Leveraging ICS Cybersecurity Services

Posted by Joe Perino on Mon, Sep 20, 2021

Last April, we wrote about the market twists and turns in the dynamic cybersecurity software market and the challenges and barriers to progress. More recently, we published an M&A update that noted the acquisition of PAS Global by Hexagon AB. Recent conversations with end-users, cyber-software, and automation vendors have highlighted the importance of not just the software but of the associated set of services so vital to implementing and maintaining cyber protection. This raised the question of the best way for most end-users to approach this, get the right help, and bridge the cyber gap between IT and OT. The answer is less a technical discussion than it is about strategy, standards, policies and procedures, and partnering services.

Key issues

There are a number of issues facing end-users in deciding how to deal with cybersecurity:

  1. As we noted in our April blog, cybersecurity is gaining attention. However, at most firms, it still hasn’t been elevated to the level of other risk management strategies that normally demand the CFO’s and senior management's attention. This has started to change with the ransomware incidents at Colonial Pipeline and JBS. Colonial got the money back, but JBS paid $11M and got a lot of negative publicity. Cyber-attack prevention, mitigation, and recovery must be part of business continuity plans and actions. Traditional unsystematic risk management approaches used in asset management or finance are insufficient for managing cybersecurity.

  2. IT typically owns the responsibility for cybersecurity, and OT relies on them for direction, but the goals, priorities, and languages differ. Here are a few examples:
    1. IT focuses on privacy, data, and IP protection, while OT holds asset safety, reliability, and security sacred.
    2. IT doesn’t like downtime but can tolerate some. OT does not want any downtime…keep production and the supply chain going and revenue-generating.
    3. IT is seen as a cost center, while OT sees itself closely associated with Operations. In defense of IT, they are often pressured to cut costs, when in fact, companies may be underspending on IT. The real question is where their focus and associated spending should go. More to come on this in future blogs.
    4. IT speaks SOAR and SIEM, terms mostly foreign to OT who is used to operating on the other side of the air gap.
    5. With its multiple and varied data types, speeds, and specialized protocols, the OT world is an unexplored jungle for many in IT. Yes, common technologies like Ethernet are used by both, but not always in the same way.
    6. IT tends to have a better inventory of everything it owns, while OT often does not.
    7. And, metrics of the two groups are not well-aligned.
  3. The new OT Ecosystem means lots of IT in OT...and new digital technologies from Cloud, Edge, and on-premise to wireless sensors and communications to drones and cobots. Architecting this ecosystem means both IT and OT must work together to secure this evolving environment.
    IT and OT working together
  4. Standards like NIST, IEC 61511, and 62443, along with IEC 27001/2, set the foundation but are not enough. Education, awareness, policies, procedures, and audits must be specific to the operating companies' situations. Industry organizations like ISA (of which I am a Life Member) and specialized cybersecurity consultants can help greatly with this effort.

For example, see the excellent article by Exida’s Patrick O’Brien in the August 2021 issue of Chemical Engineering Progress.

  1. The support challenge...who responds, when, and how? When Operations calls at 3 a.m. on Saturday with a control system problem, they need OT to help ASAP and sometimes on-site, not a ticket filer on the other side of the planet who will schedule someone else’s help. Unfortunately, most IT services firms lack the OT know-how to do much more than report the problem. Operations and OT need skilled and responsive 24/7 support. The, “I’ll get to it on Monday,” response doesn’t cut it.

We are sure the reader could add to this list.

So, what do we do about it? What’s the right way to bring IT and OT together to support Operations? And, who should be your partners?

Alternatives

Cybersecurity scope

First, the good news is that LNS Research increasingly sees IT and OT cooperation on a number of fronts and, in particular, Industrial Transformation (IX) programs. IX Leaders tend to have converged organizations, including IT and OT, to help co-architect the foundations for scalable solutions, with cybersecurity being an integral part of the scope. In addition, OT is learning more and more IT and vice-versa, and cybersecurity is now becoming part of the routine HAZOP process.

Nevertheless, this still leaves open the question of how to support plants and supply chain operations across a wide geographic footprint and range of simple to complex operations and associated systems.

There are five main choices:

  1. Internal company resources
  2. IT services firms
  3. System Integrators (SIs)
  4. Independent cybersecurity firms
  5. Automation companies

Let us clarify that the large IT services firms do system integration, but we are talking about SI services at the OT level, ISA 95 levels 1 to 3. Also, I am not counting cybersecurity software vendors here because they primarily want to sell software and no more services than necessary to guarantee uptake.

Colonial-Pipeline-CEO---Quote-box

Corporate IT resources are always limited and, thus, likely focused on supporting the back-office applications, the corporate network, business continuity operations, and managing major IT vendors relationships, including outsourced services and cybersecurity software selection. OT resources are even thinner as IT services have been used to handle problem resolution, plus retirements of senior personnel intimately familiar with the locations, equipment, and technologies. The Colonial Pipeline case is a good example. CEO Joseph Blount is quoted as saying, “workers who know how to manually operate the Colonial Pipeline and other infrastructure have mostly retired or died.

IT services firms are natural partners to help corporate IT with the aforementioned tasks but struggle to support real-time OT systems. They typically lack the depth of skills to do so, the local presence, if needed, and find it difficult to make a business of OT support. Some have made moves to acquire OT services, but in general, independent SIs are reluctant to be acquired by IT services firms. For example, more than one LNS Research client has told us that they cannot find services firms that can span IT, OT, and understand manufacturing and supply chain operations.

The vast majority of system integrators in North America and Europe are small companies with less than 100 employees. Generally, they pursue project work and not 24/7 support services. There are exceptions, of course. A few have large footprints, including international offices, which could fit the bill. They have added cybersecurity to their portfolio of skills and, thus, are a viable option.

Another alternative is to use an independent cybersecurity firm that specializes in managing OT systems. These firms might fit the bill for companies with smaller footprints and have the advantage of true neutrality. They typically have roots in the system integrator space so they, too, understand the OT world. Their limitation may be that they may not have the OT wherewithal and reach to serve large companies with significant geographic footprints. True, much of the work can be done remotely, but on-site capabilities are always an advantage. Nevertheless, this option is worth consideration.

The best alternative, particularly for global companies, are those firms already in the 24/7 OT support business - the automation companies. The major suppliers: ABB, Emerson, Honeywell, Rockwell, Schneider, Siemens, and Yokogawa have all made significant investments in being able to support the new OT Ecosystem, as a result of client demand as well as the move to Edge and Cloud with their products and services, including cybersecurity. These firms have either acquired cyber software companies or partnered with a leading ICS cyber supplier, such as Claroty, Nozomi, Dragos, ThreatConnect, and many others. For example, LNS Research has long relationships with all seven companies and has done specific cybersecurity work for Honeywell and Schneider Electric. Together, they bring their ecosystem of partners for various functions, for example, CISCO, for networking. In addition, to working with a client’s specific suppliers, say Splunk.

New OT Ecosystem updatedFigure 1 - The New OT Ecosystem

The other advantage is that some can support a Level 2 multi-vendor environment because they acquired SIs who still work with competitors’ systems. Such is the case for Rockwell Automation® who acquired Maverick, and Emerson, who acquired The Automation Group (TAG). With their increased IT capabilities paired with deep OT and industry domain knowledge, they are well prepared to take the 3 a.m. call. Perhaps the only area they may lack fluency in at present is being able to support the wide variety of the wrap & extend IIoT solutions now being proffered in the market. But then again, who can?

Recommendations

For owners and operators, it pays to look at cybersecurity through the same managed service lens that you already use for sourcing help at both the IT and OT levels, be it networking, Cloud, and desktop support at the corporate level or automation, maintenance, and engineering at the plant level. Avoid trying to grow the corporate IT organization into OT, instead, take a managed team approach by partnering with those organizations that can best serve manufacturing’s needs. The right partners can relieve a lot of 3 a.m. headaches.

Second, automation vendors and SIs are learning the IT environment. Why? Because they have to deliver the new OT Ecosystem. IT is not expected to learn how to cyber-protect PLCs, but OT knows PLCs inside and out and, thus, has trained IT personnel in OT environments for exactly that reason. When you absolutely have to, you do.

Check-List-161-x-210px-1

Third, recognize who your internal client is and align your metrics accordingly. Keep score the right way. Most IT metrics like process compliance, percentage of revenues, and SLAs are internally focused on IT, not OT or Operations. A mere 1% increase in production or a 1% decrease in downtime is likely worth far more than a 20% savings in IT spend. Spending on cybersecurity is no exception and is probably underfunded across both IT and OT.

For cybersecurity services providers, you must have value propositions for both IT and OT. You can make a powerful argument to partner with IT and OT to deliver a more secure business. But don’t rely on OT to sell you to IT. You must engage IT on their territory and check off all of their criteria. Yes, again, you will run into DIY as nearly all vendors do, so show how you compliment IT, not compete with them.

One additional challenge that the automation service providers will face is that they have built partnerships with the leading OT cyber vendors but they also rely heavily on their big IT partnerships – Microsoft, Cisco, HPE, etc. – and both Microsoft and CISCO have bought competitive OT cyber software vendors, that may not have had commercial success but did have the technology. So, this is a channel conflict that will have to be managed.

In summary, addressing cybersecurity is a critical part of risk management, and hence, achieving sustainability. It cannot be left as a contention point between IT and OT that is not properly and fully addressed. Choosing the right partners can go a long way to ensuring the safety and continuity of the business.

Note: For more information on cybersecurity from ISA, please follow these links:

EHS 4.0 Innovate Operational Risk Management with Digital Technologies


All entries in this Industrial Transformation blog represent the opinions of the authors based on their industry experience and their view of the information collected using the methods described in our Research Integrity. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

Categories: Risk Management, Information Technology, Industrial Internet of Things (IIoT), Industrial Transformation / Digital Transformation, IT/OT, cybersecurity