Tripwire’s General Manager of Industrial Cybersecurity, Kristen Poulos, discusses the risks that come with the increasing number of connected devices operating on the plant floor and throughout facilities. In this episode, Kristen shares how IT can partner with OT to protect the safety, productivity, and quality of operations.
The following is an edited excerpt from a recent episode of Tripwire’s Cybersecurity Podcast.
Tim Erlin: Welcome everyone to the Tripwire Cybersecurity Podcast. I’m Tim Erlin, vice president of product management and strategy at Tripwire. And today I am joined by Kristen Poulos, who is our GM of industrial cybersecurity. We’re here to talk about industrial cybersecurity. Why are we having this conversation now?
Kristen Poulos: Yeah, it’s relevant now because there’s risk now. I’m sure most of the followers of this topic now understand that this so-called air gap between the industrial world and the outside world has been eliminated. But I also think it’s important to understand why this has happened. So the “next industrial revolution” might be used to describe this theme of increasingly connected devices on the plant floor. And these devices speak traditional IT, not OT protocols. And many can communicate with the outside world.
This is a great thing. But it means that significantly more data while being made available can help users make better decisions. It also means that this door has been opened for malicious outsiders. So with all the promise of the efficiencies of industry 4.0, cybersecurity maturity has to increase in accordance. And that’s why it’s important to talk about industrial cybersecurity right now.
Who’s Responsible for OT Security?
TE: OT and ICS environments have really been separate from enterprise IT and as such haven’t really been a part of enterprise cybersecurity, either. So, who do we see today as responsible or having that responsibility for securing the OT assets an organization has?
KP: Yeah, and there’s been a lot of migration and movement here with who holds this responsibility.
So, you know, physical security, that’s always going to be an OT owner’s responsibility, but cybersecurity is a different realm. The threat landscape is very different. And because like we mentioned, technologies are converging because attacks can begin in an enterprise environment and migrate to the industrial space. And because events can impact every single person in the company. Whether that cyber event impacts a brand reputation, production downtime or is maybe even a safety incident responsibility for OT, cybersecurity is increasingly becoming the responsibility of someone in the C suite. And this is likely a CIO or a CSO. All that said, though, some of the most successful organizations that I’ve seen have implemented OT cybersecurity controls with a very strong partnership between IT and OT and sometimes even created new roles to help bridge the gap and translate each stakeholder’s requirements to the other. So yes, the ownership is shifting to the CIO, but real successful deployments are going to be executed with that solid partnership.
Crossing the IT-OT Divide
TE: The IT security community and the OT engineering community both have a shared responsibility for the operational state of these assets, and they don’t always get along. What do you think the IT security practitioners should know about OT engineers in the environment that they work in?
KP: So first of all, while this promise of IT-OT convergence is a very promising theme, I think an IT practitioner absolutely needs to know that not all OT technologies have converged. So it’s going to be first of all important that they learn a bit about industrial protocols. And it’s important when they think about implementing security controls that they think about tools and processes where they’re able to communicate in both traditional IT and OT protocols.
Second, the technology refresh cycles are completely different in OT. Now OT refresh cycles I think are shortening. But there shouldn’t be any expectation from the IT folks that they’re going to be as short as the technology refresh cycles that are seen on the IT side. And so they need to be thinking more long-term. And as they’re implementing new controls, because you can’t have downtime once a year when you’re doing your cybersecurity refresh, your plant managers and your controls guys are not going to be happy with that.
Finally, I think maybe the last thing to remember is that some OT networks are older than the security practitioners who are now assigned to protecting them. So they were designed before cyberattacks were even possible. So when you get in there and you start learning about the network, you’re now in charge of it. It’s not uncommon at all to see a flat network. And what will seem to be a daunting task to secure. So it’s important to have a roadmap towards maturity and certainly not think about securing your OT environment with some single big bang project. It really is going to be a continuous effort.
TE: So does that mean that the security controls that we’re deploying on the IT side now don’t apply to the OT environments?
KP: Well, it’s a hybrid, so some of them absolutely do apply, and you’re going to use some of the same practices and controls. But they will be modified for an industrial context.
TE: So then there’s the flip side of it. Right? So if that’s what IT should know about the OT environment, what should OT engineers know when they start engaging with IT security folks?
KP: I think it’s important for them to have an appreciation and a nuance for the complexity of IT security. You know, where these folks are really coming from. IT security’s a lot more mature, and the threats are extremely sophisticated. So I’ve heard IT folks think, “Oh, IT guys, they overcomplicate things or they don’t understand the OT world.” And I think what’s important here is really finding a balance. And again, this is why I’m a huge proponent of creating that security role to bridge the gaps and bring the teams together.
You know, there’s this all familiar CIA triad, right? We, we’ve talked about this a lot. Confidentiality, integrity and availability. These are the three pillars of it. Cybersecurity and IT’s in a very specific and meaningful order. But when OT cybersecurity emerged, we flipped that and it was AIC to put availability first. Uptime has everything. And so that’s some of the source of that riff. I anticipate the more IT and OT converges, the more IT folks and OT folks have to interact, the less we’re going to think about this triad in any specific order but rather as three key security priorities of equal importance that both teams need to work together to resolve.
Developing a Plan for Securing OT Assets
TE: So we’re in this situation where IT and OT are starting to converge. That means that you have IT security folks who are finding themselves increasingly responsible for environments that contain OT assets. Where should they start? If I’m an IT security engineer and I suddenly have this new responsibility, what’s the first thing I should do or be concerned about?
KP: Know what you have. And again, this goes back to finding a tool that communicates in both those IT and OT languages so you can discover assets that are communicating across the OT network. And I mentioned passive technologies earlier. I think it’s important to find a balance and blend between both passive and active technologies.
TE: And once you have that visibility, what’s the roadmap look like?
KP: You know, you’ve got these flat networks now. You might want to start thinking about how you’re going to segment them. You can start monitoring log activity, you can start assessing devices that have identified vulnerabilities. So it’s not uncommon at this stage after you’ve achieved visibility to start doing things like investing in firewalls or even something like a patching solution. And from there, I think it’s really more about continuously monitoring your environment. Once you are able to establish a configuration that you call secure, the right monitoring tools are going to be able to immediately flag when there’s been some deviation from your definition of secure. And this is really a key capability especially when organizations like to model their cybersecurity practices around some of the trusted industry standards or frameworks.
TE: So that all makes sense. I actually think that’s not that different from how you might approach a new enterprise IT environment. But we’re in the middle of a really significant, unprecedented change with COVID-19 driving different ways that people work and approach work. Technology’s impacted, of course. Do you see industrial cybersecurity having being impacted significantly by COVID-19? And what do you think those impacts are going to be?
KP: Yeah. from what we can tell, it’s going to pick up the pace and demand a faster acceleration of not only implementation for organizations who haven’t yet begun to invest in cybersecurity. But also the roadmaps vendors are going to I think accelerate in the technologies that they start bringing to market for industrial cybersecurity.
TE: Alright, awesome. Well, we’re out of time or we’re close to out of time. I really want to thank you for spending the time with us. Hope it was interesting and educational for everyone. I hope you tune in next time to the Tripwire Cybersecurity Podcast. Thanks.