October is National Cybersecurity Awareness Month (NCSAM). The annual collaborative effort between government and industry aims to raise awareness about the importance of cybersecurity and ensure all have the resource to be safe and secure.
Led by the United States’ Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA), this year’s theme—Do your part. #BeCyberSmart— encourages individuals and organizations to own their role in protecting their part of cyberspace, stressing personal accountability, and the importance of taking proactive steps to enhance cybersecurity. At Mission Secure, cybersecurity is what we do. In support of NCSAM 2020, we’ve put together short “Interview Bytes” to discuss cybersecurity from an operational technology (OT) and industrial control system (ICS) perspective.
Interview Bytes | Week 1: If you can connect it, protect it
“When it comes to cybersecurity, a lot of these systems are inherently not built for cyber.”
Today, there are few physical or process operations that don’t leverage operational technology (OT). Physical operations controlled by digital assets (control systems or OT) permeate nearly every part of our lives. The food we eat and the medicine we take to the energy that powers our lights and the lights that manage traffic flow—all these physical operations and processes rely on critical control systems to safely and reliably function.
In the defense and federal government space, building control systems, HVAC, power generation and distribution, fuel depots, base security, or the weapons system platforms themselves, such as autonomous vehicles, ships, air vehicles, and ground vehicles, all share control systems. As more critical logistical support systems, mission operational systems, and communications systems become further automated, the risks associated with cyber threats are magnified in the field.
In this segment, Ed Suhler, VP of Defense Services, and Mark Baggett, VP of Industrial Control Systems, share their insights into today’s cyber threats from two perspectives: defense operations and commercial organizations.
Question: What are the new cyber threats worrying organizations today?
From a Defense Perspective | Ed Suhler, VP of Defense Services: The cyber threats that we face within the Defense Department and within the federal government space, in general, come to the Internet of Things. And the Internet of Things has reached an entire category of devices, processes, and things on the network that we didn’t have before.
From a Commercial Perspective | Mark Baggett, VP of Industrial Control Systems: The same applies to commercial. We had systems that were standalone systems years ago. Well, now they’re connected because of the Internet of Things. Everybody wants that data. They want data from the shop floor all the way to the chief executive officer’s desk. Whenever you have that many people connected to your live control systems, you’re going to be more vulnerable—the more people who have access, the more people that can get in. And you’re going to have more problems.
From a Defense Perspective | Ed Suhler, VP of Defense Services: Things that were considered to be air-gapped are just no longer air-gapped. And when it comes to cybersecurity, a lot of these systems are inherently not built for cyber. They’re built to do whatever those physical processes are, whether that’s the weapon systems, the flight control systems, or others.
From a Commercial Perspective | Mark Baggett, VP of Industrial Control Systems: We’re more connected now than we’ve ever been, and we’re more vulnerable now.
If you can connect it, protect it: Tip of the week
For decades, OT ensured the safe, reliable, and continuous operation of physical processes. For protection, these systems maintained an “air-gap” keeping them unconnected from all other systems. But, over the years, IT and OT systems have come together, and this convergence exposes OT networks to new cybersecurity threats that cannot be overcome with traditional IT cybersecurity.
And the risks are significant. Cyber adversaries are attempting to control physical process operations, which can result in health and safety impacts, environmental damage, production shutdowns, and even loss of life. These commercial and defense organizations need to trust that their operations are locked down and will remain reliable, even in the face of cyber threats.
The first step is knowing what’s on your network so that you can protect it. Assessing the current state of OT cybersecurity is always the initial step. Assess your cyber vulnerabilities and risks. Every operation should start by conducting a cyber risk assessment of the OT networks controlling the most critical assets, processes, and platforms. The goal of the assessment is to identify the most critical OT and IT cyber risks and close any immediate gaps.
Tip of the Week: Find out what’s on your network. Know what’s on your network so that you can protect it.
Once you know what is on your network, you can start to mitigate any immediate threats and plan a longer-term cyber-protection strategy. But you can’t protect your operations if you don’t know your assets. What are they? Where are they? What are they doing? What should they be doing?
OT assets were built for efficiency and reliability but typically not for cybersecurity. This reality is even direr for environments with legacy equipment. OT systems will not be replaced wholesale with more secure systems any time soon. And they need to be cyber resilient today. It is no longer enough to keep the adversary at bay. A new approach is needed to ensure that critical operational functions continue in the face of a cyber threat.
Do Your Part. #BeCyberSmart
The increasing frequency of successful operational technology (OT) cyber-attacks serves as a wakeup call to all network administrators, IT and OT alike: the smallest hole in today’s cyber defenses gives adversaries a vector for attack. Cybersecurity is no longer only safeguarding personal data and intellectual property—it is protecting vast, complex operations that impact everyday life and each individual’s lives throughout society.
“A focus on ORM – or operational resilience management - beyond information-centric cybersecurity is sorely needed.”
More from Ed on OT Cybersecurity in Defense: The OT Cybersecurity Blind Spot: The need for visibility and protection for Level 0
More from Mark on OT Cybersecurity in Commercial Operations: Cybersecurity and safety: Increasing risks and escalating impacts
About the Speakers:
Ed Suhler currently serves as the Vice President of OT Cybersecurity Implementation Services at Mission Secure, where he focuses on implementing Mission Secure’s patented technology to secure client operations from cyber risks. Ed often leads as the technical project manager for customer engagements, including Fortune 10 and 1000 clients in oil and gas, maritime, smart cities, and defense industries. Ed cybersecurity projects cover a range of control systems and critical assets, including transportation management systems, power distribution systems, and unmanned aerial systems (UAS) for the U.S. Navy. Ed holds five patents for applications of cyber protections to cyber-physical systems and has filed additional patents on his research efforts on system-aware cybersecurity methods and techniques. He’s authored numerous white papers on the application of system-aware cybersecurity and its use in industries such as transportation, oil and gas, autonomous systems, and electrical distribution systems. Ed holds a Bachelor of Science in Management and Management Information Systems from the University of Virginia.
Mark Baggett has over 30 years of experience and is an industry veteran and industrial control systems (ICS) expert. His expertise stems from the energy sector, where he’s designed, engineered, and implemented control systems for the industry’s biggest players, including BP, Total, Shell, Exxon, and ConocoPhillips, among others. Mark’s experience spans the globe with ICS projects across Europe, Asia-Pacific, and North America. As VP of ICS at Mission Secure, Mark leverages his expertise to help operations assess current systems, vulnerabilities, and potential attack vectors, providing guidance and recommendations to mitigate cyber risks and implement a secure cyber architecture. Mark’s managed cybersecurity projects for oil rigs, refineries, pipelines, manufacturing plants, and chemical facilities. He’s routinely invited to speak on ICS cybersecurity, most recently presenting at the SCADA Technology Summit and AIChE’s 2020 Spring Meeting. Mark holds a bachelor’s degree in Secondary Education and frequently teaches control system training courses at San Jacinto College located in Pasadena and Houston, Texas