Honeywell weighs in on OT cybersecurity challenges, evolution

TechTarget Editorial sat down with Honeywell's Paul Griswold and Jeff Zindel to discuss the rapid growth and evolution of the operational technology cybersecurity industry.

ORLANDO, Fla. -- The practice of securing operational technology environments is changing rapidly, and Honeywell is changing with it.

The technology conglomerate this week held its Honeywell Connect 2022 user conference, which showcased the company's latest offerings and new strategies across its extensive product lines. Though the conference focused on various aspects of Honeywell's business in the operational technology (OT) space such as industrial performance monitoring and sustainability analytics, Honeywell Connect featured a strong focus on OT cybersecurity that included a pair of new announcements.

Honeywell's Advanced Monitoring and Incident Response (AMIR) solution, launched last year, introduced a new dashboard that provides customers increased visibility into any potential incidents detected as well as any active responses to said incidents. The other announcement is an update to its vendor-agnostic whitelisting tool as well as its rebranding from Application Whitelisting to Cyber App Control.

Honeywell cybersecurity chief product officer Paul Griswold described AMIR's new dashboard as a way to compensate for the skill gap organizations face because "it's very hard to find OT people who understand both cybersecurity and the OT environment." He said the tool lets customers see what Honeywell is seeing in real time rather than solely seeing reports after an incident is responded to.

Though it is only one part of its overall business, Honeywell is one of the earlier vendors to enter OT cybersecurity, the sub-industry dedicated to technologies like industrial control systems and, somewhat more recently, the internet of things (IoT).

TechTarget Editorial sat down with Griswold as well as Jeff Zindel, Honeywell's vice president and general manager of cybersecurity, to discuss how the young space of OT cybersecurity has evolved in recent years.

Paul, you've been with Honeywell for about three years, and for you Jeff, nearly a decade. How has OT security evolved since you joined the space?

Jeff Zindel: I can tell you that over the last nine years, there has been a dramatic change. At the time I joined, there was very little awareness. All the attention was on IT cybersecurity, and "OT security" was hardly being used as a term, if at all. Nine years ago, we were talking about "industrial cybersecurity." Now, people commonly refer to this thing as OT cybersecurity, but then, people didn't have a clue what we were talking about. There was a lack of understanding of these industrial environments. And the prevailing belief was that they were air-gapped, so you didn't need to worry about them.

There were attacks like Stuxnet, which was kind of an eye opener. But I think many people thought it was a one-off nation-state attack. I would say that the awareness was extremely low, and the number of providers in the space focused on industrial or OT cybersecurity was very low. Today, awareness is pervasive. It's widespread. And that's an awareness of, I think, the number of attacks on these OT environments, and the potentially devastating or costly consequences of an incident in the OT environment. Now we have awareness at the board level and C-suite on down.

Paul Griswold: I started Honeywell on Jan. 21, 2020. In the three years I've been here, one of the things that I've seen is the acceleration of remote operations. Secure remote operations were really driven by COVID-19, which started six weeks after I joined. For example, some environments that were previously air gapped now needed connectivity. That's a big thing. I also think events like the Colonial Pipeline and Oldsmar attacks are opening the eyes and gaining the attention of boards of directors. And they're coming in and saying that they can't have disruption to production or a disruption to distribution. They're also saying that to the CIOs and CISOs, not the plant-level guys, which gives the enterprise group, so to speak, the ammunition and, a lot of times, the budget to start having conversations and to get an idea of their security posture. And a lot of times, they'll be kind of scared of what they find. But it at least drives things forward.

The common reasons cited for OT security lagging are that industrial equipment is built to last decades rather than years, that unplanned patching can shut down critical equipment for days at a time, and that many organizations in the OT space don't have developed security postures. Is this gap getting smaller?

Griswold: I think it depends on the company. There are still a lot of companies out there who aren't doing patching or antivirus at all on the OT side. They suddenly get visibility into all the things they've been missing, and at least they have something to work with. But at the same time, they have that knowledge of what needs to be done. Every company is at a different point in their journey. I think as a trend overall, yes, it is getting better. But you still have the same challenges.

Zindel: Generally speaking, OT cybersecurity is still in its infancy. If you look across the landscape, many of the fundamentals that you take for granted in IT cybersecurity are not yet in place in the OT world. Network segmentation is still being worked on. There are still flat networks out there, and there's no clear delineation between IT, OT and IoT. And while the awareness has increased -- and I think that the need and desire is increased -- the actual implementation of OT security is still lagging significantly. The good news is that the recognition is there, and people are starting to embrace it.

To some extent, though, do you think one potential sign of the industry maturing is that organizations are starting to have conversations about converging their IT and OT security operations into a single security team?

Zindel: Absolutely, and there are so many benefits to that. You've got IT, which has been doing security for a long time in every one of these organizations -- years or even, sometimes, decades. The OT side can learn from them and benefit from that experience and expertise. That's one benefit. The other is visibility.

Griswold: There are great conversations happening. Some of the worst experiences that we have seen with our customers is where IT comes up with an edict and says, 'This is what we're going to do, and we're going to make all the plants do this,' when they have no idea what a plant even looks like. That's where you have cloud-connected backup solutions showing up and the plant [staff] says, 'We don't have an internet connection.' I think it's about getting past that where it's not IT saying 'thou shalt' -- it's really more about saying, 'This is the problem we need to solve, and [let's figure out] the best way to solve it for OT.' And then it's about staffing up a team and having people with the knowledge and credibility to actually make it happen versus just being a written policy nobody looks at.

What are people on the ground floor talking about right now in terms of OT security?

Zindel: We are seeing a big demand and a need for greater visibility around threat detection as well as indicators of compromise. While the focus continues to be around protection, there's a heavy emphasis now on detection. Whether it's continuous monitoring or whatever the solution may be, organizations want eyes on vulnerabilities, threats and risk so that they can accelerate the time to eradicate, remediate or contain. That's a big, big shift in demand, and we're getting requests from customers about how we can help them. And that's good, because they realize they can't protect everything and that they need to have a better sense of what's happening in their environment in order to rapidly respond.

Griswold: I agree with that. I think the other thing is that we're seeing people talk more about asset discovery. The people running the processes know the assets and they can name them off, so that's not necessarily a new thing for them. But on the corporate side, they don't know the asset. It kind of goes from night to day -- where, at first, you had no visibility in this completely dark environment. And now you're getting a bunch of additional information. I think that discussion is more on the corporate side, but that enterprise view of the assets is certainly something that's gaining a lot more steam.

Editor's note: This interview was edited for clarity and length.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
