Zero-trust is a good way to prevent hackers from gaining control of our infrastructure and energy industries, expert says.
TechRepublic’s Karen Roby spoke with Greg Valentine, solution director for Capgemini, about cybersecurity in the energy sector. The following is an edited transcript of their conversation.
Karen Roby: Greg, we talk a lot about now more than ever, the energy sector and cybersecurity, and people are realizing more and more just how vulnerable different pieces here in our communities, how vulnerable we really are. And it’s a scary thought when you break it down. Let’s talk a little bit about this recent executive order from President Joe Biden. Let’s start with that. The impact you think that will make on getting people in the right mindset and moving forward with cybersecurity.
Greg Valentine: Sure. I think this all stems back to the criticality of the country’s infrastructure basically. And there’ve been some recent breaches around the country that have significantly impacted the country and the citizens, honestly. And so, President Biden came out with the executive order and basically said, “If you want to do business with the federal government, then you need to improve things.” And it’s pretty specific actually on some of the elements, zero trust architecture is one of those, which I happen to be a big believer in as well as sharing of information, getting rid of some of the barriers to sharing threat intel, etc. So depending on where you are on the political spectrum, either you think this is a great thing because the government’s leading the way. Great. Let’s go. Or you’re more on the other side and not pro-government and let’s catch up, right? Let’s catch up to what the government is saying where we should be and even excel past at it when we can.
Karen Roby: Greg, it seems like politics should be left out of this, right? Our beliefs in one way or the other, because when it comes down to it, this is such a huge issue, and it impacts every company and government entities and school systems and healthcare systems. So zero trust, though, to me, seems very logical. And that also is a topic that we’re talking more and more about. Do you see zero trust being embraced more?
Greg Valentine: I do. The term zero trust has been around for at least a decade, I think just around 10 years, maybe 11 now. And the idea is solid in the sense that it’s an approach to security, right? It’s not an actual product you can go buy or a service you can go buy, it’s basically bearing in mind the fundamental idea that nobody is inherently trusted. Everything has to be verified and validated before you’re given access. So, instead of a traditional castle and moat, where you have a strong boundary around the organization, but then once you get through that boundary, everything’s open and available, i.e. ransomware or any other breach. Zero trust, you only have access with the minimum amount of privileges that you need to get the job done to the systems that you need to get the job done. So, that greatly limits the impact of a successful breach, be that ransomware attack or some other, just getting the keys to the kingdom, so to speak. Zero trust is great at minimizing your attack surface.
Karen Roby: Which again, seems very logical to me as just the idea of sharing threat intel, right? Where do we stand with embracing that as well?
Greg Valentine: Threat intel, everybody looks at that as IP basically, and now we need to take it and protect it and guard against it. But in reality, if you think about it, if you share intel with others, now you’re greatly minimizing the effectiveness of the attacker. And isn’t that ultimately the goal for everyone? You want to take away the advantage that the bad guys have. And one of those ways is by sharing threat intel.
Karen Roby: Greg, when we talk about how the criminals and hackers, the bad actors have evolved and are moving into a direction where it’s if there’s nation-backed organizations and whatever to where they’re going to where they can really cause harm. It’s not just about getting in, getting out, finding someone vulnerable, getting money from them. Real-world, serious implications, consequences for citizens of a country, and when we’re talking about our infrastructure, critical infrastructure, it’s pretty frightening.
Greg Valentine: Absolutely. And one thing that everyone has to consider is the attack surface, as I was saying earlier. Traditionally, the way that bad guys gained access to the OT infrastructure is by going through the enterprise and then finding their way into the industrial control system, factory or refinery or whatever it happens to be. That connectivity is getting bigger now, not smaller, because the business of the enterprise needs to have access to the revenue generating side of the organization. So, that makes sense. So the organization really has to take proactive measures to minimize the risk for the overall organization.
If somebody does reach the enterprise some way, well, if you were using zero-trust fundamentals on the enterprise side, they won’t be able to get to the industrial control system side, but let’s say they haven’t done that yet. And there is a way to see if the plant or the refinery, or what have you, has now implemented zero trust, now the same idea kicks in. The damage that can be done is greatly minimized. And yet you will be able to discover the attack, add that to your threat intel, etc., and hopefully share that with others.
Karen Roby: Yeah, most definitely. And I remember Greg, it was about two and a half years ago, I interviewed a former military member who was in intelligence. And I remember him saying his big push was, we need cybersecurity experts sitting on boards, big boards, because so many of them were clueless as to the threats that are looming and what’s to come down the road. I remember him saying how much resistance when he would say this he would be met with. Are we seeing now the shift though in that, that they’re thinking, “Oh, wait, we do need cybersecurity experts to be involved here in our decision-making?”
Greg Valentine: We are, we are seeing much more cyber being considered from the ground up, which is great. That’s fantastic. I don’t know. I can’t speak to why that is. Maybe it’s because of all of the front-page news headlines that have been going on for a while.
Or maybe there’s some other, but traditionally cybersecurity has been seen almost as an insurance policy. It’s difficult to measure ROI, etc., for it. But now everybody understands, it seems to me, that they absolutely can proactively protect themselves with good cybersecurity guidelines and projects.
Karen Roby: From your seat there and in talking about this every day, what concerns you the most? Do you think it’s just the idea that the criminals tend to be one step ahead?
Greg Valentine: It’s always a cat-and-mouse game. There’ll be times when the criminals are one step ahead, and then we discover what they’re doing and we’re one step ahead. And I don’t see that ever changing. That’s just always going to be cops-and-robbers. Somebody’s going to be ahead at any given point in time. The biggest fear I have just coming back to OT in general is human safety, basically. These facilities are the types of facilities where not only do you have to worry about downtime and production and revenue loss, but there are actual physical implications as well. Chemical factories, oil and gas, energy, there could be loss of human life. And that escalates everything. Of course, that trumps everything. So that’s my biggest fear, honestly, is the potential loss of life.
Karen Roby: When you look back, what silver lining do you see going ahead and from where we’ve come; do you think just people in general being more aware, especially when things are plastered on the headlines, is that a good thing that’s helping us move into the future?
Greg Valentine: I’d say it’s a couple of things. One is yes. The realization at the higher levels of an organization that cybersecurity is important and critical, I would even say, in the sense that you can take proactive measures to protect your organization, to protect your OT facilities. Now, to do that, one of the elements that I’m very excited about is the zero-trust architecture concept, which gives you an approach. What do I keep in mind as I’m going down that protecting my OT assets? And if you follow the zero-trust methodology or more a philosophy, I think then you are in a significantly safer place than if you’re going through the more old school moat-and-castle approach to cybersecurity.