Infrastructure and Cybersecurity: How to Secure Essential Systems, Networks, and Assets

At the 2022 Israel ICS Cybersecurity Summit, experts explained how government and business leaders can effectively and practically secure essential infrastructure systems, networks, and assets.

Air Date: June 27, 2022

Moderators: Danny Lacker, Head of the Water Security and Emergency Division, Israeli Water Authority, Yariv Halpern, Technology Strategist - IoT Security, Microsoft Defender, Israel Baron, VP of Customer Relations, Cervello

Featured Guests: Dadi Gertler, Executive Director of Technology Systems, Israel National Cyber Directorate (INCD), Ann Dunkin, Chief Information Officer, U.S. Department of Energy, Brian Gattoni, Chief Technology Officer, CISA, Yosi Shavit, Head, ICS Cyber Security Department, Israel Ministry of Environmental Protection, Dimple Shah, Senior Director for Global Technology and Privacy Policy, Honeywell International, Inc., Tung Nguyen, Director of Information Security, Denver Water, Christophe Blassiau, Senior VP Cybersecurity & Global CISO, Schneider Electric, Dan LaGraffe, Deputy Chief Information Security Officer, United States Department of Energy, Daniel Trivellato, Vice President, OT Product and Engineering, Forescout, Omri Lazarovich, ICS Cybersecurity and Infrastructure Team Leader, ICL Group, Matthew Bohne, Vice President, Chief Product Security Office, Honeywell Corporate, Jeff Farney, Vice President Information Technology, Southwest Water Company, Matthew Myrick, Lawrence Livermore National Laboratory (LLNL) Chief Information Security Officer, United States Department of Energy, Trevor H. Rudolph, Vice President for Global Digital Policy & Regulation, Schneider Electric, Eric Meyers, Vice President and Chief Information Security Officer, New York Power Authority, Antoine d'Haussy, OT Security Practice Head, EMEA, Fortinet, Rafail Portnoy, Chief Technology Officer, MTA, Tariq Habib, Chief Information Security Officer, New York Metropolitan Transportation Authority, Miki Shifman, CTO and Co-Founder, Cylus, Dhanya Thakkar, Senior Vice President, Asia Pacific, Middle East and Africa (AMEA), Trend Micro, Michael Dietz, Product and Solution Security Officer, Siemens Mobility Customer Service

As infrastructure becomes more reliant on technology, critical systems around the globe are facing more threats than ever. Energy, utilities, finance, healthcare, transportation, and smart cities are all at risk without a strong focus on cybersecurity from public and private sector leaders. Because these attacks are borderless, this is not an issue one country can address alone.

As part of Cyber Week 2022, world leaders and cybersecurity experts recently gathered at Tel Aviv University for the Israel ICS Cybersecurity Summit. Together, they discussed how government and business leaders could effectively and practically implement proper global cybersecurity initiatives amid current global challenges and threats.

Cybersecurity Threats Are Real and Urgent

Cybersecurity is often deemed a lower priority for governments due to its lack of visibility. Unlike infrastructure, supply chain delays, and war, the consequences of a lack of cybersecurity are not visible until it is too late. Dimple Shah, the Senior Director for Global Technology and Privacy Policy at Honeywell International, Inc., gave stark examples of just how important it is for governments to address this issue.

"There are real threats," said Shah. "These threats today have the ability to bring any civilization to its knees. If you poison the water well, the people will not have access to water. If you cut off a pipeline, people will not have access to oil and gas. [Honeywell has] seen proposals involving cyber incident reporting to governments [globally]."

Dan LaGraffe, Deputy Chief Information Security Officer of the United States Department of Energy, emphasized the point by advocating for more collaboration between governments.

"The threats are global, [and] the threats know no boundaries whatsoever," said LaGraffe. "In order for us to collaborate with allies, we would want to see a little bit more consistency with some of the requirements across the board so that we can better collaborate and better share information."

OT Threats Must Also Be Monitored

Many cybersecurity solutions are focused on information technology (IT) protections. However, cyberattacks such as the Colonial Pipeline breach are operational technology (OT) attacks. OT primarily refers to machine usage and hardware systems. And while government policy regarding cybersecurity has in the past pertained to IT, Trevor H. Rudolph, the Vice President for Global Digital Policy & Regulation at Schneider Electric, sees this beginning to shift.

"The schemes [of the EU Cybersecurity Act] really focused on IT," said Rudolph. "They're virtually silent on OT, in my assessment. What you're going to start to see over the next couple of years is horizontal legislation in the [EU]."

"[In] the resilience act that they're talking about already, the electricity code [is] essentially going to provide … a wrap-around to some of the existing regulation and target more OT systems and products to be more complementary to the cybersecurity act," Rudolph continued.

Vendors Need to Work With IT and OT

Tariq Habib, Chief Information Security Officer for the New York Metropolitan Transportation Authority (MTA), stressed that IT, OT, and vendors need to work together to find solutions. Habib stated that IT and OT currently work in separate silos, which runs counter to innovation and protection. To be fully protected, IT and OT need to form a symbiotic triangle with key vendors to accomplish true security.

"The narrative has to change — OT and the vendors have to come together," said Habib.

He talked about how this is a major issue at larger companies, such as the MTA, where they keep IT and OT cybersecurity operations separate and use different internal and external vendors.

"These two entities within the larger vendor population are not talking to their cybersecurity team, the product integration, or the product teams in general," Habib continued. "So until those two people talk together, there's not going to be a conversation that's going to work."