Nobody should be just sitting around and waiting for a cyberattack to occur. Taking a reactive approach to protecting your systems could create delays and downtime, exposing your networks and information to greater risk. Recently, ICS Pulse talked to Mike Nelson, director of strategy and consulting at CyberCX, about the kind of cyber strategy companies should be applying to be proactive. He dives into the importance of security testing and how the industry has grown into adopting cybersecurity tactics. Listen to the full podcast here.
The following has been edited for clarity.
ICS Pulse: What is your background, and how did you get into industrial control system (ICS) security?
Mike Nelson: I got my start right out of university, attended Penn State here in Pennsylvania in a program focusing on security and risk management. I did a little bit of pen testing and a little bit of risk management-style work as most of my coursework there. Then I got scooped up, as many of the people do from that program, by big four cybersecurity consulting. Right out of university, I was sort of thrown into a variety of consulting projects. I focused on pen testing, AppSec — a little bit more at the technical end of cybersecurity. From there, I moved into more cybersecurity program management, vulnerability management program and building that style of work.
ICSP: Can you tell us about some of your personal experiences in assessing industrial control security?
Nelson: I started off, as I mentioned, in that pen testing, AppSec world, which is where I got my first exposure to ICS systems and some of the cybersecurity parameters and elements that surround them. Mostly, it was pen testing and reviewing what I would call ICS adjacent systems at the time. Not too deep into ICS technical pen testing, like going against SCADA (supervisory control and data acquisition) systems, but more so pen testing for enterprises that operate those systems and want to make sure they’re securely configured and segmented off from their main operations.
Initially, the view was, “Hey, do we have the authentication configured for these types of things correctly? Do we have them set up in a way that you’re not able to get to them from our enterprise environments?” From there, I worked a little bit more toward the end of the spectrum where I’ve led teams and led groups of people who are doing that more technical pen testing, diving into SCADA environments and diving into ICS sort of systems to look for some of those more configuration-style details to see if those systems are set up securely.
ICSP: Can you tell us a bit about what the value of security testing is and the differences in the operational technology (OT) environment?
Nelson: Pen testing is widely accepted in the information technology (IT) space, widely accepted in the industry. There are several regulatory frameworks, compliance frameworks, that require it. It’s built into standards like PCI DSS. HIPAA heavily alludes to effective vulnerability management and pen testing. But in the ICS space, in the operational technology space, pen testing gets a bad rap in my mind because there’s a lot of restrictions that are put on pen testing or a lot of preparation that needs to go into it before taking that same style of approach that you do in IT environments. Where you’re just looking at, “Hey, is there an exploit, or is there a vulnerability here that we can use to our advantage to get some type of access on the system or deeper into the environment?”
You’ve got to be careful when you’re pen testing and reviewing OT environments. They are not traditionally set up in the same way as IT environments, with the dev and pre-prod and all the lower-level environments you could typically pen test against in the IT space. OT requires a lot more preparation, a lot more focus and a heavy familiarity with what the impact of your testing might cause there. It’s something you’ve got to be worried about on the IT side, but especially on the OT side when you’re talking about systems that maintain safety or physically move things or make changes in an environment.
ICSP: I imagine the idea of pen testing scares the standard OT engineer.
Nelson: It still scares me, and I lead teams that do it in some ways, so absolutely. Pen testing ICS is an element that you’ve got to put a lot of preparation into. And I think you hit a good point there, which is [that there’s] a little bit lesser understanding in the OT space. I know we’re going to get into this conversation in a few minutes around who typically owns OT cybersecurity, but you’re exactly right. In that space, a lot of times who we’re talking to are engineers and operations managers and maybe not the polished CISOs that you typically get on the IT side. You’ve got to do a lot there to articulate what is the goal, what are the expected outcomes of this? It’s a bit more work to do to build the background and build the case for pen testing in OT environments.
ICSP: You were mentioning your personal experiences in ICS security. You’ve been doing this for a little while now. What are the differences you’re seeing now versus when you started 10 years ago? How has the industry progressed and hopefully grown?
Nelson: Progressed and grown. Enough? That’s questionable. We’ll talk about it here. Early on, in my early pen testing days, in that big four consulting work, we were seeing things like SCADA systems exposed to the internet. Just internet accessible because engineers or operators want to be able to monitor or work from home on those systems. I’d hazard to say, I don’t think that that’s happening as much these days. I think a lot of that low-hanging fruit has been cleaned up.
Companies are looking at just what are the basics, what are the minimal things that we need to do to put an acceptable level of security into these environments? And that’s led to what I would say is a general maturation in the space, a general uplift. That comment that I made a little bit earlier on, has it gone far enough? I think there’s still more to achieve. I think there’s quite a bit more to achieve industrywide on identification and knowing what ICS systems you have in your environment, knowing which of those are controlled by you or your vendors or your suppliers. There are many more strides to be made in ICS security overall for the industry.
ICSP: Building off that, why is it important to align your cyber strategy with business goals?
Nelson: I think it’s important to align your cyber strategy with your business goals. You want investment and you want support, and you want funding in a lot of cases of your cybersecurity strategy. It’s good for all of us to recognize that we should secure things because it’s the right thing to do, and we don’t want to have interruptions to business operations or availability issues with systems. But in putting together a strategy that really aligns what you’re doing in the cybersecurity space to support business objectives, then you’re speaking the language of the executives that are essentially funding the cybersecurity program or enabling the cybersecurity program, raising awareness about the cybersecurity program in an ICS space. Really focusing on that alignment and focusing and saying, “How can our cybersecurity strategy best enable the business?” is a good way to get that increased acceptance and increased support from the business overall.
ICSP: Something we talk about a lot with different guests is that there’s almost a disconnect between your board of directors or your C-suite and the traditional OT engineer. How do you train the leadership or board about cybersecurity needs and risks?
Nelson: The first part of that is building awareness. Most of your board or executives, your typical group of stakeholders that sit at that level, are hearing things from news, from media in understanding, “Hey, there’s a cybersecurity incident that took place maybe in this adjacent industry or affecting somebody else in our industry.” Or maybe they were personally affected by a cybersecurity incident that took place in their business. Really building that awareness and understanding of what are the potential consequences and having that language translated not just from “Hey, we could have system outages” or “Hey, we could have systems unavailable” to “What is the impact on the business if that takes place?” Building that awareness is really the place to start with that board and executive level audience in understanding whether we’re good to go here, or we have a ways to go to mature in this space.