Protecting OT Networks and Safeguarding Critical Operations
Written by Mission Secure
October is National Cybersecurity Awareness Month (NCSAM). The annual collaborative effort between government and industry aims to raise awareness about the importance of cybersecurity and ensure all have the resources to be safe and secure.
Led by the United States’ Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA), this year’s theme, “Do your part. #BeCyberSmart”, encourages individuals and organizations to own their role in protecting their part of cyberspace, stressing personal accountability and the importance of taking proactive steps to enhance cybersecurity. At Mission Secure, cybersecurity is what we do. In support of NCSAM 2020, we’ve put together short “Interview Bytes” to discuss cybersecurity from an operational technology (OT) and industrial control system (ICS) perspective.
Interview Bytes | Week 4: The Future of Connected Devices
“It’s just a crazy attack surface and exploits. It’s ‘an ounce of prevention is worth a pound of cure’ type situation.”
Autonomous vehicles, drone delivery, smart cities, AI, and machine learning: a future of connected devices and a more interconnected existence looks nearly certain. But how can we achieve new technological heights while staying secure?
As operations across industries digitally transform, they leave critical operational technology (OT) networks exposed. In the final segment of our National Cybersecurity Awareness Month series, Ed Suhler, VP of Defense Services, Mark Baggett, VP of Industrial Control Systems, and Weston Hecker, Ethical Hacker, share their words of advice for protecting critical operations today and into the future.
Question: What are some words of advice to protect critical operations from cyber threats?
From a Defense Perspective | Ed Suhler, VP of Defense Services: Don’t rely on outdated ways of thinking about cybersecurity to protect you. Air-gapping doesn’t work anymore. And make sure that the critical things you make sure work in your environment will work in the face of a threat.
From a Commercial Perspective | Mark Baggett, VP of Industrial Control Systems: I second that to say, know who’s on your network and what they’re doing. If you don’t have a view into your network, I can guarantee you’ve got people on there that you don’t know are there.
From a Hacker's Perspective | Weston Hecker, Ethical Hacker & Cyber Evangelist: Especially with everyone having their Internet of Things devices, a smart light bulb or things like that unnecessariness that needs to be plugged into a network, and with the rise of a small computer in your pocket—everybody has their iPhones or Android phones—you have a huge attack surface. And just with some of those, I’ve seen several proof-of-concepts where people are able to compromise an Android device. And then, it basically goes around compromising everything that it wirelessly comes in the range with. It’s “an ounce of prevention is worth a pound of cure” type situation.
The Future of Connected Devices: Protecting OT Networks and Safeguarding Critical Operations
The business case today for continuing to modernize OT is the same as it has been for more than 200 years: getting things done faster, more safely and efficiently, and at a lower cost. The benefits of OT investments cannot be overstated. Historically, OT has been one of the great contributors to improving quality of life by enabling the economical and safe delivery of clean water, energy, and wastewater treatment, as well as the production of many of life’s manufactured staples.
It is therefore not surprising that OT functionality is finding a wider audience beyond its traditional industrial base. The benefits of monitoring and controlling our physical environment are increasingly attractive to commercial enterprises, governments, and even consumers. But the cybersecurity concerns associated with OT have never been higher as the ability to isolate OT systems becomes increasingly difficult.
For organizations across industries, critical infrastructure, and national defense, the ultimate goal is cyber resiliency: ensuring the safety and security of operations in the face of a cyber-attack. It’s a task made difficult by IT/OT convergence and the rapid adoption of new, emerging technologies, but one that organizations must achieve as they look to the future of connected devices and the protection of their critical OT networks and operations.
Tip of the Week: An ounce of prevention is worth a pound of cure. Protecting OT networks today is safeguarding operations against tomorrow’s cyber threats.
Do Your Part. #BeCyberSmart
Throughout October, industry experts and an ethical hacker shared their insights into today’s cyber risks, new vulnerabilities, heightened impacts, and recommendations for protecting critical OT networks and operations. Catch up on the series:
Week 1: Threats to Critical Infrastructure & Industrial Operations
Week 2: Words of Wisdom from an Industrial Ethical Hacker
Week 3: Cyber-physical Vulnerabilities: New Threats and Impacts
As technology continues to transform organizations, it is more pertinent than ever to reassess cybersecurity best practices, especially in protecting cyber-physical processes and systems. As Gartner poignantly states, “A focus on ORM – or operational resilience management - beyond information-centric cybersecurity is sorely needed.”
About the Speakers:
Ed Suhler currently serves as the Vice President of OT Cybersecurity Implementation Services at Mission Secure, where he focuses on implementing Mission Secure’s patented technology to secure client operations from cyber risks. Ed often leads as the technical project manager for customer engagements, including Fortune 10 and 1000 clients in oil and gas, maritime, smart cities, and defense industries. Ed’s cybersecurity projects cover a range of control systems and critical assets, including transportation management systems, power distribution systems, and unmanned aerial systems (UAS) for the U.S. Navy. Ed holds five patents for applications of cyber protections to cyber-physical systems and has filed additional patents on his research efforts on system-aware cybersecurity methods and techniques. He’s authored numerous white papers on the application of system-aware cybersecurity and its use in industries such as transportation, oil and gas, autonomous systems, and electrical distribution systems. Ed holds a Bachelor of Science in Management and Management Information Systems from the University of Virginia.
Mark Baggett has over 30 years of experience and is an industry veteran and industrial control systems (ICS) expert. His expertise stems from the energy sector, where he’s designed, engineered, and implemented control systems for the industry’s biggest players, including BP, Total, Shell, Exxon, and ConocoPhillips, among others. Mark’s experience spans the globe with ICS projects across Europe, Asia-Pacific, and North America. As VP of ICS at Mission Secure, Mark leverages his expertise to help operations assess current systems, vulnerabilities, and potential attack vectors, providing guidance and recommendations to mitigate cyber risks and implement a secure cyber architecture. Mark’s managed cybersecurity projects for oil rigs, refineries, pipelines, manufacturing plants, and chemical facilities. He’s routinely invited to speak on ICS cybersecurity, most recently presenting at the SCADA Technology Summit and AIChE’s 2020 Spring Meeting. Mark holds a bachelor’s degree in Secondary Education and frequently teaches control system training courses at San Jacinto College located in Pasadena and Houston, Texas.
Weston Hecker contributes a wealth of cybersecurity expertise as a cyber evangelist and ethical hacker with over 17 years of pen-testing and 14 years of experience in cybersecurity research and programming. Weston’s found several software and firmware vulnerabilities, including Microsoft, Samsung, HTC, and Verizon. He works with organizations on their cybersecurity strategies, including leaders in oil and gas, chemicals, maritime, and defense sectors.
A regular on the cybersecurity circuit, Weston’s delivered over 50 presentations ranging from industry-leading events to regional conferences and universities. Notable events include Blackhat, Defcon, ISC2-Security Congress, SC-Congress, BSIDESBoston, and TakedownCON. Weston’s work with universities includes projects and training such as the “Hacking Oil Rigs for Profit” event at the University of Houston. He’s also working on a major university’s project with the Department of Homeland Security on 911 emergency systems and attack mitigation. Weston attended school in Minneapolis, where he studied Computer Science and Geophysics.
Originally published October 30, 2020, updated January 27, 2021.