MES Computing

Utilities have operational technology needs that differ from the data-centric needs of other types of companies.

by Samara Lynn

What utility companies, such as electric and water/wastewater utilities, are really concerned with is “availability and the safety of folks operating those systems,” said Bill Moore, CEO of industrial control systems/operational technology (ICS/OT) cybersecurity firm Xona.

Utility companies are also subject to a host of regulations. Recently, the U.S. Environmental Protection Agency released a new cybersecurity procurement checklist as well as several other new guidelines for water and wastewater facilities.

Moore, who founded Xona seven and a half years ago, has experience in OT, network engineering, data governance, and cybersecurity.

Xona’s first customer was a natural gas utility, he said.

“We worked with them, and we developed our platform. We’re in over 40 countries globally,” Moore added.

Xona “provides a secure, remote access solution” built for OT, he said.

In a recent interview via Zoom with MES Computing, Moore touched on how utility companies, particularly more resource-strapped midsize facilities, can navigate the ever-shifting world of regulations and what Xona’s capabilities can provide.

Can you give an overview of Xona and what it can offer utility companies?

[With utilities] it’s not so much the confidentiality and integrity of the data because a lot of that data is not really personally identifiable information. It’s more telemetry and things that are going on with different processes.

It’s more about making sure those systems cannot be accessed by somebody nefarious.

The way we do that is [we] have a platform that isolates the communication protocols and keeps those in the control network, or if you will, the operational technology network and doesn’t allow protocols. Many times, there are transient endpoints used by third-party contractors, OEMs – whether it’s GE or Siemens … Schneider Electric … if it’s not part of your organization, it’s a third party coming in, so we make sure that that access is protected and the important machines that are in that network are not exposed to the outside world.

How does Xona’s offering align with the new EPA regulations?

Outside of water and wastewater there are very stringent regulations around power generation. Their [regulations] are not as specific as some of the other critical infrastructure providers.

What kind of struck me right off the bat with that [new EPA] checklist was it was for integrators or MSPs.

I immediately thought there are many of these [water facilities] that are rural. Small populations. Sometimes it’s the scale supervisor that’s also the cybersecurity guy, and sometimes that person is the mayor of the town.

It’s very challenging for smaller, rural areas to try to implement something like what EPA is saying when they don’t have an MSP – they can’t afford one.

We always tell our customers that you are going to massively reduce your cyber risk with us because you are reducing the attack surface. But you’re also increasing your operational efficiency and reducing the exposure of critical network protocols.

Why can regulations be a burden on midsize and smaller utilities?

[With] all of our critical infrastructure sectors there is either some industry-specific regs that they have to follow … there are auditors or they are following generalized guidelines out of NIST.

The problem is being able to do all of these things that are really required to effectively secure those systems with the budgets they have and understanding that they have to modernize, at least, their security stack.

We see in the industrial sector, utilities, whether it’s water and wastewater or electrical … they have systems that have been set it and forget it. You’ll see things running … like Windows 7 or even something like Windows 95.

Do you categorize Xona as a cybersecurity firm?

We do. We provide secure access management and privileged access management to very critical systems.

Read the original article here: Operational Technology Versus Information Technology Security Needs: Xona’s CEO Breaks It Down.