NCSAM 2019 Perspectives on ICS & OT Cybersecurity: Building cybersecurity awareness in the industry

October is National Cybersecurity Awareness Month (NCSAM). The annual collaborative effort between government and industry aims to raise awareness about the importance of cybersecurity and ensure all have the resource to be safe and secure.

Led by the United States’ Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA), this year’s theme—OWN IT. SECURE IT. PROTECT IT.— stresses personal accountability and taking proactive measures. At Mission Secure, cybersecurity is what we do. In support of NCSAM 2019, we’re taking an operational technology (OT) and industrial control system (ICS) approach to this year’s theme.

Own ICS. Secure OT. Protect Operations.

Interview with Kent Pope, CRO, on building cybersecurity awareness in the industry

Kicking off NCSAM 2019, we sat down with Mission Secure CRO, Kent Pope, to discuss and gain his insights on building cybersecurity awareness in the industry. Having spent his 30-year career in cybersecurity, Kent discusses the state of OT cybersecurity, industry challenges and building awareness within organizations.

Let’s start with a little history. Can you give a recap of your cybersecurity career?

Early on, I started working with mainframes and dumb terminals for the Hertz Corporation. At that time, Hertz was working on a data project aimed to centralized network management, create efficiencies and reduce cost. From there, I went to work for a few resellers and then founded my own reseller business, running that for several years. We provided full turnkey computer services from fiber and copper cabling to custom accounting software and complete network builds, including high-end Tricord and Compaq servers. Technology and the challenges we were addressing we’re quite different back then, but the drivers were similar—productivity, efficiency and cost.

After working at Cisco for a few years, I joined TippingPoint, a new cybersecurity start-up. TippingPoint was one of the first Intrusion Prevention System (IPS) and evolved during an interesting time in the tech industry. We grew into the leader for IPS, eventually purchased by 3Com. Then, HP acquired 3Com. After TippingPoint, I stayed in the cybersecurity space, working at CSC and a few other startups. Cybersecurity’s been my focal point for the last 15 years or so, and it’s definitely evolved.

Throughout all these experiences, I focused on and enjoyed connecting users to the technology they needed to solve their challenges or pains. And today, cybersecurity is one of the biggest challenges we face.

Over your time in the industry, how has technology and cybersecurity changed?

It’s been a long time. When I first got into IT security, it was more about physical security. Where were floppy disks being handed out? Where was the data physically going? Data was a lot more secure then. It stayed in one location or one area.

Nowadays, data—and not just data but devices—are everywhere. Data flows like water. So now, there are more and more smart devices and more devices on a network. And there’s a lot of bad actors who have learned they can use technology for malicious intent or to harm a company.

Let’s pivot on that note; there’s usually a distinction between IT and operational technology (OT) cybersecurity. What are your thoughts about control system and OT cybersecurity?

It’s a situation where OT or control system cybersecurity is up-and-coming. Organizations are starting to become aware of the vulnerabilities to control systems, the repercussions that can happen and the financial cost if they do get compromised or breached. If someone can take control of a tanker or shut down a plant, the financial burden of that scenario for the company is massive. And that’s just financial costs. There are also potential safety, human, environmental and reputation costs in those scenarios.

If you read the trade rags and other publications, OT and control system cybersecurity is critical to operations. It’s something that organizations need to address. But it’s also still very green. There’s not a lot of people who have gotten the OT network visibility and protection that they require.

#CyberAware is one of the themes this month. In terms of OT cybersecurity awareness, adoption and protection, where are organizations today? What are some key challenges you see for the industry going forward?

In general, more companies are somewhat aware there's an OT cybersecurity issue. The proactive ones who see cybersecurity as crucial as safety are moving fast towards detection and protection. Meanwhile, most of the market is becoming more aware of the critical business risks. As such, more organizations need to increase their knowledge about OT cyber risks and attacks that are happening.

Where are we vulnerable? What’s our cyber risk? How do we mitigate our liability? Those are questions executives and board members ask when I meet to brief them. They want to protect their operations, reduce risks and maximize ROI. To achieve this, they need to solve a key challenge of obtaining visibility and protection down to Levels 1 and 0 in an operational environment. The goal is to keep an operation up and running, despite a cyber attack, and that means the devices controlling the physical processes must be protected. All companies must get there, but we are early in the OT cybersecurity maturity cycle versus where I've been working with IT clients for the past 20 years.

What are some pointers for building greater OT cybersecurity awareness within organizations?

I always talk about how you crawl, walk and then, run. Organizations are the same. Some companies understand they have a cybersecurity problem, and some of them say they don’t. Most of the time a facility says they’re air-gapped and thereby secure, they are not. Then, an assessment discovers hundreds of connections to the outside world. A lot of times, it’s just not knowing or not understanding how processes happen or how people get into these environments. There’s a lot of vendors and service providers with access to help make sure those operations are working, for example.

In speaking with the management of various industrial companies, they don’t really understand their OT cyber risks. The number one thing they need to do is to identify their risks.

An assessment can help identify those risks, offering a true picture of your organization’s cyber posture. Armed with that information, you can start building a defense architect and begin mitigating risks.

To wrap up, what’s one tip for securing industrial control systems from cyber threats.

This is true across cybersecurity; what you don't know can hurt you. So, take action and identify your risks. For enterprises, this usually means getting an assessment.

Own ICS. Secure OT. Protect Operations.

About Kent Pope

Kent contributes more than 30 years of business development and leadership experience in cybersecurity organizations, large and small. As CRO, Pope is responsible for leading sales and marketing to further accelerate Mission Secure’s mission to help companies across industries and critical infrastructures prepare for and protect against cyber attacks.

Before joining Mission Secure, Kent’s led teams in various senior management roles at high-growth technology companies, including numerous cybersecurity start-ups taking them from pre-revenue to exit stages. Kent was the Director of Named Accounts at Forescout Technologies who acquired SecurityMatters in 2018 and built the national sales team at Click Security, acquired by Alert Logic in 2016. Kent joined Cylance during its initial, early stages; Cylance was purchased by BlackBerry Limited earlier this year. In addition to the early-stage and rapid-growth cybersecurity companies, Kent’s worked at CSC, one of the world’s largest managed security service providers (MSSP), and held management and sales roles at Fortune 50 companies including Hewlett-Packard and Cisco. He also founded and led a systems integration business.

Kent holds a BSc in Engineering Physics with an emphasis in computers and electronics from Oklahoma Christian College and is based out of Mission Secure’s Houston office.