Executive Perspective Building an OT Security Program from the Top Down
- 2. LinkedIn: @Jim Guinn, II | Twitter: @jimmy_guinn
Jim Guinn, II
Accenture
Senior Managing Director
Our improvement journeys are all
different, but our end goal is the same –
achieve operational integrity and cyber
resilience.
We are honored to have so many senior leaders
and cybersecurity OT experts involved with this
summit, sharing their experiences and insights
to help others achieve the goal. The outpouring
of support for this event has been amazing. It
demonstrates how important knowledge
sharing and community involvement are to
moving the needle on industrial cybersecurity.
What follows are key takeaways from each
session. Bold statements from OT cybersecurity
practitioners based on real-world experience
advancing programs and tackling the same
challenges facing your organization.
We all know a lot can go wrong in an OT
environment, which can impact health, safety
and the environment. The last year has
highlighted just how vulnerable our critical
infrastructure is to cyber threats. And there's
absolutely no question that if any of these
attacks are successful, HSE issues can ensue.
Cybersecurity can no longer be an afterthought.
It must be top of mind, always.
As you read through this document and listen to
the replays, think about your upcoming projects
and operational objectives and consider
reframing your discussions to incorporate
security.
For example: “As we adopt 5G to gain extra
bandwidth, how do we do that securely?”
“We are planning to increase production
securely.” “We need to enhance our operations
securely with the use of robotics.”
If we just embed the word security in everything
we talk about and in everything we do, it then
comes to the forefront of our minds.
Review this guide. Share the on-demand
content. And reach out if you have questions or
just need a sounding board. My team is ready to
collaborate to advance your program for
whatever is next.
Cheers,
“There’s absolutely
no question that if
any of these
attacks are
successful, HSE
issues can ensue.
Cybersecurity can
no longer be an
afterthought.
It must be top of
mind, always.”
Jim Guinn, II
Copyright © 2022 Accenture. All rights reserved. 2
Watch the summit >
- 3. The Cybersecurity Imperative: Why embrace it?
Building an OT
security program
from the top down
Designed for executives, this non-
technical track addresses key
components of a successful OT security
program. The discussions are intended to
spark conversation and this guide
highlights key takeaways on what works,
what doesn’t and what’s next.
The agenda spans:
• organizational structure
• vendor selection
• OT SOC design
• reporting strategy
• communication imperatives
Session
Overview
Developing the next industrial cyber workforce
Navigating the booming vendor landscape
OT SOC Debate: Dedicated vs Integrated
How to execute at speed and demonstrate value
Communicating risk and reward to the board
Automation—In promise, in practice
Opening Keynote
Operation: Next ‘22
Fundamentals & Structure
Innovation & Technology
Case Study
Project Execution
Investment & Risk
Closing Keynote
Executive
Perspective
- 4. It’s impossible to
have every angle
nuanced…
Get your four to
six critical assets,
critical processes
really understood
and quantify the
financial risk.”
Bob Dudley
“
Muqsit Ashraf
Accenture
Bob Dudley
Former CEO, BP
Speakers
The Cybersecurity Imperative:
Why embrace it?
Breaches continue to climb despite
billions invested in cybersecurity.
Are companies investing in the right
security priorities?
Bob Dudley provides his thoughts on why it has
taken so long for executives to wake up to the
challenges and what is needed to make
cybersecurity a strategic priority for executives
and the board.
Key takeaways:
• For a long time, cybersecurity was viewed as
a technical problem, rather than seen as an
operational risk and business continuity
concern.
• Priorities are changing as breach
implications become more significant,
including emerging case law that holds
boards and executives accountable.
Opening Keynote
• Boards need to understand the problem, the
language and the financial implications to a
company. Time to move away from showing
the board basic activity dashboards and
begin reviewing the critical assets and
business processes that are most vulnerable
and quantify that risk.
• Big wake-up call was when Accenture was
able within a few weeks to take over BP’s oil
refinery control systems. Immediately
created a world-wide task force to update
our asset security program. It took time and
significant culture change to implement.
• Crisis Management exercises helped our
executive teams understand the
communications process was far more
complicated than they expected.
Copyright © 2022 Accenture. All rights reserved. 4
Watch the full session on-demand >
- 5. We’ve got to begin
thinking how do we
take people…and
prepare them to
engineer, design or
defend these critical
systems.”
Sean McBride
“
Sean McBride
Idaho State University
Speakers
Developing the next
industrial cyber workforce
Arguably the most universal OT
security challenge is acquiring and
retaining talent.
Meeting the demand for industrial
cybersecurity professionals starts with
preparing a future workforce.
• Idaho State University (ISU), in partnership
with the International Society of Automation
Global Cybersecurity Alliance and Idaho
National Laboratory, have created a
curriculum for industrial cybersecurity.
• First draft of Building an Industrial
Cybersecurity Workforce is available at
inl.gov/icscop
Fundamentals & Structure
• Guide outlines roles, tasks, knowledge needs,
and evidence-based curriculum.
• Already being used at ISU and available to
high schools, community colleges and
others to create career paths for students.
• Adopted by Siemens Energy for its
Cybersecurity Apprentice Program.
• Input is needed from practitioners to further
enhance and improve this guide
• Join the INDUSTRIAL CYBERSECURITY
COMMUNITY OF PRACTICE at inl.gov/icscop
Copyright © 2022 Accenture. All rights reserved. 5
Watch the full session on-demand >
- 6. The [vendors] that are
going to be successful
are the ones that have
a service element that
is difficult for an IT
company to replicate.”
Dale Peterson
“
Bob Ackerman
AllegisCyber Capital
Dino Boukouris
Momentum Cyber
Rich Mahler
Accenture
Dale Peterson
S4 Events
Speakers
Navigating the booming
vendor landscape
With thousands of new security
technologies available (and more
being added), where should you invest
your money and confidence?
It’s been a record year for M&A financing deals
in cybersecurity. Many undifferentiated
solutions in the market create a lot of noise for
those tasked with evaluating vendors. What
should you look for?
Key takeaways:
• Expertise: Look for someone who has OT
domain expertise. They will better
understand the unique requirements and
challenges of this space.
• Services: With the shortage of OT security
expertise, look for someone who can offer
complimentary services to augment your
team, e.g., incident response teams.
Innovation & Technology
• Have realistic expectations. Unlikely any
solution will last more than 3-5 years given
the aggressive M&A activity.
• Understand your future plans. If you have
plans to augment or implement newer
technologies into your production
environment, you might lean towards
technologies that converge OT and IT.
Copyright © 2022 Accenture. All rights reserved. 6
Watch the full session on-demand >
- 7. “The ongoing
collaboration
between IT and OT
is critical—the full
integration is
optional.”
Jason Holcomb
James Costello
Freeport McMoRan
Jason Holcomb
Accenture
Tony Souza
CenterPoint Energy
Speakers
OT SOC Debate:
Dedicated vs Integrated
The OT SOC is a culmination of other
investments made in an OT program.
What is the best SOC build model and
how do you get there?
Three security experts share their experiences
and advice for building an OT SOC.
Key takeaways:
• If you don’t have monitoring, detection and
response functions for your OT environment,
you need to start that journey.
• Cyber threats towards OT will continue, while
regulations are rapidly expanding across OT.
Without proper instrumentation, it will be
difficult to respond to these demands.
• Industrial digital transformation will also
continue, which will require IT/OT be
integrated.
Case Study
• Ongoing collaboration between IT/OT is
critical. This starts by building trust between
the two organizations.
• You don’t have to be integrated to be
effective, but there are efficiency gains. IT is
better positioned to manage firewalls, threat
detection, etc. enabling OT to focus on
operations.
• When selling leadership, focus on the
business building capabilities that come with
OT security. You can leverage operational
visibility to help the business, e.g., run more
efficiently, improve performance, etc.
• Ways to staff your SOC include recruiting OT
business staff to join security, cross training
IT & OT staff, internship and apprenticeships.
Copyright © 2022 Accenture. All rights reserved. 7
Watch the full session on-demand >
- 8. Every single site has
its own set of
challenges.
Establishing a realistic
plan that accounts for
those nuances, is
essential.”
Doug Wylie
“
Paul Brownlee
Accenture
Ray Griffiths
Accenture
Kevin Jackson
Accenture
Doug Wylie
Accenture
Speakers
How to execute at speed
and demonstrate value
Companies on the journey to secure
hundreds of sites face challenges common
across industry and geography.
How we balance the speed of progress with the
speed of business and the criticality of operations is
the key to keeping business operations owners
engaged and supported.
• Establish a starting point and have a realistic plan
that accounts for the many variations across sites.
• Understand your critical threats and actual risks
and focus on those to protect your company.
• Board level understanding is still incomplete.
Using adverse simulations can be a powerful way
to demonstrate to executives how a proposed
investment can reduce risk.
• When expressing value, use language that
resonates with the business such as availability,
reliability, up time and improving efficiencies.
Project Execution
• To maintain momentum, set up your program to
demonstrate value from day one. Start with the easy
stuff and use what you already have (don’t reinvent
the wheel).
• Federated models that push implementations to
local sites can be a powerful way to accelerate the
process.
• Regularly report on “metrics that matter” and revisit
them throughout the implementation to ensure they
are still valid and relevant given various changes
across the landscape.
• To balance speed and technology rigor, you need to
thoroughly evaluate proposed tools and ensure they
are “fit for purpose.”
• To fill the skills gap, look internally for ways to
reapply/redirect skills to support the effort or
outsource where suited.
Copyright © 2022 Accenture. All rights reserved. 8
Watch the full session on-demand >
- 9. “You can make all sorts
of investments—
and feel good about
them—but if you don’t
understand where the
weakest links are…there
are going to be all sorts
of problems.”
Yanni Charalambous
Jim Guinn, II
Accenture
Yanni Charalambous
Oxy
Speakers
Communicating risk and
reward to the board
As operational technologies and
automation evolve, how do you get the
risk and reward balance correct when
making new investments?
Yanni Charalambous believes a mindset of
continuous improvement is critical to success.
And when it comes to cyber risk and resilience,
“if you like a challenge, you’re in the right place.”
Key takeaways:
• Need to understand the risk profile of your
assets and have that profile drive your
investments.
• Improvements are continuously needed to
address ongoing and evolving external and
internal risks.
• If you approach security as a checklist, you’ll
find yourself behind.
Investment & Risk
• Boards want to know the risks to a company.
Three discussion points to communicate:
• what threats are happening in the
industry
• what measures you have in place
• what the outcome would be if those
measures failed, e.g., loss of life, loss of
property.
• For our board, we focus on the top 10 assets
in the company that we need to make
investments in to keep them secure.
Copyright © 2022 Accenture. All rights reserved. 9
Watch the full session on-demand >
- 10. Automation —
In promise, in practice
“We want to use
automation where
we can and then
have humans
involved where
they need to be.”
Paul Scharre
Gabby D’Adamo
Accenture
Jim Guinn, II
Accenture
Paul Scharre
Center for a New American Security
Speakers
There’s no question that automation
already plays a significant role in IT
and OT system cybersecurity.
As the threat landscape continues to grow,
what role could/should automation play in OT
security management?
Advantages of automation
• Helps systems be more efficient, more
effective and safer.
• Reduces tendency for human error.
• Propagates system updates helping improve
security.
• Works well for repeatable, predictable
processes.
Closing Keynote
Risks of automation
• Takes humans out of the process removing them
from potentially catching mistakes and issues.
• Increases potential risk if a hacker infiltrates a
system.
• Can’t build automated systems to work in
situations we can’t predict.
Going forward
• Automation adoption needs to be a risk-informed
decision.
• Start by looking for manual processes you can
automate that will free up humans to focus on
critical thinking problems.
• Humans will still play a role – they need to know
what automation is capable of and when to step in.
Copyright © 2022 Accenture. All rights reserved. 10
Watch the full session on-demand >
- 11. Ready to step into next?
Visit our website for expert
insights on OT cybersecurity
Discover more resources >
Learn about our purpose-
built OT Cyber Fusion Center
Partner with us to advance
your OT security program
Leverage our test facility > Engage our OT cyber team >
Take a virtual tour >
Contact our team >