By Gregory Hale
When it comes to cybersecurity in the manufacturing automation sector, there are plenty of product hypesters out there saying their solution will solve your security issues. But getting a firm grasp on the basics will win out in the end.
“Don’t get distracted by the ‘silver bullet’ and the shiny new product of the future and do the intitial work,” said Renaud Deraison, co-founder and chief technical officer at Tenable during a session last Thursday at the Future of Cybersecurity event sponsored by Siemens which was a part of National Infrastructure Week hosted by Bloomberg in Washington. “Instead, know what the assets you have, and make sure they are up to date and you will get great results.”
What has been happening over the past few years is the movement toward a fully digital automation environment where IT and OT have been connected together and they are centralizing information, but that does present a security issue where more and more layers are adding on to the network.
“When you talk about security these days, all these layers tend to add latency,” Deraison said. “So, manufacturers don’t use the security because it will slow it down. When all these systems are connected, these industrial control systems become a high value target and it is low hanging fruit. The technology is way behind.”
“The problem is systems have not been designed with security in mind,” he said. “There is no idea of cyber hygiene and there is no segregation between the operating systems versus the network.
Deraison said there are two big security gaps companies are facing: The software itself and how it is being deployed.
“If you look at the software industry over the past 20 years, a lot of changes happened to make software more secure. New security practices, testers probed the software and vendors reacted and made software more secure. It has gotten way better. How you deploy it, you look at the segregation between the servers and firewalls. In plants, you have a bunch of devices and connect them together and users connect them to the network along with printers. What you see is nobody knows what they have. The lack of basic cyber hygiene. Making sure systems are up to date, making sure there is segregation between production versus end points. That work has not really been done. It is happening, which is a good thing, but it is far behind.”
Talking about the downside is one thing, but Deraison, whose feet are planted firmly on the ground, also looked to the future and one of the latest buzz word technologies, artificial intelligence (AI), was part of the discussion.
“You can use AI in many ways in cybersecurity. But first, you have to do conventional work and foundational work to maintain good cyber hygiene. Just make sure the system is up to date. Making sure when the vendor issues a critical security patch it is deployed. That is still very far behind. Before you talk about AI; we really believe AI can become a distraction. The industry has been looking for a silver bullet for a long time. If you maintain a system, if you know what your systems are, if you make sure they are up to date, you can take care of 95 percent of the issues. Once you do that, then AI can become interesting. There are multiple uses of AI. Some companies use AI as a way to interpret behavior. If you detect a change in behavior, you can see if the system is connecting to some host in China for the first time and that is weird. Some others use AI for automation. AI doesn’t take any initiative. AI is all about known situations and the next time it sees something, it can help find an attack. Still a lot of research that needs to go into AI.”
Solid Software Security
While AI may be a ways off to be an effective security tool, software vendors today are starting to become more solid.
“There is a wake up call for cybersecurity. We are adding layers upon layers of security on top of software,” Deraison said. “There is a maturity for software that is starting to get secure. We are not there yet, but we really believe it is the way to go instead of adding layers and layers of security.”
In the end, manufacturers need to understand the basics of cybersecurity and then grow from there.
“There is a lot of conventional work that should be done around the basics of cyber hygiene, which seems boring but it needs to be done,” Deraison said. “Just doing that right reduces exposure and cyber risk by orders of magnitude.”