Ongoing digitalisation has introduced new risks to historically ‘secure’ industrial networks. This convergence of IT and OT – and the potentially catastrophic consequences should a hacker gain access to critical national infrastructure – requires a fresh approach to cybersecurity. Here Marcus Josefsson, Director – Middle East, Africa and Russia at Nozomi Networks, tells us about the key threats, how Nozomi is helping to mitigate against them and how CISOs can build a successful OT security strategy.
What kind of challenges have been created by the convergence of IT and OT?
Prior to this convergence and digitisation, OT had an air gap – it wasn’t connected to anything. That’s not there anymore so that is a big challenge. All of a sudden we are now seeing networks that were never connected, being connected.
The second challenge is that a lot of devices that were previously 100% proprietary are now becoming more mobile IoT devices.
And of course, this opens you up to exactly the same challenges that you’re having in IT but the stakes are higher.
Here it’s critical national infrastructure (CNI) or airports or waterworks or the electricity grid. So if something goes wrong, the stakes are higher. In IT, someone doesn’t get an email, which is not great, but if electricity stops flowing then we have bigger problems.
How targeted is CNI and why – what is the motive of attackers?
There are two different threat scenarios. One is the typical threats like ransomware and attacks from organised crime groups motivated by money or doing it for fun. That is very similar to IT.
But then we also have nation state attacks. Being able to attack OT is just another weapon in their arsenal. They’re constantly trying to get into the network, they’re scanning, they’re building reconnaissance, etc.
How are organisations in the region responding?
They’re responding faster. If you take a country like the Kingdom of Saudi Arabia (KSA) or the UAE or other countries in the Gulf which have big oil production, for instance, it’s such a big part of the economy.
If something happened to these infrastructures, that would have such economic disruptive effects.
The second thing is, due to the political instability, everyone’s ramping up both offensive and defensive capabilities. It’s a race out there, and we see certain states which have military units that do offensive and defensive ICS cybersecurity, quite publicly as well; they churn out a lot of graduates, so that’s something at the forefront of people’s minds.
How important is the Middle East market for Nozomi Networks?
The Middle East is incredibly important for us. I think it’s the second or third largest market for us globally. Companies here are investing more quickly due to current events etc. We’ve grown from a one-person team to a 10-person team in a year in the region and as a company we grew 500% last year. We see tremendous growth from both the customer and partner side of things.
For us, the Middle East is very much top of mind and we will continue to invest in the region.
Can you give an overview of the kinds of solutions that you’re offering?
If we look at OT security 10 to 15 years back, there were a couple of issues. First was cost – it would cost maybe US$500,000, as an example, to secure a plant.
The other challenge is that devices have to be put inline in the network. And these networks can be very sensitive; the operators are very wary of any disruptions to the stuff that they’re doing.
We do two things differently. First, all the data and everything we collect is completely passive. We look at the network traffic and based on that we provide full visibility of the infrastructure. You can have no security without visibility.
We see the assets on the network, what the network looks like and the industrial process itself.
Then we have cybersecurity controls, the typical ones that you would see such as signatures, sandboxing, things like behavioural analytics and threat feed intelligence.
Usually for us, following the initial approach from a customer, we’ll try to go as quickly as possible and speak to the operators, the guys in the plants or pipeline or airports, or whatever it is, and say: ‘you guys probably don’t want to do cybersecurity, because you have an operation to run. But what if I can help you with asset management, troubleshooting, predictive maintenance, etc.’ So we are able to add that value to the operators.
I think we’re in a kind of unique position where we start off as a cybersecurity solution and then the people that are typically less keen on cybersecurity usually become the biggest proponent.
But it’s very straightforward – it’s basically an appliance that sits on the side of the network, looking at a copy of all the network traffic.
We have the visibility to identify vulnerabilities and detect the attacks and then there’s other devices such as a Fortinet firewall for instance or Palo Alto firewall or network access control system that is able to go in and take the action.
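The answer above describes the pattern of a passive sensor on a traffic mirror: build an asset inventory from what the hosts say to each other, baseline the normal conversations, flag deviations, and hand the enforcement decision to a firewall or NAC. The block below is an added example of that pattern, written for this page; it is not Nozomi Networks code and does not describe their product. It runs on constructed flow records standing in for what a SPAN or TAP port would show, and the port-to-protocol table, the role heuristics (a host that answers an OT protocol is treated as a field device, one that only initiates OT protocols as a master/HMI) and the rule string it emits are all assumptions.

```python
"""Passive OT asset discovery and baseline-deviation alerts from mirrored traffic.

Added example, not vendor code. Flow records are constructed; the protocol
table, role heuristics and suggested-rule format are assumptions.
"""
from dataclasses import dataclass, field

# Server-side ports of common industrial protocols (assumed mapping).
OT_PORTS = {502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3",
            44818: "EtherNet/IP", 4840: "OPC UA", 47808: "BACnet"}
# Ordinary IT services that should rarely be spoken *to* a field device.
IT_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 445: "SMB", 80: "HTTP", 443: "HTTPS"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Asset:
    ip: str
    served: set = field(default_factory=set)   # protocols this host answers
    spoke: set = field(default_factory=set)    # protocols this host initiates
    peers: set = field(default_factory=set)    # who it talks to (network map)

    @property
    def role(self) -> str:
        # Heuristic (assumption): answering an OT protocol => PLC/RTU-class device;
        # only initiating OT protocols => SCADA master or HMI; otherwise IT host.
        if self.served & set(OT_PORTS.values()):
            return "field-device"
        if self.spoke & set(OT_PORTS.values()):
            return "master/HMI"
        return "it-host"


def proto_name(f: Flow) -> str:
    return OT_PORTS.get(f.dport) or IT_PORTS.get(f.dport) or f"{f.proto}/{f.dport}"


def build_inventory(flows) -> dict:
    """Visibility: every host seen on the wire, what it speaks, and to whom."""
    assets = {}
    for f in flows:
        name = proto_name(f)
        s = assets.setdefault(f.src, Asset(f.src))
        d = assets.setdefault(f.dst, Asset(f.dst))
        s.spoke.add(name)
        d.served.add(name)
        s.peers.add(f.dst)
        d.peers.add(f.src)
    return assets


def baseline(flows) -> set:
    """Learn the (src, dst, protocol) conversations seen during a known-good period."""
    return {(f.src, f.dst, proto_name(f)) for f in flows}


def detect(live, base, inventory) -> list:
    """Detection only: return alerts with a suggested rule for the enforcement point."""
    alerts, seen = [], set()
    for f in live:
        key = (f.src, f.dst, proto_name(f))
        if key in base or key in seen:
            continue            # known or already-reported conversation
        seen.add(key)
        target = inventory.get(f.dst)
        it_to_plc = key[2] in IT_PORTS.values() and target is not None \
            and target.role == "field-device"
        alerts.append({
            "src": f.src, "dst": f.dst, "proto": key[2],
            "severity": "high" if it_to_plc else "medium",
            "reason": "IT protocol to field device" if it_to_plc
                      else "conversation not in baseline",
            # Handed to a firewall/NAC; the sensor itself never touches traffic.
            "suggested_rule": f"deny {f.proto} from {f.src} to {f.dst} port {f.dport}",
        })
    return alerts


# Constructed sample traffic: a quiet learning window, then a live window.
BASELINE_FLOWS = [
    Flow("10.10.1.5", "10.10.2.20", 502),     # HMI polls PLC over Modbus/TCP
    Flow("10.10.1.6", "10.10.2.21", 102),     # engineering workstation to S7 PLC
    Flow("10.10.1.5", "10.10.1.50", 443),     # HMI to historian web UI
]
LIVE_FLOWS = BASELINE_FLOWS + [
    Flow("10.0.0.99", "10.10.2.20", 22),      # SSH from an IT address into a PLC
    Flow("10.10.2.20", "10.10.2.21", 502),    # PLC-to-PLC conversation never seen before
    Flow("10.0.0.99", "10.10.2.20", 22),      # repeat of the same session
]


def run_demo():
    inventory = build_inventory(BASELINE_FLOWS + LIVE_FLOWS)
    alerts = detect(LIVE_FLOWS, baseline(BASELINE_FLOWS), inventory)
    return inventory, alerts


if __name__ == "__main__":
    inv, found = run_demo()
    for a in inv.values():
        print(f"{a.ip:12} {a.role:13} serves={sorted(a.served)} peers={sorted(a.peers)}")
    for alert in found:
        print(alert["severity"], alert["reason"], alert["suggested_rule"])
```

The split between `detect` and the `suggested_rule` field mirrors the division of labour in the answer: the sensor stays off the data path and only recommends, so a misfire cannot itself stop a process, and the operator decides whether the firewall or NAC applies the rule.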
What advice would you offer to CISOs that would like to implement this technology or look for an OT security solution?
I think the first step is to go and speak to the operators to involve them very early on and make sure you build that rapport. Having an IT cybersecurity discussion in your own circles without involving the operational team can be a big pitfall.
Try to find other benefits so you’re not just putting in cybersecurity controls for the sake of it, you’re able to help the operations team with efficiencies too.
How important are security partnerships for these kinds of technologies?
We are an extremely partner driven company. We are a small company by comparison to the likes of Schneider Electric for example.
One aspect of our partnerships is that they lend us a lot of credibility. But we’ll also know things that they don’t and vice versa so we really complete each other from a technical perspective. And it’s also about keeping the focus on OT.
One of the key takeaways from running a Security Operations Centre for OT is that nothing speaks to each other. So the ability for us to do what we do and then go in and say: we can do detection; Fortinet, for instance, can do mitigation; Schneider owns the complete solution stack inside a big refinery or a big oil company or utility company, so they already understand the infrastructure and can be a good translator between the two worlds.
If you come from IT, you would struggle to understand OT. If you come from OT, you would struggle to understand the cyber piece. Any way that we can bridge that gap is very useful.
Are there any emerging trends in this area that CISOs should be planning for?
One of the trends that I would focus on is how it’s not only about oil and gas and utilities anymore. We see aviation, transportation, pharma, building management for instance, all impacted by this convergence.
To give an example, if you think about building management systems, if the air conditioning stops working at a trade show for example it’s not the end of the world. But if we go to an airport or the Burj Khalifa or Mall of the Emirates, for example, the stakes are much higher.
There are so many OT networks in the world but you just need to decide which ones to focus on. I read in a report that there are 10 times as many OT networks as IT networks in the world, which makes sense.
But the question is which are the ones that are critical? I think that is another thing that customers are starting to wake up to.
They’re discovering that they have this OT infrastructure that they have never thought about from a cybersecurity perspective, but these are actually what keeps the business running.
And then suddenly what’s traditionally OT, as in industrial control systems, becomes IIoT, and even IoT devices, which you’d typically find in an IT environment.
These things are merging so we’re seeing customers coming to us and saying ‘can you help us with CCTV systems for instance? Can you help us with the metering systems?’ Things that we would traditionally not look at.
We will be looking at substations, refineries, pipelines and customers will say ‘I also have other networks that are critical to me. They are very adjacent to what you do; can you help us with that?’
And that is something that we’re getting increased requests about. And I think that’s going to keep changing over the next few years.