CISOs Take on OT Security Threats to Critical InfrastructureRockwell Automation's Mark Cristiano on Why New Reporting Requirements Are Vexing
Responsibility for industrial operations and the many OT devices that run them used to fall on the shoulders of plant managers. CISOs now understand and appreciate the complexity of protecting the OT environment and how it differs from the IT attack surface.
IT and security leaders increasingly want to get their arms around operational technology-specific threats affecting both critical infrastructure and industries such as food and beverage and transportation, said Mark Cristiano, commercial director for Rockwell Automation's global cyber services business. Rockwell Automation, one of the largest makers of IoT devices used in critical infrastructure environments, is the only supplier that can help clients across the entire security life cycle - from risk assessments and asset identification on the front end to technology deployment and ongoing managed services after a purchase is made, he said.
Cristiano said he hears many more informed questions from IT leaders around OT security these days, and he evangelizes about the need for better security controls. The company stepped up from RSA Conference attendee in 2022 to exhibitor in 2023 with a booth on the show floor dedicated to industrial defense and IIoT (see: Debunking the Myth: Securing OT Is Possible).
"The volume and the quality of the discussions that we had with customers was really, really encouraging," Cristiano told Information Security Media Group. "What was really appealing was our ability to meet them where they were at - regardless of industry and regardless of where they are at from a cyber maturity perspective."
How to Avoid Confusion Around Reporting Requirements
Cristiano said public sector organizations struggle to understand what's needed from them to satisfy a proliferating set of regulations around industrial cybersecurity. As the government disseminates security directives, he said, Rockwell Automation works with public sector agencies on reporting requirements as well as the countermeasures they need to deploy.
Rockwell Automation has worked with customers as well as the U.S. Cybersecurity and Infrastructure Security Agency to address the ambiguity around new reporting requirements and determine exactly what companies need to demonstrate to prove compliance. Cristiano said there's an opportunity for regulators to get a little more granular around what firms should report to demonstrate compliance.
"We actually had a great conversation with CISA at the booth at RSA to try to give them feedback in terms of what we're hearing from some of these industrial customers about what it really takes to be able to report confidently on their compliance against some of these regulations," Cristiano said.
At the municipal level, many areas of critical infrastructure such as wastewater have assets dispersed across an entire city, he added. That broad attack surface can make deploying countermeasures more challenging. Although the public thinks about water and electricity when it hears the words "critical infrastructure," the space includes everything from life sciences to food and beverage, Cristiano said.
A Road Map to Securing Industrial Organizations
Businesses too often take years to get mobilized since the process of attempting to formulate the perfect cybersecurity program ends up paralyzing them, Cristiano said. To combat paralysis by analysis, he urged industrial organizations beginning their cybersecurity journey to focus on asset identification since deploying effective countermeasures requires visibility across the entire attack surface (see: Rising Industrial Attacks Require Suppliers With OT Smarts).
From there, organizations should get a quantifiable risk profile of their assets as well as a holistic risk assessment that examines the company's policies, procedures and governance structure, Cristiano advised. An effective analysis of a business's organizational structure creates realistic expectations around its capacity to support a multiyear cyber program, according to Cristiano.
On the back end, Rockwell Automation's incident response retainer not only helps clients dig out after a security incident via its partnership with Dragos but also delivers proactive services for the duration of the contract focused on improving the customer's cyber hygiene. Proactive services bundled with the retainer include tabletop exercises, pen testing and vulnerability and risk assessments, he said.
"You have to plan that you're going to be attacked," Cristiano said. "I know that's somewhat of a sobering statement, but you have to have a disaster recovery plan. And that starts with a robust incident response plan."
Going forward, Cristiano said, Rockwell Automation plans to aggressively ingest multiple additional data sources into its OT SOC managed services to augment the skills gap in areas such as threat detection. The company also intends to use tools and partnerships to help companies quantify their business risk so that customers can make a sound business case associated with launching a multiyear cyber program.
"We're really leaning into our OT SOC managed services," Cristiano said.