Jørgen E. Hartig is Managing Director & partner at SecuriOT and is one of the keynote speakers at this year’s first international industrial security conference in Copenhagen on 15-16-17 November. At the conference, Jørgen will talk about IEC 62443, how you should handle the new “reality”, and how the IEC 62443 standards can help you close the gap.
Read an interview with Jørgen Hartig here.
How did you get into working with security and how did it develop throughout your career?
My first job was as a product marketing assistant in a network and security company in the early days of the Internet era (I’m not going to tell you when 😊). Since then I have been working with many different aspects of cyber security, including technologies, cyber security services, security risk assessments and compliance. In 2018, I jumped over the fence from IT cyber security to OT cyber security, and it has been very exciting to explore this discipline.
What are the biggest challenges within cybersecurity in your eyes?
From an OT cyber security perspective, the most challenging parts are the awareness, organizational anchoring and understanding of the threats within the companies. The C-level is starting to focus on OT-security, because they hear about the consequences from other incidents that they can relate to. It costs money to be down in the factory line, but if the companies don’t understand the threats and the risks against their own company, they can’t mitigate them. We often hear: “Why should the hackers go for us? We do not produce anything interesting…” or “the production has been going for 25 years, and we haven’t had an issue” or “there are no connections between IT-systems and OT-systems, so… (?)” The last statement will be challenged dramatically within the next 5-10 years. Vendors will come out with new technology and solutions that will utilize cloud-enabled applications and 5G connections to the factory floor, so there will be no “air-gap” in the future. I am not saying it is wrong. I am just saying that the companies need to work with threats and risks in a structured manner, so the right decisions will be made.
How do we get ahead of ‘the bad guys’?
Well, I believe the maturity level on OT-security in many companies is 5-6 years behind the maturity level of IT-security in the same company, so it will take some time before we get ahead of them, if that will ever happen. The most important disciplines are to create a high level of visibility, create defense in depth and layered security in the OT-infrastructure and deploy simple and understandable processes/policies. By the way: Don’t forget to train and maintain “the Human Firewall” on the factory floor.
When looking forward just 5-10 years, what do you think will be different?
More digitalization will be deployed in the OT environment, because the companies want to work smarter and extract more information from the OT and IT devices and provide better services to customers. It will require that OT security is taken to the next level in the companies.
Besides more funds for security, what do you think would make a difference in the industry?
Money is good, but I think that awareness, understanding and information sharing are key. Some companies are ahead within OT cyber security, and the experience from how they increased their maturity level will be very fruitful for other companies to know. By having this insight, the companies know how to spend them in the right way. There are many communities in Denmark and globally where this type of information and experience is shared, and this event is also a part of this.
What will your keynote be about, and which learnings are you hoping the participants take with them?
OT cyber security is not just fixed with a product or full-featured firewall. OT cyber security is a discipline, but how do you start and improve the disciplines in your company? One of the standards that many production and utility companies are looking into when it comes to OT cyber security is the IEC 62443. It is 800 pages, it is American, and it is hard to find out where to start and how to use it. I will talk about the experiences that we have had with helping customers to use the standard. So hopefully the audience will get a better understanding of the standard and hopefully be inspired to use it in their own company, when they are looking into the new threats and risks that the companies are faced with.
What are your own expectations for the conference?
I am looking forward to some great talks with the other attendees – face2face – and not just through Teams or other virtual platforms. Since it is a real OT-community, I expect to have a lot of information sharing about this great topic.
And which keynotes are you looking forward to hearing?
There are a lot of great sessions, but especially the sessions with customer cases are of highest interest.
Do you want to hear more about IEC 62443?
Join the international Industrial Security Conference. Read more here and sign up here.