In this final episode of our three-part cybersecurity series with Matt Malone, ICS/OT cybersecurity consultant at Yokogawa, we talk about team strategy and old notions.
Q: Our first two episodes, we covered the why and how cybersecurity. Now let's talk about the who, and I'm not talking about Pete Townshend and Roger Daltrey, although “Won't Get Fooled Again” could potentially be a theme song for this whole series. But let's talk about who needs to be involved and why.
A: Oh, absolutely. So you asked me a question about this on, I think it was episode one of this series, and I briefly touched on some of the people who might be in the position of creating a cybersecurity program. I'll just go back to that and then I'll expand on it. So the sites that I've been to, there have been some folks that have more or less been thrust in this position, voluntold, so to speak. And it may be somebody that is from the IT side that's now in charge of OT security, it may be one of our process control engineers or chemical engineers that's wearing four hats and the plant manager says, "Oh, by the way, I need you to do cybersecurity as well." And so I'm not going to beat around the bush, that's a tough spot for anyone to be in.
And I would also recommend having somebody from process safety as well. And so now you've built this coalition of folks within your plant that have all these little different expertise or these areas of DMZ level one. And the reason why that's important is because whenever you take that team to management with your proposal, with your budget, with your cybersecurity roadmap, you carry the weight of all of that political capital behind you when it comes to... Let me put it this way, it's very hard for somebody in management to say no to four leaders within their organization than it would be to one.
And so especially when it comes to cybersecurity and you've got, "All right. Well, hey, here's the output of our assessment. We had a third party that came in and gave us this information, they gave us these recommendations, we developed this roadmap, here's our priority list. And now I've got somebody from IT, I've got somebody from process safety, I've got somebody from process control. They're all saying we need to do this. This is the budget outline for year one. This is our perspective budget for year two," you build that case and that makes it really hard for management to say no.
Q: Excellent advice there and great points. Talking about putting together this cross-functional team, this force to be reckoned with, can facilities go at it alone in terms of designing and executing a cybersecurity plan?
A: Oh, I wouldn't recommend it. And my heart goes out to anybody who's ever had to do that because they're out there. Like I said, there's some folks that at the same time they're bailing out their lifeboat we've got somebody from management that throws them in anchor at the same time. And so if it is somebody from facilities, reach a hand out and I guarantee you that it's not going to come back in vain. There are folks out there if you go to them and you ask for help. Just because I've seen it so many times in my own work, I'll come in for a consultation meeting and it won't be just, "Okay. Hey, I'm Jim. I'm the chemical engineer for plant X. We need to do this."
No, it's Jim who's the chemE and then I've got Mike over here who is their IT manager. And so it's usually people that have a vested interest in these things anyway because it affects their daily job and that's why they have an interest in this. So if you have, right now... I don't think I've been in a meeting in over a year where somebody from the enterprise IT side hasn't sat in on a cybersecurity consultation call dealing with their OT network. I think we're past that point of IT/OT convergence. It's converged, we're there.
And because of that, the folks on the IT side, they've got a vested interest of what's going on in the DCS. Same with your facilities folks, same with your field engineers, this is all going to be downstreamed and it's going to affect their job as such. That might be even a way to ask their help, saying, "Hey, the boss told me we've got to do this for cyber. I know this might mess you up maybe not in six weeks, but maybe in six months, and I just want to make sure I've got your inputs on this before I send this plan out." Okay, so now you've got that person's buying it. So the more leaders that you can find. Maintenance... I think that I'm leaving somebody out. I hope I don't get a nasty gram from somebody saying, "Hey, you didn't mention me." But those are the folks I'd recommend just top of my head.
Q: You're talking about the leaders getting everybody at the table and talking about what needs to be talked about. Let's think about training and what does effective training entail.
A: Man, so that really depends on what the outcome is going to be. If you're looking for a specific type of certification, that is going to be part of that program. So if you're developing this cybersecurity program and your program says, "We require this many number of people with this background and this type of certification," then you're going to have to go through CompTIA, GIAC, ISACA I think is another one, some of these global certification bodies. You're going to have to pay for those classes and then pay for the testing and then you might have to pay for the retesting, hopefully not, cross your fingers, depending on how all that goes. So that part, there's no way around that. If that's what the program says and that's what the company wants you to abide by, you've got to go that route.
Otherwise, there is a lot of great informal training that can be done. And I remember there was a phrase back around like 2010, 2012, about the great crew change. And I think you had a lot of folks maybe from the boomer generation that were retiring and everybody was bemoaning and bewailing. There was gnashing of teeth, "We're losing all of this intellectual capital that we've built." And it didn't have to be that way. And so having some of these informal training situations once a month I think is fantastic because you can almost kill two birds with one stone. So you've got mandatory training probably for phishing email attacks and everything like that. Okay, well let's couple that. We can cover that in five, 10 minutes.
Let's use the rest of that time for cyber awareness and say, "Okay, this is what it would look like if somebody is taking control of your work station." It's not just going to be somebody moving your mouse around. It can be stuff like if you hear all your fans, kick it up to 11, something odd is happening, we want one of them to go check that out. And so there are two avenues. There are also some companies out there, we're one of them, we provide training that is a little bit more regimented in terms of we've got learning objectives, learning outcomes, slide decks based off of each subject within the greater cybersecurity sphere itself. So there's a couple of avenues approach that companies can take depending on what their outcomes are.
Q: And I like that hybrid approach, talking about the formal stuff and then getting informal and getting those nuggets of knowledge that they wouldn't even realize and just shooting the breeze in and really disseminating all of the good bits that they can then take and apply in case of emergency. And I think that's a wonderful [inaudible 00:10:07].
A: Oh, absolutely. Yeah. I may know a little bit, I'm still learning about cybersecurity. I try to learn more every day, but I'm definitely not a subject matter expert when it comes to your plant. The operator that's been there for 10 years, he can probably take a good sniff of the wind and he can tell, "Okay, I need to adjust my set point over here, the burner's a little too high." That type of tribal knowledge, I'm never going to be able to touch that and that's the stuff that can be dealt with in some of those informal training stuff.
Q: Let's talk a little bit about some of the challenges in terms of personnel and what's at stake.
A: Like I said, this is a young space, OT cybersecurity. About once a month I'll get a youngster that maybe they're in year or three or four of college, they've majored in cybersecurity and they're looking for, "Hey, what do I need to do next? What's a good company to go work for?" They're really gung-ho about cybersecurity and I think that's a promising outlook on the future. Unfortunately, the folks that are qualified and interested in OT cyber are kind of hard to find right now. And so there's two ways we can go about that. And if you're of the HR persuasion out there, I understand if you don't want to hear this and that's fine, but the first thing and the easiest thing is going to be upping the pay scale for your cyber folks. Because money talks, that's going to be the biggest thing for folks to either move companies from another company or if you're trying to hire somebody who maybe just got certified, maybe they just graduated, something to that effect.
And the other avenue of approach would be to train folks internally. And we've dealt with that in both ways at Yokogawa. We had to turn it up a notch in order to get some more cybersecurity engineers brought in just because it's a competitive field right now. And we're also taking some folks that have a fantastic history of DCS engineering from all levels, from the DMZ all the way down to the field instrumentation level, and now we're just adding in the cyber aspect, we're getting them certified for GICSP and now we're basically making a cybersecurity engineer that has a fantastic resume in terms of OT networking and OT engineering. So that's not an easy answer, but that's an answer.
Q: Exciting times for sure. You and I have been together now for three episodes and I want to toss out a question for you. Anything you'd like to add that we maybe not have touched on that you think is important across the board in terms of cybersecurity?
A: Okay. Yeah. So if we have any folks out there that are going to clutch your pearls, now's your chance. Air gaping is a myth. I try to be soft or nurturing whenever I hear a client say that because I don't want to just blurt out, "Well, your baby is ugly," kind of a deal. I think most people that I'm having conversations with, they understand their baby is ugly, they just don't want to hear it from another person. So I'll just say this, don't trust in air gaping. It's not functionally possible anymore. It's just not. That's just something we've got to let go. We closed the door on being able to air gap our technology whenever we went off proprietary systems. And I mean the old proprietary days where if you wanted a DCS then it was a Yokogawa monitor, it was a Yokogawa server, or geez not even a server back then.
But you know what I'm saying, everything came from a Yokogawa factory or the other OEM factory. Today, everything is COTS running the OEM proprietary software on it. Well, at least it is in the DMZ level one, level two, PC and things like that. It's different when you get down to your controllers and down to your field instrumentation, but for the most part, the networking is done on commercial off-the-shelf hardware and the associated software with that. And ever since then, everything is wanting more data backup to the enterprise side for business purposes and things like that and it's just not doable anymore. We need to bury it and just move on as an industry thinking that we can ever rely on air gaping ever again.
Traci: Well, Matt, you've proven to be the most valuable tool in terms of understanding cybersecurity risks and what's needed to mitigate them. I appreciate the candor in everything that you've discussed with us. On behalf of Matt and the team at Yokogawa, I'm Traci Purdum and this is Solutions Spotlight. Thanks for listening.
