In this episode of Rhebo's OT Security Made Simple, Matthias Maier from SIEM system provider Splunk explains why an OT security strategy at management level is essential in order to make the right investment decisions when selecting tools. He explains the individual steps and once again highlights the responsibility of the management when it comes to OT cyber security, particularly with regard to NIS2 and Co.
Transcript
Klaus Mochalski
Hello and welcome to a new episode of the OT Security Made Simple podcast. Today I'm delighted to welcome my guest Matthias Maier from Splunk [note: the company develops and operates the Security Information & Event Management (SIEM) system Splunk]. Matthias, please give our guests a brief introduction of yourself.
Matthias Maier
Hello Klaus, hello to all listeners. My name is Matthias Maier. I've been with Splunk for over ten years, I'm a Market Advisor for cyber security, I often get to work with top cyber security teams in Europe. Super exciting. I'm a Certified Ethical Hacker myself, which means I love the command line, I love breaking things, but I'm also a CISM [note: Certified Information Security Manager], for example. That means I also enjoy the topic of risk acceptance.
Klaus Mochalski
Splunk has a very specific view of the market due to the products you offer. We talked in advance – and as I understand it, this is also an increasingly important topic for you – about which [OT] topics you work on with customers.
We have also been observing at Rhebo for years that customers are naturally becoming more mature and are taking a more targeted approach when selecting tools and embedding the whole [OT security] thing more strongly in the overall corporate strategy. In your opinion, what is an important aspect that you frequently observe in your engagement with your customers at the moment?
Matthias Maier
In recent years, we have unfortunately often seen failed projects where we were only called in afterwards, or where outsourcing security projects have failed or where the security benefit simply did not materialize. And what we are currently seeing on a massive scale is that companies are drawing up a security monitoring strategy and then having it signed off by management before they get started with any tools or any security operational issues.
Klaus Mochalski
That sounds like an interesting buzzword: security monitoring strategy. So that's what companies need. Could you briefly explain what that means? That sounds obvious at first. Of course, you need a strategy. It's about security monitoring. But what does it mean from your point of view?
Matthias Maier
The security monitoring strategy is the bridge between the technicians – technically highly complex networks, complex architectures – and management. Explaining [to the latter] why we need something and having the management sign off on it. Or to let them choose how much IT security is good enough for us? And is that also within our budget? This is the IT security monitoring strategy, where it is adapted to the company.
What do we need? Everything else is then derived from this. The IT strategy for IT security operations is then derived from this. In other words, do I need my SOC [note: Security Operation Center] 24/7 or not? Yes, what is my risk appetite?
This in turn results in a security management strategy. In other words, which data, which systems do I monitor? Which tools do I perhaps also need from Rhebo in the OT area in order to correlate this up?
But it starts with the security monitoring strategy, which is a bit high level and sets this mission statement for security operations, for SOC operations, for the location, for monitoring.
Klaus Mochalski
That sounds very sensible and intuitive at first. I think this is often a mistake that many people make. First looking at tools and using a seemingly powerful, perhaps even nice-looking tool – in the hope that you will quickly achieve these initial results, but without having a clear picture of how this fits into the overall strategy, as you explain. And also how to secure operations there in the long term and then, of course, how to extract the value. That there is also a return on the investment you make. There is also a lot of talk about this. Return on investment even for security tools.
I had a guest in a previous episode where we talked at length about how companies that are becoming more mature in their strategic planning in this area are increasingly embedding the OT security part in the overall corporate strategy. If you look at the company hierarchy now, you can see how the bottom-up approach that was often used in the past – i.e. the specialist department that made or drove the decisions – is being driven more towards a top-down strategy that is informed by intelligence from the specialist departments. So that, if you define it in terms of a role, the corporate CISO is actually responsible for the overall strategy, for all risks in the company and, in particular, for OT risks. Is that what you mean by a monitoring strategy at Splunk?
Matthias Maier
So the CISO is generally not responsible for all risks, only for cyber risks. That's about cyberattacks, and mostly for cyberattacks from external actors. So insider threats etc. are a slightly different topic, as is fraud detection.
But what we are seeing more and more frequently is that the CISO is organizationally attached to the Chief Finance Officer and this then becomes a kind of money issue, a risk assessment. And the CFO then ultimately bears this risk. However, with NIS2 and more and more compliance regulations, management is of course now also personally liable in some cases or can even be taken out by the state in case of doubt. So it's not just fines.
And that's where this top-down approach comes in. And of course, if you exceed a certain threshold of investment in cyber security or in monitoring operations in terms of tool investments, security investments or where company processes need to be adapted, this will of course also be considered quite quickly by the Board of Directors. So this is also an essential management issue and not just for the CISO. Instead, the CISO only has an advisory role and then looks at it: Okay, this is our risk appetite. That's a risk you have to accept, or this is a risk that cannot be accepted under any circumstances.
Klaus Mochalski
Yes, what I wanted to say was that the CISO is also responsible for information security in the broader sense for OT. However, he doesn't make silo decisions, but considers the whole thing within the overall risk framework of the company and, ultimately, investment decisions are also driven by risk considerations. "What is the risk for my business operations?", so to speak.
And so every single investment decision, every investment in all areas is considered, regardless of whether it is IT, whether it is OT or whether it is a completely different business area. And this is where the CISO has a very central role to play. And this area is also an important area of responsibility, perhaps a new one in many areas.
So what do you think is part of a good and balanced OT monitoring strategy? What are the essential elements that must be considered and included?
Matthias Maier
Exactly. So I would start with an OT security monitoring strategy at a high level. That doesn't go into the tools yet, but [discusses the questions], what do we need to protect and what do we need to protect ourselves against. That you really define that. And then also, why are we protecting ourselves from the whole thing and what happens if we don't do it? What compliance rules do we have to fulfill, observe or perhaps even provide evidence in regular audits? And once you have answered these questions – quite fundamentally – investment decisions can be made, from which you can then derive the whole process of implementation.
And it helps to take a look, for example: What OT or IT policies are in place? Where are "acceptable use" and "unacceptable use" issues, for example in the OT area? How is change management being driven forward? Is there a ticket when a service technician comes from the Siemens control system, plugs in a USB stick and performs a firmware update on the machine? We can detect this with monitoring, right? But is there a process? Is there a support ticket? Is there a change ticket that you can perhaps correlate this [support ticket] with so that you don't get a false positive [note: an incident alert for an activity that is actually legitimate and not security-relevant]? And in the OT area, it is a wonderful use case that is always super easy to implement and super effective, because as soon as there is a change in such an OT area without a change ticket, it makes it super difficult for cyberattackers.
We are already deep into all these technical issues. But that has to be defined in terms of processes first. Once you have that, this monitoring and implementation – that I get the data via an OT security monitoring tool when someone plugs something in; decisions on how I get this data or what my standards are there, i.e. what is normal [in my OT communication] – is much easier. And that's because it's more of a purely technical implementation instead of [the fundamental question], what do we want to achieve in the first place?
This intermediate step is often missing. And this is where a security monitoring strategy fits in perfectly. You can include detection afterwards, for example for unauthorized changes without a change ticket.
Klaus Mochalski
How do I proceed as a company? If I now want to start defining such a strategy as part of my overall security strategy. Do I focus heavily on standards? Do the standard security frameworks, such as IEC 62443 in the industrial sector, help me? Do I need to look at what the requirements of NIS2 are? Can I pick my favorite security framework or is this something completely different that we need to look at? Does it go beyond what is required and specified in these standard frameworks?
Matthias Maier
I think that's a level of maturity. There are many different approaches. I believe that something like malware tech, for example, is already too technical, too detailed. I see that more at the management level. Yes, then comes the operational level with security monitoring operations and, at the very top, the security monitoring strategy. What fits in very well is NIS2, for example. It is very clearly defined:
What is the scope, which environment?
What are the times, the investigation times, the reporting times?
What are the consequences if I do nothing?
What are the requirements, i.e. proactive security monitoring instead of just reactive? Reactive is more like end-point protection with standard signatures etc. Proactive is, for example, something like change management monitoring.
That I implement something like this. It also includes the regular audits that have to take place. Either as a self-audit or by a third-party company, or someone comes in every two years or whatever the cycle is, and performs the audit accordingly. This person naturally wants to check all these topics. The German Federal Office for Information Security (BSI) also has wonderful audit protocols that work in both IT and OT and are then used accordingly.
Klaus Mochalski
Is it best to do this myself or should I not do it myself and get external help in the form of a consultant or service provider so that I don't see the wood for the trees because of all the knowledge I have about my own infrastructure? What is the better approach from your point of view?
Matthias Maier
Unfortunately, I don't have a model solution. I think that if you familiarize yourself with the subject and stick to the 20-hour rule – if you focus on something for 20 hours – you can learn anything. Maybe not perfectly. Or you might get external support for management, because consulting firms, when they put their stamp of approval on a concept like this, certainly also have experience and do this very, very often. That also helps, of course. Even if you are then criticized from outside, perhaps by the authorities. Of course, it depends on your position in the economy and as a company. Then it can also help to say: Okay, the incident response procedure is often done on a technical level, which means that external experts get involved, so it certainly helps to work through this strategy with them.
But at the end of the day, [external consulting companies] can't do it [completely] for you, because it has to be adapted to the company – similar to an ISO 27001 certification. Your own risk appetite has to play a role. Your own financial resources, including for investments in implementation, play a role. What percentage of my IT budget do I want to spend on security monitoring? We currently calculate – spoiler alert! – 5-6% of the IT budget for cyber security. 5% of IT employees work in cyber security on average. So if you have 100 employees in the IT department, five should be doing cyber security, as a benchmark. But there are always new figures, and of course it has to be the right size. And that's why external support is good, of course. But the illusion that they can do it all for you won't work.
Klaus Mochalski
Yes, I'm right there with you. The figures you mention are interesting. I researched the recommended budget for cyber security for a presentation a while ago. And it always ranges between 5 and up to 10%, depending on the sector. If it's a highly critical sector or in the banking sector, I think it's close to 10%. But it shouldn't fall significantly below 5%.
And if companies take a critical look at themselves, I think they are still understaffed, especially in the relatively new or probably new OT security area. In other words, you should look at your own skills and expertise in-house. And then it makes sense to want to understand your own infrastructure from the outset. And I believe that these security frameworks – perhaps ISO 27001 as a first step, then more specifically the industry-based IEC 62443 or the NIS2 directive – can help. Even if you only use them as a checklist in the first step to ensure that you look at all aspects and don't forget anything. Because if you start now and think about what the risk is in my OT infrastructure, you are sure to forget something. But if you go through these lists, these requirements, you are very likely to be complete and won't forget anything. There are certainly areas [in the security frameworks] where you can say that this is not relevant for us right now. But you can definitely make sure that you don't forget anything.
That's why we always recommend: If you have the resources, find out for yourself, familiarize yourself with it and look for a security framework. In many areas, you will no longer have a choice with NIS2 in the future. You also have the specification of what you should start with. And then I think it's a very good idea.
To summarize: an OT security strategy is simply an important prerequisite for planning the implementation of measures, including the selection of tools. A detection & monitoring tool like [the one from Rhebo], but also a SIEM system like [the one from Splunk].
Nevertheless, I would like to end with a perhaps somewhat religiously technical question. Over the last two or three years, I've had many, many discussions that have swung in one direction or the other about how to establish a central security dashboard. Let's say I have a SIEM system – and Splunk can also be seen as a SIEM system in the broadest sense – and I have a SIEM system in use in the IT department. I have a Security Operations Center there that operates it successfully and also has experience in this area. And now I would also like to introduce the whole thing in the OT area, for example in my production plant or as an energy supplier in my power plant areas, i.e. in technical areas. Should I try to set up a consolidated IT/OT SOC with an underlying consolidated IT/OT SIEM system? Or should I deliberately separate them? Or is it perhaps also a step-by-step process? I don't have the right answer there either. I have heard many opinions and many good arguments in one direction or the other. What is your personal opinion there? Or is there perhaps something like the official Splunk opinion?
Matthias Maier
The official opinion is: We are flexible. Whatever makes the most sense for the customer in terms of organizational separation. Whatever the customer wants. That's the beauty. I've seen it all. Generally speaking, that's the case in the cyber security sector.
For example, there were cyber attacks on petrol station networks in the USA. The petrol station network still worked, but they could no longer issue invoices. Now the question is where does digital resilience end? If I can no longer issue invoices or write delivery bills, I naturally no longer want to deliver goods. And suddenly the flow of business comes to a standstill, even if it's not an OT environment.
In other words, you really have to take a close look. Organizationally, what we are seeing right now, for example at BMW, they have invested massively in cyber security and built it up over the last few years. They have an IT SOC, which is a central SOC. And below that, there are some who are responsible for the production SOC. Some are responsible for vehicle IT and their systems – which virtually unlock the vehicle, manage the mobile app, etc. A lot of cloud applications. And then there are those who are responsible for IT. Because this is also a wide variety of expertise, in terms of the technology stacks. And then, of course, which attack vectors or how cyber attackers are on the move. And the risk appetite could also be completely different, depending on the area. And here we have a model of sorts.
For smaller companies, I think you can take advantage of the efficiency and consolidate and combine them. With energy providers such as transmission system operators, for example, we see that [IT and OT] are simply combined because there is not this volume and the overview is sometimes a little easier.
But what I think is certain to come – and we in Europe are perhaps ten years behind, in Israel it's been around for a long time – is sector CERTs [note: sector-specific Computer Emergency Response Teams]. Today, with NIS2, everyone reports their cyberattacks to the [central national authority]. I believe that in the future, we really will have sector-based CERTs in five or ten years' time, which will also receive telemetry data in real time. This means that the log data will also be sent there. This already exists in Israel, where there is an Energy CERT – also a good customer of ours. There, anyone who produces over a certain amount of energy per year falls under this directive and must then send their VPN access to its OT network, all administrative activities, traffic in the OT network, everything really, these logs to this central location. And they then do anomaly detection, this change issue with the tickets. If a VPN access does not receive a change ticket, the CISO of the site or the provider receives a message about what is going on.
And then they can also answer: Are we seeing a cyberattack on our energy sector, yes or no? Because even with NIS2, the BSI can only do this if they somehow report something or issue an indicator for a compromise. And then it will probably take a week for everyone to give feedback again: "We see this or we don't see this in our sector". They have no picture of the situation. And that's why I believe in five to ten years' time the next step will be [sector CERTs].
Klaus Mochalski
A very exciting topic. You can also use this network effect to potentially use the attack that is seen in one place, the signatures, to immediately detect these attack scenarios elsewhere and be one step ahead.
There are actually already approaches in Europe. In Denmark, I know that there is a CERT in the energy sector [note: SektorCERT], to which all distribution system operators or the country's largest distribution system operators are connected and where a central body actually monitors the entire energy market, i.e. the country's entire distribution system space. This is certainly easier to implement in a small country like Denmark. But it is a very, very powerful tool. It's a very exciting topic, and I think we can definitely take a closer look at it in a future episode. Thank you very much for the exciting discussion, and also for the brief outlook at the end. That was very helpful and I was delighted to have you on the podcast.
Matthias Maier
Thank you very much, Klaus.
Klaus Mochalski
You are welcome. Bye, Matthias.