The Internet of Things (IoT) and interconnectedness of production systems in smart factories have increased the risk of serious security breaches in factories, power stations, ships, and ports. The Operational Technology Cyber Security Alliance (OTCSA) with its 12 founding members aims to change that together because no company can fight this battle in isolation. Satish Gannu, Chief Security Officer and Senior Vice President of Architecture and Analytics, ABB Ability™, and Mark Milford, VP Cyber Security at Wärtsilä, discuss how OTCSA works to bridge dangerous gaps in security for operational technology and industrial control systems.
Mark Milford: OTCSA came about because of a new mindset. We were a collection of like-minded groups and individuals who believed that no single organisation can meet the challenges of the IoT space today, and the only way to do that is through collaboration.
Satish Gannu: When we spoke to our customers at ABB, we realised that their maturity on cybersecurity was low compared to the IT side of the house. The reason for that was because Operational Technology (OT) does not spend time on security like IT and it doesn’t get the same budget. Historically, attacks on OT have been insignificant, but recently we have seen direct attacks on OT, like the Ukraine blackouts of 2015 and 2016 and Trisis/Triton on the Saudi petrochemical plant. Such attacks can have a huge impact ranging from ecological damage to loss of life.
We realised it was very important that we work with low maturity companies to help them reduce their risk, but we couldn’t do it alone. Cybersecurity is like the old African proverb that says, 'It takes a village to raise a child.' It takes many security product and services companies to get cybersecurity right.
From day one, the idea has been to not just launch something, but to create an architectural blueprint that customers can directly take, apply and reduce their risk while meeting global standards and compliance. It's a very lofty goal, and we're working towards it.
Gannu: There have been breaches to operational technologies in the past. For example, WannaCry and NotPetya in the case of Maersk. NotPetya had a USD 300 million impact on Maersk's profits. Some attacks are accidental while others are targeted ones like Ukraine and Saudi Arabia. It could be power, water, manufacturing, or any other industry that could be at risk. The impact could be huge and damaging.
Milford: What's happening now is that informational technology and operational technology are converging. There are new systems and new technologies out there that are being referred to as the Industrial Internet of Things (IIoT). This is a new phenomenon, because the amount of connectivity between different technologies is increasing rapidly.
If you talk about a worst-case scenario, it could be everything from loss of life, deliberate malfunction of a system within a factory right to just minor loss of data. Either way, it's an absolute nightmare for business continuity if you are not able to respond to that sort of an incident very quickly. That is where the OTCSA enables us. It gives us the ability to respond to such incidents much more quickly than we would have done before.
Milford: This is a complete change in mindset, and it's a very, very good thing. A single company can’t address all the challenges there are at the moment. While it sounds strange, what we are basically doing is relying on each other’s experience within the cybersecurity sphere to make sure we come out with a holistic solution rather than an individualistic solution for one particular company. You tend to see now that all the competitors are interconnected at some point, especially when it comes to the maritime industry. It makes sense that there is no gap in terms of business competition because these systems have to operate side by side.
Gannu: I have heard that when it comes to cybersecurity, the bad guys do a lot of sharing among themselves so why not the good guys? In fact, most of the deployments that we have seen have multi-vendor equipment, so we would love to have more of our competitors join this alliance. At the end of the day, we are looking at the customers' benefit. If we reduce the risk for the customer, it helps everyone in the ecosystem.
Milford: At the customer level, you can get a much more holistic view of how operational technology has networked with information technology in the IIoT space. The customer gets a much better, more integrated product, and we are much more aware of the threats and vulnerabilities in terms of what that network really offers.
For the small customers, we are providing robust guidelines through our alliance so that the integration of these products is done correctly and to the best of our ability. The customers are getting a much better product that sits within the network and has much more robust outward-facing capabilities towards threats.
Gannu: Basically, we have three types of OT operators as a part of our alliance: a mature group that understands or has dealt with cybersecurity, a group which has done some work with cybersecurity but wants to know more, and a group that has not spent any money or time on cybersecurity. When we started, we wanted to work with people in the mature group who can work with our IT security partners, since our IT security partners have invested a lot of time and money in cyber research. That combination helps us figure out what is required for the other two categories of customers.
Even in OT, we talk of IT-OT integration. One of the things we have seen historically is that OT gets vulnerable because of integration with IT. That's not because they do anything wrong but there's always been tension because OT does not trust IT and vice versa. Our focus is on the IT-OT integration, which we have identified as one of the weakest links.
Gannu: Cybersecurity is always evolving, and attackers constantly want to be one step ahead of you in terms of how they can exploit and take advantage of you. Each attack has a different motivation. The cybersecurity landscape will keep morphing.
We see risk of a cyberwar because of political scenarios in the geopolitical space. A lot of governments are taking the protection of critical infrastructure like power and water as a very serious matter.
Milford: People are going to accept newer technologies, and with that comes additional risk. Collaboration is a very good way of sharing that risk across several stakeholders within different lines. The two go hand-in-hand. The future for technology is bright. It will lead to efficiencies, cost reductions etc. But at the same time, we have to make sure that we make those products as secure as we possibly can. Collaborations like the OTCSA go a long way in ensuring a more stable, resilient world.
The founding members in the OTCSA are ABB, Check Point Software, BlackBerry Cylance, Forescout, Fortinet, Microsoft, Mocana, NCC Group, Qualys, SCADAFence, Splunk and Wärtsilä.
To learn more about the OTCSA or how to become a member, visit: www.otcsalliance.org.
The OTCSA mission:
• Strengthen cyber-physical risk posture of OT environments and interfaces for OT/IT interconnectivity
• Guide OT operators on how to protect their OT infrastructure based on a risk management process and reference architectures/designs which are demonstrably compliant with regulations and international standards such as IEC 62443
• Guide OT suppliers on secure OT system architectures, relevant interfaces and security functionalities
• Support the procurement, development, installation, operation, maintenance, and implementation of a safer, more secure critical infrastructure
• Accelerate the time to adoption of safer, more secure critical infrastructures