Tune in to this episode of Ask A CISO to hear:
- The origins of the OT/IT convergence
- Zero Trust and the OT/IT convergence
- People, Process, and Technology challenges for an OT/IT environment
- The advantages and disadvantages of OT/IT convergence
- The benefits of this convergence for organizations
- The future of OT/IT convergence - will the lines between OT and IT be erased down the road?
About The Guest: Mel Migriño
Mel is the Vice President and Group CISO of MERALCO, the largest Power Distribution Conglomerate in the Philippines.
She has more than 15 years of combined experience in Cyber and IT Governance, Application and Infrastructure Security, Operational Technology (OT) Security, Business Continuity, Privacy, IT Audit, and Project Management across multiple industries.
Mel has led the PCI-DSS Certification for the largest payments network in the Philippines.
Further, through her leadership, Meralco’s Fintech Subsidiary, Bayad won the W Media Awards for Southeast Asia under Cybersecurity Implementation in 2021.
She is part of the Executive Committee of the ASEAN CIO Association. She is concurrently the Chairman and President of the Women in Security Alliance Philippines (WiSAP). She is the former Cyber Security Leader of a Big 4 auditing firm and the largest fintech in the Philippines. She has been cited as a 2022 Influencer by the International Security Journal and has been recently cited by Technology Magazine, Energy Digital, and Cyber Magazine as a leading CISO among global cybersecurity leaders and a regular contributor to Women in Security Magazine in Australia.
Mel earned several recognitions in 2021, including:
- IFSEC Global Influencer for Security and Fire Top 5 under the Security Executives category
- Ranked #2 in the 2021 CISO ASEAN+ HK Awards by IDG and CSO Online
- 2021 CISO of the Year by Women in Governance, Risk and Compliance Awards
- 2021 Top 30 Women in ASEAN
- Top 30 Women in ASEAN
About The Host: Paul Hadjy
Paul Hadjy is co-founder and CEO of Horangi Cyber Security.
Paul leads a team of cybersecurity specialists who create software to solve challenging cybersecurity problems. Horangi brings world-class solutions to provide clients in the Asian market with the right, actionable data to make critical cybersecurity decisions.
Prior to Horangi, Paul worked at Palantir Technologies, where he was instrumental in expanding Palantir’s footprint in the Asia Pacific.
He worked across Singapore, Korea, and New Zealand to build Palantir's business in both the commercial and government space and grow its regional teams.
He has over a decade of experience and expertise in Anti-Money Laundering, Insider Threats, Cyber Security, Government, and Commercial Banking.
Transcript
Mark
Welcome everybody to another installment of Ask A CISO podcast where we are helping you guys navigate the tricky waters of cyberspace and get your ship where you want to go.
I am your host today, Mark Fuentes, and I have a really, really exciting guest. Hopefully, I'm I, as well as everyone out there will be learning a lot of cool stuff today from our guest. I'd make it up myself, but I think I couldn't do it any justice, so I will just read the official bio of our guest, Mel Migriño.
She's joining us here today as the Vice President and group CISO of Meralco, which is the largest power distribution conglomerate in the Philippines. She's a part of the executive committee of the ASEAN CIO Association. She's currently the Chairman and President of the Women In Security Alliance, Philippines. also pronounced WiSAP, right, Mel?
She's also the former cybersecurity leader of a big four auditing firm in the largest FinTech in the Philippines. She's been cited as a 2022 Influencer of the International Security Journal and has been recently cited by Technology Magazine, Energy, Digital and Cyber Magazine as a leading CISO among global cybersecurity leaders and a regular contributor in Women In Security Magazine in Australia.
That's quite impressive already. I guess I could go on and say you've been in the field for about 15 years in cyber and IT governance, and she's joining us today to talk a little bit about OT.
So welcome, Mel. I appreciate you giving us some of your time.
Mel
Yeah, yeah. Hi Mark. Good morning, and good morning to all of our online viewers.
Mark
Yeah.
Mel
Glad to be in the session.
Mark
All right. All right. So I guess we'll just jump right into it.
You know, for many years, a lot of us in IT and IT security folks, we have rarely really ventured into that OT space. We've always largely incidentally kind of in a silo. So maybe you could tell us a little bit about what's new and exciting in the OT space and what we can all get excited about.
Mel
Okay. Thank you for your question, actually, that one is pretty interesting.
I think majority of our viewers would really want to know what's really happening within the Operational Technology space. So surely OT or operational technology work in inside silo for decades. I would say in the notion of, of many is that it can survive in that same state for, even for the years to come, but with the call of Industry 4.0 which refers to the convergence of the physical and the cyber-physical worlds, the proliferation of the IT and OT convergence vis-a-vis digital transformation in the industrial control systems or ICS has also exposed global critical infrastructure assets to security vulnerabilities that could be disasters, I would say, could have hampering consequences.
I see it opens more doors to external entities and systems. So looking at a zero-trust per se, it is more on the extensive security framework that requires all system users, including computing devices to be continuously authenticated and authorized prior to granting or maintaining access to the different systems and publications, as well as data.
Zero trust operates under the notion of, you know, least privilege principle which translates to providing minimal system access to the extent of users and ICS operators being able to actually perform the required system functions.
Hence the point that I'm driving at here is: zero trust is not a new concept. You know, when we talk about industrial control systems or operational technology, I know some of the, you know, I think older practitioners, I would say, they would say that it's actually very hard to undergo a zero-trust journey within operational technology, but it's practically, we're not saying that we put the whole chunk of zero trust, right, into your OT.
I mean, you need to do, actually, you need to understand the landscape. You need to do a risk assessment. You need to do asset prioritization. And then, and then slowly, little by little, you can adapt this new framework within the cybersecurity space. So the ZT architecture is fortified by a combination of security technologies. So for those who have already, you know, go through the IT and OT convergence route or journey, you can already integrate MFA and also strengthen your access management through IAM solutions.
Also crucial, right, I think even prior to adoption of zero trust is the network segmentation following the Purdue model, and then the next-generation endpoint security operations, such as your network firewalls, and intrusion prevention systems, all of which are now actually available for ICS assets actually in most of the industry verticals.
So I think in terms of cybersecurity, these are actually where, you know, cybersecurity within the context of operational technology will actually evolve or eventually transform.
Mark
There's a couple of things you said there that are interesting to me, like number one, I mean, it's kind of generally accepted that with the IT/OT convergence, IT has kind of opened up new doors for attackers to access OT systems and ICS systems.
But another thing you mentioned there, and it kind of spoke to me was that there's that side of it. But on the other side, the the OT/IT convergence has also, because of some of the security features of IT, has also allowed for great advances in security technology into OT, such as enabling better adoption of zero trust, you know, better adoption of different security features that we didn't use before.
Is that, would you say that's safe to say?
Mel
Yes.
Because before, the network in OT is really flat, right? And, and not even all, I would say, power companies or energy companies have also adopted the Purdue Model. But for those who would actually wanted to strengthen their cybersecurity, then eventually go to the route of the Industry 4.0, the more that they need to adapt zero trust.
Hence my comment earlier, Mark, that maybe the older practitioners, right? They would comment like it's very hard to implement ZT, we did the OT space or never, you can, you know, do it, but technically you can. It's just that you need to, you need to do it by phases, right? And ZT will actually apply.
If you are really in the open infrastructure, the more you need to apply the context of zero trust.
Mark
Yeah.
Because there's definitely, it's definitely changed the attack landscape, right, for OT systems. Now, you know, we've said it a couple of times now, we've touched it on a couple of times, just for a lot of us out there who are new to the concept, I'd like to drill down a little bit more into the OT/IT convergence.
Maybe you could talk a little bit about that. Where do you think it started? Where it came from? Just for our, you know, for our benefit.
Mel
Okay. Okay. So IT and OT convergence, right, so that actually sums up practically the industrial OT or IOT. So it emerged through the growing demands of the customers for better user experience, right? Specifically when you are in the utilities segment.
Why?
Because the, because this system such as your SCADA, your standalone SCADA, ADMS, right? So they practically thrive within the systems within utilities. Businesses have started to strategize to have better visibility on the data. Enhance the system as well as look at the ROI of the respective obligations or software while enhancing security and stability in the context of convergence in the IOT. We started to see new spectrum of, I would say, connected operations across industries and manufacturing companies, and the aim is actually to increase the efficiency, improve service level agreements.
Of course, together with that we also need to look at the cost. We need to look at lowering the cost, helping the management team to make better decisions in all aspects of your production line. So by joining the process control, measurement and safety systems at the production sites with IT infrastructure, I would say industrial companies can achieve remote connectivity and access to real-time data, both of which are critical to, you know, maximizing the value.
So this move is crucial to digital transformation, but unlocking the benefits can be difficult to achieve, obviously. So we've experienced that as well. Industrial companies are navigating through values, I would say, a structural changes in response to the strained supply chains and continue with the global growth to actually meet the changing business goals.
So practically it's really driven by the business. I mean, you know, the IT/OT convergence.
Mark
When you say there are a number of challenges to adopting the idea, you know, riding this IT-OT convergence wave, would you say, you know, among people problems, technology problems, and process problems, which would you say take up the largest amount of those, those challenges that you're talking about?
Is it a people problem, largely? Is it a process problem? Is it a technology problem or what do you think?
Mel
Okay. Ah, actually, Mark, that's a very tricky question.
Because as far as people, process and technology, they all have a fair share in the pie.
So let me start off talking on the, on the process per se. So I think one of the challenges there would actually fall under the lack of process visibility. So very specific on the context of cybersecurity, right? I mean, in the olden times, we really don't know what's actually happening inside, what's happening inside the substation in your SCADA master, right? Is there, you know suspicious process or a malicious process or a suspicious activity, right? That's actually, that's actually performed by one of your OT engineers. We don't know that, right? Practically, we lack process visibility. Right? And because of that we cannot detect the soonest time. Right? If there are actually incidents already.
And then I think part of that is part of your process visibility, right, vis-a-vis with that is actually assets. Right? Because it's always like that. I mean, to me, assets and actually processes, right, they always go hand in hand. So if you lack process visibility, right, in most cases, right, there is also a high possibility that you, there's also lack of asset visibility. Right? So, because it's practically the assets, you know, the components with their substations right, their RTUs, or if you guys are still using PLCs, right? So or, or I think worst case, right, if you're talking in the context of a, let's say, a smart grid, right? So you wouldn't know if there is a rogue meter that's trying to connect to your network. Right? So, so I think these are some of the areas of concern on the, on the process side.
Now on the technology side. Well, so since there is really no visibility on processes on data, right? Hence there is also a lack of technology to really, I would say, implement or operationalize the detection mechanism as well as the containment mechanism within your huge IT/OT or converged infrastructure.
So I think here I am referring also to your endpoint security. You can also look at your intelligent teams or maybe others would call it an XDR or EDR in our case. We have really started and we're making pretty good progress on that, right, like really having visibility through instituting intelligence teams right to XDR to really integrate the security platforms, right, within a, to actually integrate the security platforms within our intelligence teams.
Not only that, but also get the security logs from the different applications and servers within your core infrastructure.
And then I think the next, I would want to touch on people. Since we are already in the road of converging IT and OT. Right. We need to ensure that there is actually knowledge exchange from all parties concerned, right? Meaning, right, if you want to have visibility on your data, eventually you would want to get into a point that you would have a very rich analysis and correlation, right? So that, let's say from a cybersecurity perspective, you can real-time detect and contain, but others from a business perspective, you want it to have insightful data.
So that's the reason why you wanted to actually open up the doors of your rich data lake going to your IT. Why? Because practically that's the job of your data scientist, right? But can you imagine, if you are a data scientist who doesn't even understand the processes, the components within the operational technology, so ...
Mark
What does the data even mean?
Mel
And so, I mean, that's going to be chaotic, right? I mean, it will defeat the purpose. In the same way, from a cybersecurity perspective, like in our case, we do we do knowledge sharing session. We do a lot of handholding to them, right? To these OT experts.
Why?
Because you want them to have an appreciation of, oh, so this is what's happening about their side of the world in cyber security. Oh, I mean, these are, you know, some of the critical use cases, right? Some of the threats that we can actually, you know, remediate, right, if we actually deployed the specific cybersecurity platform. That's an IT/OTS for that matter, right?
Or let's say an IOT anomaly detection. So that being the case, so I think it's really about people, process and technology. And I think the last one are revolving around the process and technologies, the ability to test.
Well, I think a majority would actually agree with me on that because you know, coming up with a test environment in an OT, it's actually very expensive. I mean, if you are just saying that, okay, I will just need to test this specific endpoint, right? Regardless if this endpoint is a server or a laptop, right? So that's quite easy. Right? But really trying to do testing, let's say for an ADMS and something like that. Oh, let's say an Outage Management System, right? In most cases you leverage on the capabilities and the resources of your service provider rather than creating your own.
So hence you see there, you know, limited testing. Why? Because every time that there could be rediscussed you do not have the luxury of time to really test as compared to our IT environment. We do have the luxury of time. Right. And you can test, you know, every now and then for as long as you like until you get the results that you wanted to implement to production.
So I think those are some of the challenges.
Mark
I think I hear when you, when you talk about those challenges, it's funny to me because they all, they're all age-old problems of IT security. Right? First of all, with the people, like when you said you have to, you have to give OT people an appreciation of cybersecurity.
It's the same if you have to talk to a bunch of software developers or you have to talk to a bunch of crypto people, you know, they have that side expertise and then you have to give them that cybersecurity kind of appreciation. So that's something we see on all fronts as well. And then when you talk about, well, you know, when you talk about XDR, you talk about, you know, automation and better, better response, right? And putting in all of this great technology, the biggest challenge there is all of this, all of this automation and all of this XDR stuff, it's not really going to work that great if you don't do the simple things right like asset management, like data classification, if you don't do all these things that people will find a little less fun then the XDR won't work as well as you would want.
It all depends on the basics, the foundational stuff ...
Mel
Because I think the key there is really how extensive your implementation would be and how extensive would actually, you know, go back to your basic math equation, like your assets and processes.
Mark
Exactly. Right.
And you know, I, my next question was actually all about what it means for security folks, but, you know, you just answered it right there. So I'm going to skip down the list. So we're talking about like the melding together of these two universes, the IT universe and the OT universe, which obviously would come with good things and bad things.
So maybe, so it's actually two questions: What is like the coolest thing you can think about when you think about OT/IT convergence and what is probably the most problematic thing about it?
Mel
Hmm. Okay.
I think what is good about the convergent infrastructure is that it focuses on efficiency through streamlining of the different processes, improving your as a lace or you want to call it overlays? Right? I mean, in the olden times they call it ...
Mark
Yeah.
Mel
It may also mean retooling or adapting new learnings, right? New technologies, new processes, echoing from my prior explanation coming from both IT and OT and understand as well where cybersecurity is, which is an enabler towards a secure and stable end state.
So what is not so good, I would try to say that rather than saying what's worse. So what is not so good, of course, is the legacy systems that we can no longer support, that we can no longer patch.
If we can no longer patch, we can no longer secure. Right? We have limited changes actually, in terms of securing them, thus making it vulnerable, but I don't want to speak actually, Mark, in absolute terms here.
Yes. These legacy systems could really be hard to secure, but we can always think of alternative solutions to actually secure them. It may not be really like, you know, you can install an agent, right, but I think you can look at trying to monitor the traffic. Your east-west traffic, as well as your north-south traffic.
So what I'm saying is, to me, my perspective is that it's not going to be a zero thing in terms of implementing possible cybersecurity controls. Even when you are dealing with legacy systems, there is always a way. It's just that maybe the most ideal, right, or the targeted solution for that, like you need maybe to do, let's say a film where thought, or so maybe you can do that, right.
Because of technology innovation. But you need to look at as a security leader or as a solutions architect, per se, what is actually the surrounding components, right, that goes through it, right, or let's say coming from that legacy system, it, and then it connects to another system. Right? So you need to look at securing the environment if you cannot secure the target asset, right?
Because most ICS devices were designed to run fairly autonomously. I think I with actually agreed to that. So performing explicit functions and that require little to no maintenance, that's practically the mindset for decades. Right? And that's how this intelligent systems were designed. But with this, but with this emergence, OT needs to support new connectivity options, right?
New connectivity integrations over converged infrastructure, over converged networks and that opens up your attack surface. Examples are actually, you know, your access control systems such as your passwords, where either are non-existent or mostly hardcoded. Or always left actually, whatever is the vendor default password.
Also the connectivity combined, I would say with the lack of ability to patch that the bugs or the vulnerabilities within the ICS systems deployed in the field will also result, could also result to possibly remote code injection, unauthorized access and other modification of the configuration, those attacks and many more.
So I think those are some of the good things and not so good.
Mark
One thing that you said, you know, you're talking about having to make perhaps find ... And I, I totally agree with you.
You said, you know, you don't want to call it the worst thing, or maybe it's just a difficult thing is having to deal with systems that may become obsolete by these new advances, right?
And then you also talked about how that's not really the end of the story, right? Sometimes, you know, you can come up with different types of remediations or other ways to secure these systems. And I think that's where we live, right? That's where a lot of us live where we, you know, we really like to be in front of these unique problems, you know, problem cases.
But I wonder like, for some of these, and I've always wondered this about OT, When you talk about systems like these, systems that were designed to work autonomously, systems that were designed to, you know, it seemed to me that a lot of the attitude was to avoid patching, avoid upgrades because of, you know, possible problems with the underlying systems, right?
When do OT people decide that, okay, okay, this thing is... We have to absolutely build a brand new system for this. Like we have to, we have to start from scratch and build a new system.
Is there something that drives them? That type of idea?
Mel
Yeah. Well, I think that realization would actually come in as influenced by the experts at digital transformation. Right. And I think they've seen that I mean, admittedly, in the tradition, in the older times of OT, they're actually, you know, very important things like, for example, what's the status of, let's say this nationwide blackout, right?
I mean, are we nearing restoration or what's the, or, I mean, in terms of restoration, like where are we? Are we at even 50%, right? Or are we at, let's say 80% and we anticipate, let's say, in the next hour that it's going to be a hundred percent restored? The, you know, the compliance reports, right, that you need to furnish, that your regulatory bodies. Right?
I mean, those reports, right, in the older times will actually take you so much time to do. I think, even up to now, for some of the organizations, if I am not mistaken, right, it will take hours. Right. But with this, right, with the context of, you know trying to have real-time data, right, and then, you know, improving the, improving the customer experience, wherein, you know, instead of like reverting back to your customers after three hours, after half day, you know, I mean, you can already revert to them in a matter of, I don't know, maybe like 30 minutes or so if the, if the query is not that, it's not that difficult, and you know, data is there already, the information is there already, you know, in a matter of seconds you can already provide them that information.
So it's really about driving better customer experience, right. And really about getting insightful data. Why? Because if you, if you have a very good customer journey, I mean, the experience per se. And you have a rich analysis of your data where you can introduce like, you know, or improve or introduce new services that will be beneficial to them because you can already analyze what's their typical behavior, what are their needs? What actually irate them the most?
So those are the things that you may want to actually produce. Of course, it will boost, you know, your brand, right? Your image, the trust. And eventually your bottom line. Right? So ...
Mark
You know, that's, so, I don't, that's so surprising for me to hear. It's not what I expected to hear from an OT person. I mean this customer-centric ... I've always, I've always, I don't know. I guess it's, you know, not being ignorant of the field. I've always assumed that you had more of like an availability or services availability approach in OT, but I've never really thought that you guys really had this customer-centric approach, this thing about, you know, creating a better customer journey.
I don't know why, but I always felt like you guys are like, well, as long as they get their electricity, they should be happy.
Mel
Yeah. Yeah, true.
Mark
But that's very interesting.
Mel
Do you remember that?
Do you remember the InfoSec triad? The CIA, right?
So that's your Confidentiality, Integrity, Confidentiality, Integrity, Availability. And of course the non repudiation, right? You think always availability, because availability is the typical mindset of an IT guy. Same mindset, right? More so, a stronger mindset if you're an OT guy, right? It's really about availability, availability, continuity of service, right.
Regardless of what the thing is. But if you look at your ... and non-repudiation. Those are actually the core principles if you're a cybersecurity guy, but I think given this new business objectives, so there's really a push, hence the manner that organizations should actually craft their strategy, it has to be very well thought of, and there, there should be a strategy across, you know, there has to be a technology strategy, organizational strategy, production strategy and so forth.
It's not only about technology. or it's not all ...
Mark
You know, I feel like we could do an entire episode about this, this exact subject matter. Very, very fascinating to me. I I, that, that threw me for a loop. But yeah, I don't see why it did, now thinking about it, that makes sense. That there should be business drivers all the time. But yeah, let me just to, just to close it off, I have one last question about the OT/IT convergence.
So now we're seeing this blurring of the lines between OT and IT, and I was wondering in the future, do you foresee that perhaps we'll erase that line altogether? And OT and IT will just be one thing?
Mel
Yes. Yes, because that's the only, that's the only way to go. Yeah. Because if you will not dive into the context of dX and dU, dX is really more of IT, E-commerce, right, sophisticated payments. And dY in the manufacturing and let's say power, even oil and gas, then ... maybe there's going to be something wrong with the organization eventually.
So it's really about driving innovation, data, and customer experience. Right? I think all of these will actually come together. Even the traditional companies. Even though they don't like it, but, you know, I think slowly, you know, they will feel that, you know, they will feel that they are slowly going to that direction.
And of course it's so, so after saying all of these nice things, right, so I think from a cybersecurity perspective, there are also standards, right, wherein practitioners can actually adopt. I think my, my personal take on the standard and framework, I do like standards and frameworks, but to me, I don't do like cut-pasting so I try to read and understand the framework and the standards, right.
And, and then I try to localize it. I put the local flavor on how it should best fit, right? In different things. How it should best fit in terms of the business objectives, how it will best fit in terms of my convergent infrastructure and how it would best fit in terms of my risk appetite, vis-a-vis my culture.
Mark
No, a hundred percent, I think you know, number one, I, you know, I've had this conversation with many, many leaders as yourself.
Number one, standards and frameworks are just a place to start. Like you said, they shouldn't be cut and paste. You should not take them as for granted, you know, you should really think about how they fit best for your specific situation. Right.
And definitely anyone, you know, as a consultant, you know, I'm not gonna lie. I do have a lot of customers who cut and paste standards. They take, they'll take on you know, in the interest of time, or maybe they just don't care. They'll just take a bunch of templates and then throw them in the G drive somewhere and then forget about it altogether. Right.
And that's, you know, I do advise against that and I'm sure you do as well. So yeah, I'm definitely a hundred percent behind you on that.
But we've reached, we've reached kind of the top of the hour here. We're getting, we got to the, the end of the session. So maybe I'll just leave it to you, maybe some last words, anything, if those out there who are listening to us want to take one thing away from this session, maybe one crucial message from you, Mel.
What do you think?
Mel
Well, I think a good shout on that I think it's really about revisiting our strategies, right? For us to revisit our strategy, we also need to change our approach or the manner that we do the risk assessment. I mean, gone are the days where the traditional risk assessments on technology, regardless if it's enterprise IT or Operational technology, we need to do data-driven risk assessment, right?
And then from there revisit our strategies. we need to calibrate our strategies and a critical component in calibrating our strategies is really open mindset, because if ...
I mean, if we do not think objectively, if we are not open to the fact that, you know, these components, these segments are actually evolving, then any initiative would actually have a hard time, you know, to succeed.
Mark
No, definitely a hundred percent. Adapt or die, right? Adapt or die.
Wow. That's yeah, that was a great session. I, you know, again, I can think of a couple more. I'd love you to come back. You know, give us a little bit more, a little bit more from the great mind of Mel Migriño. That would be great.
As for everyone out there, thank you for joining us. We'll catch you on the next one.
