Making risk-based decisions in a rapidly changing cyber climate

Nicole Darden Ford is Global VP & CISO at Rockwell Automation. As the company’s cybersecurity leader, Nicole is entrusted to protect enterprise IT assets with scalable, future-ready platforms that enable the business. In addition to building cybersecurity programs for organizations across industries, including manufacturing, healthcare, and legal, Nicole has helped position two enterprises for IPOs.

In this Help Net Security interview, Nicole reveals the three key indicators she uses to assess an industrial organization’s cybersecurity readiness and provides valuable insights for businesses and governments on fortifying their critical infrastructure against cyber threats. She also shares her expert perspective on the ever-changing cybersecurity landscape, highlighting the latest trends and developments.

As a seasoned CISO, what are the top three factors you evaluate to gauge an industrial organization’s cybersecurity posture?

To defend and protect our respective organizations from cyber threats, our role as CISOs begins with exercising the discipline needed to make smart decisions that accelerate progress in a rapidly changing threat environment. Governments worldwide are recognizing growing cyber risks and we are seeing a shift from what was voluntary to mandatory. This rising regulatory pressure for greater accountability means cybersecurity leadership is pivotal to an organization’s ability to reduce risk.

I look at the following three points to gauge cybersecurity posture for industrial organizations:

• Alignment to a standard industry framework (e.g., NIST CSF, IEC 62443). It starts with rigor so you can adapt as adversaries increase their capabilities and measure your progress.
• Assessment of the OT environment. Without an assessment and understanding of assets and what they’re connecting to, we’re aimless. This is about having intimate knowledge of what’s in the environment and knowing what we’re trying to protect. We’re here to close gaps and mature capabilities.
• Presence of a solid OT cybersecurity plan. Where an organization is on its OT cyber journey is an important way to gauge progress. What works on the carpet floor doesn’t necessarily work on the shop floor. Are we dedicating the people, process, and technology investments needed to address the cyber risks in the manufacturing environment? We must be thoughtful in creating a roadmap that optimizes financial resources and addresses the real impacts of an OT cyber-attack.

Cyber-attacks targeting critical infrastructure have been on the rise since the start of the pandemic. What can businesses and governments do to prepare for this year?

Organizations must make risk-based decisions in a cyber climate that has become a race against time. As geopolitical forces use cyber as a weapon, we must conduct our own geopolitical analysis as part of cyber risk assessments. Understanding the drivers of attacks on critical infrastructure will help determine cyber defense measures.

I prioritize the following actions to improve our readiness:

• Connect – Establish strategic public-private partnerships (e.g., CISA’s Cybersecurity Information Sharing & Collaboration Program) to improve intelligence and information sharing on the threats that impact your organization.
• Engage – Bring in the right expertise and people who support your mission.
• Act – Have a plan that you can readily execute. It will take having the right talent in place and understanding the risks to your organization. Whether you’re a large or small organization, we’re all in this together and need to be ready.

Regardless of technology and available budget, CISOs can only sometimes access and control the invisible, even after identifying it. What advice would you give to security leaders protecting critical infrastructure? How should they approach securing their networks?

The escalating threat to critical infrastructure is concerning and nothing short of an understatement. Last year, we saw Microsoft double their number of nation-state notifications to critical infrastructure. So, we need to consider who the adversaries are, what they’re after and how they operate. And, pay close attention to identify those exploited vulnerabilities and weaknesses in supplier relationships.

Don’t let OT security be daunting. A bias toward action is important.

What we can do is focus on simplifying the process by following a disciplined approach that focuses on being brilliant at the basics. I use a CISO playbook for OT security that I like to refer to as “DRIMR,” which includes four steps that are fundamental and adaptable to any OT cybersecurity roadmap.

Step #1: Discover – Know where you stand. Conduct a security and risk assessment and log all issues and review progress against findings. Remain committed to extensive network discovery and asset inventory.

Step #2: Remediate – Prioritize assets you need to eliminate, upgrade or replace. This will look different based on what you discover in step 1.

Step #3: Isolate – Establish a perimeter physically and logically. This can include firewalls, setting policies to protect OT assets, control third party access and secure endpoints.

Step #4: Monitor & Respond – Enable real-time OT network monitoring and continuously view and react to the data. Set up an OT SOC and integrate your IT and OT cyber event response team.

From your expert perspective, how is the cybersecurity landscape evolving? What are the most pressing cybersecurity concerns for industrial organizations?

The last 12-24 months have shown us that attacks on manufacturing and critical infrastructure are here to stay. Many organizations still don’t fully understand the magnitude of OT cyber threats and cost impacts of an attack.

The U.S. government released its National Cybersecurity Strategy in March, which serves as yet another call to action. We see a shift in greater responsibility to owners and operators of systems that hold data and make our society function.

Knowing that manufacturing is the most targeted of all sectors, we must act and address the following security concerns in the manufacturing environment:

• Inability to patch aged equipment – The time to resolve tech debt is now. Don’t take the risk of having critical open vulnerabilities exploited by threat actors. There’s no need to incur more costs.
• Lack of visibility of assets – You can’t protect what you don’t know.
• Inability to rapidly remediate – This falls back to not having an accurate and comprehensive asset inventory.
• Not having OT talent and expertise – Need to find people who know digital convergence. Recognize that cross-skilling and upskilling is necessary.