During his nearly two decades operating in the industrial cybersecurity space, Dr. Christopher Beggs has seen a number of changes in Operational Technology (OT) environments. Since the dawn of the 21st century, the frequency of cyber attacks on OT environments has increased drastically, and buy-in around cybersecurity efforts has increased as well.
“I think the threat is growing and the buy-in is a lot different,” says Beggs. “It’s becoming easier for businesses to secure budget for cybersecurity projects. Especially at the director level, they’re more aware that this is a problem that’s not going anywhere. The threat has been increasing over the last 20 years and people are realizing cybersecurity should be a part of business as usual.”
However, despite this increase in buy-in, Beggs says organizations often spend their cybersecurity resources on the wrong things. He says organizations focus on efforts like security testing, gap assessments, and cybersecurity products, but lack the foundation necessary to effectively secure their OT environments.
“What I’ve found in dealing with customers across water, power, oil and gas, and manufacturing industries is that they typically spend their money on tactical solutions…but 99 percent of the time they’re spending money on the wrong activities considering where they are in the lifecycle of their cybersecurity program,” Beggs says. “They don’t really have an OT security methodology to provide the best value.”
In 2010, Beggs founded SIS Industrial Cyber Security to address this issue. The company uses bespoke methodologies that are systematic and specific to OT. Their services cover the full threat lifecycle of industrial cybersecurity, from assessment to incident response.
“End users often think they know what they’re doing, but their methodology isn’t refined enough,” Beggs says. “When you’re trying to do things in-house you often don’t have the necessary level of experience. Our team has a proven demonstrated capability.”
According to Beggs, organizations “don’t know what they don’t know,” which can leave them vulnerable and expose them to risk. SIS has a proven methodology that ensures industry standards are applied properly and that organizations understand the unique threats to their specific environments.
“When you get down to the nitty-gritty of achieving compliance or actually understanding the application of these standards, organizations often don’t have the experience necessary to apply them,” Beggs says.
Most cybersecurity standards are broken down into three pillars: people, process, and technology. Beggs says people are often the overlooked ingredient in securing OT environments. To better secure the organization, the corporate IT side and the operations OT side of the business need to work together. To do this successfully, they often need someone to help them collaborate effectively.
“We provide a conduit between the different groups,” Beggs says. “It gets everyone on board with the approach, methodology, and strategy that the organization should be following to provide the best value. Instead of going off and doing things in isolation, having a facilitated process where all the different groups are following the target model, creates the best value. There’s only a handful of companies that are focused in this area at a dedicated level.”
SIS offers support throughout the three stages of what it calls the ‘Threat Neutralization Lifecycle’, from assessment to incident response.
During the “assess and define” phase, SIS helps organizations assess critical systems, processes, and procedures to identify vulnerabilities and gaps when benchmarked against industry standards, for risk mitigation. Its services include site survey and asset inventorying, technical vulnerability assessment and security testing that includes red-teaming, threat and risk assessment, and maturity assessments.
“This phase is really about understanding the business requirements of the organization,” Beggs says. “It’s about understanding the types of systems they have, the asset inventory through site survey and building test plans to assess the environment in a controlled way. We look at technical issues, operational issues and management issues. That allows you to identify weaknesses and vulnerabilities within the infrastructure to get you into a position to create a roadmap to move forward.”
In the “design and implement” phase, SIS uses a proven methodology to design secure architectures for plants, and to install and configure security products and technologies. This process involves establishing cybersecurity requirement specifications, designing security architecture, designing infrastructure layouts and security platforms, designing implementation plans and transition-state architectures, and installing and configuring security products and technologies.
“This is where we find most organizations lack the capability,” Beggs says. “During this phase, we start to integrate standards to build a security architecture model. It’s about building a target model that can be applied across different sites. We use detailed risk analysis to build security services that are delivered to systems according to their risk level.”
During the “operate and maintain” phase, SIS helps organizations define the operational requirements necessary to maintain key security services such as security monitoring, patch management, change management, and backup and recovery procedures. This includes cyber forensics, device robustness testing and assurance, and audit and compliance assessments.
“Once you’ve set up your target, you’ve selected products and technologies, how are you going to support and manage that?” Beggs says. “You’re going to be putting in different tools and technologies that need to be operated and maintained effectively. This is the management layer of the architecture that provides support for the tools that have been selected for implementation.”
SIS has worked with a number of organizations in the power, oil and gas, transport, water, health, and mining industries to safeguard key plant, critical infrastructure and control systems. Its experience includes enabling a U.K. power company to determine compliance with the EU NIS Directive, which requires operators of essential services to take appropriate security measures and to notify serious cyber incidents to the relevant national authority.
“We used the NIS to benchmark where their sites were against that standard and then built a roadmap of risk mitigation strategies from that,” Beggs says.
SIS also recommends organizations have a fully dedicated OT Security Operations Center that can protect complex industrial networks from the growing threat of cyber attack. SIS offers a 100 percent dedicated OT SOC that delivers managed OT security with real-time monitoring, analytics and reporting.
“Having an OT SOC means you’re focused and dedicated to that environment,” Beggs says. “If you go with a broader enterprise SOC, you’re looking at a corporate-based approach. The value proposition of an OT SOC is you’re looking at a focused team that are qualified, industrial led, and looking at the lower levels of the environment.”
Beggs says OT-specific expertise is essential due to the unique nature of OT environments.
“In OT environments, the equipment is fairly bespoke and really the insider threat is more likely than an external threat,” Beggs says. “People inside the plant itself who have access to the facility are typically a key avenue for how threats would materialize within the OT environment. With the equipment that’s being used it can lead to safety incidents more so than in a corporate environment.”
For this reason, in addition to its consultancy and managed services, SIS offers training for owners, operators or stakeholders of ICS/SCADA critical infrastructure, engineers charged with designing ICS/SCADA architectures, developers and project managers working on control system designs, and ICT professionals seeking to understand ICS/SCADA cybersecurity. SIS also offers its own industrial cybersecurity certification.