At the most recent ARC Industry Forum in Orlando this past February, I had the pleasure of interviewing Eddie Habibi, Founder and CEO of PAS. You can see the video here at our YouTube Channel. We had a chance to discuss a wide range of topics, from the convergence of cybersecurity and safety to the importance of having a good backup and response plan in case of a cyber-attack. PAS has grown to be one of the leading OT-level cybersecurity management suppliers, as outlined in this ARC report. The company’s Cyber Integrity solution was developed to help industrial companies overcome major obstacles to effective maintenance of control system cybersecurity. Features include automation of critical activities, like asset inventory and vulnerability management, automatic detection of endpoint changes, and risk analytics for situational awareness and program management.
Safety and Cybersecurity: Consequences of an Event Can be Similar
Alarm management is directly related to process safety, which puts PAS in a unique position as an independent supplier to address both realms holistically. According to Mr. Habibi, “If you look at the consequences of a safety event or a cybersecurity event, they're very much similar. The end result of a cyber-attack, when successful, is very similar to when a safety incident occurs. Damage to equipment, loss of production, and consequently possibly catastrophic events that can damage the business. Cybersecurity risk is another risk that management has to worry about….and it needs to be taken very seriously.”
On the Importance of Building Accurate ICS Asset Inventory
“In the world of cybersecurity, building and maintaining a complete and accurate ICS asset inventory is a challenge. Many end users do not know what they have installed in terms of ICS assets. What is unique about the PAS approach to providing inventory visibility? One of the reasons people come to us for getting control over the inventory of their assets is that we take a totally different approach from the traditional approach that some of the other companies take to identifying the inventory of their assets, and that is we take a back-end, OT-centric approach to collecting backup files and system databases to create that inventory.”
“Why is that important? The reason that's important is that you must have a hundred percent of your asset inventory. You have to know what you have, otherwise you can't manage it, you can't protect it. It makes no sense to say ‘I have an inventory, but oh well it's 90 percent or 95 percent.’ It needs to be a hundred percent, and our approach is the only approach that can deliver that kind of result.”
“The other approach that the rest of the marketplace seems to take is a network monitoring approach, whether it's passive or active listening to the wire, or pinging the devices on the level 2 network and trying to understand what devices exist there. Well, you're not going to pick up all the devices at level 0, level 1, level 2, if you take that approach.”
What are the Three Most Important OT Cyber Security Considerations that Asset Owners Must Consider in the Coming Year?
“…inventory is very foundational. You can't run a cybersecurity program without having a complete inventory of your OT assets. That is absolutely a given that needs to be the focal point of solving the cybersecurity problem for the OT environment. The area that we are seeing a lot of traction with our clients coming to us and asking for that kind of solution is the management of the configuration of these.”
“One of the realizations for folks, especially people coming from the IT side, is that there's a distinct difference between breaches of the IT systems and that of the OT. When somebody attacks an OT system, their intention is to move molecules, not just move digital bits….to cause harm, to close a valve that's not supposed to be closed, to stop a pump that's not supposed to stop, and where they go to impart that attack is the configuration of these control systems, and unless you are managing a baseline of these configurations as well as managing change on the configurations, you can't protect these systems. You can't detect these problems and you can't protect them.”
“Another advantage of having a deep understanding of the configuration of these systems is being able to run forensics as to where the configuration was altered so you can reverse it, so the third part of this is backup and recovery. So, in our view, the three most important things in addressing OT cybersecurity are an inventory, a complete inventory, not 99%, a hundred percent inventory of the assets. Understanding the configuration of the system and managing change on these systems, and thirdly having a backup and being able to recover from an inadvertent mistake or an attack.”
On the Importance of a Recovery Plan
“We have to assume eventually there will be an attack. We have to assume that eventually, we lose the system. You have to have the ability to come back.”
“We run into a lot of people that don't really have a recovery plan. That's not something that usually comes into people's minds as they're building a cybersecurity strategy is how do we recover if something happens.”