An interview by we.CONECT Global Leaders with Grant Geyer, Chief Product Officer at Claroty
we.CONECT: Why is cybersecurity for operational technology and IIoT assets such a big focus of concern now compared to the past?
Grant: In the past, OT and IIoT assets were physically separated from the corporate IT network. As digital transformation creates new efficiencies and competitive advantages, the benefits of establishing connections between these environments and the cloud are too great to ignore. While the benefits are clear, organizations frequently fail to fully appreciate that if not properly architected, these new connections can expose OT assets to cyber attacks. As many OT assets have long depreciation periods, and can only be patched during specific change windows, obsolete and vulnerable assets are ripe targets for threat actors to accomplish their criminal or geopolitical objectives.
we.CONECT: What are the top challenges that enterprises operating cyber-physical systems need to be addressing right now with respect to security?
Grant: Most importantly, organizations need to understand that cyber risk is just another form of operational risk, and needs to be managed the same way that the leadership team thinks about liquidity risk or supply chain risk. With that framing, we see the same challenges playing out across asset-intensive enterprises:
- Obsolescent and vulnerable assets: Due to the long depreciation periods of OT assets, it is not uncommon to come across assets that are no longer supported by the vendor, or for which the vendor is no longer in business. Even assets that are supported by the vendor may be infrequently patched, making them vulnerable to attacks. While not all of these assets can be replaced or patched frequently, organizations can leverage compensating controls to mitigate the inherent risk.
- Insecure remote access to OT environments: While many organizations have established remote connections to their OT environments for many years to enable operating efficiency, this trend only accelerated during the pandemic. It’s also common that both the enterprise’s employees and third-party automation vendors and contractors need remote access, expanding the risk that an attacker can get access. What’s particularly surprising—albeit common—is how many of these remote access connections rely on a simple username and password for access, rather than requiring multi-factor authentication. While remote access is a business imperative, it needs to be implemented securely.
- Rapid device expansion increases exposure: Organizations are connecting previously isolated operational technology systems to corporate IT systems and the internet. These OT systems manage, monitor, and control industrial operations. At the same time, companies are also bringing more IoT, industrial IoT (IIoT), and Internet of Medical Things (IoMT) devices into their newly converged OT/IT environments. Although these changes are aimed at increasing operational efficiency and reducing costs, this means that the cyber-physical systems used to run hospitals, power grids, oil pipelines, water utilities, and many other kinds of critical infrastructure are becoming exposed to new kinds of cyber threats that they were never built to withstand.
- Increased frequency and severity of attacks: Cyber-physical systems are attractive targets for threat actors because of their criticality levels and vulnerabilities that leave them open to attack. While compromised IT networks and security breaches that exfiltrate personal data are very costly and have other financial implications, they don’t threaten the physical world we live in and the systems we depend on. Lives and livelihoods are at risk when cyberattacks spill over into the OT realm and have a physical impact. Some examples of threats associated with cyber-physical systems include:
  - Malware: Targeted attacks against a Ukrainian electricity provider using Industroyer2, a variant of the 2016 Industroyer malware.
  - Ransomware: The ransomware attack on Colonial Pipeline compelled operators to shut down oil and gas delivery to millions of people to mitigate impact to the OT network.
  - Unauthorized Remote Access: The Oldsmar, Fla. water treatment facility was breached by a remote attacker who managed to gain access to systems via desktop-sharing software.
  - Distributed Denial-of-Service (DDoS) Attacks: Russian threat actors launched a series of DDoS attacks against commercial satellite networks to disrupt Ukrainian command and control, with spillover impacts on other European countries.
  - Service Tampering: White-hat hackers have demonstrated vulnerabilities in IoMT devices that allow them to increase dosages or manipulate treatments in ways that may result in sudden death.
  - Supply Chain Attacks: The SolarWinds Orion software attack enabled a threat actor to establish a foothold in Orion users’ networks and move laterally to gain access to other network domains in order to steal data or exploit other vulnerabilities.
- Increased skills gap between IT and OT staff: A significant breadth and depth of domain knowledge is required to understand how best to secure each environment while operating within the models and methods unique to each. IT security teams typically prioritize confidentiality of data over integrity and availability, while teams that run OT networks prioritize availability (or uptime) over integrity and confidentiality. Respecting those priorities within the paradigms of each sector is paramount.
we.CONECT: How do operators need to evolve to overcome these challenges?
Grant: Every company is on a journey to better and more efficient protection of cyber-physical systems. The most successful companies do a great job of understanding where they are on the journey and how to structure their next steps. One framework that is especially useful towards this goal is the Gartner OT/CPS Security Journey.
I believe the most important step is awareness of the state of cybersecurity, and the operational risk that it creates for the business. This can be accomplished by conducting a risk assessment with a specialized cybersecurity consulting firm, or by leveraging tools specialized for visibility and risk assessments. I also believe it’s critical that this be driven from an organization’s top leadership, such that the results can be governed in the same way other operational risks would. However, be forewarned: conducting a risk assessment will transition an organization from ignorance to negligence if the results are not acted upon.
we.CONECT: How is the U.S. Government responding to the risks?
Grant: In the United States, so many organizations that are designated as critical infrastructure are owned and operated by the private sector. For years, the stance of the U.S. Government was that free market forces would force private sector enterprises to manage their cyber risk, or they would suffer brand and reputational loss. As an outcome of the economic impact of the Colonial Pipeline breach, or the public safety risk associated with the water treatment plant hack in Oldsmar, Florida, it has become clear to policymakers in the executive branch and Congress that free market forces are not working and the government needs to step in. Over the past couple of years, we’ve seen TSA implement regulations on the pipeline operators, and we expect much more to come in other sectors. CISA has also released cross-sector cyber performance goals (CPGs), and is planning to release sector-specific CPGs across all 16 critical infrastructure sectors. We’ve also received a clear signal that cybersecurity continues to be a bipartisan and bicameral issue, so we expect to see more legislation come out of Congress.
we.CONECT: What role can organizations like Claroty play outside of providing commercial solutions?
Grant: There are a lot of different ways to solve the myriad of challenges facing cyber-physical systems owners and operators—there’s no one-size-fits-all and there is no silver bullet. This means that Claroty and other solution providers need to work together with public sector entities to achieve our common goal of making cyber-physical systems safer and more efficient.
One way that Claroty has been doing this is by joining together with a diverse group of cybersecurity leaders to form the OT Cyber Coalition. The coalition advocates for vendor-neutral, interoperable, and standards-based cybersecurity solutions, and works collaboratively with industry and government stakeholders on how to best deploy data-sharing solutions that enhance our country’s collective defense. Its efforts support the notion that competitive solutions promote innovation and strengthen our national security.
Grant Geyer, Chief Product Officer
Grant Geyer oversees Claroty’s product management, engineering, and research organizations, and is responsible for the company’s product strategy and development. He has had a successful career as an operator in the cybersecurity industry for over 20 years. Most recently, he worked as an Executive-in-Residence at Scale Venture Partners, where he assisted the firm in analyzing cybersecurity markets and ventures. Prior to his work with Scale, Geyer held the role of Senior Vice President of Products for RSA, responsible for both traditional and SaaS product offerings. Prior to RSA, Geyer served as Vice President at Symantec, which he joined through its acquisition of Riptech. Earlier in his career, Geyer served as a Military Intelligence officer for the U.S. Army. He holds a B.S. in Computer Science from the U.S. Military Academy at West Point and an M.S. in Engineering Management from the University of Maryland, Baltimore.