I spoke with Barry Mainz, CEO of Forescout, about the key trends impacting security in operational technology (OT), which is the process of using hardware and software to monitor and control industrial equipment. OT primarily interacts with the physical world, in contrast with IT deployments that focus on the software stack.
A core part of the OT process is, of course, cybersecurity. Mainz explained Forescout’s approach to OT security: “We provide the ability to take a look at what assets are on your network. We can classify them, tell you what they are, what version, and we help people assign risk to that.
“So based on the [network] behavior, is there a risk profile that you prefer and not prefer? We give companies the capabilities to detect and respond, and then we have control. If someone comes on the network and we don’t like what we see, we can block them.
“We do that for not only managed devices, but here’s what’s turning out to be really exciting: we also do that for unmanaged devices without an agent. So that could be OT devices or IoT devices.” This ability to manage a mixed set of devices enables a wider range of OT cybersecurity.
Interview Highlights: Forescout CEO Barry Mainz on Operational Technology and Cybersecurity
This interview took place at the recent RSA Conference in San Francisco. The comments below have been edited for length and clarity.
IT and OT: Working Together
Traditionally, there’s been a separation between the OT staff and IT staff, and Mainz sees this shifting in a positive manner.
“I think there are organizational structure changes that we’re starting to see. Because in a typical organization you have the IT folks, they report up through CISO, and there is an OT division, which often reports up to the COO or something different.
“And we’re starting to see some structural changes based on: we’ve got to bring these [two groups] together a bit. Maybe not completely, but let’s put in some routines that we build upon. Let’s ask, how do we measure risk? How do we do things as a company? Hey, the government has come to us and said, ‘we’ve got to disclose,’ what does that mean?
“And so I think we’re starting to see a lot of the routines change on how [management] looks at the business. I’ve even seen one company, I thought it was pretty clever: they’re moving people from IT, moving them into OT.”
This sense of a combined focus on operations offers great potential, Mainz said. Companies are asking, “How should we be thinking about the reporting? What tools and technologies should we use? And that seems to be working. There’s three or four companies I know that are starting to do that.”
The Challenges of OT Security
“About 10 months ago it started popping up that the embedded operating systems were showing that they were being exploited. And the embedded operating systems are the ones that are in the critical infrastructure in planes, trains, and automobiles, they’re more vulnerable – they’re very vulnerable.
“And they’re hard to fix. Let’s say you have a bunch of PLCs (programmable logic controllers) in a device that’s in a manufacturing plant. You could have 4,000 of those things. How do you update? They’re hard-coded in. So it makes it more complicated and a little more challenging to say, ‘What do we do?’”
The problem, Mainz explained, is that OT staff may not even know the exact location of these compromised devices because they’re built into a larger structure. “It’s in an industrial robot, for example. That’s a headache,” Mainz said. “It’s like I’ve got to take the thing apart to go find it. So there are some challenges, physical challenges, and I do feel like we’ve got to get our arms around it – let’s put together some solutions. Let’s be smart about it. And the good news is, at Forescout, we have solutions that can help them today.”