Industry Professional

Launching Security into the Cyber World

Putting the cyber security world into perspective, and in tandem with the physical security side, takes a little know-how, elbow grease and brain power. To make it all easier to understand, I have posed a few questions to Paul Rogers, the president and CEO of Wurldtech, a GE company and general manager of GE Industrial Cyber Security.

Q. Your group offers security and quality testing for operational technology. This is specific and demanding. How did your security and test professionals plan, design and build operational resilience into the physical security world?

A. Wurldtech began with some of the best “white hat” hackers on the planet who recognized there is an incredible amount of risk in our critical infrastructure. Now connected, these industrial networks have been left vulnerable. Our hackers tested all the possible ways these machine-to-machine networks could be infiltrated to identify where vulnerabilities exist and determine how to protect against them.

Once we had enough data, we created a comprehensive cybersecurity solution, OpShield, to help provide protection for critical infrastructure against the persistent and dynamic cyber threats that challenge production environments, transportation systems and healthcare operations. If a system is successfully hacked, OpShield can help stop that attack from getting to the Internal Internet where it can wreak havoc on the factory, grid or drilling station.

Q. Only recently has the term “Security for your Security” popped up. This is about protecting those things that protect you. What are your technologies and processes to protect any industry?

A. That is absolutely correct. But, first, let’s understand the difference between IT (information technology) security and OT (operational technology) security. IT security lives in the context of an IT stack with tools from many vendors, network, servers, storage, apps and data. It’s in a periodically updated ecosystem where most hosts are talking to lots of other hosts and where there are frequent patch cycles, in weeks or, sometimes days, in response to expected and known cyber threats. IT security basically protects data (information), not machines.

In OT, high-value, well-defined industrial processes, such as in factories, pipelines and airplanes and which execute across a mix of proprietary devices from many different manufacturers, need protection, not data. Many of the devices and software used in operational environments are 10 to 30 years old. Many were not designed to be connected, have not been patched very often and were not devised to withstand modern attacks. Surprisingly, many operators don’t know what’s actually transpiring on their Industrial Internet and, even if hacked, have no knowledge of the assault.

Q. You deliver security operations to Fortune 500 customers. How do you help them protect their brand reputation, and what verticals seem to be the most vulnerable?

A. Let’s look at the background. During the RSA security conference last year, Frank Marcus, Wurldtech’s director of technology, led a peer discussion that underscored the heightened profile of cyber security in the age of the industrial Internet. Addressing the audience of global critical infrastructure experts, Marcus spoke about the evolution of threats against critical infrastructure. While enterprise cyber attacks may grab bigger headlines, cyber attacks on physical infrastructures can have greater consequences, including environmental damage and human safety.

The classic incident discussed in OT circles is that of the German steel mill whose attack was first disclosed through a report issued by Germany’s Federal Office for Information Security (BSI). It explained that the attackers gained access to the steel mill through the plant’s IT network, then successively worked their way into production networks to access systems controlling plant equipment.

The attackers infiltrated the corporate network using a spear-phishing attack, sending targeted email appearing to come from a trusted source. The spear-phishing emails tricked the recipient into opening a malicious attachment or visiting a malicious web site, where malware was downloaded to a company computer. Once the attackers gained a foothold on one system, they executed a lateral attack and explored the company’s networks, eventually compromising a “multitude” of systems, including industrial components on the OT network.

While the primary goal in IT is to protect data, OT security strives to keep the process running. Whether from outside threats like hackers, or inside threats like human error, in an environment where companies are operating drills, electric grids, MRI’s or locomotives, unplanned downtime is simply not acceptable. This is especially true for industries such as oil and gas, energy producers, health facilities and transportation systems in which even a couple minutes of downtime can yield tens of thousands of dollars lost.

Q. Security is a 24/7 business. When a security professional goes home for the day, they hope the system in place will do its job. How do you handle the demand for security, especially for critical processes and controls?

A. Once the OpShield solution is installed, Wurldtech can provide a security and quality testing service that simulates attackers challenging the customer’s system. It makes sure that the customer is controlling who is talking to whom.

We can provide a service to the manufacturers of mission critical devices to assure that they have been tested to repel cyber attacks. We determine if they have had their products monitored to both network and operational parameters, allowing vulnerabilities to be discovered and faults to be reproduced, isolated and identified before they introduced this or these products to the market. We can certify them to help ensure that they are secure.

Q. Since our readership is generally involved in physical security, how do your products and services tie into that market?

A. OT security and physical security intersect. Here’s how:

The cornerstone of IT enterprise security is the use of software patching to eliminate underlying implementation vulnerabilities. However, patch management is a particularly painful operation in an OT system; many organizations don’t have the infrastructure for qualifying patches to ensure they do not impact any of the software running on their system and, so, have to depend on their vendors to test and ensure new patches will not impact control of their processes. That takes a lot of time.

Many of the security controls that are effective in IT are not effective in OT; they have to be adapted to the technical requirements of OT systems.

To apply the patch to an OT system usually means the operation must be shut down. To eliminate turning off the operation when patching, hot patches must be delivered to a security solution that resides directly in front of the control unit while the system continues to produce. And, since that solution, OpShield, is hardware, we’ve now found the intersection of physical security and cyber security.

Let me answer in another way, one your readers can leverage. Sponsored by the Security Industry Association (SIA), the inaugural Connected Security Conference is to be held right on the same exhibit floor as this year’s ISC West. Those attending ISC West and who are not familiar with cyber security, OT, the Industrial Internet and the controlled infrastructure will be able to visit the leading vendors and attend informative sessions of why they need to understand this environment.

This article originally appeared in the April 2016 issue of Security Today.

Featured

  • New Report Reveals Top Trends Transforming Access Controller Technology

    Mercury Security, a provider in access control hardware and open platform solutions, has published its Trends in Access Controllers Report, based on a survey of over 450 security professionals across North America and Europe. The findings highlight the controller’s vital role in a physical access control system (PACS), where the device not only enforces access policies but also connects with readers to verify user credentials—ranging from ID badges to biometrics and mobile identities. With 72% of respondents identifying the controller as a critical or important factor in PACS design, the report underscores how the choice of controller platform has become a strategic decision for today’s security leaders. Read Now

  • Overwhelming Majority of CISOs Anticipate Surge in Cyber Attacks Over the Next Three Years

    An overwhelming 98% of chief information security officers (CISOs) expect a surge in cyber attacks over the next three years as organizations face an increasingly complex and artificial intelligence (AI)-driven digital threat landscape. This is according to new research conducted among 300 CISOs, chief information officers (CIOs), and senior IT professionals by CSC1, the leading provider of enterprise-class domain and domain name system (DNS) security. Read Now

  • ASIS International Introduces New ANSI-Approved Investigations Standard

    • Guard Services

  • Cloud Security Alliance Brings AI-Assisted Auditing to Cloud Computing

    The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today introduced an innovative addition to its suite of Security, Trust, Assurance and Risk (STAR) Registry assessments with the launch of Valid-AI-ted, an AI-powered, automated validation system. The new tool provides an automated quality check of assurance information of STAR Level 1 self-assessments using state-of-the-art LLM technology. Read Now

  • Report: Nearly 1 in 5 Healthcare Leaders Say Cyberattacks Have Impacted Patient Care

    Omega Systems, a provider of managed IT and security services, today released new research that reveals the growing impact of cybersecurity challenges on leading healthcare organizations and patient safety. According to the 2025 Healthcare IT Landscape Report, 19% of healthcare leaders say a cyberattack has already disrupted patient care, and more than half (52%) believe a fatal cyber-related incident is inevitable within the next five years. Read Now

Most   Popular

New Products

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation.

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.