Blog

It certainly is an interesting time to be in industrial security. This year we’ve seen exploits published for OPC, vulnerability signatures made public, an increase in scans against known control protocol ports, and the rise of a number of new security standards and regulatory requirements. Now nearly every major vendor is offering industrial security services as well, and a number of companies have started in this space. The question is, “what does this mean for industrial automation and critical infrastructure?”

Clearly, there is a need. I have never been to a customer site that told me that they have NOT had a security problem in the industrial side of the business. Several have expressed that they did not wish to share on this subject, which is usually evidence enough. The body of knowledge is increasing as well. The blackhat community is discussing industrial protocols, and there have been some very clear cases of theft, denial of service, software piracy aimed at industrial applications… the list goes on. The challenge is that despite this mounting body of evidence, it would seem that many in management, those with the buying power to actually improve security, still have not seen the light. One of the principle reasons is that when comparing cyber security to something like physical security or fraud, it is intangible and difficult to comprehend.

Management sees control characters and screens fly by when viewing a “hacking” demonstration, and unless they are aware of computers and programming techniques, it often just looks like any other screen. I have personally been in these demonstrations and heard things like, “so what, if I’m right there at the computer I’m going to hit it with a hammer rather than ‘hack’ into it!” No one is doing anything wrong here; it is just a question of what can be measured. If it can be measured and observed correctly, it can’t be improved.

Joining Wurldtech was a deeply personal decision, and one driven with a growing recognition that awareness just is not where it needs to be. It is clear that security is hard to “measure” but that is quickly changing thanks to companies like Wurldtech and pioneering researchers aiming to find ways to quantify security risk more effectively and measure performance. Personally, I find industrial settings much easier to measure benefit from security. If there are fewer problems on the network, less unplanned maintenance, and fewer process faults, then the result is greater machine efficiency, greater uptime, lower costs, and higher yields, all of which CAN be effectively measured.

One of the greatest benefits that I have seen in Wurldtech and the Achilles platform is that it removes doubt. While viewed often as a “product,” I tend to think of Wurldtech more as a product-enabled service company. Capable security experts are few and far between, and certainly not something typically companies keep on staff all the time, especially industrial security staff. Capitalizing on the multi-vertical and multi-vendor specialists at Wurldtech, companies are afforded a great opportunity to work with industry leading personnel to understand just how systems may fail, and what to do about it.

These are not limited to just security threats, either. Measuring device performance under high network loads, excessive fragmentation, high amounts of ARP traffic, UDP flooding, etc… all of which can happen under abnormal conditions on a network that may not necessarily be related to security faults. Understanding these variables, when a device fails, what happens when it does, and how critical the failure is. Management can now see very clearly what problems exist, removing doubt from their minds and hopefully driving them to make enabling decisions for industrial process improvement.

This is precisely the benefit to the asset owner community. Being able to perform failure mode and criticality analysis helps us define and create more resilient industrial processes. Putting devices under test and then interpreting the results and providing feedback helps engineers understand how best to design the process to avoid problems in the first place. This results in measurable and attainable benefit to the business.

The Achilles evaluation platform and certification program are fantastic for the vendor communities. Testing shortens development time, identifies more problems before they become problems, and creates a greater sense of confidence from customers. Customers benefit from this approach in that they can have more confidence in the selected solution. Now with Achilles Satellite about to hit the market, these capabilities are now much more realistic for the asset owner communities as well.

I am extremely excited to join Wurldtech as the Vice President of Professional Services. Being able to leverage technology found in Achilles is a tremendous tool to add to the belt when working with asset owners or vendors. Those that know me know I have spent much of my time working directly with the asset owner communities in recent years. I hope to leverage this experience as well as the Achilles platform now and into the future to help the industrial automation and critical infrastructure sectors raise the bar even higher. This is not just theory, in the weeks since I’ve joined the company we have already started executing on this vision with asset owners that are very pleased with the results. The objective of these services is clear: Test the devices, remove doubt, design and implement protections, and measure success.