IT, OT, and The Future of Machine Security
The line that historically separated Information Technology (IT) and Operational Technology (OT) is disappearing as businesses across industries put connected equipment on worksites. Disruptor, innovator, and IT rockstar Todd Dekkinga shares his insights on what this means for the future, and why security is crucial for the future of machine operations.
Working to execute IT strategies for some of the world's foremost pharmaceutical, biotech, and high-growth startups, Todd Dekkinga helps companies embrace new technologies and manage associated risks. He has worked on developing and deploying enterprise architectures from the ground up for companies including Airgap Networks, Armis, and more.
Currently, Todd is the CISO of both Zurli and Scrut Automation. He also chairs CISE, Consortium of Information Systems Executives, and the Bay Area Biotech CIO Group where he collaborates with industry peers on best practices in technology.
Members of the FORT team, including VP of Product Nivedita Ojha and CTO Nathan Bivans, sat down with Todd to discuss security in the world of IoT (Internet of Things), the impact of downtime, and why security is such a critical concern in today's machine landscape.
FORT: Let's talk about OT and IT security. From what we've seen, the OT world is extremely varied in its understanding of security. For IT folks, it's obviously on the tip of everyone's tongue; everyone's thinking about security whenever they add or change anything. But what is your understanding of the state of security in the OT space?
Todd Dekkinga: In the OT world, security is very young; it’s still very immature. The reason OT is separated from IT is that the IT folks don’t get it.
With these 20- or 30-year-old machines, the only way you can connect to them is through a serial port. And the IT folks want to say, "Hey, why can't we just stick a USB or USB-C port on these machines, and then we can have a lot more control over them?" It just can't happen. It doesn't work. And so OT ends up being a separate function, even though it should fall under security.
FORT: If the only way you connect to these machines is through a serial port, what’s the exposure? How risky are they, and what’s the solution?
TD: Well, network cards are being plugged into machines now, and now they're exposed to the internet. So that's the biggest problem. Companies want to remotely control devices. They want to access them from different places, things like that. That's why they were all activated.
The biggest solution out there is network detection and response. Companies like Claroty are doing this, and other players include Armis and Dragos. They watch the traffic and spot anomalies. They say, "Something isn't doing what it's supposed to, so you might want to check that out." But the question is, can you catch it in time, or is it too late at that point?
I worked at a company called Airgap Networks, which was intended to protect corporate networks from ransomware and zero-day threats, among other attacks. The concept was to put each device in a network of one. This would prevent machines from spreading viruses, because if you have these really noisy Windows machines where nobody turns off any of the ports or anything, you've got a huge security risk on your hands. So, if somebody clicks on a phishing email and gets bad stuff, and it tries to go from machine to machine, the attack stops immediately and can't go anywhere.
When the pandemic hit and no one was in the office anymore, Airgap pivoted. We talked with the CISO of a manufacturing company and said, "This makes sense for you as well, right? Because you have all these industrial control systems that are plugged into the network now." Those machines are making all kinds of noise, and anyone can connect to them if you don't set your network up right.
So basically, we isolated each one of those machines to its own network, and there's a basic rule set on top that says this Windows machine, using this specific protocol, can talk to this ICS. We send the data over this port to this database server, and that's the only permitted communication. So if a technician comes in with a USB drive to update the firmware and they have a virus on their drive, it can't spread. The kill chain ends on that machine.
FORT: You’re touching on one of the biggest challenges we’re hearing about: no one wants to put machines on critical networks, exactly for the problem you’ve just stated. They’re always apprehensive, so they’re putting their machines on mini networks so that if a machine gets infected, it’s not infecting other machines. It’s a challenge because it’s forcing people to do this micro-segmentation.
TD: Exactly. As an example, my background is in biotech and pharmaceutical. That's what I've been doing for almost 20 years. I had a CLIA-certified lab with million-dollar robots in it, run by Windows 95, Windows 98, and Windows 2000 if we were lucky. I wasn't allowed to update them. I wasn't allowed to patch them. I wasn't allowed to install any agents, antivirus, or anything on them. Otherwise, it would break the firmware and the communication with the machine.
So what I did was create a separate VLAN, put this lab behind it, and not allow internet access. I thought I was good; I thought I was doing the right thing. A technician came in, plugged in a USB drive, infected one machine, and it spread through the whole lab. It was terrible because we had about ten different vendors. I had to come back, rebuild all those machines, and make sure the firmware was correct. But the worst part was, in biotech and pharmaceutical, you have to revalidate every machine, and that's at least a three-month process; it took us almost four. So imagine, our primary source of revenue was affected for four months.
If we had a solution that isolated the threat, it wouldn’t have spread. I would have had one machine that was down, and we could have fixed it with no big deal.
Here's another example: I was with a company and we were getting hacked all the time. With one particular attack, we couldn't figure out where it was coming from. It turned out we were getting hacked through our cameras. So the threats can come from anywhere.
FORT: You raised a very important point about the camera. New machines, and even some retrofitted machines, have cameras and lidar on them. Those are ports; there's data going in, and they can be hacked. Do you think the OT world is aware that these open ports can be such big vulnerabilities, or do they not believe it can happen? What's the mindset?
TD: It's different depending on who you talk to. Imagine that you're coming off a deserted island, which is basically what people have been doing with industrial control systems, and you're suddenly back in the population. Suddenly, everything can talk to [your system], and it can reach out everywhere and talk to anything it wants.
So now, what do we do? They're basically taking their old approach and trying to apply it to the new world, which doesn't work. Some may say, "Oh, we take a layered approach," or "We follow NIST," but it may not really stop anything. You can have all the compliance in the world and still not be protected.
We have to keep coming up with new solutions.
FORT: What’s keeping companies from taking security more seriously? Is it apathy? Or do they not perceive the risk?
TD: It blows my mind!
I talk to all these CISOs and I'm like, "Come on, snap out of it!" Why is every single company getting hit by ransomware? It doesn't make sense. Why is it affecting you? Why are you paying ransoms? Why is it shutting down all your systems? We have to do something about it. And I can only think of a few solutions that can stop it.
FORT: Is downtime due to ransomware the biggest impact that people are worried about? How widespread are those attacks?
TD: Take what you read about in the press and multiply it by a thousand! You’re only hearing about the ones that are really important. Hospitals that are forced to shut down and go back to paper systems, things like that. How much does that actually cost?
But nobody will admit it. At Airgap, we'd talk to people who said they didn't need our solution. Six months later they'd call us back and say, "Hey, what's that thing you guys do?" All of a sudden, it was a priority. But they wouldn't admit that they'd been nailed by ransomware. Nobody will admit to it unless you're a public company, or some kind of company that has to disclose any kind of breach; then it's going to be in the paper.
That's why education is so important. When they see a similar company get nailed by ransomware, they think, "This can happen to me too." I don't like to use scare tactics, but read the paper... it's going to happen.
At conferences, I'm screaming at people, yelling, "Come on! Seriously!"
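The two lab scenarios above (a flat lab VLAN that one infected USB drive swept through, versus a per-device allow-list where the kill chain ends on the first machine) can be modelled with a small policy evaluator. The code below is an added example written for this page, not code from FORT, Airgap Networks, or Todd Dekkinga. All host names, protocol labels, port numbers, and flows are constructed for illustration; the wildcard rule set stands in for the flat VLAN and the exact 4-tuple rules stand in for the "this Windows machine, this protocol, this ICS" policy.

```python
"""Toy micro-segmentation policy check (added example, constructed data).

A policy is a set of (src, dst, proto, dport) rules; "*" is a wildcard.
Default deny: a flow passes only if some rule matches every field.
"""
from dataclasses import dataclass
from typing import Iterable, Set, Tuple

Rule = Tuple[str, str, str, object]  # (src, dst, proto, dport) with "*" wildcards


@dataclass(frozen=True)
class Flow:
    src: str    # source host
    dst: str    # destination host
    proto: str  # protocol label, e.g. "modbus", "postgres", "smb" (constructed)
    dport: int  # destination port


# Constructed lab: one Windows HMI, one controller, one historian database,
# two lab robots, and a visiting technician's laptop.
LAB_HOSTS = ["hmi-ws01", "plc-line1", "db-hist01", "robot-a", "robot-b", "tech-laptop"]

# Flat VLAN: no internet, but every host may talk to every other host on anything.
FLAT_VLAN_POLICY: Set[Rule] = {("*", "*", "*", "*")}

# Per-device allow-list: the only two conversations that are permitted.
SEGMENTED_POLICY: Set[Rule] = {
    ("hmi-ws01", "plc-line1", "modbus", 502),      # HMI -> ICS, one protocol
    ("hmi-ws01", "db-hist01", "postgres", 5432),   # HMI -> database, one port
}


def _match(rule_field, value) -> bool:
    return rule_field == "*" or rule_field == value


def is_allowed(flow: Flow, policy: Set[Rule]) -> bool:
    """Default deny: True only if some rule matches src, dst, proto and dport."""
    return any(
        _match(s, flow.src) and _match(d, flow.dst)
        and _match(p, flow.proto) and _match(dp, flow.dport)
        for (s, d, p, dp) in policy
    )


def reachable_from(src: str, hosts: Iterable[str], policy: Set[Rule]) -> Set[str]:
    """Hosts that 'src' may open any connection to: its lateral-movement surface."""
    return {
        h for h in hosts
        if h != src and any(_match(s, src) and _match(d, h) for (s, d, _, _) in policy)
    }


def spread(patient_zero: str, hosts: Iterable[str], policy: Set[Rule]) -> Set[str]:
    """Worst-case worm propagation: every reachable host is assumed exploitable.

    Note the caveat this exposes: segmentation bounds the blast radius to the
    permitted paths, it does not make the permitted paths themselves safe.
    """
    hosts = list(hosts)
    compromised = {patient_zero}
    frontier = [patient_zero]
    while frontier:
        current = frontier.pop()
        for nxt in reachable_from(current, hosts, policy) - compromised:
            compromised.add(nxt)
            frontier.append(nxt)
    return compromised


if __name__ == "__main__":
    usb_worm = Flow("tech-laptop", "robot-a", "smb", 445)   # constructed flow
    for name, policy in (("flat VLAN", FLAT_VLAN_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"[{name}] SMB from tech-laptop to robot-a allowed: {is_allowed(usb_worm, policy)}")
        print(f"[{name}] hosts compromised from tech-laptop: {sorted(spread('tech-laptop', LAB_HOSTS, policy))}")
```

Run stand-alone, the script shows the flat VLAN letting the technician's laptop reach every host while the segmented policy leaves the infection on the laptop. It also shows the limit of the approach: if the HMI itself is the machine that gets infected, its two allowed conversations are still open, so the controller and the database remain in scope and need their own controls.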
For information about Todd Dekkinga visit his LinkedIn.