End-to-End OT SecOps Transforming from Good to Great

Transforming From
Good to Great
End-to-End OT SecOps

Jim Guinn, II
Accenture
Senior Managing Director
LinkedIn: @Jim Guinn, II | Twitter: @jimmy_guinn
Our improvement journeys are all
different, but our end goal is the same –
achieve operational integrity and cyber
resilience.
We are honored to have so many senior leaders
and cybersecurity OT experts involved with this
summit, sharing their experiences and insights
to help others achieve the goal. The outpouring
of support for this event has been amazing. It
demonstrates how important knowledge
sharing and community involvement are to
moving the needle on industrial cybersecurity.
What follows are key takeaways from each
session. Bold statements from OT cybersecurity
practitioners based on real-world experience
advancing programs and tackling the same
challenges facing your organization.
We all know a lot can go wrong in an OT
environment, which can impact health, safety
and the environment. The last year has
highlighted just how vulnerable our critical
infrastructure is to cyber threats. And there's
absolutely no question that if any of these
attacks are successful, HSE issues can ensue.
Cybersecurity can no longer be an afterthought.
It must be top of mind, always.
As you read through this document and listen to
the replays, think about your upcoming projects
and operational objectives and consider
reframing your discussions to incorporate
security.
For example: “As we adopt 5G to gain extra
bandwidth, how do we do that securely?”
“We are planning to increase production
securely.” “We need to enhance our operations
securely with the use of robotics.”
If we just embed the word security in everything
we talk about and in everything we do, it then
comes to the forefront of our minds.
Review this guide. Share the on-demand
content. And reach out if you have questions or
just need a sounding board. My team is ready to
collaborate to advance your program for
whatever is next.
Cheers,
“There’s absolutely
no question that if
any of these
attacks are
successful, HSE
issues can ensue.
Cybersecurity can
no longer be an
afterthought.
It must be top of
mind, always.”
Jim Guinn, II
Copyright © 2022 Accenture. All rights reserved. 2
Watch the summit >
Introduction

Session
Overview
The Cybersecurity Imperative: Why embrace it?
Transforming from
good to great
Building and growing an OT SecOps program
takes vision, buy-in and budget. This track
explores how to take your program to the next
level. The discussions are intended to spark
conversation and this guide highlights key
takeaways on what works, what doesn’t and
what’s next.
The agenda covers:
• starting strategically (where and what)
• harnessing innovation (tools and tech)
• pacing progress (expectations and comms)
• winning over stakeholders (and budget)
• reporting what matters (scope and scale)
Cybersecurity as a public-private team sport
Why automation is the future of OT security
How to survive transformation day 2
Win hearts, minds and funding for your projects
End-to-end cyber risk management
Automation—In promise, in practice
Opening Keynote
Operation: Next ‘22
Fundamentals & Structure
Innovation & Technology
Case Study
Project Execution
Investment & Risk
Closing Keynote
End-to-End
OT SecOps

It’s impossible to
have every angle
nuanced…
Get your four to
six critical assets,
critical processes
really understood
and quantify the
financial risk.”
Bob Dudley
“
Muqsit Ashraf
Accenture
Bob Dudley
Former CEO, BP
Speakers
The Cybersecurity Imperative:
Why embrace it?
Breaches continue to climb despite
billions invested in cybersecurity. Are
companies investing in the right
security priorities?
Bob Dudley provides his thoughts on why it has
taken so long for executives to wake up to the
challenges and what is needed to make
cybersecurity a strategic priority for executives
and the board.
Key takeaways:
• For a long time, cybersecurity was viewed as
a technical problem, rather than seen as an
operational risk and business continuity
concern.
• Priorities are changing as breach
implications become more significant,
including emerging case law that holds
boards and executives accountable.
Opening Keynote
• Boards need to understand the problem, the
language and the financial implications to a
company. Time to move away from showing
the board basic activity dashboards and
begin reviewing the critical assets and
business processes that are most vulnerable
and quantify that risk.
• Big wake-up call was when Accenture was
able within a few weeks to take over BP’s oil
refinery control systems. Immediately
created a world-wide task force to update
our asset security program. It took time and
significant culture change to implement.
• Crisis Management exercises helped our
executive teams understand the
communications process was far more
complicated than they expected.
Watch the full session on-demand >

“
Rick Driggers
Accenture
Angela Haun
ONG-ISAC
Speakers
This is just too
complex of an issue
and dynamic and
changing to go it
alone. You can’t
know everything, but
you can benefit from
what others know.”
Angela Haun
Cybersecurity as a
public-private team sport
It’s no secret that public-private partnerships are
complex and can be hard to manage, but with a
few changes and stronger involvement they can
be incredibly valuable to companies seeking to
improve their cyber resilience.
• There are many different partnership models
available. Companies need to determine what
models works for them and get involved.
• Information sharing, such as indicators of
compromise, and dispersing vulnerability
patches are scalable prevention strategies
that public-private partnerships can support.
• Govt. and other partners can help make
prevention measures that require greater
resources, such as tabletop exercises, more
accessible for those with limited resources.
Fundamentals & Structure
• DOE and DHS are conducting national exercises
to provide guidance and assistance to
companies.
• Greater investment in the 27 existing ISACs and
access to more intel is needed to help members
improve resilience.
• To assist SMBs, govt. needs to make it less
confusing about where to go for cybersecurity
guidance.
• It behooves large companies to share threat intel
and offer guidance to SMBs in their supply chain.
• To improve information sharing, the process
needs to be easy, simple and worth the effort.
This can include removing blame and
retributions for being a victim, which causes
many companies to stay quiet about incidents.

Involve the engineers.
When they have a real
sense of ownership of
the problems and
solutions, then you’re
definitely going to get
better adoption.”
Russell Richardson
“
Byron Chaney
Accenture
Jason Holcomb
Accenture
Trevor Houck
Accenture
Russell Richardson
Duke Energy
Speakers
Why automation is the
future of OT security
Are OT environments ready for SOAR?
Experienced panelists discuss the opportunities
security automation brings to OT asset inventory,
SOC operations and threat response, and how to
counter challenges from OT engineers.
Challenges
• Attitudes toward cybersecurity is the biggest
issue. Engineers are skeptical, concerned and
protective of their systems. Educating, listening
and building trust is the path to adoption.
• Build a test lab to replicate systems and
demonstrate that your tools will not break their
assets. Then move to a pilot at a small location,
building up to larger ones.
• Start with passive activities (log collection) to gain
acceptance, then move to active measures
(queuing devices).
• Introduce engineers to some form of cyber
informed engineering to help drive them to more
secure design.
Innovation & Technology
Automation in OT Asset Inventory
• With thousands, even millions of assets, complete
visibility is a significant challenge. Gathering details
can be a significant effort. Once compiled, SOAR
tools can be used to enrich that inventory data.
• Automation can take a vulnerability notice and
immediately search the inventory and identify
vulnerable assets replacing a manual effort.
Automation in SOC Operations & Threat
Response
• Can correlate security alert data from a passive
OMS network sensor with an existing data feed.
• SOAR tools include thousands of built-in IT
integrations. Python scripts can be written to
integrate OT devices.
• Tools include human-in-the-loop functions that
ensure no action is taken without human approval.
These can be set as simple or complex as you
need them to be, based on your IR playbooks.

“The CISO is only a
facilitator, an enabler
[for digitalization
efforts]. Ultimately,
it’s the business/risk
owner who must
make the decision
and has to set the risk
at the right level.”
Rosa Kariger
Ruud Gal
DSM
Rosa Kariger
Iberdrola
Samuel Linares
Accenture
Speakers
How to survive
transformation day 2
Companies have achieved some level of
digital transformation, now many are
reflecting on the real outcomes of their
efforts and asking, “what’s next?”
Two seasoned security leaders provide their
insights:
• Mature companies that focused on the technical
side of security now need to get the business
more involved.
• When dealing with digitization of existing
assets/programs, it’s important to assign clear
roles and responsibility for risk within the
business lines. They need to take the lead to
ensure security measures are embedded in their
projects.
• Need to make business lines aware of cyber risk
by explaining it in their language – security is
ultimately part of protecting their assets.
Business directors should be able to
communicate risk directly to leadership and
explain the cybersecurity measures in place.
Case Study
• In addition to defining technology and standard
architectures, spend time on change management,
update governance models and invest in training.
• To get board approval for investments, provide risk-
based plans with options for execution, along with
performance details on prior projects (demonstrate
your success).
Future Challenges/Needs
• Digitalization in operations will drive the company’s
agenda. Makes sure your strategy has cybersecurity
embedded into every aspect of your business.
• Security will become more complicated as the
ecosystem grows more complex.
• OT/IT convergence is happening and the OT
environment will move to the cloud.
• More important to understand and account for 3rd
party risk. Your future infrastructure must be in line
and ready to work with external parties.
• Work towards stronger collaboration and information
sharing with other companies.

It’s important to have
your facts grounded,
but many people are
influenced
emotionally and at
the same time…it’s
about having enough
credibility.”
Michael High
“
Andy Bochman
Idaho National Laboratory
Michael High
Shell
Laura Schepis
JEA
Speakers
Win hearts, minds and
funding for your projects
Expert panel offers advice on how to
get buy-in for cybersecurity projects
and role plays two request scenarios
using different approaches.
The IT/OT convergence conversation can be
painful, but worth it. Making change requires
both EQ and IQ. There are different ways to
persuade. Pathos, Logos, and Ethos are three
strategies commonly employed.
Pathos persuades using emotion.
• Align project benefits to a positive impact on
people.
• Use analogies to make an idea or issue
relatable.
• Acknowledge what issue you might
encounter and directly ask for involvement
to resolve.
Project Execution
Logos persuades using reasoning or logic.
• Present absolute risks versus relative risks.
• Identify what you have and how it limits you or
makes you vulnerable but avoid heavy technical
detail.
• If peers have invested in similar technology,
share how they are benefiting.
• Discuss the maturity of the program and if there
are limitations, how will they be resolved.
• The use of a pilot can be a great incentive to get
buy-in, as long as you don’t have a poor pilot
track record.
Ethos conveys credibility and authority.
• When it comes to getting funding, having a
successful pilot or implementation you can point
to and having enthusiastic users wins the day
when it comes to convincing stakeholders.

“Cybersecurity is not an
individual sport, it’s a
team sport, and we
need to push for more
collaboration,
information sharing
and having an
ecosystem attitude
toward cyber.”
Felipe Beato
Felipe Beato
World Economic Forum
Brent Hambly
Accenture
Jesus Sanchez
Naturgy
Speakers
End-to-end cyber
risk management
Diverse panel discusses industry
trends and key elements to improving
cyber risk management and resilience.
Trends
• World Economic Forum cybersecurity trends
report shows there is a significant gap between
business leaders and cyber leaders on where
they think their cyber efforts are.
• See a rise in cybersecurity as a business
priority.
• Emerging new tech, such as AI and
automation, will help transform cybersecurity,
as well as amplify business models.
• Some variation in the cyber resilience
definition across industries and countries – a
global taxonomy is needed.
Collaboration
• More collaboration between businesses,
organizations and providers is needed.
Information sharing can help inform strategies
and improve preparedness.
Investment & Risk
Risk Management
• Naturgy’s process included creating a risk manager
role, conducting a risk evaluation and business impact
analysis to prioritize assets, establishing regular risk
remediation meetings, and implementing KPIs to
measure performance.
• Business lines should lead their cybersecurity plans
and the risk process.
Resilience
• Resilience should extend to your supply chain.
• Having sufficient cybersecurity talent is another critical
piece to achieving resilience.
• Cybersecurity should be enmeshed throughout the
organization – it should be seen as part of the
business.
Engaging the Board
• Be proactive and transparent with your board about
cyber risks to the company and the strategy in place.
Don’t wait to engage until there is an incident.
• Showcase how your investments performed during an
incident and share your KPIs.
• Don’t limit your updates to the board. Share details
with your business line leaders to keep them involved
and invested.

Automation —
In promise, in practice
“We want to use
automation where we
can and then have
humans involved
where they need to
be.”
Paul Scharre
Gabby D’Adamo
Accenture
Jim Guinn, II
Accenture
Paul Scharre
Center for a New American Security
Speakers
There’s no question that automation
already plays a significant role in IT
and OT system cybersecurity.
As the threat landscape continues to grow,
what role could/should automation play in OT
security management?
Advantages of automation
• Helps systems be more efficient, more
effective and safer.
• Reduces tendency for human error.
• Propagates system updates helping improve
security.
• Works well for repeatable, predictable
processes.
Closing Keynote
Risks of automation
• Takes humans out of the process removing them
from potentially catching mistakes and issues.
• Increases potential risk if a hacker infiltrates a
system.
• Can’t build automated systems to work in
situations we can’t predict.
Going forward
• Automation adoption needs to be a risk-informed
decision.
• Start by looking for manual processes you can
automate that will free up humans to focus on
critical thinking problems.
• Humans will still play a role – they need to know
what automation is capable of and when to step in.

Ready to step into next?
Visit our website for expert
insights on OT cybersecurity
Discover more resources > Leverage our test facility > Engage our OT cyber team >
Learn about our purpose-
built OT Cyber Fusion Center
Partner with us to advance
your OT security program
Take a virtual tour >
Contact our team >

End-to-End OT SecOps Transforming from Good to Great

More Related Content

What's hot

Similar to End-to-End OT SecOps Transforming from Good to Great

More from accenture

Recently uploaded

End-to-End OT SecOps Transforming from Good to Great