Many industrial companies are considering converging their IT and OT cybersecurity programs to address security gaps, optimize use of limited cybersecurity resources, and enable secure deployment of digital transformation programs. At the same time, they recognize that convergence can be challenging given the differences in culture, goals, and environments.
ARC Advisory Group devoted two sessions to this important issue at the 2019 ARC Industry Forum in Orlando, Florida. In this, the second part of this two-part report, we discuss the presentations given on the second day of the Forum by three CISOs who lead convergence pro-grams.
These three presentations illustrate the universality of industrial cyber-security challenges and the general applicability of IT/OT cybersecurity convergence. Whether a company produces specialty chemicals, electrical equipment, or bathroom fixtures it has to deal with diverse security program requirements, resource constraints, and cultural differences between IT, OT, and operations groups. The way these companies are overcoming these hurdles can provide guidance for others that want to build effective integrated IT/OT cybersecurity programs.
The Evolution of Rockwell Automation’s IT/OT Cybersecurity Strategy
Dawn Cappelli, VP Global Security and CISO of Rockwell Automation, is responsible for protecting Rockwell Automation and its ecosystem of customers, suppliers, distributors, and partners from the ever-changing global threat landscape. Her team, Global and Information Security (G&IS), serves as thought leaders and a center of excellence for global, integrated cyber and physical security. The team develops and executes a series of strategic security frameworks in partnership with Information Technology, the Product Security Office, and a network of business and function liaisons from across the company. Her presentation described the company’s journey from various disparate IT and OT cybersecurity programs to its “Connected Enterprise Security Strategy.”
Ms. Cappelli’s journey began in 2016. The prior CISO had already established an extended security team with business and functional liaisons and a partnership with IT. They also had three foundational pro-grams in place that included secure development environment, insider risk program, and third-party risk program. The G&IS team built on this foundation to establish risk-based strategies for information and manufacturing security using the NIST Cybersecurity Framework as the basis for both programs. This enabled common terminology and metrics for managing security across the organization. Collaborative work-shops were held with plant managers and OT cybersecurity teams to develop a manufacturing security strategy based on the framework’s principles.
While these strategies supported IT/OT convergence, major cyber incidents in 2017–2018, like NotPetya, Wannacry, and Trisis made it clear that this was not enough. These attacks did not involve Rockwell Automation products, but they exploited automation company systems and services as attack vectors. Protecting customers from such attacks is vitally important to Rockwell Automation and led to the development of the company’s expanded Connected Enterprise Security Strategy that spans all of aspects of its business.
While the company still manages internal security with the NIST Cyber-security Framework, it recognized the need for different standards for products and interactions with customers and third parties. The additional standards include ISA/IEC 62443 and ISO 27001.
Ms. Cappelli closed her presentation by highlighting the importance of involving operations, engineering, and business leaders when evaluating cyber risks and prioritizing security investments. Top management can’t ignore recommendations that are mutually endorsed across the company. She also offered advice to others involved in IT/OT convergence: A holistic strategy is essential for securing your IT/OT ecosystem; a standards/risk-based approach is best; and, cross-functional teams need to build the strategy together.
Spinning Securely at Versum Materials
Tammy Klotz, Information Security Director for Versum Materials, is responsible for the company’s entire cybersecurity program including Information Risk Management, Plant Cyber Security, and IT Security, Risk & Compliance. Versum Materials, which produces special materials for the electronics and semiconductor industries, is a spinoff of Air Products & Chemicals. Conditions of the spinoff meant that Ms. Klotz’s team only had twelve months to set up a complete IT/OT cyber-security program or be forced into a costly extension of its transition services agreement with Air Products & Chemicals. Her presentation highlighted the key factors underlying their success.
Build Strong IT/OT Partnerships for IT/OT Cybersecurity Convergence
C-Level Executive Sponsorship is critical. At Versum the program was co-sponsored by the CIO and COO. This ensured shared goals and objectives, shared responsibility for outcomes, and constant awareness of the criticality of plant operations and the business impact of an outage. This partnership philosophy was also reflected in the project team which included resources from corporate IT, corporate OT, and site process control engineering.
Extensive face time between corporate and plant personnel reinforced partnership perspectives. As building trust was crucial, IT people made visits to every facility in the corporation. Listening and learning was encouraged to ensure that everyone had a good understanding of each product, process, and system.
Know What You Have and Want
A key step in the transition was to ensure that every cyber system was identified and equipped with appropriate security measures. A physical inventory was made at each site and a standard tool kit used to drive development of specific, detailed migration task lists. Decisions were based on design principles and standards defined by the team. This included common OT cybersecurity recommendations like segregation of OT networks from corporate networks; least privilege access controls at a site and process level; no unnecessary cross-zone, cross-site communications; and no access to the internet from OT networks.
Conduct ICS Risk Assessment
Engineering, in cooperation with Security and Safety organizations per-formed risk assessments at every site. Risk elements included: product hazard; location and community; lost revenue; PC operating systems and hardware; and, control system software and hardware. This result-ed in product and location risk scores.
Enable Informed Decision-making and Prioritization
Risk assessment results were used to prioritize remediation activities. Prioritization was essential since everyone accepted that “We can’t do it all.” Independent risk assessments allowed business leaders to deter-mine the level of risk they were willing to accept. This also helped ensure that new capital projects included the cyber-resiliency requirements.
Make Security Synonymous with Safety
Like at most other companies, safety is the #1 priority at Versum Materials and the team worked hard to raise security to the same level. The team focused on the fact that safety and security controls need to work together to mitigate risk and minimize the business impact of any incident. Security has now become a part of the corporate safety program and is recognized in training curriculum.
Keep It Real
Sustaining the security program is considered equally important. The company is addressing this through bi-weekly IT-OT-ICS team meetings that review current issues, new demands, and changes to applications. Versum also instituted a cyber management of change program that forces consideration of security in all changes to ICS systems. These requests may be initiated by IT, OT or plant personnel, but approval is required by all three parties. Annual refresh of risk assessments, access control privileges, ongoing communications with plant operators and site visits are other parts of their strategy to maintain relationships.
ARC Advisory Group clients can view the complete report at ARC Client Portal
If you would like to buy this report or obtain information about how to become a client, please Contact Us
Keywords: Information Technology, Operational Technology, Cybersecurity, IT-OT Convergence, CISO, ARC Industry Forum, ARC Advisory Group.