Earlier this year Honeywell launched its first industrial cybersecurity centre of excellence (COE) at its Middle East headquarters in Dubai. At the opening, CTS met up with Jeff Zindel, vice president and general manager, Honeywell Industrial cybersecurity for critical infrastructure & IIoT, to discuss the industrial cybersecurity landscape.
Connected Technology Solutions (CTS): Does the increased threat of cyberattacks negate the value of connected technology?
Jeff Zindel (JZ): The benefits of digital transformation and the power of connected technology are tremendous as we know in enhancing productivity, unleashing new value for companies, but critical is enabling it securely. Cybersecurity should be considered upfront in all digital transformation or IoT initiatives. The good news is that with Honeywell being a leading expert in the area we’re here to assist companies where they don’t have those specialities in-house.
CTS: Does size matter when it comes to cybersecurity?
JZ: I believe cybersecurity should be embedded and layered on top for all customers. Whether it be in high or low risk assets it really comes down to their tolerance of risk and the consequence of an incident or cyberattack and what that might result in. Based on the varying levels of cybersecurity controls and maturity we recommend depending on their risk profile and risk position. For us it is not so much about the size of the company or the size of the facility but the risk, whether it is a process disruption risk or a risk to the brand.
CTS: Is a layered approach to cybersecurity still valid?
JZ: We totally believe in layered cybersecurity because you have got to have different levels of protection and different levels of defences to protect you across an enterprise. But a defence in depth strategy is core to our view of cybersecurity and it is just a matter of the maturity of the site or customer.
CTS: Are people still the weakest link in cybersecurity?
JZ: People are and will be involved in most cases, so we advocate taking a holistic approach to cybersecurity addressing people, process and technology. It is critical to have the right policies, training and awareness in place, but again that is not enough. We advocate putting the right technologies in place, the right architecture to mitigate or minimise the impact a malicious or accidental action by an employee, vendor or visitor can have. We believe again to put in layered controls and technologies to minimise the risk of a cyberincident by a person or should unfortunately an incident occur, then to minimise the impact and layer in recovery actions, continuous monitoring in a way that provides insight. If you can’t block the action at least have the visibility into the action to be able to react quickly.
I refer to them as insider threats, bad people meaning to do harm, and then there are insider risks, which is more often the case when you have an unsuspecting employee, contractor, vendor or visitor who is introducing malware or risk without knowing what they are doing. For the most part they are people trying to do a good job, but if you don’t have the right cybersecurity technologies and controls in place you are opening yourself up to tremendous risk.
CTS: How does the move to autonomous operations affect cybersecurity?
JZ: It is essential to have continuous monitoring in place, to have visibility into what is happening, to understand and baseline what I would call normal operations and be able to identify those process upsets or those anomalous activities or behaviours that would flag a concern or a risk. For us it is about continuous monitoring. We have developed a platform called The Industrial Cybersecurity Risk Manager that provides real-time visibility into vulnerabilities and threats. We also offer managed security services to our customers to provide 24/7 secure and remote monitoring and expert support to complement their staff or unmanned operations.
CTS: How important will machine learning be to cybersecurity?
JZ: It is part of our connected strategy across the corporation in connected plant. We are embedding cybersecurity technology in concert with our machine learning and analytics platforms to capture data in real-time and to gain insights.
CTS: How should industrial companies measure their risk?
JZ: This is all based on proprietary, patented Honeywell industrial and OT cybersecurity understanding. What we are doing on a real-time basis is capturing information from devices and network flows to identify vulnerabilities and threats, and through algorithms translate those into indicators of risk. We are then scoring those risks and tying that risk back to concepts and industrial environment zones. We are looking at it from a perspective of zones and devices or areas or processes of greatest risk. We are scoring that and presenting that in a simple manner that a control engineer and all the way up to a cybersecurity expert or CIO could benefit from.
CTS: Some people still question the validity of the cyberattack threat. What would you say to them?
JZ: The threat is real. We are operating in industries and countries around the world and we are certainly seeing an increase in the number of attacks and the number of incidents in industrial environments. The good news is that we have solutions and there are technologies being introduced to help industrial customers. With digital transformation comes an increased focus by corporate leaders to move forward and protect assets and increase awareness to move forwards in a smarter way than they have in the past.
CTS: How can you marry the different security approaches between IT and OT?
JZ: With digital transformation comes an ever-increasing drive towards IT and OT convergence. That is the marrying of information technology with operations technology. We are increasingly seeing the digitisation of what were previously analogue instruments. To us the cybersecurity principles still hold and there is still separation. If you segment networks correctly, you separate them and put the right monitoring in place, put the right cybersecurity controls in place and you can certainly move forwards in a safe and secure manner. It requires in-depth understanding of industrial environments to safely and securely deploy cybersecurity technologies. As you know they are different worlds. You have plants that are running on five, 10 or 20-year-old technology in some cases. IT networks are different, they are not so concerned about the downtime so that is something that differentiates. We live, eat and breathe OT environments and enable that effective convergence with corporate networks.
CTS: Is there a different approach between greenfield and brownfield facilities when it comes to cybersecurity?
JZ: Legacy equipment creates its own unique challenges because productivity, safety and reliability is the name of the game. You must be very smart about what technologies you deploy, what architecture changes we make and when we make them, how we operate within their operating environment when they have shutdowns and when we can make changes. Certainly, there are solutions for continuous monitoring, to proactively identify vulnerabilities and threats and build those layers of cybersecurity technology on top of that brownfield site. It is challenging but that is what we have been doing for 15 years. Over that time, we have learnt a lot and developed our own methodologies, solutions and own software to address some of these challenges.
CTS: Are we winning the cybersecurity battle?
JZ: I would never want to address the question as a battle. What we are doing is helping our customers significantly enhance their cybersecurity resilience and defences and drastically reduce the chance of accidental attacks. There are incredibly sophisticated state-sponsored attacks and it’s an ongoing challenge and an ever-changing environment.
Nation state attacks can be very well funded and are very sophisticated. It’s a challenge though that we look at when we work with customers to step back and take steps to not only increase their protection but also their resilience and recovery. If an incident can occur, what are the policies and procedures as well as recovery mechanisms in place to recover from that? We assume the worst with customers that have a risk profile that warrants it and then we plan back from that. An example is we work with customers on actual attack scenarios to identify what happens, who does what, what policy is in place, who has decision-making authority. Another simple example is testing the backups, not just making the backups but making sure you can restore the system. It’s an ever-increasing, challenging environment that we operate in but that’s not going to change.
CTS: Why do we need physical centres in the virtual world?
JZ: This Middle East cybersecurity centre is critical because it allows customers from a range of countries to come in and see cybersecurity technologies demonstrated, see actual attacks, train their employees on how to protect and defend against those attacks. It is valuable in having that personal engagement.
On the virtualised front, this centre is benefiting from other centres around the world. On a virtual basis we are carrying out joint research with our Atlanta centre, our Singapore centre and research facilities around the world. As we develop solutions and work to enhance our capabilities we are doing that on a virtual basis.
CTS: What is the level of awareness when it comes to industrial cybersecurity?
JZ: I think there is a tremendous awareness and understanding by customers on a broad scale now of the need for cybersecurity in industrial environments. At the same time there is a tremendous shortage of industrial cybersecurity talent; there is a great shortage of skilled resources who understand the intricacies of operating technology in industrial environments. If they know cybersecurity they might just be an IT networking professional; they don’t know anything about the OT side. On the OT side you may have several process engineers, many of whom have grey hair today and they don’t understand IT network technology and cybersecurity. What we strive to do is to partner with customers, be they the most developed enterprise or a small individual plant, to help complement their teams of their lack of skill.
CTS: What does the future hold for cybersecurity?
JZ: In the future it is going to be leveraging the power of connection for cybersecurity to provide that visibility and real-time insight of what’s happening and to leverage the experts that can’t be everywhere at once. It’s also, though, to be looking at cybersecurity increasingly at a system of systems level rather than at a product, device or component level. While those are important at the core you have to have security embedded in each of your devices, more important is the interaction of those across a network or system. With the proliferation of connected devices, the need for cybersecurity across and over the top is more important.