What’s Next? A Decision Support Tool for Industrial Security | Episode 121

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Welcome everyone to the industrial security podcast. My name’s Nate Nelson I’m here with Andrew Ginter the vice president of industrial security at waterfall security solutions. He’s going to introduce the subject and guest to our show today Andrew has gone.

Andrew Ginter
I’m very well, thank you. Our guest today is Jørgen Hartik. He is the CEO and strategic advisor at SecuriOT in Denmark and he’s going to be talking about deciding what to do next. This is a a next step decision support tool that SecuriOT is is working on for industrial security.

Nathaniel Nelson
All right? then let’s get right into it

Hello Jørgen, and welcome to the podcast. Before we get started, can you say a few words about yourself for our listeners and about the good work that you’re doing at SecuriOT?

Jørgen Hartig
Sure, Andrew, and thank you for having me on. So my name is Jørgen Hartig. I am a managing director in SecureiOT and strategic advisor and we have been working with the production companies and utility services for now six years. We have been helping them making risk assessments on their OT cybersecurity security is a pure play OT security company.  We are originated in Denmark, but covering the Nordic part of Europe and also having global companies as our customers in, for instance, European countries and the US.

Andrew Ginter
So thanks for that. And our topic is risk and decisions. It’s when I, you know, you mentioned that that security does risk assessments routinely. You know, when I look at sort of generic risk assessments, most of you know 50 or 75 or 150 page report, most of it seems to be a long list of assets and whether they’ve been patched. And you know when the Last time the password was changed. Is this you know? Is it what? Is this what we need in in risk assessment? So you know what? What is the need over and above you know the the asset inventory?

Jørgen Hartig
So. So what we believe in is, I mean, cybersecurity is not just a technical, discipline. You need to to add the additional procedural parts in your way of securing your OT environment. So like, what is the criticality of? Yeah. At an asset in the production line should be the core consideration that you have, but. The things around procedures for backup about your spare parts stock about incident response plans and in a patching procedure, whether the components are a part of that. That’s normally not a part of an asset inventory database. Normally you’re just having a focus on the devices, but you haven’t really put in the aspect around. How critical is this device. So if you have an offline printer that is in the the database, but you haven’t really said well, should we have another? The printer to do the the the the labels for whatever the medicine or can we live without it for a period of time and that should be a part of the decision making for the factory manager saying where do we actually need to put in our money? Depending on the criticality of the device.

Andrew Ginter
OK, so you know we understand how we need to understand how important each asset is. If the printer goes down, do we have to stop the production line because we can’t label the goods anymore? Once you sort of understand importance, what’s what’s the next step? What are you using this information for?

Jørgen Hartig
So so the methodology that we have made is basically to trying to to calculate a risk score, so the risk score is based on the importance or the criticality of the device versus the part that we actually have versus the things that we actually have done for either protecting it or being able to recover, respond or or or detect and actually attack against the device. So we have looked into the cyber security framework with the the four phases with the protectors, protect respond, recover. So like protect we would log into the technical protection of the printer or the PLC or the the HMI. It could be, is it put in in a different different network segment segment or do we have remote access capabilities with would be a negative thing to have on a device? Or we will also ask into the process around this. We’re also on the on the detection side, we would look into, do we actually monitor the the device or the network for incidents that could occur or do we have a respond plan? Do we have incidence response plan for this? Do we know the ownership of the component or do we have SLA on the spare parts saying well we have one on stock or we can call a vendor and they would be here within 4 hours with a new printer for instance. Finally, we look into the recovery part about, for instance, backup frequencies. Do we have ever tested the the, the the backup or do where do the the backup resides? So depending on how you’re answering the questions around these things, we would calculate the risk score and that Which goal would Be and and kind of a equation between the criticality and the different things you’ve done around the asset.

Nathaniel Nelson
Andrew I can’t recall exactly when or who but I feel like we’ve talked about at least 1 or 2 risk tools on this show in the past. What’s different with the one we’re talking about here.

Andrew Ginter
Well what I see different here is sort of a deeper deeper dive into availability. Um, you know. Jan mentioned it a bit and you know he’s going to touch on it again later in the interview he talked about spare parts. He talked about are backups available. He said do we have agreements with the vendors to replace components within within a handful of hours if they fail. Um. You know we’re talking about availability. We’re talking about keeping production lines up. We’re talking about keeping the lights on in power plants. You know we’re talking about addressing risks to production and this is what a lot of engineering teams in a lot of sites focus on um, you know they? yeah they sort of have they figure they have safety under control. And what they’re thinking about top of mind day in day out is availability is reliability is keeping you know production going in the face of you know, routine equipment failures and and occasional errors and emissions and and this kind of stuff and so you know to me this seems to be a way to engage. Those teams in cybersecurity by pointing out that you know cyber security risks are relevant to availability and if you can build up sort of a big picture of risks to availability of risks to reliability. And position cybersecurity in there. You know down the road. It’s going to be easier to take the next step about saying well what other cyber risks are there how could they reach out of the reliability realm I don’t know into your safety realm or your equipment damage realm. But you know, given the the focus of a lot of businesses on reliability.

Andrew Ginter
It makes sense to to me to to build that focus into a cyber risk tool and you know deliver in a sense. You know a couple of benefits benefits for Cybersecurity. Yes, And. you know benefits in terms of increased confidence and increased insight into the reliability of our production processes. So so criticality is important, you know, does the production line have to stop if the printer malfunctions? Because we can’t, you know, label the product anymore? But you know. You’re gathering. You know what? Once we understand criticality, you know. What else is there? How do we use that?

Jørgen Hartig
So our methodology is looking into different aspects of how to, evaluate the risk of the asset. So we are relying on or looking into the cybersecurity framework with the three different phases. It is the protect, detect, respond and recover phases. So when we’re looking on one component, we are looking about the protection part says. Thing do we have the technical protection in in in place like Firewalling, antivirus, network segmentation? But we will also look into the the more soft part so to say the procedures around and saying well, do we actually have a patch and vulnerability process around these devices? Are the detection side we would look into saying. Do we actually monitor what we discover an attack against the printer or the sorter? Or the HDMI? Or the PLC? Where does the alarms go? Who do we have a lock for this on the respond part? We would look into the more soft part saying well we need an incident response. Plan is that is this component a part of that? do we actually have the ownership on on the component? Do we have SLA? about the about the the the replacement of the device? Is it end of life end of support these issues and on these components? And on the recover side, we would say, well, what about backups, do we do backups, do we do the, do we do a test of the backup and where is it located? Actually if we need it, can we get it and we’re using all these information to. Kind of. Put it into a a algorithm or yeah algorithm. Where we where we. Calculate a risk score. So by doing the risk score calculation, we can actually go in and say well, these components have a high the most negative risk score and thereby we should start this make decision making about. Getting these risk goals on an acceptable level.

Andrew Ginter
OK, so that. That kind of makes sense in the abstract, but you know, I understand you do this all the time. You have a. Tool you know, in your world when you’re doing a risk assessment when you’re putting all of this information together, where does the data come from? Do you, do you press a button and it appears somehow magically? Do you, you know, do you enter the data manually? What you know where, where, how do you, how do you do this?

Jørgen Hartig
We use when we go out making these assessments. We do see a lot of spreadsheets going on, so people are putting in, acid information in different spreadsheets and having that as a. As as a as their asset management inventory list. So that is that is. We in the tool we are enabling the the import of these spreadsheets. It could also be that we have a structured asset management platform that we can, that we can import information from. We also see seeing from some customers that where we’ve done this, the assessment that they don’t have any idea about what is out there. So what we see is also going out, making a an active scan where we’re using like Nozomi to do a smart polling run. Where we are getting information back from PLCS, HMIS and scaling switches and things like that. So we are building up the the the asset database from that play. So it’s different ways that we can import into to our tool and then starting up a a base of of assets. The other side is that that we might when we go out, we do. manual registration of OG devices. So we do go out and having the tool it’s it’s able it is it can. It is enabled on a on a on a iPad where you actually can go out and and and register devices that might not be connected. So you can’t see it on the scan. But it also can be new devices that have not been, been been registered yet in the original database? Uhm, so we do have different ways of getting information into the into the into the application.

Andrew Ginter
So that makes sense. You know, it sounds like you’re importing stuff. There’s some, you know, some manual data entry. Can I ask you know, how often does this data set change, I mean, and how do you, in a sense, how do you track those changes if if the business implements an incident response plan, that’s not something that you can scan the devices and discover that suddenly there is an incident response plan for these devices where they didn’t used to be, you know, how how often does this change and and how do you keep track of it?

Jørgen Hartig
So, so the the idea with the tool is that it’s not just an at risk assessment tool that you’re doing once a year or once every quarter. This should be a continuous work where the operator of the production line are registering changes. So or it could be on a on a more global scale. Let’s say that they have done a an initial risk assessment and figuring out. But well on the backup part, we don’t have any backups. It’s it’s clear when we walk through the the 300 Ogg components on the factory floor that we don’t have a backup. So we going out through the decision making off the report saying well we need to buy a backup solution and when that backup solution has been implemented. Basically, you’re going into the tool and making a bulk update saying, well, all the devices on production line five, they are now a part of backups, so you can make a a bulk update saying well now we have this production line enabled on backups, automatic backups, and thereby you can see that your your maturity and your your security level would be better due to the fact that your risk score would be better because you have entered that. Now we have a backup solution implemented on the factory floor. So that that’s the idea about this, that this is not just a one shot, but it’s a continuous work with enhancing our resiliency and our our our ways of working with cybersecurity in OT.

Andrew Ginter
OK. So so we have the data, you know it’s a a wide variety of data. We are maintaining the data you know. A truism that that I try to go by is it’s only worth acquiring and tracking data if you’re going to use it. Otherwise it’s wasted effort. So you tell me once you’ve got an accurate, up-to-date inventory understanding, criticality, understanding all of these other characteristics of the security. And how they apply to each of the assets once you have all this, you know arguably valuable data set. How do you make it valuable? How do you use it? What do you use it for?

Jørgen Hartig
So. So actually we’ve been running, a beta test at the customers right now. Hopefully the tool will be released. in in the binning beginning of next year in 24 uh. The experience that we had from from the tool and the baited customers is that they actually like like and can see. A great value in in a structured and a centralized way of making reports. So we have some of the customers that are in the beta program are unable to go out and say we I would like to kind of compare five or six different factories and by having KPI’s like we would like to see the number of the number of of unsupported hardware that are more than five years old. For instance, and we might put in a A KPI in effect in on the factory level saying, well, we won’t have, critical infrastructure that are more than five years old that would, that that is not that’s, KPI we’re putting in as a measurement for saying that’s where we need to go in and make an investment so we can eep this keep KPI and that’s what people like that it’s it’s it’s done in a structured way. And they can track how far they are on the on the goal, so to say, and they can kind of measure one period where they had made an assessment and then they’re going out the year after maybe making a new one. So they have a track on what has actually been improved here. So that’s a a key point that we’re seeing from our beta beta beta test that that, that that’s a a great value for them.

Andrew Ginter
OK, so you know the the inventory and this sort of standard set of characteristics and standard calculations gives you a ruler. It lets you measure the you know, compare the the strength of your security on one part of your production line versus another, compare the strength of your, your security between factories. Report to your management team. You know, key performance indicators is that is that the main benefit is that what you use the tool for.

Jørgen Hartig
So the main benefit here is that that we can kind of look into how the risk score is, is is deciding which investments that are done from a management perspective. So so driving the risk score to an acceptable level would be. It would be the the the reports would be included in the reports about what should next step be.

Andrew Ginter
Ah, so Nate let me recap just a little bit here I heard sort of 2 main benefits out of this risk scoring system. Um, one is that you get a number out of the process at the end saying. You know, sort of adding up all of the risk of downtime at at a facility. and you know the number kind of makes sense. You assign a number to every device in the facility you add it all up. Um, what does this mean? Well it means larger facilities with more stuff. Are at greater risk of downtime. You know all everything else being equal. it. It gives you a ruler to sort of measure risk of downtime across facilities. You know so that you can you can again. Make investment decisions where should I if I want the biggest bang for my investment dollar in terms of reduced downtime due to cybersecurity risks due to reliability risks where am I going to put my next dollar well which facility is at greatest risk. Okay, now that I figured out the facility. Um. Look within the facility and I say well which components in the facility are contributing the most those are the components I should focus on what are the characteristics of those components that are contributing to most is it that they’re not backed up is it that they’re old equipment that we can’t buy you know from the vendor anymore and and we don’t have spares for anymore.

Andrew Ginter
Is it that you know multiple vendors are remoting into the same device and if any 1 of them makes a mistake There’s going to be finger pointing and it’s going to take forever to figure out what happened you know these are all characteristics that contribute to risk and you know here’s a sort of a score sheet that lets us figure out you know if we’ve got. X dollars to spend this year on on risk reliability risk from cybersecurity to you know, normal equipment failures where should I focus that and how do I drill down and you know select the components that. That need upgrades that need that need remediation pause.

Andrew Ginter
So So what you’re saying is that, you know, a key output is the actual risk score for a production line or for a set of assets, and if that score is unacceptable, then then you know the next step is obviously to fix it. Do do your customers understand the meaning of a risk score. Do they understand the difference between a + 17 and a -? 432, you know, do these numbers mean anything?

Jørgen Hartig
So so the tool gives you the ability to to look into what is actually causing a negative risk and thereby making decision based on that knowledge. So so, but clearly the the the numbers is. Is mostly for the decision may make us saying, well, a bad risk score is probably not good, so we need to look into those. So basically when we we’re doing the these assessments you make as a sort of at at the end saying well. Which one are the worst ones and do they have any characteristics the the ones with the with the a bad risk? Or do we see a kind of a a trend saying? Well, we don’t have an incident response plan or we don’t have necessary backups or we don’t have spare parts in in. So can we as a company on a seal on on a global scale saying, well, we need to look into either a technical solution or we need a procedural part like incident response saying well from a a global perspective in a company we need to go out and and develop incident response plan because the the risk score showing that that we don’t have that. So. So that’s the kind of where you’re going from a detailed level on the component part and kind of putting it up to a more global consideration about where should we put in our efforts, because we can see all the factories are missing. Whatever. So that’s also the idea that that the risk score can be used on different levels in the company. Not only for the operator, but also for the factory manager, but also for the whatever the the risk, governance sport saying, well, we can see that as an issue about this all over the place. So we need to do something about it.

Andrew Ginter
OK, so the tool you know shows you what is sort of sticking out as as most exposed or most, you know consequential. Can we do what if scenarios I mean let’s say we define an insert response plan for production line 4 or we you know deploy antivirus throughout factory #3 can we see how the risk score will change as a result of those those actions or will change if we if we carry out those actions?

Jørgen Hartig
It it is on our wish list to have that on a on a, on a future version. It’s not there yet but but still what we can can can tell the customers is how does the which part of the the the questions are actually impacting the risk score most so we can go out and and and saying like whatever a negative or a backup gives you a negative of -50 or whatever. So so we can show the customer. How have we defined the algorithm behind it saying which one do we see as the as the most critical part that gives a bad risk or and we also in a process for looking into whether the customer should be able to to give input to how the risk your score should be calculated. So our definition of the disco might not be suitable for another customer, but it’s not in the in the in the play right now to go out and and kind of taylorized the risk score for a specific company. But we can tell the customer how is the risk score defined, what, what, how, how does for instance backup or spare parts are are missing. Incident response plan impact the risk score we we can do that but the we don’t have the the what if kind of play in in the application yet.

Andrew Ginter
So that makes sense. And you folks are in the European Union, you’re in Denmark and NIS2 is the big news in the Union. You know, the last couple of years. Does this tool give your customers a leg up on NIS2?

Jørgen Hartig
I think to think that when you’re looking into NIS2, the headline for these two is basically doing a risk based approach and and using that as a as a decision making for how do you how do you secure your yeah your utility service or your production or whatever your bank and and including in that is too. There’s a lot of focus on for instance asset management. And ability management, incident management and and other important disciplines. It will be in fourth here in in October 24 and and we believe that that the methodology and the tools that we have can can help complying with these requirements from NIS2. These two also request that that that management, the management team of the organization have authority understanding about. The security level of the company and we believe that that putting in key performance indicators about where you are as a company from a cyber security perspective. Is important for the. See the the management team to to have the insight and the capabilities to approve uh, new incentives where they can say well it’s not. It’s not good with a negative risk or it’s it’s it’s you need we need to do something. So the questions about how you can equip the the the C-level with with the right knowledge. That’s that’s one of the key outputs from from a risk assessment tool as ours, but again, it’s not just doing risk assessments. Also, doing the as a continuous work around cybersecurity, how can we improve? Where can we improve and also track the improvements in the tool.

Nathaniel Nelson
You know Andrew risk has been an important theme of our podcast especially recently. But when we use terms sometimes in this area like risk-based approach. It just kind of seems a little bit vague and open to interpretation to me.

Andrew Ginter
Oh It’s It’s very much open to interpretation I mean you know I’m familiar with the the North American Market in in some parts of the market. Um, you know sort of in common usage risk-based is you know, synonymous. With doing whatever you want because risk-based says I Assess the risk I decide how at risk I am I determine my business’s risk tolerance and so um, you know anything I do. Is by definition risk based because I’ve assessed the risk and because I’ve determined the tolerance I can set the tolerance bar I can tolerate as much risk as I want and therefore spend as much or as little as I want on cybersecurity that’s sort of the the common usage. Um, the thing is that that. You know, common usage and regulations don’t jive. This too is you know a directive from the European Union to the member states the member states to comply with the directive have to define regulations for critical infrastructure for Cybersecurity. And the regulation that the directive instructs The member states to produce regulations that are risk-based the member states are not going to say you can do whatever you want. The member states are going to do something that says you have to have you know you have to provide evidence that you have assessed the risk and that you’re taking steps to address the risk. And here’s a tool that provides evidence. you know this is a tool that’s that that you know auditors are going to look at and say yep, you have done the risk assessment you have identified what’s most at risk you have so this is you know this is a step in the right direction. It sounds like.

Andrew Ginter
So you’ve said that the the tool is coming out in Q1, but it you know, it sounds like you’ve been using something like this tool for some time, you know. Previous versions of it, whatever, how has the tool been received by your customers? I mean they they’ve presumably been been using beta versions. You know how how, what value do they see?

Jørgen Hartig
So so first of all, they they like the idea about having the aspect around. How can we secure? How can we protect the availability of a production flow or utility service with the with the pump station and things like that. So having a a clear view. On how do we protect these things from? And sorry, having the availability availability up running for for either the production line or the the the utility service and and and people like the idea about adding information to the traditional asset management tool where they have what we say kind of static data. Or a non kind of critical information added to the data from from the assets. So they have perceived it very well and yeah normally we see that that it’s it’s been using they have been using spreadsheets which are are are somewhere or somebody has updated it somewhere at at some point of time. So they like the idea about as a structured way, one place to have the data and they can work with them. we have built a solution around traditional Microsoft platforms like SQL and Power BI so they can can get a good insight and have a structured approach to how data are are, are covered and store.

Andrew Ginter
So this makes sense. You know a a tool to automate the process of tracking. You know, a lot of security characteristics, a tool that you can press a button and say, well, where is the next investment in security that’s gonna pay off the most in terms of increased reliability of of manufacturing and critical infrastructure. Thank you for joining us this. This all makes sense Before we let you go, you know, can you sum up for our listeners what what are the most important lessons here? And you know, what should they be thinking about going forward.

Jørgen Hartig
From our experience and and also what what we hear all the time is that if you don’t know your OG infrastructure you it’s it’s it’s not a you’re not able to protect it and we believe that is true when we’re doing assessments about 90% of the assessments that we’ve done, we have found components that were not registered or even the operator didn’t know it was dangerous and that’s, I guess that’s also a learning here, saying that the whole thing about awareness on the factory floor about putting in modems or putting in devices that can actually help your operator for being more effective might have impact on the the the security in the in the in the factory floor. So having a structured approach about asset management from a risk perspective, will help the customers to do the right decisions and and we believe that there’s a need for. Going into the details here, having the specifications on a on a component level to make that decisions. so I mean just seeing, I mean you need to put in also not only the the technical protective solutions, just this network segmentation or whatever. Antivirus or or monitoring. You also need to look into the overlaying procedures for maintaining at the right level of of of cyber security. I mean just the the reason the attacks that we’ve seen on water utilities in, in the US and in Ireland and where vulnerabilities were used to lay down.water utilities. Also the in in actually in Denmark will be seeing an attack against 22 energy companies just recently where? vulnerability in a firewall were utilized. It all makes sense to go out and and actually look into the procedures and and.

That can help us protecting the infrastructure, regardless of its utility, service or production. So.

And that’s I think that’s important. output from this that we don’t only only log on the technical part, but also having a focus on on who’s actually doing what in our companies. So about the tool I mean reach out on LinkedIn we would like to have customers on board to evaluate the solution and and you can see more on our websites. But thank you very much Andrew for for having me here.

Nathaniel Nelson
Andrew that seems to be the end of your interview with Jørgen. Do you have any final word. You’d like to take us out with today.

Andrew Ginter
Yeah I mean I learned something here I mean this this tool sounds like a step in the right direction it it in my understanding it does 3 things. It identifies all risks to reliability to reliable operations from the mundane. You know, lack of spare parts to the Cyber, know lack of an incident response plan. Um, it gives you a ruler to to compare risks across sites again. It helps with investment decisions which site is most in need of Reliability investments. Um, you know which site is most in need of of security investments. It helps make decisions about how to spend those security dollars most effectively and it provides the kind of evidence that we’re going to need for NIS2 right regulations evidence of disciplined risk-based decision-making not hand waving but actual numbers and you know, ah. Justification for security investments.

Nathaniel Nelson
All right? Well with that. Thank you to yon hardtick for speaking with you Andrew and Andrew is always thank you for speaking with me this has been the industrial security podcast from waterfall. Thanks to everybody out there listening.

Andrew Ginter
It’s always a pleasure. Thank you Nate.