Donovan Tindill: The Importance Of Cybersecurity
Donovan Tindill, Senior Cybersecurity Strategist at Honeywell Connected Enterprise talks about the importance of cybersecurity and the pitfalls of not having enough resources dedicated to keeping organizations secure. He also discusses AMIR and the convergence of IT and OT. Cyber is a journey not a destination. Everyone has a different starting point.
Welcome to Forging Connections, a podcast from Honeywell about the convergence of IT and Operational Technology for industrial companies. We'll talk about the future of productivity, sustainability, safety, and cybersecurity. Let's get connected. Hi everyone, and welcome to Forging Connections. I'm your host, Madison Lampert. In this episode, we have Donovan Tindill, who's a Senior Cybersecurity Strategist here at Honeywell Connected Enterprise. Welcome Donovan!
Donovan Tindill (00:27):
Thank you, Madison. I'm so happy to be here! Just a little bit about myself: I've spent about 17 years in industrial facilities. So this is across different types of industries like oil and gas, refining, chemicals, power, and more. What I found is in the early part of my career, I spent most of my time connecting IT and OT (or operations technology, or control systems). You will hear me say OT or ICS; I'm talking about control systems and operations technology. In those early years, what happened is [ICS/OT] evolved from being just connectivity into a cybersecurity practice. I have experience assessing, designing, integrating and providing advisory consulting to customers across these sectors, and I've been in hundreds of facilities across my career.
Donovan Tindill (01:24):
I'm also an expert on 62443, which is an ISA/ISO standard on control systems cybersecurity. I was a former trainer, working group chair, an editor, and I've also contributed to many of the Standards. I also sit on both the ICSJWG Steering Team, which is an Industrial Control Systems Joint Working Group that is hosted by DHS/CSA out of the United States and a similar one [Advisory Committee] for Public Safety Canada. Now my current role, I'm a Subject Matter Expert and Strategist on our Honeywell cybersecurity marketing team.
Madison Lampert (02:11):
That's great, thank you for taking us through that, we are very lucky to have you! You mentioned before a little bit about that IT and OT systems and converging that we've seen cybersecurity stories coming up constantly, and we as individuals and organizations have an increasing dependence on it, and we're constantly covering what's on the IT side, but increasingly hearing more about that IT or Operational Technology piece of it. So what are your thoughts on how that IT-OT convergence is affecting or maybe increasing cybersecurity risks?
Donovan Tindill (02:40):
I want to begin by first maybe providing a standard definition of convergence versus integration, and I find that a lot of individuals or organizations will mix up the two. They think that IT-OT convergence is this new integration and convergence of technology. It's not new, and it's actually two different parts. The first is technology convergence, and that's actually happened for over 40 years. The basic way to think about it is that it’s IT technology (Ethernet, Windows, domains, virtual infrastructure, etc.) being used in an industrial control systems environment. Like I say, it's been for 40 years and it's going to continue in the future, but there is typically a 5-10 year lag. So brand new technologies (cloud, AI, machine learning), that have been out for a couple of years…
Donovan Tindill (03:37):
…we're now starting to see them appear in the control systems space. The second part of that is integration, and this is driven by business need. It's not just because it's new and fancy technology. There is a business need to connect control systems with IT systems for driving data. And they've been connecting these networks for over 20 years. Some of the early drivers were basic applications, historians and getting production data up into the enterprise resource planning or ERPs. Then we're starting to see Internet connectivity and trusting managed service providers (MSPs) and connectivity for AI and machine learning. So, when we think about IT-OT convergence and the cyber risks, what we're really doing is we are following the convergence of technology where IT systems are brought into control [systems environments] and the integration of these and the increased risk.
Donovan Tindill (04:42):
It's going to continue as powered by digital transformation. Where the risk comes in is now our environments and our businesses are more dependent upon these new technologies that are now converging, integrating, and connecting together. As we become more dependent, this is where we start to pay attention to what's happening in the news; the impacts of an incident are greater and that's what is starting to raise people's attention. IT-OT convergence is increasing our dependence on technology, and therefore the impact of cybersecurity incidents.
Madison Lampert (05:29):
You've worked really across all industrial spaces, oil and gas, refining. Are there sort of risks in different spaces that are higher, or people sort of quicker to get to that level of convergence?
Donovan Tindill (05:42):
Great question. I'll first talk about early adopters to convergence and maybe early adopters to cybersecurity. What I find is that the earlier adopters to control systems security are primarily dominated by safety. This is why chemicals, oil & gas, and refining, were one of the early adopters into cybersecurity and then also critical infrastructure because of the impact. There's health and large populations that can be affected. Early adopters into convergence are those that can get the biggest benefit out of this new technology: increased reliability, lower emissions, better production, increased quality, et cetera. Industries like pharmaceutical, definitely oil & gas, or anything with an aging facility (there's not too many new power plants and new refineries being built). So, without rebuilding that multi-billion-dollar facility, let's use technology to get more out of it.
Madison Lampert (06:55):
So really everyone should be paying attention and this really is an issue for everyone across the board in frankly, very similar ways.
Donovan Tindill (07:02):
Madison Lampert (07:04):
Interesting. You've said that cybersecurity isn't a destination, it's a journey. Which I love. Can you expand on that a little bit?
Donovan Tindill (07:11):
Yes. Overall, I've been in control systems cybersecurity for about 23 years and with each new company, customer, and individual I work with I find that everybody has a different starting point or different maturity. They may have just started; I know cybersecurity is, now my new responsibility, I don't know where to begin. Or, they could be on the other end of the spectrum; they're very mature, they've been doing this for some time and they need some advanced Advisory to help them tune, fill in a couple of gaps, or they're somewhere in the middle. So, there is this journey that organizations don't realize they're on at the very beginning. I kind of bucket [organizations] into three phases…
Donovan Tindill (08:07):
Those at the beginning are just focusing on Foundational items. They're getting assessments to understand what to do next and they'll often get an expert or a consultant to come help them (that's a service we offer). They're working on their network infrastructure & network perimeter, to get their control systems isolated & protected from the internet & business networks and some of those threats. Trying to deal with malware prevention, patching, some backups; but those in the earliest phases are really trying to reduce their risk having very little control systems knowledge.
The next bucket are those that are Improving. They've focused on the perimeter, basic blocking & tackling, they're moving onto training, and they're starting to change their cybersecurity processes and procedures. Change management procedures, document management & approval process that now includes cybersecurity. Reducing attack surface, basic detection capabilities, some dashboards to have reporting; when you're early on you have no data, you have no dashboards and you're starting to build some of that.
Donovan Tindill (09:20):
Maybe some automation of tasks, like patching, backups, and updates, etc. This is where you're increasing your knowledge of the control system and how to manage cybersecurity. I would say, the majority of organizations are in this middle zone [Improving], they're implementing all of these controls all over the place.
And then the more Progressive or Advanced. They're looking at contracts, they're embedding cybersecurity into their engineering processes (so that when they put in a brand new control system and it's deployed, they've addressed and managed cyber risk before it goes live). They're more risk informed, meaning they evaluate the risk of a new investment, a new technology, and they move into this mode of continuous improvement. You cannot get there overnight, it's not like a single destination. It's a journey of steps and phases, and that's actually where I’m having the most fun talking with customers and asking, “What have you done so far?” I kind of model them in my head to where they are in their journey, and then I can recommend what is the best next step for them to do next.
Madison Lampert (10:39):
And that brings me on my next question. Do you find that a lot of these organizations are inclined to keep a lot of this work in-house, and what are some of the reasons that an organization might be better served hiring managed security services (MSS)? And, is that what sets the “just started” versus “very mature” organizations apart?
Donovan Tindill (10:58):
Yeah. What I do find is that most organizations always begin with, “Let's solve this problem ourselves.” It's with existing skills, existing processes, they venture into this and say, “Okay, I think we can do this on our own.” But then, they start to realize that either the technology they need, the skills they need, the cost, the speed, the urgency that maybe they have to achieve these capabilities - is where they need to start seeking outside help. So, it might begin with assessments (to know what to prioritize) and as far as outsourcing control systems cybersecurity, or certain elements of it because then there could be a cost savings. Or, that provider is able to bring a leading capability in a matter of months; in what could take years for an organization to hire, train and establish on their own. A provider can bring in technology, they bring in experts, etc.
Madison Lampert (12:13):
I feel like organizations always have dedicated cybersecurity teams, but sometimes it can seem like it's a checklist item and not sort of a dedicated group of people. And it's only when that red flag comes up, where an organization thinks, “I really need to shore up our cybersecurity.” What are some of those red flags? It shouldn't be the case, it should be proactive instead of reactive. Nevertheless, we are where we are, but what are those red flags that might indicate a company should bump up their cybersecurity?
Donovan Tindill (12:43):
When I think of red flags, I think of lagging indicators. Something that could be a lagging indicator of something that is maybe missing. One of them is "if you don't know what to do next". If you don't know whether to invest in a technology, training, or improving some processes. That is where an assessment is great at helping prioritize what is next. That's where consultants and advisory organizations like Honeywell can help [provide] that assessment and help suggest what you should do one, 3, or 5 years out. Definitely [for] those organizations in the early foundational stage (they're just getting started). Other lagging indicators: out of date documentation; that's usually a lagging indicator of insufficient staffing.
Donovan Tindill (13:47):
If there's a large amount of rogue devices or shadow infrastructure that's appearing on the network; that's often a lagging indicator of engineering and approval processes that could be approved (to ensure that it's part of inventory and documentation, etc.) Or, you have a newly deployed technology or control system or endpoint, and it's vulnerable when you plug it into the network. And that's another lagging indicator [vulnerable devices] of cybersecurity engineering that could use some improvement.
These are some red flags I look for: no detection capabilities, or you're not monitoring 24/7. If you're not monitoring, then being unable to detect and respond is a huge risk. And by having that [24/7 monitoring], you can have a huge risk improvement, even for those that are just getting started.
Madison Lampert (14:37):
I think this probably answers this question itself. Why is early detection so key in cyber? Given, we don't want to react to these red flags?
Donovan Tindill (14:45):
With early detection we're moving into this mode of being proactive, instead of reacting to a fire. A fire is a good story or analogy because in fire safety you want to detect the smoke before there's fire, the heat source before it turns into a fire - and that's early detection. Similarly in cybersecurity, the ability to detect and investigate suspicious cyber behaviors, logins, network communications, use of tools, unauthorized software; these are all early indicators that if you can detect, you can actually intervene or take action before the "mission" or the "event" happens. So, "detecting smoke before fire detect" or "behaviors before the [cyber] incident". And in both of those you're actually reducing the likelihood of the incident.
Donovan Tindill (15:49):
There's actually a follow on to that. If you can respond quickly to a small fire, you can prevent it from becoming a big fire. From going from the kitchen, to the whole house, or the house next door. And similarly in cybersecurity, you may detect malicious software on one endpoint. If you can detect, respond and contain quickly you might be able to reduce that impact to cleaning up one endpoint. If it goes undetected for a number of months (which is often what we're hearing about in ransomware and other more advanced campaigns, where they might have been within the environment for months), they've been distributing their software and when they carry out the mission, the impact is extremely severe. Early detection sets us up for reducing the likelihood of a cyber incident and responding quickly can help us reduce that potential impact. So, it's so important!
Madison Lampert (16:48):
That's super helpful context. You recently ran a cyber survey. Can you tell us what you learned from it and some of your key takeaways?
Donovan Tindill (16:56):
I was speaking at a number of events about how to justify early detection and cyber incident response. It was at the CISA ICSJWG Spring Meeting for the United States, the Public Safety Canada ICS Security Symposium on incident response, and recently at the Honeywell Users Group (HUG). I polled over 400 participants and I zeroed in on asset owners, and there was about 170 in the North American market.
The key takeaways were, and first the question (the first thing I asked) is: Are you proactively monitoring and responding today? Are you even doing any monitoring? And the options were anywhere from none to 24/7 or something in between.
Less than half of organizations today (of 170 asset owners) are doing 24/7 monitoring.
The next in line, about a quarter, are only doing about 8x5 (40 hours a week), which indicates to me that it's one person working full-time, or a couple of people that only work office hours, detecting and responding to cybersecurity threats. So they're unaware evenings and weekends.
Donovan Tindill (18:17):
Then the remaining quarter or 25-30 percent, they're maybe an hour a day or less, or none at all. There's a huge opportunity [to improve], and that's why I had to talk about justifying [cyber incident response].
The second half to that question, “If you are monitoring, how much are you monitoring? A hundred percent of your devices or less?” The bulk are 50 to 75 percent of their infrastructure they have visibility into. But there's still another quarter to half of it [25-50% not visible]. They have no data coming out of, they have no idea what's going on.
Madison Lampert (18:58):
I was going to ask if it's getting easier to justify the need. But apparently not, if this was the conversation you just had and numbers are still like this. That's really interesting!
Donovan Tindill (19:07):
The goal of this [survey] was to make people aware what your peers are doing, because that's often the biggest influencer, “Should we do better if my peers in my industry are doing this as well.”
Madison Lampert (19:22):
Yeah, absolutely. I understand you launched a new offering this year around cybersecurity detection and response. Can you tell us more about that?
Donovan Tindill (19:32):
Yes, we call it AMIR (Advanced Monitoring & Incident Response); you hear me say AMIR quite a bit. The best way to describe AMIR is a vendor-neutral (meaning Honeywell and non-Honeywell, other vendors, other control systems) Managed Detection and Response (MDR) that's exclusively for control systems and OT infrastructure (we are not offering this into the business environment). Our customers like that we have turn-key supply, install, and maintenance of the technology stack. You don't have to provide a SIEM (security incident & event management) or SOAR (security orchestration & automated response) technology, which is the security log, incident and event management infrastructure. We [Honeywell] actually provide, maintain and tune it. That's all part of our service for the infrastructure side.
And then we do the 24/7 monitoring, detection, investigation, which is, as I noted before, it's going to help us reduce likelihood of cyber incidents through that early detection and the ability to respond.
Donovan Tindill (20:30):
We're offloading a lot of the staffing constraints that organizations have because we will triage the majority of false positives and if we discover something, we'll [triage then] escalate it to the customer. When something happens, we will work with the onsite staff to provide recommendations on what to do. It is helping address some of the onsite [cybersecurity] skill shortages that industrial facilities have. And then providing recommendations to help reduce impacts if there's an existing team with existing skills; we'll just integrate into those and augment the team or where an existing security operations center (SOC) may exist.
Madison Lampert (21:25):
And from your standpoint, what's their reaction been to AMIR so far?
Donovan Tindill (21:29):
At first, they recognize that it is difficult to attract and retain individuals that want to look at security logs all day long. They are asking their existing staff, “can you just look at these logs?”; and it's tiring, it takes time, and it takes tuning. They appreciate the cost savings up to one-fifth (because of the economy of scale that we can provide). Their staff are able to focus on higher order activities, they enjoy what they're doing more. So very positive reactions, high demand, and a very necessary area for industry.
Madison Lampert (22:20):
Yeah. It's working smarter. We've talked a lot today and this has been fantastic. What else would you like to cover? What are some of the biggest things that we should be paying attention to?
Donovan Tindill (22:31):
A lot of the control systems and OT infrastructure that is out there is legacy and it's old. It could be 5, 10, 15, maybe even 20 years old - we call that technical debt. And I don't think most organizations have considered how they're going to get ahead of their legacy infrastructure and get ahead of their technical debt.
I feel the expectation of installing a control system and [not] upgrading it for 20 years, is going away. One of my first observations is the nuclear industry which has been renowned for running their control systems the longest and having the strictest validation and verification. They're trying to move, we've got a couple of customers trying to move to a 5-7 year replacement of their control system, even inside a nuclear infrastructure. They are trying to get ahead of their technical debt, or avoid it by not neglecting the lifecycle upgrades of their system. Because if you ignore it longer, the greater debt, the greater vulnerabilities, the greater cyber risk, we're trying to get ahead of that.
Madison Lampert (23:57):
One of the most important, greater costs probably for many I feel they aren't really thinking about, but absolutely one of the biggest pieces.
Donovan Tindill (24:04):
One way of getting ahead of it is thinking about the lifecycle of the control system and long multi-year design projects. Engineering cybersecurity into the front-end to reduce the risk over the next 5-7 years that you are going to operate it. And then thinking about “What do I do in five to seven years? I need to replace it with something new. I need to modernize it.” So, moving into this mode of continuous evolution and trying to reduce the amount of technical debt inside the control system. And actually, taking advantage of the engineering that occurs in a control system. Because [engineering] is multiple years for a reason, it thinks about the long-term risk. Take advantage of that, address as much cybersecurity before the system goes live.
Madison Lampert (24:54):
So cyber really is a journey, as you said before. Donovan, I want to end with predictions. What are your predictions for the next couple years, the future, we can go with five to 10.
Donovan Tindill (25:07):
One of the things that has changed since I first started into control systems cybersecurity, was this rift that was generally accepted that IT and the controls staff don't get along and they never should. What I'm now seeing is this appreciation and recognition that cybersecurity skills, and when you converge the technologies (when you use IT technologies in OT) the IT group can add a lot of value. That is starting to drive an increased responsibility of the CIO and the CSO/CISO for control systems cybersecurity. Depending on the journey of the organization, if they're just getting started, they may still be in the mode of “the control system team doesn't cooperate and does their own [thing, and] doesn't cooperate with the IT team.”
Donovan Tindill (26:11):
But I'm seeing over time they're starting to cooperate more, integrate more, and some of that responsibility is actually moving all the way to the CIO; they are going to be responsible for cyber risk and finding solutions that can help with both control systems and cybersecurity.
One other [prediction] is increased regulations. Cybersecurity regulations in industries like pipelines we are already seeing it. Everyone's starting to recognize how dependent we are on technology. Not everyone is investing in cybersecurity voluntarily, and that is where regulation may help make that happen, especially for critical infrastructure. Some of the laws will probably be reactive at first, but I would foresee federal country-wide legislation. We're starting to see it in some countries; we are going to probably see it in most in the next 5-10 years, then cybersecurity goes from being voluntary to mandatory. Regulations are just one of those levers.
Madison Lampert (27:41):
Thank you Donovan, really appreciate you bringing your expertise here. This has been super insightful. We will have to bring you back to check on those predictions soon.
Donovan Tindill (27:49):
Thank you Madison, and thank you for having me.
Madison Lampert (27:54):
Thanks Donovan.
Madison Lampert (27:54):
This has been Forging Connections, a podcast from Honeywell. You can follow Honeywell Forge on LinkedIn and download new episodes from our website www.honeywellforge.ai. Thanks for listening.