I had the pleasure of attending the RSA conference in San Francisco last week along with the PAS Founder and CEO Eddie Habibi. One of the largest cybersecurity conferences on the planet, this year’s event attracted more than 45,000 attendees. What stood out this year? For the first time, the keynote focused on the potential consequences of an attack on critical Infrastructure (power, water, fuel) in a multimedia, flashing-lights-and-all presentation.
Why was this significant? Responsibility for securing critical infrastructure is not just an IT problem, but an Operational Technology (OT) one, which has not traditionally been the focus of RSA conference speakers, vendors, organizers, and attendees. This newly emerging emphasis underscores the rapidly growing attention companies are paying to industrial cybersecurity.
We see many important trends in play that are propelling OT cybersecurity to the fore. IT and OT organizations, for instance, are working closer together to address cybersecurity, and they are having some successes in reconciling the competing priorities between these two different entities.
The OT space is different. It has different drivers (safety and process resilience as opposed to data protection), and the technology is highly bespoke and proprietary. This means companies need to operate differently as the IT assumptions for cybersecurity don’t work the same way in OT.
How do you address the heterogeneous, proprietary control systems within the process control network (PCN)? How do you secure the PCN if you don’t have an “evergreen” inventory in depth and reliable configuration baseline at that level? How long would it take for you to identify your risk to a published ICS-CERT vulnerability across multiple plant sites? How long would it take you to detect, identify and correct an unauthorized change made (deliberately or accidentally), and would it be in time to prevent a worst-case scenario? Most industrial companies have insufficient answers to these questions, which indicates the weak security posture found in most facilities.
Considering industry’s shift towards securing industrial processes and the attention paid it in the keynote, RSA still has farther to go in embracing OT cybersecurity. For instance, not a single booth this year had an OT-focused vendor. In all fairness the keynote and dedicated sandbox are certainly steps in the right direction.
Looking into the future, as an industry we must broaden the debate for cybersecurity professionals so that the information security profession understands how different these industries are. Doing so means making progress towards providing a holistic approach to support the businesses that deliver these critical services.
How is your organization bridging the gap between IT and OT? Are you seeing these winds of change?