The experts agree—now is a pivotal moment for protecting your organization from bad actors.
What’s new in the world of cybersecurity? The answer seems to be everything.
Cybersecurity experts from every industry recently gathered at ServiceNow’s annual Knowledge conference in New York City. Through roundtables, panels, talks, and live demonstrations, they shared what they’re seeing on the front lines of cybersecurity—and what lies ahead. Here are the highlights.
Manufacturing is on high alert
Robert Rash has been working in manufacturing for more than 20 years. From oil and gas to chicken farming, ServiceNow’s manager of manufacturing systems architecture has seen it all. These days, he spends most of his time raising alarms about how executives are neglecting cybersecurity on their factory floors.
“People are realizing how easy it is to hack the average factory, and it’s about to get a lot worse before it gets better,” Rash told interviewer Paul von Zielbauer.
Most of the tech that powers the factory floor is operational technology (OT): devices like temperature sensors and HVAC systems. Although IT devices—laptops, tablets, phones—are typically well-secured, OT devices are not. The oldest devices even predate modern cybersecurity.
“They’re ticking time bombs,” said Rash. “They’re built to last, but they’re not built to be secure.”
In fact, some of the most high-profile cyber attacks in recent memory exploited OT devices and supply chain vulnerabilities. The Colonial Pipeline attack and the SolarWinds hack both compromised critical infrastructure.
Rash thinks there’s more where that came from. “It doesn’t take a lot of expertise to hack these devices. A layperson could learn how to do it from watching YouTube videos,” he said.
The solution to this problem might seem obvious: secure all those OT devices. But Rash said it’s not that simple. Before pricing cybersecurity vendors and trying out potential solutions, manufacturers must first solve a cultural problem. “IT and OT don’t talk to each other,” said Rash. “I’ve been on calls with IT and OT teams, and it’s the first time the two sides have talked.”
On the one hand, IT teams lack visibility into the devices OT teams use on their factory floor. On the other hand, OT teams don’t share a common vocabulary with IT, so they can’t tell them what they need to secure. To avoid disaster, Rash argues that the two functions must learn how to communicate.
“OT is eight to 10 years behind what IT is doing,” said Rash. “That’s a huge problem.”
Security leaders trust no one
What’s the number-one rule in cybersecurity? For Will Coffey, senior manager of digital platforms at Accenture, the answer is “trust no one.”
Coffey is part of a community of cybersecurity experts who advocate for a zero-trust approach. Speaking to a large audience of executives, Coffey explained that mature organizations continually monitor, verify, and authenticate users who are trying to gain access to applications and data. That’s the heart of zero-trust.
Zero-trust is especially important in today’s world of work, where employees do their jobs on the go: at home, in coffee shops, at conferences, on laptops, iPads, and iPhones, and in and out of VPNs. Remote and hybrid work create a fluid environment. With so many people and devices constantly coming and going, it’s hard to know who should and should not be accessing which assets.
Creating a zero-trust perimeter requires four steps, according to Coffey. Step one is understanding the environment. That means cataloging every asset in an organization’s network. “You can’t protect what you can’t see,” he said.
Step two is putting systems in place that continuously authenticate users who are accessing the system. “Set up the least permissive access,” Coffey said. “Don’t grant someone access to the whole server when you can grant them access to one folder.”
Continuous authentication is necessary for the final two steps: preventing “lateral movement,” when a user can move across the network and access files they’re not supposed to see, and reducing the attack surface, or the opportunities a user has to move across the network and look for vulnerabilities.
Coffey isn’t the only one encouraging security teams to build a zero-trust security architecture.
At a roundtable on security and risk, executives agreed on the importance of always-on security. In a free-flowing conversation, leaders from manufacturing, IT, and telecommunications shared wisdom and aired their frustrations. The consensus was clear: threat actors don’t sleep, so cybersecurity shouldn’t either.
Participants agreed that too many executives invest in a tool or hire a vendor and think they’re done with security. Instead, organizations should constantly be looking for ways to push the envelope on security, and leaders should invest in tools that always monitor assets for threats.
With so many emerging technologies and cyber threats, where should organizations begin? Accenture’s Coffey and manufacturing expert Robert Rash had the same advice: “Start small.”
Both experts agreed that the foundation for good cybersecurity is a configuration management database (CMDB) that helps the organization store information about what hardware and software they’re using. In other words, start by taking stock of what you have—before hackers do the same.
This article was originally published on ServiceNow's Forbes BrandVoice page.