Pub 2 2020-2021 Issue 3

The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) regularly puts out threat alert information to relevant critical infrastructure sectors and supports the various sectors, including their Information Security and Analysis Centers. CISA is a good resource for best practices and other information; however, it is up to each individual organization to secure their networks and devices. What are the best ways for companies to protect themselves from ransomware attacks? Based on our experience in the field, we believe that organizations must first understand their own risks and how their environment interacts with technology (environmental vulnerabilities). For example, at Woodstar Labs, we have a dedicated process to identify, classify, and quantify risks. Once risks are identified, we can help prioritize these risks and understand ways to either mitigate, transfer, or avoid the risk. This process will build an in-depth defense perspective, ensuring that resources are allocated to the highest priorities. By establishing this process, we help organizations understand unknowns and how they may af fect their business. In the OT and the critical infrastructure environment specifically, key processes must function without digital dependence. That is, there should always be an analog fallback to ensure that critical functions can still operate if or when digital assets are compromised or unavailable. Although the analog functions will lack efficiency and might be more resource-intensive, they will allow for key initiatives and processes to continue until the primary systems are recovered. What training is needed for someone to be a cybersecurity expert? Becoming an expert in any field involves a dedicated journey that requires someone to commit time and personal development to master. However, cybersecurity is a great field to start at any point in one’s career. There are several entry-level certifications that someone can take to gain an initial understanding and foundation. For example, AUI has several certifications (entry-level, intermediate and advanced) and training courses that someone can take to advance their current career or start a new career in cybersecurity. It is a growing field and one that requires all organizations to attract those with the skills and the talent. The DoD maintains a list of certifications that they commonly require in their 8570 publication. If an organization is looking for a list of recommended certifications, that ’s our go-to reference. Are there any other comments about cybersecurity you would like to make? Leadership must prioritize cybersecurity to ensure that their organizations are successful at establishing good cyber hygiene. As organizations grow, they will be more visible, and they will need to ensure that their risks are identified and Mr. Horn serves as the Director of Operational Technology (OT), leading the OT Cybersecurity Department for AUI & Woodstar Labs. Mr. Horn operates across AUI to set the strategic direction for the OT research portfolio in areas relating to industrial control systems (ICS), industrial internet of things (IIoT), building control systems (BCS), Smart Grids and Supervisory Control and Data Acquisition (SCADA). He is responsible for identifying new and evolving opportunities in basic and applied OT research; and leads AUI Labs business development resources on the most relevant and timely opportunities. He is also responsible for the organization’s cybersecurity maturity model certification (CMMC) efforts related to business development, education initiatives, and program growth. At Deloitte, he served as a SME for ICS cybersecurity. Project work included testing, analysis, cybersecurity, and DoD Risk Management Framework (RMF) accreditation support for the Navy’s NAVFAC Smart Grid project. In addition, he provided cybersecurity services for critical asset discovery, governance, security control implantation, and cybersecurity audit analysis for process control networks for several major U.S. commercial refineries and NIH. As a lead engineer at Booz Allen Hamilton, he served the federal client in ICS and as an overall SCADA/DCS SME. He provided guidance and recommendations for ICS topics related to cybersecurity and vulnerability analysis. In addition, he supported the concept of machine learning applications to OT cybersecurity architecture. Previously he served as a chemical engineer at Eastman Chemical Co., led roles in process improvement, resource & energy efficiency, project management, safety analysis, manufacturing support & troubleshooting, industrial controls, research & development, environmental operations and personnel management. As an Army Major, he served as a leader in the Army Engineer Corps and Army Aviation. Positions include Company Commander, Operations & Plans Officer, Aviation Maintenance Officer, Battalion S3, Battle Captain and Platoon Sergeant. Leadership experience includes Combat service in both Afghanistan and Iraq. Education: University of Kentucky MBA, Gatton College of Business B.S., Chemical Engineering Certifications & Security Clearances: • Professional Engineer (P.E.) • Project Management Professional (PMP) • Certified SCADA Security Architect (CSSA) • Security+, Network+ • FAA Certified Commercial Pilots License (CPL) • Six Sigma Green Belt • Active TS Clearance mitigated. In addition, organizations must evolve with the technology and the changing threat landscape. If organizations do not have the skills or talent in their own teams, they must reach out and find great partners to help them in the cybersecurity journey. We also should note that there are many resources available to help organizations improve their cybersecurity posture that won’t break the bank. For example, AUI is establishing an apprenticeship program focused on assisting manufacturers across the state of Utah. We’re partnering with Davis Technical College, the University of Utah’s Manufacturing Extension Program, and ImpactUtah to create and launch this program this fall. If any readers would like to get involved, please just reach out and let us know! For more information, please contact Mr. Horn at (517) 378-6834 or tahorn@aui.edu . Continued from page 9 ... there are many resources available to help organizations improve their cybersecurity posture that won’t break the bank. 10 UP DATE