Industrial Control Systems (ICS) allow operators to monitor and control industrial processes, including those in manufacturing, power transmission, oil & gas, and other industries. You can find Industrial Control Systems in lots of different places - from a precise formulation of a particular drug, medicine to running the power grid to building or managing the process of making recipes. Matt Morris, VP of Strategy and Products at NexDefence explains what cybercriminals are usually after, what are the most critical cybersecurity issues for an industrial enterprise that could arise as a result of making the most critical data Internet-accessible and other crucial aspects executives should be aware of in the upcoming years.
Carol Rudinschi: Your company is in Top 500 World's hottest Security companies according to the latest edition of Cybersecurity Ventures’ Cybersecurity 500. What are the key elements that helped your startup to be among the most innovative cybersecurity companies?
Matt Morris: There are a few things that I’m sure played a role in our high rating among all IIoT and ICS cyber security vendors on the Cybersecurity Ventures Top 500 list –
- Maturity – NexDefense was literally the first pioneer in the Industrial cybersecurity arena, and our technology has been around now for nearly 8 years. The development of that technology was originally funded and developed by the US Department of Energy in collaboration with Battelle Energy and Idaho National Labs in 2009/2010, and NexDefense gained exclusive rights to the technology. Since then, NexDefense has spent almost 6 years perfecting the original concept and technology. When prospects see our technology during demos, most of them will make remarks that Integrity Operations and Vision are the most mature solutions they’ve seen.
- Proven – NexDefense boasts the largest number of customers globally relative to our competition in energy (utilities, oil & gas), defense & critical infrastructure.
- Broad (and Deep) Visibility & Awareness – one of the greatest assets of the NexDefense Integrity platform is its ability to provide both deep and broad (wide) visibility and awareness. Stated differently, instead of simply providing security insights for a specific set of open and proprietary ICS/SCADA protocols, which is largely defined as deep visibility and awareness, NexDefense Integrity provides visibility and awareness of all communications (regardless of open or proprietary protocol), and perhaps more importantly, it provides insights and awareness around other points of risk that are present in the ICS/SCADA environment. In our experience, design flaws, misconfigurations, and system failures account for more than 90% of all events that may compromise the production and/or safety of ICS/SCADA systems, and NexDefense integrity uniquely provides that level of visibility and awareness.
Carol Rudinschi: Industrial control systems (ICS) are increasingly at risk of cybercrime today. What are the most critical security issues for an industrial enterprise that could arise as a result of making the process data Internet-accessible?
Matt Morris: In our experience, most companies are not (yet) to the point of allowing their most critical data to be internet-accessible. Of course, this is a different story for smaller, municipal water companies, utilities, etc. where they simply don’t have the headcount to maintain many, if any, additional equipment or systems. But it will likely be some time before medium to larger enterprises will make process data internet-accessible in mass.
That being said, one of the biggest issues that we are routinely discussing is the fact that the ICS/SCADA process data is the calling card for some of the most well-guarded (and secured), proprietary information on the planet. There are many companies who have extensive procedures and governance, and rightly so, for proprietary recipes such as the formula for Coca-Cola, or perhaps the exact formulation for a particular drug, medicine, etc. They will spare no expense to guard and secure these secrets from a data security perspective, and may even have other physical controls in place. However, some of these same companies may not fully comprehend how, when those recipes are transformed into a physical process, that the recipe that was previously stored and secured in a database somewhere is ultimately revealed. This means that companies should be investing into security controls that are purpose built on the ICS/SCADA side, just as they do on the IT side of the house Yet, many companies do not have the same level of ICS/SCADA security mechanisms and controls in place to protect their intellectual property.
Carol Rudinschi: What are cybercriminals usually after? What should industrial companies be protecting?
Matt Morris: When it comes to ICS/SCADA, you will see everything from nation-states (e.g. Russia, China, North Korea), to hacktivists, to disgruntled employees, and honestly speaking, the target and goals are as infinite as the attackers who perpetuate them. In the case of nation-states, the goal could be to disrupt something as essential as the power grid itself such as what Russia did in the Ukraine, or perhaps as an aid to a larger attack that contains both physical and cyber elements. For hacktivists, they are frequently playing around to see what they can and cannot do, and in some ways sharpening their skills for larger, paid for engagements. I consider many hacktivists to simply be an extension of nation-states as many times they become cyber attackers for hire (to the highest bidder). Finally, one can easily understand how disgruntled, perhaps terminated employees may want to put their stamp on a particular company, product, etc.
Carol Rudinschi: Where is the most sensitive data in an industrial organization?
Matt Morris: Without a doubt, it’s the intellectual property embedded in the process itself, because the process itself ultimately reveals very sensitive information, such as the recipe for various pharmaceuticals, or perhaps beverages, the types of materials used to construct certain products, and more.
Carol Rudinschi: What is the hardest part to secure a plant in the IT-OT convergence process?
Matt Morris: Honestly, the hardest part of securing ICS/SCADA systems is not so much a technical difficulty, although there can be challenges there for those who are ill-informed. The largest percentage of companies make the mistake of implementing what is easy/safe (from their perspective), which are usually IT-centric technologies in the OT domain. This goes over like a lead balloon, and then companies are left scratching their heads as to what happened and why they were not sufficiently protected when something bad happens.
The biggest/hardest issue today is getting C-level leadership and boards to understand that IT-centric technologies are not sufficient. In fact, I can make a great case as to why an ICS/SCADA visualization, monitoring and detection solution such as NexDefense Integrity should be the first purchase for ICS/SCADA environments… right behind the perimeter firewalls, but with the same level of certainty.
Carol Rudinschi: What is on the horizon for ICS security solutions in the manufacturing industry?
Matt Morris: There are a few capabilities that will make their way into the ICS/SCADA environments in the coming weeks, months, and years. At this point in time, we are seeing that most customers are at a relatively low level of maturity, so simply implementing some of the basic controls can go a long way. This includes getting a continuous and accurate asset inventory, change notification, visualizing the environment in terms of data flows and connectivity, various network topologies, and proper network segmentation. Once they get that under control, they want to begin digging into network analytics, and building in their first line of detection and alerting (either using signature-based IDS, behavioral, or both). Eventually, they may also begin to incorporate risk and threat-related analytics, though these are very early today and we find that they are not very good (yet).
Over time, the use of machine learning and artificial intelligence will continue to grow and evolve, and drive real value. We are all aware of the massive shortage of good cybersecurity talent globally, which some are estimating to be as high as 5 million by 2020, so solutions will need to leverage AI and machine learning for what they are best at, versus employing large teams of data scientists, which are also in high demand.