#107 Securing Critical Infrastructure

on Mon Sep 19 2022 17:00:00 GMT-0700 (Pacific Daylight Time)

with Darren W Pulsipher, Carla Trevino

Intel’s Darren Pulsipher, Chief Solutions Architect, Public Sector, and Carla Trevino, Solutions Architect, Irdeto, talk about the importance of security in critical infrastructure.


Keywords

#criticalinfrastructure #hotms #irdeto #otsecurity #edge #cybersecurity #technology #process


Carla is originally from Mexico, living in Amsterdam after living in several countries, including Germany, over the past four years. She studied industrial and mechatronic engineering, then after working for a few years in the field, she earned an M.S. in mobility systems engineering, where she focused on autonomous vehicles.

The definition of OT critical infrastructure is any point that can trigger chaos in the real world. This is very different from IT infrastructure; IT lacks vital infrastructure. In the OT world, people can die if things go wrong. There can undoubtedly be chaos in the IT world, but the problem can be solved by fixing things. When there is chaos in critical infrastructure such as transportation, accidents can happen, and people’s lives are at stake.

There has been an uptick in the importance of security in critical infrastructure in the last five years, and certainly during the COVID pandemic, when critical infrastructure was in some cases relentlessly attacked. This can be attributed to people becoming bored and more creative, and also to the attack surface increasing with the sudden shift to remote work, which broke down some of the security measures previously in place.

In transportation, part of the issue is the increase in connectivity, which brings potential attacks. Customers want more services, and companies want more data and access to information. With that comes opening up the transport network. The air gap, which previously offered safeguards, is diminishing.

The industry cannot use security measures that IT has been using for years because IT and OT are entirely different. IT is generally standardized, whereas OT is not. OT has a massive ecosystem with significant differences in devices that follow different protocols and implementations. For example, every country has different implementations. OT is also on another level because lives are literally on the line.

Another difference between IT and OT critical infrastructure is that in IT, if there’s a problem in your network, you can isolate it and even shut it down and move the workload elsewhere. That is not possible in critical infrastructure, so the approach is different.

The danger is that IT and OT networks have been collapsed together because of the desire for more connectivity, and at the same time, there has been an increase in cyber threats. Irdeto seeks to educate the industry on the complexities of these problems and offer solutions. It’s all about preventative solutions, not reacting after a disaster strikes.

Carla says organizations must have experts for security. Developing security in-house based on mandated standards is not good enough as the standards run behind the development.

Irdeto has been securing critical infrastructure for 50 years. They have about 1,000 employees, and 70 percent of them are in research and development to keep on top of what type of attacks are happening today and what kind of attacks can exist in the future. Irdeto strives to be one step ahead or future-proof. Their services evolve as the system evolves.

Irdeto can help customers who know what they need, whether PKI, keys and credentials, lifecycle management, or software protection. They can also help customers who do not know what they need and provide lasting solutions as threats evolve.

For more information about Irdeto, go to their website www.Irdeto.com/connected-transport to learn more about their products or contact them directly.

Podcast Transcript

Hello, this is Darren Pulsipher, chief solution architect of public sector at Intel.

And welcome to Embracing Digital Transformation, where we investigate effective change, leveraging people, process and technology.

On today's episode, the importance of Security and Critical Infrastructure with special guest Carla Trevino from Irdeto.

Carla, welcome to the show.

Thank you very much, Darren, and thank you for having me here.

Excited for our talks.

Yeah.

So Carla and I've been working together on a joint effort between Intel and Irdeto.

Carla's the solution architect.

I'm a solution architect.

So we got two real geeky people on today, on the episode, which should be a lot of fun.

And we're working together on security in the IoT space, which is really fascinating stuff.

But first, Carla, before we get into the geeky stuff, tell us a little bit about yourself.

Yeah, thank you very much.

Yeah. So, Carla Trevino, my name.

I'm originally from Mexico.

I'm currently living in Amsterdam in the Netherlands.

I've had an interesting path on my career, international-wise.

I've lived in several countries the past four years.

I was living in Germany.

I know very much what it is about working cross-cultural and living cross-cultural.

I can say that I'm an engineer from background, so we are geeky.

Would be the nice term.

I studied industrial engineering and mechatronics engineering and after a couple of years of working, I decided I wanted to study more engineering.

So I did a master's in Science in Mobility Systems Engineering, and where I focused in autonomous driving cars, vehicles and so on.

So yeah, I love technology engineering.

That's something that I'm into pretty much.

All right.

Finally, a real engineer on the show.

I've had others, but it's great to have someone that just, you love learning.

I can tell, Carla.

Yes, definitely. Yeah.

And then also a little bit going to, this is, you don't know.

I'm going to ask this question.

What has been some of the hardest things when you move to a new culture?

Because you said you've moved to different cultures throughout the world.

It sounds like you've been a lot of places.

What's one of the hardest things to get used to when you first move?

I would say, first of all, if you don't know the language, that's a great barrier.

So when I moved to Germany, I couldn't speak any German, so that was a hard part to start on.

It's been really hard. Yeah.

But getting used to people's behavior, like people acting in a different way.

The typical things that you don't know, as if you have to tip the servers when you go to a restaurant.

What are the normal like?

How do people behave in certain circumstances or things like that, or critical conversations like maybe politics?

How do people talk about those things?

That's hard.

And then I always miss Mexican food, so that's.

All I was going to say.

I love Mexican food because I live in California and I'm a, I'm a fourth generation Californian.

So we have a lot of Mexican food in California.

And I've been to Europe.

There is no good Mexican food in Europe.

Now, I can only confirm.

You can, you can confirm that.

That's good to know.

All right.

Let's, let's dive right into this.

First off, what, first off, what is critical infrastructure?

When we say that term critical infrastructure, what do we really mean?

Well, when we talk about critical infrastructure, it talks about any open point that can lead.

Or let me see, how do I not get so technical into answering this question?

You get technical.

Let's start being basic.

So critical infrastructure comes from critical, right, on what can bring chaos if it's exposed, what can be.

When, when some, when you're managing something, when you're managing infrastructure, if something goes wrong in certain points or in certain parts, that is definitely something that is critical to start with.

We can, we can start with the definition part of it.

So any point that can be, that can be a trigger for chaos can be considered critical.

So in this case, when we talk about it, we're talking about chaos in the real world. Yes.

Audience, not in the virtual world. Right.

This is very different than I.T. infrastructure.

There's very little critical infrastructure in the IT world.

In the OT world, critical infrastructure.

I mean, people die, right, if things go wrong.

Right. Exactly.

I mean, chaos on like our on a people level, let's call it like that.

So I mean, it's IT world, but it's chaos that you can solve by fixing some things.

When there is chaos on critical infrastructure or when you're talking about transportation, when there's chaos, people can die.

Accidents can happen.

Yeah. Yeah.

So we've seen an uptick in the importance of critical infrastructure over the last probably five years and a little bit pre-COVID, but absolutely during peak, during COVID, we saw critical infrastructure being attacked relentlessly.

In some cases.

Have you guys, have you noticed that, too, in the transportation world as well?

Definitely. More attacks more?

Definitely.

I think it's a combination of probably people were bored from not being able to be able to fly and started to get creative.

People got very, I mean, creativity moved into like fears for other people.

So probably that was something that was generated for being locked in the time that we were locked in COVID.

Definitely this had started before.

So we would, like, you would see certain creativity that would harm or that would look into people just testing out, Hey, what happens if I do this?

And but this creativity, I think went beyond what we had seen on the COVID period.

It can be a combination of people being bored, of people having more time to get creative while being at home or of, yeah, of more fears coming out from people's mind and people's mouth.

Yeah, I think that had a lot to do with it.

The, you know, society as a whole was kind of disrupted, right?

With COVID worldwide and people started toying around.

I think boredom was part of it.

I also think with more people working from home, we also increased the attack surface.

So now there were more people working remote, even people that were working in managing critical infrastructure were working remote now.

And I think that broke down some of the security measures that we used to keep in place.

Definitely. And I mean.

What are your thoughts on that?

I mean. I am, I can only agree.

And I think the fact that the companies had to adjust so quick to everyone working from home, they had to adjust their networks.

They had to adjust the workloads.

They had to adjust so many things.

And on a sure like we can say in a very, very short period of time and this opened the possibilities for attacks into different levels than before, because then if you were living in a building and you had, let's say in that building, you could have access or you could have a pretend like you knew everyone was there and you knew everyone was working.

And you probably talk to your neighbors before.

So it opened up the possibility of getting into more layers than it would have been before.

So let's talk specific.

Let's drill down a little bit into transportation.

Um, specifically and how, how is that changed over the last three or four years?

And, and what kind of threat vectors and what kind of threats are we seeing in that area?

Well, I would talk about maybe.

Yeah, what has happened is transportation is becoming more connected.

You have more services that are being offered.

You have more connectivity in vehicles and infrastructure.

And with connectivity, there always comes the potential.

I mean, there comes all the beauties that there are with them.

You can control them, but if you can control them, you can control them for the good or for the bad.

Right.

And, and this comes, I mean, this comes from, from the services that the providers are giving to the final customers, those that are being transported, that they want to have more digital services.

But also the services that are being offered to the transport suppliers or providers from their suppliers themselves.

Everyone wants to become more digital.

Everyone wants to have more connectivity, more access to data, more access to information.

And all of that comes with opening your transport network, which was formerly not open.

So what we know as air gap, so it was not connected, it was safe per definition, right.

So and I think this is interesting because you said services to the customers.

So services like Wi-Fi on the train, other digital services like streaming video and entertainment, all those sorts of things.

I think people don't understand all those sorts of things provide.

You need connectivity to do that.

Right.

And what you're saying is they've broken down that air gap that originally the train was connected, but that was control systems.

Those were critical systems. Right.

Controlling the train.

All of a sudden, those, those, there's connectivity between those critical infrastructure and also all this other connectivity that I have.

Is that what I'm hearing?

Yeah, exactly.

Yeah, that's, that's exactly the point.

So what's so, and so why not just use the IT security stuff we've been doing for years and just put that on the train?

Why, why doesn't that work?

Well, there are several aspects to that.

First aspect is when you talk about IT, when we, when we talk about like the devices that are using IT and the world of IT, we can say it's a world that it's pretty standardized.

That's not true for the OT world.

We have a huge ecosystem with huge differences in devices, fielded devices and such that are following different protocols that are implemented on different.

Even if you go like internationally, every country has a different way of implementing and so on.

So it's not standardized, it's not a mobile device. And, and therefore from that side, it's already a very different level from that.

It second level is what we discussed before, the, the differences in critical infrastructure in talking about, well, if you're on the train and you're a person and something happens to the train, well, there's a possibility of persons getting injured or worse.

So you have to from one side handle it on a different level because we're talking about different things completely.

And why are you talking about different things and the complexities that come with that go with the standardize the different devices, the different everything that there is now.

I love how you said it's not standardized, so it's highly heterogeneous.

So I can't apply just one security standard and just go with every, everyone needs to just follow this.

So that's one aspect.

And then the other one I kind of want to pick out a little bit, and that is if there's a problem in your I.T. network, a security problem, isolate it and quarantine it.

Right.

And then I shut it down.

I can't do that in critical infrastructure, can I? No.

I mean, what are you going to do?

Are you gonna isolate, train and shut it down?

And, I mean.

Yeah, that's a big problem, right?

Definitely.

You can't just shut it down in and move the, move the workload somewhere else.

It's on a physical device and you cannot freeze it until we see what's going on.

So the approach, it sounds like the approach in O.T. and critical is very, very different.

It is. It is.

And I think this is one of the things that the industry and everyone around it has to first of all, understand why it's different, but also understand the differences between IT and OT.

I think sometimes this is not so clear for certain persons or.

Yeah.

So first.

Especially if you're a cybersecurity expert, right?

If you're a cybersecurity expert, you just come in and say, oh, that's a cybersecurity problem.

This is what we do, right?

We identify, we detect, we quarantine, we do forensics on it.

Then we, you can't do that in O.T., so it's a completely different space.

Exactly. Yeah.

So this sounds to me like a disaster just waiting to happen.

Right.

We've collapsed the IT and OT networks together in some aspects because I want more connectivity.

I want more data coming out of those trains to run analytics on.

And at the same time, we've seen an uptick in cyber threats and cyber malfeasance, if that's a word.

And so and people that don't have a real good knowledge on how to do OT security.

Sounds like a disaster waiting to happen.

Is that true?

Well, we hope we don't get to that point.

So this is exactly what we're trying to do.

We're trying to work together with the industry, educate on the complexities, educate.

We don't want to bring fear.

It's not about bringing fear to the industry.

It's about opening the eyes before the disaster happens and looking at cybersecurity.

I mean, you can, we sometimes do this comparison.

It's a sad comparison, but you can see cybersecurity kind of like an insurance.

You don't want to have the insurance after your house burnt down.

You want to have it before it burned down.

You want it not to burn down, of course. Yes.

You don't want it to have her down. Yeah.

You don't want to get to the point where your house is on fire.

But if your house is on fire, you want to have an insurance.

And this is exactly what cybersecurity is going to prevent.

The having the fire, let's say so.

I mean, it's a different level of complexity.

But we, we think there's a, there's a lot of education that needs or that is happening that at the moment.

And we're working together with a lot of players.

And I think this is, I mean, the cybersecurity on the OT side, I think we are all on the same side.

We're all wanting to educate the industry to help them be aware of what there is so that they consciously decide that they need something and take preventive measures before that something happens.

These attacks are getting more and more complex.

Does that mean if I do have critical infrastructure that I need to hire a cybersecurity expert or I need to hire a firm to help me do that?

Or can I do it on my own?

Is it, is it, can I educate myself to do it on my own or not?

Well. What would you say?

I would say it's very hard to educate yourself in topics that you don't know.

So from one side, I mean, if you're confident that you are an expert on the matter and that you can do it on yourself because you have the expertise, then it can be that you build it.

But if you're trying to say, hey, this is something that, I mean, you need experts and experts are only going to be experts if they've done it before, if they know what they're talking about.

So there are, of course, standards, which is, I mean, we all work on, I mean, industry works on standard basis, right?

Sadly, what we're seeing today is that the standards are running behind the development that is coming with the industry.

So of course, you can follow, if you want to develop things in-house, you say, well, I'm following the standards that are mandated.

The question is, is that enough?

And if you're not able to answer that by your own, probably you don't have the expertise to assess whether, what kind of cybersecurity solutions you need, what kind of protections do you need, where you're vulnerable, what are your vulnerabilities and things like that?

So this is where Irdeto comes in, right?

You guys have a long history of securing critical infrastructure.

And so I'm sure you guys have seen an uptick in business in the last couple of years.

I would guess you have.

Is that true to say?

Yeah.

Well, Irdeto, it's a company that started doing cybersecurity and that is five zero, not one five.

So we've built time.

You know.

It's more than I've been alive, I can tell you that.

So with, we have experts and we have expertise that has been evolving as industries have been evolving, as these malicious attacks have been evolving.

And we're no, there's no end point to this.

There's going to be new ways, people are going to get more creative.

Technology is advancing and there's going to be new ways of attacking.

But companies like our company, we are a company, we have around about 1000 employees, but 70% of them are in research and development and they're looking into what kind of attacks exist today, but also what kind of attacks can exist in the future.

And we're doing the research into that and we're making sure that we are future proof.

We want to be one step ahead.

We want to make sure that our customers are going to be protected not only the moment that they get a secured system, but also ask the security.

As the system is evolving and the new use cases are coming, that our, our services are also evolving with them and that they're going to be secured in the future as well.

So it's not something that you just buy and you implement it today.

You can't just buy it and say, oh, I'm secure right now.

That makes sense.

And I like how you said, I mean, everything's evolving, right?

The cybercriminals are getting really sophisticated.

We saw that with the Centennial Pipeline breach.

That was very interesting.

And there's been several others as well that, that the people thought they were air gapped, but they weren't because cyber criminals have figured out how to bridge air gaps.

Now in creative, very creative ways.

So tell me a little bit about the types of, you mentioned tools that you guys have, but what's your approach when, when you talk about securing critical infrastructure, what are the key tenets that you guys have put into place, both in, in process and technology?

Because I know you guys do both. Right.

And so tell, tell us a little bit about your portfolio, what you guys have available to help people?

Well, there is, let's say there are always the two sides of the story, right?

When it comes to, hey, I'm a customer, I need some support.

So there are, and there are different levels where the customers are.

There are customers that really know what they want and what they need.

And you can talk very straightforward into the solutions that they need.

And this is where we can talk about portfolio, about specifics.

So what do you need?

Are you talking about you need PKI?

I do need some kind of keys and credentials.

Life cycle management.

Do you need, are you looking into protecting your network?

Do you need an anomaly detection system?

These are all solutions that we offer.

We offer, for example, software protection as well.

But there's also customers that are kind of more into, I don't know what I need.

I don't know what else. Yeah.

You don't know what you don't know, right?

That's tough.

So, I mean, we have expertise and we're more than happy to walk with our customers, to walk with the and with what kind of solutions are there in the industry?

There are several practices that you can have that you can implement.

For example, when you're talking about, I want to protect my asset, we can make some kind of guidelines like device hardening to detect where the vulnerabilities are and detect what kind of solutions are needed to mitigate those vulnerabilities that the customers have.

So we can, we mostly work on implementing managed services because we do believe that the customer needs us to work together with them and give them a solution.

As I said before, not that, hey, here's what you need.

Put it on your, on your system.

And there you go.

You're good to go because the thing that the threats are evolving, the hackers are getting more creative, technologies evolving.

So we want that our solutions evolve with them.

We want to make sure that our expertise is being offered throughout the lifespan of the, of the asset that we're protecting.

But we can also offer what there is before, some kind of professional services that might be needed so that they're aware of what they need to implement beforehand.

Right.

And I love that you guys have that service because you're right, a lot of people don't know how to even secure their critical infrastructure.

Right.

Maybe they just use the Purdue model, which is just air gapped it and then someone walks in with a USB key and sticks it into a device and all of a sudden you've got malware spread throughout the whole OT network.

We've seen that time and time again.

So you guys understand the crime, the criminal element, let's call them what they are, or the nation state that's trying to disrupt your critical infrastructure.

So it's good to have you guys come in and kind of do an assessment, right?

This is where you're at.

These are the tools that you need and so on and so forth.

I love the approach.

I think it's, it's very valuable.

If people want to find out more about this approach and what Irdeto can bring to the table, where do they go?

Going to our website, that's Irdeto, you spell it I-R-D-E-T-O, dot com slash connected dash transport.

There you can find some information about our products. Definitely.

There's also an option to contact us directly from there.

And then you can, like, we can schedule the first call to get to know you, that you get to know us and that we start understanding what the requirements are.

So, I mean, you can get a good understanding of our products from the website, but don't be shy to ask for, for getting in contact with us and we will make sure to give that information more in accordance to what the customer specifically is needing or the company.

Oh, that's great.

Also, you guys, we work together, Intel and Irdeto, we're working together so that you guys can even make your tools even more secure by using Intel's technology under the covers.

So a great partner here, Irdeto.

And Carla, thank you.

It's been, it's been very enlightening today.

I learned a lot of things.

Yeah. Thank you very much for having me.

And yeah, I'm looking forward into our collaboration.

I think bringing security foundation from hardware plus adding extra layers of software on the security in top of it, what Intel has to bring, plus what Irdeto has to bring will definitely help the industry get one step further into being more secure.

Thank you for listening to Embracing Digital Transformation today.

If you enjoyed our podcast, give it five stars on your favorite podcast insider or YouTube channel.

You can find out more information about Embracing Digital Transformation at embracingdigital.org. Until next time, go out and do something wonderful.