New York-based Claroty is part of a growing crop of companies specializing in industrial control systems (ICS) cybersecurity. With all the attention on threats to the U.S. power grid, Claroty co-founder Galina Antova cuts through the clichés to talk about the biggest tasks ahead for the ICS sector.
CyberScoop: When it comes to ICS security, visibility into the OT [operational technology] network is a constant challenge. Why do you think this has been a persistent hurdle to the industry?
Galina Antova: Most OT networks are invisible to operators because most OT networks are not monitored. Unlike the IT side of the house, OT devices communicate via a variety of protocols, many of which are proprietary and therefore difficult to dissect. Also, due to real-time and uptime requirements, the traditional endpoint security products are not really applicable to OT networks and neither is active scanning of those networks. Many nodes on those networks are not even IP-based – they communicate on serial/fieldbus connectivity, so traditional visibility tools are also not applicable.
CS: Tell us about the updated approach to ICS security that Claroty has been working on. What problem are you trying to solve and why?
GA: At Claroty we believe that you can’t protect that which you can’t see. In partnerships with the ICS vendors themselves, we’re trying to solve the problem that most asset owners face: the rising ambiguity of what is happening on their operational networks. Doing this requires going beyond asset management and understanding the behavior of every device on the network, to include legacy and serial devices at the lowest end of the stack. It’s getting easier for a range of actors to attack industrial networks — we’re working to reverse this trend.
CS: Coordinated and responsible disclosure of ICS vulnerabilities is a work in progress. What are the big shortcomings in that disclosure process, and how can the industry measure progress in this area?
GA: Our philosophy when it comes to vulnerability disclosure is always to put customers, vendors, and end-users first. One of the biggest shortcomings is the release of vulnerability data before the vendor has a reasonable opportunity to develop and distribute a patch. Too often organizations or individuals rush to disclose the information, subjecting end-users to significant risk. By contrast, we always err on the side of safety. After all, unlike with an IT system, an exploited OT system can result in dangerous physical conditions for plant operators and others.
CS: Has there been a watershed moment in ICS security that brought it into the “mainstream,” making IT security folks who otherwise might not pay close attention to ICS security do so? In other words, is there sufficient awareness on the convergence of IT and OT security?
GA: The one-two punch of WannaCry and NotPetya was indeed a watershed moment for the ICS security industry. It’s unfortunate that it takes such malicious events to grow awareness, but there is now a consensus among IT and business leaders that OT security is a critical component of managing enterprise risk. Likewise, from a governance perspective, these events also caught the attention of board members across multiple industries. The most important lesson of both WannaCry and NotPetya is that you don’t have to be the target to be the victim — what those attacks showed is that OT networks can be impacted even if they are not targeted. Of course, on the other side of the spectrum, the nation-state attacks on the Ukraine power grid and on the Triconex safety systems are examples of how attacks on OT networks can be leveraged as tools in geopolitical conflicts.