Q&A: Claroty and Rockwell Automation Discuss Cyber Risk in OT and IIoT
October 20, 2021
Rockwell Automation Fair® 2021 is less than one month away. The two-day event—to be held November 10-11 in Houston, Texas and virtually—promises to be an exciting convergence of industrial leaders and an opportunity to spark meaningful dialogue about what’s needed to secure the converging worlds of operational technology (OT) and the industrial Internet of Things (IIoT).
As a close partner of Rockwell Automation, Claroty is looking forward to engaging with a wide range of industrial professionals at Booth 1409, as well as during our two sessions, PT02 – Adapting Manufacturing Cyber Defenses to Industry 4.0 and PT22 – Top 10 Security Threats.
In the run-up to Rockwell Automation Fair® 2021, the following Q&A recaps insights shared by Claroty CEO Yaniv Vardi and Rockwell Automation CEO Blake Moret during a recent panel moderated by ISMG’s Tom Field, offering insight into what’s needed to manage evolving cybersecurity risks facing manufacturing sites and critical infrastructure.
How should we manage cybersecurity risks in critical infrastructure on which the day-to-day functioning of society relies?
The industrial Internet of Things (IIoT) includes a lot of processes where machinery is moving. This creates a lot of safety and reliability concerns, because you can’t bring these processes down in the middle of activity. You have to make sure that the movement is being controlled at all times, and so the stakes, in many cases, are higher.
The types of technology and applications are different between IT and OT parts of enterprise networks. There is some commonality between the two with IT-OT convergence, and cybersecurity effects need to be handled in a coordinated way. However, there are very real differences in the approach, the availability of equipment, and the technologies you use.
Companies in the industrial economy are going through digital transformation. They are automating and optimizing their traditional manufacturing processes and trying to connect whatever they can to be more competitive and increase productivity. That creates a huge risk, and the way to mitigate that risk is creating a proactive risk management approach and culture in the company.
Visibility is the first thing that needs to be addressed. You need to identify what assets you have in the network—OT, IoT, IIoT, IT, whatever you have. It’s all growing more interconnected between OT and IT, to the network, to the cloud, and CISOs are struggling with visibility on the OT side, but it’s the first thing you need to address.
From there, start to build your vulnerability management and risk management programs. Start to understand the risk you inherited and address that. But digital transformation is really pushing hard on getting visibility first into what you have; you can’t protect what you don’t see.
What are the complexities of managing security in a landscape shaped by the often competing demands of a variety of direct stakeholders?
What I said before about digital transformation, getting industrial companies to connect IT and OT—there are a lot of conflicts between IT and OT. IT is really focusing on confidentiality and data. They embrace change, need to patch systems and mitigate vulnerabilities, and address bug fixes. Change is positive for IT.
On the OT side, change might create risk and is more negative. You can’t take a system down when you have to patch it. You may have 20-year-old legacy systems that can’t be patched anymore or will be patched slowly. OT priorities are focused on availability and reliability, and this creates conflict between IT and OT.
More than that, when we spoke to many CISOs, we learned that the IT security teams many times don’t know much about the OT side of things, the industrial networks. So they have issues and challenges with visibility, understanding what assets they have and how the assets are connected. The operations teams—such as plant managers and process engineers—many times don’t know much about security. And so there’s a gap that has to be addressed, because these companies are trying to be competitive and increase productivity, hence connecting OT to IT.
The way we see companies addressing this today is with an executive sponsor—a CISO, CIO, even CEO—who is pushing a strategy and the industrial cybersecurity journey forward, while ensuring that IT and OT teams are aligned behind the strategy.
To add to that, I think the skills gap is particularly manifested here. You’re trying to implement a defense-in-depth approach on the factory floor, understanding how big that attack surface is. From the end devices, to the networks, to the software, to insider risk, and being able to educate a changing workforce—that’s a real challenge for manufacturers.
Cyber threats on manufacturing sites have been getting a lot more attention at the CEO and board level. How can CISOs push for more effective preparation and response when it comes to industrial cyber threats?
The pandemic got businesses to operate differently by accelerating a rapid shift to remote operations for many industrial companies; 40% of U.S. businesses confirmed they will start operating remotely or with a hybrid approach. This means the manufacturing and industrial space will have to get users access to networks remotely because they still need to control and manage production. You have to get third-party vendors access to networks remotely. This has happened since last March and attackers are exploiting it. You see the frequency and impact of attacks growing significantly. A lot of it is happening because of the remote access that is being granted, but not securely.
We live in a new era—a time when we are changing the way we do business. But not all companies are addressing the new way they are operating the business. CEOs need to be aware of this and address it.
It is a pervasive and consistent topic in board discussions. Board members know they need to have some domain expertise and understand the basic concepts themselves. They’re looking for a consistent, broad, unified approach. When it comes to the question of whether IT and OT security should ultimately be managed under one organization, I believe the answer is yes. Given that air gaps are no longer protecting OT and a lot of OT data makes its way into the organization’s IT environment, there has to be a coordinated approach while recognizing the differences between IT and OT and making sure that all the major threat areas are addressed. It’s defense-in-depth, it’s making sure your traditional Failure Mode Effect Analysis (FMEA) is updated to contemplate events that were not probable or high priority in the past, and therefore weren’t addressed or funded.
When it comes to improving IIoT security, there is no one-size-fits-all approach. What do you see as most important to tailoring a cybersecurity solution to a company’s needs?
We also learned that different companies are at different maturity levels in the cybersecurity journey. Just because a company is big, that doesn’t necessarily mean that they are at a high maturity level. Maturity often relates more to a company’s industry vertical or the country it operates in than its size.
You need to address the maturity level of a company before you provide your solution. I see many cybersecurity vendors deploying their entire platform into a customer’s environment and saying, ‘here is the solution,’ and leaving it at that. That’s not an effective approach, because not all companies are at a maturity level where they can leverage an industrial cybersecurity solution without guidance and support.
Companies first need to understand the network, what assets they have, how they are connected, what are the proprietary protocols, and so on. Then vulnerability and risk management, then threat detection, then secure remote access. There is a journey you need to go through. As a technology vendor, you can’t just drop your platform and assume the customer is at the right maturity level.
The concept of a journey is really important when introducing a new technology to your manufacturing operation. It shouldn’t happen all at once.
What are the similarities between the industrial security and safety journeys?
With the recent executive order from the Biden administration, I was happy to see they are addressing cybersecurity very similarly to safety, with best practices and industry standards around how to address it, how to create a board review of cybersecurity and safety committees, and how to force critical infrastructure to address it. I saw a lot of similarities between how the administration addressed safety and cybersecurity.
Something positive that came out of the Colonial Pipeline incident is that more companies are addressing industrial cybersecurity similarly to how they addressed safety before.
Moving forward, what do organizations need to do to ensure they are maintaining the required security posture while also achieving the best benefits of connectivity?
By continuing to assess the organization you created to address these issues, making sure you’re getting the sense of urgency it demands, and having the right people in the right roles. As IT and OT come together, not just for cybersecurity, but for the benefits of having an effective organization that blends the perspective of different knowledge bases across disparate groups.
I agree. It’s a threefold approach. Assessment is one thing you have to do, and you have to communicate your strategy very clearly to the organization. And then operational visibility; as I said before, when we have spoken to CISOs and CIOs of industrial manufacturing companies, the No. 1 challenge is visibility, understanding what they have in their networks. You can’t protect what you don’t see. Start with that.
And then lastly, collaboration around putting in place the solutions for threat detection, vulnerability management, and so on. Also making sure you address the ecosystem. Just doing it for your own operation many times doesn’t make sense. Look at automotive. They could have the majority of the production line being delivered by a provider further up the supply chain. If the suppliers are being attacked, the impact on the production line is the same as if it were attacked directly. Having a collaborative approach to addressing cybersecurity strategy, not just internally, but also making sure to address the entire ecosystem.