Interview with Vicente Segura Gualde, Head of OT & IoT Security, Telefónica.
In 2022, cybercriminals delivered a wave of cyberattacks targeting countries like Ukraine and Costa Rica. Other countries also faced high-profile attacks and data breaches. And experts predict new opportunities for cybercriminals in 2023 as digital transformation speeds up. How can Chief Information and Security Officers (CISOs) prepare for this new, complicated threat landscape? Vicente Segura Gualde is convinced that opting for proactive detection and developing incident management procedures is key to the success of any cybersecurity solution.
At IOTSWC23, you said that manufacturing is the sector that tops attack rankings right now. It wasn’t that way before the pandemic. What has changed?
The entire society is in the midst of a digital transformation process manifested as a sequence of technology waves: information technology (IT), bring your own device (BYOD), the cloud and, now, the Internet of Things (IoT). This last wave offers undeniable opportunities for the industry. On one hand, it is possible to create new services that leverage IoT devices (i.e., anything you can think of can be improved by adding computing capabilities and internet connectivity). On the other hand, the productivity of legacy industrial environments can also be increased by centralizing management through interconnection and providing remote access capabilities. The biggest cybersecurity challenges are precisely in this last scenario because these environments weren’t originally created with these use cases in mind. As a result, it is unwise to implement these digital transformation projects without a proper cybersecurity strategy.
In which way does this new scenario change the role of CISOs?
Traditionally, cybersecurity risks have mainly affected information technology (IT) assets because the operational technology (OT) assets, i.e., the assets that manage and control the manufacturing processes, have remained isolated with limited internet connectivity. Those same projects, however, are forcing an IT-OT convergence which is blurring the red line that has previously separated both areas. As a result, the responsibility domain of CISOs is expanding to properly manage the cybersecurity risks of this new landscape.
While it is true that new cybersecurity threats appear daily and end up in sophisticated attacks, most of the incidents take advantage of the easiest-to-exploit vulnerabilities. So, what should companies do in the first place?
We always recommend starting with the basics. Imagine you are a CISO and you have also assumed the responsibility for the organization’s OT infrastructure. The first thing you should do is to assess the organization’s cybersecurity posture. In the OT space, it means knowing the infrastructure and identifying and assessing its risks. For instance, it is key to have an asset inventory and an updated network architecture, as well as to find out whether there is potential malware activity in the plant network, unknown remote accesses or internet connections from OT devices. At Telefónica Tech we typically start with what we call an industrial cybersecurity assessment. It aims at providing this information in a report that also comes with a set of recommendations for improving its cybersecurity posture.
Once the CISO knows and assesses the risks, they can start deploying cybersecurity solutions such as the segregation of IT/OT networks to protect the OT environment from attacks that reach the IT network; the segmentation of OT networks to block lateral movements that simplify attacks; remote access solutions to control and monitor who accesses the OT environment; and cybersecurity monitoring to provide continuously updated visibility and detect potential threats, just to mention the most relevant actions.
You mentioned technology solutions. But is technology enough to fight cybersecurity threats? What about the human factor?
Although technology is key to keeping up with the latest cybersecurity threats, it’s only one piece of the puzzle and, most of the time, not the most important. Typically, we also need to consider processes and people. When implementing technology, it’s key to define how it’s used, i.e., how it’s integrated with the current processes of an organization. For instance, if we want to deploy a remote access solution, users will need to know how to utilize this solution, what credentials they might use and how they should request the remote access authorization. All of these are processes that must be defined and implemented.
On the other hand, people’s awareness is also important. The users who are supposed to follow the new remote access procedure must be aware of what remote really implies, understand the reason they need to use it and learn how to do it.
The three elements of this triad are key to the success of any cybersecurity solution.
Interview by: Anna Solana