Bill's Deep Dive: How Deloitte and Dragos' Cyber Risk Platform Converges IT and OT Security

By Bill Lydon, Editor, Automation.com

As automation technology gets more advanced, with more capabilities, so too does it come with an increasing number of cyber security vulnerabilities. This week's Deep Dive therefore revolves around the discussion I had with Sean Peasley of Deloitte & Touche LLP about the firm's recently announced cyber risk platform. The platform is enabled by Dragos, an Industrial Control Systems (ICS) security firm founded by industrial control system security subject matter experts from the U.S. intelligence community. As a partner with Deloitte & Touche LLP, Peasley serves as Consumer & Industrial Products leader for the Cyber Risk Services practice and has more than 30 years' experience helping organizations address their most pressing and pervasive cyber risk challenges. With experience in cyber risk management, cyber threat intelligence, cyber war gaming, identity and access management, privacy and data protection, and business resilience, focused principally on the consumer and industrial products industry, Peasley was able to provide extensive background on the industrial control system initiative.

Deloitte ICS Cyber Risk Management Model

“Deloitte started the cybersecurity practice almost 25 years ago and we are now the largest cyber risk practice of any organization globally, with over 3,000 people in the United States and 15,000 globally,” Peasley said proudly. He went on to explain how the company has a long history of working with clients to manage cyber security risk in many areas, including information technology, enterprise networks, and business systems, and how it has served a broad range of customers in multiple industries. Peasley's focus is on manufacturing.

Over the last several years, companies in production environments in manufacturing, as well as in utilities and oil & gas, have realized the need for a holistic cybersecurity approach. This has been normal operating procedure in the IT environment for the last 30 years, but hasn't always carried over to the OT arena. To remedy this, as Peasley explained, Deloitte & Touche LLP offers a turnkey service to users in manufacturing that goes across OT and IT systems for assessment, ongoing monitoring, and mitigation, helping clients assess, implement, and monitor security and strategies for resiliency. With years of experience and know-how in cyber risk, the firm is leveraging this expertise with the aim of enhancing the security of Industrial Control Systems (ICS).

Naturally, I peppered Peasley with questions on this fascinating offering. Let's go into our deep dive on Deloitte's cyber risk services.

Does Deloitte have people with actual ICS experience?

Peasley: Yes, over the last several years we've hired people with specialized skills and experience in various industries, including manufacturing, oil & gas, and utilities. Currently we have over 50 ICS specialists in the United States alone, and are growing significantly, with over 200 people around the globe.

As more organizations embrace the digital transformation, opportunities for interconnected manufacturing and automation-driven operations continue to emerge. Yet, along with these growing industrial IoT opportunities come new access points for cyber-attackers, especially when it comes to ICS and OT ecosystems. These ecosystems are often a patchwork of older technologies that were not built with security in mind. In fact, according to a recent Deloitte and Manufacturing Alliance for Productivity and Innovation survey, 50% of surveyed companies indicate they perform ICS vulnerability testing less than once a month and 31% say they have never done an assessment. It's hard for organizations to move beyond securing these systems to more advanced monitoring and response when they aren't applying basic cyber security fundamentals.

As a result of these challenges and emerging cyber threats, Deloitte built its new threat monitoring capability, enabled by Dragos' ICS and OT threat monitoring technology. This platform empowers organizations to better identify vulnerabilities in their ICS and OT ecosystems and to monitor for specific intrusions that might already be present. Armed with a more complete understanding of the threats and vulnerabilities within the ICS and OT ecosystem, Deloitte is working to help organizations increase cyber resilience through the development of scenario planning, cyber defense, and response capabilities.

How will PLC and DCS controllers be secured?

Peasley: The Dragos Platform is able to ingest data from across the ICS including network communications, logs, events from physical systems such as closed circuit television, data historian process information, and more. Deloitte personnel then use this data to make recommendations for better security and risk management in the environment. This helps PLC and DCS controllers benefit in two core ways:

  1. Their network communications are seen and analyzed passively in the platform
  2. Any logs from these devices, or alarms from systems such as alarm servers, can be ingested into the Dragos Platform

This helps operators have full visibility across their ICS, as well as quick notification on abnormal events and malicious activity.

Does this service work with edge devices (e.g. smart sensors, smart motor drives) on the plant floor?

Peasley: The Dragos Platform is IIoT ready to help enable visibility and threat detection. It can ingest any form of data, including the output of smart sensors, to get that visibility. The Deloitte team is well versed in edge devices and focuses heavily on smart sensors.

How does the threat monitoring aspect work?

Peasley: Threat monitoring across the industry works in four main ways:

  • Signatures
  • Baselines
  • Anomalies
  • Behavioral analytics

Each has its use. For example, signatures are less popular today, but they are still great for scoping the scale of an incident when tracking a known threat. Many competitors will leverage only one of those options, and the market has appeared to focus primarily on anomalies. While anomaly detection is very important, it does not require intimate knowledge of ICS - and is, in essence, creating a baseline that includes thresholds and time-to-alert on abnormalities, assuming that the baselines are created without any unexecuted threats present. Behavioral analytics is the most difficult method, because it requires knowledge of the ICS and what malicious behaviors would look like on that system. The Dragos Platform leverages all four types of threat monitoring, but its largest focus is on these behavioral analytics.
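To make the four approaches concrete, here is a small added example of my own (it is not Deloitte or Dragos code) that runs each style of detection over a constructed set of passively observed Modbus/TCP requests. The hosts, the traffic, the signature table and the `min_targets` threshold are all assumed for illustration; only the Modbus function codes are real protocol values.

```python
"""Four styles of ICS threat monitoring run over constructed Modbus/TCP events.

Added example, not Deloitte or Dragos code. Hosts, traffic and thresholds are
made up for illustration; only the Modbus function codes are real protocol values.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ModbusEvent:
    """One passively observed Modbus/TCP request (constructed, not a real capture)."""
    t: int        # seconds since the start of the observation window
    src: str      # client IP (HMI, engineering workstation, ...)
    dst: str      # server IP (PLC / RTU)
    fc: int       # function code: 3 read holding regs, 16 write multiple regs, 8 diagnostics
    sub: int = 0  # diagnostic sub-function when fc == 8 (4 = Force Listen Only Mode)


WRITE_FCS = {5, 6, 15, 16}   # function codes that change controller state

# 1. Signatures: exact matches on known-bad content. Modbus diagnostics sub-function 4
#    silences the target device, which is why it sits in the (assumed) signature table.
SIGNATURES = {
    (8, 4): "Modbus Diagnostics / Force Listen Only Mode: target stops responding",
}

# Constructed baseline window (10 minutes): the HMI polls two PLCs every 5 s and the
# engineering workstation performs one scheduled write.
TRAINING = [
    ModbusEvent(t, "10.1.1.10", plc, 3)
    for t in range(0, 600, 5)
    for plc in ("10.1.1.20", "10.1.1.21")
] + [ModbusEvent(300, "10.1.1.50", "10.1.1.20", 6)]

# Constructed live window: normal polling plus an unknown host that enumerates
# three devices, writes to one and then knocks another offline.
LIVE = [
    ModbusEvent(5, "10.1.1.10", "10.1.1.20", 3),
    ModbusEvent(10, "10.1.1.10", "10.1.1.21", 3),
    ModbusEvent(12, "10.1.1.77", "10.1.1.20", 3),
    ModbusEvent(13, "10.1.1.77", "10.1.1.21", 3),
    ModbusEvent(14, "10.1.1.77", "10.1.1.22", 3),
    ModbusEvent(20, "10.1.1.77", "10.1.1.20", 16),
    ModbusEvent(25, "10.1.1.77", "10.1.1.21", 8, sub=4),
]


def signature_hits(events):
    """Signature matching: flags only what is already in the table."""
    return [(e, SIGNATURES[(e.fc, e.sub)]) for e in events if (e.fc, e.sub) in SIGNATURES]


def learn_baseline(events):
    """2. Baseline: the (client, server, function code) conversations seen as normal.
    Needs no ICS knowledge at all, and absorbs anything present while learning."""
    return {(e.src, e.dst, e.fc) for e in events}


def anomalies(events, baseline):
    """3. Anomaly detection: anything outside the learned baseline, benign or not."""
    return [e for e in events if (e.src, e.dst, e.fc) not in baseline]


def recon_then_write(events, min_targets=3):
    """4. Behavioral analytic: a client that reads from several devices and then issues
    a write is behaving like an intruder orienting itself, whatever its IP address.
    min_targets is an assumed threshold."""
    targets_read = defaultdict(set)
    hits = []
    for e in sorted(events, key=lambda ev: ev.t):
        if e.fc == 3:
            targets_read[e.src].add(e.dst)
        elif e.fc in WRITE_FCS and len(targets_read[e.src]) >= min_targets:
            hits.append(e)
    return hits


def monitor(live, training):
    """Run all four methods and return their findings keyed by method."""
    baseline = learn_baseline(training)
    return {
        "signature": signature_hits(live),
        "anomaly": anomalies(live, baseline),
        "behavioral": recon_then_write(live),
    }


if __name__ == "__main__":
    for method, findings in monitor(LIVE, TRAINING).items():
        print(f"{method}: {len(findings)} finding(s)")
        for f in findings:
            print("   ", f)
```

Run as-is, the anomaly detector raises five alerts (every request from the unknown host) but cannot say which of them matters; the signature names exactly one known-bad command; the behavioral rule isolates the single write that followed the enumeration. The caveat in the answer above also shows up directly: if the baseline is learned while the intruder is already present, `anomalies(LIVE, learn_baseline(TRAINING + LIVE))` returns nothing, while the signature and behavioral checks still fire.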

Studies show that the use of unvetted contractor personnel by the prime contractor is one of the biggest risks that these services could pose. How do you deal with this?

Peasley: We are a 160-year-old firm with a history of providing financial audit, consulting, tax, and advisory services to many of the world's most admired brands, including 80 percent of the Fortune 500 and more than 6,000 private and middle market companies. We have deep expertise in rigorously conducting background checks and vetting employees.

How does Deloitte help organizations increase their cyber resilience? What is the deliverable?

Peasley: We work with our clients to develop a more secure, vigilant, and resilient cybersecurity posture. With technology enabled by Dragos, we are better equipped to help our clients assess their ICS and OT environments, monitor for threats in the environment and then use that threat intelligence to develop/manage cyber risk management programs with ICS specific incident response capabilities.

Does IT and OT evaluation, planning, and protection differ? If so how?

Peasley: Very much so. There are skills in both IT and OT that should be leveraged, but at its core, the priorities and requirements of IT and OT require different approaches across evaluation, planning, and protection. Take the Dragos technology, for example. Already entirely passive in the ICS, it is ensuring that human defenders are positioned to make better and more timely choices. But simply deploying anti-malware and blocking technologies in an ICS, as you would in IT, can lead to negative effects on system availability and can contribute to very harmful situations down the road.

What kind of resources or time will a user need to put in for a complete threat assessment?

Peasley: Threat assessments internal to asset owner and operator environments will largely depend on the requirements and scope of the engagement. However, in Deloitte's experience, we find that the scale of these engagements is in the range of 4-24 weeks, depending on the client. With this new capability, we gain efficiencies through automated analysis and deeper insight into our client's environment. For example, the CyberLens tool from Dragos passively begins mapping the networked ICS, showing what is on the network as well as what communications or ICS protocols it is using. Deloitte's work can then be transferred directly into the Dragos Platform, providing a continuous monitoring solution.
