#116 An Argument for a Holistic Approach to Critical Infrastructure Security


on Wed Dec 14 2022 16:00:00 GMT-0800 (Pacific Standard Time)

with Darren W Pulsipher, Steve Orrin, Anna Scott

In this episode, Darren talks about the convergence of OT and IT cybersecurity with security expert Steve Orrin and industrial OT expert Dr. Anna Scott.


Keywords

#criticalinfrastructure #iot #it/otconvergence #otsecurity #cybersecurity #edge



There is a real threat to Critical Infrastructure

According to Dr. Scott, OT organizations still use the traditional Purdue Model, which leverages air-gapped and firewalled-off networks. However, this model is starting to fall apart as IT and OT networks converge. Businesses are trying to get better insight into what is happening in their operational infrastructure. As a result, they punch holes in the previously well-isolated networks, exposing them to cyber threats. Additionally, cybercriminals are finding ways to circumvent air-gapped and firewalled networks.

Steve argues that leveraging IT best practices can help, but OT professionals and IT professionals have different motivators and operating models. Continuing to isolate your network is still a good strategy but should be one of many tools used in critical infrastructure cybersecurity protection. OT security should look at IT cybersecurity best practices for ideas to improve their networks and infrastructure.

IT and OT differences impeding Best Practices

IT systems are traditionally updated quickly or continuously based on security profiles. One of the primary tools to improve security is basic security hygiene: patching operating systems, firmware, and software in the IT infrastructure. However, as Dr. Scott explains, OT systems managing critical infrastructure cannot have downtime, and the window to update these systems is measured in years, not days. It is not uncommon for machines in OT infrastructure to run for 5 to 10 years with no downtime, meaning no patch updates.

For example, in the oil and gas industry, refineries operate continuously for four to five years, have a one to three-week downtime for upgrades, and then operate again for four to five years. These operating models are not conducive to the traditional continuous security patching that IT organizations typically use. However, Steve elaborates on many other cybersecurity tools that should be leveraged when cybersecurity patches cannot be applied to existing devices because they control critical infrastructure.

Best Practice Risk Assessment

The primary cybersecurity best practice is risk assessment. Even though risk remediation may be different, the risk assessment process can be leveraged equally across OT and IT environments. Steve argues that the first step of the risk assessment process is getting a complete inventory of hardware, firmware, and software assets in your OT environment. This first step is critical in evaluating your cyber threat position and assessing the risk your organization is willing to take. The next step is to evaluate CVEs against your known inventory.

It is critical to recognize that this is a continuous process and not to be done just once or periodically. Some OT professionals have argued that their OT environments are static and do not require ongoing risk assessment evaluation. However, Steve points out that even though OT environments may be fixed, the threat environment constantly changes, and business factors can change the organization’s risk position. Therefore, continuous risk assessment must be done to protect critical infrastructure from bad cybersecurity actors.
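One way to run the inventory-then-CVE assessment described above, as an added example that is not part of the original show notes. Asset names, products, versions, advisory IDs, scores and the 30-day patch horizon are all constructed assumptions, and risk is simply severity multiplied by criticality.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    firmware: str          # installed firmware/software version, e.g. "2.4.1"
    criticality: int       # 1 = support system ... 5 = mission/safety critical
    vendor_managed: bool   # True if only the vendor may patch the device
    next_window: date      # next planned maintenance window (turnaround)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str       # constructed placeholder ID, not a real CVE
    product: str
    fixed_in: str          # first version that contains the fix
    severity: float        # CVSS-style base score, 0.0 to 10.0


def version_key(version: str) -> tuple:
    """Turn '2.10.3' into (2, 10, 3) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """An asset is affected if it runs the product below the fixed version."""
    return (asset.product == adv.product
            and version_key(asset.firmware) < version_key(adv.fixed_in))


def remediation(asset: Asset, today: date, patch_horizon_days: int = 30) -> str:
    """Pick a remediation that respects OT constraints instead of 'patch now'."""
    days_to_window = (asset.next_window - today).days
    if asset.vendor_managed:
        return "coordinate fix with vendor; compensating controls meanwhile"
    if 0 <= days_to_window <= patch_horizon_days:
        return "patch in upcoming maintenance window"
    return "compensating controls until next maintenance window"


def assess(inventory, advisories, today: date) -> list:
    """Match advisories to the inventory and rank findings, highest risk first."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            if not is_affected(asset, adv):
                continue
            findings.append({
                "asset": asset.name,
                "advisory": adv.advisory_id,
                "risk": round(adv.severity * asset.criticality, 1),
                "exposure_days": max((asset.next_window - today).days, 0),
                "action": remediation(asset, today),
            })
    findings.sort(key=lambda f: (-f["risk"], -f["exposure_days"]))
    return findings


# Constructed sample data: a static OT inventory and an advisory feed.
TODAY = date(2022, 12, 14)
INVENTORY = [
    Asset("crude-unit-controller", "ExampleCorp PLC-X", "2.4.1", 5, True,
          date(2026, 9, 1)),
    Asset("historian-server", "ExampleOS Linux", "5.10.3", 3, False,
          date(2023, 1, 5)),
    Asset("wastewater-hmi", "ExampleCorp HMI", "1.2.0", 2, False,
          date(2024, 6, 1)),
]
ADVISORIES = [
    Advisory("EXAMPLE-0001", "ExampleCorp PLC-X", "2.5.0", 9.0),
    Advisory("EXAMPLE-0002", "ExampleOS Linux", "5.10.9", 7.5),
    Advisory("EXAMPLE-0003", "ExampleCorp HMI", "1.1.0", 8.0),  # already fixed
]
# A later advisory: the inventory has not changed, but the threat picture has.
NEW_ADVISORY = Advisory("EXAMPLE-0004", "ExampleCorp HMI", "1.3.0", 9.8)


if __name__ == "__main__":
    for label, feed in (("initial", ADVISORIES),
                        ("after new advisory", ADVISORIES + [NEW_ADVISORY])):
        print(label)
        for finding in assess(INVENTORY, feed, TODAY):
            print("  ", finding)
```

Re-running `assess` against the same inventory with an updated advisory feed is what makes the process continuous: the third finding appears without any change to the plant.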

Dealing with OT Vendors

Another interesting factor in OT infrastructure is the shared security model with device vendors. In many cases, these embedded devices controlling multimillion-dollar critical infrastructure are managed by the vendor, not the OT professional. Only the vendor can make cyber security patches and updates to the devices. This can sometimes lead to vulnerabilities in your OT environment, increasing the risk of cyber infiltration. Steve brings additional cyber security tools to help protect assets that cannot be patched with critical cyber security patches, including increased isolation of affected devices, deploying watchdog devices, and introducing canary design patterns into the OT infrastructure. These tools can help protect and isolate the device to prevent the spread of a compromise and access to compromised assets.

What to do when you are compromised

So what do you do when you have a critical infrastructure that has been compromised? Can the organization handle shutting down the infected infrastructure? What business continuity plans are in place when hazardous situations occur? Can this be used when a cyber security event happens as well?

The key here is to isolate the infection as quickly as possible to minimize the impact on the critical infrastructure, decreasing the effect on the operating reliability of the necessary infrastructure. The goal is to reduce the impact and protect the safety of people and the infrastructure involved.

Find out more

Continue to look for more podcasts on OT cybersecurity. Additionally, a whitepaper describes the challenges of converging OT and IT cybersecurity environments.

Podcast Transcript

Hello, this is Darren Pulsipher, chief solution architect of public sector at Intel.

And welcome to Embracing Digital Transformation, where we investigate effective change, leveraging people process and technology.

On today's episode, an argument for a holistic approach to critical infrastructure security with our special guest, Dr. Anna Scott and Steve Orrin.

Anna. Steve, welcome to the show.

Good to be here.

Thank you, Darren

I know it's hard to know who to go first when I'm going to people.

To sort out at the same time say.

You guys have been on the show several times, Steve,

I think I think you're my number one interviewee.

I think. Anna, your second.

This is like your fifth time.

I think it's been a lot. Yeah. So.

And the reason I ask both of you on today was I wanted to get a different perspective on critical infrastructure security.

First off, from a former CSO and a security expert.

That's you, Steve, if you don't know.

And also from an industrial IoT expert like you, Anna, because you've been in the trenches in industry trying to work through these and critical infrastructure environments.

So both of you on together, we should help figure out what's going on as far as critical infrastructure, cybersecurity.

So let's first get kicked off by with you in a little bit.

Is is there a real threat to critical infrastructure, cyber security, or is that just a red herring or something we're just hearing on the news because there's nothing going on in the news cycles to know.

It's a huge it's a huge concern. Right.

And it's a it's a huge threat.

It it does depend a lot on how the individual companies are dealing with their systems.

Right.

There's still a predominance of the way you protect really critical systems is you just don't let anything access them through through anything except being in the same room with them.

So that that's a great way if you can control around insider threats because you have a very limited attack surface and you've got a great deal of control in that space, there's all sorts of reasons why that just does not work well in the modern world, because that tends to prevent taking advantage of a lot of modern technology, especially when you get into what you can do with analytics and analytics across different data sets.

So so yes, you can continue in that pattern, but you do that at the expense of not being able to take advantage of those tools and bring that competitive advantage into your space.

But as soon as you do that and you connected to the Internet or you can connect contributor systems, now you've got a whole different set of protections that you need.

And these tend to be things that are not well understood and especially where operational folks make the call, which is what happens in the space, then you have some real challenges just in understanding what are the real threats, what are the real tools for to protect against them.

And the question that you addressed with your paper, Darren, which is can we really use I.T tools in this space and use them to good advantage?

And I love that idea because I think there's so much more that can be done and much more that can be leveraged to just deal with the, the specific problems that happened in the operations.

So, so what what I heard a little bit there in is the the Purdue model that everyone's been using this isolation either firewalled off or completely air gapped.

That's a naive approach in today's modern things because I need the data out.

Yeah, I hate to use my because I think there's some really good reasons for it.

And I, I guess having worked in situations where where my life has depended upon the systems working and not having it having to be tampered with and, you know, having malicious intent,

I, I'm pretty comfortable with that.

But I do think that there's a big cost that goes that goes with that.

And so so it's really like getting a good handle on your risk profile.

Like, I'm going to cite Steve here because I love this so much.

Right?

It's like if you try and figure out how to do zero trust, what you have to start with is what's your real risk profile and what really matters, right?

Because if you take that type of approach, then that helps balance off what's really happening when you do this connectivity and you bring these assets together. Right.

And so I think you still have to do an assessment, which is do those new capabilities bring you enough value to overlay the risk of the vulnerability of those systems, especially when you know, one, you're going to be constantly trying to keep up with the hackers and all of the new software and everything else.

And that is a pretty high request and pretty difficult to do in some cases, especially with organizations that don't already have that type of capability.

And so really having a handle on that relative to what's the real benefit to your business.

Right.

So, Steve, she she quoted you, you got to come in and cyber and and also

I want you to address a little bit of

I call it naive and thank you, Anna, for for correct me on it, but I still think there's a little bit of false security behind a isolated network.

So, Steve.

So, Dan, I think Anna does hit it right.

It's understanding the risk profile.

I think one thing and maybe naive is not the right term.

I think the cat is out of the bag.

Those systems, that critical infrastructure is connected.

They're connected to IT systems.

They're being managed in a distributed fashion.

They are getting tapped into from the outside.

They're interconnected amongst themselves.

So the notion of a truly isolated environment or a critical infrastructure environment is actually a notion that isn't true anymore.

In many cases, what's considered to be an air gap of the old or where you physically had space is now more a virtual or logical air gap.

And then we're seeing attacks that can jump that virtual or logical air gap.

And in many cases, the what you thought was a logical or virtual air gap is not an air gap at all.

And so systems are much more connected than they've ever been.

And so I wouldn't that's I call it naive.

I just say, like in some cases it's already happened.

And so the question isn't, well, should I open up my network, your network, because your systems are already open.

It's now how do I start to apply the right controls and falling back on?

Well, I'm just going to continually isolate and that's been a major approach is is a good one.

It's a tool.

It's not the only tool and it's not the complete tool.

It's one of the tools.

So encrypting the network traffic or providing logical firewalls to separate networks that do network segmentation is absolutely a great tool in the arsenal.

But it alone will not prevent this kind of threats that these

OT and critical infrastructure systems are seeing.

And so when you look at it from that perspective, it's okay, let's understand the risks of the OT systems, understand how they're different from the I.T systems that many of these security products and technologies were originally designed for and apply those security controls in an old fashion.

I think that's one of the learnings both from from the paper that you published as well as what organizations that are doing this right now are seeing is leveraging its security capabilities and controls in an way.

So I think glad you said in an odd way, because a lot of times I've seen the IT professional, the CSO come in with a hammer on the operational guys and say you need to be secure, update all your patches, right?

Everything needs to be updated.

And Anna, is that doable?

Well, depends on how old your equipment is, right?

Well, I mean, yeah, some of this equipment is 50 years old.

Yeah.

And then there's a lot of diversity in it as well. Right.

And so many of those systems were designed so that maybe you update the firmware once every ten years and you're going out there with a USB stick to do that.

Right? Because it does.

Does that scare you, Steve, when you hear that ten years you haven't updated your security patches in ten years?

And I wish it was something that was novel, but we see this often in OT edge environments, even in systems that are supposed to be it related, but are driving those.

So that's actually an interesting point is when you go look at an industrial manufacturing line or you go look at a smart city or any of these sort of operational technology, critical infrastructure, and you go look inside the cabinets, you go look, it looks like an I.T system.

There's a rack of servers in there now that are driving those technologies, monitoring them, doing the the operations that once was very analog.

And so that the scary part is that those i.t systems do need to be patched regularly.

They do have vulnerabilities.

But as I pointed out, there's a reason why they don't get patched the same cadence that standard i.t. Yeah.

And why is that a why?

So they really weren't designed, they weren't designed with this whole idea of you're connected all of the time and you need to be constantly updated. It's what is the difference between streaming on your music, on your iPhone, right, where you're connected all of the time and everything's completely up to date and having an old iPod where you can load it up once and then run that sucker until it died, right?

Or until it just really needed attention.

So and I shouldn't have you start because that's not how you fix the old system, but it's just kind of the idea.

It is it is a just a completely different world.

If you are living in a space where you're constantly connected and so much of the legacy equipment, it was never designed with that in mind.

It was it was hardened in a way that once you install that, you could really keep it going for a very, very long period of time.

And so you have this much longer lifecycle like so.

That the applications that are being supported by the systems are very different from it.

So if your email goes down for a couple of hours, it's no.

Big deal.

Life goes on.

But many of these critical infrastructure that are driving your power, water treatment, you know, lifesaving devices inside hospitals, they're not meant to be taken down by a patch that, you know, that didn't do.

It's quality assurance to the same level and the regular cadence of being able to do things and bring things offline and bring them back in.

That's a modern i.t concept, but these systems were meant to, like I said, run for 15 years nonstop and that's not something that is easily, you know, deployed patches or to be able to do, you know, inspections and security tools that get in the way of the operational technology.

And that's again why I talked about it in an odd way.

So it sounds to me like there's a total mismatch in motivation and in in results in the space right?

High availability.

We're not talking three nines, we're talking 12 nines.

Right.

I don't want I don't want a heart monitor or a heart machine to oh, I need to reboot or I need to reboot every three days.

You don't want that.

Or even your power grid you really don't want down.

So because the because the motivation is so different, can I really use the same techniques in I.T in O.T. or, or do I just go and I understand the isolate myself because I don't want any change.

Things are working.

Don't bother me. Right.

Isn't that how it's done In a.

Probably way too often.

Right.

And there's definitely a risk associated with trying to fix your problems.

Right.

The same way there's risks with just continuing to do nothing and keeping your fingers crossed.

There's a lot of very clever people that still want to find ways to disrupt systems, even the legacy systems.

Right.

And in some ways, many of the legacy systems are more vulnerable because they were designed before modern hacking was really happening.

Right. So there's just some some real concerns there.

But I do think that there's a real place for having the i.t.

Tools, right?

Like, there's a lot of tools that can say I'm going to look at the network, I'm going to identify everything that's on the network.

I'm going to identify what is the current level of firmware.

And then if it's set up properly, you can say what is, what should be the current version and where do you have gaps in some of the tools where you're actually sophisticated enough, where they can say,

What's your real risk associated with not having those updates in place?

And when you get into that level of sophistication and that becomes very, very valuable, right?

Because now you have a clear picture of what's going on and then you have a way to actually prioritize that risk.

Granted, I don't know that you ever want to trust another company to do that.

You probably want to be at least understand very clearly how the software made the decisions about where your risk really lies, because there's no way a software company knows what each of your individual components are really controlling and how how critical those can be.

So so you got to stay very involved.

Right?

But if you have that type of assessment, at least you can start out and do that.

And my understanding is that's pretty common on its systems, right?

There are tools that can do that, and there's lots of tools that can do that.

So at least you're not just having this big black box and a bunch of question marks.

You can say, let's start doing that assessment.

And if those types of tools can find things on your network, that means somebody who's coming into that environment can also find things, right?

So you really do want to understand what's discoverable and what is its current status and and then determine where you take this.

So that brings up one of the best practices that we know about in its cybersecurity, which is risk assessment.

And Steve, can you talk a little bit about risk assessment?

Because I know if we ran a vulnerability scan, there would be tens of thousands, hundreds of thousands in any company.

You can't do them all.

So this is where the risk assessment comes in.

So can you explain how I can leverage the

IT risk assessment?

Best practice in the OT space as well?

Absolutely.

And so it really starts with what Anna was talking about.

You can't secure what you don't know.

And so starting with the asset inventory, the discovery to understand what your assets are, understand what's running inside the box, what you know, what firmware, what operating systems, what versions you need to create that asset inventory to be able to do the next phase.

And before you even get to your security considerations, the next piece of this, this is actually defined as part of the next cybersecurity framework is once you know what your environment is, understanding what's what they're doing, what is the purpose of those systems.

And this is important.

When you do your risk calculation, you need to know what are your mission critical, what are the necessary support systems to keep those mission critical systems operational so that you can create that risk profile and understand the prioritization of applying the security.

So before you ever get to your first encryption key or firewall, it's knowing what you have in great detail, understanding what those systems and processes and technologies do for your business, for your mission systems.

And then from there you can start to apply a risk calculus.

And that risk takes from published vulnerability.

So databases, there's new technology, new standards and formats around softer built materials and vulnerability.

And in our exchange called VEX, to be able to give you information about what's the vulnerable state of the components, there's a lot of great information out there already in the might or frameworks to let you do the assessment of what you found.

So no, this version of Linux has got this level of vulnerability or this particular product over here has these CVEs that I need that haven't been patched in the version

I have.

So you get that information now you have what you have, what's it called, what's critical in your organization and what the known vulnerability, the other side of the risk assessment besides the known form is understanding.

And this is where things like pen tests, scanners and other kinds of tools give you an idea of what your overall threat landscape is.

Those come together into understanding your risk profile.

So I understand what my current assets are, what the known risk, what the potential risk, and then the what these things are usually important for helps guide the prioritization of, okay, now

I need to start planning security tools.

And it's only at this last phase that you start applying process, technology and procedures to do the compensating controls to reduce or mitigate the risks that you've identified.

And that's your standard I.T flow that I've been describing can be absolutely applied to the OT systems, understanding that the what you actually implement the process, the procedures have to be done in that way.

So it's not going to be well,

I'm just gonna push a button and patch everything or I can just put a, you know, an encryption system onto or an enterprise product on to that, that PFC device.

You have to be able to apply the right kind of controls, but it's only at that last phase of the process of assessing the risk environment, your risk posture, and then the prioritization that your assets tell you about that, then you can start to make the decisions and applying budgets and actually building your capacity and capability to mitigate the controls.

And it's not a one and done this, not like we're finished.

We did our assessment. Okay, we can go back.

It's an ongoing, constant process because even if you're in a nice, structured environment, that never changes.

For 15 years, the threat landscape is always changing.

Your app threat, your risk appetite is actually always changing.

What's happening in the macroeconomic world changes regularly.

And so reassessing and reevaluating.

Are your controls sufficient?

What's next on the list

Prioritization list to be addressed and verifying that you're mitigating controls are in fact doing what they said they do are all part of the ongoing process of securing your infrastructure.

Whether that's it or not.

I want to

I want to reemphasize what you said there.

Even if your own environment is static, the threat environment changes and your business motivators can be changing too.

So you have to constantly evaluate and nothing.

I like that you said to let's say that I have a certain version of Linux that has a security vulnerability across it and it doesn't mean

I'm patching everything on the outside.

It may be I can't patch that because name the critical infrastructure, so I have to come up with a different remediation for that device, a.k.a locking it down completely as far as network and monitor the firewall around that one device more rigidly.

That might be a different remediation than doing the patch for example.

So Darren, so two things we've seen successful inside of environments.

These two terms

I'm going to use of that new kind of mitigating control when you can't just flip a switch and turn on encryption.

One is what I call watchdog approach, where you take a modern system, put it right up next to a legacy system on the wire so that they can monitor and have the advanced inspection and detection in.

Particular, watching everybody.

On behalf of the device that it's proxy in.

And the other approach that's often used is what I call the canary approach, where if you've got an environment where you have a segmented network of legacy systems that are hard to patch, you can't get the right the tight security controls.

You put a detector in there on the network that has those does advanced detection and B, it becomes the canary for that.

That segment.

So it will alert, whereas legacy systems don't have the capacity to alert or to tell you that something is being attacked or are being targeted.

And so that watchdog in Canary combination is a different kind of compensating control that is very popular in O.T. because it doesn't require going and changing that policy itself.

It's about adding the right i.t capabilities into that environment to to proxy those systems and to give them the capabilities without impacting know mission critical functions.

And there's also another thing I heard.

I was talking to our own

OT organization and they were saying we actually can't patch some of the devices in our infrastructure because we're not allowed to because it's the vendor, right?

It's their machine, right.

If we touch it, then our warranty on this multimillion dollar particle accelerator or whatever it is, right, is is now null and void. Right.

We can't we can't enforce some of our security things on some of these embedded devices.

But we know that there's a vulnerability in there.

Right.

Is that a common thing that you're seeing as well, or is that just unique to these really huge, you know, manufacturing or fab

OT systems?

So I think it can definitely be definitely be the case.

You know, like a lot of on the industrial side, what we really worry about is the control systems because because that's where you can go in and mess with things, right?

Otherwise you have to.

Be that's where you're messing with the physical world.

Right. Exactly.

I'm sorry.

I just got a call. So.

So updating those control systems, you're not going to be doing that in isolation.

You're going to be doing that in close coordination with who the vendors are and make sure that you've got a plan that you've executed with with them.

The other thing I wanted to mention, because we haven't talked talked about it yet, is often in the oh two systems, your only window for really doing updates is when you're shutting down for planes, flat maintenance.

So that's another factor that comes into it is you really do have to say, well, when I worked in refining, we did turnarounds between three and five years, depending on the type of unit.

Literally all of the updates to major systems had to fall within the three week period of turnaround because that was the only time it was really safe to go in and change those systems.

And it was also the only time we could actually test them to say,

Hey, we've just made this change.

Is it really ready to come back online?

And so those intervals around the planned maintenance can also be extremely important as well as the point that you brought up, which is then talk to your vendor, right, when they're part of those critical systems.

Because because they will they will have strong opinions, Right?

I'm sure they will about. How to do that properly.

Now, in a refinery where you work, how how often are these turnarounds?

How often do you get to do that?

Once a year, six months, three years, four years?

Well, typically, the kind of average cadence was about four years.

If you're really stretched on profitability, you try and push it to five just because those are extraordinarily expensive.

But yeah, so about a four, four year time frame, right?

So if you can imagine, you've got a control system that's running everything and you only get to touch it once every four years, right?

That's that's. Crazy. You touch it.

Now you've got a window that's maybe if you're lucky, it's three weeks.

And if it's somebody you can do the maintenance maintenance on really quickly.

It's like one week, right?

So fit and everything.

You've got to change in a one week period and you got to plan for that because you know, your next opportunity for an update is also going to be four years.

And it's a similar cadence in a lot of military systems as well with the tech refresh as being once every three or more years.

One of the techniques that we're seeing being adopted by a lot of the more advanced organizations and we're seeing vendors actually supply this to their customers of some of these environments is what's called a digital twin.

And the idea is that you have a digital virtual version of that physical asset of that policy or that controller that you can apply changes, you can do patches too, and run simulations and basically run it through its paces to see what impact it may have on the digital twin version.

Now it's not you're still going to want to do physical or testing, but allows you to do a whole lot of pre-loaded tests before you ever get to touching that that system where you got that one week window to do all of your testing and all of your patching.

And so we're seeing digital twins come up.

I've seen them in the construction industry.

I've seen, you know, in facts where there's digital versions of those that are supplied along with the product for the contractor to basically run their their simulations both from a patching, but also test on load, be able to look at the environmental conditions and changes there and be able to do those tests in a virtual simulated environment.

That's one technique that can actually be applied to security patches as well.

You know, we're also seeing

I've been approached by a couple of state governments to set up a site in cyber range where in their primary focus has been on the electrical grid system, which I found totally fascinating.

Right.

They want us to help them establish a noticeable range so they can test out some of these new architectures that we're talking about, like the watchdog, the canary, the the data diode and some new ones that we're talking about around one is called the the patch here or the patch airlock pattern, which is an interesting pattern as well.

Do you even with these things, we still have this long cycle time between being able to to update and A, do you ever see us where we could do continuous updates on these critical infrastructure systems or is there just too much risk involved in updating, you know, controllers as there as they're operating?

Yeah, And I think, yes, with time anda lot of it's redundancy of capabilities.

Okay. Right.

There's athe there's been work going on forit might even be seven years nowthat is the Open process automation forumand they have been leadinga consortium effort through the Open groupto really do a modernizationof control systemsfor not just refiningbut chemicals and pharmaceuticalsand kind of all the groups that usethose sophisticated control systems.

And there's specifically addressing this.

Right?

They've got a whole cybersecuritysubcommitteethat much of it is really coming downto what's the design,

How do you have the redundancy set upso that if you lose onecapability, do you have jail overwithin the timeframe?

That's important.

So that does it kick out your equipmentbecause a lot of equipment,if it loses a signal like ato a power failure or even a power blink,that'll just take it down.

So there'sthere's some real hard and fast rulesthere.

I think all of that is fantastic.

But I'll I'll kind of add on top of that,the next thing that has to happenis people have to trust those systems.

And so once they've got a good design and they start doing those testbeds, there's going to be a lot of rigorous testing that goes on for years and then deployments will be in very low risk systems where if you do have something, go on, go down that it's know.

No one's going to get hurt.

No one's going to get hurt. Right.

So, yeah, probably start out with wastewater because wastewater is pretty, you know, it's, you don't, it's smelly.

That's about it.

Well, you can kill your bugs, but then it's easy to recover from, or at least it's recoverable in ways that other technologies aren't.

So, yes, I think we will get there.

But it is a slow process.

You know, we.

Can't put too much reliance on patching as the only compensating control.

I know that the security created a lot of toxic patch.

Your system and security hygiene is important.

Absolutely.

But as Anna is indicating, you can't rely on that as your only major compensating control and that's why when we look at an OT system security, it's got to be an overall evaluation from the security aspect, not just can I patch the operating system, the firmware.

Well, I think that's the number one tool that IT uses, right, for security?

It is. It's one of many categories.

And that's really the goal here, is finding out the right security control, the right security tool to mitigate the risk.

It's not always going to be in the case of what we're talking about, it often can't be, it can't go for years.

And that's four years of risk that you should not be, you know, are accepting within your organization.

So that's where, you know, segmentation, encryption, strong authentication, inspection, detection and prevention, all these kind of things come into play, providing the surrounding controls to compensate for the one that you can't use, which.

Is that you can't touch them. No, no, no.

I like to add another thing in the OT space.

I know it's very different in IT.

If we have an asset that has been compromised, we typically isolate it.

After we've done some forensics on it, we isolate it, right?

Then we restart it, we clean it and restart it.

That's a typical pattern.

I can't do that in the OT space.

Right. I cannot.

Easily not know without a great deal of expense.

And we're taking other things down with it. Right.

So unless you're super lucky.

Yeah.

So what approach can I use in the IoT space if I know that

I have a device that's been compromised, what do I do?

If I can't take it down because maybe I am a policy controller in a refinery and we know once you set a refinery down, it takes a long time to bring it back up.

Right.

So what do I do and what techniques do I have at my disposal?

Yeah, and I'm trying to think through that.

And I have to say, that is a really good question and what I've never asked myself.

And so I'm hoping Steve hasn't.

I'm up all night worrying about stuff.

Like this, about this, because that's a super tough one because besides higher monitoring you and then trying to add something else into the chain that allows you to see if that is really being exploited or it's what the real status is.

I have no good answers for you.

So let's make a distinction between something that you find to be absolutely vulnerable to an exploit and something that has been exploited.

Okay, that's fair enough.

So you've got a known vulnerability that's active exploitation in the field.

There are controls you can put in place to isolate signals and inspect the traffic to and from a device to monitor it for aberrant behavior.

There are things you can do today and you can do that.

The IT world.

You can do that. The world.

Oftentimes you have to do that when you have a known vulnerability that doesn't have a patch.

But it's active exploitation.

In the case of a zero day, you don't have a patch, but you can turn on, you know, turn the dial to 11 on the infrastructure of security.

Like long log log.

In the event that you have an OT system that has been compromised.

So you've detected the aberrant behavior.

You've detected the signature of an OT-style attack or you've noticed the firmware has been swapped out.

That's where, you know, again, in the good parts of systems that they're highly redundant and often place.

So that's where you're going to kick in your process and procedures that you have for if it was a non-cyber event, if it was a.

Physical, if it is a physical event. Gotcha.

So it's the same way is when if a power station goes down because of a weather storm, you have redundancy built the system to help handle the load.

If you're under active, explain your bet.

You have been attacked.

You've identified a power generator or a transformer that has been compromised.

Kick in the process you already have for dealing with every other kind of outage and take that thing offline before it can infect the next.

And we've seen where cascading events can happen, where you get one OT system, in fact, because you don't have often the inspection tools, the lateral movement can be a lot faster to the systems that it's connected to because again, there isn't the same level of controls once it's into that, you know, it's the old adage of the egg, you know, you've got a harder shell, but once you get in, it's nice and soft.

OT systems are often the same way once you get past the door on one of those key mission critical air systems is compromised.

You may have to take a lot of it offline, but again, that's where you kick in the existing processes.

And one advice that we give to CISOs and organizations is game the system before you ever get a vulnerability or an exploit you have to deal with, run the war gaming on your environment.

Actually, you know, identify a policy and have it be quote unquote taken out and run the course and see what would be the problem.

Make sure you've covered all your bases and you know what the procedures and people all the way at the tactical edge and at the executive level all know their role in the event so will make when it does that much smoother.

So what you're telling me is run my own business continuity scenarios.

That's which makes.

Yeah. And I have to have them.

There's a really good context for doing that.

Every manufacturing facility, at least in the U.S., is required to do what they call HAZOPs, and it's exactly what Steve described.

They don't tend to focus on cyber threats, although I'm sure that is definitely evolving and that is happening now.

It tends to be more, hey, this pump fails or we had a power failure or a.

Hurricane or tornado hit somewhere.

But it's very easy to take that methodology and say, now let's apply that to our system.

It's been hacked and it's been hacked in these particular ways.

Now, what does that really mean?

And what is going to be our response and how can we design in mitigations, right?

And how can we change our system?

So if it does happen, there's much less vulnerability, right?

Or it's back to, can we live with that?

Because some things you can live with. Right, right, right, right.

Guys, this has been very insightful.

As always. I love talking to you guys.

Any last words for our listeners today on that are dealing with this opportunity so things what would your advice be to them that are dealing with, you know, this convergence that we're already starting to see.

We'll go with you first, Steve.

Okay.

So I think, you know, just restating what we said earlier is that it is already happening.

It's not a wait and see when this happens.

Your IT and OT systems are blurring.

And so it's to take the measured approach of understanding your assets, providing, you know, doing the risk assessment so that you can apply proper controls and security to the systems you have and start planning for it.

And then the key is get out of analysis phase, get into implementation.

So get, you know, knowing that this is going to be ongoing.

If you spend all your time analyzing your environment and not only your time actually implementing controls, you're never going to get anywhere.

It's a feedback loop.

So you analyze and you go deploy feedback into the analysis and continue.

So it's going to constant processes and continuous security assessment.

Is not a one and done.

It's not a one and done and, you know, the key thing is to start deploying the security now and getting that visibility into your environment.

Is that the first step in being able to understand what's going on and what your risk posture is and what your risk and be able to then manage that risk across your own enterprise.

Sounds good. Anna?

Yeah, and I would say on the OT side, you as an operational companies start bringing in your IT folks and treating them like they're part of your operations and make sure that they understand the implications, make sure they are equally involved in all of these discussions because there is no longer, as you know, a reasonable that treats them in isolation and just has them worried about your pieces.

They need to be integrally involved in what's happening and they need to help bridge the gap between what we understand of the operational systems and all the electronics and all of the compute that's necessary to back that up.

Thanks, Anna.

I think that's absolutely critical,

I'd say on the CSO side as well.

Bring the OT guys to sit at the table at the top of the table with you because I've seen this before where CISO mandates down to the OT guys, you will do this.

And they're like, no, we're not, all right,

But if you're sitting at the table with them at the front of the table, then they have a say.

Then you can talk about the differences and really take a look at the paper.

It is on the website, we talk about the differences between OT and IT and how we're going to get over this, this division. So.

All right.

Thanks again, guys, for coming on the show.

Thank you, Darren.

Thank you, Darren. Pleasure as always.

Thank you.

Anna for your insights.

Thank you for listening to Embracing Digital Transformation today.

If you enjoyed our podcast, give it five stars on your favorite podcasting site or YouTube channel. You can find out more information about Embracing Digital Transformation at embracingdigital.org

Until next time, go out and do something wonderful.