Nick discusses the challenges faced by customers, including identifying assets, addressing vulnerabilities and managing risk efficiently, while highlighting the significance of mitigation over elimination of threats, as well as the need to reduce risks proactively.
BK: Hello and welcome to today’s podcast, Cybersecurity – the customer viewpoint, from Hexagon. Thank you so much for joining us. I am your host, Brian. And today we’re going to be discussing the latest cybersecurity topics from the point of view of Hexagon’s clients.
Joining me today is Nick Cappi, Vice President of Portfolio Strategy and Enablement, Cyber, with Hexagon’s Asset Lifecycle Intelligence division.
Nick, thanks for joining me. Appreciate it.
NC: Thank you, Brian, for having me.
Well, let’s get to know you a little bit. So, tell us about yourself, tell us what you do, what do you nerd out on, all that good stuff.
NC: Sure. So, I’ll give you a bit of background. I joined a company called PAS in 1995 and in that role I—or started off as a control systems engineer. And so, my background over the years has basically been in heavy processing industry, specifically process control, distributed control systems, and managing those systems, whether that’s building and implementing them, whether that is doing good configuration management of those systems and documenting how they work—
NC: —or providing things like security on those systems. So, my heritage and my lineage all goes back to, basically, the heavy processing industries and really focusing on process control, specifically automation and control systems.
PAS was acquired about two and a half years ago by Hexagon—
NC: —and we became the first cybersecurity solution, specifically targeting OT, within the division or within the company.
NC: And so, my mission in life is to make those systems more secure, reduce risk in those systems and hopefully make everyone go home safe at the end of the night.
BK: Nice. That’s good.
So do you nerd out on the whole kind of stuff, you know, when you get into personal side as well—
BK: —as professional, of course. But are you always kind of just sitting there going, “What else can I do? What else can I do to secure this?”
NC: Yeah. So, I get really passionate about a few topics. One is the challenges I think face our customers make me most passionate, and those are typically knowing what they have in their environment. I know that sounds like a relatively easy task.
NC: Well…But it, yeah, it becomes hard when you do that at enterprise scale.
BK: Yeah, absolutely.
NC: Helping customers address vulnerabilities and weaknesses within these systems, helping them put good configuration management in place, helping them reduce risk in the most optimal way possible, whether that’s cost or resources. And also helping them prepare for disaster recovery and the inevitable that a breach is probably going to happen, and how they respond and recover those systems is going to be critical to their business success.
I love all of those topics. I get excited about those topics. And it’s interesting for me to have those conversations with customers, and whether my wife likes it or not, but she probably gets a few of those conversations too.
BK: Absolutely. Well, I imagine it does take a lot of listening and really understanding, like you said, what they’re dealing with in that moment, because I think it’s easy to assume, “Oh, they need this,” but without really paying attention to truly what they’re needing and understanding them from a specific point of view, too.
NC: I think any good consultant has got to listen, whether that’s a doctor or lawyer or in this case OT cybersecurity. We’ve got to listen to what the pain points of that customer are and try to help them address them.
Security in general is about risk mitigation, and how do I mitigate risk to an acceptable level, the most efficient way possible? And every customer’s got their own definition of what an acceptable level of risk is.
NC: And how we go about minimising that is going to vary from customer to customer. So, we have to be very consultative—listening and understanding not just what their pain points are, but what their environment is, and trying to figure out, how do I actually buy down or reduce risk in the most optimal way possible? Because budgets aren’t infinite—
NC: —and resources aren’t infinite—
Nc: —and so risk reduction is a big part of any security programme.
BK: Absolutely. I love it. Well, good. I’m glad you are excited and passionate about this because that makes it even better and that makes you at your job that much better, too.
Well, you know, we hear a lot about the need for a centralised asset inventory, but who uses this? Who uses this data? What do they use it for?
NC: Great. That goes back to my first pain point, right, is knowing what you have in your environment.
NC: And I think this is a really good question, and if we listen to Kristian, who’s the business information security officer at Slovnaft, a centralised asset inventory helps the daily lives of engineers, plant operations, security analysts, and contractors to work safely, efficiently, by identifying system changes in a single platform for all changes or all configuration in industrial control system data. Kristian gave a presentation at HxGN LIVE called “A Slovnaft storie: Slovnaft using PAS OT Integrity as a plant-wide inventory system.” This presentation covered Slovnaft’s specific use cases around a centralised asset inventory. And you may not know, but Slovnaft is an industry leader in this space—
NC: —and Kristian gave a great presentation covering different use cases that just about every customer could benefit and learn from, about how to properly use an inventory, how management of change is a key enabler of a good inventory system.
BK: Very nice. Very nice. So safe and efficient. Does that mean that there’s a safety angle to a centralised asset inventory?
NC: It’s interesting that you asked that question. Personally, I think that safety and operational technology security are tightly linked, and they’re often viewed and talked about as separate activities. So even though they’re linked, we don’t really talk about them as one thing. We talk about them as safety or security.
NC: It was interesting to hear Robert Pina, the global process control technology leader at DuPont, talk about this in his presentation. He did a presentation at Hexagon Live talking about how management of change is a key deliverable of a good, centralised asset management system or inventory system.
NC: Management of change is a key component of OSHA 1910, part 119, and OSHA 1910, part 119, is closely tied with process safety management, or PSM. PSM is a systematic way for industries to manage hazards associated with processes to reduce the frequency and severity of incidents. Again, I think that operational cybersecurity is tightly linked with safety, and it’s easy to draw a correlation between properly managing asset inventory and process safety.
Okay, so with all of this asset inventory data, there’s a ton of information, and a lot of people are consuming it. Potential safety, quality, efficiency, productivity impacts, all of that. Let’s talk about the visibility here. I’m assuming that the visibility, the alerting and the reporting, even—let’s go in all this—on this data is critical. I’m assuming it is. But talk about how this is going to work, specifically running it in an industrial facility, but, you know, you can talk about it in any other examples as well.
NC: Sure. As a technology vendor in this space, I think it’s easy to toot our own horn and talk about—
NC: —how great we are in this space. But it’s probably more impactful to hear it from an actual end user. And Jefferi, who is a principal engineer at Petronas, provided an update at HxGN LIVE called—or on his project, which is called the Prime Project. And the Prime Project is a centralised remote monitoring and advisory programme at Petronas. He covered how a centralised asset inventory is a key enabler or enabling his project to positively impact process safety at Petronas. The visualisation and the reporting of the data that comes from PAS OT integrity is a critical part of that programme.
And so, we have to be able to properly identify assets. We have to be able to properly identify weaknesses within those systems. We have to be able to make sure that as we’re addressing weaknesses, the gains that we achieve aren’t lost over time because we don’t have good configuration management or change management in place. We have to make sure that we’re optimising risk reduction. We have to make sure that should something bad happen, whether that’s from a cyber-attack or whether that’s an inadvertent change or a natural disaster, that we’re able to respond and recover these systems appropriately.
And so, the visibility of that data is critical to the organisation. The ability to report on new weaknesses that are identified or unauthorised or undocumented changes is critical. And like I said, given enough time, businesses must assume that a successful attack is going to happen—
NC: —and their ability to respond and recover these systems is going to be critical to their business success.
BK: Absolutely. Well, you mentioned some good things there.
What advice, even some really specific steps that we should take right now, what advice would you give?
NC: Great. I may go back and I’m going to view this as a journey, not a destination. I don’t think customers are prepared to execute on all of these things at one time, but I do think as they go and they mature, that there’s a pathway that leads them into a better place. And that pathway typically starts—I’m going to go back to my five challenges. It starts with knowing what you have in your environment. You can’t do a risk assessment, you can’t do a vulnerability assessment, you can’t plan for obsolescence of technology if you don’t know what’s running within your environment. So, it’s the basis, it’s the building block for any good security programme.
NC: Then once you get a handle on knowing what you have, the next logical step is you want to start fixing issues. And that typically is reducing weaknesses, vulnerability assessments. You find very disjointed patching processes. You find lack of good periodic backups. And so, there’s things that we need to do there.
The third step on that journey is once we start addressing weaknesses and fixing bad configuration and all these things that we can do is that we need to make sure we don’t revert back over time.
NC: And that goes with that good configuration management and putting that in place. And that, again, ties directly back to process safety.
Ultimately, we want to reduce risk, and how do I do that efficiently? is the goal of any security programme. So that’s a big topic for customers. How do I efficiently buy down risk?
And then you got to prepare for the worst—
NC: —and you got to make sure you’re resilient in situations. And resiliency and reliability sometimes get confused. Reliability is dealing with uptime.
NC: Resiliency is how you respond to a bad event.
NC: And we need to make sure these systems are resilient. And that typically comes with being able to do forensic analysis. Should you have a successful attack, being able to have a good trusted restore point to bring these systems back up online. And we get caught up in the word security, and I don’t want to undersell it, but there’s a lot of other things that happen bad in a plant or processing industry that aren’t cyber-attacks that have the same kind of consequences of a cyber-attack. An inadvertent change that can bring down the process, well, that’s the same consequence of a cyber-attack. A natural disaster, a hurricane hits a facility and then they find out that they don’t have good backups, well, that’s the same consequence. “I’ve lost my system, and I need to be able to bring it back up.” So, whether the consequence or the adversary is a natural disaster, or whether the adversary is an inadvertent change this guy made by mistake and didn’t realise the consequence, or someone bad coming in from the outside, the consequences of those events are very similar. And so, we need to be able to respond and recover and bring those systems back up online.
BK: That’s great. I really appreciate you sharing all that. It’s great advice and a lot of good information. And by the way, thank you for the specific examples as well, because always good to know what others are doing and how they’re handling it.
So, you know, I like it. I like the words you said, but I really appreciate you taking the time and it’s just, I don’t know, I keep coming back to that mitigation. Instead of looking at it as just security, it’s mitigating the threat, you know. I like that because, you know, you can’t get rid of it all. So, I like looking at it as, how do you reduce it? How do you always stay ahead of it? Are you prepared for it? That’s great. It’s good stuff.
NC: Appreciate it. Thank you very much.
BK: Yeah, thank you, Nick. Thanks for taking the time. Thanks for being on the show.
NC: Thank you very much, again.
BK: Nick Cappi, Vice President of Portfolio Strategy and Enablement, Cyber, with Hexagon’s Asset Lifecycle Intelligence division. Thank you very much for joining us. Really appreciate it.
And for more information you can head on over to hexagon.com. Thank you for listening. Have a great day.