
OT Security Made Simple welcomes senior OT cyber security expert Mohammed Saad, who spent twelve years developing security solutions at Honeywell. He talks about his experiences with customers, successful attacks and how the communication gap between IT and OT in companies needs to be bridged.
Transcript
Klaus Mochalski
Welcome to a new episode of OT Security Made Simple. I'm Klaus Mochalski, founder of Rhebo. My guest today is Mohammed Saad. Mohammed is a long-term OT cybersecurity specialist. He spent over 12 years, if I remember correctly, in different OT security roles at Honeywell. Today, he is an independent OT cybersecurity advisor. But Mohammed, over to you. Tell us a little bit about yourself.
Mohammed Saad
Oh, thanks, Klaus, and thank you for having me on your podcast. So as you just mentioned, I've been in ICS & OT for like 20 years now. I'm a control system engineer by education and for the majority of my experience in time, I have experience in multiple control systems and automation. And I am pleased to have been with Honeywell for the last 12 years. I started as part of the startup of their OT cybersecurity startup. I love working with customers. I love creating and developing cybersecurity programs. Right now, I'm working as an advisor for OT cybersecurity and business development. So, I'm helping also OT cyber companies and technology companies to grow up and to scale up, as well as helping our asset owners and customers to secure their cybersecurity program.
Klaus Mochalski
It really seems you have seen a lot when it comes to building cybersecurity programs, especially with regard to OT. This is a trend that we've been seeing over the past year in more mature asset owner operations, so that OT security has been taken more seriously than it has been, like five years or even 10 years ago. There's definitely been a development, and we want to talk about this.
I want to extract from you, for our listeners, what you really see as a best practice approach today. For me, this is a follow-up on a previous episode that I've done with Jonathan Gordon from TakePoint Research. We recorded an episode which was called Why CISOs are Becoming a Company's Superman and Superwoman. The takeaway of this episode for me was that OT cyber risk is becoming or is being treated as a risk to a business as any other business risk. As such, it is basically communicated all the way up to the board, to the management team. The CISO needs to be part of this management team, and they basically deal with this issue, with this problem, with the cybersecurity risk, like with any other business risk.
And, of course, the challenge in a day-to-day business is to solve the bi-directional communications problem. So not just run to a bottom-up approach where your OT engineers tell you what they need and what they don't, but also top-down. And this is, I think, the big challenge here to solve this communication disparity that we quite often see. And that's really what I'm interested in hearing from you. So, let's start by talking about what do you mean if you talk about a cybersecurity program?
Mohammed Saad
Yeah. So, 10 years ago, when we started this OT cybersecurity, talking to our customers, I think the major thing was trying to help our OT customers to sell the need for the OT cybersecurity assessment to their board or to their corporates. As we went on, we found IT and OT are talking different languages. Both are talking different languages. Hundreds and hundreds of talks, people are talking about how IT is different from OT.
But I found so many asset owners who are very successful. Those guys understand the value of having a middle organization to handle the translation and the communication between both sides. Because IT is always talking about financials, business risk, and they have already regulations, they are up-to-date, and every great thing is happening. In OT, it's always talking about legacy technology, legacy protocols, and also they are not talking about a similar risk, they are talking about a physical risk and operation loss, and other stuff. I think, and I saw this, having a middle organization which we earlier called IT or OT organization or OT leadership or something this type, helped a lot in translating the OT needs to corporate IT and getting it approved.
But the other thing is, as we evolve, CISOs always have the responsibility for the overall company cybersecurity. However, they always overlooked the OT stuff because in many cases, they didn't understand the needs there. But what happened after many attacks happening right now - and these attacks make those companies suffer a lot from financial loss or operation loss - they found that, “Oh, operation is much more expensive to ignore!” So, the CISO himself right now is getting questions from his CIO or the board about, “Are we ready to face these types of attacks?” So, right now, [the CISO] starts to try to understand this.
So, building some of this organization and having some OT CISO who's reporting to the [corporate] CISO or [who is] reporting to the CIO is helping the organization expand the cybersecurity all over both organizations.
And I see it also as a cost-effective solution, by the way, because you don't need to spend much more on policies here and there. You just need to expand policies. For sure, the solution is going to be different, but for policies, procedures, everything should be linked to the risk.
Klaus Mochalski
That's very interesting. You're saying a lot of things here, and I'm trying to get this in order to better understand for our listeners. First of all, you're saying the CISO is responsible, and they are getting the questions because now OT cybersecurity risk is a well-published issue, so you can't ignore it anymore. That's natural that you get the questions. Second, you're saying that it's not enough in most organizations to simply educate the IT department in all things OT and the OT teams in IT security. But you need to formalize or institutionalize this in an organization by creating a department or a team that's responsible for bridging the gap or the communication disparity between the OT and the IT teams. This team, so to say, should report to the CISO. You also mentioned a role of an OT CISO. Is this separate from the company CISO? Is this just a role that you could combine in one person, or should it be different?
Mohammed Saad
If we're talking about a large company whose CISO is one of the executives and he is reporting directly to the board or something, then he is running all the security. And this OT CISO is going to report to him or his organization because at the end, it is supporting his vision and his task. If we are talking about [companies with a] CIO, who has CISOs reporting to him, one part of the thing here is we need to empower the OT CISO to make sure the physical risk and the OT cybersecurity risk have been addressed, and we have authority over others as well.
So, we can say, short answer is, by default, he's going to report to the corporate CISO. But also we can say this CISO could be, we name him IT/OT leader in some companies because it's based on how large this company is. By default, it's reporting and empowering the corporate CISO.
Klaus Mochalski
This sounds like a very challenging position to be in. I'm just trying to imagine myself being in this position, having to bridge these two worlds. How, for instance, do [they] anticipate and [how] would [they] handle the pushback that we quite often get from IT departments? I've seen this myself [in regards to] for instance, [vendors] who are providing the hardware that I'm trying to secure. If there is, let's say, a Cisco label on the machine, then IT feels responsible. If there is a Honeywell or Siemens label on the device, then someone totally different feels responsible. This usually doesn't get crossed or intermixed. There has been a sharp boundary.
If the OT people start getting into the realm of what the IT department perceives as their area of expertise, then usually there's quite often a pushback. They say, “Well, we handle firewalls! That's our responsibility.” How do you deal in this role of the OT CISO with this pushback from the IT department?
Mohammed Saad
I'm not anticipating the OT CISO to be a 100% technical guy. He should have organizational skills because if you're watching also my recent talks and the articles, I was talking about an Enterprise OT Cybersecurity Program. This means you are not only looking for an OT cybersecurity program from an OT cybersecurity standpoint, but how to link this to the corporate. I think IT are always looking to secure all the organization because they don't like anything to go down. OT are looking to secure their OT and the ICS, and they don't like anybody to harm the latency and operation of the OT.
And by having an OT CISO who understands something about organization, something about communication, something about leadership, plus having experience in the ICS, like industrial control systems, he [or she] can communicate this in the same language IT is talking. They are talking about confidentiality; they are talking always about risk and risk score and how much is going to affect the business at all. Not only one side, not only operation. I think this guy is going to help in these pushbacks.
Klaus Mochalski
We definitely need someone with communication skills, maybe even some political skills because sometimes these discussions, as we know, can get quite messy. It's a very challenging role. It's not just the technical skills that are important here. I understand this. You also mentioned that in IT security many discussions are driven by commercial [interests]. That's probably a good thing because we're talking about commercial companies, so everything should be driven by financials. That's very natural. I think that's something that we need to understand and maybe better manage and better communicate in the OT security side as well.
From your experience, how can we align the specific OT requirements with regard to financial implications? With the messaging and the discussion lines of IT departments [where] any investment needs to be justified and a risk is quantified, both in terms of likelihood as well as consequence? We need to have the same for OT. But also given that, historically, there have not been as many OT incidents that can statistically inform or drive a certain investment decision or justify an investment decision. How do we handle this challenge? Because sometimes a [counter] argument could be, “Well, we don't see many OT cyber incidents, so maybe it's best to mostly ignore this issue and not invest too much in it.” How do you handle this, specifically if you are in this role of the OT CISO?
Mohammed Saad
Yeah. I think the major issue, again, is communication. Because why aren’t there many more attacks making a disaster in OT? Because OT is multi-layer. You have safety. You have not only the safety PLC or the safety systems, but you have also safety at process control level. You have valves, you have safety valves, and others. You have many layers of security, we can say, or protection, we can say, for things not to go sideways for the OT. I think the OT CISO is going to help in translating:
- how OT [is structured]
- what ICS is,
- why there are no attacks, and
- what will happen if there is an attack.
I had one of my customers seven, eight years ago, and he was in a very well-known oil and gas company. They suffered from one of the famous attacks at that time. However, he was struggling to secure funding for his OT program for two years. They had the attack. They had been in the news, and he was [still] struggling to secure the budget. Why? Because the attack, yes, it hit. Their shutdown happened, but it was an operational shutdown. Meaning, they were able to restart the refinery in like just 6 hours. So, they didn't lose a lot of money. And what he did is just demonstrating how much loss one attack, if an attacker can compromise one controller in this plant, would [cause].
The discussion on the commercial [side] is not fully fair for the OT because sometimes you are investing in safety and the protection of things not to happen. But understanding the consequences of breaches is something else. This guy, the OT CISO, or his organization, are going to help in translating this message to corporate.
Klaus Mochalski
That's probably a good comparison you have drawn to safety systems, because for safety systems, it's similar. You invest in something that you hope you are never going to need, and they're just there for this low probability incident that may happen at one point, but if it doesn't happen, everyone is happy, and maybe we need to treat OT security from a similar perspective.
Mohammed Saad
Exactly. But for safety systems it’s easy to secure budget because it's mostly driven by operation. But when it comes to something called the networks or signals or whatever, it's driven by the IT budget, which is the problem coming from there.
Klaus Mochalski
It doesn't hurt, it doesn't bleed if something happens, so it's hard to imagine. Exactly. I guess that's the communication challenge that we all face. I think this provides a pretty good understanding to our listeners how you would tackle this challenge all the way, trickling down from the CISO position, having this department in this translation role between the OT requirements and the IT departments, providing some of the services and definitely informing decisions.
If I were an asset owner, a company starting with this program, I have my CISO appointed as being responsible also for OT security. How would you start with this journey, integrating cybersecurity across all my layers, including OT security, what would you recommend as the first steps, the first simple steps to take for these companies that are at this level in their journey?
Mohammed Saad
I always say this to my customers: Secure the basics. Don't look to these shiny technologies or software or whatever. Think about it first. You need to have a very solid scope of work for all your sites' assessment, cybersecurity assessments. You should have an assessment for all your sites. What I insist on is having a very well-written scope because assessment is based on scope. You can write four line items, and it could be understood by somebody somehow and by somebody else somehow [different].
Don't depend on just software solutions to give reports about what's happening there because we all know not every asset is connected to the network in the OT. Do the cybersecurity assessment first. Then from there, you are going to identify the gaps, and based on your budget plus the gaps and the priorities or the severity of each cybersecurity gap, you can identify which one is going to be first. If there are multiple sites, it's going to be based on the risk for each site, plus the budget, plus the severity.
Klaus Mochalski
This is a real pattern that we have also covered in this podcast, that you should always start with a cybersecurity assessment, and properly done. This will inform all of your follow-up decisions, and it's always better to take [this as] the first step. You don't need to solve all the problems in one step or in one budget cycle. But this assessment will tell you what the most serious issues are, if done correctly, and then you can tackle them one by one, and you don't even have to tackle them [all at once].
It's important that you take the first steps, but you take the first steps in an informed manner so that you know that you're solving the problems with the biggest impact first before you tackle the smaller problems. Not always is a solution that someone tries to sell you the best solution for your challenge.
Also, these decisions, what systems you need, what services you may require, this is all driven by this initial cybersecurity assessment, and this needs to be done right. Then it probably needs to be done on a regular basis as your systems change. The assessment needs to be redone. Then you will always take informed decisions and never invest money in the wrong things.
I guess that's something that every management in a company is afraid of.
Mohammed Saad
Yeah. Another one which is also really important, and that's why I'm promoting this Enterprise OT Cybersecurity Program, is policies and the procedures. So, IT or Corporate always have great policies and procedures. OT? Nothing in many cases. And when it comes to disaster recovery, sometimes you take the decision to shut down a plant just because you don't know what to do. It's like, “What am I going to do after an attack?”
So, here it is: In parallel with the assessment, whether it is a cybersecurity assessment or a risk assessment, work to extend and expand the [corporate cybersecurity] policies and the procedures to OT. For sure, procedures are not going to be the same. But policies on how you are going to respond to an attack, or how you are going to do the disaster recovery, who to communicate to, and the other stuff, because everything is connected right now.
Klaus Mochalski
That's another important takeaway. The gap between IT and OT, it doesn't just need bridging, but it's also a potential source of learning for both sides. The OT department or the people responsible for OT security should always try to learn from IT because [IT] have done this for many, many years, some of them for decades. Of course, they have the procedures in place that are very reliable. This is something that we can certainly translate to the OT cybersecurity problems.
Mohammed, thank you so much. It was a very interesting discussion. We are already hitting our time limit here. Maybe we can continue this discussion and look more in-depth at what it takes to implement such a program. I found it really interesting to discuss with you how to implement such a cybersecurity program in this podcast.
Mohammed Saad
Thanks a lot. I appreciate you having me and I'm looking forward to talking to you again.
Klaus Mochalski
All right. Thank you.