23 October 2023 Line

Engineering-Grade OT Security: A manager’s guide

At the Industrial Security Conference on 13-15 November, you can meet Andrew Ginter, the VP Industrial Security at Waterfall Security Solutions. Andrew has just launched his third book, Engineering-Grade OT Security: A manager’s guide, and at the conference you can receive a signed copy from the author.

Before the conference, you can read an interview with Andrew here.

Can you start by introducing yourself and your company?

Certainly – and thank you for hosting me at the upcoming Industrial Security Conference in Copenhagen. I’m Andrew Ginter, the VP Industrial Security at Waterfall Security Solutions. Waterfall Security is an OT/ICS technology vendor. We produce a family of products, and our flagship is the Unidirectional Security Gateway. At Waterfall, I lead a small team of experts who work with the world’s most secure industrial enterprises.

What do you see as the biggest opportunities and challenges within the industrial security industry right now?

The biggest challenge I see is that cyber incidents with physical / OT consequences in manufacturing and critical infrastructures – these incidents are increasing rapidly – exponentially. If nothing changes in the industry, I see these incidents increasing to crisis proportions somewhere between 2026 and 2028 – not very long from now.

The biggest opportunity I see is a new way of looking at the problem. Much of that new perspective is captured in the new Cyber Informed Engineering (CIE) initiative that Idaho National Laboratory is leading with funding from the US Department of Energy. CIE sees OT / ICS security as something like a coin with two sides. One side of the coin is cybersecurity – teach engineering teams about cyber risks and cyber mitigations. This side of the coin is no surprise – we’ve been singing that song for nearly 20 years now. The other side of the coin is engineering – understand consequences and make very small changes to the design of industrial processes and industrial automation to take the biggest cyber risks entirely off the table.

My colleagues and I at Waterfall are contributing as much and as directly to this initiative as we are able. And when I explain the initiative and the perspective to industrial owners and operators, I am very encouraged by the response. The response is more or less “what a good idea – this makes so much sense – why haven’t we been doing this all along?” Cybersecurity solutions – whether guided by IEC 62443 or ISO 27001 – cybersecurity solutions have long been seen as a difficult fit for industrial operations. CIE offers a perspective that makes a lot more sense to engineering teams and to their leadership.

Interesting – can you tell me more? What’s different about CIE?

Well the classic example is an over-pressure relief valve. If you were a technician in a power plant responsible for a half dozen massive five-story boilers, and the explosion of one of these boilers would kill you and everyone else nearby, how would you prefer to be protected from a cyber attack that overheats the furnaces under your boilers? Would you prefer a mechanical pressure-relief valve that, when the boiler pressure is too high, is forced open and the steam escapes? Or would you prefer a longer password on the computer controlling the furnace?

Most people would prefer the mechanical valve, thank you – the valve has no CPU in it and so is in a real sense “unhackable.” Those truly in the know tell me that I’ve asked them the wrong question. They want the valve, or three of them since these things do wear out, and they want the password, and they want a boatload of other security mechanisms besides. This is their life we are talking about after all.

Stepping back from the example, safety engineering, protection engineering, network engineering and other engineering disciplines have for decades addressed physical risks to public safety and worker safety. And I know there are practitioners out there who use these tools to address cyber risks as well, but this is not the norm. CIE seeks, in addition to teaching engineering teams about the importance of cybersecurity, to assemble a body of knowledge of how to use these powerful engineering tools to consistently and systematically address cyber risks, as well as physical risks. After all – where is the over-pressure valve in ISO 27001? In the NIST Cybersecurity Framework? In IEC 62443? These cybersecurity standards are blind to engineering mitigations.

In short, I see the dramatically increasing number of OT cyber incidents as a crisis coming down the tracks at us. I do not believe that we can build a cybersecurity wall on those tracks that is big enough or strong enough to stop that train. CIE gives us a way to step off the tracks.

You are about to launch your third book, Engineering-Grade OT Security: A manager’s guide. What is the book about and what will it explore?

I am indeed launching the book. My first book signing event was at GovWare in Singapore. My first European event will be at ICS Copenhagen in November.

The book introduces engineering-grade designs to address cyber risk. This is a big part of the CIE initiative – it is integral to the “engineering side of the coin.” But the real goal of the book is to answer the question how much is enough? How much security? How much engineering? In which kinds of industries and networks and circumstances? And more importantly, Why? Why is this enough in each of these circumstances?

Given the threat environment, and given the threats that cyber attacks pose to public safety, to worker safety, to national security and to corporate finances, the answer to how much is enough? is changing rapidly. The book looks at the problem from the engineering perspective – a perspective that produces pretty clear answers pretty quickly. The engineering profession has after all been tasked with addressing physical risk to public safety for over a century – this is why the profession is a legal, self-regulating entity in many jurisdictions, just like the medical profession, or the legal profession.

So work with me – can you go to the next level of detail? What is “Engineering Grade” and how is it going to solve anything?

Well again – imagine – imagine that a new suspension bridge design is riddled with harmonic frequencies. Even just people walking across the bridge will start the bridge oscillating increasingly, in a way that risks tearing the bridge apart. So – the engineers who designed the bridge designed it with active vibration dampers. AIs control the dampers. When walking or driving across the bridge it feels rock-steady, because of the dampers.

How happy would you be using the bridge every day if you knew that the design engineer hoped that if there was a cyber attack on the AI controlling the dampers, that the attack could be detected before it crippled the AI? How happy would you be if you knew that engineer hoped that if the attack was detected, we could scramble an incident response team fast enough to prevent compromise? How happy would you be knowing that the design engineer hoped that if the incident response team could not prevent compromise, that they could at least restore the functionality of the AI fast enough to avoid the bridge tearing itself to pieces?

Hope is not what we expect of the engineering profession. Hope is not good engineering. We expect that our bridges will support a specified load, in a specified operating environment, for a specified number of decades. Similarly, when worst-case consequences are unacceptable, we should expect that our automation systems support a specified threat load, for at least as long as it takes us to design and deploy a more powerful risk management system, with a large margin for error.

This is engineering-grade OT security – a body of solutions that are deterministic, mathematically model-able and in a real sense, unhackable.

Cool. I look forward to reading the book. But tell me – you’ve been at this for a long time. What is your next project?

My next project? That’s hard to say. I see retirement coming at me some time in the next half decade or so – I suffer increasingly from the boring complaints of the aged. This is my third book – I may have another one in me, I may not. If I do not write another book, then this was my last opportunity to scrape together what bits of wisdom I have in hopes that the next generation of practitioner can benefit from them somehow. I hope my readers find this material persuasive, and if not persuasive, then at least useful.

At the Industrial Security Conference, you will attend with your new book. What are your expectations for the conference and what do you look forward to?

At the conference I look forward to hearing what other experts and speakers have to say. But even more I look forward to the opportunity to chat with attendees and practitioners face to face. In truth, I don’t invent most of what I write about – I gather knowledge from others much closer to the problem than I am. I think about what I’ve learned and I try to make sense of it. Sometimes I try to invent a terminology to gather up these bits of wisdom and connect them into a consistent whole – a consistent perspective.

So when I run into people at an event like this I try to ask them questions like “What do you do?” “What are you working on?” “How is that going?” And more importantly, “What have you learned from that?” For that matter, these are questions I recommend to all attendees at your kind of event – these are important questions. It is a truism in the industry that our enemies cooperate – we the defenders need to cooperate as well and share with each other each of the bits of wisdom and learnings we’ve picked up in our work, however humble.

Do you want to meet Andrew Ginter and receive his newest book, Engineering-Grade OT Security: A manager’s guide?

Join the Industrial Security Conference on 13-15 November and join the networking reception, where Andrew will host a book launch event with his newest book, Engineering-Grade OT Security: A manager’s guide. Sign up for the conference here and read more about Waterfall Security Solutions.