Industrial CISO Perspectives – From Vulnerabilities to Strategy: Transforming Industrial Cybersecurity Management – IndustrialCyber


Discover critical insights from Takepoint Research as we delve into conversations with cybersecurity experts defending industrial enterprises.

Justin Nga, Cybersecurity Manager at CitiPower and Powercor

The landscape of industrial cybersecurity is rapidly evolving, influenced by the increasing convergence of IT and OT, and the rising sophistication of cyber threats. As a Cybersecurity Manager at CitiPower and Powercor, Justin Nga offers a unique perspective on these challenges, shaped by his extensive experience and strategic approach. This article delves into Nga’s insights on cybersecurity strategy, team composition, threat evolution, risk management, and the necessity of survivable architecture in OT environments.

Introduction

In today’s interconnected world, the cybersecurity of operational technology (OT) is more critical than ever. The integration of IT and OT systems presents new opportunities for efficiency and innovation, but also exposes organizations to heightened risks. Justin Nga, Cybersecurity Manager at CitiPower and Powercor, shares his approach to navigating this complex landscape, emphasizing strategic planning, proactive risk management, and the importance of a well-rounded team.

Understanding the Role and Its Influence on Industrial Cybersecurity

Nga’s role involves a blend of strategic oversight and hands-on management. Reporting directly to the technology manager and the CIO, Nga is responsible for shaping the cybersecurity infrastructure and controls of the organization. His daily tasks include preparing quarterly reports for the board, addressing vulnerabilities, managing identity systems, and ensuring a robust security posture.

With a background in control systems, Nga brings a historical perspective to his role, understanding the evolution of OT security from its early days to the present emphasis on a ‘shift left’ approach. This proactive stance ensures that security is integrated into the development stages of any new project, avoiding the pitfalls of retrofitting security measures post-deployment.

The Composition and Expertise of the Industrial Cybersecurity Team

A diverse and skilled cybersecurity team is vital for addressing the multifaceted challenges of modern OT environments. Nga’s team comprises experts with varied backgrounds, from PhDs in network systems to seasoned control systems engineers. This mix of technical prowess and strategic insight enables the team to tackle complex issues effectively.

For instance, the team’s network systems expert provides a deep understanding of intricate networking challenges, while Nga’s control systems expertise ensures a grounded approach to operational security. Additionally, a team member with a strong IT infrastructure background complements the overall skill set, and the latest addition, an analyst with fresh perspectives, brings valuable data analysis capabilities.

Evolving Threat Landscape and Lessons from Past Industrial Cybersecurity Incidents

Cybersecurity threats are continually evolving, with recent incidents underscoring the need for vigilance and adaptability. Nga highlights notable examples such as the Maroochydore Shire insider threat and the MOVEit hack. These incidents emphasize the importance of understanding supply chain vulnerabilities and the interconnected nature of IT and OT risks.

The Maroochydore Shire incident, for instance, involved an insider who retained access due to inadequate deprovisioning processes, highlighting a critical supply chain risk. Similarly, the MOVEit hack, which affected the company indirectly through a consultant breach, showcases the dangers of third-party data sharing. These cases illustrate the need for a comprehensive approach to cybersecurity that considers the broader context and potential indirect impacts of supply chain vulnerabilities.

Risk Management in IT and OT: Convergence and Challenges

Risk management in industrial cybersecurity involves more than just network integration; it requires a convergence of technologies and methodologies. The adoption of IT protocols and operating systems in OT environments introduces new vulnerabilities, necessitating a balanced approach to risk management.

Nga points out that while IT often has more resources, it still faces breaches, challenging the assumption that adopting IT tools can fully safeguard OT environments. This reality underscores the need for a nuanced approach that considers both the unique characteristics of OT systems and the lessons learned from IT risk management practices.

Addressing Industrial Cybersecurity Concerns with the Board

Engaging with the board on cybersecurity matters requires a strategic and clear approach. When Nga first joined the company, he was tasked with developing a comprehensive cybersecurity program. He shifted the board’s focus from fear-based concerns to a rational risk management strategy, detailing how funds would be allocated over three years to manage identified risks.

By breaking down risks into components such as threat actors, vulnerabilities, and potential consequences, Nga was able to secure board approval for targeted investments. This methodical approach, emphasizing areas within the organization’s control, helped the board understand the rationale behind each investment, leading to sustained support and funding.

Survivable Architecture in OT Environments

The concept of survivable architecture is central to maintaining operational resilience in OT environments. Nga explains that a survivable architecture ensures that systems can continue functioning even if certain components are compromised. This principle is particularly important for OT systems, where local control is crucial and over-reliance on cloud-based solutions can introduce significant risks.

Adopting new technologies, such as those associated with Industry 4.0, necessitates a careful evaluation of cybersecurity risks. Nga uses the analogy of modern car braking systems to illustrate the trade-offs between technological advancements and potential vulnerabilities. Understanding these risks and preparing accordingly is essential for making informed decisions about cybersecurity risk appetite.

Collaborative Risk Management and Organizational Challenges

Effective risk management requires collaboration across IT and OT divisions. Historically, IT personnel were often viewed as outsiders in operational environments, creating a divide that hindered cooperative efforts. However, there is a growing recognition of the need for a unified approach, integrating IT and OT into a cohesive technology framework.

This shift is driven by external pressures, such as geopolitical events and the push towards Industry 4.0, which emphasize the benefits of IT-friendly practices in manufacturing and beyond. Despite challenges and resistance, fostering open discussions and collaboration is crucial for addressing organizational risks effectively.

Inherent Challenges of Organizational Cyber Risk

Assessing and communicating risk levels within an organization involves transparency and clarity. Nga describes how his team evaluated the impact of their multi-factor authentication (MFA) strategy, determining that it reduced risk to a manageable level. This assessment was communicated across the organization, ensuring alignment and understanding of the risk posture.

Sharing cybersecurity practices internally and externally poses challenges, especially concerning the timing and extent of information disclosure. Nga emphasizes the importance of responsible knowledge sharing, whether discussing frameworks like the SANS Institute’s guidelines or pursuing further education to stay informed about risk management and governance.

Assessing and Prioritizing Industrial Cybersecurity Risks

Prioritizing risks involves evaluating the likelihood of various threat vectors. Nga explains that while the risk of physical network access by an attacker is lower, internet-based attacks pose a higher likelihood due to their anonymity and ease of execution. This understanding guides investment in security measures, focusing resources on mitigating the most significant risks.

Technologies like attack path analysis and automated penetration testing are gaining interest, but Nga stresses the importance of foundational work in understanding critical assets and consequences. This focus ensures that efforts are directed towards the most significant risks, avoiding distractions from less critical vulnerabilities.

Conclusion

Navigating the industrial cybersecurity landscape requires a strategic, proactive, and collaborative approach. Justin Nga’s insights from his role highlight the importance of integrating security early in the development process, fostering a diverse and skilled team, and maintaining clear communication with the board. By understanding the evolving threat landscape, adopting survivable architectures, and prioritizing risks effectively, organizations can enhance their cybersecurity posture and resilience.

This post was originally published on the third-party site mentioned in the title of this site.
