s a really good point. Yeah, you’re missing that sort of conversation you might have waiting in line to pick up your food at lunch with someone from another part of the business. Stephen, tell us about this part of it, the social aspects of everyone working from home.

Stephen Kraemer

Yeah. I mean, the social aspects are, it’s limited in a way, but it’s created opportunities in another way. So I think, for example, we meet quite frequently with the security operations team. I’m not necessarily at all the meetings, but I try to be there. But what I’ve noticed is that I think people are a bit more focused on what the issues are. We’re perhaps a bit less distracted by some of those things that can take place at the office that do impact our ability to be effective. We’ve taken opportunities to do more training, to deepen our runbooks, to look at taking a more strategic approach about where we need to land in the next six months, a year, so far down the track, and kind of incorporate that into our learnings and our training. So I think in many ways it’s been really beneficial and my sense is overall – and it’s just my observation because I haven’t polled, but we did a corporate-wide survey, but I haven’t seen the results for the security operations center team – that people generally have received working at home quite well and that they’ve found for many people, not all people, I wouldn’t call it a newfound joy, but certainly a reinvigoration in a different way of doing business and that they’ve kind of grasped that. And I think we’re getting the best of it. That’s my sense anyway. Now again, that’s not speaking for everyone. And would we sustain that long term, over a 1-2 year period? I don’t know. We’ll probably find out, because I think we’re going to be in this of remote working for quite a while.

Phil Neray

Indeed. This is definitely a thought that has occurred to me that in that way, the world has permanently changed. I don’t think it’ll be like it is today, at least for me in Massachusetts, where I’ve been in quarantine for almost two months now, so hopefully it won’t be like that, but I do think there will be a lot more working from home, a lot less social interaction, and it’ll just be part of a new way that the world goes forward.

Stephen Kraemer

A different type of social interaction, isn’t it? You’re still interacting socially, but it’s how you do it.

Phil Neray

Yeah. What about in terms of prioritization? A lot of organizations in general have put projects on hold. So I would imagine that security projects have been put on hold. So this question should really be how are you prioritizing security projects in general? Which types of projects are continuing to get the focus from your teams, and which of these would have been pushed aside a little bit and postponed? Aaron, tell us about that.

Aaron McKeown

Yeah, it’s true that at the start of this period, a significant amount of projects were affected due to resource allocation into our immediate COVID-19 response, and that’s across architecture, cyber data, etc. Addressing those things that I talked about earlier, shoring up remote access platforms, VPN, anomaly detection, multifactor authentication platforms. But as we came out of that period, projects have probably, if not ramped up, have been refreshed, refocused. We’ve done a significant amount of modeling in regards to our projects, capabilities, deliverables. But what I could say is that many of our OT-related security projects accelerated as a result of COVID-19, they haven’t decelerated, and the reason is because we really translate these things to risk.

If we see the risk has heightened because of a certain situation occurring like it has, we then need to prioritize mitigations for that risk. If that’s security-related to building out OT detection capabilities at one of our bottling plants or if that is the new connectivity for some sort of digital-enabled system – that’s where we’re able to put the people. But I know my teams are completely engaged now on cyber projects, and many of them are related to OT security, which is really good and it’s important to see, because it means the business is investing in the areas which will best protect it.

Phil Neray

Very interesting. Stephen, what about you?

Stephen Kraemer

Yeah, I don’t really see it slowing down, very similar to what Aaron was saying, for anything that sort of needed to be propped up or stabilized or needed to get done that could help with the act of forcing the organization to work remotely. Those things did take precedence, and so if we had something shovel-ready sitting there, we just kind of went with it. And there are going to be some initiatives that are going to come from a longer term view of the pandemic and the need to work at home, with our strategy going that is going to be coming out. But we’re also about in that transition phase I talked about earlier, where we are about to go live and a lot of the projects were winding down for the automation itself, and that did pay a lot of dividends into the CIT area as well.

So we’re sort of transitioning now into building up our risk and assurance aspects. It’s never been as strong probably as what Aaron was referring to at Vector. It sounds like they’re a bit further along than us. So we’re starting to look at those things, and those things need to happen and we’re not losing any ground on it. And then in terms of, what I referred earlier to as supply chain 4.0 – some of those forward-looking things that we want to get into. The ICT team is definitely burning a lot of energy right now, getting themselves retooled, if you will, into a team that needs to maintain the current state and the automation pieces and the IT/OT, but then also that forward-leaning supply chain 4.0-type stuff where we’re going to start leveraging IoT, cloud, AI, where data and information is going to be king. So we need to start looking at that, and we’re in sort of a grassroots planning stage from a cybersecurity perspective to start getting those thoughts in place, those things in place. What is it that we need to meet that forward-leaning demand that’s going to be coming? And so that’s keeping us very, very busy.

Phil Neray

So when you say supply chain 4.0, is that about real-time data sharing with your supply chain partners? Tell us a bit more about what that looks like.

Stephen Kraemer

Yeah, I mean ultimately, it’s all about the information, right? So, what you want to do is you want to know what your customers need and you want to know where their things are at, up and down the supply chain. So you want to compress the entire experience and make it as fast and efficient as possible. And the way that supply chain 4.0 looks at that is you’ve got to get down to the nth degree, to the last mile, and get as close to your customers as possible. And that means knowing where everything is at and in real-time or near real-time. And the only way you can do that was a lot of sensors, IoT, pushing things out to the edge, and getting information from all of those different places, which are scattered across the globe. When you’re thinking about supply chain, if we want to do real-time reordering and you want your customers to be happy, the people that are going to survive are the people that are going to be able to create value and find opportunities in all of that information that’s flowing back and forth, while making sure that today this stuff is flowing back and forth smoothly and efficiently. But also looking ahead and thinking what advantage can they find as a business? What advantage can an organization find that’s going to put them ahead of the next person who’s really trying to do the same thing? And so that information becomes king, because that’s where the jewels are and that’s where the money is. It’s whatever you can glean out of that information. Of course, that’s another whole hour or two-long episode that you could do on a webinar, but we’re looking at that sort of thing, and we need to start prepping ourselves from a cybersecurity perspective to be able to absorb that.

Phil Neray

Very interesting. So you brought up IoT. I’m just curious, Aaron, when we say IoT, what does that mean for your business?

Aaron McKeown

I guess I think of it in two ways. There’s all of the internet-enabled endpoints that we run through the IT part of the business, I suppose, and that’s the more sort of traditional way I would think about IoT. But then the way I’m really thinking about IoT is again, this IT/OT bridge and the digitalization of many of our corporate and OT platforms. And what I mean by digitalization is the connection and enablement of being able to get data in and out of those systems – that’s what I really think about. And that’s where I think about things like, how are we going to handle the many producers and consumers of that information, the access, the authorization, the identity management, how are we going to handle the APIs, these sorts of things?

That’s what I really think about, because the endpoints could be anything. It’s really about how we authorize those endpoints and deliver that information to those endpoints that I’m really concerned about right now.

Phil Neray

Got it. And what are some examples of those endpoints? Just so we can visualize.

Aaron McKeown

Anything as simple as an outage site, for example, that you know is available to our customers, and then getting real-time data from our systems onto that outage site so that our customers can see where outages are going on. That’s a really good example. Or hooking into a GIS platform so that we can then include some of that GIS information. These sorts of things are examples of how that connectivity is really starting to exhibit itself inside our organization. It’s down to, for example, if our crews need to go out to a site, we need to be able to give them more and more information about the job they need to do, where the site is, any access requirements, all those sorts of things. So it’s really about those producers and consumers of that information and how are we going to securely get it to the end points that we need to.

Phil Neray

That’s great. Thanks. I kind of skipped over the question on presenting risk to the board, because Aaron, you were already starting to get into it. You were talking about explaining what had happened to other organizations so you could make it real to executives. Anything else you want to talk about with respect to communicating risk to the board?

Aaron McKeown

I guess the only other thing is that you really need to be clear and consistent, and one of the things that I’ve learned over time is the consumers of this information are not technical cybersecurity specialists. So you really need to remove all shorthand or jargon from these documents and really think about how you communicate the risk and how that risk is going to affect the business’s ability to operate. And the other thing is, I suppose that reports need to be regular.

Phil Neray

Got it. Stephen, what are your thoughts on presenting OT risk to the board?

Stephen Kraemer

Aaron is spot on in terms of needing to keep the message simple. These people are no fools, but they’re not technical either, so you’re not going to get one past them in terms of actually highlighting the risks. Once you start talking about risks, they’re going to dig into that and get to the nub of it and figure out contextually what it actually means in terms of risk to the business, not to the technology. So from that perspective, it’s very key that you’re talking about business risk with the board, and they’re going to want you to be knowledgeable and know that you know the landscape and know what you’re talking about. And then I think it’s also important when you address them that the initiatives that one describes from a security perspective align with the organizational objectives, align with what the technology teams are doing. If you just come in and think you just do your own thing because you like the technology, you think of service is cool, very quickly that’s not going to pay dividends for the organization. You’re not going to lower the risk in the right areas in the right way, and that’s going to start showing up on some of those trend charts that Aaron was referring to.

And then I think it’s also important to communicate the value that security can provide to the business. And I like to – I probably don’t position it enough, but I did it earlier and I do it often, but I probably still don’t do it enough – I do like to position security as an enabler. And you have to put the right parlance in place. You get that point across. But when you do think it through, it is an enabler. I wouldn’t say it’s a revenue stream, but it’s definitely an enabler. And when we think about Vector, if we think about Ports of Auckland, if we think about what happens if we put a lot of that technology that is out there or the things that we want to do, the forward-leaning stuff, and we don’t secure it properly and it all comes crashing down, then there’s a lot of value that’s going to be lost to the organization, whether it’s through reputational loss, whether it’s through monetary loss, lost customers, and all the rest of it. So that’s really important that they do understand that it’s not just a bunch of techie people running around, put some cool gadgets in place, lowered the numbers a little bit, and you don’t need to know the rest. So I think the more you can speak to them about business, business risk, business value, then I think the better off you’ll be with the board. And then of course, you’ve got to produce some results as well, as I’m sure my colleague would agree.

Phil Neray

So obviously, your point talking about downtime and loss of revenue – is safety part of that conversation as well? Is that part of your risk conversation?

Stephen Kraemer

Definitely on that. When I was talking to the board about what we needed to do from the operational technology aspects, this kind of new paradigm of how to port automation, we put safety as one of the key principles. So instead of the traditional triad of confidentiality, integrity, availability – the CIA triad – we added safety in there as well. So that was front and center. And in fact, I described to the board some of the challenges that they had at the Shinkansen train system. It’s the first bullet train in the world – the Japanese created it and they were having a lot of problems with the braking system. Under an emergency, how do you stop the train safely without killing everybody?

So there’s a way that you do that when you’re traveling at 300 kilometers an hour, and once they got that figured out, that was one of their last big hurdles that they needed to get over to make a safe system. And they’ve never had a fatality on that system in the 40-50 years that it’s been running, however long it’s been running. But it’s the brakes, you know, who knew? You’d think, well, why is that important? We want to go fast. What the hell do we want to talk about the brakes for? But they needed to get the brakes right, and that was an enabler for them to go fast because they could go fast confidently. So it enabled them to finally do what they wanted to do: create a really fast train and do it in a safe manner.

Phil Neray

That’s a great analogy for how security enables the business. For sure. Aaron, any parting comments on communicating with the board where safety fits into the conversation when you’re talking to them?

Aaron McKeown

I completely concur with Stephen. Safety is of critical importance, and that’s just not across the physical aspects of safety, we even in cybersecurity and in delivery of risk and audit information to the board, we have to take into account safety aspects and some of the implications of our decisions on the ability to keep our partners, our customers, and our staff safe. So yeah, I completely agree with what Stephen was talking about then.

Phil Neray

That’s great. I want to thank you both for a really great conversation we’ve had today. For the audience, here’s where you can get some more information in terms of OT security, how to accelerate network segmentation, a great Gartner report on something they call cyber-physical systems (CPS) risk and how that changes the role of the CISO. Actually, many of the comments we both made just now about safety are echoed in that report. Also some upcoming webinars that we’re doing if you’re interested – one of them with SANS about a new framework that MITRE has developed for describing adversarial tactics, specifically in the context of ICS. It’s pretty interesting.

Again, I want to thank you. Thanks to my guests, Stephen and Aaron, for your time tonight and your thoughts. I want to thank the audience for hanging in there with us, and have a great rest of your day. Take care.