The Intersection of IT and OT: Highlights from S4 Conference with Jori VanAntwerp

Episode 49 March 17, 2025 00:59:40
PrOTect It All

Hosted By

Aaron Crow

Show Notes

In this episode, Aaron is joined by Jori VanAntwerp live from the S4 conference. Together, they unpack the intricacies of networking at industry events, the challenges and opportunities in OT cybersecurity, and the evolving technologies and strategies that are reshaping the field.

From the significance of understanding asset owner needs to the promising future of AI and blockchain in cybersecurity, Aaron and Jori cover it all. Whether you're a seasoned professional or new to the field, this episode is packed with insights that will keep you informed and ahead in the ever-evolving cybersecurity landscape. 

So, tune in and get ready to explore the essential strategies for protecting it all.

Key moments: 

04:38 Asset Owner's Conference Dilemma

08:14 "Business at Speed of Trust"

10:45 Career Transition Acceptance

16:09 Limited Solution Compatibility Issues

18:41 Exploring Blockchain for Data Integration

20:47 Adapting to Imperfection with Technology

25:12 Dynamic Detection in Modern Substations

28:28 Rethinking Staffing for Power Utilities

31:45 Retiree Saves Power Plant Upgrade

35:37 Ford F-150 Taillights Theft Spike

39:08 Modular Redundancy in OT Security

42:20 "Advocating for Chipset Optimization"

45:32 "Call for Advanced PLC Monitoring Chip"

48:12 Complicated Security Measures Challenge Efficiency

49:28 Balancing Security and Operational Needs

52:57 IT Policy Disrupts Control Room Ops

56:43 Bridging OT and IT Teams

About the guest:

For nearly two decades, Jori has enabled industrial and IT organizations to reduce risk, increase compliance, and strengthen their overall security efforts. His diverse background in security, technology, partnering and client-facing work lets him quickly evaluate situations and identify innovative solutions and possible pitfalls, approaching them with intuitive insight and methodology and a deep understanding of business and technology, from silicon to the cloud. He has had the pleasure of working with companies such as Gravwell, Dragos, CrowdStrike, FireEye and McAfee, and is now Founder and Chief Executive Officer at EmberOT, a cybersecurity startup focused on making security a reality.

How to connect with Jori:

Website: https://emberot.com/

LinkedIn: https://www.linkedin.com/in/jvanantwerp/

To be a guest or suggest a guest/episode, please email us at [email protected]

Episode Transcript

[00:00:00] Speaker A: You're listening to Protect It All, where Aaron Crow expands the conversation beyond just OT, delving into the interconnected worlds of IT and OT cybersecurity. Get ready for essential strategies and insights. Here's your host, Aaron Crow. Protect It All today with Jori. We're here at S4. This is Wednesday, so we're about halfway through the conference. I know there's so much here. There's so many people from vendors and asset owners and all the things. So how have you been so far with S4? And I know you're lobby-conning it this year, but there's so much to do and see. So how has it been so far for you?

[00:00:41] Speaker B: S4 has been fantastic. And we had the inaugural BSides ICS, which is actually just before S4, which is another great show. It's been a great year. And I have to say, we've been in Miami for as long as I can remember going to S4, and the switch to Tampa at first was a little shady, but I'm enjoying it. I like that. I like the venue. And I feel like it's been easier to bump into people just with how the floors are set.

[00:01:05] Speaker A: Right. Yeah. The lobby's smaller, the rooms, even though it's split between multiple levels, there's more levels. But yeah, I agree there's a lot of people. But it really flows well. It's easy to see everyone. It's not overwhelming. So what was your goal when you came here this week, to kind of focus on at S4 this year?

[00:01:24] Speaker B: So this year I've actually really been focusing on bringing on board some new clients for my business. My business is focused in OT cybersecurity, EmberOT. But I'm here to really network with folks in oil and gas and advanced manufacturing. I want to see how we can help them. Yeah. So a lot of my efforts have been really focused around that. And honestly, this is the best place to do it. I mean, I love coming to S4 in general. This year was so busy, like you said. I'm actually just sitting in the lobby when I don't have a meeting. But it's been.
It's been really good conversation so far. It's exciting to see so many folks. I just bumped into a gentleman I haven't seen since a conference called ONS in Norway in 2018.

[00:02:06] Speaker A: Right.

[00:02:07] Speaker B: Just the people that you run into here is amazing. And we do have quite a bit of asset owners that are actually here at the show, which is incredibly important for those of us that are in OT security because they're the ones that actually keep the lights on, keep things running.

[00:02:21] Speaker A: Yeah, you know, we were talking about that yesterday, actually. As you know, I was an asset owner, and I didn't really ever have access to come to these things. Right. So I would. It was. It was difficult to get a budget for going to a conference. The value prop just wasn't necessarily there because I was in a power company, I wasn't an engineer. I was doing the cyber thing. So we were talking with somebody with EPRI yesterday, and I mentioned how a lot of the engineers went to EPRI conferences and EPRI trainings and all that kind of stuff. But going to a conference was difficult. I really had to fight for it. And I started out going to DEF CON and Black Hat and things like that. And I had heard of S4, but I had to prioritize because I could only go to one a year. And I made it so that my team could go to kind of whichever one they wanted. And we kind of split, divide and conquer type thing. But it's so powerful. We don't want to just have vendors and sponsors here. We want to have conversations with asset owners and we want them to be here and not feel like they're going to be bombarded with, you know, used car salesmen, which you don't get here, which I love. But some conferences, it's that way. I don't feel it's that way here. You know, I've been an asset owner, I've been in a. In a sponsorship position, you know, vendor side, like. Like you, of course. But I don't feel that here. I don't feel anyone's when I walk by the booths.
It's more about conversation, it's more about networking and talking about opportunities and capabilities more than just, hey, buy my thing. Wow. How do you feel about that?

[00:03:49] Speaker B: Absolutely. And actually a former partner of mine put it the best. He actually said that here's where you do jersey swaps. We all wear different jerseys at different times, and it is a much friendlier community. And even in the vendor space, we compete. It's the same with major vendors, GE, Siemens, et cetera. But we are all part of the same community and you really feel that here. And I have to give a shout out to Dale. Dale's done a fantastic job of trying to keep S4 for asset owners as much as he can, and it's been pretty impressive. The BSides ICS was really good as well, because it had a little bit of that grassroots coming back. Definitely a lot of asset owners, which was great to see. But I agree. I'm actually curious. When you switched from being an asset owner to the vendor, was it easier to come to these conferences?

[00:04:38] Speaker A: Yes. Again, as an asset owner, I never came to this particular conference, but a lot of the conferences I went to, I felt like I was, you know, hanging meat that people saw and they'd see the company that I worked for, and I would just get mobbed because everybody wanted my attention. I was the OT cybersecurity manager at a large power utility in Texas. And, you know, I would get, you know, I feel like. I'm sure some of the CISOs feel at RSA or Black Hat or some of those places where, oh, you're a CISO. And they. That's why usually at Black Hat, when I. When I put my badge on, I don't usually put my title or the company I'm with. I'm not necessarily trying to hide it, but I only want to tell it to you if I see value in it. I don't want to just broadcast it to the world because again, you leave Black Hat and you get 50,000 emails from, hey, you came by my booth and you got some socks. Let me sell you something.
[00:05:27] Speaker B: Gone to their booth, right? No, we're completely inundated. I mean, the industry as a whole, even on the, you know, the vendor side or if you're working at a company, we're completely inundated with marketing. And it. To me, it's actually become so noisy that we have, you know, CISOs and people that have to make decisions that are jaded at this point. So having any conversation with them is difficult because they've already got their blockers up, right. They're ready to just walk away. And it's a lot of times for vendors that are really trying to make a difference or an impact in the community, and as a whole, we're more focused on what the needs are. I need to have a conversation with someone and understand what their challenges are, what the needs are in their environment before we even get to, can I solve them? It's not. I'm going to come up to you. Oh, I can solve everything. I slice bread, we make pizza. Everybody loves cookies. We've got it all. Yeah, but that just. We. And this isn't even just OT, it's IT cybersecurity as well, have just overdone that for years. And it's funny, we're. We're at a conference, but I have to say, we used to play bingo for words at like RSA or Black Hat. What's going to be the word? Blockchain? AI? Like, observability.

[00:06:43] Speaker A: It's convergence.

[00:06:45] Speaker B: And suddenly everyone does that. And it makes it really hard for the people that need our products to even understand which one to get. And that's something that I do a lot around FUD fighting, because it's been a pain for mine because I sat on that side, not OT, but on the IT side. And sifting through what products say in their marketing material and what they actually do is difficult because we started to spin that marketing material.

[00:07:12] Speaker A: Right.

[00:07:13] Speaker B: So I try to stay away from that personally. But you definitely, you're dead on. Like, you just as a vendor as well.
Like, you can't just march up to.

[00:07:24] Speaker A: A CISO and start talking about assessments. No, no. Well, and you know, you and I have talked about this a lot, and I talk about this a lot on the podcast and, you know, on LinkedIn, et cetera. I think that it's a time for a shift. People want something different. You know, it's not that the bagels. And my partner Neil says this a lot. You know, we do the loan start driver shootout. Right. And we're doing that because we want to do something different. We want things to be more like S4, more network and connection based. And then the sales come from that. Right. So, you know, we charge CISOs to come to our event, which is not common for that type of thing. Right. You know, we do. It's all based on connections and relationships and doing activities and breaking bread. Like the old way that we actually connect with you. You don't get to know somebody in five minutes in an elevator pitch. I don't want to just hear what you have to sell me. I want to know who you are. I say this a lot, but we do. We do business at the speed of trust. So the faster that you and I build some kind of trust, like obviously trust but verify, but the more that I trust you, the quicker I'm going to be able to hear what it is that you have to offer and say, and vice versa, where you're not just trying to sell me something, you're willing to listen to my problems as an asset owner before you say, I've got your solution. A lot of times as a CTO or a salesperson or a vendor, I find myself saying, yeah, I don't think I'm the right product for you, or capability or offering.

[00:08:45] Speaker B: It's the best thing you could say, yeah.

[00:08:47] Speaker A: And they want to hear that. And it's refreshing. The funny thing is, is it actually entices them to want to come back and talk to you more when they do think that maybe you'd have something to offer where you would assume it would push them away. But I don't experience that.
Like, do you agree?

[00:09:00] Speaker B: Oh, absolutely. And I have really good relationships with a lot of organizations that I've built over years with those folks. They've changed from organization to organization, but that I've been doing business with for almost 18 years at this point. And it's because you have to know that you're paying it forward. You have to know when your product is not the right fit, you may not have the correct solution. And frankly, I'd encourage you to point them at something that does.

[00:09:27] Speaker A: Yeah.

[00:09:27] Speaker B: That will actually help them with their problem. But I completely agree. And I'm going to steal that, by the way. The speed of trust is a really, really good way to put it, because building that rapport, I have to be able to understand what your needs are, which means it's almost like being in a relationship. You've got to be vulnerable and talk about what your needs are and, frankly, what your budget is, because those are the two things that matter to both of us. If I can't make it affordable to you. And again, it doesn't fit your needs. We're in a bad situation in the same way. If I'm. I'm too expensive, but I fit your needs. Like, how can we come together? And it's a partnership, and people talk about this all the time, but I feel like very few of us are really practicing finding partnerships instead of just finding customers.

[00:10:19] Speaker A: Right.

[00:10:19] Speaker B: You know, the speed of trust is going to stick with me for a while.

[00:10:22] Speaker A: Well, it's. It's so funny. How many places have you been or worked with or people that have changed roles? And they're still here like, they're still OT practitioners, but they were a vendor and now they're an asset owner. Maybe they're working for a government agency and then we're cycling through. It's not because they're, you know, doing anything wrong.
It's because a new opportunity came up or maybe, you know, a company spun out or they had problems, like. But the. The connections are here. Like, again, last year I came right after leaving Industrial Defender, and I was kind of in between roles. I think I just started with Morgan Franklin, but I was still brought in and accepted by everyone because I was still me. Like, I still have the knowledge that I have. I still have the experience that I have and I've made those connections. So everybody's excited that I was here, even though I was in a different role. Like before I was a product offering and now I'm doing consulting stuff again. Right. So it doesn't matter. And maybe next year I'm going to be an asset owner. Like, I doubt it, but, you know, it could happen. But the thing to your point is, like, I see this as something that we're playing on a sports team. Right. It's like you're offense and I'm defense. But we're on the same team, we're in the same jersey. Yes, you may be a competitor to me, but there's plenty of opportunity. There's so many folks, asset owners, agencies. I work a lot, obviously, in critical infrastructure. There's 17 critical infrastructures. There is more work out there that needs to be done than any of the vendors here can support. There's so much that needs to be done. If we had a blank check and could go fix all of the problems in OT across all the. We'd need more people than are even here.

[00:11:54] Speaker B: There's something that I do when we talk about competition, especially internal to my company, honestly, even when I'm speaking to other folks in the field. And that's really to express predecessors. Because the fact is we're new, you know, we're taking a different approach. That doesn't. Yes, there's competition, but you don't need to make it combative. Sure. Right. It can be that the predecessors are doing a great, you know, a great job at X, Y and Z. But here, let me show you how I can pivot things.

[00:12:22] Speaker A: Sure.
[00:12:22] Speaker B: And maybe we'll look at Z and Y or we look at A, B and C. But how, how do we pivot that mindset? I think it's important, you know, vendor side. I've been here for almost 20 years on the vendor side. And you are absolutely right. You cannot have that kind of animal. It's not good to have animosity like that. It's actually more fun and you are more productive. You innovate better when you are having that, that like friendly competition with whomever it is that you're competing with. Yes, you're going to go and compete. But again, we're all people. We all work in the same field. We could be wearing the exact same jersey tomorrow.

[00:12:57] Speaker A: Right.

[00:12:58] Speaker B: We don't know what's going to happen. So I think it's incredibly important to really remember these are just people. Right. And the companies. There's a reason that those companies exist, why people started those companies. There's a mission behind that, which in most cases is a good mission. So it's not good to knock other people's products, other people's things. Everybody's here trying to do the same thing. And, you know, being in security specifically, we're all here trying to protect something.

[00:13:28] Speaker A: Yeah.

[00:13:29] Speaker B: It's the name of your podcast.

[00:13:31] Speaker A: Right.

[00:13:32] Speaker B: We're all here to protect something. And you need to remember that. We're all defenders.

[00:13:36] Speaker A: Well, and the other piece, again, going back to my time as an asset owner, it goes beyond just this, like, at home, even, like you're looking at a product and, you know, AT&T or T-Mobile or Verizon or if all you have to say is something negative about your.

[00:13:51] Speaker B: The only time I've seen it work where I. I actually paid attention is this is fast food, which I don't really eat anymore. But the sign wars.

[00:13:57] Speaker A: Right.

[00:13:58] Speaker B: God, I used to love the sign.

[00:13:59] Speaker A: Yes.
[00:14:00] Speaker B: That's good stuff. And I think it's good to have that cheeky.

[00:14:04] Speaker A: Yes.

[00:14:04] Speaker B: Like, have some fun with it. But you're absolutely right. You don't want to expect. Don't disparage.

[00:14:08] Speaker A: Right.

[00:14:08] Speaker B: There's no reason to disparage.

[00:14:10] Speaker A: Yeah.

[00:14:10] Speaker B: Like I said, we're all here for the same reason. You know, we. Just before we got into the podcast, we were actually talking about home networks, and I'm kind of in a similar vein as you. It sounds like you've gone towards Ubiquiti.

[00:14:22] Speaker A: Yes. Yes.

[00:14:23] Speaker B: So I haven't made the jump yet. It's a little hodgepodge of open source and other things. But the way that I looked at purchasing those products, one of the things that really caught me is the marketing on those particular products you'll find for home routers. And, I mean, there's tons of brands out there, but those brands are always telling you how much faster they are than the other brand.

[00:14:47] Speaker A: Sure.

[00:14:47] Speaker B: And if you're as geeky as we can be.

[00:14:49] Speaker A: Right.

[00:14:50] Speaker B: I'm, of course looking at chipsets. What's in this thing? Pretty much the same across the board, which is why I kind of pick a hodgepodge. I think it's similar for solutions. It's a struggle when people are trying to make a decision around a particular solution, because it would be easy if you could get one solution that did 70% of what you needed. But a lot of times we end up in this mesh of, here's a product that does 40, here's one that does 10, here's one that does 20. And I think going back to the competition is if we can collaborate a little bit more on that, we can actually help the customer by expanding how much percentage of what they need we can do so that we can get these folks down.

[00:15:35] Speaker A: Yeah.
[00:15:36] Speaker B: From a product perspective, because in many cases there just isn't that 70% product. It's, it's, it's just not possible.

[00:15:41] Speaker A: There's no silver bullet.

[00:15:42] Speaker B: Yeah.

[00:15:43] Speaker A: Well, and I came from power utility. You go to a power plant and even on one unit, so not to mention there's multiple units at a power plant many times. But even in that one unit, I'm gonna have multiple control systems a lot of the time. I was talking about this with a gentleman last night at the dinner happy hour thing and that same environment. So I can buy from a control vendor, Honeywell, Schneider, Foxboro, all these places, and they have cyber controls that they offer through their offering. But it only works on, it's only tuned for their environment. It doesn't work on the third party controls, it doesn't work on the other systems that are there. So that, that coverage, like they'll do maybe 80 or 90% of the stuff that they brought to the table, but all the other stuff, they're like, yeah, it's not my problem. I don't know what to do about that. Right. But me as an asset owner, I care about it all. So how do I deal with that? Right. So looking at this and knowing that maybe I have to have multiple solutions, unfortunately, when I started, we had three different antivirus solutions and three different backup solutions and three different Active Directories because every vendor brought their own. Again, this was a long time ago, 2010 or so, but I finally had to have a conversation with the vendors, the control vendors. And I'm like, look, I know you guys have your offerings, but I don't want to manage three antivirus solutions for one control system. Like, I don't, I can't do it. It's a manpower problem. So you're gonna have to work. We're gonna choose this one, XYZ, whatever it is, vendor X. And you're gonna have to work with it. We don't support that. I don't care.
You're gonna support it because this is about what I have. And it's better for me to have a system that you don't support that I can manage with the staff that I have, than to have a perfect architecturally or coverage product that I can't support because I don't have enough people. And it's that people, process and technology. It's easy to go buy a widget, but then I have to support it. It's the same reason I went to Ubiquiti at home. It's not that Ubiquiti is the best product in the world. I think my old network that I had that was a hodgepodge like what you have was probably faster. But as we talked about this morning, I couldn't support it remotely. So as long as I was home I could get it back up and running. But as soon as I travel, my wife is not technical at all. So it didn't work anymore.

[00:17:46] Speaker B: It's a cycle. Goes through the hodgepodge. Amazing, right? But then supportability goes out the window.

[00:17:52] Speaker A: Exactly.

[00:17:52] Speaker B: And then you go back to more mainstream. I cycle through that constantly. Constantly. You know, you brought up something about all the different controllers, types of vendors, you know, their controllers in a particular environment. And it hit something with me that I don't think we've talked about yet, which is I'm really looking at how we do baselining completely differently now. And it's where I'm really starting to see a lot of, of well, success on our side. And that's a lot of times we look at the network traffic and it's just the network traffic and that you can inherently baseline things you don't want.

[00:18:33] Speaker A: Sure, right.

[00:18:34] Speaker B: So it's hard to create a clean baseline unless you just have an unplugged brand new fresh system all from scratch.

[00:18:40] Speaker A: Greenfield. Yeah.

[00:18:41] Speaker B: So how do we get around that?
And so something that I've been pivoting to is, and we just talked about, that's a buzzword, blockchain, but that type of distributed ledger or mesh, if you will, is something that we're really experimenting with. And I'm curious what your thoughts are, but the idea is that it's not the trust of one sensor, one aggregator, one what have you. And it's not just our product, but what can we integrate in to create a mesh where we can have things that if, you know, product X says hey, I see something suspicious and the six other things you have in that environment don't. There's actually a really good chance that the six of them, so it's not to make that go away, but we should have more of an alarm style management.

[00:19:33] Speaker A: Checks and balances.

[00:19:34] Speaker B: Yeah. So it's there, you can see the alert, but it's not brought immediately to your attention until it can be corroborated. We're playing with the threshold on, but it's reaching out and creating that mesh and having that ledger so that things can talk and check with each other to make sure you're not just throwing erroneous alerts at an operator. Because that's something, frankly, as an asset owner, you didn't have time for that.

[00:19:57] Speaker A: You turn it off.

[00:19:59] Speaker B: It needs to be something that's useful. It doesn't have to even necessarily be actual, although that's our goal. But I'm really moving towards, instead of baselining, we're actually, we'll say micro baselining at the asset level and then trusting multiple sources. I shouldn't say trusting, corroborating with multiple sources in the environment. Curious if you've seen anything like that in the field.

[00:20:21] Speaker A: Yeah, I have. Definitely. There's so many technologies and again, you heard the buzzwords for so many years around blockchain and crypto. And again, AI.
Just because it got overused and people like assume that it's, excuse my language, bullshit when people talk about it, that doesn't mean there's not value in it. So to your point, let's dive into that. Right? So we all know that there is no silver bullet. I don't care whose product is out there. Again, I was an asset owner. My product wasn't perfect. There is no perfect product. Right. As soon as you find a perfect product, the adversary changes things and it's no longer perfect. Right. So it's a constant battle that we're having to. To continue to get better, to progress, to improve. So how can we use things like blockchain, how can we use things like AI to have a better picture? And to your point, you may have six different data sources. They may say six different things, or they may say all of them say one thing except that one off. So is that one off? Obviously, I want to look at it because maybe it is true. But, you know, it also could be the most obvious answer, could be that one is actually the wrong one. The other five are actually. Right. So how do you, how do you dig into that and really know how to kind of train it and understand what you're looking at and be able to pull that up over time and get more value to the asset owners? Because ultimately that's what we're looking for is like we've got passive monitoring. Awesome. We've got some kind of asset inventory, maybe. Okay, yeah. I've got segmentation, I've got a firewall. I want to constantly improve my, my cyber posture. Not necessarily with a, with a sine curve going off the end of cost and resource requirements. So how can I do it more efficiently, get more value add? Because to your point, if I just overload my SOC analyst or my, my OT, my cybersecurity people with millions of alerts, they're gonna ignore them, they're gonna. It's gonna hit mute. I can't pay attention to that, right? So it's, it's, it's worth. It doesn't matter that I detected everything. It's so much overload.
I've had examples of this where we turned on alarms in a control system. Again, not cybersecurity, but actual alarms from instrumentation and the alarm server just overwhelmed. It was like giving 10,000 alerts a second or something like that. And they just unplugged it. They're like, yeah, it's not true. I don't know what's going on, but we're just gonna unplug it because I can't run my plant that way. So how do you, how do we dig into that and start doing some of these cooler things that are not just buzzwords?

[00:22:42] Speaker B: I think so. A lot of this actually comes down to the operator. They know the environment. The asset owner, the operator, they know the environment better than anyone else. And AI is interesting because it can build dynamic models that are always continuing to change, doing the best it can. The issue that I see right now in that is that one, cost on.

[00:23:06] Speaker A: GPUs is they're not cheap.

[00:23:08] Speaker B: In most of these environments, we're. It's unlikely to leverage the cloud, right? And you don't want to have a giant AI server on site. So how do we take what we can do with AI and make it more digestible? And so one of the ways that we've been experimenting with that is actually combining old school and new school. So using data that we have and the, we'll say, hypothesis that we have. And so we start training models, right? But then it's just the model that goes on site, so everything stays on site. So we're not, it's not active AI in certain areas just because there's not enough horsepower, especially at the edge. But we can still benefit from what AI can do, how fast it can process. That's something we've been doing. Now my feeling on sites as a whole is we're gonna have to rely on the operator to actually train a little bit of this. So we can't be 100% positive on whether that one is correct or the other five. We can give you that. Everyone see the slider bar, right?
Like, well, we're 60% positive, we're 70% positive of what it is and it's a little helpful. But the only way that we get better at that is with user interaction or time. If people are willing to share data, that's great. But a lot of these, you know, the environments that we're installing, it's just not an option. So we've been trying to work with the metadata that operators themselves can train so that we know when something's gone wrong. But it's submitted manually.

[00:24:46] Speaker A: Right.

[00:24:46] Speaker B: It's not just sent off willy-nilly. Right. Say, hey, we had an incident where this particular machine was correct, these other five were not. And let's say the confidence score was 40% sure. And we want to make sure that that comes to the top next time. And so having just that little bit of input, even without the raw data coming off of the network or out of that environment, is enough for us to actually tweak the model. So it's a little bit of that almost static, it's dynamic detection, but it's a static mindset of like, here's your next content up there. I think we'll evolve past that. But some of that's going to be based on the environment itself. Most likely not going to happen in an environment that's 20 years old.

[00:25:29] Speaker A: Sure.

[00:25:29] Speaker B: Right. But if it's a newer substation that was built in the last five years, or if it's, it's a, you know, newer plant or advanced manufacturing has to have a little more horsepower, then you can, we can actually start running some of those models on site. That's where dynamically you can see what those five machines said when a single machine said. And there can actually be some thought behind it. I don't know how else to put it, but dynamically around it, that's how we're, we're tackling the problem. It, I think it's something that we really need to look for.
And I'm glad you brought up AI blockchain again because I think everybody in the industry is kind of tired of hearing AI blockchain. What I want us to be careful of is don't let the pendulum swing. [00:26:11] Speaker A: Right? [00:26:12] Speaker B: Right. So let's not go completely, completely negative. There are tons of uses, you said, for AI, but how do we retrofit how AI functions today to fit into these critical infrastructure environments that don't have the horsepower, may not have connectivity, or frankly may just not be okay with blockchain and AI? How can we make it more comfortable, make it understandable and useful in the environment. [00:26:36] Speaker A: Well, I think there's also a fear of again, Power Utility, right? You, you have, you know, regulations that restrict you from what you can do, what data can go where, being able to use technologies. Like even just the cloud, which to me the cloud is just a relative term. It's just somebody's server in a data center. Like what difference? Obviously there's a difference, but my point is, is like there's really not a whole lot of difference. I can have on prem cloud that's I own and it's on my iron in my data center. Technically that's a cloud. Like so. So that technology opens the door to do more things. Blockchain, AI, things like that. I'm sure Power Utility will be one of the last that'll ever use that kind of technology. But I know there's other things. You look at the global companies that do shipping. I don't want to name names, but you know who I'm talking about. Other companies are more open to putting their process control networks not on the Internet and maybe not even directly in a cloud, but having data going to the cloud from these environments to be able to utilize tools like that. So we're not that far away from that stuff, even down to potentially a power plant. I remember even before I left as an asset owner, we were looking at doing a centralized control room between multiple. 
Now they were solar plants and wind and renewables. It wasn't like, you know, moving equipment, generator type stuff that you would see it like a nuclear power plant or something like that for obvious safety reasons. But the imagine the not need to have staff physically at a facility to control it. Right. You have it be a regional control center. We do this in all other industries all the time. Obviously there's a safety reason we haven't done that in many of these process control environments. But the more that we have AI and robotics and automation, it opens us up. It's not that you wouldn't necessarily have any staff. You'd still have people on site. You need operators to touch things and you know, do maintenance and PMs. But do I need to have the full staff? Can I go from, you know, a big staff to a smaller staff and then I have my, my intellect in bigger areas. The other part, especially in power utility is, you know, a lot of these power plants, they're never in a populated area right there in the middle of nowhere for obvious reasons. Nobody wants a power plant in their backyard. So it's a talent problem as well. I say this all the time, but it's people, process, and technology. The people aspect of that is like, how can we find people that are willing to go work and help solve these problems but are willing to move and live in this small town in Texas or Ohio or wherever the place is. If I could do that and have them be regionally in Phoenix or Dallas or Austin or San Francisco or wherever, it opens the door for me to have more intellect and solve the problems differently than we've done. And I get so tired of hearing people say, well, this is the way we've always done it. We'll never do that. That'll never, never happen in OT. We're never going to converge, we're never going to use AI, we're never going to use. I get so tired of hearing that like, yes, we're not there yet. And I'm not saying that we should be doing it today. 
But to your point, we can't let the pendulum swing all the way over to the side and say we're never going to do that. Because I think that's short sighted. I don't think that's going to be true. It's just a matter of when and how do we do it in a safe way. Right. [00:29:42] Speaker B: And I think you kind of touched on something is forefront for a lot of people, which is how does this affect my job? And I want to be clear at least in my feeling on this, which is that AI isn't here to replace people and it's nowhere near capable of doing that. Even some of the most fantastic AI projects that I've been involved in or on the periphery of, it's not there yet. So what I see the power as and how I want to change people's view of it is that it's not taking a job or replacing an operator. What it can do is make an operator more efficient, less stressed, more focused if they know how to use the tool. And again, I don't know if you see this in your area. Where I live, we actually have an issue with operators aging out. Not a lot of people are actually coming in and doing internships and getting involved. And so what we're seeing is there's a massive experience gap. So the people that are coming in are, are young and there's literally people retiring out the door without much over no bridge right. To actually help them. So I think one of the areas outside of cyber security as a whole that it could be helpful is scaling up the knowledge of a brand new. You know, I just got done with my apprenticeship and now I'm off. I'm an operator and this can help me right if. But the only way that happens is if these folks that are aging out are willing to help train the model for, you know, their particular organization. Because we don't want all that experience to go away. And we do really have that. 
It's a massive issue, at least in the Southwest, where folks are coming in like, you know, 20, 22 years old and we have people that are 65, 70 years old that are just there out the door like it's, it's just one for one replacement without that overlap. But I think AI is more focused on enhancing at this point. That's the, that's the way that we need to approach it, in my opinion, versus replace it. [00:31:45] Speaker A: Yeah. Well, I told you a story last night about, you know, my father was. He was in the power industry for 40 something years and retired in his 60s. And you know, the company he worked for actually bought a new power plant and they were in the middle of a control system upgrade and they didn't have the resources to kind of get it to where they needed to go. So they brought him out of retirement and he came and helped them because they didn't have anybody else that could do it. You know, the knowledge that he has, it's, it's invaluable in that situation. And it's not that the people that they hired weren't good. They just had never done this before. Right. And they didn't understand what it was going to take to get from where they were to where they needed to go. And they had a very short time windows and an outage and obviously it was going to be very costly if they missed their outage for a lot of reasons. So, you know that, that type of thing is. We've even seen it in IT when we did the mainframe thing right back in the day, right when we got off of the mainframe. And part of the reason many people, obviously it was expensive, but also it was hard to find resources that understood how to keep it up and running. There's still banks and things that use mainframes today. The AS/400 is still everywhere it is. But I remember we did a big mainframe migration in the power company and went from a mainframe to Maximo for process and work orders and things like that. But it was a giant shift to go into that. 
And they had going from green screens at all the power plants to do PMs and stuff to using Maximo and it was a big lift and shift. It was an expensive capital project. But the biggest problem was we didn't have anyone that could support the mainframes anymore from an IT perspective. So the plant guys had used this stuff for 40 years, and now we had to change and change the way they do work and process and everything about it was different. And it was a struggle. Anytime you do something different, it makes it hard. And people are terrified of change. [00:33:31] Speaker B: We have to be respectful. Like, you're saying we can't have someone come and say we're never going to do that. [00:33:36] Speaker A: Right. [00:33:37] Speaker B: We've always done it this way. But also, you can't forget one or the other and a little off of, you know, what you and I do. My dad is a machinist. He's not retired, but he was a machinist for nearly 50 years. And he can still work with manual dials. [00:33:53] Speaker A: Right. [00:33:53] Speaker B: And so there was a shop that he worked for. He just recently went back and worked almost an entire week. They had the controller. So the actual. A CNC controller for a particular mill that still had manual available went down. No one at the shop knew how to. How to actually use the dials. [00:34:09] Speaker A: Right. [00:34:09] Speaker B: So he came back and actually trained a bunch of. Bunch of the. The younger machinists and helped them run parts off of the dials. There has to be balance somewhere, Right. There's a reason that they do things that we figure out why that. What that reason is. Right. So we have it as our fallback, our playbook. [00:34:24] Speaker A: Yeah. What are you gonna do in that scenario when nobody knows how to do it manually? Right. And you got to go back to that and fail back to that. So it's amazing that there's. There's so much, you know, it. 
We've solved a lot of these problems from segmentation and a lot of the things. We're usually behind the eight ball intentionally. The analogy I like to give is like, it's. I'm a big Toyota fan, right. I love Toyota vehicles. I think they're great. They're always reliable. You know, they last a long time. But you look at it at a Toyota especially, you know, I think the. The 4Runner was. Was around for the last generation, was 15 years or something like that. Right. And they didn't change the technology in it during that time, but everybody loved it. Why is that? Because it was reliable. But if you get in it, it didn't have all the creature comforts of a brand new, you know, Chevy or a Ford or a Mercedes or something. It didn't have, you know, Bluetooth like it had Bluetooth, but it wouldn't have Apple CarPlay. It wouldn't have a lot of those creature comforts, cooling seats and things like that. But there's a reason behind that, right? And the reason is because once Toyota, before they deploy something, they want to make sure they understand it and it's reliable. They fix all the bugs. Whereas Chevy and GM's model and many of the other manufacturers are more. We want to be first to market. We want to have the best technology, we want to have the best option. Correct. And then we ended up testing on those things. Like, I saw something this morning on the news, and it was talking about, you know, the Ford F150 truck in Texas in the last and this year, I think they said is they've stole $90,000 worth of tail lights. Like, I guess the tail lights are so expensive on the Ford F150s that people are just walking around stealing them because to buy new ones, it's like $3,600 for just tail lights. Because the modules in them and they've got like, sensors for other vehicles and lane change and all that kind of stuff. So people are just walking around, walking up, and within, you know, two to three minutes or less, they can take your tail lights. 
So they're doing this all over the place, right? But it's little things like that that people think about. Yes, it's awesome to have the sensors in, but then when you make it so expensive to replace, then people are stealing. It's why people were stealing catalytic converters, because of the raw materials that are in it. And there's consequences. It goes back to the CIE thing, like I talk about all the time, right? It's designing our systems to be with security in mind, which is easy to do in a greenfield, like we mentioned before. But how do you retrofit that in an older environment? Right? [00:36:42] Speaker B: What I always tell people to go back to the car analogy, right? In the old day, right, it was really easy to swap a light bulb. It was your brake light. It was really easy. A lot of times now it's actually quite difficult. A lot more work to it. But I think that we need to design our security infrastructure to be the same way if we can, modularly, so that if you get to a point where there is the latest and greatest thing and you're ready to move on, you should be able to easily disconnect the sensor and put in a different one, right? Or the latest one, but to build yourself a highly agile environment. And I say that now because as we know, I mean hardware refreshes and it can take a long time. But starting to get ahead of that, putting in infrastructure so that you can be modular, it's going to make your life a little bit easier because we basically did the same thing in cyber security and OT and IT where it's like oh well, I have Splunk. Great, good luck getting off that right once you're on it, even if you like it or not. And I know personally I'm all about people should own their data and be able to do what they want with it. Make it easy. Yeah, needs to be easy. If I do a good job for you, you will keep me. [00:37:53] Speaker A: Sure. [00:37:54] Speaker B: If I don't, that's on me. [00:37:56] Speaker A: I shouldn't have to be strong armed to keep you. 
And that's, that's a mindset that's a little different. But it's true. It's one of the things I love about this conference. One of the things I love about the way I interact with people is it's all about again going back to the networking, right? It's all about the personal connections that you make. The sales stuff will come when you build that trust with people and they realize that you're there to really try to help them and we can solve problems. But when you're designing those systems like again all the way back to 2010, I was designing the system that I could replace a sensor with another sensor but the data was still going to the same place. So yes, the first time I had to have an outage. The second time I didn't because all the stuff was out of band. It wasn't had anything to do with the process network. So then I could replace a sensor with another one. I could replace Splunk or I could replace Dragos or whatever the thing is that's there not because it's bad, but maybe they have a new sensor, maybe they have a new offering, maybe it looks different, a different form factor. Hardware goes virtual like any. Whatever those things are, start thinking about those things as you're designing them again, not because you're trying to, you're assuming that you're going to kick out your vendor, but more so what's the next thing that's going to come up that isn't available now? And I want to add a new sensor, a new capability that is not available today. [00:39:08] Speaker B: We're seeing a lot of OT companies actually go in that direction. One of my customers actually spent the last it's got to be like five or six years specifically putting in infrastructure where they could swap or, you know, if they wanted two different tools, they could have two tools in that particular environment. And it adds some redundancy. And again, it adds to that mesh. 
What are both of these seeing if you get to a point where you have the, you know, the bandwidth and frankly the budget to do that, we all know security in depth and layers is better. It's. And I think having that modular approach makes it even easier to do that when you get to a certain point. But I. Yeah, I love that. I love it. And the. We actually have three customers that are designed like that. And it also makes it very easy for the vendors. [00:39:51] Speaker A: Sure. [00:39:51] Speaker B: Just to. To say thank you to the customers out there. It makes it very easy for us because when I deploy, the infrastructure is there. [00:39:59] Speaker A: Right. [00:39:59] Speaker B: They already know where they want it. They're already getting the data where they, you know, where they want to be. They know how they want it to integrate. [00:40:05] Speaker A: Sure. [00:40:05] Speaker B: And so deployments go from being months to a week. [00:40:09] Speaker A: Right. Or a day. [00:40:10] Speaker B: Yeah, it is. It is fast. [00:40:12] Speaker A: Yeah. And that's. That's so powerful to be able to do that and be able to deploy that technology fast and recover and change and adjust as new threats and vulnerabilities come out. I can adjust my hardware and technology. That's really cool. So what do you see coming up next? Like, what is the next step? So we've talked about AI, we've talked about blockchain, we've talked about designing and architecting, We've talked about people and process and technology. What else. What else do we need to do that maybe we're not focusing on, or there's not as many people out there focusing on that maybe we need to probably think about for next. [00:40:42] Speaker B: This is an area that I'm really curious about, which is actually, at some point we're going to need to be able to have some type of security, whether it's a combination of encryption, types of detections, or even something more robust on the device itself, like at the chip level. 
[00:40:56] Speaker A: Okay. [00:40:57] Speaker B: That's an area that I think we've. We've been tentatively exploring, you know, as a community, but no one's really dived in because it's a lot of work. [00:41:06] Speaker A: Sure. [00:41:06] Speaker B: But the. At this point, when we talk about how we monitor OT environments, much of that monitoring has to be done at the network level or the log level. [00:41:15] Speaker A: Sure. [00:41:15] Speaker B: Because you can't. I should say you can't. But in many cases, it's nearly impossible to install some type of agent, EDR, shim, et cetera, on a PLC. And that's the area where I think interesting things can happen. We've seen all sorts of. Technically, they've been PoCs, but attacks that come from the I/O side. [00:41:34] Speaker A: Sure. [00:41:35] Speaker B: We've seen things where a communication will go to the PLC, the PLC doesn't do the action and reports back the. That it did. [00:41:43] Speaker A: Yeah. Stuxnet, for instance. [00:41:44] Speaker B: Exactly. So the, the. Not that it's completely infallible, but I think at some point we've got to get as low as we can down on the hardware side. That almost a. I think passive monitor on chip side. [00:41:56] Speaker A: Yeah. [00:41:57] Speaker B: You need to be able to see what's going on and confirm whether or not when. When the command went to the PLC, did it actually go out the I/O. And there's some other folks that are concentrating in other areas. There's a company whose name is slipping me that actually uses electromagnetic antennas to see what comes out the other end. But it's still. It's new. [00:42:15] Speaker A: It's. [00:42:16] Speaker B: It's been hard to train. I'm really, really thinking that the chip is the way to go, at least in my opinion. [00:42:20] Speaker A: Sure. [00:42:21] Speaker B: What are your thoughts? [00:42:22] Speaker A: Yeah, so I've seen some things like this. Right. So, you know, really monitoring the. 
The I/O, the 4 to 20 milliamp that's coming out the back end, the hardwired stuff, but also down to the power consumption on the system and really, you know, almost doing a baseline on the gear and the hardware and, you know, voltage and things of that nature. But the chipset, that. That's amazing. I didn't think about that. Right. Is it's getting down to those, those lower levels of our Purdue or not Purdue, our OSI model. Right. And all the way down to networking, getting at that physical. You know, in networking, we're always like, where do you troubleshoot? You start at the. At the physical layer. Right. If I can bypass or if that breaks, nothing else matters. [00:43:00] Speaker B: Right. [00:43:00] Speaker A: IP doesn't matter if the cable's not plugged in. Right. So it's the same concept. Right. The biggest thing I've seen in some of those offerings that's come over and maybe from my perspective, why I feel they haven't really taken on is people are overwhelmed by it. If I'm going to have to replace all my chips, especially in a lot of these places, because in OT, we don't replace chips ever. We don't replace our control system or our computers every three to five years like we do in IT. IT is probably even faster than that now. But in OT, those systems are really designed to run for 20 years and they weren't doing upgrades or even if they're upgrades or upgrading software, not necessarily ripping and replacing everything in the site. That gets really difficult and you've got to physically wire things. But that being said, it doesn't. To your point before, we don't need to necessarily let this pendulum swing and say it's not something we need to pursue. Just like how can we do it? You know, look at it for new, new sites as I'm doing an upgrade in retrofitting places. Do critical systems within a system, you don't have to upgrade necessarily everything because you know, the other analogy I give is like I've got two PLCs. 
They're the same make, model. One's controlling the ice maker in the break room, and one's controlling a turbine. They have the same vulnerabilities, they're running the same firmware, they're running the same all the things from, from a cyber perspective, they look identical, but they're not the same risk to my business because if one goes down the ice machine, I've got operators are upset because they can't put ice water in their, in their drink, but the plant still works, runs as. [00:44:28] Speaker B: Long as you got coffee. [00:44:29] Speaker A: Exactly right. But they're not the same risk to the business. And that's a differentiation between just the risk to the process and a risk to just the asset. Right. The asset is just an asset. And that's why it goes beyond just having an asset inventory. Right. It's really understanding what those assets are and why they're critical to that point. That's where you can say, hey, this is a really critical system. We should have a, you know, some, some security around the process and the processor and make sure the end to end is protected. Whereas the ice maker, yeah, if it goes down, it goes down. I don't care as much about that one. [00:44:59] Speaker B: And like you said, this is, this is about phasing it in. If we get to a point where 15, 20 years down the road, everybody's had a hard refresh and we actually have this available on chip, there's other applications besides security. Think about, you could actually see when PLCs start to have an issue. [00:45:10] Speaker A: Right. [00:45:11] Speaker B: You could see degradation on the I/O side. [00:45:13] Speaker A: Right. [00:45:13] Speaker B: You can get ahead of many maintenance issues. And I always, I always think it's important as security practitioners that we remember that not everybody's in security or completely worried about that. But we're looking at data that can be valuable for other things inside the business. 
But the chip idea, really, it's an area that I'm really interested in. I haven't seen a lot of people go after it and personally, I'm not a hardware guy, but I would love to see someone create a chip or a chip set that we could have in a PLC that frankly, at first it could be a passive sensor. It's monitoring what's actually happening at the kernel level. How are things passing on the board? Am I seeing things funky things happen? Because while today we haven't corroborated or actually seen, found yet something on a PLC that came in through the I/O side or even some of the physical things we haven't seen that I really, truly believe it's because we're not looking in the right place yet. And that's why the chips, the chip idea really interests me. And there's a few people talking about it, but it would. Hardware guys, if you're out there, it would be wonderful to see if you could, you could figure something out. Even if it was an add on, if there was a way to plug it into a particular critical like a module. [00:46:29] Speaker A: Yeah. [00:46:30] Speaker B: To, you know, maybe sitting off the back plate on, you know, a PLC. If there's a way that we can do that, I think it'd be incredibly useful. [00:46:36] Speaker A: Oh yeah. I mean, again, we've got to continue to innovate in these spaces and figure out different ways to, you know, to do it and be more efficient and. And I love the point you just brought up. It reminded me when I, when I deployed this again, when I started this in, in critical infrastructure, it wasn't called OT. It wasn't. We weren't doing cyber security. I got budget because I was bolted on for regulatory requirements around NERC CIP. But the thing that I pitched to the plants was operational availability and reliability. I wasn't telling them cybersecurity because I didn't care. Again, in 2010, nobody cared about cybersecurity, especially those people, because it just wasn't a problem for them. It wasn't in the news. 
People weren't hacking OT environments. They didn't really understand the risk. Maybe it was happening, but it wasn't in the news and people didn't know about it. And the answer always got, anytime cyber security is brought up is like, well, I've been running my plant for 40 years and nobody's ever hacked it. Why would it happen now? Right. And if that's the case, I'll just take it off the Internet. Right. I'll just, you know, disconnect it. And so when I changed that message, and I can't take credit for it, my boss really helped to drive that message because we realized that we were, you know, kind of beating our head against the wall trying to push the cybersecurity narrative that nobody cared about when we changed it to, hey, we can, we can help you see redundancy failures. We can help you see be more nimble and respond quicker to incidents that happen in the environment. We can give you data on your environment, make sure they're more. They're running efficiently, all those types of things. They're like, oh, well, I like that. That's value add. Because many times cyber security is just a cost center. Makes things difficult, it makes things expensive. You know, it adds a whole bunch of, you know, processes and people requirements around things that already run. And I'm not. It's not like, you know, going back to the car analogy, it's not like I'm putting a turbo and now it's faster. I'm actually probably taking a wheel off and having to figure out how to drive it with three wheels because it's more difficult. Many times in a lot of the times that we deploy all this stuff, it actually makes things more difficult. Especially you look at secure remote access, which is super important that we have. But it's harder to do many times than it is to just pull up something and VPN into a network or plug a laptop directly into an environment. It doesn't mean we shouldn't do it, but we have to acknowledge that it is harder. 
And if we make things so hard and again, it goes back to things like password. Everybody's had a long, complex password. Now we have password managers and all that kind of thing. But if you make a password requirement that's 30 characters long, nobody's gonna remember that. So what are they gonna do? They're gonna write it down and they're gonna put it in a sticky note on the, on the monitor. And I've seen it every power plant in the country that I've ever been to, right? And it's. So the policy and the idea of it seems logical. A harder password would mean it's harder to hack. But it only works if I don't write it down and it's not obvious and I don't just tell everybody about it and then I never change it and all that kind of stuff. Like, I. I'm defeating the purpose when I make it so complex that nobody uses it and they just find a way around it. Like they bypass the network, they disconnect it, they put in a wireless card, they put in a 5G card. They just find a way. Because. Because at the end of the day, the most important thing in these environments is that safety and availability. Right? So they want, it's more important that the plot, the process works and it functions. Because if it doesn't, then all the security stuff we did just doesn't matter. Because if they can't make their widgets and they can't make profit on it, we're just gonna shut the plant down and then none of this cybersecurity stuff matters anyways. Doesn't mean we shouldn't do it. It just means that we have to make sure we remember we're the tail, not the dog. Like we've got to remember we're a support organization helping to reduce risk. But we are not the only risk. And we're probably not even the highest priority risk in these environments. Many times we're just a risk that gets a lot of attention because it's in the news and it's, we like it and it's sexy and we spend a lot of time in it. 
But it's not always the best or most risky environment that they have or process or problem that they have in these spaces. [00:50:36] Speaker B: Yeah, I completely agree. There's. There's actually a kind of some interesting things just going back to the fact of, you know what you've seen in an environment and all the big ones, Crash Override, Volt Typhoon, etc. There's actually not that many public that we know about hacks and a lot of times that we see them, they end up being on the IT side. [00:50:57] Speaker A: Right. [00:50:57] Speaker B: What I don't think many of the vendors talk about is what we see normally is it's not a full on breach. We're not seeing a full on breach. We're seeing is reconnaissance. [00:51:09] Speaker A: How does this work? [00:51:10] Speaker B: Because all of these environments are different. So they have to figure out how it works. That's been very enlightening over the last eight years. Just how many times we've run into. They found their way in, they're just listening and trying to figure out how that works, which is scary in itself, which it's incredibly important to have a robust system behind that. But the, the fact that the reconnaissance is going to lead to something someday. I think people should be really aware of what they're doing from a visibility stance just so that they can see when people are poking around. And a lot of these, they gain access through the second half of what you were talking about, where folks are just trying to do their job. It's not like the guy who plugs in a wireless router out of, you know, oil derrick or substation is trying to cause issues. He's trying to do his job faster in most cases. And if we can open up communication between IT and OT and all those systems so that we understand when they're having those problems, that's something that we can fix. But we may have to balance. It may be technically less secure. [00:52:20] Speaker A: Right. 
[00:52:21] Speaker B: But if you're getting the job done, you know, is the juice worth? [00:52:25] Speaker A: The squeeze? Well, we see that all the time with patching. Patching is an easy one that should be very simple to solve. But we don't patch in OT very often and we do, but it just looks different. Like I'm not patching every Tuesday like you do in IT. I'm not. I've got Windows XP machines running in my environment and it's. I'm not going to get rid of them because they're the only way that I can run whatever process that I'm running. And, and as IT cybersecurity people, it blows their mind. What do you mean? You have XP, you're not patching. That's blasphemy. But it's not because again, it goes back to if I break this thing and I make it so difficult, simple thing like I did this at a. Or IT did this to us at a power plant where we had these desktop computers that were in the control room and they were not control system machines, they were just desktops, but they had OSI PI dashboards and graphs on it. So the operators used it to make decisions on things they could see, you know, levels and tanks and cooling temperatures and anyways, a bunch of different things that they used in their, in their daily job. Well, IT rolled out a new Active Directory group policy that said, okay, well everybody, if you, if you walk away from your machine and you leave it inactive for five minutes, we're going to lock the workstation, you know, put a screensaver on and make you log back in. Well, these operators, it was just a single machine. They didn't have a login. Like they didn't know what it was. Obviously there was a login, but it's not like they were individually logging into these machines. They were just running 24/7 because it's always staffed. So when they lock the screen, like I had to fight with IT to explain to them why it was. 
It was not, okay, that they did what they did and that they need to undo it and put us in a different group, a group ou so that we could not get that group policy. And I had to explain to them and justify like, okay, we're in a secure room they have to badge to get into, and there's only like 10 people that have access. So it's, it's a very, very low risk. It's not zero, but it's a very low risk that those machines are going to be used for nefarious reasons. And if somebody walks in and puts their hands on that keyboard and they're not one of the people they're supposed to be there, they're going to get noticed and recognized really quickly. [00:54:26] Speaker B: Operators are very good at that. [00:54:27] Speaker A: They're very good at. You don't walk in their environment, sit down at their computer and touch their screen without their permission because they will escort you out in a hurry. But it's little things like that that we've got to be able to get that. And I talk about it on here all the time. Sometimes the problems that we solve are not even the fun stuff or the technology, the cool stuff like the chip security and all that blockchain and AI like those things need to come, but we also just need to do the basic stuff and remember, you know, again, going back to the tail and the dog, like we're the tail, like, we need to make sure that we're not breaking their stuff because otherwise it just doesn't matter. [00:55:03] Speaker B: It's such a massive paradigm shift. For those of you who are in IT and ot curious and you want to come over, there will be a point where you have this. It's a paradigm shift in how you're thinking about the systems that you're protecting. Because a lot of times when we're talking in it, it's all around redundancy. Or if I take this system down, so and so can't get to a printer or it goes back to revenue as well, you lose productivity. 
But the systems that are in ot, if a system goes down and they can't get it up, power goes out, right? And hats off to our operators because at least where I live in Phoenix, Arizona, I haven't had a power outage in two or three years. It's been a long and last time we had a power out, I think it was out for 30, 35 minutes. I mean, they're all over it. But if we're putting barriers in place like that, that screensaver's on. That's locked and something happens. It's not a good place to be. So you start to really change your opinion and that's where you get to the cyber physical side like you were talking about. If it's in a secure area and we know who's in there and who can't be and it's tightly secured, then I believe, personally I feel that, that mitigation. The risk of having a login. [00:56:18] Speaker A: Correct. [00:56:19] Speaker B: But we in it. When I was over there, it's no, no, no, this is the best policy. What if somebody walks in that room? But it's because we don't know. [00:56:27] Speaker A: Right. [00:56:27] Speaker B: We haven't been there. So if you work, if you work for an OT company and you're in the IT side, even if you don't want to go into ot, I would highly suggest going out, meeting your operators, see what's going on. Yeah, take, take a tour, go to a site, see what they have to deal with on a daily basis because it'll help you secure and better. [00:56:43] Speaker A: Yeah, yeah. And that goes both ways too. I think our OT teams need to be reaching out to their IT teams because even back when I was, you know, I had a team and you know, I had six or so folks that supported 45 power plants. Like it was a small team and we supported everything from firewalls to VMware and networking gear and kind of the patching servers and the backup servers and antivirus and all the stuff. So we had to be kind of a jack of all trades to do all of those things. 
On the IT side, they had a dedicated VM team and they had a dedicated firewall team and they had a dedicated networking and switching team. So we built relationships with those teams and they weren't supporting us as far as like hands on keyboard for us, but we would send them firewall configs, right. And say, hey, could you guys take a look at this? This is what we're looking to implement. This is how we're doing it and get their feedback right. Because we're on the same team. Again, I don't want them controlling my control system or my firewall and I don't want them pushing active directory policy to my environment. But that doesn't mean I shouldn't use them for as a resource because they have the knowledge, they have a lot. That's all they do. It's like, you know, you go to a handyman that kind of does a little bit of everything or you go to a finished carpenter, like do you want cabinets or do you want cabinets. Like, there's a difference between the quality. It's not that the handyman can't make good cabinets, but he's not going to be as good as a guy that that's all he does. He does finish cabinets and that's all he does. The quality of his work is just going to be superior every single time. Right. It's just the way it is. So focus. [00:58:09] Speaker B: Focus is incredibly key. [00:58:11] Speaker A: And experience. Right. [00:58:12] Speaker B: The experience and some of these operators that we're starting to lose, it makes me sad, man. They. They know things that you'd never think of. Right. Because they've been there and it's hard to document that even. It's almost like guilty knowledge. [00:58:26] Speaker A: Right. [00:58:26] Speaker B: As that person has that experience and you're starting to leave, how do you know. Know where to document what. [00:58:31] Speaker A: Where the body said? [00:58:32] Speaker B: Right down. Right. Because it's, it's almost instinctual with them. 
So I really hope if you've got some older operators in, in the, in the environment that you're in, sit down. [00:58:43] Speaker A: Take them to lunch. [00:58:44] Speaker B: Yeah. [00:58:44] Speaker A: Buy them a donut. [00:58:45] Speaker B: Yeah. [00:58:46] Speaker A: Try to glean knowledge off of them as best you can. Well, hey, man, thanks for the time today. Really excited to see you here at S4. It's been a great conference. Dale, thank you so much for, for the opportunity to do this recording. And definitely, if you haven't been to S4, I highly recommend that you come check it out. B sides, ics. Hopefully they'll be doing that again next year. We'll be in Miami again next year. But definitely, you know, check out ICS Village, check out Ember, OT and Jory. Definitely LinkedIn all the things. We'll put it in the show notes. But thanks for your time today. Thanks for joining us on Protect it all, where we explore the crossroads of IT and OT cyber security. Remember to subscribe wherever you get your podcasts to stay ahead in this ever evolving field until next time.
