
December 20, 2024 27 mins
Cybersecurity is a constant game of iteration, adaptation and innovation. Don’t let your system get left behind—stay on top of what’s new, and remember the bad actors are learning just like you. 

Shelby Skrhak speaks with Luis Palacio, Director, OT Channels at Fortinet, about:
  • The definition of operational technology (OT)
  • Insights from Fortinet’s annual OT report
  • Best practices for addressing key concerns across cybersecurity

To join the discussion, follow us on X @IngramMicroUSA #B2BTechTalk

Listen to this episode and more like it by subscribing to B2B Tech Talk on Spotify, Apple Podcasts or Spreaker.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:08):
You're listening to B to B Tech Talk with Ingram Micro,
a place to learn about how to grow your business
and stay ahead of technological advances before they become mainstream.
This episode is sponsored by Ingram Micro's Xvantage, the next
Level way to transform your business's potential and reshape how
customers see you through advanced transactional data.

Speaker 2 (00:26):
Let's get into it.

Speaker 3 (00:30):
Welcome to B to B Tech Talk with Ingram Micro.
I'm your host, Shelby Skrhak, and our guest today is
Luis Palacio, director of OT Channels for Fortinet.

Speaker 2 (00:39):
Luis, welcome, well, thank you, thank you for having me
appreciate it.

Speaker 3 (00:42):
Well, Before we dive into our chat today, we want
to tell listeners a little bit about what Fortinet does.

Speaker 2 (00:49):
Yeah. Fortinet is a global cybersecurity leader headquartered in the
US, Sunnyvale, California. We provide secure networking, unified SASE and
security operations as part of a little more than fifty
solutions that we call the security fabric. My area of
focus is the OT Security Platform, which is an extension

(01:11):
of the fabric built around you know, same core solutions,
but really purpose built for OT right operational technology. So
the twenty plus solutions in the OT security platform. They
work seamlessly within the security fabric which enables IT and
OT convergence and vendor consolidation.

Speaker 3 (01:32):
So in quickly, I want to make sure we understand
so OT and IT what's that difference there? Really quick?

Speaker 2 (01:39):
So when you look at networks and how data works
within the organization IT, think of that as as your
networks and all your sort of legacy computing power on
the carpeted side of the enterprise. Okay, it's going to
be like your sales and intellectual property and your HR
records and all that kind of stuff. OT operational technology

(02:04):
is the networks on your critical infrastructure systems or the
quote unquote cement floor side of the enterprise. So in manufacturing,
for example, it would be the plants plant floor, right,
oil rigs, water waste water stations, you know, pumps, valves, fans,

(02:26):
that kind of stuff. So it's the systems that power
those critical infrastructure systems that is the OT side.

Speaker 3 (02:32):
Got it? And so how are OT and IT converging? Then?
I guess let's talk about what the challenges are between
the IT and industrial control side of the business.

Speaker 2 (02:44):
I guess, right, So you know, traditionally IT and and
the way and the way security kind of you've evolved, right,
cybersecurity evolved around the IT side over time was where
you had as IT networks sort of grew in technology proliferated,
it did so on the IT side, but not really

(03:05):
in the same way on the OT side. So in
OT you had things were not really connected outside to
the Internet. They were typically what they call air gapped,
so they were networks sort of within and unto themselves,
and they had their own technology maturity process. They went
from these sort of individual machines that then became networked

(03:27):
sort of unto themselves, not really connected outside of the network,
So there was an inherent security built into it. But
now through digital transformation programs, what's happening is you're now
getting data that's not only really converging from IT to
OT going back and forth. Okay, But as digital transformation

(03:47):
is occurring on the OT side, you are now seeing
efficiency being driven by leveraging modern technology which means connecting
to the outside world okay, and leveraging technology which means
what your attack surface is growing exactly right, So on
the surface, you know, many of these best practices the

(04:08):
security best practices are going to be the same. But
there's a lot of cultural differences between IT and OT, okay,
And that's really where it's it's different. Okay. So for example,
in IT availability requirement and in real time requirement, we accept delays,
we take things down to patch and fix and so

(04:28):
forth in IT. In OT, that doesn't happen because it's
all about productivity, it's all about uptime. Things don't shut down,
and if they do, it's maybe once a year for
a short period of time, and it's scheduled well well
in advance okay, component lifetime. We're always upgrading systems every
three to five years in IT, right, that's pretty common.

(04:50):
In OT, that doesn't happen. You know, you have you
have systems, you know powering, you know a lot of
these PLCs which are the computers, and you know those
are the things that actually drive like the pumps and
the valves and the fans and so forth. But those
systems they could be there for twenty plus years, right,
which means what? Really old OSes. Yes. Patching application rarely

(05:10):
happens on the OT side. It's scheduled on the IT side, right,
security awareness it's increasing on the OT side. But that's
been something that you know, we've been in the game.
That's how we've all made a living last twenty five years.
But the single biggest thing I'd say is the design authority,
right the IT department. They are in charge of their
design and what products and solutions are going to happen

(05:33):
or go in on the IT side, whereas on the
OT side, the folks that run those networks, they don't
do that. It's the OEMs and the integrators that do that.
Because on the OT side, the folks that run the networks,
they're all they care about two things, like I said,
uptime and safety. Really safety first, so that in terms

(05:54):
of what though in OT? Well, so take for example, processes
on the OT side. Okay, you can't just simply block
things and stop processes, and sometimes things have an orderly
shut down, and if you don't shut them down in order,
you could create potentially a disastrous and dangerous situation.

Speaker 3 (06:14):
Got it.

Speaker 2 (06:15):
Okay, if you go to a typical manufacturing plant, you
know you will likely see or at a construction site
or things like that, you'll generally see a sign and
it'll say, you know, like safety first. There hasn't been
and then a rolling daily number accident in X days. Right,

(06:36):
So it's safety and uptime are really central components, two
processes on the OT side where you don't necessarily see
that on the IT side.

Speaker 3 (06:48):
That makes sense.

Speaker 2 (06:49):
That makes sense.

Speaker 3 (06:50):
Well, let's talk then about the state of cybersecurity. I
mean that's top of mind for everybody. So what is
the state of cybersecurity and in OT and operational technology
right now?

Speaker 2 (07:03):
Right? So you know, it's a real tug of war
at the moment, I would say it's in it's mostly
in its infancy, right, It's not nearly as far along
as it is on the IT side, and I think
most people will realize that and understand that. And to
give you an idea, right, Fortinet produces an annual report
on this very topic, okay, and it's very comprehensive. Among

(07:25):
its respondents, we have over five hundred and fifty respondents
from companies all over the world. And these are fairly
sizable companies, right. The requirement has to be at least
a thousand employees or more, and these are all customers
of ours. It's from around twenty different countries and then
the actual market, right, so we get a nice cross
response from manufacturing, oil and gas, transportation, life sciences, water, waste, water,

(07:50):
among others. Right, So we got a wide sample and
we noticed in this year's report, which came out late summer,
we noticed three trends that from this report. One, intrusions
and their impact on organizations have worsened over the past year. Two,
responsibility for OT cybersecurity is elevating within the executive leadership ranks. Right,

(08:13):
that's a good thing. And then three, OT security postures
are maturing in key areas, right, but it remains a
work in progress. So to break that down a little bit,
nearly one third of respondents reported six or more intrusions
into their OT network. That was compared with eleven percent

(08:34):
last year. Huh, okay, that's up twenty percent. Two thirds
reported three or more, okay. And what kind of stood
out was organizations that have advanced maturity levels reported higher
intrusions for this cycle. Right, So what is that saying.
It's saying that, yes, people are improving their security posture,

(09:00):
but the bad actors are also upping their game, right, Right,
That's kind of what makes it, you know, a bit
of a tug of war. So the intrusion types, so
all intrusion types have increased. Right, with an exception, we
did see a decline in malware, but that was still
reported by fifty six percent of respondents. So over half
reported having a malware intrusion. So what's kind of dominating

(09:24):
the landscape there? Phishing and business email intrusions were the
most common type, and phishing emails jumped from forty nine
to seventy six percent among respondents year over year to.

Speaker 3 (09:36):
Seventy six percent of respondents had a phishing attack some
type of that was successful or just that was attempted.

Speaker 2 (09:44):
Well, that was at least attempted. That that let's just
say that was caught and noticed, got it right? Okay,
So basically intrusions are getting worse across the board, and
it's really impacting in all categories. And so what does
this effect have on organizations? Right? We well, about half
of our respondents, fifty two percent, they saw a steep

(10:05):
increase in degradation of brand awareness. And now that that
fifty two percent is up from thirty four percent in
twenty three, Right, what.

Speaker 3 (10:13):
Do you mean by a degradation of brand awareness?

Speaker 2 (10:17):
Then their reputation took a hit, got it? It's basically
what that means. Yeah, and then of course you have
loss of business critical data and productivity right because something stops,
production goes down. So that was another notable trend, up
from thirty four to forty three percent year over year,
so not huge, but not moving in the right direction.

(10:39):
Now there is good news, right. This year's survey also
showed that there have been increases at both ends of
the security maturity spectrum. Okay, so if you look at
the basic level, right, people that are sort of just
getting into the game, they've they've you know, established simple
sort of proactive passive security measures like establishing visibility on

(11:03):
their networks and then simply segmenting their network or even
segmenting it from OT. That would be the basic level.
That's up people you know, participating in doing that. Then
of course you have at the highest level of maturity
leveraging orchestration and automation capabilities. That's also up right, So
awareness is really getting attention and we're moving in the

(11:26):
right direction. There's one more thing I'd like to say
about that. And then a clear sign of increasing maturity
also comes from a steady growth that have rolled out
OT security underneath a C-level officer, so a CISO. Now,
in twenty twenty two that was only ten percent of
respondents had that. Then in seventeen this year it's twenty

(11:47):
seven percent of respondents said that they have now implemented
OT security at the C level all right, so that's
up seventeen percent two years. That's good. That means they're
driving awareness at the highest level. So the bottom line
is progress has been made over the last twelve months
in in security posture and investment in tools and capabilities,

(12:08):
but there's more work to.

Speaker 3 (12:10):
Be done, definitely, and that does that seems like a
real tug of war there, So what then can be
done moving forward?

Speaker 2 (12:21):
So you know, every company or entity or group or whatever,
they move and mature their security posture differently, so it's
a question of you know where either where do you
start if you haven't started, or where are you and
where do you keep up and go. The key thing
to note is OT risk is proportional to OT connectivity, Right,

(12:48):
so how connected, whether it's by number of let's say
and manufacturing number of plants, or really the level of
connectivity you have within any particular plant, it's basically the
size of your attack surface. So risk is proportional to connectivity,
and so the customer needs to establish where they are

(13:09):
currently on the security journey, right, then they need to
have a risk and assessment of sorry, a risk assessment
and management plan, and then there are very basic steps
that can be able quickly to make you know, make
that difference. So what does the security journey look like? Well,
you've got to figure out where you are. Are you
in phase one kind of an awareness Are you aware

(13:31):
that you is this something that you are taking seriously
or not because a lot of people aren't. And then
phase two would be something like asset discovery and mapping
out your network topology. Do you know what's on your network?
Usually that leads to when they do that, whoa, we've
got unmanaged devices connected everywhere. Yeah, you know, my network isn't segmented.

(13:53):
There's open ports everywhere. Oh my gosh, Windows XP security.
So about four percent of organizations are there. And then
of course you move into that next phase, which is
like a firefighting phase, right, so that's where you you know,
you use basic things segmentation and sort of simple passive

(14:13):
what do I need to do to kind of band
aid this immediately? And then that usually leads to a
decision point, right, is that good enough? Is your risk tolerance?
Have you met the threshold of your risk tolerance? And
then if you make a decision to move forward, that
will go to five and six, which is integration and
optimization of more advanced security measures. So that's what the

(14:33):
journey looks like, okay, and then once you understand where
you are on that journey, then you have to create
a roadmap with a step by step approach. And so
what does that look like? I broke it out really
in four steps. One a strategy review, So that's where
you would have leadership interviews, in stakeholder alignment. What is

(14:54):
your current risk approach? What is your current cybersecurity strategy?
Do you understand the stakeholder needs? Are your IT folks
and your OT folks? Are they collaborating? And who owns what? Okay?
So you've got to create an alignment around a single
vision for a cybersecurity framework. Then you need to identify
the opportunity. Probably visit plants or sites, whatever locations are,

(15:17):
conduct assessments, come up with a standards review, right, do
a vulnerability assessment and asset inventory. That's your visibility piece, right,
and then you need to determine which areas across the
attack surface are your primary focus. Then you need to
establish a business case and cost estimates. Okay, And I

(15:37):
mean that's pretty simple, right, I mean it's at least
conceptually plan costs and resourcing requirements, determine financial stakeholder approval
cycles and requirements, et cetera, et cetera. Then the last
bit is develop a roadmap. Okay, and that should include
working with cybersecurity experts and consultants. Right. It could be

(15:58):
Fortinet, it could be an integrator, be you know,
really whoever. But there you need to align organizational stakeholder
on outcomes. You need to sequence projects or facilities that
meet the investment requirement, and then plan for your CAPEX
and OPEX over multi year stages. This isn't like, hey,
I've got a security problem, I'm going to go fix it.

(16:19):
This is a constant assessment fine tuning what's changing, what's new,
what's going on outside of my environment that's going to
impact inside? What am I doing inside that's going to
impact that capability? Right, So the bottom line is securing
critical infrastructure. It's a waited, long term process based on

(16:41):
a prioritization of risk and tolerance.

Speaker 3 (16:45):
Okay, So the roadmap then you said, you know, strategy review,
you know, talking to leadership and figuring out what, you know,
what that cybersecurity strategy looks like right now, to identify
the opportunity. That's site visits and assessments, your vulnerability assessment.

(17:05):
You said three was established business case and cost estimates,
and then four is develop develop that roadmap with experts
because this isn't this doesn't seem like a very easily.
This seems complicated, and it seems like, you know, there's
a lot of permutations here.

Speaker 2 (17:22):
So yeah, So I mean basically you can go around
in circles pretty easily if you don't have somebody that's
done this many times. And and you know, because it
is so this market, the industrial control systems market is
so early in the cybersecurity game okay, that there's a

(17:46):
lot of analysis by paralysis going on. People don't know
where to start, and that's why having experts and consultants
from the outside coming in and helping not only to
determine where you are, but what direction you know you
want to go based on again, what your risk tolerance is. Okay,

(18:09):
So I mean, certainly I wouldn't go at this alone.
And you know, the good news is a lot of
these organizations they already have these expertise on the IT side.
But typically the IT folks and the OT folks they
don't collaborate and they don't talk, and when they do,
they usually argue a lot. I mean, I tell you
from first hand experience. I mean, I'm in the cybersecurity business,

(18:29):
but I have been in the quote unquote marriage consulting
business as well. You know, when you get two sides
kind of saying no, you can't possibly do that, what
you have to do this? Now, you can't. Typically when
you get an expert in the room and you start
to break it down, they each side knows that they
need to take a closer look at the other. They

(18:50):
just don't always know how to do it. So to
have that more person, yeah, you know, walk them through it,
you know, the marriage counselor.

Speaker 3 (18:57):
Right right, right exactly? That's fun true.

Speaker 2 (19:01):
Yeah.

Speaker 3 (19:02):
Well so okay, so then when looking at the industry
industry as a whole, I mean, what what are those
I guess we're starting to look big picture, but you know,
what are those primary industry concerns?

Speaker 2 (19:12):
Then yeah, okay, so yeah, let's let's just you know,
back this up and if you're going to you know,
get a roadmap and and kind of address this what
is it that you're what is it that you're addressing
that people are seeing? Well, we're seeing really five key
concerns and I mentioned two of them already, and that
that is what I call ground zero. This is the
starting you know, the basic starting point, and that is

(19:35):
concern is limited visibility to applications, users and devices on
the network. Oftentimes OT network directors didn't even know what's
on their networks. Okay, So there's there's that that visibility.
And then once you have that visibility, flat network architectures
without separation or controls between it and OT. Okay, that's

(20:00):
a key concern. But then also within OT okay, are
you segmented within your OT network? Because your OT network
it's broken into three zones, right, so you have an
enterprise zone, a sort of management process zone, and then
a control area zone. Okay, and that's starting to go
down a totally different rabbit hole around the Purdue model.

(20:23):
We're not really going to go there, suffice suffice to say,
there are simple segmentation recommendations based on how those networks
are laid out, that could inherently drive security by simply
blocking off and only allowing that data and those people

(20:45):
who need to be in those areas. Okay, right now
it's a wide open parking lot, free for all, So
we need to kind of close that up. So that's
that addresses the flat network architecture concern. Then you start
moving into finding legacy and often unpatched equipment. The industrial

(21:06):
control networks are littered with Windows XP. We see Windows
NT believe it or not, still okay, and so then
it becomes well, why don't you just kind of patch
it up? And whoa wha, whoa, whoa whoa. We're now
going back to the cultural differences here. A lot of
these systems to patch. What does that mean? Generally it

(21:26):
means you need to reboot. They don't reboot, okay, But
there are techniques things like virtual patching, for example, and
there are measures that can be taken to shore up
security around old and unpatched equipment. The bottom line is
you want to stave off attacks and potentially ransomware, for example,

(21:47):
so endpoint protection that that is a concern, and then
the other two network optimization, So the increasing cost of
running MPLS across geographically dispersed sites just to connect to
all these places up. I mean, nobody's really taking a
look at that. In years. They got it all connect
up in an old school methodology on old school technology,

(22:10):
and so there's really you know, little software-defined
networking for example. So optimizing your network. We find that
when when you're looking at digital transformation programs, Actually, much
to my surprise, a couple of years ago, I saw
a lot of customers saying, hey, if we're going to
go do this, then we probably should optimize our network

(22:31):
a little better. Because what they're really thinking is latency.
Right if I'm adding new capabilities and I have latency
and then things start to kind of slow down or
stop again, now you're back to that productivity issue. There
is an awareness and frankly more often than I had
thought at network optimization. And then the fifth and this

(22:51):
is the big one, this is this is the most
in demand thing we're seeing right now. I was at
a big industry conference three weeks ago out California, and
two thirds, over three day period, two thirds of the
conversations I had was about secure remote access. It's hot
right now. So what does that mean. Well, again, you

(23:12):
used to have these systems that were you know, kind
of air gapped and you know, cornered off, but now
largely through digital transformation programs. Okay, and so for example, what, well,
there's there's a lot of cloud capability coming in now
and offloading requirements to systems, if not within that particular network,

(23:35):
perhaps elsewhere within the enterprise. Okay, So you're now seeing
a need to access from the outside into those industrial
networks that you didn't see before. And frankly, the pandemic,
you know, the COVID nineteen pandemic, kind of hastened that
and drove it along as well. So that's a big
deal right now. And those are the five things that

(23:56):
we're seeing in terms of industry concern.

Speaker 3 (23:59):
Yeah. Well, so as we do start to wrap up
our episode, I guess you know what message then would
you leave our listeners?

Speaker 2 (24:09):
Well, I know it sounds a little cliche, but cybersecurity
is a journey, not a destination, and that really is
very true in this regard, So keep keep that in mind.
It's about recognizing, fine tuning, it's about adapting. Okay, when
you make a change, and the report that I talked
about that we're seeing that as people are adopting these

(24:33):
good and better and best practices, the bad actors are
adapting too. So remember that it's something that's always ongoing.
If you haven't identified and assessed your critical systems yet,
now is the time. If you haven't segmented your network yet,
now is the time. Also, restricting and monitoring outbound communication

(24:56):
is an important addition to segmentation, so you need to
be think thinking about that as well. You know, Bob
down on the plant floor as he's pushing the lever
forward in the nuclear power plant, you know, might not
be able to access Facebook at lunch. And that's actually
a poor example because that's probably not happening in those plants.
You know, let's say it's a food manufacturing plant anyway.

(25:20):
But if you haven't deployed a backup strategy for your
critical assets, find a good cybersecurity consultant and begin securing
your critical assets as soon as possible, okay, because that's
going to if and when, and generally it's a matter
of when not if you get breached. You want to
be way ahead of that potential calamity. Okay, And having

(25:42):
a good backup strategy is part of that. And the
last thing I'd like to add is our cybersecurity report
that is accessible to the public. You can go to
Fortinet dot com, Fortinet, F O R T I
N E T dot com and then you can search
for state of Operational Technology in cybersecurity and you'll be

(26:07):
able to access that report and take a look at it.
Highly recommend it. It's absolutely fantastic, excellent.

Speaker 3 (26:14):
Well, Luis, I appreciate your time and your insight today.
Thank you so much for joining me.

Speaker 2 (26:19):
Well, thank you, and I really appreciate you having me
and we love to talk OT and security, so again,
thank you very much.

Speaker 3 (26:27):
Excellent and thank you listeners for tuning in subscribing to
B to B Tech Talk with Ingram Micro. If you
haven't subscribed already, be sure to do so and don't
forget that you can find all of these episodes on
the Ingram Micro Xvantage platform. Until next time, I'm Shelby Skrhak.

Speaker 1 (26:43):
You've been listening to B to B Tech Talk by
Ingram Micro. This episode was sponsored by Ingram Micro Xvantage.
B to B Tech Talk is a joint production between
Sweetfish Media and Ingram Micro. To listen to this episode
and many others, Visit ingrammicro dot com