CBR: What are some of the recent things you’ve been doing in critical industry?
David Hatchell: As a provider of IT security technology, this is not a space in the operational technology world we’re going to natively understand. We are, therefore, building expertise within our own cloud so people understand process control, in addition to building external partnerships.
CBR: How do those partnerships work in this sector?
DH: With Siemens we specifically joined forces to solve the problem with critical industry security, arriving at a common conclusion that the problem needed to be solved at the network level. First we slide in with a strong perimeter defence, providing a firewall specifically tuned to these industrial protocols. That’s how we can make the most effective splash.
We have to work individually and uniquely with some of these vendors. Each of these vendors – Emerson, Honeywell, GE etcetera – all are providing services to their customer base. All are trying to provide some base level security, either product security or aftermarket security, to take care of their new systems or to provide it against legacy. So looking at that space, and saying how we work with each of those manufacturers to provide their technologies became very important.
CBR: How important is integration in that process?
DH: It’s extremely important in this space. From a plant perspective you want to minimise the number of controls you’re putting in a plant, and you want to make that interface extremely simple. Process control operators think in terms of red, yellow and green – is the system up and running, is it potentially at risk, or is it down. So the mapping of security in that process control view can be challenging.
CBR: Have you seen much vertical customisation of your tools?
DH: In some cases there are manufacturers that are coming out with their own versions of dashboards to present to a process control operator. The three most common technologies deployed in this space are application control, SIEM to monitor and manage the plant, and lastly the network piece. Having those three basic elements is the foundation to success across any vertical process control.
CBR: Is there any contradiction between siloing data for security reasons and integrating technology for security reasons?
DH: In some cases the data has been siloed. In the old world before the plants were connected, all that information was residing at that plant. If there was an insider attack and somebody infected the plant through a USB key, nobody would know about it. What evolved over time is they connected that plant to enable the IT people to have visibility in the network. That then broke down that wall.
Now what we’re seeing with IoT in terms of companies like GE, is that they are providing their own predictive maintenance services to the customer. You’ve got these edge devices that are, in some cases, 20 to 30 years old that are needing some gateway in front of that to abstract all the data and send it back to GE for predictive analytics.
Content from our partners
That has then meant that the perimeter becomes even more important, because the IT division is managing all those policies of how they’re interacting with their vendors. It’s pulling back all that across that same perimeter firewall. So the silos are absolutely breaking down.
CBR: Is there a trade-off to be made segmenting data against integration?
DH: As emulation has evolved, users have been able to self-declare what they consider critical cyber-assets and critical cyber-systems. In some cases you’re able to decouple their assets in a way to get under that threshold, so it will then not be defined as a critical asset.
In some ways that has increased the segmentation of data by decoupling to meet the regulations. Is that a good thing for security? Probably not. Is it a good thing for the operation of that plant? Maybe so.
CBR: Do you think hackers damaging infrastructure physically will be a significant threat in the next few years?
DH: Absolutely. I think the threat in that specific area is the sheer interconnectedness of legacy devices. The proper security to secure the router trust from that device into the cloud and have that managed, and have the identity managed, monitored and segmented is extremely important.
We spend a lot of time looking at this problem, from helping design secure gateways to enabling that connection securely. We obviously see more threats from the traditional industrial control system (ICS) type of attacks on which we spend a lot of time. The increase in threats on that side is not just from vulnerabilities – as nation states start to look at this problem, they are starting to be able to infiltrate those lower levels in the process control network. That is a lot scarier.
CBR: Are you more worried about state sponsored attacks or cyber terrorism?
DH: I think it’s different cases for different industries. In the Siemens world you’re saying: "OK I’m going to make a batch pharmaceutical. It’s going to be a repetitive process." The injection of something into that process could then contaminate that whole batch.
Even worse, there was a manufacturer we were talking to who said: "My biggest concern is if something compromises my process which increases the degree of rust potential in that automobile. That would be a defect which we’d find three to four years later." The ability for somebody to impact their financials, and the ability for somebody to impact that, is what they are most concerned about.
CBR: What would you say the number one challenge is for companies looking to secure their industrial processes?
DH: I think the biggest challenge is lack of guidance. For example, there has started to be more sector specific guidance on how to apply this to the chemical side. If you look at pharmaceutical or any discrete process manufacturing, it is a board level management equation where you have to bring in stakeholders from your security, your legal, your audit and your risk management teams to help drive it.
It’s understanding and articulating the risk at board level in order to get the type of funding and technologies needed, in addition to the changes in products and processes you’re having to impact. That’s what’s really important.
CBR: Is education a government led project, or is it something security companies have to sort out?
DH: In a lot of ways it can be government led. A great example is here in the US, the Department of Homeland Security sponsors the Industrial Control Systems Joint Working Group – a free seminar for two to three days where anybody can attend and learn the basics of industrial control systems from their peers.
Looking at standards being developed country by country, Qatar, for example, is doing their own set of standards based on some of the industrial automation standards. I think there’s a tremendous convergence of global standards which can be applied. I think it’s helped a lot of sectors that have tried to solve this problem move much faster.
CBR: How do you feel about the level of cybersecurity regulation around utilities in terms of the US?
DH: I think in some ways it’s been good. The adoption of basic security tools into a plant has been good. It’s encouraged manufactures to customise and templatise the security solutions they’re bringing in to meet those regulations. It’s also shown that it can be adaptable. The challenge is when the same standards were used for vegetation management are also used for security.
For example, there was a recent attack on a substation in Northern California which cut off the physical emergency cables and physically shot out a transformer. It was not a cyber attack per se, but the organisation was able to look at that problem and react, and get an order down to help prevent this in the future. So I think in some ways regulations have been good.
