How to secure the Industrial IoT: A Q&A with GE's CISO
- 02 October, 2017 22:00
Most of the discussion around cyber security focuses on the role of enterprise IT and how it can best protect corporate and customer data. Companies in the manufacturing and industrial space, however, have to take a much broader approach to security as their products and equipment become connected to the internet. The growing industrial internet of things (IIoT) makes those products, and the assets used to manufacture them, potential points of a cyberattack.
The challenge is getting stakeholders on the IT and operational sides within these companies working together on executing a unified security strategy. One company meeting that challenge is GE. A manufacturing giant itself, the company also sells technology to help other manufacturers secure and run their operations. Predix, which GE calls the industrial internet platform, is at the core of those offerings.
CSO recently spoke with GE Global Chief Information and Product Cyber Security Officer Nasrin Rezai about the company’s efforts to meet the IIoT security challenge and her views on the state of cyber security in the industrial space. Rezai is responsible for both product and enterprise cyber security across GE’s nine business units. She started at GE about two-and-a-half years ago as CISO of GE Capital. Prior to that, she worked in Silicon Valley at HP and Cisco Systems, and she also served as chief technology risk officer at State Street Bank.
How do you balance your role between the product and enterprise sides of the business?
Rezai: For the longest time, CISOs focused primarily on the enterprise side. We knew that the physical and digital coming together of cyber incidents was inevitable. In 2015, a few incidents solidified for us that the IT and OT [operational technology] convergence is making it a necessity for CISOs, CIOs, and boards of directors to think about cyber security not just in the terms of the IT shops they run, but all products—anything that potentially exposes the company to a cyberattack.
Take, for example, the attack at [domain name registry] Dyn. Hundreds of cameras were used to do a DDoS [distributed denial of service] attack against several small and large cloud providers. Who would have thought that a simple camera can be involved in a cyberattack? From an enterprise responsibility perspective, the scope of the CISO now becomes much broader.
I break the industrial space into three parts. The first is what I call OT security. If you have discrete manufacturing like building airplane engines or parts, or process manufacturing like an oil refinery or water purification plant, those manufacturing sites were very much air-gapped environments. They were highly isolated and not network enabled. You could be OK with a hard-coded credential or an HMI [human-machine interface] or PLC [programmable logic controller] that had a vulnerability because it was sitting in a very controlled environment. For a lot of industrials, that has now become a problem because a lot of IT has been merged into the management of the OT.
The second issue is consumer devices coming into enterprises. They can be components of a large-scale DDoS attack that ultimately impacts the company. Putting those two elements together, a lot of CISOs, CIOs, and boards of directors are asking, “How do I think about this holistically?” It’s no longer about protecting the enterprise, it’s about protecting the company’s assets as a whole.
This is not necessarily an organizational construct change between product and enterprise cyber security. Rather, it’s about bringing the risk management strategy together – knowing the critical assets, knowing the reference architecture, having done a risk assessment, having control elements built around that, and creating confidence in your risk posture that the leadership team can live with in terms of dealing with those kinds of attacks.
Finally, at the end of the day, it’s about readiness. If you run cyber drills, do you have your manufacturing personnel as part of those exercises? Does everybody know that if a breach occurs that impacts manufacturing, there are safety practices that IT needs to be educated on? What about the reverse? The need to bring a higher level of readiness into our practices and processes with OT security is absolutely critical.
How do you work with the product groups?
Rezai: I’ll talk about people, process, strategy, and organization. I report to IT on the enterprise side of the house and to the CTO of the company, who sets the strategy and direction for the product side. Product security leaders in every business unit have responsibility to ensure that our cyber policy around product and implementation plans—goals that we set annually around protection of our products—get implemented.
I also have dedicated leaders whose job is to build the risk management processes around protection. I report that back to the board on a regular basis. We have done some aspects through merging parts of the organization, and some by working across business units with product security champions. They, in turn, work with product managers in each business to make sure product cyber security is prioritized across the company. We govern it through ongoing review across the company.
So security is an integral part of the product lifecycle process, not something added on later?
Rezai: Yes. Cyber security is one of our top risks. We take it extremely seriously, and we believe that as a leader in IIoT, it’s a competitive advantage for us. We have capabilities around asset performance management, service management, and a full lifecycle of industrial optimization. What we bring to the table in IIoT is the capability for our customers to use their data combined with their applications and/or platform to get productivity optimization in new ways.
There are a couple of models of how this could happen with our industrial customer. One could be that they put all their data consumed by their applications on top of our Predix platform. Another is they go into a mixed model. For example, they could do edge processing at the boundaries of their enterprise and some of it in the cloud. The notion of protecting that information and having cyber security at all layers of the stack is strategic, and it’s our competitive advantage. We put tremendous focus and investment in ensuring that those trust and authentication services are built in for customers so they can build their critical capabilities on top of our platform (Predix).
What are some of the biggest challenges you face in delivering on this vision?
Rezai: Let’s go back to OT security: securing manufacturing and the introduction of consumer devices. Putting my practitioner hat on, the challenge is to understand what we have as a footprint. Having a view into the assets in the environment, knowing which risks we are exposed to, and being able to put programs in to monitor and defend against them or to respond to them in the case of an incident.
The challenge is the very, very large footprint that GE has, as do many of the other industrials or large enterprises. The opportunity is good risk management practices, prioritization of what we go after, and having good defense in the model where you rely on multiple control points to protect yourself from those kinds of attacks. On the IIoT side, we’ve put a lot of investment in building a secure end-to-end platform with Predix and the applications that sit on top of Predix.
What needs to happen in the industry as a whole to better respond to breaches when they occur?
Rezai: One of the good practices is knowing your weak points. Red-team your environment; behave as a threat actor and attack the same set of control points to understand the weaknesses. Combine that red teaming with drills and exercises that bring the human element into the process.
Security incidents and breaches are a reality and fact of life for most enterprises. At the end of the day, successful companies that work through the issues respond better and respond fast to their customer base. Customers are understanding and will work with you, if you’re on top of it, knowing that we have exercised all our capabilities to understand all our vulnerabilities and practices and that we have a plan to address them.
A common practice among CISOs is sharing intelligence with each other, and I think that’s key. Technology changes constantly, and there are many ways threat actors are getting into enterprises these days. Really understanding those threat actors, knowing their methods and procedures, simulating those methods and procedures, and getting the right people in the right roles who know how to respond are critical success factors for CISOs and the business leadership.
How does the sharing of OT threat intelligence compare with the enterprise side?
Rezai: It’s getting better. If I were to compare the maturity of threat intelligence tactically and operationally, we’re better on the enterprise side. For example, there are mature research practices and processes on the enterprise side. It’s getting better on the IoT side.
Again putting my practitioner’s hat on, because of the nature of OT, there are so many things that have to come together around detection and protection for industrial protocols. Industrials still lack network and scanning capabilities inside OT environments. It remains challenging for OT and IT managers to say “These are my unmanaged devices, these are my managed devices, and this is my state of patching.”
Sometimes you have very old products, multi-generations behind. They are still fully functioning. A lot of the goals and objectives for manufacturing are to get as much capability out of these devices as possible. The challenge is that now they are getting connected to IT networks, and their exposure is greater.
Some maturity is being built. Better practices need to come together, but I’m hopeful, because I see a lot of younger, innovative technology players offering capability in the OT space. At GE we are working on OT risk management practices to continually optimize manufacturing protection, detection, and response capabilities.
Second, and from an industry leadership perspective, GE views cyber security as a competitive advantage and essential in industrial IoT leadership. Our digital industrial applications such as APM and ServiceMax combined with the Predix platform enable customers to leverage their industrial asset-based information, and further optimize their service lifecycle management. Those end-to-end models need to also be secure.
It’s improving in both sharing of intelligence and new, innovative ways some companies are tackling it. The wrapper is risk management where CISOs, CIOs, heads of manufacturing come together and make it a company level agenda. Then cyber security improvement will be achieved across the board.
What makes you the most optimistic about the future of cyber security in the industrial space?
Rezai: Number one, I see among my peers that the IT/OT convergence is happening not just at the practical, but also at the strategic level. We’re putting our arms around this and looking at it as an enterprise-level issue. I’m optimistic that when we do it strategically we’ll find solutions.
Number two, the innovation I’m seeing in the OT space is going to close some of these gaps around network visibility, asset management, vulnerability management and threat intelligence sharing that we haven’t had in the past.
What in the industrial cyber security world keeps you up at night?
Rezai: What keeps me up at night is what keeps most CISOs up. Do we have coverage and understanding of our footprint? Do we know all of our risk exposures? Do we know all the challenges that are ahead? Do we have a good enough lens to see some of the political and regulatory dynamics around us?
Do we have the right set of automation capabilities built into our practices so that as we broaden our footprint, our response processes can be shortened over time? Are people ready? Do people feel comfortable in a time of crisis? Can they respond well? Have we educated our leadership to some of the challenges? Those are all the things that keep me up at night. I constantly cross-check them against what we are doing and prioritize and reprioritize and communicate. The job is fun, but sometimes nerve-wracking.