Addressing gaps in the convergence of information, operational technology

Sept. 30, 2015
Industrial cybersecurity expert Galina Antova examines critical issues in keynote address at ASIS 2015

Protecting industrial control systems (ICS) from cyber-attacks is a primary concern for the operators of critical infrastructure around the globe. These systems are absolutely vital to delivering the essential services and resources we all depend upon in our daily lives, such as electricity, water, oil and gas. Just one small glitch within the components of these systems could affect millions of people at a given time. However, much as in the rest of the security industry, there has been a push for increased connectivity of these control systems with traditional enterprise IT systems, which could open the door to additional cyber risk.

In her keynote address, "Securing Critical Infrastructure: Closing the Gaps," given at the recent ASIS 2015 conference, Galina Antova, co-founder of Team8 Industrial Security, shed light on this issue, examining the integration between information technology (IT) and operational technology (OT) and the challenges that come with that convergence.

“It’s quite a long road to where we need to be, so everyone kind of assumes there is this IT/OT convergence and they’re going to get these synergies and benefits, but the reality is there are quite a lot of challenges associated with that,” said Antova. “I’m going to talk about practical ways in which we can move the industry forward in three main categories: people, processes and technology. We’re all fairly technical people and we assume that we have to create new software and technology, but in my experience in working with customers, some of the most challenging things are actually organization. How do we bridge the gap in the organization between the IT team and OT team? They have different priorities and it’s quite a large clash.”

According to Antova, when most people talk about IT/OT integration, it basically centers on how those systems are supposed to integrate without a lot of thought about how to secure them.

“Between enterprise security and the shop floor or OT cybersecurity, the gap is humongous. (Industrial security is) at least about 15 years behind,” said Antova. “Most of the larger operations are just at a state where they are deploying perimeter protection and anti-virus. But I think it’s not fair to make that comparison and assume, 'Well, it took 15 years for enterprise security to get where they are, so therefore we have to go through the same cycle.' It’s a little bit different because you’re trying to serve different purposes. The reason you want to have security on the shop floor is to not only protect yourself, but also to increase the resiliency of the process.”

Antova said the top priority in the OT market is the availability of the process, which is what they are trying to protect. The way to close the gap, however, is not necessarily by deploying a sophisticated product.

“What’s important to keep in mind is you need to have the operational benefits as well as the security benefits. A lot of people talk about advanced persistent threats (APTs) and that manufacturers and critical infrastructure is under threats by China,” explained Antova. “What hurts the bottom line of companies more than advanced persistent threats that are supposed to be happening are equipment malfunctioning or human errors. Those things cause a lot more damage to the bottom line than a cyber-attack. It’s not as narrow as the enterprise space, it’s much more complicated.”  

Antova said companies are starting to realize they need something around industrial security; however, it is oftentimes implemented in the wrong way.

“We need resources that understand both sides of the fence, but it is really challenging to find those types of people,” said Antova.  

Antova is also in favor of creating some type of industry standard against which people and their skill sets can be measured.

“First and foremost, we need to have some kind of a benchmark as to what are the types of professionals we need to hire,” she said. “I joke with friends of mine that are going into or coming out of a university that the most severe talent crisis in cybersecurity is actually going to be in industrial security.”

The ICS market has also learned, according to Antova, that it can’t just copy things over from the IT/enterprise space anymore and assume they are automatically applicable to its segment.

“I think where companies sometimes fail is they think they have to repeat the same paths enterprise security went through so they start with things they know like anti-virus and so rather than ask themselves what is the benefit and what is the actual protection of an anti-virus? Is an anti-virus even going to detect any of the threats that are relevant for me?” said Antova. “Before you worry about China attacking you, worry about how you can actually increase the uptime of your production by having something on the networks that understands those networks.”