Featuring Jason Haward-Grau, CISO at PAS Global
“We’re chronically late to the party” starts Jason on stage “…because we’re still trying to learn the lessons from the last 10-15 years, while our adversaries are out there innovating.” He’s at CS4CA Europe 2018, speaking about securing industrial control systems (ICSs) by monitoring and detecting unauthorized change in the process control network (PCN). He asks the audience: “How many of you have a documented library of your ICS cybersecurity environment?” There is silence. “If you don’t, how do you expect your people to react when something goes wrong?” More silence. “If you haven’t defined what they should do when everything is good and easy, imagine when things get out of hand?” A slightly stunned audience stares back at him. He’s got their attention.
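The "documented library" Jason asks the audience about is the baseline that change detection in a process control network depends on. The script below is an added example, not code from the interview or from PAS Global: it models the library as a set of hashed controller configuration exports, compares a fresh set of exports against it, and classifies every deviation as an approved change (it matches a change record exactly), an unauthorized change, an asset missing from the network, or an asset the library has never seen. All asset names, configuration contents and the `APPROVED_CHANGES` record format are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Constructed baseline: the "documented library" of controller configuration exports.
BASELINE_CONFIGS = {
    "PLC-101": "setpoint_pressure=35\nhigh_alarm=42\ninterlock=enabled\n",
    "PLC-102": "setpoint_temp=180\nhigh_alarm=195\ninterlock=enabled\n",
    "HMI-01": "logon_timeout=15\nwrite_enabled=false\n",
    "SIS-01": "trip_level=50\n",
}

# Constructed exports collected from the network today.
CURRENT_CONFIGS = {
    "PLC-101": "setpoint_pressure=35\nhigh_alarm=42\ninterlock=enabled\n",
    "PLC-102": "setpoint_temp=180\nhigh_alarm=195\ninterlock=disabled\n",
    "HMI-01": "logon_timeout=30\nwrite_enabled=false\n",
    "PLC-103": "setpoint_flow=12\n",
}

# Constructed approved-change records (a hypothetical change-management export);
# each carries the exact configuration the ticket authorised, so a change is only
# "approved" if the device ended up in precisely that state.
APPROVED_CHANGES = [
    {"asset": "HMI-01", "ticket": "CHG-0042",
     "approved_config": "logon_timeout=30\nwrite_enabled=false\n"},
]


@dataclass
class Finding:
    asset: str
    kind: str   # unauthorized_change | approved_change | unknown_asset | missing_asset
    detail: str


def fingerprint(config_text: str) -> str:
    """SHA-256 of a configuration export: the library's record of 'known good'."""
    return hashlib.sha256(config_text.encode("utf-8")).hexdigest()


def parse_settings(config_text: str) -> dict:
    """Parse 'key=value' lines; lines without '=' are ignored."""
    settings = {}
    for line in config_text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def diff_settings(old_text: str, new_text: str) -> list:
    """Return (key, old_value, new_value) for every setting that differs."""
    old, new = parse_settings(old_text), parse_settings(new_text)
    changes = []
    for key in list(old) + [k for k in new if k not in old]:
        if old.get(key) != new.get(key):
            changes.append((key, old.get(key), new.get(key)))
    return changes


def detect_changes(baseline: dict, current: dict, approved: list) -> list:
    """Compare current exports to the baseline and classify every deviation."""
    baseline_hashes = {asset: fingerprint(cfg) for asset, cfg in baseline.items()}
    approved_by_asset = {rec["asset"]: rec for rec in approved}
    findings = []
    for asset, cfg in current.items():
        if asset not in baseline_hashes:
            findings.append(Finding(asset, "unknown_asset", "not in the documented library"))
            continue
        if fingerprint(cfg) == baseline_hashes[asset]:
            continue  # matches the library: nothing to report
        detail = "; ".join(f"{k}: {o!r} -> {n!r}"
                           for k, o, n in diff_settings(baseline[asset], cfg))
        ticket = approved_by_asset.get(asset)
        if ticket and fingerprint(cfg) == fingerprint(ticket["approved_config"]):
            findings.append(Finding(asset, "approved_change", f"{ticket['ticket']}: {detail}"))
        else:
            findings.append(Finding(asset, "unauthorized_change", detail))
    for asset in baseline_hashes:
        if asset not in current:
            findings.append(Finding(asset, "missing_asset",
                                    "in the library but not seen on the network"))
    return findings


if __name__ == "__main__":
    for f in detect_changes(BASELINE_CONFIGS, CURRENT_CONFIGS, APPROVED_CHANGES):
        print(f"{f.kind:20} {f.asset:8} {f.detail}")
```

On the constructed data this flags the disabled interlock on PLC-102 as unauthorized, records the HMI-01 timeout change as covered by CHG-0042, reports PLC-103 as an undocumented asset and SIS-01 as one that has gone quiet. The point of keying the approved change to an exact configuration rather than to the asset alone is that an open ticket for a device should not hide a different, unplanned edit made on the same device.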
After his presentation, we meet for an interview. He continues:
“A lot of organizations still have this notion of wanting to buy something shiny, exciting, and new to fix a problem.” A bit like asking the doctor for one pill that will make us healthier? I offer. “Exactly.” He accepts my metaphor. “But there isn’t one. The problem is that an IT space is relatively straightforward: you’ve got one body. In OT space, you’ve got somebody’s hand that might be 30 years old, a face that might be 15, and legs that might be 60 – which makes it incredibly difficult to create a unified fix.”
Understand your risks to prioritize
“Since there is no silver bullet, you need to start with the basics, by asking: ‘Do I understand my processes and risks?’” He emphasizes the importance of defining your risks, the likelihood of them happening, and their potential impacts. “Only once these things are clear can you prioritize.”
Intent: The problem and the solution
“In IT, we’ve come a long way improving its threat landscape and cybersecurity. The problem is human beings. They can make mistakes. Also, code is designed with one particular use in mind, but almost everything can be used for something bad. The intent changes the use of the code. If you don’t know you’re vulnerable to that, then you’re going to be exposed. IT has seen this with WannaCry and NotPetya, for example. They were really bad things, but nobody died. On the OT side of the house, there is the potential to create an environmental disaster and to impact people’s health and safety… which is why this stuff is so difficult to deal with.”
“IT change is expensive. OT change is exorbitant – because you’re changing a system along with vaults, piping, and cabling. You’re constructing stuff. An entirely new operating environment is hugely expensive. So a company will shy away from doing that, except once every 20 years or so, if it has to build a new plant (and normally those new plants are built off the back of old things). Adding to that, there is no drive to ensure that they have the newest and most secure technologies, because they want to go with what they already know and what has been validated.”
So, what to do?
“Understand your digital maturity – your people, processes, everything. Target your top five risks. Break them down step by step.” Before this sounds remotely straightforward, he adds: “Everyone’s risks are different, so it is important to understand your own, but remain aware that even your own risk profile changes. Organizations tend to do a risk assessment once a year. This is a problem for both IT and OT.”
“In IT, for the past 15-20 years, we’ve been used to managing change. In OT, it’s a bit more challenging because the changes aren’t just systemic. It’s actually fundamentally changing a process. And, if not executed correctly, that process could kill people.”
“IT-OT integration is a headache for many organizations.” Referring to CS4CA Europe, he adds: “One of the biggest takeaways from last night was to get someone who is OT into your IT team. You need collaborative governance, and you need to recognize that IT doesn’t know what OT does. Bring in people from OT who can speak the IT language, and pick a standard.”
“The challenge with cyber is that the risk is so complex and unique to every circumstance that it is very difficult to quantify. But ultimately, all complexities can be broken down.”
“Technology is not the answer. It is a component of the answer. There is no technology panacea. The key is starting from the basics and having strong foundations,” he repeats. Someone has taken the stage by now and starts to speak into the microphone, ending this interview… for now. The discussion will continue in 2019 at the Cyber Security for Critical Assets Summit (CS4CA) USA, with PAS as the official sponsor.