Pratum Blog

Information Security Consulting

What comes to mind when you hear security consultant? Maybe you’re thinking it’s a person who gives professional advice about security. While that is correct, security consulting is more than just swooping into your organization, providing the best security recommendations, calling it good, and riding off into the sunset. The more likely scenario is that your consultant will become a vital asset to your organization.

Giving great advice is only a cog in the security consulting machine. At the core of the operation is the drive to ensure your organization and its information are protected. Consultants become a trusted ally as you navigate your way through enhancing your organization’s security program.

Upon conducting an initial assessment of your security risks, the consultant begins to design a shield that is tailored specifically to your security needs. Possessing expert knowledge, maintaining an unbiased perspective, and being relationship focused all have a large part in the creation of this shield.

The security threat landscape is ever-changing, and a security consultant will ensure that your program is continuously evolving, too. It’s no secret that a security breach can have immediate and lasting effects on your organization and having someone on your team whose job is to constantly be aware of your risk offers substantial peace of mind. When a security consultant is watching your back, you have the power to focus on future business objectives.

Spreading security awareness is crucial to the strength of your organization’s security shield. Each individual in your company has the ability to make an impact on security, both in good ways and bad. Security consultants not only bring awareness to your company’s risks, but to the implications of those risks as well.

Ultimately, security consultants want to empower organizations to conquer their security threats. Gratification comes when security consultants witness change happening in an organization. “For companies that turn the corner with a mass of security-aware employees, things start to change. It’s fun to be involved in that,” says Tony Schwarz, Security Consultant at Pratum.

It might be easy to assume that security consultants just give security advice. However, giving advice is only the tip of the iceberg when it comes to security consulting. The level of dedication they provide to your organization makes them a necessary extension of your team.

OT Security with ICS, HMI and SCADA

A couple of weeks ago, Pratum’s Digital Forensics Manager, Bryan Burkhardt, and Information Security Analyst, Chad Porter, delivered an Operational Technology (OT) Security presentation to a group of manufacturers and utilities titled “Jurassic Part: Evaluating Security While Systems Age.” The presentation was not only captivating and amusing, it also carried a very important message: converging IT and OT introduces information security risk, but your security can evolve.

“Evaluating Security While Systems Age”

What does it mean to evaluate security while systems age? As your equipment gets older, you may find yourself modifying industrial control systems (ICS) or shop floor automations. These adjustments can alter the amount of risk you face. It’s generally not the intention of a company to implement a design that poses a high security risk, but companies often don’t consider their potential risk exposure. Even if you haven’t made these changes, the threat landscape itself is constantly changing around you.

The premise of Bryan and Chad’s presentation was to shed light on what the risks are, how they can affect an organization, and how to prevent/mitigate the risks.

Are You at Risk?

When OT and IT merge, the potential to cut costs and increase efficiency flourishes. Rehabbing or expanding functionality of your shop floor might seem like a no-brainer, but don’t forget to consider the new security vulnerabilities they may introduce. These modern technologies require connections to a network, and installing connected devices means that you’ve just introduced an offline system to the internet, or you’ve just networked an independent machine with other (potentially more vulnerable) machines. With that comes risk that didn’t exist before.

Programmable Logic Controllers (PLC) are the workhorses of industrial automation. These simple computers help streamline manufacturing and reduce the demand on human capital. If hacked, a PLC can be manipulated to perform an undesirable task, causing damage to equipment or quality of production.

Human Machine Interfaces (HMI) are used to monitor and control machines. HMIs can be programmed to perform almost any function that can be controlled by a PLC, or to display almost any information that can be monitored by one. HMIs and PLCs work in tandem to operate machines. These pieces of equipment are integral to the industrial control systems used in manufacturing and utilities operations. When connected to the Internet, HMIs are no longer protected by isolated systems, which exposes them to greater risk of attack.

Who?

In a competitive industry, there’s always a chance that external parties, such as competitors or nation states, might want to infiltrate your organization. Maybe they want to wreak havoc on your company, forcing a shutdown and loss of clientele. They might want to steal inside information and blackmail your organization with their findings. OT used in Public Services or utilities may see actors attempting to provoke terror or fear. There are numerous reasons your organization may be a desirable target.

The addition of new technology can help protect, or audit, an old system, but be mindful that it can also provide an entry point for bad actors. Once a PLC or HMI is connected to an unprotected or inadequately protected network, there is potential for it to be hacked and information lost/stolen. Likewise, if an attacker gains access to the network that’s connected to the HMI on your machine, they may be able to control and monitor that machine.

Risk doesn’t always originate from outside forces; there can be threats within the walls of your organization. Employees often inadvertently create risk through carelessness or misunderstanding. It might be as innocent as an employee needing to charge their phone, seeing an open USB port on a machine, plugging it in, and unknowingly creating an opportunity for the network to be scanned by outside parties. Leaving default configurations or not applying appropriate embedded security controls are other examples of how employees can unconsciously put your organization at risk.

Sometimes employees may be aware of their wrongdoing but continue due to self-interest. Perhaps an employee wants to leave work early on a given day, so they alter (hack) functionality to speed up production.

Then, there’s the bad apple employee who deliberately wants to create chaos. Let’s say you have an employee who wants time off but can’t get approval the conventional way, or they feel underappreciated. They could decide to disrupt production by hacking the network (this hack doesn’t have to be very complicated or technologically advanced), causing a machine to malfunction. Now they get their time off, or possibly fix the machine to become a hero and feel adequately appreciated. Employees continue to baffle management with the lengths they will go to get their way.

Only YOU Can Prevent OT Threats

If your OT technology has been compromised, whether by an external force or someone within your company, the consequences are the same. Your organization could face broken machinery, health and safety concerns, or legal implications (loss of client information or hazardous waste spills).

Every day that goes by without implementing proper OT Security measures is another day of increased security risk. If an incident does happen, it can be detrimental. The time, resources, and cost of rebuilding can not only hinder a company’s production but put an end to it completely.

Having the correct OT Security controls in place can shield your organization and its production immensely. Here are just a few things you can do to increase your organization’s OT Security:

OT Network Monitoring and Asset Discovery (SIEM Reporting)
  • Help identify the source of an attack by proactively implementing thorough event logging within your environment.
Network-based Security
  • Utilize firewalls to help segment and segregate access between and within OT and IT networks.
OT Security Professional Services
  • Defend your OT by proactively performing risk assessments, strategic planning, policy development, and architecture and design.

Conclusion

Keeping up in today’s world requires interconnectivity. Adding a new vector of access to a piece of equipment will likely enhance your entire operation. However, without proper security you also enhance your vulnerability to threats. The key to success when converging OT and IT is to evolve your security practices to keep up with the ever-changing threat landscape.

Cybersecurity Workforce

As the world becomes more interconnected, the need for protecting data grows. The cybersecurity industry is booming, and companies, large and small alike, are looking to cybersecurity professionals for the protection they need. It’s critical that we have a powerful workforce to keep up.

In Iowa, many colleges and universities have responded to the demand by enhancing existing curriculum and adding new curriculum that’s molded around the need for cybersecurity. They seek guidance from professionals who are leaders in the cybersecurity industry to advise them on their courses. Who better to provide input than experts who know exactly what qualities and education the industry is looking for in an employee?

How One Individual is Getting Involved

Dave Nelson, Pratum’s President & CEO, is one of the experts providing input. Nelson serves as the Co-Chair of the Cybersecurity Subcommittee of the DMACC IT Partnership and has since the subcommittee was formed. This subcommittee has established its goals: identify key technology skills that the industry needs to grow a powerful workforce, provide a pathway for people who want to further their education past a two-year degree, and attract/retain cybersecurity professionals in the state of Iowa. “Students who feel like they have support in Iowa are more likely to stay here,” Nelson says.

The cybersecurity subcommittee’s efforts have led to the creation of the Iowa Cyber Hub™, a partnership between DMACC and Iowa State University that is geared towards cybersecurity. It is a well-suited name for a group that acts as a central location for cybersecurity resources. On the hub’s website, there are pathways for all levels of education: high school students, high school grads, associate’s degrees, and bachelor’s degrees. The hub fosters alliances with established cybersecurity professionals and partner schools through internships, training programs, and other projects.

Nelson’s contributions aren’t limited to the cybersecurity subcommittee. He’s spoken to the information assurance student group, and he mentors students who seek direction from established professionals. His most recent involvement is partnering with Drake University and other cybersecurity professionals to advise the college’s new post-baccalaureate certificate in cybersecurity.

You Can Make a Difference, Too

If you’re an information or cybersecurity professional looking to make a difference in the education of the future workforce, here are just a few ways to get involved:

  • Contact your local colleges and universities to see if they need members for an advisory board, subcommittee or other type of group that influences curriculum
  • Volunteer to be a guest speaker
  • Mentor students & advise them on their studies and coursework
  • Participate in surveys/polls requesting the needs of an employer and employees

The need for strong cybersecurity professionals won’t subside. As long as data is entering the world of the internet and technology, it will always require protection. It is the wisdom and guidance from established professionals that’s driving the future of cybersecurity and its workforce. With the proper tools and support, future cybersecurity professionals will be able to rise to the challenges of cybersecurity by reducing risks and keeping data safe.
