Con Edison Deputy CISO Discusses Critical Role in Cybersecurity Strategy
NEW YORK, NY – In a candid interview for Dark Reading’s Virtual News Desk, Carmine Valente, Deputy Chief Information Security Officer (CISO) at Con Edison, provided insights into his expansive role within one of the nation’s largest energy utilities. Valente highlighted his responsibilities in ensuring continuity for the CISO, managing the firm’s cybersecurity strategy, and overseeing the overall cybersecurity program. Valente’s tenure at Con Edison sees him deeply involved in crucial aspects of the company’s digital defense. His remit encompasses the strategic direction of cybersecurity efforts, the effective management of ongoing programs, and the evaluation and implementation of essential security tools. Moreover, Valente plays a key part in the execution of various internal projects and initiatives, as well as managing the financial aspects of the cybersecurity department.
Before assuming his current position, Valente’s career in security was noted for its considerable breadth, a trajectory that has evidently prepared him for the multifaceted challenges of protecting a critical infrastructure provider. His deep understanding of the security landscape positions him to safeguard Con Edison’s operations in an increasingly complex threat environment.
The full discussion, including further details on the convergence of IT and OT security, is available on Dark Reading.
What are the potential consequences of a successful ransomware attack on an OT environment, beyond just financial loss?
Bridging the Divide: IT and OT Security in a Connected World
The Convergence Challenge: Why IT & OT Security Must Unite
For decades, Information Technology (IT) and Operational Technology (OT) existed in largely separate spheres. IT focused on data and networks, while OT controlled physical processes – manufacturing, energy grids, building automation. This segregation provided a natural security boundary. However, the rise of the Internet of Things (IoT), Industrial IoT (IIoT), and Industry 4.0 has shattered that barrier. Now, these systems are increasingly interconnected, creating a complex landscape where vulnerabilities in one area can cascade into critical failures in another. This convergence demands a unified approach to cybersecurity, moving beyond traditional IT security measures to encompass the unique requirements of OT environments. Industrial control systems (ICS) are now prime targets.
Understanding the Fundamental Differences: IT vs. OT
Before diving into solutions, it’s crucial to understand why IT and OT security have historically been treated differently.
- Priorities: IT prioritizes confidentiality, integrity, and availability of data. OT prioritizes the availability and safety of physical processes. A system outage in IT is inconvenient; in OT, it can be catastrophic – leading to equipment damage, environmental disasters, or even loss of life.
- Lifecycles: IT systems are typically updated frequently, with shorter lifecycles. OT systems often have decades-long lifecycles, making patching and upgrades challenging. Legacy systems are a significant concern.
- Environments: IT environments are generally well-defined and controlled. OT environments are often harsh, with specialized hardware and protocols.
- Protocols: IT relies on standard protocols like TCP/IP. OT utilizes specialized industrial protocols like Modbus, DNP3, and PROFINET. ICS protocols require specialized security tools.
Key Threats Targeting IT/OT Convergence
The interconnected nature of IT and OT creates a wider attack surface, attracting a diverse range of threats.
- Ransomware: Increasingly targeting OT environments, disrupting operations and demanding hefty ransoms. The Colonial Pipeline attack in 2021 serves as a stark reminder of the potential impact.
- Supply Chain Attacks: Compromising vendors and suppliers to gain access to target organizations.
- Nation-State Actors: Targeting critical infrastructure for espionage, sabotage, or disruption.
- Insider Threats: Malicious or negligent actions by employees or contractors.
- Distributed Denial-of-Service (DDoS) Attacks: Overwhelming systems with traffic, disrupting operations.
- Zero-Day Exploits: Attacks leveraging previously unknown vulnerabilities. Vulnerability management is critical.
Building a Unified Security Strategy: Best Practices
Successfully bridging the IT/OT security divide requires a holistic strategy.
- Risk Assessment: Conduct a thorough risk assessment to identify vulnerabilities and prioritize security efforts. This should include both IT and OT assets.
- Network Segmentation: Isolate OT networks from IT networks using firewalls and other security controls. Implement zero trust network access (ZTNA) principles.
- Intrusion Detection & Prevention Systems (IDS/IPS): Deploy IDS/IPS specifically designed for industrial protocols.
- Security Information and Event Management (SIEM): Integrate IT and OT security logs into a central SIEM for comprehensive monitoring and analysis.
- Endpoint Protection: Implement endpoint detection and response (EDR) solutions on critical OT systems.
- Patch Management: Establish a robust patch management process, balancing the need for security updates with the stability of OT systems. OT security patching requires careful planning.
- Multi-Factor Authentication (MFA): Implement MFA for all remote access to OT systems.
- Regular Security Audits & Penetration Testing: Conduct regular security audits and penetration testing to identify and address vulnerabilities.
- Employee Training: Provide comprehensive security awareness training to both IT and OT personnel.
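The segmentation and industrial-protocol IDS items above can be combined into one concrete check: flag Modbus/TCP write requests that originate outside the OT control zone, and flag frames that do not parse. This is an added example, not from the interview or from Con Edison; the subnet, the function names and the sample frames are constructed assumptions.

```python
import ipaddress
import struct

# Modbus function codes that change process state (from the public Modbus spec).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

# Assumption for this example: only hosts in this OT control zone may issue writes.
OT_CONTROL_ZONE = ipaddress.ip_network("10.20.0.0/24")


def parse_mbap(frame: bytes):
    """Parse a Modbus/TCP frame; return (unit_id, function_code) or None if malformed."""
    if len(frame) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol id must be 0; length counts every byte after the length field.
    if proto != 0 or length != len(frame) - 6:
        return None
    return unit, frame[7]


def review(flows):
    """Return alerts for malformed frames and for writes crossing the zone boundary."""
    alerts = []
    for src, dst, frame in flows:
        parsed = parse_mbap(frame)
        if parsed is None:
            alerts.append({"src": src, "dst": dst, "reason": "malformed Modbus/TCP frame"})
            continue
        unit, fc = parsed
        outside = ipaddress.ip_address(src) not in OT_CONTROL_ZONE
        if fc in WRITE_FUNCTIONS and outside:
            reason = f"{WRITE_FUNCTIONS[fc]} from outside OT control zone"
            alerts.append({"src": src, "dst": dst, "unit": unit, "reason": reason})
    return alerts


# Constructed sample traffic: (source IP, destination IP, raw Modbus/TCP payload).
SAMPLE_FLOWS = [
    ("10.20.0.5", "10.20.0.50", bytes.fromhex("000100000006010300000002")),  # HMI read
    ("10.20.0.5", "10.20.0.50", bytes.fromhex("000200000006010600010064")),  # HMI write
    ("192.168.10.44", "10.20.0.50", bytes.fromhex("00030000000601050002ff00")),  # IT write
    ("192.168.10.44", "10.20.0.50", bytes.fromhex("000400010006010300000001")),  # bad proto id
]
```

Alerts returned by `review` are plain dictionaries, so they can be forwarded to the central SIEM alongside IT logs.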
The Role of Standards and Frameworks
Several standards and frameworks can guide your IT/OT security efforts.
- NIST Cybersecurity Framework (CSF): A widely adopted framework for improving cybersecurity posture.
- ISA/IEC 62443: A series of standards specifically focused on industrial automation and control systems security.
- CIS Controls: A prioritized set of actions to improve cybersecurity defenses.
- ISO 27001: An international standard for information security management systems.
Benefits of a Converged Security Approach
Investing in a unified IT/OT security strategy yields significant benefits.
- Reduced Risk: Minimizes the likelihood and impact of cyberattacks.
- Improved Compliance: Helps organizations meet regulatory requirements.
- Enhanced Operational Efficiency: Streamlines security operations and reduces downtime.
- Increased Visibility: Provides a comprehensive view of the security landscape.
- Cost Savings: Reduces the cost of security incidents and remediation.
Practical Tips for Implementation
- Start Small: Begin with a pilot project to demonstrate the value of a converged security approach.
- Collaboration is Key: Foster collaboration between IT and OT teams.
- Prioritize Critical Assets: Focus on protecting the most critical assets first.
- Automate Where Possible: Automate security tasks to improve efficiency and reduce errors.
- Stay Informed: Keep up-to-date on the latest threats and vulnerabilities. Threat intelligence is crucial.