Industry Professional
Launching Security into the Cyber World
- By Ralph C. Jensen
- Apr 01, 2016
Putting the cyber security world into perspective, and
in tandem with the physical security side, takes a little
know-how, elbow grease and brain power. To make it all
easier to understand, I have posed a few questions to
Paul Rogers, the president and CEO of Wurldtech, a GE
company and general manager of GE Industrial Cyber Security.
Q. Your group offers security and quality testing
for operational technology. This is specific and demanding.
How did your security and test professionals
plan, design and build operational resilience into
the physical security world?
A. Wurldtech began with some of the best “white
hat” hackers on the planet who recognized there is an
incredible amount of risk in our critical infrastructure.
Now connected, these industrial networks have
been left vulnerable. Our hackers tested all the possible
ways these machine-to-machine networks could
be infiltrated to identify where vulnerabilities exist
and determine how to protect against them.
Once we had enough data, we created a comprehensive
cybersecurity solution, OpShield, to help provide
protection for critical infrastructure against the
persistent and dynamic cyber threats that challenge
production environments, transportation systems
and healthcare operations. If a system is successfully
hacked, OpShield can help stop that attack from getting
to the Internal Internet where it can wreak havoc
on the factory, grid or drilling station.
Q. Only recently has the term “Security for your
Security” popped up. This is about protecting those
things that protect you. What are your technologies
and processes to protect any industry?
A. That is absolutely correct. But, first, let’s understand
the difference between IT (information technology)
security and OT (operational technology) security.
IT security lives in the context of an IT stack with
tools from many vendors, network, servers, storage,
apps and data. It’s in a periodically updated ecosystem
where most hosts are talking to lots of other hosts
and where there are frequent patch cycles, in weeks or,
sometimes, days, in response to expected and known
cyber threats. IT security basically protects data (information),
not machines.
In OT, high-value, well-defined industrial processes,
such as in factories, pipelines and airplanes and
which execute across a mix of proprietary devices
from many different manufacturers, need protection,
not data. Many of the devices and software used
in operational environments are 10 to 30 years old.
Many were not designed to be connected, have not
been patched very often and were not devised to withstand
modern attacks. Surprisingly, many operators
don’t know what’s actually transpiring on their Industrial
Internet and, even if hacked, have no knowledge
of the assault.
Q. You deliver security operations to Fortune 500
customers. How do you help them protect their brand
reputation, and what verticals seem to be the most
vulnerable?
A. Let’s look at the background. During the
RSA security conference last year, Frank Marcus,
Wurldtech’s director of technology, led a peer discussion
that underscored the heightened profile of
cyber security in the age of the industrial Internet.
Addressing the audience of global critical infrastructure
experts, Marcus spoke about the evolution
of threats against critical infrastructure. While
enterprise cyber attacks may grab bigger headlines,
cyber attacks on physical infrastructures can have
greater consequences, including environmental damage
and human safety.
The classic incident discussed in OT circles is
that of the German steel mill whose attack was first
disclosed through a report issued by Germany’s
Federal Office for Information Security (BSI). It explained
that the attackers gained access to the steel
mill through the plant’s IT network, then successively
worked their way into production networks to access
systems controlling plant equipment.
The attackers infiltrated the corporate network
using a spear-phishing attack, sending targeted
email appearing to come from a trusted source.
The spear-phishing emails tricked the recipient into
opening a malicious attachment or visiting a malicious
web site, where malware was downloaded to
a company computer. Once the attackers gained a
foothold on one system, they executed a lateral attack
and explored the company’s networks, eventually
compromising a “multitude” of systems, including
industrial components on the OT network.
While the primary goal in IT is to protect data, OT
security strives to keep the process running. Whether
from outside threats like hackers, or inside threats like
human error, in an environment where companies are
operating drills, electric grids, MRIs or locomotives,
unplanned downtime is simply not acceptable. This is
especially true for industries such as oil and gas, energy
producers, health facilities and transportation
systems in which even a couple minutes of downtime
can yield tens of thousands of dollars lost.
Q. Security is a 24/7 business. When a security professional
goes home for the day, they hope the system in
place will do its job. How do you handle the demand for
security, especially for critical processes and controls?
A. Once the OpShield solution is installed,
Wurldtech can provide a security and quality testing
service that simulates attackers challenging the customer’s
system. It makes sure that the customer is
controlling who is talking to whom.
We can provide a service to the manufacturers of
mission critical devices to assure that they have been
tested to repel cyber attacks. We determine if they
have had their products monitored to both network
and operational parameters, allowing vulnerabilities
to be discovered and faults to be reproduced, isolated
and identified before they introduced this or these
products to the market. We can certify them to help
ensure that they are secure.
Q. Since our readership is generally involved in
physical security, how do your products and services
tie into that market?
A. OT security and physical security intersect.
Here’s how:
The cornerstone of IT enterprise security is the use
of software patching to eliminate underlying implementation
vulnerabilities. However, patch management
is a particularly painful operation in an OT system;
many organizations don’t have the infrastructure
for qualifying patches to ensure they do not impact
any of the software running on their system and, so,
have to depend on their vendors to test and ensure
new patches will not impact control of their processes.
That takes a lot of time.
Many of the security controls that are effective in
IT are not effective in OT; they have to be adapted to
the technical requirements of OT systems.
To apply the patch to an OT system usually means
the operation must be shut down. To eliminate turning
off the operation when patching, hot patches must
be delivered to a security solution that resides directly
in front of the control unit while the system continues
to produce. And, since that solution, OpShield, is
hardware, we’ve now found the intersection of physical
security and cyber security.
Let me answer in another way, one your readers
can leverage. Sponsored by the Security Industry Association
(SIA), the inaugural Connected Security
Conference is to be held right on the same exhibit
floor as this year’s ISC West. Those attending ISC
West and who are not familiar with cyber security,
OT, the Industrial Internet and the controlled infrastructure
will be able to visit the leading vendors and
attend informative sessions on why they need to understand
this environment.
This article originally appeared in the April 2016 issue of Security Today.