It seems as though every week we’re alerted to a new cybersecurity breach impacting another industry. Unsurprisingly, organizations across the globe—particularly those in critical infrastructure such as power and water providers—are responding by acting quickly to better secure their operations and assets against external intrusion. However, there is a wide variety of cybersecurity solutions available, and identifying and engineering the right ones can be overwhelming.
Dragos, an expert organization in industrial cybersecurity, hosted a webinar, “Five Key Questions to Accelerate your OT Cybersecurity Program”, to help industry leaders better navigate the complex world of industrial cybersecurity. David Foose, Emerson’s security solutions program manager, joined Erik Anderson of McAfee and Josh Carlson from Dragos to dig deeper into the complex decisions any organization faces when implementing a cybersecurity solution.
Chasing “proven” cybersecurity solutions
The panel explained that while many people are looking for “proven” cybersecurity solutions, the term “proven” is fleeting. Industrial control systems often run for decades. Over that time, cyber threats will change constantly, and defense systems must evolve along with them. Josh elaborated,
“Just like with safety and reliability, this is going to be a journey or a continuous improvement process that begins with a comprehensive assessment of data points to gauge your level of visibility, detection and response effectiveness.”
David explained that a key part of that process is understanding what you have, how you can leverage it, and where you need to go to ensure cybersecure operations,
“When you understand your current inventory, you know when to purchase and implement a solution to fill a gap and when to use and extract value from what is already there. The key to starting the cybersecurity journey is to match your immediate needs with solutions, then build upon that foundational platform to add more features as needed.”
Partnering for success
However, selecting the right mix of solutions can be complicated and overwhelming, and that complexity is magnified when plants consider the additional maintenance effort that security solutions can generate. David explained how a strategic partnership can help an organization build confidence when turning a cybersecurity audit into a targeted action plan, and can help it maintain and support security solutions over the many years they will likely run.
“Aligning yourself to a particular company or group has to do with much more than technology. Supply chain, ability to support, and culture can factor heavily into any decisions for long-term business partnership.”
Josh and David also exposed two common myths about cybersecurity solutions: that they can be one-size-fits-all or that they are set-and-forget. Users and organizational culture play a key role in the success of any solution, and cybersecurity technologies must be tailored to fit the unique dynamics those factors create in any plant. David explained,
“Even the most technically sound and optimally configured product can be thwarted by two primary failings: lack of monitoring and business exceptions. Organizations that fail often put too much faith in the product or solution alone.”
Up-to-date solutions are strong solutions
One solution to this problem, Erik shared, is actively and regularly maintaining existing cybersecurity systems. But solving it also requires getting people involved in supporting cybersecurity initiatives. It is important to find ways to bridge the gap between OT and IT stakeholders, and that often means giving each group space and authority to do what they do best. Erik explained,
“OT stakeholders need to keep the system running. IT stakeholders, in the context of cybersecurity, specialize in preventing attackers from disrupting system operations or extracting data.”
While the two groups use different methods, their goals clearly overlap. Asking questions and then actively listening to the answers helps build the bridge to effective collaboration.
Emerson provides a wide range of cybersecurity solutions, from advanced cybersecurity services for control systems to consulting services to help identify vulnerabilities, close gaps, and secure your entire automation architecture.
To learn more strategies for effectively implementing cybersecurity in an industrial setting, you can watch the webinar on demand. You can also visit Emerson’s industrial cybersecurity page to learn more about the best practices and technology solutions for implementing effective defense-in-depth layers.