Threat Vector 10.10.24
Ep 38 | 10.10.24

Bridging IT and OT for a Safer Future

Transcript

Del Rodillas: Invest in relationships. Invest in making sure that your leadership is aligned to the initiative of OT security, and make sure you start thinking about the future in terms of your technology stack. [ Music ]

David Moulton: Welcome to "Threat Vector," the Palo Alto Networks podcast, where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Director of Thought Leadership. [ Music ] Today, I'm speaking with Del Rodillas, Distinguished Product Manager for Industrial Cybersecurity at Palo Alto Networks. Del brings over two decades of experience working at the intersection of critical infrastructure, industrial operations, and cybersecurity. His passion is in helping asset owners and operators protect the industrial assets that our societies and economies depend on. From his work at Palo Alto Networks to leading roles with other major tech firms, Del has focused on guiding industrial organizations in their journey towards cyber resilience. Today, we're going to talk about strategies for strengthening OT security. Operational technology, or OT, environments, which power critical infrastructure like energy grids, manufacturing plants, and water systems, are increasingly under attack from sophisticated cyber threats. As these systems become more connected, the stakes for securing them have never been higher. We're excited to dive into this critical topic and explore strategies for building stronger defenses. Del Rodillas, welcome to "Threat Vector." Thanks for coming on and talking to me today.

Del Rodillas: Pleasure being here, Dave.

David Moulton: Del, tell me how you got into OT security.

Del Rodillas: You know, when I first started my career, I was really in OT, looking at it from the standpoint of how do we increase our manufacturing yield? How do we keep our yield up and running? And when things crash, how do we recover? You know, I was really in that mode of uptime and safety when I first got out of college, and fast forward, you know, 15 or so years later, I really had this opportunity to join Palo Alto Networks and start up our practice, if you will, or our focus on industrial cybersecurity, ICS, and SCADA. And I thought, hey, this would be a pretty cool place to look at manufacturing and electrical engineering, but from a standpoint of cybersecurity. That kind of changed my view on where my career was headed, kind of made things fresh again. And still, I'd be involved in technology, but just from a different standpoint. So I jumped on it, and I've been doing it for the last 11 years or so, just focusing on OT security.

David Moulton: So same game, but different lens. I like that.

Del Rodillas: Exactly, yep.

David Moulton: It lends a certain authentic credibility to your opinion when you're thinking about security, because you've been there on the other side where you said safety and efficiencies and uptime were really the name of the game. But obviously, hooking your OT into the corporate network and exposing it to the internet changes the game a little bit on what can impact safety and efficiency and uptime.

Del Rodillas: Yeah, and at that time, at least, there wasn't all this buzz around AI and semiconductors, but it kind of became saturated, and the other thing I liked about getting into the whole cybersecurity space was just the mission of really trying to help organizations be protected from the baddies and keep critical services and economies around the world up and running. That whole tie to critical infrastructure security really resonated with me. So it was pretty much an easy decision to make that jump from bits and bytes to the bigger system and protecting asset owners' standpoint.

David Moulton: For sure. I think there's something about cybersecurity that ticks a box for certain folks.

Del Rodillas: Yeah.

David Moulton: You know, when I moved from design of applications and software apps and enterprise apps to working on the security side, there was a mission side of it. It was a do-good side of it. I enjoy that. What are the foundational elements of a robust OT security framework?

Del Rodillas: You know, that's an interesting question, David, in that OT security from a framework standpoint is not so different from, you know, what you would expect from an IT standpoint. I think it's really about the context and the adaptations. You're going to have your risk assessment and management aspects, you know, the controls around the network and the endpoints, continuous monitoring, so on and so forth, and you'll even have the compliance, governance, training, and supply chain. So everything is there from a key pillar standpoint. When I talk about context, I'm really thinking about adaptations in terms of, hey, you know, there's a really, really high sensitivity to uptime and safety, and how does that implicate the programmatic aspects? How about the fact that you have all of these legacy systems that are either unpatched or unpatchable? You can't scan the network as you would typically do in an IT environment regularly, right? You might not even be able to do that, period. So you need to consider that, and there's also the aspect of the unique protocols and OT and IoT devices that are there. Regulations certainly are another aspect that you need to consider. There are things that are even vertical-specific around utilities, oil and gas, and other very, very critical industries. And the other aspect, when you think about how the OT threat landscape has evolved today, is just the scope of the relevance. It's not just within OT anymore. It's really a program that cuts across IT and OT where you need to consider that complete threat model, especially since most of the attacks are these so-called pivoted attacks, right?

David Moulton: Yeah. When I've talked to folks that are driving the floor or are on the OT side, you know, they're looking for that safety, that efficiency, or that productivity, and the IT side tends to be focused on uptime and, you know, looking for ways of getting optimization, and now those two worlds have started to collide. Del, how can organizations bridge that gap between IT and OT teams and then enhance security overall?

Del Rodillas: Yeah. I think from what I've seen most of the time, when I ask the question, okay, what's holding your program back? Why haven't you gotten as far as you've wanted to with your OT program? The answer is often around people, not, again, around the technology or the processes, which may sound great, but if, you know, the leadership, when I say leadership, the leaders of the business units, the product owners, the IT leaders, even the board, they're just not aligned, right? Or they don't even know that this should be a top-of-mind issue. So it's really trying to make sure that those stakeholders are aligned and investing in getting the top-level people aligned there. And then because they can drive things downward. You know, the COO can drive the operations side, CIO, the IT side, and the board kind of keeping these leaders accountable, and with that in place, I think you need to have some incentives for the leadership, especially on the business side, because the business side has been traditionally used to running things in isolation or in a silo and doing whatever they want. Now they need to answer to a centralized approach to OT security. If they don't really have incentives, you know, whether it's more of a carrot or stick-based approach, whatever the case may be, they need to have some accountability in it and also benefit in terms of aligning with the centralized OT security approach. There's also an element of education and cross-pollination where you have, you know, maybe an IT person learning the ropes on OT and vice versa. And within your OT SOC, maybe pulling in some OT people to bring that domain knowledge to your analysts so that they can make better sense of the alerts and logs that now are being pulled in, right? So there's also that aspect.

David Moulton: All right. So cross-pollination, making sure that your executives and your leadership understand what's going on. Dare I say visibility? But I mean that from a business standpoint into your OT environments and the needs that they have around security, not necessarily an analyst needing visibility into some of these OT systems, which inherently are tough to look at. They weren't necessarily designed with security in mind, you know, some 20 years ago or whatever it might have been.

Del Rodillas: Yeah.

David Moulton: Del, how can organizations effectively implement, say, like a zero-trust architecture in those OT environments?

Del Rodillas: Yeah, I mean, that's the interesting part about zero-trust for the OT domain is it's very, very foreign, right? And when you boil it down to the key elements, I think the first thing is around understanding and prioritizing the risk. And it's very, very high risk considering, you know, what happens if a power grid went down or, you know, your money-making factory stopped producing widgets, right? So it's an exercise, I think, in terms of not trying to secure all of your estate but focusing on the ones that matter the most. So some kind of prioritized risk ledger, working with the stakeholders to understand this view of assets and their related risks. And from there, I think it's much easier to implement programmatically the awareness, visibility of your assets and their communication. This really informs the fundamental approach for zero-trust in terms of, okay, trying to minimize your exposure by locking down the communications and the way users interact with your network, your assets, the data, from a least-privileged, role-based access standpoint, right? And then implementing the segmentation. So typically, what I've seen as best practice is starting with the IT/OT perimeter, you know, biggest bang for the buck there, right? And as you kind of have that stronger perimeter, work your way in and kind of segment further, but not to the point where it's operationally impractical, right? You might say, you know, stopping at that level where I'm securing good groupings like a manufacturing line or, you know, certain group units of a power plant, you know, turbines and whatnot. Instead of going to the individual industrial controller level, that's just not going to operationally be effective at all. It's just too much overhead.

David Moulton: So striking that balance between --

Del Rodillas: It's striking a balance.

David Moulton: -- how far you take that zero-trust approach versus how do you continue to deliver power? How do you continue to deliver output from your factory or whatever your OT environment is built to do?

Del Rodillas: Yeah, 100%, and it's just, you know, there is going to -- you're going to find that balance. Eventually, the engineering guys will push back. It's like, I'm not going to put a firewall in between every workstation and industrial controller. That's, from a cost standpoint and an operational standpoint, just not --

David Moulton: Untenable.

Del Rodillas: Not practical. Yeah. So ratchet it back, right, to something that makes more sense.

David Moulton: Del, what role does continuous monitoring play in OT security?

Del Rodillas: It's very important. Again, coming back to my earlier point around adaptations, you really -- you want to implement it, but you want to make sure that the capabilities are correct because you do have that specialization in the communications, the protocols that are very specialized to these industrial devices and also being able to even fingerprint what these devices are versus saying, you know, you may have a lot of tools that can say, yeah, this is a Windows workstation, but you know, you have these devices now that you need to distinguish, for example, from vendors who may not be part of the IT mainstream, the Rockwells, the Siemens, and the kind of devices that they are, like PLCs, RTUs, and HMI. You know, things that a lot of companies have not invested in the capabilities to profile them, but that's all changed with the influx of new OT-specific security tools and visibility tools. And these are what you want to make sure you implement to have that good understanding of the estate and the way they're interacting on the network. [ Music ]

David Moulton: How important is vendor selection in building a comprehensive OT security strategy?

Del Rodillas: I think it's really important to think about vendors from -- first of all, it's very important, right? I think, but that said, when you think about your vendors, there's, to me, three things that you need to consider. Number one is the capabilities. Obviously, there's a specialization that comes with OT security. We talked about the devices, the communications, and the mindfulness in terms of considering availability and uptime, for example, and the patching or, you know, protecting legacy devices. But beyond that, we've seen the stack from an OT standpoint also become convoluted and complex. So you need to have vendors that ideally can provide more than just one aspect of that security stack, just that they can provide you the complete platform in a cohesive, integrated manner, right? And the third piece is just the staying power. Obviously, if the vendor is just a point solution vendor or a startup, they may not be around in the long term to continuously give you that security you need. So you want an organization that ideally has this mature platform where the capabilities are just a feature that you can turn on, and they've established their presence, their market presence and staying power. I think with these key concepts in mind, you're setting yourself up for success in terms of your OT program.

David Moulton: Del, talk to me about how organizations can balance their security and operational efficiency in those OT environments.

Del Rodillas: Yeah, again, if you think about the key consideration for zero trust, which starts with a risk-based approach, it's always trying to prioritize the risk, understand risk and prioritize that such that you're not trying to boil the ocean and you're protecting the crown jewels and, you know, focusing where you think you can get the best bang for the buck. So starting with a risk-based approach is key. I think the other aspect, especially on the operational efficiency side, is how can you leverage automation? And automation in the OT world is not necessarily about automating the response to stop threats. In fact, a lot of OT asset owners don't want to do that. But at the same time, you can still leverage automation to better disseminate and highlight the alerting process such that you at least know that there's an issue and have the option to take action, if you will, and the other aspect is leveraging AI to baseline the behavior. Some will argue that OT is more predictable than IT, and with that, it's a little bit easier to detect anomalies, and so you can leverage tools that can baseline your traffic, detect anomalies, and again, it could save you a lot of effort in terms of trying to define the policy because you've used AI to really profile what's normal and also detect when things go awry. And the other thing is using a more standard approach to your policies for OT and leveraging that central management approach and leveraging templates such that you can more easily scale the segmentation approach and the hardening approach to your OT security policies. I think all of these can be used in your security operations to better scale and be more efficient.

David Moulton: Del, what are the common pitfalls to avoid in OT security implementations?

Del Rodillas: Yeah, David, I think we've touched on both of the ones I'm going to call out in some form already. I think the first one is around the governance. I think most organizations underestimate how big of a hurdle that can be, and they don't invest enough time and effort to develop those relationships to make sure there's alignment at the top and to put in the incentives for the stakeholders to align and execute on the enterprise-wide plan. So I think that's something you should probably spend more time than you think you'd need to in terms of building that governance framework and making sure that it gets executed. I think the other aspect is not really prioritizing the security investments and trying to just do it more as an ad hoc or trying to cover all the bases in one shot. It's perfectly fine to think about it from a risk standpoint where you prioritize where you think you'd get the most returns or, you know, where you think you need to secure first. For example, focusing on the most substantial money makers if you're a manufacturer from a plant standpoint, and then working your way from, you know, the perimeter of the OT environment down to, you know, the lower layers where segmentation might make sense and kind of, you know, deciding as a business that this is your risk tolerance, and you get a good ratio of payback to the effort and investment.

David Moulton: How can organizations stay ahead of emerging threats in the OT landscape?

Del Rodillas: Yeah, I think it's important to leverage the community. When I say community, there's a lot of vertical-specific ISACs, manufacturing ISAC, electricity ISAC, energy ISAC. There's just a wealth of knowledge about security best practices and threat intelligence sharing that you could get by being members of these communities. I think also from the government agencies, CISA has developed OT-specific types of threat intel sharing and advisories. And even the tool chains that you have implemented, I think, make sure that they're also capable of ingesting these intelligence sources and also, as a vendor, providing additional OT-specific threat intel. And to a certain degree, there's also AI tools that are continuously thinking about the zero days that nobody has ever seen before. And it's important to have the capabilities to also detect new threats that have not shown up in your IPS or IDS. And really, this concept of sandboxing is even more important, especially as attackers start to use AI.

David Moulton: Del, thinking about our conversation today, what's the most important thing somebody should take away?

Del Rodillas: I think the most important thing is that you should not wait to get started in your journey to OT security. There's certainly a lot of benefits that you could get by starting small, and I would say by starting small is, you know, making sure that that perimeter between your IT and OT interface is secure, and you can get more sophisticated thereafter, but you can get a good payback just by starting with the basics at the boundary. And never ignore the fact that the security is also involving people, and when it involves people, you need to make sure that there's alignment, especially between the IT leadership and the OT leadership. So invest in relationships. Invest in making sure that your leadership is aligned to the initiative of OT security, and make sure you start thinking about the future in terms of your technology stack and not trying to add point solutions together. Think about a platform approach, which will allow you to achieve all of these capabilities in a more cohesive fashion, in a manner that spans across IT and OT, such that there's kind of a homogeneous, more coordinated methodology in terms of implementing a comprehensive security program. [ Music ]

David Moulton: That's it for today's episode of "Threat Vector." I certainly learned quite a bit from our discussion on OT security and hope you, our listeners, have as well. Del, thanks so much for sharing your expertise and insights on how organizations can better protect their critical infrastructure. It's been a pleasure to have you on the show.

Del Rodillas: You know, my pleasure. Thanks, David.

David Moulton: If you've enjoyed today's conversation, please subscribe wherever you listen to podcasts, and don't forget to leave us a review on Apple Podcasts or Spotify. Your feedback really helps us understand what topics you'd like to hear more about. And also, please feel free to reach out to me at threatvector@paloaltonetworks.com with any ideas or feedback. I want to thank our executive producer, Michael Heller, as well as our fantastic content and production teams, which include Kenne Miller, Joe Bettencourt, and Virginia Tran, and a big shout out to Elliott Peltzman, who edits the show and mixes our audio. We'll be back in a week with more insights on the latest in cybersecurity. Until then, stay secure, stay vigilant. Goodbye for now.