Among the many lessons learned from the ongoing pandemic, leaders from both the operations technology and information technology sides have seen the benefits of working together more closely. Traditionally, these two areas have functioned in somewhat isolated silos, although advancements in automation and IoT-related technologies have been pushing the two closer together.
We recently sat down with Rick Peters, CISO of Operational Technology North America at Fortinet, to learn more about his perspectives on working with both groups as security concerns have increased and more employees have been asked to work from home.
Jeff Reinke, editorial director: Prior to March of this year, what were the biggest challenges that OT investment and implementation strategies had to account for? How has this changed?
Rick Peters, Fortinet: Leading into 2020, the challenges that required attention and investment centered on the adoption of cybersecurity best practices to address the risks introduced with the convergence of IT and OT networks. The diminishing choice to isolate OT networks challenges security experts to confront increased attention from cyber adversaries motivated to accomplish extortion, espionage, or even sabotage.
The primary focus when investing is measurable ROI, and for OT that is characterized by steps that yield safe and sustained operations. Defending the converged IT/OT environments requires emphasis on security practices that are designed to yield continuous situational awareness and the confidence that activity from the plant floor to the cloud can be trusted.
The shift toward implementing a more holistic OT security solution, where elements are integrated to form an ecosystem approach, was driven by the need for transparency (think minimal latency), scalability (long term and sustainable), and speed (accomplishing detection, analysis, and response without threatening operations). Arguably, these OT security strategies remain vital well into 2020, but clearly the necessity for rapid innovation as part of confronting the pandemic-driven work-from-home shift hardly spared OT leadership.
The necessity of extending the OT environment to address an expanding number of employees accomplishing enterprise business outside of the plant required a commitment to protecting data being transacted over untrusted networks. Accommodating these changes demanded the execution of a strategy designed to extend trust, and that required attention to technology, processes, and workforce. Of course, reinforcing a program of education and employee practices is also a key component of being resilient in periods of rapid change, as cyber adversaries demonstrated a penchant to elevate their attention via campaigns to gain access.
JR: Are there any particular technologies that you feel have been more beneficial in helping address key issues?
RP: Cybersecurity maturity, as it relates to OT, is all about raising the stakes to ensure safe and continuous operations. The proliferation of enabled technology (i.e. IoT and IIoT) illustrates a challenge to insist on earned trust for all assets dynamically accessing the enterprise.
The concept of Zero Trust Network Access (ZTNA) has been foundational to progress. Built on the principles of broad visibility, integrated control, and automated awareness, ZTNA fundamentally enforces the “Never Trust, Always Verify” model to protect at every wired and wireless network node, thereby ensuring all endpoint devices are validated. This is a crucial step in defending the cyber-physical.
Ultimately, ensuring plant and worker safety centers on gaining and sustaining situational awareness to the extent that unwarranted behaviors are detected, quarantined, analyzed, and responded to during the process of executing business. Gaining the service of robust back-end intelligence services can advance the state of cyber readiness in the OT environment, as the emphasis is protecting systems from the inside out. That doesn’t diminish the importance of defending the edges.
Extending the notion of intelligence-based services with growth in the solution space also includes the advent of automated endpoint protection, detection, and response (EDR). Delivering automated management, architecture, and platform supports proactive attack surface risk mitigation. The attention to pre-infection and post-infection yields a comprehensive and real-time solution.
JR: Over the last 5 years or so there’s been a concerted effort to break down the silos between IT and OT. Has the pandemic helped those efforts?
RP: The value systems of IT and OT subject matter experts will continue to differ as they are deep-rooted in practices that are well understood and trusted. What is important is to characterize the value that can be gained to protect high-value assets despite increased attention from those seeking to disrupt operations, steal intellectual property, and degrade the reputation of the company.
Integrating best cybersecurity practices while paying attention to the uniqueness, and in some instances the fragility of OT devices, illuminates the need to refine solution implementation. The pandemic certainly illustrated the need to accommodate rapid innovation and to ultimately consider how to best protect key OT assets.
Indifference to such strategy would simply serve to create greater opportunity for the adversary to gain access employing legacy tradecraft that takes advantage of existing OT system vulnerabilities due to infrequent patching/updating. It is equally important to educate and build awareness of the role each OT expert plays in understanding and appreciating the importance of individual cyber vigilance. A cross-cutting campaign can seek to educate both IT and OT counterparts to gain a comprehensive appreciation of the value of the physical plant and the intellectual property that distinguishes the business.
JR: What do you feel are the primary areas that manufacturers should focus on when it comes to protecting IP and data?
RP: In 2020 it is very clear that data is the commodity of greatest interest to the adversary. As mentioned previously, this really is a three-tiered challenge that technology alone will not solve.
The commitment to workforce education, adoption of consistent business processes that are clearly articulated and enforced via firewall policy, and the implementation of an automated containment strategy that limits access based on role-based privilege. Insisting on the principle of least privilege across both internal and external network communication in turn prohibits the ability to move about without restriction and deters migration of an attack campaign from moving horizontally or vertically within the enterprise.
Simply put, provide only the access that is minimally required and nothing more. Integrating internal segmentation at multiple points within the network delivers extra layers of enterprise protection from an array of attack vectors.
JR: If you could endow IT and/or operations personnel with one gift, opportunity, etc., what would it be?
RP: An appreciation for the absolute value of partnership in accomplishing the corporate goals of growth through safe and sustained operations.
This is normally the ultimate goal, yet one can lose sight of it given the demands and priorities of the moment. I’d complement that with the notion of value gained through the adoption of a security framework that can be broadly interpreted as it delivers a process which articulates value for both IT and OT leadership.
A final element would be an appreciation for extending that same penchant for partnering and recognizing that no single entity possesses the crown jewels for solving IT and OT security challenges in their entirety. Rather, it requires an ecosystem approach where experts seek to collaborate and integrate solutions that target security gaps and solutions that scale to ensure longevity.