It might not have the impact of a Super Bowl game, but a new service from 1898 & Co., the consulting arm of Burns & McDonnell, the engineering, construction, and architectural firm, will put the cybersecurity resiliency ball on the field.
Under the Managed Threat Protection & Response heading, the company offers a “proactive threat hunting and response capability” – a one-stop shop – for companies with critical infrastructure, from electricity and water utilities to oil refineries and oil rigs to pipelines. The new capability is an addition to its existing Managed Security Services (MSS) solution.
1898 & Co. customers receive 24×7, 7×7 monitoring of all potential vulnerabilities in their systems, with a focus on the harder-to-detect intrusions into their operational technology (OT) and industrial control systems (ICS), which are a critical part of the infrastructure and require special attention.
IT and OT “more networked”
Gabriel Sanchez, Manager of Security Operations Center (SOC) Operations and Incident Response, told me that over the years, IT and OT have become increasingly interconnected, increasing the vulnerability of operating systems as IT attackers find more sophisticated and harder-to-recognize ways to hack into systems.
The weakness of OT and ICS is that they can often be made to malfunction without immediate detection. The prime example of this was Stuxnet, the US cyber attack on Iran’s uranium enrichment centrifuges. This attack left Iranian engineers stunned as they watched their centrifuges inexplicably spin out of control.
Sanchez cited a substation as an example. To sabotage one, you once had to physically get inside, he said. Now it can be done by an IT professional with malice and skill.
The response to an IT threat and an OT threat can also be different. As Mark Mattei, director of industrial cybersecurity at MSS, explained, when you have a computer attack, an IT attack, you want to stop it immediately. But with OT, that might not be the smartest thing to do.
Consider this: If the attack is in a limited part of a facility or system, you don’t want to shut down the entire facility or system. If a substation should have an OT dip, you don’t want to shut down the entire grid. If a refinery pump suffered an ICS breach, you don’t want to shut down the entire plant.
Mitigation of damage to OT
Matt Morris, Managing Director of Security and Risk Consulting, said 1898 & Co.’s response to OT and ICS intrusions was, “What can we do to mitigate the damage?”
24-hour monitoring and immediate proactive response are the keys to the company’s new service. 1898 & Co. has been advising on cybersecurity for years, and Burns & McDonnell has a uniquely deep understanding of it, having built so much critical infrastructure. 1898 & Co. operates in environments it is familiar with and over time has developed “playbooks” to identify threats and mitigation approaches.
For utilities, refineries, and municipal systems such as sewage and water, as well as some other municipal government functions, the new cybersecurity package, including OT and ICS, provides security and economic savings.
Mattei explained, “We have a follow-the-sun model, 24/7, 365 days a year, including holidays.” He said that a company installing equivalent surveillance capacity would pay about US$12 million per year, and rising, for the surveillance function alone. Staffing it – finding the talent – would be difficult, he added.
The company is building a SOC in Houston, starting with an initial roster of 60+ professionals. They chose Houston because it is central to much of the critical infrastructure and because of the large talent pool.
Chris Underwood, Vice President and General Manager, said, “Security management for ICS and OT for security is a rare skill for a reason: Critical infrastructure is a highly complex environment.
“Our consultants live and breathe critical infrastructure. We have worked in the industry and for the industry, so we have a deep understanding of its challenges.”