5 steps to cybersecurity success; start with communication
by Thomas Wilk
The industrial manufacturing space is one in which IT and OT infrastructures are increasingly converging. Plant teams want to ensure safe and reliable operations, with assets running as much as possible, and the ultimate responsibility for this lies with operations, maintenance, and the entire OT team.
However, OT networks and control networks tend to be primitive without security built in. They are built on implicit trust because they are built for specific functions, and with the lack of certain security controls—segmentation, access control, secure remote access, lack of patching—conditions exist for a perfect storm of attacks and intrusions.
Enrique Martinez is technical solutions architect for OT security of World Wide Technology, and offered his thoughts on how asset management and operations teams can approach OT security in a planned, effective manner that safeguards both assets and operations.
Step 1: Build trust between IT, OT, and engineering
It's a truism among reliability professionals that every reliability success story starts with the following statement: "This is how maintenance and operations started speaking the same language and coming to an agreement." The same is true in the world of cybersecurity, where key players include the IT, OT, and engineering teams.
"You cannot have reliable operations without the three of them," says Martinez, adding that building trust between the three teams is based on managing that ongoing relationship through conversation. "I'm a very big fan of a whiteboard—we will go whiteboard the system, lay it all out—and then once I have an understanding of that system, I'll bring in the security piece out, overlay it to them. I explain to them what it is that I'm doing and why. I am not pushing something on you as an engineer, but I'm explaining to you why we're doing this," and it usually involves risk reduction, ensuring the reliability and availability of the systems, and helping ensure that damage to those system is minimal in case of a security event.
"It's really more gaining an understanding, a level-set that this is where we are, this is where we are going to get to, and this is how we're going to get there together as a group— IT, OT, engineering, maintenance, I&C, whoever it is," adds Martinez. "Instrumentation and controls technicians are usually vital to those operations, and in my experience, having I&C technicians that understand what you're trying to do will help you get a lot further."
Step 2. Safety first
When establishing a rapport between IT, OT, and engineering, Martinez emphasizes that safety should be everyone's primary concern and central point of common ground. "For industrial systems, it's going to be safety— safety first. It's also going to be availability; we need to be able to continue operating. And then lastly, it's risk reduction as it pertains to safety and availability."
Often a reliability or maintenance engineer will approach the finance team for support in security efforts, as finance can help other plant teams quantify the value of risk reduction. "I've personally lived this where, we have an effort, whether it is due to regulatory compliance, or because it's an effort for reducing risk, and you go to a business unit, and you say, hey, we want to reduce this risk, we want to take this action, and it's just to make your operation safer and more reliable," says Martinez. "The first response that I get—and this is before we start having the true conversations and the relationship management part of the equation—their answer is, 'well, we've never been hacked, why do we have to make changes?' So, to me it's a race, you're constantly fighting all these different attacks that are coming in, and there's new ones coming in every day."
For Martinez, his approach to cybersecurity is that there's two types of entities, the ones that have been compromised, and the ones that are compromised and don't know it, and over the last few years, it's been proven that even safety systems can be vulnerable.