CEO IIoT Insights: How can you secure what you cannot see in an industrial enterprise?
As part of the CEO IIoT Insights Series, IIoT World’s Managing Editor, Lucian Fogoros, interviews the CEO of PAS, Eddie Habibi, about cybersecurity risks facing industrial companies in IIoT era.
Lucian Fogoros: How would you characterize the extent of the cybersecurity and technological risks currently facing industrial companies?
Eddie Habibi: Companies are flying blind when it comes to 80% of the cyber assets that exist within an industrial process facility. They lack sufficient visibility into what assets they have and how they are configured. Without this data, basic cybersecurity questions remain difficult to answer. For example, did an unauthorized change occur, where are my vulnerabilities, and can I recover quickly if the worst case scenario happens? What’s at risk? Production, safety, environment, brand reputation, and even personal liability are impacted if these systems are compromised.
Lucian Fogoros: Are certain types of attacks seen more frequently within smart manufacturers?
Eddie Habibi: Most CISOs with whom we meet are as concerned with the insider threat as they are with the outsider one. Insiders have access to the systems that can negatively impact production, safety, and corporate brand as well as have the knowledge on how to inflict targeted damage. What is missing is the will and disposition. It unfortunately only takes one.
Lucian Fogoros: With cybersecurity, are most of the industrial organizations usually reactive or proactive? Why?
Eddie Habibi: We are encouraged by the proactive measures taken by our customers in power and process industries. Over the last three years, we have seen an increase in board-driven initiatives to identify and secure industrial control systems. The challenge, however, is that most still rely on perimeter-based approaches to keep the bad guys at bay, while entrusting security by obscurity to mitigate risk further. What we know is that this approach no longer works – perimeter-based security is one email away from being breached, and attackers are becoming more familiar with the complex systems in an industrial facility having performed reconnaissance on these systems for years now. To illustrate, APTs such as Havex and BlackEnergy, had infiltrated thousands of organizations for at least two years before being discovered in 2014 and both remain in play today. In fact, BlackEnergy was the APT that established the initial network presence during the Ukrainian power attack in 2015.
Lucian Fogoros: Does the question of ICS security receive the necessary resource allocation among industrial companies that are involved in IIoT?
Eddie Habibi: There is definitely budget for ICS cybersecurity projects. The challenge organizations face is where to best allocate those dollars and focus attention. Clearly network segmentation is a good first step for many, but the cyber systems that draw the most spend tend to represent only 20% of the cyber assets that exist in a plant – namely the workstations, servers, routers, and switches. Organizations lack visibility into the remaining 80% with insufficient inventory capabilities to track assets and asset configurations. These systems include field instruments, I/O cards, PLCs, and other mission critical assets. How can you secure what you cannot see? Better automated inventory methods will give visibility into the systems most responsible for production and safety and will better support cybersecurity best practices, such as change, vulnerability, and compliance management.
Lucian Fogoros: What final piece of advice would you give industrial companies regarding mitigating the cyber security risks they face?
Eddie Habibi: Get a handle on all the assets in an industrial process facility – not just the IT-based ones, but also the highly complex, proprietary industrial control systems. With a complete inventory of all cyber assets, organizations can more appropriately take action to mitigate risk and at the same time improve operational efficiency.