Q&A: Deloitte Exec On Bolstering Business And Building A Team Around Industrial Control System Security

The Industrial IoT Opportunity

As more manufacturing floors secure their machines, Deloitte has built up its business around the Industrial Internet of Things through offering security for industrial control systems.

The company has worked over the past few years to build up a platform to help customers secure their industrial control systems, through hiring new talent and securing key partnerships. Deloitte in May unveiled a partnership with cybersecurity firm Dragos to help expand its cyber-risk platform for end-to-end operational technology security.

CRN talked to Sean Peasley, partner at Deloitte where he serves as the Consumer and Industrial Products leader for the Cyber Risk Services practice, about the security risks that industrial customers face and how Deloitte can help.

What are the security risks for customers on the operational technology side?

Generally, companies have really invested a lot in the past 20 or 30 years around security for the enterprise. So think about the IT and business networks. Most now have a chief information security officer – but most haven't as comprehensively addressed their operational environments, like their ICS [industrial control system] environments. And this is specific to certain sectors, like oil and gas, power utilities, manufacturing companies, life sciences companies. They have these embedded systems to manage the production of products, but they haven't addressed it as holistically as they've addressed the enterprise.

How are industrial customers with operational technology different than customers with IT environments when it comes to security?

The chief information officer doesn't own the operational environments, so you're really at the mercy of the people on the plant side to try to secure things. They probably don't have that security background or mind-set, and aren't focused on taking a standards-based approach. So it's somewhat maybe more of a patchwork than it might be on the enterprise side. That's where the space is coming from in terms of the industrial internet – they're playing catch-up now.

If an operational network comes down, they cannot produce products or ship them to their customers – so the implications are significant in terms of making sure that they're aware of the cyber risk and monitoring if adversaries are able to get in to the environment.

How have you made steps to build up your business around operational technology security – as opposed to IT?

We've definitely hired people that have significant ICS security experience. So there's some people – probably about 2,000 globally – that have deep experience in industrial control system security. We started several years ago hiring folks with that specific experience, and it's a little different – it might be more like electrical or mechanical engineers running security.

It's not your traditional IT security professionals who just learn ICS, it's a combination of people who understand the plants and these operational technologies. We have experienced industry hiring to make sure we're building a strong team.

What key partnerships have you secured to address industrial control system security?

We teamed up with Dragos to extend our offering around managed threat services for the last five-plus years – where we've helped companies in the IT domain or enterprise networks. We've really focused now on the industrial control system environments as well.

Dragos has specific technologies that can collect, index, manage and visualize data using advanced analytics and automation to give people in those operational environments the tools to find and stay ahead of those adversaries. That's why we teamed with them to bring them into our extended managed threats services platform.

What steps do you take to help customers secure their operational technology?

As our organization looks at this challenge and helping companies manage their cyber risk, we look at it as a very broad challenge because there are so many techniques and avenues for adversaries to get into the OT environments. We look at the different layers of the technology stack, helping companies to assess the risk, develop their program around maturing their capabilities, and then implementing the types of security solutions. Those are critical steps but it's not sufficient -- adversaries can still get in. So we want to help customers be vigilant.

That's a challenge the ICS environments have had – they haven't been able to be as resilient. They've not been able to address security and keep patches up to date. The solutions we offer our clients will address all these issues.

What do customers on the OT side think about security? Is it a high priority for them?

Most companies are behind where they want to be and they see that they need to invest. In the past, many some companies have seen it as insurance so it might not have the highest priority in terms of return on investment.

I think it's changed a lot in the past four or five years with some of the highly publicized breaches. The visibility at senior levels has changed and they are all asking questions. There's an expectation now that cybersecurity is a top risk. It's starting to get the attention and following that are the investments to make sure that companies are making the right steps.