Funding OT Cybersecurity: Priority Setting and Practical Approaches

September 23, 2024 00:24:40
PrOTect It All

Hosted By

Aaron Crow

Show Notes

Welcome to Episode 25 of the Protect It All podcast, titled "Funding OT Cybersecurity: Priority Setting and Practical Approaches." In this episode, host Aaron Crow tackles the pressing issue of securing Operational Technology (OT) systems in critical sectors like energy, manufacturing, and transportation. Although often overshadowed by IT security, the increasing number of OT system attacks makes it clear that underfunding is no longer an option.

Aaron explores the unique challenges of OT cybersecurity, such as legacy thinking and budget constraints. He offers strategies to align cybersecurity with business goals, prioritize investments effectively, and implement risk-based funding approaches. The episode emphasizes the importance of understanding asset inventories and making incremental improvements to strengthen security.

Listeners will also learn how to bridge the communication gap between OT teams and business executives and translate technical risks into business impacts. With real-world examples and actionable insights, this episode is essential for anyone tasked with protecting OT environments.

Tune in to gain valuable knowledge and start effectively prioritizing and funding your OT cybersecurity initiatives.




Key Moments:

 

00:10 Cybersecurity requires comprehensive, risk-aware approach beyond basic safety.

05:18 Understanding OT risks is crucial for prioritization.

09:11 We do business at the speed of trust.

12:13 Communicate cybersecurity's financial impact to business leaders.

13:58 Cost-benefit analysis of asset inventory in OT.

18:15 Establish security basics before advanced AI implementation.

23:21 Easier board conversations amid constant news events.




To be a guest or suggest a guest/episode, please email us at [email protected]

 


Episode Transcript

[00:00:00] You're listening to Protect It All, where Aaron Crow expands the conversation beyond just OT, delving into the interconnected worlds of IT and OT cybersecurity. [00:00:11] Get ready for essential strategies and insights. [00:00:15] Here's your host, Aaron Crow.

Hey, y'all. Welcome to another episode of the Protect It All podcast. [00:00:23] I'm your host, Aaron Crow. Today we're going to dive into a topic I think is critical for everyone involved in OT specifically. [00:00:32] We have this problem everywhere, and it's around funding, specifically in OT cybersecurity, especially around critical infrastructure sectors like energy, manufacturing, transportation, you know, all of those 17 critical infrastructures. It's often an afterthought compared to IT, the cybersecurity side of things. [00:00:54] But with the increasing risk of attacks targeting OT systems, and we're seeing more and more of that in the news lately, organizations can no longer underfund this area. In this episode, we're going to cover why securing OT cybersecurity is challenging, how you can align cybersecurity efforts with your organization's business goals, how to prioritize investments and get the most out of the dollars that you're spending, and then, obviously, real-world examples of, you know, how myself and others in the industry have kind of navigated this challenge.

[00:01:28] But let's dig in first with, you know, why is funding for OT cybersecurity challenging? [00:01:35] Legacy thinking in OT, and I've heard this so many times, is, you know, it's isolated, it's air-gapped, it's, you know, the vendor designed it securely, et cetera, et cetera, et cetera. You have a vendor designing a system, and maybe they bring in security for that system, but they don't always, and rarely do they ever, integrate the other systems. Like, again, in a power plant,
you may have a balance-of-plant, you know, main control system, but then you also have a turbine control system that is separate many times. And then you've got these third-party controls. You've got, you know, all these other things that are PLCs or etcetera, but they're not included. You know, vendor A brings in a security platform, vendor B brings in a security platform, but they only care about themselves, because they just can't know all the different things that are there. But someone within the organization needs to understand that umbrella of cyber.

[00:02:31] So in IT, we know that as we bring in commercial off-the-shelf products, as we're integrating into the cloud, as we're installing applications, we're always looking at it from a: how do we make sure this is secure? How do I make sure that this isn't going to be at risk, or that I at least understand that risk, and then how do I mitigate that risk? A lot of the time in the OT space, unfortunately, the folks that are making the decisions are looking at it from an operations perspective, making sure that, you know, the car drives. [00:03:04] My goals are, you know, that it can get there, it can get there safely, and, you know, I get, you know, a certain mile per gallon, as an example with a car. But from a safety perspective, they don't always necessarily think, especially if you look at the newer cars today, they're not looking at, oh, well, can I hack this? Like, can I get shut down by a bad actor using the cyber and the technology side? So we really have to start thinking about these things differently in OT. [00:03:37] And that tide has started changing, but the cost has not really been looked at. The understanding of the risk of the environments, again, disconnecting your environment is not enough. Air gap is not enough. Installing a firewall is not enough.
The other big one that we've seen over the past five to ten years is, I've got an asset inventory, or I've got network monitoring. I've got passive monitoring in my environment. That's great. All these things are good things to do. Firewalls are great. Air gapping is great, secure remote access, like, all of the things, but it's not a silver bullet. We have to really start understanding. INL has come out with, and I've talked about it many times, even talked about it at a talk at DEF CON, the ICS Village, cyber-informed engineering: as we design these systems, cybersecurity, and not just availability and reliability, has to be looked at, and making sure that we have the right folks at the table with that.

One of the reasons with budgets is competing priorities. All the way back to when I started doing this, I don't know, 2010, I think, was the first OT cybersecurity, quote unquote, project that I did. I was going to these locations, and I didn't have a budget. So when I was going in saying, hey, I have $300,000 of scope that I need to get added to this upcoming outage, and I don't have any money, but you have to do it, it's not optional, that meant that they were deprioritizing. They were not doing boiler maintenance or XYZ. They weren't building this new thing. They were having to choose where to get that money, because it's not like they just came up with new money. So really, prioritization, and really the only way you can prioritize those things is if you truly understand the risks to the organization. And unfortunately, a lot of times in OT, we don't really understand those, because they just don't understand the assets and how they can impact and how one system can take down others.

[00:05:35] Many organizations, especially in critical infrastructure sectors, have limited budgets. [00:05:40] And when it comes to investing in new production capabilities versus cybersecurity, OT is often going to lose out. [00:05:47] OT is not an efficiency.
It's not going to add capabilities necessarily, if you just look at the cyber perspective. The other piece to this is, when I was deploying this and going to those plants, I was not selling it as cybersecurity. Now, yes, there was a compliance thing. It's NERC, it's regulated, it's critical infrastructure. But also I was deploying this as: this is operational availability. Like, what can we give that would make the plant run more efficiently, that would give them more visibility into their environments? Cybersecurity is going to be part of that. But when you start looking at logging and monitoring on those systems, there's a lot of things that you can provide that can give the plant, the environment, the OT systems, more reliability. Right. And that helps with justifying those costs beyond just a cost center of OT cybersecurity.

Misalignment between cyber and business teams. We see this a lot, especially in OT. And IT, the business, comes on site and says, hey, we have to do this thing. You've got a Windows XP machine in your environment, and we've got to patch it, or you can't patch that, so we've got to replace it. And they just don't understand. [00:07:04] That's not the answer. [00:07:07] Yes, but on the flip side, the plant can't just say, no, we're not going to do that, and not do anything. [00:07:15] It's got to be a healthy balance of, okay, I can't replace the Windows XP machine because it's the only way this thing works, and replacing it would be super expensive, et cetera, et cetera. How else can we mitigate this? I can't put in Windows 11. I can't put in Windows 10. We can't patch it. What else can we do, right? And then sit down at the table, understanding the ultimate goal is reducing the risk. The ultimate goal is not replacing the XP machine. The goal is to get rid of the risk, or at least reduce the risk to a place that's acceptable.
So really understanding and looking at those OT risks in a different light, and making sure you have, you know, the OT team working closely with the IT teams. They have firewall teams. They have network guys. They have all of those capabilities that are not necessarily held at the OT sites. Right. They don't necessarily have those skill sets in house. But unfortunately, I see it a lot: OT and IT, they just don't talk, and they don't trust each other. IT tries to cram things down the OT folks' throats, and vice versa. And then they're against each other. Right. They're adversaries, instead of, hey, we're on the same team, we need to find a solution to this problem, right? There's often a communication gap between OT cybersecurity teams and business execs, or even just OT teams in general and IT cybersecurity teams. Right. Cybersecurity leaders are speaking in terms of threats and risks, while the business is focused on revenue and operational availability.

[00:08:43] So, you know, it's critical to learn how to translate and make sure that you're speaking the same language. Especially, again, coming from corporate into these production spaces, these critical infrastructure environments, you're using different vernacular and different languages to be able to get across the message and be able to, again, communicate that you're focused on reducing risk.

[00:09:11] One of the things I say a lot is, we do business at the speed of trust. Building those relationships between IT, OT, the business, the corporate, like, all of those things, we have to build that trust. Because then, when I walk in the plant and I say, hey, we have this problem, this is the concern I have, this is a new vulnerability, whatever it is, then we can sit down together. And I'm not dictating how the plant needs to run their operation.
At the same time, they understand I wouldn't come to them unless it was a really big deal, and I'm willing to work with them to figure out a solution that doesn't break their environment and will fix the problem that we're looking at. Right.

Next is how to align OT cybersecurity with business goals. [00:09:56] Risk-based approach to funding. [00:10:00] Again, looking at this, there is no silver bullet. I can't put in product A or product B. I love firewalls. I love that, you know, all these things, they're great products, but it needs to be a bigger picture, an understanding of what's going on in the environment, right? So I need to have that risk-based approach. That way I can prioritize, and I'm not going to necessarily do the same thing at all locations. [00:10:21] A site that's low impact to my environment or to my business, I'm not going to spend the same amount on technology and people and resources, you know, people, process, and technology, as I am on my crown jewel. You know, the nuclear power plant is going to have a lot bigger budget and different requirements than the, you know, the mine or the, you know, the coffee house. Right? It's just going to be different. So one of the key ways to secure funding is to take that risk-based approach. Instead of just talking about the technical vulnerabilities, focus on the operational and financial impacts of a breach or downtime.

[00:10:58] Another common example is, you know, I've got two PLCs. They're the exact same model, make, same firmware, everything about them. One controls a turbine, and one controls the ice machine in the break room. They have the same vulnerability. So if I just focus on the technical vulnerability, they're both the same risk. But when I look at the downstream of what they do, it's a completely different use case, right? Yes, somebody will be upset if the ice machine goes down in the break room, but it's not going to impact the business, not to the same level. Right.
So I'm going to spend and take different effort. I may say, yeah, I'm not worried about this one. We're going to isolate it. I'm going to mitigate it in different ways, or I'm going to accept that risk. Whereas the one that's controlling the turbine or the manufacturing line or whatever the thing is, maybe I need to do a different mitigation for. Right.

A ransomware attack that shuts down production in a manufacturing plant for two days: the lost revenue for those two days could be far higher than the cost of cybersecurity measures. So it's really just being able to translate those costs and understanding the risk to the business. Colonial Pipeline is a great example of that as well. It wasn't even an OT device or attack, but it impacted OT. There's too many times we're fighting and arguing on whether or not it was an OT attack. At the end of the day, did it impact OT? Did it impact the business? Did it impact your ability to sell your product, whether it's electrons or gas or widgets or whatever the thing is? Right.

[00:12:25] And that really gets back to being able to speak in dollars and downtime. Right. Business leaders respond to financial impacts. If I'm going to communicate to a business leader, I can't say, hey, there's X number of vulnerabilities. What does that mean? Right. [00:12:38] I don't know what to do with that. Right. When pitching cybersecurity investments, explain how much a downtime event could cost the organization and how cybersecurity could help reduce that risk or reduce the likelihood of that. Right. [00:12:52] Obviously, it's not an exact science, but being able to understand, hey, if these things go down, this site, this one site, is X number of dollars per hour, per day. And this one critical update, or lack thereof, this vulnerability, could bring down the entire environment.
I did an assessment at a manufacturing facility not too long ago, and they had multiple lines, and they had network switches that supported multiple lines, and they had no redundancy. Now, this isn't a cyber issue. But again, looking at this from a risk understanding, if one of those switches goes down, loses power, just fails for whatever reason, then multiple lines are down, and they're not producing product. Right. So that lack of redundancy, or even a cyber attack, if somebody updates firmware, whatever, something goes bad, then those things go down. Right. You can lose millions of dollars per hour if those production systems are taken offline. So articulating those costs of downtime helps you to understand. Well, we just installed those switches. Well, okay, but if it goes down, it's going to be a million dollars a day, and it's going to cost $100,000 to fix this. So, is it worth it to you? Right. And what's the likelihood that that could happen, you know, and then, you know, being able to show the math and not, you know, fear selling, but realistically, what is the likelihood of those things happening?

[00:14:22] And then, you know, there's a common problem in OT with asset inventory, or lack thereof, not really understanding what assets I have in my environments. There's a lot of products out there, we talked about passive monitoring and even active, to be able to help with that asset inventory and understanding the assets that are in your environment. [00:14:43] But once I have an asset inventory, let's say I've got the best products in the world, and I know all of my assets, and I have a complete list of every asset that's on my network, that's in my OT environment, that's not enough. And I used the analogy a minute ago, two PLCs, right? [00:14:57] Not every system is equal. I need to understand. The asset inventory is the first step.
The second step is understanding what each of those assets is, what they do, what their function is, and then being able to tie that back to the risk. Right. So again, those two PLCs I explained, right, one is in the break room and one is controlling the turbine. What is the risk to the business? They're going to be vastly different. So being able to understand that and classify that. Right. A utility company protecting the SCADA system that controls water flow or electricity distribution should take precedence over securing a non-essential OT device like the ice machine in the break room. [00:15:38] Or again, you're probably not controlling the ice machine in the break room, but it's just an illustration of the drastic differences between two devices that could be the same type of device. Right.

[00:15:52] How do you prioritize cybersecurity investments? [00:15:57] Many times I see, again, I came from the vendor space, I sold product as a CTO. [00:16:03] And a lot of times vendors are focused on, you know, we're the best of this and that and whatever, right. But at the end of the day, when I walk into a place looking at their OT cyber, many times it's not the super fancy, sexy tools and technology, or even people, that you need. It's starting with basics. What are the fundamental things that you have to do? So focus on those things. Like, if I had a dollar to spend, what is the most efficient place to put it that would get me the most return on investment as far as reducing risk and securing my environment? Many times that's starting out with an asset inventory. Many times that's a walkdown. Many times that's, you know, putting in a firewall or locking down a firewall, because many times firewalls are already there, but maybe they're really porous and they're more like a router than they are a firewall. So focus on those fundamental cybersecurity measures that can give you the most protection for that dollar.
Network segmentation, access control, secure remote access, monitoring, logging, you know, again, firewalls, basic, basic type things, even training and people. Do you have people that are looking at this stuff? Do they understand what they're looking for? Like, do you have people, you know, processes and procedures that know, hey, if I see these types of events, what happens? Right? So all of those types of things are foundational. Many don't even have those, and those are not always necessarily expensive. Those are things that you can do with a fairly, you know, small budget, but that get huge, huge value on the back side.

[00:17:38] Choosing solutions with a high ROI. There's a lot of products out there that are OT-specific, and there's good reason for them. Again, with monitoring, especially packets, when you're looking at the network, a lot of these OT devices, the IT products just don't speak those industrial protocols and all that, right? But at the end of the day, you need to be looking at products that'll give you the biggest bang for the buck. So if I look at a firewall, right, a firewall does more than just block packets. It can do a lot of different things, especially these next-generation ones. They're reading packets and they're looking at the protocols and all that. Same thing with secure remote access. I'm doing secure remote access, but I'm also stopping people from pivoting. I'm stopping people from being able to copy files, for data loss prevention. [00:18:23] I'm stopping the attack vector of being able to bring in a USB drive, because nobody ever actually plugs in antivirus. Those are, again, looking at those simple things. [00:18:34] They're not always the most complex or the most sexy. Before I start worrying about AI, I want to make sure that I've got network segmentation, that I've got asset inventory, that I'm monitoring my network. Adding AI or any of these newer awesome capabilities, great things to have.
But before I ever start talking about those, I'd better have a really advanced and mature OT environment, where I've got automation and I've got everybody trained and it's already doing those basic foundational things. [00:19:05] An asset management system can help a power plant track aging equipment, reducing the risk of failure, lowering maintenance costs, while improving cybersecurity. Right. There's an example. [00:19:15] Asset, asset, asset. I need to understand what my environment is, and it's not just from a vulnerability and being able to patch it. It's also just, where are these things? What are they doing? [00:19:26] Do they need to be updated? Do they need to be replaced? What is my maintenance schedule on them?

[00:19:31] Incremental improvements versus huge capital investments. You don't have to solve everything day one. Again, this recent assessment I did, newer company, manufacturing environment, they have very little done yet. [00:19:50] And that's okay, because they're willing to start. They know they can't. How do you eat an elephant? One bite at a time, right? Focus on incremental improvements, a little bit at a time. Like, start adding team. You don't, day one, hire 100 people; you hire two and you train them. You get them really good, and then you onboard more and more and more, because if you hire 100, most of them are just gonna be standing around, because you don't know what to tell them to do. It's the same thing with technology. You don't have to go out and buy all these things, because who's gonna run them? Who's gonna support them? What value are you gonna get out of them? If I bought every tool available and had all of the holes plugged, NIST CSF, and had a solution or a mitigation for absolutely everything in there, who's going to run it? How do I get it done? Like, when do I start getting value from those systems? It's beyond just having the tools.
The other analogy I usually use is, I can have the nicest woodworking tools in the world, and they can sit in my garage, but they're not going to build me any furniture. I have to be trained and understand how to use them, and then go actually use them. I have to get materials, and then I have to get the value out of the tools. The tools themselves are not going to solve my problem.

[00:20:53] So instead of asking for a full overhaul, like, all of the problems, the sky's falling, I need $10 million or $100 million or $300 million to fix all the problems, start small. [00:21:04] That doesn't mean, if there's big problems, that you shouldn't ask for more. But it's okay to start with small projects and fix one thing at a time. Multi-factor authentication, secure remote access, making sure your backup and recovery is good, network segmentation, like, these basic things. Again, they don't necessarily sound sexy. They're not the ones they're necessarily going to be talking about at Black Hat on the main stage a lot of the time, and especially in the vendor pavilion, they're not the ones that have all the marketing behind them, but they're the ones that, real world, are probably going to be the most value-add in the short term for your organization.

[00:21:43] The kind of conclusion and call to action there is: [00:21:47] there is no single solution. There is no silver bullet. There is no one-size-fits-all solution. Even within an organization, you can have multiple sites of the same type, and I'm going to handle things differently. So really look at those and understand there is uniqueness to what you're doing. And it's okay, you know, the expectation is not to be, you know, perfectly mature, 105 on everything as far as maturity goes in a CSF assessment, right. You don't need to be perfect. The goal is not to be, you know, you're not platinum coating. It's not gold. You know, it's not gold plated. It's doing what is needed.
And your business will be different than your competitor's. It'll be different than, you know, people in other critical infrastructures. So know that. Like, that doesn't mean you can't learn from others, but you also need to adjust based upon your needs.

[00:22:47] Emphasize those critical incremental investments that can help improve security without overwhelming your budget. And then, again, start small. Build your case for larger initiatives. Show value, build something, do something. Come in with an assessment, and then go into deploying a product, and then show value from that and expand it. Hey, if we had this, we could do these other things. And just continue to build on that and show that extra value. [00:23:15] And then, you know, you'll be amazed how quickly it can grow and justify that funding. As more and more events are happening in the news, I think it's going to be easier, at least, to be having conversations with the board, with executives, around this, because it's something that they're hearing constantly. So thank you today for tuning in. Hope you found these insights valuable.

[00:23:41] Whether you're struggling to secure funding for your OT environment, to get it started, you don't know where to start, or, you know, you face the same thing and you've beat your head against the wall because you know the problems, you've tried to pitch it up, and it keeps getting kicked down, let me know. Any funding strategies you guys have had, anything that's worked for you, maybe something that hasn't worked for you, I'd love to hear about them. Definitely reach out. Any way that I can connect with you folks, just let me know. Stay safe and secure out there. Thanks for your time today. Thanks for joining us on Protect It All, where we explore the crossroads of IT and OT cybersecurity. [00:24:23] Remember to subscribe wherever you get your podcasts to stay ahead in this ever-evolving field. Until next time.

Other Episodes

Episode 17 (July 22, 2024, 00:46:53): Bridging the Security Gap: How HERA Transforms Remote Access in Industrial Environments with Andrew Ginter

Welcome back to *Protect It All*! In Episode 17, host Aaron Crow is joined by Andrew Ginter, VP of Industrial Security at Waterfall Security...

Episode 18 (July 24, 2024, 00:49:21): From Concept to Reality: ResetCon and the Future of ICS Security Conferences

In this episode, host Aaron Crow dives into critical infrastructure and industrial control systems with special guests Matthew Miller and James Warne. Together, they...

Episode 16 (July 15, 2024, 00:18:12): Understanding IT OT Convergence: Dealing with Challenges and Building Trust

In this episode, host Aaron Crow delves into IT OT convergence, a crucial yet often misunderstood topic. Listeners will gain insights into the distinct...