- By Melissa Landon
- April 05, 2021
Accenture hosted the virtual event on March 24, 2021. It featured conversations with leaders in the operational technology (OT) cybersecurity field, who shared how industrial organizations are conceptualizing risk, maximizing budget and implementing programs to overcome OT security challenges.
“We have seen a substantial year over year increase in the number of suppliers impacted by cyber attacks,” said Guy Delp, VP, Global Information Security at Pfizer, during his keynote speech at Accenture’s Operation Next event. “These are data breaches, operational disruptions and full-scale ransomware attacks.” He explained what he has learned about asset protection throughout the pandemic.
Accenture hosted the virtual event on March 24, 2021. It featured conversations with leaders in the operational technology (OT) cybersecurity field, who shared how industrial organizations are conceptualizing risk, maximizing budget and implementing programs to overcome OT security challenges. The event showcased speakers from Duke Energy, Norfolk Southern, Idaho National Laboratory, Chevron, Dominion Energy, Nozomi Networks, Forescout and Dragos.
Pfizer’s Delp shared what he’d learned about ensuring OT cybersecurity during the past year of pandemic disruption. He said the No. 1 question he’s been asked lately is ‘What’s the past year been like?’ The single best word I can use to summarize the past 12 months is ‘connection,'” he said.
Unite behind a common goal
Delp’s first piece of advice elaborated on that keyword. He recounted a story about former U.S. President John F. Kennedy Jr. to illustrate why the building of connection within a company is the beginning of the journey to protect its assets. Just after JFK had delivered his speech about why the U.S. was putting a man on the moon, he visited the NASA headquarters. Eventually, he came across a custodian who was mopping the floor. He asked the custodian, “What do you do here at NASA?” The man replied: “I’m helping to put a man on the moon.”
“That right there illustrates the feeling of being connected to a vision and a mission,” Delp said. In that case, the mission involved putting a man on the moon, but for Pfizer, the mission in 2020 involved delivering vaccinations against COVID-19 to world. Pfizer had 90% of its workforce working from home but needed to continue running its plants and research facilities 24/7. This presented a challenge, he said.
“We’re not just protecting assets,” Delp said. “These assets represent a product or a solution or, in some cases, a cure.” First, Delp recommended sitting down with the security team to ensure they understand they’re not just protecting controllers or data historians. Rather, “they’re defending the products, the energy production, the food, the medicine that we all depend on.”
Use only helpful metrics
Second, Delp recommended implementing helpful metrics. For example, counting how many tickets were closed in any given quarter or calculating how long it took to close those tickets are not helpful measures. ”Instead, spend time finding out how an incident really occurred so that you can fix systemic issues rather than just fighting the same battles over and over,” he said.
Ask your stakeholders about their security procedures
Third, Delp stressed the importance of asking suppliers and other third-party stakeholders security-related questions, such as: Are they enforcing multi-factor authentication? Do their admins use separate credentials for their critical work? Do they conduct robust security application testing? Are they tagging external emails so that colleagues know to take extra care opening an email from outside the company? “Hold your suppliers to the same security standards that you hold yourself to,” Delp recommended.
Fourth, Delp predicted that the future of security will rely on getting the fundamentals right. “Focus on the boring stuff, as uninteresting as it sounds,” he said. “A large majority of cybersecurity attacks happen because an attacker is able to exploit some fundamental weakness in a company’s security posture.”
What’s good for IT is often also good for OT
Accenture’s Operation Next event featured dozens of other speakers and closed with a second keynote. Dale Peterson, founder of Digital Bond and S4 Events, provided both a visionary and a practical preview into what the future of OT security may hold.
Peterson opened his talk by recalling a project he worked on with the Department of Homeland Security in which his team was charged with the task of creating the first intrusion detection signatures for industrial control systems (ICSs). After developing a solution, he and his team began presenting the results at various conferences and user groups. He was surprised with the feedback: attendees were worried that technology could bring down or cause an outage in the OT or control system.
“Actually, if you look at what is making a difference in the IT world, you can predict that it will be in the OT world in the next three to five years,.” Peterson said. He encouraged attendees not to be afraid of the solutoins IT departments are proposing. “When you hear the statement ‘That won’t work in OT,’ I want you to take a step back and say, ‘Well, wait a minute, I’ve heard that before, and it’s usually not right,’” he said.
In OT security, less is more
Peterson advocated for a “less is more” approach to OT cybersecurity. “We need to be thinking about this question: ‘How do we reduce the burden on our employees?’ Not, h‘How do we get them to do more?’” he said. In 1963, seatbelts were introduced in the United States, and in 1968, the law dictated that every car had to include them.
“Now, compare the seatbelt to the airbag,” Peterson said. “There’s nothing a person has to do; they climb into the car, and the airbag is working. We want our security program to be more like airbags and less like seatbelts. We want to rely on people doing the right thing as little as possible.” The solution is to bring more automation into OT security.
Focus on reducing consequences
While a lot of cybersecurity and OT security conversations often focus on reducing likelihood of an attack, Peterson suggests that such conversations should focus on reducing consequences. “Focusing on consequences makes discussions with executives a lot easier,” he pointed out. Likelihood can involve a lot of numbers and predictions, but consequences of an attack are more concrete and easier to explain. “If you reduce the consequences, you can decrease the maximum risk, even if there is still some likelihood.”
Several approaches exist for reducing consequences. You can use a cyber process hazard analysis (PHA) or another type of methodology. But simply put, you will be identifying bad results that would affect business and figuring out ways to prevent them from happening or figuring out ways to reduce how bad they would be if they did happen.
Did you enjoy this great article?
Check out our free e-newsletters to read more great articles..Subscribe