Leaders of Industry is a series of conversations between operational technology, critical infrastructure (CI), and security experts from Armis and other leading companies and institutions. The series explores critical considerations for protecting the OT and CI assets that keep our manufacturing operations, public and private institutions, and cities humming.
This conversation on securing digital cities, campuses, and buildings features the following experts:
In Part 1, Keith Walsh and Thomas Rodgers discussed how Penn State has addressed security challenges related to connected assets across its facilities that span the Commonwealth of Pennsylvania.
Read Leaders of Industry, Part 1 here.
In Part 2, Keith and Mirel Sehic, VPGM / Head of Cybersecurity for Honeywell Building Technologies discuss managing the attack surface of our smart devices and building the foundations of what good cyber hygiene looks like.
In Part 3, we will outline 5 essential proactive steps for securing our digital buildings, campuses, and cities.
Welcome to the conversation.
Today, virtually every building, campus, and municipality is bursting with new and old connected devices. As our conversation with Thomas Rodgers of Penn State University exhibits, the reach can encompass hundreds or potentially thousands of buildings across significant distances. And given how smart devices include all sorts of communications modules that allow them to connect to any network, including the Internet, we now have an entirely new attack surface to manage.
In fact, it’s arguable that the front line of this new attack surface resides within the assets that we place on our networks. Since these devices often allow ingress into our networks, device manufacturers certainly bear some responsibility for device security. But even with effective built-in security, staying ahead of our adversaries is not an easy task. We must be right 100% of the time, whereas our adversaries only need to be right once.
To discuss managing this cyber-attack surface and ensuring the lifecycle of these devices is properly managed, I spoke with Mirel Sehic, General Manager, Cybersecurity for Honeywell Building Technologies (HBT). Honeywell is a Fortune 100 company that delivers industry specific solutions that include aerospace products and services, control technologies for buildings and industry, and performance materials globally.
Keith: Welcome Mirel.
Mirel: Hello Keith, great to speak again.
Keith: Mirel, when we think about the transformation of our buildings, campuses, cities and grids over just the last ten years or so, what stands out the most in your eyes? What’s been the driver for the reinventing of our ‘spaces’? Is it industry standards? Has there been an inflection point?
Mirel: Great question Keith. I think the biggest standout is the way we are utilizing our buildings, campuses, and cities—as individuals we are expecting more from these facilities and want increased visibility to know that the buildings we use are safe and rely on technology that keeps our well-being in mind. With these new expectations, buildings need to make changes from a standard operating model to a ‘smart’ and ‘connected’ model, meaning a greater emphasis on technology that intersects both laterally (devices in-building expanding to other devices in-building and ultimately to the edge) as well as interconnectivity with the cloud. As you would expect, taking these historically low cyber-hygiene environments and stacking this new technology can lead to a potentially larger cyber threat footprint.
Keith: Let’s talk about this new attack surface management and this new ‘cyber threat footprint’. Gartner has in fact coined a name for it, CAASM, or Cyber Asset Attack Surface Management. We are now having to manage this new digital footprint found within our enterprises, including BMS/BAS, IoT, and OT devices, alongside the more traditional IT, virtual, and cloud-based assets. How can we get our arms around a cyber footprint that now seems 10x what it was 5 years ago, and will likely be 10x in 5 years, if not sooner?
Mirel: It’s always a good idea to start with the basics. Build a program from the ground up. Prior to any new or substantial change to a building’s operating environment, we must ensure that a cyber assessment has been conducted; this is our starting point. Once we have assessed our environment, we can come to an understanding of what remediation actions need to be taken, be they hardening, network architecture review; endpoint protection, OT monitoring and assessment management, or incident response. Although it may seem simple, this assessment is what provides the blueprint for comfortably expanding the environment’s footprint and doing so securely.
Keith: Mirel, when you talk about the ‘basics’ of getting started, it sounds like you’re speaking about the fundamental understanding of communicating assets in the environment, their software and their interdependencies to determine the risks they pose. And with the explosion of devices, which brings a much larger software footprint, it’s not surprising 2021 was the year of the vulnerability. As we continually add new devices, we introduce even more software, which brings even more vulnerabilities, risks, and threats to our environments. Is vulnerability management a zero-sum game? Are we chasing the dragon? Is there a better way to protect our assets?
Mirel: Good cyber-hygiene is something that must be practiced. We strongly believe in the prevention-first approach to OT cybersecurity—meaning understanding a client’s risk appetite, and then through this understanding of the risk appetite, plan for an effective, in-depth defense strategy. The simple truth is that you plan for what you can afford to lose, and, if you are in a critical infrastructure industry, you need to plan effectively to reduce risk as far as reasonably practicable. Establishing a more robust OT cybersecurity posture often means, as you mentioned, correcting common vulnerabilities, like operating on outdated or unpatched software, or addressing a lack of stringent security measures around communication protocols.
Keith: It sounds like when we talk about good cyber-hygiene, our starting place is identifying and prioritizing the assets in our ‘protect-surface’, as not all devices and processes are created equal, which is understandable. On a campus or in a building, we may for example, deem fire suppression as our number one protect-surface. Flushing out the genetics of these interconnected devices, including the associated vulnerabilities and communication dependencies is a great place to start. It is certainly more manageable to address vulnerabilities in a subset of devices that affect the most critical processes than to become overwhelmed by the endless supply of vulnerabilities.
Lastly, does Thomas share some of the same challenges at Penn State University as you see across varying municipalities, buildings, and campuses?
Mirel: The challenges Thomas sees are very real and consistent across the OT domain. Today, conversations about cybersecurity still primarily focus on information technology (IT) systems and safeguarding data and assets. OT systems in facilities are often overlooked, but they are just as critical to a company’s security, processes, data, reputation and even employee safety.
Keith: Thanks, Mirel. When we talk about OT systems at times being overlooked, we can probably agree that with the interconnected nature of BMS/BAS, OT, IT, and the internet, “securing by obscuring” devices is no longer a fail-safe solution, especially when safety is on the line.
Mirel: Agreed. Thanks, Keith.
As we reflect on both conversations – PSU and Honeywell, there are certainly common themes around what good cyber hygiene looks like, especially when it comes to protecting critical infrastructure. Understanding our protect surfaces and their adjacent attack surface, our devices, and the risks they pose is not only a recurring theme we have heard here, but also the foundational step of every security framework as it is the springboard to deliver on additional use cases around vulnerability management, proactive threat remediation, and the inevitable recovery when things go sideways.
Join us for Leaders of Industry, Part 3 next week as we wrap our thoughts around the essential steps to secure and sustain digital cities, campuses, and buildings.
Additional information on Penn State University can be found at psu.edu.
Sign up to receive the latest news