Episode Transcript
Aaron Crow (00:01.153)
All right. So welcome to the podcast, Protect It All. Thank you for joining me. Today I've got my friend Peter, who I happened to be at S4 with last year, I believe, when you got coined for BEER-ISAC, which is really awesome to see. And it just happened to be, another, I did a podcast episode yesterday with a gentleman who was actually in Iraq.
so between you and him, y'all are definitely the furthest away from me here in Texas, as far as this. So it's what I love about technology is we can have interesting conversations and people, I've been fortunate enough to meet you in person, which is awesome. and I love, you know, kind of making those, those connections as opposed to just being online and just having that persona, but also like bringing that into the real world and having a beer and having a, having a coffee or a, you know, actually breaking bread. makes a big difference in the networking side. So Peter.
Thank you for joining me today. We tried to record this last week and I had all sorts of technical difficulties. So I apologize for that. Thank you for taking time again today. anyways, why don't you introduce yourself, tell us who you are and kind of your background.
Peter Jackson (00:54.882)
you
Peter Jackson (01:03.298)
Yeah, thanks Aaron and great to have the opportunity again. I really enjoyed my time at S4. Actually, I've got my S4 hat on today. I'm a real big fan of all the work that Dale's done and has done for a long time and, as you say, really great to meet around that S4 table and break bread, as you say. We've got this thing that just runs through our veins. Those of us in OT security, it's part of who we are, it's in our DNA and so having that sharing.
Aaron Crow (01:08.525)
Yeah.
Peter Jackson (01:31.194)
Time together is incredibly important. Obviously, through the pandemic we had to go remote, but it's really great to be well post-pandemic now and doing some things. But background on me. So as people might tell from my accent, I'm from New Zealand, down under. Born and bred Kiwi. My background is in industrial automation and control systems, so I come from the world of PLCs. I don't just know how they are spelt.
Aaron Crow (01:35.235)
Right.
Peter Jackson (01:59.534)
Worked through kind of safety systems, alarm management, those sorts of situational awareness aspects. Again, some common themes there around alert fatigue, alarm fatigue, low likelihood, high consequence events, those sorts of things. And eventually got put into a role for one of our customers looking after what we now call OT cybersecurity. Fast forward a few years, I've built a team. I've built a New Zealand community. We get together fairly regularly.
Aaron Crow (02:12.353)
Hmm
Peter Jackson (02:29.07)
and yeah, a few years ago got acquired by a global multinational. So now sitting as a center of excellence within that. Along the way, met Rob Lee and he invited me to teach his class as a certified SANS instructor for ICS515. And yeah, do a few other things along the way. I tend to keep pretty busy, as most of us in this industry do.
but do have a lot of fun supporting practitioners on their OT security journey. So yeah, great to be here and support yourself and all the work that you do in supporting our community. So thanks for having me Aaron.
Aaron Crow (03:09.591)
Yeah, man, absolutely. I know you kind of bridged over that history there, but there's a lot of knowledge and experience in those things. And it's easy to get caught up in, you know, five one and all the different things that we do and the experiences that we've had and you've had, Peter. But there's a reason why we're so passionate about this, right? It's because we came from
Peter Jackson (03:25.838)
Mm.
Peter Jackson (03:30.539)
yeah.
Aaron Crow (03:31.477)
working, you know, having the hard hats and working in the plants and doing those types of things. I don't just know what a PLC is. Like you said, I love that. I don't just know how to spell it. I actually know what it's for. And I've seen it from the operational side way before there was anything called OT cybersecurity, right? Before we were ever doing those things, we were helping and making sure those things were able to do their job. And we're still doing that today. We're just doing it and adding that cyber risk and cyber lens on it. But ultimately,
Peter Jackson (03:36.515)
Mm.
Hmm.
Peter Jackson (03:46.54)
Yeah.
Aaron Crow (04:00.247)
The reason why OT is so different and why we're so passionate about it is we know that the primary use case is for that PLC to do its primary function. And we can't allow cyber to get in the way of that or hinder that. That doesn't mean we do nothing, but we have to make sure that we remember that availability and safety is the most important thing.
Peter Jackson (04:06.062)
Yeah.
Peter Jackson (04:18.38)
Yeah, absolutely. I think I would hope that IT security practitioners also understand that their mission isn't to just reduce security risk, but to reduce business risk with a lens on security. But in OT, and again, we have these IT OT paradigms, we might get through some of those over the next little bit, our goals and ambitions aren't minimizing security risk. Our goals and ambitions are supporting safe, secure, reliable operations. That is our guiding light.
Aaron Crow (04:28.141)
Right. Right.
Aaron Crow (04:43.511)
Right. Yeah.
Peter Jackson (04:45.312)
And whether you're coming from the IT side of the house, OT side of the house, security, non-security, technical, non-technical, internal, external, service provider, technology provider, end user, and operator, our guiding light is safe, secure, reliable operations, and especially in critical infrastructure, because that's what matters to me and my family and you and your family. But even when we're outside of critical infrastructure, with operations and the manufacturing side, for example, that's critical to that business success.
Aaron Crow (05:13.059)
Correct.
Peter Jackson (05:13.806)
We're a driver and a supporter and an enabler of that, which is why we need to again have that mindset. And for me, that's what kind of breaks down these IT versus OT false paradigms, adversarial paradigms within different cylinders of excellence. Because when I talk about silos, we talk about cylinders of excellence and we go, hey, look, we have different perspectives and different roles and responsibilities in our organization, but we do have the same vision of safe, secure, reliable operations. So how do we?
work together to flesh out who's responsible for what, how we're going to look after secure infrastructure, how we're going to meet the goals and ambitions of our organization, especially increased connectivity, digitization, all the buzzwords which needs to come with that secure by design, secure by default, secure by deployment, those sort of mindsets. That's effectively what I see our core role is in driving good OT security mindset and success for.
for our community, our customers, and those sorts of things.
Aaron Crow (06:15.203)
One of the struggles that I always see and again for you and I, it's natural and we get it and it's because we've been there. one of the things I see that's another difference that we really experience in OT versus IT is IT, it's really easy to make a blanket, high level decision or plan like, we're going to lock workstations and you're going to have this
Peter Jackson (06:24.342)
Yeah.
Aaron Crow (06:43.501)
password authentication, you're gonna have multi-factor and you're gonna use this operating system and you're gonna use this patching thing and blah blah blah blah blah, right? Because everything fits in that box. Everybody has a new laptop. If they don't, we'll get you one, right? You're not gonna run Windows XP, we'll get you a brand new laptop, not a big deal. We're always doing those things, but in OT, even at a single site or within sites,
Peter Jackson (06:51.502)
Hmm.
Aaron Crow (07:08.579)
They're almost like individual businesses. And the way I really look at them is they really are, they're really individual businesses and they'll have different control systems. They'll have different needs. They'll have different assets. They'll have different, you know, they're in different life cycles. They have different vendors. They have different support. There's just so many variables within the same company. Two sites. And the analogy I've used many times is when I worked in power utility, we had a power, we had
Peter Jackson (07:11.864)
Yeah.
Peter Jackson (07:28.248)
Hmm.
Aaron Crow (07:35.437)
we acquired three different power plants from a third party company. we actually bought them from three different places. And all three of these plants were designed in the late eighties using the exact same company built all three plants. So they had the same control systems. They used the exact same schematics, the architecture, the design, the engineering drawings. They used one drawing and they built three plants using the exact, like they basically just rotated it depending on where it needed to fit, right? It was exact same design.
Peter Jackson (07:37.752)
Hmm.
Peter Jackson (07:41.166)
Hmm.
Peter Jackson (07:45.23)
Hmm.
Peter Jackson (07:49.528)
Yeah.
Peter Jackson (08:00.504)
Yeah. Yeah. Yeah.
Aaron Crow (08:03.265)
but three different entities owned those plants along those 20 years that they'd been running, right? So when we purchased it, we purchased one from NextEra, which is a very large power utility here in the US, right? And they had run it just like they did all their others. So they'd gone through upgrades and they'd done segmentation and they've life cycled it. They'd done control system upgrades and NERC CIP and all the different stuff along the way. And the two other plants were at different variations of that life cycle.
Peter Jackson (08:09.015)
Yeah, yeah.
Aaron Crow (08:32.059)
one of them being the most extreme in that they had not changed any technology, not done any update whatsoever since it was commissioned in the eighties. Now all three plants ran, all three plants were profitable, but you could see a difference when you walked in. I knew exactly where the control room was. I knew where everything was because the design was the same, but the components and the things inside of those plants were vastly different. And only the people that worked there could walk me through the differences, even though I knew
Peter Jackson (08:41.486)
Yeah. Yeah. Yeah.
Aaron Crow (09:00.673)
roughly where it was supposed to be. It was all so different.
Peter Jackson (09:02.165)
Yeah, yeah, Yeah, yeah. I think it's interesting. There's obviously a few threads in there I'll pull on. One is I think the organizational risk and the individual risk kind of management tolerance philosophies, et cetera, right? As you say, out of those three plants that you dealt with, one obviously had a pretty low risk tolerance and a large organization that...
that invested and managed their risk accordingly and kind of proactively, right? They were trying to be at the top of the cliff and some of those organizations, again, they sweat their asset. I think when we compare it against IT, and I try and stay away from an IT versus OT, but when we look at some of the differences in that corporate enterprise IT, not having come from that world, but I can see that there's a lot more standardization, there's a lot more maturity. The 27K series has been around for a long time. You've got
such a quantity of practitioners and organizations all faced with the same issues. And so that standardization of that over time, right, that huge market, mature market has a lot more stability. So it is a lot more cookie cutter. As you say, every plant is different, right? And even when they're supposed to start off the same. Back when I was a controls engineer, I used to love engaging with the various people who were building the plants and go,
Hey, we want to implement this improvement here to improve gas out there gate to complete widgets off the line. And so we're going to copy A and B is going to be a little bit different, a little bit better. And then C is going to be a little bit different, a little bit better. E, F, G, H. We're going to go back and update A. They never go back and update A.
Aaron Crow (10:46.978)
Right.
Peter Jackson (10:47.694)
So you end up with A through to H all just being a little bit different and it's good business value, right? They're trying to make really good decisions about what's best for the organization. But you end up with that. Even if you don't have that conceptual awareness, you do have, like, there's 10 different ways that we can program this. There's 10 different ways that we can set up this HMI or this PLC or this design or this network infrastructure, right? There's 10 different ways that we can interpret a Purdue-like, a zones-and-conduits or a...
or a DMZ type environment. And because we don't have that standardization of maturity, we haven't been doing it for 10, 20, 30 years. Especially in this kind of niche space where we sit in around OT security, because we've got a whole bunch of people that have been doing OT for decades. We've got a whole bunch of people that have been in security for decades, but the OT security piece, there's very few that kind of are able to kind of blend those worlds.
You and I kind of sit in between there. The team that I work in definitely sits in between there. We're just trying to kind of pull together. But almost always, again, I come back to that cylinder of excellence thing because very few organizations have a specific kind of OT security function. Those that do are probably like that first plant where they brought people in, solved for the problem and were able to kind of manage that well. Those that haven't...
Aaron Crow (11:48.899)
Sure. Yeah.
Peter Jackson (12:13.646)
still have a security function that may or may not have brought an OT person in or an OT function that may or may not have brought in really good robust security infrastructure networking kind of modernization pieces, and varying degrees, right? So I think that's, for me, that's some of the why behind where we've got to. And it also addresses some of the how of where we get from where we are now to where we want to be to go.
What have we got currently from people, process, technology? What have we got in terms of roles and responsibilities across different parts of the org chart? What is your business risk tolerance? And how do we, again, with a risk return on investment mindset, drive a really good three-year strategy and kind of get you more normalized in towards it? Again, SANS 5 Critical Controls for ICS is one of those tools that we can use to go, okay, you've got other initiatives, you've got upgrades and things, but.
Let's just at the very basics make sure you're planning for a bad day. You've thought about defensible network architecture. You've got some thoughts on remote access and what that means to you. You've got some network security monitoring and hopefully risk-based vulnerability management, which for a lot of organizations is protect the programmer, protect the historian, ignore everything else for a little bit.
Aaron Crow (13:35.544)
Yep.
Peter Jackson (13:37.353)
yeah.
Aaron Crow (13:39.425)
Well, and beyond that, very true. And we even see within organizations, and again, I usually use power utility because it's one that people seem to understand. I'm not going to do the same controls at a nuclear power plant as I am at a wastewater or a small, you know, single combustion turbine, you know, old system that barely, you know, it's not even peak load. I only bring it on when
power prices or demand is really high, then I spin this unit up. My, you know, my nuclear power plant, obviously there's a lot more risks. So the maturity level of the cyber program is going to be a lot higher and I'm going to spend a lot more effort and money and I'm going to throw more tools and people and processes at that higher risk environment. And it really, I think you've said it multiple times, but I really want to make sure that the audience hears this. It's all around your risk. It's around the risk to the business. It's not just a cyber.
Peter Jackson (14:19.906)
Yeah.
Peter Jackson (14:24.195)
Hmm.
Peter Jackson (14:32.821)
Hmm. Hmm. Hmm. Yeah.
Aaron Crow (14:37.283)
It's not just a cyber risk in a vacuum at this place, because the cyber risk is the same or similar at all of my sites. But what is the risk to the business? If this system goes down, what does it do to my business and overall, especially when you're talking about critical infrastructure, what is the domino effect of that thing going down into the bigger system, whether it's my company or, especially in power utility, to the grid?
Peter Jackson (14:47.145)
Mm. Mm.
Peter Jackson (14:54.104)
Hmm.
Hmm.
Peter Jackson (15:01.39)
Yeah. Yeah.
Aaron Crow (15:02.147)
And does this, if I take down a nuclear power plant that has, you know, 3000 megawatts, like that, that's a big problem. If I take down a unit that's got 50 megawatts, I mean, it's a problem, but it's not the same problem. One is not the same as the other. There is a different risk tolerance between those two things. So we talk about, like, scaling and maturity levels and, you know, different levels of effort, because I'm not going to spend the same $5 million for a cyber program at that 50 megawatt plant as I would at
3000 megawatt nuclear power.
Peter Jackson (15:34.766)
Yeah, absolutely. The consultative answer, it depends. Here are some of the things that it depends on. I think I'll just put to one side the Greenfield plant build because that's got its own kind of fun and games. So let's just examine that we're looking at the 90 % of where we're coming in to support organizations that have a Brownfield plant and Brownfield organization. Every organization's a Brownfield. Sometimes we get to work on Greenfield stuff, which is fun and games.
They already have existing everything, right? Existing program, existing people, process and technology. Quite often that's ad hoc or not documented or a whole bunch of things. But they come from that wide variety of spaces. The organization has a stated or unstated risk tolerance. Certainly at the top level, they have generally good understanding of business risk. I think often as we get into this kind of niche of OT security,
there's a really poor understanding of where the current risk is and what the risk tolerance might look like. I think in security we just understand that our standard is endpoint, SIEM, EDR, XDR, security monitoring, SOC, all this. That's just almost standardization now. It's not really a risk-based approach. It's just that's what we do. For OT we love to sweat the asset, right? And as OT practitioners we're pretty used to going, look,
Aaron Crow (16:53.517)
Yep. All right.
Peter Jackson (17:04.226)
this XP thing is holding together this turbine. We're not going to upgrade a turbine just to upgrade an XP. We're not going to get out of support and moving off XP. So we just end up with that risk tolerance and go, it's probably fine until someone like you or I comes along and goes, did you know that that turbine is kind of the most critical in the organization for impact and we've got no resilience around that? And so if you're unable to support that turbine system, your business is severely impacted. So guess what?
there is some risk-based return on investment that we can raise up with some good tools to the top of the organization and go, actually, this OT security risk as a subset of security risks, right? We're a niche within a niche. Ranks quite high because of our lack of time, and energy, right? Like our under investment, our under focus on, again, amorphous thing that we call OT, much less OT security. And so having those conversations and getting it kind of
to the attention of organizations. I mean, one of the things that I like when I'm talking to board, C-suite, exec types is to go, you already know that cybersecurity risk is one of your top three risks, just like every single organization in the world. You're an industrial organization, therefore your core business is OT and IT is a bolt-on, right? Those two things are true for pretty much every industrial organization in the world. So I've secured one of the top three risks, OT is their core business.
and for them to not have a good understanding of their OT risk, their OT roadmap, their OT strategy is just something that nobody really put to them that plainly before. It does rely on people like you and I going evangelizing around the place. Those practitioners that have their eyes open to these sorts of things and those conversations. And as you say, in our critical infrastructure, kind of oil and gas, we usually put oil and gas, energy, utilities in
one bucket around their maturity and understanding their risk tolerance, their level of investment, their systems. We put water and manufacturing in kind of a different space and so kind of our tool sets for those different things. And as they say, right, you do need to have that prioritization within your own OT security. We're all very familiar with prioritization and so prioritizing efforts so that, yep, okay, this one's quite important in the portfolio.
Peter Jackson (19:28.43)
We're going to do some things here to reduce our biggest business risk by impact here first. If we want to try some things, if we're getting into active scanning or gently caressing our OT environment, maybe we're going to start over here in our lower impact environment, for example.
Aaron Crow (19:47.787)
Well, and you said something right there that I want to double click in and it was really frustrating. Again, I was an asset owner at a power utility. You know, I supported 45 power plants for 10 plus years, rolled out control system upgrades and cybersecurity and all the things across those places. I had a team of six people and my plants were spread across Texas, which like Australia is a pretty big place, you know, from a geography perspective.
Peter Jackson (20:07.34)
Mmm. Mmm.
Peter Jackson (20:12.398)
Mm.
Aaron Crow (20:17.697)
So plants could be six, eight hours driving distance away from each other, right? So it's not like I can just hop in my car and be there in 15 minutes or something. And I had six people. Now I had some contractors. So if you include contractors, I probably had 15 people on my team that worked for me and supported those plants from a cyber and a technology perspective on all those, on the OT side. If you compare that to, again, this is a power company. That is their job. That's all they do.
Peter Jackson (20:44.354)
Yeah. Yeah. Yeah. Yeah.
Aaron Crow (20:45.623)
They don't have any other businesses. It's just a power company. You look at their IT side and they had hundreds of people, exchange admins and network admins and, you know, SharePoint admins and active directory and all of the things. And I'm not saying they shouldn't, but it's the budget, the IT security and IT technology budget compared to the OT budget was vastly skewed.
Peter Jackson (21:09.496)
Yeah. Yeah.
Aaron Crow (21:14.275)
And they were starting to grasp that. But so many organizations, it's the tail wagging the dog instead of. And you said it. This is an OT company. 90 % of your, all of your revenue, everything comes from the OT side. Yet you don't invest in it. And do you see more businesses recognizing that and adjusting those budgets accordingly? Not that they should necessarily take away from IT, but more invest in OT.
Peter Jackson (21:30.99)
Yeah. Yeah.
Peter Jackson (21:43.608)
Yeah, absolutely. When we first started, I mean, we first started doing kind of this around 2017 and a lot of our relationships on that were with the OT, the ICS automation side of the house. I feel like the security stack and the automation or operations, whatever your OT cylinder of excellence is called, sometimes multiple, that's some fun and games at the moment.
Their goals are supporting safe, secure, reliable operations, right? They're operationally focused. The security stack, right? CSO or CIO or CTO, that part of the stack is around supporting security. We've found, especially kind of 2020s, that it's more of the security stack being mindful of actually we can't just exclude OT from our security responsibilities, mandate, controls.
27k audited, etc. We have a responsibility for security across the organization. Like if I look at our gentailers in New Zealand, we've got gentailers, they do retail and generation. So they have a different philosophy for their corporate enterprise, for their retail side, where they've got PII and they've got payment. And they've got a different strategy for OT. And the security function, again, sits across all of that. And where they've got the ability to share
capabilities great and where they need to have a different approach or robust access or kind of that separation of IT and OT, right? Two different pieces of cheese, two different layers of protection. Then they have that. But the buck stops with that CISO or whoever is responsible for security. In my mind, most organizations will be working with in 2020. There's certainly 30 % of exceptions, but...
A lot of the time we're coming in on behalf of that security function and they know the OT is different, but they don't really know how and why and what they should be doing and where they should be spending their time and energy. You mentioned dollars, but I think before that is focus, right? And from focus, that's where we can and that awareness and have that conversation. To your point, we shouldn't necessarily be reducing security budget on corporate enterprise.
Peter Jackson (24:05.452)
because we want to force adversaries through a well-defended, well-protected environment before they get into our OT, right? So all those investments do support OT. Obviously, we want to be optimized, right? So we can use technology better to support, get the right level of technology up in that space, but increase that focus. And starting with that enablement. And as you say, right, a team of 100 compared to like a team of 15.
compared to core business. I would hope that that team of 100 starts to take on some of those more responsibilities, especially like in an OT DMZ. An OT DMZ I find looks more IT than OT. By its nature, it can't impact safe, secure, reliable operations, right? Otherwise it wouldn't be a DMZ, but it does impact that kind of support layer, the historian, the jump host, the WSUS or.
or whatever we're using for that conduit between IT and OT. We get some really interesting fun and games around MES manufacturing systems and ERP systems. Again, we've seen some, maybe publicly Norsk Hydro as an example, around that they weren't able to continue safe, secure, reliable operations because of the impact in their corporate environment, for example, right? And that management of OT and so understanding what that looks like. Again, it's a hard problem.
Aaron Crow (25:24.631)
Yeah. Yeah.
Peter Jackson (25:32.334)
It's a messy problem. It's a complex problem. You and I, I think what keeps us going is that we really love applying those simple solutions to complex problems. We're both aligned on that KISS mindset, as many of us in our industry are, but actually understanding what that looks like in the solution set and the control set and the best course of action. Especially when we're dealing with different personalities and history, right? Most times, especially in OT and sometimes in IT,
we've got that legacy and people have different philosophies and their own experience and potentially networks and environments developed after 20 years and you come in and you go, actually that's no longer within your business risk tolerance. We've got increased connectivity. We've got an increased threat landscape. So what you used to do around having no antivirus or unpatched antivirus on those endpoints doesn't meet your risk tolerance anymore. Adversaries are now targeting a lot of manufacturing environments like yours.
because they know that a lot of organizations haven't been focused on endpoint security because the system isn't the asset. The system is a distributed control system. But we do need to kind of get just some basics. And did you know your vendor actually supports good endpoint protection on those now? And your security team can do that monitoring for you. And so we kind of try and bring these folks together to, again, just reduce business risk.
Aaron Crow (26:43.725)
Correct.
Peter Jackson (27:00.704)
again informed by that threat landscape and informed by the control set. And a lot of ICS vendors have come a long way. I mean, they're all on their own little maturity journey. But I've got good hope for that and we're heading in the right direction. I think all of us, anyone working on security always knows that the organization will work slower and accept more risks than we really want them to. We're heading in the right direction and especially if we have those conversations across the org chart, right, top, middle and bottom.
Aaron Crow (27:23.683)
All right.
Peter Jackson (27:30.978)
technical, non-technical, the security function and the OT function. We can get some momentum, we can get some movement and make progress in our community. I think I've got hope. I'm not cynical yet, which I'm really grateful for.
Aaron Crow (27:46.179)
No, I've seen a lot of growth. Obviously you and I've been doing this. I've got grays in my beard too. We've been doing this a long time and I've seen a lot of growth and a lot of movement in the right direction in this path. Again, from back to when I was an asset owner till now, that same organization, I still have connections there.
Peter Jackson (28:05.762)
Mm.
Aaron Crow (28:09.185)
you know, I have friends there. I'm in Texas, so they provide power to my house. So it behooves me for them to do it well, because I want my electricity to work at home. Right. And I see that. And to your point, like, I don't want to take away from the IT side, but I absolutely want to lean on them. Right. So my team, when we were doing that, we basically had a firewall at the site and all of the technology from that firewall, including that firewall, all the way down to the control system and the endpoints like the
Peter Jackson (28:09.262)
Hmm.
Peter Jackson (28:27.575)
Mm-hmm.
Peter Jackson (28:31.651)
Yeah.
Mm.
Mm.
Aaron Crow (28:38.115)
PLCs and the field devices, et cetera, my team supported all of that. So that was antivirus and patching and secure remote access and VMware and servers and networking and everything in between. And again, I had a very small team. So my team had to be a jack of all trades and be able to do firewall configurations and deploy VMs and patch systems and backups and antivirus and all of the things. Whereas on the IT side, they had individual dedicated
Peter Jackson (28:40.834)
Yeah. Yeah. Yeah.
Peter Jackson (28:49.064)
Yeah. Yeah.
Aaron Crow (29:05.261)
firewall team and a dedicated networking team. So, so what I always tell people is lean on those teams. It doesn't mean that you should just hand them the keys and say, go away. Cause that's there's danger in that because they don't necessarily understand OT and they, I have many war stories of why we don't do that and why there is a separate group that usually manages OT over IT. They just don't always get it, but that's not a good enough reason to just say, don't touch my stuff. You can't, this is mine.
you know, go home, this is my stuff, right? And that used to be the mindset. The same as it used to be, well, I've got a firewall or it's not connected to, you know, I've air gapped it. So I don't need any of this OT cybersecurity stuff because I'm not at risk anymore. my gosh, that's not true.
Peter Jackson (29:43.8)
Yeah. Yeah. Yeah. I think my favourite conversation on that, I was talking to a safety manager in a specific industry. I won't get into the industry because it's not relevant for the question, but as part of the safety case, the legislative, regulated, required safety case, they made some statements which maybe I agree with the intent, but the term I wouldn't have used, in talking about air gap and things.
And I had this conversation with them about what they'd said to the regulator, and they said, where do you get that? And I said, your safety system is shown in your control room to the operators so that they can see what's happening, right? And that's on the same system that does your plant control, and actually your historian has access to that information as well. And then on the business side, you've got access to the historian to see what's happening across the plant and what's happening there.
And on that business side you're also connected to the internet so that people can do their jobs, right? So all of those things are true, right? Yeah. So can you tell me where the air gap is between your safety system and the internet?
So, do you have good segmentation and segregation? Yes, for that organization that was not one of their findings. But again, to say that things aren't connected is a little bit of a fallacy. And again, especially if you're non-technical, maybe you don't think about those things the way that we do.
Aaron Crow (30:55.715)
Do you have a troll taking the data from over here and taking it over here?
Peter Jackson (31:20.182)
Again, segmentation, segregation, I've got some community events over the next couple of weeks talking about OT NetSeg and going, here are some philosophies, here are some mindsets that we think, and again making sure that we're catering for those early, mid, late stage. I think if I look at again kind of our corporate enterprise, I'd say that a lot of organizations are kind of at that maintain, right? They're going to have to continually evolve their controls and their
people and their process and keep up with their technology and those sorts of things. But maintaining their current security posture still requires effort, right? Risk is always increasing. So you're still trying to hold it down. I haven't found many organizations that have got up to that point with OT security. I think there's still a lot that are correcting for underinvestment. Again, we're in a low maturity space, relatively speaking.
And so yeah, there's still a lot of work to be done to put in place some of those mechanisms around people, process and technology, and roles and responsibilities around security network infrastructure. I really liked, again, and I see a lot of organizations moving in the way that you spoke about where the OT function, I spoke about it at a conference last year with Leslie Carhart. They were there and doing some presentations, so it was great to catch up with them. OT.
ICS is not OT. And it kind of separates that function to go, Aaron and his team look after the infrastructure, right? The IT-like things in an ICS type environment. And it actually frees up our ICS practitioners, right? Those control system engineers, automation professionals, those guys that really care about the application, that really care about diving into the detail of PLC logic, HMI, DCS and SCADA.
They can do application and offload some of those things. Some of the most frustrating organizations that we came in to help, their automation team was spending 90% of their time on chasing the patch, self-initiated denial of service, and spending very little time on actually improving operational outcomes because they were so drawn into supporting secure infrastructure. And so we're like, hey, look.
Peter Jackson (33:42.542)
Let's offload these functions. Your trade for 20, 30 years, you've been doing automation. We'll give you good supported infrastructure with an OT mindset. We know that we're not just going to push patches arbitrarily. We know that we're 24/7, not 8 by 5. Anything that we're doing, we're doing on a Tuesday morning, not a Saturday night. And again, we're going to be following some good mature philosophies.
We're making sure that anything that we do on the OS layer or the endpoint layer is supported by the vendor, right? Whatever your latest vendor is, and you, like me, nobody's got 100% single vendor, so we've got multi-vendor environments. I did find a 90-something percent organization once, but they had a few package systems that were a bit weird and wonderful. But here's how we're applying an OT mindset to make sure that we're providing you
Aaron Crow (34:14.659)
All right. Yep.
Peter Jackson (34:38.062)
with your requirements, which are safe, secure, reliable infrastructure to support safe, secure, reliable operations, and separating out that OT function from kind of ICS or application. And it kind of aligns to where we've seen the corporate enterprise with this as-a-service model, right? A lot of organizations we now see have a kind of OT infrastructure as a service, up to the OS layer.
And then application onwards is theirs. And obviously there's some dependencies and requirements and conversations there. And to your point, like going back into the mothership to go, OK, we're doing these firewalls, but obviously we've got to talk to you if we need something to come out, because we've got the policy, you've got the policy, all that sort of stuff. The security monitoring side, obviously we want to make sure that IT and OT have got at least some sort of convergence in security monitoring and
Aaron Crow (35:29.773)
Mm-hmm.
Peter Jackson (35:33.094)
We see that when we're doing OT security monitoring. Quite often we've got a bit of a call to action when there's a corporate enterprise thing firing off, especially if it's an OT user and the endpoint's been compromised. OK, have they used the same password over here? Is that an ingress pathway? Do we want to increase our situation? Let's go look through our OT NIDS logs and do a bit of validation. And conversely, right, if we're dealing with an incident, and of course in our tabletops, we also want to
Aaron Crow (35:48.749)
right.
Peter Jackson (36:02.144)
make sure that our IT incident response understands the roles and responsibilities and we've got the right approach across the differences, right? There's a lot of similarities, but obviously we want to make sure we cater for those differences and how we're doing that treatment.
Aaron Crow (36:18.487)
Yeah. Yeah. And it's so true. ICS is not OT, and my team was not control system engineers, right? We weren't controlling, we weren't programming the control system, we weren't managing the control system. We were just managing the technology that supported the control system, right? That's all we did. We managed the technology, the network layer, the firewalls. We made sure communications got back and forth. We were monitoring asset inventory, patching, all that kind of stuff.
Peter Jackson (36:36.898)
Yeah. Yeah.
Peter Jackson (36:43.299)
Yeah.
Aaron Crow (36:46.005)
And then we worked with the control system engineers to make sure that, because if their thing didn't work, just like with IT, we talked about it being a bolt-on, none of my stuff mattered. Like none of the stuff that I did mattered if I broke their stuff. Right. I had to make sure that their stuff worked first and then I could secure it. And if I made it so difficult, you know, little things like I didn't put passwords on the control system in the control room.
Peter Jackson (36:54.146)
Yeah. Yeah.
Aaron Crow (37:09.463)
The operators should just be able to walk up and they're always logged in, right? Because they need to be able to control the thing. And I don't want them fumbling on a password. Now I had other mitigating controls. I had cameras, you lock the room, like only a select few people are allowed in there, but you would never do that in an IT world where you just leave computers unlocked in an office space. Like it's just a, but it's not the same. Like it's not the same risk.
Peter Jackson (37:12.814)
Yeah. Yeah.
Peter Jackson (37:29.688)
Yeah. Yeah, yeah, I think again, right, for me, and I love coming back to that, our goals are safe, secure, reliable operations. We know that. Let's expand that out to that broader identity and access management piece, right? Usernames and passwords. And the control room certainly is a key example, but if we had 1000 different devices, which is a relatively small plant, and they all had the same username and password combo,
that would likely be outside of business risk tolerance. And if we had a thousand different username and password combos, that would likely be outside business risk tolerance. Much less trying to do named accounts on a thousand different devices, right? So somewhere in the middle between shared account, same with everything, and unique username password combinations is the right answer, right? Again, this nuanced, niche thing,
Aaron Crow (38:14.53)
insane.
Peter Jackson (38:25.346)
which we can then go, okay, these classes of devices, we're going to use this, and these classes and these ones are located here. So our physical security is a compensating control to allow us to again have this treatment around how our control room operators work and live and take bio breaks and go get a coffee and they're not locked out. Again, depending on that paradigm. Ideally our operators, again, our
Aaron Crow (38:43.523)
All right. Yeah.
Peter Jackson (38:52.064)
engineers as de facto system administrators, maybe we're treating them a little bit differently, right? And so that's part of that paradigm, that operators can do this and engineers as administrators can do this, and these guys we treat like this and these guys we treat like this. And I'm also an advocate for going, OK, again, greenfield, brownfield, it exists. What do you currently do? What is the next logical step for you?
Because if we try and leap a few steps, if we try and go from crawl to run, it'll be days, weeks, if you're lucky months, before we're back to crawl. Because you don't have that kind of history and we're not doing a really good nudge for you. And the next year, this is what we're going to do. And it's tolerable to you and it's tolerable to the security function. And it's closer to business risk tolerance, or that's our current what-does-good-look-like from a business risk tolerance perspective.
Aaron Crow (39:48.161)
Right. Yeah.
Peter Jackson (39:50.612)
and we're better than we were yesterday and we know we're on a bit of a journey. And I see some organizations trying to kind of get from crawl up to run on vulnerability management, for example, right? Some organizations go, we want to get here. Well, you'll get there eventually, but actually all the time that you're doing in that space is a self-initiated denial of service, right? OT is 24/7.
Any patch is a self-initiated denial of service, almost undoubtedly. And you're doing more damage than adversaries have ever done in your environment.
So let's just come back to our goals being safe, secure, reliable operations, understand our risk paradigm, understand that we care about the system, not just the asset, and get to a point where we can move you guys forward in your journey on that pathway towards steady state. As I said, I think for a few organizations the right steady state is it. Maybe my experience is a little bit different working out of APAC and across New Zealand and Australia.
Aaron Crow (40:54.755)
No, I have similar experiences. So it's not unique. It's very similar. In fact, I even see, again, over the years I've seen, there seems to be a distrust between the OT or the business side of the house and then the corporate and technology and IT side of the house. And that is not unique in any industry. It's been across manufacturing and transportation and
Peter Jackson (41:11.726)
Mm.
Aaron Crow (41:23.799)
critical infrastructure, you name it. Like it's always there. And it seems to be many times from the learned experience of they got burned or hurt because IT was trying to help them. And something they did broke something on the other side. And then to your point, they tried to jump 10 steps ahead. So then they just say, nope, we're going back to where we were. And the likelihood that you're going to get a second chance to make that same change is very, very, very slim.
Peter Jackson (41:25.614)
Mm. Mm.
Peter Jackson (41:33.699)
yeah. Yeah.
Aaron Crow (41:53.635)
So now you just, you did all that work, they undid it, and now they're very unlikely to let you do anything else because last time you did it, you broke it.
Peter Jackson (41:57.112)
Yeah. Yeah.
Peter Jackson (42:02.114)
Yeah, yeah, I suppose again, like my collection bias, my framing and the people that I get to talk to. Right, if you're talking to kind of an OT security expert, you've already kind of got to a certain point, but some of the folks that we've talked to, again, they see the biggest risk as IT, not adversaries, right? And so they're asking us, especially for coming in on that kind of ICS and OT side of the house, to put in firewalls and help them do their own management of that and going, hey look, we know that.
Maybe they're on a different space of the journey. They're not OT aware. They're doing some vulnerability scanning across every VLAN that they can have access to. And so we want to put our firewall in so that they can't do that across our environment. And we want to manage that interface. Again, there's certainly some paradigms where there is that IT and OT adversarial. Even when you do start off with this, getting them on that same page of that shared vision of safe, secure, reliable operations,
Aaron Crow (42:44.056)
Right?
Peter Jackson (43:01.454)
how to do that, and especially how to do the OT security aspects of that, there will be different mindsets and philosophies, and often competing ones, to go, our OT team would rather do it this way, our security function would rather do it this way. As OT security therapists, quite a few of them we're coming around and going, on the balance, security, you need to kind of accept some risk, or
OT, this is how we're going to frame this to achieve your outcomes, because you guys are the ones that are getting the call at two o'clock in the morning, not those guys. But again, the nature of your organization and the nature of the landscape and the nature of the risk and the threats and the connectivity and all the ambitions that your organization has means that we can't do the things that we've always done. And I think in OT and ICS, we have had that history, right? If you go back kind of 20 or 30 years,
you talk to a whole bunch of people that go, yeah, we're serial all the way. Off with that Ethernet, no, thank you very much. And then like 10, 15 years ago, go, no, we want bare metal. Virtualization, no, go away. Right. Now, today, whatever the topic of the day is, for those, cloud, cloud, absolutely, you're right. And there's still bona fide reasons to be hesitant around cloud.
Aaron Crow (44:13.356)
Exactly.
Aaron Crow (44:19.235)
cloud, AI, you name it, right?
Peter Jackson (44:29.678)
I had a great conversation at a conference in Barcelona, and there's a few people that you and I both know that were there, hanging out with the old BRIC folks and talking about what does OT Cloud look like and Industrial Cloud and the paradigm, and Cloud and Edge and those sorts of things, and what does the future look like. We've got some organizations, my first assessment in an OT Cloud was a few years ago, but it was for an organization where their CIO said, we're going to be the first ones to run OT in the Cloud, and
basically the whole team did a collective facepalm and ended up implementing something, but they only run in it during the day. They've got an on-prem head end and it's ticked the box, but it hasn't really achieved the business value. We've got some organizations, they're national or global organizations, and they don't really have the concept of a control room, right? They're a distributed organization.
So their infrastructure necessarily has to be connected to something. They're not running their own fiber across the country. So they've got that connectivity, and so kind of designing and defining those solution sets for those organizations and going, actually here's how we're minimizing business risk by actually leaning into a well secured, well defended, well architected cloud instance. Here's how we're controlling access in and out of that environment.
Here's how we're managing the connectivity back into the plant and making sure that only the right people have the right access to the right things at the right time. And yeah, your HMI system is sitting in your cloud. That's how your operators interact with that. And there's some great tools now with web-based HMI and those sorts of things that can enable, again, a 2025 view, especially for those newer organizations that aren't as restricted as an organization that's running legacy ICS and OT,
that have to really justify a business case for even just a major version update sometimes, much less moving off to a different platform, much less moving off to a different architecture. Sometimes there's a few different ways that we've done it, especially collaborating between the security and infrastructure part of my business.
Peter Jackson (46:51.456)
And we still do automation and engineering as well as industrial safety and functional safety, process safety risk. So I get to have these conversations internally within our organization, as well as with those customer stakeholders, around what are the best outcomes for your organization, not just in this narrow lens of OT security, but safe, secure, reliable operations in the future of what you define as good for your OT application, much less infrastructure and networking and security.
So some fun conversations along the way.
Aaron Crow (47:22.061)
Yeah, absolutely. You hit the nail on the head also with, we're really mediators. Like our job is to really mediate between the controls people and the cyber teams and the technologists, right? And really make sure it, I say it all the time that we're like translating, even though they're both speaking English or whatever primary language they speak, they're talking past each other, right? And they both think they're doing the right thing and they're trying to get the point across and the other side doesn't seem to understand them.
Peter Jackson (47:43.458)
Yeah. Yeah.
Aaron Crow (47:51.051)
and they're just not grasping it. Sometimes it takes somebody like you and I that has experience on both sides to say, time out, what is the goal that you are trying to achieve? And how can we get there in a way that doesn't impact and break their system while checking the box? And to your point, I can't go from a zero to a 10 in maturity overnight. So let's take a step in that direction without trying to get to a 10. Let's go to a two.
Peter Jackson (47:57.998)
Yeah. Yeah.
Aaron Crow (48:14.445)
How about that? Let's go, let's start moving. And as we get comfortable with the two, then we could go to a three, then we could go to a four, then we could go to a five. But if I try to go to 10 and it breaks, then you're going to go back to zero and you're kicked out. You're not allowed back on the playground anymore.
Peter Jackson (48:14.744)
Yeah, yeah, yeah.
Yeah. Yeah. Yeah. Yeah.
Absolutely. I mean, I really like crawl, walk, run. Relating that back, right, our ICS/OT folk are really happy with their crawl. That's what they've been doing for the last 20 years. That's the environment they look after. The team are all happy. Everything's kind of equalized around a crawl. And all of a sudden you have a security function, a CISO, that now realizes they're responsible for the security of this crawl and going, hey guys, we need to run. And so that, as you say, that mediation piece is...
appreciate the ambition, but we need to do walk. And then coming back to these guys and going, look, they've said run, but we disagree with that and we've got your back, you do actually need to walk. You need to get from crawl to walk. And here's why. And the why, I think, in that therapy session and that evangelization and that consultancy session is so critical. Because if we don't have a compelling why, then we shouldn't do it. Right? And if the why is because
the standards say so, I don't care about the standards. They don't relate to my environment. The 62443 series is on an ever evolving journey in terms of maturity. It's always, of course, going to lag behind industry. If our government says so, right, our regulatory and legislative, it's a little bit different, right? I had an interesting conversation with a practitioner once and he said, actually, my cost of compliance is 100 million and the cost of my fine is 10 million.
Aaron Crow (49:34.872)
Right.
Peter Jackson (49:57.272)
So we're going to risk accept. And it was really interesting to kind of set up that paradigm to go, actually from a business-based decision, we're going to be non-conforming, which obviously is an option, not one that we're obviously thrilled with. Most of our work, especially at kind of the top of the organization around driving strategy and roadmap and the vision and the principles and the outcomes,
is going, what is best for your organization? Right? Let's make sure it's aligned to NIST CSF, aligned to SOCI, aligned to NIS2. Those are things that you're either already obliged to or will soon be obliged to. But in the meantime, our focus and efforts are going to be driven by risk return on investment. Our focus and efforts are going to be about lifting you guys up to support safe, secure, reliable operations. And if and when
you get audited, and whatever that looks like, you can demonstrate that you've thought about the things, and actually the risk to the people that you serve in your community as a critical infrastructure operator is best served through this course of action. That's defensible and actually provides better outcomes, as opposed to playing whack-a-mole based on standards or legislation or drivers.
We've had some good success with that. Your results may vary. And anyone listening to this, again, ignoring your legislation and regulation, do that at your own peril. But if you're not guided by what's best for your organization, informed by standards and legislation, you're not doing a good job. But really, what does safe, secure, reliable operations mean to you? How do you need to have that compelling vision, strategic, operational and technical?
What does that mean that you should be doing on a day-to-day, week-to-week, month-to-month, year-to-year basis to move the needle, to reduce your risk and ideally improve your resilience? I think resilience is an interesting word and it does get thrown around quite a lot. But for me, it takes that concept of robustness, right, unlikely to fail, and adds in that kind of right-hand side of the bow tie, that consequence reduction, that
Peter Jackson (52:24.854)
if our controls do fail, we're able to recover. We've got the backups online, offline. We've got some set level of redundancy. We've got that ability to ride through the storm or recover quickly. I think historically a lot of our controls, and I'm not the only one in our industry, but maybe kind of my frame for it, is that left-hand side of the bow tie, likelihood reduction, right? Air gap, segment, segregate, protect, prevent.
Aaron Crow (52:52.877)
Mm-hmm.
Peter Jackson (52:53.058)
has been, and we still need to obviously maintain those, but that ability to respond and recover, the right-hand side of the bow tie, those other pieces of Swiss cheese that take us from robust to resilient, where we see a lot of organizations, again, wanting to be prepared for a bad day, making sure that we've got that plan, making sure we've got some sort of detection so that we know whether we're compromised in our environment, whether it's through our corporate environment or through some other access mechanism.
Hopefully we've got some assurance that we're not already compromised, because I think a lot of organizations don't if they're not already looking. We're talking 5 on 5 about Stuxnet. You can't not, but the framing is, the adversaries in that scenario designed the attack based on what the defenders were doing and what they were looking at and not looking at. So any OT practitioner doing
kind of a modicum of OT security, Stuxnet would pop out in two seconds. But that's because we know that happened and we're looking for it. Those organizations that aren't doing network security monitoring in their OT environments, for example, they're not going to see anything because they're not looking. And so if you can't, even like 15, almost 15 years later, kind of detect what was obviously fairly sophisticated for the time, but a hella noisy compromise like Stuxnet,
then you're probably not going to have good success around CrashOverride or FrostyGoop, or even just your teenager down the road compromising your firewall or your internet connectivity that your system integrator uses to support safe, secure, reliable operations. So yeah, fun and games.
Aaron Crow (54:39.447)
Yeah, absolutely. And the easy analogy for that is, you know, in IT when we have a vulnerability, we patch it, especially in Windows, right? And we also know when we patch those things, it also sometimes causes blue screens of death and issues and all that kind of stuff, right? That's not the only way to mitigate that vulnerability. You can also disable it. You can block it. You can monitor it. Like there's all these other ways that you can do it.
And to your point, we need to come up with the right solution that doesn't lower the reliability and availability of the system just because it's a shiny new thing or because Microsoft released a patch or the vendor released a patch or whatever the thing is. You don't ignore it, but there's also, there's multiple ways to mitigate it. You don't just have to accept it. It's not binary. It's not patch or no patch. You're either safe or not safe. There are
multiple ways to respond. And every time you need to be looking at that business justification of, does this make my system less secure? Is it actually applicable to me? Do I have other mitigating controls that, you know, make me safe in this space? Like I've disabled Telnet. Maybe it's a Telnet vulnerability. I don't have Telnet running, right? Or if I do have it running, I'm monitoring it and I've got multiple firewalls and, you know, I've got these other three mitigating controls that monitor those things. We don't necessarily have to patch it.
Peter Jackson (55:45.646)
Mm.
Peter Jackson (55:53.29)
Yeah. Yeah.
Peter Jackson (56:03.778)
Yeah, let's go down this rabbit hole a little bit. And here's my philosophy around OT vulnerability management. And I'll again kind of apply a crawl, walk, run, low, medium, high maturity mindset. Low maturity mindset, and appropriate for some, is protect the boundary, protect the historian and anything else that's sitting across that IT/OT boundary, ignore everything else. I got really upset with a national government CERT,
security function, that said, hey, you should be aware of this PLC vulnerability. And I said, no, they shouldn't be aware of that PLC vulnerability. The people that are looking at that sort of stuff don't need you to tell them. And everybody else has now just been pivoted in their focus to go, is our PLC vulnerable? That PLC vulnerability was discovered by a company that has an association with a detection company that has a vested interest in
that outcome. That PLC vulnerability is not going to be exploited in the wild, hasn't been exploited in the wild, and is about 1,723 on the risk scenarios compared to these top 100. So you're asking people to go spend time, effort and energy? No, that's not appropriate. Don't do that. Protect the boundary, protect the systems that sit across it. And that's kind of low maturity.
And it's better than nothing, right? So the firewall and historian and those sorts of things. Medium maturity is where you get into, for me, how are our systems vulnerable, right? My corporate enterprise machine here, it is a system. It does everything it needs to do, right? So the asset is the system. So how that's managed and patched and secured and those sorts of things. Is there a trust world that we live in? As you say, Microsoft, all of the endpoint or the applications. That system needs to be
protected, defended as an asset. In OT and ICS, we don't have that same concept. A system is not the asset. A distributed control system is a system of assets. Our safety instrumented system, our PLC systems and subsystems, our turbine control system. So how we are protecting safe, secure, reliable operations of that system is different from the asset. And it usually comes down to those VLAN kind of network, zone and conduit type controls.
Peter Jackson (58:31.022)
And for me, that's why we spend so much time and energy on network-based protection, not host-based protection. At least in that kind of middle maturity space, to go, OK, we're going to reduce and restrict access and control that system as a VLAN. The high maturity is where we get into more of those host-based and we go,
we've solved for that network, that system vulnerability. We're happy with our zone and conduit model. Whatever we define as IT/OT and DMZ and those sorts of things. We're now getting into how do we kind of proactively and reactively manage that? I mean, DHS put out the patch decision tree, what, 20 years ago, and it still stands the test of time to go, what is the risk? What is the impact? What are our compensating controls and what should we do about it?
I know a lot of folks that work in this space, and Rob and the Dragos team, they do now, next, never, or now, next, later. There's a lot of different strategies there. I really love Dale's patch decision tree. It hasn't really had much of a life because I don't think everyone's really picked it up, but I love the scalability there, especially when you're dealing with 10,000 or 100,000. But for me it comes down to what's a very small subset, single digit percentages, of what we should be paying attention to, right?
Getting rid of all the noise and going, this is what we should be paying attention to. What are we going to do in our next maintenance turnaround? We're not doing a self-initiated denial of service. And all of the rest of it, which should be 75 to 80%, is catered for by compensating controls. We're not exposed to that. Our exposure to that vulnerability is negligible or within our business risk tolerance. And that's why we don't care about vulnerabilities. And that's why patching is,
I don't even care about patching much. And for a lot of the organizations that we work with, I care very little about vulnerabilities apart from how the system is vulnerable, because that's what's going to drive safe, secure, reliable operations. That operator workstation in the corner, that testing machine, or even that one in the control room, you've got two of them. I don't care about that asset on the right. I care about the two of them and that shared vulnerability space. And quite often, again, that comes down to that VLAN. How is that VLAN vulnerable?
Peter Jackson (01:00:53.966)
How can we have something spreading? And again, all major, most minor and some small ICS IT vendors have thought about endpoint protection. So if you're just deploying Windows Defender out of the box, at least some of the scalability of these things goes away. And you can kind of pick that up later in maturity once you've again got someone like Aaron running a program and supporting Safeguard Reliable Operations and
You've sold for those things. In the meantime, you're not bugging the ICS team about trying to patch everything because it's a waste of time. Maybe I should get off my soapbox. I'm not that frustrated. I think it's just when it does come up, we do have to do that whack-a-mole to go, no, that's not worth time and energy. What I see at the most is some of our
Aaron Crow (01:01:29.091)
The sky's falling, there's a new vulnerability.
Peter Jackson (01:01:52.462)
IT, MSSPs and consultants and things, Big Four and that, where they come in and they go, everything's vulnerable. And we have an organization that is unequipped to deal with that because that would be completely intolerable in corporate, but it's very tolerable in ICS and OT. The organizations that don't have the ability to argue against that poor advice.
That's probably the thing that frustrates me the most. Sometimes we end up being a remediation for an audit outcome to go like these five or six, these are really good recommendations. These ones here, no. And here's why. Not only are they not going to provide risk return on investment, but they will have increased your business risk. And here's the reasons. That's common sense. It makes, but again, maybe you've got to be doing it for a little while to be able to have that awareness to go.
Aaron Crow (01:02:25.677)
Yep.
Peter Jackson (01:02:48.76)
We're going to ignore this advice and here's a business case basis to ignore this advice. Yeah, better fun and games.
Aaron Crow (01:02:56.227)
I've literally, you know, I came from Big Four as well. So I've spent my time in those places and I've literally pulled back assessments before we sent it to the client. And it looked like, you know, in high school when, you know, I turned in an English paper and my teacher just, everything was red. Like everything was wrong. Like this doesn't help me. If we give this to them, they're just going to be overwhelmed with everything is vulnerable. Everything is your baby is ugly.
Peter Jackson (01:03:12.77)
Yeah. Yeah. Yeah.
Aaron Crow (01:03:22.051)
I'm surprised that the place hasn't burned down yet. Like this is not helpful. They can't do anything with this. They're going to take this report. They're going to throw it in a drawer and they're not going to call you next year when it's time to do another assessment because this one was worthless.
Peter Jackson (01:03:35.33)
Yeah, and actually they won't do anything. They just won't do anything and do you know what? In the next year or two they might not even have a compromise. And the wrong message that they're taking away is we had a security audit, it told us to do a whole bunch of things, we didn't have to do anything, we didn't do anything and we're fine. Right? Now the problem comes where again that increase in security, again the degradation of security over time or the increase in risk, increase in threat landscape all of a sudden hits them.
Aaron Crow (01:03:37.685)
Right, exactly.
Aaron Crow (01:03:43.469)
Crit.
Aaron Crow (01:03:51.713)
and we're fine.
Peter Jackson (01:04:05.534)
and because they didn't invest in their security or resilience or robustness. And I mean, a lot of them have some good concepts of BCP and DR, right? Business continuity planning, disaster recovery, backups. One of my favorite tabletops. I said, cool, all right, we've got to the point where you need to recover. What does recovery look like? And they go, we'll recover from here. I said, isn't that an online? Do you think your adversaries kind of left that one alone?
And one of the control system engineers said, I've got a copy of the PLC logic on my USB stick here. I'm like, that is awesome. That is an air gapped backup. It's probably about six months old, but that's a lot better than having to rebuild your systems from scratch because every single one of your backups were compromised before the adversary triggered something. Let's see if we can do a little bit better than the USB stick that lives in your gear bag in terms of being prepared for a bad day.
Yeah, so again that nudge from where are they now? What is the next logical step? Risk return on investment for me is a great guidance and it ends up with two main pathways. What are the quick wins? What are the things that we can do easily that are either going to have meaningful or even a minor impact but help us on that journey, help to build that trust between IT and OT, help us to be a little bit more resilient today than we were yesterday. Also, what are those things that we need to plan for?
Right. We see again, it is of course one of those major things where the market is mature and evolves over time. We've got really good stability and kind of the top echelon of technologies that we expect to stick around. And so they're going to be well supported. Most of the acquisitions have happened and those that stayed and those that have kind of to oblivion have done so.
And in the meantime we can get some visibility with good tools that are actually, for me, designed around a non-security OT practitioner. The best OT network intrusion detection platforms consider that really important user because they are the tier 3 escalation. Tier 1 often is that shared IT OT doing triage and false positive or requires further investigation. Tier 2 is someone like you or me or my team or your team to go, is this impactful?
Peter Jackson (01:06:30.318)
Or not, is this of concern or not, and most of the time it shouldn't be, right? We shouldn't be having our OT environments attacked fairly regularly. But in that worst case scenario, that tier 3 escalation is back to site, back to the operations team, back to the ICS team, to go, hey, we've seen this thing. Was it as expected or unexpected? And again, using that language, using that knowledge of the environment. We had one organization who onboarded our MSSP
for SOC services, including across OT. They used a tool that wasn't, that knew OT protocols, but not a lot else. And the security and auditory practitioner would send an email to the OT non-security practitioner and say, is this good or bad? And the OT non-security practitioner goes, I don't know what that means. Peter and his team were here last week. It was probably them, I don't know. Add to baseline. Rinse and repeat.
Every single alert: is this expected or not? Don't know, add to baseline. And they've got that again, of a translation layer in the middle, which is again, some of the work that we do in supporting especially those that are either diverged or converged SOC across OT. Fun and games, I do like what I do. I probably say fun and games way too much, but...
Aaron Crow (01:07:29.208)
Right.
Aaron Crow (01:07:58.787)
I do too. I could see, you know, it seems to be very common in the people that I run across and the people that we work with and are in this community. We're all very passionate about what we do. And the reason is because we believe in it. We believe that there's, it's almost like a calling to protect this environment in these spaces. Because of the experiences we have, we know how vulnerable it is, not just, but to your point, and you said it earlier, most of the time the vulnerability is not from a bad actor or a nation state. It's usually from IT.
Peter Jackson (01:08:14.797)
Hmm.
Aaron Crow (01:08:27.971)
And it's not because they're maliciously trying to do anything bad, they're trying to help. Most of the time we see things that happen, it's because somebody made a mistake, a misconfiguration, they didn't know the implication that this was gonna push down from a group policy locking a screen to pushing a patch and rebooting a system at three o'clock in the morning on a Friday to a system that doesn't come back up when you touch it, right? Little things like that.
Peter Jackson (01:08:28.259)
Hmm.
Peter Jackson (01:08:51.266)
Yeah. Yeah.
Aaron Crow (01:08:52.311)
that seem insignificant to an IT person trying to do the right thing and they don't know what the bigger impact of that is. With that said, like what do you see in the next five to 10 years on the positive side, like exciting that you see come up over the horizon and maybe what's one thing that is concerning that could be coming up over the horizon with all that we talked about today?
Peter Jackson (01:09:15.65)
Yeah, yeah, before I cover off on that, I do want to kind of frame that kind of lens on maybe the three different avenues for a failure in operations, right? Even CrowdStrike, right? It wasn't a cybersecurity attack, but there are some organizations that we work with that run CrowdStrike and OT. Their internal systems were compromised. Their external, their customer wasn't compromised. Critical infrastructure, they continued operations in spite of that, and their ultimate outcomes were achieved.
Aaron Crow (01:09:25.869)
Sure. Ugh.
Peter Jackson (01:09:45.23)
So regardless of kind of the mechanism by which our safe, secure, reliable operations is compromised, I think it's broadly kind of three categories, right? Malicious outsiders, our insider, especially inadvertent from our corporate enterprise IT side and also within our OT side, right? Where we have maybe people that their experience and expertise is in and again that application layer or their training is in PLC HMI.
They've been forced to now set up an Active Directory. They've been forced to now manage a firewall even though they've never received training on it. Somebody said, we need a firewall. This is your job now. Some of them without a default deny. So firewall is not doing too much there, guys. It's just a router. But again, kind of their enablement. And so I think all organizations, those are the three kind of buckets that we should be making sure we design things around.
Aaron Crow (01:10:25.943)
Just a router.
Peter Jackson (01:10:40.302)
they've got really low maturity IT and IT are their biggest risk. Sometimes they're their own worst enemy around some of the systems that were built with all the best intentions, but no real training guidance, philosophies, enterprise grade kind of infrastructure, networking and security thought processes. Maybe even especially because they didn't trust the other side. And of course, we're not a self-licking ice cream cone. We work in the security business, the purpose for...
for really being here is adversaries that do seek to do us harm, right? The hundreds of different threat groups that are active globally who benefit from, again, a ransomware incident or a nation state or, that maybe I'll start with what worries me in the next five to 10 years. The thing that worries me in the five to 10 years is that third group, which up until now has been really the pointy end of the stick and
Generally, a lot of the compromises that we see in our experience and publicly are with sophisticated adversaries. And again, it's the exception. Most organizations have enough in their stack to do at least kind of basic to moderate protection and detection. Protection at least, maybe detection. But adversaries aren't as capable as even a
fairly basic defender, right? We could very easily defend against a Stuxnet, for example. But as our adversaries kind of pivot, and we see that from a threat landscape perspective, and as the tools that kind of start off at that APT nation state become commoditized and are accessible to financially driven adversaries, and actually we've now got some really interesting toolkits that can be used off the shelf by some very unsophisticated adversaries.
that landscape increases. And so the thing that worries me is our adversaries building out capabilities faster than our defenders. Right. And because it hasn't happened to me or it hasn't happened to people I know or the folks in my community didn't get compromised. There's that mindset that what we've always done we can continue to do. That's the thing that kind of worries me. The thing that gives me hope is that
Peter Jackson (01:13:04.366)
almost without exception, most of the people that I talk to, and again my collection bias, my framing provides a lens, but whenever I meet somebody new they go, yeah, we know that our security risks are increasing, we know that we need to do better, we don't know what to do, but we've at least got that, A, awareness and, B, intent to make sure that the next system we deploy or
the next generation of what we're doing at least has a modicum of security. And so we are heading in the right direction. Whether we're going fast enough or not, time will tell. And it's unknown, right? And almost unknowable, right? Those of us that kind of deal in the landscape perspective have some thoughts, but it's all analysis and all projection, right? And for some organizations, again, we'll see that.
Even the basics are enough for a while. Again, those with low risk tolerance, they're going to be investing a little bit more. And so what does that look like for me? It gives me a little bit of hope both on the work side of what we do as well as on the community side of what we do and all that. Yeah.
Aaron Crow (01:14:23.939)
Yeah, I dig it. It's so true. It's a big, you know, how do you eat an elephant? One bite at a time, right? Most of the time when I'm coming in and making observations or recommendations, it's usually not a sexy tool or process. It's usually something simple. Like it's starting with the basics, right? Do basic things well, segmentation, firewalls, asset inventory. Like those are basic things that everybody needs to do and most people can do better. And those things drastically improve or
Peter Jackson (01:14:30.839)
Mm-hmm.
Peter Jackson (01:14:39.608)
Yeah. Yeah.
Yeah, yeah, yeah.
Hmm. Hmm.
Aaron Crow (01:14:52.727)
They improve your security posture and lower your risk without a whole bunch of effort and time and resources spent. And then, you know, it's that 80-20 rule. You're going to spend the most time and effort on that last 20% wherever your program gets to, to get it to perfect, right? And we're constantly, and the other piece to this that I always like to say, and I think people are starting to catch is there is no end goal, right? It's perpetual. It is constant improvement because the bad guys are constantly adjusting and learning and growing.
Peter Jackson (01:15:06.776)
Yeah. Yeah.
Peter Jackson (01:15:16.152)
Yeah. Yeah. Yeah.
Aaron Crow (01:15:22.795)
that means we have to constantly learn and grow. It's like, you know, you can't go to the gym one time and think that you're done. Or you can't go on your diet and eat one good meal and then eat ice cream the rest of the day and expect to hit your goals.
Peter Jackson (01:15:33.39)
Yeah, my framing for that, right, security is a destination, not a journey. I think again we do need to have kind of that project phase and operate and maintain phase. The project phase is correcting for that historical underinvestment and getting us from currently outside our business risk tolerance to within our business risk tolerance. SIS I think did some work last year, I think it was, on what does reasonable security look like? What does reasonable security look like?
As I said, for most organizations that we work with, they've got some project phase and each time they reach a new milestone, they've got some additional operate and maintain functions. Very seldom, as you shared, are we seeing organizations that are mainly in that operate and maintain and just continuous improvement piece compared to that. We also want to be mindful that when we're talking to the board and the leadership and the people that do have to come up with funding.
because I think that's almost the only problem in OT security. If we solve for the funding problem, that's where, again, the other stuff, right, it's maybe simple, not easy, but everything else can come. And we go, well, here's one of the framings that I really enjoyed with and learnt really early is this is a level investment to get us within this risk tolerance, this level of investment, this level of investment, this risk tolerance, right? Dollars for risk.
You tell us what is your budget and what is your risk tolerance and high, medium, low. And this is how we're going to get there. I think being mindful that we don't want to end this bucket of money, but we do want pragmatism. We do need pragmatism. We do want to make sure we spend our security dollar wisely. And again, I think the analogy for me that's most useful in industrial organisations is health and safety.
And you go, you're far further down the health and safety maturity journey than you are on the security one, especially with that operational side. You have a health and safety department. They have a lot of ongoing operate and maintain initiatives. They've got some other initiatives where they're looking at improvements in health and safety outcomes, but you will never not have a health and safety department. Ultimately, they're an enabling function. They're a facilitating function.
Peter Jackson (01:17:54.892)
because I know that when I'm on a plant, I'm responsible for the safety of myself and others. Enabled through that team and some of the best well-performing security teams I've seen, understand that their roles aren't to do security for the organization, but for facilitating organizational security outcomes. And we don't separate what we do in security, we just do what we do securely. Just like the best, safest organizations don't say, here's our safety moment and our safety briefing and here's...
our operational manuals and how we do things. They just go with integrated, intrinsic safety in what we do and how we operate. From a technology perspective, that's where I see the best return on investment. It does come on that maturity journey. That's almost a running concept. And so for those that are currently a zero or crawl, you can't really get there because you don't have the people, process, technology for it. Those that are high maturity, I see
integrating this is just secure infrastructure, this is just secure operations. It's not a separate thing, it's part of it and integrated and interwoven and so that security is invisible. It's not a barrier, it's not friction, it's just all the systems are secure by design.
Aaron Crow (01:19:10.935)
Yeah. Yeah. And to your point, safety meetings are part of every conversation that we have before we start the day off, the shift change, everything is with safety. Before I do a job, what is the safety briefing on this thing? We're going through, you know, there is a process and procedure in these mature organizations with their safety process. And it is part of absolutely everything. Safety first. That is the first thing we talk about. Before I'm going to go change this light bulb,
Peter Jackson (01:19:26.606)
Hmm.
Peter Jackson (01:19:32.92)
Yeah.
Aaron Crow (01:19:40.087)
I'm going to have a safety moment. What am I doing? What are the risks? Do I need to have a lockout tag out? Like all of these things are part of that process in absolutely every conversation. Even in the corporate office, when they're just having a meeting about marketing in a safety organization like that, safety is the first thing they kick off with, which is very odd when you're an outsider coming in and you haven't experienced that and you're just talking about marketing and you have a safety moment. like.
Peter Jackson (01:19:47.512)
Yeah.
Peter Jackson (01:19:52.494)
Yeah.
Peter Jackson (01:20:01.39)
Yeah.
Aaron Crow (01:20:04.543)
Look around the room, make sure there's no trip hazards, make sure that you're not standing on a chair to change a light bulb, like all that type of stuff. And it's an interesting culture. But when you look at that safety zero and everything, every decision that you do, you're doing it better if I'm doing it safely. And I'd rather not do it than do it unsafely.
Peter Jackson (01:20:23.886)
Yeah, absolutely. I think there is a maturity step after that. And with some organizations that, again, are kind of accelerated safety maturity, and they've said, no, we're not going to do safety moments. The principle of safety moments is a tacit acknowledgement that safety is separate from what we do. Offshore, working on an offshore facility with an organization. And the briefing was, again, what are the... There were two main parts of it.
Part of it was, you're responsible for the safety of yourself and your crew and what you're working in. But when we get together in the morning and talk about things, it's how can the work that your crew's doing impact others? What are you two doing today and how can that impact others? And that impact could be safety, it could be operational, it could be working in the same space, could be sum ups, it could be a whole bunch of other things. But again, obviously the lens of being a safety enabled organization was, what are you doing and how can that impact others?
with an inherent safety kind of mindset. And the other thing that they talked about every day was their observation system. And again, the observation system was quality health and safety environment. And so if there was a quality health and safety environment thing, they talked about it. And again, there wasn't a separation of safety. It was integrated. And so I've worked with organizations like that, that they got rid of checklists because nobody's going to read a hundred page pack. Actually, here are the 10 things that you really need to be
acknowledge as part of your safe work in our environment. Again, safety isn't a separate section, it's integrated every step. So as much as I say that, there's still some organizations that do have that separation of safety and they're their safety culture, they've got ambitions, but they're not really making traction because they are separating safety and it becomes this divergent thing, not a convergent thing.
Aaron Crow (01:22:03.541)
Every step. Yeah.
Peter Jackson (01:22:23.554)
Security again, I'm trying to drive organizations and we worked really successfully, especially in my team, right? My team, you could call us safety professionals, but a lot of time we're just building secure infrastructure and reliable, robust, resilient infrastructure, or designing or consulting or doing governance or writing standards, client standards or deploying. Sometimes there's kind of security specific initiatives like OT NIDS, but a lot of it is just how do we make sure that we've
Aaron Crow (01:22:37.133)
Sure. Yeah.
Peter Jackson (01:22:52.652)
We're providing a platform upon which this organization can be successful in their outcomes. It comes with secure by design, but we don't have a separate section on security. We just go as a design. So yeah, interesting along the way.
Aaron Crow (01:23:08.173)
I love it. Well, also Peter, I appreciate your time today. Tell everybody how to get ahold of you. Kind of call to action of where are you going to be? How do they get ahold of you? All the fun stuff that people might want to know.
Peter Jackson (01:23:21.57)
Yep, if you want to get in touch, hit me up on LinkedIn. I'm far more active there, although I'm not super active there. So if you want to get in touch or follow me, do that. I do run the New Zealand ICS Cybertechnical Network. We do have some non New Zealanders that are part of that, and we do do some really cool things and talk to people. We've got a hybrid event coming up, hopefully with Andre Shorry, who's the regional CISO for Schneider Electric. So that'll be going live.
Anyone that wants to come to New Zealand and come to a conference, we've got certainly New Zealand's best ICS and OT and, with bias, one of the best ICS OT conferences around the place, 26th of November. Rob M. Lee is going to be coming down and keynoting and he loves the community down here and so he'll be back, but we've got a few international presenters already kind of in the wings. But yeah, no real specific call to action. I'll keep the kind of commercial side, the commercial hat off.
for now, but yeah, really, really grateful for the opportunity to have a catch up with you and talk about these things that we love, Aaron, and yeah, really love the work that you do in the podcast. So yeah, thanks again for the opportunity.
Aaron Crow (01:24:29.763)
Yeah, man. I appreciate it. I definitely put all the show notes there. Definitely check out the ICS environment in New Zealand. And this is a global effort that we're, you know, you and I don't see borders. I want to solve this problem for all of us, right? And, you know, your kids, my family, you know, all that kind of stuff, we care about those things and that's why we're so passionate about it. So thank you for your time. Look forward to seeing you get in person, have another beer. And until then, keep doing what you're doing and definitely don't hesitate to reach out if there's anything I could do to help you,
Peter Jackson (01:24:57.678)
Absolutely. Thanks, Aaron. Always a pleasure, mate. Thank you.