Securing Industrial Operations!
In the industrial operations sector, where technology and operational integrity converge, cybersecurity resilience emerges as a critical necessity. Protecting operational technology (OT) and industrial control systems (ICS) becomes increasingly essential as industries evolve. This domain, filled with complexities, requires both technical expertise and a profound understanding of operational contexts and business constraints.
In this challenging sphere, seasoned strategists like Camilo Gómez play a pivotal role in handling obstacles and fostering resilience. As Global Cybersecurity Strategist at Yokogawa, Camilo’s journey reflects the evolution of cybersecurity in industrial settings. With a background rooted in managing service delivery and leading secure technical integrations, his course highlights the crucial role of cybersecurity in shaping operational landscapes.
His experiences, spanning diverse environments from onshore oil & gas facilities to offshore platforms, shed light on the diverse nature of cybersecurity within industrial operations. In the pursuit of cybersecurity excellence, strategy is as crucial as execution. For Camilo, driving cybersecurity resilience into every phase of the OT business lifecycle is not just a slogan but a guiding principle.
As industries navigate evolving threats and technologies, his unwavering commitment to nurturing collaboration, embracing advancements, and championing resilience reflects a transformative approach to cybersecurity in industrial domains.
Let’s explore Camilo’s journey in cybersecurity from intriguing challenges to operational integrity:
Journey into the World of Cybersecurity
In the late 1990s, after several years of developing data network & telecom solutions and services in support of oil & gas field operations in the US, Latin America, and the Caribbean, Camilo was tasked with leading the secure technical integration of corporate networks during the business merger and acquisition of an oil & gas major. This involved ensuring secure, full integration on day one of the merger and acquisition.
Subsequently, as the internet became adopted as a connectivity alternative by corporations, Camilo focused on designing and implementing regional extranets to securely interconnect the corporation with engineering firms and construction sites involved in building O&G onshore and offshore production facilities.
It was then, during a cybersecurity assessment of the IT infrastructure of an offshore platform at a construction site, that a project manager approached Camilo. He noticed that the equipment in the process control rack for the facility oddly resembled the equipment in the IT rack and wondered if it should also be cybersecurity evaluated.
Navigating the Challenges of Industrial Operations
What initially inspired Camilo to specialize in OT/ICS cybersecurity was the intriguing combination of challenges and experiences posed by computing and communication technologies, perceived, at first, as black boxes. The complexity of these technologies, not only in terms of cybersecurity but also in maintaining operational integrity, fascinated him deeply.
Moreover, his firsthand experience supporting field operations in incredibly demanding environments further fueled his interest. He has supported industrial operations situated in regions of high geopolitical volatility, frontier areas with harsh weather conditions, and even deep-sea installations inaccessible to humans. Such hazardous environments handled materials vital for producing and transporting energy and other essential resources, which were critical for society.
OT/ICS cybersecurity goes beyond textbook knowledge; it requires a deep understanding of the business intricacies, operational contexts, and constraints of the industrial environments where the OT technology is implemented. This expertise is gained through direct experience and an immersive understanding of the operational landscape. This is a field where the “been there, done that” approach is crucial.
The most rewarding aspect of working in OT cybersecurity for Camilo is the opportunity to effect positive change and contribute to larger-scale improvements. By enhancing cybersecurity practices in critical infrastructure and operational environments, he can play a role in making these systems safer and more resilient, ultimately benefiting society.
The Continual Process of Cybersecurity
Cybersecurity is often perceived as highly complex and challenging, yet its foundational principles have been established for over two decades with minimal changes. Despite this, organizations do not consistently practice or fully implement and maintain these principles.
Cybersecurity is not a one-time endeavor for Camilo; it’s a continual process akin to other critical business functions. It demands discipline—requiring careful planning, design, correct implementation, ongoing support, and maintenance. Just like safety, organizations must exercise cybersecurity continuously to remain effective.
Many organizations focus solely on prevention, neglecting the fact that cybersecurity is fundamentally risk management. Being prepared to respond to cyber threats is equally important for Camilo. Ignoring this reality can lead to severe consequences, including costly cyber compromises.
Cyber risk management encompasses both proactive and reactive strategies for Camilo. The process starts with implementing robust preventive measures and response protocols to strengthen defenses and address vulnerabilities, thus mitigating cyber threats.
It involves developing detection capabilities to rapidly identify breaches and responding promptly to contain incidents, minimizing business disruptions. Following containment and recovery efforts, post-incident reviews are conducted to glean insights for refining future response strategies and enhancing overall risk management.
Balancing Diverse Viewpoints on Cybersecurity
Facing challenges is a constant part of the career of every cybersecurity professional. A recent example is Camilo’s engagement with the Open Process Automation Forum (OPAF), where he co-chairs the Security Subcommittee and is editor of Part 2 – Security of the Open Process Automation Standard (O-PAS).
OPAF is not only standardizing the next generation of process control technologies but also paving the way for easier adoption of IT technologies into the OT space. The forum consists of end-users of OT technologies, OT system integrators and product suppliers, IT system integrators and product suppliers, and others eager to participate in the OT space. OPAF has demonstrated a steadfast commitment to cybersecurity since its inception. However, it faces the common challenge of accommodating diverse stakeholder viewpoints on cybersecurity. Some stakeholders prioritize security as an end-user prerogative, believing that not all scenarios require stringent security measures. On the other hand, some view security as paramount, advocating for a comprehensive approach with security integrated from the outset, incorporating the highest levels of security capability.
Leading stakeholders to recognize that cybersecurity is an enabler, not a roadblock, that the functionality defined by the O-PAS standard is built around cybersecurity capability, and that having a baseline level of cybersecurity is necessary to enable interoperability of the functionality defined has been a journey for Camilo.
This is a successful journey where cybersecurity thinking is fully ingrained and developed everywhere in the O-PAS standard development process, from the definition of functionality to the certification of products.
The Fundamental Role of Cybersecurity Standards
The role that cybersecurity standards play is fundamental not only for building cybersecurity in organizations and products but also for stepping up what Camilo calls end-to-end supply-chain cybersecurity. This is one where one person’s ceiling is another person’s floor and where everyone is both a consumer and a supplier.
The ISA/IEC 62443 Cybersecurity for Industrial Automation & Control Systems Series of Standards is the most compelling example. A standard initially developed for the process industries in the O&G and chemical sectors, it was rapidly adopted by the electrical, transportation, manufacturing, pharma, and other sectors, and by other standards.
The success of the ISA/IEC 62443 series is precisely due to the fact that it addresses cybersecurity for all stakeholders: end-users, system integrators, service providers, and product suppliers. It effectively helps organizations with all levels of cybersecurity maturity, from those looking to build cybersecurity for the first time to those looking to enhance their maturity.
In times when supply-chain cybersecurity is a hot topic, one of the most overlooked aspects is the role that the ISA/IEC 62443 standard and product certification have played in building and stepping up cybersecurity in the OT end-to-end supply chain, from end-users to product suppliers, in comparison with the IT space, where certification and standard consensus are not prevalent.
An integral part of Yokogawa’s strategy and commitment to cybersecurity is illustrated by its continuous contribution to the development of cybersecurity standards and cybersecurity certification of products for the OT/ICS space. Yokogawa has been actively contributing to the international committees developing the ISA/IEC 62443 standard since 2005 and is a founding member of ISCI, the consortium developing the ISASecure Certification since 2007.
Embracing Cybersecurity Advancements in the OT Industry
For Camilo, staying updated implies being both outward and inward-looking: looking outward to the OT industry and IT technology developments and looking inward to Yokogawa’s internal innovation developments, as well as the adoption of emerging IT technologies and cybersecurity advancements.
Staying aware of the advancements in the OT industry, the cybersecurity space, and emerging IT technologies are all very important to him. This is a time when the adoption of IT technologies and cybersecurity advancement in OT solutions are at inflection points. Today, the so-called IT technologies such as AI, cloud, virtualization, and containerization, for example, permeate both IT and OT solutions. It is not that solutions in the IT space and the OT space are converging but that they both use the same underpinning technologies.
In OT/ICS cybersecurity, both technology and operational context are very important to him. After all, one cannot secure what one doesn’t understand. There are several concurrent advancements in the OT space, such as Industry 4.0, NAMUR, OPC UA, and OPA. They all incorporate cybersecurity in some way or fashion, from requirements to specified, mandatory security capabilities. However, in context, they may differ from, augment, or complement each other. Interestingly, they are all aligned or mapped to security capabilities in the ISA/IEC 62443 standard.
Similarly, Yokogawa’s innovative solutions, such as distributed control systems, safety instrumented systems, and a collaborative information server, which unifies data across an enterprise, fully incorporate cybersecurity in some way or fashion, from cybersecurity capabilities to supporting managed cybersecurity services and solutions. Typically, Yokogawa has obtained ISASecure certificates for those sorts of platforms and ISASecure SDLA for the development process.
Yokogawa also focuses on delivering long-term lifecycle services while understanding customers’ challenges and working continuously for improvements in a close partnership. Yokogawa follows one overall objective: to minimize risk and maximize corporate values according to the self-commitment as a lifecycle value partner. Yokogawa aims to become the end-user’s #1 trusted partner and achieve long-term, stable, and secure operations.
The broad-based lifecycle cybersecurity services include consulting services and an IT/OT security operations center (SOC). The SOC provides a proactive defense with the detection of known and unknown risks and rapid response to incidents.
Integrating Cybersecurity Resilience into Business Lifecycle
One of the most inspiring aspects of Camilo’s management of cybersecurity in the OT space is the mitigation of cybersecurity risks that can escalate from corporate impacts to broader societal consequences. This underscores the importance of integrating cybersecurity resilience into every stage of the business lifecycle—from the capital projects implementing OT technologies to multiyear field operations utilizing them. Each stage of the business lifecycle presents a vital opportunity to ensure that cybersecurity is seamlessly integrated into the design, implementation, and operational processes.
An important business consideration often overlooked by organizations, as observed by Camilo, is the significant disparity in budget allocation between capital projects and ongoing operations, particularly in operational technology (OT) environments. Capital projects typically receive higher budgets compared to operational phases. Thus, the opportunity to do cybersecurity right from the beginning starts with the projects, not in operations.
Delaying cybersecurity conception, design, and implementation until the operational phase can pose substantial challenges and result in increased costs, as per Camilo’s observation. Cybersecurity then becomes an added layer rather than being integrated from the start, which can be less effective and more costly to retrofit into existing systems.
Fostering Collaboration through Cybersecurity Integration
For Camilo, a key strategy to foster collaboration and alignment is integrating cybersecurity thinking into business processes, starting with those he can directly influence. In his role, he works with other strategists researching and developing advancements in OT technology such as Open Process Automation (OPA), industrial automation to industrial autonomy (IA2IA), robotics integration platforms, and several others.
He influences and assists internal product and solutions development teams, advises project and engineering teams, and builds reference architectures. He supports cybersecurity conversations with customers and motivates and inspires others to follow.
In his experience, decomposing cybersecurity complexity to make it simple and relatable has been instrumental in influencing his direct stakeholders to ingrain cybersecurity thinking in their business processes and helping him promote cybersecurity thinking throughout the whole organization.
Understanding OT Systems
As Camilo has mentioned before, OT cybersecurity is not something one can simply learn from a book. Thus, if one doesn’t already have the background, it’s important to learn what OT systems do and how they work. One should understand what PID is and the difference between closed-loop and open-loop, for example. It’s crucial to learn how OT environments operate. One should get acquainted firsthand with the operational intricacies of OT environments, such as safety, permit to work, management of change, and operational excellence, among many others. This is a challenging function that requires discipline. It is very rewarding to make a difference and help others practice cybersecurity. Like safety, cybersecurity is everyone’s responsibility and something we should exercise continuously.
The Role of Strategy in Cybersecurity Improvement
Camilo’s guiding principle is to embed cybersecurity resilience into every phase of the OT business lifecycle. “Effective cybersecurity starts with a robust foundation and thrives through continuous support and maintenance,” is his motto.
In his view, a carefully planned and diligently executed cybersecurity strategy forms the basis for continuous improvement. An adeptly crafted OT cybersecurity strategy evolves seamlessly with technological, operational, and business changes, promoting continuous adaptation and enhancement.