When asked about the cybersecurity and visibility gaps that still exist between information technology (IT) and operational technology (OT), Dino Busalachi tells the story of a large pharmaceutical company and its OT cybersecurity platform provider. In this unfortunately true tale, one of the process control managers, the VP of engineering, called the chief information security officer (CISO) of the company and said, “We have a problem, and you and I both need to solve it together.” A few days later, the CISO called him back and said, “I really want to understand better what you’re talking about. I want to go tour the plant.”
“It almost sounded like the CISO had never really walked through the plant. I mean, the real side of the plant versus just a cursory tour,” said Busalachi, chief technology officer of Velta Technology.
And that’s where the real problem lies. According to most cybersecurity frameworks, the National Institute of Standards and Technology (NIST) included, cybersecurity and visibility are inextricably intertwined. It’s essential to know exactly which assets are in your environment and determine their security posture. But many IT managers don’t really understand — or believe it’s their job to understand — industrial control systems. As Busalachi puts it, those “big green and gray boxes out there. They look like they have Christmas tree lights on the side of them.”
“There’s literally hundreds of assets — devices, connected devices — inside them sitting on networks, running software, running firmware, running applications or programs,” Busalachi said. “There’s much more of them — of these OT assets or IoT (Internet of Things) assets or whatever vernacular you want to place on them — than there are traditional IT assets. It’s almost a 15:1 ratio. Volumes and volumes of this stuff. And these assets have the same vulnerabilities and exposures as your traditional IT assets.”
Organizations that do not understand and secure their OT systems — these volumes of devices sitting on networks — leave enormous cybersecurity gaps that threat actors are more than happy to exploit.
For example, if you look at the common vulnerabilities and exposures (CVEs) for a programmable logic controller (PLC) compared to traditional IT systems, there are many similarities. On a typical plant floor, you’ll find Windows machines, Cisco switches, phones and other devices that have vulnerabilities. But none of this is visible to the IT systems, and IT seldom recognizes that, Busalachi said. The solution to improving cybersecurity and visibility begins with communication.
“When we say cybersecurity to people, it’s like boiling the ocean. It’s a big word. It means a lot of things in a lot of different places — verticals, industries, technology, etc.,” Busalachi said. “But when it comes to the industrial space, you’ve got to figure out how you take cybersecurity and process integrity, or operational resiliency — or as we like to call it, digital safety — and wrap that up together. How do you provide that into that space for those groups and make sure that they understand it?”
Busalachi suggested asking IT and OT executives a simple question — what do you believe your role is in regards to cybersecurity for industrial control systems assets? — and letting the conversation stem from there. Listen to what each has to say, and then have somebody who really knows this stuff help with the gaps in that conversation because “there are definitely going to be some gaps.”
But it’s not just about engendering communication between executives; companies also need to bring their technology partners to the table. Most manufacturers have a wide range of automation technology vendors throughout their environment, especially if the manufacturer has dozens of plants around the world. Whether you’re a Rockwell shop, a Siemens shop, a Honeywell shop or use a combination of all three, it’s important that those vendors become part of your cybersecurity infrastructure, Busalachi said.
“The CIO (chief information officer) should have them on speed dial,” Busalachi said. “When you have an event like what Colonial [Pipeline] had, the CIO should know exactly who they need to call to help them, just like they would pick up the phone and call Cisco or Microsoft. … They need to do the same thing on the OT side. And OT can help them with that, to build that relationship, so they can become part of that team.”
While these disparate groups must work together, there still needs to be a single owner of cybersecurity on the plant floor, and Busalachi firmly believes that has to be OT. It’s essential for IT to provide consulting and guidance. Cybersecurity has traditionally been IT’s purview, so OT still has a lot to learn. But OT needs to be in charge of cybersecurity and visibility. Safety is priority one on the plant floor, and that’s the job of the asset owner, not the IT department.
“What goes on in that space is going to be [OT’s], so they’re going to have to become proficient with these technologies,” he said. “They’re going to have to know what’s best-in-class. They’re going to have to know how to apply these technologies. They’re going to have to know how to integrate them up into IT tools, so IT can get information coming up out of this space so they can assist and help.
“At the end of the day, the OT team is going to have to quit deflecting and deferring cybersecurity up to IT. They’re going to have to own this space because IT is probably not going to sit down with Rockwell or Siemens or GE or Honeywell or Emerson or whoever’s industrial control system technology you’re buying — and the OEMs (original equipment manufacturers) and the system integrators who put this stuff together for you — and bring it into your plant and help you manage and maintain and support it.”
In Part 1 of our interview with Dino Busalachi, he went into more detail about why OT needs to own the plant floor and the damage that can occur when OT systems go offline. And check out our Industrial Cybersecurity Pulse YouTube page to view previous installments from our expert interview series.