Video and podcast: Closing Gaps in Risk Management: Technologies to Ditch Your Old Processes

Smart Industry's guest on Feb. 22 was Christina Hoefer, VP of global industry enterprise at Forescout, a cybersecurity company that continuously monitors, identifies, and protects all connected IT, IoT, IoMT, and OT assets against cyber threats and ensures compliance with incident response, threat intelligence, and dynamic segmentation.

IT and OT are converging everywhere in industry, at increasingly measurable rates. At a lot of manufacturing companies, however—especially small and medium-size ones—these personnel and departments still are siloed from each other and work with manual processes that are years old (such as sporadic cyber risk assessments) and account for asset inventories using Excel spreadsheets.

The overall message from Christina Hoefer during our SI presentation: "We cannot do this on paper anymore. Attackers are automating their steps. So, companies should be doing this, too. IT and OT cannot be this siloed."

The audio from the Feb. 22 program with Christina Hoefer also appeared in our podcast series, Great Question: A Manufacturing Podcast.

Transcript of this program

Hello, good morning and welcome to our latest Smart Industry livestream. Today, we are going to discuss “Closing Gaps and Risk Management: Technologies to Ditch Your Old Processes.”

I am Robert Schoenberger, editor in chief of Smart Industry, and I'm filling in today for Scott Achelpohl, who is one of the many people in the U.S. today stuck with internet outages because of the AT&T problems, hopefully this will get solved sometime soon.

Our guest today is Christina Hoefer, and she is vice president of global industry enterprise at Forescout, a cybersecurity company that continuously monitors, identifies, and protects all connected IT, IoT, IoMT, and OT assets against cyber threats and ensures compliance with instant response, threat intelligence, and dynamic segmentation.

IT and OT are converging everywhere in industry. At a lot of manufacturing companies, however, especially small and midsize ones, these departments are still siloed from each other and work with manual processes (such as sporadic cyber risk assessments) and account for asset inventories using Excel spreadsheets.

The message from our guest today: We cannot do this on paper anymore. Attackers are automating their steps. They should be doing the doing the same IT and OT cannot be siloed.

Welcome to the program, Christina.

Christina Hoefer: Thanks, Robert, for having me today on your program.

Over the last 15 years or more, I had the pleasure to work with several critical infrastructures, manufacturing organizations, to secure their digital transformation and especially the OT environments. So this is a big, big topic.

Robert Schoenberger: Let's just move right into the questions here. Digital transformation really gained momentum in 2023, and it looks like it will keep rolling in 2024, especially for small and midsize manufacturers. Can you give us your take on beginning to break away from these analog processes? Where should companies begin?

Christina Hoefer: Yeah, that's correct. So, it's no longer sufficient to just look at, you know, analog processes, siloed teams, and tools. The thing is digitalization brings a lot of competitive advantages and improves the process. The whole production gets more efficient because we can have analytics. But you know it also exposes vulnerable systems, and it connects those OT systems that were never designed to be connected, for that whole connectivity with corporate systems or internet facing to even work. So that leads to an increased attack surface that we need to monitor and secure, and the first steps that organizations can take is to, well, gather these insights, you know, into assets, how they connect, do they have connectivity?

Did vendors potentially bring in remote access solutions? We see this a lot of times, that there are actually a lot more connectivities. From OT systems out of the network, you know to remote sites, to contractors and this, of course, means that we have increased. And I don't mean let's do this with pen and paper. The best thing is to have some database or monitoring system where we can consolidate this information because we might have to go back to this information when there is a cyber risk to make sure we aren’t exposed to this threat. What do we need to do? I don't know if you know, but there was this incident somewhere in some hardware system where OT was to shut down preemptively because they just didn't know if it would be affected if there would be a way for the IT attack to spread through the network and affect OT.

Robert Schoenberger: I've talked to companies a few times who refer to their pen and paper systems as more secure because you can't hack my notepad, but this whole protection from obsolete by obsolescence doesn't seem to really jive well with the need for improved operations and efficiency in modern manufacturing.

Christina Hoefer: Oh, for sure. I mean, attackers are automating their steps, so we also need to be automating the other side, right, the protection.

Robert Schoenberger: So, moving on, it's obviously important for data and cybersecurity if vulnerabilities in mixed digital and analog environments are addressed and automated. What are examples, the most egregious, of gaps in risk management? What are the ones that are what are the ones to NO LONGER do or to try to get away from?

Christina Hoefer: Well, the first problem that we often see is that, you know, suddenly the CISO is responsible for managing OT security, and then the security teams bring in their IT tools without considering the context of the OT system. You know, patching may not be possible. It may not be compatible with the operating systems. So, we must take into account that OT systems may need different controls, different ways to secure.

The second part is working in silos, you know, like letting the OT folks figure out the security for their systems, letting IT do their part. And then you often have gaps in … those mixed environments, but also the OT guys, they're responsible to keep the production process running, the factories safe. We don't have a security background, so it's best if we work together. Everybody's leveraging their strengths. That way, we can succeed.

I've talked a lot to people over the past few years about the cultural differences. Yeah, the OT mandate for the past 50 to 75 years has been getting more product out of the door. Anything that slows down production is the worst thing that can happen. And you mix that with the IT mindset of we need to protect our systems as much as possible there. There's this disconnect between the two.

Robert Schoenberger: I've heard from OT asset owners that they are running systems with a very old malware still on the system because it doesn't affect the process. So, for them, that's secure. It's not connected. But yeah, there's definitely a change in mindset required.

So, going on, what automated processes should be “automatic” to adopt? Assume that you would recommend continuous risk assessment, but what are the best processes to adopt?

Christina Hoefer: The first step is to build a good foundation with real-time asset inventory monitoring, and … there now tools that can automate this. For OT environments, you would use something like deep-packet inspection, for passive monitoring of the network traffic to extract all the information about the systems that are connected. These systems are very talkative. They share things like the configuration, their status, so they can be used to build an inventory of the lower future levels.

But if you look at other systems, you can leverage some of the IT ways also in OT, but it needs to be done considering the context and security, so we can query some of the network infrastructure. For what is connected, we can query some of the endpoints to get more asset details and, of course, API integrations or control. The system itself can lend a lot of information about the assets, so that's where we should start, you know, automating, collecting, monitoring, and tracking this.

And then you mentioned risk assessment. So yeah, that is ultimately where we want to move towards, we need to look at what are the risks of these devices. So, the asset inventory is the first place to start, but then we can start assessing the next steps.

Robert Schoenberger: Looking at those next steps, what should risk assessments consider in an IoT or an IT environment?

Christina Hoefer: So, we need to look at what types of devices are in OT. It's very important to consider the function of the device and the criticality for the process. We look at the configuration, of course, like the firmware version, we can match that with vulnerability information to figure out where there are vulnerable services or functions. And then, of course, the behavior also. Does it connect to the internet? Does it require this connectivity? And then if we have this context, we can start to automate this? We can start to automate assessing and monitoring the risks, right?

Suddenly there's a system that is connecting to the internet. Never required this access. Suddenly there's an IP camera and talking to a process controller that shouldn't happen, right? So, we can monitor for these kind of changes and then be more proactive. Also to fix some of these things. And that way we minimize our exposure, and the best is, of course, to do this without impacting the process control system.

Robert Schoenberger: It’s part of that process to really identify which components need to be connected to the internet. I think of this big cyber tech a few weeks ago that was announced that it was using internet-connected toothbrushes as a format for a denial-of-service attack. By having all these IP connected toothbrushes (I think it was one of the Scandinavian countries where it originated) it just got to why do we have so many internet-connected toothbrushes in the first place?

Christina Hoefer: Yeah, it's about understanding what is connected to the network and then how it's connecting, but also the dependencies because you know, attackers will use anything they can find. Often, it's compromised IT access, somebody’s leaked credentials. So, they're found from there. You just try to get to whatever is connected. IoT assets and OT assets, they're not built with that security in mind and, therefore, they’re an easy target. Often passwords are just the default, and you can find that in the user manual.

Robert Schoenberger: Everybody knows that patching in OT can be a challenge. As IT and OT converges—you sometimes have to go machine by machine with the USB thumb drive or something like this as OT and IT converge—but what common processes can be adopted between them and where do we need other approaches?

Christina Hoefer: We always need to consider the device context and, once we have that, we can start to leverage some of the processes we're using in IT. And for others, it's better to review that first. Patching, for example, is often not possible because the OT systems are so old, they no longer are patches being produced. In that case, we just need to look at other measures like, for example, segmentation, making sure that the device is really just allowed to talk to what it should be talking to, and it doesn't have access to any other system.

Systems patching can be automated, for the more modern systems. It might be on more up-to-date operating systems, and that's where we need to work together, right, IT and OT need to collaborate. OT knows best when the next maintenance is. That window … is a good time to reboot the systems to install the patch, whereas IT might have the experience on how to do this. So, it's really collaboration that is key.

Robert Schoenberger: That's great. It's a fascinating time to watch this. We've joked at our various brands here at Endeavor Business Media, with Smart Industry and IndustryWeek and Automation World, that cybersecurity has been something we've written about for years, but it generates very little interest. That is until I'd say about September, October of last year, at which point everyone started paying attention all at once. I think maybe the Clorox hack was a big moment for the industry in realizing exactly how much risk there was to losing productivity, to losing your basic functions, if you don’t pay attention.

Thank you so much for joining us today, Christina. Thank you for your expertise and thanks to Forescout for sending you along and giving us your time today.

And that's a wrap. Thank you all for joining us at Smart Industry, and we look forward to presenting more livestreams in the future to discuss these important topics. Have a great remainder of your day.