“Cybersecurity is a never-ending journey. You never arrive and are all done because its technologies change daily. Bad actors are adept at using them, and so the cyber-threat surface is always there,” said Tayfun Kon, director and industry solutions owner at SoftServe, a software development and consulting firm. “As for readiness, I believe we’re getting there. The approach across all industries is more users are trying to adapt their posture to be ready for cyber-threats. The first step is admitting there’s a problem, and the second step is moving to defend engineering assets. More and more organizations are moving, so I think they’ll reach mature cybersecurity states sooner rather than later.”
This was the consensus reached by a panel of experts on the first day of Yokogawa’s YNNOW2024 users’ conference this week in Houston. The panel also included Allison Luedecke, internal audit VP, and CISO Mark Littlejohn, both of petroleum refiner and nitrogen fertilizer manufacturer CVR Energy, and Camilo Gomez, global cybersecurity strategist at Yokogawa’s U.S. Technology Center. Matt Malone, system consultant – cybersecurity, moderated the discussion.
Practical constraints
Despite this optimism, Littlejohn cautioned that effective cybersecurity often depends on company size, location, available personnel and revenue. “For instance, due to their existing security concerns, companies in the Middle East are typically on top of cybersecurity, and have air-gap procedures and policies that make certain no unauthorized communications get in or out,” explained Littlejohn.
“In general, U.S.-based firms are also doing well thanks to regulations and guidelines like NERC-CIP,” Littlejohn added. “However, their preparedness also varies widely, and some have no firewalls, software patching or other cybersecurity policies in place. This has a lot to do with funding because large multinationals can usually afford to do a good job on cybersecurity, while mid-sized companies can be very hit-or-miss.”
Luedecke reported that CVR Energy conducted a cybersecurity assessment five years ago, and initially struggled to gain support for proactive measures. However, more recently, its audit committee, executives and board members have been more receptive to their colleagues’ cybersecurity efforts, inquired about them, and considered how to address the risks. “We’ve even undertaken a cyber-risk assessment and internal audit,” added Luedecke. “Our internal audit is progressing, but there’s still a long way to go.”
Preparation, investment power fast, flexible responses
Because digital probes, intrusions and attacks shift so quickly, cybersecurity defenses must be equally adaptive, said Yokogawa’s Gomez.
“Not only is the cybersecurity landscape constantly changing, but we must also adapt due to increasing use of common technologies for managing security risks by IT and OT,” explained Gomez. “Many users on the OT side still don’t consider following cybersecurity standards and best practices, but ISA/IEC 62443 can help users and owners alike find the cybersecurity best practices that will suit their applications and give them the best protection.”
Gomez added that many users in the OT space and their process industry organizations are working towards cybersecurity maturity more quickly and effectively than they did before due to recent and well-publicized ransomware attacks, as well as increasing identity theft and other fraud incidents.
Not only did cyber-incidents increase in the wake of the COVID-19 pandemic, but malware and breaches also spread widely before and during Russia’s war in Ukraine, and also in connection with Israel’s war in Gaza and most recently in Lebanon. “When Russia took over Crimea years ago, Ukraine’s electrical grids were also disabled, and they responded with improved cybersecurity,” said Littlejohn. “This also enabled Ukraine to be better prepared for the cyber-attacks that accompanied Russia’s more recent invasion.”
Beyond geographical conflicts, Littlejohn reported that over the past 10-15 years, early cyber-attacks like Stuxnet, Triton/Trisis and subsequent versions spilled over into other industries. Despite the obvious risks, he added that cybersecurity professionals in many regions have mounted successful defense programs. “Users in Asia and Australia are good at cybersecurity because their OT and IT departments typically work hand-in-hand. Meanwhile, users in Europe believe in regulations and investing in cybersecurity,” explained Littlejohn. “Meanwhile, no one in the Americas appears to want any regulations, cybersecurity or otherwise, and they don’t seem to be spending on it either.”
Soft skills, standards aid resilience
Even though CVR Energy started with very siloed OT and IT departments, Luedecke reported that their cyber risk assessment initiatives began to gain momentum when they worked across the aisle and started meeting regularly. “This let everyone contribute their thoughts,” she said. “This allowed our cybersecurity efforts to move forward with everyone’s help.”
Littlejohn added that CVR Energy had a list of cybersecurity issues to address—and a budget to fix them—which isn’t available in many organizations. “We put these cybersecurity problems up on a board, so everyone could see them, and decided what to do as a group,” he said. “Many of these initial items were corrected, so they can be part of the follow-up we’re doing now.”
Gomez reported that cooperative cybersecurity projects and learning to detect, avoid and respond to breaches—along with a boost from the ISA/IEC 62443 standard and other guidelines—combine to nurture the resilience required in the long run.
“Documenting programs like the TSA’s Pipeline Security Directive 2 shows how they learned to build and test protections,” said Gomez. “This can be very helpful to other cybersecurity programs that are just getting started because they’ll all need continuous practice to close the loop.”