NCSAM 2019 Perspectives on ICS & OT Cybersecurity: Helping organizations ‘secure’ OT
Written by Mission Secure
October is National Cybersecurity Awareness Month (NCSAM). The annual collaborative effort between government and industry aims to raise awareness about the importance of cybersecurity and to ensure everyone has the resources to be safe and secure online.
Led by the United States’ Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA), this year’s theme—OWN IT. SECURE IT. PROTECT IT.—stresses personal accountability and taking proactive measures. At Mission Secure, cybersecurity is what we do. In support of NCSAM 2019, we’re taking an operational technology (OT) and industrial control system (ICS) approach to this year’s theme.
Own ICS. Secure OT. Protect Operations.
Interview with Paul Arceneaux, VP of Product, on helping organizations “SECURE OT”
We’re all about control systems for NCSAM 2019. Week one covered building ICS cybersecurity awareness within organizations, followed by ‘owning’ industrial control systems during week two. As Don stated last week, “Find a partner that knows OT cybersecurity. Finding a partner that can help block unauthorized traffic, lock-down and segment your OT network is key; it can get very granular and requires an understanding of control system protocols and the operation’s environment.”
This week dives into securing operational technology, or OT, with Paul Arceneaux, Vice President of Product. Having led product development at both IT and OT cybersecurity companies, Paul explains how a product leader and innovator views the OT world and what organizations can do to “secure OT” going forward.
A technologist at heart, you have a long history in IT cybersecurity, from Siemens and HP to, more recently, Alert Logic. Let’s start with why OT cybersecurity. What are the differences between IT and OT cybersecurity?
It comes down to response time. But let’s start with traditional ideas.
Planning for traditional IT is upfront, and there’s a quantity/quality of use expected from users. From a workflow perspective, what users are looking at is managed by IT. For example, your IT cybersecurity can disallow users from doing certain things. And that’s okay. It’s allowed and expected. On the IT side, a little bit of downtime due to something not working or an incident won’t necessarily kill the company.
Now, go over to the OT side—unplanned downtime is a flashing red light. From manufacturing and LNG to refineries and maritime, if you cut out the processes running in the network, the company stops. There is no revenue; production stopped. And challenges can occur. Merely having that operation shut down can be catastrophic for some companies.
So, from an OT standpoint, it’s about making sure those processes keep running safely and reliably. And today, you typically see a little more cybersecurity risk-taking on the OT side. There are gaps, and those need to be filled to make sure processes keep running safely—even if under a cyber attack.
Ultimately, it comes down to response time. What is the response time on those processes? On the IT side, a user will typically call up, unable to access a particular system or component. For OT, you want to make sure response times are within milliseconds of an incident. It’s a user- versus process-based mindset on the backend. Users can wait. Industrial processes, for the most part, cannot.
On a similar note, there’s been a long-standing discussion on IT versus OT departments. What do you think about the IT/OT convergence and its impact on cybersecurity in industrial operations? What do you think we’ll see in the future?
Looking at typical OT setups, this is what historically occurs. The OT team will set up its environment, and that is what persists. As time moves on, the group makes adjustments. Assets might have to be updated. They’ll adjust for different values, upgrading a piece of equipment. But for the most part, the OT architecture of that whole entity stays the same.
In the IT world, we’ve seen an evolution. A revolution throughout the marketplace. The market in the IT world moves extremely fast, and technology moves really fast. BYOD (bring your own device), an app for everything, social media—all of these constructs from users force IT groups to respond quickly. They’ve handled a lot of these shifts well.
Without the user demands seen on the IT side, OT moves very methodically and slowly. The very slowness of OT causes issues. If there’s a security flaw on a piece of equipment, a service or something running in the OT environment, the adoption rate is prolonged. They’re working methodically to make sure things stay up and running.
The two groups are oriented differently. IT has a user base that expects new features to be continuously released; IT is very fast. It’s uptime for OT, back to the goal of making sure everything stays up and running.
Then today, you’ve got a new regime, a new generation, running OT networks. They’re more familiar with and used to the IT way of working. They want some of these new features. Coupled with the adoption and resurgence of IIoT (Industrial Internet of Things) devices, today’s OT teams want more data to run their operations. They want to be able to evaluate devices and data too. These new constructs are now happening within OT. And that’s part of the convergence.
In some cases, OT is turning into an IT shop. IT is now putting demands on the OT groups to give data back to IT so they can also use it to make better business decisions. In other cases, IT is taking over some of the operational control sites in the network. If IT is truly just taking information, presenting data to users, about connectivity and communication, then there is a subset of IT in every OT network. And every OT network has some form of IT. The question, then, becomes a budgeting problem. Within whose budget does ICS cybersecurity fall? As such, we’ve seen a lot of companies merging IT and OT budgets.
There is a natural conflict between IT and OT groups due to their slightly different ways of managing networks. But cybersecurity, especially in the OT network, is where they can, and likely will need to, come together. Cybersecurity is where IT meets OT.
“Secure IT” and securing your digital profile is a theme of NCSAM this year. What can you tell us about securing OT networks and control systems?
When you look at all of the IIoT initiatives and everything people and companies are doing today, data is king. The more data you collect, the more analyses you can do. The better informed you are, the better business decisions you can make.
For OT networks, organizations need to collect data from Level 3 down to Levels 1 and 0. That is the required set of data to collect, analyze, compare and validate to really know what’s going on in the OT network and protect it. Get the data—that visibility piece—and then validate that data so you can control your network. We need to question control systems and validate their accuracy since, just like the IT/OT convergence, they can be hacked and compromised.
The more data organizations collect and validate, the more operators and cybersecurity folks can use that data to make better decisions—for cybersecurity, operations and the business.
A recent report indicates 93% of ICS professionals were concerned about the threat of operational shutdowns and downtime. How are organizations doing with securing OT networks and control systems?
It’s all about uptime. There’s a mentality that this plant isn’t going down on my watch. In practice, this evolves a bit. In traditional IT environments, you place a solution in your network to stop a particular vulnerability or exploit. Or you do something based on the IT policy. But those actions and policies are a lot easier to manage. IT is user-centric, so IT actions tend to be user-based factors or services like usernames and passwords. When you get into a control system environment, it’s different.
Where a business network user can log into Netflix, an OT network user shouldn’t be able to because of the security footprint. You don’t want to have or allow the same variety of control as in the business network. In control networks, you want to lock it down further. This PLC can connect to this other authorized device. Only this port can talk to this specific port. But a balance is needed, an understanding of the OT environment is required, to make sure your operation is protected.
For example, there’s a gut IT reaction to put in a firewall and block everything from entering the OT network. But if you do that, you might actually miss something that’s needed or traffic that’s required to keep the operation running. Some devices or specific traffic might be okay; then, allow those but notify the operator immediately when something abnormal occurs. And if those anomalies do occur, it comes back to response time. How am I going to manage or correct this incident quickly?
Everything in the OT network should be a lot more understood. Hence, the set of rules, policies and products you need in the OT network is going to be different to lock down those systems and processes. When industrial operations involve factors like human safety, environmental concerns and community considerations in addition to revenue, it’s about maintaining that reliability, that safety.
Am I responding quickly enough? Can I ensure that I’m doing all I can to protect my network and keep it running from an OT cybersecurity standpoint? Those are the questions organizations are asking and working on addressing.
On that note, what’s one tip for securing industrial control systems from cyber threats?
See. Understand. Protect. It comes down to visibility and protection in the OT network. Being able to see what’s going on, understand what’s happening and map it out. And then protect based on that information.
Own ICS. Secure OT. Protect Operations.
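As an added illustration of the approach Paul describes above, in which a PLC may talk only to specific authorized devices on specific ports, traffic that is needed but sensitive is allowed yet flagged to the operator, and everything else is denied, here is example code that is not part of the original interview and not Mission Secure’s product. The IP addresses, device roles and flow-log lines are constructed for illustration; the port numbers for Modbus/TCP (502), S7comm (102) and EtherNet/IP (44818) are the standard ones. It also separates two deny reasons, so an operator can tell a gap in the allow-list (a known device pair on an unexpected port) from an unknown host, which is the distinction that keeps a deny-by-default policy from silently breaking required traffic.

```python
"""Allow-list enforcement with operator alerting for one OT network zone.

Constructed example: every address, device role and flow record below is
invented for illustration and does not describe any real plant.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Explicit conversations permitted in the zone: (src, dst, proto, dst_port).
# Anything not listed is denied by default.
ALLOWED_FLOWS = {
    ("10.10.1.20", "10.10.1.10", "tcp", 502),   # HMI -> PLC, Modbus/TCP polling
    ("10.10.1.30", "10.10.1.10", "tcp", 102),   # engineering workstation -> PLC, S7comm
    ("10.10.2.5",  "10.10.1.20", "tcp", 443),   # historian -> HMI, HTTPS data pull
}

# Traffic the operator has decided to allow but wants told about every time,
# e.g. a vendor support laptop programming the PLC. Allowed, but always alert.
ALLOW_WITH_ALERT = {
    ("10.10.1.99", "10.10.1.10", "tcp", 102),   # vendor laptop -> PLC, S7comm
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line of the form 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def classify(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'alert' or 'deny'."""
    key = (flow.src, flow.dst, flow.proto, flow.dst_port)
    if key in ALLOWED_FLOWS:
        return "allow", "explicitly permitted"
    if key in ALLOW_WITH_ALERT:
        return "alert", "permitted but operator must be notified"
    # Deny by default, but say why: a known device pair on an unexpected port
    # usually means the allow-list is incomplete (required traffic at risk),
    # while an unknown pair is a device that should not be in the zone at all.
    known_pairs = {(s, d) for s, d, _, _ in ALLOWED_FLOWS | ALLOW_WITH_ALERT}
    if (flow.src, flow.dst) in known_pairs:
        return "deny", "known pair on unexpected port/protocol"
    return "deny", "unknown source/destination pair"


def evaluate(log_lines: List[str]) -> Dict[str, List[Tuple[Flow, str]]]:
    """Run every flow-log line through the allow-list and bucket it by verdict."""
    buckets: Dict[str, List[Tuple[Flow, str]]] = {"allow": [], "alert": [], "deny": []}
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        verdict, reason = classify(flow)
        buckets[verdict].append((flow, reason))
    return buckets


# Constructed sample flow log for the zone above.
SAMPLE_LOG = """
10.10.1.20 10.10.1.10 tcp 502
10.10.1.30 10.10.1.10 tcp 102
10.10.2.5  10.10.1.20 tcp 443
10.10.1.99 10.10.1.10 tcp 102
10.10.2.5  10.10.1.10 tcp 502
10.10.1.20 10.10.1.10 tcp 44818
192.168.50.7 10.10.1.10 tcp 502
"""

if __name__ == "__main__":
    result = evaluate(SAMPLE_LOG.splitlines())
    # Only the flows that need a human decision are printed; allowed traffic is silent.
    for verdict in ("alert", "deny"):
        for flow, reason in result[verdict]:
            print(f"{verdict.upper():5} {flow.src} -> {flow.dst}:{flow.dst_port}/{flow.proto}  ({reason})")
```

On the constructed log, the three listed conversations pass silently, the vendor laptop is allowed but raised as an alert, and three flows are denied: the historian reaching the PLC directly, the HMI talking to the PLC over EtherNet/IP instead of Modbus, and an address from outside the zone. In a real deployment the allow-list would be built from an observed baseline of the zone first (the “see and understand” step), then enforced.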
About Paul Arceneaux
Paul comes to Mission Secure as a seasoned product visionary and technology executive with a proven history of building products and teams that succeed, as well as defining and executing product strategy. Most recently, Paul served as the Vice President of Engineering at Alert Logic, where he led efforts to redefine the cybersecurity analytical engine, incident response system and UI/UX of the customer-facing web presence to transform the company and garner success in the cloud-based security market. Among many notable achievements, he orchestrated the largest software product launch in the company’s history, resulting in better company-to-customer visibility, shorter customer acquisition time and lower churn.
Prior to his time at Alert Logic, Paul acted as COO at Netgate and in various VP roles in the technology space at companies such as ANXeBusiness, Tipping Point, PinPoint Technologies, Siemens, and CNET. Notably, during his time at ANXeBusiness, Paul transformed the product strategy, pivoting the company from legacy connectivity network products to managed security and compliance SaaS products, resulting in significant growth in revenue.
Paul excels at leading teams in defining new product lines and prioritizing development efforts. He has overseen product lines from initial concept through delivery, including negotiations with hardware OEM vendors and collaboration with technology partners to bring products to market. He is a change agent with a history of redefining strategies, go-to-market methodologies and value propositions that generate immediate and measurable results.
Originally published October 24, 2019, updated November 19, 2020.