As our world becomes increasingly interconnected through digital technologies, the need for robust cybersecurity measures grows more critical than ever to protect against evolving threats. In this episode, I am joined by our senior OT cybersecurity expert, Matthew Cosnek, to talk about the importance of regular cybersecurity assessments, prioritizing investments, and staying compliant with evolving standards and regulations that aim to protect critical infrastructure.

Question 1: What is OT Cybersecurity?

Question 2: What are the new threats that you are seeing and what can we do to defend against those?

Question 3: What can be done to prevent a cyberattack?

Question 4: When we say cybersecurity assessment, what does that really mean?

Question 5: What is the importance of this assessment? Why should organizations be doing them?

Question 6: What makes prioritizing investment so important or difficult?

Question 7: So you’ve done the assessment, you have the results, how does someone use that information to be impactful?

Question 8: Let's talk about how codes and standards tie into all of this. What are those saying?

Question 9: What are some common misconceptions about OT cybersecurity?

Question 10: What’s happening in the next 12-18 months?

  • Matthew Cosnek

Matthew is a senior OT cybersecurity expert with Eaton, where he provides guidance and thought leadership on strategies to protect power management and operational technology systems. Over his 17-year career, Matthew has held various positions in process control industries, including automation controls engineering, turbine mechanical engineering, and for the last 8 years, OT cybersecurity. Matthew received his Bachelor of Science in Engineering from Calvin College. In addition to his engineering degree, Matthew has a master’s degree in business administration from the Katz School of Business at the University of Pittsburgh. Matthew is a member of IEEE and serves on several ISA committees helping to review, contribute to, and recommend improvements to industry standards.

Maryann:

As our world becomes increasingly interconnected through digital technologies, the need for robust cybersecurity measures grows more critical than ever to protect against evolving threats. In this episode, I'm joined by our senior OT cybersecurity expert, Matthew Cosnek, to talk about the importance of regular cybersecurity assessments, prioritizing investments, and staying compliant with evolving standards and regulations that aim to protect critical infrastructure.

Maryann:

We have ten questions in ten minutes, so let's get started. Hi, Matt. Thanks for joining us today.

Matthew:

Thanks, Maryann, happy to be here.

Maryann:

Yeah, really excited to pick your brain on this topic. So let's just start with the basics. What is OT cybersecurity?

Matthew:

Well, first, the OT stands for operational technology. And I think to understand OT cybersecurity, it's easiest to start with IT cybersecurity, which most people are familiar with. IT cybersecurity primarily focuses on protecting data and information systems. Think about emails, databases, work laptops, things like that. It ensures that sensitive information remains confidential and secure. Whereas OT cybersecurity is more focused on protecting physical operations.

Matthew:

So these are things that Eaton does, like industrial control systems, electrical power management systems, and sometimes even data. These are things used in industries like manufacturing, utilities. Cybersecurity is unique from IT in that a cyber attack on an OT system could disrupt critical infrastructure. This would lead to potential physical damage, safety concerns, and impacts to communities.

Maryann:

Yeah, super important to understand that distinction. Thanks for breaking that down.

Matthew:

Yeah. It's because of that difference in focus and potential impact that we separate the two and think about them differently.

Maryann:

And it seems like every year there's more and more reports of cyber incidents specifically targeting critical infrastructure.

Matthew:

Absolutely.

Maryann:

So what are the new threats that you're seeing and what can we do to defend against those?

Matthew:

As far as the kinds of threats we see, ransomware continues to remain the most prominent. However, there are concerning tactics that are trending up. For example, federal agencies have previously reported on a foreign state-sponsored threat group known as Volt Typhoon. What authorities are finding is that Volt Typhoon is gaining undetected access to systems and then laying dormant, possibly waiting for a future moment to leverage that access to gain.

Matthew:

But beyond new threats, I think the biggest takeaway is that we are just seeing a general increase in cyber attacks. Many criminal groups and organizations have grown highly sophisticated in. They are businesses with org charts, payrolls, etc. So for them, something like ransomware is seen as a revenue stream. Illegal, yes, but it is a way they make money.

Matthew:

Another reason attacks are rising is that many organizations are experiencing a digital transformation.

Maryann:

And pause you right there. Matt, can you shed some light on why the industry might call digital transformation a buzzword, but why it's important not to lose sight of what that means?

Matthew:

Yeah, that's a good call. It is not just a catchy buzzword. It is a real thing. So digitizing our equipment has a lot of real benefits. But as we integrate more digital technologies into these OT environments, we also increase the attack surface.

Maryann:

Attack surface. Is that another buzzword?

Matthew:

Yeah, you're keeping me honest. All that means is we are introducing more connected smart devices that could potentially be compromised and lead to a cyber attack.

Maryann:

So I guess now the obvious next question is what can be done to prevent the cyber attack?

Matthew:

So that is the ultimate question. And it is challenging because there is no one-size-fits-all solution. Each industrial system is unique, with different objectives and varying potential threats. Most customers, in fact arguably all, don't have the luxury of deploying every cybersecurity recommendation. Therefore, it becomes an exercise in understanding the return on investment, which is tricky because cybersecurity doesn't generate revenue directly. From a financial perspective, it functions more like insurance.

Matthew:

It's about cost avoidance. However, it is not unsolvable. At Eaton, we believe there are core tenets that every organization, including our own, should prioritize. These include using firewalls to protect OT networks and critical assets, hardening equipment upon installation, maintaining up-to-date asset inventories, keeping detailed drawings, having complex passwords, and having good backups with incident response plans. Beyond these foundational steps, organizations need to conduct a cybersecurity assessment.

Maryann:

And Matthew, when we say assessment, cybersecurity assessment, what does that really mean?

Matthew:

A cybersecurity assessment is an evaluation of an organization's environment to identify vulnerabilities and risks. These assessments can come in different forms (initial, comprehensive, customized, etc.), but generally they all involve several key steps: identifying which assets or systems are most critical to operations (these are often called crown jewels), identifying potential threats and vulnerabilities specific to the organization, and analyzing current security measures against industry best practices to rank those findings.

Matthew:

At Eaton, we recommend assessing systems at least once a year, though this can vary.

Maryann:

Sure, and with connected devices reaching over 16 billion just this past year, it's going to be critical to implement a regular assessment. So let's dive into then specifically the importance of this assessment. Why should organizations be doing them?

Matthew:

Well, as we talked about previously, the attack surface for cyber threats has expanded significantly, making assessments more crucial than ever. The importance of regular assessments lies in their approach, which includes an analysis of people, processes and technology. Regular assessments provide a clear understanding of an organization's security posture, highlighting the areas needing improvement and helping to prioritize that investment, which, if all done right, will safeguard against disruptions, safety incidents, financial losses and reputational damage.

Maryann:

You've talked a couple times about prioritizing investment. Can you explain that more? What makes that piece so important or difficult?

Matthew:

Yeah, because that's really important. Prioritizing investment in cybersecurity is crucial because resources are often limited and not all vulnerabilities pose the same level of risk. However, determining which areas will provide the most significant protection for the investment isn't always obvious. I mean, the reality is plant owners and executives face the real challenge of deciding where to prioritize investment across all their operations, not just cybersecurity.

Maryann:

A balancing act.

Matthew:

Yep. Exactly. They need to balance the budget between enhancing cybersecurity and all the profit-generating activities they have. This is exactly what cybersecurity assessments should be helping to address.

Maryann:

Right. So you've done the assessment. You have the results. How does somebody use that information to be impactful?

Matthew:

Well, a couple things should be done after an assessment has been completed. The assessment should be used to identify and rank vulnerabilities based on their potential impact and likelihood. Then a roadmap should be created to address those risks. Maintenance plans should be reviewed and include cybersecurity tasks to reduce costs and then ensure that security measures are regularly updated.

Matthew:

And finally, assessment findings should be integrated into training programs, ensuring that employees are aware of security practices and understand their role.

Maryann:

Matthew, one thing we haven't really touched on is how codes and standards tie in to all of this. What are those saying?

Matthew:

That is a great and very relevant question. In fact, it was just recently that cybersecurity language was added to the 2023 National Electrical Code. It now includes provisions that mandate cybersecurity, particularly for critical systems. Outside of the NEC, frameworks like the Cybersecurity Framework and IEC 62443 offer guidelines for protecting environments. And then you have federal agencies like the EPA, NSA, CISA.

Matthew:

They all provide recommendations and sometimes regulations to enhance cybersecurity across various critical sectors.

Maryann:

Sounds mostly specific to the US.

Matthew:

Yeah, those agencies I rattled off. Yes, those are specific to the US.

Maryann:

What about the EU or other regions?

Matthew:

Well, usually each country has their own rules by which they play. It is admittedly sometimes a lot to keep up with, certainly. But the important takeaway is that they exist and they are becoming more prevalent.

Maryann:

Okay, how about some common misconceptions about OT cybersecurity?

Matthew:

A couple common misconceptions I would highlight are, you know, many believe that OT systems are completely isolated from IT networks and the internet. While this might have been true in the past, this just isn't true anymore. In my career, as many facilities as I visited, I have yet to see a system that is truly 100% isolated. Another misconception I would add is, you know, some believe that cybersecurity is a one-time effort, such as installing a firewall or antivirus software.

Maryann:

So the reality of it is cybersecurity requires continuous monitoring.

Matthew:

Exactly. Continuous monitoring, regular updates and ongoing assessments to adapt to an evolving threat. Cybersecurity is like electrical maintenance. It's a journey, not a destination.

Maryann:

Last question here. What's happening in the next 12 to 18 months? What is your future outlook?

Matthew:

Well, in the next 12 to 18 months, as industries continue their digital transformation, the number of connected devices will increase, expanding that attack surface and increasing the relevance of OT cybersecurity. One key focus, and I realize this isn't groundbreaking anymore, but it would be around AI. We can't ignore the potential impacts of it, both positive and negative.

Matthew:

On the positive side, AI will help us find and fix problems faster. On the downside, cybercriminals can use AI to enhance their strategies. On top of all that, I would expect regulations and standards to continue to improve, both becoming more enforceable yet more practical.

Maryann:

Awesome. This has been incredibly insightful. Matthew, thanks again for your time. We really enjoyed your insights today.

Matthew:

Of course. Thanks for having me.

Maryann:

To learn more about how Eaton is securing Intelligent Power Management Systems and other OT environments, visit us at eaton.com backslash cybersecurity services.
