1
00:00:04,599 --> 00:00:09,320
I mean, cybersecurity is not just
a technical discipline. You need to add

2
00:00:09,599 --> 00:00:25,039
the additional procedural parts in your way
of securing your OT environment. Welcome everyone

3
00:00:25,120 --> 00:00:29,399
to the Industrial Security Podcast. My
name is Nate Nelson. I'm here with

4
00:00:29,480 --> 00:00:35,159
Andrew Ginter, the vice president of
Industrial Security at Waterfall Security Solutions. He's

5
00:00:35,200 --> 00:00:39,200
going to introduce the subject and guests
of our show today. Andrew, how's

6
00:00:39,240 --> 00:00:43,200
it going? I'm very well,
thank you, Nate. Our guest today

7
00:00:43,320 --> 00:00:49,520
is Joan Hartig. He is the
CEO and strategic advisor at Security OT in

8
00:00:49,719 --> 00:00:53,759
Denmark, and he's going to be
talking about deciding what to do next.

9
00:00:53,880 --> 00:01:00,560
This is a next step decision support
tool that Security OT is working on for

10
00:01:00,719 --> 00:01:07,200
industrial security. All right, then
let's get right into it. Hello, Joan,

11
00:01:07,439 --> 00:01:10,400
and welcome to the podcast. Before
we get started, can you say a

12
00:01:10,400 --> 00:01:14,000
few words about yourself for our listeners
and about the good work that you're doing

13
00:01:14,120 --> 00:01:18,159
at Security OT. Sure, Andrew,
and thank you for having me on the

14
00:01:18,239 --> 00:01:22,079
show. So my name is Joan
Hartig. I am a managing director in

15
00:01:22,239 --> 00:01:30,200
Security OT and strategic advisor. We've
been working with the production companies and utility

16
00:01:30,239 --> 00:01:38,959
services for now six years. We
have been helping them make risk assessments on

17
00:01:38,079 --> 00:01:45,400
their OT cybersecurity. Security OT is
a pure play OT security company. We

18
00:01:45,519 --> 00:01:52,879
originated in Denmark, but we cover
the Nordic part of Europe and also have

19
00:01:53,640 --> 00:01:57,719
global companies as our customers that are
in for instance, European countries and the

20
00:01:57,840 --> 00:02:05,920
US. Our topic is risk and
decisions. When I you know, you

21
00:02:05,959 --> 00:02:09,919
mentioned that that Security OT does risk assessments
routinely. You know, when I look

22
00:02:09,960 --> 00:02:15,039
at sort of generic risk assessments,
most of you know, a fifty or

23
00:02:15,080 --> 00:02:19,199
seventy five or one hundred and fifty
page report, most of it seems to

24
00:02:19,240 --> 00:02:23,280
be a long list of assets and
whether they've been patched and you know when

25
00:02:23,319 --> 00:02:29,719
the last time their password was changed? Is this? You know? Is

26
00:02:29,759 --> 00:02:32,960
it? What is this what we
need in in risk assessments? So you

27
00:02:34,000 --> 00:02:38,439
know what what is the need over
and above you know the asset inventory.

28
00:02:38,599 --> 00:02:44,960
So so what we believe in is
that that I mean, cybersecurity is not

29
00:02:45,120 --> 00:02:53,039
just a technical discipline. You need
to add the additional procedural parts in your

30
00:02:53,400 --> 00:03:00,120
way of securing your OT environment.
So like what is the criticality of an

31
00:03:00,199 --> 00:03:05,680
asset in the production line should be
the core consideration that you have, but

32
00:03:06,919 --> 00:03:14,080
the things around procedures for backup,
about your spare part stock, about incident

33
00:03:14,159 --> 00:03:20,400
response plans, and in a patching
procedure, whether the components are part of

34
00:03:20,439 --> 00:03:27,840
that. That's normally not a part
of an asset inventory database. Normally you're

35
00:03:27,960 --> 00:03:31,199
just having a focus on the devices, but you haven't really put in the

36
00:03:31,280 --> 00:03:37,159
aspect around how critical is this device. So if you have an offline printer

37
00:03:38,039 --> 00:03:40,639
that is in the database, but
you haven't really said, well, should

38
00:03:40,680 --> 00:03:47,960
we have another printer to do the
labels for whatever the medicine or can we

39
00:03:49,039 --> 00:03:52,639
live without it for a period of
time? And that should be a part

40
00:03:52,719 --> 00:03:55,560
of the decision making for the factory
manager saying where do we actually need to

41
00:03:55,599 --> 00:04:00,159
put in our money depending on the
criticality of the device. Okay, so

42
00:04:00,439 --> 00:04:05,479
you know we understand how we need
to understand how important each asset is.

43
00:04:05,719 --> 00:04:09,680
If the printer goes down, do
we have to stop the production line because

44
00:04:09,680 --> 00:04:16,959
we can't label the goods anymore?
Once you sort of understand importance, what's

45
00:04:17,040 --> 00:04:23,959
what's the next step? What are
you using this information for? So the

46
00:04:25,120 --> 00:04:30,399
methodology that we have made is basically
to try and to calculate a risk score.

47
00:04:30,680 --> 00:04:33,720
So the risk score is based on
the importance or the criticality of device

48
00:04:34,240 --> 00:04:40,120
versus the part that we actually have
versus the things that we actually done for

49
00:04:40,399 --> 00:04:46,120
either protecting it or being able to
recover, respond or or detect an actual

50
00:04:46,040 --> 00:04:50,680
attack against the device. So we
have looked into the cybersecurity framework with the

51
00:04:51,439 --> 00:04:57,720
four phases with the protect, respond, and recover. So like protect,

52
00:04:57,759 --> 00:05:02,000
we would look into the technical protection
of the printer or the PLC or the

53
00:05:03,079 --> 00:05:09,600
HMI. It could be is it
put in in a different different network segment

54
00:05:09,920 --> 00:05:14,879
or do we have remote access capabilities
which would be a negative thing to have

55
00:05:15,199 --> 00:05:19,720
on a device, or we will
also ask into the process around this.

56
00:05:20,000 --> 00:05:25,600
We'll also on the detection side,
we would look into do we actually monitor

57
00:05:26,000 --> 00:05:30,879
the device or the the network for
incidents that could occur or do we have

58
00:05:30,920 --> 00:05:34,319
a response plan? Do we
have an incident response plan for this? Do we

59
00:05:34,360 --> 00:05:39,519
know the ownership of the component or
do we have SLA on the spare part

60
00:05:39,600 --> 00:05:43,560
saying well we have one on stock
or we can call a vendor and they

61
00:05:43,600 --> 00:05:47,439
would be here within four hours with
a new printer for instance. Finally,

62
00:05:47,480 --> 00:05:51,680
we look into the recovery part about
for instance, backup frequencies, do we

63
00:05:51,720 --> 00:05:59,040
have we ever tested the backup? Or
where does the backup reside? So,

64
00:05:59,199 --> 00:06:04,199
depending on how you're answering the questions
around these things, we would calculate a

65
00:06:04,319 --> 00:06:11,160
risk score, and that risk score would be
a kind of an equation between the criticality

66
00:06:11,800 --> 00:06:18,040
and the different things you've done around
an asset. Andrew, I can't recall

67
00:06:18,199 --> 00:06:21,720
exactly when or who, but I
feel like we've talked about at least one

68
00:06:21,839 --> 00:06:27,279
or two risk tools on this show
in the past. What's different with the

69
00:06:27,319 --> 00:06:33,040
one we're talking about here? What
I see different here is sort of a

70
00:06:31,399 --> 00:06:39,160
deep, a deeper dive into availability. Joan mentioned it a bit, and

71
00:06:39,279 --> 00:06:41,240
you know he's going to touch on
it again later in an interview. He

72
00:06:41,240 --> 00:06:45,160
talked about spare parts. He talked
about are backups available. He said,

73
00:06:45,439 --> 00:06:48,920
do we have agreements with the vendors
to replace components within within a handful of

74
00:06:48,959 --> 00:06:54,000
hours if they fail? You know, we're talking about availability. We're talking

75
00:06:54,000 --> 00:06:58,120
about keeping production lines up. We're
talking about keeping the lights on in power

76
00:06:58,120 --> 00:07:01,800
plants. You know, we're talking
about addressing risks to production. And

77
00:07:01,839 --> 00:07:05,079
this is what a lot of engineering
teams in a lot of sites focus on.

78
00:07:05,800 --> 00:07:10,680
You know they yet they sort of
have they figure they have safety under

79
00:07:10,720 --> 00:07:15,279
control, and what they're thinking about
top of mind day in, day out

80
00:07:15,360 --> 00:07:19,839
is availability, is reliability, is
keeping uh you know, production going in

81
00:07:19,879 --> 00:07:25,079
the face of you know, routine
equipment failures and and you know, occasional

82
00:07:25,160 --> 00:07:28,759
errors and omissions and this kind of
stuff. And so you know, to

83
00:07:28,879 --> 00:07:33,120
me, this seems to be a
way to engage those teams in cybersecurity by

84
00:07:33,160 --> 00:07:41,120
pointing out that you know, uh, cybersecurity risks are relevant to availability,

85
00:07:41,399 --> 00:07:46,600
and if you can build up sort
of a big picture of risks to

86
00:07:46,680 --> 00:07:51,319
availability, of risks to reliability and
position cybersecurity in there, you know,

87
00:07:51,439 --> 00:07:55,319
down the road, it's going to
be easier to take the next step about

88
00:07:55,360 --> 00:07:58,279
saying, well, what other cyber
risks are there? How could they reach

89
00:07:58,360 --> 00:08:01,480
out of the reliability realm. I
don't know, into your safety realm or

90
00:08:01,480 --> 00:08:05,839
your equipment damage realm. But you
know, given the focus of a lot

91
00:08:05,879 --> 00:08:15,560
of businesses on reliability, it makes
sense to me to build that focus into

92
00:08:15,600 --> 00:08:20,160
a cyber risk tool and you know, deliver in a sense. Uh,

93
00:08:20,519 --> 00:08:24,519
you know, a couple of benefits, benefits for cybersecurity as and uh,

94
00:08:24,600 --> 00:08:31,040
you know, benefits in terms of
increased confidence and increased insight into the reliability

95
00:08:31,040 --> 00:08:35,759
of our production processes. So criticality
is important. You know, does the

96
00:08:35,759 --> 00:08:41,600
production line have to stop if the
printer malfunctions because we can't you know,

97
00:08:41,759 --> 00:08:50,360
label the product anymore. But you
know you're gathering you know what Once we

98
00:08:50,480 --> 00:08:54,440
understand criticality, you know what else
is there? How do we use that?

99
00:08:56,559 --> 00:09:05,039
So our methodology is looking in two
different aspects of how to evaluate the

100
00:09:05,200 --> 00:09:11,360
risk of the asset. So we
are relying on or looking into the cybersecurity

101
00:09:11,399 --> 00:09:16,240
framework with the three different phases.
It is the protect, detect, respond,

102
00:09:16,279 --> 00:09:20,639
and recover phases. So when we're
looking on one component, we are

103
00:09:20,639 --> 00:09:26,120
looking about the protection part saying do
we have the technical protection in place like

104
00:09:26,320 --> 00:09:31,840
firewalling, antivirus, network segmentation.
But we will also look into the more

105
00:09:33,679 --> 00:09:35,919
soft part so to say, the
procedures around it, saying well, do

106
00:09:37,000 --> 00:09:41,039
we actually have a patch and vulnerability
process around these devices. On the detection

107
00:09:41,159 --> 00:09:46,759
side, we would look into saying
do we actually monitor would we discover an

108
00:09:46,799 --> 00:09:52,559
attack against the printer or the sorder
or the HMI or the PLC. Where

109
00:09:52,559 --> 00:09:56,039
does the alarms go? Do we
have a log for this? On the

110
00:09:56,080 --> 00:09:58,759
response part we will look into the
more soft parts saying well, we need

111
00:09:58,799 --> 00:10:03,720
an incident response plan. Is that
is this component a part of that?

112
00:10:05,759 --> 00:10:09,759
Do we actually have ownership on the
component? Do we have an SLA

113
00:10:09,759 --> 00:10:18,440
about about the replacement of the device, is it end of life? And

114
00:10:18,480 --> 00:10:22,440
to support these issues and on these
components, and on the recover side,

115
00:10:22,440 --> 00:10:26,000
we'll say, well what about backups? Do we do backups? Do we

116
00:10:26,039 --> 00:10:31,279
do the do we do a test
of the backup? And where is it

117
00:10:31,360 --> 00:10:33,480
located? Actually, if we need
it, can we get it? And

118
00:10:33,559 --> 00:10:41,960
we're using all this information to kind
of put it into an algorithm or algorithm

119
00:10:41,039 --> 00:10:46,720
where we where we calculate the risk
score. So by doing the risk score calculation,

120
00:10:46,879 --> 00:10:50,399
we can actually go in in and
say, well these components have a

121
00:10:50,440 --> 00:10:56,799
high the most negative risk score and
thereby we should start to make decision making

122
00:10:56,879 --> 00:11:01,519
about getting these risk scores on a
on an acceptable level. Okay, so

123
00:11:01,600 --> 00:11:07,120
that that kind of makes sense in
the abstract, But you know, I

124
00:11:07,200 --> 00:11:11,840
understand you do this all the time. You have a tool, you know

125
00:11:11,240 --> 00:11:15,879
in your world when you're doing a
risk assessment, when you're putting all of

126
00:11:15,919 --> 00:11:18,639
this information together, where does the
data come from? Do you do You

127
00:11:18,720 --> 00:11:22,759
press a button and it appears,
so how magically do you? You know?

128
00:11:22,840 --> 00:11:26,039
Do you enter the data manually?
What you know? Where? How

129
00:11:26,080 --> 00:11:28,480
do you? How do you do
this? We do when we go out

130
00:11:28,639 --> 00:11:33,120
making these assessments, we do see
a lot of spreadsheets going on, so

131
00:11:33,519 --> 00:11:41,240
people are putting in asset information in
different spreadsheets and having that as a as

132
00:11:41,360 --> 00:11:48,399
as A as their asset management
inventory lists. So that is that is

133
00:11:48,320 --> 00:11:54,639
we in the tool we are enabling
the import of these spreadsheets. It could

134
00:11:54,679 --> 00:12:00,759
also be that we have a structured
asset management platform that we can that

135
00:12:00,840 --> 00:12:05,679
we can import information from. We
also see from some customers where we've

136
00:12:05,679 --> 00:12:09,799
done the assessment that they don't have
any idea about what is out there.

137
00:12:11,279 --> 00:12:16,399
So what we see is also going
out making an active scan where we're using

138
00:12:16,480 --> 00:12:22,679
like Nozomi to do a smart
polling, uh, run where we are getting information

139
00:12:22,840 --> 00:12:26,840
back from PLCs, HMIs
and scales and switches and things

140
00:12:26,919 --> 00:12:31,480
like that. So we are building
up the asset database from that play.

141
00:12:33,320 --> 00:12:37,799
So it's different ways that we can
import into our tool and then starting up

142
00:12:39,000 --> 00:12:43,960
a base of of assets. The
other side is that that we might when

143
00:12:43,000 --> 00:12:52,120
we go out. We do manual
registration of OT devices. So we do

144
00:12:52,279 --> 00:12:56,720
go out and having the tool.
It's it's able, it's can it is

145
00:12:56,840 --> 00:13:01,039
enabled on a on a on an
iPad where you actually can go out and

146
00:13:01,039 --> 00:13:07,200
and and register devices that might not
be connected so you can't see it on

147
00:13:07,320 --> 00:13:11,480
the scan. But it also can
be new devices that have not been been

148
00:13:11,559 --> 00:13:16,679
been registered yet in the original database. So we do have different ways of

149
00:13:16,720 --> 00:13:22,840
getting information into the into the into
the application. That makes sense, you

150
00:13:22,879 --> 00:13:26,000
know, it sounds like you're importing
stuff. There's some you know, some

151
00:13:26,080 --> 00:13:33,320
manual data entry. Can I ask
you know how often does this data set

152
00:13:33,919 --> 00:13:39,159
change? I mean and and and
how do you in a sense, how

153
00:13:39,159 --> 00:13:43,519
do you track those changes? If
if the business implements an incident response plan,

154
00:13:43,799 --> 00:13:48,720
that's not something that you can scan
the devices and discover that suddenly there

155
00:13:48,799 --> 00:13:52,519
is an incident response plan for these
devices, whether they used to be you

156
00:13:52,519 --> 00:13:54,960
know, how how often does this
change? And how do you keep track

157
00:13:54,000 --> 00:14:00,519
of it? So so the the
idea with the tool is that it's not

158
00:14:00,840 --> 00:14:07,480
just a risk assessment tool that
you're doing once a year or once a

159
00:14:07,639 --> 00:14:13,600
quarter. This should be a continuous
work where the operator of the production line

160
00:14:13,679 --> 00:14:18,200
are registering changes so or it could
be on a more global scale. Let's

161
00:14:18,200 --> 00:14:24,879
say that they have done an initial
risk assessment and figuring out that well,

162
00:14:26,000 --> 00:14:28,679
on the backup part, we don't
have any backups. It's clear when we

163
00:14:30,080 --> 00:14:33,559
walk through the three hundred OT components
on the factory floor that we don't have

164
00:14:33,600 --> 00:14:39,600
a backup. So we going out
through the decision making of the report saying

165
00:14:39,639 --> 00:14:43,399
well, we need to buy a
backup solution. And when that backup solution

166
00:14:43,559 --> 00:14:48,080
has been implemented, basically you're going
into the tool and making a bulk update

167
00:14:48,120 --> 00:14:52,159
saying, well, all the devices
on production line five, they are now

168
00:14:52,240 --> 00:14:56,600
a part of backups, so you
can make a bulk update saying well,

169
00:14:56,639 --> 00:15:03,720
now we have this production line enabled
on backups, automatic backups, and thereby

170
00:15:03,759 --> 00:15:09,120
you can see that your maturity and
your security level would be better due to

171
00:15:09,200 --> 00:15:13,720
the fact that your risk score would
be better because you have entered that now

172
00:15:13,759 --> 00:15:18,519
we have a backup solution implemented on
the factory floor. So that's the idea

173
00:15:18,559 --> 00:15:22,519
about this that this is not just
a one shot, but it's a continuous

174
00:15:22,559 --> 00:15:33,200
work with enhancing our resiliency and our
ways of working with cybersecurity in OT. Okay.

175
00:15:33,240 --> 00:15:35,759
So we have the data, you
know, it's a wide variety of

176
00:15:35,840 --> 00:15:43,519
data. We are maintaining the data. You know. A truism that I

177
00:15:43,639 --> 00:15:50,200
try to go by is it's only
worth acquiring and tracking data if you're going

178
00:15:50,279 --> 00:15:54,279
to use it. Otherwise it's wasted
effort. So can you tell me once

179
00:15:54,320 --> 00:16:00,039
you've got an accurate, up to
date inventory, understanding criticality, and the understanding

180
00:16:00,039 --> 00:16:03,679
all of these other characteristics of the
security program and how they apply to each

181
00:16:03,720 --> 00:16:08,200
of the assets. Once you have
all of this, you know, arguably

182
00:16:08,279 --> 00:16:11,159
valuable data set. How do you
make it valuable? How do you use

183
00:16:11,200 --> 00:16:17,440
it? What do you use it
for? So actually we've been running a

184
00:16:17,480 --> 00:16:21,840
beta test at the customers right now. Hopefully the tool would be released in

185
00:16:22,480 --> 00:16:27,440
the beginning of next year in
twenty four. The experience that we had

186
00:16:27,519 --> 00:16:33,080
from the tool and the beta customers
is that they actually like like and can

187
00:16:33,120 --> 00:16:40,679
see a great value in a structured
and a centralized way of making reports.

188
00:16:40,759 --> 00:16:45,519
So we have some of the customers
that are in the beta program and are able to

189
00:16:45,879 --> 00:16:52,320
go out and say we would like
to kind of compare five or six different

190
00:16:52,519 --> 00:17:00,720
factories and by having KPIs like we
would like to see the number of the

191
00:17:00,840 --> 00:17:04,960
number of unsupported hardware that are more
than five years old, for instance,

192
00:17:06,000 --> 00:17:10,799
and we might put in a KPI
in the factory on the factory level saying

193
00:17:10,880 --> 00:17:15,759
well, we won't have a critical
infrastructure that is more than five years old.

194
00:17:15,799 --> 00:17:19,359
That that that's not that's a a
KPI we're putting in as a measurement

195
00:17:19,519 --> 00:17:23,359
for saying that's where we need to
go in and make an investment so we

196
00:17:23,400 --> 00:17:30,079
can keep this KPI. And and
that's what people like that. It's it's

197
00:17:30,200 --> 00:17:34,000
it's done in a structured way,
and they can track how far they are

198
00:17:34,240 --> 00:17:37,640
on the on the goal, so
to say. And they can kind of

199
00:17:37,680 --> 00:17:44,200
measure one period where they had made
an assessment and then they're going out the

200
00:17:44,279 --> 00:17:48,440
year after maybe making a new one, so they have a track on what

201
00:17:48,680 --> 00:17:53,000
has actually been improved here. So
that that's that's a that's a key point

202
00:17:53,039 --> 00:17:57,319
that we're seeing from our beta testers, that that that's a

203
00:17:57,359 --> 00:18:03,359
great value for them. Okay,
so you know the the inventory and this

204
00:18:03,480 --> 00:18:08,240
sort of standard set of characteristics and
standard calculations gives you a ruler. It

205
00:18:08,359 --> 00:18:14,079
lets you measure the you know,
Compare the strength of your security on one

206
00:18:14,119 --> 00:18:18,359
part of your production line versus another. Compare the strength for your security between

207
00:18:18,480 --> 00:18:22,680
factories. Report to your management team, you know, key performance indicators.

208
00:18:22,039 --> 00:18:25,839
Is that is that the main benefit
is that what you use the tool for.

209
00:18:26,079 --> 00:18:30,599
So so the main benefit here is
that that we can kind of look

210
00:18:30,680 --> 00:18:38,799
into how the risk score is is
is deciding which investments that are done from

211
00:18:38,799 --> 00:18:45,319
a management perspective. So so driving
the risk score to an acceptable level would

212
00:18:45,359 --> 00:18:51,920
be would be the reports would be
included in the reports about what's your next

213
00:18:52,039 --> 00:18:56,799
step be. So, Nate,
let me recap just a little bit here.

214
00:18:57,160 --> 00:19:04,680
I heard sort of two benefits out
of this risk scoring system. One

215
00:19:04,839 --> 00:19:10,640
is that you get a number out
of the process at the end saying,

216
00:19:10,920 --> 00:19:15,440
you know, sort of adding up
all of the risk of downtime at at

217
00:19:15,440 --> 00:19:19,160
a facility, and you know,
the number kind of makes sense. You

218
00:19:19,160 --> 00:19:23,359
assign a number to every device in
the facility, add it all up.

219
00:19:25,519 --> 00:19:29,799
What does this mean? Well,
it means larger facilities with more stuff are

220
00:19:29,920 --> 00:19:33,839
at greater risk of downtime, you
know, all everything else being equal.

221
00:19:34,039 --> 00:19:38,599
It gives you a ruler to sort
of measure risk of downtime across facilities,

222
00:19:40,000 --> 00:19:44,559
you know, so that you can
you can again make investment decisions. Where

223
00:19:44,599 --> 00:19:47,720
should I if I want the biggest
bang for my investment dollar in terms of

224
00:19:47,759 --> 00:19:52,319
reduced downtime due to cybersecurity risks,
due to reliability risks, where am I

225
00:19:52,359 --> 00:19:56,519
going to put my next dollar?
Well? Which facility is at greatest risk?

226
00:19:56,599 --> 00:20:00,920
Okay, now that I figured out
the facility within the facility, and

227
00:20:00,960 --> 00:20:03,960
I say, well, which components
in the facility are contributing the most?

228
00:20:03,599 --> 00:20:07,400
Those are the components I should focus
on. What are the characteristics of those

229
00:20:07,440 --> 00:20:11,039
components that are contributing to most?
Is it that they're not backed up?

230
00:20:11,160 --> 00:20:15,720
Is it that they're old equipment that
we can't buy on, you know,

231
00:20:15,759 --> 00:20:19,000
from the vendor anymore, and we
don't have spares for anymore. Is it

232
00:20:19,240 --> 00:20:22,440
that, you know, multiple vendors
are remoting into the same device, and

233
00:20:22,480 --> 00:20:26,039
if any one of them makes a
mistake, there's going to be finger pointing

234
00:20:26,039 --> 00:20:29,240
and it's going to take forever to
figure out what happened. You know,

235
00:20:29,279 --> 00:20:33,960
these are all characteristics that contribute to
risk. And you know, here's a

236
00:20:33,279 --> 00:20:37,519
sort of a score sheet that lets
us figure out, you know, if

237
00:20:37,559 --> 00:20:42,680
we've got x dollars to spend this
year on on risk reliability, risk from

238
00:20:42,799 --> 00:20:48,400
cybersecurity to you know, normal equipment
failures. Where should I focus that and

239
00:20:48,599 --> 00:20:53,279
how do I drill down and you
know, select the components that that need

240
00:20:53,359 --> 00:21:00,519
upgrades, that need that need remediation. So what you're saying is that

241
00:21:00,839 --> 00:21:06,920
a key output is the actual risk
score for a production line or for a

242
00:21:06,960 --> 00:21:11,720
set of assets, and if that
score is unacceptable, then you know the

243
00:21:11,759 --> 00:21:18,400
next step is obviously to fix it. Do your customers understand the meaning of

244
00:21:18,400 --> 00:21:22,039
a risk score? Do they understand
the difference between a plus seventeen and a

245
00:21:22,079 --> 00:21:26,759
minus four hundred and thirty two?
Do these numbers mean anything? So the

246
00:21:26,799 --> 00:21:33,559
tool gives you the ability to look
into what is actually causing a negative risk

247
00:21:33,640 --> 00:21:41,359
score and thereby making decisions based on
that knowledge. But clearly the numbers are

248
00:21:41,200 --> 00:21:48,640
mostly for the decision makers
saying well a bad risk score is probably

249
00:21:48,680 --> 00:21:52,160
not good, so we need to
look into those. So basically, when

250
00:21:52,160 --> 00:21:56,039
we're doing these assessments, you will
make a sort at the end saying

251
00:21:56,200 --> 00:22:02,160
well, which one are the worst
ones? Do they have any characteristics the

252
00:22:02,279 --> 00:22:06,680
ones with a bad risk score?
And do we see a kind of a

253
00:22:06,759 --> 00:22:10,799
trend saying well, we don't have
an incident response plan, or we don't

254
00:22:10,799 --> 00:22:15,960
have necessary backups, or we don't
have spare parts in so can we as

255
00:22:17,000 --> 00:22:21,480
a company on a seal on a
global scale saying well, we need to

256
00:22:21,519 --> 00:22:29,680
look into either a technical solution or
we need a procedural part like incident response

257
00:22:29,759 --> 00:22:33,720
saying well, from a global perspective
in a company, we need to go

258
00:22:33,799 --> 00:22:41,720
out and develop an incident response plan
because the risk score is showing that that we

259
00:22:41,759 --> 00:22:45,079
don't have that. So so that's
the kind of way you're going from a

260
00:22:45,119 --> 00:22:48,839
detailed level on the component part and
kind of putting it up to a more

261
00:22:48,920 --> 00:22:55,359
global consideration about where should we put
in our efforts because we can see all

262
00:22:55,400 --> 00:23:00,799
the factories are missing whatever. So
that's also the idea that that the risk

263
00:23:00,799 --> 00:23:03,640
score can be used on different levels
in the company, not only for the

264
00:23:03,680 --> 00:23:11,119
operator but also for the factory manager
but also for the whatever. The risk

265
00:23:11,160 --> 00:23:15,680
governance sports saying well, we can
see that there's an issue about this all

266
00:23:15,720 --> 00:23:18,680
over the place, so we need
to do something about it. Okay,

267
00:23:18,759 --> 00:23:23,799
So so the tool you know,
shows you what is sort of sticking out

268
00:23:23,839 --> 00:23:32,640
as as most exposed or most you
know, consequential. Can we do what

269
00:23:32,680 --> 00:23:37,240
if scenarios? I mean, let's
say we define an incident response plan for

270
00:23:37,279 --> 00:23:41,960
production line four, or we, uh, you
know, deploy antivirus throughout factory number three.

271
00:23:44,480 --> 00:23:47,960
Can we see how the risk score
will change as result of those those

272
00:23:48,000 --> 00:23:52,880
actions or will change if we if
we carry out those actions. It is

273
00:23:52,960 --> 00:23:56,480
on our wish list to have that
on a on a on a future version.

274
00:23:56,519 --> 00:24:00,519
It's not there yet, but but
still what we can can can tell

275
00:24:00,559 --> 00:24:08,559
the customers is how does the which
part of the questions are actually impacting the

276
00:24:08,640 --> 00:24:14,640
risk score most? So we can
go out and and and saying like whatever

277
00:24:15,000 --> 00:24:19,359
a negative on backup gives you a
negative of minus fifty or whatever. So

278
00:24:19,359 --> 00:24:25,559
so we can show the customer how
have we defined the algorithm behind it,

279
00:24:25,680 --> 00:24:30,119
saying which one do we see as
the as the most critical part that gives

280
00:24:30,279 --> 00:24:36,519
a bad risk score. And we are also
in the process for looking into whether the

281
00:24:36,559 --> 00:24:41,839
customers should be able to give input
to how the risks score should be calculated.

282
00:24:41,920 --> 00:24:48,720
So our definition of the risk score
might not be suitable for another customer,

283
00:24:48,759 --> 00:24:51,319
but it's not in the in the
in the play right now to go

284
00:24:51,400 --> 00:24:56,839
out and and kind of tailor the
risk score for a specific company. But

285
00:24:56,920 --> 00:25:00,920
we can tell the customer how is
the risk score defined and what what how

286
00:25:00,200 --> 00:25:04,559
how does for instance, backup or
spare parts or a missing incident response plan

287
00:25:06,079 --> 00:25:10,079
impact the risk score. We can
do that, but we don't have the

288
00:25:10,440 --> 00:25:17,839
the what if kind of play in
the application yet. You folks are in

289
00:25:17,880 --> 00:25:22,599
the European Union, you're in Denmark, and NIS 2 is the big news

290
00:25:22,759 --> 00:25:27,319
in the Union, you know the
last couple of years. Does this tool

291
00:25:27,400 --> 00:25:33,359
give your customers a leg up on
NIS 2? I think the thing that

292
00:25:33,640 --> 00:25:38,079
when you're looking into NIS 2,
the headline for NIS 2 is basically doing

293
00:25:38,119 --> 00:25:45,480
a risk based approach and using that
as a as a decision making for how

294
00:25:45,519 --> 00:25:51,279
do you how do you secure your
your utility service or your production or whatever

295
00:25:51,319 --> 00:25:55,920
your bank. And included in NIS
2 there's a lot of focus on, for

296
00:25:55,960 --> 00:26:02,680
instance, asset management, vulnerability management, incident management, and and other important

297
00:26:02,680 --> 00:26:08,519
disciplines. So it will be enforced
here in in October twenty four and and

298
00:26:08,640 --> 00:26:12,640
we believe that that the methodology and
the tools that we have can can help

299
00:26:12,720 --> 00:26:18,640
with complying with these requirements from NIS 2. NIS 2 also requests that

300
00:26:19,400 --> 00:26:25,799
the management team of the organization
have authority and understanding about the security level of

301
00:26:25,839 --> 00:26:30,160
the company. And we believe that
putting in key performance indicators about

302
00:26:30,200 --> 00:26:37,559
where you are as a company from
a cybersecurity perspective is important for the management

303
00:26:37,640 --> 00:26:45,359
team to have the insight and
the capabilities to approve new initiatives where

304
00:26:45,400 --> 00:26:48,759
they can say, well, it's
not good with a negative risk,

305
00:26:48,880 --> 00:26:52,279
or we
need to do something. So the

306
00:26:52,400 --> 00:26:56,519
question about how you can equip
the customer, the C-level, with the

307
00:26:56,559 --> 00:27:04,160
right knowledge, that's one of
the key outputs from

308
00:27:04,359 --> 00:27:10,000
a risk assessment tool like ours. But again, it's not just doing risk

309
00:27:10,000 --> 00:27:15,839
assessments, it's also doing the
continuous work around cybersecurity. How can we

310
00:27:15,880 --> 00:27:19,359
improve, where can we improve and
also track the improvements in the tool.

311
00:27:22,319 --> 00:27:26,759
You know, Andrew, risk
has been an important theme of our podcast,

312
00:27:26,839 --> 00:27:32,319
especially recently. But when we use
terms sometimes in this area, like

313
00:27:32,519 --> 00:27:36,519
risk-based approach, it just kind
of seems a little bit vague and open

314
00:27:36,559 --> 00:27:41,400
to interpretation. Oh, it's very
much open to interpretation. I mean,

315
00:27:41,920 --> 00:27:47,240
you know, I'm familiar with
the North American market, with some parts of

316
00:27:47,279 --> 00:27:51,400
the market. You know, sort
of in common usage, risk-based is,

317
00:27:52,160 --> 00:27:57,880
you know, synonymous with doing whatever
you want. Because risk based says I

318
00:27:57,920 --> 00:28:03,200
assess the risk, I decide how
at risk I am. I determine my

319
00:28:03,559 --> 00:28:11,599
business's risk tolerance. And so,
you know, anything I do is by

320
00:28:11,680 --> 00:28:15,200
definition risk based. Because I've assessed
the risk, and because I've determined the

321
00:28:15,240 --> 00:28:18,559
tolerance, I can set the tolerance
bar. I can tolerate as much risk

322
00:28:18,599 --> 00:28:22,039
as I want and therefore spend as
much or as little as I want on

323
00:28:22,079 --> 00:28:29,960
cybersecurity. That's sort of the common
usage. The thing is that that common

324
00:28:30,079 --> 00:28:36,720
usage and regulations don't jibe. NIS
2 is, you know, a

325
00:28:36,839 --> 00:28:41,319
directive from the European Union to the
Member States. The Member States, to

326
00:28:41,359 --> 00:28:45,839
comply with the directive, have to
define regulations for critical infrastructure for cybersecurity,

327
00:28:47,039 --> 00:28:51,480
and the directive instructs
the Member States to produce regulations that are

328
00:28:51,559 --> 00:28:53,359
risk based. The Member States are
not going to say you can do whatever

329
00:28:53,400 --> 00:28:57,960
you want. The Member States are
going to do something that says you have

330
00:28:59,039 --> 00:29:03,160
to have you know, you have
to provide evidence that you have assessed the

331
00:29:03,240 --> 00:29:07,519
risk and that you're taking steps to
address the risk. And here's a tool

332
00:29:07,880 --> 00:29:14,160
that provides evidence. You know,
this is a tool that you

333
00:29:14,200 --> 00:29:15,839
know, auditors are going to look
at and say, yep, you have

334
00:29:15,880 --> 00:29:18,960
done the risk assessment, you have
identified what's most at risk. You have

335
00:29:19,279 --> 00:29:22,920
so this is you know, this
is a step in the right direction.

336
00:29:22,960 --> 00:29:29,960
It sounds like, so you said that
the tool is coming out in Q1,

337
00:29:30,440 --> 00:29:33,960
but, you know, it sounds
like you've been using something like this

338
00:29:34,079 --> 00:29:38,960
tool for some time, you know, previous versions of it. Whatever.

339
00:29:41,200 --> 00:29:45,880
How has the tool been received by
your customers? I mean they they've presumably

340
00:29:45,880 --> 00:29:49,200
been using beta versions, you know. What value do they

341
00:29:49,240 --> 00:29:53,000
see in it? So,
first of all, they like the idea

342
00:29:53,079 --> 00:30:02,519
about having the aspect around
how can we secure, how can we protect

343
00:30:02,839 --> 00:30:08,400
the availability of a production flow or
utility service with the pump station

344
00:30:08,480 --> 00:30:14,480
and things like that, So having
a clear view on how do we protect

345
00:30:14,519 --> 00:30:21,160
these things from, and sorry, having
the availability of running for either the

346
00:30:21,200 --> 00:30:26,400
production line or the utility service,
and people like the idea about

347
00:30:26,599 --> 00:30:30,599
adding information to the traditional asset management
tool where they have what we say,

348
00:30:30,759 --> 00:30:38,000
kind of static data or non-critical
information added to their

349
00:30:38,359 --> 00:30:44,359
data from the assets.
So they have perceived it very well.

350
00:30:44,440 --> 00:30:48,920
And yeah, normally we see that
it's been used. They have

351
00:30:48,000 --> 00:30:56,400
been using spreadsheets which are somewhere, or
somebody has updated it somewhere at some point

352
00:30:56,400 --> 00:31:03,920
of time. So they like the
idea about a structured way, one place

353
00:31:03,039 --> 00:31:07,200
to have the data and they can
work with them. We have built a

354
00:31:07,200 --> 00:31:15,359
solution around traditional Microsoft platforms like SQL
and Power BI, so they can

355
00:31:15,440 --> 00:31:22,279
get a good insight and have a
structured approach to how data are covered and

356
00:31:22,720 --> 00:31:27,799
and stored. So this makes sense. You know, a tool to automate

357
00:31:27,799 --> 00:31:33,279
the process of tracking, you know, a
lot of security characteristics. A tool that

358
00:31:33,319 --> 00:31:37,279
you can press a button and say, well, where is the next investment

359
00:31:37,319 --> 00:31:41,440
in security that's going to pay off
the most in terms of increased reliability of

360
00:31:41,880 --> 00:31:45,799
manufacturing and critical infrastructure. Thank you
for joining us. This all makes

361
00:31:45,839 --> 00:31:49,079
sense. Before we let you go, you know, can you sum up

362
00:31:49,079 --> 00:31:53,480
for our listeners what are the most
important lessons here and you know what should

363
00:31:53,480 --> 00:31:57,200
they be thinking about going forward?
Yeah, well, from our experience and

364
00:31:57,480 --> 00:32:01,079
also what we hear all the time
is that if you don't know your OT

365
00:32:01,240 --> 00:32:07,920
infrastructure, you're not able to protect
it, and we believe that is true

366
00:32:07,480 --> 00:32:13,039
when we're doing assessments. About ninety
percent of the assessments that we've done we

367
00:32:13,079 --> 00:32:19,759
have found components that were not registered
or even the operator didn't know it was

368
00:32:19,839 --> 00:32:22,920
dangerous. And I guess that's
also our learning here, saying that the whole

369
00:32:22,960 --> 00:32:29,720
thing about awareness on the factory floor, about putting in modems or putting in

370
00:32:29,839 --> 00:32:36,519
devices that can actually help the operator
for being more effective might have an impact

371
00:32:36,640 --> 00:32:45,559
on the security on the factory floor. So having a structured approach to asset

372
00:32:45,799 --> 00:32:51,480
management from a risk perspective will help
the customers to make the right decisions.

373
00:32:51,720 --> 00:32:55,960
And we believe that there's a need
for going into the details here, having

374
00:32:55,960 --> 00:33:02,319
the specifications on a component level to
make those decisions. So I mean we're

375
00:33:02,400 --> 00:33:07,960
just seeing, I mean, you need to
put in not only the technical protective

376
00:33:08,079 --> 00:33:15,000
solutions, such as network segmentation or
antivirus or monitoring, you also

377
00:33:15,039 --> 00:33:23,640
need to look into the overlaying procedures
for maintaining the right level of cybersecurity.

378
00:33:23,720 --> 00:33:28,640
I mean, just the recent attacks
that we've seen on water utilities in

379
00:33:28,960 --> 00:33:37,880
the US and in Ireland, where
vulnerabilities were used to lay down water utilities.

380
00:33:38,160 --> 00:33:45,279
Also, actually in Denmark we have seen
an attack against twenty-two energy companies

381
00:33:45,680 --> 00:33:52,119
just recently where a vulnerability in a firewall
was utilized. It all makes sense to

382
00:33:52,200 --> 00:33:58,880
go out and actually look into the
procedures, and that can help us protect the

383
00:33:58,920 --> 00:34:05,400
infrastructure regardless of whether it's utility service
or production. So that's, I think,

384
00:34:05,440 --> 00:34:09,559
an important output from this, that we
don't only look at the technical part,

385
00:34:09,639 --> 00:34:15,320
but also having a focus on who's
actually doing what in our companies.

386
00:34:15,960 --> 00:34:20,880
So about the tool, I mean
reach out on LinkedIn. We would like

387
00:34:20,960 --> 00:34:28,440
to have customers onboard to evaluate the
solution and you can see more on our

388
00:34:28,480 --> 00:34:35,559
websites. But thank you very much
Andrew for having me here. Andrew,

389
00:34:35,559 --> 00:34:37,440
that seems to be the end of
your interview with Joan. Do you have

390
00:34:37,599 --> 00:34:40,760
any final word you'd like to take
us out with today? Yeah, I

391
00:34:40,760 --> 00:34:45,159
mean I learned something here. I
mean this tool sounds like a step

392
00:34:45,159 --> 00:34:50,360
in the right direction in my understanding. It does three things. It identifies

393
00:34:50,679 --> 00:34:54,719
all risks to reliable operations,
from the mundane, you know, lack of

394
00:34:54,760 --> 00:34:59,960
spare parts to the cyber you know, lack of an incident response plan.

395
00:35:00,840 --> 00:35:05,719
It gives you a ruler to compare
risks across sites. Again, it helps

396
00:35:05,760 --> 00:35:12,320
with investment decisions, which site is
most in need of reliability investments, which

397
00:35:12,320 --> 00:35:16,199
site is most in need of security
investments. It helps make decisions about how

398
00:35:16,239 --> 00:35:22,639
to spend those security dollars most effectively. And it provides the kind of evidence

399
00:35:22,880 --> 00:35:28,320
that we're going to need for NIS
2 regulations, evidence of disciplined,

400
00:35:28,719 --> 00:35:37,159
risk based decision making, not handwaving, but actual numbers and justification for security

401
00:35:37,159 --> 00:35:40,079
investments. All right. Well,
with that, thank you to Joan Hartig

402
00:35:40,119 --> 00:35:44,840
for speaking with you, Andrew.
And Andrew, as always, thank you for speaking

403
00:35:44,880 --> 00:35:47,320
with me. It's always a pleasure. Thank you, Nate. This has

404
00:35:47,360 --> 00:36:00,159
been the Industrial Security podcast from Waterfall. Thanks to everybody out there listening. B
