To help provide a flavor of the insights and experience that Tripwire makes available, we’re conducting one-on-one interviews with several Tripwire in-house experts. You may have seen some of their bylines in Belden’s industrial blog over the past couple of years, but in this new series we want to provide a more direct glimpse into each expert’s individual industry purview. Each of them will discuss their own personal views on the current state of cyber security in the industrial environment. You’ll learn more about how they have been working with Belden industrial customers to help bolster their network security and optimize their uptime in today’s challenging environment.
Last time we sat down with Steven Sletten. In today’s interview, we feature Tripwire cyber security expert Brian Jackson. Please feel free to ask Brian any questions or start a conversation by emailing him at firstname.lastname@example.org. He and all his Tripwire and Belden colleagues are always at your service.
Brian, you have more than a decade of technical sales experience under your belt. How do the technical hats and sales hats work together to help customers?
As a sales professional, I’m often the first stop for potential OT customers looking to make inroads with their cyber security situation. Having a technical background helps me speak informatively to discover what they need and if and how we are a good fit to work together for mutual benefit. We talk challenges and how Tripwire technology can be brought to bear to help them, and if things look good, I’ll usually team with an engineer to take the next steps and do demos onsite and so on. But I think having a sales professional proficient in the technology of cyber security allows the customer to determine pretty readily if we’re a good resource for them in one easy conversation. It’s efficient and respectful of their limited time and keeps them from having to make a lot of additional calls. And it allows them to move that much faster to protect their operation too.
What do you say in those initial conversations to effectively help someone who is in the early stages of their cyber security implementation process?
Early on I tell them about The Center for Internet Security’s Critical Security Controls for Effective Cyber Defense. It’s a list of 20 best practice guidelines for computer security published as an industry service by CIS, with each broken down into a series of very practical actions. It’s very up-to-date, with their seventh update in less than 10 years. And it’s from a well-respected third party industry association, so customers know that it’s not Tripwire marketing telling them the most important actions; it’s an independent group of cybersecurity experts. I’ll direct them to the website and we can go over the list together on the phone. It really helps focus the conversation.
What are the main takeaways from the list?
It’s very detailed and comprehensive; in fact, relatively few organizations, even highly sophisticated ones, have all the 20 points fully covered. But the good news is that implementing just the top 4-6 can effectively mitigate about 80% of their risk, so it’s very powerful. I find that a lot of people, especially newcomers to cyber security, know how important firewalls are but maybe not much more beyond that. For example, the first few CIS points direct people to take actions including inventorying all the authorized and unauthorized devices and software on their network; identifying critical vulnerabilities in those assets; examining their administrative privileges; and configuring all devices for optimum security and continually monitoring for any changes. Tripwire has especially strong capabilities in all of these areas because our experience has shown us how vitally important they are. For example, when they do their first vulnerability scan, many organizations are surprised to find hundreds or even thousands of identified vulnerabilities in a large network. So it can be overwhelming. But Tripwire products provide a very accurate and well-prioritized report so users can make the most of limited resources and confidently take the most high impact actions.
What do you find motivates people to start the ball rolling?
Often, a company may have had an incident that has gotten C-level attention and therefore, at last, a budget for cyber security, and the caller is charged with spearheading that effort. Also common are calls from those that have been driven by regulation, especially electric utilities, and we work with more than 150 of those. I see regulation as an increasing trend. The U.S. Department of Homeland Security has designated several industries as critical infrastructure—including chemical processing, oil and gas, water and transportation, and I think it’s only a matter of time before those industries see regulations demanding that effective cyber security protections be put into place at their locations. Some of these organizations see the writing on the wall and want to get ahead of the curve before they are forced to either by regulation or by having been breached and are forced to play catch up. And of course some OT organizations are looking for a competitive advantage from a business perspective. Like they might set a strategic goal of being fully compliant with “x” CIS points by “y” date and make it a corporate initiative to differentiate their brand against competitors that are not as security conscious. Being that cyber security incidents are escalating, they can easily cost a million dollars or more, and planning ahead can be so effective in stopping them, it seems like prudent action to take and a non-traditional way to gain a valuable competitive edge.
What do you think gives Tripwire and Belden a competitive edge?
Cyber security in the industrial environment is fairly new, so by definition there aren’t any companies who have been in the field for too long. Some small players entering the field may call people up and say “we’re the OT experts, we do all OT.” And they may be perfectly fine but they certainly don’t have much of a track record to show, and not everyone is willing to be a guinea pig in something as crucial as cyber security. Once they get their long-awaited funding they want to move ahead with confidence. I think we’re unique in that Belden has more than 100 years in industrial environments and Tripwire has 20 years in cyber security from IT to utilities to heavy industrial, providing solutions really since the early days that private cyber security existed. So I think together we offer a pretty unique level of insight and experience and expertise for OT environments.
Do you find that OT professionals often turn to IT experts in their organizations?
Not nearly enough, although we are seeing a trend in the last year or so of IT more often “lending” expertise to the OT side of the house. Unfortunately, IT and OT can often be like the Hatfields and the McCoys. They have different objectives. OT is traditionally all about uptime, very slow moving and methodical. IT is very security minded, maybe even at the expense of uptime, so you can see where they might bump heads sometimes. But the bottom line is that there is extraordinary risk in the new OT environment, and organizations need to be more aggressive in fighting back, using whatever resources, internal or external, that are at their disposal.
Related LinksCyber Security Experts At Your Service: A Conversation with Tripwire’s Robert Landavazo
Cyber Security Experts At Your Service: A Conversation with Tripwire’s Randy Esser
IT/OT Convergence Means Greater Resources for Both
IT-OT Convergence and Conflict: Who Owns ICS Security?
The Human Attack Surface: The Weakest Link in Your ICS Security
A 1-2-3 Approach to Industrial Cybersecurity
ICS Security: Essential Firewall Concepts
Three Ways to Improve Your IP Network Security
SCADA Security: Securing DNP3 Communications with Defense in Depth
Belden Industrial Cyber Security Solution Webpage
Industrial Cyber Security for Dummies