CS4CA USA Summit 2024: IT and OT security leaders share insights on cyberattack mitigation and recovery strategies
The 12th annual Cyber Security for Critical Assets (CS4CA) USA Summit began Tuesday in Houston, Texas bringing together IT and OT (operational technology) security leaders across different sectors of the U.S. critical infrastructure. Attendees can participate in two specialized streams tailored to their specific interests, and plenary sessions that facilitate collaboration between professionals from both IT and OT groups.
The opening panel at the CS4CA USA 2024 event shared insights on mitigating, responding to, and recovering from cyberattacks. Reflecting on the impact of the Colonial Pipeline incident, they discussed the lessons learned and implemented within their organizations. The panelists also exchanged mitigation strategies with their peers, detailed their recovery and restoration plans post-cyber attack, and highlighted their approaches to event reporting, log review, event analysis, and incident handling and response.
The panel was made of Joseph Couture, regional information security officer for Americas and CISO for United States at Ørsted was the moderator, while the panelists were Blake Gilson, industrial cybersecurity operations manager at ExxonMobil; Jeff Cornelius, EVP and SME for cyber-physical solutions at Darktrace; Dean Macris, CISO at Dispel; and Anthony Souza, VP and CISO at Corteva Agriscience.
Addressing the sort of changes made in the organization and what sort of changes expects the future to hold, especially about structures, Macris said he taught at the U.S. Coast Guard Academy. “I presented a project called Openbridge, which does NEMA 2000 analysis on canvas interfaces. So that’s like a maritime version of canvas and control of a rudder. Those systems on certain ships, certain types, are pretty trivial, and I think that it just highlights the need to. I’m kind of a build-the-clock-and-tell-the-time kind of guy. I just happen to have the title of CISO because I like breaking things. And, I think that’s kind of a salient thought I always have, is we need to consider everything that’s moving around us, right, as a system that is a potential target.”
“We oftentimes don’t put enough emphasis on the bridge between IT and OT and understanding where that risk resides,” Cornelius pointed out. “What’s the ultimate risk? It’s not some person failing to write a particular PC code. It’s the failure of a human in the process. So where does that human touch the most IT systems? We need to really begin to think. We’re not beginning already.”
He highlighted that “we need to think more diligently about how the human in the system affects that IT system that ultimately gets to that OT so that we build that resiliency for OT systems that are so critical to all of us.”
Going back a bit, Souza said that he “started working on OT inside critical infrastructure and utilities a little over ten years ago, and were early on in that effort around 2018, that started to pick up, and I started a new job. I also started getting a lot of calls from pure utilities, but then other large industrial global companies asking what we were doing about a program. So there’s a lot of interest, a lot of trying to figure things out.”
Souza added then “You throw in a Colonial. Out of Colonial comes new regulations. So now, you’ve got to try to balance this regulation with not just the federal government, but if you’re a global company, international regulations and regulations overseas, as well as just the myriad of reporting requirements, and they all have different thresholds. So you put all that together, it creates a very complex challenge.”
He added “When you get into that critical infrastructure and OT space, just having visibility into the systems, that’s where it starts. So what sometimes we refer to as no good, know what good looks like. And then from there, you can identify what bad looks like when it happens. And then from that comes your incident response.”
Gilson pointed out that “one of the big learnings from the Department of Home Security, the Transportation Security Administration surface team, was the amount of education that industry, through industry groups, interacted between companies and the group was education was to explain how the initial items of some of the SD ones and SD two could have damaged our focus to be able to achieve operational integrity. Those education sessions should have happened a long time before.”
Couture inquired about the direction of regulations and their suitability during the panel discussion. He noted the prevalence of public-private partnerships as a common theme at such conferences. Within the critical infrastructure industry, the question arises whether organizations advocate for more regulations or fewer regulations.
Macris said that he has “always worked in high compliance, kind of high assurance type environments from the DoD. So I think that at a high level, regulation is necessary to get the ball moving. I think that the idea that we’re going to motivate every organization to align in a certain manner is probably not feasible.”
“So I think public-private partnerships are a step,” according to Macris. “That being said, I think all the rules are out there, right?”
“Recent events have shown the need for more, public-private partnerships and collaboration across diverse industry verticals to obtain collective success,” Gilson noted. “By sharing insights, learnings, and leading strategies, we collectively fortify our defenses and ensure a resilient operational process. This need for collaboration goes beyond organizational boundaries, fostering an exchange of knowledge, education, and innovation to obtain both public and private sector goals. Every group has something to share that can add value to the community at large.”
“Regulation in and of itself is a significant challenge. But regulation for regulation’s sake, I’m going to dig my own grave in my job here,” according to Cornelius. “Regulation for regulation’s sake is not valuable. You have to put parameters around it. You have to put practice and protocol around it. I’m also very fortunate to be advising the DoD CIO’s office for Zero Trust. And, one of the challenges zero trust brings to a marketplace like this is.”
He added “Zero trust means totally different things, right? For me, zero trust is my dogs can’t go out that door unless I open the door. That’s zero trust. I do not trust. They’re not going to go chase a squirrel, right? But that’s not functional for the real world. That’s not functional for a business, that level of zero trust. So you have to apply that to each of your businesses. And that’s one of the challenges with regulation coming from the federal government. We can’t have EOs all day, executive orders all day long.”
Related
