1
00:00:06,320 --> 00:00:09,480
It was so frustrating for me to
get into the field, and I don't

2
00:00:09,519 --> 00:00:13,679
want people today to feel that level
of frustration and it just shouldn't be that

3
00:00:13,800 --> 00:00:29,280
hard. Welcome everyone to the Industrial
Security Podcast. My name is Nate Nelson.

4
00:00:29,559 --> 00:00:34,280
I'm here with Andrew Ginter, the
vice president of Industrial Security at Waterfall

5
00:00:34,320 --> 00:00:38,280
Security Solutions. He is going to
introduce the subject and guests of our show

6
00:00:38,359 --> 00:00:41,880
today. Andrew, how's it going? I'm very well, thank you,

7
00:00:41,960 --> 00:00:47,159
Nate. Our guest today is Mike
Holcomb. He is a fellow for cybersecurity

8
00:00:47,280 --> 00:00:53,600
at Fluor and he's the global lead
for the Industrial Control System and OT cybersecurity practice,

9
00:00:54,240 --> 00:00:57,880
and he's going to be talking about
changing careers. He's going to be

10
00:00:57,880 --> 00:01:00,679
talking about making the move from wherever
you are in engineering, in IT, or somewhere

11
00:01:00,679 --> 00:01:06,439
else, making the move into OT
security. So, without further ado,

12
00:01:06,560 --> 00:01:11,879
here's your conversation with Mike. Hello
Mike, and thank you for joining us.

13
00:01:12,480 --> 00:01:15,200
Before we get started, can you
say a few words about yourself and

14
00:01:15,319 --> 00:01:21,400
about the good work that you're doing
at Fluor. Sure. Thanks, thanks

15
00:01:21,400 --> 00:01:23,319
for the opportunity to come on the
show, Andrew. And yeah, for

16
00:01:23,400 --> 00:01:27,480
those that don't know me, my
name's Mike Holcomb. I'm the Fellow for

17
00:01:27,519 --> 00:01:37,519
Cybersecurity at Fluor, as well as the
ICS/OT, or control systems, cybersecurity practice at Fluor

18
00:01:37,560 --> 00:01:42,239
globally. For those of you that don't
know about Fluor,

19
00:01:42,319 --> 00:01:47,200
we're one of the largest engineering
and construction companies in the world, so

20
00:01:47,519 --> 00:01:51,719
we get to build and I get
to work in some of the world's largest

21
00:01:51,760 --> 00:01:56,319
industrial control environments. So I'm very
fortunate not only to work in these large

22
00:01:56,400 --> 00:02:00,480
environments, but also to work with some
of the greatest engineering minds in the field

23
00:02:00,560 --> 00:02:05,799
today. So it's really exciting and
I can't ask for a better place to

24
00:02:05,840 --> 00:02:13,639
be in, wanting to work in cybersecurity
and in security in all these unique environments.

25
00:02:14,039 --> 00:02:19,400
And our topic today is getting started
in the OT security space. You

26
00:02:19,400 --> 00:02:21,800
know, can we start at the
beginning? How did you get started?

27
00:02:22,199 --> 00:02:25,960
For when I got started, I
go back to twenty ten and getting into

28
00:02:27,520 --> 00:02:34,319
OT cybersecurity. So now I've been
a long-time IT cybersecurity practitioner, twenty-five

29
00:02:34,360 --> 00:02:39,120
plus years. It was twenty
ten when Stuxnet was first announced, and we got the

30
00:02:39,159 --> 00:02:46,240
news about this. I was just
amazed at this technological marvel that

31
00:02:46,960 --> 00:02:57,879
had been created to reach out in
the world and manipulate something out in the

32
00:02:58,360 --> 00:03:02,199
real world. And I was just
really fascinated with that concept. And of

33
00:03:02,199 --> 00:03:07,719
course we had always thought about different
types of attacks and things of that nature,

34
00:03:07,960 --> 00:03:12,400
but here is where we actually saw
it pulled off, and it

35
00:03:12,479 --> 00:03:15,039
was very, very real all of
a sudden, and then I started asking the

36
00:03:15,159 --> 00:03:22,879
questions about, you know, what
about power plants and water treatment facilities or

37
00:03:23,240 --> 00:03:28,919
railways, right? What happens there? And I
started asking those questions, and then started

38
00:03:28,960 --> 00:03:32,280
reaching out to folks to have those
conversations. And of course back in twenty

39
00:03:32,319 --> 00:03:37,400
ten, there weren't a lot of
folks that wanted to have those conversations.

40
00:03:37,439 --> 00:03:42,319
You know, you had IT people
that didn't care about OT, which we didn't

41
00:03:42,319 --> 00:03:46,479
even really necessarily call it OT back
then, and then you had the folks

42
00:03:46,960 --> 00:03:52,240
in OT environments that didn't want
to talk about cybersecurity, because I don't think

43
00:03:52,280 --> 00:03:55,919
a lot of them wanted to let on
that they weren't doing anything for cybersecurity back

44
00:03:55,960 --> 00:04:01,479
then, and just didn't understand it.
So it was a struggle.

45
00:04:01,599 --> 00:04:06,039
Initially, for me, it was really,
really frustrating. I think that was probably

46
00:04:06,039 --> 00:04:10,680
for a lot of folks, you
know, at that time, and I

47
00:04:10,840 --> 00:04:15,960
just ended up twelve and a half
years ago getting a call to go work

48
00:04:15,000 --> 00:04:19,199
at Fluor. Like I mentioned,
we're one of the world's largest engineering and

49
00:04:19,399 --> 00:04:24,720
construction companies. And so after about
the first year of working there, you

50
00:04:24,720 --> 00:04:27,800
know, keeping my head down,
trying to learn the ropes of the new

51
00:04:27,879 --> 00:04:31,240
job and get my feet under me, I started to realize, yeah,

52
00:04:31,240 --> 00:04:38,120
we probably have some control systems around
here, and started making those connections with

53
00:04:38,439 --> 00:04:43,879
different engineers in the company.
You know, right now we have four

54
00:04:43,959 --> 00:04:48,160
thousand control system and electrical engineers,
for example, and so there's a lot

55
00:04:48,240 --> 00:04:54,199
of folks we work with all over
the world, and there's quite a few

56
00:04:54,319 --> 00:04:59,839
that are always very willing to lend
a hand, have a conversation, or

57
00:05:00,120 --> 00:05:03,160
to jump on a call. And
so I've been very fortunate just to build

58
00:05:03,199 --> 00:05:09,920
that knowledge kind of organically, kind
of a grassroots movement since, you know, probably

59
00:05:10,000 --> 00:05:15,120
the last, especially the last ten years, and getting into, you know, working

60
00:05:15,160 --> 00:05:18,279
with the different departments, and then
you know, really starting to build out

61
00:05:18,319 --> 00:05:26,120
what a cybersecurity practice for a company
like Fluor looks like, to where we're

62
00:05:26,240 --> 00:05:35,399
helping our clients build, right, a cybersecurity
program for their environments, whether it's a

63
00:05:35,439 --> 00:05:42,480
power plant, whether it's an LNG
port facility, whether it's, like, commuter

64
00:05:42,600 --> 00:05:46,560
rail or open pit mine, manufacturing,
and the list goes on and on.

65
00:05:47,160 --> 00:05:53,040
But, you know, clients didn't
necessarily want to have those conversations even a

66
00:05:53,040 --> 00:05:58,240
couple of years ago, whereas after
Colonial Pipeline, that really changed the landscape,

67
00:05:58,240 --> 00:06:01,160
and all of our customers are very
engaged and want to have those conversations.

68
00:06:01,600 --> 00:06:06,519
So for each of those projects,
we look at building out the cybersecurity specs

69
00:06:06,519 --> 00:06:14,160
again, to work with a client to
understand their risk tolerance, their risk threshold,

70
00:06:14,319 --> 00:06:21,319
and budgets and help them design again
the right cybersecurity program for their environment.

71
00:06:25,360 --> 00:06:28,600
So let me contrast that with my
own experience, and so we have you

72
00:06:28,639 --> 00:06:32,560
know, two data points here.
I got started, I had a computer

73
00:06:32,600 --> 00:06:36,199
science degree. I got started doing
software development for the first, I don't know,

74
00:06:36,240 --> 00:06:43,800
fifteen, twenty years of my career,
eventually developing industrial control system products,

75
00:06:44,879 --> 00:06:47,360
you know, rising through the ranks
of the development team, winding up managing

76
00:06:47,399 --> 00:06:53,079
teams. At one point I was
responsible for the IT security of the local

77
00:06:53,120 --> 00:06:56,920
office, and so I had dabbled
a bit in the security space. This

78
00:06:57,079 --> 00:07:00,360
was you know, back before security
was a real thing. Like in the

79
00:07:00,759 --> 00:07:05,160
mid nineteen nineties we're talking about.
You know, the big news that I

80
00:07:05,279 --> 00:07:11,279
remember was Y2K. Y2K
was the big thing. You

81
00:07:11,279 --> 00:07:15,519
know, it was in a sense
non news. Nothing happened, but there

82
00:07:15,560 --> 00:07:19,279
was enormous preparation on the industrial side
that went into that, you know,

83
00:07:19,680 --> 00:07:27,319
rebuilds, patching everything. It
was amazing. And then

84
00:07:27,360 --> 00:07:30,120
there was, of course, 9/11, which, you know, if you remember

85
00:07:30,240 --> 00:07:33,639
the Aaron Turner episode a couple of
episodes ago, you know, he talked

86
00:07:33,639 --> 00:07:38,680
about how the 9/11 event,
how he was part of the process of

87
00:07:38,720 --> 00:07:45,839
that turning into today's industrial cybersecurity initiative. You know, in about two thousand three,

88
00:07:46,000 --> 00:07:49,120
I was still working on the IoT
middleware that was connecting a lot

89
00:07:49,120 --> 00:07:54,439
of control systems to SAP, connecting
a lot of these networks together, you

90
00:07:54,480 --> 00:08:00,720
know, in hindsight, contributing to
the security problem. And you know,

91
00:08:00,920 --> 00:08:03,639
the business that I was part of
was sold off, and the, you know,

92
00:08:03,680 --> 00:08:09,639
the new management said we're taking this
into industrial cybersecurity, and I said,

93
00:08:09,879 --> 00:08:13,639
really, that's a thing? Because
this was, you know, this was two

94
00:08:13,000 --> 00:08:18,120
thousand three, it was the very earliest
days of that. You know, I

95
00:08:18,240 --> 00:08:22,199
finished up the IoT middleware project,
while you know the rest of the business

96
00:08:24,279 --> 00:08:28,800
took our control system product and moved
it to SELinux, Security-Enhanced Linux.

97
00:08:28,800 --> 00:08:31,279
So I wasn't part of that.
I sort of saw that from the

98
00:08:31,320 --> 00:08:35,039
outside. I thought, wow,
that's a lot of work. It was

99
00:08:35,120 --> 00:08:37,919
a lot of work, and as
far as I can tell, nobody,

100
00:08:37,120 --> 00:08:41,840
zero points, zero sales. That
was not what the world was looking for.

101
00:08:43,039 --> 00:08:48,200
You know, I got pulled into
the project to build the world's

102
00:08:48,200 --> 00:08:52,600
first industrial SIEM, security information and event
management system. You know, in control

103
00:08:52,600 --> 00:08:54,879
systems terms, it was a single
pane of glass. It

104
00:08:54,879 --> 00:09:01,080
was an HMI for cybersecurity of your
control system. And that was how I

105
00:09:01,120 --> 00:09:05,080
got involved. You know, that
project went on for a long time.

106
00:09:05,919 --> 00:09:11,039
Eventually I got pulled into promoting that
project out in public, talking to you

107
00:09:11,039 --> 00:09:18,960
know, prospective customers at conferences and
face to face about the cybersecurity problem landscape,

108
00:09:18,080 --> 00:09:22,240
the solution landscape, where the, you know, the Industrial Defender SIEM fit into

109
00:09:22,320 --> 00:09:26,240
that. Industrial Defender has long since
moved on. This was, you know,

110
00:09:26,480 --> 00:09:31,200
fifteen years ago. I don't think
the SIEM exists anymore. But that

111
00:09:31,320 --> 00:09:35,039
was my own genesis, you know, dabbled a bit on the IT side,

112
00:09:35,039 --> 00:09:39,840
heavy into software development, very technical, and got pulled into the product

113
00:09:39,919 --> 00:09:46,919
development side of industrial cybersecurity in sort
of the mid two thousands, almost to

114
00:09:46,000 --> 00:09:50,759
my surprise, because somebody else did
the market research to figure out there was

115
00:09:50,759 --> 00:09:54,279
a market here. This was a
thing that was happening because I'd never heard

116
00:09:54,279 --> 00:09:58,279
of it. It was very early days.
So that

117
00:09:58,320 --> 00:10:01,600
was twelve years ago. You
know, very few people were doing this

118
00:10:01,639 --> 00:10:07,360
stuff. It was possible to sort
of drift into it, just show some

119
00:10:07,480 --> 00:10:11,200
interest and you know, become part
of the evolving field. What's your advice

120
00:10:11,279 --> 00:10:16,519
today if you've got people who want
to get into the OT security space.

121
00:10:16,480 --> 00:10:20,399
I definitely have a lot to say
about that subject, one of my

122
00:10:20,440 --> 00:10:24,320
favorite to talk about, since it
was so frustrating for me to get into

123
00:10:24,360 --> 00:10:28,679
the field, and I don't want
people today to feel that level of frustration.

124
00:10:28,919 --> 00:10:31,200
It just shouldn't be that hard.
And so, you know, when

125
00:10:31,200 --> 00:10:37,480
you talk with folks with IT backgrounds
like myself, to help them get

126
00:10:37,519 --> 00:10:41,639
started, really there's a focus
on needing to think like an engineer.

127
00:10:41,840 --> 00:10:46,759
I just go back to when I
took my first SANS ICS/OT course,

128
00:10:46,200 --> 00:10:50,840
the GICSP. It was really fascinating. The best thing

129
00:10:50,840 --> 00:10:54,799
about the class was it was half
IT people and half OT people. And

130
00:10:54,840 --> 00:10:58,320
I remember a gentleman in the front
of the class asked a question and it

131
00:10:58,360 --> 00:11:03,879
was really what I thought was a
really basic question around networking. It's like,

132
00:11:03,919 --> 00:11:07,919
oh, I could answer that,
but it was the way he asked

133
00:11:07,919 --> 00:11:11,759
it. It was completely different on
how I would have thought about it.

134
00:11:11,480 --> 00:11:16,679
And I started talking with him, you
know, and he was an engineer in

135
00:11:16,039 --> 00:11:22,200
a water treatment facility, and that
was really the first time I had talked

136
00:11:22,200 --> 00:11:26,960
with somebody from that world and
really starting to look at things from his

137
00:11:26,120 --> 00:11:31,320
perspective. And so I think that
was a great experience. And so coming

138
00:11:31,360 --> 00:11:37,000
from the IT world, we have
to learn to think like an engineer,

139
00:11:37,200 --> 00:11:41,440
see how they see the plant,
how the plant works, and understand each

140
00:11:41,559 --> 00:11:46,639
plant. Each, you know, OT
environment is completely unique, right? They

141
00:11:46,639 --> 00:11:50,879
have their own physics. Even you
can go to two different power plants and

142
00:11:50,879 --> 00:11:56,240
they can be completely different. And
so being able to understand how that plant

143
00:11:56,279 --> 00:12:01,240
operates, that's the first part
of not only helping understand how best to

144
00:12:01,360 --> 00:12:05,399
protect it, where we're focused on
how we ensure the physical safety of on-

145
00:12:05,480 --> 00:12:11,480
site personnel and the general public,
and environmental safety, and then of course the operations

146
00:12:11,519 --> 00:12:18,360
of the plant. And that's very
much, very different from the IT world,

147
00:12:18,679 --> 00:12:22,679
but it's the engineering world. And
so when you look at learning to

148
00:12:22,720 --> 00:12:28,039
think like an engineer, and then the
other thing, really, is just, I think, what

149
00:12:28,039 --> 00:12:37,200
can feel like a very insurmountable hurdle
to people is learning about different OT systems

150
00:12:37,759 --> 00:12:41,600
and you get caught up. At
least for me, I remember, you

151
00:12:41,600 --> 00:12:46,279
know, ICS, OT, SCADA, and
like, what, you know, RTU, HMI,

152
00:12:46,480 --> 00:12:50,200
PLC, what are all these
things? And it's like, oh,

153
00:12:50,240 --> 00:12:54,159
you can learn some acronyms,
and then you can start to read

154
00:12:54,200 --> 00:13:01,320
about it, but it's
challenging right at first to really start

155
00:13:01,360 --> 00:13:05,759
to get your head wrapped around the
concepts and understand how each of these different

156
00:13:05,799 --> 00:13:16,519
assets works and how you use that
to build and run an OT facility. Right,

157
00:13:16,559 --> 00:13:20,279
So I always like to focus on,
when I do a couple of free

158
00:13:20,279 --> 00:13:26,039
classes every quarter, we
focus on how we build a power

159
00:13:26,080 --> 00:13:33,000
plant from start to finish and walking
through that process because it helps people not

160
00:13:33,159 --> 00:13:39,080
only think like an engineer and understand
the physics of how we're generating electricity in

161
00:13:39,120 --> 00:13:43,399
this facility, but we can also
look at all the components that go into

162
00:13:43,679 --> 00:13:50,879
building out that facility, and we
can then really learn about PLCs and HMIs

163
00:13:50,960 --> 00:13:54,639
and DCSs and what each is doing
and what they really mean. And I

164
00:13:54,720 --> 00:13:58,639
think that really helps things click into
place for IT people. But it's

165
00:13:58,799 --> 00:14:01,440
very foreign. It was at least
for me, you know, when first

166
00:14:01,440 --> 00:14:07,320
getting into OT. So
that makes sense, in a sense, in the

167
00:14:07,360 --> 00:14:11,519
abstract. Learn about the physical processes
that you're looking at, learn

168
00:14:11,559 --> 00:14:16,960
about the automation systems. Do you
have concrete advice? Is there stuff you

169
00:14:16,960 --> 00:14:20,600
know? Would you read about these
things? Do you take courses? What?

170
00:14:20,879 --> 00:14:24,200
So what are concrete steps people
can do to achieve those goals,

171
00:14:24,200 --> 00:14:26,440
those learning goals? Sure. No, a great question, and I

172
00:14:26,480 --> 00:14:30,960
actually should mention, so I wrote
a couple of free ebooks that I

173
00:14:31,000 --> 00:14:35,320
published, and they're on LinkedIn and my
website, mikeholcomb dot com, where people can

174
00:14:35,320 --> 00:14:39,840
find them. And they're
not too involved, and mostly it's a

175
00:14:39,919 --> 00:14:46,240
list of different resources and some, I
guess, tips and tricks, and a lot of

176
00:14:46,279 --> 00:14:52,399
those go into some of those practical
tips, right, so suggestions on different

177
00:14:52,440 --> 00:14:56,000
books that you can read. There
are some great books that are out there.

178
00:14:56,039 --> 00:14:58,279
They're not a ton, but I
think there's definitely a few that

179
00:14:58,360 --> 00:15:03,279
everybody should be reading,
even books like Sandworm, just to get

180
00:15:03,279 --> 00:15:07,519
an understanding of the importance of ICS/OT
cybersecurity. I'm a big

181
00:15:07,559 --> 00:15:11,039
fan of a few others, you
know, so I don't, I guess,

182
00:15:11,120 --> 00:15:16,399
go too far down that rabbit hole. But you know, between your

183
00:15:16,440 --> 00:15:22,960
books, I honestly take a lot
of value out of podcasts. I listened

184
00:15:22,000 --> 00:15:26,840
to your podcast before. There's a
few others in the space I also listened

185
00:15:26,840 --> 00:15:30,440
to. You have a lot of
great guests that come on and share a

186
00:15:30,519 --> 00:15:33,639
lot of practical knowledge that people can
learn from. I remember I was starting

187
00:15:33,799 --> 00:15:39,399
a new mining project at Fluor and
I had not worked in mining before,

188
00:15:41,080 --> 00:15:46,600
and just at the time, you
actually had somebody from mining on the show,

189
00:15:46,639 --> 00:15:50,440
and I was able to pick it
up and I learned so much from

190
00:15:50,440 --> 00:15:56,000
that conversation. And so that's
one way. Trying to get hands-on experience,

191
00:15:56,039 --> 00:16:00,200
I understand, you know, I
was very fortunate that it wasn't too

192
00:16:00,200 --> 00:16:06,159
long before I was able to go
on site and be in an actual power

193
00:16:06,159 --> 00:16:10,480
plant that we were building. That's a luxury, I understand, a lot

194
00:16:10,519 --> 00:16:14,440
of people don't have. But you're
trying to get some type of hands-on

195
00:16:14,600 --> 00:16:18,080
experience, right, So it's building
out a home lab, you know,

196
00:16:18,200 --> 00:16:22,159
getting a PLC, starting with some
basic PLC programming, maybe hooking up an

197
00:16:22,320 --> 00:16:26,759
HMI and start to build that out. So those are some of the things

198
00:16:26,799 --> 00:16:30,399
that I definitely suggest. So, yeah,
there's books out there, and I

199
00:16:30,440 --> 00:16:36,759
really take a lot from some of
the podcasts out there and including your own,

200
00:16:37,279 --> 00:16:41,679
and then trying to build
into that hands-on experience, if

201
00:16:41,720 --> 00:16:45,600
you don't have the luxury of already
working in OT or maybe you can find

202
00:16:45,600 --> 00:16:49,600
a mentor that works in OT
and they can bring you on site.

203
00:16:49,720 --> 00:16:55,039
Sometimes I hear of that happening
from time to time, and that's

204
00:16:55,720 --> 00:17:00,200
a lot of experience, especially for people
from IT. That's experience that you

205
00:17:00,440 --> 00:17:07,799
just can't even pay for. So
at this point, we've talked about how

206
00:17:07,960 --> 00:17:11,279
Mike started off in the industry and
how Andrew you started off in the industry.

207
00:17:12,920 --> 00:17:17,400
I don't participate in the industry to
the same degree that you guys do,

208
00:17:17,559 --> 00:17:22,359
but of course I do in a
tangential sense. And I recall that

209
00:17:22,400 --> 00:17:26,519
when I was getting first started,
I had a little bit of background in

210
00:17:26,839 --> 00:17:30,559
IT knowledge, but I didn't know
the first thing about industrial security. And

211
00:17:30,960 --> 00:17:37,119
I, as Mike suggested, picked
up a book. It was a red

212
00:17:37,160 --> 00:17:40,720
book. It was your book on
a long flight, I believe it was

213
00:17:40,759 --> 00:17:45,200
an eleven-hour flight. I read
through, pushed through most of your red

214
00:17:45,240 --> 00:17:48,759
book, and by the end of
it, I had a good enough sense,

215
00:17:49,160 --> 00:17:55,400
a good enough base to start talking
about these subjects, mostly just asking

216
00:17:55,440 --> 00:18:02,920
you questions, and so I can
empathize and agree with Mike's general sentiment.

217
00:18:04,599 --> 00:18:10,240
The latest numbers in the twenty twenty
three Threat Report on OT cyber incidents show

218
00:18:10,279 --> 00:18:14,559
that the threat environment has changed fundamentally. Since the beginning of this decade,

219
00:18:15,240 --> 00:18:21,119
OT cyber attacks with physical consequences have
changed from a theoretical problem to a very

220
00:18:21,160 --> 00:18:25,720
real problem, more than doubling every
year. The new report is focused on

221
00:18:25,799 --> 00:18:30,400
deliberate cyber attacks in the public record. These are attacks that cause physical consequences

222
00:18:30,400 --> 00:18:36,480
in process industries and discrete manufacturing.
Most of these attacks are ransomware, though

223
00:18:36,480 --> 00:18:41,559
the fraction of activist attacks is growing, and the report's appendix includes a complete

224
00:18:41,599 --> 00:18:45,920
list of all cyber attacks since Stuxnet
that meet these criteria to see how today's

225
00:18:45,960 --> 00:18:49,799
OT cyber threat environment has changed.
I invite you to download the report,

226
00:18:51,240 --> 00:18:56,200
a joint effort between Waterfall Security and
the ICS STRIVE OT Incident Repository. You

227
00:18:56,240 --> 00:19:02,920
can download the report at waterfall dash
security dot com slash twenty twenty three

228
00:19:03,359 --> 00:19:07,960
dash Threat dash Report, or just
go to the resources menu at the Waterfall

229
00:19:07,000 --> 00:19:14,160
Security site and click on white papers
and ebooks. So to put the shoe

230
00:19:14,200 --> 00:19:17,680
on the other foot,
you know, you came sort of

231
00:19:17,720 --> 00:19:22,519
from the IT space into
industrial control systems and OT security. Do

232
00:19:22,559 --> 00:19:26,599
you have advice the other way around,
if people are coming out of

233
00:19:26,640 --> 00:19:30,160
engineering or other sort of aspects of
the OT space and want to get

234
00:19:30,720 --> 00:19:36,599
you know, up to speed on
cybersecurity. Sure, sure definitely. And

235
00:19:36,640 --> 00:19:38,720
And I'd give that disclaimer, right, I am, you know,

236
00:19:38,880 --> 00:19:42,240
tried and true, you know, I
have an IT cybersecurity background, but

237
00:19:42,559 --> 00:19:45,599
I do work with a lot of
folks in the OT space, and I

238
00:19:45,680 --> 00:19:48,680
work with, you know, I get
to meet a lot of folks on LinkedIn

239
00:19:49,119 --> 00:19:56,920
and elsewhere to have conversations with
and help. And so whether it's at

240
00:19:56,920 --> 00:19:59,799
the office or elsewhere, you know, I always talk about, you know,

241
00:19:59,799 --> 00:20:03,680
for folks coming from an OT background, one of the things that really

242
00:20:03,720 --> 00:20:07,119
surprised me is a lot of OT
people, or people that come from different aspects of

243
00:20:07,160 --> 00:20:12,359
automation, they don't necessarily have the
fundamentals of networking down. I was really

244
00:20:12,400 --> 00:20:17,519
surprised. You know. I always
think, you know, of engineers,

245
00:20:17,519 --> 00:20:22,400
they know everything in the world,
and I found a lot of engineers aren't

246
00:20:22,400 --> 00:20:26,839
that familiar with networking. I
was really surprised. So it's

247
00:20:26,880 --> 00:20:32,640
just like anybody coming into IT cybersecurity. The first thing I always suggest they

248
00:20:32,759 --> 00:20:37,359
learn is networking, especially, of course,
TCP/IP, since that's, you know,

249
00:20:37,400 --> 00:20:41,720
the main protocol that we use on
all of our internal networks, right even

250
00:20:41,720 --> 00:20:45,200
in OT for better or for worse, and the Internet of course, so

251
00:20:45,240 --> 00:20:53,480
that's that basic foundation for connecting our
systems together and then learning the basics of

252
00:20:53,880 --> 00:21:00,480
cybersecurity. So I always tell folks
to really look to the Security Plus certification

253
00:21:00,519 --> 00:21:04,599
that CompTIA has, and even if you
don't necessarily look to get certified, even

254
00:21:04,640 --> 00:21:10,400
though I suggest people always do,
but just the knowledge that you can pick

255
00:21:10,519 --> 00:21:15,000
up from picking up one of those
study guides or going through a Security Plus

256
00:21:15,039 --> 00:21:23,200
course or such, you get the basics,
the fundamentals of cybersecurity from the IT perspective,

257
00:21:25,039 --> 00:21:27,640
and then that really gets us to
where now we're on this kind of

258
00:21:27,680 --> 00:21:33,359
common playing field where we can have
folks from the OT side of the house

259
00:21:33,640 --> 00:21:38,359
and the IT folks from their side
of the house really come together. And

260
00:21:38,480 --> 00:21:41,880
I talk about it, and we
always talk about these different sides of the

261
00:21:41,920 --> 00:21:47,519
house, but we always forget that
it's the same house that we're all living

262
00:21:47,599 --> 00:21:52,519
in and trying to protect. And
so we can come together with kind of

263
00:21:52,519 --> 00:21:59,880
this basic understanding of networking and cybersecurity
and learn from each other's perspectives and then

264
00:22:00,000 --> 00:22:03,759
and you kind of put together to
build out that plan on, okay, how

265
00:22:03,799 --> 00:22:08,720
are we going to protect our house
from somebody trying to break in and do

266
00:22:08,799 --> 00:22:15,839
harm. So you mentioned the Security
Plus certification. A question that I get

267
00:22:15,880 --> 00:22:21,559
regularly and have, you know, limited
insight into answering is sort of the

268
00:22:21,799 --> 00:22:26,680
more general question about certification. What
should I be certified on if I want

269
00:22:26,680 --> 00:22:32,039
to practice in the OT the industrial
security space. You know, you've mentioned

270
00:22:32,079 --> 00:22:37,319
Security Plus. Can, you know, is
there a more general answer? Yeah, and

271
00:22:37,400 --> 00:22:42,119
when we talk about, you know, OT
cybersecurity, the certification landscape

272
00:22:42,400 --> 00:22:48,799
is somewhat limited compared to the IT
world, but there definitely are some

273
00:22:48,799 --> 00:22:55,160
certifications that are worthwhile for people
to pursue. I think, in my opinion,

274
00:22:56,160 --> 00:23:00,319
you know, I always struggle sometimes,
because I always want to make sure to

275
00:23:00,559 --> 00:23:07,960
focus people, that they really are working on
gaining the knowledge and the experience to work

276
00:23:08,119 --> 00:23:14,039
in you know, OT cybersecurity and
not just trying to go take a quick

277
00:23:14,079 --> 00:23:18,519
course and take a certification exam,
and then imply that they know

278
00:23:18,599 --> 00:23:23,279
everything about OT cybersecurity, because certification, that's not the goal, right,

279
00:23:23,319 --> 00:23:27,519
that's not the end game for
the certifications. But there are some

280
00:23:27,559 --> 00:23:32,599
great, you know, certifications out there,
you know, typically, especially

281
00:23:32,640 --> 00:23:37,559
in the US perspective, we look
to SANS, and not only the SANS Institute

282
00:23:37,599 --> 00:23:42,160
and their courses and certifications that
we can mention. I have all

283
00:23:42,200 --> 00:23:48,880
three of those, partly from
going through the master's program and also just

284
00:23:48,440 --> 00:23:53,759
being a longtime SANS student and having
taken those courses, that I have been very fortunate

285
00:23:53,920 --> 00:24:00,599
to do so. And then the
ISA, the ISA/IEC

286
00:24:00,920 --> 00:24:06,680
62443 series as
well that ISA created. So I

287
00:24:06,680 --> 00:24:12,160
think for me personally, the
knowledge in the SANS courses is bar none.

288
00:24:12,400 --> 00:24:17,799
I also realized that I was very
lucky when I took the SANS GRID

289
00:24:17,839 --> 00:24:21,799
course with Rob Lee. It was
actually at the exact same time that the

290
00:24:21,920 --> 00:24:26,160
TRISIS incident was happening. So not
only am I sitting in class with Rob

291
00:24:26,240 --> 00:24:32,160
Lee, who's teaching, and you would get
to have cyber conversations and go to dinner,

292
00:24:32,200 --> 00:24:38,319
but also his company is responding
to one of the most important cybersecurity

293
00:24:38,319 --> 00:24:42,680
incidents in the OT world still today, and so we were getting you know,

294
00:24:42,720 --> 00:24:47,720
play by play on what was going
on behind the scenes, which, that's,

295
00:24:47,880 --> 00:24:51,000
you know, you still can't, you
can't pay for an experience like that,

296
00:24:52,200 --> 00:24:56,039
which does bring up the fact that
the SANS courses are very expensive these days,

297
00:24:56,759 --> 00:25:00,519
and I understand that not a lot
of people can afford them. Again,

298
00:25:00,960 --> 00:25:06,240
the knowledge is second to none.
Rob Lee still teaches his incident detection and response

299
00:25:06,279 --> 00:25:11,079
course for OT a couple of times
a year. I personally think, you

300
00:25:11,119 --> 00:25:14,279
know, to be able to be
in the room with him and engage and

301
00:25:14,319 --> 00:25:18,519
ask questions, you can't... You know, that's an invaluable experience. But again,

302
00:25:19,480 --> 00:25:22,480
you know, ten thousand US dollars
essentially now to take a class and

303
00:25:22,519 --> 00:25:27,480
the certification exam is hard for a
lot of people. And I'm very fortunate

304
00:25:27,480 --> 00:25:32,720
to work for a company that has
provided me those opportunities. So the ISA

305
00:25:32,960 --> 00:25:37,960
series is a very valid alternative. I think a lot of people,

306
00:25:38,119 --> 00:25:45,960
and especially engineers, have the
ISA certifications. They have four courses

307
00:25:47,279 --> 00:25:49,960
that you take and then you have
to take the course to take the exam,

308
00:25:51,000 --> 00:25:53,319
and it's about eight thousand dollars if
you're not an ISA member.

309
00:25:53,599 --> 00:25:59,039
So for their entire series, right, it's already less than one SANS

310
00:25:59,519 --> 00:26:03,079
course. And so I think the
one thing to keep in mind about those

311
00:26:03,119 --> 00:26:12,880
courses is that they're designed to teach
OT professionals some basics about cybersecurity and introduce

312
00:26:14,680 --> 00:26:19,440
the 62443 standard. It's not going to, and unfortunately the

313
00:26:19,920 --> 00:26:25,119
master certification, right, when you pass
all four exams, they give you

314
00:26:25,359 --> 00:26:32,079
what they call the ISA/IEC
62443 Cybersecurity Expert Certification,

315
00:26:32,680 --> 00:26:36,799
which is a horrible name because I
think we could probably all realize that

316
00:26:37,759 --> 00:26:41,920
if you take, what is it, about
twenty-four, thirty hours, even, let's say,

317
00:26:41,960 --> 00:26:45,799
forty hours of course materials, and
you pass a couple exams, it doesn't

318
00:26:45,799 --> 00:26:51,480
make you an expert in anything.
So I think it's not a

319
00:26:51,519 --> 00:26:59,160
great name, but it's a
certification that shows that you have a basic

320
00:26:59,319 --> 00:27:04,839
understanding of cybersecurity and different aspects of
cybersecurity and how they're implemented in the OT

321
00:27:06,039 --> 00:27:11,920
world. So if you're looking at
getting certified and demonstrating that basic level of

322
00:27:11,960 --> 00:27:15,160
knowledge, then I think the ISA,
you know, series is going to be the

323
00:27:15,200 --> 00:27:21,680
most effective for people, in part
because of the cost and in part just

324
00:27:21,720 --> 00:27:26,559
because of the time and that there
is learning involved and there is good,

325
00:27:26,680 --> 00:27:32,160
good information to get out of
it. And for me, SANS,

326
00:27:32,279 --> 00:27:36,079
you know, people always joke
about, you know, drinking from the

327
00:27:36,079 --> 00:27:40,359
fire hose when you go to a
SANS course and you're just flooded with information.

328
00:27:40,759 --> 00:27:45,319
And they have some of the greatest
thought leaders in the industry that lead

329
00:27:45,359 --> 00:27:49,519
those courses, like Rob Lee and
Tim Conway, and with Michael Assante, you know,

330
00:27:49,640 --> 00:27:56,440
before them, and Derek Harp was
on that original team. So you can't

331
00:27:56,440 --> 00:28:00,200
beat the SANS materials. It's just
the cost is so high. And

332
00:28:00,240 --> 00:28:03,559
then there are other alternatives out there. There's the folks in Germany. I

333
00:28:03,599 --> 00:28:07,920
think it's called TÜV or TÜV Rheinland. One day I'll figure out how

334
00:28:07,920 --> 00:28:11,920
they pronounce that, you know.
I start to see, you know, more

335
00:28:11,960 --> 00:28:17,960
individuals with those. We
have some engineers at Fluor, and I've seen

336
00:28:18,039 --> 00:28:22,200
others with the exida certifications. So
those are a little bit like the

337
00:28:22,400 --> 00:28:26,599
ISA 62443, you know, but a little bit

338
00:28:26,759 --> 00:28:32,279
you know, SANS, and, you know, a
bit more from the vendor perspective with

339
00:28:32,400 --> 00:28:37,400
dedicated courses at, again, like
ISA, you know, reduced

340
00:28:37,400 --> 00:28:41,920
costs, right, relatively less expensive
than SANS courses, but not as

341
00:28:42,079 --> 00:28:48,039
much knowledge or information. So let
me dive a little deeper. You mentioned,

342
00:28:48,319 --> 00:28:52,160
you know, people coming to a
lot of training and you know,

343
00:28:52,440 --> 00:28:59,720
desires to learn about cybersecurity without basic
networking. I've observed that as well,

344
00:28:59,759 --> 00:29:02,680
you know, some years, depending
on when the course runs. I teach

345
00:29:02,720 --> 00:29:07,240
a course at Michigan Technological University.
The audience is mostly engineers. It's a

346
00:29:07,279 --> 00:29:15,480
graduate course in engineering, and yeah, I find it necessary to burn, you

347
00:29:15,519 --> 00:29:21,000
know, two, three, maybe four hours
of a forty-hour pool of lectures,

348
00:29:21,880 --> 00:29:26,920
you know, and assigned reading and
exercises on the basics of networking. What

349
00:29:27,039 --> 00:29:30,319
is Ethernet? What is a
frame? What is, you know, the

350
00:29:30,480 --> 00:29:33,960
ARP protocol? How do you resolve
IP addresses? How does IP ride on

351
00:29:34,039 --> 00:29:37,359
top? You know, once you
leave the ethernet into the internet, what

352
00:29:37,400 --> 00:29:41,480
does IP look like? Is this? Is this what you mean? I

353
00:29:41,519 --> 00:29:45,279
mean, how much of that,
in your estimation? How

354
00:29:45,319 --> 00:29:48,880
deep on that do you really have
to go? I would say very similar

355
00:29:48,920 --> 00:29:52,640
when I do those types of
classes, you know, at least a

356
00:29:52,680 --> 00:29:57,119
couple of hours, and I do
training also with our engineers at Fluor on

357
00:29:57,160 --> 00:30:00,160
a regular basis, you know,
definitely at least a couple of hours.

358
00:30:00,240 --> 00:30:03,880
But I think that's the same concept
or the way I look at it is

359
00:30:03,920 --> 00:30:10,519
this idea that if we want to
understand how to protect our environments from the

360
00:30:10,559 --> 00:30:15,519
attackers, we have to understand
how they're getting into the environment and how

361
00:30:15,640 --> 00:30:22,000
they're actually conducting and pulling off these
attacks, and of course they're doing this

362
00:30:22,319 --> 00:30:27,160
over the network, and so we
need to be able to understand the fundamentals

363
00:30:27,160 --> 00:30:33,079
of networking to be able to ultimately
better understand how to protect our environments,

364
00:30:33,319 --> 00:30:38,480
so we do cover everything, from, again, a
focus on TCP/IP, since that's going to be

365
00:30:38,480 --> 00:30:42,640
the main protocol we're using in all
of our environments, and of course that

366
00:30:42,720 --> 00:30:48,079
opens us up to the wonderful world
of Internet connectivity for better or for worse,

367
00:30:48,680 --> 00:30:52,200
and down to you know, we
start to look at things like how

368
00:30:52,240 --> 00:30:59,480
does ARP work and how does IP
routing work, and then that leads into

369
00:30:59,480 --> 00:31:03,039
the conversations like when we start talking
about well, how do we best protect

370
00:31:03,039 --> 00:31:07,720
our OT network, well, we
always are going to suggest we start with

371
00:31:07,920 --> 00:31:14,519
secure network segmentation. So you can't
have those conversations about things like network segmentation

372
00:31:14,759 --> 00:31:21,079
and putting a firewall, or a firewall
and DMZ, between IT and OT before we

373
00:31:21,160 --> 00:31:26,400
already at least have the basic understandings
of networking. So that's why it's

374
00:31:26,440 --> 00:31:30,640
always definitely a big focus for me
is we need to understand the fundamentals of

375
00:31:30,720 --> 00:31:36,039
networking to be able to understand how
all these components talk together within IT,

376
00:31:36,440 --> 00:31:41,359
within OT and now IT with
OT, and then also, on top of that,

377
00:31:41,480 --> 00:31:44,839
how we're connected to the Internet,
all of us, in some way, shape,

378
00:31:44,920 --> 00:31:51,519
or form, and so how are
we able to protect the network from

379
00:31:51,559 --> 00:31:55,799
attack. But again, we have
to have at least a basic understanding of

380
00:31:55,880 --> 00:32:01,240
networking before you can really start getting
into those fundamentals, so especially things like

381
00:32:01,519 --> 00:32:07,559
how do we do secure network architecture? Now you've mentioned standards,

382
00:32:07,559 --> 00:32:12,640
62443. How big a role
should standards play? How, you know,

383
00:32:12,839 --> 00:32:15,559
how familiar do you figure that
people on both, you know, coming

384
00:32:15,559 --> 00:32:20,160
from the IT side or the engineering
side into OT security, how familiar

385
00:32:20,160 --> 00:32:24,000
do they need to be with standards? You don't have to know them inside

386
00:32:24,119 --> 00:32:28,839
and out necessarily unless your job requires
you to. But I think they're great

387
00:32:29,039 --> 00:32:32,680
references, especially for people that are
getting into cybersecurity. They're great references for

388
00:32:34,839 --> 00:32:38,759
starting to learn about the different aspects
and all the different domains, everything that

389
00:32:38,839 --> 00:32:51,079
comes together to create a fully functioning
cybersecurity management program in OT environments. And

390
00:32:51,119 --> 00:32:59,160
whether it's a power plant or a
manufacturing facility or a railway, it doesn't

391
00:32:59,440 --> 00:33:02,680
matter the environment. But the standards
will show you all the parts that you'll

392
00:33:02,759 --> 00:33:07,720
use no matter what type of OT
environment you're in. So

393
00:33:07,759 --> 00:33:13,319
62443 is the gold standard everybody
looks to today, but it's not, you

394
00:33:13,400 --> 00:33:16,079
have to pay, you know,
to get the full copy, so it's

395
00:33:16,119 --> 00:33:21,720
not something that's readily available
to everybody, even though it's still a

396
00:33:21,759 --> 00:33:24,440
lot of great information. I think
that one can be a little overwhelming at

397
00:33:24,519 --> 00:33:29,359
first as well for some people,
at least I know it was for myself.

398
00:33:29,920 --> 00:33:36,079
It just didn't come across to
me as kind of a straightforward standard,

399
00:33:36,119 --> 00:33:40,200
I think because it's written more from
an engineering perspective. So for OT

400
00:33:40,640 --> 00:33:46,880
folks it probably
feels like it makes a lot more sense than

401
00:33:46,920 --> 00:33:52,720
for folks coming from an IT background. I suspect, at least that's, for

402
00:33:52,799 --> 00:33:57,440
me, kind of what I
was thinking. So I also gravitate

403
00:33:57,480 --> 00:34:01,680
towards NIST, you know, so
we have NIST in OT, and

404
00:34:01,720 --> 00:34:05,559
so people can also look to that
as a standard. I think that has

405
00:34:05,599 --> 00:34:09,079
a much more kind of familiar look
and feel if you're coming from the IT

406
00:34:09,679 --> 00:34:15,960
cybersecurity world, and
it's freely available, so it's something

407
00:34:15,960 --> 00:34:20,519
that you can access today and you
can look through it to see all

408
00:34:20,599 --> 00:34:27,480
the different components that go into building
a cybersecurity program for an OT environment.

409
00:34:27,559 --> 00:34:30,199
So I do think
they can make some great references. And then,

410
00:34:30,280 --> 00:34:35,119
of course, depending on if you
work in an OT environment today,

411
00:34:35,159 --> 00:34:39,719
you might also have either requirements
to adhere to those standards or frameworks,

412
00:34:39,920 --> 00:34:45,119
or you might also have other regulations,
like if you're in power generation or transmission in

413
00:34:45,199 --> 00:34:50,639
North America and the United States and
Canada, you have to be very familiar

414
00:34:50,639 --> 00:34:53,719
with NERC CIP. So all
great resources for either people that are in

415
00:34:53,760 --> 00:35:01,760
the field or for those that want
to learn more about OT cybersecurity. So

416
00:35:01,960 --> 00:35:06,480
you know, good list of resources
there. The ISA standards, you know,

417
00:35:06,559 --> 00:35:08,280
IEC 62443
standards, they're the same thing.

418
00:35:09,119 --> 00:35:14,360
You do have to pay for them. I don't pay for them legally.

419
00:35:14,880 --> 00:35:17,719
What I do is I buy an
ISA membership. I just renewed my

420
00:35:17,800 --> 00:35:22,960
membership. You know, if you
renew early you get a twenty percent discount.

421
00:35:22,960 --> 00:35:27,000
I think I paid eighty five US
dollars to renew. You pay this

422
00:35:27,079 --> 00:35:31,239
every year and you get online access
to the standards. You cannot download them,

423
00:35:31,519 --> 00:35:35,719
you cannot print them, but you
can read them. This

424
00:35:35,800 --> 00:35:37,039
is what I do. I don't
have copies of all the

425
00:35:37,079 --> 00:35:40,719
62443 standards. When I need, you
know, the standard as a resource, I

426
00:35:40,920 --> 00:35:45,360
log in to my ISA account.
And, you know, Mike mentioned NIST.

427
00:35:45,760 --> 00:35:49,920
Let me go just a little bit
deeper on this. This

428
00:35:49,960 --> 00:35:53,320
800-53
is sort of the IT standard that

429
00:35:53,559 --> 00:36:00,639
everyone uses. The NIST Cybersecurity Framework
is, you know, IT-ish; everyone uses

430
00:36:00,679 --> 00:36:05,119
it. NIST 800-83
just came out. Version three

431
00:36:05,159 --> 00:36:08,400
of it just came out, and
it's focused on applying all that stuff into

432
00:36:08,400 --> 00:36:13,480
the industrial space, and so it's
much more industry focused. You know,

433
00:36:13,559 --> 00:36:17,440
I use it routinely. It's got
really a very readable first one hundred pages

434
00:36:17,440 --> 00:36:23,039
of kind of introduction. So I
recommend very much the

435
00:36:23,079 --> 00:36:34,119
800-83 standard. Courses, standards, certifications. Is
there anything else that we've missed?

436
00:36:34,239 --> 00:36:37,239
What would you encourage people to do
to make the transition? I think the

437
00:36:37,280 --> 00:36:42,000
other big thing that we didn't talk
about that I like to focus on because

438
00:36:42,000 --> 00:36:47,960
I see how rewarding it can be
is to get people involved with the community

439
00:36:49,360 --> 00:36:52,559
as a whole. So a different, completely different type of networking than we've

440
00:36:52,559 --> 00:36:59,719
been talking about. But when you
look at and I understand, at least

441
00:37:00,039 --> 00:37:04,519
speaking from my own experience, I'm
an extreme introvert, I don't want to

442
00:37:04,880 --> 00:37:09,920
get out and talk to people as
much as I might seem to, and

443
00:37:10,000 --> 00:37:15,039
so the last thing necessarily I want
to do is get out and

444
00:37:15,639 --> 00:37:20,679
talk. And at the same time, it's so amazing, whether you go

445
00:37:20,760 --> 00:37:24,800
to a class or you're on
social media like LinkedIn, right, and you're

446
00:37:24,800 --> 00:37:30,400
getting to talk with people from all
over the world from different backgrounds and different

447
00:37:30,440 --> 00:37:35,079
perspectives, and they work
in IT and OT and they

448
00:37:35,079 --> 00:37:38,880
have different experiences and they work in
different types of environments. You can learn

449
00:37:39,400 --> 00:37:44,480
from so many different people that are
out there, and you can also share,

450
00:37:44,840 --> 00:37:49,079
you know, from your own experiences
and give, and they can learn as

451
00:37:49,119 --> 00:37:52,880
well. So it's a really amazing
experience. You can also see that when

452
00:37:52,880 --> 00:37:55,480
you go to conferences. So I
just encourage people whether you try to go

453
00:37:55,559 --> 00:37:59,920
to, you know, some of the
larger conferences like the SANS ICS

454
00:38:00,079 --> 00:38:04,000
Summit or S4, or
maybe even some of the smaller, more

455
00:38:04,039 --> 00:38:09,360
local conferences like BSides. You
know, that you can get together with people

456
00:38:09,599 --> 00:38:15,559
and everybody's there really just to learn
and share and have a good time.

457
00:38:16,440 --> 00:38:20,559
It's just very easy. And I
see this all the time for people in

458
00:38:20,599 --> 00:38:23,760
both IT and OT, where we're
just doing our job. We're keeping our

459
00:38:23,760 --> 00:38:29,360
head down, got the blinders on, we're just getting things taken care of.

460
00:38:30,280 --> 00:38:35,159
But if we're not out there,
you know, not only learning and sharing

461
00:38:35,199 --> 00:38:38,920
with each other, but also you
know, understanding what's evolving out there in

462
00:38:39,000 --> 00:38:43,840
the world. Right, we need
to make sure we're staying current and understanding

463
00:38:44,639 --> 00:38:52,920
what's going on. The ICS
OT cybersecurity landscape has changed drastically over

464
00:38:52,960 --> 00:38:55,159
the last two, two and a half
years. I would say even more so

465
00:38:57,280 --> 00:39:00,519
in just the last couple of months, if not just the last couple of

466
00:39:00,559 --> 00:39:05,159
weeks. Right, we had news
of the power being turned off in the

467
00:39:05,320 --> 00:39:08,039
Ukraine again back in twenty twenty two, even though they just announced it.

468
00:39:08,199 --> 00:39:13,639
Not sure why it took so long, but you know, that's definitely an

469
00:39:13,679 --> 00:39:22,000
involvement or evolution, to understand how that
was not ICS-specific malware, that was living

470
00:39:22,039 --> 00:39:25,280
off the land techniques that were used
in that attack, right? That's something

471
00:39:25,280 --> 00:39:30,159
that we need to be aware of
as OT defenders. We can look at

472
00:39:30,280 --> 00:39:37,400
the Danish coordinated attack by, I think,
allegedly Sandworm, right, which was detected

473
00:39:37,400 --> 00:39:43,880
by the SektorCERT team, right, and that alone has other implications that

474
00:39:43,920 --> 00:39:47,920
we all need to understand and be
aware of as OT cybersecurity defenders. So

475
00:39:47,960 --> 00:39:52,559
if we're not, if we're just
doing the job keeping our heads down and

476
00:39:52,599 --> 00:39:55,280
we're not out there talking in the
community, we're not in you know,

477
00:39:55,320 --> 00:40:00,800
on social media like on LinkedIn,
sharing information and reading the latest news and

478
00:40:00,400 --> 00:40:06,280
out there going to the conferences,
listening to the podcasts, reading the books.

479
00:40:06,800 --> 00:40:10,400
If we're not staying updated, we're
not staying current, then ultimately

480
00:40:10,559 --> 00:40:21,360
we're not doing our jobs as cybersecurity
defenders of our OT environments. You know,

481
00:40:21,480 --> 00:40:25,440
Andrew, had Mike not said
that, I wouldn't necessarily have had the

482
00:40:25,480 --> 00:40:30,800
feeling that lately industrial security has changed
all that much. If anything. One

483
00:40:30,840 --> 00:40:37,119
of the cases that he's referencing there
in Ukraine was sort of a rehash of

484
00:40:37,159 --> 00:40:40,719
a few incidents that had occurred between
Ukraine and Russia before. I don't know,

485
00:40:40,800 --> 00:40:44,159
do you disagree with me? Do
you feel like things are really rapidly

486
00:40:44,199 --> 00:40:47,119
moving these days? I don't know
about rapidly, but things are changing,

487
00:40:47,119 --> 00:40:52,639
and I'm not sure that you know
a lot of practitioners are tracking these changes.

488
00:40:52,840 --> 00:40:57,639
So the change you mentioned was living
off the land, you know,

489
00:40:57,719 --> 00:41:00,679
for anyone out there who doesn't already
know what that is. It's using,

490
00:41:01,159 --> 00:41:05,840
you know, instead of writing your
own malware, your own remote access trojan,

491
00:41:05,960 --> 00:41:08,000
your own virus, your own who
knows what, instead of writing your

492
00:41:08,000 --> 00:41:14,400
own attack tools that have signatures that
antivirus might detect, that, you

493
00:41:14,400 --> 00:41:19,880
know, are artifacts of code that
can be detected on a machine. You're

494
00:41:20,000 --> 00:41:22,960
using the tools that are already built
into Windows or Linux or whatnot. I

495
00:41:22,960 --> 00:41:28,039
mean, Linux is a treasure trove
of tools, and so if you look

496
00:41:28,079 --> 00:41:31,480
at a compromised machine, there's really
no evidence; there's nothing installed on the machine

497
00:41:31,519 --> 00:41:36,159
that shouldn't be there. If you
look at network traffic, it's the traffic

498
00:41:36,320 --> 00:41:39,679
that sort of normal allowed tools are
putting on the network, and so it's

499
00:41:40,079 --> 00:41:45,119
it's sort of more devious than average. Is it new? Well, I

500
00:41:45,119 --> 00:41:47,079
mean people have been talking about this
in the IT space for a while.

501
00:41:47,119 --> 00:41:52,599
I think it's new-ish in the
OT space. You know, something else

502
00:41:52,639 --> 00:41:58,440
that's changed that people are not tracking
is, you know, the latest Waterfall threat

503
00:41:58,440 --> 00:42:04,960
report shows that this decade, since
twenty twenty, the attack world has changed.

504
00:42:05,440 --> 00:42:08,960
We've gone from a state for a
whole decade where cyber attacks with physical

505
00:42:08,960 --> 00:42:12,960
consequences. You know, the lights
go out as in the Ukraine, or

506
00:42:13,079 --> 00:42:17,000
equipment is damaged as in the you
know, the steel mill in in Germany.

507
00:42:17,519 --> 00:42:23,079
A decade ago. These attacks used
to be sort of trickling along at

508
00:42:23,400 --> 00:42:28,079
you know, one or two or
three a year, and now we're

509
00:42:28,079 --> 00:42:30,559
starting to see what looks like exponential
increase. We went from you know,

510
00:42:30,840 --> 00:42:36,760
five in twenty nineteen to eighteen to
twenty three to fifty seven last year.

511
00:42:37,280 --> 00:42:40,639
You know, the world has changed. Is it dramatic and fast? I

512
00:42:40,639 --> 00:42:46,840
don't know, but we do have
to keep track of these. It's been

513
00:42:46,880 --> 00:42:52,159
great. Thank you for joining us. Before we let you go, can

514
00:42:52,199 --> 00:42:54,559
you sum up for us? Can you, you know, what should

515
00:42:54,599 --> 00:42:58,800
we take away? What are the
most important things to remember? If you

516
00:42:58,800 --> 00:43:01,800
know, we're either on the IT or
the engineering side, wanting to make the

517
00:43:01,880 --> 00:43:07,760
leap into OT security. Sure,
I think the main point is it doesn't

518
00:43:07,760 --> 00:43:13,760
matter if you come from IT like
myself, or if you come from an OT background

519
00:43:13,880 --> 00:43:17,199
like many of my colleagues.
It's the IT side of the house.

520
00:43:17,239 --> 00:43:21,559
It's the OT side of the house. We all live and work in the

521
00:43:21,599 --> 00:43:23,679
same house. We all want to
protect the same house. We have to

522
00:43:23,719 --> 00:43:28,519
work together to be able to do
that. You know, not everybody in

523
00:43:28,559 --> 00:43:31,920
IT wants to learn about OT and
not everybody in OT wants to learn about

524
00:43:31,920 --> 00:43:37,519
cybersecurity. So if you're one of
those people that does, and when you

525
00:43:37,679 --> 00:43:45,159
encounter others that are like you and
that do as well, learn and

526
00:43:45,320 --> 00:43:50,079
work with each other and share and
encourage each other, because it's going to

527
00:43:50,159 --> 00:43:55,719
take all of us together to protect
our very unique and critical environments. Because

528
00:43:55,760 --> 00:44:00,440
as we just touched on, you
know, just real briefly, the threat

529
00:44:00,519 --> 00:44:07,239
landscape has started to change dramatically and
it's only going to get worse from here,

530
00:44:07,599 --> 00:44:13,239
and it's going to be on all
of us to make sure that we

531
00:44:13,280 --> 00:44:19,039
protect our environments, to help ensure
right that we're protecting the world around us

532
00:44:19,239 --> 00:44:24,280
right for our families and our friends, and no matter where in the world

533
00:44:24,360 --> 00:44:28,360
we live, we're all in this
together. I always like to talk about,

534
00:44:28,360 --> 00:44:31,280
you know, protecting the world, but it does take us all

535
00:44:31,360 --> 00:44:37,400
working together. So I
appreciate you having me on the podcast,

536
00:44:37,920 --> 00:44:43,519
and I do appreciate the time for
being on the podcast. It

537
00:44:43,559 --> 00:44:49,159
was great to get to come and
talk with you and share with everybody real

538
00:44:49,239 --> 00:44:53,199
quickly. If anybody's looking for us
down the road, of course, you

539
00:44:53,199 --> 00:44:57,760
can find Fluor at fluor.com. You can check out jobs.fluor

540
00:44:57,760 --> 00:45:00,800
.com. I think we have
about thirteen hundred openings right now for IT,

541
00:45:01,199 --> 00:45:06,920
and of course OT engineering professionals all
around the world, so definitely check

542
00:45:06,960 --> 00:45:08,320
out the site there. And if
you're looking for me, you can find

543
00:45:08,320 --> 00:45:13,119
me on LinkedIn. I'm always on
LinkedIn, and you can also find my

544
00:45:13,280 --> 00:45:17,519
resources at mikeholcomb.com.
But again, reach out anytime. But

545
00:45:17,599 --> 00:45:28,000
I appreciate the time and for everybody
for listening to the episode. Andrew,

546
00:45:28,199 --> 00:45:30,960
that was your interview with Mike Holcomb. Do you have any last words that

547
00:45:31,000 --> 00:45:35,960
you'd like to take us out with
today? Sure, I mean what what

548
00:45:36,039 --> 00:45:38,679
Mike says, you know, makes perfect sense. Take training if you can afford it.

549
00:45:39,079 --> 00:45:42,800
You know, SANS or ISA or,
you know. I wasn't aware of

550
00:45:42,840 --> 00:45:49,239
the TÜV Rheinland or the exida training. Read the standards. I especially recommend

551
00:45:49,320 --> 00:45:52,880
the free NIST 800-83
that is focused on industrial systems.

552
00:45:52,880 --> 00:45:57,159
It's free, it's readable. You
know, when you have opportunity, try

553
00:45:57,159 --> 00:46:00,800
to attend some conferences, you know,
there tend to be conferences which are more

554
00:46:00,880 --> 00:46:04,559
local and more distant. You know, control your travel costs. And when

555
00:46:04,599 --> 00:46:07,679
you're at a conference, network, ask
people questions, and, you know, maybe to

556
00:46:07,719 --> 00:46:10,719
expand on that last one just a
little bit. You know. I've been

557
00:46:10,840 --> 00:46:16,119
attending conferences for over a decade because
that's part of my job. I'm a

558
00:46:16,199 --> 00:46:22,440
techie, though I struggle with networking. I had a really great networking experience

559
00:46:22,559 --> 00:46:24,880
at the ICS conference in Denmark just
a couple of weeks ago. It's been

560
00:46:25,000 --> 00:46:30,360
fifteen years, but I may finally
have figured this out. When you get

561
00:46:30,400 --> 00:46:32,239
an expert in front of you with,
you know, a beer in one hand

562
00:46:32,239 --> 00:46:36,920
and a snack in the other,
you know, yes, introduce yourself,

563
00:46:36,960 --> 00:46:40,559
ask what they do, and then
you know, from your knowledge of the

564
00:46:40,559 --> 00:46:45,559
field, ask a controversial question.
I mean I sat down with the folks

565
00:46:45,559 --> 00:46:50,719
at SektorCERT. They were at
the event in Denmark a couple of different

566
00:46:50,760 --> 00:46:53,400
times, continued the conversation on LinkedIn. You know, eventually I was bold

567
00:46:53,519 --> 00:47:02,039
enough to ask the question: this
attack targeted Danish critical infrastructure. Why was there

568
00:47:02,079 --> 00:47:07,159
no report of any other infrastructure in
the world being targeted? These firewalls that

569
00:47:07,159 --> 00:47:15,280
were exploited are used widely.
You know, the vulnerabilities were

570
00:47:15,280 --> 00:47:21,440
well known and I got a useful
answer. Now, it wasn't a clear

571
00:47:21,519 --> 00:47:25,760
answer because there's confidentiality agreements. There's
only so much these people, these experts

572
00:47:25,840 --> 00:47:30,840
can tell me. But I was
always afraid of asking people controversial questions,

573
00:47:30,400 --> 00:47:36,719
and don't be. Experts love to talk
about what they're doing. If they cannot

574
00:47:36,920 --> 00:47:40,840
tell you something, they will explain
why they cannot tell you something. And

575
00:47:42,360 --> 00:47:47,480
that context in itself was useful for
me in terms of understanding the scenario.

576
00:47:47,599 --> 00:47:51,599
So, you know, I would
encourage people to sign up to the SCADASEC

577
00:47:51,679 --> 00:47:57,519
mailing list or sign up to
the ISA SP99 Standards Committee mailing lists.

578
00:47:57,719 --> 00:47:59,800
You get a lot of stuff.
You don't have to read everything on

579
00:47:59,840 --> 00:48:02,480
the lists, but what you get
is a sense of what people argue about

580
00:48:02,599 --> 00:48:07,320
and what's controversial, so that you
have ammunition at your next, your next

581
00:48:07,320 --> 00:48:10,800
networking session. So that's my
little nugget of, you know... I had

582
00:48:12,159 --> 00:48:17,159
three really interesting, you know,
conversations networking at this event in Denmark

583
00:48:17,559 --> 00:48:22,320
by asking questions that are a little
bit controversial. Well, with that,

584
00:48:22,639 --> 00:48:25,320
thank you to Mike for speaking with
you Andrew, and Andrew, thank you

585
00:48:25,360 --> 00:48:29,480
for speaking with me. It's always
a pleasure, Nate. Thank you so much.

586
00:48:30,000 --> 00:48:34,719
This has been the Industrial Security Podcast
from Waterfall. Thanks to everyone out

587
00:48:34,719 --> 00:48:35,719
there listening.
