Paul Rogers is the president and CEO of Wurldtech as well as the general manager of GE Industrial Cyber Security. For more information about Wurldtech, visit wurldtech.com.
When you hear a discussion about Industrial Internet of Things (IIoT) or Big Data Analytics, the topic of industrial cybersecurity is quick to follow. How do you view the relationship between IIoT and cybersecurity?
Historically, the introduction of technology into any consumer or business domain tends to drive rapid transformation, and the organizations that embrace new technologies have a better chance of creating and maintaining competitive advantage.
The IIoT represents the next big opportunity for industrial organizations. Because flow control operators can tap into rich analytics that reflect the state of their current operations, they will be able to optimize their existing processes, assets and production capabilities.
Cybersecurity comes into play because, necessarily, organizations need to be connected to the Internet and to other systems in order to reap the rewards, and whatever is connected needs to be protected. With any new technology comes risk, but the risk doesn’t have to get in the way. It just needs to be appropriately addressed and mitigated.
How would you rate the current level of cybersecurity awareness among the industry in general? What level of uptake are you seeing regarding the implementation of cybersecurity best practices and systems?
There’s a high level of awareness of cybersecurity when it comes to traditional information technology (IT) data, like credit card information, transactional data or intellectual property that resides in a document, but there’s still very low awareness of operational technology security. Operational technology (OT) — industrial control systems, process control systems, Supervisory Control and Data Acquisition (SCADA) and the like — is a whole different set of technologies, and a distinctly different culture of people operates those technologies. The awareness about OT security is growing, but slowly.
What role do you see standards and regulations playing in industrial cybersecurity now and going forward?
Standards and regulations are helpful because they provide definitional clarity and somewhat of a level playing field in terms of understanding dynamics that contribute to security. However, standards and regulations should not be confused with security. You can have all your ducks in a row with regard to regulation parameters, but in no way does it mean you are secure.
In a traditional IT security environment, people understand that regulations and standards are one thing, and security is another. In OT, there needs to be much more awareness about this distinction.
Traditionally there has been a bit of a divide between OT and IT in industrial organizations. How has the cybersecurity issue impacted this dynamic?
Now that the IIoT is taking shape and organizations are seeing the value of IIoT, it’s a forcing function for OT and IT to understand one another. That’s true for all technology disciplines, such as networking or access control, but particularly true for cybersecurity. Hackers are hackers, and they will use whatever means necessary to achieve their goal. There is no IT/OT divide for the adversaries, so IT/OT cybersecurity experts will need to learn to communicate and cooperate across their technology domains.
During the GE Minds + Machines conference in October 2015, one presenter categorized cybersecurity threats into four main categories: internal actors, hacktivists, organized criminals and nation states. How significant a threat does each of these categories present?
It would be easy to say that nation states pose the biggest threat to industrial organizations, but it only takes one disruptive event to bring a process control network down, and this disruption can cost millions of dollars and cause potential harm to human life. So even though we think about nation states as the primary adversary, an inside actor who makes a simple configuration error that is non-intentional and non-malicious could cause a significant disruption. Organizations need to strategically think about the problem from the perspective of any kind of disruption.
As we consider cloud-based and software as a service (SaaS) solutions for industry, some have said that end users should feel more comfortable about the cybersecurity of these solutions because so much time and effort is being focused on securing them. Others have said that cybersecurity should be viewed as a positive (enabler) rather than a negative (disabler).
No silver bullet exists for security because each organization must contend with the complexion of its own environment, and each organization has a risk tolerance that will be different than their cohort. Sometimes a particular SaaS solution might be more secure but sometimes a home-grown solution will prevail.
Place focus on the size and nature of your attack surface, and put into place measures that reduce that risk, quickly. For example, in an OT environment advanced technology exists today that can lock down your control processes and help ensure that malicious code cannot infiltrate your network. Security vendors have such technologies today.
Are there any specific industry segments applying cybersecurity well or not so well?
There’s no quantitative data to tell us this yet. I think it’s so early that many organizations are still getting up to speed with how to put foundational practices and technologies in place to reduce exposure.
What practical recommendations do you have for modern industrial organizations regarding cybersecurity?
The best way to get started is to implement technology that monitors, alerts, and blocks malicious or unauthorized traffic. This technology exists today, but I’m not talking about a traditional firewall. Security platforms today understand industrial protocols and commands and can be very precise in monitoring and controlling the flow of information and the specific commands across a process control network. This is the fastest way to reduce risk immediately.
How do you see industrial cybersecurity evolving during the next five to 10 years?
I think we’ll see a maturation of awareness, similar to how IT cybersecurity caught hold five to six years ago with the first big data breaches. Hopefully, organizations will realize that securing a process control network is quite different than securing a traditional IT network.
Questions for this interview were provided by Matt Migliore, the Process Flow Network’s senior editor, content marketing. He may be reached at firstname.lastname@example.org.