
Our Radical Approach to Marketing & Sales : CISOs are tired

This article is by Awen Founder & CEO Daniel Lewis.

CISOs are fatigued, annoyed and irritated by the marketing and sales approaches used by cyber security companies. They’re genuinely tired of it… even more so in the industrial sector, where some industrial cyber security software companies make bold claims that stretch the truth a little too much.

We know the truth because we’ve been investigating industrial cyber security before we even considered starting a commercial company.

The truth is that all CISOs in industrial sectors know that Operational Technology (OT) / Industrial Control Systems (ICS) / SCADA / Industrial Internet of Things (IIoT) are full of potential cyber security vulnerabilities, especially the closer they get to an IT network. The truth is that no single cyber security product is going to solve it all.

The truth is that this is going to take time to become more secure, and it’s going to take software and techniques built from the ground-up, and not software repurposed from IT security.

The truth is that this requires an approach which is not forced upon engineers by people trained in IT or general cyber security, but an approach which is wholeheartedly applicable to engineers and the specific industrial sectors.

The truth is that there is a lot of legacy equipment, and that legacy equipment isn’t going anywhere for a while, despite the desire to work towards Industry 4.0 - “if it works, and it’s enabling the operation of the service, then why change it?”

The truth is that these industrial companies quite often don’t have the budget to make significant changes which would support some of these industrial cyber security software products, particularly within critical infrastructure sectors which have a non-profit ethos. The truth is that these cyber security software products are sometimes looking too far into the future.

Every business, even Awen, has to do marketing and sales in order to survive. But we’ve decided to take a different approach, one of radical truth. This Radical Approach to Marketing & Sales (RAMS) means that we might tell you that we can’t do something yet. That will be the truth, and our hope is that you will understand it, so that together we can use this truth as a basis for further mutually beneficial collaboration. For example, coupled with our agile and empathetic approach to software development, we would certainly take a new feature request on board and even develop it rapidly, specifically for you. We will also tell you the truth about the other products on the market: what they do well and what they cannot do well. We want to work with you on industrial cyber security, not force you into a specific way of working. As a business, Awen is flexible, and as a product, Dot has the flexibility to be deployed based on the way that you work, not on a set of requirements dictated by us.

If you’re in an industrial company and are looking for cyber solutions, then contact us today; we’re not going to hard-sell you, or stretch the truth.

Cyber Attacks on OT on the rise, and why we should be concerned

Last week, cyber security experts Fortinet published a report on security trends within Operational Technology, again putting the spotlight on these highly vulnerable and increasingly attacked systems, many of which are responsible for providing critical services to society worldwide.

There was an indication that bespoke OT cyber attacks are on the increase, targeting specific vulnerabilities within SCADA and ICS systems. Whilst this is certainly a serious concern, almost more shocking is that the majority of attacks on OT systems are IT-based legacy attacks which would no longer be effective against modern IT systems. These OT systems are comprised of aging hardware running unpatched software, leaving them highly vulnerable to even basic IT-based cyber attacks. This means that bad actors can effectively disable an OT environment with no specialist or prior knowledge of the specific systems involved, leaving no ICS/SCADA device secure, regardless of the vendor, software or hardware involved.

There also seems to be continued neglect of basic cyber hygiene within ICS and SCADA environments, with almost a third of OT devices directly connected to the internet, and another third accessible from the internet via the IT enterprise network. Whilst it is acknowledged that connecting the OT environment to the IT network brings many benefits, increasing efficiency and visibility and leading to optimisations and significant cost savings, these benefits are in direct opposition to the increased security risk. These findings seem to point towards a scenario where decision makers within these organisations weigh potential cost savings above the cyber risk, leading to the highly vulnerable situation that Fortinet are now reporting on.

To add to this, it is reported that more than 8 in 10 respondents to a survey stated that they are unable to identify all the devices connected to their OT and IT networks. How can OT operators begin to mitigate the cyber risk within their environments when they don’t even have the visibility into the devices they need to protect? This is something we are keenly aware of at Awen Collective, and we’re here to help. Our asset and risk discovery software, Dot, exists to provide a deep level of understanding of an OT environment, highlighting key concerns and helping cyber security, OT engineering and corporate compliance teams to manage their responsibilities with the best information available to them.

What the report doesn’t focus upon is the environments in which these systems operate, and the potential effects on the operators and their clients. Whilst many of these systems exist within manufacturing facilities, and naturally there are huge costs associated with attacks within the manufacturing sector, there is more at play here than monetary loss by large-scale manufacturers. ICS and SCADA systems are a key part of how providers of critical national infrastructure deliver their services to society. This includes the provision of electricity, water, sewerage, transportation and healthcare. If any of these services were interrupted or disabled by a cyber attack, there is a strong likelihood of widespread disruption, potentially leading to societal destabilisation and loss of life.

There has been an effort by EU legislators to address this concern by introducing the NIS Directive, which requires all EU states to bring into law that critical national infrastructure operators consider their cyber security across their entire IT and OT estates and embed good cyber security practice at all levels of their organisations. Based on this report, there should be some significant hurdles for CNI operators to overcome before they are entirely compliant with the directive. With fines of £17 million or 4% of annual turnover due to be levied against operators found not to be compliant, it should be a strong wake-up call for business decision-makers across CNI organisations. To help, Awen Collective offers Profile, a compliance checking tool for the NIS Directive, allowing a CNI organisation to easily and quickly determine its current compliance level, identify weaknesses to overcome and get advice on next steps.

We’re thankful to Fortinet for their report, and we’re looking forward to continuing to help ICS and SCADA operators solve the cyber security issues they have. If you’re looking for cyber security solutions for your OT environment, reach out to us at hello@awencollective.com.