Cyber Protection Magazine will, this year, focus on operational technology (OT) security and recently sat down, separately, with Mirel Sehic, CISO for Honeywell, and Nicole Darden Ford, CISO for Rockwell, to discuss the burgeoning “security operations center as a service” industry. We found their collective view to be complementary and instructive. We wove the interviews into this single Q&A.
CPM — How do your SOC services work? Is it virtual? Is it actual or is it a combination?
Nicole Darden Ford (NDF) — So we meet our customers where they are. We have a converged SOC, both information technology (IT) and operational technology (OT), to support our customers. We can integrate with their SOC, and we have our own SOC that we can use to support clients and help them support their own SOC if they already have an existing one, or support a virtual SOC. Whatever they need, wherever they are, whether they are a mature customer or someone just starting without resources.
Mirel Sehic (MS) — Our expertise stems from operational technology solutions, whether it be the controllers for some physical activity, or the distributed control system or SCADA system that controls all of that plumbing and integrates all of those systems. When it comes to this fairly new notion of securing industrial IoT (IIoT), the challenges are a little bit different than those of IT, which is more of a commoditized view. A lot of vendors and providers are on the IT side, but not so much on OT. We are transitioning from a legacy infrastructure built to perform isolated tasks like controlling a pump, controller, compressor, etc., to interconnected systems that previously never talked to each other.
We’re also moving the control systems to edge devices and the cloud. These may be great things, from a business context perspective. But what happens when you’re connecting these systems? It’s still treated as a legacy to these new digital innovative solutions, right? We have a complex situation when it comes to your threat footprint on the cybersecurity side. So to simplify, we’ve got these business improvement solutions, whether they be a device, IoT edge, or edge-to-edge cloud, all operating in a legacy framework that isn’t necessarily cyber secure. We saw that some time back and decided to do something about it. How do we have that conversation with our partners and customers around cybersecurity? Where do we start? Why is it important? And then we lead them down that path of cyber maturity. That’s pretty much how we look at operational technology and cybersecurity.
CPM — A lot of companies don’t have CISOs. So if they’re buying your services, are you becoming their virtual CISO?
NDF — We’re advising them on what they need to do as part of the work that we do. Our consulting arm helps them understand, and work on, a strategy, which is the first piece. Typically, organizations may have a security person, maybe not a CSO, but some security people working for them. And then they have their plant engineering team if they have a manufacturing plant. We help bring them together and help them develop the right strategy and determine, “How do I start, how do I end, and what does maturity look like for me throughout my journey?”
A lot of times, this is a three- to five-year journey. Our goal is to really leave them with a solid roadmap and a solid execution strategy, and help them drive decisions around security tooling. We use a process called discover, remediate, isolate, monitor, and respond. That accelerates their progress by giving them meaningful steps that they can take in their OT/IT journey to move the needle, especially in the area of cyber and for adequate protection.
CPM — You know, historically, the guy that gets the title of CISO is usually the guy who’s low on authority, and they are planning on firing him anyway. And this gives them a good excuse. So do you think partnering with companies like Honeywell or Rockwell is a good way to save your job?
NDF — I think for sure. So remember if you don’t have the information, go find somebody smart enough that does, right? We are that company, we have the background. We’ve been in this business for over 100 years.
CPM — How long have both companies been monetizing the SOC business?
NDF — We’ve been monetizing cyber services for a few years now. And most recently, SOC services: we just recently rolled that out as a service to our customers in 2022. We showcased the services at the Automation Fair in November. Rockwell has traditionally been an industrial automation company. People didn’t see us in cyberspace. But when they were able to go to the booth and really experience what we’re able to do, it was an eye-opener for many of our customers. And it sparked a ton of conversation. So it really helped them to understand our cyber expertise and the amount of investment we’ve made in this space, and how we can support them in their journeys.
MS — We’ve been at this for about 10 years. Without going into too much of the lower-level details, you can think about the business as kind of two distinct buckets. One is direct to the customer, hand on shoulder, we provide services. Another is through a partner network. So depending on which vertical we’re discussing, we have different go-to-markets, but the message is consistent. And the message is one around: we need to improve the aging mentality, infrastructure, and solution or view on operational technology, and we need to apply some cybersecurity hygiene. So whether it’s direct or through partners, the message is consistent.
CPM — Are government regulations in the EU and the United States helping companies figure out where they can start?
NDF — It does. When the government got involved, especially under the Biden administration, that was huge. The Cybersecurity and Infrastructure Security Agency (CISA) started providing guidance on what you need to do at a minimum to protect your organization. The “Shields Up” campaign was huge for a lot of organizations because I think it brought to light: here are the actionable steps you can take, right? Most people get bogged down in how complicated cyber can be. As a result, people just don’t start.
The government said, “Listen, it’s not if, it’s when, and the time is now, and here are the things that you need to do to protect your organization.” For organizations like Rockwell, we now have something to lean into, right? We have this sense of urgency that hasn’t been there before that organizations are feeling. There’s a requirement to report cyber incidents in critical infrastructure that’s unprecedented. Companies are starting to look internally to see if they have the right resources to build these programs. If not, they can start to make the investment, and Rockwell is uniquely positioned to support those organizations and help give them a roadmap, a really clear, easy-to-follow roadmap that will get them well on their way to protecting their organization.
MS — Yeah, that’s a good question. I think, yeah, I think it’s across the board, right? And we are participatory in both the review and write-up of some of these frameworks. So we are very much involved. I think speaking a common language is key. And these frameworks give us a common language, right? One of the things that tends to happen, especially in the cybersecurity space, is that A, there are a lot of acronyms, and B, it’s a complex topic to begin with.
So when you discuss these complex topics, just finding a common starting ground seems very, very difficult. So these frameworks, to your point, give us a common language, which gives us that starting point. And just recently, I think, CISA just released their critical infrastructure protection guidelines, which are voluntary, but they list out a good chunk of our recommendations on how to stop.
These cybersecurity performance goals provide us with a start, and we have the NIST Cybersecurity Framework, so we have great frameworks to make a start. Then it’s digesting that for your particular industry and your maturity cycle in that industry. Take the example of a hospital or a healthcare provider. Hospitals are critical infrastructure, but one hospital is not the same as another hospital. So even if you’re in the same industry, you may have different levels of cyber maturity. So you can go and pick these frameworks up, but you need to understand where you’re at from a starting-ground perspective.
This is really where we typically get involved, in terms of working out what the hospital’s risk appetite actually is. If your risk appetite is zero, you’re not willing to absorb or take on any risk. If your risk appetite is high, you’re willing to take on maximum risk, and you’re implementing minimal mitigating controls. We don’t want to see a high risk appetite. That’s for sure. So depending on what industry you’re in, you can lean on each framework.
Depending on what maturity level you’re at, depending on your risk appetite, you can start to implement some of these guiding principles in these frameworks. That leads us to the budgetary discussion. It would be great if we could all have a risk appetite that’s very, very low, or not want to take on any risk. But that then comes with having to actually get services and solutions to reduce that risk, and sometimes budgets are constrained. That’s a conversation that needs to be had across the board.
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he has covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, and avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.