Bridging IT and OT: Exploring Machine Identity and MFA in Cybersecurity with Anusha Iyer

Episode 43 January 27, 2025 00:59:41
PrOTect It All

Hosted By

Aaron Crow

Show Notes

In this episode, host Aaron Crow engages in a riveting conversation with Anusha Iyer, the CEO and founder of Corsha, a Washington, D.C.-based cybersecurity company. With over 25 years of experience in the cybersecurity space and a newfound interest in operational technology (OT), Anusha shares insights into her company's innovative approach to identity and access management for machines.

The discussion covers key topics such as the convergence of IT and OT, the essential need to understand machine-to-machine communication, and the revolutionary potential of machine identity and multi-factor authentication (MFA) in securing industrial environments. Aaron and Anusha explore practical strategies for bridging IT and OT gaps and highlight real-world examples of implementing zero-trust principles.

This episode is a treasure trove of knowledge for cybersecurity professionals, OT engineers, and tech enthusiasts alike. It emphasizes how modern security measures can transform and protect critical infrastructure. Tune in to gain valuable insights into the future of OT cybersecurity and the importance of embracing comprehensive security measures.



Key Moments:


06:16 Machine Identity in OT Environments

08:40 Machine MFA for Secure Access

10:23 Understanding Secure Endpoint Communication

14:07 Cybersecurity vs. Safety Concerns

17:37 Achieving Zero Trust in Network Security

20:50 Overcoming Cloud Security Fears

26:10 Tech Implementation and Management Challenges

31:54 Complex Architecture: Costly and Complex

36:05 Understanding System Data Flow Benefits

40:36 Technology Deployment Before Cybersecurity Era

47:50 Simplifying Machine Implementation Benefits

51:19 Manual System Updates Challenges

51:58 Balancing IT and OT Efficiency


About the guest:


Anusha Iyer is the Founder and CEO of Corsha - a leader in identity and access management for operational systems and critical infrastructure. With over 20 years in cybersecurity, Anusha is passionate about demystifying cyber and security, making it accessible, easy to adopt, and self-assuring.

Reach out to Anusha at [email protected] if you want to talk OT and Cyber and how to use machine identity in your industrial networks to unlock secure automation.

Find out more about Corsha and request a demo here: https://corsha.com/request-a-demo

To be a guest or suggest a guest/episode, please email us at [email protected]



Please leave us a review on Apple/Spotify Podcasts:

Apple   - https://podcasts.apple.com/us/podcast/protect-it-all/id1727211124

Spotify - https://open.spotify.com/show/1Vvi0euj3rE8xObK0yvYi4

Episode Transcript

[00:00:00] Speaker A: You're listening to Protect It All, where Aaron Crow expands the conversation beyond just OT, delving into the interconnected worlds of IT and OT cybersecurity. Get ready for essential strategies and insights. Here's your host, Aaron Crow. Hey everyone. Thank you again for joining me on the Protect It All podcast. I'm very excited for my guest today. We've had to reschedule it a few times from, I think I was sick, I think you were sick, and business and just life. So it always happens. But I always love when we're actually finally able to connect and record these things; I always enjoy them. So why don't you introduce yourself, tell us who you are, the company you're with and kind of what you guys are doing.

[00:00:45] Speaker B: Awesome. Thanks Aaron. Really happy to be here and glad we kind of found the time that clicked. So I'm Anusha Iyer. I'm the CEO and founder of a company called Corsha in the Washington D.C. area. A little bit about my background. I've been in the cyber space for a little over, I guess, 20, 25 years at this point and a little bit new to OT, and that's what intrigued me a little bit about this podcast is, you know, you are really trying to find that bridge between the two, and I think the perspective of starting on more the IT side and, you know, learning what protocols like OPC UA and Modbus and BACnet and all of that means has been a fun journey the past few years for myself in particular. A little bit about Corsha. So the reason we actually got into this space is we are focused on identity and access management for machines. Right. So think of it like trying to build that missing piece of identity, like an identity provider like Okta or Ping, but focused entirely on systems, and started the company and then, you know, a lot of my background has been on the Department, U.S. Department of Defense, Intelligence side and things like that. I started at the Naval Research Lab in the D.C. area.
So I had some connections from the Air Force that came to me and they're like, okay, you guys are talking about machines. Can you do real machines? Right. And that's how we got our foray into the OT space. It's been a really eye-opening journey in terms of what the disparities are between IT and OT and just what the unique challenges are in the space. Right. So we're building this platform that is trying to embody zero trust principles that are anchored in identity security to protect life cycles, authenticate, manage identities and even bring concepts like multifactor authentication to machine-to-machine communication. Right. So to protect, to really foster automation, secure data movement across hybrid environments like this. And it's fascinating to see where some of these gaps are, and excited to play in the space a little bit.

[00:03:08] Speaker A: Yeah, it's incredible. How so? My career is similar. I talk about it a lot, but I have a lot of history in IT working at big companies and tackle electronics and AT&T Wireless and AT&T and a lot of State Farm and banking and stuff like that. But also, you know, probably half of my career has been spent in critical infrastructure and critical manufacturing and power plants and stuff like that. And sometimes it's difficult when people come out of IT because they try, they keep those IT lenses on and they bring in, well, let's just do it this way. Like, you know, we have an outage on, on, you know, every Friday night where I can just reboot stuff. Like, no, you can't do that. And once you understand the differences, the whys, you know, the technology is the same. Not the same, but very similar. Many times we're dealing with the same, you know, commercial off-the-shelf equipment. Especially now we're dealing with Cisco switches and Windows servers and Linux boxes and VMware and, you know, firewalls and, and all that kind of stuff and, and especially.
And I know we're going to get into it, I don't want to jump ahead too much, but one of the things that we assumed for, for decades is, is like everything at the plant, like I'm trying to keep things out. So I've got a firewall, I've got an edge device, but everything inside I'm not worried about because they have to, I have to get them here. Like I'm air gapped. I'm, I'm, you know, there's, there's a, there's a hard, you know, everything. I just worry about north-south. I'm not worried about east-west. In fact NERC CIP even recently came out and is adjusting their, their criteria where before it was only north-south focused and now they're really looking at that east-west traffic in their latest update, and people are a little panicked because they don't know, they don't know what they don't know. Right. And, and, and it's a big gap. Like if we were gonna, you know, design a system from the ground up, I wouldn't, you know, if I'm designing a security system at my house, I don't want to just monitor the front door and assume that that's good enough. Right. I want to assume, okay, well, what happens if somebody gets past that? What happens if somebody's already on the inside? What happens if one of the people I let inside does something bad? Even if it's not like a state actor, but still they do something they shouldn't. They misconfigure something. There's a lot of scenarios that go into that that open those doors. And up until now, a lot of times the OT folks and staff have just, I assume we're good, so I'm not worried about that.

[00:05:37] Speaker B: Yeah, yeah, yeah. It's funny you bring up the house analogy, right? Because when we talk about zero trust, it is oftentimes like a house. And, and that's what I'll tell people is, even if you let people in your front door, do you want them going into every room of your house?

[00:05:52] Speaker A: Right.
[00:05:52] Speaker B: And you know, anybody, well, teenagers will tell you more than half the time they'll leave the front door wide open. So what is, what does that leave you with? So you kind of need to, to, you know, segment access, control identity. I feel like identity really is the, the true perimeter that you can count on. Right. And kind of contextual-based access.

[00:06:16] Speaker A: Well, so, so 100%, and, and people, most people will probably understand the concept of identity as a user. So, you know, we all have a user account and a password. You know, some of us use tokens, whether it's like a YubiKey or some kind of multi-factor authentication, something that I have, something that I know. You know, if you've got your CISSP or you've been in cybersecurity for more than, you know, a few years, you get that concept. But talk to me, the difference about the concept of giving a machine an identity and how is that different and how does that enhance. And you know, especially in the OT space where we're really dealing with more machines than we are people, like users are, they're looking at the output, but they're not really in the conversation of the transaction itself. That's all machine to machine.

[00:07:05] Speaker B: Yeah, absolutely. I mean, I think, you know, it's probably even more amplified in the OT space. But you know, we see statistics of really over 90% of traffic is system to system. Right. And machines outnumber, whether they're workloads in the cloud or robotic controllers on a manufacturing floor, kind of outnumber humans, oftentimes 45 to 1. But they, when you think about an identity provider. So you know, let's take whether it's Okta or Ping or Microsoft Active Directory, the first-class citizen in there is the human.
And we have all these mechanisms of doing, like you said, MFA, right, or role-based access or defining what an identity for a human looks like. On the machine side, especially on the OT side, it can sometimes be simplified all the way down to an IP address or a MAC address or something that honestly is spoofable. Sometimes it could be certificates, tokens, API keys. Oftentimes we find that some of these operational technology systems with these vendors don't have any concept of identity or authentication built in at all. So then you've got to retrofit some of that into it. And so when we think about machine identity, you have to sort of have that parallel of, okay, you may have that cert or that key or token or whatever that primary factor is. Think of that like your system password. Sure, right. And then the additional factors could be along the lines of one-time-use credentials. So there's no reason we can't do MFA for machines just like we require it in, I think NERC CIP details, okay, if you're having secure remote access, you need to have MFA enabled. But more often than not, especially today when we're talking about all of the convergence of environments and data movement and analytics and digital engineering systems, like you said, that communication isn't, this even the secure remote access isn't coming from a human, it's coming from another machine. When we think of identity, it's really much broader than just that secret that's being used to access a system at a point in time. There's context involved, there is policy involved, MFA. That's really where I think we can start making machines first-class citizens in terms of identity access management.

[00:09:49] Speaker A: So one of the, one of the problems that I see a lot in OT is I walk into these spaces and these engineers are amazingly, incredibly intelligent and know their process and how everything works from a process side.
They know how, you know, the widget gets made, they know how the valve gets turned, they know how to control that and program that. But when it comes down to, you know, machine A and machine B, they know they need to talk, but they don't know. They're not technology people, they're not cybersecurity people, they're not networking people. So to them it's just like, I have to, because I don't know what to restrict, I just have to enable all communications between these two endpoints because that's the only way I know to make it work. And then the last time IT came in and tried to help me and lock things down, they caused problems. So we removed that. Right. So, so how have you guys been successful in figuring out what the engineer doesn't know? Like they don't necessarily know the ways that those two devices are supposed to communicate and what protocols and who is supposed to initiate. And that this, that endpoint should never initiate, should always just respond. Which means I don't need to enable that. Like, walk us through what that looks like and how to be successful. Because I know from an OT perspective, wearing that hard hat back there, right, as an, as an asset owner, the very first concern that they're all going to say is, well, how do I know you're not going to break my system?

[00:11:16] Speaker B: Yeah, yeah. You know, it goes back to, we like to think of it as like sort of building trust with data.

[00:11:24] Speaker A: Right.

[00:11:24] Speaker B: And so the first thing that we always start with is, hey, put us in place. No enforcement, do the discovery and visibility. Did you know these communications are coming into this HMI?

[00:11:39] Speaker A: Correct.

[00:11:39] Speaker B: Right. Did you know that, you know, the traffic flow is actually getting initiated here when really it should be flipped the other way around. And I feel like that really can be super eye-opening. And so then when. Because today, like, they don't really.
The reason they're not thinking about it is because it's not front and center.

[00:12:04] Speaker A: Sure.

[00:12:06] Speaker B: Starting with kind of the visibility of all of the traffic that's moving across the network at different protocols. I think the other aspect to it is, and this goes back to right tool for the right job type of thing, is especially when you think about identity access management, it has to be tailored towards OT. Right. Which means that it understands the protocol-specific security that's necessary in these settings. It's not enough to just say, all right, everything is basically HTTPS and this is how it's supposed to work. And right, like it just doesn't work. Like you're optimizing for completely different constraints. So, you know, in an IT network, when a violation happens, you can maybe immediately halt the access from a particular client or to a particular service and it triggers an alert and someone will figure it out down the chain. In an operational world that's not an option always. Right. Or really ever. You might just notify, alert on what's going on, which in and of itself can be a challenge in air-gapped environments. But you're just optimizing for different things, like safety, availability. So it's kind of one of the reasons we've built in, to again build trust that we understand this domain, concepts like safe halting into the platform, where you get a potentially egregious enough violation and the policy can say, okay, don't just stop the controller as soon as you see it. Perhaps at that point you can make the code aware that there's an opportunity to halt at its safe points and it checks. So it's looking at that approach of, yeah, this is a different domain that has different, different things we're optimizing for.

[00:14:07] Speaker A: Right, sure, yeah. Because I mean, if you really think about it, some of these systems are going to be safety systems.
So if I, if I just stop communication because I see some cyber thing going on and then I shut down the ability for me to enable a safety system which, which could put lives at risk. Right. I can, I can damage equipment. I can. You know, the analogy I always like to give to folks is, or one of the analogies is, you know, if you're, if you're doing, you know, you, you're, you've got your control, let's use antivirus for, or patching. There's something simple, patching. You're going to patch all of your OT systems and, and we're, we're on an airplane and there's, there's an available patch and you're in the air. Are you going to patch that airplane while it's in the air with a bunch of people in it?

[00:14:48] Speaker B: Probably not if I'm not on that flight. Exactly.

[00:14:51] Speaker A: Maybe it all goes perfectly. You know, Tesla is doing really well at over-the-air updates on their, on their cars. Awesome. But they're also on the ground, right?

[00:15:01] Speaker B: Yes.

[00:15:01] Speaker A: I, I still don't want my, my car updating driving down the road, but I definitely don't want it while I'm in the air. Right. So that, that's the type of thing that we're dealing with in OT. There has to be. You know, again, like you said, like, if I brought a Windows 95 machine to an enterprise and plugged it into the network, they're going to lock it out, they're going to kick it out, they're gonna, the policy is going to block the port, like all that type stuff. Go home. You cannot put this on my network. Under no circumstances. We have that stuff all the time in OT. Right. And it's running critical systems and it's XP and Windows NT 3.51 and, and Sun Microsystems old, old, old, old stuff that we can't just kick out. Right. So we have to continue, we have to work with what we have. But things like this are, are exciting to me because you can work around the, the, the limitations that you have. I can't patch. Okay. What else can I do to mitigate?
Okay, well, if, if I can mitigate this and say RDP is a great example, vulnerability on every Windows machine, especially Windows XP, all that kind of stuff. Right. Well, if I lock down so that, yes, it's a, it's a vulnerability, but I lock down on the networking side and, and, you know, zero trust like this, that nobody can access that anyways beyond the firewall. Like, even if they're on the inside, they can't, they can't get that. Okay, so do I care that I can't patch that? No, because I mitigated it another way. Patching is not the only way to mitigate a control. And that's where things like this and, and having that bigger picture in OT is super important to understand. You know, you start getting into zero trust and, and really diving into those and why that's so powerful. It's hard, especially in an environment that's, that's been around for a long time. But that doesn't mean it's not value add. And, and I think that's the direction that we're going is, is, yeah, it's easy to do it because you're designing a new system, but going back into the, all these others, just because it's hard doesn't mean it's not what we need to do.

[00:16:52] Speaker B: Yeah, and I would say I completely echo that. It doesn't feel like it's an option anymore. Right. Like it is the direction that all of these industrial networks and control systems are going. We just have to figure out a way to make it work. Otherwise you're leaving too much on the table in terms of opportunity. Right. And that's. Yeah. I mean, in terms of zero trust, I think, you know, I've heard you mention it a few times on the, your podcast of there's no silver bullet. It's not a single solution, it's not a single platform. It really does have to be defense in depth, where, okay, I know I've got to run that 95, Windows 95 system. Chances are I'm going to have to run it for another five years until my procurement cycle changes.
But that doesn't mean that I cannot integrate it into the broader network or not get the most out of the data that I need from it. Right. So I think, you know, I will say with respect to zero trust, yeah, it's, it's definitely achievable. It seems like a lot of the focus is on micro-segmentation. Right. Particularly across levels of the Purdue model. And so much of it is like software-defined networks or next-gen firewalls, where it's really important to obviously isolate the north-south. But just like you alluded to earlier, we need to have a story for lateral movement and I think a stronger story for identity. Right. So when you think about defense in depth, it really has to be, okay, I want to get access from one system to another system, wherever that may be. How do I manage the identities and access, whether those systems are running in cloud or whether they're running at Purdue Level 2. Right. On my shop floor.

[00:18:51] Speaker A: Right. Yeah. And it's super important to, to understand. Too many times I think I walk into these spaces and they're accepting risk when they don't really truly understand the risk they're accepting. Right. They don't. You know, you know, I'm air gapped, so I'm good. Or I've got a firewall, I'm good. I've got antivirus loaded on my systems. I'm good. You know, none of those things are silver bullets. Not, I love firewalls, I love antivirus. Like you should have all of those things. I'm just saying it's just like with anything, you know, same. We talked about the house analogy before. I don't just have a lock on my front door, because if I don't lock my back door then that doesn't matter. And they can come in windows. If I leave my windows wide open, like what's the point of locking the front door? And like we can go down this rabbit hole all day long. And security, you know, the overall design of a security system is really the same.
It's just looking at the, the needs and the availability and understanding it and then making sure that I'm mitigating for all the controls and I can't necessarily. And that to me is the biggest difference between OT and IT is the mitigation. How I mitigate those, those risks are going to be different in OT than IT. And you alluded to it earlier. Right. I may just kick something off on the IT network; on the OT network I may notify instead. I'm not going to kick it off because I don't want the system to fail and lives to get hurt or a turbine to blow up or any number of things that happen. But it doesn't mean I don't care. It needs to be just a different control, a different response, but it still needs to have some control around it.

[00:20:24] Speaker B: Yeah. And I mean that's a great point. Right. When you talk about I may just notify, you have to have the structure in place to even notify. Right. And I think that's where I'm, if it feels promising, I'm seeing a lot of promise of, you know, folks that traditionally were starting off with, well, I will never network my systems together, are now seeing the value out of it, even from a security perspective. But it just has to be done thoughtfully. Right. Carefully. So, you know, I'll tell you, I, like I said, I came out of this world in the D.C. area from Naval Research Lab and other places where so much of the work at the time and still today is done in private networks. Totally off the grid. Right. Like, you know, the, the sensitivity warrants it and all of that. So when I, I left the public sector, I was so wary of doing anything in the cloud. Right. It was like this scary place where bad things happen and, you know, and, and I realized that that bias actually holds you back. Right.
Like when you think about connectivity and sort of the capability of some of, you know, whether it's AI, whether it's analytics, whether it's using kind of cloud-based remote access, you almost have to understand the domains by using them in order to protect yourself from them. Because inevitably, you know, we talk about air-gapped networks, but do they, are they really air gapped? Like what happens when that vendor comes in with their laptop to apply updates? Where else is that laptop fit? Or, you know, the extra router that has to be put in on the weekend just to get the job done, or, you know, how you, you apply updates or patches in a regular fashion. So it's almost like, let's embrace the risk so that we can understand it and kind of continually chip away at it.

[00:22:34] Speaker A: Yeah. One of my, my previous managers in the power utility space, we'd have these conversations and, you know, the plant manager or the vendor or whatever would be like, well, it's, it's, this is how it is. And his, the way he always responded was, except where it's not. So we have no secure remote access, or we have no remote access, except where we do, and we don't know where those things are. And somebody bypassed it on Friday night because something wasn't working and they just, they plugged the thing from here to here and now it's working and now they don't want to touch it because they don't know why it's working or why it wasn't working before. They just know it's working and they don't want you to touch it because it's going to potentially bring down their stuff. Right. So we see that all the time where there's a modem, there's a 3G card, there's a, there's a bypass going around the firewall, there's, you know, software loaded that allows them to VPN out and tunnel through everything so you can't see what's, like, this happens. And none, most of these things are not malicious. Most of these things are because the people are trying to get their job done and they're trying to fix the thing.
It's not like a bad actor, it's not a nation-state attacker, it's just, it's just an engineer trying to do his job, his or her job. Right. So, so we have to know that. And, and that's the other piece to these cyber tools when we're implementing technologies and processes and policies is we can't make it so hard that the end user can't do their job. Because what's going to happen, like when we make a pat, like passwords, for an example, if I make it where you have to have a 25-character password, are you going to remember that 25-character password? Most people are not. So what are they going to do? They're going to find a workaround, they're going to write it on a piece of paper and they're going to stick it on the monitor. Right. You made it that difficult on purpose. Like you thought that that was increasing your security. It actually decreased your security.

[00:24:16] Speaker B: Yeah, yeah, totally, totally. I mean we used to have, I think, you know, one of the places I was at, they required that we had a YubiKey for the TV and the OS connecting it. Right. So, you know, we tried to manage the YubiKey as a method of like, okay, pass it around, this person has it, you check it, whatever, you've got to get online for a meeting. The end of the day when it's happening, it's just plugged in all the time because it's not possible. Like, so what's the point? Right, exactly, exactly. You know, but it is exciting to see some of the vendors start to embrace security. Right. So, you know, we were looking, and I think that's where there's the opportunity, because there's a lot of lessons and parallels we can bring in from the IT side if the building blocks are in place. Right. So we were recently looking at an integration with, like, BACnet. Right. And obviously, like, widely used, and, and there is a version of BACnet called BACnet/SC. With that, they actually have some pretty good principles around, let's put PKI on all of the clients and actually use TLS-based authentication.
Fantastic. Right? And what we've learned, I think, on the IT side is that's great. The challenges are around lifecycle management of those certificates, right? So we can take solutions from there and then bring it into this world. It's just, it's a journey, right? It's, and I think it's got to be kind of a thoughtful journey where it can't be mandates from integrating it into OT where it becomes impossible.

[00:26:09] Speaker A: And that is so important, right? As a software vendor, as, as a, as a solution provider, as, as a, you know, a cybersecurity professional or an end user, right? We can't make this stuff where it's broken. It's easy to buy a technology, it's easy to implement a technology, but somebody is gonna, I'm gonna have to hand the torch to someone to manage it. And to your point, if, if I, if a certificate get, doesn't get updated two years down the road and the people that implemented the technology are gone and the person that knows about it is gone and it wasn't done correctly, now the process is broken because of, of a certificate. That's going to be a problem because now I'm not building widgets or I'm not creating electricity or, or whatever, and they're going to be like, I remove that. Like, right. The, the availability and safety trumps all of the other things, right? So we can't put a thing in there, and it's a, it's a sticky dichotomy of I have to put in security tools and, and protections. I can't just have it be wild west because I, I want available things, because the opposite is true too. If I just open it to the Internet, then I'm going to lose availability because bad actors are going to come in and do bad things, right? So it's that, it's that balancing act of I have to protect it, but I can't make it so hard that the normal layman's, the normal everyday users of, of the technology can't use it, and it's that they plug the YubiKey in and just leave it there. Right? That defeats the whole purpose.
[00:27:38] Speaker B: Yeah, yeah, totally. Yeah, it's, it's, it's, it's definitely a dance, right? So a little bit of like give and take and risk assessment. Like, you know, anybody that tells you they'll get you to 100% security is probably selling a little bit of snake oil. Right. It's just not a thing. It's a continual process, like right now. So, you know, we do a lot of work with the Air Force and, and you have to obviously get some authorities to operate and authorization and stuff to operate in some of those manufacturing settings. And so, you know, a lot of times what also happens is you get a point-in-time assessment of where you are.

[00:28:21] Speaker A: Yeah.

[00:28:22] Speaker B: And what is so important with security and any sort of risk assessment is it's got to be continual, you know, because the posture changes constantly in some of these environments. And so that idea of, you know, how do you put in tools and controls that are a little bit self-assuring.

[00:28:46] Speaker A: Right.

[00:28:46] Speaker B: So you don't, you, you don't run into that problem of two years down the line, you have some stray certificate that expired and now somehow your pipeline. Right, right, right. So I think that's really the trick, especially in some of these automated environments, is whatever you pick kind of has to be self-assuring.

[00:29:07] Speaker A: Yeah. So, so we talked about it a few times, but I want to dig in now. We talked about air-gapped networks. So you talked about, you know, federal spaces where they, you know, they've got, their networks are completely air gapped. You know, power plants are like that a lot of times, especially in the nuclear space, a lot of these spaces. That has been the first step. I know it is. But let's talk about why that's not enough and why air gapping is a great thing. I'm not saying it's bad, but that in and of itself does not mean I'm secure. So we talked about a lot of potential problems with that.
But in those spaces where we have this false sense of security of, you know, well, I'm air gapped, so I don't have to worry about that. I mean, obviously we could talk about Stuxnet, but everybody talks about that. But that's just a prime example of, those were air-gapped networks too, and they still got in.

[00:29:55] Speaker B: Yeah, yeah. But you know, it's, it's interesting. I think recently CISA actually, just like a couple weeks ago, put out guidance around Secure by Demand. Right. For OT owners. The reason I bring it up is it, and that combined with some of the statistics we've seen recently, like if you took a look at the, like the SANS 2024 State of ICS and OT Cyber Survey. Right. I think one of the highest priorities in there was around building defensible architectures.

[00:30:31] Speaker A: Sure.

[00:30:31] Speaker B: Right. And so when you think about an air-gapped network, and you think about, put that side by side with what a defensible architecture looks like. Right. The Secure by Demand is actually calling for things like proper configuration management, logging in the product and the overall system, using open standards, protecting data, secure communication, strong authentication. None of that is actually easy in an air-gapped system. How do you actually build a defensible architecture if you've shut everything out effectively? What you're doing is you're creating kind of a frustrating environment where people will look for workarounds. Right. So everything from visibility to monitoring to alerting, backups, running updates becomes substantially harder if you can't connect to other systems.

[00:31:36] Speaker A: Yeah, 100%. Working in nuclear power, like, everything was air gapped for obvious reasons. I get it. But they had had. It was a lot more expensive. Anything we wanted to do was harder. Right. We had to go through data diodes and we had to be in a secure room and like all this different type of stuff. And again, same thing with the military.
I'm sure there's a lot of reasons to do that in a lot of different environments, but not every environment is that the right option. Right. And that it adds so much complexity and so much paperwork and so much resource demand and just all of these things that are stacked on top of again, it's a great architecture if you can afford it. If you can afford. And it's not just a technology thing, it's the people, process and technology. Because by doing that design that, that impacts everything else you just talked about. For how I patch, how I update, how I get logs out, how I secure mode. I can't really secure mode access. There are a couple of technologies, but still the point is, is everything is harder, everything is more expensive. Like it's just. And again, there are scenarios. A nuclear power plant is an example of those where it makes sense. At, you know, some small municipality wastewater facility, they're not going to have the money to do that type of thing. So they, they have to find other ways. And air gapping or you know, firewalls, those are. There is no. And I'm not counting on any technology. There's no single silver bullet that's going to fix all your problems. Like this has to be defense in depth. And we've known that in the IT world for so long, it's starting to come around on the OT side better. In the last, you know, five to 10 years, I've seen a lot of movement in that direction. We still have a long ways to go.
[00:33:13] Speaker B: Yeah, yeah.
[00:33:16] Speaker A: So it's interesting. It's always fun to see these, you know, with SANS coming out and you know, seeing that availability and the Secure by Demand and all of that is, is so much. It's, it's so good to see. It's why I do this podcast. It's why I talk to people like you. It's like getting that message out there. So everybody's situation is different and their environment is different and their needs are different and all that kind of stuff. And whatever it is, you can secure it.
And there is a way to do it where it doesn't break the bank and it doesn't make it so difficult. You can't do your thing and you can't train your people and they're not throwing their hands up and saying this is stupid and walking away or writing the password on the monitor. Like all those things are possible. It's just looking at it from different perspectives.
[00:33:54] Speaker B: Totally, totally. Yeah. I mean it's, it's, it's, you know, people processes, not just systems, but also like risk and resources. Right. Like it's that trade off and oftentimes like good deterrence goes a long way. Right. You just, you don't want to be the shortest rung in that fence. I feel like that is certainly a strategy, maybe not provably secure, but effectively practically secure. Right. And so I think, you know, the alternatives to air gapping are obviously rooted in zero trust principles. So strong segmentation as you mentioned, like firewalls, secure remote access, but a good story around identity and automation and like secure data movement for just system to system.
[00:34:50] Speaker A: Well, definitely.
[00:34:51] Speaker B: That's the big piece of it. Right.
[00:34:52] Speaker A: It's all about the data 100% and it gets to. You know, I led this off in the beginning when I was talking about, I go to a lot of places and they don't know how machine talks to machine. Like they know. Yeah. They're using a protocol, but they don't really understand it. And, and it's one of those that I've been saying it for years. Like, you can't, I can't defend bad unless I know what good looks like. Like I have to start out with what is normal. What is a normal communication? What is normal interaction? What does normal look like? So that I can set the bar. Okay, all of this is good. Okay. So anything that is not this, I need to look at. Not necessarily saying it's bad, but it's not part of what I said was good. So then I need to focus on it. Right.
And that's the part where technologies like what you guys are doing and having that machine identity thing, it's going to be difficult a lot of places because they don't know what good looks like. And that's part of the lesson that you just talked about, is that's how you start. You start out with just saying, I'm gonna, I'm just gonna observe, I'm not gonna block anything. I'm gonna implement this stuff. And we're gonna say, hey, this, we're gonna run it for six months, we're gonna run it for, for two weeks, whatever that number is. And we're going to say, hey, this guy always talks to him. That's good. This guy talks to that guy. That's okay too, right? I don't want this person trying. This, this box is. Person, this box is trying to get out to Microsoft. Obviously, I don't want that to happen. That's, that's a no, right? And you can start locking those things down as you feel comfortable. But at the end of that, beyond the cyber things that you're doing now, you have a better understanding of the data flow of how your system actually works on the networking layer, on, on, you know, you know that. And that is hugely valuable in troubleshooting and, and really redesigning your environment or replacing that Windows XP box or Windows 95 box in the future, because you know who it talks to and which devices it's doing, what protocols it's using, like all those things. Beyond cyber security, from an availability perspective, understanding how your actual environment and your system works or is supposed to work, it helps you in so many ways beyond just cybersecurity. Obviously it helps you in cyber and reducing that risk, but it's all about reducing risk. And the better you understand your system, the better you're going to be able to reduce all risks, not just cyber risk.
[00:37:07] Speaker B: Totally, totally. And prioritizing, right? Because resources are, you've got fixed resources, right.
And so prioritizing where you spend that time starts with understanding where most of your traffic is happening, where most of the data is moving, you know, and it's a really good point around behavior and what normal looks like. Like, if you go to any of the major banks today, right, they'll tell you that they know it's you coming in and logging into your account from a browser well before you ever put your username, password in.
[00:37:40] Speaker A: Sure.
[00:37:41] Speaker B: Because of all of the behavioral analytics that's happening. Right. And so, you know, I think there's this really cool opportunity in the OT space with operational systems because they probably get to normal a lot faster and that's what we're finding than humans do.
[00:37:58] Speaker A: Yeah, well, and the other thing, you know, Sun Tzu, Art of War, you know, use your strengths as weaknesses and weaknesses and strengths. OT, you don't change much. I'm not bringing in devices off the shelf. I'm not, you know, surfing the Internet. I'm not going, I shouldn't be going to Facebook or Instagram or all that type of stuff. Twitter, YouTube, you know, from my control system stuff. So the cool thing with that is that I'm not patching all the time. I'm not installing new software. There's not a whole bunch of new users. It's a pretty static environment. It, which means once I get it to a known good state, it's kind of just set and forget for the most part. Right. I'm not changing things now. Obviously there's going to be PLCs and one's going to fail and I'm going to replace it with a different one. And I need, I need to have a process to. Okay, I'm replacing this, this thing with this thing. It's the same function. It's, it's just a different MAC address, right? It's same IP address, same name. It's got a different MAC. So I need to be able to go through a process to do that quickly so that I can get the process back up and running.
But at the same time, it's, it's not that difficult because I don't do those things very often. Like, some of these systems have been running for 20 years and they've never been upgraded, they've never been patched, they've never done any of these things because they're just, they do their function. They're very focused on the things that they do and they only do those things. They're not doing a thousand things. They're not doing AI, they're not doing any of that stuff. So in these environments, that's where it's really powerful for technologies like what you're talking about. Because yes, the, the curve will be high at the beginning to get that learning curve in of what, what good looks like. But once it's there, things don't change in OT. So it's, it's, it's easy once it's there to, to maintain normal.
[00:39:33] Speaker B: Right, right. Yeah. I mean, you get to the steady state pretty fast.
[00:39:37] Speaker A: Right.
[00:39:38] Speaker B: And. But what it unlocks when you do that, when you have that kind of, of visibility and identity management and all of that, is it unlocks the ability to optimize these systems. Right. To do things like predictive maintenance, to share models across the different systems where right now it's so cumbersome to do with respect to configuration management, folks are generally doing it one off for every enclave they have. But that, you know, I think putting that effort in up front of the defensible architecture, the identity based approach. Yeah. I mean it unlocks so much in terms of efficiency. It's oftentimes rare that doing something on the cyber side can translate into ROI, which is kind of what's fun about this space. Right. It's actually measurable the impact it can have.
[00:40:35] Speaker A: And I, I've preached that for. So when I, when I deployed technology at the power company, you know, this was before cyber was huge. We didn't even call it OT back then. It was, you know, we were just doing NERC.
CIP was out and we were doing stuff. But when I went to these plants and I was pitching the, the work, the things that we're doing, I wasn't selling them on cyber security because especially back then, they didn't care. This is like 2010 time frame, like nobody cared, especially in OT about cyber security. I would tell them, I would get them visibility, you know, information about their network space, like all of those ancillary things. Would you be, would you have value in knowing when you've got a problem in your system, when your redundant switch is down, like when you've got ports that are damaged or you've got machines that are rebooting, like all that type of stuff, they're like, oh, yeah, that's helpful. Right? A lot of these technologies, yes, they provide cyber mitigations and, but they also provide systems and availability information to these things that are hugely beneficial. And as a salesperson, many times I see so many of them, they focus on, well, we get you this and this cyber. Those are great if you're talking to a cyber person, but when you're talking to a plant manager or, or the end user, those are not languages that excite them. Now if you tell them they have more information about their system and they can run it more efficiently or they'll know when they're, they're in a, in a not good state, they'll listen. You're telling me that I have the ability, I can make it more reliable. Yep. Oh, okay, you're talking my language now.
[00:42:06] Speaker B: Yeah. Or produce things faster or, you know, not have to tweak the same model 10 times. Right. Like all of that, I feel like, yeah, it unlocks capability, right? Absolutely.
[00:42:19] Speaker A: It's.
[00:42:20] Speaker B: I think it's exciting to be in the space mostly for those reasons. Right. We're not. It's not.
Yeah, it's not about the, the fear mongering or the, you know, that the kind of FUD that you sometimes see on the cyber side, it really does like bring the space up to another level if we can get this right.
[00:42:41] Speaker A: So I'm a throw you on the spot if you want to tell us a war story of something where you've done this and again and leave the names out. Not looking for, you know, dropping names of anything but some. What's the coolest story you've had in this space with what you guys are doing of where you provided value? It was a cool project, that kind of thing where it's a real world example of, of kind of a space in this OT stuff that y'all are doing.
[00:43:04] Speaker B: Yeah, absolutely. I mean, I can, I can speak to a little bit of the work that we're doing with one of our defense customers right now. Right. And in fact, I think we kind of got to see some of the benefits of it. We sort of wrapped up some of the integration just about a couple of weeks ago. And like I said, it was a long time coming to get the authorization to actually do it and all of that. And so the promise to them was, you know, there's a sort of very forward leading robotics subject matter expert there and really interested in bringing new tech to the shop floor. And it's like sustainment operations and things like that. So really awesome SME there and always getting kind of hampered by the cyber security process. Yep, right. And so went to him and we were like, look like we can, we can unlock this for you. We get the cyber piece and we'll make that part go away so you can actually use the tech that you want to use. What we were able to do was actually get him the ability to put big data analytics in a crawl, walk, run approach where we actually have servers running Kubernetes clusters running our platform right on the shop floor. Now he's not only moving robotic models across enclaves, but even starting to bring in like AR VR capabilities.
[00:44:41] Speaker A: Wow.
[00:44:42] Speaker B: Right. And so it's, it's pretty fun to watch. And like I said, you know, even the, with Corsha, like we kind of started it very cloud focused, very like traditional workloads and you know, Kubernetes and all of that and have adapted it to be, to speak OT so to be able to do things like you know, they're running Modbus traffic and to be able to say, okay, well we can add MFA on that Modbus traffic and actually see it happening real time, it's pretty fun. Like, it's been a really cool journey to just go through that whole life cycle of actually giving them something that they didn't have before. Just because we solved the cyber problems.
[00:45:27] Speaker A: That, that is awesome. So that's, that's super as well. Like talk a little bit about. You don't have to go super deep. But how do you give a machine an MFA? How does it, how does it do that? Process?
[00:45:39] Speaker B: Yeah. So you know we're all familiar with like authenticator apps, right. So you have a Google Authenticator or Microsoft Authenticator and I probably open that up many more times than I care to in a day. Right?
[00:45:55] Speaker A: Yep, me too.
[00:45:56] Speaker B: Yeah. So effectively it's the same thing. Take an engineering workstation and we're able to push an authenticator app to it.
[00:46:07] Speaker A: Sure.
[00:46:08] Speaker B: Then it just basically, I know you've got a deep networking background, so I'll double click in here. It acts like an egress proxy. What you do is, let's say it's an engineering workstation that's connecting to an HMI. Now the protocols that you want to pass through it, you've got basically an egress proxy there and you have an ingress proxy in front of the HMI app which can be software or hardware based. And that proxy in front of the equipment is going to force the check of the additional credential. And it's just an extra header on the request. So because it's this one time use extra header, it's actually pinning.
It's the something you have in MFA speak, it's actually pinning communications to only that system that has the authenticator.
[00:47:01] Speaker A: Sure.
[00:47:03] Speaker B: So it comes in, you check the one time use credential. If it matches the identity that you expect for that machine, you let the call through. It can be one time use on a per request basis, which sometimes makes sense. Or it can be session based. If there's like a lot of sensitivity around timing, latency, real time operations and you know, so really just trying to analogize with something, we know how it works on the IT side.
[00:47:32] Speaker A: Sure. Yeah. I mean, simple, right? It's a simple process. I give a machine the ability to check, you know, a credential, I put in a request, it asks for a code back, I get that, machine gives that code. It's the same process. It's just not me copying and pasting from a text message or from, you know, my, my Authenticator app. It's the machine doing it for me. Which is, which is awesome. Like that's a, it's a very simple thing that is not everybody should understand it. And it's an easy, easy thing to, relatively easy thing to implement. I'm doing air quotes there. If you're, if you're just listening, all this stuff is hard, but that doesn't mean it's not value add. Right. And, and it's a simple concept to explain and, and fairly relatively easy to think about and implement again once I know what good looks like. It's easy to be able to say, hey, let's lock this down and make sure that this, this is only able to communicate this way when I'm, when I'm MFA. Right, that's, that's an amazing. So how, how has it been received as far as implementation and, and, and throughput and, and you know, availability and, and end users actually understanding and, and utilizing?
[00:48:41] Speaker B: Yeah, I mean it's been, it's, it's actually been pretty seamless I would say.
You know, I think some of the unique aspects are supporting the breadth of protocols on the, the OT side. So you know, things like Modbus over TCP, things like OPC UA, as I mentioned, BACnet and things like this. So you know, I think that's where some of the, the integration is, is understanding the types of traffic that are running across the environment. But otherwise it's like super invisible. Right. And, and I think the trick here is like you kind of nailed it of it's this journey to adoption. Once you know where your assets are, then you can do it over time in a comfortable way. Right, right.
[00:49:31] Speaker A: And you can prioritize. And this is the way I've rolled out almost every technology in OT is I start in a safe space. I'm going to start with my secondary machines and I'm going to start with my, my processes that are not as critical. Right. And then as I get comfortable with those, then I can roll them to the other ones. And to your point, like you said before, I can also start out with just alerting. I'm not going to block anything, I'm just going to alert. Right. So that way you're comfortable. You know, same way when I implement a firewall rule, I implement, you know, the old school port and protocol rule, but I also put the new application aware rule above it with the intention of after six months, nothing should be going across the old rule. And I'll just disable it, but it's still there to catch the overflow in case I configured something incorrectly or. Or whatever. Right. We just have to do it a little differently in these spaces, for obvious reasons. But as long as you're thinking with that mindset of, of how to implement this safely, it just takes a little bit more time. It's not overnight. I'm not flipping a switch and. But once it's there, it's easier to go to the next one. The second one's easier than the first one, and the third one's even easier than that. And then you're just ramping up and going faster at the end.
[00:50:39] Speaker B: Totally, totally. Right? And, you know, you gotta also think about where, if you're a plant manager, where do you want your folks spending their time? Right? Like, do you want them spending time on moving the posture forward, right. And making use of more assets and data and all of that, or do you want them still spending time on, like, sneakernetting data across different environments and, you know, kind of the. What some of those rote things that maybe folks have gotten used to doing. But it's time to look up and see if there's another way.
[00:51:19] Speaker A: I could tell you from, you know, work again, a lot of this is working in manufacturing or power plants and things, and they would just, you know, we do updates. We got a patch or update firmware or whatever, and we have to walk machine to machine to machine, system to system manually with a CD-ROM or a DVD or a USB drive and do them one at a time. What happens with that? I'm. I'm making a mistake. I forget one, you know, I think I check it off the box, but it doesn't complete, you know, it. Not to mention the time aspect of it takes me a long time because especially it needs a reboot. But I'm just having to sit at this machine and I'm not doing multiple. So I'm doing one at a time. Maybe I've got multiple people and then I can do it. But it's, it's a, it's a, it's a time loss, right? And an efficiency loss. Whereas on the flip side, I can, you know, in IT, I just patch everything at once. But also there's. There's a lot of errors with that. People are rebooting in the middle of the day, all that kind of stuff, right? So there has to be a happy medium. But too many times I, I see OT people saying, oh, we'll never do that because it failed two years ago or I heard horror stories or whatever. We've got to be willing to consider and look at things and how can I do it safely?
I'm not saying that you do it the way IT does it, but how can I, I can't just stay here because this is comfortable and I have to be able to move forward because it's too risky not to. So how can I do it in a safe way? And you talk about a lot of the ways that you can do that in technologies and capabilities like this. And you just need people and champions that understand it and are willing to push for it. And again, find the, the, the system that's over to the side. Start there. Started. Not your, your crown jewel site. Like, start at a smaller site that's easier to implement and you know, start at the place where you have people that understand it. So all these are, it's the same no matter what technology. But seeing things like this is, is fun and exciting for me because it's, it's where we need to go. It's just a matter of explaining. A lot of times you get new technologies that are beyond people's understanding. It's hard to get them to get it. The cool thing with what you're talking about is they already understand MFA. They already understand identity. It's just about, oh, well, I can give my machine identity. Yeah, okay, that, that makes sense to me. I understand the concept of identity. I understand the concept of MFA, so it's easier to understand and, and put that into an OT lens and say, okay, well, that makes sense to me. Like, how do we do this and safely do it? I, I can log in using MFA to Facebook and my bank. Why can't my computer do it just like, just like me, right?
[00:53:49] Speaker B: Totally, totally. And when most of the traffic is actually from device to device, like, you know, it's kind of where you want to put your focus on the identity side anyway. Right, so.
[00:54:01] Speaker A: Correct.
[00:54:01] Speaker B: Yeah, it's, it's. Yeah, I think it's exciting times. It's, it's really. There's a lot of opportunity out there to, to propel some of these, these systems and networks forward. Right?
[00:54:14] Speaker A: Absolutely.
[00:54:15] Speaker B: Equate with actually concrete ROI, which is.
[00:54:18] Speaker A: Rare, which is huge. That's a huge differentiation in my opinion. If you can show ROI to the end users and get them beyond just cybersecurity and you start adding some other values that they can measure, why wouldn't they choose it right over something that's just a cost center or makes their job harder? So with that, all we said is next five to 10 years, what's one thing that you, that you're excited about coming up over the horizon? And maybe one thing that's concerning in the cyberspace and OT?
[00:54:48] Speaker B: Yeah, I mean I would say definitely what's exciting is seeing some of the connectivity and convergence between IT and OT. I think there's a lot of, not just lessons to be learned like you said, you know, parallels of how we know things work on the maybe human side that we can bring into this world, but also just the ability to actually utilize this equipment and utilize these machines and systems in a way we haven't been able to do before without the connectivity. Right. So super exciting there to see all of this come to life in kind of a secure way is I think where the opportunity is for the next five to ten years.
[00:55:32] Speaker A: Yep. Now what about on the other side, the negative, the scary side?
[00:55:38] Speaker B: You know, I would, I would say it's actually probably the same thing. It's the connectivity and the convergence. Right. So it's an expanded attack surface. Right. You, you suddenly have to really have strategies for this stuff and like you said, like kind of pin it down, know the environments which I think we have to invest in much more now is what's that known good look like. And still OT there's always going to be the challenge of integrating legacy systems with modern. Right. And no ability to sort of apply the same kind of modern security measures onto those legacy systems. But we can't afford to leave them behind.
[00:56:25] Speaker A: Correct.
[00:56:26] Speaker B: And then remote access. Right. There's a huge rise in remote monitoring management. It just increases risk of unauthorized access, exploitation. Whether it's, you know, state level actors or whether it's like a front door inadvertently left open. It's. Yeah, we definitely need strong strategies, visibility, monitoring, control over all of that. And to me that's rooted less on the human side and more on the machine to machine. Is that the, the. There's just an explosion of like system to system communications?
[00:57:04] Speaker A: Yeah, especially in OT. That's, that's 90. Like you said, 95% of the communications is just machine to machine. And it's going to continue to be that way like the human. The whole point is the human is just monitoring and advising the systems do their reasons called automation. It's doing it themselves. Like there is machine, there is human interaction. But you know, for the most part it's the, the PLCs are doing their thing. Whether or not the operator changes anything, it's going to continue to run as in normal state. In perpetuity, assuming that all the inputs are the same and it's within the nominal side, it's just going to keep running by design. So. Awesome. So what is what a call to action. Like, how do people get a hold of you guys? Like, what are you guys doing? Fun, cool stuff that's coming up on the horizon. If people want to know more about your company, what you guys do, they want to have a POC, all that kind of stuff. Give us, give us the details and we'll also put all this in the show notes as well.
[00:57:51] Speaker B: Well, awesome, awesome. Yeah, I mean, definitely, you know, like I said, I am, I'm super excited about the space. If you want to reach out to me, I will kind of give you a Calendly link, Aaron, so that you can include that in the description. But I'm on LinkedIn, you know, reach out to me. I'll give you kind of a way to set up and just talk.
And then if you want to learn more about our platform and the identity provider, you can hit our [email protected] and put in a request there. And happy to tell you more.
[00:58:25] Speaker A: Absolutely. That's awesome. Well, it's, I'm glad we finally were able to schedule this and get it done. Great conversation. Super exciting stuff that you guys are doing. You know, obviously we're, we're working in the background to, you know, bring this to customers and opportunities and stuff. So it's super exciting to see. And again, it goes back into that whole, you know, you need multiple layers of protection in these spaces and some are more critical than others. So if this sounds like something that you're interested in, definitely reach out. It's really cool, capable technology and again, it's really easy to explain to the end user and the user. So that's always a fun thing. And the fact that there's some ROI behind it as well. A win, win, win, right all the way around. So thank you so much for your time today. I really, really look forward to more conversations and until next time.
[00:59:14] Speaker B: Awesome. Thanks. Take care.
[00:59:17] Speaker A: Thanks for joining us on Protect It All, where we explore the crossroads of IT and OT cybersecurity. Remember to subscribe wherever you get your podcasts to stay ahead in this ever evolving field. Until next time.
