Protecting your kingdom: Tom Jackson on safeguarding operational technology
Brendon Rod
IAM Resilience Evangelist | Startup Aficionado | Go-to-market Architect
Think of your business like a kingdom. In the center is the castle: the office space where your IT resides.
The next layer is the village, the home of your operational technology (OT) such as your manufacturing plants and stores.
Both of these areas need cybersecurity protection, but OT security has historically lagged far behind IT security.
Tom Jackson has spent 30+ years driving resilient cybersecurity ecosystems for industry. He sat down to explain why operational technology has taken a backseat - and why protecting it is critical for your business.
OT is where you make money
Many of today’s cybersecurity solutions target enterprise - the land of IT.
But on the other side of the coin is OT, your operational technology.
Virtually every company is underpinned by a robust operational technology component. If you make, manufacture, sell, pump, boil, or produce any sort of product to make money, that is the operational side of your business.
According to Tom Jackson, your OT could comprise anything from an oil rig to Disneyland.
“I think the three items that come to most people's minds when I say an industry are going to be in the critical infrastructure, which is going to be things like power utility, oil, gas, chemical,” said Tom.
But that list goes on, covering anything from amusement parks to manufacturing plants to hospitals. Operational technology is extremely broad - and it’s everywhere.
Old tools are no longer cyber-secure
OT may last for decades, but the computer systems running it don’t.
A 30-year-old plant with a 30-year-old computer system is not going to be a guard against 21st century threats.
It can be difficult to explain to OT personnel why the computing systems need to be updated when the tool itself is still functioning effectively.
“You're going to see older computer systems. It's not unusual to find Windows 7 everywhere, XP everywhere. And the reason is that it is not seen as a computer system. It's seen as a tool. It came with the assembly line, and this is how I get the assembly line fired up in the morning. I go over to the tool and log in,” Tom said.
He used the analogy of a wrench.
“I bought a wrench 30 years ago, the wrench still works. Why do I need to replace the wrench? And so a lot of times that's kind of what we're up against,” said Tom.
But the fact remains that when it comes to the OT space, a tool you set up three decades ago simply isn’t going to cut it in the modern world of cybersecurity.
The rise of ransomware
When a risk begins to threaten production and income, people begin to take notice.
Updated systems and cyber solutions have slowly trickled down to the realm of OT. However, with them came cyberattacks and ransomware.
Only once attacks on big companies began to make headlines did the focus turn to OT cybersecurity.
“We had Stuxnet years ago. And being an OT practitioner I was thinking, this is the wake-up call. But Stuxnet quickly became an academic exercise, fell off, and you didn't really see a whole lot. But when ransomware started to show up in the last few years, suddenly you had the attention,” Tom said.
“It was shutting plants down. The board could not ignore it. You saw Maersk, the shipping line, you had Merck, the pharmaceutical. Just recently you had Kohl’s. These weren't little blips, these things.”
While OT is often last on the list to be considered for cybersecurity measures, it can be the first on the list to impact a company’s finances.
That disconnect is why Tom believes a sustained focus on OT cybersecurity is necessary.
The risks depend on what you’re making
There are hundreds of different types of OT. Each has its own risks attached.
When you look at OT, the risk varies. For example, the risk for a person manufacturing sneakers is going to be a different risk than somebody running a chemical plant.
They're running the same gear, the same equipment from the same vendors, with the same problems. But at the end of the day, their risk appetite will dramatically change just because of what they do and what they manufacture.
Manufacturing tends to focus on risks to personnel - such as safety - but overlooks other risks.
“There's a tendency to assume there are no exposures in the plant. All risk doesn't have to be life and limb. It can just be production shutdown,” Tom said.
The first step to overcoming OT vulnerability is being aware of what those risks are.
IoT revolutionized OT
Historically, everything was done manually in OT. Often, it literally involved checking boxes for compliance.
“One thing that I found interesting for the first 10 years, nothing changed. It was Groundhog Day. Every day we would go out, we'd see the same things. The same report, and every day was the same.
Part of the problem at the time was that it was very manual, very subjective, very qualitative. These assessments were kind of a check box under the compliance report, so it was check the box, move on. So a lot of people weren't really reading them,” Tom said.
In the OT world, as long as things are up and running, everyone is happy.
With the growth of the ‘internet of things,’ data became king. Companies started looking at IoT and how to implement it in order to gain access to rich data analytics.
This data became vital for informing process improvements and predicting maintenance.
This was another part of the wake-up call for executives and business leaders who became aware of the value of implementing robust systems in the OT landscape.
“What happened was that all of a sudden now OT that may not have been on their radar is, because that device is going to have to be at the plant.
You're not going to run a vibration sensor in the corporate office. You're going to put it out. You're going to run the IoT device in the plant. And that started to wake people up,” Tom said.
OT and IT converge on the cloud
The cloud has created new opportunities to mine data from OT together with IT.
The promise of the cloud is a ubiquitous understanding of your entire company, thanks to the rich data and innovations that come from cloud-based applications.
However, the cloud was primarily designed for enterprise IT systems, not long-standing OT systems. And with the cloud, outdated systems just aren’t going to cut it.
“The cloud was built for the enterprise. The cloud was built for these types of products, these servers, these systems, the OSI model. The cloud wasn't necessarily built to take on Modbus and BACnet out in the plant. And so there's going to be a little bit of a delay as people try to address that gap right now,” said Tom.
In order to access all that rich data, both need to be updated together under one strategy. This is where experts like Tom come in.
“I can't just land the cloud on corporate and have a hundred plants still sitting in the 1990s. I need to get that data out. I want to get that benefit,” he said.
This means there needs to be a comprehensive roadmap for both IT and OT systems to move onto the cloud together, in a way that suits both functions.
Such a change needs to be proactive from the very top - not a situation where you wait for things to go wrong.
“I think right now what's holding back a little bit of the conversion is just that ‘I haven't looked at my OT environment in 30 years, and now I have to land the cloud in the next 30 days’. That's going to be really the wake-up call,” Tom said.
Seemingly overnight, Chief Security Officers who were accustomed to playing defense are being tasked with major undertakings in the attempt to play offense.
The 5 major threats to OT security
As mentioned, there are thousands of types of OT, each with its own purpose, structure, and systems. However, Tom has identified a number of common threats.
1. Segmentation
In the OT environment, buildings are often built over years. They might be acquired through mergers and acquisitions. What was a 100 square foot plant 30 years ago could now be a 10,000 square foot plant.
In these cases, segmentation is often secondary to design or non-existent.
“So things are added without what you would call a cyber strategy. They're built and expanded as needed. And in doing so, segmentation is often overlooked or it's assumed, because nothing's hooked together. But segmentation without design is almost as bad as bad segmentation,” Tom said.
2. Ignored Patching
Patching is essential for keeping systems protected against the latest threats. However, Tom has found over the years that many plants do not patch.
The reason? Because a whole plant can’t just be switched off and on like a computer without major disruption to production.
“Why don't they patch? It's not that these folks don't understand patching. They may not understand it as well as an IT department, but they do see it as part of IT and a necessary element to maintain uptime, availability, and safety. The problem they have is, think about it when you're in the office or you're at home and you get a patch.
When the patch is complete, there's a good probability you got to reboot your computer. Well, how do you do that in an operational environment? How do you reboot a power plant Tuesday at 3:00 PM because the corporate manual said patch? You can't,” said Tom.
3. End of life systems
If an OT system is still running a 1999 version of an operating system, patching simply won’t be supported. Replacing that system could mean updating the entire network, which is not always a viable option.
“Not patching is a bad thing because you're just giving the bad actors pretty much a blueprint to how to get into your network. The problem with patching is that sometimes an OT cannot patch if you have an end-of-life operating system that's no longer supported,” Tom said.
“So now I can't patch the OS. I can't patch the firmware. What do I do? Well, I can't just replace the $2,000 computer because the $10 million network runs on it.”
When patching isn’t possible, other creative defense strategies need to come into play.
4. User access control
In a plant, the system is there to keep the plant running. A whole team will need access to one system, rather than to personal files or data. This means that multiple users share access to one system, with one password.
“You've got one PC in a plant running 24/7 with three shifts, and there's 10 people to a shift. That's 30 people a day. Do they all have their own password?
No. They tend to share a common password because the keyboard and the PC are how I get the production running. So it's not viewed as ‘well that's my private business and nobody needs to see it.’ Everybody has access.
That's problematic, but again, from an environment, you do understand why they do it,” Tom said.
5. Remote access
Plants often have contracts with external vendors to maintain equipment, run diagnostics, and so on. Part of the contract with these vendors is access to the systems for analytics.
The issue arises when that remote access is tied to the vendor’s own systems, leaving the plant open to the vendor’s cyber systems. This is a catch-22, as vendor access is vital to the instant resolution of problems.
“From the environment, that makes perfect sense: uptime and availability. I don't have time to wait. I need access. So remote access is very common,” Tom said.
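The four operational problems above (ignored patching, end-of-life systems, shared operator accounts and standing vendor remote access) can be triaged from an asset inventory before anyone touches the plant network. The script below is an added example, not code from the interview or from Tom Jackson; the inventory, the zone names, the 90-day patch window and the severity levels are constructed for illustration, and the two end-of-support dates are Microsoft's published dates for Windows XP and Windows 7.

```python
"""Inventory-based OT risk triage (constructed example).

Scores each asset against the plant-floor problems discussed above:
patching that never happens, operating systems past vendor support,
one shared operator password across shifts, and vendor remote access
that is always on instead of on demand.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Published vendor end-of-extended-support dates. Anything not listed is
# treated as still supported for this example; extend the table for real use.
OS_END_OF_SUPPORT = {
    "windows xp": date(2014, 4, 8),
    "windows 7": date(2020, 1, 14),
}


@dataclass(frozen=True)
class Asset:
    name: str
    os: str
    zone: str                      # "ot", "dmz" or "corporate" (assumed zone names)
    last_patched: Optional[date]   # None means the system was never patched
    shared_account: bool           # one password shared across shifts
    vendor_remote_access: str      # "none", "on_demand" or "standing"


@dataclass(frozen=True)
class Finding:
    asset: str
    issue: str
    severity: str


def assess_asset(asset: Asset, today: date, patch_window_days: int = 90) -> List[Finding]:
    """Return the findings for one asset. An unsupported OS supersedes the
    patch-age check, because there are no patches left to apply."""
    findings = []
    eos = OS_END_OF_SUPPORT.get(asset.os.lower())
    if eos is not None and today > eos:
        findings.append(Finding(asset.name,
                                f"unsupported OS ({asset.os}): patching impossible, "
                                "needs compensating controls", "high"))
    elif asset.last_patched is None:
        findings.append(Finding(asset.name, "never patched", "high"))
    elif (today - asset.last_patched).days > patch_window_days:
        findings.append(Finding(asset.name,
                                f"last patch older than {patch_window_days} days", "medium"))
    if asset.shared_account:
        findings.append(Finding(asset.name,
                                "shared operator account, no per-user accountability", "medium"))
    if asset.vendor_remote_access == "standing":
        findings.append(Finding(asset.name,
                                "standing vendor remote access, should be on-demand and logged",
                                "high"))
    return findings


def triage(inventory: List[Asset], today: date, patch_window_days: int = 90) -> List[Finding]:
    """Assess every asset and order the findings by severity, then asset name."""
    findings: List[Finding] = []
    for asset in inventory:
        findings.extend(assess_asset(asset, today, patch_window_days))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.asset))
    return findings


# Constructed inventory for a hypothetical plant; these are not real hosts.
SAMPLE_INVENTORY = [
    Asset("line1-hmi", "Windows XP", "ot", None, True, "standing"),
    Asset("line2-hmi", "Windows 7", "ot", date(2019, 6, 1), True, "on_demand"),
    Asset("historian", "Windows Server 2019", "dmz", date(2024, 4, 20), False, "none"),
    Asset("eng-workstation", "Windows 10", "ot", date(2023, 11, 2), False, "on_demand"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY, date(2024, 6, 1)):
        print(f"[{finding.severity:6}] {finding.asset}: {finding.issue}")
```

The point of the ordering is the one Tom makes about the $2,000 computer running the $10 million network: the unsupported HMI cannot be patched, so it surfaces as a high finding that asks for compensating controls rather than a patch ticket nobody can act on.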
OT is getting its own tool belt
Historically, OT security work has been a manual process. In recent years, tools have been emerging which are specifically designed for the OT environment.
This means improved data and understanding of that environment, feeding into a more robust cyber strategy.
“Earlier, everything we did was manual. If a client wanted us to do an asset inventory, if it was a chemical plant, it could be 10, 15, 20 acres. And we'd have to have people out there with a clipboard handwriting it, transposing it to Excel. Because there were no tools. Now there's new technology and that's going to go a long way because it can be implemented in the network. And now the OT is starting to benefit from some of those hardware advances in IT,” said Tom.
These newest tools are in some cases OT-specific, which is going to go a long way to help companies get insight into the legacy state of those networks.
The other benefit lies in data production. Instead of a subjective report, objective data will help businesses build a more effective strategy.
“It's going to be: here is what's going on in my network. We have these misconfigurations, we have all this, stuff's talking to the internet. I can tell you because I have network traces,” Tom said.
“This is going to go a long way, I think, to help close the gap by putting OT onto a legitimate cyberstrategy for the long term.”
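Network traces turn both the segmentation question from threat 1 and the asset-inventory problem from this section into objective data: which hosts live in the plant zone, which of them talk to the internet, and which industrial-protocol sessions originate outside the plant. The script below is an added example, not code from the interview or a product Tom describes; the subnet boundaries, the six flow records and the flow-record format are constructed, while the port numbers are the standard ones for Modbus/TCP (TCP 502) and BACnet/IP (UDP 47808).

```python
"""Passive OT inventory and segmentation check over flow records (constructed).

Each record is "timestamp src sport dst dport proto". Zones are defined by
address ranges that are assumptions for this example; adapt them to the site.
"""
import ipaddress
from typing import Dict, List, Tuple

# Assumed site addressing: plant floor, corporate office and a plant DMZ.
ZONES = {
    "ot": ipaddress.ip_network("10.20.0.0/16"),
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.30.0.0/24"),
}

# Industrial protocols the cloud "wasn't built to take on", keyed by (proto, port).
ICS_PORTS = {("tcp", 502): "Modbus/TCP", ("udp", 47808): "BACnet/IP"}


def zone_of(ip: str) -> str:
    """Map an address to a named zone; anything outside the site is 'external'.
    Explicit ranges are used rather than ipaddress.is_private, which also
    treats documentation ranges such as 203.0.113.0/24 as private."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line: str) -> Dict[str, object]:
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto.lower()}


def analyze(lines: List[str]) -> Tuple[List[str], List[Tuple[str, str, str]]]:
    """Return (sorted OT assets seen on the wire, findings).

    Findings are (timestamp, kind, detail) with kind one of:
      ot_to_internet  - a plant host talking to an external address
      cross_zone_ics  - Modbus or BACnet reaching the plant from another zone
    """
    ot_assets = set()
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        szone, dzone = zone_of(f["src"]), zone_of(f["dst"])
        # Passive inventory: every plant-zone address that appears is an asset.
        if szone == "ot":
            ot_assets.add(f["src"])
        if dzone == "ot":
            ot_assets.add(f["dst"])
        if szone == "ot" and dzone == "external":
            findings.append((f["ts"], "ot_to_internet",
                             f"{f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}"))
        proto_name = ICS_PORTS.get((f["proto"], f["dport"]))
        if proto_name and dzone == "ot" and szone != "ot":
            findings.append((f["ts"], "cross_zone_ics",
                             f"{proto_name} from {szone} host {f['src']} to {f['dst']}"))
    return sorted(ot_assets, key=ipaddress.ip_address), findings


# Constructed flow records for a hypothetical plant; not captured traffic.
SAMPLE_FLOWS = """\
# ts src sport dst dport proto
2024-06-01T03:12:44 10.20.5.14 49152 10.20.5.2 502 tcp
2024-06-01T03:12:51 10.10.8.77 51000 10.20.5.2 502 tcp
2024-06-01T03:13:05 10.20.5.14 49153 203.0.113.9 443 tcp
2024-06-01T03:13:20 10.10.8.77 51001 10.10.1.5 445 tcp
2024-06-01T03:14:02 10.10.8.90 51002 10.20.6.30 47808 udp
2024-06-01T03:14:30 10.20.5.14 49154 10.20.1.10 123 udp
""".splitlines()

if __name__ == "__main__":
    assets, found = analyze(SAMPLE_FLOWS)
    print("OT assets seen:", ", ".join(assets))
    for ts, kind, detail in found:
        print(f"{ts} {kind}: {detail}")
```

Run against real flow exports (a firewall or a span-port collector), the asset list replaces the clipboard inventory and the findings list is the "here is what's going on in my network" conversation: a corporate workstation opening Modbus sessions into the plant is exactly the segmentation that was "assumed" rather than designed.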
Cyber awareness is the best weapon
The key to protecting OT is to educate every employee on the importance of cyber.
Operational personnel should understand that cybersecurity maintains the functioning of their operational site, rather than inhibits it.
“Explain to them that cyber can help mitigate risks that can shut systems down that will impact uptime, availability, and safety. It's not cyber for cyber's sake. Cyber is another dimension of maintenance.
If you get hacked and you go down, and you go down in a non-elegant way, is that going to be detrimental to safety? Yes. Then let us work together on seeing what the cyber issues are,” Tom said.
Ultimately, cybersecurity in OT should be at the forefront of cyber strategy design.
Hackers and ransomware attacks won’t discriminate between OT and IT. That means your security program shouldn’t favor one either.
We’re stronger together.
Keep connected with Cybersecurity Heroes at Apple Podcasts, Spotify, Stitcher and Google Podcast.
Catch all the links to the episode below.
Listening on a desktop & can’t see the links? Just search for #CyberSecurityHeroes in your favorite podcast player.
Sounder: https://cybersecurityheroes.sounder.fm/episode/operational-technology-security-tom-jackson
Apple: https://podcasts.apple.com/us/podcast/cybersecurity-heroes/id1559807252
Spotify: https://open.spotify.com/show/5mHFCbw5R2AsfyiSGwYlre?si=-Pj9muHES7Kh1EH7gnkrLQ
Cyber Security Heroes is brought to you by IRONSCALES.
An email security platform powered by AI, enhanced by thousands of customer security teams and built around detecting and removing threats in the inbox.
We offer a service that is fast to deploy, easy to operate and is unparalleled in the ability to stop all types of email threats, including advanced attacks like BEC, ATO and more.
Learn more at ironscales.com.