Eddie Habibi, founder and CEO of PAS Global, is considered a pioneer and thought leader in the fields of industrial control systems (ICS) cybersecurity, Industrial IoT, data analytics and operations management. He talks to Intelligent CISO here about why IT and OT security must come together to ensure industrial facilities remain secure, using best practice guidance from Christophe Rey-herme, CISO for industrial control systems at Total Marketing and Services.
Digitalization and Industrie 4.0 initiatives require tight integration between the complex, heterogeneous and highly complex Industrial Control Systems (ICS) and the enterprise IT. However, the very components that enable digitalisation – sensors, connectivity and smart applications – also increase risk. Digitalisation enhances efficiency, improves safety and optimises production but it also creates more opportunities for bad actors to penetrate operational technology (OT) environments and to wreak havoc.
To secure industrial facilities and ensure safe, reliable production, OT and IT security – traditionally two separate disciplines with different priorities – must come together to share cybersecurity and risk management best practices.
We recently reached out to a panel of industry experts focused on OT cybersecurity risk mitigation and asked them to share their strategies for making industrial control systems more secure. The first-hand experience collected comes from experts across a diverse range of industries, including oil and gas, chemicals, refining, and power generation. Their essays illustrate the importance of understanding similarities and differences between IT and OT environments.
In this article, we share an excerpt of the eBook, Advice for CISOs: How to Approach OT Cybersecurity.
Despite the ‘CISO’ reference in the title, the information presented is useful for anyone involved in helping protect OT environments.
Security awareness is key to ICS cybersecurity
As chief information security officer (CISO) for industrial control systems at Total Marketing and Services, Christophe Rey-herme is in charge of industry and cybersecurity for roughly 300 plants around the globe.
A major part of his responsibilities is to increase his colleagues’ security awareness and then to assist them in improving security for the business as a whole. When considering high-level ICS security priorities, he recommends that security professionals keep these three tips in mind:
- Make everyone aware of the importance of cybersecurity to themselves and the plant. Rey-herme and his team have pursued a variety of strategies for raising security awareness among their colleagues, including making training videos as well as hacking and cybersecurity demonstrations that show their colleagues how easy it is to gain control over a system when it’s not secure. “When people see the risk and what can happen if they don’t secure the system, they become interested in the subject. Then, they begin to look for solutions for improvement,” he says. “Once I have a partner at the plant who is interested in improving our solutions, that’s a key point enabling me to move forward. I have too many plants to do everything on my own. I absolutely need to have at least one or two people in each plant in charge of cybersecurity who are really aware of the risk. I get that through various awareness campaigns.”
- Cybersecurity has to be a business enabler. This includes helping to acquire and deploy solutions that plant operators want and consider realistic for their real-world environments. When he first started working at Total Marketing and Services, Rey-herme noticed that the cybersecurity team tended to focus mostly on whether the company’s plants were complying with the rules. “Now, we show the plants not only why and where they are not compliant, but we also provide a technical solution that ensures the business needs while complying with our cybersecurity rules,” he says. To streamline the process going forward, Rey-herme and his team have built a catalogue of solutions that can assist plants in fulfilling both objectives.
- Collaborate with enterprise IT security people when determining risk exposure, especially in areas where there are connections between the plant and enterprise networks. “Part of our risk is coming from the connection of some of our plants to the enterprise network,” he says.
This presents a challenge because OT engineers are often unaware of the risk such connections pose to ICS systems and IT people are often unaware of the connections, or they do not know how to evaluate the risks those connections create, or both. Rey-herme finds it valuable to collaborate closely with his colleagues in the enterprise IT security team so that they can effectively address both sides of the equation.
Ensuring adequate security is challenging in a plant environment, since OT tends to focus first and foremost on safety and operational continuity. As a result, OT engineers need to see security as a threat to operational continuity in order to take it seriously.
This is why Rey-herme considers security awareness a top priority, as it enables the business to come together more effectively in support of a unified strategy. By raising awareness, communicating the importance of compliance and collaborating with enterprise IT colleagues, he believes security organisations can go a long way toward achieving improved security.