June 27, 2022
Executive Director of Technology Systems, Israel National Cyber Directorate (INCD)
Chief Information Officer, U.S. Department of Energy
Chief Technology Officer, CISA
Head, ICS Cyber Security Department, Israel Ministry of Environmental Protection
As infrastructure becomes more reliant on technology, critical systems around the globe are facing more threats than ever. Energy, utilities, finance, healthcare, transportation, and smart cities are all at risk without a strong focus on cybersecurity from public and private sector leaders. Because these attacks are borderless, this is not an issue one country can address alone.
As part of Cyber Week 2022, world leaders and cybersecurity experts recently gathered at Tel Aviv University for the Israel ICS Cybersecurity Summit. Together, they discussed how government and business leaders could effectively and practically implement proper global cybersecurity initiatives amid current global challenges and threats.
Cybersecurity Threats Are Real and Urgent
"There are real threats," said Shah. "These threats today have the ability to bring any civilization to its knees. If you poison the water well, the people will not have access to water. If you cut off a pipeline, people will not have access to oil and gas. [Honeywell has] seen proposals involving cyber incident reporting to governments [globally]."
Dan LaGraffe, Deputy Chief Information Security Officer of the United States Department of Energy, emphasized the point by advocating for more collaboration between governments.
"The threats are global, [and] the threats know no boundaries whatsoever," said LaGraffe. "In order for us to collaborate with allies, we would want to see a little bit more consistency with some of the requirements across the board so that we can better collaborate and better share information."
OT Threats Must Also Be Monitored
Many cybersecurity solutions are focused on information technology (IT) protections. However, cyberattacks such as the Colonial Pipeline breach are operational technology (OT) attacks. OT primarily refers to machine usage and hardware systems. And while in the past, government policy regarding cybersecurity has pertained to IT, Trevor H. Rudolph, the Vice President for Global Digital Policy & Regulation at Schneider Electric, sees this is beginning to shift.
"The schemes [of the EU Cybersecurity Act] really focused on IT," said Rudolph. "They're virtually silent on OT, in my assessment. What you're going to start to see over the next couple of years is horizontal legislation in the [EU]."
"[In] the resilience act that they're talking about already, the electricity code [is] essentially going to provide … a wrap-around to some of the existing regulation and target more OT systems and products to be more complimentary to the cybersecurity act," Rudolph continued.
Vendors Need to Work With IT and OT
Tariq Habib, Chief Information Security Officer for the New York Metropolitan Transportation Authority (MTA), stressed that IT, OT, and vendors need to work together to find solutions. Habib stated that currently, IT and OT work in separate silos, which is a countertenor to innovation and protection. To be fully protective, IT and OT need to be a symbolic triangle with key ventures to accomplish true security.
"The narrative has to change — OT and the vendors have to come together," said Habib.
He talked about how this is a major issue at larger companies, such as the MTA, where they keep IT and OT cybersecurity operations separate and use different internal and external vendors.
"These two entities within the larger vendor population are not talking to their cybersecurity team, the product integration, or the product teams in general," Habib continued. "So until those two people talk together, there's not going to be a conversation that's going to work."