More Related Content Similar to OT Security Architecture & Resilience: Designing for Security Success (20) OT Security Architecture & Resilience: Designing for Security Success2. Jim Guinn, II
Accenture
Senior Managing Director
LinkedIn: @Jim Guinn, II | Twitter: @jimmy_guinn
Our improvement journeys are all
different, but our end goal is the same –
achieve operational integrity and cyber
resilience.
We are honored to have so many senior leaders
and cybersecurity OT experts involved with this
summit, sharing their experiences and insights
to help others achieve the goal. The outpouring
of support for this event has been amazing. It
demonstrates how important knowledge
sharing and community involvement are to
moving the needle on industrial cybersecurity.
What follows are key takeaways from each
session. Bold statements from OT cybersecurity
practitioners based on real-world experience
advancing programs and tackling the same
challenges facing your organization.
We all know a lot can go wrong in an OT
environment, which can impact health, safety
and the environment. The last year has
highlighted just how vulnerable our critical
infrastructure is to cyber threats. And there's
absolutely no question that if any of these
attacks are successful, HSE issues can ensue.
Cybersecurity can no longer be an afterthought.
It must be top of mind, always.
As you read through this document and listen to
the replays, think about your upcoming projects
and operational objectives and consider
reframing your discussions to incorporate
security.
For example: “As we adopt 5G to gain extra
bandwidth, how do we do that securely?”
“We are planning to increase production
securely.” “We need to enhance our operations
securely with the use of robotics.”
If we just embed the word security in everything
we talk about and in everything we do, it then
comes to the forefront of our minds.
Review this guide. Share the on-demand
content. And reach out if you have questions or
just need a sounding board. My team is ready to
collaborate to advance your program for
whatever is next.
Cheers,
“There’s absolutely
no question that if
any of these
attacks are
successful, HSE
issues can ensue.
Cybersecurity can
no longer be an
afterthought.
It must be top of
mind, always.”
Jim Guinn, II
Copyright © 2022 Accenture. All rights reserved. 2
Watch the summit >
3. The Cybersecurity Imperative: Why embrace it?
Session
Overview
Architectural imperatives for cyber resiliency
Technology and innovation in modern OT networks
What’s old is new – Using IEC 62443 for IIoT SDLC
OT security resilience myths busted
Centralizing OT cybersecurity management
Automation—In promise, in practice
Opening Keynote
Operation: Next ‘22
Fundamentals & Structure
Innovation & Technology
Case Study
Project Execution
Investment & Risk
Closing Keynote
Designing for
security success
Resiliency is the new imperative for OT
environments. This track provides
valuable insights for building a security
architecture to meet the business
challenge. The discussions are intended
to spark conversation and this guide
highlights key takeaways on what works,
what doesn’t and what’s next.
The agenda covers:
• zero-trust building blocks
• cloud and IIoT integration
• OT security program maturity
• technology investments
• risk and safety
Architecture
& Resilience
4. It’s impossible to
have every angle
nuanced…
Get your four to
six critical assets,
critical processes
really understood
and quantify the
financial risk.”
Bob Dudley
“
Muqsit Ashraf
Accenture
Bob Dudley
Former CEO, BP
Speakers
The Cybersecurity Imperative:
Why embrace it?
Breaches continue to climb despite
billions invested in cybersecurity. Are
companies investing in the right
security priorities?
Bob Dudley provides his thoughts on why it has
taken so long for executives to wake up to the
challenges and what is needed to make
cybersecurity a strategic priority for executives
and the board.
Key takeaways:
• For a long time, cybersecurity was viewed as
a technical problem, rather than seen as an
operational risk and business continuity
concern.
• Priorities are changing as breach
implications become more significant,
including emerging case law that holds
boards and executives accountable.
Opening Keynote
• Boards need to understand the problem, the
language and the financial implications to a
company. Time to move away from showing
the board basic activity dashboards and
begin reviewing the critical assets and
business processes that are most vulnerable
and quantify that risk.
• Big wake-up call was when Accenture was
able within a few weeks to take over BP’s oil
refinery control systems. Immediately
created a world-wide task force to update
our asset security program. It took time and
significant culture change to implement.
• Crisis Management exercises helped our
executive teams understand the
communications process was far more
complicated than they expected.
Copyright © 2022 Accenture. All rights reserved. 4
Watch the full session on-demand >
5. Cyber resilience is
not a technology
challenge, it’s a
business imperative.”
Rob Boyce
“
Rob Boyce
Accenture
Speakers
Architectural imperatives
for cyber resiliency
Data, infrastructure and access—
three components, when combined,
can achieve a more comprehensive
and resilient architecture.
Organizations that have demonstrated cyber
resilience success have taken leading practices
from IT and OT and brought them together.
These include:
• Detailed understanding of your end-to-end
value chain. The better your understanding,
the easier it is to develop and implement
strategies to secure the chain.
• Updated IR and Disaster Recovery Plans.
Often companies have plans that have not
kept pace with changes in their value chain.
• Understand what needs to be protected,
where it is located, and how it is accessed.
Fundamentals & Structure
Companies make significant investments to
make their data more accessible and
actionable, but do not make similar investments
to secure it. As a result, threat actors are
placing more value on data.
Design factors to safeguard data include:
• Have strong segmentation between
systems
• Create snapshots of key infrastructure
applications
• Implement strong identity and access
management practices
Copyright © 2022 Accenture. All rights reserved. 5
Watch the full session on-demand >
6. “Any time we get to a
single vendor solution
for how to do visibility
and intelligence
sharing, we take a big
risk on what that
company can do in the
future.”
Jon Taylor
Robert Marx
Accenture
Marysol Ortiz
Accenture
Jon Taylor
Accenture
Speakers
Technology and innovation
in modern OT networks
Discussion of the threats, trends, innovations,
and needs for improving OT security.
Innovations
• Security automation is being used to reduce
incident response time.
Trends
• Companies have increased their OT security
but government mandates, e.g., 100-day
cyber sprints, are accelerating this.
• Vendor awareness is growing as they realize
that threats like ransomware are a risk to
their own businesses and ability to deliver.
They are now coming to sites with the
expectation that security access protocols
will be in place, which they will have to meet.
Innovation & Technology
Needs
• Need to adopt a standardized, open-source
application for network visibility. Open
source generally leads to better security
results. Additionally, clients are feeling the
pain of proprietary protocols when changing
vendors.
• Need to greatly improve intelligence sharing
across companies and industries.
Threats
• Vendors rarely track their hardware and
software component and there is a lack of
vulnerability information being shared.
Clients need to be proactive and demand
contract security be in every agreement.
Copyright © 2022 Accenture. All rights reserved. 6
Watch the full session on-demand >
7. “The existing
cyber risk is
underestimated,
especially
in the OT.”
Jan Kwiatkowski
Bjorn Haan
Accenture
Jan Kwiatkowski
Accenture
Oliver Moeller
Accenture
Speakers
What’s old is new—
Using IEC 62443 for IIoT SDLC
Our OT security pros clarify IEC 62443 standard’s
syntax, requirements and extended application
with additional conversation on business
continuity management (BCM) in the OT space.
Key takeaways:
IEC 62443 is more than a holistic framework.
• It considers governance as well as operational
and technical architecture guidelines. It can
also be leveraged to build secure products in
the digital area.
• In combination with ISO 27K, it’s a solid
foundation to align and build agile, IT/OT
converged governance and operating models.
Bridge the cultural divide between IT and OT.
• OT cybersecurity and IT/OT converged
cybersecurity governance and operations
require appropriate awareness and training for
all impacted IT and OT stakeholders.
Case Study
Business Continuity Management:
• Review and analyze your business processes
and associated risk.
• Are your supplier SLAs current?
• Do you have staff available and trained to
switch to manual processes?
• Have an eye on environmental changes to
your business.
• Have a holistic point of view of your OT
systems and supporting IT systems and have
an umbrella plan in place.
• For OT, you need business impact advisors in
your processes, including OT, IT and the
needed network technology to connect
everything.
Copyright © 2022 Accenture. All rights reserved. 7
Watch the full session on-demand >
8. Plans aren’t worth the
paper they’re written
on if they’re not
exercised.”
Tina Slankas
“
Michelle DeLiberty
Accenture
Rouzbeh Hashemi
Accenture
Bryan Singer
Accenture
Tina Slankas
Accenture
Speakers
OT security resilience
myths busted
Accenture OT security pros discuss common
resilience myths and what is really needed to
achieve security resilience.
Myth #1: Tools Will Save Us
• As soon as you put a tool in place it begins to
age if you’re not actively maintaining it.
• There is no tool that solves a problem; tools
simply enable you to solve a problem. If you
don’t have a strategy in place for how a tool
should be used, you won’t get the benefits it
provides.
• There is no one category that does it all.
Companies need to have threat prevention,
detection and response controls in place.
Myth #2: Architecture Will Save Us
• Threat actors are continuously evolving their
tactics, which puts static architectures at risk.
Project Execution
• Better approach is to shift to a proactive,
dynamic architecture that has security
integrated from the start.
Myth #3: Compliance Will Save Us
• Compliance measures are based on historic
information. Threat actors are evolving faster
than compliance measures evolve.
• Compliance means you’ve created a
checklist; it doesn’t mean you’ve achieved
confidence you can recover from an
incident.
• Having a plan and tools for recovery aren’t
enough. You have to test and practice that
plan so everyone knows their responsibility
and can act quickly once an incident occurs.
Copyright © 2022 Accenture. All rights reserved. 8
Watch the full session on-demand >
9. “Being able to leverage
the cloud can really
help with some things
that are historically the
biggest challenges
getting security
programs right.”
Justin Vierra
Brad Hegrat
Accenture
Luis Luque
Accenture
Justin Vierra
Accenture
Speakers
Centralizing OT
cybersecurity management
In an environment where introducing
new tools can bring new risks, achieving
cyber resiliency weighs heavily on good
cyber hygiene and a properly
engineered architecture.
Here are some critical components:
• As a bare minimum, introduce some type of
Windows infrastructure management into your
environment.
• Understand what components are required
within your complex systems and service those
first.
• A managed infrastructure is critical to
understanding exactly how traffic is moving
through your network.
• An application whitelisting agent is a cheap,
easy way to get endpoint protection for your
OT network.
Investment & Risk
• Without a properly engineered on prem
architecture, migrating to the cloud is going
to complicate things.
• Journey to the industrial cloud must
encompass security from the start.
• Adding a virtualization environment platform
within your OT space will pay dividends for
projects and projects to come.
• Successful disaster recovery for OT is
understanding how and what to recover, and
in what order.
• Right size your network infrastructure to the
industrial process by mapping individual
subnets to a segment or sub segment of
your industrial process. This will allow you to
start tracking things, not by IP address but by
subnet.
Copyright © 2022 Accenture. All rights reserved. 9
Watch the full session on-demand >
10. Automation —
In promise, in practice
“We want to use
automation where we
can and then have
humans involved
where they need to
be.”
Paul Scharre
Gabby D’Adamo
Accenture
Jim Guinn, II
Accenture
Paul Scharre
Center for a New American Security
Speakers
There’s no question that automation
already plays a significant role in IT
and OT system cybersecurity.
As the threat landscape continues to grow,
what role could/should automation play in OT
security management?
Advantages of automation
• Helps systems be more efficient, more
effective and safer.
• Reduces tendency for human error.
• Propagates system updates helping improve
security.
• Works well for repeatable, predictable
processes.
Closing Keynote
Risks of automation
• Takes humans out of the process removing them
from potentially catching mistakes and issues.
• Increases potential risk if a hacker infiltrates a
system.
• Can’t build automated systems to work in
situations we can’t predict.
Going forward
• Automation adoption needs to be a risk-informed
decision.
• Start by looking for manual processes you can
automate that will free up humans to focus on
critical thinking problems.
• Humans will still play a role – they need to know
what automation is capable of and when to step in.
Copyright © 2022 Accenture. All rights reserved. 10
Watch the full session on-demand >
11. Ready to step into next?
Visit our website for expert
insights on OT cybersecurity
Discover more resources >
Learn about our purpose-
built OT Cyber Fusion Center
Partner with us to advance
your OT security program
Leverage our test facility > Engage our OT cyber team >
Take a virtual tour >
Contact our team >