No matter how good a company’s information technology (IT) department is or how many advanced technologies they’ve invested in, there’s a good chance their networks are still at risk. The attack surface has widened dramatically in recent years. Although cybersecurity often falls to the IT group, it should never be the responsibility of a single team or department. It’s something that needs to be shared and embraced throughout an entire organization, and that includes its network of technology partners, vendors and suppliers. To help manage all of this, it’s important to create a culture of cybersecurity, said Matt Leipnik, lead industrial cybersecurity specialist for Nexus Controls, a Baker Hughes business.
“If you take a step back from a cybersecurity culture and you just look at the culture of businesses generally, it’s very difficult to change a culture once it’s set,” Leipnik said. “We see a lot of effort by organizations to define the culture that they want to have in the organization and the kind of people they want involved.”
This is potentially even more important with regard to cybersecurity. When an attack hits, teams from different departments must work together under extreme pressure to sort the problem out and get production back up and running while thousands or millions of dollars are being lost. For all that to work smoothly on very short notice, you must have the right culture in place. And that’s not just on the IT side but on the operational technology (OT) side, as well. Leipnik said the easiest way to start creating this culture is by building on what you already have.
“One of the key things we can look at is health and safety,” Leipnik said. “That’s quite a well-respected and understood set of principles in industrial organizations — something that you don’t get as much in, let’s say, normal businesses. So, cyber is a really good extension of that because you’ve already got that mindset around risk management, safety, things like assessing your situation and understanding what your risk controls are going to be around it. How do you protect, ultimately, people?”
As the situations with the Oldsmar water treatment facility and the Colonial Pipeline have shown, even attacks that enter through the IT side can have a physical, human impact. Attacks on OT can cause anything from massive explosions after boilers blow up (in the most extreme scenario) to reductions in electricity or fuel supply. Ransomware attacks on hospitals could even lead to loss of life. This impact on human safety through cybersecurity is something both the IT and OT sides need to understand.
Building the right culture
Much of this culture creation comes down to finding a common language and laying out efficient ways to communicate quickly throughout an organization. For example, when things really go sideways during an attack, is email the best channel to use, or should there be a more immediate and private WhatsApp group? Building a positive and collaborative working relationship between the IT and OT sides can be a challenge, however, because they have different fundamental goals and interests.
“In the past, we’ve worked to solve a number of those problems, and I would actually not describe that as industrial cybersecurity activity,” Leipnik said. “I’d describe it more as, like, marriage counseling, to be honest. Sometimes, we’ve had teams that don’t actually talk to each other.
“We had one example, I remember, where the IT side of the organization managed the switches inside the production environment and then decided to port scan the switches for vulnerabilities without telling anyone, and knocked everything over and ceased production on the plant. The OT guys were so annoyed that they actually no longer talked to each other. One of the first things we had to do was just get everyone in a room and kind of see things from the other people’s point of view, walk in their shoes.”
According to Leipnik, one of the best ways to do that is to get the teams to work together more often. Whether that means taking people from the IT side and giving them some exposure to operations or bringing the OT people into IT, both sides can benefit from seeing how the other half lives.
“That builds understanding,” Leipnik said. “And then you start to understand, ‘Well, OK, what drives your team and what keeps your team up at night is not necessarily the same thing that applies to our team. But now we understand that that’s what worries you, we can better factor that in. So next time we decide to do a change, we’ll bring you into the room.’”
It’s also important to know the answers to some basic questions. Who is responsible for what? How are the teams going to talk to each other? How can they inform each other better of what they’re doing? The ultimate goal is to break down the walls and make things more transparent.
A risk-based approach
When building a culture of cybersecurity, Leipnik also advised taking a risk-based approach to get better efficiency and return on security investment.
“You’ve got a limited set of resources. You’ve got all these plates spinning,” Leipnik said. “How do you know where you should spend your time, which plates you can let drop and which plates you’ve got to make sure that you can never drop? One of the ways around that is, when you get more mature or you’re going into that more proactive approach, it allows you to take a risk-based approach to security.
“You’ve kind of got two [options]. One is like a maturity-based approach, which is, we’ll just build up from the bottom. We’ll just add layers of security and technology and process, and, eventually, we’ll have quite a comprehensive set of protection. But, we haven’t really focused that so much. We’ve just added the traditional layers of the onion. Whereas with a risk-based approach, what we’re really saying is, who are the bad actors? How are they working? What are they trying to do in my market, and how are they behaving?”
Adopting this approach allows companies to prioritize more effectively and spend money on defending the areas attackers are most likely to target. It’s also much more flexible. As hackers’ threats and methods change, companies can dynamically adapt, based on how their risk has changed.
“There’s no point putting bars on the door and 17 locks on your front door if the attackers are just going to come in through the roof, right?” Leipnik asked. “You start to understand how the attacker looks at you, and, therefore, you look more at how you’re going to manage those risks. That then gives you where you should spend your resources, to what degree, how quickly and in what order.”
In Part 1 of our interview with Nexus Controls’ Matt Leipnik, he discussed how to get buy-in for cybersecurity from the C-suite and how to scale cybersecurity after that. And check out our Industrial Cybersecurity Pulse YouTube page to view previous installments from our expert interview series.