Over the past two weeks, we have had the privilege of discussing the latest trends and observations about the state of OT cyber security with our clients and partners at two events: our own Verve Security customer conference, held in Houston, TX, and the 2020 RSA Conference in San Francisco, CA. These back-to-back events provided an interesting perspective on the opportunities and challenges facing cyber security leaders as they embark on a mission to tackle OT.
Verve Industrial’s Customer OT Cyber Security Conference
We were thrilled to produce a great lineup of speakers at our conference in Houston on February 19th and 20th. Three of those leaders were Eric Cosman, President of ISA, primary architect of the ISA99 standard and long-time leader at Dow Chemical Company; Eric Byres, founder of Tofino and aDolus; and John Cusimano, leader of AeSolutions' ICS cyber security services team.
They joined us in Houston to share their perspectives on addressing OT cyber security. Our customer attendees ranged from industries of generation and transmission utilities to chemicals, oil and gas, and process and discrete manufacturing. The breadth of industry participants added to the rich discussions in the room.
Eric Cosman provided a great historical perspective on the challenges and potential solutions to achieving true security maturity. One of the primary takeaways was that the organizational and governance challenges of OT security, rather than the technical ones, are the main obstacle, including how the language the cyber security industry uses to separate OT from IT contributes to the disconnect. Eric argues for the term OIT, or Operational Information Technology, to break down the barriers that are so often put up between organizational silos. One of the key governance challenges is simply the way OT systems are administered and managed today.
Jon Shadduck, Director of Cyber Security Architecture and OT Security at Ameren, reflected on the need to create a new mindset around OT Systems Administration or OT Systems Management (OTSM) that brings the same kind of asset management found in IT into the OT world. Eric Cosman's comments were a clarion call for a new way of approaching an old problem: securing OT systems.
John Cusimano and Verve Industrial’s VP Solutions, Rick Kaun, brought us down to where the rubber meets the road, sharing a very practical example of how to conduct a true risk assessment of cyber physical systems leveraging AeSolutions’ leading CyberPHA framework enabled by automation in the Verve Security Center.
John's view is that OT cyber security is too rarely put into a true risk management framing. After all, what operations executives and the C-suite truly care about is the risk to the system, not cyber security in a vacuum. John and Rick described how Verve Security Center's 360-degree asset visibility and its vulnerability and risk information, combined with AeSolutions' CyberPHA process, help management teams get very rigorous and practical about prioritizing the risks they need to remediate.
Eric Byres and Verve Industrial's Director of Cyber Security Insights, Ron Brash, dove into the risks posed by actors outside the four walls of the company, i.e. supply chain risk, and specifically the software supply chains that so many OT systems depend on. The major takeaway from this discussion was the need to leverage the community to vet software, rather than each organization relying only on what it knows.
So many pieces of software provided by OEMs or other application vendors arrive as black boxes, with little clarity on whether a package is authentic or what vulnerabilities may be buried in the underlying firmware or application code. Eric and Ron demonstrated how the power of community leads to higher confidence in OT supply chain security through platforms such as aDolus, which allows users to upload software to the platform and compare it against what others in the network have submitted. It is truly a way for organizations to help each other and build value from the community.
RSA Conference 2020
This week, we boarded a plane for San Francisco to join 40,000+ attendees at the 2020 RSA Conference. The ICS or OT part of RSA still remains relatively small, but there are signs that the conference organizers are starting to understand the critical risks our infrastructure faces. Megan Samford, Chief Product Security Officer at Rockwell Automation, led a panel of her peers from Schneider Electric, Siemens and others on how to better secure their product environments.
Similar to Eric Byres’ vision, Megan believes we will make much more progress if we work together across organizations – even competitors – to bring the best thinking to bear on OT cyber security. It was a great milestone to have those organizations all on the same stage together.
In addition, there were several presentations from the ICS area, including Dragos' Rob Lee and others presenting keynotes on findings from 2019. It is great to see that this critical, often overlooked area of OT cyber security is now gaining awareness at this key cyber security conference.
Our discussions with clients and others over the week reflected many of the same themes we heard at our own conference the prior week: the need for a new governance model, the need for true OT Systems Management, the need for platforms that can provide true risk assessment and management in these sensitive environments.
Several of the IT leaders we spoke with mentioned the challenge of achieving the same rigor of risk management in OT as they have in IT. We reflected on the joint presentation by John Cusimano and Rick Kaun as a potential new model for closing that gap.
So many companies are beginning an OT cyber security maturity journey. It is great to see that there are real resources available to help them build the right foundational approaches: sound governance, true risk assessment, the ability to manage OT assets the way IT assets are managed, and the power of the community to share information with one another and leverage our combined strength for the better.
We look forward to the rest of 2020 and the progress we all can make in protecting the world’s infrastructure.