1898 & Co. opens Advanced Threat Protection Center in Houston to strengthen critical infrastructure security

1898 & Co. has opened its Advanced Threat Protection Center (ATPC) in Houston, Texas, which represents a new level of security for critical infrastructure environments. The ATPC mitigates emerging and growing threats to critical infrastructure in the United States.

In a recent online roundtable discussion, Jason Christopher, vice president of cybersecurity and digital transformation at Energy Impact Partners, Victor Atkins, director of industrial cybersecurity security and risk strategy at 1898 & Co. and former U.S. intelligence and energy official, Gabe Sanchez, director of the security operations center at 1898 & Co., Marco Ayala, president of InfraGard Houston, and Jonathon Gordon, senior analyst at TP Research, all suggested that the ATPC is likely to have a broader focus. “It’s mostly about energy – primarily electric utilities – but there are also participants from oil and gas, chemicals, and at least some manufacturing,” they revealed.

The Houston center will also serve smaller utilities. The American Public Power Association (APPA) will be involved here. It is quite large, with around 2,000 members, mostly from municipalities. One of the APPA representatives is a former employee of INL (Idaho National Laboratory) who helped design and build some of their managed security services. “You may be familiar with Essence, a platform that focuses more on the OT side, while CRISP is more IT-centric,” they added.

The executives revealed that the threat type is becoming much more targeted. “We’re seeing a lot of attacks on business email that are hitting the IT network. Then we’re seeing the next kind of logical transition: Why stop there if they’ve already compromised the network? They can still get quite a bit of value by trying to get into the operational technology space and make an impact there. Right. They’re still often motivated by financial goals, like you think with the typical ransomware. But we’re seeing this transition where threat actors aren’t just stopping at compromising business email. They’re now trying to get into the additional networks to see how they can leverage that for money as well.”

On the topic of IT-OT convergence, executives noted that “there are still a lot of, believe it or not, OT systems that are calling IT. Maybe they’re calling the service now or they’re calling another piece that rests and sits in the typical IT domain.”

They also acknowledged that hostile attackers don’t necessarily have to take down OT directly. “It could be collateral damage on the IT side that still has the same effect. I don’t know if that’s the reason. Yeah, I mean, the threat actors are getting really good at handing over access when needed to groups that can specialize more in that operational technology, and so they can sell the access.”

They added: “So that’s becoming more and more important as OT becomes more and more interconnected with IT. But yeah, absolutely. If they can sow the slightest doubt that in OT, as you said, they potentially have the same influence if security is paramount in operational technology, they’re going to try to potentially shut that down and have the same influence if they don’t have that visibility or ongoing operations. So that’s definitely a trend.”

The executives agreed with a suggestion from Gordon, who said that over the next 12 months, the main impact on financial reputation will increasingly be on non-OT aspects. “Compared to IT systems, this seems significantly more sophisticated and to some extent better protected,” he added.

As for regulatory issues, the executives noted that “2022 and 2024 have been the busiest years for ICS, OT, cybersecurity standards and regulations, and having been in this industry for 20 years, we’ve never seen this much activity. That includes things like NIS 2, of course, but there’s also a lot of design team activity that’s happening at that lower level. I’ve talked about what good security looks like, ICS and OT. So it’s almost like you’re caught in the middle with security. I would say the U.S. side, looking at not only the typical FERC and TSA discussions, but the SEC. They’re extremely busy talking about how they look at CISOs.”

“But I would even go as far as what happened just recently with United Healthcare, where now a CEO had to testify before Congress because he was very influential,” they added. “And the conclusion from that was that CEOs and boards can be responsible for who they put in charge of cybersecurity, not just the standards and regulations themselves. So I think a lot of regulators are still grappling with what ICS security looks like. There are some agencies like FERC that have been doing that for many years, and some that haven’t. And I think that as a result of that, you’re going to see this evolution of learning.”

They added: “It also impacts insurance and credit bureaus because they’re looking at regulations and standards that look good. For example, MFA. I’ve never seen testimony before Congress until this year. They talk about multifactor authentication and a senator writes a letter to the SEC mentioning multifactor authentication. So that terminology is obviously catching on. And then you look at insurance products and the main control they point to is multifactor authentication. So there’s this bubble effect where technical controls are now coming up in board discussions that never did before.”

Gordon emphasized that many people get caught up in acronyms without really understanding them. He cited Zero Trust as a prime example, noting that while the term has gained a lot of attention due to executive orders and wide-ranging discussions, many do not fully understand its implications, especially in the context of OT. “What exactly is Zero Trust in OT?” he asked, pointing out that the concept remains open to interpretation, limiting its practical impact.

Gordon also addressed the growing number of industry standards emerging alongside established frameworks such as NIST and IEC 62443. “With so many acronyms and standards popping up, do we really need more? And will we ever see a convergence of these efforts?” he asked.

In addition, Gordon pointed to the proliferation of industry standards, noting that numerous others have emerged alongside established standards such as NIST and IEC 62443. He questioned the need for these additional standards and wondered whether there would eventually be convergence in this ever-expanding field.

Executives noted that “a lot of that is because standards like 62443 are really about the control engineer. Yes, speak their language. It’s about the automation side. And you know how the cybersecurity framework does a lot of the mapping for you. So you saw even in API 1164 or 3 that it’s built into 62443 because it’s aimed at the control engineering.”

Gordon noted, “In our research, we track various technology categories, such as asset discovery, network monitoring, perimeter protection, and secure remote access. In total, we track about eleven technical categories and an additional six service categories. It’s already a complex landscape for practitioners, especially those moving from the automation or operations side or from IT to OT. Also interesting is the ongoing skills shortage. The skills required are so broad that it’s difficult to find sufficiently trained staff.”

On the topic of training, executives said, “If you turn back the clock, 15 to 20 years ago there were no courses on this at all, now there are. So we’re seeing a lot of different course options. We have college courses now, we have continuing education for people who are working as operators, for people who are moving from there into OT. So I’m sure that makes us 1000% better at it than we used to be. And I think the workforce is probably just getting started, because no matter where you are on the solution side, if you have a trained workforce, they can tell you what to spend your next dollar on, whether it’s processes, a risk assessment, or buying the technology.”

By Olivia
