Critical infrastructure and industrial operations, such as power and oil and gas, remain top cyber targets. Why do you think this remains the case?
Control systems and OT (operational technology) networks are still unprotected targets. And adversaries have gained more in-depth knowledge about control systems and how they can be manipulated and attacked; they have increased their capabilities and understanding of these systems. There has also been an increase in the number of attacks and breaches in control systems.
The industrial organizations that rely on critical control system assets and systems are taking notice and starting to try to mitigate the risks as much as they can.
Industrial cyber-attack reports seem few and far between. What are some of the biggest misconceptions or challenges for securing control systems and industrial operations?
First, industrial cyber-attack reports are few because of under-reporting. Most organizations that have experienced incidents in their control systems have no desire to report them to the world. And there aren’t laws across industrial operations requiring organizations to report or disclose breaches like financial services.
The second issue is realizing there is a problem with OT cyber security. A lot of companies say they have not faced attacks yet, and so do not invest in securing their OT networks. But 90% of organizations don’t know an attack occurred as they don’t have the systems or employees to monitor or detect a breach in the control systems. In the maritime industry, for example, vessels, LNG, LPG, FSRU, and oil tankers are $300+ million ships with modern industrial control systems running critical operational elements. These vessels connect to third-party OEMs, the shipowner, the manager managing a fleet of vessels, and other third-party providers with access. We see little to no cyber security across the vast majority of these vessels. So, even if there is a breach in the control system environment, owners and operators have no way to detect it unless there is a disaster.
The next challenge is mitigating critical control system cyber risks. There is often a skill and knowledge gap to overcome. Organizations typically have IT professionals that do an excellent job of understanding their corporate network and how to lock it down, but limited knowledge of control systems and what to do with them. Many IT professionals have never been to ships or offshore platforms. Then you have OT professionals who do a fantastic job running the operations efficiently but are not cyber security trained. Bringing the two groups together and implementing solutions across people, process, and technology is a challenge we face every day and one we try to help our customers overcome.
New cybersecurity alliances are taking form, such as the ISA Global Cybersecurity Alliance and the Operational Technology Cyber Security Alliance. Where do you see these types of alliances fitting in, and what value do they offer industrial organizations?
In the industrial control system cyber security market, there are not a lot of players. There are some from the US, Switzerland, Israel, and the Netherlands. All these companies and more see the challenge. They are not experts in control system cyber security, but the alliance is a way for them to get involved and share their views and expertise. It is one thing to have an assessment and prepare, but at the end of the day, when you are attacked, you need to be able to respond. You need individuals that understand control systems and the type of attack, especially if it is a large-scale attack, and there are not many experts in these areas.
Alliances can be a way to form partnerships where organizations could respond to more significant incidents. We recently joined a cyber alliance in maritime to support that use case. We’re also one of the founding members of the ISA cyber security alliance and will be announcing a stream of partnerships in 2020 with large organizations across the world. We welcome and support cyber security alliances. They are great ideas, and we will see more of them.
You may also see some standards emerge that organizations can apply internally and benchmark. In the control system world, we have NIST, IEC 62443, and ISO 27001, but very few industries, with power being an exception, have specific standards. In the maritime sector, the International Maritime Organization (IMO) has its standards as well and has more or less directed owners and operators to implement specific cyber security measures to comply with the IMO standards. As these global cyber alliances form, you will see more of these standards tailored to each industry.
As organizations look to secure their OT networks and control systems, what are some steps they can take to further their cyber security posture and reduce risks faster?
Mission Secure recommends an assessment and design process following industry-based standards. To start, companies can install technology into the OT network that scans the network, showing what’s on the network and what’s talking to which devices. This step starts to develop a map of the control systems, communication flows, and what assets or devices connect to the network. Once companies have a precise control system map, they can start to separate assets that should be communicating versus the ones that should not be communicating. Then, organizations need to block those that shouldn’t be communicating and lock down the network, so operations run the way they need without extra traffic in the background.
In a recent maritime vessel assessment, we found four million connections from the vessel to IP addresses onshore over five or six days. That information can be dissected and helps to figure out assets or devices that need to communicate, segment those devices away from the system network, and monitor them for what you don’t need to communicate back and shut down the unauthorized communications.
In addition to technology, the other elements are people and processes. There is training, incident response plans, and backup procedures. All these people and process plans need to come together with technology. One can’t install technology, click a button, and cyber security happens. That’s not realistic. It’s also why Mission Secure offers cyber advisory services in addition to hardware and software technology. Clients require a comprehensive approach to secure industrial operations.
A seasoned entrepreneur, David has expertise in IT, cybersecurity, energy, finance and risk management. As CEO and co-founder of Mission Secure, David’s responsible for strategic planning and execution. He advises leaders in industry, defense and government on control system cybersecurity.
Earlier, David was CEO, co-founder and board member at Gravity Renewables, a private equity-backed clean energy company. David was CEO and co-founder of Roam Secure, a leading provider of emergency alerting systems; acquired by Cooper Industries, now Eaton Corporation. David also founded The Ballast Fund to invest in early-stage companies. He was an investor and board member of Trusted Metrics, a cybersecurity firm acquired by SolarWinds.
Beginning his career at KPMG, David is a CPA and earned a BSc in Economics and Finance from the London School of Economics. David speaks regularly at investor and industry events.