Guarding the Grid: Cybersecurity Strategies for Operational Technology and Infrastructure

Show Notes

Embark on a critical journey into the heart of cybersecurity as MVR sits down with Michael Murphy from Fortinet to dissect the frontlines of operational technology and infrastructure protection. This episode guarantees a rich exploration into the sophisticated strategies required to shield our interconnected critical systems from the increasingly perilous cyber landscape. Michael unpacks the motivations driving hackers, ranging from monetary incentives to ideological battles, and their potential to disrupt our physical world. Discover how the expanse of operational technology widens the attack surface, and learn why partnerships like those with Fortinet are pivotal in curating a secure future.

As we peel back the layers of IT-OT integration, Michael highlights the delicate balance needed to apply IT security without hampering the essential operations of our infrastructures. We analyze the Critical Infrastructure Act's role in promoting exceptional cyber hygiene and the government's proactive measures to enhance national security. Through Michael's expertise, we uncover the essence of swift incident response and the collaborative efforts encouraged among various industry sectors. Tune in for an enlightening session that not only informs but offers tangible steps for organizations to bolster their defenses against the cyber threats lurking in the shadows of our digital age.

Chapters

• 0:00: Securing Connected Critical Infrastructure
• 7:43: Understanding IT-OT Convergence and Cybersecurity
• 15:11: Enhancing OT Cyber Hygiene Compliance

Transcript

Michael Murphy: 0:00

I ultimately saw the mouse moving around on the screen behind this engineer and kind of pointed out to him and his perspective was immediately to say it's just the it team that's actually doing some some investigation and research into this. They're just connected remotely and immediately. That obviously said some pretty strong red flags in our direction and what we discovered was it was malicious activity being performed by an external threat actor Well, through what was known as a remote access Trojan or rat in a world where every device is communicating, we're no longer concerned only with connection, but protection.

Michael van Rooyen: 0:36

Welcome to securely connected everything, your gateway to understanding the intertwined worlds of connectivity and security. We have a great conversation today, so stick around and we'll jump right in. Today we are having a discussion with Michael Murphy, the head of operational technology and critical infrastructure at Fortinet . Welcome, michael. Excellent, it's wonderful to be here. Thank you, before we start for the listeners, can you give a bit of a brief overview of your role at Fortinet, your involvement in with operational technology and critical infrastructure prior to that? Absolutely.

Michael Murphy: 1:16

So I've been very fortunate to Ultimately head up and build the strategy and execute upon that strategy at Fortinet for Ultimately protecting our critical assets within Australia across the nation. Historically I was a practitioner so ultimately I went in when when all the fires were blazing, to kind of assess when is the compromise come from? Is it internal threat? Is an external threat? And ultimately, how can we mitigate any malicious manipulation to that environment?

Michael van Rooyen: 1:43

Right, great, and some of those roles that you had a prior to Forti net were obviously very specific to that industry, and I think there is a Kind of a lack of people who come from understanding operational technology and then trying to adopt you know it standards, cyber standards. Is that something that you've seen a lot of and you know have that same position from a skills capability point of view? Yeah, absolutely.

Michael Murphy: 2:12

I believe that we live in this world where, suddenly, there have been critical assets that have been neglected from protection, and that's for a range of different reasons. Ultimately, what we need to observe and consider through this process is well, why have these assets been neglected? Why have people failed to take into account connectivity that's taken place within this modern world, and how can we appropriately assess that? I think what we've also seen is there are different aspects that are influencing operational technology and when we think about it operational technology for the very simple perspective of Anything with the digital input to a physical outcome and one of the key aspects of that is really when we assess and we look at, well, what's driving the change? Why? Why do we feel that we need to pay attention to this area and why are we potentially more exposed?

Michael Murphy: 3:06

And again, I think that comes from what we've observed through things like covid, where there've been brittle and broken supply chains. Um, the requirement for competitive advantage has increased. We certainly need the capability now to pull telemetry out of these legacy and brittle environments to make informed and strategic business business decisions. Um, and and these have all kind of come to a point where, historically, they haven't necessarily been on the radar.

Michael van Rooyen: 3:30

And, uh, you know from, from a critical infrastructure point of view, for many years, you know, these systems have been kind of built in a silo fashion, normally, you know, developed or deployed by the contractor might be the electrical contractor or the building management Contractor and over many, many years we've seen a lot of it input into that. So bringing in, uh, you know, systems to monitor and maintain, manage and control trolley systems, which is obviously brought connectivity. We all know those stories about people saying, oh, there's an air gap, which we know is, is factually very hard to prove. These days Everything is connected and people want connectivity for the convenience and reporting.

Michael van Rooyen: 4:11

Uh, so, from a security point of view, we know that we've got a large footprint and it'd be interesting to get your thoughts, but from my perception is the ot footprint is much larger than the corporate networks or enterprise networks I should say. Um, so cyber has become a real consideration for for these, and what are the drivers behind that? Is it? Is it what people worried around? Um, their Systems going offline, data infiltration, what? What are the key motivators behind the cyber drive?

Michael Murphy: 4:38

Yeah, there are two aspects to kind of unpack that. Uh, I believe. First, what we need to really deeply assess is Kind of the fundamental aspects of motivation. So what we know is that many different threat actors will form a mechanism associated with actually performing an adverse impact on an organization, but the key motivators that we normally see primarily to profiteer financially profiteer. They may disagree with the mechanism in which a good or a service is generated or delivered and that can be maybe associated with green initiatives or going against the grain of green initiatives.

Michael Murphy: 5:21

We also see that there are threat actors that simply want to create disruption to critical infrastructure environments. They want that cloud and that credibility within their, their circles or their syndicates. I think one of the other things that's probably front of mind for us right now is the simplicity of compromising these critical systems as well. You don't necessarily have to Go to some form of highly advanced Threat actor to formulate an attack and compromise a critical system. It can be very simple, commodity based malware that causes just as much damage, and that's kind of something that we've observed, where Disruption leads to downtime, downtime leads to revenue loss and then revenue loss can lead to irreversible brand damage.

Michael van Rooyen: 6:02

Yeah, fair enough. Fair enough to, fair enough to, I think. I think I read an interesting statistic from Gartner and you may be familiar with it, but Something about, I think, by 2030, 2035 somewhere, tom, or 2050, whatever the long time was but Threat actors are actually trying to cause physical harm. To really prove, prove the point is what I read, which is concerning right. So, so there's that. There's that, from a Fortinet point of view, we obviously work closely with Forti and from an Orro perspective and one of the main drivers from us is Working with Fortinet because of the approach that Forti is taken to operational technology security is probably one of the one of the most Largest investments we've seen from a, from a vendor, into really focusing on their own, obviously yourself, and quite a big investment globally. Can you, can you talk a little bit about what, what Fortinet is trying to solve in that area, is it? You know they obviously identified it, but, but hey, you know what the, what the approach is and what the long-term Investment in that area is yeah, absolutely.

Michael Murphy: 6:58

So you can kind of break that down into two parts. One is the technology. So we know, within corporate IT enterprise networks you have IP based traffic, simple to Ultimately encrypt and difficult to intercept. And then you have, within the OT realm, ot traffic which historically is unencrypted, it's easy to intercept and it's very simple to manipulate. So that's the first challenge that we've addressed Through our networking capabilities and software to make sure that we can provide comprehensive Visibility to both IP based traffic and OT traffic. The second component of that is kind of training people to be familiar with the fact that OT is very different.

Michael Murphy: 7:37

It Protecting critical infrastructure is, without question, a very noble objective. But what we also observe is when you have seasoned IT practitioners that go charging in to the OT landscape to apply IT security controls, um, it can lead to ultimately negative ramifications as well. So it's really important that we look at what's the technology doing to make sure it's fit for purpose and addressing the actual challenges that we observe, and then, from a people perspective, we're ensuring that they're appropriately enabled to understand well, what are some of the core frameworks that can be addressed and adopted, what are the technologies that can be deployed that won't break critical operations as well?

Michael van Rooyen: 8:14

Yeah, so what you're saying there is fundamentally, under the hood, similar type of technologies from a security design architecture point of view, and we know there's lots of drive in that area now around architecture and standards and the essential aid even drove quite a bit of that, and also we'll touch on SOC in a minute but what you're saying is that the skills required are slightly different. So we've all seen those scenarios where enterprise security comes in and may break infrastructure, but I'm not really understanding the importance of the way they operate. Is that, then, a gap that we've got? We've already got a skill shortage in the country from a technology cyber point of view. Is that something that needs to be additionally focused on that? The approach of kind of engineering and cyber together?

Michael Murphy: 9:01

With that question. I mean, I think when we do look at the eagerness of IT, cyber security practitioners and professionals that are interested in OT, one of the key things that's important to highlight is, ultimately, the ramifications of when things go wrong. So we have almost become fatigued through the process of understanding that maybe a laptop is some form of ransomware present. We simply send it back to our support desk or our critical incident response team. They reformat that system and you're back up online within half a day. Right, we've become very efficient at that. But we've also become familiar with the fact that we can respond to things with a sledgehammer right, ultimately pull the cable and shut it down.

Michael Murphy: 9:38

Within the OT landscape we just don't have that luxury, and that's something as a practitioner within the landscape, especially throughout APAC, we've observed time and time again. So you may very well walk into a energy generation plan and there is some form of malware that's running rampant throughout that network. You simply don't have the luxury to shut down all those systems. I mean one. It can adversely impact, kind of what that good or service is generating and facilitating to the community. The second aspect is, sometimes these systems can take months to get back up online, and that's something that we constantly work around. So that's where that visibility piece is so important to understand what is happening within your network. What are the critical systems and what are the levers that I can have at my disposal to respond with a scalpel approach rather than that?

Michael van Rooyen: 10:24

sledgehammer, of course. Of course great. And so you know Fortinet, I know, is doing quite a lot in design architecture. You know, I guess on my early point, around the investment you guys are making. I think you've even done a number of IDC. You know specific pieces of work to really validate it. You know, certainly you're well leading in the garden of quadrants from a security point of view. But for customers who are considering this IT-OT convergence some of them are embarking this journey today, but some of the life cycles are way more significant than enterprise IT you know how's Fortinet facilitating some of this convergence to you know, and insurance still, that they meet the security robustness that is required on both sides of the fence.

Michael Murphy: 11:08

Yeah, so I mean, when we look at IT-OT convergence, I mean, ultimately, the key factors that have driven that are the availability of connectivity through the processing control vendors and the technologies that they're allowing customers to actually adopt, and the simplicity of obtaining data remotely. I think the other component of that is really around the fact that the network and security solutions that we facilitate and we offer for many of the core products, you don't need to go and buy an IT-based firewall and an OT-based firewall. It's one and the same. So you can leverage a Fortinet firewall to do your segmentation and micro segmentation. You can align to industry standards such as IAC62443.

Michael Murphy: 11:52

I think one of the things that I'm conscious of when we talk about convergence and we talk about the air gap is, again protecting critical infrastructure is a noble objective and it's fundamental that we don't alienate organizations that are endeavoring to do so. And when we look at organizations that we speak to and customers that we talk to, they actually are required and mandated to still maintain an air gap in many different instances. Yes, we certainly respect the fact that air gap is beginning to diminish and there are many different passionate perspectives on that, but I think we need that approach where we don't alienate OT or critical infrastructure providers, we can go in there. We understand. What are their crown jewels, what are the critical services that they facilitate? How can they maybe adopt this concept of convergence to maybe reduce the impact on health and safety aspects associated with people that maybe had to go into very remote and hostile locations? How can you automate some of these activities?

Michael Murphy: 12:54

Yes, so what we see is, silo by silo. We've got a very measured approach in a pragmatic manner to draw on industry best practice frameworks. We leverage things like the MITRE ATT&CK framework for ICS, Again, the Purdue model from IC62443,. We've seen the latest iteration of NIST For OT recently come out. It's third iteration, third revision and these are all factors that come into play. We're simply not going in there saying, hey, you can go buy one product and that's going to resolve all your challenges right, of course, and that's the right approach.

Michael van Rooyen: 13:27

Right, we certainly afforded it and many customers expect that. I've had an investment in the past, want to continue to leverage that. Obviously, some critical infrastructure providers build with different contractors depending on the lifecycle of their assets. We see that with roads, where builders build different sections of the motorway. Factories may be built by different subcontractors, slash system integrators at different times. So multi-vendor approach is great. What you're saying is the architecture approach really working through. That is the way that you're doing it and obviously Ford has been very focused on this for a long time.

Michael van Rooyen: 14:05

What I'd be interested to also talk about is a lot of this is the customer is investing. The customer is doing that. Of course, it's their data, it's they got to protect their reputation. All those good things to talk about. You touched on this, the newer version, nist. For me, until recently, australia has been really lacking from a government point of view, the leadership in that area around. What are we doing? Are you able for the listeners to talk a little bit about the SOCI Act, what they're trying to fill which we don't have a NIST, australian NIST. It's very American driven, which a lot of people base it on. But can you talk to about what the government's doing, because I think that's kind of a really good part that Australia's trying to achieve and the implications of that?

Michael Murphy: 14:47

Yeah, absolutely so. I think the core initiative from the Australian government has been incredibly powerful. I think that long standing voice where, historically, we have had a critical infrastructure act that was initially kind of designed, developed and implemented for four critical industry verticals in 2018, has since obviously expanded into what it is today, across 11 industry verticals and 22 sub asset classes. When I look at the critical infrastructure act, ultimately it highlights what we should observe as good OT cyber hygiene and I use the word hygiene reluctantly within the cyber landscape, but again, if we kind of break it up right, what we can see is that phase one is really about discovery capabilities and comprehensive visibility of both your IT and OT assets. From that, you then have the capability to apply these sub filters to look at what is a critical asset within my environment where, if it is susceptible to malicious manipulation, it can cause negative ramifications for the nation or even the state, for instance. The second component of that is understanding well of the assets that I'm now familiar with and aware of within my OT network. Have I got the capability right now to discern and decipher if something is operating in a manner that it should not be? Is that asset simply malfunctioning? Has it gone through that process of degrading over time to the point that it doesn't work, or is it indeed a cybersecurity attack? Is it a cyber malicious activity that's taking place? And from that, the Australian government has rolled out some pretty stringent time requirements. So, upon discovery of an incident, you've got 12 hours to report that to the ACSE. Now, when you do report that, you also do have the option to actually request some assistance as well, which I think is beneficial. And what that highlights is the government is saying look, we understand and we respect that this is a sophisticated domain and we understand and respect that there are going to be certain discoveries as part of taking this journey on. But we're here to support you through that and we're here to pragmatically approach this challenge with you. It's not simply the teeth are out and we're just going to crucify anyone that doesn't actually conform and comply to it.

Michael Murphy: 17:08

The next component of that is really down to what's known as the systems of national significance, the SONs. Now, sons must adhere to enhanced cybersecurity obligations and that's very much centric around, or centered and centric around, end user awareness, training, performing vulnerability assessments, adopting dynamic playbooks. It's really that awareness piece. And then, finally, you have the critical incident response management plan and now what that does is looks at the measurement of the application of security and resilience within your network and how you can measure that over a year's period. So that's an annual requirement based on the financial year in which OT organizations or critical infrastructure providers must actually submit this document to the Australian government. The Australian government has said the first round is very much something that we do recommend that you actually submit, independent of the maturity level, so there can be some feedback and then moving into the next iteration will be more formally assessed and addressed.

Michael van Rooyen: 18:09

Right, right. And from your perspective, being again a firefighter in the early days now, obviously really driving a strategy from a vendor point of view Do you think the government's going far enough with that act? Obviously it's first iteration. Do you think it's the right move? Do you think we can improve it? What would your recommendations be if you were to be part of that committee?

Michael Murphy: 18:31

Yeah. So I think the powerful component of the way that the Australian government is engaged with the industry is opening up channels of conversation. Each time they release the latest iteration of perhaps some legislation to be reformed, or each time there's a new initiative in play, what they're doing is they're actually going out and saying look, provide your feedback to us, let us know whether this is something that's fit for purpose in your environment. Is this something that maybe overlaps with some pre-existing legislative capabilities that are in play? So communication is number one. Because each industry vertical is different. The Australian government has also opened up basically the network of sharing, so that different industry verticals can connect with their peers to communicate and share challenges that they're observing when taking on some of these new obligations, and I think that's a powerful component as well that needs to be taken into consideration In terms of has it gone far enough at this point in time?

Michael Murphy: 19:32

This is a journey, like anything, and I think once you address the core fundamentals, then you can begin building upon that right. I think we don't want a situation where it's suddenly too difficult, too hard and people don't make that personal invested interest, and when I look at OT, I think it's something that we do need to be personally invested in. It is something that affects our immediate family, our friends, our cultural aspects that we're associated with in, maybe within the area that we live or the areas that we frequently travel within. This needs to be a personal initiative rather than something that's just a tick box activity.

Michael van Rooyen: 20:13

Four customers that are really lagging in their OT security measures. What steps would you advise them to take immediately from the next steps embarking on the journey to securing the infrastructure? What would you recommend?

Michael Murphy: 20:28

Yeah, so there's probably two key things. One, many people are familiar with the tool known as Shodan. It's a web-based search engine that allows you to look for OT-based assets right.

Michael Murphy: 20:41

So don't fall into the trap of feeling that you have to go and spend half a million dollars on a risk assessment. Immediately Look at the assets that you have present within your network and find out which ones are actually connected physically to the open internet. So Shodan's a very powerful way of doing that. I mean, that's evidently a very rudimentary first step. The second step is take the time to do an assessment of your OT architecture. What we recommend is performing this, known as an OT C-tap.

Michael Murphy: 21:10

So you can actually look for OT-based traffic that may be traversing your IT enterprise network. There's so much focus on protecting IP traffic, as we mentioned earlier, yes, but are you familiar with OT traffic within your network? So do some discovery based on that. And then, finally, I think it is a partner challenge to address, right? We have found that we work really well as a team with either the customer, someone like yourself, and then also the processing control vendor as well, so don't take this challenge on alone. I think that's kind of where we've seen the biggest challenges.

Michael van Rooyen: 21:46

Yes, yeah, farron, farron, it's certainly a good start right. And for those people who haven't seen Shodan or know it, obviously it's very well known in the cyber industry. But for general listeners, certainly look up Shodan, have a bit of a poke around. It is very, very cool in one way, but very scary in the other and certainly something to look at. So I appreciate that. So, visibility, get to know yourself, work with partners, really deploy a bit of a strategy, know where you are before you know where you need to get Absolutely OK, great. And the last couple considering the critical I guess the critical nature of infrastructure that we've been discussing today, what are your key messages for, or takeaways for people listening?

Michael Murphy: 22:31

Yeah, I think there's a couple of things. So Dr Diane Vaughan is a professor in the US that ultimately has done a lot of investigation into serious catastrophes that have taken place, whether it is regarding the space shuttle the traffic control or even relationships, and one of the things that she highlights is that any clearly unsafe practice that does not lead to immediate catastrophe ultimately is a pretty dangerous thing.

Michael Murphy: 22:59

right? Yes, and with that, I think what we need to acknowledge is that it's very easy with human nature to wait for a compelling event of something that has happened before you take action. Yes, I think maybe take this moment to listen to this and kind of think right, well, rather than waiting for that compelling event of being compromised, let's actually hug the cactus, so to speak, and take on the challenge right now and put some baby steps in play to make sure that we're on a pathway and we've begun our journey. I think that's probably the key thing from my perspective that puts organizations in good place.

Michael van Rooyen: 23:33

And then, finally, where can people again listening or viewing really go and look more into Fortinet around their operational technology and critical infrastructure offerings, around security? Suggest the Fortinet website as a particular location. Obviously, we're their partner. Where would help customers? But for those who aren't, is it?

Michael Murphy: 23:53

Yeah, I think there's a couple of different avenues. We have a national team which is pretty broad, which is quite unique, specific to OT. We understand that with these OT challenges, you need an OT team, and that's what we've done. Ultimately, reaching out to yourself or even our team directly is probably going to be your best pathway, but also reaching out to the processing control vendors, right, I mean, we've worked very closely with them, especially organizations like Schneider Electric, siemens, and we have referenceable architects that's actually built in. So you may very well be using our solutions and not necessarily be aware of it.

Michael van Rooyen: 24:25

You're great, michael, appreciate the time today. Thanks for coming in Excellent. Thank you so much for having me have a good day. Thanks, go, go, go, go go.