Robert M. Lee, CEO and Co-Founder, Dragos, reveals top industry trends and gives advice to companies for 2023.
What are some of the top trends in the industry?
At a macro level, one of the biggest trends in the industry – digitisation and the associated hyper connectivity of industrial environments – while ultimately a good thing for the sector, is also driving a lot of the risk.
Prior to digitisation, you’d have a refinery or electric substation in one part of the country which would have almost nothing in common with a refinery or substation in another part of the country, let alone another country altogether. This caused problems for businesses in terms of moving people from one facility to another, as they needed to learn a whole new technology and a whole new stack of equipment, making it very difficult for the business to scale.
Now with digitisation and hyper connectivity, we have moved from heterogeneous to homogeneous infrastructures. This allows for a more equitable system wherein we can attract talent from around the world and take advantage of modern technologies, and ultimately make our systems more productive.
But it also creates more risk. Adversaries were previously more limited by having to create extraordinarily boutique OT cyber attacks for specific organizations. Now they are also able to create threats that can be more broadly employed against a range of organizations. This is something we saw with the PIPEDREAM malware earlier this year: a capability that could scale easily and impact and disrupt lots of different industries.
What advice would you offer companies heading into 2023?
For industrial companies, executives need to align on what OT risk scenarios they want to focus on. Executives should be thinking about what kind of events they want to prepare for as a company. Is it ransomware that impacts the OT networks, and attacks to safety systems? Whatever those concerns are, they need to be identified. Once that is done, then the security staff can carry out their jobs effectively and advise on the best approach and security systems needed to mitigate those risks.
To that end, cybersecurity teams should be focused on implementing the most important security controls for their OT environment. In my role outside of Dragos at the SANS Institute, I co-authored the whitepaper “The Five ICS Cybersecurity Critical Controls” with fellow senior instructor Tim Conway, to help organizations establish an ICS/OT cybersecurity strategy that is flexible to their risk model. These controls can be mapped to existing standards and frameworks such as IEC 62443 and the NIST Cybersecurity Framework.
My other piece of advice for executives is that the next time they are being briefed by the CSO and their teams, ask the question: Is the security program enterprise-wide, or is it enterprise IT? In other words, is the state of the operations environment represented in what is being presented? And if not, it needs to be. Very often CSOs are addressing the health of the enterprise IT networks, but that’s not the full enterprise.