Bringing IT and OT teams together – and keeping production running – has always been important. And now more than ever, with fewer personnel to get things done and more remote workers.

Listen to our online panel discussion to hear from IT/OT security experts about best practices for aligning IT and OT teams, while securing your operational networks during periods of higher risk.

We promise — no PowerPoint slides, just honest straight talk from the experts — and a chance to get your questions answered by real folks with battle-tested experience.


Our Panel of Experts

Paul Brager, Global OT Security Program Functional Leader, Baker-Hughes (oil & gas services)
Arieh Shalem, Director of IS Operations, First Quality Enterprises (manufacturing)
Niyo Little Thunder Pearson, Cybersecurity Team Lead, ONE Gas (energy utility)


Webinar Transcript

Phil Neray

Good morning everyone. For today’s webinar, we’ll be joined by experts from Baker Hughes, First Quality Enterprises, and ONE Gas to talk about bringing IT and OT together. We’ve got a great group here this morning, people with real experience to talk about what they’ve learned over the years. My name is Phil Neray, and I’ll start by introducing the folks that are on the call today.

Our first speaker is Paul Brager. He’s the Global OT Security Program Leader for Digital Technology at Baker Hughes, which is an oil and gas services firm. Paul has a CISSP, a GICSP, and a few other certifications. He’s been at Baker Hughes for three years. Before that he was at Booz Allen Hamilton as an ICS Cybersecurity Specialist, and before that was at Marathon Oil.

Arieh Shalem is the Director of Security Operations at First Quality Enterprises. First Quality is a manufacturer of specialty papers, with nearly 5,000 employees. Arieh is based in New Jersey, and before that he was the CSO at Orange Telecom, he was the CTO at AIG, and he’s a graduate of the Technion Institute in Israel with a degree in computer science.

And then finally, Niyo Little Thunder Pearson joined ONE Gas, which is an energy utility in Oklahoma, in 2014 as a Security Analyst. He was previously at American Express where he led security incident response. He’s an expert on Splunk as well and has a CISSP.

And I’m Phil Neray. I’m the VP of IoT and Industrial Cybersecurity for CyberX. Good morning everyone and welcome. I want to thank you all for being here today. Let’s start with the big question that we have for today, which is: how do you bridge the gap between OT and IT? For many years there’s been this us vs. them perception in some circles, that OT doesn’t really understand security and that IT people don’t really understand why OT is different. The whole CIA vs. AIC kind of a triangle difference. I don’t think those differences exist as much anymore, but let me open that up. Who wants to start with this question?

Arieh Shalem

So the way I’m looking at it – it can be IT and OT, it can be IT and information security, it can be whatever it is. There’s always a challenge when you want to do something, and there’s another department or another part of the organization that doesn’t want to do that. You need to find one common goal. The way we try to do it, and we’re successfully able to do it with CyberX, is in the end, our goal was one: we need to protect our company and you need to do yours, we need to do ours. And by using that specific tool, for example, CyberX, you’re going to get something – you’re going to get visibility, you’re going to get things that you’re going to be excited about getting – from implementing a tool like that. But you’re also going to get your back covered. So we will know things that might happen and will help you get things that might be operationalized for you ahead of time. And we will be able, together, to save the organization from both security and operations. When you know how to make that kind of discussion, when they come openly to you and say, “Yeah, this is just another thing that’s going to bother me and they’re going to suck my resources” – things like that. You’ve got to find the right terms and the right words, and show the value of what you’re bringing to the table, but you’re only able to do it once you give the other side something. You can’t just say, “We have to do it, because security is saying it.” When you’re saying things like that, it’s going to fail. If you’re not able to provide the others, OT for that example, a seamless security solution that also provides them an operational benefit, that project can fail. It doesn’t matter how amazing the tool is.

Phil Neray

So it’s about finding common ground. Can you give an example of what you mean by helping them from an operational point of view?

Arieh Shalem

Sure, I can give one. We found out during the POC, using CyberX, that our network wasn’t tuned enough, and in one of our locations it was hitting sky high. And by just deploying CyberX, one probe in one location, when they saw that and were able to fix it, they were amazed. They said, “What? You’re able to do that?” They didn’t know that, and it was running for years, just VLAN configuration, something that could be that simple, but it was hitting their network very badly and they were thinking, “This is part of the way those machines work.” So when you’re doing that, you’re giving them an operational benefit, but also finally going to get started on lots of discovery, things like that. I think that that was a good example. That was one case where they were able to say, “Okay, we can see value in that. Let’s do that.”

Phil Neray

Thank you. Who else would like to chime in on this conversation?

Paul Brager

I can certainly take a stab at it. So I’m going to take a slightly different approach. Traditionally, as you mentioned, there’s always been kind of this us vs. them mentality around IT and OT. And what we’re finding certainly now, as we’re starting to enable environments more, as we’re starting to leverage data and information coming out of those environments, and subsequent that data being fed back into environments or performance enhancements – what we’re realizing is we’re really not all that different. Certainly our day-to-day operational responsibilities and accountabilities are very different. But at the end of the day, we’re all trying to enable the business to generate revenue and profits. And so oftentimes when you’re talking about bridging the two, what you’re really talking about is how do you work together in order to make this do what it intends to do and what it would like to do. Certainly in the security realm of the world, again, when you start looking at OT, obviously the threat landscape and threat surface are very, very different. So certainly, being able to have reasonable conversations between IT and OT security-related resources will certainly help to close that gap.

And then as Arieh mentioned, certainly getting business advocates and business partners to champion what it is that you’re doing and seeing the real value – and not from the technical bits and bytes that we typically care about, but how the value is being pushed forward for them and making their environments more productive, more available, limiting the amount of impact to certain areas of the supply chain – things that you can enable by converging this gap and making sure that everyone is working from the same sheet of music.

Phil Neray

Thanks Paul. Niyo what would you like to say about this, please?

Niyo Little Thunder Pearson

I think one of the biggest fundamental issues that you have with the understanding of OT and IT is that – and I’ll start it from the perspective of the IT corporate side – there’s not a firm understanding of what they’re trying to protect. One of the first things I did, because of my experience in various areas prior to this, was actually take time and go out into the field. I actually looked at the embedded electronics that have the greatest control around the environments. We’re a natural gas utility, so my focus was on ultimately who has the highest controls in the environment. Is it actually coming from the control room or is it actually being regulated by the elements that are in the field, and getting a greater understanding of what you have? Because if you don’t know what you need to protect, you don’t know how to build anything around it or create a culture of awareness for it. By doing that and sharing that with a lot of the IT folks, it helps separate out what they thought as the traditional, “Well, these solutions should work.” And I always compare it to putting a square peg into a round hole. But I say that from the standpoint that people constantly try to take IT-related things and really push into OT – it needs a firmer understanding of how the environments work and function. And by doing that and taking the time to go and understand how it works and how it’s all laid out and how it works together, I think you build a greater partnership with the OT folks and the operation folks, in that you’re wanting to understand how the actual environment is vs. how you’re wanting to interpret it your own way.

On the OT side, I would say one of the biggest things that you deal with is that these things have been done the same way for the majority of the last 30-40 years. They have a lot of gaps between the reality of the situations that exist today. Even with everything in the news, it really doesn’t cement anything. And I say that from the standpoint of: I always compare it to rainbows and unicorns. If you ever saw a rainbow, I’m sure you couldn’t remember the date that you saw it, and no one’s ever seen a unicorn – if you had, you’d probably need to see someone about that. But from that standpoint, I would just say that it’s hard to resonate something in a culture when they don’t have an ability to really see it or be hands-on with it. One of the attacks and approaches we’ve taken is to try to show them just how real these kinds of things are. Taking red team approaches and really trying to show them, “Look, this is the after-effect of what could be caused, and it’s out there today.” I spent a lot of time trying to get research and stuff pushed into the forefront to the commercial space and you know, we are behind. So from that standpoint, it requires showing them like, “Here’s what’s out here today. Here’s why this is important.” And when you really cement that little gap, I think from that point they become invested in trying to help protect it. Because in the end we all want to protect, whether it’s critical infrastructure or a manufacturer, any kind of platform that is using any kind of SCADA, ICS – from that standpoint we’re invested in making sure that it’s protected.

Phil Neray

Yeah. That’s interesting. So, some basic things around the educating folks in the field about security – like it’s not okay to plug your laptop into the industrial network, or it’s not okay to dual home your computer so you can be connected to two networks at the same time. How do you educate folks without turning into fear, uncertainty and doubt? You said red teaming, so that’s an interesting approach. Any other ideas on how you do that without sounding like a doom and gloom kind of classic cyber person?

Niyo Little Thunder Pearson

Yeah. So our program’s a little bit different. I came out of the financial sector right as LulzSec took down MasterCard and VISA. And American Express kind of stood there as we watched others go down, and from that standpoint it really changed the threat landscape. So from that standpoint, when I came into the company, I started developing an adversarial cyber defense program. It is really based around the fact that it’s not just the traditional risk models that we used to have before – what is the actual attack surface, what is an active attack surface, and what’s an inactive attack surface? So understanding that the existence in an ICS environment that maybe you don’t have PowerShell locked down yet – that’s a potential attack surface. But on the flip side of that, if you really get into the operational areas, what is the vulnerability management program for a PLC or RTU? Are we just dropping them in and never upgrading them? Or are we doing it once a year, once every couple of years? How does that process look today and how does that equate to what we’re seeing from a threat intelligence side? So my lens is always going to be more around the red team and really from the standpoint, and again, it helps really cement it. I think we’ve cemented things not just with people that work in the field, but also managers and the executive board by saying, “Look, here’s what the potentials of these kinds of activities are doing.” And it’s not doing it in such a way that we are causing any kind of harm into the environment. We’re taking simple philosophies and just showing that those things can be done. In other words, “Okay, well here’s some kind of communication node that’s out in the environment, and this communication node can talk to other communication nodes.” So you can do a Denial-of-Service (DoS), or you can do a distributed Denial-of-Service (DDoS).

A lot of times you don’t even have to show that you’re doing a DoS – it’s simply saying, “Look, I’m behind this device and I can ping the other device – that is no good.” And that if we had a scenario where we were trying to track something down, we’re having to pull in, say, the Sprints and the Verizons and AT&Ts of the world to determine what the node is in order to shut it down. So I’m always more about creating kind of a, “Here’s what you need to look at to really help cement this as not just a theory or an idea, but as something that can potentially happen.”

Arieh Shalem

Yeah, that’s a good thing you’re saying. I want to add to that. So it’s always the lack of confidence. You know, when you’re deploying an information security tool, you’re going to get hate back, right? And you would like to educate them. So one of the things that you need to do first as security: you want to believe in what you’re selling them. So I’m taking the example of the nuclear in Iran, you know, the fundamental malware that was there. And it was discussed a lot, what potentially needs to be done in order to orchestrate such an attack. Because in the end, to put it into layman’s terms, let’s say the travel PLC and it’s able to program it to between zero to 10, and that’s the normal ratio of configuration that is allowed from specific IPs or from specific users – doesn’t matter. That’s the right ratio. But now let’s say that I would like to manipulate that type of data, and instead of changing the configuration between zero, one, two, three, four, five, now I may say I need to change it from one to seven, and then from seven to five, and from five to nine. And I’m asking them, “If I do that, would you know that I did it? Yes or no?” And they’re obviously saying no, and then I’m saying, “Let me show you that I can give you that type of visibility by using a tool, for example, like CyberX.” And we did a sort of penetration test just to prove the point that we’re able to discover changes within an allowed configuration, and that for them was a discovery. This is something we can actually use.

Phil Neray

That’s very interesting. It makes a lot of sense, because I’ve had conversations with folks and they go, “Hey, we’re all set, we’re air gapped, we have firewalls.” And then you go, “Okay, if someone were actually manipulating your controllers or downloading a RAT into your controller, like they did in the TRITON attack, would you even know?”

Arieh Shalem

You started that question when you said that – now you have a vendor that comes with a laptop and connects directly to your ICS network, what can you do? And they’re always trusting or they’re saying they have no other choice than to trust that vendor. And I’m saying, okay, you know what? That’s fine. You should trust him, but you don’t know if that computer has been breached before when he was at home or Starbucks or whatever. Let us help you discover that in real time. Now people are asking me, why do I have that background? It’s because I’m working in a paper product company.

Phil Neray

Paul and Niyo, do you want to chime in on this conversation about how do you make people aware about security that are in the OT domain?

Paul Brager

Yeah, I think we have to give people some credit for having some general common sense. So oftentimes, we go into these conversations around OT, and we have a tendency to really dive into the bits and bytes of it and really spend time discussing all the things that you shouldn’t do, that you can’t do, why you shouldn’t do them. And those types of things, as opposed to really trying to help folks frame and understand why this is relevant to them and why it is important for them to become more knowledgeable about some of these things. And they try to educate themselves, particularly with the people that work in these environments from an operational perspective daily. Oftentimes we know, when we go out and we talk to people at sites and things like that, that we have never encountered anyone that didn’t want to do the right thing. It was more of a question of, we’re not sure exactly what the right thing is to do. And so, from a standpoint of a security professional, you have to recognize that these people are not cybersecurity experts, in many cases they’re not IT experts either. And so what you have to do is you have to make this relevant to them. You have to make whatever it is that you’re expecting of them or asking them to do – you have to make it relevant to either something that makes sense to them or something where they can actually bridge the gap between what you’re trying to get them to understand or what you’ve been trying to get them to do. And so, it’s pulling what they’re familiar with. Sometimes it’s a lot easier than others just depending on the population of people that you’re dealing with. But most of us have been doing this long enough to where we can spend time figuring out how to bridge that gap, because ultimately these people are going to be your front line defenses inside of your ICS environments. So if they don’t understand what you’re trying to promote, your program is not going to be very successful.

Phil Neray

That makes a lot of sense, and I like what you said, that people want to do the right thing, and that applies to the board as well. So while we’re on this topic, Paul, what have you found are one of the most effective ways to communicate OT risks to the board without getting into the bits and bytes?

Paul Brager

So, one of the things that I thought was interesting as we’re going through our own board conversations and things like that is, one of the kind of recurring themes is how do you want them to feel, right? How do you want them to feel after you present the information that you present? Do you want them to feel as if everything is under control and that we have the right amount of resources and investment and all the things that we need in order to be able to successfully manage our ICS ecosystem? Or do we want them to feel really uncomfortable to the point where there was a panic button and everyone was kind of running around with their hair on fire? Or do we want some degree of spectrum in between? And it really depends on an honest assessment of where you believe that you are. At the end of the day, your board of directors and your executive leadership, they’re asking you these questions because they legitimately want to know. If you don’t have a cultural transparency so that you can have those conversations, then that’s a completely different problem. Certainly the people that are practitioners, people that are responsible for their strategies and executions within these environments, have to functionally be aware of all the elements that are happening so that you can articulate it in a way where it doesn’t push the panic button, so to speak, but it also doesn’t give them necessarily this sense of false security. Because the complacency is what ends up getting you in the end. And if we’re shaping narratives as opposed to actually providing transparency, then what you end up with is a program that is slanted towards the narrative and not really addressing necessarily the problem.

Phil Neray

So how do you translate cyber risk into business risk for the board? What have you found is a good way to do that?

Paul Brager

I mean, there’s normally some sort of tangible measure or mapping between the two as far as what the board cares about, or even what your leadership cares about. And certainly if you’re a manufacturer, like we are, obviously it impacts production, impacts the logistics, things like that. All of those things can severely impact the bottom line. So, those are the types of things that your board is going to care about – and certainly your leadership as well. They’re going to care about, you know, “Okay, yeah, we get all the bits and bytes, but what does this actually mean? Does this mean that we lose a million dollars a day? Does it mean we lose $10 a day?” Because obviously the response to that is going to be very different depending on what your estimation is. And again, it’s okay for you to be wrong, right? In many cases, as cybersecurity professionals, we get into this mode of wanting to be finitely from the work all the time. And the problem is that security doesn’t behave that way, and certainly in ICS, it really doesn’t behave that way. So there are times when we will believe that something is far more critical or far more detrimental than it is, and it turns out that there are some mitigating factors or there are some other things that are there that basically mitigate some of the concerns that you had. Great. We won, right? Oftentimes we may misestimate it in the other way, or other direction where we think that something’s really not a big deal until we talk to that one person who’s been there for 14 years that recognizes if this goes down or this disappears, then we have a problem. So again, being able to articulate what you’re actually dealing with and actually speaking with people in language they can understand, but being very honest and very transparent about what the situation is as you perceive it, subsequently that’s what they’re paying you for, right? That’s what they’re paying you to do. They might not like it. No, they may not like it at all, but you can never be accused of not being transparent about what the real situation is.

Phil Neray

So you mentioned downtime and financial losses due to downtime. Especially in the oil and gas industry, where does safety fit into that equation in terms of educating the board?

Paul Brager

Well, certainly with our board, and I’m sure probably every other board in this space, safety has been a paramount concern for them for pretty much as long as the oil and gas industry has existed. If you think about traditional OT, it’s going to be around availability and it’s going to be around safety, and security is kind of a third, if you will, and certainly an increasing third at this point. But the link between cybersecurity and safety is always a bit nebulous. Certainly when you’re talking about some sort of cyber-physical type impact where you have some cyber manifestation that ultimately impacts some physical component within your environment and causes a loss of life, or loss of limb, or damage to property, or what have you. And so again, having those conversations with the board – I have not had to have those types of conversations. Those are usually more reserved to leadership typically. We basically will have kind of the overarching conversation, and for the most part I have not encountered anyone that it didn’t resonate with. But I would contend that most boards in this space, probably most boards in any space that have to do with industrial, certainly are markedly aware of the physical aspects of meeting these environments and subsequently the safety of the people that are operating with them, as well as the properties that they are operating within. So the potential of loss – not only loss of life, but loss of property, buildings, structures, products that have been manufactured – and it all has a ripple effect down the whole supply chain for them.

Phil Neray

Got it. Here’s an interesting question. What role is cloud playing in your OT infrastructure? If at all, how do you see that changing over time? How are you using cloud in general for security, in terms of analytics or data lakes? And it’s okay to say cloud isn’t there yet for us, but go ahead. Who wants to comment on cloud?

Arieh Shalem

I can start. So, cloud for information security is one portion, cloud for OT is another section, and cloud for IT or the rest of the company is another topic. Each one of them brings a different challenge, because in the end when you’re moving stuff to the cloud, you’re losing security whether you like it or not. And if you don’t prepare ahead – make sure you got the right visibility, meaning even using tools like a CASB or getting your logs through your SIEM, getting the encryption keys, creating automation or using API tools in your SOC to start, or at least start getting visibility and detection around things that are extra training to the cloud – you’re basically losing the game. And the best analogy I can give is maybe you can remember back in the days when VMware started, everybody in IT was excited: “Now everything will be automated. We’re going to be able to create machines.” But it just created a nightmare.

Another layer of something that both IT and security need to deal with is the same when you look at cloud. Cloud can save you time maybe by provisioning or being able to expand and use a lot of AI, BI, things like that. But if you don’t know how to build the right security measures around your cloud, you’re losing the game and that’s a big headache. So, we try to mix and match. And for example, we’re using CyberX’s sandbox, and the sandbox is not located on prem. It’s a cloud service. So how do you protect your CyberX and do you even trust them? What type of security controls do you have on their sandbox just to use it, based on API? And working with CyberX’s development team, we were able to create those types of security measures and visibility, just to make sure that when we’re sharing files, when we investigate it, we’re able to detect or understand if any potential attacker was able to penetrate your cloud, whether it did or not, we will get a notification by doing that. So, cloud – it can drive the discussion all over. OT usually don’t – and that makes sense. The manufacturers are still not ready for full-blown cloud operations. That’s not there yet. They will start using more and more BI and AI in the future when those solutions are more mature, which right now they’re not.

So again, the way I’m looking at it, we can use cloud, for example, when you want to digest a lot of events in real time and you don’t have enough power in your own on-prem operation, then you want to use cloud and that is fine. But then you’ve gotten into another problem: your lines to the internet, your MPLS lines. Because if you need to do a lot of traffic in real time and that stuff in the ICS network creates massive log events, digesting a billion events per day, that’s a massive thing that if you want to be the cloud around it, you need to plan ahead.

Phil Neray

Thank you, Arieh. Who else wants to comment on the topic of cloud?

Niyo Little Thunder Pearson

So I’ll say something in regards to this. I think to the prior points, cloud is just emerging as a technology. And I say that, I know how long it’s potentially been out, but look at it from the standpoint of this. Today the way I view cloud is it’s like 90s style security. You look at where we came with all the firewall technology and all the deception technology, and all these things. And then you look at how the cloud structure is, and it’s very simplified. Yeah, you can go through it and you can use puppet and chef and you can start to automate the infrastructure, immutable infrastructure, and things like that. But you should always account in your design for what your lowest technology stack is, and you have to understand for the majority of, say critical infrastructure and these OT environments, a lot of these are very old embedded systems. The cloud is not actually giving you a leg up, and I agree it’s creating more concern, more coverage.

I’m a big proponent currently that as far as it goes to controlling any kind of ICS or SCADA environment, that should never route through the cloud. There’s too much that has to be addressed, whether it’s just from the cloud architecture and in its routing and its ability to see and monitor to the actual hypervisor components that go behind it and everything that’s managed by the CSP itself. I think from that standpoint, we’re a long ways from being comfortable in trying to migrate anything into there. Now I’ve seen a lot of processes, a lot of the potential data sets that they wanted to push to the cloud from some of the OT, but I think that has to be measured based on what its potential harm is either to the customer base or actually to the operation base as far as giving too much insight into how those particular things are run. But you can get things like, for instance, if we’re having to establish a meter and we’re having to shut off a meter, those kinds of calculations can easily be captured through whether it’s a BI process or something like that. So I think it has to be reevaluated based on the circumstance of the organization, and a strategy put in place. But from that standpoint, if we’re talking about control-related activity, I think we’re a good 5-10 years from trying to put control in the cloud, at least in the critical infrastructure space.

Phil Neray

Thank you, Niyo. So moving away from OT security, just talking about security and this concept that’s emerging around XDR, the idea that you can collect data from many different telemetry sources in your environment – logs, firewalls, monitoring solutions like ours – putting them in this big data lake and then applying machine learning to do a better job of correlating attacks that often cross boundaries across IT and OT, or that are living-off-the-land techniques, so you need better ways of detecting that suspicious activity. What are your thoughts on using the cloud for that type of XDR detection and response from various sources?

Niyo Little Thunder Pearson

That particular element, it can be beneficial. It goes back to the program – how is your incident response and your program built today, and how is the hunting aspect, and do you do hunting today in your program? I think those things can be beneficial, but keep in mind that I see a lot of deployments that go out that simply are getting deployed and never matured. So I think from the standpoint that if you struggle with that internally and with some of the on-premise solutions today, this may be still kind of the same kind of thing. It may consolidate it for you. It may make the management as far as trying to get to that data a lot simpler, but from the standpoint of not having enough context to know what to do with it and really make it a helpful and a maturity stance for your organization, you need to evaluate where you are in your incident response and forensic side – again, hunting capability of your organization.

Arieh Shalem

He touched the right point. So, that’s the thing. We can say it again, but the way we’re using XDR, it’s only cloud. You can’t digest again, like I said, so many events on-prem. We have to use the cloud to do that. But then again, it brings, like I said, another headache on how you protect your data in your cloud. And that’s another challenge not only for security but for anything. I do want to touch on one crucial key, and it also ties into being effective and connecting the cloud, is any automation. It’s crucial for running a successful SOC that is based in IT, but monitors OT, to be able to provide values both to OT and IT. And the way we’re doing it is we’re doing integrations, automations using APIs, and logging between CyberX, our current SIEM, our SOAR (the security automation orchestration platform), and our next generation firewalls. The way we do that is we digest the alerts that are coming from CyberX – and a lot of alerts usually are part of the operating, the controls engineers – they’re doing a lot of scans in the network. Those scans are BAU (business as usual), but they’re still presented in the CyberX platform as a potential event, and it causes our SOC analysts to have to close those events, and they’re massive. So we were able to, with the help of CyberX, develop those API calls and use them, digesting them in combination with them and the logging that comes to our team creating playbooks. And right now our CyberX playbook is around 29 steps when it runs automatically, but it allows us to close all those alerts in real time without the need of any human intervention. That is crucial to understand because those OT networks, what would happen before that automation is we needed to reach out to them every day. Did you perform this scan? Did you perform that scan? So, for them it was a nightmare. It took us time until we got into the right rhythm and were able to build the automation so that now they’re excited about it.

And my team, the SOC analysts, are also excited about it because it became something that they don’t need to do. And we’re able to get the real needle out of the stack, because what we’re getting right now using that automation is real alerts that we’re able to deal with. We’re able to clean the noise from the environment. And not only that – another use of automation, potential blocks – so we are able right now in real time, once we see an alert that is coming from CyberX and it has the right criticality and is proven as something that should be treated, for example, block a specific URL – our automation closes the loop in real time. We create a rule in our firewall that closes that gap and provides the feedback back to our SOC analyst saying, that alert is done. You don’t have to do anything about it. It’s documented already. You’ve got everything in a one stop shop.

Phil Neray

That’s pretty cool. So security orchestration and automated response (SOAR).

Arieh Shalem

Yeah, there is no way of digesting that amount of alerts and being able to find the needle in the haystack – let’s keep it real. We don’t want to sell stories. Putting in any information security solution creates alerts, and you need to deal with those alerts, right? So you have to find something that helps you, and you have to make sure that the vendor that you’re working with has the right APIs to get the visibility of not only reading those alerts, but also providing you ways to actually do something effective, like write commands. Like for example, block, right? You don’t just want to read, you also want to mitigate. So the combination of using an API with read-write is the right combination. And when you’re able to orchestrate it using your SOAR tool, you’re winning the game.

Phil Neray

Okay. So it’s about bi-directional integration, which is interesting. And the other thing that’s interesting about what you said is when I’m talking to organizations, they say, “Okay, great. So we’ve detected that something happened, but how do we quickly stop it?” And it sounds like by integrating with your firewalls, you’ve figured out a way to do that. That’s great. Okay, let’s move on to how things may have changed for you in the last few months, starting first with just keeping production running. So there are fewer people actually going to the facilities, but yet you have to keep production running, because that’s the goal of your organization. So Paul, could you start with that? What is your company doing to keep production running in all your plants given the current situation?

Paul Brager

Certainly for us, our plant operations are our central business, so those folks certainly are continuing to work. They have the appropriate gear that they need in order to work in those environments, and particularly for many of our manufacturing environments, they’re spread out so the people aren’t on top of one another. Certainly, our continued support of them – we’re working with them around assessments and things of that nature – and then certainly, business still has to go on. There’s still integration for projects and things like that that have to occur, that are in flight, that are actually enabling distance. They’re actually enabling revenue, and certainly in our space, with what’s happening with all of the things, being able to generate revenue, being able to affect cost savings and help out in that regard is a key focus for everyone. But we have the people that are not essential – most of us are working remotely. And additionally, there are the increased safety measures at the individual plants and sites. Certainly we’re doing what we can as an organization to make sure that people come in and go home safe and that they don’t take things home to their family members and things like that.

Phil Neray

Niyo, do you have a comment on what your organization is doing, given that folks are working remotely and you need to keep the gas flowing?

Niyo Little Thunder Pearson

I mean, from that standpoint, in a utility stance, we’re never really going to stop working in a physical presence. It’s just a more elevated manner about how we go about handling things from the actual overall strategy, as far as protecting those that are doing OT work and IT work. It’s taking into account how the actual attack surface has changed, and making sure that we’re validating the defense, and ensuring that we’re able to get total visibility around that. One of the biggest things that I really try to call early on is I know a lot of organizations adopted this split tunneling process with a lot of remote VPN technologies. The thing that we forgot about was the fact that we’ve had these huge botnets that have been out in the world for a long, long time and where hackers have basically commandeered the firmware infrastructure of things like the NETGEARs and all these various APs that are sitting out in the environments. And yet now we have a lot of people going home and actually working from home, and those botnets, which are established to do a couple of functionality features, can actually be turned into an actual router to allow an attacker to get into an organization. So one of the biggest things is trying to show some of the member companies and other people is that there’s attack surface there, and it’s an active attack surface, and showing that you can pull a credential and then you can pass yourself along into that organization. To help ensure that, again, we are adapting our approach in the security and the stance to help protect everything that’s around, whether it’s critical infrastructure or other environments that support ICS and SCADA. So I think it’s really important to always shift that strategy and that’s definitely what we’ve done to ensure that we have total visibility, that we’re able to continue support and monitoring for what’s out there and continue on.

Phil Neray

That’s great. Arieh, can you comment on: A) how you’re keeping your plants running, and B) how are you addressing the fact that there’s more remote access from your OT equipment vendors, for example?

Arieh Shalem

So we’ve actually, as part of our holistic security program, onboarded a solution that’s helped us closely monitor privileged users, record them, monitor their activity, getting the logs, being able to detect alerts based on specific commands that they were running, both operational and also security. And especially now with everybody quarantined and working from home, that’s even become a bigger challenge: how to do it right. So what we’re doing, and again, we got prepared for it ahead of time is using that solution, extending it, using an always on VPN, and an additional 3-4 security tools on top of that, just to make sure that we get the right visibility and are able to mitigate in real time by blocking potential threats to our network based on numerous triggers that we put into that system. So that’s the way we’re doing it.

Phil Neray

So it sounds like you’re using two-factor authentication, password vaults, auditing.

Arieh Shalem

That’s for sure. Everything is recorded. All the sessions are being recorded in real time. That’s part of it. Of course, MFA – that’s also part of it. The always on VPN and the additional security tools that we’re putting on every machine. For some of them we have specific VDI with our security tools in case they cannot bring something that is not a validated company computer. So things like that.

Phil Neray

That’s great. So I guess this is a related question, but what are you doing with respect to your security operation centers and your analysts? Are they working from home? How are you making sure that you can continue handling the work that comes into the SOC, with more folks working from home?

Arieh Shalem

There is no other option. There is no way around it. Everybody’s working from home. It is what it is. And like I said, we got prepared ahead of time. So it became for us a sort of second nature to be able to provide our SOC analysts and SOC security services the secure connection to our facilities. When they don’t, they’re unable to get the data out of the company and just use it as a sort of employee. That’s the way.

Paul Brager

If you think about it, a lot of manufacturing environments are asynchronous anyway, in some respects. And so, from a perspective of the team, when it comes to your security operations and things of that nature, yes, we’re going to continue to get logs and things like that from those environments. There’s very little human interaction with that anymore. Those things are typically automated. The places where you run the risk of having impact is going to be when you’re going to physical sites for things. Or if there’s a need for you to go to a physical site, obviously the ability to do that right now is hampered, not only necessarily because of the travel restrictions, but even within countries or within regions, whether or not you can go into a facility if you’re not deemed essential, you may or may not be able to get through to the facility. So, from my perspective, most of the work that we do is remote anyway. Certainly on the operational security side of it, as far as people reviewing logs and things like that, those people are at the sites. They’re at some centralized location, either within HQ, or within a partner, or what have you, that are digesting and triaging those events, and then forwarding them to the relevant people depending on what those things are, and involving and looping in the people in order for them to be able to engage it. So, for us, outside of not being able to physically go in and do assessments at sites and things like that, we’re just basically leveraging the capacity and capabilities of individual sites to be able to continue to move the security projects and security efforts forward. And those things that we can’t move forward, we’re just shifting them to the right until we’re at a point where we can.

Phil Neray

So it sounds, building on what was said before, that automation and integration are keys to making your security defenses more effective and more efficient, and that automation and integration are also how you’re dealing with it now. How are you prioritizing your OT security projects? How are you deciding what to move to the right, as you said, and what still needs to be done?

Paul Brager

That prioritization normally doesn’t come from security. The prioritization normally comes from the business. And when you’re thinking about the economic climate that we’re in, certainly in the oil and gas space, obviously projects that are not critical to direct line revenue and things of that nature, where there’s not necessarily a clear sign of revenues – those projects may be shifted to the right. Oftentimes when those projects are shifted, any remediation efforts, any redesigns, any enhancements in environments, and things of that nature are also shifted to the right with it. So, we worked very closely with our business partners to understand where they potentially thought they would have been at this point in a year, where they are now, and how the strategy has shifted. And then we adapt our strategy and deployment strategies and projects to align with that, because ultimately that’s where the money and the resources are coming from in order for us to be able to leave the external nomination.

Phil Neray

So it’s all about supporting the business. Arieh, do you want to comment on how you’re prioritizing OT security projects?

Arieh Shalem

Lucky for us, ownership and my boss, because that’s what manufacturers care a lot about, are making sure their OT network is up and running. This is how we make money, that’s our bread and butter. And we got all their support, which is not just by words – they’re actually actively helping us in any direction that we’re bringing to the table. When we’re reaching out to owners, either for specific controls that we want to implement, vulnerability management, patching, adding tools like CyberX, penetration testing, things like that – they’re on board. Anything that can help them secure and make sure that we can produce our product, they’re all in.

Phil Neray

So if I combine that with what was said at the beginning of the conversation about going out to the sites and meeting with the folks in the plants, it sounds like you have a combination of top-down and bottom-up to make your OT security project successful.

Arieh Shalem

Exactly that.

Phil Neray

So, we’re reaching the end of the hour. We have some links here to additional resources. If you’re interested in some other upcoming webinars, at the bottom there, including another CSO round table – it’s going to be at a strange time of day for the North American and European audience because it’s for the APAC audience, but if you might be interested in it, you can always go check out the recording.

Thank you very much Arieh, Paul, and Niyo. I really appreciate you guys spending the time to do this. And for everyone else, we’ll be distributing the link to this recording shortly. Have a great day, enjoy your weekend, and thank you from CyberX.