Bad actors might always desire illicit monetary gains through breaches, but when the cybersecurity of the supply chain and other essential resources gets compromised, the damage might be measured in more than dollars. As more industrial and infrastructure assets become connected, organizations must prepare for more than hackers armed with ransomware just out to make a buck.
Last week, Honeywell Connected Enterprise held a small gathering in New York to discuss its Honeywell Forge industrial connected software solution that offers insights on asset performance and the supply chain as well as provides cybersecurity among other things. After the presentation, CTO Jason Urso spoke with InformationWeek about presumptions being made about firewalls and air gaps, defending against different attack types, and potential benefits AI might offer to cybersecurity.
With so many assets potentially being connected through one platform, what approach do you take to stop bad actors who might see an opportunity to go after those assets? Is there a sense that this becomes a target? A central fortification against such cyberattacks?
The first way that we think about these control systems and the environments that they run is defense in depth. That sounds like a platitude, but it really is, first of all, saying, “What fundamental things do we need to have in place?” You’re going to have network architecture that keeps things secure yet allows for connectivity to happen. You need to have certain firewalls and firewall rules that are in place in order to narrow the attack surface. You’ve got to have antivirus. You’ve got to have patching. You’ve got to have all of these foundational things that need to be in place just to have a basic level of cybersecurity hygiene.
Everything we do in the control system space, whether it be industrials or buildings, is built on that foundation of defense in depth. If one layer is penetrated, there are others in place that can protect you.
As we add technologies, it’s to help people understand what are the vulnerabilities that they have that they just aren’t aware of. They think they’ve got a defense in depth method in place but maybe not all the patches got deployed because of some issue. Maybe the antivirus didn’t work right. Maybe a firewall on a particular node failed.
We’re trying to augment that basic level of security with something that provides very detailed insight into, “Here’s your problem and here’s the medicine to go and fix your problem.”
In an OT (operational technology) space, people want to be driven by action. They’re not experts and they want to understand very succinctly, “Where are my risks, based on my company’s compliance guidelines for assuring all these defensive methods are in place? Show me how well I’m performing against that and if I’m not, tell me what I need to do.”
That’s where we start to see this cybersecurity application fitting.
We need to be thoughtful as we’re delivering cloud SaaS software. How do we safely and securely connect to the customer’s environment so we can fulfill our mission?
Our cloud software has to understand and appreciate that there are all these layers in place and that there are very rigorous security methods that are needed in order for cloud-to-edge connectivity to occur.
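The posture check Urso describes, “here’s your problem and here’s the medicine,” can be illustrated with a small script. This is an added example, not Honeywell Forge code: it runs a constructed compliance baseline (required patches, maximum antivirus signature age, per-zone allowed inbound ports) over a constructed inventory of OT nodes and reports, per node, which defense-in-depth control has silently failed and what to do about it. Node names, zones, patch identifiers and dates are all made up for illustration.

```python
"""Defense-in-depth posture check over a constructed OT node inventory.

Added example (not Honeywell's code). Each node record is compared with a
compliance baseline; every control that has drifted produces a finding of
the form (control, problem, remediation). All data here is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

Finding = Tuple[str, str, str]  # (control, problem, remediation)


@dataclass
class Node:
    name: str
    zone: str                         # constructed zone label, e.g. "level2-control"
    installed_patches: Set[str]
    av_signature_date: Optional[date]  # None means the AV agent is not reporting
    firewall_enabled: bool
    inbound_ports: Set[int]           # ports the host firewall currently allows in


@dataclass
class Baseline:
    required_patches: Set[str]
    max_signature_age_days: int
    allowed_inbound_ports: Dict[str, Set[int]]  # zone -> permitted inbound ports


def evaluate_node(node: Node, baseline: Baseline, today: date) -> List[Finding]:
    """Return one finding per failed control; an empty list means compliant."""
    findings: List[Finding] = []

    missing = baseline.required_patches - node.installed_patches
    if missing:
        findings.append(("patching", f"missing patches: {sorted(missing)}",
                         "deploy the listed patches in the next maintenance window"))

    if node.av_signature_date is None:
        findings.append(("antivirus", "agent not reporting",
                         "restart or reinstall the AV agent and confirm it checks in"))
    elif (today - node.av_signature_date).days > baseline.max_signature_age_days:
        age = (today - node.av_signature_date).days
        findings.append(("antivirus", f"signatures are {age} days old",
                         "restore the signature update path (proxy/allow-list) and force an update"))

    if not node.firewall_enabled:
        findings.append(("firewall", "host firewall disabled",
                         "re-enable the host firewall and reapply the zone rule set"))
    else:
        extra = node.inbound_ports - baseline.allowed_inbound_ports.get(node.zone, set())
        if extra:
            findings.append(("firewall", f"inbound ports open beyond zone policy: {sorted(extra)}",
                             "remove the extra inbound rules"))
    return findings


def posture_report(nodes: List[Node], baseline: Baseline, today: date) -> Dict[str, List[Finding]]:
    return {n.name: evaluate_node(n, baseline, today) for n in nodes}


def compliant_fraction(report: Dict[str, List[Finding]]) -> float:
    """Share of nodes with no findings; the 'how well am I performing' number."""
    return sum(1 for f in report.values() if not f) / len(report)


# --- constructed sample data -------------------------------------------------
TODAY = date(2023, 6, 1)
BASELINE = Baseline(
    required_patches={"PATCH-A", "PATCH-B"},
    max_signature_age_days=7,
    allowed_inbound_ports={"level2-control": {502}, "dmz": {443}},
)
NODES = [
    Node("hmi-01", "level2-control", {"PATCH-A", "PATCH-B"}, date(2023, 5, 30), True, {502}),
    Node("hmi-02", "level2-control", {"PATCH-A"}, date(2023, 5, 1), True, {502, 3389}),
    Node("hist-01", "dmz", {"PATCH-A", "PATCH-B"}, None, False, set()),
]
SAMPLE_REPORT = posture_report(NODES, BASELINE, TODAY)

if __name__ == "__main__":
    for name, findings in SAMPLE_REPORT.items():
        print(name, "OK" if not findings else "")
        for control, problem, fix in findings:
            print(f"  [{control}] {problem} -> {fix}")
    print(f"compliant: {compliant_fraction(SAMPLE_REPORT):.0%}")
```

The point of the structure is that each finding carries its own remediation, so the output reads as an action list rather than a raw list of deviations. In the constructed inventory only hmi-01 passes; hmi-02 has three drifted controls and hist-01 has an AV agent that is not checking in plus a disabled firewall.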
Are there dynamic differences in cyber defense and threat detection when you have obvious attacks such as ransomware versus long-term infiltrations like what happened with SolarWinds?
The approaches that we use are very similar -- they’re not targeted toward malware types, but we have to recognize that there are those different types. The identification, remediation, and recovery are actually quite different. In the ransomware instance, you’re trying to isolate it immediately to prevent it from spreading and then dealing with a very quick recovery. In other cases where maybe the motivation might be different, it’s understanding how do you eradicate what is there, which might not be affecting operations right now but there is this looming threat that exists.
We think about the malware types more in terms of how do you recover from it, but how do you defend against it -- the approaches are really quite similar.
With the do-it-yourself IT types at organizations who think they have everything in order, what essential security questions are they not asking? What are they overlooking that poses a threat?
The biggest issue is the assumption that OT is segregated from IT and therefore it must be safe “because I put a firewall in place.”
The fact of the matter is, we’re more connected than we ever have been before, so the OT information is flowing up into the IT area. We’re partially segregated but not completely.
The second area is people are doing work in the IT space and need to bring that work down into the OT space. So, if you’re changing controls on how the plant is running, somebody might do that on a desktop and need that to get into the OT environment. You could have all the segregation, in fact, you could be completely air-gapped, but when the person carries the memory stick from their desk and plugs it into the system, they’ve diligently carried that malware and put it right into the OT network.
We have to get over the fact that [segregation] provides a barrier, it’s one of the levels of defense in depth, but it is insufficient now given the desire to have more connectivity and interaction. That is what we need to combat in the OT environment.
There needs to be five or six or seven other barriers.
There is a lot of speculation on what generative AI might do on attack and defense in cybersecurity. Is this a key concern at the moment, or is it still a potential concern for the future?
With generative AI, there’ll be a desire to crawl through data from all different sources and try to interpret it, so that means we’re going to have even more connectivity than we had before. All of those isolated pockets of information will be consolidated for the purpose of doing analysis and providing results from that analysis using tools like generative AI.
That creates a threat. But also, AI plays a role in detecting those threats. So being able to do pattern matching and understanding that something different is happening in this environment than it normally does. Using AI as a mechanism of identifying those threats sooner than we would otherwise with maybe some pre-prescribed rules that were in place -- now we can detect differences in behavior. That gives us an advantage in identifying threats.
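The contrast Urso draws, pre-prescribed rules versus detecting that “something different is happening in this environment than it normally does,” can be shown concretely without any machine-learning library. The following is an added example, not Honeywell code: it parses constructed OT flow records, applies a static port block rule, and separately learns a who-talks-to-whom baseline with per-peer byte statistics from a training window, then flags flows in an evaluation window that the baseline has never seen or whose volume deviates from it. Host names, ports and byte counts are constructed; the blocked-port list is a constructed stand-in for a site’s own rules.

```python
"""Static rule versus learned baseline over constructed OT flow records.

Added example (not Honeywell's code). The rule catches only the ports it
was written for; the baseline flags new sources, new peer pairs and volume
outliers, including traffic the rule would have allowed. Constructed data.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed flow log format: "timestamp src dst dport bytes"
TRAINING_LOG = """
2023-05-01T08:00:00 hmi-01 plc-01 502 180
2023-05-01T08:01:00 hmi-01 plc-01 502 200
2023-05-01T08:02:00 hmi-01 plc-01 502 220
2023-05-01T08:03:00 hmi-01 plc-01 502 190
2023-05-01T08:04:00 hmi-01 plc-01 502 210
2023-05-01T08:00:30 hmi-01 hist-01 443 500
2023-05-01T08:01:30 hmi-01 hist-01 443 520
2023-05-01T08:02:30 hmi-01 hist-01 443 480
2023-05-01T08:03:30 hmi-01 hist-01 443 510
2023-05-01T08:04:30 hmi-01 hist-01 443 490
2023-05-01T09:00:00 eng-ws plc-01 502 300
2023-05-01T09:05:00 eng-ws plc-01 502 300
"""

EVAL_LOG = """
2023-05-02T08:00:00 hmi-01 plc-01 502 205
2023-05-02T08:00:10 hmi-01 plc-02 502 200
2023-05-02T08:00:20 hmi-01 hist-01 443 5000
2023-05-02T08:00:30 eng-ws hist-01 3389 300
2023-05-02T08:00:40 vendor-lt plc-01 502 200
"""

Flow = Dict[str, object]
PeerKey = Tuple[str, str, int]  # (src, dst, dport)

BLOCKED_PORTS = {23, 3389}  # constructed static rule: Telnet and RDP inbound


def parse(log: str) -> List[Flow]:
    flows = []
    for line in log.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows


def rule_alerts(flows: List[Flow]) -> List[Flow]:
    """Pre-prescribed rule: alert only on a fixed list of ports."""
    return [f for f in flows if f["dport"] in BLOCKED_PORTS]


def learn_baseline(flows: List[Flow]) -> Dict[PeerKey, Tuple[float, float]]:
    """Per (src, dst, dport) peer pair: mean and population std of bytes per flow."""
    sizes: Dict[PeerKey, List[int]] = defaultdict(list)
    for f in flows:
        sizes[(f["src"], f["dst"], f["dport"])].append(f["bytes"])
    baseline = {}
    for key, vals in sizes.items():
        mean = sum(vals) / len(vals)
        std = (sum((v - mean) ** 2 for v in vals) / len(vals)) ** 0.5
        baseline[key] = (mean, std)
    return baseline


def baseline_alerts(flows: List[Flow], baseline: Dict[PeerKey, Tuple[float, float]],
                    z_threshold: float = 3.0) -> List[Tuple[str, Flow]]:
    """Flag what the training window never showed: new sources, new peer pairs, volume outliers."""
    known_sources = {key[0] for key in baseline}
    alerts = []
    for f in flows:
        key = (f["src"], f["dst"], f["dport"])
        if f["src"] not in known_sources:
            alerts.append(("new_source", f))
        elif key not in baseline:
            alerts.append(("new_peer", f))
        else:
            mean, std = baseline[key]
            # A constant-size peer (std == 0) cannot be z-scored; skip rather than divide by zero
            if std > 0 and abs(f["bytes"] - mean) / std > z_threshold:
                alerts.append(("volume", f))
    return alerts


BASELINE = learn_baseline(parse(TRAINING_LOG))
RULE_HITS = rule_alerts(parse(EVAL_LOG))
BASELINE_HITS = baseline_alerts(parse(EVAL_LOG), BASELINE)

if __name__ == "__main__":
    print("static rule caught:", [(f["src"], f["dst"], f["dport"]) for f in RULE_HITS])
    for kind, f in BASELINE_HITS:
        print(f"baseline {kind:<11} {f['src']} -> {f['dst']}:{f['dport']} ({f['bytes']} bytes)")
```

On the constructed evaluation window the static rule fires once, on the RDP flow. The baseline fires on that same flow (a peer pair it never saw) and on three others the rule is silent about: an HMI reaching a second PLC over Modbus, a tenfold jump in bytes to the historian, and a source that never appeared in training. The caveat a practitioner will recognise is that the baseline is only as clean as its training window; if the training data already contained the misbehaviour, it is learned as normal, so the window must be taken from a period you have other reasons to trust.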