When you think about the potential for cyberattacks, who do you think of as the primary targets? Probably large companies. In reality, any company is susceptible to threat actors. This means that every company, regardless of size or revenue, should exercise effective cybersecurity hygiene and instill a cyber strategy.
Recently, the ICS Pulse Podcast talked to Mike Nelson of CyberCX about the cyber strategy that companies should be applying to be proactive. He talks about getting your C-suite and board involved and what’s on the horizon with artificial intelligence (AI) tools. Read Part 1 of the transcript here.
This has been edited for clarity.
ICS Pulse: What’s the biggest question you’re getting right now from your clients?
Mike Nelson: Where to start. In fact, it’s a little bit depressing that we still get this question so often, in that many clients are coming to us and saying, “Industrial control system (ICS) cybersecurity or operational technology (OT) cybersecurity, we know we need to do something, but what is it that we need to do? What is the roadmap for us to achieve better security in this space?” So many clients and customers of ours, and potential customers as well, are a little bit paralyzed by the size and scale of the problem in ICS cybersecurity. Think of how quickly this has become an industry-wide issue, with, “Man, we really must do something here to be able to protect against these types of attacks or these types of interruptions.” It’s taken executives and security program leaders and engineering leaders a little bit of time to understand the size and scope and scale of the issue and to realize what that size and scope and scale is.
It’s a big investment to get an actual program, a whole end-to-end program, off the ground to address this, but there are thankfully incremental steps that you could take along the path. I’ll be encouraged when in a few more years’ time, what we’re hearing is, “Hey, we’ve done A, B and C. What can we do about D, E and F to move further forward in our ICS cybersecurity posture?” We’re still hearing a lot of the, “Where do we start?” I think due to the size and due to the weight of the issue currently.
ICSP: Why do you need to get the leadership and the board involved in cybersecurity decisions?
Nelson: Absolutely. One of the biggest pieces of any successful cybersecurity program is not only building up the executive support and the board-level endorsement of the initiatives, but also bringing along the actual operational engineers and workers who are going to carry it out, at that level of, “Hey, what we really want to accomplish here is reviewing a system or application before we deploy it on the environment. Why are we doing that? What is that going to accomplish for us?” Getting the buy-in of the stakeholders who are going to be carrying out the program is another crucial piece of building up a successful ICS security posture, not just that executive-level endorsement.
ICSP: I want to go back to something you said earlier, talking about ownership. I want to look at some of the challenges that are facing business in the ICS community and ICS security. I think you mentioned earlier that idea of who should own this, which I think is a big part of it. Can you talk about that, and then what other challenges do you see facing business in ICS?
Nelson: We’re coming around to most businesses, enterprises understanding ICS cybersecurity. “It’s a big initiative. We’ve got to do something here.” The question within those businesses is who needs to own it? Is it something that you toss on top of the responsibilities of the existing, more traditional IT cybersecurity team? The team that’s doing enterprise security or organizational cybersecurity for the business? Or is it something that you align with the operations leaders or engineering leaders that are responsible for the change management, the deployment, the monitoring of a lot of these operational systems that are surely going to be in scope for a program like this?
It’s a question that our clients and customers and those in the industry have been faced with for a pretty significant period now. And like I said, it’s a big question to decide the answer to, which I think is causing a little bit of this analysis paralysis on where it best sits within the business to spin up an ICS cybersecurity program. To hit your question there more directly, there is no right answer. If you’ve got a CISO who’s willing to do it and take it on and say, “OK, one of my largest initiatives is going to be ICS cybersecurity,” then that’s the right place for it to sit. If it’s the operations leaders, maybe ones who have recently experienced an incident or impact from something within the business that has taken place and are serious about solving this type of issue, then it can sit there.
It’s not so much a question of where the right place for it to sit is so much as who’s the right leader to drive this ICS security initiative forward? A last one here from me on this topic quickly is we’ve seen a lot of our clients have success with, “It’s not traditional IT cybersecurity. It’s not traditional operations or engineering, either.” And so, building up and spinning up a separate team or maybe going and working with an MSSP or an organization who has experience in this space to say, “We at least need to lay the groundwork here before we put the operation of the program combined with IT cybersecurity or combined with regular engineering.” Really, just who is going to address this, who’s going to start taking a crack at this, is one of the most critical questions to answer when you start to get something like this off the ground.
ICSP: One question that we’ve been asking our guests a lot recently, just as current events have changed the tides, is what impact do you think AI tools are going to have on the space in general?
Nelson: On cybersecurity in general, I think there’ll be quite a large impact from both an attacking and a defending standpoint. We’ve seen media articles around attackers using AI to craft payloads and basically exploits that are not easily recognizable to existing defenses and tooling that a lot of organizations have deployed. That’s certainly one offensive use case here that it’s potentially available to attackers to encrypt or encode or configure their payloads in a way that’s going to be not the traditional standard and easily detected via signatures.
But on the other hand, for defenders, you’ve certainly got capabilities, now building capabilities, growing capabilities, with things like Copilot and Amazon’s offerings in the security space, as well. Where defenders are looking at environments and trying to detect anomalies and what’s taking place, you’ve got a pretty solid indicator of when something is taking place that’s different from the norm or different from the baseline. Enabling that level of monitoring and enabling that data analysis, which can take place thousands of times more efficiently with a machine than with a human, and which is able to say, “Hey, something’s going wrong in this area here,” or, “I’ve had a detection in this area here,” is certainly going to be a valuable tool for defenders, as well.
I think that there is a lot to be done in terms of network monitoring and understanding what devices are on the network, understanding the profiles of those devices when they connect. There’s certainly AI elements that could be helpful in organizations and enterprises managing their network operations and understanding what’s taking place on their networks. I can see that as one use case where it’s going to be supportive in ICS cybersecurity build, as well.
ICSP: It seems like the biggest role it could play in ICS environments is going to be asset visibility, asset management and vulnerability management. Because, as we all know, there are a bunch of different vulnerabilities out there for all these different devices. It’s more about deciding which ones are the priority.
Nelson: I think you’re right. Visibility and detection: detection of anomalies, detection of unexpected activities, and visibility. Just being able to extend monitoring to a much wider array of systems than an effective team of 24/7 humans can monitor at the same time is some of the value you’re going to be getting out of the AI space in ICS cybersecurity. That said, I want to back it up with: nobody’s going to go replace MSSPs with entirely full AI, 24/7 monitoring from machines at this point. There’s still always going to be that layer of follow-up triage once a detection gets identified. But I think you’ll start to see more efficient identification and detection to help enable those second-level, human-level follow-ups that’ll take place off those tools and activities there.