PS: As the new year starts, what are the two or three things that are top of mind for cybersecurity professionals like yourself?
DT: First would be visibility into OT security and knowing what needs to be secured. I’ve been in many facilities where I have been asked to help secure OT cyber-assets and systems like environmental monitoring, heat trace, DCS, SCADA, etc. But I have to go find them first, and this is a very labor-intensive exercise because existing documentation is either inaccurate or missing.
Once we identify what we need to secure, with the larger goal of having visibility into OT cybersecurity, we have to secure it. If we discover an electrical relay protection network that is isolated and is dealing with high voltage relays and protection, before we secure it, we need to ask a few questions: What software is on it, and are there patches available? Could we harden it? Are there settings we could remove?
Then we expand our thinking to include all the different domains that go into cybersecurity. That includes subjects such as authentication, remote access, patching, hardening, monitoring, and reporting.
PS: Are there other top-of-mind issues that are facing the cyber industry right now?
DT: Yes – incident readiness. Based on our team’s experience conducting cybersecurity vulnerability assessments and risk assessments, there are two things you need to be ready. First is having strong protective controls in place that reduce the probability of exploit, like authentication, firewalls, antivirus, and application whitelisting. That’s where most industries have invested for the last 10 or 20 years.
Next, you need strong detection and response capabilities, because that is what reduces the severity of an impact. We need to be able to detect if we’ve been exploited, or inappropriate use, or suspicious behavior, and then respond as quickly as possible.
In a survey that I’ve monitored, more than 85% of organizations surveyed admitted to some type of cyberattack in the last 12 months. In a different survey that Honeywell commissioned, half admitted that cyberattacks had suspended their operations.
PS: What kinds of tips or advice would you have regarding cyber preparedness for our maintenance and reliability audience?
DT: We’re becoming more and more dependent upon control systems and technology to function and succeed. At some point in time, there was a justification or an ROI that was made to invest in that technology in the first place. But what if it was down for cybersecurity reasons, somebody hacked in, or ransomware, or denial of service, and it was out not just hours, but potentially days? I’m not talking about plant downtime or process downtime, but the total denial of your digital systems. The networks, the computers, the firewalls, and the data on them. Do you have workarounds and recovery plans?
Cybersecurity is one of the few domains capable of having this kind of impact if it’s not addressed. It’s a mindset that you must carry through the entire life cycle of the control system, from its initial selection through to design, configuration, commissioning, and maintenance. Chances are, the control systems we have now are legacy technology. They were built or designed 10 or 20 years ago, so cybersecurity wasn’t baked into them from the beginning.
We’re working to mitigate that now, and the key takeaway is to leverage every opportunity from daily checklists: When you’re doing maintenance on the system, or procedures, leverage unplanned outages, as well as scheduled turnarounds to improve cybersecurity.