This week on the PrOTect OT podcast, we had the privilege of interviewing Dennis Murphy, Lead OT Security Engineer at National Grid. National Grid runs a variety of operations including, liquified natural gas plants, gas distribution, electric distribution, election transmission, and power generation. With a wealth of experience in protecting critical infrastructure across a variety of sectors, Dennis offered valuable insights into the challenges and opportunities of bridging the gap between IT and OT. We also delved into the importance of understanding your OT environment and the role that data plays in OT security. Below is a quick excerpt of our discussion. If you're interested in these topics, be sure to listen to the full episode and subscribe to the PrOTect OT Cybersecurity Podcast.
Aaron: What’s your biggest focus or problem that you're wanting to attack in the next 1-3 years?
Dennis: It's summarized by IT OT convergence. I remember in 2015 thinking, oh, IT is never gonna be in charge of OT. And I'm going to stand by that statement, but with a caveat, right? It's like the networking components need to be worked with or worked on with the IT groups because they can bring some sort of rational, clear security mandates that can be utilized across the whole company. You know, in trying to secure a utility where it used to be like seven or 10 different utilities. But at the end of the day, the corporate umbrella company, we're not going to run 20 different security tools. Right? We can run a couple, but we're doing everything we can to try and bring it down to one technology that the company is going to implement across the board. So we have better management and oversight of it. So that's really been the challenge, trying to explain the value of that to the operators in the field. And on the IT side, explain to them that that whole global control set that has 200 and umpteen controls, that you don't just load those down there. It doesn't work that way.
Aaron: And you can't just take the IT ones and push it down on them either, right?
Dennis: Correct. And so we take the risk-based approach, what controls clear out the biggest risks for us and apply those. The other challenge is trying to explain to IT is that the tool you use to manage all of their endpoints, and Windows and laptops and everything, or even Linux servers or some Linux tools they utilize and they're like – that it doesn't work the same in OT. They’re not used to the amount of machine to machine communication that's going on in OT network layer 1, 2, 3 of the Purdue model. And so we're trying to explain to IT why you do need a separate set of tools to actually implement security down at the OT level.
Aaron: There has to be tools that understand the environment and can work in the architecture and be able to talk to the devices and not, you know, break things. Because in those spaces safety and availability are more important.
Dennis: Yeah, and not only that. They might want to put an agent on every endpoint. And it's like, well you're not gonna put it on that VFD or that PLC. You bring an IT person down into the field and then they're like, what is this?. And finally, you know, we find the HMI and there’s your Windows machine. But even then sometimes, we have done tests in our lab and if you take an IT tool and put it on a Windows endpoint, the tool is going outside of the Windows environment to start do things to help understand what's going on. In the network and other endpoints. And we've had things shut down in our lab. So we cannot utilize that tool just as is bring it down, we have to tune it, we have to understand how to configure it and we're working with those vendors to try and set up those configurations that are more rational for the OT area.
Aaron: So I know one of the things that you're really working to attack is that asset inventory and that having an accurate asset inventory around OT for all the reasons you just said: I can't just push an IT tool down, even if it just has an agent and it does support it, because it may go out from that device and try to scan or talk to things around it, which can cause harm in an OT environment as we know. So how are you trying to look at that and solve that?
Dennis: Yeah, so right now the standard is to bring in an outside consultant. And we have a few companies that do this for us and do walk downs of the sites. But it's like security by Excel spreadsheet. It's stuck in a point solution of that inventory. And even if they pull one region together and put it in one spreadsheet, well that still doesn't help us from a security standpoint. By the way, you need asset inventory for many things. Not just security. For Finance, we have over 1,200 substations at National Grid. And every single one of those we have to pay real estate taxes on. So in order to do that, they want to know, well, what's the value of that? Just like your house. And the value of that is based also on the assets that are installed.
Then the operations and maintenance folks need to know, what do I need for spares? So they need that information for preventive maintenance, but security needs it for a different purpose. And one thing we're struggling with now is trying to understand are there opportunities to have a single asset management database? And I, I think the answer is no. At this, you know, like in my lifetime I don't think it's going to be there. You know we need to create one specifically for OT / security.
You know, OT security engineering has an asset management system and you can find all this information in these design documents that are in a document management system. And so when I say, “but how do I know what I have in the blueberry substation?” They'll come back and go, “Here's our engineering substation scope document. Here's where it all is.” But I'd like to know, because of my vulnerability management query, where these relays are. You'd have to then go through what 1,200 documents to find that. We need a relational database.
So what we're trying to do is first of all, get the company in an agreement that we need another solution in the OT. And then to define how we're going to do it. We're really looking at this as two parts. There's asset discovery and discovery can happen both in an active or a passive manner. So we have a couple of tools that we're thinking about using down there. A passive system, an active system. And then where you're going to keep that data itself, that could be the same tool or it could be Splunk. At the end of the day, to really see and understand what it is that they have when they need to triage any alerts, if it's right there in Splunk, triage can happen very quickly and everybody feels more confident with it.
This has been an excerpt of a PrOTect OT Cybersecurity Podcast episode (edited for clarity). For the full conversation, listen and subscribe here: https://podcasts.apple.com/us/podcast/the-protect-ot-cybersecurity-podcast/id1662081824