Skybox Security’s Chief Revenue Officer Rob Rosiello has been in the IT network, applications, and security industry for over 25 years. Working with some of the largest organizations and government agencies globally, he knows firsthand how functional silos impede the ability of companies to secure their network successfully. In addition, he sees how organizational mandates that are often at odds between security and IT teams leave the most critical part of their business — namely their OT infrastructure — vulnerable to attacks.
Amid unprecedented cyberattacks on critical infrastructure and supply chains, we asked Rob to discuss the details of a new report by Skybox Security that highlights imperatives for OT security. The study found that 83% of manufacturing, energy and utility companies have experienced an OT breach in the last 36 months. Yet, despite this alarming finding, not much has been done to protect OT. Rob explains why the need to overhaul and reimagine IT and OT security from a holistic perspective is greater now than ever.
The Skybox study found that functional silos are a top challenge that Architects, Engineers, CIOs, CISOs, and Plant Managers face when securing OT infrastructure. A lack of central oversight is also viewed as a barrier to improving OT security. Does that surprise you?
Rob Rosiello: No. NetOps struggle to provide the most effective access and often think there is an over-rotation on security – impeding the network. Security teams believe there wouldn’t be a need for all these controls if the network team designed their networks more effectively. Cloud makes both of their jobs more complex. When you add OT into the equation, those functional silos become even more problematic because now you’re dealing with the supply chain — the functional, revenue-generating pieces of the business. And with all the shifting of blame or metrics on what each team has to deliver, hackers quietly wedge in, exploiting that organizational dysfunction caused by functional silos. Bad actors find their way into organizations in many ways, whether ransomware, phishing, malware, or old-fashioned brute force attacks.
The report also found that 48% of CISOs and CIOs cited disjointed networks across OT and IT environments as one of their top security risk concerns.
RR: There’s no doubt that OT explodes the attack surface. But unfortunately, security is often not considered at the core of OT implementations, which historically have relied upon security on the network perimeter using firewalls to monitor ingress and egress. A backdoor into an expanding attack surface is a backdoor, whether through IT or OT. For example, the hackers who attacked the Florida water plant infiltrated via an application in a network environment that the security & network teams thought had been fully decommissioned. Functional silos across the IT stack and OT are a critical problem. The need to secure OT and reimagine a modern holistic security strategy is an emergency that needs to be addressed by executives immediately. It’s not technology or security just for the sake of it — it’s core to the business, core to our society, and core to human safety.
Over 78% of OT organizations struggle with multivendor complexity. Are you surprised by that?
RR: No, think about the diversity in the number of network assets: switches, routers, firewalls, load balancers, desktops, mobile devices, as well as the staggering number of OT devices that need oversight. Large enterprises are not homogeneous. And with mergers/acquisitions/divestments and an ecosystem approach to third-party supply chain delivery, I do not envy the task of any player in the technology stack. Now, add OT into the mix and attack points are exponentially higher than traditional network assets.
Securing, equipping, and enabling these assets is absolutely paramount to the success of Industry 4.0 and the digital transformation of business. And that comes back to this notion of unionization, normalization, and making technology an enabler of business.
Maintaining compliance with regulations and requirements was the most common top concern of all respondents.
RR: In my opinion, a common misconception amongst OT organizations is that compliance equals security. Compliance has tons of ramifications, of which security is just one of those ingredients. So, to say that I’m compliant does not necessarily mean I am secure. It just means that I’ve done whatever sets of things I needed to do to check those boxes. I may or may not be secure, or perhaps I’m secure enough to meet today’s compliance. What happens with tomorrow’s compliance? Just like technology is changing, compliance requirements and regulatory requirements are changing. So, the real question is, how do you get ahead from a security and technology team perspective?
What is the business impact of OT security breaches?
RR: Many manufacturers are dealing with M&As, insurance, intellectual property protection, B2B commerce, third-party risk assessment in addition to corporate assets — and that does not include OT, which is often the enabler to the company’s crown jewel (the products and services that create revenue). If these companies cannot fulfill production contracts, they lose billions of dollars. Therefore, there is a necessity to elevate the construct of IT and OT security to a corporate imperative. As I said before, the danger is not solely to individual businesses; it’s a danger that can have a material impact on our economies, society, and human lives in the case of public utilities and hospitals.
How does Skybox Security solve OT security challenges?
RR: We’re going much deeper than just scoring the security risk. We’re giving companies critically important exposure analysis. And why that is important is that some of a company’s smaller assets are the most vulnerable and have the most significant financial impact on their business. So, for example, with one client, they had tens of thousands of vulnerabilities in just one environment. So, we used exposure analysis to determine that only four or six assets had vulnerabilities that could have cost them tens of millions of dollars if compromised.
In contrast, the other tens of thousands of vulnerabilities impacted just eight hundred thousand dollars. So, it is not a pure volume issue; it is the context behind these vulnerabilities and the critical impact. The ideal paradigm for securing IT and OT comprehensively is to have a solution and strategy that pinpoints and prioritizes critical vulnerabilities and can determine the business impact of a breach. That’s the dream. And that’s what we do. It’s just that many security professionals are only now waking up to that realization. The benefit that Skybox brings to the table is that we’re looking more at policy and vulnerability related to the business perspective — not just the underlying device or equipment. So, we’re considering the business impact of what those exposures could be. And that’s essential for everyone.