1
00:00:05,040 --> 00:00:09,960
NERC CIP. Non-compliance can cause fines
of up to one million dollars per day

2
00:00:10,359 --> 00:00:21,239
per violation, so that's a
lot of money. Welcome everyone to the

3
00:00:21,280 --> 00:00:25,760
Industrial Security Podcast. I'm Nate Nelson. I'm here with Andrew Ginter, the

4
00:00:25,839 --> 00:00:30,760
vice president of Industrial Security at Waterfall
Security Solutions, who's going to introduce the

5
00:00:30,800 --> 00:00:35,200
subject and guest of our show today. Andrew, how are you? I'm

6
00:00:35,320 --> 00:00:38,679
very well, thank you, Nate. Our guest today is Katherine Wagner.

7
00:00:38,759 --> 00:00:45,560
She is the VP of Industry Solutions
for Energy and Utilities at AssurX and our

8
00:00:45,640 --> 00:00:49,679
topic is compliance. I mean compliance
can be a very expensive process. We're

9
00:00:49,679 --> 00:00:53,280
going to be talking about automation.
How to automate you know, some or

10
00:00:53,320 --> 00:00:57,880
most of this compliance work so that
it doesn't cost us so much. All

11
00:00:57,960 --> 00:01:00,799
right, then, without further ado, here's our interview with Katherine.

12
00:01:03,239 --> 00:01:07,680
Hello Katherine, and welcome to the
podcast. Before we get started, can

13
00:01:07,760 --> 00:01:10,599
I ask you to say a few
words about yourself and about the good work

14
00:01:10,640 --> 00:01:14,319
that you're doing at AssurX.
Yeah, good morning, Andrew. I'm

15
00:01:14,400 --> 00:01:17,920
very happy to be here. I
am Katherine Wagner, the vice president of

16
00:01:17,959 --> 00:01:22,519
Industry Solutions for Energy and Utilities at
AssurX. So, I have a background

17
00:01:22,519 --> 00:01:29,920
in engineering and also software development
and management. I have nearly thirty years

18
00:01:29,920 --> 00:01:34,159
of experience with systems integration from the
compliance and a bunch of industries. Used

19
00:01:34,159 --> 00:01:38,120
to be a bunch of manufacturing and
now it's mostly energy. For the

20
00:01:38,159 --> 00:01:42,519
last eleven years, I've been with
AssurX helping our customers implement solutions for

21
00:01:42,640 --> 00:01:48,159
NERC and other quality and compliance related
requirements while being a product manager for our

22
00:01:48,280 --> 00:01:53,359
NERC compliance and related systems that
focus on reliability and resilience. I

23
00:01:53,439 --> 00:01:59,439
also help guide the strategic vision and
seek expansion opportunities into other regulated industries within

24
00:01:59,480 --> 00:02:04,719
the energy sector or even other critical
infrastructure sectors. And no doubt,

25
00:02:04,920 --> 00:02:07,800
AssurX has been a leader in
quality and compliance management systems for over twenty

26
00:02:07,879 --> 00:02:13,800
years. We operate in highly regulated
industries such as energy and utilities, which

27
00:02:13,840 --> 00:02:17,000
is my part of it, pharma and biotech, medical devices,

28
00:02:17,360 --> 00:02:22,240
manufacturing, and food and beverage,
and those are things I don't really deal

29
00:02:22,280 --> 00:02:25,039
with all the time, but our
company does, so thanks for that.

30
00:02:25,960 --> 00:02:30,759
We're going to be talking about compliance
management in just a minute, but I

31
00:02:30,840 --> 00:02:36,240
understand that you folks got started you
know years ago in the space of quality

32
00:02:36,360 --> 00:02:42,919
management. Are the two fields related? Yeah, Andrew, there's a natural

33
00:02:42,960 --> 00:02:47,199
evolution from one to the other.
So quality management involves things like managing documents,

34
00:02:47,719 --> 00:02:53,319
processes, procedures, issues, nonconformances, CAPAs, which are corrective and

35
00:02:53,360 --> 00:03:00,280
preventive actions,
you know, audits, suppliers, customer

36
00:03:00,360 --> 00:03:06,280
changes, risk workflows, approvals,
so all those things to meet regulatory obligations

37
00:03:06,280 --> 00:03:12,759
and optimize quality. So compliance management, you know, has similar elements but

38
00:03:12,840 --> 00:03:15,120
with a different language. That's the
way I like to think about it.

39
00:03:15,400 --> 00:03:19,520
For example, you know, in
the quality space, manufacturers must manage their

40
00:03:19,560 --> 00:03:24,080
suppliers. They have supplier risk assessments, contracts, contacts, what parts they

41
00:03:24,120 --> 00:03:29,680
supply, communications with those suppliers.
And in the utility world, we must

42
00:03:29,719 --> 00:03:34,280
manage vendors. So that requirement is
defined in CIP-013, supply chain risk management,

43
00:03:35,080 --> 00:03:38,919
but it includes things like vendor risk
assessments, vendor contacts, vendor contracts

44
00:03:39,840 --> 00:03:46,039
so the hardware, software and service
that that vendor supplies, and vendor communications.

45
00:03:46,240 --> 00:03:50,039
So it's a different terminology but very
much the same. So that makes

46
00:03:50,080 --> 00:03:53,479
sense, you know. And this
brings us to our topic, which is

47
00:03:53,599 --> 00:03:58,599
compliance management. I mean, you
know, I was introduced to the idea

48
00:03:58,680 --> 00:04:01,680
of compliance management with NERC CIP
back in the day. And of course,

49
00:04:01,759 --> 00:04:04,319
you know you're in the electric sector. You know much more about

50
00:04:04,319 --> 00:04:08,560
this than I do. Um,
can you talk a bit about NERC? You

51
00:04:08,599 --> 00:04:11,439
mean, you know, you read NERC
and it on the surface, it looks

52
00:04:11,479 --> 00:04:16,720
like any other security standard. Um, you know? But

53
00:04:17,360 --> 00:04:21,160
you know, I imagine you have
to comply with the security standard. What

54
00:04:21,160 --> 00:04:25,360
what is compliance in the NERC CIP
context? But you know what is

55
00:04:25,399 --> 00:04:28,680
what is NERC? How does this
work? So, you know, NERC

56
00:04:28,759 --> 00:04:32,759
CIP is all about cybersecurity. It's
cybersecurity as it relates to energy folks.

57
00:04:33,199 --> 00:04:38,319
So that is, you know,
making sure that you have controls so that

58
00:04:39,079 --> 00:04:44,199
your power facility or your substations and your control centers so

59
00:04:44,240 --> 00:04:46,399
that they're all secure so they're not
going to get hacked, so that the

60
00:04:46,399 --> 00:04:51,000
grid stays up ultimately, and you
know, it really involves protecting the people,

61
00:04:51,160 --> 00:04:57,600
processes, assets and data that
keep the grid running. And you

62
00:04:57,639 --> 00:05:01,560
know, the NERC CIP is really
about the cybersecurity. But compliance with the

63
00:05:01,639 --> 00:05:06,000
NERC CIP is what happens when the
auditors show up, right, you've got

64
00:05:06,000 --> 00:05:12,279
to be able to produce all the
data and evidence that those auditors want as

65
00:05:12,319 --> 00:05:15,920
it relates to the CIP standards.
So that involves this thing called the ERT,

66
00:05:15,160 --> 00:05:21,240
the Evidence Request Tool. The auditors, over recent years, have produced the spreadsheet

67
00:05:21,279 --> 00:05:25,600
so that everybody reports in the same
way. So it makes it easier both

68
00:05:25,680 --> 00:05:31,040
on the regulators and on you the
entities that are being in compliance. So

69
00:05:31,079 --> 00:05:36,680
that Evidence Request Tool people spend hours
and hours filling it out.

70
00:05:36,720 --> 00:05:42,439
It comes in two parts. So
the first part is a bunch of lists

71
00:05:42,439 --> 00:05:46,480
of data. So they list out
their sites, they list out the cyber

72
00:05:46,519 --> 00:05:49,120
assets at those sites, they list
out all the people interacting with it,

73
00:05:49,240 --> 00:05:53,920
who has access to those things,
and a couple other parameters, you know,

74
00:05:53,959 --> 00:05:58,879
physical security parameters, electronic security parameters, data storage locations, vendors and

75
00:05:59,680 --> 00:06:04,800
other things. But all that data
is supplied in lists at the first part

76
00:06:04,800 --> 00:06:10,560
of the audit. And then the
next thing that they do is the auditors

77
00:06:10,600 --> 00:06:15,079
pick sample sets from those lists,
okay, and then they request more data

78
00:06:15,319 --> 00:06:21,120
from the entities. So, you know, they have at least

79
00:06:21,120 --> 00:06:26,680
seventy five different reports that they ask
for, which is very detailed data

80
00:06:26,759 --> 00:06:31,160
on every single requirement in the
NERC CIP standards. So some examples of those,

81
00:06:31,600 --> 00:06:35,000
like, you know, was this
location commissioned or decommissioned during the audit

82
00:06:35,000 --> 00:06:39,480
period. You know, they might
want to know all of the access authorization

83
00:06:39,519 --> 00:06:44,120
records for a set of individuals,
all security patches that were released, evaluated,

84
00:06:44,199 --> 00:06:47,600
applied for a set of assets,
Evidence that the full configuration change process

85
00:06:47,720 --> 00:06:51,560
was followed for any kind of you
know, patch installation, you know,

86
00:06:53,879 --> 00:06:59,480
incidents, cybersecurity incidents, that
the response plan was followed for each incident

87
00:06:59,519 --> 00:07:03,199
that they asked you about.
So all this data is very challenging to

88
00:07:03,319 --> 00:07:06,560
organize. Um, you know,
it's not trivial at all to pick out

89
00:07:06,560 --> 00:07:12,600
this data. I've heard some horror
stories from our customers that it takes weeks

90
00:07:12,639 --> 00:07:16,160
and weeks of pulling data from different
systems. Um, you know, the

91
00:07:16,480 --> 00:07:20,120
learning management system, the HR system, the asset management system, you know,

92
00:07:20,160 --> 00:07:25,759
pulling all this data and then they
have to manually cross reference and reformat

93
00:07:25,800 --> 00:07:28,639
it so that it fits in
the ERT so that the auditors are happy.

94
00:07:30,720 --> 00:07:33,240
So Nate, let me just jump
in here. I mean, you

95
00:07:33,240 --> 00:07:40,040
you would think from listening
to Katherine's description, you know, thank

96
00:07:40,040 --> 00:07:44,040
you NERC for thoughtfully providing a spreadsheet, which is, you know, a

97
00:07:44,120 --> 00:07:46,920
template. It's got lots of tabs, one for each kind of asset,

98
00:07:46,079 --> 00:07:49,199
got all the columns of all of
the information for all the assets you got

99
00:07:49,199 --> 00:07:54,959
to put in there. You wouldn't
think that was a lot of work,

100
00:07:55,040 --> 00:07:59,000
but you know, I have personal
experience in another realm. This is a

101
00:07:59,079 --> 00:08:03,160
much simpler project. You know,
at Waterfall we just finished, I was working

102
00:08:03,160 --> 00:08:07,240
with a bunch of colleagues finishing our
annual threat report, and part of that

103
00:08:07,399 --> 00:08:13,120
process was putting a spreadsheet together of
about a hundred security incidents with about a

104
00:08:13,160 --> 00:08:20,680
dozen characteristics of each security incident and
just getting the data into what looked,

105
00:08:20,879 --> 00:08:24,040
you know, seemed like a simple
spreadsheet, seemed like a simple job.

106
00:08:24,920 --> 00:08:28,839
Just seemed to take forever. And
you know, with a NERC CIP

107
00:08:28,920 --> 00:08:33,600
spreadsheet, we're not talking a hundred
rows. We're talking, you know,

108
00:08:33,440 --> 00:08:37,519
probably five times that many for each
one of your plants. You know,

109
00:08:37,600 --> 00:08:43,799
if you've got seven hundred substations and
computers and network devices and whatever in those

110
00:08:43,120 --> 00:08:48,840
that's a lot of data. And
you know, firsthand experience you know,

111
00:08:48,879 --> 00:08:52,480
I get it now. I've
heard people complain about spreadsheets in the past,

112
00:08:52,519 --> 00:08:56,240
and having struggled with it myself for the
last several weeks, I get it

113
00:08:56,279 --> 00:09:01,240
now. You know, I
see why putting that volume of data in

114
00:09:01,240 --> 00:09:07,559
a spreadsheet is something that really
does beg automation. Okay, so there's

115
00:09:07,639 --> 00:09:09,320
there's a lot of data, and
it makes sense, you know, when

116
00:09:09,320 --> 00:09:13,080
you're dealing with large amounts of data, makes sense to automate that process.

117
00:09:13,639 --> 00:09:16,799
Um, but can I ask you
sort of a subtlety here?

118
00:09:16,279 --> 00:09:20,720
You know, the people who are
looking at automation for compliance, is the main

119
00:09:20,799 --> 00:09:24,159
motivation here? Saving money, you
know, reducing the cost of gathering all

120
00:09:24,159 --> 00:09:26,519
the data, or you know,
is there something else at work? You

121
00:09:26,559 --> 00:09:31,039
know, would a machine

122
00:09:31,120 --> 00:09:35,120
gathering of the data sort of do
a more thorough job? And I don't

123
00:09:35,120 --> 00:09:37,399
know, reduce your compliance risk somehow, the risk of an auditor saying you

124
00:09:37,399 --> 00:09:41,200
have missing data. Absolutely. You
know, companies want to save money and

125
00:09:41,240 --> 00:09:45,360
that is a huge motivator. But
there's a bunch of different aspects to that.

126
00:09:45,799 --> 00:09:48,440
You know, the first aspect is
kind of obvious. They want to

127
00:09:48,440 --> 00:09:54,480
avoid regulatory penalties, and I think
everybody in the industry

128
00:09:54,519 --> 00:09:58,720
knows that NERC CIP non-compliance can cause
fines of up to one million dollars per

129
00:10:00,519 --> 00:10:03,720
per violation. So that's a lot
of money. And there have been some

130
00:10:03,759 --> 00:10:07,480
examples in the past. You know, there was one entity that got charged

131
00:10:07,519 --> 00:10:11,919
something like, you know, ten
million dollars for cybersecurity non compliance. You

132
00:10:11,919 --> 00:10:15,960
know. The second motivation is really, you know, what is the cost

133
00:10:16,120 --> 00:10:20,279
of poor cybersecurity. And that really
says, you know, if you're not

134
00:10:20,320 --> 00:10:22,399
secure, the hackers can get in, and those hackers cost money, whether

135
00:10:22,440 --> 00:10:26,480
it's ransomware or you know, they
start controlling your equipment like they did over

136
00:10:26,559 --> 00:10:31,440
in Ukraine a couple of years ago. They can cause damages, which costs you

137
00:10:31,480 --> 00:10:35,679
know, the money to go and
fix that up. But you know,

138
00:10:35,840 --> 00:10:41,320
not just fixing the problem that
those hackers caused, but also it damages

139
00:10:41,360 --> 00:10:45,000
the utility's reputation. And that's a
really subtle cost. It's hard to put

140
00:10:45,000 --> 00:10:48,120
a finger on a number, but
it's out there. You know. The

141
00:10:48,200 --> 00:10:52,240
last thing that affects the cost and
why we want to do some of these

142
00:10:52,720 --> 00:10:58,279
better management of compliance is a desire
to reduce workload and improve efficiency. You

143
00:10:58,279 --> 00:11:03,000
know, without a good program,
people spend hours and hours preparing for audits

144
00:11:03,519 --> 00:11:07,600
and then doing compliance tasks. I've
heard over and over again over the years.

145
00:11:07,600 --> 00:11:11,000
how, you know, their users, you
know, hate doing compliance. They

146
00:11:11,000 --> 00:11:13,240
don't want to do it. They
save it to the last minute. The

147
00:11:13,320 --> 00:11:16,639
compliance team, you know, it's
hard to force them to do that work.

148
00:11:16,039 --> 00:11:18,600
If you get a system in place, then you, you know, make

149
00:11:18,639 --> 00:11:24,720
it minimal impact on the SMEs and
then the compliance team has everything in a

150
00:11:24,759 --> 00:11:30,200
central location. So I've heard
that there's been incredible savings preparing for audits

151
00:11:30,240 --> 00:11:33,720
because of having a good program.
So there's the three different ways that I

152
00:11:33,759 --> 00:11:39,240
feel that utilities are saving money with
a program, avoiding regulatory penalties, having

153
00:11:39,240 --> 00:11:43,480
good cybersecurity, and then reducing the
workload of their employees. Okay, so

154
00:11:43,960 --> 00:11:48,200
you know automation makes sense. You
know, saves money, makes the job

155
00:11:48,240 --> 00:11:52,080
more thorough, um, you know, actually makes us more secure, arguably.

156
00:11:52,840 --> 00:11:54,759
But you know it's one thing to
wave a magic wand and say let's automate

157
00:11:54,759 --> 00:11:58,039
the whole thing. Uh, you
know, it's another thing to actually do

158
00:11:58,120 --> 00:12:01,399
it. What does this automation
actually look like? You know how does

159
00:12:01,440 --> 00:12:05,159
it feel to use it? Well,
Andrew, the real goal is to make

160
00:12:05,200 --> 00:12:09,360
sure that you stay in compliance year
round, you know, not just waiting

161
00:12:09,000 --> 00:12:11,919
till the audit to go find out
if you were in compliance or not.

162
00:12:13,600 --> 00:12:16,159
You need to be able to prove
it at any point in time on short

163
00:12:16,240 --> 00:12:20,519
notice. And that's why people use
compliance management software. Now, any good

164
00:12:20,559 --> 00:12:26,960
compliance management software is going to include
features for managing the compliance data and protecting

165
00:12:26,960 --> 00:12:30,639
it so that the right people get
access to it and the wrong people stay

166
00:12:30,639 --> 00:12:37,080
out. Tracking responsibility, knowing who's
responsible for what tasks for what regulations and

167
00:12:37,120 --> 00:12:43,240
then documenting that, managing documentation and
evidence, managing risk, issue tracking,

168
00:12:43,279 --> 00:12:46,879
incident tracking, and then the mitigation
plans or corrective action plans to resolve those

169
00:12:46,919 --> 00:12:52,759
issues. Task management, and especially
important is the notifications, reminders and escalations

170
00:12:54,080 --> 00:12:58,000
so if those tasks, those compliance
tasks are not getting done or not getting

171
00:12:58,039 --> 00:13:01,679
logged into the system, that people
are reminded and people are aware and there's

172
00:13:01,759 --> 00:13:07,320
visibility to those tasks so that they
do get done on time. Audit reporting

173
00:13:07,799 --> 00:13:13,799
is you know, the output of
the compliance management system when you're dealing with

174
00:13:13,200 --> 00:13:18,320
NERC. You know, there are two
pieces to it. There's the CIP Evidence

175
00:13:18,360 --> 00:13:20,600
Request tool that I talked about earlier
for all that CIP data. But then

176
00:13:20,600 --> 00:13:26,639
there's also the management of the
RSAWs, which the other

177
00:13:26,000 --> 00:13:31,519
NERC standards have to do. These
RSAWs, they're Reliability Standard Audit

178
00:13:31,519 --> 00:13:37,720
Worksheets, and they're really filling in a
narrative and listing out the evidence that they've

179
00:13:37,720 --> 00:13:41,559
collected to meet that requirement. And
those are time consuming. So software will

180
00:13:41,559 --> 00:13:46,360
help pull that data together and help
you report on it when it's necessary.

181
00:13:48,200 --> 00:13:50,399
Okay, so there's a lot
of stuff that needs automation. But how

182
00:13:50,399 --> 00:13:54,720
do you actually do the automation?
I mean, you know these records,

183
00:13:54,200 --> 00:13:58,200
do you pull them from I don't
know, the brains of the PLCs or

184
00:13:58,320 --> 00:14:00,960
do you, you know? How do
you, you know?

185
00:14:00,960 --> 00:14:05,679
What does automation actually do
in terms of gathering and organizing the data

186
00:14:05,720 --> 00:14:09,200
for you. There's a lot of
different ways that automation can help you,

187
00:14:09,279 --> 00:14:11,960
and there's a lot of different forms
that that can take. Let's look at

188
00:14:13,000 --> 00:14:16,639
an example. Okay, so
one of the requirements says that you have

189
00:14:16,720 --> 00:14:22,559
to verify at least once every calendar
quarter that the individuals with active electronic access

190
00:14:22,919 --> 00:14:28,679
or unescorted physical access have authorization records, so you're comparing you know what they

191
00:14:28,720 --> 00:14:33,799
have access to based on access lists
to, you know, what they've been authorized

192
00:14:33,799 --> 00:14:37,159
to do. So that might really
involve two different systems, well many different

193
00:14:37,200 --> 00:14:45,960
systems because they have access to many
different networks or OT devices or you

194
00:14:45,960 --> 00:14:50,320
know, IT devices and so on,
and you know the access card system to

195
00:14:50,320 --> 00:14:54,919
get into different areas of the plant. So you can set

196
00:14:54,000 --> 00:14:58,480
up the automation to help with that
in a couple different ways. So one

197
00:14:58,519 --> 00:15:01,240
of those is a very manual way, if you set up some sort of

198
00:15:01,240 --> 00:15:05,240
a scheduled task that once a quarter
somebody is going to be required to remember

199
00:15:05,279 --> 00:15:09,919
to go out and pull the asset
lists manually from the devices and then pull

200
00:15:09,960 --> 00:15:16,759
the authorization you know information from that
system, and then manually compare those two

201
00:15:16,759 --> 00:15:20,759
lists together and look for any
anomalies. So that's awfully manual, but

202
00:15:20,840 --> 00:15:24,960
it is automated because they're automating that
task every quarter. You could also set

203
00:15:24,039 --> 00:15:28,399
up something that you know, you
have a quarterly task initiated, but it

204
00:15:28,480 --> 00:15:33,399
uses integration to automatically pull that data
from the various networks and other software out

205
00:15:33,440 --> 00:15:37,799
there or the devices themselves to get
those asset lists, you know, and

206
00:15:37,879 --> 00:15:41,720
automatically pull the data from you know, whatever is tracking the authorization records.

207
00:15:43,519 --> 00:15:46,360
And then either you could have a
person do the comparison between the two now

208
00:15:46,360 --> 00:15:52,360
that they've automatically got the information,
or maybe you're clever enough to put together

209
00:15:52,440 --> 00:15:56,000
some sort of, you know, computer program to do the comparison and

210
00:15:56,080 --> 00:16:02,159
perform that validation automatically as well.
The last way that I can see,

211
00:16:03,120 --> 00:16:07,039
the last good example I have of setting
up automation to help you out, is

212
00:16:07,679 --> 00:16:12,879
setting up a daily feed or daily
pulling of information from those other sources,

213
00:16:14,480 --> 00:16:19,360
pulling it into the compliance management software
so that you always have the ability to

214
00:16:19,399 --> 00:16:23,879
report on or see the two different
things and make that validation. And you

215
00:16:23,919 --> 00:16:29,159
could even go further than that and
set up controls so that the system can

216
00:16:29,240 --> 00:16:33,679
detect some discrepancy between the two and
it can alert on it, send out

217
00:16:33,759 --> 00:16:37,080
emails, or show it up on
a dashboard, or even initiate other tasks

218
00:16:37,080 --> 00:16:41,480
and workflows to get that accomplished.
So, you know, that's a good

219
00:16:41,480 --> 00:16:45,320
example of a couple of different ways
that you can do automation within the NERC

220
00:16:45,399 --> 00:16:49,159
CIP environment, and I have a
list of examples here, things like you

221
00:16:49,200 --> 00:16:53,679
know, polling the network for asset
lists and open ports, querying assets for

222
00:16:53,720 --> 00:16:59,000
baseline information, connecting to an HR
system to get your up to date employee

223
00:16:59,000 --> 00:17:02,799
information, you know on the learning
management system to get your training information,

224
00:17:03,200 --> 00:17:07,400
patch discovery services to obtain patch information, and then things like scheduling document review

225
00:17:07,400 --> 00:17:11,559
and evidence collection tasks. So a
number of different ways to leverage automation.

226
00:17:15,039 --> 00:17:18,759
In the beginning of the industrial security
revolution, engineers were told to use IT

227
00:17:19,200 --> 00:17:23,880
security principles, protect the information.
We were told. We knew this was

228
00:17:23,920 --> 00:17:27,519
a poor fit, but it was
all we had. Today. The top

229
00:17:27,559 --> 00:17:33,759
security priority at industrial sites is safety. Don't kill anyone, don't cause an

230
00:17:33,839 --> 00:17:40,960
environmental disaster. And the second priority
is reliability. Do not shut down our

231
00:17:41,000 --> 00:17:47,960
factory or infrastructure. Today, safe
and reliable operations use unhackable protections from cyber

232
00:17:48,039 --> 00:17:52,519
risks, not just cyber security.
For a deeper look at the evolution of

233
00:17:52,559 --> 00:17:57,559
the revolution, we invite you to
download Waterfall's report on the Emerging Consensus for

234
00:17:57,680 --> 00:18:03,680
Industrial Security engineering. You can access
the report at the Waterfall website, Waterfall,

235
00:18:03,920 --> 00:18:10,400
dash Security dot com, slash Engineering, dash Consensus, or just go

236
00:18:10,480 --> 00:18:15,720
to the resources menu and click on
white papers and ebooks. So, Andrew,

237
00:18:15,759 --> 00:18:21,079
it sounds like luckily a lot of
this long and arduous process can be

238
00:18:21,359 --> 00:18:26,039
automated. But is there anything outside
of the scope here? Like, what do

239
00:18:26,079 --> 00:18:30,440
you still really need to do by
hand? That's a good question. There's

240
00:18:30,519 --> 00:18:33,799
there's a couple of answers to it
in terms of what's possible today and what

241
00:18:34,000 --> 00:18:38,599
could be possible in the future.
Let's take you know, just a simple

242
00:18:38,680 --> 00:18:44,599
rule. There's a requirement to change
passwords every I don't know, twelve months

243
00:18:44,680 --> 00:18:49,920
or eighteen months or something like this. And, you know, if

244
00:18:49,920 --> 00:18:53,680
a PLC even has a password.
But you know, network switches have passwords,

245
00:18:53,839 --> 00:18:57,799
firewalls have passwords. A lot of
gear nowadays has passwords. May not

246
00:18:57,839 --> 00:19:02,599
be per user, maybe shared,
but still a password is a password, and

247
00:19:02,960 --> 00:19:04,319
you know, if it exists in
the CIP world, it has

248
00:19:04,319 --> 00:19:11,279
to be changed periodically. Um,
it's one thing to ask the question of

249
00:19:11,319 --> 00:19:15,880
the device. You know, do
you have a password? Who's got

250
00:19:15,880 --> 00:19:19,400
accounts? You know, list the
accounts on the device that you know that

251
00:19:19,400 --> 00:19:25,319
that's sort of a more common feature
of devices that you're able to figure that

252
00:19:25,359 --> 00:19:29,640
out. But you know, trying
to figure out when did the password change?

253
00:19:29,640 --> 00:19:33,160
I mean, does the device even
keep track of when the password changed

254
00:19:33,200 --> 00:19:36,839
the last time? It's not even
something you can ask the device. So

255
00:19:37,200 --> 00:19:42,400
you know, some of the data,
you know, is some of the data

256
00:19:42,440 --> 00:19:45,599
there? Some of the data
you just have to keep track of

257
00:19:45,640 --> 00:19:48,920
manually. You've got to make a
note in your compliance tool or something saying

258
00:19:48,920 --> 00:19:53,880
I changed the password because the device
can't tell you when things happened, when

259
00:19:55,000 --> 00:19:57,000
was the last patch applied? You
might be able to ask the device which

260
00:19:57,000 --> 00:20:03,640
patches are applied, but can you
ask it when they were applied? So you

261
00:20:03,640 --> 00:20:06,319
know, that's a long way of
saying, you know some of it you

262
00:20:06,359 --> 00:20:08,480
can automate. Some of it you
have to keep track of yourself in your

263
00:20:08,519 --> 00:20:11,960
system. You can either keep track
of it on a sticky note, you

264
00:20:11,000 --> 00:20:15,400
can keep track of it in a
software system. But down the road,

265
00:20:15,160 --> 00:20:18,799
you know, it seems to me
that all of this stuff can be automated

266
00:20:18,799 --> 00:20:22,640
in the long run. Now you
might need the cooperation of the device vendors,

267
00:20:23,000 --> 00:20:27,480
you might need to upgrade the versions
in the device vendors. It seems

268
00:20:27,480 --> 00:20:33,000
to me there's sort of nearly infinite
opportunity to like innovate and create new software

269
00:20:33,039 --> 00:20:37,200
to simplify this process here. And
you know, it strikes me that over

270
00:20:37,240 --> 00:20:42,680
time you're going to see more and
more of that happen because there's just so

271
00:20:42,759 --> 00:20:49,240
much money being spent by the electric
utilities on this compliance task. And if

272
00:20:49,279 --> 00:20:55,000
they're spending the money doing it manually, you know they are open to spending

273
00:20:55,119 --> 00:21:00,440
less money getting it automated, and
you know, spending more money on automation

274
00:21:00,640 --> 00:21:03,799
on you know, newer versions of
devices that keep track of some of this

275
00:21:03,799 --> 00:21:08,799
stuff automatically, newer versions of automation
tools that can poll the data from devices.

276
00:21:10,079 --> 00:21:11,720
So it sounds to me like it's
an area that's sort of ripe

277
00:21:11,799 --> 00:21:18,039
for innovation. So that's a lot
of stuff that a compliance manager could

278
00:21:18,079 --> 00:21:22,960
do. And you folks produce these
products. You know, you

279
00:21:22,079 --> 00:21:27,200
sell a compliance manager for NERC CIP among others. Can you

280
00:21:27,279 --> 00:21:32,680
talk about you know sort of not
just you know, what does your stuff

281
00:21:32,680 --> 00:21:33,839
do, but in a sense how
does it do it? I mean,

282
00:21:34,599 --> 00:21:38,200
you know, if I say yes, I'll take three of the AssurX things.

283
00:21:38,680 --> 00:21:41,839
What am I buying you know,
seats in the cloud or you know,

284
00:21:41,920 --> 00:21:45,839
agents that snuggle up to the
PLCs to gather data. What does

285
00:21:45,839 --> 00:21:51,920
your system look like? Yeah,
so, you know, AssurX software. We do

286
00:21:52,000 --> 00:21:56,759
have cloud options and on premise options. I will say that most of the

287
00:21:56,799 --> 00:22:00,480
NERC entities that use our software have
it on premise due to the sensitive

288
00:22:00,559 --> 00:22:04,240
nature of the data that they're trying
to manage, and it is probably a

289
00:22:04,279 --> 00:22:10,119
little bit easier to secure the integration
with those third party devices and so on

290
00:22:10,480 --> 00:22:15,759
and other software if you're all on
premise. So what does it look like?

291
00:22:15,960 --> 00:22:19,599
So we have a user interface which
is browser based, and behind there

292
00:22:19,640 --> 00:22:25,400
there's a database and a server.
You can configure those in all different architectures

293
00:22:25,440 --> 00:22:29,599
so that you have load balancing and
failover and all sorts of things.

294
00:22:29,799 --> 00:22:33,799
We typically have things like a development
environment, a testing environment, and a

295
00:22:33,839 --> 00:22:38,200
production environment. And our software.
We have the AssurX platform, which has

296
00:22:38,200 --> 00:22:44,279
all the features to create solutions,
any solutions, whether they're energy solutions or

297
00:22:44,799 --> 00:22:48,960
life sciences and manufacturing solutions. That
platform gives you the ability to create unlimited

298
00:22:49,039 --> 00:22:53,160
dashboards and forms, has the security, has the database layer, and it

299
00:22:53,200 --> 00:22:57,160
does all the code or has all
the code in it. Everything that you

300
00:22:57,200 --> 00:23:00,480
do with AssurX is point and
click, drag and drop, easily configurable, et

301
00:23:00,519 --> 00:23:06,359
cetera, et cetera, and then
we use those features on our platform to

302
00:23:06,480 --> 00:23:11,839
create the whole suite of these NERC
compliance management solutions. So we we call

303
00:23:11,880 --> 00:23:15,960
that ECOS, AssurX Energy Compliance System, and that is a full suite of

304
00:23:17,000 --> 00:23:22,839
solutions that does both the O&P NERC
compliance management and the CIP compliance management,

305
00:23:22,279 --> 00:23:25,640
and then it can be extended to
do a bunch of other things as well.

306
00:23:26,279 --> 00:23:30,359
So what our customers do is they
install the you know, they get

307
00:23:30,359 --> 00:23:34,359
the platform installed, then they load
up our solutions. Some of them focus

308
00:23:34,440 --> 00:23:37,559
in one area, some of them
focus in a different area. We provide

309
00:23:37,559 --> 00:23:42,119
all of them, and then the
customers configure our system. Our

310
00:23:42,200 --> 00:23:48,680
AssurX system is highly configurable, and
you know they adapt the forms and the

311
00:23:48,720 --> 00:23:52,960
workflows to meet their needs. Okay, So and that's where you can do

312
00:23:53,079 --> 00:23:56,480
all of it without integration. You
know, human is interacting with things.

313
00:23:56,559 --> 00:24:00,920
Tasks are assigned to humans to go
and do things, or you can start

314
00:24:00,920 --> 00:24:06,480
plugging in that integration to pull the
data and interact with all the third party

315
00:24:06,480 --> 00:24:11,640
software. So you know that ECOS
solution is focused on NERC compliance and all

316
00:24:11,640 --> 00:24:15,599
their compliance management aspects. And I
do want to say that, you know,

317
00:24:15,640 --> 00:24:19,160
we're expanding our offerings so not only
to do with NERC CIP, but

318
00:24:19,920 --> 00:24:25,960
things like the TSA pipeline security directives. You know a lot of our customers

319
00:24:26,039 --> 00:24:30,519
are you know, energy customers,
but they also do gas and that makes

320
00:24:30,519 --> 00:24:36,920
the gas pipeline very applicable. And
those TSA regulations are similar enough to the

321
00:24:36,960 --> 00:24:41,440
NERC CIP regulations that our existing solutions
can be easily adapted to meet those needs.

322
00:24:41,839 --> 00:24:45,160
And of course after we do that, you know, then there's the

323
00:24:45,880 --> 00:24:49,640
It probably makes it easy to expand
into like the ner or the TSA,

324
00:24:49,880 --> 00:24:57,559
the rail and the airport directives since
they're similar as well. In this episode

325
00:24:57,640 --> 00:25:03,519
we're talking about these specialties you know, energy um, when you talk about

326
00:25:03,640 --> 00:25:11,000
NERC CIP, but what about other
industries? Andrew, Yeah, you know,

327
00:25:11,720 --> 00:25:15,000
you might imagine that, you know, NERC CIP is what, twelve or

328
00:25:15,119 --> 00:25:19,359
fifteen documents by now with a lot
of detail in them. You might imagine

329
00:25:19,359 --> 00:25:23,000
that if you have sort of a
compliance system set up for NERC CIP,

330
00:25:23,079 --> 00:25:27,839
you could use the same system for
you know, other industries, because you

331
00:25:27,839 --> 00:25:33,519
know, if you've already got fifteen
standards in the NERC package, is that

332
00:25:33,599 --> 00:25:38,519
not everything you might need for everyone? And the answer's no. I mean

333
00:25:38,599 --> 00:25:44,799
the the TSA, you know,
like six weeks after the Colonial incident came

334
00:25:44,839 --> 00:25:51,279
out with a new security directive for
pipelines and it was only I don't know,

335
00:25:52,119 --> 00:25:53,279
you know, it was as long
as one or two of the NERC

336
00:25:53,400 --> 00:25:56,759
of the fifteen NERC standards put together, so it was like only a fraction

337
00:25:56,799 --> 00:26:03,880
of NERC, but still it covered
different stuff. Concrete example, it it

338
00:26:03,000 --> 00:26:07,240
talked about dependencies. It said,
if your OT system depends on your IT

339
00:26:07,599 --> 00:26:12,759
system, then you have to get
rid of those dependencies. And if you

340
00:26:12,799 --> 00:26:15,359
can't get rid of them, you
have to document them, you have to

341
00:26:15,400 --> 00:26:19,279
report them to the TSA, because
every one of those dependencies means that if

342
00:26:19,319 --> 00:26:25,000
you cripple the IT network and you
cripple the systems OT depends upon,

343
00:26:25,680 --> 00:26:30,640
then you've crippled the OT system because
the OT system needs the crippled IT systems

344
00:26:30,640 --> 00:26:33,160
to work. None of those words
exist in NERC CIP. This is sort

345
00:26:33,160 --> 00:26:37,000
of a new concept in the TSA. You know, in spite of the

346
00:26:37,279 --> 00:26:42,599
NERC CIP documents being much bigger than
the TSA document, that might beg the

347
00:26:42,680 --> 00:26:51,839
question if we have these characteristically different
regulatory needs and standards and whatnot. Are

348
00:26:52,279 --> 00:26:56,319
they equally or more or less automatable, you know, like for talking about

349
00:26:57,519 --> 00:27:03,759
power versus water treatment or whatever.
Would Cathy's kind of approach work in an

350
00:27:03,839 --> 00:27:08,759
equivalent way elsewhere? And that's a
good question, And in fact I asked

351
00:27:08,839 --> 00:27:11,960
Cathy that question, so you know, let's let's go back to her and

352
00:27:12,559 --> 00:27:18,519
see what she says. And you
did mention the the TSA directive, And

353
00:27:18,559 --> 00:27:22,920
I mean, I've I've been looking
at the TSA directives over the last several

354
00:27:22,920 --> 00:27:27,279
weeks. They seem very different from
NERC CIP. I mean, they're they're

355
00:27:27,359 --> 00:27:33,039
structured differently. You know, the
the TSA directive has, for instance,

356
00:27:33,119 --> 00:27:37,200
a section in the requirements that says, your goal as a pipeline operator is

357
00:27:37,279 --> 00:27:42,279
to keep the pipeline running at necessary
capacity, even if the IT network is

358
00:27:42,680 --> 00:27:47,200
crippled. And you know, they
don't define necessary as to whom it means,

359
00:27:47,200 --> 00:27:49,599
you know, necessary to the business
or necessary to the society. You know,

360
00:27:49,640 --> 00:27:52,880
a lot of these pipelines are critical
infrastructure. You don't have to keep

361
00:27:52,880 --> 00:27:57,640
it running at full capacity. At
necessary capacity, I'm going how can you

362
00:27:57,640 --> 00:28:00,279
you know, how can you audit
against it, but you know, I look

363
00:28:00,279 --> 00:28:04,799
at the thing and it has that's
sort of a high level requirement, and

364
00:28:04,839 --> 00:28:08,640
then it's got a bunch of much
more specific requirements that seem sort of much

365
00:28:08,680 --> 00:28:15,000
more auditable. Can you talk about
you know, this seems like a fairly

366
00:28:15,000 --> 00:28:18,440
different animal from NERC CIP. Can you
talk about what can you track in that

367
00:28:18,480 --> 00:28:22,079
space? Well, Andrew, I
want to say that we're not trying to

368
00:28:22,079 --> 00:28:26,599
control the OT or the IT network
or any of the devices that operate on

369
00:28:26,599 --> 00:28:29,759
it. You know, we're really
focused on pulling in and gathering that data

370
00:28:29,839 --> 00:28:33,839
that we're gonna need for compliance purposes. And we also are able to coordinate

371
00:28:34,000 --> 00:28:40,039
activities that may result from the interruption
to the network or even just some changes

372
00:28:40,079 --> 00:28:44,880
to the network like firmware updates and
security patches and access changes so on.

373
00:28:45,839 --> 00:28:49,359
You know, among other things,
the TSA Security Directive mandates that you must

374
00:28:49,480 --> 00:28:55,519
have a Cybersecurity Incident Response Plan.
Okay, this is very similar to CIP-008,

375
00:28:55,559 --> 00:28:59,960
which is the Cybersecurity Incident
Reporting and Response Planning, So same idea,

376
00:29:00,039 --> 00:29:02,599
and you have to have a plan
for dealing with things. Both of

377
00:29:02,640 --> 00:29:07,599
them require an updated, up-to-date,
documented plan for responding to cybersecurity

378
00:29:07,599 --> 00:29:11,240
incidents. You know, that includes
the procedures for what needs to happen,

379
00:29:11,880 --> 00:29:15,720
but it also includes the roles and
responsibilities of all the people that are going

380
00:29:15,759 --> 00:29:21,119
to be dealing with those incidents,
and then of course notifications to whoever needs

381
00:29:21,160 --> 00:29:23,200
to be notified after the incident.
I want to end with you know,

382
00:29:23,200 --> 00:29:26,839
CIP is a little bit more prescriptive
in that it says within ninety days you

383
00:29:26,880 --> 00:29:32,200
must document the lessons learned from the
incident and then update the plan accordingly, making

384
00:29:32,240 --> 00:29:34,839
sure that each person who has a
role in the plan is notified of those

385
00:29:34,920 --> 00:29:38,960
updates. Well, thank you,
Katherine, this has been great. Before

386
00:29:38,960 --> 00:29:41,920
we let you go, can you
sum up for us? I mean,

387
00:29:41,960 --> 00:29:47,480
what's what's the most important thing to
remember about the world of compliance automation.

388
00:29:48,319 --> 00:29:52,279
Well, compliance automation, especially with
cybersecurity things like NERC CIP, it's challenging.

389
00:29:52,440 --> 00:29:56,200
There's a ton of data to coordinate, there's a ton of people to

390
00:29:56,279 --> 00:30:02,400
coordinate, and it makes sense to
automate those tasks and gathering up that data.

391
00:30:02,799 --> 00:30:06,519
Anytime you can take the human element
out of it, you're you're improving

392
00:30:06,599 --> 00:30:08,480
things. Um. So we do, of course have the software to help

393
00:30:08,519 --> 00:30:15,000
you with that. If you'd like. We also have experienced people that you

394
00:30:15,000 --> 00:30:18,279
know, we've worked in a lot
of different industries to help with quality and

395
00:30:18,319 --> 00:30:22,240
compliance. So please, you know, reach out to us. Our website, of

396
00:30:22,279 --> 00:30:29,359
course, is www.assurx.com,
and then you can always reach

397
00:30:29,400 --> 00:30:33,240
out to me on LinkedIn if you
want. I'd love to hear from people

398
00:30:33,960 --> 00:30:37,880
and talk about how we can help
solve your problems. So thank you Andrew

399
00:30:37,920 --> 00:30:40,480
for having me here today on your
podcast. I really enjoyed it. It's

400
00:30:40,519 --> 00:30:45,279
been a lot of fun. All
right, Andrew, that was your interview

401
00:30:45,279 --> 00:30:48,599
with Katherine. Is there anything that
you can take us out with today.

402
00:30:49,000 --> 00:30:56,039
Yeah. I mean I remember seeing
the very beginning of the compliance automation space

403
00:30:56,079 --> 00:31:00,680
when I was at Industrial Defender over
a decade ago, and you know,

404
00:31:00,720 --> 00:31:03,960
I have to confess that at the
time, I really did not recognize sort

405
00:31:03,960 --> 00:31:08,000
of the business opportunity that the space
you know represented. You know, I

406
00:31:08,039 --> 00:31:14,039
thought the big challenge back then was
designing the security system, making things secure

407
00:31:14,039 --> 00:31:18,359
and not proving that you're following the
policy that you've set up. I thought,

408
00:31:18,400 --> 00:31:22,599
you know, that's I just I
was dismissive of it, I recall

409
00:31:22,079 --> 00:31:26,799
as a younger man, but you
know, this space, to me,

410
00:31:26,920 --> 00:31:30,720
is not going to go away.
This is a space that you're just going

411
00:31:30,759 --> 00:31:36,640
to see more and more demand for
as regulations increase, as the cyber threat

412
00:31:36,680 --> 00:31:40,559
environment gets worse, We're probably going
to see more and more governments all over

413
00:31:40,640 --> 00:31:44,880
the world issuing more and more regulations. And I'm sorry, they're all going

414
00:31:44,920 --> 00:31:49,279
to be a little bit or a
lot different, but you know, every

415
00:31:49,279 --> 00:31:53,400
one of them, every regulation is
going to demand that you prove that you've

416
00:31:53,440 --> 00:31:57,119
complied with the regulation. And you
know, as I said, it's not

417
00:31:57,160 --> 00:32:00,680
just a matter of sort of housekeeping. Get you know, put put some

418
00:32:00,720 --> 00:32:05,519
automation in there so that you can
get rid of the horrible spreadsheets. But

419
00:32:05,680 --> 00:32:09,880
there's opportunities to gather the data automatically
from a huge variety of IT systems,

420
00:32:09,960 --> 00:32:15,000
of industrial systems. You know,
this to me sounds like a space with

421
00:32:15,400 --> 00:32:22,200
a lot of opportunity because businesses are
going to spend money on reducing their need

422
00:32:22,440 --> 00:32:27,079
to spend labor and money, you
know, doing the stuff manually. So

423
00:32:28,279 --> 00:32:31,359
you know, I think this is
an industry, a piece of the

424
00:32:31,400 --> 00:32:36,119
industry that's got a bright future ahead
of it. All right, Well with

425
00:32:36,240 --> 00:32:38,960
that, thanks to Katherine Wagner for
speaking with you, Andrew, and Andrew

426
00:32:39,039 --> 00:32:43,200
as always, thanks for speaking with me. It's my pleasure. Thank you, Nate.

427
00:32:43,799 --> 00:32:47,519
This has been the Industrial Security podcast
from Waterfall. Thanks to everybody out

428
00:32:47,519 --> 00:32:49,440
there listening.
