Danielle Jablanski is an OT Cybersecurity Strategist at Nozomi Networks; Nonresident Fellow, Atlantic Council Digital Forensic Research Lab and at the Industrial Security Conference 13-15 November you can hear an interesting keynote presentation with Danielle on a Cross-Sector Methodology for Ranking OT Cyber Scenarios and Critical Entities.
Danielle will discuss the limitations in current standards for prioritization across critical infrastructure cybersecurity, focusing on operational technology (OT), and outlines a methodology for prioritizing scenarios and entities across sectors and local, state, and federal jurisdictions.
Before the conference you can read an intriguing interview with Danielle here.
What is your background? And how do you work with industrial security on a daily basis?
I began my career as a policy analyst researching the impacts of emerging technologies on nuclear weapons doctrine and use. I was particularly interested in the supply chain, attack surface, and communications components of nuclear weapons command and control. That led to an interest in learning ethical hacking, and then a move into cybersecurity for energy and power technology as a consultant.
At Nozomi Networks I work with diverse stakeholders every day to understand the safety, availability, and reliability needs of operational technology and industrial control systems, and how to apply what we know about attack surface management and risk mitigation to the industrial or cyber-physical industries. On any given day I assist security practitioners, business leaders, government officials, SCADA technicians, IT experts, security researchers and more.
What do you see as the biggest opportunities and challenges in connection with cyber- and industrial security?
I think the biggest opportunity today is the ability to raise the baseline level of cybersecurity across OT/ICS networks in multiple sectors. We understand what is most at risk and how those systems, equipment, processes, and people are targeted. Focusing on crown jewel analysis, defensible architectures, and vulnerability management, a rising tide can actually raise all of the boats.
Despite the growing maturity of security programs in OT/ICS, the nuanced deployments, architectures, multi-vendor ecosystems, patchwork of security software solutions, multiple local, federal, and international standards and regulations, etc. has created a vortex of complexity for organizations. With limited time and resources, it is increasingly challenging to plan ahead and strategically execute programs.
When looking forward just 5-10 years, what do you think will be different within security?
I think OT and ICS will become less bespoke, and the community of stakeholders – technical, business oriented, responsible government bodies, insurance providers, etc. – will coordinate efforts to decrease the challenge of complexity we see today. This is a crucial first step for what I think will also happen, which is the ability to prioritize issues and efforts more thoroughly in the future.
I believe the interoperability of systems, security by design efforts and certified products from vendors, harmonization of security best practices, standards, and government regulations will begin to align toward a more dedicated and determined path forward in terms of measurable security outcomes.
From your point of view, how do you think we get more diversity in the industry?
It is vital to continue to be inclusive of multidisciplinary backgrounds, and to encourage technical and business-oriented talent to dive into additional areas of expertise that interest them and can benefit from their skill sets. Many organizations look to recruit talent and expertise while they have the ability to train and educate existing passionate and capable individuals within their company.
We also need to embed OT and ICS education deeper into academic programs, starting from grade school to community college and apprenticeship opportunities to longer term degree programs where SCADA and cyber-physical connectivity is relevant in computer science, engineering, and vice versa.
What are your own expectations for the conference? And which keynotes are you looking forward to hearing?
I am most eager to listen and learn from an international audience, and to see how my colleagues and friends respond to these questions as well. I am looking forward to the disaster response session as well as the practical FAT/SAT session. Also the surprise keynote has my attention!
What will your keynote be about, and which learnings are you hoping the participants take with them?
My research covers why OT is so different from IT and how those hurdles translate into regulation. The number of systems deployed and their potential configurations, programming languages, protocols, etc. results in incongruent attack surfaces, making defensible architectures that much more important.
I also developed a methodology for prioritizing critical infrastructure entities and scenarios. The methodology has 2 key purposes: first, to help asset owners choose and prioritize the right OT scenario to prepare for and run TTX on, and second, to provide a standardized priority score, which can be used by government and industry stakeholders to compare entities, locations, facilities, or sites within any jurisdiction (by geography, sector, regulatory body, etc.).
Do you want to hear more about xx from Danielle Jablanski?
At the Industrial Securitry Conference 13-15 November you can hear a fascinating keynote presentation from Danielle on critical Infrastructure Cybersecurity Prioritization. She will present a Cross-Sector Methodology for Ranking OT Cyber Scenarios and Critical Entities which has 2 key purposes. Find Danielle’s Keynote presentation in the program.