Who is responsible for the security of technology and networks? That’s probably information technology (IT). But who is responsible for all the web-enabled, and therefore vulnerable, devices on the plant floor? Unfortunately, that’s still a gray area. Dino Busalachi, chief technology officer (CTO) of Velta Technology, says it shouldn’t be. He believes operational technology (OT) needs to own cybersecurity on the plant floor.
In June, Busalachi sat down with us to discuss why OT needs to take responsibility for its own networks, how IT and OT can work together and why the Industrial Internet of Things (IIoT) has made things more complex. This is a transcript of Part 1 of his Expert Interview Series installment with Industrial Cybersecurity Pulse. It has been edited for clarity.
ICS Pulse: Let’s talk a little bit about the information technology (IT), operational technology (OT) divide. When most people think of cybersecurity, they think of IT. Historically, the responsibility for cybersecurity has certainly fallen on IT. But when you look at the proliferation of the Internet of Things (IoT) and the Industrial Internet of Things (IIoT), is that now an outdated philosophy to assume that IT alone can handle the kind of threat that’s out there?
Dino Busalachi: If you think about the proliferation of technology into the industrial control system arena — with networks and computing capabilities, platforms over the last 20 years, 30 years almost, and those systems are out there for quite a while — the lifecycle replacement strategy for control systems can actually be one or two or three decades, where on the IT side, those technologies can change every three to five years. We’re seeing an explosive growth of the number of assets that are connected in this environment. Some people like using the term IoT, the Internet of Things.
And so, when you look at the plant floor, all the new machines that come in, all the new process control technology, has a lot of the similar technology that you would expect to find in IT. It might be hardened, but it’s still networking technology. It’s still computing technology software that’s out there, firmware that’s out there. It has the same vulnerabilities and exposures as IT assets. So to your point, IT and OT have commingled their assets together. They’ve done a lot of that, too. There hasn’t been a real clear separation as this explosive growth has moved into that environment.
I think for a lot of organizations, it has shifted on who actually owns the security for these types of assets. If you talk to the OT teams, they don’t believe cybersecurity is their responsibility. They just don’t. They would shift that responsibility over to IT. They will defer and deflect. If you talk to an IT professional, they would say that cybersecurity is their responsibility, but I don’t think they really understand the assets that are involved. They haven’t gone through and really seen and had a tool that’s given them that asset inventory for those systems that are out there. They just don’t know. They walk by those panels. They don’t realize that there’s hundreds of devices inside those panels, sitting on a network, running software, and that have the same CVEs, common vulnerabilities and exposures, as do their IT assets.
ICSP: And if a bad actor can get into those, they could wreak havoc on the OT systems, but they also could make a jump into those IT systems as well.
Busalachi: There’s the external threats, but you also have to look at the internal threats, too. You still need to have visibility into the environment. It could be malicious behavior inside; it could just be human error. In the OT world, we have a term we use, it’s called process integrity, operational resiliency and safety. We like to call it digital safety. Those terms are typically foreign to an IT organization, who doesn’t have the same responsibility. Their job is confidentiality, integrity and availability — people call it the triad — where on the other side of the coin, safety is first, then availability, then integrity and then confidentiality. They’re flipped. Their priorities are upside down between the two groups.
One of the questions we always like asking the executives on the IT side is, “What do you believe your role is in regards to cybersecurity for industrial control systems?” And you’ll get mixed messages from these folks depending on their understanding of the plant floor and how many resources they actually have involved and engaged in that space. If you have a very large manufacturing company with 20, 30 plants in their fleet, they’ve only got a few people. On the other side of the coin, on the OT side, they’re responsible for a lot of stuff, and they also have very few people. Everybody is running on razor-thin resources. We don’t have the human capital. That’s a struggle.
The other thing that we’re up against is what I call “the silver tsunami.” People like me that are getting up to that retirement age that are leaving. That’s a lot of experience walking out the door, and how do you bring that expertise back in? How do you keep that knowledge in-house, because those assets aren’t going anywhere? So you’ve got to somehow be able to turn those technologies over to a younger workforce. And they work differently, and they use tools differently. They want to use their smartphone, they want to use a tablet, they want remote access, they need to have wireless, and all of those things can create a lot of problems inside the manufacturing environment when you’re talking about security and safety.
ICSP: You asked what the role of an IT leader should be. As an OT leader and decision maker, what do you believe your role is in regards to cybersecurity for industrial control systems?
Busalachi: I believe that the OT leadership, they own the assets. They need to own their place. This is their stuff. All these vulnerabilities and all these exposures are theirs to solve. IT can help them. IT can help them organize it. They can help them explain what these things are, but at the end of the day, those assets and the responsibility of production and safety falls to OT, so they have to own it.
That’s their supply chain. That’s all their original equipment manufacturer (OEM) and the system integrators and any of the technologies that they bring in have to have some metric to determine what is the security posture of this asset. What are the exposures related to it, and is there an index associated with it? That’s some of the things you are going to start seeing coming down the pipe, whether it’s regulatory-driven or whether insurance companies get involved. If you want to buy cybersecurity insurance, you have to demonstrate to them how good of a job you’re doing.
You just can’t go to the IT guys and say, “I want to buy cybersecurity insurance,” and then they fill out an application and they give information to the insurance agencies and carrier. What are you doing on the OT side? Business interruption, is that included?
Because if this stuff goes down, you quit making stuff. It’s not about data theft and intellectual property. This is about not being able to make goods. This is your cash register over here. You’ve got to be able to keep it running. And they’re not going to separate them. They’re not going to go back to the days of being air-gapped and isolated because it just doesn’t work. You can’t do that anyway.
I can walk into a plant today — pick a global manufacturer, most of them will let me walk in there with my laptop and plug it into the network. And when COVID came along, they opened up Pandora’s box and cobbled together all these remote systems capabilities to get OEMs and SIs (system integrators) and third parties into the environment because they couldn’t travel to the plant. They had to give them access, so they blew holes in the firewalls; they broke down all the rules, and what they thought was secure, they had to tear apart and move it to the perimeter for people to gain access to the environment.
ICSP: A perfect example of how intertwined everything is now was the recent Colonial Pipeline attack. That was more of an IT breach, but that obviously spilled over to the OT side because they had to shut down operations. A similar thing happened to Molson Coors where they had to shut down operations. That obviously causes huge problems for companies when they do have to shut down.
Busalachi: They don’t have any visibility. If IT calls up and says, “We’re under attack,” and they ask the OT guys, “How are you doing over there?” what are the OT guys going to tell them? They don’t have any tools down there telling them whether there’s malware in their environment. Are they going to wait for their HMIs (human machine interfaces) to lock up because they got encrypted? And that’s how they know. It’s like, “OK, now I can’t shut down a machine safely or I have to go to manual mode.”
And even if you go into the manual practices, do you have enough people on-site to even do that? Because everybody has gotten so automated, there’s less people working in these environments, so it becomes very difficult to rely on technology to shut things down. That pipeline is, what, 5,500 miles long. You’ve got control systems all throughout that thing, thousands and thousands of control systems. How is anybody going to go out there and manually do anything? They need technology to shut that stuff down, and if it’s not available to them, then it becomes very dangerous. There was a pipeline rupture some years ago in Olympia, Wash., and it was due to operator error, but it was because they lost visibility and lost control of being able to control the movement of gas through a pipeline. At the end of the day, the pipe ruptured. It ruptured. 800,000 gallons of gas were spilled down a creek that ended up getting ignited and people died. People went to jail.
Control systems can be very dangerous. And we saw some of the temper and disruption with the Colonial Pipeline being shut down. You had people putting gasoline in plastic bags and putting them in the trunk of their car. How does that happen? Why would that happen? Why would anybody think that would be normal for people to do that.