Proof of Concept: Key Steps for Improving OT Security
Rockwell Automation Report Finds Gaps in OT Patch Management, Threat Detection
In the latest "Proof of Concept," Nicole Darden Ford, vice president of global security and CISO of Rockwell Automation, joins editors at Information Security Media Group to discuss findings from Rockwell Automation's new research report on cybersecurity preparedness in critical infrastructure.
The report, which includes a survey of 122 senior industrial security leaders with roles ranging from CISO to plant engineers and business managers, explores how operational technology organizations are challenged with a growing number of gaps in OT security, the state of critical infrastructure cybersecurity, and insights into preparedness and best practices.
In this video with Information Technology Media Group, Darden Ford joins Anna Delaney, director, productions, and Tom Field, senior vice president, editorial, to discuss:
- Highlights from Rockwell Automation's new OT security report;
- Why many companies struggle to maintain effective patch management practices;
- Recommendations for critical infrastructure organizations on ways to reduce their exposure to cyberattacks.
Darden Ford, who leads information security at Rockwell Automation, previously served as global vice president and CISO at Carrier, where she oversaw global information security, compliance and product (IoT) cybersecurity through the company’s spinoff from parent company United Technologies Corporation. Prior to that, she served as global vice president and CISO for Baxter International where she was responsible for global information security, information governance and IT quality compliance. Darden Ford began her career in the U.S. military and federal government, supporting the Joint Chiefs of Staff, security management, network engineering and telecommunications.
Anna Delaney: Hello, and welcome to Proof of Concept, the ISMG talk show where we discuss today's and tomorrow's cybersecurity challenges with experts in the field, and how we can potentially solve them. We are your hosts. I'm Anna Delaney, director of productions here at ISMG.
Tom Field: I'm Tom Field. I'm senior vice president of editorial at Information Security Media Group. And Anna, it's been a while. Very good to see you.
Delaney: So good to see you. Tom, how have you been?
Field: I'm well. We've both been busy traveling and paying attention to different events, summits and roundtables. But I wonder, have you been paying attention on LinkedIn to all the different notifications? And when we hear about the great resignation, all I ever see when I go on LinkedIn now is virtual confetti and balloons as people are starting new roles.
Delaney: Yes, I have been using the like button and the congratulations button a lot as of late, and you're right. Is this symptomatic of post COVID times or are there just many more jobs in the market?
Field: I think there are terrific opportunities. And one thing that we've certainly talked about plenty of times on this show is that the concerns that we're all dealing with in cybersecurity aren't going away. They're growing. And so, the need for cybersecurity leadership isn't going to diminish. In fact, those opportunities are growing. Oddly enough, that ties into our conversation today.
Delaney: Indeed, we have a leader join us as our special guest. Why don't you introduce her, Tom?
Field: Well, she's had a lot of confetti and a lot of balloons on LinkedIn. You may have known her as the CISO of Baxter International. You and I met her when she was the CISO with Carrier and she is now the CISO with Rockwell Automation. Please welcome our friend, Nicole Darden Ford.
Nicole Darden Ford: Hi, how are you guys doing? Nice to see you again.
Field: Doing very well. It's good to see you. Nicole, how are you finding your new role so far? It's been four to six months.
Ford: It's been six months. And it's been awesome, great ride, learning so much, meeting with clients and customers about their OT challenges and just getting to know this industry.
Delaney: And I know it's early days, Nicole, but what are you hoping to achieve for Rockwell and the wider OT community?
Ford: Well, I'm hoping to get the word out and amplify the messaging of the importance of cybersecurity in the OT space. I think it's important that we continue to send the best message possible to our customers about things that they can do to protect their OT environments.
Field: Great topic. I'm glad you brought it up. I'm sorry, I didn't want to cut you off.
Delaney: No, I was going to say you have a report out, and Tom take it away.
Field: Indeed. Interested in the 2022 critical infrastructure research report. We'd love to discuss some of the highlights. So if I can, you've had a chance to review the material. What surprised you most in the research that was conducted?
Ford: What surprised me most in the research was that I read that 73% of the surveyed critical infrastructure organizations said they experienced cyber breaches. What a large number! It tells us that we should be paying close attention to our preparedness, so that we can effectively mitigate threats before they ever become breaches.
Field: So, devil's advocate. Are all breaches preventable?
Ford: No, but a large number are preventable. About 80% of breaches use entry points that are already known and can be solved for. The tools and processes already exist. Let's take patching, for example. Research shows that 66% don't have an effective OT patching strategy in place. Like we saw with the Coronavirus, the longer a virus, or an exploit in this case, is out there, the more it evolves. And we don't want to allow cyber attackers to have access, easy access and time to get better at exploiting gaps. We need to stop them before they inflict greater harm and damage in OT spaces.
Delaney: So, Nicole, you mentioned the lack of OT patching. Why do you think companies hesitate on more obvious protections just like OT patching?
Ford: It's hard to do. It's not like on the IT side, where you're taking a server down. Quickly, you're patching it and you're rebooting it in a couple of minutes and you're back up and running. You're taking production offline, which is a high cost for most organizations. I mean, think about it. When you take down a production line, they're no longer able to produce product. So that's a big concern. Sometimes it's a budgeting problem. In that case, business leaders don't have an accurate picture of their risk or probable costs. And we see cyber insurance companies will make that clear as soon as their rates rise due to a lack of security protections. Also, many legacy PLCs and production assets can't be directly configured using modern cybersecurity tooling. There are ways to solve this. And here at Rockwell, we do it all the time. It may involve upgrading some equipment. It could involve virtualization, which we've set up for several clients. The key message is that it's possible, it can be done, and it has to be done.
Delaney: Moving to another cybersecurity preparedness factor, performing network asset inventories. Now, 45% said this step is happening quarterly or less often. So what should be happening instead, Nicole?
Ford: It depends on the industry. In most cases, we recommend no less than quarterly, right? That means that if we can get organizations to consistently inventory quarterly, and sometimes they can go biweekly, which makes the most sense for the organization. In fact, many of our clients are moving to real-time asset inventory. We can automate this process, so it's generally painless for organizations, and this is what we recommend.
Field: Nicole, shifting gears a little bit. I want to talk about hardening networks. Now, when we talk about that, often that means segmentation, firewalls, a demilitarized zone set up to stop breaches from moving from IT to OT or vice versa. Yeah, in this survey, only about half - 50% - say that they have either segmentation or the DMZ in place today. Talk about what's at risk here.
Ford: The risk is lateral movement, where a breach can move from IT to OT or vice versa, or from low-value network assets to high-value network assets. The more attackers can penetrate your infrastructure, the greater damage and downtime they can cause. Segmentation in DMZ or demilitarized zones provide an air gap between IT and OT. And additional segmentation can further protect business critical assets with strong access controls, firewalls and policy roles based on zero trust.
Field: So, Nicole, another topic, the ongoing march of IoT in industrial operations. What are your thoughts on this? 45% of the surveyed companies do not monitor and control endpoints in real time. I might argue they don't know where their endpoints are in real time, but I go off topic.
Ford: Yes, that means a good number of devices connected to OT systems aren't configured properly or contain security flaws. You may get lucky, but in most cases, it's only a matter of time before threat actors go after these unsecured and unmonitored endpoints in cyber attacks.
Delaney: So, Nicole, let's talk about critical infrastructure overall, with recent attacks on Colonial Pipeline, JBS and Oldsmar water. Do you believe organizations understand the risks? And are you seeing a growing sense of urgency to act?
Ford: We see all levels of response. Nothing serious will happen to others who have an immediate interest in rolling out full scale deep protections across multiple sites worldwide. I'm encouraged that many responses in our research report stated that several measures were in progress or planned. So, attention and action is taking shape. In my opinion, we cannot move fast enough. The task is with every industrial CISO and COO, head of plant, engineering or operations and also with business leadership and boards, as risk of downtime and liability increase exponentially, to fundamentally shift thinking toward deploying modern cybersecurity protections as quickly as possible. So it is absolutely imperative. Many costs of breach go unrecorded, and is way beyond downtime, damage and/or ransoms. It now includes risk of litigation, high cybersecurity costs such as cyber insurance increases, reputational harm, supply chain problems and worker and public safety and so much more. I tell customers, "You either pay now or you'll pay later. If you pay later, the costs and damages will be much greater."
Delaney: So, what can industrials do to get the ball rolling and how do you typically get started in a cybersecurity engagement at Rockwell Automation?
Ford: Well, we always start with an assessment of risk and vulnerability. That way we work with facts and can quickly pinpoint what's needed and how to prioritize time and investment. We also, at Rockwell, have a 24/7 OT SOC and an army of trained OT cybersecurity professionals who are experts in industrial operations. We know what's important for preserving industrial uptime. For those who want to contact us for a consultation or assessment, please visit our website at rockwellautomation.com.
Field: Well said, Nicole. We're going to transition from talking about the survey now and talk about even more important things. First of all, with this new role, did it come with a relocation for you as well?
Ford: I am still in sunny Florida. Loving the sun and the fun, but I quite often find myself in Milwaukee, Wisconsin, which is an amazing food capital. Love the food.
Field: Is there a direct route?
Ford: There is not a direct route. I go through Chicago to Milwaukee.
Field: Okay, this begs my next question. I hesitated to ask because I'm afraid what the answer might be. I'm going to ask how you spent your summer. Did you spend your summer just traveling between Florida and Chicago and Milwaukee?
Ford: I did. Again, the work that we do, specifically at Rockwell, never ends. And again, making sure that our customers are safe and secure is my primary concern. So yes, I spent most of my summer going from Florida to Chicago to Milwaukee.
Field: And I assume that other travel is back as well. Anna and I we have both been hosting events around the US over the course of the past season. Anna has taken some vacation in Europe. But I've had the opportunity to see, I think, everybody's real hot streak in the US over the past month and a half. How about you? Much business travel?
Ford: It's just heating up. And it's been so great to see my colleagues in cybersecurity and frankly, in technology, through some of my travels, so I had been all over and it's just going to continue to increase.
Field: Good problems to have. It's nice to be out in the world again. I'm encouraged that Black Hat had the attendance that it had most recently and that we're seeing people get back together as you say, Nicole. As much work as we've got done over these past two and a half years, it is nice to be back in the community.
Ford: It is nice to be back with my colleagues and amongst my peers. That's where the best learning occurs.
Delaney: Nicole, it's been a pleasure. Thank you for being with us to share your insight and expertise. It's been great.
Ford: Thank you for having me. I appreciate it.
Delaney: Thanks so much for watching. Until next time.