The Intersection of AI, OT, and Cybersecurity with Sulaiman Alhasawi

Episode 47 March 03, 2025 00:48:48
PrOTect It All

Hosted By

Aaron Crow

Show Notes

In this episode, host Aaron Crow is joined by Sulaiman Alhasawi, a cybersecurity expert based in Kuwait. Sulaiman shares his journey into OT security, beginning with his PhD research in Liverpool and leading to his creation of ICSrank.com, a search engine for OT devices.

The discussion gets into individuals' unique cybersecurity paths, emphasizing the importance of learning from diverse experiences. They explore the challenges asset owners face in understanding vulnerabilities, the role of AI in cybersecurity, and the international perspective on OT security.

Throughout the episode, Aaron and Sulaiman highlight the significance of community, knowledge sharing, and taking actionable steps to improve cybersecurity posture in critical infrastructure. Whether you're an industry veteran or a newcomer, this episode is packed with insights and practical advice to help you protect it all.

Key Moments:

01:10 Sharing Diverse Experiences

05:44 Simplifying Asset Management Challenges

08:15 Action Transforms Ideas to Value

11:44 Unexpected Targets in Cyber Attacks

13:20 "Obscurity Isn't Security"

16:50 Simplifying Cybersecurity Communication

21:12 Unintended Internet Exposure Risks

24:49 Podcasting for Community Impact

28:53 OT's Vital Role in Hospitals

32:26 Diverse Experiences in Power Plants

35:54 OT Data Integration Priorities

36:55 Prioritizing Safety Over Immediate Updates

42:10 Global Business Resource Allocation Challenges

46:08 Finding Our Podcast & Resources

47:25 Global Unity in Shared Struggles

About The Guest:

Sulaiman Alhasawi is an active researcher in ICS/OT cybersecurity, with a PhD specializing in securing critical infrastructure. He is the founder of ICSrank.com, a platform dedicated to discovering and assessing security risks in Industrial Control Systems (ICS), Operational Technology (OT), and Industrial IoT.

As the host of the ICS Arabia Podcast, Sulaiman brings together global experts to discuss cutting-edge topics in OT security, bridging the gap between research, industry, and real-world cyber threats.

His latest research, "How to Find Water Systems on the Internet", was featured in SecurityWeek magazine, shedding light on OSINT techniques used to uncover vulnerable water infrastructure. (Read it here: https://zerontek.com/zt/2024/09/30/how-to-find-water-systems-on-the-internet-a-guide-to-ics-ot-osint/)

Follow Sulaiman for insights on ICS/OT security, threat intelligence, and ethical hacking:


Connect With Aaron Crow:


Learn more about PrOTect IT All:


To be a guest or suggest a guest/episode, please email us at [email protected]



Please leave us a review on Apple/Spotify Podcasts:

Apple - https://podcasts.apple.com/us/podcast/protect-it-all/id1727211124

Spotify - https://open.spotify.com/show/1Vvi0euj3rE8xObK0yvYi4

Episode Transcript

[00:00:00] Speaker A: You're listening to Protect It All, where Aaron Crow expands the conversation beyond just OT, delving into the interconnected worlds of IT and OT cybersecurity. Get ready for essential strategies and insights. Here's your host, Aaron Crow. Hey, welcome to the show. This is the Protect It All podcast. I'm really excited about this episode. I think you may be as far as distance away from me, the furthest away guest that I've ever had on my podcast. Thank you very much. Why don't you introduce yourself, tell us where you're sitting today and a little bit about your background in, in OT and cybersecurity.

[00:00:40] Speaker B: Thank you, Aaron, for, for having me. My name is Sulaiman Alhasawi. I'm from Kuwait. I've started my, I started my journey in OT security in 2012 when I did my PhD in Liverpool, UK, and since then I'm still doing this, mainly research. I also have a product called, or website, icsrank.com. It's a search engine for OT devices. I'm also the founder of the ICS Arabia podcast, where I interview OT professional people like, like Aaron. Like hopefully you'll be my guest one day. Of course. So that's it in a nutshell.

[00:01:26] Speaker A: Awesome. So, so you, you got started in this and I always love this. We all have these different ways that we get into this space. Like, so I came from an IT and technology background and got thrown into OT because I was working in power plants and critical infrastructure. So I came at it from that lens. I, I didn't, you know, I had an electrical engineering background. Right. So I didn't really come at it from a, from a, from a, you know, collegiate or, or book side of things or research side. So I always love the perspective of, of, of how you come into it in different, in these different ways. And it just goes to show there's, we talked about it before. We can always learn from each other.
Like we all have different perspectives and different experiences and different, different ways that we got into this. And all of those values and experiences are so valuable to, to the greater community and being able to learn from each other because again, you're going to have experienced and seen things that I haven't and vice versa. And if we can sit down and put our egos aside and you know, I don't have a PhD, like I don't have any of those things, but I know that I can provide value because of my experiences. And you have a lot of experiences that you can provide value. That's what I love about this community and this, this space. Cybersecurity seems to be a unique place that, that people, practitioners and experts from different backgrounds are, are willing to put the, put their differences aside and really work towards the goals of, of improving the cyber posture of whatever thing they're trying to protect.

[00:02:56] Speaker B: Sure, man, absolutely. I totally agree with you. We all learn from each other, we share knowledge together. And I like the community. Really, I love it. It's very different than the other cybersecurity communities.

[00:03:09] Speaker A: Yeah. So, so what, what made you start with the ICS Rank? So I love the idea. So why don't you tell us a little bit about it. Our listeners may or may not know what it is. Why don't you dive into a little bit about what that is and what the purpose and, and kind of goal of why you started it and what it's turned into.

[00:03:25] Speaker B: Okay, so the ICS Rank idea goes back to my research. My study, it wasn't, I mean it was deeper than that. During the research, the idea was to develop a framework to assess the OT devices on the Internet. I remember in 2014 I looked at Shodan, I think it just came out maybe. And I saw PLCs and SCADA and Ekama, you name it. And I said wow, that's, that's interesting. So I had a question: how to rank those devices. I mean how secure are they, how to assess them?
So I developed a methodology like using open source intelligence data. So the more data about a device, maybe it could show you the posture or the security or the criticality of this device and thus the risk of this device that can be had. So time goes on and then I finished the framework, my, my study. Then I said why don't I make it real? So I, so, so I, I, I developed a tool, a simple tool. Now it's still small, it still doesn't have all the functions that I mentioned in my research. But the idea of it was to find the devices like HMI, SCADA, whatever, using major search engines like Shodan, Censys, ZoomEye and other search engines of course that I could get my hands on. So the idea or the motivation was to make it easier for asset owners to filter out devices by their vendor names, product names. Because many asset owners, they don't know how to find the ICS devices and they don't know if they are exposed or not. So that was the idea. I know Shodan has done this very well, but still Shodan doesn't give you the categories listed like, like I do in my, my tool. Right. And the tool is still small. The next version, the next version will be out maybe this month. It will, it will have more features, more capabilities. Of course. So that's the idea.

[00:05:44] Speaker A: So, so thinking. So first, that, that's amazing and you're so right. Like these asset owners, they have so many devices that they don't exactly always even know which versions they have. And sometimes just narrowing it down to Rockwell or GE or Schneider, Yokogawa or whatever the thing is, really helps them to say, because you look at Shodan or, or a lot of these alerts that come out and it's just like all of these things, the sky's falling. I don't even know where to start. Can at least narrow that down just a little bit. Hey, I only have Rockwell or I only have, you know, Emerson DeltaV or whatever that thing is.
If I can start narrowing those things down and we also know that site to site, even within the same company, they're going to have different, you know, vendors and, and, and hardware that's in their space. So understanding those risks and what the real, what the real risk and understanding the, the vulnerabilities in those spaces helps them to make decisions on how do I configure things, do I need to update things? Like all that type of stuff is invaluable because they have just so much. It can be overwhelming to look at all the things that I have to do in an environment.

[00:06:49] Speaker B: Yeah. The idea of ICS Rank in my research was to cover all the information about the device. Like, like you said, CVEs, right. Web interfaces, if they exist, default credentials.

[00:07:01] Speaker A: Sure.

[00:07:02] Speaker B: Any news about the device? So when you, once you filter a device then it will give you everything available on the Internet about this device. Whether there are exploits, whether there are, you name it, you name it. Anything that could jeopardize the, the device. But still the current one is simpler than the research. It's because it's still a one-man job. I'm still doing it alone. That's why it's slow. And as you know, I'm a family guy, so.

[00:07:30] Speaker A: Absolutely. Yeah. And, but, but ultimately what, what I love about that story is all it takes is an idea. And we all have, I believe that everybody has those ideas and has great things to offer and, and, and, and value to bring to the, the organization that they're in, the, the, the larger community. And ultimately, I know it kind of sounds woo woo, but even the world, right, as we can make a change, you know, even a small pebble thrown into a big lake makes a ripple.
And that ripple can start out small, but if you, if you throw enough small ones in and you time them in the right place, those ripples can get really big and they literally go across the ocean and, and it just goes to show that we can make an impact. Right. And little things make a difference. So yes, you're a small thing and, and it started out with an idea in your head, but how many people have that idea in their head and don't actually take that action and take it and make it to be something? Like you could have stopped at your research and said, oh, that's a cool idea, and put it on a shelf and it could have been a book on a shelf in the back. And nobody but you ever got the, the value of it, right. But instead you took it that next level. And that's where I challenge people. So I, I get a lot of folks that are reaching out. You know, how do I get into the industry? How do I, you know, I don't have experience. I didn't come from, you know, that background. I came from IT or I came from the military or I came from whatever. That doesn't mean that they don't have value to bring. So think about those types of things. Make, come up with an idea and make something, right. With ChatGPT and AI and all these things, the, the, the ability to take your ideas and turn them into reality is that much easier. Right. It doesn't make it easy, it just means some of those barriers. You don't have to be a perfect coder to be able to build a website, to do certain things or build a database. Like there's so many tools out there that can help us and do it so quickly and fast.

[00:09:22] Speaker B: Yeah, totally agree. I mean I was lucky also that AI came along, so it did help me.

[00:09:29] Speaker A: Sure.

[00:09:29] Speaker B: And developing the website, and I mean the current version is coming and it has more features with the help of AI of course, because I don't have to search now those websites or read a lot of documents.
You just give it the idea and it will show you the code. You just have to be familiar a little bit with the, with the, with the programming. But I have a computer science background, so it wasn't true.

[00:09:55] Speaker A: So, so what, what's one of the, the most interesting things, if you could think of, that you found in this process of building this ICS Rank? And maybe it's a, it's one of the vulnerabilities or one of the assets or some, something that you found along the way that is interesting or scary or, or funny or, or I'm sure something comes to mind.

[00:10:15] Speaker B: Yeah, yeah. I mean because I've been using and digging Shodan and Google of course since 2012 or 14. I. I discovered many things. Well, now it's not as it used to be. Now there are less devices that are exposed than when I started.

[00:10:33] Speaker A: Sure.

[00:10:33] Speaker B: When I started I used to find the Windows XPs that's running ICS. I took a snapshot just, just for memory.

[00:10:45] Speaker A: Right.

[00:10:46] Speaker B: I found the default credentials. Many of them I could. I managed to enter to.

[00:10:51] Speaker A: I'm.

[00:10:52] Speaker B: I'm exposing now myself. So.

[00:10:53] Speaker A: Sure. Yeah.

[00:10:55] Speaker B: So yeah. Yeah. I also managed to find the devices that, that show who are the asset owners.

[00:11:05] Speaker A: Right.

[00:11:05] Speaker B: That gives hints because they have some domains and you could tell this is a water utility.

[00:11:11] Speaker A: Sure.

[00:11:11] Speaker B: I wasn't, I was amazed and I wrote an article about that because I also write articles and blogs.

[00:11:16] Speaker A: Sure.

[00:11:16] Speaker B: So I wrote an article and that article went boom. Because it's not easy to attribute devices to. To. To the, who's the owner.

[00:11:28] Speaker A: Right.

[00:11:28] Speaker B: But because it always shows you the ISPs that those devices are running on. So. But that, that those devices, they had the clues that who. Who was the owner.
[00:11:41] Speaker A: Right.

[00:11:42] Speaker B: So yeah. Like I told you.

[00:11:44] Speaker A: Yeah. Yeah. Well, you know that, that's the funny thing. And again, I, I get this a lot and many times it comes from the smaller water utility, wastewater or you know, water utilities or. Or even small, you know, manufacturing or whatever. And these owners or these plant managers are like, why would somebody want to come after me? We're a small paper mill or we're a small water. You just hit the nail on the head. Right. Is a lot of times it's just because they found it. It's because it showed up on Shodan or they ran across something or somehow it came in their sphere and they're just attacking it because it's there. They're attacking it because they can. They don't necessarily even know what it is or what it does. They're just. It's opportunity, it's there, it's available. I'm going to see what I can do with it. And then sometimes they get lucky and it happens to be at a wastewater or water utility or you know, something like that. Like, oh, okay, I hit the. I hit a jackpot here because I'm in something that's really valuable instead of, you know, a vending machine that's, you know, or the break room ice machine. Right. You know, you just never know what the device is because the PLC could be controlling a turbine or it could be controlling, you know, an ice machine in a break room. And you really have no idea. Just by a PLC, you can't tell the difference between them unless they actually say, you know, turbine at, you know, power plant A. And sometimes they do.

[00:13:01] Speaker B: Exactly. Yeah, yeah. I also saw a joke, you know, from Twitter when I posted that article. Yeah. I don't know, maybe he was an asset owner. He said, oh, oh man, you put this tool. I see it's like now I cannot play hide and seek. Because he was trying, he thought that he was hidden, but he was.

[00:13:21] Speaker A: No, he wasn't. Like the ignorance is not, is not security. Right.
Security by obscurity, you know, that, that, that, that whole mindset of it is, is long gone. Because again with tools, on the flip side, bad actors are able to use these same tools, AI etc. that we're talking about. Shodan, you know, they can be used for good or they could be, you know, the hammer is, is not good or bad. Just like a gun isn't good or bad. A knife isn't good or bad. Any of those, they're just, they're just inanimate objects. It's what I do with it. I can build a house or I can hit somebody over the head with it. Right. Either, those are two different outcomes with the same tool. It's not the tool's fault, it's what I do with it. Same thing with Shodan. Shodan of itself is not bad, but used in the wrong way, it can be used for malicious activities.

[00:14:04] Speaker B: Yeah, I, I also had this criticism sometimes from some people. They say why you write about these articles exposing devices, why you develop these tools. And sometimes, you know, you, you go and ask yourself, do I really want to.

[00:14:20] Speaker A: Right.

[00:14:21] Speaker B: Share this knowledge? But you're right. I mean in cybersecurity you have to share this kind of knowledge because whether you hear it or not, the attackers are doing it. So. And the number of devices now has decreased, which means that asset owners. You know about this.

[00:14:35] Speaker A: So. Right.

[00:14:36] Speaker B: Kind of knowledge is good. This kind of information is good.

[00:14:39] Speaker A: Absolutely. Ignorance is, ignorance is not going to help you. Not knowing that you're exposed does not make you more secure than knowing you're exposed and actually doing something about it. Right? Yeah, yeah, absolutely. So, so what you, you spent a lot of time, so obviously ICS Rank and, and this. But you also spend a lot of time doing, you know, OT, researching into those findings.
So, so how do those things align and how do you, how do you, you know, kind of dive into finding those vulnerabilities in these OT spaces and, and really going after that type of stuff?

[00:15:13] Speaker B: Yeah, what I do, you know, I, my job, I play different roles in Northeast. Sometimes I'm the researcher, sometimes I'm the coder. Sometimes I'm sure podcast or whatever.

[00:15:24] Speaker A: Yeah.

[00:15:24] Speaker B: But when I'm, when I have a researcher hat, you know, I just go and find the new filters that Shodan hasn't covered or nobody has covered. And I managed to do that by reading the manuals of famous, you know, vendors. Sometimes by crafting a keyword from each vendor and testing them out, you eventually end up finding a device. And sometimes it's not classified as ICS in Shodan.

[00:15:52] Speaker A: Sure.

[00:15:53] Speaker B: Because so when I find a finding, you know, I sometimes I ask myself whether, whether, whether I want to include it in ICS Rank only or just share it and write about it.

[00:16:04] Speaker A: True.

[00:16:05] Speaker B: I decided to do both. You know, if, if it's, if, if I have the time. Yeah. So my writing, if I write. No, I go into more details. I, I just do the style that I, I did in my research, during study. So I just, I, I show how I, I found this device. What are the filters and if there are any CVEs related to this one. Right. What's the impact and, right. And, etc. You know, just, just to make the article valuable, and in a simple language, even for the asset owners to understand.

[00:16:41] Speaker A: Sure.

[00:16:42] Speaker B: Yeah. So this is, this is the relation between my blog and my, my tool.

[00:16:48] Speaker A: Right.

[00:16:49] Speaker B: They complement each other, sure.

[00:16:52] Speaker A: Well, and that's powerful. And again, you hit something there I want to double click on, and that's. It's really easy.
In the cyber world, I talk with a lot of folks that are super intelligent, they're super capable, but it doesn't matter how smart you are or I am, if we can't make the asset owner understand. Right. If we talk over their head or we talk down to them, it's not going to help them improve their cyber posture. So we have to take these really complex, you know, because not everybody has a, has a, you know, computer science engineering background or even electrical engineering background or whatever their background is. But we have to make it where anybody can take that information and. Okay, what the. So what, what do I do with this? Like what? All of this stuff is awesome. I'm glad that all that's there. At the end of the day, what I really need to know is, okay, I have this device. Yes. Mine is, it is applicable to my device. What can I do about it? Is there a CVE? Can I patch it? Can I turn off a notification? Can I monitor, like what is the mitigation that I do for this risk in my environment? If I have that risk. Right?

[00:17:56] Speaker B: Yeah, exactly. And I, I write various articles for various search engines. Sometimes, sometimes I show them how to find these devices in Shodan, sometimes in ZoomEye. I, I know it's Chinese. And sometimes using Censys, and not just the operator. Sometimes I show them if there are issues with the web interfaces, if they're exposed for this product, and if there are default credentials I try my best to, to show it. And also if there are other open ports that could also jeopardize the, the device, like Telnet or FTP.

[00:18:34] Speaker A: Sure.

[00:18:36] Speaker B: Because some, some of them have Telnet and, or many of them have.

[00:18:45] Speaker A: Telnet and default credentials and, you know, HTTP, like, and you know, insecure protocols. Like it's just like a laundry list of all the vulnerabilities or potential vulnerabilities in these spaces.
And you know, that's the other piece in this world that we live in, in OT, we can't just go replace it. You know, in IT, you would never put a Windows XP machine on the enterprise network. Right? They just kick it off. They give you a new laptop, here, take a brand new Windows 11 or a MacBook or whatever it is. But they would never allow a Windows XP machine in their environment. But we know, and you said it earlier, sometimes Windows XP is running a critical system in production. Not sometimes, many times a Windows XP machine is running in these spaces and you can't just rip it out. And I've talked about this multiple times, but we have to know that and, and it doesn't, it doesn't mean that it can't be secure. It just means I have to know those vulnerabilities and how do I protect against those things. Right. Not everything is, is, you know, has perfect security and, you know, it doesn't even matter if, if Windows 11, if I've patched it 100%, there could be a zero day that nobody knows about. There's a vulnerability on my Windows 11 machine. So yes, Windows XP or, you know, Vista and a lot of those different older, older operating systems have a laundry list of vulnerabilities that are known. I guess the argument can say, you know, Sun Tzu, Art of War. Use your weaknesses as strengths and strengths as weaknesses. I know the vulnerabilities of Windows XP. There's a boatload of them and I can protect, I can mitigate against them. Yeah, I may not be able to patch for them, but I can, I can isolate, I can take, make sure it's not on the Internet. I can put, you know, air gaps in between things. I can monitor those devices for those vulnerabilities. Hey, I know it has Telnet. I know it has this, I know it has that. I can't disable it, so let's monitor it. I only want to allow Telnet from this one IP to this thing. Nothing else should be using Telnet on this network. And if it is, boom, I want to notify on those things.
Like those are things that we can do when we can't just replace a Windows XP machine or patch it because there's not a patch to fix the vulnerability.

[00:20:50] Speaker B: Right, exactly. Totally agree. I mean, the defense in depth, like you mentioned.

[00:20:55] Speaker A: Right.

[00:20:56] Speaker B: Walking around the device is a way to protect these devices. Zoning and segmenting the networks and not exposing it to the Internet, of course it is still happening.

[00:21:12] Speaker A: It's amazing how not too long ago we were putting these devices, I think many times, even by accident, we were putting these devices directly on the Internet. Right. Directly available for access. And these are devices that are controlling physical processes, sometimes in really important environments like power plants. And if, you know, you could actually kill someone or spin a turbine or break, you know, damage equipment at least. And all. We had no idea that we were doing these things, or the people that were doing them, they weren't doing it maliciously. They were just trying to get their job done. Like ultimately, every time I've come across a problem or any of these things, it almost never has been a malicious act. It's always been, well, we were trying to get our job done. It, it was 3:00 in the morning on a Friday and we had to get this done. The plant was down, we had to get it back up and running. It was critical. So we, we did what we could. We didn't realize that we also connected it to the Internet when we did this. We were just trying to make it work.

[00:22:06] Speaker B: Yeah. So that's.

[00:22:11] Speaker A: But it happens a lot. And, and part of this is because we don't really, we don't always have a computer engineer or a cybersecurity person at the plants making these decisions. Right. These, these are very capable people. And you mentioned it before, you wear multiple hats.
You've got your journalism hat and you've got your ICS Rank hat and you've got your researcher hat and you've got your practitioner hat. We're all wearing multiple hats. You, you go into these OT spaces and these people are, they're not just, they're not just a cybersecurity person in OT that's sitting in the corner just doing OT cybersecurity stuff. They're running the plant. They're, they're going out and they've got a hard hat and steel toe boots and they're, they're in the plant and they're, they're engaging with the equipment, they're physically running stuff and they're turning valves and they're doing all of this stuff. And also, they have to also be the person that's responsible for that OT cybersecurity stuff. It may not be their experience. They may just be the most technical, technically capable person at the site. And somebody said, you're it. But it's a, it's a, it's a priority of time. It's also a lack of knowledge. Just because they haven't experienced it or had that background, they haven't been able to devote time to do it. It's not, they're not capable. It's just that they haven't spent that much time. Like, I, I've never done, you know, vulnerability research. You would not. Could I do it? I'm sure I've done a lot of stuff that's similar, but that's never been something I've done. So you wouldn't want me doing those things. I'd rather come to you and say, hey, why don't you research this thing for me, because I'm not going to do it as well as you. Maybe I want to learn from you, but I don't. You don't want me doing that by myself because that's just not my experience and my specialty. Right?

[00:23:45] Speaker B: Yeah, I totally agree. I mean, and you don't blame them sometimes because they don't have the resources. I mean, they have to get the job done. So who, who to blame? And maybe how do you educate them, right. To, to whether to outsource this or train the, the guys in-house? Well, that's what, what we're trying to do.
I mean, if you cannot afford it. Because I heard once in one of your podcasts, the podcasts are for the asset owners who cannot afford to just come and tune in to Aaron and listen and learn, correct, for free.

[00:24:27] Speaker A: Yeah. So, yeah, 100%. And that's why I do this. That's. I'm sure that's why you do it as well. Is, you know, obviously it, it helps me and my brand and all that kind of stuff, but ultimately the reason I do this. This. This is a lot of work. Like, I. This comes out of my pocket. Like, I pay for this editing. I pay for the software. I pay for the, like, this is time out of my day that I'm not doing other things. And it's. It's not free. And I do this because I want to make an impact. I want to make a difference, and I want people to learn and. And it's a. It's a way that I learn. So I do this as much for me. So I'm constantly growing and learning from awesome people like you. But also we're getting to share that with. With. With the greater community that could. We can come back and look and listen to this and watch it and learn for themselves. Like, hey, how. How can I use ICS Rank in my space, in my environment, to. To better understand the vulnerabilities that I have in my environment so that I can better protect them. So that if. If one person listens to this podcast, goes to your website, finds one device that was vulnerable that they didn't know was vulnerable, and makes a change to their architecture to make their environment more. More secure, then this podcast was worth the time that you and I dedicated, in my. In my opinion, because one person made a difference in one device and that. That has it. It's that. That small pebble in the big pond. It makes a ripple all the way across it. Even though it seems insignificant at the surface level, it could have had a big impact that we don't even know about, which is awesome. And I love doing this. And so I get so passionate and I'm smiling about it.
I love doing these episodes and, and just want to continue doing them.

[00:26:02] Speaker B: I feel it. Yeah. Never underestimate what you do.

[00:26:05] Speaker A: I mean, right.

[00:26:06] Speaker B: Like you said, even one person is. Is enough.

[00:26:09] Speaker A: 100%. 100%. In your environment and your. And your community and, and your peers and in. In your. In your company, but also in a bigger. In a better perspective. We're literally across the world from each other. You know, I'm in, you know, the US and Texas and, and you're. You're in a different climate, a different time zone, like in a different continent, like, all of the things. Yet we're able to have this conversation and talk about things that we, we. We have a lot in common. Like, I'm a father. I have kids. I do this because I want a future where my kids can grow up and they can, you know, depend on power and water and have clean water and all those things. Ultimately, I want that for all of my listeners. Right. I want everybody to have that ability to protect their environment and, and make sure that they can run, you know, water systems and run power plants and all those kind of things without it getting turned off or, you know, having the vulnerabilities because they didn't have the resources to hire, you know, somebody to do it. That doesn't mean you can't make a difference. Right, of course.

[00:27:09] Speaker B: I mean, this is a social responsibility. I mean, what we're doing now, we, we, we, we want to protect the critical infrastructure, which is important for everybody. And this is like, very, very critical. You know, I've been asked a lot, during, I was on television, I was on radio also. They asked me, what's the impact, effect? What if something goes wrong? I, I, I always ask them back, can you afford not to have electricity?

[00:27:33] Speaker A: Right.

[00:27:34] Speaker B: Or like, water? He said, no. It says, this is what we're doing.
This is so much serious, you know, serious work. It's very critical. And I think asset owners should look at it this way: that cyber security isn't a luxury or an expense. It's your responsibility to protect it as long as you have it. You have to learn how to protect anything, you know. Yeah. If you drive a car or ride or go on a plane, they teach you safety and what to do, what not to do. This should also be the mentality or the mindset of asset owners. Yeah, you have an asset, so how are you gonna protect it? How you assume?

[00:28:14] Speaker A: 100%. Yeah, I believe it's the asset owner's obligation to make sure that it's safe, reliable, and effective. And cyber has become part of that conversation. It's one of the risks to the business. It's not just cyber security for cyber security's sake. It is literally a risk to the business process and understanding the safe, reliable and effective running of an environment, whether it's a manufacturing facility, but especially in critical infrastructure where people's lives depend on it. Like, if you lose electricity, you lose water. People can die from that. Right. Directly, indirectly, you know, having no running water, you get sick; having no electricity in hospitals, that's a big, big impact. And backup power only lasts so long. It's a big deal. And that's why, you know, OT. I've done IT and OT, I do both of those conversations. I spend most of my time focused in OT and that's mainly the reason I'm super passionate about it. Because in IT, your email server goes down or your web server goes down and you can't sell a widget. Yes, it's going to hurt you financially, but people are not directly impacted. And when I say that, I don't mean they're not impacted. Obviously, if you lose your job, you can't buy food, there's obvious impact, but it's a different impact than people being directly killed or lives being lost because there's no electricity, there's no running water, I can't do surgeries. There's all these different, direct, one-level-of-separation impacts with OT cyber security that are very impactful and very huge and a big risk to the world, to your point, to the global people on this planet. We're all humans. We look different, we have different backgrounds and experience, we have different thoughts and opinions. But again, I'm a father. I have kids. I have a wife, I have a mother, I have a sister. I'm a human. I'm on this planet and I want to help other humans to be safe. And I don't want to sound Pollyanna or anything, but it's really just, if we can weed back all the other stuff that you and I may not agree on or understand or align on, if we can focus on the things that we do, it's easy to have a conversation like this and not get into the weeds of the other things. Right.

[00:30:33] Speaker B: Yeah, exactly. I mean, I'm also thankful to discover OT security or ICS security.

[00:30:39] Speaker A: Yep.

[00:30:40] Speaker B: Because I didn't know it. You know, I was an IT guy since the 90s, maybe. Maybe like you.

[00:30:46] Speaker A: Yeah.

[00:30:46] Speaker B: We share the same page. And in 2012, when I visited this university in Liverpool, I asked to do a PhD. Then the supervisor told me, go read this. He gave me some papers.

[00:31:02] Speaker A: Okay.

[00:31:02] Speaker B: And I looked at the papers. It said SCADA security back then. So what kind of security? So I took it home and I read it, and it was something I fell in love with. You know, I couldn't understand most of it, but I loved it. So I said, okay, I'm in.
I told him, I'm in. So it took me maybe one year or more just to learn the OT stuff, you know, because I'm not an engineer. So I had to read. The learning curve was a bit high, you know. Yeah, I cannot proceed in cyber security if I don't understand the theory of OT. So that's what I did, you know, theoretical help. But later on, toward the end of the study, I started to visit factories and stuff like that to confirm my studies. But, yeah, I'm thankful I discovered it. And since 2012, I'm here and I feel I'm happy, you know, with the community like you guys.

[00:31:59] Speaker A: Yeah, yeah, it's different, you know, and again, very similar background in that I came from IT, and it was about 2010, I think, when I really kind of transitioned. I'd spent time, but it wasn't called OT when I started in OT. It was cybersecurity or compliance or whatever, just technology. And I just happened to be the guy that understood the networking and the technology side of things. And they said, hey, we need help over there. Go do it over there. So I'm just showing up at power plants like, okay, what do I do here? But I've had an awesome, fun time doing it and learned so much from doing that and working outages and power plants and doing control system upgrades and segmentations and all the things, and manufacturing facilities. Over my career, I've been fortunate to go from everything from a nuclear power plant to solar and wind, critical manufacturing, auto manufacturing, pharmaceuticals, like, you name it, I've kind of seen a little bit of it all, and it's been really awesome to see. At the end of the day, it's just OT. It's just a PLC. It's just doing the same thing. It's sending a signal that says somebody wants it to do something. It has a threshold. And if it sees this, then it does this action. It just happens. Is it moving an arm? Is it adding fuel to a turbine? Is it spinning things differently? It's just the same process in a different business. Right? It's really no different. OT is OT. Now, granted, I need to understand the business side of it, too, but as far as just the technology side of OT, it doesn't really matter what vertical you're in. They're very, very similar.

[00:33:42] Speaker B: Totally agree. You know, I noticed that OT is very simple. They use a similar language, right, in all kinds of OT industries, because I've spoken in my podcast to medical industries.

[00:33:53] Speaker A: Sure.

[00:33:53] Speaker B: You name it. Oil, gas, water, they always think the same. I think the OT is very simple. Simpler than IT. Sure, it's not as complicated, it's not as diverse. So even, I know there are many vendors, but they still speak the same language. And it made OT cybersecurity simple and, like you said, routine. Yeah, it affected our mentality, you know. IT people, you know, I don't know, somehow.

[00:34:24] Speaker A: So what do you see coming? Like, the future trends of things? Obviously OT is, I agree, it's simpler. It's different. And part of the reason that those different vendors speak the same language is because they're going to be intermingled. Right. You've got vendor A and vendor B and vendor C all in the same space, doing different things on their own different assets, but they all have to be able to talk together because it's one ultimate process. It's one plant, it's one manufacturing facility. And they have to work together because at the end of the day they're doing this process and then the other one does this next step, but they still have to send: okay, I'm done. It's your turn now, right?
It could be as simple as that.

[00:35:05] Speaker B: Yeah, yeah. I mean, I've read a lot that those vendors want to unify the communication, for example, by developing OPC and...

[00:35:18] Speaker A: Sure.

[00:35:20] Speaker B: And I think there is a setup called neom. I can't remember the name, but the idea behind it was to make it standardized, you know, like a uniform language between the OT. But I'm not sure how far it went. So, yeah, I mean, like you said, even the protocols are different, but they meet in one.

[00:35:50] Speaker A: Sure.

[00:35:51] Speaker B: They meet somewhere. Yeah.

[00:35:54] Speaker A: Yeah. I mean, in the business world, you would look at that as an integration, whether it be an API call or something like that. Right. It's a way that I can get data from, say, SAP into my ERP system, or data from my network switches into Splunk. We use syslog, and there's a lot of ways that we send that data, SNMP, et cetera. On the cyber side, we need to do that in the OT space. The other piece to that on the OT side is we care more about availability and speed than we do... That's why we don't normally encrypt our protocols in that space. I'd rather protect the whole network and not let you see the network traffic at all than encrypt the network and add complexity and overhead to that environment, because that impacts the ability for it to do what it's supposed to do. I usually go to the extreme to tell my story, but when I'm in a nuclear power plant, I care more about that they can control that reaction than I do anything else. That's the only thing I care about. Right. I want to make sure that reaction is kept in control. And it's the same thing I always say when we talk about patching. I said, okay, you're on a 747, you're in the air, and the control system in the plane needs a patch update. Do you want them to patch it while you're at 30,000 feet, or do you want to wait till they land and do it in maintenance mode? I mean, for me, I want them to land. I don't want them to do it while I'm in the air. Not if I'm in the plane, or my loved ones. Right. I'd rather them wait. And that's why we don't patch the same way in OT that we do in IT. Because you patch in IT and your laptop reboots and you're in the middle of a Zoom call. Nobody dies. Right? It's frustrating, it's annoying, but nobody dies. You reboot your laptop and you're all good, and worst case scenario, it crashes your laptop, they send you a new laptop, you're up and running. You don't lose data. All your data is in the cloud anyways. That happens in an OT space, people could literally die. Right. We've seen planes that have crashed here recently. The helicopter that hit in the United States, they say that may have had a control system issue, that they couldn't control it. There's all sorts of little things like that. And I don't think it was a cyber issue whatsoever. I'm not saying that, but I'm just saying little things like that can impact and actually cause direct human life loss and damage to physical equipment and all sorts of bad things. It's a different impact and a different reason why we do things differently in OT, right?

[00:38:17] Speaker B: Yeah, yeah, exactly. Totally agree. I mean patching, I think, is not the top priority sometimes, you know, for OT people, because, like you said, the operation and the business must keep going, you know.

[00:38:34] Speaker A: Yeah.
[00:38:34] Speaker B: And even I know an organization here in Kuwait, when they want to apply a patch, they do it in a lab, like a demo. They test it there sometimes, and maybe when the right time comes, they apply it if it succeeds in the lab.

[00:38:55] Speaker A: So that's a great method. Right? That's a great way, you should do it.

[00:39:00] Speaker B: Yeah.

[00:39:01] Speaker A: Anyways, right. I've built labs for these environments, critical infrastructure. And that's exactly the reason: I'm going to test it in my lab before I test it in production. And even when I do it for tested production, I'm going to test on one system and then I'm going to wait till that one's done and then I'll test it on the second system and then the third. In IT, I would just push it to everybody. And in OT, I'm going to do it on one and I'm going to wait a day and then I'll do it on the next one maybe tomorrow. And it may take me a week to roll it all out. But I know that I can continue running the plant in that time. Worst case scenario, I lost one system. I've got two or three backups, so I'm good.

[00:39:34] Speaker B: Yeah. Even in IT sometimes, you know, the patching could lead to problems like...

[00:39:40] Speaker A: Yes.

[00:39:41] Speaker B: You remember CrowdStrike, you know. Oh yeah, it was...

[00:39:47] Speaker A: Yeah.

[00:39:48] Speaker B: Like domino. You know, like airports and air flights...

[00:39:53] Speaker A: Stopped, and banks stopped all around the world.

[00:39:57] Speaker B: Yeah. Just from one single update, you know.

[00:40:00] Speaker A: Yep. 100%. So what do you see? So obviously I'm in the States. I do some international with the UK and some places, but what do you see across other countries? How are they approaching OT, and are you seeing as big of a trend? Obviously the US is really big, where we constantly are getting nations after us, etc. UK, you're seeing a big effort. Germany, etc. What are you seeing internationally with the OT response and asset owners? Are they seeing the value? Are they taking heed? Are they making changes? What are you seeing in the international space?

[00:40:40] Speaker B: Yeah. I mean I can talk about my country and the Gulf region where I belong. Yeah. I mean the region, it was hit by attacks, as you remember, the Triton, the Trisis. It was in Saudi Arabia. And the Shamoon, I think, on Aramco. So yeah. I mean OT security now is getting better in the region because they witnessed those attacks. They know that it could reach them, not just the US and the West. Sure. Now there are many conferences. The government of Saudi, for example, they are restricting all industries to come to follow best practices. And they developed their own standards and they fine them if they don't do it. And sure, it's like a rule. So yeah, I'm seeing the region is getting better. Now I know there are some small entities that are still not catching up. Most of those who are securing their network or the OT are the oil people, most of them, because they have the money. I've seen food industries here in Kuwait and simple factories. They still don't know what's going on. They don't even know the term OT security.

[00:42:05] Speaker A: Right.

[00:42:06] Speaker B: So it's just... But anyway it's getting better for them. The majority. That's good.

[00:42:11] Speaker A: Yeah. I mean honestly it's really no different here in the States or UK, etc.
Right. It's the bigger companies that have the money that are spending the most time and effort, and it's the smaller organizations that don't have the money that have to prioritize where they're spending their money and their efforts and their people. So it's common across geographies and borders. It seems to be a similar problem that we're still experiencing, that regulation has helped with, grants and funding have helped with, but it's still an uphill battle for a while. Again, I don't want to discourage anyone, but it doesn't mean you can't do anything. Right. Even with a small budget, a limited budget, one person can make a difference. Right. You look at tools like ICS Rank, like he's talking about. It's there. Look at that. Take some action. Know where your vulnerabilities are and what you can do about those things. A lot of times it doesn't mean you have to have a staff. It doesn't mean you've got to go buy expensive tools. A lot of things, you can just disable Telnet, or turn off Telnet on your firewall, make sure you're not on the Internet. Little things like that make a big difference.

[00:43:18] Speaker B: Yeah. Like you said, you know, it's a process, it's a sprint. Small steps, step by step. Read more. Follow the community. Read. Watch podcasts. It's not rocket science, really.

[00:43:31] Speaker A: Yeah.

[00:43:33] Speaker B: Especially if he's an IT guy. It's simple for him to help in this direction. If they have IT people, of course.

[00:43:40] Speaker A: Correct.

[00:43:41] Speaker B: They could help in this without interfering, of course, with the OT process.

[00:43:47] Speaker A: Sure.

[00:43:48] Speaker B: Yeah.

[00:43:49] Speaker A: So what, in the next... We've talked about a lot of things. So in the next five to 10 years, what's one thing coming up over the horizon that you see, maybe that's concerning, and one thing that's exciting?

[00:44:02] Speaker B: Well, I think the coming 10 years will witness more, of course we see this, more integration with the cloud. Yep. I don't know whether this is good or not, but we'll see.

[00:44:17] Speaker A: Yeah.

[00:44:17] Speaker B: And I'm seeing the big vendors like Siemens, those big companies, they are going to the cloud, they're pushing it. Yeah. So I think the asset owners maybe will have to catch up one day with them.

[00:44:28] Speaker A: Sure.

[00:44:29] Speaker B: Depends. So this means more integration with the Internet, opening more. So this could increase the risk, of course, but it depends. It depends how they implement it. So yeah, following the technology is not good, it's not black and white. It's not bad, ugly. It depends how you use it, how you implement it, how you design it, how you segment the network, whatever. So yeah, I'm seeing maybe AI. I'm seeing some research there using AI to help in dissecting, for detection, you know, in the network. And also they're making AI understand more about the processes, which I've seen lately in some research, which could help the human, because instead of reading all that or looking for many alerts, the AI can speed this up for you. So, yeah, this is what they call digital transformation.

[00:45:36] Speaker A: Yeah.

[00:45:37] Speaker B: Yeah. So the bad things, maybe, I'm sure the attackers are coming better now. Yeah. Because AI, of course, helps them to understand the processes better. So if you don't catch up with the bad guys or the attackers, maybe this is bad news for the community. So you have to do your homework and educate yourself.

[00:46:05] Speaker A: Yeah. Awesome. Yeah. So this is the call to action time. So how can people find out about... Obviously we'll put all of it in the show notes.
But tell us about your podcast. Obviously you already mentioned ICS Rank. How can people find out more information on that and use it in their workplace and learn more? Just kind of give us all the things that people can go to to find you and all the things about you guys.

[00:46:31] Speaker B: Yeah, I mean I'm active on LinkedIn. You just type Al Hasawi and you will find me. I'm also active on my podcast, ICS Arabia. I interview people. Well, it's called Arabia because I'm trying to provide the Arabic content.

[00:46:51] Speaker A: Sure.

[00:46:51] Speaker B: For the region, but I also interview people from around the world. No problem. ICS Arabia, you can find me on YouTube. Also my tool ICS Rank is free to use. Even the next version will be free, but there will maybe be some paid things, but it's mostly free and I will update it, of course, with new vendors, with new products every time I get my hands on new findings.

[00:47:23] Speaker A: Sure.

[00:47:24] Speaker B: That's it.

[00:47:25] Speaker A: Awesome. Hey, I really appreciate it. It was an awesome conversation. Again, I love the fact that you and I are literally in different worlds across the world. Right. And we're still fighting the same problems and issues in our spaces, again from different perspectives and different backgrounds. But we've seen a lot of the same issues and have a lot of the same struggles and also are doing a lot of the same things to try to fight for the good, right, and to help in these spaces. So thank you very, very much for your time. Hope I get to shake your hand and have a coffee or something with you sometime soon at a conference or at a speaking opportunity or something like that in the future. Thank you very much for your time and joining me today.

[00:48:10] Speaker B: Thank you for having me, and I'm really happy to see you and meet you on camera. Yeah, you're doing a very good job. Great job. Really good podcast. Good luck with it.

[00:48:21] Speaker A: Thank you very much, sir. I really appreciate it. Thanks for joining us on Protect It All, where we explore the crossroads of IT and OT cyber security. Remember to subscribe wherever you get your podcasts to stay ahead in this ever-evolving field. Until next time.
