Interview with Grant Geyer, Chief Product Officer at Claroty
Criminal groups are increasingly targeting operational technology (OT), the systems that control and monitor physical hardware and processes. We ask Grant Geyer, Chief Product Officer at Claroty, about the most important risk factors ahead, and what organisations should be focusing on in 2024 and beyond.
How do you see companies evolving in their understanding of the gaps in their OT security frameworks, and what measures do you anticipate being crucial to address these gaps as we approach 2024 and beyond?
As we enter 2024, I think companies are becoming more adept in identifying gaps within their OT security. Between cyber threats like ransomware and increasing regulatory demands from directives such as NIS2, there is a lot of pressure to get this right.
As ever, the most important factor is developing real visibility of the intricate relationship between IT and OT environments and creating an accurate risk assessment from this knowledge. Organisations cannot hope to secure their environments if they don’t fully understand their IT and OT assets and how they interact.
As business imperatives continue to drive the convergence of IT and OT environments, network segmentation and vulnerability management are two of the most important capabilities. We’re seeing encouraging signs that companies are progressing in these areas. In a recent survey of over 1,000 IT and OT professionals, most said their capabilities in these areas were moderate or mature.
With 80 per cent of organisations having a cyber insurance plan and 49 per cent having coverage exceeding half a million dollars, to what trends or factors do you attribute the significant increase in cyber insurance adoption, and how does this impact organisations’ overall approach to cybersecurity?
The rising cost of cyberattacks is one of the main factors in the huge surge in cyber insurance we’ve seen in the last couple of years. Threat actors are increasingly focusing on highly disruptive attacks, such as ransomware, that aim to cause as much damage and expense for their victims as possible. We see many enterprises turning to insurance as a way of softening the financial blow of an incident.
A comprehensive policy can provide a financial safety net to help the firms survive an incident. That said, it’s important for insurance to be seen as a complementary factor to risk management efforts, and not a replacement for them. In risk terms, we refer to this as a “risk transfer”. However, business leaders shouldn’t confuse insurance with having an effective control.
Insurers are starting to learn about OT security and controls and, at the same time, also becoming stricter as they seek to manage the amount of risk they take on. Most policies now include a prescriptive list of criteria that organisations must meet to obtain coverage, and security failings may disqualify them from claims. Firms must ensure they have strong access controls, vulnerability management, and other critical security capabilities. With insurers scrutinising applicants more closely, enterprises must be proactive here and cannot expect to get by on a “tick box” approach.
Given the increasing oversight of cybersecurity incidents by governments and regulatory agencies globally, how do you observe organisations adapting to these changes, especially in balancing the protection of critical OT operations with the need to comply with rigorous rules and regulations?
Regulations are extremely influential in driving OT security strategies. Nearly half of IT and OT decision makers in our research cited the TSA Security Directives as having a significant impact on their security investment plans. The regulatory landscape can be very complex and is continually evolving as new regulations are added or existing ones are updated. Organisations in fields dubbed “critical national infrastructure” (CNI) have particularly heavy compliance obligations due to their critical nature and will need to comply with NIS2 when it comes into effect in October 2024. The financial sector will meanwhile need to adapt to the recently created Digital Operational Resilience Act (DORA) ahead of January 2025, and some organisations will need to accommodate both.
One of the most challenging aspects of regulations for business leaders is the lack of harmonisation of standards from a variety of countries in which they operate and regulatory bodies. Security and risk leaders are left to take a “highest water mark” approach to ensure that all standards bodies are met.
As companies navigate the delicate balance between protecting OT operations and adhering to stringent rules, what challenges do you foresee emerging in terms of compliance, and what strategies can organisations adopt to overcome these challenges effectively?
One danger with regulations is the tendency to prioritise compliance over actual cyber resilience. While organisations need to meet all relevant regulatory demands, they cannot afford to mistake compliance for security. Regulatory and organisational compliance should be the byproduct of your risk programme.
The good news is that most regulations, particularly more recent ones, tend to be focused on core security capabilities that organisations should already be pursuing. NIS2, for example, has a strong focus on risk management, prescribing the creation of policies for risk analysis, incident response, and business continuity among others.
Firms feeling overwhelmed by overlapping regulatory obligations should take a step back to map the various expectations. They can then create and implement risk management frameworks that will meet multiple regulatory needs while also keeping the business resilient against cyber threats.
With a growing realisation of the importance of cybersecurity, especially in the face of diverse cyber threats, what best practices would you recommend for organisations to address the most critical pain points in their security posture, and how can these practices be implemented effectively?
While cyber threats are continually evolving, effective security usually boils down to the same handful of core measures. Getting these foundational elements right will greatly mitigate the risk posed by most attack tactics.
Firstly, conducting regular and thorough risk assessments is essential to identify and mitigate potential vulnerabilities. As we discussed earlier, it’s critical that firms understand how various systems – IT, OT, IoT, whatever they may have – interconnect and how this influences risk exposure.
This also has an important impact on patch management. Firms should be aware of their most critical systems and ensure they prioritise relevant updates.
Alongside this, implementing robust network segmentation is another crucial step, as it helps contain and limit the spread of malware or intruders within the network. This can be further enhanced by taking on a zero trust approach to further guard against unauthorised network access, as so many OT environments have third parties that support and maintain the equipment, and the enterprise can inadvertently inherit their risks if not properly controlled.
Considering the increasing variety of cyberattacks, from ransomware to supply chain attacks, what proactive measures and strategies should organisations prioritise to ensure a robust defence against the evolving landscape of cyber threats?
There has been a near-constant stream of high-profile cyberattacks in recent times, with a trend for highly disruptive attacks that hit hard and fast. Incidents like the ransomware attack on Clorox demonstrate how quickly an incident can bite into productivity and start racking up costs. Attacks on ports such as those in Canada and Australia also show the tendency to target critical infrastructure that will have a widespread impact.
Proactivity is essential against threats of this calibre. All too often, organisations are focused on threat monitoring tools. While these are important controls and have a critical role in monitoring for a cyber attack, the most important thing organisations can do is to reduce their attack surface area through patching and implementation of compensating controls. By reducing the large inherent risk associated with OT environments, organisations can focus a threat monitoring programme on the residual risk.
How do you see collaboration evolving among companies and industries to collectively strengthen cybersecurity defences, and what role can partnerships and information sharing play in mitigating the impact of cyber threats on critical OT operations?
Enterprises are necessarily guarded about their security strategy and controls. At the same time, we have witnessed strong governmental influence in encouraging best practices and information sharing. Notably a broad set of information sharing and analysis centres (ISACs) provide a hub where vertical-specific organisations can share intelligence and best practices. Additionally, governmental organisations have published a set of best-practice guides to serve as on-ramps for organisations that are nascent in their journey, such as CISA’s cyber performance goals.
Looking ahead to the future, what steps do you recommend for organisations to future-proof their security measures, considering the dynamic nature of cyber threats and the evolving technology landscape?
We anticipate some significant shifts in the year ahead, particularly when it comes to the Extended Internet of Things (XIoT), the umbrella that encompasses all connected technology. We’re seeing continued convergence in IT and OT, and a growing volume of IoT devices. Every network will be an XIoT network before too long. Combined with ongoing IT trends like cloud migration, environments are becoming more complex than ever.
One result will be an increasingly asset-centric approach to security that accounts for individual systems. Alongside this, there will be a greater focus on secure communication through segmentation and understanding “good” traffic patterns between assets.
These advancements will be fundamental in safeguarding interconnected devices and critical infrastructure.
Grant Geyer oversees Claroty’s product management, engineering, and research organisations, and is responsible for the company’s product strategy and development. Earlier in his career, Geyer served as a military intelligence officer for the US Army. He holds a BS in Computer Science from the US Military Academy at West Point and an MS in Engineering Management from the University of Maryland, Baltimore.