Klaus Mochalski
Hello, and welcome to a new episode of the OT Security Made Simple podcast. I am your podcast host, Klaus Mochalski. I'm the founder of Rhebo, and my guest today is Jonathan Gordon. He's with Takepoint Research. And with this, over to you, Jonathan, for a brief introduction.
Jonathan Gordon
Hey Klaus, thanks for having me. My name is Jonathan Gordon. I'm the Directing Analyst at Takepoint Research. So I look after primarily industrial cybersecurity practices, which really involves a lot of discussion and creating focused research and sort of actionable insights for anyone involved with protecting and safeguarding industrial enterprises.
Klaus Mochalski
So your specialty is really looking at OT specifically. This is a background that you have been dealing with for the past couple of years, I guess.
Jonathan Gordon
Yeah. We've been doing this for about seven or eight years now, and it very much started around OT and ICS cybersecurity, sort of like the lower levels. And over time, it's really sort of that we stepped back to look at everything that can really impact industrial enterprises. So [it’s about] ability to really produce or stay functional. It's looking at all the cyber threats that either come from the OT or the ICs or even from other sources. Right.
Klaus Mochalski
In the preparation for this episode, we had a discussion on current topics that you have seen most often over the recent weeks and months and how this has evolved over time. And you mentioned that there is now a differentiation order. You can distinguish more mature asset owners, how they organize their security operations, as opposed to the earlier days of OT security. So what has been the experience or what have been some of the key findings that you've seen with these more mature operations over the past months and maybe a few years?
Jonathan Gordon
It's a really interesting time. I spent a lot of time speaking to and really learning from asset owners and operators across, I guess, different regions, different markets, different sectors. And most people in this sort of niche industry, they would feel that the industry moves very slowly at times, right? Sometimes it's like discovering this lost world of technology that a lot of people thought extinct. But change is happening, and of late, I guess, it tends to happen in these growth spurts. And I think we happen to be in one of these spurts right at the moment.
Some of the conversations that we've been having over the last six to twelve months, a little bit longer, feel like they're maturing. It's not a uniform sort of process, but depending on the region and the sector. But most discussions up until recently, have always focused on what we call bottom up. It's like, I need a tool for this or a process for this, or we've just had an incident, and management's determined to put something in place. So it's always reactive or very focused on how we do something from the bottom up.
And of late, it's sort of evolving to talk about what we look at as the top down. So really, – whoever's responsible in the organization – the CISO or the industrial CISO, if you like – whoever's being recognized as that key figure – are addressing the cybersecurity and the cyber risk. They're looking at how to actually address the risk from a strategic point of view and how to align that with the company's business objectives. So it's really about building a business case for that industrial cyber security. And that's something that we're starting to talk about a lot more. It shows that sort of maturity step forward in the market.
Klaus Mochalski
It sounds like this is a much more planned approach, compared to many projects we have seen in the past. Which overall appears like a very good idea, to judge the risk in the OT area, with your operational technology, like any other risk in your business, and treat it accordingly. To quantify the risk, look at the consequence, and only then look at the things that you need to do. This may involve tools or it may involve adjusting processes or hiring people even, but this comes much later.
So you basically start from the top down. It seems pretty obvious that this is the right approach. But how do you do this? We have also seen some CISOs who have not a great experience with operational technology overall, and I'm not saying with the cyber security part, but in general, with the specific requirements of operation technology. What does it mean to operate a pump in a pumping substation? And how is this gap being bridged, if you have this top down approach. And at the same time, you have the experts, the OT engineers, having to run these systems. How do the two go together?
Jonathan Gordon
That's a terrific question. That's kind of like the age-old question in our space. It's really this colliding of two very distinct worlds. And the CISOs responsibilities in the industrial context are kind of very markedly different or distinct from a traditional enterprise. Whatever strategies they implement have to be sort of seamlessly implemented across those two worlds, the OT, the IT, and then the other sort of team in between that happens to be in that organization.
I think that the key is to understand how the business works. It's crucial for everybody involved in the process, whether you're in the plant, in the control room – all the way through – to understand how the company makes money. Why is it in business? Who are the customers? What sort of services, what sort of products are you providing for whom? And what are the risks that could impact the ability to produce or serve those customers? And that's critical whether you're in operations, whether you're in engineering or you're the CISO or the chief risk officer, et cetera.
And, I mean, we know in the industrial setting that we frequently sort of rely on these legacy systems, which pose their own set of challenges for cybersecurity. But there are also people that tend to focus, whether they're in operations or engineering, that are tasked with keeping these systems running. And the real answer is, how do you merge these two sometimes opposing worlds? And I think, if you step back and everybody sort of looks at the goal, focuses really on what we're trying to achieve, it's really that we're trying first and foremost to enable the business.
We see a lot of different technologies coming in. Whether you're manufacturing baby formula or protecting freight transport, there are lots of different technologies coming in. And the traditional role of the CISO was to look at this and say, Okay, well, this is inherently insecure. Let's slow things down and take a look at it from a security perspective. But I think more and more what we're looking at is how do we enable the business to innovate, to continue or to enhance productivity and better serve customers – but to do that securely.
So the focus is really shifting. And if we can focus on this enablement, which includes those sort of operational automation perspectives of productivity and reliability, together with that protection and the safety and cybersecurity, we can elevate and really all focus on the risk, identify the risk, and then mitigate or transfer to managing that risk. And then it makes sense for everybody in that value chain. So really, the focus is on the value at risk for the organization, and then everyone's sort of aligned. Whether you're in the OT or the IT or wherever your department happens to be, it kind of makes sense to you in your space, and then you can start communicating with others, right?
Klaus Mochalski
Yeah, it makes total sense. So if you are an organization with, let's say, manufacturing operations, which has been digitalized and running modern automation environments, then that's an important part of your business that you need to protect. And so naturally, it falls into the realm of the CISO to protect, like any other vital assets in the company. I think this is understood.
But from what you're explaining, it seems like there are a couple of new challenges coming along for the CISOs. The first obvious one is to have a decent understanding of the underlying technology, the assets that need protection. So they need to become familiar with the OT infrastructure in their companies. They need a basic understanding of what a PLC is doing, what makes a PLC safe or unsafe, what makes it secure and unsecure. They need to have a basic understanding. We discussed, and let's talk about this a bit, f this requires a different type of CISO, or if they need to get additional qualifications in the OT space. So that's one area.
And the other area that I see as a challenge – and maybe this is something they always had – is that they need to work on alignment, like getting all the different parts of the company aligned so that everybody understands that they are working towards the same goal. That's the success of the company. And quite often we are saying that the optimization criteria in OT are different from those in IT. But this is true only on a technical level. On a higher level, they are the same: making profit for the company and making sure that you are not hit by [a cyber attack], or that a certain risk doesn't have substantial consequences threatening your business. So getting alignment across all of these different parties, the different stakeholders, people in the organization’s departments and teams, this becomes key.
So do we need different kinds of CISOs today who accommodate this deep technical knowledge on the OT side? And how deep does it have to go, and how much of moderators and drivers of alignment do we need here?
Jonathan Gordon
Yeah. So CISO is becoming like a superman who needs all sorts of skills. But I think it's very interesting. It's kind of like the further you go up you get to a role where [this happens]. And it's also the budgets, right? We're seeing cybersecurity budgets that are increasingly centralized under the CISO, even in the industrial companies. And it really emphasizes the need for strategic oversight and strategic understanding and how to make these decisions. And I think more than ever, there are a lot of those soft skills that come into place.
So definitely understanding how the company actually creates value, who the customers are, how it generates revenue, et cetera, what's at risk are critical. So it's really an understanding of the business, and they need to be able to communicate with their peers on the business side, not just the engineering and the operations and the technical side, but really within the business as well. It might be the CFO or the CRO or definitely the CEO. They're getting more time in front of the board as well to really explain how they're dealing with these cybersecurity risks.
Klaus Mochalski
Actually, that sounds to me like the more obvious part, that they need to understand all the details of the business and how the business generates money, and that they have to work with the management board on a daily basis.
I think for me, it sounds like the more challenging part of their job to have an informed discussion of a certain technical depth, even with, let's say, an OT field engineer. Is this something that they should also be able to do?
Jonathan Gordon
You're absolutely right. The key is about facilitating these open discussions and really aligning. But having these discussions, whether they're very technical or lower level or very business-focused and being engaged with your audience. I think that that's the key. You need to know who your audience is. You need to know who's in the room, what's in it for them, what's their worldview, whether they're focused on keeping a particular production line up and running.
Sometimes engineers or operations people see cybersecurity itself as a risk, a risk to reliability or production. You're asking to do something or change a process that they've always done this way. The key is about building trust on every layer. And, you know, it's about understanding first and then being understood. So it's about asking questions and really spending time in the plant, with engineers, in the control room, to understand exactly what people are doing in the plant, what their focus is, what the type of technology is. But really, a lot of it is about people. So we talked about those soft skills. It's about understanding, communicating with people on their level and within their environment.
And then, yes, on the technical side, it helps a lot if you can understand what the pieces of the operational technology do, right? If you understand the difference between a PLC and an ITU and SCADA and DCS, et cetera. But I think that the key is building that trust. And it's kind of like the lower you go in the tech stack, trust sort of merges in with that technical knowledge. So it's about understanding the people on the factory floor and really trying to understand and help them understand that they're on the front line of protecting their production lines from cyber incidents. Well, it's about getting everybody to understand these risks within their environment.
And sometimes those discussions can be very, very technical. And again, depending on the size of the company organization you work for, some of the teams will be much smaller. Sometimes it's the same person that takes care of the IT security and the OT security, and that mows the lawn on the weekend. But in some cases, the teams are bigger. So it really depends on how engaged you are and how big your team is to how technical you need to be. But definitely, you have a much greater advantage, particularly with clarifying and understanding the worldview of people in the production, in the plant, if you understand a bit more than the basics of OT.
But I think the idea in the end, to build trust is asking a lot of questions and really taking that on board and not just walking in there saying, Okay, we're here to secure the environment. Let me show you how to do it. It's really about understanding before you make any decisions. And building a team is about building collaboration and trust, both from a technical point of view, all the way up to aligning that with the business goals.
Klaus Mochalski
That's true. And so it could well be that in a large organization, you're not looking at a single position. You're not looking at the CISO doing all of it. You may have a CISO who cannot have this informed discussion with a PLC engineer, but for this trust-building exercise that you mentioned, it may be necessary. And so you need to have the right roles at the CISO level and the CISO team, let's call it that. So that you can facilitate these discussions to build this trust, because I can also imagine that otherwise it becomes really difficult. That you may get certain information, but not all the information that you need to have this overall top level picture on the business and the risk to the business that you need across all of the different areas.
Jonathan Gordon
Yeah, it's a difficult position. In the end, the business is here to create value. That's the mission, and it's the mission for everyone, whether you're in a large company or a smaller company. And the idea is to create this clear vision for every stakeholder, whether they're in the control room or in the boardroom. So it's about enabling them and securing that. So it's that productivity, the reliability, the safety and cybersecurity and how that all fits together. In the end, it's about enabling the business and safeguarding that at the same time. Right.
Klaus Mochalski
So this is, I think, a very important message to our listeners to finish this off. From your experience with the companies you have worked with over the past, you said six to twelve months: What kind of effort and investment do we have to look at, if you are a company that is reasonably mature in regard to IT security? Let's assume we have some OT security measures in place. We've done our network segmentation. We have firewalls between the different segments. We may even have looked into OT monitoring tools and SIEM systems, particularly for the OT environment.
But if you now want to embark on this top down journey and make this part of the entire risk assessment, the entire organization, what do you [have to do], or can you give an estimate of how long would it take and how many resources would it roughly involve?
Jonathan Gordon
Wow, that's the million dollar question. I guess the answer is, it really depends on that jump in maturity. You outline a company that's relatively mature. So they've already deployed some network compensatory controls, maybe endpoint security, and they're looking to take the next best step to reduce particular risk. So I think there are still quick wins that you can do at whatever level you're at. But the question is really to identify the next milestone or where you want to get to with regards to maturity. There'll be people that are just starting off, and there'll be people that are more mature from where they are.
They typically tend to be larger organizations. So quantifying is quite interesting. It's actually that a lot of these approaches about identifying the risk and identifying that value of risk to the organization that actually help you understand this elusive concept of ROI [note: Return on Investment] within cybersecurity. So when you're talking about how do we quantify the budget or the time or even the skill sets that we need to have on board, taking this risk-based approach of identifying and quantifying the consequences can help you sort of create that budget, I guess, for that next step.
So whether you're looking at putting in MITRE ATT&CK path analysis, or you're looking to put in some sort of platform that will help you identify vulnerabilities, et cetera, looking at it from what's the next best step that we can do to address the risks that we've identified that have the highest consequences and likelihood to the organization, that's the best way to get to that answer, if you like. Right?
Klaus Mochalski
So, of course, no easy answer to such a question, but you shouldn't be afraid as an asset owner to take the first or let's say the next step. There are quick wins to gain. And at the end, the overall business will benefit, and it will not just create additional cost. The overall business will benefit from the program that you're running in the OT if it's tied into a larger security strategy.
Jonathan Gordon
Yeah. In the end, it's about merging this top down approach, strategic approach, business-focused approach with that technological – that bottom up – approach, and sort of meeting in the middle, but making sure that everybody understands what we're doing and why we're doing it and how it affects and impacts them. Very good.
Klaus Mochalski
I think that's a great final sentence and we should finish with it. It was very interesting talking to you. I hope we could carry the point to our listeners that the top down approach is something that you should definitely consider and that it's a sign of a mature operation with regard to security in all areas. And that's only something that we, that you particularly can recommend. Jonathan, thank you very much for being on the show. It was a pleasure having you.
Jonathan Gordon
Thank you very much. Thanks for having me. Bye.
