Cybersecurity Experts: A Conversation with Tripwire's Robert Landavazo
You may have read prior expert bylines in our Industrial Cybersecurity blog. In this series, Tripwire experts share their perspectives on the state of industrial cybersecurity. You’ll also learn more about how they've worked with customers to help bolster their network security and optimize their uptime in today’s challenging environment.
In today’s interview, we feature Tripwire cybersecurity expert Robert Landavazo.
You are a relative newcomer to Tripwire. Where were you prior to joining the company?
Most recently I was working at an electrical utility, charged with helping optimize the cybersecurity posture at their facilities. As a matter of fact, it was there that I became familiar with Tripwire products. We used the Tripwire product suite for security and NERC CIP compliance, including Enterprise, Log Center, IP360 and several apps and extensions as well. We benefited greatly and I have to admit I became a huge fan of the tools and their capabilities. So when I had an opportunity to join Tripwire, I jumped at it. It’s been personally very fulfilling for me to be in a position to evangelize the capabilities of these products and help our customers succeed in much the same way as my colleagues and I did in my prior role.
As far as what brought me to the utility, before that I was working in public safety for state and local governments, helping manage 911 and other emergency communications. It was there that I got a taste for the demand for very high degrees of uptime—99.999999 and better. And that’s what got me interested in utilities, because they have that uptime demand on an even larger scale so it is a real challenge. And now here I am at an organization that can help industries of all kinds reach high levels of uptime—manufacturing, transportation, oil and gas and more. And the stakes are high—these verticals all have some mix of business concerns, environmental concerns, equipment concerns, safety concerns and more that are all riding on safe, reliable operation. I’ve been here a little over a year now and it’s been great.
So, you joined Tripwire after the business became part of Belden?
Yes, and that was very timely I think. Even above and beyond the excellent products I could tell that the culture of my new company was exciting and energizing. People were very enthusiastic. Belden, with its 100+ years of industrial experience, was enabling Tripwire—with its 20 years of cybersecurity insights—to readily turn its attention to industrial environments, and deliver proven cybersecurity solutions into an arena that was just burning for them. It was a new chapter for the industrial environment and a new chapter for Tripwire, so a very exciting time to be part of both.
How does the cybersecurity posture you’re seeing at these industrial facilities compare to that of the utilities?
Well, the utilities had the regulatory agencies on them with a whip—with threats of fines that could be a million dollars per day. So that forced them to be aggressive and proactive and dedicate the resources needed to move way, way ahead. Industrial organizations don’t have that “incentive.” In fact, I think it’s reasonable to say that in many ways today’s industrial organizations find themselves facing challenges similar to what utilities might have faced 7-8 years ago. In many ways they are starting their journey to cybersecurity success from scratch. And the fact that industrial organizations are not being “forced” to protect themselves like utilities were is a mixed blessing at best. They find themselves having to create a business case for implementing cybersecurity. They say “What’s my ROI?” And it’s hard to quantify. But the best way we have to answer that is to look at what the cost of an outage is for them, with loss of revenue, wasted materials, labor, missed deadlines and so on. A multi-day incident can easily represent millions of dollars in some industries, and it’s always multiple, multiple thousands. And frankly, the chance of a breach is almost a given at this point—it’s definitely a matter of “not if, but when.” So if the cost of protection is so much less than the cost of even a single modest outage, it seems that the ROI can be quite attractive. And executives are seeing that.
Don’t people in these industrial environments tend to think that they won’t be targets—believing “it’s an IT problem and not an OT problem”?
There is still some of that, but incidents of ransomware like WannaCry have made most people realize that all networks are vulnerable, whether industrial OT or business IT. The evolution of that wishful thinking is OT people saying “Well, I’m a little industrial company; I don’t have to worry. They will go after the big industrial companies.” But the big industrial companies are mostly very well protected at this point, so many medium and small industrial companies have become easy pickings and low-hanging fruit for the hackers. “Hacker target practice,” if you will, just honing their skills for a real challenge, and wreaking havoc on someone’s business without a second thought.
When you visit these industrial facilities, what cybersecurity vulnerabilities do you see looming largest, and what can they do most easily to protect themselves?
It’s really back to basics. For example, many times we see unprotected connectivity between business networks and the plant networks. And of course that’s a huge no-no. So network segmentation is vital. Securing remote access is another common issue. More and more outside vendors are being given access to work on a PLC or other device through a third-party software solution. That can be valuable, but it also opens up a huge vulnerability if it’s not done securely. Reluctance to patch and keep software up to date can lead to issues too. In a plant environment, people don’t want to take the time to stop a piece of equipment running 24/7 for updating. The result is that even commonly deployed pieces of commodity software, like a free PDF reader sitting on an HMI, can cause problems. I’ve seen people with versions that may be years old because they’ve never patched it, and it can be vulnerable. If a technician brings in a laptop with an infected manual and opens it using the unprotected, outdated PDF reader, the network can become infected. Fortunately, all of these common situations are relatively easy to remedy. For example, you can keep the machine going 24/7 and protect it with a mitigating firewall that will help substantially even if you don’t keep software patched and up to date, so you can have your cake and eat it too.