Monday, September 16, 2024

1898 & Co. unveils Advanced Threat Protection Center in Houston to bolster critical infrastructure security


1898 & Co. has launched its Advanced Threat Protection Center (ATPC) in Houston, Texas, a next-level capability for securing critical infrastructure environments. The ATPC mitigates emerging and expanding threats to U.S. critical infrastructure.

In a recent online roundtable discussion with Jason Christopher, vice president for cybersecurity and digital transformation at Energy Impact Partners; Victor Atkins, director for security strategy and risk of industrial cybersecurity at 1898 & Co., and a former U.S. intelligence and energy official; Matt Morris, global managing director for security and risk consulting at 1898 & Co.; Gabe Sanchez, director of security operations at 1898 & Co.; Marco Ayala, president of InfraGard Houston; and Jonathon Gordon, directing analyst at TP Research, the executives indicated that the ATPC is expected to have a broader focus. “It’s mostly energy, including oil and gas, chemicals, power utilities, pipelines, water, and manufacturing companies as well,” they revealed.

The Houston center will also serve smaller utilities. The American Public Power Association (APPA) will be involved here. They’re quite sizable, with around 2,000 members, mostly from municipalities. One of the representatives from APPA is a former INL (Idaho National Laboratory) employee who helped design and build some of their managed security services capabilities. “You might recognize Essence, a platform that focuses more on the OT side, whereas CRISP has been more IT-centric,” they added.

The executives revealed that the threat type is becoming much more targeted. “We’re seeing a lot of business email compromises that are hitting the IT network. Then, the next kind of logical transition we’re seeing is, well, why stop there? If they already compromise the network? They can still get quite a bit of value now trying to enter into that operational technology space and cause some impact there. Right. They’re still motivated many times by financial goals, the typical ransomware that you would think of. But we are seeing that transition where threat actors don’t just stop at a business email compromise. They’re now attempting to get into the additional networks to see how can they leverage that also for money.”

On the issue of IT-OT convergence, the executives identified that “there’s still a lot of, believe it or not, a lot of OT systems that make calls out to the IT. Maybe they call out the service now or they call out to some other piece that is resting and sitting in the typical IT domain.”

They also acknowledged that adversarial attackers do not necessarily have to take the OT down directly. “It could be collateral damage that happens on the IT side that still has the same effect. I don’t know if that’s why. Yeah, I mean the threat actors are getting really good at passing access if needed to groups that can specialize more in that operational technology and so they can sell the access.”

They added, “So that’s becoming a thing as the OT interconnects more with the IT. But yeah, absolutely. If they can plant a seed of doubt that there’s a possibility that they are in the OT, like you said, the same impact of, you know, safety being number one in operational technology, they’re going to try to potentially close that off and have the same impact of not having that visibility or running operations. So that is absolutely a trend.”

The executives agreed with an assumption raised by Gordon, who said that over the next twelve months, the primary impact on financial reputation will increasingly involve non-OT aspects. “It appears to be significantly more challenging and, to some extent, better protected compared to IT systems,” he added.

Moving to regulatory issues, the executives identified that “2022 and 2024 were the busiest years for ICS, OT, cybersecurity standards and regulations, and sort of being in this industry for the past 20 years, we’ve never seen that much flurry of activity. That obviously includes things like the NIS 2, but there’s also a lot of drafting team activity that’s taking place from that lower level. I was discussing what good security looks like, ICS, and OT. So it’s almost like you’re being squeezed in the middle for sure. I would say the US side, not just looking at the typical FERC, and TSA discussions, but also SEC as well. Extremely busy with talking about how they are looking at CISOs.”

“But I would even look so far as to what just recently happened with United Healthcare, where you saw now a CEO testifying before Congress because of a very large impact,” they added. “And the takeaway from that was that CEOs and boards can be accountable for who they are putting in charge of cybersecurity, not just the standards and regulations themselves. So I think that a lot of regulators are still grappling with what ICS security looks like. You have some agencies like FERC that have been doing it for a lot of years and some that haven’t. And so I think that you’re going to see this evolution of learning as a result of that.”

They added, “To see a ripple effect from that too, on insurance and credit bureaus as well, because they’re looking at regulations, they’re looking at what are the standards that look good. For example, MFA. I’ve never seen congressional testimony until this year. They talk about multifactor authentication and a senator writing a letter to the SEC to say multi-factor authentication. So obviously that terminology is getting there. And you then look at insurance products, and that the number one control they point to is multi-factor authentication. So there’s this bubbling effect that’s happening where technical controls are now finding themselves as boardroom conversations that never existed before.”

Gordon highlighted the concern that many people are getting caught up in acronyms without fully understanding them. He used zero trust as a prime example, noting that while it has gained significant attention due to executive orders and widespread discussion, many do not fully grasp its implications, especially in the context of OT. “What exactly is zero trust in OT?” he questioned, pointing out that the concept remains open to interpretation, which limits its practical impact. Gordon also raised the issue of the growing number of industry standards emerging alongside established frameworks like NIST and IEC 62443. “With so many acronyms and standards popping up, do we really need more? And will we ever see these efforts converging?” he asked.

Moreover, Gordon pointed out the proliferation of industry standards, noting the emergence of numerous standards alongside established ones like NIST and IEC 62443. He questioned the necessity of these additional standards and pondered whether there would eventually be a convergence in this ever-expanding field.

The executives observed that “a lot of that is driven from the fact that standards such as 62443 really revolves around the control engineer. Yes, speak their language. It’s the automation side. And you know how the cybersecurity framework does a lot of the mapping for you. So you’ve seen even in the API 1164 or three, it’s baked in 62443 because it does speak to control engineering.”

Gordon noted, “In our research, we track various technology categories, such as asset discovery, network monitoring, perimeter security, and secure remote access. Overall, we track around eleven technical categories and an additional six service categories. It’s already a complex landscape for practitioners, especially for those transitioning from the automation or operations side, or from IT into OT. What’s also interesting is the persistent shortage of skilled professionals. The required skill sets are so broad that it makes it challenging to find adequately trained personnel.”

Moving to the training side, the executives said, “If you rewind the clock, 15-20 years ago, we didn’t have courses on this at all, and now we do. So seeing multiple different options of courses. We have college courses now, we have continuing education for people who are operators, for folks who are coming from IT going into OT. So for sure, I think that we are 1000% better at this than we used to be as a result of that. And I do think the workforce is probably at first starting because no matter where you are on the solution side, if you have a trained workforce, they can tell you where to spend your next dollar, whether it processes, doing a risk assessment, or buying the technology.”
