As operational technologies gain more computing power, they require security that’s similar to traditional IT systems, says Sid Snitkin, vice president, cybersecurity advisor services, ARC Advisory Group.
Snitkin was among a group of presenters who kicked off the ARC Industry Leadership Forum in Orlando on Feb. 6 with a cybersecurity workshop.
“The OT systems are becoming IT systems,” Snitkin says. “So all the capabilities that you would use to protect your IT, you do to your OT. You need IT-level security.”
Most companies have deployed firewalls and endpoint protection but haven’t invested in the people with security expertise and necessary training and the tools to manage those systems, which has created a gap in OT security, he says.
While technology is helpful, many session speakers, including those representing the chemical, oil and gas, and petrochemical industries, say effective cybersecurity requires better planning, training and communication across organizations.
Colonial Pipeline Lessons
Many companies mistakenly believe their OT systems will continue to operate without interruption if a cyberattack interrupts their IT operations, says Klint Walker, a cybersecurity adviser for Region IV of the Cybersecurity and Infrastructure Security Agency (CISA). He used the Colonial Pipeline hack as an example of how such misconceptions can send a ripple effect through the entire supply chain.
Walker explained how attackers gained access to the system on April 30, 2021, and lurked inside the network for 10 days, more than enough time to put safety systems at risk, steal 100 gigabytes of data and receive a ransom of $4.4 million. The breach left airplanes and emergency vehicles without fuel and diverted hazmat drivers from the chemical and industrial sectors to deliver gasoline.
The attackers obtained a former employee’s password, which that employee had reused as the credential for Colonial Pipeline’s VPN. Multifactor authentication could have added the extra security layer the company needed to stop the hackers, Walker says.
Companies also need to collaborate with their supply chain partners and develop contingency plans with alternate suppliers or vendors in the event of an attack, Walker says.
“Most organizations are really good at knowing when there’s a problem, and they’re also good at the other end of the spectrum of recovering from a disaster,” he says. “It’s everything in the middle that gets a little fuzzy. So, most organizations have to wait for a problem to become a disaster before they know what to do with it.”
Cybersecurity as a Strategic Focus
In a follow-up panel discussion, cybersecurity experts from Chevron, Exxon Mobil and BASF discussed current cybersecurity challenges and strategies in their industries.
“Most companies have some form of operational excellence philosophy, program, some established way that they measure their excellence against both their competitors and internally, and I think one of the most important things you can do in this space is to make sure that security is part of that excellence metric,” says Kenny Mesker, enterprise OT cybersecurity architect at Chevron.
He adds that companies must incorporate cybersecurity as part of their overall safety strategy. It also requires buy-in from the executive suite. Many C-level decision makers are more concerned about impacts to their finances or reputation. They are seeking assurance that nothing bad will happen.
“I’ve had this conversation time and time again – that’s not risk,” Mesker says. “That’s just the impact part. That will never go away. You can spend a trillion dollars on cybersecurity, and that picture won't go away. That's still a potential impact no matter what. So reframing that conversation with executives has been a big part of the digital transformation for the last five years or so.”
Instead, the conversation should focus on the effectiveness of cybersecurity defenses and return on investment for those strategies, Mesker adds.
Cybersecurity also must align with digital transformation efforts. Cybersecurity experts, engineers and business leaders need to be involved in the digitalization planning process to balance results with security, says Richard Eckhart, industrial IT cybersecurity manager, Exxon Mobil.
“We don’t want to go too cyber secure where we erode the value of the business opportunity, so that balance of what’s the fit-for-purpose/fit-for-risk approach is something that we’re continuously evaluating and we utilize our governance capabilities to make sure that we’re acting on informed decisions,” he says.
Digital policy frameworks should be flexible enough to enable productivity but rigid enough to mitigate a certain amount of risk, says Glenn Aydell, team lead, industrial networking and automation security, BASF.
“Create a defensible architecture, and evaluate whether the new whatever it is going to put that defensible architecture at risk, and in most cases you can find a solution that does not increase the risk to your environment,” Aydell says.
Echoing what Walker from CISA said in the earlier session, Aydell says it’s important to determine how risk in one part of the organization will affect the others.
“Yes, we may still be able to create chemicals if the IT systems completely shut down, but can we print the bill of lading, can we ship that product, is the logistics system down? So there are dependencies there, and a requirement for collaboration between the IT and OT side and then finding a balance.”