Annessa McKenzie began digitizing operational technology environments in 2007, yet industrial service providers are stuck on antivirus solutions.
"I want to be able to sit down at the table with some of our electrical providers — and some of them are getting there — and be able to have a real conversation about security," said McKenzie, VP of supply chain and CSO of Calpine, during the SANS ICS Security Summit Thursday. "I firmly believe our supply chains need to be thinking about cyber engineering, as much as they're thinking about selling us products."
Modern security concepts found in IT are not always replicated in OT. The historically physical barriers in OT create digitization nuances not present in IT. But companies struggle more with the organizational convergence of IT and OT than with the technological convergence.
It's a common misconception that there's "no way we can push these industrial control systems [ICS] to where we pushed our IT systems. But believe it or not, if you pull those covers back, it's a Dell box, it's a Cisco switch," said McKenzie.
Protecting OT environments is a responsibility shared between IT and OT workers, as the perceived air gaps shrink with increasing digitization.
It boils down to a unified understanding of policies, processes and procedures across departments.
"Even though I may not be responsible for a specific OT asset and the security of that OT asset, I'm right there in the thick of it when they're deploying and designing and implementing it," said Mikhail Falkovich, director of IT at Con Edison, during the summit.
Converging IT and OT personnel
While IT and OT have been converging for more than a decade, the culture of cybersecurity is stuck in a silo, limiting the abilities of OT security practitioners.
"If [employees] know what the operating issue is, and it's operating weird, then that's one thing. But if they don't understand or cannot explain that operational event, then call me, call my team," said Falkovich.
Through joint training development, companies running OT environments can train users and control center operators in what to do in the event of a cyberattack. Employee awareness comes down to having the ability to differentiate between normal and abnormal activity within the IT and OT organizations.
"We need to invest in our human factors, and stop calling them as our weakest link," said Dr. Reem Al-Shammari, CISO of Kuwait Oil Company, during the summit. When technology fails, people become the first line of defense.
That was the case in the recent attempted hack on a water treatment plant in Oldsmar, Florida. A plant operator noticed remote activity manipulating levels of sodium hydroxide in the water before correcting the changes.
The incident raised the profile of OT security, especially in water utilities, said Thomas Kuczynski, VP of IT at D.C. Water & President at Blue Drop, during the summit. The failure of technology is only picked up by humans because automated patching is insufficient for modern-day, human-operated cyber campaigns.
The idea of conventional patching is outdated because now companies "have to worry about whether or not your patch is actually your compromise," said Kuczynski.
What OT CISOs need
Companies should not misconstrue the convergence of IT and OT as integration, where there's an expectation to segregate the two environments if an incident occurs, said Al-Shammari. They should, however, consider IT/OT convergence an aspect of business enablement.
OT and ICS environments already carry the burden of protecting public safety while also maintaining the critical infrastructure supporting society. These critical industries are still shaping what cybersecurity means in terms of how to digitize assets and segment appropriate networks.
"As we see the IT/OT key systems begin, and continue, to converge and become smarter, we really need to begin asking ourselves the questions: 'Are we engineering the security upfront? Or are we going to learn from the lessons of the past and engineering in the end and cost us more?'" said McKenzie.
There's only so much OT practitioners can do in their silo, but that changes when the entire IT/OT ecosystem "understands what the boilerplate rules of the game are from a cybersecurity perspective," said McKenzie. "When they're building the software, there's some fundamental things that need to be put in place," including defendable and self-healing code.
The cloud is enabling self-healing code, a concept thought impossible when OT digitization began. But with underlying artificial intelligence and machine learning, "why can't we have it?" said McKenzie.
The cloud reduces infrastructure costs in IT and OT and enables data exchanges between the two environments. The technology also plays a role in segmentation for OT, yet without adequate authentication enforcement, critical ICS are always at risk.
Every update to OT is coming from the cloud now. However, more ingrained communication between once disparate systems introduces more risks from outside OT environments.
The key is ensuring the cloud has defense in depth and control layers for specific ICS use cases. "I'm always afraid, and I always put in so many barriers in place," to ensure the company has the appropriate operational capability for the business to run securely, said Falkovich.