IoT devices can improve business operations, but they also create new pathways into a business’s digital environments. This can lead to cyber incidents that bring down business activities and/or create huge privacy breaches or thefts of sensitive intellectual property.

There are new endpoints now touching networks that were never imagined when networks were built, such as smart building systems, security cameras, temperature gauges, valves on a chemical line that distribute liquid (sometimes toxic and dangerous), etc. Similarly, in a bring-your-own-device (BYOD), Internet of Things (IoT) world, our remote workforce creates a whole new set of challenges when securing all access points. Are you counting your employees’ home networks in your list of endpoints? Smart watches?

What kind of security is built into all these internet-connected devices? How do we identify and monitor them without deploying agents? How easy is it to control access? How do we segment them from our other networks?

Partnering with SecureWorld, Fortinet and NTT, this webinar explores the latest technology, training, and trends for securing unmanaged IoT/OT endpoints and bringing IT & OT together.


Our Panel of Experts

Paul Brager, Director, Global OT Security Programs, Baker Hughes
Phil Neray, Vice President of IoT, Industrial Cybersecurity, CyberX
Rick Peters, CISO, Operational Technology North America, Fortinet
Stew Wolfe, CyberSecurity Practice Leader, Canada, NTT LTD


Webinar Transcript

Bruce Sussman:

Hello, and welcome to the SecureWorld Remote Session. Today we are talking about locking down unmanaged IoT endpoints and securing the new frontier of industrial IoT (IIoT). It’s fantastic to have you here. We have a great group of panelists/experts with us today, and this is going to be a robust conversation. I want to say thank you to our sponsoring supporters today, CyberX, Fortinet, and NTT. We appreciate you – this is how we’re doing collaboration right now and it wouldn’t be possible without your support, so thank you for bringing the community together in this way.

On a quick note of introduction, my name is Bruce Sussman. I will be the moderator for today’s roundtable discussion. I’m Director of Content here at SecureWorld, and I also host a weekly podcast that publishes every Tuesday on all the major platforms. As I was thinking about IoT and IoT devices, I think there’s no question – they can greatly improve operations within organizations, but they also create new pathways into a business’s digital environment. We know that the business risk from all of these devices is growing. However, there is also a growing opportunity and more tools and ways to approach and mitigate this risk. So, today’s expert panel will unpack both the risk and some of the solutions and opportunities that your organization has to minimize the risk. It will be time well spent. So, great to have you with us whether it’s Monday morning or Monday evening, depending on where you are. Here’s our webcaster’s guide to the conversation.

Just a few pointers for you as we get started – for one thing, there are resources available to you in the More Resources list, so check that out because there’s some great information on this topic. This is designed to be an interactive session. If you have questions as we go along, you can pose it by typing it in the Q&A box on the left side of your screen. And the last thing is that this will be available on demand, so if you’ve got colleagues, teammates, or other leaders within the organization who you think should see this, you’ll be able to share it with them after the fact.

Let’s meet our featured panelists and get some introductions. We have Phil Neray, who is Vice President of IoT & Industrial Cybersecurity at CyberX; Paul Brager, who is Director Global Operational Technology Security Programs at Baker Hughes; Stew Wolfe, who is Cybersecurity Practice Lead for Canada at NTT; and Rick Peters, who is CISO of Operational Technology North America at Fortinet. Gentlemen, it’s great to have you here on the panel. I think we should start out so the audience knows just a little bit about you. Phil, let’s start with you first. Would you give us a few bullet points about your role and your organization and your background?

Phil Neray:

Yeah, thank you everyone. It’s great to be here. My name is Phil Neray, and I’m with CyberX. I’ve been with the company for about three and a half years. I’ve spent most of my career in the security space. I have a degree in electrical engineering, and early on in my career I worked on oil rigs in South America, as well as a large public electric utility in Quebec. So, this is coming around full circle for me to be talking about OT and security in the same theme. Thank you.

Bruce Sussman:

Fantastic. Thank you for that introduction. Next, let’s go to Paul with Baker Hughes. Paul, welcome to the remote sessions.

Paul Brager:

Hey, good morning. My name is Paul Brager. I’m the Director of Global OT Security Programs at Baker Hughes. I’ve been in the space for about 27 years, doing everything under the sun in cybersecurity, certainly much of that in industrial. What I do for Baker Hughes primarily is lead up a team that is responsible for our manufacturing ecosystem internally – all of our manufacturing sites, engineering labs, service shops, service depots, and those types of things. Certainly glad to be here and to be contributing. Obviously we’re seeing a lot of IoT/IIoT expansion within our environments, so I think it will be a good conversation going forward.

Bruce Sussman:

Okay, great. Thank you for that introduction there, Paul. All right, let’s go to Stew from NTT. Stew, welcome to the remote sessions.

Stew Wolfe:

Great, thank you for having me today. I’m Stew Wolfe, and I lead the cybersecurity practice for NTT in Canada. I’ve been involved in the IT field now since about 1993, in security since the late ’90s, so over 22 years now in security. Technical background, system engineer, ethical hacker, and then moved up to the business layer providing consulting advice to customers. One of the key practices I lead is around industrial security and medical device security as well – a really interesting area, definitely a lot of threats happening within that industry. I speak to a lot of customers about how to better secure their industrial manufacturing and utility environments across the country. I’m also well connected into our global team that does a lot of interesting things with partners such as CyberX and Fortinet to secure environments.

Bruce Sussman:

Okay, that’s fantastic. Thank you, Stew. Now let’s say hello to Rick Peters from Fortinet. Rick, good afternoon and welcome to the remote sessions.

Rick Peters:

Hey, good afternoon Bruce. First, I want to say thanks again for this opportunity to parlay expertise. I’ve been with Fortinet roughly two and a half years, working operational technology, and prior to that, just over 37 years at the National Security Agency as an electrical engineer. I spent the latter two decades in an executive role leading exploitation and defense of critical infrastructure, several assignments working in industrial control systems and SCADA technology, and had a great opportunity to wrap up working endpoint, from both the offensive and defensive ends, which was an extraordinary chance to build off on and into this topic we’re talking about today. Just leave you with guilty knowledge, it’s a whole lot more fun to break things than it is to defend them, and of course, the advent of so much change in operational technology has certainly enabled the landscape, the attack surface, which is a terrific segue into this conversation today.

Bruce Sussman:

Yeah, that sure is. Thank you for that overview, Rick, and I appreciate all your service for the years that you were working and helping to protect us.

All right, let’s break today’s roundtable discussion into a couple of different areas. I think the first area that I’d like to start with is defining the problem. We’re talking about addressing the types of devices. What are we talking about here? Who’s interested in hacking them, and what is the impact on organizations? So, let’s unpack some of these questions during this part of the roundtable discussion. I think we can look at this question through each of your lenses and the backgrounds that you have, and so I’d like to start with Rick. I was thinking about the lessons you learned from US intelligence during your time there. Regarding the defense, the exploitation of these devices, the exponential growth of them, and how that has changed the risk landscape, what are you thinking of the problem here?

Rick Peters:

Boy, this is a big one. Having spent the majority of my life on the inside in the SCIF spaces, you’d think, wow, you’re beyond that issue – and nothing could be further from the truth. If there’s one thing that we understand very well, it’s very difficult to control the insider. Those activities that we believe we can keep our finger on the pulse of are very, very difficult. And the advent, of course, of all the mobile technologies and telephony, and then you couple that with the attitude and the change culturally. You’ve got generations who’ve never known the sense of not being connected. So, connected generations don’t give that technology up easily, so whether you’re in an open business space or operating within the confines of a SCIF, you have those challenges. You couple that with the explosion of enabled devices today, both on the inside and out, and it challenges us to wrestle with a problem at scale. And certainly plenty of knowledge of change that actually forced impacts, both to the intelligence community and I think today, the business community is having to wrestle with it as well. You start to shift your focus to operational technology. It’s that balance now of managing risk, but not only that, recognizing that you have an imperative for safe and continuous operations, and so that raises the stakes even higher.

Bruce Sussman:

Very good point. Thank you, Rick, for that overview. That’s great. Stew, I’d like to come to you next. Would you give some examples of how you see this new frontier of unmanaged devices? What are you thinking right now?

Stew Wolfe:

It’s an interesting area, because the IT area typically has been very independent of the industrial side of the business, and the two areas don’t really understand each other. The engineers on the OT side, industrial control systems, whether it’s in DCS or SCADA environments, are focused on the availability of their equipment, correct processing of their equipment, but they don’t necessarily think of the security impact. And these systems were typically isolated, not connected to the internet. Now we’re also seeing IT being responsible for those environments, which has now changed the dynamic and started the conversation between the two worlds. But there’s a lot of knowledge transfer that needs to happen to make OT aware of the security impact, and it’s definitely a huge risk, because we’ve seen multiple examples of steel manufacturing plants losing $75 million over three weeks in Scandinavia from being down. That was a sample of a ransomware attack. The thing is, when you impact these industrial environments, it’s not like you can just turn on a PC and then it comes back up. These can take a good three weeks, and if you’re losing hundreds of thousands of dollars, if not millions of dollars every day, there’s a real impact to your business. What we’re starting to see now is a shift and a change where OT is becoming more aware as we connect things such as PLCs and SCADA devices, and as we separate both the OT and the IT environments from each other from attack. So, it’s becoming more of a concern for sure and an important area to protect.

Bruce Sussman:

Okay, that’s fantastic. Appreciate that overview. Some of the things you talked about allude to possible blind spots within the organization. I wanted to go to Paul next. Paul, this is something that you and I had discussed a couple of years back at SecureWorld Houston, where you’re an advisory council member, that some organizations do have blind spots in this area. What were you talking about in that case?

Paul Brager:

So, obviously with the advent and the speed at which in many cases IoT and IIoT is being adopted within the environments, what you’re finding is security is always kind of a lagging indicator. In many cases, these devices are coming onto networks or coming into the environments. They are being enabled within environments, because of a specific need for them, and specifically for the data that’s coming off of them. And security may not be front of mind. If you think about the vast universe of devices, they’re not getting a single standard or single way of security. So, what ends up happening in your ordinary broader ecosystem response is you may stumble upon some of these devices, but not necessarily even know what they are. Some of these devices or systems may be attached to machines or assets that you purchase. You may not have any idea that they even communicated, and so your universe, your ecosystem may expand on you rapidly.

Bruce Sussman:

Yeah, and it’s a little frightening as well, but it’s good that we understand that problem. Some of these enabled devices may be sneaking in some ways in these industrial environments. Thank you very much, Paul. Now let’s go to Phil. Phil, I was wondering from where you sit, what are the top risks organizations are not considering in their security plans right now for protecting these kinds of devices?

Phil Neray:

Sure, yeah. Well, unlike the IT security field, in the OT domain the risks are in some ways similar but in other ways different. In IT, we’re mainly talking about theft of data, such as customer data, and in the OT field, we have some bigger risks, including downtime due to, as an example we heard before, ransomware or downtime due to a disruptive attack intended to sometimes cause damage to the facility. As we saw in the Triton cyber-attack on a petrochemical facility, we’re talking about safety and environmental incidents in those cases. And then theft of sensitive intellectual property and trade secrets, much of the sensitive information about proprietary product designs or manufacturing processes are stored on the OT side in the historians, for example, or even in the logic that’s contained in the programmable logic controllers, so that’s also a third aspect. So, we’ve got downtime, safety and environmental incidents, and theft of sensitive intellectual property being the key business risks.

Bruce Sussman:

Appreciate that list. That’s fantastic. All right, let’s go to our first question that we have. I think I’ll pose this one to Rick. What keeps you up at night with respect to the modern remote workforce? We have made significant advances in security, so maybe we should be less paranoid regarding this misuse of this remote workforce. But what do you think, given your background and your insights?

Rick Peters:

Yeah, so historically I come from the largest gathering of the paranoid on the planet. I’m in a place now where I can apply a lot of lessons learned, and I’m certainly trying to do that. But one of the things I think is clear is that right now, we’re balancing versatility value vs. vulnerability. Already we’ve heard Paul, Phil, and Stew talk about the complexity, value, and impact to operational technology, and I think that’s very important when you start to think about the space. You can sound like a broken record if you keep coming back to the insider as a concern, as a focus point, but we’re really talking about protecting against the misuse of these technologies. We might say technology is a beautiful thing, but from the opposite side, it is a wonderful thing for those who seek to accomplish missions as a cyber adversary. We certainly have lots of evidence already. We just heard the mention of the Triton incident, and that was extraordinary because it broke new ground. But we combine a couple of things going on – certainly, this period in our history has brought about some security fatigue. We’ve stretched ourselves, we’re working in using enabled technologies at even a grander level, both to support the industry and to extend the workforce. And naturally this pace has changed our behavior and naturally it’s opened Pandora’s box, if you will, from the cyber adversaries who are using simpler tools and techniques to simply get onto the target. That’s really what keeps me up at night. So, it’s really making sure that we understand and can combine our initiatives to protecting that which is absolute, which is a critical infrastructure that citizens rely on daily.

Bruce Sussman:

Yeah, there’s no doubt we have come to rely on all of these things. That’s a great point. Thank you very much for that overview, Rick. Let’s go on to our next question now, and this is for Phil. Given that both IT and OT are involved in securing this new frontier of devices, how do you bridge the gap between these teams? Because sometimes, goals and objectives are significantly different. So what do you think about bridging the gap here?

Phil Neray:

Yeah, it’s a great question. Of course, there has been in many organizations an “us vs. them” kind of mentality. But I think what we’ve found by talking to our clients, the way to make OT security projects successful is to take both a top down and a bottoms up approach. So from a top down, having the senior security leaders talk to the business leaders and have them understand the risks that we talked about before, which are risks that everyone can align around: safety, uptime or downtime, and theft of sensitive intellectual property. Get the buy-in at the top, make sure it’s communicated from the respective leaders.

But then the bottoms up approach is equally important. What we’ve found is that spending a lot of time at the facilities themselves, talking to plant personnel, explaining to them what’s required, explaining to them that we’re actually going to make their lives easier by introducing stronger security. They don’t have to deal with malware infestations or sophisticated attacks by APT groups, which they’re really not qualified to handle. Instead, the corporate security organization, which does this every day 24/7, will now take over that side and have it integrated with their workflows and the tools they already have in their security operation centers, like their SIEMs and their analytic platforms. So it’s a combination of the two, and communication is key both top down and bottoms up.

Bruce Sussman:

The top down and the bottom up, I like that. Great that you stress the communication piece in there. That is excellent. Stew, I think you have something that you’d be able to add onto this.

Stew Wolfe:

Yeah, I just wanted to say that one of the biggest concerns from OT is availability. On the IT side, we’re more concerned about confidentiality, and I think one of the ways to get OT and IT to work together is to show OT that, when assessing the impacts in their environment from a security perspective, we’re not going to actually touch their equipment. We’re going to passively take a look at it and be able to figure out what the vulnerabilities are without impacting their operations. That’s really critical because a lot of the OT guys don’t want you to go near their environment, even to see if it’s vulnerable, because they don’t want their environments impacted. So as long as you can assure them of the importance of security, but that we’re not going to impact their operations, we’re there to help ensure their availability. I think that’s really key messaging.

Bruce Sussman:

Yeah, that’s fantastic. That business enablement message – we’re on the same team and we’re going to enable you to do business securely. That’s a very good point. Let’s move on to our next question, and actually Stew, since you were talking, how about you take this one? Why do you think security is important in industrial environments like manufacturing and oil and gas environments? We know it is, but why? What are the reasons that you’re seeing?

Stew Wolfe:

Downtime costs within manufacturing environments are a huge financial impact, not only to the company but also to any of your supply chain providers as well. Everybody suffers from that, so it’s really critical both in oil and gas and manufacturing that you maintain that uptime, that you’re able to fingerprint or identify what devices are actually vulnerable to assure that there’s no monetary loss caused by a cyber breach. We are seeing more and more attacks against those types of environments, whether it’s just purely malicious, whether it’s political in nature. All of this is really important to be able to protect. So, we’re definitely seeing an increasing attack surface in these environments.

The other thing is that historically, the machines, the PLC controllers, the SCADA devices, the historians, the distributed control environments – a lot of these machines or devices are not really designed with security in mind. That’s really critical. A lot of them are very old. You think about purchases with an industrial environment that may be a 30-40 year purchase vs. IT, and they refresh every three years. These devices are old, they’re antiquated, they’re not designed to produce logs. You can’t change a password, you can’t encrypt the data. Most of the time, the devices are shipped without security. Minor security is added on as a bolt on piece to the actual device itself. So, as we connect these environments to the internet, we connect them to our IT environments. We have manufacturers coming in to do maintenance on the equipment through the internet. They’re no longer air gapped environments. It’s now become more and more critical that we look at vulnerabilities, vulnerabilities that we typically saw within the IT environment that are now impacting OT, and also that we use specific technologies that can see what we call non-traditional protocols – so protocols that are very specific to the OT environment. You need technology that can identify those types of vulnerabilities and communicate with that kind of equipment to be able to identify what’s going on. So really, really important within the manufacturing and oil and gas environments, and definitely an increasing attack surface area. We’ve seen many examples of that of late and really over the last few years.

Bruce Sussman:

Okay, great. Stew, thank you very much. Paul, I see that you would like to add on to this. What do you have?

Paul Brager:

We’ve all seen what’s happened with COVID, particularly on oil and gas, over the course of the last few months. Certainly, many of our environments obviously are operating very leanly. We’re certainly looking to manage costs as always. So, if you have some sort of cyber incident or some sort of cyber-attack inside of those production environments, you’re not managing costs, you’re definitely spending money to try to remediate those things. As Stew mentioned, all of the different things that we’re seeing that we’ve been seeing in IT for years, we’re now starting to see those things propagate and promulgate inside of OT, in environments that were never designed with that capacity in mind. Certainly, we have to become more and more diligent around making sure that we have good partnerships, not only within the production environments themselves, but back into IT leadership, being able to make sure that we communicate to them what the risks are that we’re seeing and try to get in front of the curve as much as we can.

Bruce Sussman:

That’s such a great point too. If you have an incident, you are simply spending money and you’re potentially not bringing any in. So yeah, that’s a fantastic point. Really appreciate that, Paul. All right, let’s go on to our next question. And one of the challenges with unmanaged IoT is identifying that it exists and differentiating it from ordinary computers within an environment. So what are some of the strategies that you’ve used to help accurately identify IoT assets? Paul, you were kind of touching on this in your opening statement. Would you tackle this question for us?

Paul Brager:

There’s always an overarching paradigm here that if you can’t see it, you can’t protect it. In many cases, certainly in industrial environments, what constitutes IoT and IIoT, operational technology, SCADA – those lines are starting to be blurred very quickly. What you’re finding are PLCs, RTUs, different types of controllers, different types of equipment, that not only have elements of control, but they also have elements of sensing, certainly around temperatures, pressures, things like that. That data is subsequently being supplied to either internal analytics or cloud analytics. From a standpoint of strategy, the best methodology obviously is to try to get in front of it, to actually be at the table when some of these discussions are had around what the business is attempting to do.

Clearly that is not always the case. In many cases, having been in security as long as I have, I realize that we are typically the last people that they want at the table, because they typically don’t want us to slow them down. In the absence of that, understanding visibility-wise what your ecosystem looks like, what is normal so that you can start to try to understand these variations – if you start seeing large amounts of data leaving your environments and things like that, being able to have some visibility in that space and being able to tackle exactly what that is. Again, relationships within your production environments – talking to those folks, making sure that they understand what it is that you’re concerned about from a cybersecurity perspective, and they may invite you to the table to talk about some of these capabilities because the business should certainly be pushing production to be able to provide more and more of this data to them in near real-time in many instances. That being the case, we have to work hand-in-hand with those entities in order to make sure that we’re securing that data appropriately.

Beyond that, oftentimes it’s really trial and error. Sometimes you’re in an environment, you’re looking at something else, doing an assessment, and you find a lot of unmanaged compute sitting somewhere. You’re not exactly sure why it’s there or what it’s doing. You will speak with someone at the site or at the plant, they’ll be like, oh, well, we put those in six months ago and they’ve started sending data to this provider and we’re doing this and that and the other. So, after you wake yourself up with smelling salts, you have to sit back and figure out a strategy to try to protect those assets and try to certainly protect the data that they’re producing going forward.

Bruce Sussman:

Yeah, that’s fantastic. I like that smelling salts analogy. I think a lot of organizations wake up at various points. The question is, when do you do it, right? Before or after an incident? Hopefully before. That’s very good, Paul. Thank you. All right, let’s move on to our next question, and this is around zero trust. Obviously it’s been a hot topic for the last couple of years at least. It’s really gained some mainstream discussion within security. It’s been around longer than that, but it’s really kind of reinvented itself in the last couple of years. Does this approach serve to broadly remediate risks for enabled devices? Rick, would you be willing to tackle this? What do you think about this idea of zero trust and enabled devices?

Rick Peters:

Sure. It’s interesting when you start to peel it back, you realize there are a number of threads that can help support the argument of zero trust networking, but the operative word in the query here is remediation. It’s managing risk, because the realization, regardless of where you come from, is not a physical problem. You can put in place two-party integrity and controls and enforce policies, but the speed and scale of what we’re talking about today doesn’t make sense to try and make it a physical problem. It says we need to put things into your environment that help to automate that process. If you think about practicing “never trust but always verify” as your absolute principle that says, all right, I’m going to be able to accomplish that. I must accomplish that to protect wired and wireless communications, absolutely. I can take the next step of saying I’m going to practice the principle of least privilege. By that we’re talking about protecting all internal and external networks and putting into play the integration of an internal segmentation firewall. If you were to couple that with some switching, we then can do microsegmentation and now you’re doing that sort of traffic analysis that says, I’m aware of all things that are going on. I could control the movement of an adversary that pops up on the radar inside my environment, so they’re unable to accomplish or execute their mission and move north, south, east, west within the environment.

On top of that, you’ve got to insist on implementation of multi-factor authentication. Again, putting into those key pieces of intelligence that you rely on to enforce that. That is knowledge, possession, and inherence, that which I have personally and that which the system can assign to me – again, think role-based control, allowing me to do my job but not be able to go beyond the bounds of what I can accomplish. Then on top of all of this, realize it’s not perfect. We’ve got to know our limitations.

Bruce Sussman:

Okay, fantastic. That’s great. Let’s move on to our next question. Phil, would you tackle this one? How is cloud affecting OT security? So what do you think about the cloud’s role in all of this?

Phil Neray:

Yeah, thanks Bruce. Well, Paul kind of touched on this a few minutes ago when he talked about new devices, industrial IoT (IIoT) devices that are being brought into plants that are different than the legacy devices we talked about before. These IIoT devices are still, in general, unmanaged. They don’t support agents. They don’t have security built in, but in many cases they’re being connected directly to the internet to gather data such as temperature or vibration data to help with initiatives such as predictive maintenance. They are communicating to the cloud, so that increases the attack surface now in a way that plants never had to deal with before. So, that’s an aspect of cloud. The other aspect of cloud is we’re starting to see firms move some of the actual SCADA operations into the cloud. Obviously you still need the controllers controlling the actual physical devices, but we’re seeing some cloud attack surface opening up there. So, these are all things that increase the risk.

Now from a security point of view, the cloud is also a resource that we’re going to see being used more and more to detect and respond to threats faster now. We’re seeing this concept of XDR building on EDR, which is endpoint detection and response. XDR is the idea that you collect data from various telemetry both at the endpoint layer and the network layer and any other logging devices you have, you put them all in a big data lake in the cloud, you apply machine learning and analytics. This is a way to deal with sophisticated threats faster and more efficiently. I know that in the OT world, there is some resistance to moving anything to the cloud, but I think more and more we’re going to start seeing this as the preferred approach for security operations centers.

Bruce Sussman:

Okay. That’s great, Phil. Yeah, I think everything is going to the cloud, so that’s really interesting. I appreciate that overview. I want to ask this next question to Paul. We talk about the premise of IoT suggesting there’s data captured, forwarded, and analyzed, and Phil touched on some of that data and the data lakes and all the things that could be going on. What security strategies, if any, have you used to manage the connections, data flows, and interactions with these unmanaged devices?

Paul Brager:

Certainly in many cases, as we’ve all alluded to here, many of these devices are unmanaged. So, understanding how this data is leaving those devices and where it is going is key and paramount to actually protect that data. Again, the ideal situation in an ideal world, having conversations with the business, having conversations with plant leadership, and things like that – trying to understand what are they trying to accomplish. Are they trying to gather data for predictive analytics? Are they trying to do it for enrichment of something? Or are they trying to use this data for feedback? Certainly understanding what that use case is so that you can better manage how that data is being propagated. And then going to the different sensors, gateways, things like that, that are collecting the data – understanding how they are collecting it. Are they collecting it in an encrypted fashion, or are they storing it, or are they immediately forwarding it? What protocols are they using, MQTT or what have you, to propagate those things into the cloud? Understanding the cloud, the actual enrichment vendor, whomever it is that you’re using to do your visualizations and your analytics – what do they do with that data? Is the data anonymized? All these different things that you would think about making sure that the data that you’re providing to the cloud and out of your environment is not necessarily uniquely identifying within your environment or giving away any information that an adversary could potentially use to your detriment. Obviously the universal data that can be coming off these sensors, some devices can be virtually anything – can be temperatures, pressures, harmonics, whatever the case may be – and in and of themselves, they may not mean much of anything, but if they’re aggregated inside of some sort of visualization or analytics, they may actually be quite valuable.
It may be that your business is using that data as a competitive advantage to be able to go to market or produce faster or what have you, so you have to make sure you have very firm control and a very firm understanding and knowledge of where that data is going and how it’s being used.

Bruce Sussman:

Okay. That’s a fantastic overview. Thank you, Paul. Let’s go on to our next question now. Which organization is accountable for compromises involving IoT or OT devices? Phil, would you want to take a crack at this one?

Phil Neray:

Certainly, Bruce. So for many years, IT security teams were kept out of the plant, and the OT teams were responsible for security in the plants. That’s changed over the last couple of years as business leaders have come to understand the risks and also the basic understanding that the people that run the plants, their main job is to keep plants running, to produce higher quality. Obviously there’s some overlap. They want to make sure that there are no safety incidents, but their expertise lies in production, not security. So, we’ve seen the responsibility and accountability for security on the industrial side shift to the IT organizations, typically to the CISO, or if there’s no CISO, to the CIO. That team is much better suited to handling sophisticated attacks. They have tools and workflows that they’ve been working on for 10 years or more and have made huge investments in. By making sure that your OT security products integrate well with your SOC tools, you can seamlessly introduce the alerts and the other information produced on the OT security side into your SOC team workflows.

Now, there’ll be some tweaking required if new logic download is detected on a PLC. Somebody in the SOC needs to have a list of people to call to verify that that was a legitimate download and not something performed by an adversary. But many of the tactics that we see on the OT side are very similar to what we’ve seen on the IT side in the kill chain. It’s initial compromise, lateral movement, privilege escalation. Some of the ways they actually accomplish those things are different and take advantage of the unique protocols and characteristics of OT environments, but the overall kill chain is still the same. So, it makes a lot more sense for the CISO in their organization to be responsible for detecting and responding quickly to these types of incidents.

Bruce Sussman:

Okay. Yeah, good overview – because you do, you want to be able to respond quickly to these incidents. Thank you very much, Phil. All right, let’s go on to our next question. Is there one best practice, or you could probably explain more than one if you want, but one at least to manage security as it relates to the expansion of IIoT and IoT-enabled devices? This kind of brings us full circle here, and Rick, you touched on this right out of the gate. Would you tackle this question with some best practice ideas?

Rick Peters:

Sure, and I want to attribute some credit already to Phil who preceded on this by talking about the kill chain. There’s so much going on today, but one thing we know is that your OT system operators are trying to protect a very rich asset, the cyber-physical, and they’re taught that there’s not much tolerance for latency. It’s all about productivity, safety, and speed to market. So, being able to think about security and think about it in terms of speed, scale, and avoiding that latency is very important. I prefer to think that we ought to, and if I was having a private conversation with a board right now, I would say, believe that you’ve already been compromised. Your attack surface has exploded, you’re using legacy hardware and software. You combine that with the leveraging of enabled devices at a level and a rate of explosion and expansion that we’ve never seen before. You’ve got to continue to believe that that’s going to be the case in the out-years, so start thinking inside out and designing for automated awareness. This goes way beyond the trust – always verify and never trust – and gets into the analysis and inspection of traffic, being able to enforce policy, add speed so that you can recognize and detect and inoculate a situation at speed. That’s very, very important. So if we’re thinking in that dimension now, it’s not that we’re discrediting perimeter security; we’re thinking in both dimensions. That allows the OT system owner then to have that awareness of what’s going on within their domain, across the hierarchy, whether it’s at the enterprise connection level or if it’s all the way down to the plant floor.

Bruce Sussman:

Yeah, that’s fantastic. That idea of inoculating a situation at speed – very good. Now we’re gonna move into the audience Q&A portion of the panel. Here’s a question: with OT equipment maintenance being handled remotely, how are you protecting against malicious remote access to your OT networks? It used to be a very closed environment. It’s much more open now. So, how do we protect against that?

Phil Neray:

We’re seeing this in our client base where not only your own employees are working remotely, but you also have contractors working remotely, which has happened for a while as well, where you need to do maintenance or configuration changes to your OT equipment, and so either the OT equipment vendor or systems integrator is responsible for it. We’re seeing now a huge increase in RDP access to industrial networks, and as we know, RDP is the preferred attack vector for ransomware attacks – it’s actually the number one attack vector. What we’re seeing with our clients is they are increasing the amount of continuous threat monitoring going on in their facilities – the idea being that you want to very quickly detect any unauthorized or suspicious activity coming in over that remote traffic, so you can stop the attack before they blow up or shut down your plants. You may not be able to keep them out, but you want to catch them as quickly as you can and then push them out before they get to your crown jewel assets.

Bruce Sussman:

Okay. Yeah, great point. Anybody else want to add on to this?

Rick Peters:

Yeah, I totally agree with what Phil was describing there, and it’s important to recognize that cyber campaigns against OT targets are as diverse as the number of companies that are out there. While it may not be the OT target that’s used as the access point, it may be the ultimate destination, so we have to recognize the intent and the understanding of what our assets are and what is our most important and rich asset – often that’s the intellectual property, that which separates us from our competition. Similarly, understanding that and being able to recognize that you’re going to see multithreaded attacks, that it might even confuse you – so your ability to control, again, not just enforced zero trust network access, but to control understanding what’s going on behaviorally can recognize those behaviors. If I’m already applying those control metrics that we talked about before using segmentation, then I can capture that event and stifle the cyber adversary from taking that next step in their campaign. Then being able to exfiltrate that intellectual property, which will set me back.

Bruce Sussman:

Yeah, exactly. Thank you for painting that picture, that’s very clear. All right, let’s move on to our next question. This one’s from Mark, and he has a question for Paul. How do you convince your management to allocate the funds needed for an effective cybersecurity platform before an attack happens? So what’s your argument or idea there?

Paul Brager:

As you alluded to, it typically is not identification of the problem, it’s who’s going to pay for it. So, typically if your manufacturing environments and things like that operate on their own P&L, security may have been in the budget, may not have been, so it’s a lot of beg, borrow, and steal, honestly. It’s a lot of being able to articulate what the actual risk is, and if you can take that risk and you can articulate it in a manner that resonates with the plant or with the site, they will help you find the money for you to rectify the problem. Or if there are initiatives around enablement and things like that where they want to become more connected, they want to be able to apply data more readily to business, like real-time decision systems and things like that in order to be able to facilitate faster, smarter production. You can certainly piggyback on those efforts with security requirements to set the outer markers, and so that helps move your security program to the right as well. Ultimately again, really being able to articulate the risk, not in bits and bytes because the people that you’re talking to may have no idea what you’re talking about – so being able to articulate that in terms of productivity loss, assets loss, potential loss of life, things that matter within an OT environment. If you can get that message across, they will help you find the money.

Phil Neray:

If I could jump in here, some things we’ve heard from our clients – one of the quotes I heard was never let a good incident go to waste. So, if you’ve had any kind of malware incident in your plant, or even a shutdown caused by employee misconfiguration or some non-cyber-related incident but that would have been detected and quickly mitigated by continuous monitoring, use that as a way to show what the value is of implementing stronger cybersecurity. So number one, never let an incident go to waste. Number two, the DHS, for example, put out an advisory recently warning that chemical facilities were being targeted by adversaries. So, using third-party resources like the DHS, MITRE, NIST, and others to show you’re not doing fear, uncertainty, and doubt here – this is a real issue that needs to be addressed as a business risk – will often cause budgets to appear that weren’t previously allocated. The board might say, this is a level of risk that we are not willing to tolerate, given our risk appetite. If you tell me that you think in the next 12 months, there’s a 20% chance that our plants could get attacked and shut down or blown up, that might not be the level of risk they’re willing to deal with and therefore they’ll allocate a budget for it.

Bruce Sussman:

Yeah, good point. Anyone else want to chime in on this?

Stew Wolfe:

Yeah, I was just going to say that this is kind of the typical problem that we see on the IT side as well – being able to get approval for things. A lot of that is because you can’t necessarily quantify the impact to the business. So, if you can quantify and show them the monetary loss and how that particular asset is enabling the business, why it’s important to protect from a threat risk perspective, that’s really key. The other thing is that you need to have some sort of plan and roadmap, so you want to be able to have good governance, be aligned with the business, understand what investments they want to make on the OT side, on the industrial side, and then be able to have some sort of budget and allocation for current and future projects as well so that you’ve got money there to be able to allocate when things happen, and also when you want to be able to make new investments as well.

Bruce Sussman:

Okay, great. That was a good answer to that question. Here’s our next question. This is from Shea. If OT is mostly focused on availability and IT is mostly focused on confidentiality, who is mostly responsible for integrity? Interesting question. Does anybody want to take a shot at what Shea was talking about there?

Paul Brager:

I’ll take a stab at it. I will say that it depends. Typically, in your OT environments, availability obviously is key, followed by safety, and then security is counted as third. So, it kind of depends on what you mean by integrity. If you’re talking about the integrity of the data, integrity of the elements of the control loop, and things like that, then obviously the site itself is going to be very accountable for that, because it’s going to have impact on its ability to produce. It’s going to have a very direct impact on its ability to produce. They’re not waste. If you’re talking about the integrity of data as it’s leaving the facility, then that’s a shared responsibility. A) is the data actually what you intended for it to be? And then B) as it leaves the facility and goes into the broader enterprise environment or split of files, does it arrive at that destination in the appropriate format as intended? But if it’s integrity inside of the manufacturing environment or the production environment itself, it’s the responsibility of those people that are there, because they’re directly impacted by it.

Rick Peters:

Yeah, Paul is spot on. It’s not a responsibility you can divorce, regardless of whether you characterize yourself as IT or OT. It’s a matter of priority, and it’s also a matter of understanding the context of what it is you’re talking about. Obviously the closer you get to the decisions that affect live production, the more you care about the integrity of those actions and you govern that very carefully. You may have ranges of settings that are allowed, and you can interdict if there’s an attempt to try and do something that obviously would cause a process to spiral or to have a production line be affected in such a subtle way as it could affect you down the road and having to do a recall of a product. So again, it’s a comprehensive responsibility, but I think in terms of OT, it’s understanding what’s happening on the inside.

Phil Neray:

Also, I think this dichotomy of CIA being different across IT and OT, it’s true, but I think it’s changing and I don’t think the lines are as clean as they once were. If you look at availability on the IT side, it’s also really important: if your SAP systems and your email systems go down, that’s a major hit to the company. So, availability is important on the IT side, and then confidentiality is important also on the OT side, if we were talking about the theft of sensitive intellectual property. So, I think the lines are blurring and I think the distinctions are less relevant now than they once were.

Bruce Sussman:

Fantastic. Appreciate those responses. Now a question from Mike, who wants to know, how do executives avoid alert fatigue and prioritize tasking of remediation activities? So, what do you think about this problem of alert fatigue in this space?

Stew Wolfe:

I think the first thing comes down to having a managed service. There are managed services that you can purchase or also even do for yourself, but be able to filter out the alerts that are false positives, be able to prioritize which critical systems you have that are most important, and then figure out what vulnerabilities you need to address first. The other piece is having an effective incident response program should you be attacked as well. All those pieces need to come together to be able to clearly see. Then the other piece is also having good threat intelligence and being able to correlate what’s going on so that you can reduce the number of false positives and be able to get down to just a few key actionable alerts that you actually need.

Bruce Sussman:

Fantastic. Well, thank you so much, Phil. Thank you, Paul. Thank you, Stew. Thank you, Rick. Really appreciate your expertise and unpacking things. Thank you all very much for being a part of today’s panel discussion. Really appreciate all of you and want to let you know that we have a brand new podcast episode coming out tomorrow. It’s called SecureWorld Sessions. It’s available on all the major platforms and in this week’s episode, we’re talking about cyber insurance and incident response, how your cyber insurance may derail things if you’re not aware of what it says. I interviewed Shawn Tuma, who’s a nationally-known cyber attorney and an advisory council member with SecureWorld as well.

In the meantime, thank you again to CyberX, to Fortinet, to NTT – we appreciate your support of this digital collaboration. I hope you found great value in today’s conversation, and remember, you can download a certificate of attendance tab if you need to. You can watch this on demand and share it with other members of your IT or OT security team. So, thank you for being with us today on today’s SecureWorld Remote Session. Have a fantastic rest of your day, and this concludes our broadcast.