Industrial Control System Security Player PAS Raises $40M In Funding, Reaches Out To The Channel For Vertical, Facilities Expertise
PAS On The Security Challenges – And Channel Opportunities For IIoT
Industrial control system company PAS wants to tighten its security efforts around the Industrial Internet of Things space – with help from new systems integrator partners.
The Houston-based company, founded in 1993 as a consulting firm for optimizing automation systems in Industrial IoT, serves the oil and gas, refined petrochemical, and power industries.
PAS CEO Eddie Habibi told CRN that the company is hoping to expand its channel reach to appeal to systems integrators with operational technology expertise. Following are excerpts from CRN's conversation with PAS' Habibi.
What is PAS' main focus with IoT?
We focus on cybersecurity for the industrial controls system, as well as operations management, situation awareness for plant operators as it applies to safety. Our mission is to protect process plants and power plants against cyberattacks and mitigate process safety incidents.
The macrotrends we see include the proliferation of IoT sensors and actuators in an industrial center, which are becoming cheaper and more integrated. With the advent of interconnectivity, all these complex systems talk to each other, increasing the chance for cyber incidents, whether it's internal or external from outsiders.
Are Industrial customers aware of the security risks that IoT applications are exposing their companies to?
There is increasing awareness; I think some of the recent incidents have brought more awareness. It was late to come – cybersecurity has been an issue in the IT world for a long time, and there are players in that center – but for the industrial sector it didn't become an issue until about five years ago in terms of awareness and initiatives.
There was a time when we would talk to our customers about security in the oil and gas only 10 years ago, and it was not on their mind. There were no initiatives. The power industry has been more engaged. We have seen over the past five years significant focus by major oil and gas companies. They are investing in it and they are driving them from the board-of-directors level. And why is that? Because the consequences of not having a security program are very bad. A major incident traced to security can lead to damage to a company's brand, it can affect their share price, government fines, and companies are concerned about being able to insure themselves. I would list safety at the very top.
What's the first step for customers to address security issues in their companies?
In our view, the very first step is understanding what you have, knowing what industrial control systems you have, and securing an inventory – a complete and accurate up-to-date inventory of these systems. If you can't see it, you can't secure it.
The thing that's unique about the industrial sector is that unlike enterprise IT, systems are not replaced on a regular basis. Some of these systems go back to the first generation of the control systems – from 1975. That legacy system is still in place because they are complex and they are expensive; they don't get changed out. So you have a couple of challenges. One is, you have systems from multiple generations still in place, and then a given corporation may have a variety of brands that they have to manage, and each of those systems operates differently. They are proprietary, they are highly complex, and they are from multiple vendors. So understanding a common inventory of what you have becomes very difficult and a 'normalized inventory' of these systems is necessary.
Talk about the divide between the IT sector and the operational technology industry.
There was a time when we had a serious divide between the two. They didn't talk to each other, or understand each other. Where we have seen success is where IT and OT actually work together. There is still a gap of understanding, but there is a realization that you can't secure the organization's assets – whether information assets or physical assets – unless you work together. I think that gap is shrinking.
Generally, the board of directors appoints or mandates an initiative. The CIO typically appoints a security information officer [SIO] and they reach out to the automation leaders. The SIO generally comes from an IT background because they have a history of security. OT people understand the ICS [industrial control system] domain very well – you can't solve that problem without their involvement. But they are also new to security. So there is this co-dependency to get the job done – the IT background doesn't understand the OT environment, and the OT experts rely on the IT folks to help them with security.
Who can the IT executives expect to interact and collaborate with in the industrial sector?
The chief information security officer ultimately has responsibility overseeing the strategy and the implementation. The chief security officer needs to reach out and collaborate with operations managers, safety leaders, as well as automation leaders. You have to have the automation people involved – but you also have to have the support of the business community, or the operations management and control.
Beyond collecting an inventory, what are the other steps that industrial customers need to take to secure their processes and workplaces?
The first thing is an inventory of these control systems. The second thing is, once you have the inventory, assessing the vulnerabilities. The way you do that is to look at the National Vulnerability Database, vendors' vulnerability databases, ICS-CERT vulnerability databases – and map those against the inventory of the assets that you have. And these assets are in the tens of thousands, so pinpointing where you have vulnerabilities is very important.
The third item is tracking and managing change in these systems because when the bad guys come in to do harm, they change the configuration of the system. And if you can't put in place workflow processes for authorized changes, or detect unauthorized changes, you're in deep trouble. So managing change and detecting unauthorized changes becomes very critical.
The fourth item that is very critical is that you have to assume you'll be breached – and you must have a way to recover. So backing up the systems and recovery becomes very critical.
How long does it take for companies to secure their workplaces?
It depends on the engagement. It can be as brief as two weeks for a single location – or it can be as long as six to nine months for a major corporation. It also matters what the scope is. If the scope involves defining policies and procedures, then engagement takes longer. So this is where traditional IT system integrators could play a role. They understand the operations of a given facility and can get in there and do a good job.
What's the biggest challenge, or difference, that IT will face in implementing security solutions with industrial companies, as opposed to more traditional enterprise customers?
Cultural change – I'd say the biggest challenge for companies is to go through a cultural change. That's where the system integrator or a company like ours can make a difference. Cultural change will come through education and understanding of the challenges and the risks associated with Industrial IoT.
You announced today that PAS raised $40 million in funding, and part of this will help bolster your channel strategy. Why is a channel program important for IoT security?
One of the reasons for our news [about the funding] is to establish and expand our channel strategy. We believe the channel partners play a critical role because they understand the verticals, and they have deep expertise within the facilities. They culturally understand the customer better, and they provide a reach that would be helpful for a company like ours. Especially if they have an operational technology background.
We're very aggressive about [building out a channel]. We're hopeful that by the end of the year we will have established a network of system integrators large and small.
Security is a multifaceted challenge that requires multiple disciplines, both IT and OT. It is layered with firewalls, anti-virus, configuration level, anomaly detection and breach detection – so it requires the various disciplines.
What's the Industrial IoT opportunity for channel partners?
The challenge from a market opportunity side is massive. There is an excess of $300 billion of control systems installed throughout the world. If you take just a fraction of that, just 10 percent, as the value of security spend that needs to go into the industrial sector, it’s a very large number. And a large portion of that has to be served by system integrators.
What role do traditional IT cybersecurity vendors play in industrial IoT?
Almost every one of the IT security providers is rushing to gain a foothold in the IIoT sector – the Palo Altos, the RSAs. The IT security space is saturated, and OT solutions are unique. The various vendors are coming at it with a common approach, using deep packet inspection to try to do things that are difficult to do in deep packet inspection – such as gaining the inventory of the control system, which is the foundation of what we need for security. ... They don't understand the OT layer because they're coming at it from an IT perspective, but you need their solution. We complement their solution – while they monitor the network, we capture the entire information and configuration of the systems, and complete inventory, and complete visibility from field sensors to the I/O cards, all the way to the proprietary controllers.
What will security attacks on industrial control systems look like? What are some examples from the past?
There have been some that have been publicized, but we believe there are more that companies don't want to publicize. The attacks that are public are Stuxnet, which is old; and the steel mill in Germany, the paper mill in Louisiana – and that's an example where we're happy to see there were consequences. This was a disgruntled employee who had been terminated and infiltrated through a back door he had created for himself to take the plant down. He was fined over $1 million and given 34 months in jail. We need more serious consequences to deter these attacks. We have seen statistics as high as seven times an increase since 2010. And, of course, the Ukrainian power plants. The weakness of these attacks is the implications of nation-state attacks, which brings up a good topic. That particular attack is attributed to Russia.
What's ultimately the potential risk for industrial customers, particularly from the angle of that nation-state example?
We believe cybersecurity attacks have the potential to be the next weapon of mass destruction. There's a big difference between an attack on the industrial sector and an enterprise. When a bank is breached, digital information is stolen, bits are moved. When a chemical plant is attacked, bits are moved in order to move molecules. And when molecules move in the wrong directions, bad things can happen, and you can end up having a hole in the ground. If that capability is there, and nations can do that, this whole notion of cyberattack is similar to what the U-boats could do in World War II – sabotage, and shutdown of the infrastructure, whether it’s a power plant, water treatment plant, or a refinery that fuels your cities.
What trends for IIoT security do you expect to see in the coming year?
We will see more investment. We're seeing indications that investments by oil and gas will increase because they are taking it very seriously. We will see an increase in regulations – there's an increase in power; I foresee that we'll see that in other industries.
We would like to see regulation on disclosures, where, similar to safety incidents, companies are required to self-report. We believe the industry will benefit from self-reporting, and that has two major benefits. Shareholders of those companies need to know to make wise investments, and the other part of that is learnings that come from sharing these incidents with others.