Virtualization Technology News and Information
VMblog Expert Interview: 1898 & Co. Talks Cybersecurity in Operational Technology


Back in May, President Joe Biden signed an executive order requiring a Zero Trust standard to improve the U.S.'s cybersecurity measures.  With his promise to allocate billions of dollars in funding towards improving security measures for critical infrastructures, many people are wondering what exactly this means.  

1898 & Co., a top cybersecurity consulting firm focused on operational technologies and critical infrastructures, has consistently implemented the Zero Trust approach in its cybersecurity solutions.  It starts with a comprehensive assessment of assets and the security measures in place.

To better understand things, VMblog reached out to Carmen Garibi, the Director of Critical Infrastructure Cybersecurity, Risk Management & Compliance at 1898 & Co., part of Burns & McDonnell.

VMblog:  Why is cybersecurity in operational technology such an important topic right now?

Carmen Garibi:  Cybersecurity is a recognizable topic.  Everyone practices cybersecurity in some fashion - on a personal basis, everyone is updating their patches on their phone or personal computers, and IT systems at work are covered with cybersecurity training and updates. An area that is sometimes left behind is operational technology - the rotating elements of a company's operation. This area doesn't often get the same attention because the technology in this space doesn't get upgraded or updated as frequently as the IT side. While organizations get new laptops every three years, operational technologies get installed to run their full life cycle and systems do not get updated or patched, leaving this space vulnerable to cybersecurity threats. The recent cyber-attacks in the news give insight into this situation as operations have been shut down due to the inability to have visibility into the OT environment after ransomware has been found.

A second reason OT cybersecurity is an important topic right now is the effect it is having on individuals' lives. From the Colonial Pipeline and JBS incidents, we recognize the downstream impact an attack can have.

VMblog:  What are the key / most important changes happening in the OT cybersecurity space?

Garibi:  The most important changes happening in OT cybersecurity now include:

  • Regulations to secure OT critical infrastructure
  • Monitoring and detection solutions that increase visibility into the OT network, monitor for anomalies and incidents, and provide alert mechanisms to advise when an incident is detected
  • Sharing threat and incident information across the industry

One of the best ways to establish a strong defense against cyber-attacks is sharing the incident information and threat information seen and experienced by organizations. If an incident or a threat is found by one organization, alerting others of that situation can better prepare entire industry sectors. This is not an established practice. Most organizations do not want to share the incident for fear of reduced market trust or because of the "no harm, no foul" mentality. The idea that an incident didn't cause any harm keeps organizations from sharing the threats they are facing, but this mentality needs to change for the betterment of the industry and defense against attacks.

VMblog:  Does regulation drive cybersecurity protection?  Should it?

Garibi:  The connection for a higher degree of security through regulation is definitely there.  However, as well-intentioned as regulation tries to be, regulation mostly drives compliance, not resiliency.  The argument can be made that true compliance should deliver resiliency, but sometimes regulation can take an organization down the path of meeting the minimum requirements vs. establishing a program that addresses the program. Nevertheless, we see that industries that do not have regulation often do not take steps to build cyber resiliency.  Regulation is certainly needed, to at least establish the need for an organization to begin their cyber resiliency journey, but it certainly shouldn't be the end-all of a cyber program. It should be the beginning.

VMblog:  What is the biggest gap in OT cybersecurity across critical infrastructure?

Garibi:  The two biggest gaps in OT cybersecurity right now are visibility of the OT network and sharing threat and incident information across the industry. Often, operators lack visibility into the OT assets and resources. If an asset or resource is not visible, it will not be able to be protected or establish defense. It would be the equivalent to not knowing how many access points are in an office building. It would be impossible to prevent unauthorized entry if there's no knowledge of where a bad actor can access entry. Additionally, sharing threat and incident intelligence is crucial. This is where industries can truly make a difference. Now, an experience of a cyber incident is often not shared. Imagine this information was shared and operators and organizational leaders could get proactive about their ability to secure aspects of their operations because of a peer's experience. This is a powerful way to establish a proactive approach to cybersecurity incidents. The new federal policies coming should enable more information sharing across all critical infrastructure, not only energy.

VMblog:  Let's get real, how difficult is it to implement an OT cybersecurity program that truly defends against cyber-attacks?

Garibi:  As with anything, it comes down to change management. OT cybersecurity shouldn't be a technology purchase, it shouldn't be about a single team managing an entire organization's cyber resiliency. It needs to be an organizational effort that will require people, process, and technology in combination, working together to secure the operation, its people, and its customers.

VMblog:  What do you make of the federal moves related to cybersecurity, does it make critical infrastructure more secure?

Garibi:  They are very important and meaningful. The attention that critical infrastructure cybersecurity is receiving is long overdue.  However, the current infrastructure bill doesn't go far enough with funding - at least on the current details. 

VMblog:  Finally, where does an organization begin with their OT cyber journey?

Garibi:  Two things:

  1. Baseline - begin by understanding what the current cybersecurity posture in OT is and what is missing.
  2. Gain visibility into the OT environment - it's important to determine the number of assets an organization has, where those assets are, how they are communicating, and what vulnerabilities they may have.


Published Wednesday, October 06, 2021 7:33 AM by David Marshall