In an era when cybersecurity is of paramount importance, private-public partnerships within the security community are an integral part of effective cyber hygiene — especially when it comes to protecting critical assets. Victor Atkins of 1898 and Co. recently joined the ICS Pulse podcast to dissect the intersection of government regulation, cybersecurity and critical infrastructure protection. Listen to the full podcast here. And you can find Part 1 of the conversation here.
The following has been edited for clarity.
ICS Pulse: The government has a responsibility to protect critical infrastructure and ensure the country’s functioning. Regulations and directives are being introduced, but what practical impact do you think they will have, especially considering the need for a public-private partnership?
Victor Atkins: Regulations do have a place. In my opinion, the government is becoming frustrated with the voluntary approach, as it hasn’t yielded the desired results. Encouraging asset owners to go beyond regular compliance hasn’t been effective. The private sector has made it clear that without incentives or a solid business case, they won’t invest in the necessary improvements.
The voluntary approach isn’t achieving the government’s goals quickly enough. Our system offers limited ways for the government to encourage desired behavior. They can provide funding, but that often comes with unwanted conditions, or they can enforce regulations. I believe we are now seeing a shift toward more regulatory actions.
However, a problem arises when the government issues regulations without sufficient expert input on their impact. This can result in overly burdensome or unfeasible solutions. Excessive cybersecurity measures, for instance, can hinder the normal functioning of critical systems. We need to strike a balance between regulatory actions and expert opinions to avoid eroding trust between the government and the private sector. Regulations should be well-informed, measured and supported by government funding through grants and other means to facilitate implementation.
ICSP: Cybersecurity used to be considered the responsibility of information technology (IT), while operational technology (OT) remained air-gapped and less of a concern. But that’s no longer the case. Your company focuses on OT security, so what suggestions or advice do you have for security teams trying to bridge the gap or foster collaboration?
Atkins: This is indeed the biggest challenge we face. Education is a crucial part of the solution. People in the control center and IT have their own norms and languages, and it’s essential to teach them about each other’s objectives.
In my experience, building integrated teams around specific problems is effective. For example, if a transmission company has a critical substation connected to a key control center, they should bring together IT cybersecurity professionals, control center operators, engineers and executive leadership. They need to organize around the question of reducing risks in that particular environment, rather than abstractly. By facilitating discussions, workshops or any means necessary, they can foster understanding and collaboration. It’s a human endeavor that requires empathy and appreciation for each other’s challenges.
This approach can be scaled to other areas of the organization, but it requires top-down support from leadership. Without leadership prioritizing and actively participating in the collaborative process, it becomes an extra burden on already busy professionals. To foster successful collaboration, leadership needs to emphasize that this is a priority and expect a collaborative solution.
ICSP: During another podcast discussion, someone likened the IT/OT relationship to marriage counseling, bringing both sides together to understand each other’s perspectives. Have you encountered similar sentiments?
Atkins: Absolutely. I’ve had conversations with representatives from both sides, and it usually follows the same pattern. Each side feels misunderstood and claims that their requirements have been ignored. Regardless of which side is speaking, it’s evident that aligning solely with professional identities is counterproductive. The focus should be on protecting critical functions against strategic risks, with cybersecurity professionals providing expertise and support, rather than being solely responsible for security.
ICSP: You mentioned that it’s often easier to teach OT professionals about cybersecurity than the other way around. Your own experience reflects this, as you weren’t involved in cybersecurity until 2017. Could you elaborate on that?
Atkins: Cybersecurity professionals come with their own training, certificates and language focused on data confidentiality, integrity and accessibility. However, in an OT environment, their approach may not be entirely relevant. Engineers, on the other hand, possess inherent knowledge about how the systems work. By teaching them cybersecurity concepts, they can become conversant in cyber, and bridge the gap between OT and IT.
I believe that solutions in this context are often more about design, architecture and network considerations rather than just implementing specific cybersecurity measures. While cybersecurity knowledge is valuable, it’s challenging to teach cybersecurity professionals all the intricate details and experience that engineers have accumulated over years. Instead, cybersecurity professionals should serve as advisors, collaborating with engineers and leveraging their expertise.
ICSP: The distinction between discrete OT and IT environments seems increasingly irrelevant given the growing interconnections. What are your thoughts on this?
Atkins: I completely agree. As we move toward distributed energy resources and other advancements, the boundary between OT and IT is rapidly disappearing. Even traditional substations now have digital connections, and the notion of an air gap is unrealistic. Technologies with monitoring systems and relays can be seen as smart devices, introducing connectivity and vulnerabilities. Any digital pathway that enables control and transparency can also be exploited by adversaries for disruption. Consequently, the concept of an air gap and a strict division between OT and IT is becoming obsolete as integration becomes the norm.