You're listening to the RSA Conference Podcast, where the world talks security.
Hello listeners and welcome to this edition of our RSAC 365 Podcast series. Thank you so much for tuning in. I'm your host Kacy Zurkus, content strategist with RSA Conference. Today, I am joined by Ian Bramson, who is the global head of industrial cybersecurity at ABS Group, for a follow-up conversation to his RSA Conference 2022 session, The Cyber Physical War – Lessons From the Front Line.
Before we get started, I want to remind our listeners that here at RSAC, we host podcasts twice a month, and I encourage you to subscribe, rate and review us on your preferred podcast app so you can be notified when new tracks are posted. So now I'd like to take a moment to ask Ian to introduce himself and maybe give us a little bit of background on his session from the conference in June before we dive into today's topic. Ian.
Great. First of all, thank you very much for having me. I very much enjoyed giving the presentation at RSA and I thank you very much for having me on. I'm, as you mentioned, the global head of industrial cybersecurity for ABS Group. We focus on managed services and consulting services specifically for the industrial or the OT environment for critical infrastructure. So I've been here about three years doing that. Prior to that, I was at Siemens. So I have a fairly now getting more extended experience specifically in the OT environment.
We are super excited to have you today. Your session was a super popular one at conference, as the security of critical infrastructure and the industrial sector grows in everyone's understanding of why it's important. But I think the session in particular, folks, if you haven't listened to it, it's available in our library. Definitely go check it out. But Ian, at the start of your session, you mentioned some conversations that you had had with folks at RSA Conference and people had questions why you were talking about OT at RSA Conference, because it's an IT venue.
You said that you thought that was kind of messed up, which made me chuckle. But at the same time, it does kind of beg the question, why are people having this conversation? So can you share for our listeners why OT is indeed a necessary part of the conversation, particularly why there needs to be more education about what is happening in the cyber physical realm?
Sure. Well, what we're seeing a lot more now, especially in the last few years it's picked up, is that attacks are going not just in the IT realm, but a lot of the attackers are expanding into the operational technology space. They're using at the beginning some of the same tactics and techniques that they would on the IT side, but they're now applying those into the OT environment and you'll have some attacks that what we call is OT bleed. There's an IT attack that then has OT consequences.
Then you start seeing a lot more pure OT attacks, things designed for that industrial environment. So the attackers are expanding what they're doing. There's been a history of attack on OT, but it's been picking up more in the last couple of years. So it now needs to be much larger part of the conversation because it's no longer just an IT focus or primarily an IT focus. As the attackers fill the space that's available to them, which is on that OT side, a lot of that game is changing. It becomes a lot more, as you mentioned, cyber physical, real world impacts of a cyber attack.
So you shut stuff down, you blow stuff up, you slow stuff down, et cetera, things that are happening in the real world. That's a game changer in the realm. It is related to the IT world because, for several reasons, one, it's related because a lot of the attacks come from IT into the OT space. Two, a lot of the senior management does not necessarily delineate between the two, so they've been turning to the IT professionals, the CISOs and the heads of IT, to go over and to really manage the problem. That is causing some stress in the IT world because [inaudible] it's a whole different kind of space, but they are more and more being delegated the responsibility to protect those industrial bases.
One thing that I thought was really interesting that you pointed out in your presentation also was the sheer number of attacks on critical infrastructure and OT environments, which certainly, as you point out, extends far beyond Colonial Pipeline, which I think is unfortunately sort of where people's minds go to when they think about attacks on critical infrastructure, oh, there was that big one at Colonial Pipeline. There's a lot more that is happening and has happened in the past two years. Could you maybe talk about those attacks and the cybersecurity risks that you have seen in the industrial space?
Sure. You've seen an actual almost map, that evolution or rapid adaptation into the OT space over the last couple of years, if you take it back to the Colonial Pipeline attack, which technically again was an IT attack, but they shut down the pipeline for a week. So it had an OT consequence. Although that was a warning bell to all of us, I often say it was a dinner bell for the bad guys, meaning they looked around and said, "Hey, wait a second. We can shut down a pipeline for a week? What else can we do?"
If you can see after that point, there are attacks on other parts of critical infrastructure. There are attacks on water supply. There are attacks on meat packing. There are attacks on power and energy, as there has been traditionally, but there was an uptick. As things went along, you also saw more vulnerabilities come out. Things like Log4j, which was both IT and OT but definitely had an OT element, which the government raised as a high vulnerability alert.
Then you also had things like Pipedream, which were specific attack sets for the OT environment, come out. Then of course you have things like the Ukrainian conflict, which also expedited things, where you saw that there were attacks on their critical infrastructure in Ukraine well before any physical attacks ever happened. Even beyond that, you saw very non-traditional engagements happening then. What I mean by that is I often call that one what we call a multiplayer game, meaning it wasn't just Russia and Ukraine. It seemed that everyone was jumping in.
You had people like Anonymous, the hacker group, actually declare war on a nation, which I don't think has ever really truly happened before, at least not at that level. You would have a lot more activity. You had attacks on different kinds of power grids coming out from that. So you can see that what's happening is the attack surface is changing and adapting and learning at a faster rate than it had traditionally into this OT space.
You also mentioned that you believe that it won't be long before OT surpasses IT on the priority list for many industrial organizations, yet some would question whether that's actually true. Can you explain your thinking there?
Sure. I said it's IT/OT convergence, the way I have said it in the past. It's not a convergence. It's the hostile takeover from OT to IT. What I really mean by that is within an organization, particularly the ones that have an industrial base; this wouldn't happen to someone who doesn't have an OT or industrial base. So this is talking about people who have manufacturing or production or delivery or anything that has that strong operational technology as part of their core business.
What I'm seeing out there in the market right now is that as senior management starts understanding the difference between OT and IT, your focus starts going to OT almost immediately because it's their base. If you're a power company, your turbines are your main source of revenue. Your pipeline, obviously it's the pipeline transportation, it's whatever mode you're using. So it's the core part of not only their revenue, but their identity.
So what I'm seeing more and more as we go out is they're saying, "Well, that's our crown jewels. I mean, that's how we make money. It sits right on our revenue." They'll often say things to me like, "Well, can you cover the IT as well because I don't want two shops covering me." You're covering the more important of the two. So what I'm saying, it's a hostile takeover. What I mean is at the senior management, the focus, the investment, the funding, the expectations, those will start shifting over into that OT environment being the main focus of where senior management wants to place its investments and its tracking and its accountability.
So at some point, that OT will be a wildly significant, if not the more significant, portion of those discussions at the board level. If it's a discussion at the board level up that much, then you better start learning your OT if you don't know it today. So that's what I meant by that, is that as it becomes more important, it sits next to revenue. We're already seeing the first parts of that and I can see that trend continue.
That leads me to my next question, because there's this trend that is starting, I would dare say, is that kind of the nascent stages as the hype and awareness around OT and cyber physical security is becoming more part of the conversation. Obviously that's going to result in change, right, eventually. But right now as you see it, because you talked about this sort of hostile takeover piece and the need for the board to understand that relationship and be able to allot investments in order to make those necessary changes. But right now, is the board getting the right message and is the budget matching the hype?
Or when should we expect to see that hockey stick?
Yeah, no, it won't. But right now, I would say most boards do not understand the difference between OT and IT. In fact, I'd go further. The ones that see an industrial base, when they're asking questions, oftentimes what I'll see is IT giving, or the CISO giving, an IT answer to maybe an OT question. When the intent of the board is saying, "Are we protected?" they often, or they may be, asking not about our enterprise systems, but about our industrial base, "Is it protected?" They don't really know what to ask. They think, "Are we protected against ransomware?", which is not often shown in the OT space at the moment, or they'll just ask, "Are we protected overall?"
The head of IT will go in there and say, "Absolutely, we're doing the X, Y, Z." I'll say all these great things that they're doing, but they'll be listing the stuff they're doing on the IT side. While on the OT side, they're often far less mature and they have far more exposures, but they won't be delineating the difference and the board does not know the difference. However, as attacks propagate, as more education goes out there, as more board members become more acutely aware of what that means, you'll see.
Now of course if there's some large events that will accelerate it, but there's only so long you can give IT answers to all the questions that they have. At some point, they'll be delineating between the IT and the OT and that's where questions about budget, that's where questions about authorities and resources will start coming into play between the two. It's not there now. You're starting to see it, but the time to start getting and acting on that, if you're in that IT world and don't pay attention to OT and just say, "Ah, it won't happen," or, "It's off in the distance," it'll catch up to you much faster than you think.
So in my mind, that is sort of a top down approach, right? We want the board to understand so that the investment is there. But what do both OT and IT teams need to understand, those who are in the trenches, so bottom up approach, what do they need to understand in order to protect industrial organizations?
Well, both sides need to understand probably a lot more about the other. If you're on the IT side and you've just been given the responsibility for protecting OT, probably the worst thing you could do is go over there and act like you know what you're talking about, because the people who are running the operations will likely be quite defensive. I've seen that time and again. But if you go in a more collaborative state, then you'll likely get much farther along. You also will likely need to partner with those, or hire to that, people who know OT well, who can speak that language.
You have to understand those environments are fundamentally different, how attacks form, what they're attacking. We often say on the OT side at the top layer, when you're getting into the OT networks, they look a lot like IT, they look a lot like computers. But as you get deeper into those networks, man, those things start looking a lot more like pieces of equipment and valves and devices than they do about any computer. At that point, you really need to know how to talk the operations language. You have to understand what's important to them.
Uptime is of the utmost importance. It's not confidentiality. There's not a whole lot of confidentiality on the operational side. It's all about the uptime. It's all about the accessibility. So these kinds of fundamental shifts are important. If you're on the OT side, you have to understand that the IT side has a lot to provide as far as experience. They've gone through a lot of these steps before and they can lend a lot of that in there. The ones that work the best understand this, but often and too often, it's more conflict than it is collaboration.
Part of my goal in having this conversation with you today is, how do we bring those groups together? So that in 2023 and beyond, the conversation is no longer that, oh, giving a talk on OT is an anomaly at an IT security event, right? So you have the ear of the IT community right now. Maybe there are folks listening from the OT community, but what are some of your parting words of wisdom that you can share to bring these groups together to be more collaborative, to help them understand each other?
Sure. Well, first thing is, I mean, we're all fighting the same fight. Bad guys are coming after all of us. So we need to work together, whether you're IT, whether you're OT. If you're IT, you want to learn that environment on the OT side, and as they mentioned, if you're OT, there's a lot of lessons to learn from the IT. So together it's much stronger. There's great data that can be shared between the two. Eventually, they're going to be forced to work together in a collaborative environment.
So the time to start is now. The threats are already evolving there. They're already expanding into that space. So we need to catch up and make sure that we work together in a very collaborative environment so that you do have strong OT tracks at every IT venue and you have the strong working groups and we can learn together because this battle is being fought in the networks and in the systems and in devices and in the equipment of our industrial sector. That's where the digital front lines are and we are all on the same side trying to fight it.
I love that it's very optimistic and hopeful and hopefully we will get there sooner rather than later, right? Because protecting our critical infrastructure and ensuring the cyber physical security of the industrial sector is hugely important. I know that many of our listeners and community share that goal. Ian, thank you so much for joining us today. Listeners, thank you for tuning in.
To learn more about industrial security, check out Ian's session in our library. To find products and solutions related to connected devices in OT security, we invite you to visit rsaconference.com/marketplace. Here, you'll find an entire ecosystem of cybersecurity vendors and service providers who can assist with your specific needs. Please keep the conversation going on your social channels using the hashtag RSAC and be sure to visit rsaconference.com for new content posted year round. Thank you all so much.