AUGUST 2018

cyber security risks may not be external attack vectors, but rather internal. For instance, the 2017 SANS Security ICS Report notes that the top 3 attack vectors are (in order) 1) unsecured devices and "Things" (that cannot protect themselves) being added to the network; 2) internal threats (accidental or otherwise); and 3) external threats (hacktivists or nation states).

The SANS study does a great job of pointing out where the glaring issues lie. Having met with countless companies over the last decade, I can tell you that right behind these hardened and fortified perimeters, one usually will find a quite squishy (insecure) middle inside the perimeter defenses, and this is where the systems that run our lives sit (generating, transmitting, and distributing power; producing clean water, etc.). The bottom line is that, as an industry, our focus must shift from connectedness to secure connectedness. Ensuring risk management of our industrial plants and infrastructure is an overriding concern for everyone, and we need more understanding and leadership from CIOs and CISOs to understand the landscape, secure adequate funding, and take action.

Technologies and Services Exist that Can Help

The aforementioned cyber perimeters cannot protect against sophisticated threats or stop the carrying in of malicious software via SneakerNet. Within these operational networks, very little visibility into assets, vulnerabilities or communications exists, and operators have limited knowledge of what is normal and what is abnormal. For those ill-equipped to implement and maintain such technologies, managed services capabilities exist to deliver the same level of benefits at an optimized price point.

A few high-impact solutions (which are also provided as managed services) are:

OT Asset Management - By using passive technologies to gather detailed OT asset information, firms are able to gain visibility into what exists in their operational environments for the first time.

Vulnerability Management - Once firms achieve a level of visibility via OT Asset Management, the next logical step is to better understand what vulnerabilities exist, tied directly to the specific assets themselves. It's important to note that while there are IT-centric tools that perform these functions in IT environments, those tools are ill-suited to OT environments, which require passive and safe technologies.

OT Network & Communications Monitoring - The use of real-time monitoring enables defenders to keep intruders from establishing safe hiding places, discovering and moving through the system, and exfiltrating data, by scrutinizing ongoing system communications and identifying suspect data flows.

Might There Be Hope on Spending?

Gartner recently reported a 27 percent increase in 2018 IoT Security spending from 2017 levels. However, the same study also points out that the largest inhibitor to growth is a lack of prioritization and implementation of security best practices, and that this is expected to hamper the potential spend by as much as 80 percent.

If you talk to energy plant operators, it is clear that they are not looking to add cyber security skills to their resume. However, they do desire an appropriate, cost-effective plan for managing risks (such as cyber threats) so they can remain focused on safety and energy production. That sure seems like a reasonable request, and one that largely sits with CIO/CISO leadership to solve.

Every industry should shift their focus from connectedness to secure connectedness, ensuring risk management of our industrial plants and infrastructure

Matt Morris