Security professionals talk regulation downsides, digital transformation at CS4CA USA summit

Cyber Security for Critical Assets kicked off its virtual Industrial Cyber Security Summit USA. As part of the two-day event, virtual attendees heard from senior security professionals from the country’s oil and gas, energy, chemical, utilities, and other critical industries.

Among the summit’s events was a live panel discussion with security experts in the energy industry. During the event, panelists discussed how energy organizations can adapt their cybersecurity models for the digital era. They also tackled the role of government regulation in driving digital transformation.

“I don’t really see legislation driving a lot of things,” said Kent Knudsen, Supervisor of Information Security at Plains All American Pipeline. “It tends to hamper more than anything.”

As more and more countries adopt regulations to better secure energy organizations undergoing digital transformations, security professionals are left to juggle new and constantly shifting requirements. The panelists said this can hinder innovation.

“I think regulation should be used for providing a baseline,” said Apurva Mohan, Global IoT Security Manager at Schlumberger, an oil and gas company. “It is important to have some baseline control, but on the other hand if you do excessive regulation it doesn’t help because it creates a compliance mindset. When people are just trying to comply with the bare minimum of what a regulation is asking, it hampers innovation…And as we know compliance and security are not equal. You can be secure but noncompliant and you can be compliant but not secure.”

In addition to regulation, the panelists also discussed other challenges facing digital transformation in energy organizations.

“When you’re looking at digital transformation in the energy industry, like anything else, it’s a people, process and technology thing,” Mohan said. “People starts with not only getting your board and executive leadership teams to sponsor these initiatives but also involving the people who are involved in these processes and trying to create a consensus so you can drive these efforts.”

The panelists said that since many in operational technology environments have a negative attitude toward digital transformation, it’s important to proceed with caution in order to establish trust.

“A lot of people think digital transformation is all technology and certainly technology is a key component but you also have to think about the people and I think that’s the part that gets overlooked,” said Knudsen. “When you come into a shop and you start talking about digital transformation people start to get nervous.”

Knudsen said it’s important to introduce digital transformation as an opportunity to automate lower-level tasks within an organization in order to give workers more time for higher-level tasks. The panelists agreed that in order to minimize fear around digital transformation, workers need to understand the value of these initiatives.

“You really have to be very collaborative not only with the business side of the house, but you also have to get the people on the sites on board and make sure they understand what the security controls that you’re bringing in are and how they’re going to make their lives better, not how it’s going to make it more difficult,” said Paul Brager, Director, Global OT Security Programs at Baker Hughes.

“This is a marathon, not a sprint,” Brager continued. “You’re transforming environments that have operated a certain way for a really long time. You have to take those people into account and make sure they are very clear on what you’re trying to accomplish. You can do small things to help them gather confidence that you are there to help them, not to harm them or make their lives more difficult. If you can do that, you’ll have a lot more success pushing whatever digital transformation initiative your organization has.”

Another challenge of digital transformation in industrial environments is that these initiatives cannot cause downtime for critical infrastructure.

“We’re having to basically build these security constructs under these organizations as they’re operating,” Brager said. “Because of that, we have to be very selective around the controls and understand the environment well enough to be able to adopt controls that actually affect the overall security posture.”

The panel was moderated by Ted Gutierrez, Co-Founder & CEO at SecurityGate.io, an operational technology risk management company.
