Skybox Systems Director of Systems Engineering Terry Olaes has more than 20 years of experience in IT. His expertise includes IT/OT convergence, audit and compliance, data breaches, and incident management. Working on the ground floor at a manufacturing plant, serving as a systems engineer, and managing large security teams have given Terry a unique perspective on fortifying IT/OT security posture.
With cyberattacks on critical infrastructure and supply chains on the rise, we asked Terry to discuss his perspective on a new Skybox Security research study highlighting imperatives for Operational Technology (OT) security. The study found that 71% of utility organizations are highly confident that they will not experience a breach next year. Yet, 87% of utility companies have experienced at least one breach over the past thirty-six months. It sounds like a strange contradiction, right? However, Terry explains why he’s not surprised by this finding and what energy and utility companies need to do to ensure the security of their “OT crown jewels.”
Although 87% of utility companies have experienced at least one breach over the past thirty-six months, 71% of utility companies believe they’re safe. Isn’t that an odd contradiction?
Terry Olaes: I’m not surprised by this finding for these two reasons:
Because of a breach, organizations will correct compensating controls to ensure that the violation doesn’t happen. Compensating controls could be user education, security tools, enhanced processes, or an audit regimen. In addition, the lessons learned from the breach often help leadership teams to neutralize the threats confidently.
Additionally, as a leader of an organization, you must believe that you have the tools and people to prevent a breach. By nature, the question will cause great reflection. If I were asked whether my organization might have a breach in the next year and I answered “yes,” I would have to answer to “What am I doing to prevent a breach in the next year?”
Utilities are highly regulated and have significant compliance requirements. However, being compliant doesn’t equate to being secure. Were you surprised that ‘maintaining compliance with regulations and requirements’ was the survey respondents’ most common top concern?
Terry Olaes: It’s easy to preach that compliance/regulation does not equal security. Still, the simple fact is that most leaders have nothing else to measure their security preparedness. We’ve all heard about the shortage of talent in the cybersecurity industry. Without solid, knowledgeable personnel, leadership must lean on compliance to help protect against OT breaches. This gap between strategic leaders and tactical personnel quickly leads to a disconnect between what’s happening in the field and what leadership believes is the state of information security. Add to this dilemma that the processes and controls for security inhibit the business’s ability to operate, especially in OT/ICS environments. Very much like we see with “Shadow IT” scenarios in the enterprise environment, OT/ICS environments will do whatever it takes to keep the business running.