The cybersecurity world changed forever on June 27, 2017, the day of the NotPetya attack. Masquerading as ransomware, the particularly vicious malware first surfaced in Ukraine but rapidly went on to destroy data on Windows computers all over the world, taking down whole data centers—and businesses—at a time.
What made NotPetya so devastating was its scope. Though the Russian military hackers who were its authors initially targeted computers in Ukraine as part of an ongoing conflict, NotPetya spread like wildfire, eventually generating more than $10 billion in losses.
But perhaps more significant for production environments was the loss of the idea that industrial control networks were somehow safe from such mayhem. Before that day, it was still possible for manufacturers to believe their operational technology would not be targeted by hackers; that their systems were air gapped, or at least separated to some degree, and therefore not subject to attack; that nothing much had ever happened, so it was safe to go back under the covers. There had been attacks that affected industrial controls before, but after NotPetya, the world looked very different.
Since then, the picture has darkened further. Not only are industrial control systems (ICSs) getting caught up in the random spread of attacks, but hackers are now specifically targeting ICSs, particularly in power and water plants and the oil and gas industry. More than 40 percent of ICSs were attacked at least once during the first half of 2018, according to Kaspersky Lab. The specter is that an intruder remotely logs into a plant and shuts it down by deleting all the backups and all the control logic.
And yet… “Manufacturers don’t feel like they’re targets,” says Mark Littlejohn, global leader of cybersecurity managed services for Honeywell. “That philosophy used to work but it doesn’t anymore.” NotPetya and the WannaCry ransomware attack prove you don’t have to be the target anymore. Bystanders can—and will—get burned.
In this new normal, the question has shifted from whether manufacturers need industrial cybersecurity expertise to how they will obtain it. The situation is difficult, if not dire. It is hard enough to find general information security professionals—reports cite a million or more unfilled jobs—never mind those who have any experience in the operational technology (OT) realm, where lives could be at stake if systems go down. So, what is a manufacturer to do?
In a nutshell, the options come down to these: Hire from outside, train someone from inside (from either the IT or OT side of the house) or use service providers/consultants to identify vulnerabilities, vet strategies and monitor operations. A fourth choice—and likely the best—involves mixing and matching among these options.
Industrial cybersecurity from the ground up
The field of industrial cybersecurity is essentially brand new, making it even tougher to find coverage. “Manufacturing organizations are finding it challenging to develop their own industrial cybersecurity teams,” says Barak Perelman, co-founder and CEO of Indegy, an ICS security provider. “They don’t have anyone to learn from.”
Larry Grate, director of technology for Nashville-based Premier System Integrators, learned ICS security skills on the ground almost by accident 10 years ago when he got a call from a desperate customer. A maintenance person had accidentally downloaded a rogue file that brought down the customer’s Maine facility.
“They were completely flat,” recalls Grate, who worked with the company to build an industrial demilitarized zone (DMZ) where traffic bound for the manufacturing network would terminate, and also helped put other protections in place.
More recently, Grate felt it was time to hire someone specifically for the ICS cybersecurity role. When the job was posted, the problem wasn’t getting resumes. “I had more resumes for that position than we have ever had on anything we have ever posted,” he says. The problem was that they weren’t the right resumes. “We had a number of people coming out of school with a master’s in cybersecurity, but they did not have any practical experience and did not come from a manufacturing background. We felt the learning curve would be too great.” It took a full six months to find the right person for the job and make the hire.
In fact, Grate might have gotten lucky. Especially in hot urban markets, “hiring may not be affordable,” says Edgard Capdevielle, CEO of Nozomi Networks, which provides artificial intelligence-based ICS cybersecurity systems.
Hiring a pure information security specialist—no matter how accomplished—is not likely to get the job done. Whereas the IT world might worry about data residing on 500 assets, the OT world needs to safeguard the reliability of 50,000 assets or more. When Jason Haward-Grau was chief information security officer (CISO) for an oil and gas company, he oversaw more than 28,000 OT assets that controlled refining and water flow processes.
“There are still things out there that are not working in a network; they don’t have an IP address,” he says. “You have massive numbers of legacy control systems that have never been managed in a consistent way. They sit below the IT waterline. How do you deal with that?”
Now CISO at PAS, an ICS cybersecurity vendor, Haward-Grau says manufacturers will have to hire or develop in-house skills sooner or later. “They have accountability for the safety of their plant operations,” he notes. “Cybersecurity is just another factor around safety.” Use services to vet and audit your ICS cybersecurity plan, by all means, he adds, but the basic function is core.
“You contract to get rapid bench strength. You need assessment and a plan. But then you have to figure out what is core, what needs to be kept close,” Haward-Grau says. Consultants can help guide your plan, leading you to answer questions, such as where the most urgent risk is. Answers to such questions will determine how many resources should be put in place. “Those decisions need to map to safety and business objectives.”
Grow your own expert
Cultivating an existing employee to handle ICS cybersecurity is an appealing option for many companies. The question there is whether to train an information security person on OT matters or train an engineer on cybersecurity.
“There are OT practitioners who are morphing into cybersecurity or you have IT security who are crossing over into OT,” says Patrick McBride, chief marketing officer for Claroty. “Both approaches are valid, given the current low supply levels of talent.” The wise approach, he says, is not to confine yourself to one discipline or the other but to keep an open mind.
Perelman is somewhat more prescriptive. The first step, he advises, is to find one or two good and experienced IT security professionals to lead the team because they will have the best perspective on where attacks generate. Next, augment the team with one or two OT engineers, who will bring to operations the message about the need for a cybersecurity plan and practices. This piece is critical, he adds.
“What we’re seeing is that the most important thing is not the expertise in cybersecurity. The relationship with plant managers is more important,” Perelman says. “Mixed teams are always best.” Too many times he has seen a company expend significant effort to install a good cybersecurity team, but the program failed because they didn’t have the relationship with the operations team. “Everything was moot,” he says.
Whether hiring an outsider or training someone in-house, there is always the perennial worry about someone poaching your ICS cybersecurity professional after you’ve invested in their training. There is no easy answer, Haward-Grau says—just the heavy lifting it takes to retain employees with hot skills.
At PAS, he devotes a major portion of his CISO role to the care and feeding of his cybersecurity team. “You have to make sure they are actually engaged in the company they work for. OT is the highest demand area. Retention is a significant challenge,” he says. He introduced a program of ongoing training (including desirable ICS security certifications) and a recognition of skills attained. “Everyone is rewarded and recognized.”
Haward-Grau’s team has stayed put—he has zero attrition at the moment. “It’s partly about culture and my team is at the heart of everything I do,” he says. “You challenge them to learn more, to keep current, to plan for the fact that people will leave. I help them with their careers.”
The experts interviewed unanimously agree that the hybrid approach is best when filling this increasingly important skill gap. Perelman of Indegy advises separating the assessment and identification of risk (which drives the creation of a strategy) and the mitigation of that risk (which links to internal execution).
Indegy works with organizations once they decide what their cybersecurity plan for the year will be. “Our experts will help them validate their plan with an architecture or strategy review,” he says. “Then the team executes it. Build your program internally but review it with an external partner.”