The tide of IT cybersecurity and networking professionals assuming responsibility for the protection of operational technology (OT) and cyber-physical systems is rising unabated. On a daily basis, enterprises are realizing the significance of protecting these systems that impact the physical world, whether it’s a robot on an assembly line or a building management system handling refrigeration inside a hospital.
As a result, new paradigms are being introduced to talented computing professionals who just aren’t accustomed to the nuances of OT cybersecurity, such as thinking about safety over confidentiality, or defending engineering workstations over web-facing applications and databases.
OT cybersecurity advocates and specialists such as Mike Holcomb are well suited to lay down a foundation for starting and succeeding in this unique cybersecurity discipline. On the latest episode of the Nexus Podcast, Holcomb explains what those fundamentals are, and how engrained processes in the IT world such as vulnerability management take on a distinctly different flavor in the OT world.
“If you're coming from the IT world, you really need to nail the cybersecurity fundamentals at a minimum before you want to make a shift into OT,” Holcomb said. “And then you also have folks like engineers and other people already in OT doing automation, PLC technicians, or the folks that are running plants that some get that kind of that bug to also learn about cybersecurity and how it applies into control system environments.”
Holcomb, global lead for ICS and OT cybersecurity at global engineering and construction solution provider Fluor, discusses his advocacy and efforts to educate engineers and IT cybersecurity professionals in the nuances of protecting operational technology and industrial control systems. He also produces and hosts a learning series available for free on YouTube called "Getting Started in ICS/OT Cyber Security" where he explains the fundamentals of OT cybersecurity.
“I just remember when I started asking those questions [about cybersecurity], and I couldn't find people to have those conversations with. And this is before SANS had their training and others out there as well. I started to realize that folks doing operations and maintenance work in these facilities, it's not that they didn't necessarily want to have the conversation, they just weren't doing anything for cybersecurity.”
Things have definitely changed—and sped up—in the past 10-15 years. Engineers, asset operators, and others are asking pointed questions about protecting these systems while understanding that IT practices like patching don’t necessarily translate directly into OT.
“You can just patch these systems and reboot them and everything will be secure. That’s not how it works because you are going to get somebody hurt,” he said. “You're gonna bring the plant down at the very minimum. And so I think that's still very, very typical for IT people today.”
Patch management inside a factory or industrial environment, for example, requires extensive knowledge exchanges between cybersecurity teams, engineers, and asset operators to understand dependencies between systems and the consequences of downtime, and to impress upon some that the concept of Patch Tuesday is not viable in OT.
“In OT if you have a patch, you have to sit down, you have to work with the engineers and the folks that run the plant to understand: ‘Do we even need to patch this asset? We might not even need to.’ So in OT, we take this now-and-never-next approach. Is this something that could affect safety or availability and we have to take action? … More often in the OT world, we see that this vulnerability is so buried into the environment or there's very little that an attacker could do with it, or we have all these compensating controls to reduce risk.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.