ICS/OT Cybersecurity: Events, Networking, and Industry Discussions with Mike Holcomb

PrOTect It All, Episode 34 | December 02, 2024 | 00:50:39

Hosted By

Aaron Crow

Show Notes

In this episode, host Aaron Crow is joined by special guest Mike Holcomb to discuss the intricate realm of Industrial Control Systems and Operational Technology (ICS/OT) cybersecurity. The episode also spotlights the upcoming event BSides ICS, an open and community-centric conference set to run alongside the prestigious S4 conference in Tampa.

Mike Holcomb provides insights into the much-anticipated ticket sales for the event and underscores the importance of submitting papers or presentations by the end of the year. The discussion emphasizes the significance of expertise in OT, cyber, and enterprise operations for top-level management and how events like BSides ICS and S4 promote networking, learning, and professional development.

Listeners will gain a deeper understanding of the origins of BSides events, the excitement surrounding BSides ICS, and the impactful discussions and innovations poised to shape the future of ICS/OT cybersecurity. Whether the audience comprises newcomers or seasoned professionals, this episode offers valuable takeaways for everyone.

Key Moments:

00:00 Educating and supporting ICS & OT cybersecurity communities.
04:28 Passionate about learning and sharing cybersecurity knowledge.
08:59 BSides: Global community-focused conference events.
10:43 Bringing BSides to Greenville increased attendance.
16:29 Promote diverse perspectives in OT cybersecurity.
19:01 Active Directory challenges in IT-OT integration.
21:07 Active Directory simplifies system management, poses risks.
28:57 Lean on IT for the correct Active Directory setup.
31:52 Availability is crucial in an OT environment.
34:14 Integrating IT and OT for enhanced cybersecurity collaboration.
36:16 IT and OT integration needs improvement.
40:54 Exploring cybersecurity in ICS/OT across various sectors.

About the guest:

Mike Holcomb is the Fellow of Cybersecurity and the ICS/OT Cybersecurity Global Lead for Fluor, one of the world’s largest engineering, procurement, and construction companies. His current role provides him with the opportunity to work in securing some of the world’s largest ICS/OT environments, from power plants and commuter rail to manufacturing facilities and refineries. He has his Master’s degree in ICS/OT cybersecurity from the SANS Technology Institute. Additionally, he maintains cybersecurity and ICS/OT certifications such as the CISSP, GRID, GICSP, GCIP, GPEN, GCIH, ISA 62443, and more.

He posts regularly on LinkedIn and YouTube to help others learn more about securing ICS/OT and critical infrastructure.

How to contact Mike:

Website: https://www.mikeholcomb.com/

YouTube: https://www.youtube.com/@utilsec

LinkedIn: https://www.linkedin.com/in/mikeholcomb/


To be a guest or suggest a guest/episode, please email us at [email protected]

Please leave us a review on Apple/Spotify Podcasts:

Apple - https://podcasts.apple.com/us/podcast/protect-it-all/id1727211124

Spotify - https://open.spotify.com/show/1Vvi0euj3rE8xObK0yvYi4


Episode Transcript

[00:00:00] Speaker A: You're listening to Protect it all, where Aaron Crow expands the conversation beyond just OT delving into the interconnected worlds of IT and OT cybersecurity. Get ready for essential strategies and insights. Here's your host, Aaron Crowe. [00:00:19] Speaker B: All right, excited for this one, Mike. Thank you for joining me. You've been on the podcast before, so. But for those that may not have heard that previous episode, why don't you introduce yourself, tell us who you are and what it is that you do in this OT cybersecurity world. [00:00:34] Speaker C: Thanks for having me back. I appreciate it, Aaron, as always. And yeah, for me, my name is Mike. In my day job, I get to work and design security for some of the world's largest industrial control environments. I get to really work with some of the world's best engineers in the control system space. So I'm very, very privileged there. And then outside of the day job, a lot of it is being able to take the information I learned there and from others in the community and being able to make that, I think a little bit more accessible to folks, whether it's on YouTube with a free course around how to get started in industrial control cybersecurity, which is really a focus for me, it really just sharing with people and helping not only bring new folks in to the community, but also for folks that want to learn more about ICS and OT cybersecurity, why it's important, why asset and owner operators, they kind of get stuck and a lot of them don't have a lot of resources either to build their programs and might not know where to start. 
So a lot of my goals is to help not only bring new people into the community, but also to help I guess essentially build up or strengthen those environments out there that already exist where again, especially for those that they're not like a shell or a BP with larger budgets, they're probably small mom and pop shops or medium sized organizations that they just don't have all those resources and don't even know where to start. So that's a big part of, you know, what I share on YouTube and on LinkedIn. [00:02:32] Speaker B: And it's such a valuable and needed thing, right? Is not everybody is Duke, not everybody shell, not everybody's FedEx, not everybody's Amazon, right? There's varying levels of budgets and complexity and staff like all those things and you have to start somewhere. Like there's plenty of organizations that are in the beginning stages and they don't know where to or they, they're, they're, they've started and Maybe they've gotten to the 10 yard line and they don't know how to get it, you know, that, that much further and what's that low hanging fruit and all those things are valuable, you know, and coming from, you know, working at a big four and nothing against the big four, I loved working there. I'm glad I have that in my, you know, that feather in my cap. But at the same time, you know, some of these smaller organizations can't pay a big four to come in and advise them. Right? They just can't. They can't even pay, you know, smaller boutique firms like they just don't have that budget or so sometimes they have to do the best with what they've got. And sometimes I'm an engineer, maybe I'm the smartest engineer in the world at my controls and automation, but that's a different skill set than cybersecurity. And that's the thing that we, a lot of the times you and I are talking to those really capable, amazing engineers and trying to give them some of the knowledge they need to kind of in this realm that they're not from. They didn't come. 
That's not their training. They've been doing this for a long time. But the cyber thing is different and many times it gets bolted on because they're the smartest guy or girl in the room. They're the ones that are, that are left with the, hey, you do it, you know how to do all this stuff, Figure it out. [00:04:07] Speaker C: Right? Yeah, no, it's very, very true. I used to think, you know, engineers knew everything and no, they, they don't. You know, so it's, you know, they are, they are human just like, just like the rest of us. [00:04:21] Speaker B: Sometimes they seem superhuman and they are, but there, there is still limitations to their all knowingness. [00:04:28] Speaker C: Very much so. And that's a big part of what I like in working in ICS and ot, you know, today. And I think this is not just because of me and my day job because I get to have a lot of other conversations with engineers and other folks in automation and OT around the world, but just getting to share with them and help them learn from a cyber perspective, right, how to design or how to secure their environments. But then I also get to learn, learn from them as well. So I'm always constantly learning. I learned so much every day from people again from all over the world that it makes it really exciting. Where yeah, I'm an old IT cybersecurity person. I've been doing IT cyber for 30 plus years. Right. And it's nothing against the folks in IT cyber. It's kind of gets old after a while though, I guess. Like everything. But you go to most IT environments, right. They're very similar from environment to environment where you step into OT and every environment is completely different even if you go into, you know. Right. Even go into two different power plants. Right. They can be very different internally. Right. From a kind of a control systems and networking perspective and the different systems and assets that they have and how those processes operate. So that's. 
[00:05:58] Speaker B: You can even see it within a single plant between multiple units where they've done upgrades at different times, they've added third party controls differently across IT because of budgets or needs or whatever. And it's crazy to see even at the same site owned by the same company, ran by the same people, the same engineers. Right. And there's a vast. A difference between block one or unit one and block two. Unit two. Right. And it's just that level. And usually it's not night and day. It's not going to be GE and you know, Toshiba. But usually, usually it's ge, but it's different levels of ge. It's, you know, I've upgraded this one two years ago and this one's still waiting to be upgraded. So I'm dealing with all these different things. And that sounds simple, but on the scale that we're talking about, it can be really complex to really understand the intricacies of patching and support and how it all works. Because that version could change the. The interconnection between PDH and ud. I mean, there's all sorts of things that can change between those things that are beyond just an operating system that we deal with. And on the IT side. Right, right. [00:06:59] Speaker C: It can be a lot more complex and try to keep everything. And when I look at ICS and OT from a cyber perspective, I always try to keep it as simple as possible. But. Yeah, but those are definitely some of the areas that can trip people out. They can get complex and they can get complicated because of all those different values and systems that we see out there. Yeah. Some of our projects, you know, they take five, six, seven years to build. We have an LNG facility that we just started bringing commission or bringing online right now. And we build the first two lines that took seven years to get done. Of course, Covid was, was in the middle of that, which didn't help, but. And now we're about to start work on the next two lines which is going to still take another right. 
Four or five years. So there's going to be definitely some small differences, at least between. Between those two that kind of, like you point out, like everybody needs to be aware of from the engineering side, but also, you know, the folks that are leading the cybersecurity at the site. [00:08:02] Speaker B: Which, which leads us to. Part of the reason that I wanted to bring you back on this week is give you an opportunity to talk about this. This upcoming thing that you guys are doing, which is BSides ICS. It's going to correspond with S4 in Tampa. And it's a. It's an independent organization. Everybody's probably heard of B sides, but why don't you give us a little thing of what is B side, what is BSides ICS and why are you putting this together? [00:08:27] Speaker C: Sure, yeah. No BSides. For those that aren't familiar. It came out of the IT cybersecurity world and it was really a couple of folks that they were applying to the larger conferences out in Vegas like Black Hat and defcon. And I think it was primarily defcon and all quality folks had great talks, didn't get accepted for the conference. And they said, hey, I'm still really passionate about sharing this information. I really still want to get it out there. So a bunch of folks just met at a bar the day before the main conference, just hung out and talked about what they wanted to share. And BSIDES was born and now they have events in, I think it's over nearly 100 countries around the world. I actually run the BSIDES Greenville event down in Greenville, South Carolina, where I'm at, and we get about 400 folks every year. And it's really, I think our event, like many of the B sides, it's really just about bringing people together. And yeah, there's, there's talks. Most have a lockpick village. You might have some other, maybe a capture the flag that somebody's doing. But really, I think BSIDES is really just focused on the community, right. 
Bringing the people together and just making those connections with. Whether it's somebody that you just talk to for five minutes, you might talk to somebody for, you know, the next five or 50 years, you know, depending on that connection that you make. And we see a lot of that. There's. There's been even just with like B sides Greenville. We've seen other security groups and other conferences spin out just out of the B sites Greenville area where I took mine. We started B Sides Greenville because I went to the B sides Augusta conference and said this is awesome. And to me, it's still the best cybersecurity conference on the east coast, if not in the country, personally. And I always was trying to get people to go to besides Augusta from Greenville because it's a two hour drive. [00:10:42] Speaker B: Sure. [00:10:43] Speaker C: I could only get like less than a handful of people to go, though. So I realized the only way to get, you know, Greenville people to bsides is to bring BSIDES to Greenville. And that's actually somewhat the same approach to, with BSides, ICS, OT. Because we did add, you know, some OT content to BSides Greenville this year, and it was really well accepted. I think we had as many folks in the OT talks as we did in the IT talks, which was really exciting to see because we had some, some folks that had been in the field for a little while and then, you know, but we had a lot of people that have no clue what ICS or OT is and they wanted to learn. And so that was really exciting to see. And so when we look at, well, we have S4 conference and this is. I've applied to speak at S4 and you know, the last couple years it's been, you know, nice try. And Dale who, you know, Peterson, who runs the conference, he's actually. I'm really impressed because he gets back to everybody really quickly. [00:11:46] Speaker B: He does. 
[00:11:46] Speaker C: He tries to work with you and say, like, hey, we can tweak this or, you know, maybe, you know, it'll be a good fit or maybe next year. And, and like, I think my topic, you know, just, you know, wasn't going to be a good fit for, for S4. And so it kind of made me think, I'm like, yeah, that's kind of how like B side started. You know, it was just like you had these guys that, you know, had. Had wanted to speak at a conference and they just wanted to get together and it's like, you know what? We should do the same thing, you know, just in, you know, with, with S4. Right. Because with S4 you have, you really do have, like, the expert and thought leaders of, you know, globally coming to, you know, arguably the most important, you know, largest ICSO t cybersecurity conference that there is. And like, well, everybody's coming and. But we also want to, you know, kind of help grow the community and bring new people in and also make it not only more accessible for new folks, but also for asset owners and operators. Right? The people that own these environments or that run these plants. Right. They. You can't go to S4 and get a Lot of real world, practical information that you can take back to the plant the next day and help secure or run the environment. Right. That's just not going to happen. And I talk with a lot of owners and operators these days. And so that's really kind of this idea behind B size ICS is bringing in the community to kind of tapping into S4. Right. Because we have all the experts in town, but also bringing in new people to get them exposed to some of the. Not only these experts, but just people that work in the field as well and anybody that wants to, you know, share and then also make it very practical and approachable for asset owners and operators. Yeah. And it's a $30 ticket. Right. Compared to, you know, over $2,000. Right. For S4 right now for three days. So it makes it much more approachable. Yeah. I think. 
And making it affordable and making it so people can come and learn more about ICS and OT Cyber. [00:14:11] Speaker B: Well, it's one of those things where BSides does not take away. Because BSides, they do, these correspond with Defcon and Black Hat and RSA and all these big conferences have these BSides. And it doesn't take away from it. It's not to take away from the main conference. [00:14:27] Speaker C: Yeah. If anything, it's the opposite. Yeah. Because you'll have people that end up going to both. So, you know, ideally, if you were able to continue doing B size ics because we actually had to get special permission from B size to be able to do a specific conference focused on one topic. And because that's not something that they've done, they've done like three or four out of their entire history. And those were one off events. [00:14:54] Speaker B: Sure. [00:14:54] Speaker C: And so, yeah, being able to have folks at both S4 and B sides ics and kind of going back and forth and you have a lot of people today that might come to the first B size ICS and they're just starting to learn, but maybe in a couple years you do see them at S4 because they're ready to make that jump and then they can come back and also get back to the community. [00:15:23] Speaker B: Well, and it's, it's. You know, you and I have talked a lot and we have similar aspirations. Like the reason I launched this podcast, the reason you do your YouTube training, the reason you do your stuff on LinkedIn, the reason I do. Obviously we have personal reasons from building our own brand. Obviously. But, but the, but that only matters if we're providing content and value. Right. My. Our intention is to grow the network Right. To have different. You know, I've been doing this a long time. You've been doing this a long time. You know, at the same time, I don't that my ideas are always the best. Believe it or not, like I've been wrong before. It doesn't happen that often, but it's happened. Right, but. 
And it's not about being wrong or anything like that. [00:16:04] Speaker C: Right. [00:16:04] Speaker B: It's. It's about bringing more people into the industry. Right. We know cybersecurity is not going anywhere. We know the importance of ICS and really having that understanding. So whether you're coming out of college, you're still in high school, you're trying to figure out what you want, or you've been in it, like both Mike and I were for many years. And you're wanting to bridge that gap from IT to ot. And it's a hard transition, but it's not. It's not undoable. Right. I've done it. You've done it. Many of us came from other worlds because there was no such thing as OT cyber security. So it's not like anybody has 40 years experience doing OT cybersecurity because it just wasn't called that. Now granted, we have. Because we were working in this industry kind of adjacent. It just wasn't called that. Right. So. So all these things, the entire intention is, is to bring more visibility, more understanding, to be open so that we're having diversity of thought and having more people's opinion. And to your point, Dale has to be really intentional about who gets on the S4 stage because everybody wants to be there. Right. So he has to really be picky on who's there and does it fit with the theme and. And do they. Are they good on stage and all those types of things? Because everybody expects that higher level of thing. Whereas at A B Sides, not to take anything away from B Sides, but you can have people that have never talked on stage before get up there and that's okay. Like that's the benefit. And the value there is that no matter where you are in your career, you can present it B Sides, which is a great opportunity for you and the community because we get to hear your idea, even if it's not polished enough to be mainstay just for. Doesn't mean that there's not good value in it. [00:17:35] Speaker C: Right, exactly. 
And that's, I think with the schedule we're looking at putting together, that we want to make sure that there is that kind of diversity across the board. Right. It's not going to be, you know, the typical, like, like old, old white guys. Right. Like myself. Just speaking for myself. Right. But you know, also, you know, with, with a large focus on, you know, a big focus for me is bringing more women and other underrepresented, you know, groups into. Into the community. For sure. And so. And then also with B sites. Yeah, it's. And we have slots for new speakers. Right. Someone that hasn't actually shared. That's actually one thing that we ask on the forum is have you presented this before? And like an S4, they probably are looking for somebody that has presented before in some respects. Right. We're kind of the opposite. We want those new folks that are really passionate about sharing their message and want to get it out there. [00:18:37] Speaker B: Yep. Yeah. And we know. And to dive back into some of the content so we know the value and the vast difference between IT and ot. Right. And we know you posted something the other day that, that really triggered people and I think is still a valuable conversation. Active Directory. Right. So we look at Active Directory. Active Directory is a good thing. I've got some horror stories and war stories about using Active Directory. I was an Active Directory Administrator at AT&T and on the IT side. Right. You know, supporting 100,000 plus users and, you know, Active Directory and Exchange and all those types of things. But those capabilities have got brought into these OT spaces. Right. And we don't, you know, that. That Control Engineer we just talked about before is not an Active Directory admin. So they're just taking whatever configuration came from the vendor and they're hoping it worked. Right. 
And we see a lot of organizations that are trying to make trust relationships or instead of having a separate Active Directory, they just integrate with their, with their IT1. Because I can understand at a high level how it makes sense in their mind because it's more difficult to manage multiple environments. And all the, all the. And again, that. That Control Engineer is not an Active Directory admin. He doesn't know how to really manage it from that level. But there's all sorts of risks that come with that. So talk to me about how you feel about Active Directory at OT and the whole ITOT convergence thing. [00:20:06] Speaker C: Sure, sure. Yeah. And this is coming from somebody like yourself. I've been doing Active Directory since it was first a thing. Right. 1998 and 1999 was when it started really picking up out of beta. And then of course, when Windows 2, you know, officially launched, I helped design Active Directory for the Naval Marine Corps Intranet, which was not, you know, a small Small environment when you're talking the entire Navy and the entire Marine Corps and then just carrying that, that forth. So yeah, there's this idea and I think a lot of people, if you're new to ICSO T, you don't realize this is something I had no clue before I stepped foot in. My first plan was there's Windows everywhere. And the plant manager was giving me a tour and he's like, oh, here's all of our data historians, they're running Windows and Microsoft SQL Server and here's our Active Directory domain controller. You have domain controller? Well, shoot, I know Active Directory. So it was definitely something a, that I could even bring more to the table to help them with and help them understand because like you said, they don't have that, that background. 
But when you look at Active Directory, it is a great tool to be able to put user accounts and passwords and be able to use group policies to push out security and other settings across the environment and be able to administer systems. Especially in the larger the environment, the more benefit you get out of, out of it. The problem, you know, is when you have your IT Active Directory and then let's say you have your manufacturing facility and they also have of course again, all those Windows systems in the plant. And so, oh, we want to manage those as well with user accounts and passwords and group policies for all of our settings. So I think the initial instinct is, and mine would be 15 plus years ago would be, oh, let's just tie them all together, right? That's the beauty of ad. Like I can do everything from one central location. The problem that you run into is think if an attacker or something like ransomware gets into the IT environment, really especially with ransomware today, right? It just spreads like wildfire, right, from system to system instantaneously. Everything is compromised. If you have that connection between IT AD and the OT environment, that infection, that ransomware, or if it's just an attacker, they're just going to move from IT right into OT and take out or compromise all of the systems. And I hear about it, it's almost like I get somebody at least on a weekly, you know, basis talking about, yeah, that happened to us, right? And they had to learn the lesson the hard way. So yeah, a big part of that post is so hopefully people ever designed in a new environment, right? Hopefully you don't have to learn things the hard way. And if you have an older environment that's sharing ad and I kind of get a sense that it's probably about 20% of the environments out there. I don't know what you've seen, but that's kind of what I. At least from my exposure. You know, a lot of folks still still have it, and I think they're just, you know, just okay. 
It's just like I always. I'm from California, right. And the wildfires are crazy, right. You know, so you're always worried about it. It just feels like the same type of, you know, situation where you're just sitting on massive acres and acres of just dry weeds and brush and it's just waiting for a spark, for everything to ignite and go up. Yeah, that's. That's what it feels like to me. They're just waiting for that one person to click on a link or open up an attachment infector system, and then that, that ransomware is off to the races and it takes out again IT and ot, right? And then your operations are. Are completely, completely down. [00:24:25] Speaker B: Well, you know, we've done this in business where we have, you know, delegation of authority, right? We have, you know, we separate so that, you know, my IT administrator can't, you know, write a check. You know, my finance people can't see, you know, everything. Not one person has that full rights. I've also seen a lot of operational reasons why segmentation and having separate systems. And it's exactly the things that you talked about, right? It's. Hey, it is rolling out this new group policy because it's better security to make sure that all the screens are locked within five minutes of inactivity. Right? And this was a disconnected environment where the actual OT systems were not sharing active directory, but they had. What do all plants use? PI. And usually those PI systems are many times sitting on a corporate desktop because it's just displaying information, right? It's not control. It doesn't need to be in the ot technically OT environment. But as we all know, it's really hard for a plant to manage their environment because they put so much into PI. It's half the dang screens in the control room is some kind of pie manipulation, right? So the IT side implemented this new group policy that dropped these corporate machines into this thing. So the screen locked after five minutes. 
The operators don't have a login. It's just a screen. It has no keyboard. Like there is a keyboard, but it's like hidden somewhere else. They never log into it. They've never once logged into it. So when the screen went dark, they can't control it and they have no idea how to get to it Right. And they. So once they finally got to it and then it happened again, then they're screaming like, what is going on? Yeah, it didn't know they were doing this. They didn't know the impact. But that's the bigger problem. That's the thing that we have to understand is it's not just, yes, the ransomware thing is huge. And yes, being able to pivot down in these environments with one login that could then with a trust relationship or anything else, then I have access into these OT spaces. It's also so somebody can make a mistake in it or push something they think is a good idea and it's not. On paper it is, but it doesn't work in the OT environment for many number of reasons. Like for instance, I don't want my operator to have to log into a screen ever, because they need to be able to control that thing at a heartbeat. Right. I control access differently in a control room than I do on a machine that's sitting out in the middle of somewhere else. Right. I need that access instantly. No hesitation. I don't want them to fumble with a password, no fingerprint. It's just, just there. They sit in the chair, they control the thing. Right? Yep. [00:26:59] Speaker C: Yeah, no, it's very true, very true. And I think it's one of those big differences, you know, just between IT and ot and that's why. Yeah, it's just kind of one of those reasons. They are very different. And so, yeah, we don't need it. AD and OTAD connected together. You know, the biggest argument to that is, well, now I have to manage IT ad and I have to manage OT and ad. Like, Like. Yes, you do. But A, you've reduced the risk that there, that's there substantially. [00:27:28] Speaker B: Sure. [00:27:28] Speaker C: Right. 
And I don't know, I've administered AD in really large environments. It's not that hard and it doesn't take that many resources. And once you set it up in ot, Right. OT is just very static. It's not like you're getting into AD every day, you know, making changes all day. It's, you know, I just, I just don't see that as a, as a valid argument, I guess a concern completely. Right. I just don't. I think it's one that. It's not insurmountable at all. [00:28:03] Speaker B: No, I agree. And that's the bigger thing to always remember is, yes, you have to manage all these different environments, but you're also not managing the environment very often. Like we're not getting new accounts constantly. We're not installing things, nobody's browsing the Internet like there, once it's set that like most of these environments don't change for years. I mean, usually don't even have people coming in and out. Yeah, yeah. I mean you're, you're doing an annual review to make sure people change their password like basic things. But you're not installing new things, you're not adding new devices, nobody's plugging in or unplugging, nobody's installing new applications on things like it's, it's very, very static. You know, Sun Tzu, Art of War, things don't change and they're not updated constantly. So that's a, that's an issue. But on the inverse then I should be able to notice when things change. Right. So it's very simple. Once I set up Active Directory and the argument I always come back with is this, it's no, I don't want you to have one environment. Yes, I think you should allow it to advise to make sure that the Active Directory environment is set up correctly. And what that means is not to push all the IT policies down into ot. It just means they don't have a default password, they don't have the standard things that should be taken care of and secured and made sure it's configured to best practices. You should lean on your IT team that does Active Directory for a living. 
They do this at very large organizations and very large environments. You should have them come and look at your environment. Just because the vendor set it up does not mean they're an Active Directory expert. I hate to tell you, but they're not. So have some outside third party review of that and make sure that they didn't leave a back door or, you know, enable something. You know, for instance, like you should never log in as Domain Admin ever, ever, ever to anything other than a domain controller. Like, and many times when I've seen, when these vendors give you their service account, that service account is Enterprise Admin and Schema Admin and Domain Admin, of course.
[00:29:57] Speaker C: Right.
[00:29:58] Speaker B: And you're logging into all these machines with all those things, and we know that there's a, there's a Kerberos issue and all sorts of ways that that can be taken advantage of because you're just using it improperly.
[00:30:09] Speaker C: Yeah, yeah, right. If you have an attacker in the environment, they're just sitting there waiting for somebody to log in with those credentials and they take them and they, they're off to the races.
[00:30:18] Speaker B: Yeah.
[00:30:18] Speaker C: And it doesn't have to be a state adversary. You know, we see state adversaries in many of our environments, or at least they're trying to get into requirements. Right. And they're very much after floor in my day job because they don't care about our data. But they do want Shell's data or BP's or Saudi Aramco's. But it's also, it's ransomware. And the common attackers and the hacktivists as well use all the same tactics and techniques, right. The little tricks, they'll just sit there. Same thing, right. They'll just sit there and wait for one of those accounts that has, has massive, you know, godlike privileges essentially in the environment. And yeah, it's off to the races. And they just take control over everything.
[00:31:03] Speaker B: Yep. And it, and it happens so easily.
And, and this gets back to, you know, CIE, cyber-informed engineering, and really looking at all these systems and really understanding what they're supposed to be and making sure you have the right team and all that. Right. And this goes back to the whole theme of this, you know, ICS and BSides is really making sure that people are informed and tr. And there's no way that you would know why all of. Because it's very easy to say no, you could never do that, not without explaining. Right. And why. The battle scars. I've seen personally, firsthand, that Active Directory literally tripped a working power plant because they lost access. Right. And it was done by a vendor. Long story, and I've said it before, but people coming into the environment don't understand because they haven't seen those things. So having them sit down and let me explain to them why. And I'm not saying you can't ever do it. I'm just explaining the difficulties that I've experienced and why I say no and why I say segmentation is important and why I've seen, I've been burned by this, this way and this way and this way and this way. And these are the concerns that we have. Because at the end of the day, in an OT environment, availability, safety and availability is the most important thing. It trumps all the other CIA triad, right. It's not even a close second. It is availability 100% of the time. So as long as I can safely operate it and continue it. If I never had Active Directory, like all these plant managers would throw all this crap out if they could just run their plant safely, right? Obviously we need these things because it makes it more efficient, blah, blah, blah, all the things, right? But at the end of the day, many of the cyber things that we do, we struggle to find the ROI on it. And sometimes you have to look on the inverse of, if I implement this thing, I can actually make it less available. I can actually make it less reliable because of things like this.
And yeah, it's a once in a lifetime thing, but I've seen it multiple times, so it's not a once in a lifetime thing. It can happen. And it's not just me. Ask other people. There's a reason why people are so scared of scanning, you know, OT networks. It's not because vendors have told them that. It's because somebody scanned and it caused a problem. Like, it, it's, it's not, it's not a fear, it's not an unrealistic fear, let's put it that way.
[00:33:17] Speaker C: For sure. Yeah. I actually had a, an industrial CISO one time tell me, you know, in his environment, he's like, if you scan that PLC with, with Nmap, and he, very serious, dead serious, he's like, it will leave a crater in the ground three miles wide.
[00:33:32] Speaker B: Right?
[00:33:33] Speaker C: Like, yeah, yeah. Probably won't be doing active scanning in this environment. Right. But, but I can, you know, think back to, you know, me, you know, 15 years ago, you know, it's like, oh, I'll come in and I'll run Nmap and I'll run Nessus, right? To find vulnerabilities and map out your network. And yeah, that's, that's not how it works in, in OT, but there's. That just points to, you know, how there are a lot of similarities between IT and OT cybersecurity. Right. They're more similar than they're not. But when they're different, that's where we have to help folks from IT understand those, those differences. While also IT help, you know, is helping, kind of like the example with AD, right. Helping out OT folks understand, okay, well, how do we secure, you know, AD, right. How do we use it to secure the environment? Right. And that really speaks to how we get IT and OT to work together. Right. And I think that's also a big, you know, going back to, like, BSides ICS. It's this idea of being able to bring IT and OT people together. You know, my goal is hopefully we have, you know, half of the group is IT folks and half is OT folks. Yeah.
And that we find a way to, you know, meet in the middle and work together because. Yeah, the biggest thing that always, my biggest pet peeve is when people say, like, IT cybersecurity is not OT cybersecurity. And I get the, like, the idea behind it. Just like we're saying. Yeah, they're very different in many ways. But again, to me they're more, they have more in common than they don't.
[00:35:11] Speaker B: I agree.
[00:35:12] Speaker C: Yeah. And it shouldn't be the IT side of the house and the OT side of the house. It's the same damn house that, that we're trying to protect. Yeah. We need to, you know, we need to work together to, to make that, that happen. Yeah. And I think awareness and education is, and bringing people together is, is the only way that we can get past, you know, all these, these problems we see out there.
[00:35:35] Speaker B: Yeah, 100%. It's, you know, the way I've said it before is, like, we're on the same team, we're in the same jersey. Like, yes, you're IT and you have a different, different job than I do as an OT person. But that we're on the same team and we should be working together to secure this thing and make it more available and efficient and, and have the ROI and all the things. So we should use, you know, if you've got a guy in the corner that's the best firewall guy in the business, why aren't you using him? I'm not saying that he should control your firewalls, but you should at least advise from him. You know, you should at least get his opinion because he, he is good at what he does. You still get to make the final decision, but you should at least opinion. Right. Same thing on Active Directory. Same thing on SQL. Same thing on, you know, thin clients. We're using thin clients in all these control rooms and, and you know, with the terminal server, like, we have the same systems running in IT. Why are we not.
And we, we're sending that team to training and they're dedicated and all they do all day long is eat, breathe, sleep networking or firewalls or front end servers or whatever the thing. And the fact that we're not all using those to at least advise on our OT environments as they're being deployed. Okay. The vendor's bringing in Active Directory and they're bringing in XYZ firewall and they're bringing in these types of switches and they're bringing in this. And here's the configurations. Is there anything that we're missing? As we know, sometimes those configurations will leave Telnet running and they've got a standard password installed and they're not encrypting the passwords. On a Cisco IOS, it's just clear text, so I can look at the configuration, see what the password is. I mean, they leave SNMP running, like all the different things that on an IT side we've, we've disabled 15 years ago, on an OT side many times we walk in and it's still there. It's running XP, it's got a, it's got a, you know, a 3G card directly plugged into it. It's multi-homed, so it's plugged into multiple networks. So it's bypassing the firewall. There's all these things that we do in OT that are just no-nos in IT, but we do them every day in OT, and we have to, we've got to get to a place where we feel comfortable to reach out to our, our, our team on the other side of the fence. Because, like you said, we're all in the same house. Like, we're all working towards the same goal. And the more that we can use that knowledge together for a shared end goal, the better off we're going to be in the long run.
[00:38:00] Speaker C: For sure. Yeah. Do, do we need people that understand both? For sure.
[00:38:05] Speaker B: Yeah.
[00:38:05] Speaker C: Right. But to get to that point, it takes years, it takes decades for somebody. Like, I'm working on that path and I've been doing it for a long time. But yeah.
I'm still not an expert, you know, and I would never say I'm an expert in, in ICS or OT anything. Yeah. And, and I'm not an engineer. Yeah. And I'm learning again, more than one thing, you know, every, every day.
[00:38:29] Speaker B: Sure.
[00:38:29] Speaker C: So we have, we have to work together until there's that time where. Sure. You have, you know, and I don't think it'll actually ever happen. You, you just have a field of people that understand IT and OT together. And again, I think those people are going to be rare and few between, and I think that's always going to be the case.
[00:38:53] Speaker B: Well, it's like you build a house, you hire a general contractor and then that general contractor gets subcontractors. He gets an electrician, he gets a plumber, he gets a foundation guy, he gets a cabinet guy, he gets a, you know, paint and mud guy, like, you know, all that type of stuff. Yes. He's, he's somewhat knowledgeable in all those different areas, enough to say, hey, subcontractor, that's not the quality work that we're doing. That's not what we're trying to do. But at the same time you don't want him doing all the work in those areas because he's not a craftsman, he's not an expert in all those areas. But you don't need him to be. You need him to be able to understand enough that he can say, hey, electrician, we're not using aluminum wiring in this house. Like, I don't care how cheap it is, I'm not doing aluminum. Right. And we're going to put it into code and here's the code and all that stuff. Right. It's no different in OT and cyber and our enterprises. We need to have somebody at that top level that has enough understanding, like you and I, that aren't necessarily experts in all these things, but we've been around and we've seen enough that we can say, hey, you're missing, missing something there, or no, that's not how we're going to do this.
We are not pushing GPOs down into these, these products and locking their screens because it's going to cause a problem. This is why. Right. You know, and it's, it's the battle scars from my hard hats up there that, you know, I've been there, I've, I've seen it and we've done it, and, and pulling together and learning that, that, that root cause analysis, the, the after action, whatever you want to call it, is so valuable, that, that, that knowledge being pushed into BSides. So what is, what is, what are some of the things that you guys are going to be talking on? Like, what is there, is there a theme or focus on, on the event other than just ICS in general?
[00:40:33] Speaker C: Yeah, I mean, it's, it's one with BSides and it's kind of like you build it and they will come, trip over, especially for the first one. But, you know, already talking with folks that want to participate, to come share. We have our keynote speaker locked in. We can't announce quite, quite yet, but I'm really, really excited. Hopefully a lot of other people will be as well. I know we'll be touching on subjects like. And I think there's a couple of ways to look at it because with ICS/OT, right, you want to look at, there's kind of the cybersecurity, I guess, principles or practices. Like if you want to learn about ICS/OT pen testing, how does that work in, in an OT environment and how it's different from IT. Right. That could be an example. But then at the same time we also look at the OT world and from a perspective of different sectors as well. So you could have somebody come in and talk about, like, how does the power grid work. Right. How, how does control systems and cybersecurity work in a power plant.
[00:41:42] Speaker B: Right.
[00:41:43] Speaker C: Versus you, someone, like we're talking about Kristen. Right. You know, come in and talking about how cybersecurity impacts food and agriculture.
[00:41:53] Speaker B: Yeah.
[00:41:53] Speaker C: Which is not, I mean, it's one of those areas I didn't think about a lot because I don't, you know, I haven't worked in food and agriculture. Right. You know, so it's kind of this whole just bringing in different people that want to come and share, from first-time speakers to people that have probably been doing this for, yeah, 30-plus years and everything in between. And they can be talking about cyber from different perspectives, from the different sectors, they can be looking at it from, these are the different practices in OT, how they are different in IT, and just kind of a big mishmash or mashup of all that is typically what BSides will turn out to be.
[00:42:42] Speaker B: Yeah, that, that's awesome. Yeah. I mean, definitely anybody that's out there listening, you know, maybe you've submitted something for S4, you didn't get your talk heard, or maybe you did and you still want to share with, with more folks, like, definitely reach out. I'll be part of it. Definitely volunteering and helping out where I can. There's, there's some cool stuff coming that when they are announced, I think everybody will be excited to see. I know you guys are still working on the venue. Hopefully that's, that's found out pretty quick as well. But it'll be somewhere in that S4 area that I'm sure that, that people will be. If you're going to one, you'll be able to get there from, from the other. Is that right?
[00:43:20] Speaker C: Yeah, I think the furthest location we're looking at, and we should have it locked in hopefully by the end of the year or the end of the month, right after Thanksgiving. I want to go down there. But yeah, I think the furthest away is like a 10 minute drive from where S4 is. So it's perfect, not horrible.
[00:43:38] Speaker B: So how do folks submit to be a talk or sponsor or volunteer? Like, what, what's the kind of call to action for folks if they want to be involved or, you know, just participate or just attend even. Sure.
[00:43:51] Speaker C: No, I appreciate that. Yeah. So besides ics.org is the site to go to, and then you'll see the links. There's links there for the CFP and for tickets. I would say right now we're actually probably already about 20% sold out. Which is, which is really good. Yeah. To see. So we'll have a great group. And then on the site you'll also see the info@begin besides ics.org, so that's the best email for if you want to go through the official channels, or anybody can feel free to ping me on LinkedIn or send me an email@Mike Holcomb.com. Sure. And we'll give, you know, folks want to volunteer, we'll get you on the list. We've already got, like yourself and, and some others from the community, which is really exciting, that are coming to help out for the day. And then trying to think what else. I'm probably missing something, but it should be a great event. We'll have a speaker dinner and volunteer dinner the night before. We're planning on an afterparty that night. We're also working with Kristen and Nejo to host a reception for women in ICS cybersecurity that night. It was something that essentially S4 had done previously and they're not doing it this year for whatever reason. So we were going to pick that up. So, so I think that's definitely something also to look forward to, especially for, for any of the women, whether you come to S4 or BSides or, you know, one or the other or both. You know, definitely love to have you at the, at the reception that, that night. So.
[00:45:36] Speaker B: Absolutely.
[00:45:36] Speaker C: Yeah.
[00:45:37] Speaker B: That's exciting. Yeah. And all this stuff, we'll share all the, all the links and content down in the show notes there. But definitely reach out, you know, if you have questions, don't hesitate to reach out to me. Reach out to Mike directly. Happy to do it. But I, I really challenge all the listeners out there.
If you haven't spoken, if you, if you've got something and you want to get in there and submit something, maybe you've tried at S4, DEF CON or any of the others, or maybe you haven't. Maybe you've been sitting on the sidelines and you haven't stepped up to stage. I really challenge you to take this. Right. And it's a good opportunity, it's a good skill. You know, Mike and I talked about it a little earlier around, you know, kind of business development versus engineering. And, you know, part of my job as, as a consultant is to do, you know, to sell. Right. And, and one of my mentors a long time ago told me all businesses are people business. Right. You have to be able to sell your idea to people, whether, whether you're a true salesman. You know, people think sales and they think car salesman, but it's really, we're always, all of us are always selling. Selling to our wives, to our kids, to our boss, to our, you know, the, the plant manager. You're, you're constantly selling your idea and, and why it's a valuable idea and why, how you understand and how it's going to benefit them. Like, that, that's what we're doing. Right. So, so getting on stage and honing that soft skill is valuable to all of us engineers, all of us network people, cyber people. Like, that's a skill set that isn't necessarily trained at a CISSP or anything like that, but it's a valuable skill to have for your career and to just better the community in general, to have those dialogues and conversations. Because, you know, Mike, some people may disagree with you and I on the whole segmentation and IT/OT convergence, and I'm happy to sit down and talk to them about it and just talk about my concerns, but that doesn't mean I'm against hearing their perspective as well.
[00:47:28] Speaker C: For sure. Yeah, most definitely.
[00:47:30] Speaker B: So when, when's the deadline? When do, when do tickets, tickets, like, how often or how quickly do people need to jump before they lose the opportunity to attend?
[00:47:41] Speaker C: Yeah, it's hard to know since it's our first year as far as tickets selling out. I suspect we will sell out, though, especially once we release our keynote speaker. But we're going to try and get as many folks in there as possible. So we'll sell tickets up to the day. But again, they probably, I would have, are going to sell out. Yeah, gotcha. And then the cutoff for the call for paper or presentations is the end of the year. So you have until New Year's to get that in. And then we'll have a really quick turnaround where the advisory board looks through those. They don't know who submits what, so it's a blind review, and then take all that into consideration. And then, yeah, we'll finalize the schedule and let folks know. So that way, for those that are especially coming from out of town to Tampa this year, that they'll have, have time to be able to make those arrangements.
[00:48:39] Speaker B: Awesome. That's awesome. Anything else you want to share with everybody to know before we wrap it up and tell people to just sign up and let's go?
[00:48:48] Speaker C: Yeah, I mean, that's really, you know, that's really it. Right. We want to make it as big as possible because we don't want this to be the one and only BSides ICS. We've already had folks reach out from the UK and India and a couple other places that they want to do their own version, which is awesome and which is what we want to have happen. We just have to make the first one a success so that the BSides overall community supports us continuing with this. You know, BSides ICS/OT in name, which I think a lot of people are really excited about. And even though maybe they don't care about ICS/OT, and that's okay, not everybody does. I think at the same time they can see the value in the mission and, and support that. So there's a lot of excited people out there.
And so yeah, so I'm really excited for, for February to come and put on a really great show, have as many people there again, sharing, connecting, learning, just getting to know each other and, and kind of take that back out into the real world and make a difference.
[00:49:53] Speaker B: Awesome. Yeah, that's exciting, man. Well, definitely have all those show notes. I'm excited to be there, be part of it and experience the first one and help it be as successful as possible. So thank you for your time today, Mike. I really appreciate it and I look forward to February and kicking this thing off for sure.
[00:50:10] Speaker C: Yeah, it'd be great to have you there for sure. Thanks, Aaron.
[00:50:13] Speaker B: Thanks, Aaron.
[00:50:14] Speaker A: Thanks for joining us on PrOTect It All, where we explore the crossroads of IT and OT cybersecurity. Remember to subscribe wherever you get your podcasts to stay ahead in this ever-evolving field. Until next time.
