Dimple Shah talks OT Cyber Legislation
Join us today to learn more about government regulations surrounding cybersecurity. Dimple Shah, Honeywell's Senior Director of Global Technology and Data Policy, talks with Tim Verras about legislation and the differences between IT and OT security. Listen in now!
Welcome to Forging Connections, a podcast from Honeywell about the convergence of IT and operational technology for industrial companies. We'll talk about the future of productivity, sustainability, safety and cybersecurity. Let's get connected.
Dimple, welcome. Thanks for joining the podcast today.
Dimple Shah (00:24):
Ah, thanks so much for having me here.
Tim Verras (00:26):
Yeah, absolutely. So, I kind of like to start with kind of a simple question, which is what got you into cybersecurity in the first place? Talk to me a little bit about your journey.
Dimple Shah (00:35):
Yeah, sure. Well, I guess my first week of law school, 9/11 happened, and it really changed the face of what policymakers were focusing on. I was in law school in Washington D.C., and essentially by the time I graduated, I realized that many of the jobs were in national security law. And originally, I thought I was gonna be some big international lawyer. I'm dating myself, but on the heels of all these international tribunals at the time, felt that that would be the focus of the work. But really the nature of the beast shifted, and there were real concerns globally with regard to national security issues. And so, I wound up going into a new-found department called the Department of Homeland Security, and I worked in the Department of Homeland Security space both on The Hill and at the actual department over a period of 16 years. When I entered the department, a lot of the threats were basically related to terrorism, and people, places, and goods, and so that was the nature of the threats. But as you can imagine, the threat vectors change, and they evolve over time. And so, I walked in with this terrorism, immigration, criminal portfolio and walked out with cybersecurity 16 years later, coming from the Cybersecurity and Infrastructure Security Agency.
Tim Verras (01:48):
So, Dimple Shah, you got a lot of experience really quick in this kind of new field. So, talk to me a little bit about how those threats, and that look at national security from a cybersecurity perspective, have evolved in sort of the post-9/11 landscape.
Dimple Shah (02:05):
Well, it's really interesting, you know, when you think about the 9/11 hijackers and the conduct that they engaged in. You know, based on where we are with technology and cybersecurity threats, if they were really sophisticated with regard to their cybersecurity skills, you know, they would've never had to board a plane. They would've never had to go to flight training school. They could've actually attacked the grid with the airlines itself, right? So, the threat vectors have changed. And I point out the airlines because really, we see overall the governments are really energized with regard to operational technology and critical infrastructure. When you look at the threats, if you have an attack on critical infrastructure and its assets, you really bring to bear a lot of the concerns of a nation's national, economic and public health and safety security concerns. So, threats have really evolved over time, and the players are still seeking to do substantial damage, but they have a new vehicle and a new tool to do it. And I'm not trying to scare you, but again, I came out (laughs) of the national security space, and you know I spent 16 years in DHS and dealt with a lot of these issues.
Tim Verras (03:17):
Yeah, yeah, absolutely. And it's interesting because we hear a lot about cyberattacks in the media, but typically those are more like customer data, right? Credit cards and things like that. But this is kind of a whole other universe. So how are those kinds of threats different than the threats we may hear about from like a customer data perspective?
Dimple Shah (03:38):
No, that's exactly right. I mean, you're kind of hitting the nail on the head with that question. You're making a differentiation between IT and OT, operational technology. Five years ago, a lot of lawmakers didn't even know the term. But I note from the onset, when you look at cybersecurity attacks on IT, they result in loss of data, impacts on the systems and their availability, and there can be ransomware. All of this actually applies to the operational technology setting. But you're looking at critical infrastructure, and these systems are actually cyber and physical. So, an attack will have the impact on safety and security, and it can result in potential injury and death. Now, that's the worst side of it. The better side of it is, well, you have loss of service, but even that has broad impacts. If you just think about Colonial Pipeline and in the wake of that, just on the East coast people having gas shortages for over a week was impactful across the board. So, you have to have operations, and you have to have continuity of operations when you look at OT and the impacts are broader as opposed to IT.
Tim Verras (04:44):
Yeah. So, let's play that out a little bit. You kind of mentioned that lawmakers and legislators are just now kind of learning the difference between IT and OT environments. So how have you seen that play out kind of from a regulatory perspective? Has it added a lot more regulations and noise to the industry? What are you seeing?
Dimple Shah (05:03):
Yeah, there's definitely a lot of onus on critical infrastructure, and there's kind of two buckets that we're starting to see legislation with regard to OT, and one of the main proposals that we're seeing is cyber incident reporting. Essentially the governments want more information on cyber incidents with an emphasis on critical infrastructure owners and operators. They want to see what they're seeing and learn more about the mitigations and remediations. And we've seen this globally. It's not just in the US. Yes, we're seeing it in the US. The US recently enacted legislation on this and CISA, the Cybersecurity and Infrastructure Security Agency, just launched a request for information as part of a rulemaking stemming from this legislation. But it's in India. It's in the UK. It's in Singapore. It's in the EU. It's in Japan. It's in Canada. And the breadth of this is growing, and we're going to continue to see it grow because, as you know and as many of us know, cybersecurity threats know no borders. The threats are uniform across the globe and us and our allies will see the same threats and have the same concerns and ultimately when things go wrong, we'll have the same impacts. And so, if things are going to go wrong and we can have the same impacts, we also have to come up with similar regimes for remediation.
Tim Verras (06:20):
Right, 'cause I would imagine that, you know, with all these different countries kind of, for now, just kind of coming to terms with their cyber strategies, there's probably a lot of different regulations for a lot of different countries, and that could probably be hard for a global company like Honeywell to manage. So how do we navigate those corridors?
Dimple Shah (06:38):
So, that's a really good point. As I highlighted, the breadth of these regulations is global, but everybody's doing different things, right? And we're a global company. Other companies who deal with these threats operate globally also. We have mitigations, and we may face the threats, but we also have the ability to provide solutions, right? And what we've really been advocating for is uniformity and systematic harmonization, and that there must be consistent standards and norms, say for example, with cyber incident reporting. So that has to happen. And you know, when we look at the US, just alone, in the US we have 80 congressional committees and sub-committees. All claim jurisdiction over cybersecurity. In some policy, some way, shape or form, they seem to seek legislation or regulation on it. And you know, as we're looking at this, we also have to layer on that globally all these countries are seeking to take action. And so there is that urgent need, honestly, for cooperation between government and business. There must be global public-private partnership, and we must align global cyber regulations, and we must ensure that we're also safeguarding data and privacy, 'cause we can't forget that the flip side of cybersecurity is data security and privacy. What are we actually seeking to protect, right?
And so we have to continue to work globally. And how do we get our hands on this? I will say that we do work collaboratively with industry partners. We work through industry associations. And as one of the proposals, I highlighted with OT you have incident reporting where we work on harmonization and uniformity of a position. There's a lot of back and forth, and it takes some time to come to cohesion, but we do have cohesion on incident reporting. And another item: when I said there were two buckets, the other item is critical infrastructure and designating what is critical infrastructure. The governments are looking at the sectors and what sectors are subject to pervasive threats and what threats will have broadest impact on the public. So, those are kind of the two buckets of legislation we're seeing, what is critical infrastructure and then how do you report on incidents that impact critical infrastructure, assets, owners, and operators? So we work collaboratively through industry associations, and we come to positions, and we seek to advocate those positions globally, not just in the US.
Tim Verras (09:00):
That's fascinating. And, yeah, I would think that for companies like Honeywell or other, you know, multi-national companies, having to navigate all those different regulations, there's kind of probably a new focus on data transparency, right, because we have to report out. And that's interesting because it's kind of antithetical to the way companies tend to operate, which is they don't like to share information with each other. But that's sort of absolutely necessary in this landscape of cybersecurity so we can stay on top of the latest threats. So how do they kind of change their thinking in relation to that?
Dimple Shah (09:30):
Well, I mean, with regard to the threat vectors, we really do have to have both sharing amongst companies, but also sharing with the government. The government also has access, and there really needs to be significant public-private partnership in that the government may have threat intelligence, but private sector has amenity, the ability to remediate the threat, address it, and if the threat actually comes to fruition, we can also address it and minimize any impacts, right? And so, we have to work collaboratively a lot of times through our company brethren, and we do that often through associations. We come to a uniform position, and we also work through associations to work with the government, because then there's objectivity in the process, and you want objectivity. And as you said, if you come to a cohesive, holistic position and then you engage government, you also have the ability to protect proprietary data. So sorry, took a second to come full circle, but you know, everybody's worried about protecting their own data, and I'll just say that's also another area that we're seeing growing legislation in, that government wants our data, right? And it's unclear how the government will necessarily protect proprietary information, confidential information, information that allows us to innovate and create solutions and also ensure that there's still competition, because competition fosters growth.
So, yeah, we've also seen a lot of proposals coming from government which kind of are concerning with regard to data protection, retention, storage and who has access and who has use to data. And this is a little bit broader as it really impacts software as a service and the ability to provide solutions to various consumers. So we're starting to see a lot of that and we're also starting to see companies facing more regulation with regard to data being localized in the country. I.e., say a country has a data privacy proposal. Well, it's really a localization proposal and they want all data to be hardened and maintained only in-country with regard to their consumers.
Tim Verras (11:39):
So, from a SaaS perspective, that means that it's a lot harder to have kind of one simple hosting solution that works globally. You've got to have kind of a country-by-country look at how you're hosting that data from a SaaS architectural perspective?
Dimple Shah (11:54):
No, that's exactly right. Everything becomes on-prem, and then it becomes bifurcated, and then there become challenges to actually transfer the data cross-border and use it, which was the original intent, right, and purpose.
Tim Verras (12:07):
Yeah. And talk to me a little bit...Let's be a little bit more specific about Honeywell itself. So, where does Honeywell fit into this picture? So, we are also an industrial company, but then we also help our customers with their OT cybersecurity. So, how does kind of Honeywell play both of those roles in the industry?
Dimple Shah (12:27):
Yeah. No, thanks for that question, because here in D.C. my role's 18 months old, something like that. And usually when I talk to people and I tell them I handle cyber data privacy and AI policy for Honeywell, you know, lawmakers and others look at me with a raised eyebrow, like Honeywell, the thermostat company? You know. And many, many, many do know that we are an OEM, you know, original equipment manufacturer, and they're well aware of that. And they know that we operate in plants. But they didn't realize, or they don't know that we have actually substantial, you know, cyber capabilities. You know they're not aware that we have quite a bit of expertise. Not only do we operate in the plants and we build the plants, we actually have the capabilities to secure the plants, right? And so, you know, Honeywell Connected Enterprises, you know, it definitely accelerates software development with regard to IoT solutions, but we have solutions that include a series of vendor-agnostic products and services, specifically on OT cybersecurity, that help reduce cyber risk and better protect against the threat of cyberattacks. Indeed, folks don't know that Honeywell has over 20 years of experience in OT cybersecurity. We actually have thousands of projects in cybersecurity in the OT space delivered in 130 countries or more.
We have the full life cycle of vendor-neutral solutions, and we have experts in OT cybersecurity for critical infrastructure and protection. We have over 400 employees that are dedicated to OT cybersecurity, and we have over 600 customer sites with managed security services. You know, that's just the start of what we're doing, and I know we want to do more. We're interested in expanding because we believe we have capabilities, we can provide services and we can mitigate risk and loss to owners, operators, integrators and vendors. So-
Tim Verras (14:16):
Yeah, and I would imagine because OT cyber is sort of a newer field, especially when compared to IT cyber-
Tim Verras (14:23):
That there's probably a lack of talent in the industry. It's probably hard to find people. So, are you seeing a lot of governments and other companies just really kind of struggling even to find the people that know how to do this?
Dimple Shah (14:35):
Well, yeah, definitely. There's a major shortage and there's also misunderstandings. I think there's a lot of misunderstandings. There's definitely major shortage with talent. We see it across the board, but you can see it in the policy lanes here in D.C. There's not as many people who are familiar with OT cybersecurity threats and mitigations, remediations and who the key players are. That's definitely a part of it. You see lawmakers trying to get at the problem and they try to provide funding, but they still don't know what's needed to really address the problem. You can provide money and that helps. And you can have an education effort through CISA, which is the main civilian agency, but it doesn't change the fact that you have to partner with private sector and you have to also partner with academia and kind of educate folks on what the need is, what the breadth is, what the jobs are and skills are required to execute. So there needs to be almost a consortium of efforts in order to really deliver and to address some of the problems that we're facing with regard to cybersecurity talent shortages. And it's across the board. It's in both OT and IT.
Tim Verras (15:39):
Right. And I imagine it's also both technical and non-technical, 'cause-
Tim Verras (15:44):
I imagine if OT cyber technical people are rare, I'm going to guess that people in your shoes that have a legal perspective are even rarer.
Tim Verras (15:53):
That kind of reaches the end of the questions that we had on this list. Dimple Shah, now, I know you kind of got your start in DHS in the US, but obviously we're looking at things from a global perspective. So we've talked about the US a little bit. Talk to me maybe about what's going on in Europe right now, especially around cybersecurity. I know there's been a lot of focus in Europe recently. So, talk to me about how that's evolving over there.
Dimple Shah (16:18):
Yeah, we've seen a lot of action in the EU. There's this series of proposals that are new and we're continuing to engage. And I'll start with the first one, which involves what I've already talked about, which is incident reporting, but it starts with incident reports and gets a lot broader from there. So, the incident reporting directive in the EU is called NIS 2, and basically the goal of this regulation is a second iteration of its previous predecessor, which is NIS 1, and it seeks to basically increase the scope from existing regulations to further strengthen the overall posture of the cybersecurity in the EU. And so, it requires security management systems and processes for which management is accountable under the directive. And one of the things that I want you to be aware of is that this is an incident reporting scheme that focuses on critical infrastructure owners and operators, and it requires a general report within 24 hours and a more fulsome report within 72 hours. I'll note that the industry standard that we developed in coordination with other industries and other associations is essentially a 72-hour reporting requirement.
And so, we had worked with others to influence this regulation, because originally they had a blanket 24-hour reporting requirement, and somebody asked, "Why would you want...Why wouldn't you report as soon as you're aware of something?" Well, a lot of times when you become aware of something, you don't know the entire ramifications. You can be involved with mitigation and also sometimes when you become aware within a short time period, it turns out not to be what you thought it was or not as bad as you thought it was. So that's why there is the request in industry best-practice that reporting be within 72 hours. But this regulation basically has cross-business impact and we would basically look at our products and see what's impacted and make decisions as to how to implement it and will continue to work with EU policymakers to advance security of the related policy approaches and ensure that policymaking norms essentially drive predictability to the greatest extent possible.
So, this is a proposal that we worked on heavily and is one of the incident reporting regimes, but we also have the EU Artificial Intelligence Act, which is an EU-wide horizontal regulation on artificial intelligence, and it basically aims to protect EU citizens from "harm" caused by AI. The draft legislation has numerous prohibitions on AI use across the board. And essentially it has a risk-based approach, designating certain forms of AI as low, medium, and high risk. And basically providers of high-risk AI systems will be subject to numerous substantive obligations. There'll be impacts across businesses, across the board, and businesses will need to make risk assessments. Essentially this proposal is continuing to be worked on and the draft report was unveiled in April. The vote for the report is scheduled November 22nd and the legislation will be finalized by the end of 2023 and effective between 2024 and 2025. Like incident reporting, this is essentially going to be a situation which comes about a lot in the EU. We will also have to look to see what the member states do and what the impact is with regard to the member states. For example, with NIS 2 we have a 21-month implementation period for the member states, and the member states may have disparate enforcement also. So-
Tim Verras (20:02):
So, I mean, this could have sort of like a GDPR level effect on business and industry kind of globally, even though it's in Europe, because everyone will kind of have to be subject to these laws if they are, you know, enacted in the future.
Tim Verras (20:18):
That could kind of affect us globally.
Dimple Shah (20:20):
Yeah, and one of the other challenges, I guess I highlighted the AI regulation because essentially with AI, the technology is still developing itself, right? And we have regulation that's already seeking to address the technology. And of course, we want to ensure that there is indeed trust in AI, that AI is reliable, AI is accountable, but at the same time, we don't want a situation where essentially the regulators are hamstringing innovation as they make certain assumptions in the effort to address what they believe are threats with the technology. So that's one of the major concerns. I mean, we want to ensure that everyone is working in a place that advances innovation, competition, and allows technology to develop. And we recognize that there can be problems and threats even from the advent of technology, but we have fully, the breadth of the technology available to understand its impact and what the needs are. So-
Tim Verras (21:19):
That's right. Interesting.
Dimple Shah (21:22):
And there's more in the EU, but I won't continue. I just will summarize like each one in a quick snapshot. We also had the Data Act. We talked about data proposals. We have the EU Data Act. And basically, this is a proposal that seeks to ensure fairness in the allocation of data in the data economy and wants to foster broader access and use of data. And essentially, data generated by the product must be available quickly and free of charge where applicable, continuously in real time. And again, enforcement will be defined at the member state level. So, this is another situation where, you know, they are seeking to regulate data use and access and it has the ability to cause concerns with regard to the competitive data market. So, that's one and then the other one is EU's Cyber Resilience Act. The consultation was just opened, and the consultation will end in November, November 14th, to be precise. And basically, this creates cybersecurity requirements for placing products on the EU market. It's basically almost a certification scheme, where companies must provide risk assessments and systematic documentation of cybersecurity risk and vulnerabilities for the life cycle of a product, so, pretty broad impact for anybody who could potentially be selling in the EU.
Tim Verras (22:42):
Yeah, yeah. That's huge. So, with all that, you've thrown a lot at us. This is fascinating stuff. Let's try to do what we can to boil it down maybe into a couple of salient points here. So, if there's an organization, whether it's a government or a, you know, a multi-national company and they're sitting down to kind of craft their cybersecurity strategy, what are some things you'd want to leave them with, some tips or kind of ways that they can approach this problem?
Dimple Shah (23:10):
Yeah. I think one of the main things to craft your cybersecurity strategy is to be aware that there's major demand signals coming from government. And in these demands, there's both potential for risk and loss, and there's also quite a bit of opportunity, right? If we look at the incident reporting schemes, for example, if we had incident reporting regime that is challenging to implement, it definitely poses concerns, both for a corporation to address, keep up with and comply with, but on the flip side, if you have cybersecurity capabilities, you want to make sure that it is able to be implemented, because you have opportunity with regard to the product, right? So, that's one thing I would highlight from the onset, that there's a tremendous demand signal coming from government as government seeks to grapple with threats. That's one thing. The other thing is the threats are sector-based, right? That's why we're seeing legislation or regulation trying to identify what sectors are. And staying with the previous comment, with regard to the sectors and addressing the status with regard to cybersecurity threats, there can be potential for loss and adverse impact on a company, but there also can be opportunities if you have the ability and capability to mitigate the threat that the governments are seeking to address.
So I think those are two big picture items I would highlight with regard to a corporate strategy to address what is going on and really address government and its drivers.
Tim Verras (24:45):
Awesome. Well, Dimple Shah, thank you so much for your time today. This is all awesome stuff. Really unique perspective that we don't hear a lot about. So thank you so much for your time today. I appreciate it.
Dimple Shah (24:54):
Okay. Thank you so much for having me. It was a pleasure.
Tim Verras (24:56):
Alright, thank you.
This has been Forging Connections, a podcast from Honeywell. You can follow Honeywell Forge on LinkedIn and download new episodes from our website at honeywellforge.ai. Thanks for listening.