Debunking the Myth: Securing OT Is Possible
Rockwell Automation's Mark Cristiano on the Importance of Securing OT Systems
OT attacks have nearly doubled year-over-year. Amid an increase in the number of attacks, companies are struggling with the complexities of protecting their OT infrastructure, said Mark Cristiano, global commercial director of cybersecurity services at Rockwell Automation.
Debunking the misconception that industrial control systems are insecure by design, Cristiano advised that organizations can develop a strategic approach to OT security that aligns with their risk profile, cyber maturity and ability to absorb change.
"The first step is getting your arms around what assets are out on that shop floor. That's cyber 101, and IT professionals can help OT with that," he said. "It's identifying those assets, first and foremost. It's quantifying the risk associated with those assets and then prioritizing them. Not every asset needs to be protected the same way."
In this video interview with Information Security Media Group at RSA Conference 2023, Cristiano also discusses:
- How the conversation around OT security has evolved;
- How traditional IT security personnel can secure their OT systems;
- How Rockwell Automation is helping customers with their cyber journeys.
Cristiano focuses on developing industrial IoT and cybersecurity programs and managed services for Rockwell's connected services growth initiative, with an emphasis on facilitating IT and OT convergence. He has 30 years of experience in information technology, including 15 years of enterprise and manufacturing systems leadership.
Tom Field: Hi there, I'm Tom Field. I'm senior vice president of Editorial with Information Security Media Group. Topic of the conversation, we're mythbusting - you can secure OT. Here to tell you how is Mark Cristiano. He is commercial director - global, cybersecurity services business with Rockwell Automation. Mark, it's a pleasure to have you here in the RSA Conference studio again.
Mark Cristiano: Thank you for having me, Tom.
Field: So it's a return to RSA Conference for you. How has the OT security conversation changed since the last time you were here talking about it?
Cristiano: We are excited to be here this year. We sent a relatively small team last year to recon the show to see if there was an opportunity for Rockwell to help customers on their OT journey. And I was amazed that even though we had a smaller presence, the engagement of the conversations and the quality of the conversations that we had with customers last year made me go back to leadership and say we need to go big. So this year, Rockwell is going to go big. We've got a booth, we've got a demo. I think what we're seeing is an increase again in OT attacks. They've almost doubled year over year from last year. And the complexity associated with protecting the OT infrastructure is something that our customers are struggling with. That's where we come in to help. And I am looking forward to having discussions with customers to help them on their cyber journey.
Field: Well, talk more about this. What is the RSA Conference mission? If you were to sum it up, why is Rockwell Automation here?
Cristiano: I think we have an opportunity. When you look at the demographic of the attendees of RSA, they typically are focused on IT for just reason. We think that we've got an opportunity to differentiate ourselves and to help our customer base with that complexity of the OT environment, the remediation that's required, which is very different from IT. That's all we do is we help customers with their OT remediation. We don't go up into the IT space. We've been in plants for 120 years. We know criticality of availability. And that's what we're going to try to help our customers with.
Field: Now I know that you've got a huge presence on the show floor. And already there's a lot of buzz about Rockwell Automation - your presence here, you're talking with people. What are the things that people are eager to discuss with you?
Cristiano: I think the most common question that I still get is, where do I start? I think the complexity that I alluded to in terms of OT remediation is somewhat foreign to CISOs and to IT providers. And unfortunately, there's no right answer. It all depends on three factors. What's your risk profile? What's your cyber maturity? Meaning, have you created procedures? Where are you? And then what's your organization's available ability to absorb change? Because these programs take a top-down approach. And I think those three things are the most common advice that I give to customers, but where to start is definitely the No. 1. And I think No. 2 is, how do I get my arms around the protect surface? The assets that are on the OT side of the infrastructure are dispersed. They're 20 years old, in some cases, very different from the IT side. So the two most common things that I hear are: where to start, and how to identify and quantify the risk associated with my protect surface.
Field: And often, you get cultural silos to deal with too. What I hear.
Cristiano: We do. IT and OT, that's the classic. And I think that my most successful customers are ones where IT and OT have teamed up early on, and identified the fact that OT needs IT. And IT needs to understand the complexities associated with OT. And we have workshops that we run from a Rockwell perspective, not selling anything, just educating both sides to make sure that they are organized as effectively as they can. That's a big challenge.
Field: And timely enough, we have a theme here at RSA Conference, "Stronger Together." Who would be stronger together than IT and OT?
Cristiano: Exactly, yes.
Field: Rockwell has got a speaking session. Now, it's interesting, because one of the sort of myths that is out there in the market is, you can't secure OT. You hear that far too frequently. But your session is called: You Can Secure OT. And you're going to explore how traditional IT security people can get started securing their OT systems. Now we keep hearing ICS is insecure by default, by design. What are some steps that can be taken to secure industrial control systems?
Cristiano: Well, I go back to that first step of getting your arms around what assets are out on that shop floor. And that's kind of like Cyber 101 is what I call it, and IT professionals can help OT with that. It's identifying those assets, first and foremost. It's quantifying the risk associated with those assets, and then it's prioritizing them. Not every asset needs to be protected the same way. So that's the advice I think that Ahmik in that session will be providing. Also, there's basics, just policies and procedures. There are things that IT is very well versed in that they've done in the past that are applicable to OT with some subtle differences. And I think IT has an opportunity to help OT organizations as they start to mature in their cyber journey.
Field: Now you hinted a bit about your booth presence, which is phenomenal. What are you going to be showing there?
Cristiano: So we have a demo that will be simulating a water system attack. We're going to have red team people who are trying to get in; we're going to have blue team people who are trying to stop it. I think it's impactful because it's going to show the entire paradigm of the NIST standard, which is identify, detect, and then respond and recover. So we'll see how they try to get in. We'll see how we'll detect it. And then we'll show how we have remediated and recovered from that breach. We'll be running that every hour on the hour. And we'll be at booth 2233. And I encourage everyone to come by, have a conversation and see the demo.
Field: And unfortunately, this is not fiction. This is based on a true story.
Cristiano: This is reality.
Field: Yes, exactly.
Cristiano: It's increasing exponentially, too.
Field: Now, you mentioned you'd be back here for a second year in a row. OT security has a bigger presence than ever. And a lot of vendors are addressing OT security explicitly now. How does Rockwell Automation stand up and differentiate itself in that crowd?
Cristiano: We are a pure-play OT provider, meaning a lot of other organizations started in IT. And they've seen the requirement and they've started to go down into OT. We've never done that. As I said, we're a 120-year-old OT company. And we've got specialized skill sets of our cybersecurity engineers and our SOC analysts. That's a huge differentiator. Second is we're global. We're in well over five to 700 facilities globally, that we've deployed cybersecurity countermeasures. And our big customers, that's what they want. When we deploy a countermeasure in North America, they want it to look exactly like it does in Romania. So that standardization and globalization in scalability that we provide is important. And then lastly, and I'm trying to dispel this notion in the market, we are technology-agnostic. Well, I'm in plants where there are no Rockwell controllers whatsoever.
Cristiano: As long as it speaks Ethernet, we are prepared to put down countermeasures and provide managed services associated with those. So those are some of the key differentiators that we're bringing to the market. We're going to be talking to customers about this week.
Field: Excellent! Mark, appreciate the time, and appreciate your insight. Good luck with your experience at RSA Conference.
Cristiano: Thank you, Tom. Thanks for having me.
Field: Again, we've had Mark Cristiano, with Rockwell Automation, here talking with us today about OT security. For Information Security Media Group, I'm Tom Field. Thank you very much for giving us your time and your attention today.