Launching Security into the Cyber World
- By Ralph C. Jensen
- Apr 01, 2016
Putting the cyber security
world into perspective,
and in tandem with the
physical security side, takes a
little know-how, elbow grease
and brain power. To make it
all easier to understand, I have
posed a few questions to Paul
Rogers, the president and CEO
of Wurldtech, a GE company and general manager of
GE Industrial Cyber Security.
Q. Your group offers security and quality testing
for operational technology. This is specific and demanding.
How did your security and test professionals
plan, design and build operational resilience into
the physical security world?
A. Wurldtech began with some of the best “white
hat” hackers on the planet who recognized there is an
incredible amount of risk in our critical infrastructure.
Now connected, these industrial networks have
been left vulnerable. Our hackers tested all the possible
ways these machine-to-machine networks could
be infiltrated to identify where vulnerabilities exist
and determine how to protect against them.
Once we had enough data, we created a comprehensive
cybersecurity solution, OpShield, to help provide
protection for critical infrastructure against the
persistent and dynamic cyber threats that challenge
production environments, transportation systems
and healthcare operations. If a system is successfully
hacked, OpShield can help stop that attack from getting
to the Internal Internet where it can wreak havoc
on the factory, grid or drilling station.
Q. Only recently has the term “Security for your
Security” popped up. This is about protecting those
things that protect you. What are your technologies
and processes to protect any industry?
A. That is absolutely correct. But, first, let’s understand
the difference between IT (information technology)
security and OT (operational technology) security.
IT security lives in the context of an IT stack with
tools from many vendors, network, servers, storage,
apps and data. It’s in a periodically updated ecosystem
where most hosts are talking to lots of other hosts
and where there are frequent patch cycles, in weeks or,
sometimes days, in response to expected and known
cyber threats. IT security basically protects data (information),
In OT, high-value, well-defined industrial processes,
such as in factories, pipelines and airplanes and
which execute across a mix of proprietary devices
from many different manufacturers, need protection,
not data. Many of the devices and software used
in operational environments are 10 to 30 years old.
Many were not designed to be connected, have not
been patched very often and were not devised to withstand
modern attacks. Surprisingly, many operators
don’t know what’s actually transpiring on their Industrial
Internet and, even if hacked, have no knowledge
of the assault.
Q. You deliver security operations to Fortune 500
customers. How do you help them protect their brand
reputation, and what verticals seem to be the most
A. Let’s look at the background. During the
RSA security conference last year, Frank Marcus,
Wurldtech’s director of technology, led a peer discussion
that underscored the heightened profile of
cyber security in the age of the industrial Internet.
Addressing the audience of global critical infrastructure
experts, Marcus spoke about the evolution
of threats against critical infrastructure. While
enterprise cyber attacks may grab bigger headlines,
cyber attacks on physical infrastructures can have
greater consequences, including environmental damage
and human safety.
The classic incident discussed in OT circles is
that of the German steel mill whose attack was first
disclosed through a report issued by Germany’s
Federal Office for Information Security (BSI). It explained
that the attackers gained access to the steel
mill through the plant’s IT network, then successively
worked their way into production networks to access
systems controlling plant equipment.
The attackers infiltrated the corporate network
using a spear-phishing attack, sending targeted
email appearing to come from a trusted source.
The spear-phishing emails tricked the recipient into
opening a malicious attachment or visiting a malicious
web site, where malware was downloaded to
a company computer. Once the attackers gained a
foothold on one system, they executed a lateral attack
and explored the company’s networks, eventually
compromising a “multitude” of systems, including
industrial components on the OT network.
While the primary goal in IT is to protect data, OT
security strives to keep the process running. Whether
from outside threats like hackers, or inside threats like
human error, in an environment where companies are
operating drills, electric grids, MRI’s or locomotives,
unplanned downtime is simply not acceptable. This is
especially true for industries such as oil and gas, energy
producers, health facilities and transportation
systems in which even a couple minutes of downtime
can yield tens of thousands of dollars lost.
Q. Security is a 24/7 business. When a security professional
goes home for the day, they hope the system in
place will do its job. How do you handle the demand for
security, especially for critical processes and controls?
A. Once the OpShield solution is installed,
Wurldtech can provide a security and quality testing
service that simulates attackers challenging the customer’s
system. It makes sure that the customer is
controlling who is talking to whom.
We can provide a service to the manufacturers of
mission critical devices to assure that they have been
tested to repel cyber attacks. We determine if they
have had their products monitored to both network
and operational parameters, allowing vulnerabilities
to be discovered and faults to be reproduced, isolated
and identified before they introduced this or these
products to the market. We can certify them to help
ensure that they are secure.
Q. Since our readership is generally involved in
physical security, how do your products and services
tie into that market?
A. OT security and physical security intersect.
The cornerstone of IT enterprise security is the use
of software patching to eliminate underlying implementation
vulnerabilities. However, patch management
is a particularly painful operation in an OT system;
many organizations don’t have the infrastructure
for qualifying patches to ensure they do not impact
any of the software running on their system and, so,
have to depend on their vendors to test and ensure
new patches will not impact control of their processes.
That takes a lot of time.
Many of the security controls that are effective in
IT are not effective in OT; they have to be adapted to
the technical requirements of OT systems.
To apply the patch to an OT system usually means
the operation must be shut down. To eliminate turning
off the operation when patching, hot patches must
be delivered to a security solution that resides directly
in front of the control unit while the system continues
to produce. And, since that solution, OpShield, is
hardware, we’ve now found the intersection of physical
security and cyber security.
Let me answer in another way, one your readers
can leverage. Sponsored by the Security Industry Association
(SIA), the inaugural Connected Security
Conference is to be held right on the same exhibit
floor as this year’s ISC West. Those attending ISC
West and who are not familiar with cyber security,
OT, the Industrial Internet and the controlled infrastructure
will be able to visit the leading vendors and
attend informative sessions of why they need to understand
This article originally appeared in the April 2016 issue of Security Today.