How Armis CTO Carlos Buenano’s OT Security Journey Led to Zero Trust
Last year alone, the two industries with the highest increase in cyberattack attempts were utilities, increasing 200%, and manufacturing, increasing 165%, according to The Anatomy of Cybersecurity report by Armis. These are also two industries where operational technology (OT) is vital to operations. This highlights why the overlap of OT and cybersecurity is more critical than ever.
In the latest episode of The Segment: A Zero Trust Leadership Podcast, I spoke with Carlos Buenano, the Chief Technology Officer of OT at Armis. Continue reading to learn about his journey into OT security, the pivotal role Zero Trust principles play in safeguarding industrial environments, and the challenges of getting there.
About Carlos Buenano: CTO of OT at Armis
Carlos Buenano is the Chief Technology Officer for OT at Armis, a leader in asset intelligence cybersecurity. With over 30 years of experience in control systems and telecommunications, Carlos has held diverse roles such as solutions architect, principal engineer, and ICS cybersecurity consultant. Over the past five years, he has focused on implementing cybersecurity solutions within industrial networks.
Tackling legacy systems in OT environments
OT environments often use legacy systems that are typically powered by outdated, end-of-life software like Windows NT. These systems were designed to function for 30 years, a lifespan that justifies the substantial upfront investment. But this longevity can introduce challenges when key components fail.
Carlos shared an incident to illustrate the issue: "One time, a production line failed because a card that had been end-of-life for ten years broke down. We contacted the vendor, and they said, 'We stopped producing it ages ago.' We had to resort to buying the part on eBay. This situation triggered a project to replace the outdated equipment."
Systems run continuously, making updates challenging. Changes must be meticulously planned and executed during limited shutdown windows, which are often scheduled only once a year. It's easy to see how complex these environments are to manage, and cybersecurity only adds to that complexity.
“You can imagine that with all the longevity design [in legacy systems], they have these different challenges when it comes to modifying and updating systems,” Carlos explained.
Securing legacy systems and planning for future infrastructure is a dual challenge. Because OT systems drive business-critical services, they’re a prime target for cybercriminals. In the past, just "air gapping" OT and IT systems was enough to secure them. It kept them operating without any physical connections. But today, OT environments are getting more complex, and air gapping OT and IT systems can't keep up with modern business. It's also hard to see which networks are air gapped and which are not, creating security gaps in core technology.
Zero Trust in OT environments is a journey, not a destination
For Carlos, Zero Trust is the answer to the security challenges posed by OT environments and their legacy systems. In our conversation, he emphasized the importance of honesty and boundaries in network security. The path to using a Zero Trust model without making big changes to the existing network is complex and long-term. It’s a journey, not a quick fix.
Securing a network requires creativity and a deep understanding of the network's communication pathways. It's crucial to gain visibility into the network, perform risk assessments, maintain continuous communication for operational benefits, and gain buy-in from those who understand the processes best.
Carlos outlined a step-by-step approach to achieving Zero Trust:
- Create visibility: Understand what resources are critical to the business and need protection.
- Isolate critical resources: Secure the most important components first. Do this by segmenting them from the rest of the environment.
- Build Zero Trust: Expand the Zero Trust approach programmatically across the network, from most to least critical.
AI in the OT space: Opportunities and challenges
Carlos called AI a "very, very powerful tool," pointing to its significant benefits when used correctly. AI can enhance production systems by correlating information, generating reports, and improving efficiency through automation. This results in better data management and overall positive outcomes.
However, he cautioned about the dual nature of AI. While it offers substantial benefits, it also presents risks if misused. He pointed out that AI can be exploited to take advantage of vulnerabilities in legacy systems, sometimes even enabling cyberattacks without direct access to the machines.
“AI is great so long as we use it for good in the way it is designed,” Carlos said. “Like everything, we can use it to improve production and security, but we need to be very careful because if not implemented properly and it gets into the wrong hands, it can work against us.”
Listen, subscribe, and review The Segment: A Zero Trust Podcast
Want to learn more? Listen to the full episode with Carlos on our website, Apple Podcasts, Spotify or wherever you get your podcasts. You can also read a full transcript of the episode.
We'll be back with more Zero Trust insights soon!