28 August 2023

NIS2 is a driving force to move forward with industrial cybersecurity

At the Industrial Security Conference you can hear an interesting keynote presentation from Dieter Sarrazyn, Freelance OT Security Expert, Secudea, about practical security FAT/SAT. He will show the different test components that should be part of a security FAT/SAT testing program and what pitfalls there might be when dealing with program managers that don’t see the benefit of this. The tools/equipment needed to perform such testing are mentioned during the talk.

Read an interview with Dieter here.

What is your background? And how do you work with industrial security on a daily basis?


I’m an industrial electrical engineer by education and have been working within information security since the beginning of my professional career in 1997.

First installing firewalls, antimalware solutions and VPN setups, and performing support on these installations.

Followed by being a security consultant doing mainly penetration testing and security assessments on existing environments (including SCADA environments). For that company I was also doing the network administration of the internal network (next to my daily job as consultant), and I was also the team lead of all penetration testers (almost 15 people).

That company was acquired (I like to say assimilated) by one of the Big 4, through which I continued my consultancy job combined with being team manager of +/- 30 security testers.

Since 2008 I have spent most of my time providing security consultancy to organisations with SCADA environments within various sectors (Energy, Utilities, Nuclear, Mining, Transport, Food…).

This has been through my own company since 2015 and very recently through my new startup Securiacs.


What do you see as the biggest opportunities and challenges in connection with cyber- and industrial security?

I used to state that this would be the cooperation between IT and OT teams. However, I do see a (disturbing) rise of management negligence and reluctance to do anything within industrial environments – so back to the “It is running, do not touch it anymore” approach that people are taking again within OT environments.

This might be because a lot of people are taking IT approaches and just applying these to OT environments without taking OT sensitivities into account within those environments. I do see a lot of opportunities for both worlds if they just start to cooperate more and talk to each other. But most importantly, IT people need to understand OT and OT people need to understand IT.

This is an opportunity and a challenge at the same time. Another challenge is to get more people thinking about and getting involved in industrial cyber security.

The fact that NIS2 is there might help reinforce this, as management will be held liable for issues/incidents etc. within those environments. The time when only availability was important within industrial environments is long past, as more environments are getting opened up.

When looking forward just 5-10 years, what do you think will be different within security?

NIS2 is a driving force to move forward with industrial cybersecurity in the next decade. I think (and I hope) that industrial cybersecurity will be more accepted and embedded within industrial environments and that (finally) people are starting to realise that cybersecurity is everywhere (not just for email servers and websites) and there to stay. This is even more important as more and more (directed) attacks on specific parts of industrial installations might surface.

From your point of view, how do you think we get more diversity in the industry?

Getting more diversity in the OT cybersecurity industry is only possible if we get more people aware of and educated on the risks for their environments and the impact these risks might have if exploited. This is not only important for I&C or other OT people, but for the organisations as a whole. Everybody is part of the cybersecurity culture that needs to be established. Everybody has their own points of view and experiences to bring to the table. I also think that spreading the word at non-cybersecurity conferences, or at C-level roundtables, will be important as well.

What are your own expectations for the conference? And which keynotes are you looking forward to hearing?

My expectations for the conference are two-fold:

  • First, learn from others and the insights mentioned in their talks
  • Second, get to know new people and meet friends from within the industry

To me, conferences are all about learning, sharing experiences and knowledge, and networking. This can help in reaching out when you are stuck on certain aspects and questions, and yes, this works both ways: when people have questions for me I’m happy to help them out.

Keynotes I’m looking forward to are:

  • NIS2 related talks
  • A case study for developing an OT disaster recovery plan
  • Critical infra cybersecurity prioritization

What will your keynote be about, and which learnings are you hoping the participants take with them?

My keynote is about the practical part of performing security tests as part of Factory Acceptance Testing and Site Acceptance Testing. My goal is to show that one must be sure to tackle every aspect of security testing to really know all potential issues, so these can be dealt with in an appropriate way. After all, security FAT/SAT testing is part of a risk management approach, which makes it important to perform testing not only by running vulnerability scanners but also by covering other aspects and looking at the environment in which a system resides. I will show what pitfalls there might be when dealing with program managers that don’t see the benefit of this, and the tools/equipment needed to perform such testing are mentioned during the talk as well.

I’m hoping that participants will be triggered to revisit (or create) their own FAT/SAT testing programs, and also that vendors (if any are present) will be triggered to have a FAT/SAT-ready solution when delivering these to their customers.

Do you want to hear more from Dieter?

At the Industrial Security Conference, 13-15 November, Dieter will show the different test components that should be part of a security FAT/SAT testing program and what pitfalls there might be when dealing with program managers that don’t see the benefit of this. Read more about the conference and sign up here.