HxGN Radio Podcast

Operational Technology (OT) cybersecurity – the vital next step in digitalisation (Part 3)

In this episode, together with Owen Rooney, Vice President of Sales, Hexagon Asset Lifecycle Intelligence, and Syed M. Belal, Director – OT Cybersecurity Consulting Services, Hexagon, we’re talking about the importance of choosing the right strategic cybersecurity program for the critical infrastructure. This podcast series is created in partnership with Petroleum Economist and also broadcasts on PE Live Broadcasts, and this conversation is moderated by Karolin Schaps, a regular contributor to Petroleum Economist.

BKD: Hello and welcome to the third episode of our “Operational Technology (OT) Cybersecurity – the vital next step in digitalization” podcast series on HxGN Radio. I’m Beth Keener-Dent.

In this episode, together with Owen Rooney, Vice President of Sales, Hexagon Asset Lifecycle Intelligence, and Syed M. Belal, Director – OT Cybersecurity Consulting Services, Hexagon, we’re talking about the importance of choosing the right strategic cybersecurity program for the critical infrastructure. This podcast series is created in partnership with Petroleum Economist and also broadcasts on PE Live Broadcasts, and this conversation is moderated by Karolin Schaps, a regular contributor to Petroleum Economist. Thank you for listening and we hope you enjoy.

KS: Hello and welcome to PE Live Podcast. My name is Karolin Schaps. I’m a regular contributor to Petroleum Economist, and it brings me great pleasure to present the final episode of this three-part podcast series titled, “Operational Technology (OT) cybersecurity – The vital next step in digitalisation,” brought to you in association with Hexagon. Today’s episode is titled, “The importance of choosing the right strategic cybersecurity programme for the critical infrastructure.”

Cybersecurity plays an important role in the field of operational technology. Securing critical infrastructure has become the biggest challenge in the present day. Whenever we think about OT/ICS cybersecurity, the first thing that comes to our mind is poisonous gas leaks affecting the environment and damaging people’s health and power cuts, which are increasing immensely day by day. Various governments and companies are taking many measures to prevent these OT/ICS incidents.

This podcast focuses on what should be the strategy to tackle the challenges faced by the critical infrastructure on a regular basis as new vulnerabilities and threats emerge. In this podcast, we’ll discuss why cyber risks are such a large threat to oil and gas companies, how to justify cybersecurity investments and why, and how to best protect critical infrastructure.

The first two episodes in this podcast series are available online now and to listen to on demand.

I’m pleased to be joined today by two members of the Hexagon team, Owen Rooney, vice president of sales, and Syed Belal, director of OT cybersecurity consulting services. Owen leads Hexagon’s OT cybersecurity team in Europe, and he has served a variety of technical and commercial roles with companies in the industrial control system market. With Hexagon’s acquisition of PAS OT cybersecurity, his focus is on helping oil and gas, chemical, and process industries and expanding their presence across the region.

Syed is the director of OT cybersecurity consulting services. Syed has more than 15 years of experience in industrial control systems and operational technology applications, with a focus on networking and cybersecurity. In his current role, he is responsible for the global strategy, growth and support of Hexagon’s OT cybersecurity business.

Hello to you both. Thank you very much for joining us today. Let’s jump straight into the questions.

First of all, I would like to know, why is it that cyber risks are such a large threat, particularly to oil and gas companies?

OR: Hey, good morning, Karolin, or good afternoon—wherever you are. This is Owen, here. Yeah, it’s an interesting question. I think really the top of people’s minds at the moment is, you know, if anything, the past nine months has taught us is, you know, how reliant we still are on oil and gas. And, you know, with the cost of living crisis across Europe, many people are now realising, hey, you know, you know, we’re still making significant investments in renewables. Many companies are making that transition. But still, unfortunately or fortunately, whatever way you want to look at it, we’re still very reliant on traditional fuels, oil and gas, etc. And I think when if you are a, you know, a nation state who wants to attack another nation state, quite often it’s not just in the field or, you know, and typical traditional methods of war. What we find out is many, many nation states are trying to attack critical infrastructure. And when you think about the financial and strategic value of assets that oil and gas companies have—should it be an offshore platform or should it be a refinery—makes them a very vulnerable target.

And then one other point we need to consider as well is the strategic value for countries. It’s not just a commercial asset. We, you know, many of the companies that we deal with, you know, they’re viewed by the internal governments as a strategic asset. So, we think of Germany being quite reliant on gas coming from Russia and obviously removing that dependency is a lot of work and they’re making good inroads to do that. But if you’re a nation state who’s attacking another nation state, quite often there’s people looking to, you know, attack those high value assets where we’re very reliant upon.

So, you know, oil and gas companies are also a very, you know, prime target when you think also about where they’re going from a technology perspective, when you think about the threat landscape is quite wide and broad. So, there’s lots of opportunities there, both from an I.T. and an OT perspective to make them, they’re quite vulnerable in many aspects.

So, there’s many reasons. You know, part of it’s financial, part of it is actual economic, and part of it is very much around political. Some of the political things that’s happening in Europe that maybe was not so predominant, you know, two, three years ago. And, you know, we see that coming through all the time with many of our clients being hypersensitive on some of those threats.

KS: Thanks, Owen. And I think it’s interesting to put it into an international context, you know, considering what’s going on at the moment. So, thank you for that answer.

Syed, turning to you, what do you think are the best arguments to justify cybersecurity investments? And actually, how do your clients know whether the investments that they’ve made into cybersecurity provide sufficient security for their critical assets?

SB: Thanks, Karolin. To answer that question, you know, well, it depends. It depends on the current maturity stage of the operational technology network. When our clients have put us to justify cybersecurity investment, the first thing that comes to my mind is actually assessments to identify their maturity indicator level. Now, maturity assessments identify the cyber safety controls that will add maximum value for them. It can be inventory management or vulnerability management for some clients, or it could be our training or building for some other clients.

The short answer is the maturity assessment will identify the best cybersecurity controls that will add maximum value for them and that will in fact justify their cybersecurity investment.

Now to know whether that investment provides sufficient security, it is recommended to conduct another maturity assessment after implementing the proposed cybersecurity controls and confirm if the maturity indicator level actually went high or not. Thank you.

KS: And Owen, back to you. The OT cyber sector is maturing very quickly. Things are moving very fast. What are the main practices that companies are adopting from your point of view?

OR: Hi, yeah. It’s interesting because we see a real, relatively speaking, from what, you know, two years ago was a really immature market. It’s pretty clear the market is maturing to the point where many oil and gas companies are, you know, have invested the money and the resource in developing a strategy and documenting and defining that strategy and ensuring that the OT cybersecurity strategy is something that is, you know, it’s embraced by all members of a should it be a refinery or an offshore platform. They understand the rules of engagement. They understand best practice. You know, the days of coming in with a USB key drive and plugging into your laptop, you know, they’ve all gone many years ago.

But essentially, you know, to my point, it’s a journey. So many of our many of the companies that we work with realise that there’s no silver bullet. There’s no silver bullet from a product perspective. There’s no real silver bullet from a persona perspective that, you know, you need a variety of people to help you, not just from a OT cybersecurity perspective, but also from an industrial control system perspective that, you know, your team understand the processes that are involved. They understand or at least have knowledge of the standards that you need to apply. And this is what we’re seeing in the marketplace.

And to my point that there’s no silver bullet from a product perspective or a solution perspective, they have to very often deploy a number of different types of solutions. You know, should it be a real time solution with a solution such as Hexagon, where it’s very much around, you know, backups, configuration management, inventory management. So, there’s a multitude of solutions that are required. And this has very much changed from where the market has been where many of our clients may have considered, “Hey, I’m going to buy. This one solution’s going to solve all my problems.” Many, you know, they all now realise that’s not best practice and it’s not to be relied upon, particularly when we think about, you know, the number of threats that are coming out at the moment.

You know, just recently this morning, I see that at Tata Steel, for example, you know, got hit with a significant ransomware incident. So, this is happening all the time. And, you know, the incidents that we are seeing and we’re hearing about in the press are, you know, very much a small number. It’s the iceberg situation where, you know, most of it’s under the water. And same thing with OT cybersecurity threats and incidences that many of them are actually going unreported for obvious reasons. But as I said, many of our customers are saying this is a journey and it’s a journey that never stops, essentially, because, you know, the bad boys are never stopping. They’re constantly developing new ideas and new ways to attack. And, you know, should that be an insider threat—it could be a worker or a cleaner or it could be somebody that’s getting access to the offices of a refinery, or it could be a nation state. But, you know, we are seeing a variety of different threats coming through with our customers.

KS: And Syed, turning back to you, typically, what are your clients’ most important assets and what do you recommend to them how they can best protect this critical infrastructure?

SB: Typically, the most important assets are the safety systems. Safety systems are considered the last line of defence. Our clients, such as critical infrastructures, want to run launch safely. However, after Triton, it was realised that even safety systems are not secure. Industrial standards such as IEC 62443 have a recommendation on how to protect safety systems.

Now, the critical assets may not be the same for all. There are plants or units that do not have or require safety systems. The criticality of the assets is calculated after considering the importance, for example, for how long you can run the plant with this particular asset offline. If you cannot run for more than 5 minutes, then that is a critical asset. And if you can run the plant for more than three days, then that is not so critical.

So, it is difficult to protect all the assets that apply same level of security to all the assets of critical infrastructure. So, to protect or cyber secure critical infrastructure, first they need to identify the critical assets and then they need to apply appropriate controls to protect them. Thank you.

KS: And Syed, how is it that critical infrastructure actually detects these cyber-attacks? How does it detect them?

SB: Well, there are different tools in the market, you know, that can detect an intrusion. But to me, the most effective way would be training the automation team. The automation team is a regular user of the operational technology or industrial control system network. They need to be trained to identify what is normal and what is not. Definitely, they need different tools for change management or log management, like Owen mentioned, that they can use to identify what got changed. However, proper training is also required so that they can use those tools during a cyber-attack and limit the attack at an early stage. Thank you.

KS: And in the case of a cyber incident, what should be the response and the recovery plan following that?

SB: To answer this question, you know, let me take it one step back. The critical infrastructures need to be prepared with a drafted incident response plan and procedures. The plan should include the contact details of the incident response team. It should also have the step-by-step procedures for restoring different types of assets that they implemented. As I mentioned before, the automation team needs to be trained to detect the incident at an early stage. Oftentimes during an incident, the team cannot find the incident response plan or procedure. A compressed version of the procedure can be printed and laminated like a reference card that can be used during an incident. And if the team requires detailed procedure, you know, some steps that they’re unsure about, they can refer to the detailed procedure again. That will definitely help them to limit the incident at an early stage. And detecting and controlling the incident at an early stage is very important because with time, as you know, the damage or cost of the incident will go high.

KS: And Owen, going back to you, could you please share some real-life examples of where clients have successfully implemented a solid cyber strategy and subsequently what benefits they reap from that?

OR: Sure. Obviously we will not mention the customers by name. But you know, we see many of our clients do a very much staged approach. So, crawl, walk, run of, you know, an OT cybersecurity strategy. You know, first of all, you know, document best practice, document what best practice means for you. Document how you’re going to apply the current standard. Should it be in this directive, for example, here in Europe? Or should there be another standard that you want to apply across your organisation? So being able to document that and having a delivery strategy around that is best practice.

Then, many of our customers will start, will get the foundational piece right. And that’s always best practice, we believe, because essentially you cannot, you know, you can’t protect what you can’t see. And, you know, many of our customers or many of the people we are engaged with quite often really have no idea what their inventory is. They don’t know what assets they have. They don’t know the type of assets; how many they are. So therefore, you’re not able to ascertain which vulnerabilities really apply to their organisation. And if you don’t know that, then you’re pretty open to a threat.

And what we see is many, many, many of the organisations that we work with now do understand that assets at level zero or level one are very much a, you know, an integral part of their business and they also need protected. So even if it’s not on a live network, it’s still open to abuse, should that be an insider threat, for example. And we see that moving forward, you know, in a—I should say—in a holistic way with the strategies that they develop and deliver. With some customers, you know, they’re realising that having an OT, having a correct OT cybersecurity strategy in place is actually good for business. Okay?

So, there’s many advantages to understanding what your inventory is, being able to, for example, if there is a configuration file that goes missing, being able to have that backup ready at hand to be able to get the system back up and play. You know, we’ve seen instances where maybe, for example, a disgruntled employee still has a laptop at home, still has passwords, still can get access to a system. We’ve seen best practice where we have seen that, where they’ve been able to access that system and be able to do some damage. So, we’ve seen best practice where a lot of those things are being clamped down on, but it’s still open for abuse.

But when you think about for the benefits to their business and benefits to the bottom line of having an OT cybersecurity strategy in play, you know, I think if things, for example, which is really important to the day to day operations of the assets and the businesses that we talk to, should it be a refinery, a chemical plant, an offshore platform. Many of our customers are able to ensure all the components remain supported by the vendors they deal with, being able to ensure the risks of their automation system. You know, it could be ageing and they could recognise actually there’s limited support for that automation system. Being able to ensure, you know, component failure rates are being monitored and captured to identify the most vulnerable parts of the system, should that be hardware, software. And also, really important to mitigate potential future difficulties and obtaining things like spare parts.

And one point that we didn’t touch on, it’s very much around process safety, being able to maintain a robust and reliable mission critical layer of control systems that delivers the required risk reduction from relative protective systems.

So, all in all, you know, the ability to mean that, you know, those security through updates and patches and reconfiguration of those files is really important and to ensure that many of those systems don’t become obsolete. I think those things are pretty vital and we see as best practice in the sector, where, you know, people who are developing and delivering best practice are also seeing real key benefits that are just outlined to their business and to their operations.

KS: And we’re nearly at the end of the podcast, so I think it’ll be interesting to hear what do you make of the future? Where do you both see the sector heading in the next five years?

OR: Yeah, that’s an interesting question. Well, you know, who knows? Obviously, if we’re talking about Europe from a European perspective, you know, there’s still lots of critical things at play for, you know, pretty obvious geopolitical reasons because there’s still a lot of dependency on Russian gas and oil. And obviously, we are weaning ourselves off that.

But I think one of the big things, the big things for many countries is security of supply. So, you know, we look at the UK, for example. You know, we’re looking at fracking. We’re looking at alternative markets. We’re shipping in a lot of gas from the U.S. And that all has implications for the consumer and also has massive implications for the industrial markets where they’re very much reliant on power and energy. And that has a big impact on where we see the market going in the next five years. There’s actually, you know, is it going to be a nation state threat still there? Is it going to be, you know, a resurge of insider threats? Is it going to be, you know, the threat landscape is getting much larger. Many of our customers are embracing digitisation. And when you get things more digital, it’s more prone to a threat and more prone to an incident.

So, we see the threat landscape and the whole digitisation of many of our clients increasing the possibility of being hacked or having a threat against them. So, we see the market increasing and many of our clients are investing in the right way. Some are investing quicker than others. But at the same time, you know, this has got board level attention. So, when a CISO, chief information security officers, have been asked tough questions at the board level. He can have the right answers. If he doesn’t have the right answers, well, he loses his job, obviously. But, you know, many of the boards are aware that having a threat or being attacked is not a good look, okay? So, there’s shareholders, there’s stakeholders within organisations that are very, very alert to these things happening. You know, we just think of the Colonial Pipeline incident. We think of Norsk Hydro. You know, all those things that are in the public domain. And Tata just this morning, Tata Steel.

So, over the next five years, yeah, it’s a good space to be in and it’s also a space that’s moving quite rapidly from a technical perspective. But again, to make my point that I made previously, many of the companies that we work with realise that they need to get the foundations right first.

KS: Thank you, Owen.

And Syed, would you like to give your point of view as well on where you think the market is heading in the next five years?

SB: Let me start saying that, you know, our Hexagon products are designed understanding the criticality of the industrial control systems. However, what I’m seeing now is the critical infrastructures are adapting more and more IT security techniques. The operation activity network, you know, I think we’ll have more IT tools such as 5G or zero trust network, etc.

Two things to consider there are the IT tools were not initially designed for the operational technology environment and they may need to be customised. Secondly, as we introduce these new technologies, the associated risk will be applied to the OT environment. Having IT techniques are good for user accessibility, but I want to end saying that the risk of implementing IT tools should always be calculated and like always said, you know, either avoided or minimised. Thank you.

KS: Well, thank you both very much. That was a very insightful session on the OT/ICS cybersecurity situation and where that’s going forwards.

Thank you all for downloading this episode. And don’t forget to subscribe to PE Live Podcasts to get notifications of our new series starting soon, as well as to listen to previous episodes on demand.