To help provide a flavor of the insights and experience that Tripwire makes available, we’re conducting one-on-one interviews with several Tripwire in-house experts. You may have seen some of their bylines in Belden’s industrial blog over the past couple of years, but in this new series we want to provide a more direct glimpse into each expert’s individual industry purview. Each of them will discuss their own personal views on the current state of cyber security in the industrial environment. You’ll learn more about how they have been working with Belden industrial customers to help bolster their network security and optimize their uptime in today’s challenging environment.
Last time we sat down with Randy Esser. In today’s interview, we feature Tripwire cyber security expert Robert Landavazo. Please feel free to ask Robert any questions or start a conversation by emailing him at email@example.com. He and all his Tripwire and Belden colleagues are always at your service.
You are a relative newcomer to Tripwire; where were you prior to joining the company?
Most recently I was working at an electrical utility in the western U.S., charged with helping optimize the cyber security posture at their facilities. As a matter of fact, it was there that I became familiar with Tripwire products. We used the Tripwire product suite for security and NERC CIP compliance, including Enterprise, Log Center, IP360 and several apps and extensions as well. We benefitted greatly and I have to admit I became a huge fan of the tools and their capabilities. So when I had an opportunity to join Tripwire, I jumped at it. It’s been personally very fulfilling for me to be in a position to evangelize the capabilities of these products and help our customers succeed in much the same way as my colleagues and I did in my prior role.
As far as what brought me to the utility, before that I was working in public safety for state and local governments, helping manage 911 and other emergency communications. It was there that I got a taste for the demand for very high degrees of uptime—99.999999 and better. And that’s what got me interested in utilities, because they have that uptime demand on an even larger scale so it is a real challenge. And now here I am at an organization that can help industries of all kinds reach high levels of uptime—manufacturing, transportation, oil and gas and more. And the stakes are high—these verticals all have some mix of business concerns, environmental concerns, equipment concerns, safety concerns and more that are all riding on safe, reliable operation. I’ve been here a little over a year now and it’s been great.
So you joined Tripwire after Tripwire became part of Belden?
Yes, and that was very timely I think. Even above and beyond the excellent products I could tell that the culture of my new company was exciting and energizing. People were very enthusiastic. Belden, with its 100+ years of industrial experience, was enabling Tripwire—with its 20 years of cyber security insights—to readily turn its attention to industrial environments, and deliver proven cyber security solutions into an arena that was just burning for them. It was a new chapter for the industrial environment and a new chapter for Tripwire, so a very exciting time to be part of both.
How does the cyber security posture you’re seeing at these industrial facilities compare to that of the utilities?
Well, the utilities had the regulatory agencies on them with a whip—with threats of fines that could be a million dollars per day. So that forced them to be aggressive and proactive and dedicate the resources needed to move way, way ahead. Industrial organizations don’t have that “incentive.” In fact, I think it’s reasonable to say that in many ways today’s industrial organizations find themselves facing challenges similar to what utilities might have faced 7-8 years ago. In many ways they are starting their journey to cyber security success from scratch. And the fact that industrial organizations are not being “forced” to protect themselves like utilities were is a mixed blessing at best. They find themselves having to create a business case for implementing cyber security. They say “What’s my ROI?” And it’s hard to quantify. But the best way we have to answer that is to look at what the cost of an outage is for them, with loss of revenue, wasted materials, labor, missed deadlines and so on. A multi-day incident can easily represent millions of dollars in some industries, and it’s always multiple, multiple thousands. And frankly, the chance of a breach is almost a given at this point—it’s definitely a matter of “not if, but when.” So if the cost of protection is so much less than the cost of even a single modest outage, it seems that the ROI can be quite attractive. And executives are seeing that.
Don’t people in these industrial environments tend to think that they won’t be targets—saying “that’s an IT problem, not an OT problem?”
There is still some of that, but incidents of ransomware like WannaCry have made most people realize that all networks are vulnerable, whether industrial OT or business IT. The evolution of that wishful thinking is OT people saying “well I’m a little industrial company I don’t have to worry. They will go after the big industrial companies.” But the big industrial companies are mostly very well protected at this point, so many medium and small industrial companies have become easy pickings and low hanging fruit for the hackers. “Hacker target practice” if you will, just honing their skills for a real challenge, and wreaking havoc on someone’s business without a second thought.
When you visit these industrial facilities, what cyber security vulnerabilities do you see looming largest and what can they do most easily to protect themselves?
It’s really back to basics. Like many times we see unprotected connectivity between business networks and the plant networks. And of course that’s a huge no-no. So network segmentation is vital. Securing remote access is another common issue. More and more outside vendors are being given access to work on a PLC or other device through a third party software solution. That can be valuable but it also opens up a huge vulnerability if it’s not done securely. Reluctance to patch and keep software up to date can lead to issues too. In a plant environment, people don’t want to take the time to stop a piece of equipment running 24/7 for updating. The result is that even commonly deployed pieces of commodity software like a free pdf reader sitting on an HMI can cause problems. I’ve seen people with versions that may be years old because they’ve never patched it and it can be vulnerable. If a technician brings in a laptop with an infected manual and opens it using the unprotected, outdated pdf reader, the network can become infected. Fortunately, all of these common situations are relatively easy to remedy. For example, you can keep the machine going 24/7 and protect it with a mitigating firewall that will help substantially even if you don’t keep software patched and up to date, so you can have your cake and eat it too.
Cyber Security Experts At Your Service: A Conversation with Tripwire’s Steven Sletten
Cyber Security Experts at Your Service: A Conversation with Tripwire’s Brian Jackson
Belden Industrial Cyber Security Solution Webpage
Industrial Cyber Security for Dummies
Robert Landavazo is a Systems Engineer at Tripwire where he focuses on helping customers secure their Industrial Control Systems. He has a background in in the electric utility sector, most recently working to implement a NERC Critical Infrastructure Protection (CIP) internal compliance program leveraging Tripwire’s own product suite. While at this utility, Robert worked in Operations Technology to support SCADA in Distribution, Transmission and Generation. Prior to his tenure in utilities, Robert worked in Public Safety, managing emergency communications infrastructure like Next Generation 911, IP Radio and Computer Aided Dispatch systems.