Jennifer Minella, founder and principal advisor of Viszen Security, has spent the majority of her career as a network security architecture specialist, largely advising and handling implementations for critical infrastructure organizations.
“Most of my career, I worked on the networking side up to that IT/OT border,” Minella explained on the Nexus podcast. “This is a population I’m familiar with and comfortable with that has a need. …What we need to be doing for those systems, how we need to be managing, monitoring, and securing them is fundamentally different. There are some concepts that will translate [from IT], but what we do operationally; the tools we use and how we use them differs a lot from IT to OT.”
As more security leaders and practitioners are being charged with securing OT systems, they’re quickly learning this as well, with the most striking thing being how some fundamental IT security approaches, products, and solutions just don’t fit.
“We have to tackle it differently, and I think that’s a problem we all solve together,” Minella said. “That’s a problem we all solve together.”
Minella said she’s also a proponent of zero-trust architecture; figuring out its application within OT has been a project she’s tackled through the zero trust working group at the Cloud Security Alliance, a non-profit that promotes best practices and education around secure cloud computing implementations.
“We were able to take the five-step road map for zero trust that the CSA had standardized and pull in the OT-specific pieces from other models because why re-invent the wheel,” she said. “We take the reference architectures [ISA 62443 and ISA99], and the risk evaluations and assessments and the tooling that’s already there for OT, and we pull that into that five-step model and explain what it means to inventory in OT… it’s very tuned for OT.”
During the recent RSA Conference, Minella and offensive security specialist Bryson Bort gave a presentation on approaches for securing converged environments from these divergent perspectives. Part of their aim, Minella said, was to help IT specialists who have OT now rolled up under their responsibilities and must now reset expectations about their relationships with engineers and asset operators. She estimated that 95% of the attendees were from the IT side of the house.
“You can’t start to teach advanced defensive tactics until you get the cultural side worked out and you build those relationships to figure out who needs to be involved in the conversation, why, and who needs to be involved from IT,” she said.
“We have to teach our IT and infosec teams coming from the enterprise IT side that our goals and objectives in OT are completely different,” Minella said. “In IT we value agility and speed and we’re patching constantly. On the OT side, we just need stability. We need resilience, stability, availability; we just need the thing to work. So the culture of that is very different.”
The cultural foundations must be established and understood well before pen is put to paper to iron out policies, for example, she said.
“Technical control policies, like in IT if somebody puts in their password three times and they get locked out, that’s standard,” Minella said. “You don’t want to lock an operator out of an HMI on an OT floor. That’s not appropriate.
“It’s hard to start writing policy that’s appropriate for your organization until you understand a little of the technical and operational aspects of how that system works,” Minella said.
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.
