In a recent podcast interview with Zack Hack, Host of Cybercrime Magazine, Robert E. Johnson III, Cimcor CEO/President, discusses the latest views on securing operational technology environments. The podcast can be listened to in its entirety below.
Zack Hack here. Welcome to The Data Security Podcast sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
Q: Joining us today is President and CEO, Robert Johnson III. Robert's been a pioneer in the development of next-gen system integrity monitoring, self-healing systems, and cyber security software.
Welcome back, Robert. It's great to be talking with you again. How've you been?
A: I've been great. How about you, Zack?
Q: Things are well, things are well. Today, we're going to talk about securing operational technology. I'd like to discuss that topic. It's not something you normally hear about, but why is it so important?
A: Operational technology is the software and hardware that evolved into monitoring or control of industrial processes or industrial equipment. So, let me give you a couple of examples. Think about the SCADA systems and control systems at a utility plant, or those automated systems, or automated paint systems, for instance, at an automotive plant. Or some HVAC system, an advanced building HVAC system, and there are lots of other examples.
Now, sometimes you'll hear this referred to by other terms. The one that you might be familiar with is, say, IIoT, Industrial Internet of Things. That's really operational technology, and before it was called operational technology, this whole realm was called "process automation and control." So, the reason that we don't hear about them is that they generally are not in the public view.
These are complex systems that work automatically, day in and day out at manufacturing facilities, manufacturing plants, and other industrial facilities. In fact, these systems are not even managed by the CIO, even though they have an IP address, they are actually performing computations. They are not generally managed by the CIO of an organization. They are usually managed by a completely different team.
So, you may not hear about operational technology in the news often. But these are specialized systems that drive our economy, increase our activity, efficiently make the products that we all use and depend on and ultimately boost our GDP.
Q: Important aspects and important information, but what exactly can we do about it? Do our existing tools help or not?
A: I believe that enterprises need to think a little bit differently about their OT environments. Historically, enterprises were slow to upgrade or even patch their OT systems because there was this fear that this upgrade could break the process that it controls. This is compounded by the fact that, typically, the process control and automation divisions that were responsible for operational technology did not have sufficient budget for cybersecurity, and, in fact, to be honest, many times they had no budget for cybersecurity.
We need an entire shift - a shift in attitude toward operational technology. Then, we need to see investments being made to properly secure them.
You also asked about the tools. Many of the cyber security tools that currently exist can help in this OT environment. However, there needs to be some vetting process. Everything can't help because there needs to be some caution in this type of environment. For example, intercepting and modifying packets in the OT network can have a very negative effect on an OT environment and the process that might be controlled.
Many of the SCADA systems, or control systems, and man-machine interfaces are based on Windows or Linux. So, those create these wonderful opportunities where many of the cybersecurity tools that you're familiar with can actually help. However, some of these operational technologies, those assets, use specialized networks, specialized network protocols, run on specialized hardware, and those are more difficult to handle. And for those systems, the only way to mitigate those risks is by implementing other compensating controls.
Q: Okay, so, what if you're in an air-gapped environment? Many are connected to the cloud, or many leverage the cloud, but a lot of OT environments are air-gapped. What should they do?
A: Well, I personally prefer air-gapped OT environments, but sometimes that just isn't practical. But, even if your environment is air-gapped, it's critically important to not have this confidence that shouldn't be there. It's important to have all the proper security controls in place.
Now, our product, CimTrak, is great because it can be used to monitor operational technology environments, whether you're an air-gapped environment or not. CimTrak can help you detect unexpected changes to servers, SCADA systems, network devices, and so much more that might be in your OT environment.
Now, this is critical, even in the air-gapped environment, because people are often the carriers of threats in this air-gapped environment, so you need those types of controls in place. Furthermore, often people are the threat. You know, 80% of network outages are a result of human error. So, having a tool like CimTrak, where you have complete visibility into all the changes in your network, is critical to ensuring and maintaining uptime in your operational technology environment.
Q: Robert, excellent information. Thank you so much for joining us today on the show. Always a pleasure to talk with you.
A: Great to be on your show again and look forward to the next time we're together.
September 20, 2022