This time we will talk about maritime cybersecurity again with a real professional. To keep the introduction short, ladies and gentlemen: an interview with Matthew Dulcey.
Mateusz: Could you introduce yourself to our readers?
Matthew: My name is Matthew Dulcey, CTO of Procentec. Procentec is the global leader in diagnostic and monitoring solutions for OT networks based on internationally recognized protocols like PROFIBUS, PROFINET, and Ethernet/IP. For about the past 4 years I have been in various executive positions, focused on innovation and bringing innovation to the portfolio.
I currently live in Delft with my family, which is perfect because this is also where our R&D office is located.
Maritime Cybersecurity – IT vs OT
Mateusz: Thank you for the introduction. Let’s start with the first question. What is the biggest difference between IT and OT security?
Matthew: The biggest difference we see between IT and OT security is the underlying maintenance and connection needs of the networks. IT networks are in general connected at a much higher level. They also require less in-person maintenance. IT networks are often connected to higher-level central systems, which makes monitoring easier. If a laptop is not functioning properly, it is not uncommon to mail that laptop to an IT department for repairs. How can I mail a VFD that may exist on a maritime vessel to a central IT department?
Since you can’t, this requires either an external or internal resource to perform device maintenance. Further, these systems are not typically connected to higher-level networks. They are remote, locally connected to a SCADA, where the biggest concern is the production data, not necessarily the communication quality or security.
IT and OT
Mateusz: That is a really good explanation. I have to remember this example because it is very clear. However, time for the next question. Why is it important to secure both IT and OT?
Matthew: The importance of both stems from the fact that they can equally shut down an operation. They can also cause significant damage to the financials, public reputation, or even potential safety concerns. OT security has in the past been easily overlooked. Now it is coming to the forefront of requiring quick, accurate, and knowledgeable protection. Knowledgeable means protection by companies that understand the complexity and requirements to run an OT-certified network, while still maintaining a high level of protection.
Mateusz: Indeed, industries miss OT cybersecurity. The common argument is, “Our IT and OT are separate. They do not talk to each other.” We have several examples from the last months that this wasn’t true. So knowledge of network architecture is highly important. What is the correct architecture of an OT network to provide good cybersecurity?
Maritime Cybersecurity – Architecture
Matthew: The correct design of an OT network is one that addresses the balance between potential risk and the required operational capabilities of the OT protocol. Example: IT network professionals will oftentimes ask that SNMP (Simple Network Management Protocol) is turned off in a network, or that, if it is on, SNMP v3 is used. They may not know that turning off SNMP in a PROFINET network makes the network no longer certified to be a PROFINET network. Further, the requirement to have SNMP v3 implemented on all devices is oftentimes not a reality for many OT network devices. This could be because of old chipsets on an existing network or because of the balance between performance and speed required. Either way, SNMP is required by the PROFINET protocol.
So how do we bridge this gap? If your network is properly separated from your IT network, say via the use of a firewall which only allows recognized secure traffic like OPC UA or MQTT with TLS to exit, the risk from an outside-in attack is less likely. A larger risk is contractors who are onsite performing maintenance, where their activities or insight into what they are doing is not properly being monitored. It is better to address this with technology or policies than by turning off SNMP on an isolated, firewall-protected network.
This is where the Procentec security solution is positioned: to monitor these isolated networks and provide insight into what a technician is doing on the network.
Industrial Cybersecurity – Weak spots
Mateusz: That’s very interesting. I was aware of the OPC UA solution; however, I have to study MQTT as well. From your point of view, what are the weak spots in industrial cybersecurity? Where should companies focus first?
Matthew: The biggest weak spot is indeed the lack of clarity on larger OT or isolated networks. Often, many industrial companies have sprawling, complicated networks comprising legacy and non-legacy assets. Just having an understanding of what assets exist and where is a significant challenge. This is a weak spot. Uncovering what devices are installed in a network and what firmware they are using is a huge improvement for monitoring potential issues.
The other weak spot is not having a clear oversight of who is performing maintenance on your site, as mentioned in the previous question. The good thing is there are ready-made solutions to monitor and give insight.
Mateusz: This is especially common during lifetime updates. Personally, I have seen several times a situation where the architecture of the OT network was correct, but only in the documentation. However, updates change everything.
IoT and IIoT Cybersecurity
Mateusz: In industrial applications, IoT and IIoT solutions are more and more common. I see a lot of benefits, but there is the question about the security of these solutions. Could you explain, as the expert, how the OPC UA protocol works and what the benefits are?
Matthew: The benefit of a protocol like OPC UA is that it operates under a universal set of standards. That is the “UA” part, standing for Unified Architecture. This means that if you are using software to be the client [requesting/receiving data] and the manufacturer is following the UA guidelines for their server [sending/providing data] or is using recognized libraries, the connection is very easy. It also comes with a security layer. This layer has a certificate that must be accepted by both parties to establish a connection. Last, OPC UA is not a read/write protocol, as it is used to monitor a network or get data, not to allow changes to the device firmware or configuration.
Maritime Cybersecurity – Right solutions
Mateusz: Great explanation. It’s good to be aware of the solutions. What do shipowners have to do to select the right solutions for their cybersecurity?
Matthew: The shipowners should first start with what protocols they are using. What are the requirements to have a network operating at certified standards? This allows the IT department to clearly understand what must be in place to properly operate these networks. After understanding the standards, you should move to the physical design. What physical design allows you enough ability to control and maintain the network, but highlights the biggest risks? For example: having a firewall does nothing if you allow open ports on automation switches and have no good oversight of when someone connects, who, and why.
This is where having a monitoring solution that acts independently of the switch, such as Procentec’s Atlas2 Plus, comes into play as a good solution. It may add a small cost upfront, but gaining insight into the network is much more important in the long run.
So, start with understanding the needs and limitations of the protocol you are using. Move to the physical nature of the network, including the maintenance aspects. Last, seek solutions that can target the scenarios which are the biggest risk to the OT networks deployed, which may be significantly different from IT networks. So use IT network security to augment your OT security, not as the only driving factor.
Where is the market going?
Mateusz: Vesselautomation has a lot of young readers. So I have the last question. What should be the focus of young engineers? Which area should they develop?
Matthew: The focus of young engineers should be to not just disregard learning about a protocol like PROFINET. It may be a decade old. However, it will stay for years into the future. Learning in depth about the requirements to properly operate their networks will save a lot of time during your discussions with IT personnel, and about what you need on the OT side to properly operate and maintain the networks in your area of influence. It is always better to have some coverage, even if not perfect, than to have no coverage because you are expecting to have a “perfect” solution.
Mateusz: Matthew, many thanks for the interview and your time. It was great to talk with you. I already have my own thoughts, and new things to study. I hope everyone enjoys this interview!