As IT and operational technology converge across industries, vulnerabilities to cyber-attacks increase. Businesses across the world have seen ransomware attacks increase year over year by 90 to 100 percent.
“Clearly, this is something that’s not going away,” says Megan Samford, vice president and chief product security officer of energy management at Schneider Electric. “We’re seeing targeted malware that has been crafted in a style of framework that is repeatable. And it’s targeting commonalities across industry, which could be certain protocols that are used throughout vendors.” The need for cybersecurity services is growing across the operational technology (OT) environment. To help address this, Samford and other Schneider executives met with analyst firm IDC to discuss how companies can prevent millions of dollars in loss by improving their cybersecurity solutions.
(Editor’s note: This webinar excerpt has been edited for clarity and length.)
What are some trends impacting OT cybersecurity?
Carlos Gonzalez, research manager of operational technology at IDC:
Looking at the industry trends that are really pushing the OT space forward, industry 4.0 and digital transformation are still the No. 1 moving factor for OT cybersecurity. By 2026, IDC forecasts that 49.1 billion connected IoT devices will be installed. Security teams will have a hard time ensuring that all these devices are protected as they get connected to the network.
The pandemic, of course, has brought on the rise of hybrid work. So, more people are working in remote areas or from home, which is adding new devices to the network. We need to protect these devices. And it’s going to be critical for it to make sure that these devices are secure and not vulnerable to attack. There’s also changes to the regulatory requirements as there have been increases in attack, especially on utilities and infrastructure.
The disappearance of air gapped systems is the latest last trend within IoT. A lot of OT operators want to believe that their old systems – their legacy systems – are air gapped. However, it just takes one device with one Ethernet or USB connection to make an entire network accessible.
How can we best protect OT systems from attacks?
The first, nontechnical step relates to cyber hygiene, best practice training, or revisiting policies to enforce secure modes of operation. Then the conversation will shift to technical controls, and it starts with visibility. So, running regular asset identification tools, and cross-referencing those results with vulnerability data, is always a great place to start. The analysis can be based on either best practices or international standards. In some cases, the industry or company specific standards is used as the baseline.
Jay Abdallah, vice president of cybersecurity solutions and services at Schneider Electric:
What we see is that a lot of the technology controls out there today must be used in conjunction with whatever the hygiene, or the program, is that the operator has in place. Once you have that visibility – once you understand precisely what it is that’s out there – you can then begin designing the most appropriate combination of host- and network-based controls for your environment to mitigate the risk.
If we recognize that operational stability and efficiency are always priority No. 1 in OT, that option to upgrade is not necessarily always on the table. So, if that were the case, based on the nature of the infrastructure or the budget, the technical controls that I would fall back to are a combination of zero trust technologies, perimeter access controls, and strong, host-based protection to reduce the risk whilst always maintaining operational uptime.
Should companies have a dedicated cyber expert or rely on external services?
Andrew Nix, regional cybersecurity business consultant team lead at Schneider Electric:
Depending on your organization’s size and what it is that you do, it’s important that you have an individual, a team or teams, with ownership of and responsibility for your people, your processes, and the technologies related to the operational cybersecurity of your organization. Someone that knows your company’s objectives and has the authority to make decisions on behalf of the organization for the safety, the resiliency, and the sustainability of its employees, as well as its IP and facilities.
With that said, this can be one of those things that’s far easier said than done. Especially when it comes to operational cybersecurity expertise – qualified individuals who are experienced with things, like programmable login controllers, SCADA, distributed control systems, safety systems, power and building management systems. They’re hard enough to find combined that with needing knowledge of OT specific standards, like IEC 62443, NIST 800, NERC CIP … and then how to apply those standards
Now, you’re really looking for a unicorn or a team of unicorns. And you’re competing with everyone else for them. Those skill sets are in very high demand.
So, when it comes to utilizing partners and trusted advisors in this space, it’s important to know that it’s OK to ask for help. Whether you’re just starting your digital modernization and need some guidance, or you have a large OT cybersecurity team and just need an outside perspective. You’re not alone. And this is why organizations like Schneider Electric offer to manage cybersecurity services to our customers to help supplement our customers in-house cybersecurity expertise. Either in the short term, while building teams, or long term as partnered advisors.
OT cybersecurity solutions
Learn more about the expertise available for applying cybersecurity solutions in various OT environments. Watch the webinar to learn how these solutions function together.