1 00:00:06,360 --> 00:00:12,400 We have to apply a mix of different technologies, including cyber technologies, to 2 00:00:12,560 --> 00:00:27,320 begin shaving off our common fool product. Welcome everyone to the Industrial Security Podcast. 3 00:00:27,440 --> 00:00:31,199 My name's Nate Nelson. I'm here with Andrew Ginter, the vice president 4 00:00:31,280 --> 00:00:36,280 of Industrial Security at Waterfall Security Solutions, who's going to introduce the subjects in 5 00:00:36,359 --> 00:00:40,359 guests of our show today. Andrew, how are you? I'm very well, 6 00:00:40,359 --> 00:00:44,039 Thank you, Nate. Our guest today is Leo Simanovich. He is 7 00:00:44,119 --> 00:00:51,039 the vice president and global head of Industrial cyber and Digital Security at Siemens Energy, 8 00:00:51,679 --> 00:00:55,679 and our topic is AI in the energy transition. You know, the 9 00:00:55,799 --> 00:01:00,840 energy transition is decarbonization, AI and industrial security. When we're looking at the 10 00:01:00,960 --> 00:01:07,200 energy transition, then, without further Ado, here's your interview with Leo. 11 00:01:08,920 --> 00:01:12,359 Hello Leo, and welcome to the podcast. Before we get going, can 12 00:01:12,400 --> 00:01:15,840 I ask you to say a few words about yourself and about the good work 13 00:01:15,879 --> 00:01:19,959 that you're doing at Siemens Energy. Andrew, it's great to be with you. 14 00:01:21,319 --> 00:01:26,280 Thanks so much for the opportunity at SEAMS Energy. I leave the industrial 15 00:01:26,280 --> 00:01:33,200 cyber practice and I've spent building I've spent about ten years building this business. 16 00:01:33,359 --> 00:01:40,359 It's been a wild ride a lot has change in the space and we've innovated 17 00:01:40,799 --> 00:01:47,200 brought awesome products to market. And before that I was with a large consulting 18 00:01:47,280 --> 00:01:53,560 firm was Alan Hamilton, where I did cyber risk analytics for large utilities. 19 00:01:53,200 --> 00:02:02,719 Semens Energy has been on the journey. We became a standalone energy technology company 20 00:02:02,799 --> 00:02:12,039 covering the energy value chain as a spin out of larger Semens and we're hyper 21 00:02:12,080 --> 00:02:16,919 focused on the energy transition and at the core of that transition is the need 22 00:02:16,960 --> 00:02:29,159 to decarbonize, digitize and decentralize and that is all enabled by digital technologies and 23 00:02:29,240 --> 00:02:37,439 of course getting cybersecurity right. So we as a company have built a practice 24 00:02:37,879 --> 00:02:44,199 focused on operational technologies and industrial cyber and it is a practice that helps our 25 00:02:44,240 --> 00:02:52,159 customers get a better handle on their industrial cyber programs and it helps them get 26 00:02:52,159 --> 00:03:00,719 a better undertanding of their risk and helps them ultimately reduce their risks. It 27 00:03:00,800 --> 00:03:07,520 is just too important If we don't get it right, the consequences for the 28 00:03:07,599 --> 00:03:12,280 environment but also for operations and abilities to deliver energy or just too great. 29 00:03:13,360 --> 00:03:20,439 Our topic today is artificial intelligence and of course industrial security in the energy transition. 30 00:03:20,840 --> 00:03:23,400 Can you start us at the beginning, I mean everybody vaguely understands the 31 00:03:23,879 --> 00:03:28,919 need to decarbonize. What does you know? What does the energy transition mean 32 00:03:29,000 --> 00:03:34,879 to you and to you folks, For us as a company and for me 33 00:03:35,520 --> 00:03:43,280 personally, it is an existential challenge. We talk about they need to decarbonize, 34 00:03:43,319 --> 00:03:46,639 and the abstract we know that we need to reduce our combitenty for the 35 00:03:46,680 --> 00:03:51,840 print. What does that really mean? Well, we have a world out 36 00:03:51,840 --> 00:03:57,719 there that's pretty complex. You got a bunch of old stuff that is agent 37 00:03:58,479 --> 00:04:04,759 and it's built on fossil generation. You have renewables, and then of course 38 00:04:04,800 --> 00:04:15,560 you have the push to electrify everything. And what that means is that we 39 00:04:15,719 --> 00:04:23,600 have to apply a mix of different technologies, including cyber technologies, to begin 40 00:04:24,279 --> 00:04:29,759 shaving off our cove and for predut so we work with customers to help them 41 00:04:29,839 --> 00:04:34,120 rationalize what they do with their existing fleets and how they can maximize efficiency, 42 00:04:35,279 --> 00:04:43,879 how they can install additional capacity that is cleaner, and ultimately innovative technologies like 43 00:04:43,959 --> 00:04:47,839 hydrogen that are going to be groundbreaking. It's an above kind of it's an 44 00:04:47,839 --> 00:04:54,279 all of the above approach that we need to take to go after this problem, 45 00:04:54,560 --> 00:04:59,279 and it really requires a partnership between us and our customers. So that 46 00:04:59,319 --> 00:05:01,519 makes sense sort of in the abstract. Can you give me some examples. 47 00:05:01,519 --> 00:05:05,879 What what kind of you know, physical technology systems are are you folks working 48 00:05:05,879 --> 00:05:12,120 with? Yeah. The way to think about it is by looking at different 49 00:05:12,120 --> 00:05:16,800 parts of the energy value chain. So there's all in gas, there's power 50 00:05:16,800 --> 00:05:24,199 generation, and then there's the transport and of course distribution of energy. This 51 00:05:24,360 --> 00:05:30,560 oil oil and gas or it's electricity. We play in all in all the 52 00:05:30,879 --> 00:05:38,000 parts of the of the energy value chain. UH in upstream where oil gets 53 00:05:38,000 --> 00:05:42,879 taken out of the ground, we need to do a better job of not 54 00:05:43,360 --> 00:05:48,399 releasing carbon into the atmosphere and there one of the big challenges, of course 55 00:05:48,480 --> 00:05:54,800 is the flaring of gas. The other is what happens with on site power 56 00:05:54,879 --> 00:06:01,720 generation. So our technologies help capture carbon also produce on site generation, so 57 00:06:01,759 --> 00:06:08,040 we're not we're not burning burning diesel fuel. For example, we can install 58 00:06:09,439 --> 00:06:14,040 you know, small small wind micro grids UH that can produce energy right there 59 00:06:14,040 --> 00:06:21,600 on site. We can combine UH an offshore platform with UH with with with 60 00:06:21,720 --> 00:06:28,959 wind together and we do that in the north Sea in in midstream. Of 61 00:06:28,959 --> 00:06:36,000 course, it's it's about a more efficient way of transporting right and delivering electricity 62 00:06:36,600 --> 00:06:43,480 and oil and gas. And there we've gotta we are delivering next generation compression 63 00:06:43,480 --> 00:06:50,079 equipment and ultimately, you know, energy's gotta get to homes, and we 64 00:06:50,480 --> 00:06:57,800 have to have a grid that doesn't lose power as as that electricity gets gets 65 00:06:57,839 --> 00:07:06,680 transported. So we deliver software, We delivered transformers, and we deliver metering 66 00:07:06,680 --> 00:07:15,120 equipment to help our customers utilize their electricity in a in a more efficient way. 67 00:07:15,839 --> 00:07:20,560 So you know, when the sun shines, it's great, and you 68 00:07:20,600 --> 00:07:26,120 know, we we can deliver electricity straight to homes and the wind blows. 69 00:07:27,079 --> 00:07:31,920 But sometimes you know, uh, the weather doesn't just doesn't cooperate. So 70 00:07:32,920 --> 00:07:40,680 we uh, you know, we have capture electricity through storage by applying the 71 00:07:40,720 --> 00:07:46,319 latest and greatest battery battery applications to help capture electricity in using when it's needed 72 00:07:46,360 --> 00:07:55,879 most something that surprised me in Leo's answer. I had assumed that Semen's energy 73 00:07:56,000 --> 00:08:00,920 was all about, you know, the power grid and windmills and solar panels 74 00:08:00,959 --> 00:08:05,680 and and you know it is all that. But the examples that that he 75 00:08:05,720 --> 00:08:09,680 gave here were also in oil and gas. You know, oil doesn't it 76 00:08:09,839 --> 00:08:16,040 isn't found in convenient locations. It's found generally far away and you know, 77 00:08:16,160 --> 00:08:18,160 off the grid, and so you need power out there. So you know, 78 00:08:18,199 --> 00:08:24,079 they're talking about about windmills and solar panels and whatnot out in the boonies 79 00:08:24,199 --> 00:08:28,079 to support these remote installations in addition to you know, all of sort of 80 00:08:28,120 --> 00:08:33,399 the the expected. So it was it was broader than I expected. Our 81 00:08:33,440 --> 00:08:37,600 topic is AI and eventually industrial security in the energy transition. Can you talk 82 00:08:37,600 --> 00:08:41,360 about AI? I mean there's you know, chat GPT has been all the 83 00:08:41,399 --> 00:08:45,639 buzz. I have a chat GPT account myself. I've been playing with it. 84 00:08:45,679 --> 00:08:48,720 Is that what we're talking about when we're talking about AI? Or you 85 00:08:48,720 --> 00:08:52,519 know, is AI a bigger picture? Yeah, you're right, there's so 86 00:08:52,679 --> 00:09:00,960 much hype around AI. For for a very short word, there is so 87 00:09:01,080 --> 00:09:07,320 much that so much confusion that comes with it. I think for your listeners, 88 00:09:07,960 --> 00:09:15,279 they probably know AI as the latest and greatest innovation, which is CHATGBT. 89 00:09:16,120 --> 00:09:20,000 We all use it to ask a question, we all use it to 90 00:09:20,000 --> 00:09:26,080 plan our dinner menus, or to help plan the latest thing, greatest trip. 91 00:09:26,679 --> 00:09:33,039 The reality is that in industrial contexts, artificial intelligence has been used for 92 00:09:33,080 --> 00:09:46,960 some time to do things like help us find the UH the biggest reservoir of 93 00:09:48,360 --> 00:09:52,799 oil out there, or to help us deal with the problem that I talked 94 00:09:52,799 --> 00:09:58,440 about around kind of weather patterns and anticipating what those look like and optimizing the 95 00:09:58,519 --> 00:10:07,720 energy sys them to store electricity. Those applications of artificial intelligence, which is 96 00:10:09,039 --> 00:10:16,039 which is all about control and dispatch of energy, right, have been around 97 00:10:16,080 --> 00:10:24,519 for some time. They've been narrow and very specialized. What's different well with 98 00:10:26,720 --> 00:10:31,320 UH, with scalability of compute which is getting cheaper and cheaper, with advances 99 00:10:31,919 --> 00:10:43,759 in UH large language models, we can now drive optimization in that energy system 100 00:10:43,799 --> 00:10:46,639 which is getting more complex. We talked about it being old, we talked 101 00:10:46,639 --> 00:10:48,879 about it being new, We talked about it being more complex. We talked 102 00:10:48,879 --> 00:10:54,279 about the need for energy increasing, especially in the developing world. Right. 103 00:10:54,919 --> 00:11:05,879 So that's that complexity now needs to be optimized so that you as a consumer 104 00:11:07,279 --> 00:11:16,480 get the best price for your killer whate hour and commercial and industrial companies are 105 00:11:16,639 --> 00:11:24,960 able to utilize energy when they need it at the best rates. Artificial intelligence 106 00:11:24,960 --> 00:11:33,080 can do that now. From a security perspective, AI has a ton of 107 00:11:33,120 --> 00:11:39,960 problems. Italian I've seen an explosion of companies and capabilities all right, and 108 00:11:39,080 --> 00:11:45,000 you know we are the Industrial Security podcast. Can you can you connect the 109 00:11:45,039 --> 00:11:48,919 dots for us? What what are we worried about security wise? If we're 110 00:11:48,000 --> 00:11:56,080 using AI to you know, manage demand, to manage to manage power from 111 00:11:56,080 --> 00:12:01,200 a security perspective, there are two lenses through which we need to look at 112 00:12:01,240 --> 00:12:07,960 AI. The first is AI from a business perspective, an operational perspective, 113 00:12:09,679 --> 00:12:13,840 what is it doing to deliver electricity? But the other is how can that 114 00:12:13,919 --> 00:12:28,080 AI be manipulated, hacked and what can the bad guys do to cause damage. 115 00:12:31,600 --> 00:12:39,879 In the old world, much of energy production was air dept but increasingly 116 00:12:41,639 --> 00:12:48,000 with the need to digitize and drive better efficiency, better asset management, right, 117 00:12:50,840 --> 00:12:56,759 we are seeing what we have seen is an explosion of connectivity. And 118 00:12:56,799 --> 00:13:05,399 some of that connectivity, of course, can can be managed smartly with data 119 00:13:05,440 --> 00:13:11,559 diodes companies such as Waterfall, which have an excellent product, but some of 120 00:13:11,600 --> 00:13:16,440 it needs to be managed in a very different way and this is where atificial 121 00:13:16,519 --> 00:13:28,799 intelligence comes in. The bad guys are using it to craft malware that is 122 00:13:28,879 --> 00:13:35,519 smarter and it can cause more damage. They're using it also to get into 123 00:13:35,679 --> 00:13:41,639 energy systems and this is a product of nation states and makes subtle changes. 124 00:13:43,159 --> 00:13:48,799 Here's what fundamentally, and this is very important for listeners to hear, Here's 125 00:13:48,799 --> 00:13:56,440 what fundamentally is different, how the game is changed. Malware used to be 126 00:13:56,679 --> 00:14:09,559 all about digital manipulation of networks or endpoints. Now physical world commands are combined 127 00:14:09,679 --> 00:14:15,840 with digital commands. And guess what happens when you can create a piece of 128 00:14:15,840 --> 00:14:24,559 malware that tells a determined to spin faster, which tells electricity to flow into 129 00:14:24,559 --> 00:14:31,960 a different direction. And if you could do that at scale across multiple points 130 00:14:31,960 --> 00:14:41,240 in the system, that leads to those safety in catastrophic events that we all 131 00:14:41,279 --> 00:14:48,919 have feared. We've seen something that's come out in news lately with with hackers 132 00:14:48,919 --> 00:14:54,559 getting into the US grid using the latest and greatest malware, which we have 133 00:14:54,639 --> 00:15:01,720 not seen previously before. And I bet a lot of it crafted using AI. 134 00:15:03,559 --> 00:15:09,120 Andrew in theory, I can imagine AI playing an important part in cyber 135 00:15:09,120 --> 00:15:13,000 attacks. But the point that Leo's making there, it doesn't necessarily seem contingent 136 00:15:13,320 --> 00:15:20,000 on AI that one would make, say a highly spreadable malware that causes physical 137 00:15:20,039 --> 00:15:24,000 consequences. Yeah, I mean, you know, back in the day, 138 00:15:24,000 --> 00:15:28,159 this was thirteen fourteen years ago stucks med hit. It was the big news 139 00:15:28,679 --> 00:15:31,080 back then far as I know. You know, that kind of code would 140 00:15:31,120 --> 00:15:35,639 have been written by hand, and common wisdom back then and even today is 141 00:15:35,679 --> 00:15:41,519 that writing that kind of code is very difficult. It takes it takes an 142 00:15:41,519 --> 00:15:45,639 expert, you know, in sort of stepping back for a moment. In 143 00:15:45,759 --> 00:15:50,480 terms of attacking industrial sites, you know, the sort of the common terminology 144 00:15:50,559 --> 00:15:54,559 is there's stage one attacks in stage two attacks. Stage one is where you 145 00:15:54,639 --> 00:16:00,360 get into the IT network with a phishing attack or with you know, a 146 00:16:00,360 --> 00:16:04,440 a fake website or something. And you know, ais like chat GBT have 147 00:16:04,639 --> 00:16:11,039 been described by researchers as a useful tool for generating phishing emails for you know, 148 00:16:11,120 --> 00:16:18,440 for generating credible written content to you know, deceive victims. That's stage 149 00:16:18,440 --> 00:16:22,960 one. Stage two, producing the code that's going to connect to the PLC 150 00:16:22,159 --> 00:16:26,639 and you know, create a new firmware for the PLC that bricks the PLC. 151 00:16:26,360 --> 00:16:33,480 That's has been seen as much harder, and you know, there's research 152 00:16:33,519 --> 00:16:37,080 going on in the space. I cannot name names at this point, but 153 00:16:37,320 --> 00:16:44,759 I have been talking to people in private who are looking at using AI for 154 00:16:44,960 --> 00:16:48,240 stage two attacks. And the question they're asking, is, you know, 155 00:16:48,679 --> 00:16:52,840 bluntly, can a script kitty, you know, someone who knows almost nothing 156 00:16:52,879 --> 00:16:56,120 but knows how to use AI, can a script kitty produce let's say, 157 00:16:56,159 --> 00:17:03,320 stocksnet is the question, and thus far the answer seems to be no, 158 00:17:03,599 --> 00:17:07,119 you actually have to know what you're doing. But the bad so that's the 159 00:17:07,160 --> 00:17:14,359 good news. The bad news is that the research thus far suggests that if 160 00:17:14,400 --> 00:17:18,799 you know what you're doing, AI can speed up the process of creating a 161 00:17:18,880 --> 00:17:26,359 credible stage to attack enormously. We're talking huge advantages for the adversary here. 162 00:17:26,480 --> 00:17:30,400 It's a tricky thing because on one hand, it just seems so obvious that 163 00:17:32,400 --> 00:17:36,759 in the near future attackers will be able to write that stage two now we're 164 00:17:36,880 --> 00:17:41,039 using AI. But on the other hand, at least from what I'm hearing, 165 00:17:41,039 --> 00:17:45,000 and I'm not out in the field every day practicing this stuff, so 166 00:17:45,039 --> 00:17:49,319 I can't say, but AI has been one thousand percent more useful for cyber 167 00:17:49,400 --> 00:17:55,079 defenders thus far. I mean, whether it be anti virus detection response, 168 00:17:55,160 --> 00:17:59,400 what have you. We've been using AI in a way that attackers just haven't 169 00:17:59,400 --> 00:18:03,599 for a while. So the notion that this is some big problem that's awaiting 170 00:18:03,680 --> 00:18:07,559 us sort of. It's it's the reality versus the theory for me, am 171 00:18:07,599 --> 00:18:11,240 I wrong, No, there's there's all sorts of stuff going on, you 172 00:18:11,279 --> 00:18:15,680 know. Fundamentally, in the stage two world, the question is one of 173 00:18:15,720 --> 00:18:22,599 writing code. And there's a huge industry out there in the world for writing 174 00:18:22,799 --> 00:18:26,920 good code, writing word processes, writing operating systems, writing web servers. 175 00:18:27,559 --> 00:18:34,000 So there's a huge industry focused on producing and optimizing AI that will produce code 176 00:18:34,079 --> 00:18:40,720 more efficiently for all of the world's software vendors. And again I haven't been 177 00:18:40,759 --> 00:18:42,160 tracking this, but you know, just to give you sort of one example 178 00:18:42,200 --> 00:18:47,599 a taste of what's possible. You know, I'm aware of you know, 179 00:18:47,759 --> 00:18:51,480 chat GPT has its limitations. Like I said, I've been using chat GPT. 180 00:18:51,640 --> 00:18:55,000 It makes stuff up, it's you know, it has limitations. But 181 00:18:55,400 --> 00:18:59,079 here's the thing. There's a lot of different AIS in the world, and 182 00:18:59,119 --> 00:19:03,759 what we're seeing increasingly is these ais, in a sense daisy chain together. 183 00:19:03,079 --> 00:19:07,880 Now again I haven't done this to a degree, I'm making this up, 184 00:19:07,920 --> 00:19:14,759 but imagine an AI that's focused on understanding, you know, written documents about 185 00:19:15,720 --> 00:19:19,759 you know, PLC communication protocols and turning them into code. And it produces 186 00:19:19,960 --> 00:19:26,200 crappy code, and then you pump that code into an AI who's that's focused 187 00:19:26,200 --> 00:19:30,720 on detecting common programming errors. And then you pump the output of that, 188 00:19:32,119 --> 00:19:36,720 you know, into an AI that's focused on using that knowledge to correct the 189 00:19:36,759 --> 00:19:41,599 programming errors given the original specifications, and you pump that into an AI that's 190 00:19:41,599 --> 00:19:45,839 focused on you know, it's optimized for packaging code into modules into downloadable components, 191 00:19:47,079 --> 00:19:51,319 and you pump those modules into an AI that's focused on integrating the components 192 00:19:51,359 --> 00:19:57,279 into a comprehensive you know, this is happening. This kind of thing is 193 00:19:57,319 --> 00:20:02,519 happening, and these ais are are not static chat GPT is not the end, 194 00:20:03,000 --> 00:20:07,880 it's the beginning. And so in my estimation, the job of creating 195 00:20:07,920 --> 00:20:15,640 stage two attacks is getting much easier over time. So that's scary stuff. 196 00:20:15,960 --> 00:20:19,240 I know, there's a lot of researchers out there playing with the stuff, 197 00:20:19,240 --> 00:20:22,440 and you know, if the good guys are playing with it, you can 198 00:20:22,519 --> 00:20:25,720 be sure the bad guys are playing with it. You know, can you 199 00:20:25,759 --> 00:20:30,559 go a little deeper, what's possible? Your imagination can run wild. But 200 00:20:30,720 --> 00:20:44,599 what we have seen in working with our customers is the use of AI to 201 00:20:44,680 --> 00:20:52,799 develop malware that is frankly smarter, more tune, but that combines different elements 202 00:20:52,799 --> 00:20:57,440 of the attack leading to consequences faster. And what I mean by that is 203 00:20:57,920 --> 00:21:08,519 if you can begin to manipulate a particular process or a particular piece of equipment 204 00:21:08,640 --> 00:21:15,119 above a PLC, right, and you can use do that using digital commands, 205 00:21:15,200 --> 00:21:22,119 and you can combine to your point about kind of using multiple dimensions of 206 00:21:22,599 --> 00:21:32,960 attack, combine multiple processes together, then damage can be can can occur at 207 00:21:32,960 --> 00:21:37,640 a greater scale, and it can occur much faster. Believe it or not, 208 00:21:37,359 --> 00:21:44,119 it's easy to trip a power plant it is and have determined shut down. 209 00:21:44,160 --> 00:21:48,000 There are a lot of safety mechanisms to to manage human error. For 210 00:21:48,039 --> 00:21:57,039 example, it's a lot harder to manipulate a turbner or an oil refinery to 211 00:21:57,079 --> 00:22:04,759 cause a boom event or a safety of that. Right, Tricking those safety 212 00:22:04,759 --> 00:22:11,240 mechanisms is what AI is really good at, because it now is able to 213 00:22:11,279 --> 00:22:17,880 play the chess game on not just kind of a one dimensional level or two 214 00:22:17,920 --> 00:22:22,680 dimensional level, you can play it on a three dimensional level, moving multiple 215 00:22:22,720 --> 00:22:26,880 pieces all at this engine. How are we doing on the defensive side? 216 00:22:26,960 --> 00:22:30,359 What are we doing about this? What should we be doing about this. 217 00:22:32,799 --> 00:22:41,200 The consequences are real, and unfortunately we will not only see more and more 218 00:22:41,400 --> 00:22:47,400 times, but we will see those attacks feature an AI element, and this 219 00:22:47,599 --> 00:22:56,480 worries both customers and regulators that I talk to. They recognize that the playing 220 00:22:56,519 --> 00:23:02,880 field is changing, that this technology in the industrial context again we're not talking 221 00:23:02,880 --> 00:23:11,759 about RGBT UH is accelerating and because of that, we need to get a 222 00:23:11,759 --> 00:23:19,400 better handle on it. So the White House with its latest AI guidance UH 223 00:23:19,559 --> 00:23:33,039 and its cybersecurity strategy had specifically called down the dangers of AI when applied to 224 00:23:33,799 --> 00:23:45,519 industrial control systems. More broadly, there's recognition for UH for better visibility in 225 00:23:45,640 --> 00:23:52,839 better tooling on the defensive side. So the regulators now are saying, you 226 00:23:52,839 --> 00:23:57,400 know what you know. It used to be the cloud in operational contexts was 227 00:23:57,400 --> 00:24:03,400 a was a dirty word how you take operational data APT But if we're going 228 00:24:03,440 --> 00:24:07,880 to compete with the bad guys, then we need to have the same levels 229 00:24:07,920 --> 00:24:12,599 of compute. And so the regulators are now issuing guidance around cloud and emerging 230 00:24:12,640 --> 00:24:18,079 technologies, and specifically the thing that they're calling out and this is we where 231 00:24:18,119 --> 00:24:26,720 we semen's energy have been hyper focused they are calling out the need for visibility. 232 00:24:26,920 --> 00:24:33,480 This is very important because if you don't have basic visibility and understanding of 233 00:24:33,519 --> 00:24:38,440 your environment, then it's very very hard to know a whether you'd be an 234 00:24:38,440 --> 00:24:47,039 attacked, be going after those attacks at speed and then c being able to 235 00:24:47,480 --> 00:24:52,559 recover from them. And what we know for a fact is that AI is 236 00:24:52,599 --> 00:25:00,000 going to increase the speed of the attacks, and we on the defensive se 237 00:25:00,079 --> 00:25:04,880 I need to increase the speed of our response. We just need to play 238 00:25:04,880 --> 00:25:11,640 faster if the threat is increasing because of AI. Basically we should expect most 239 00:25:11,799 --> 00:25:17,079 cyber attacks to become more capable, or expect the high end to become more 240 00:25:17,119 --> 00:25:22,599 capable, and sort of everything trickled down. It sounds you know, I 241 00:25:22,680 --> 00:25:26,400 interpret what you said. Correct me if I'm wrong, as we need our 242 00:25:26,440 --> 00:25:32,359 defenses to become more capable pretty much across the board, and I have heard 243 00:25:32,680 --> 00:25:37,519 recently, I think Sands put out in twenty two you know a top five 244 00:25:37,519 --> 00:25:42,559 security controls for industrial control systems sort of the not here's everything you have to 245 00:25:42,559 --> 00:25:47,319 do, but here are the biggest gaps on average, and one of them 246 00:25:48,119 --> 00:25:53,920 was incident response. It does no good to detect incidents if you can't respond. 247 00:25:55,680 --> 00:25:59,920 You know, it has some value preventing the incidents, but you can't 248 00:26:00,440 --> 00:26:03,960 always prevent everything, and so you need a detection capability, you need a 249 00:26:04,000 --> 00:26:08,119 response capability, and it's important that we get all this right. We've got 250 00:26:08,119 --> 00:26:11,759 to fill in the gaps to make our systems more capable. You know, 251 00:26:11,799 --> 00:26:15,680 I'm putting words inarm us, but is that? What is that what we're 252 00:26:15,680 --> 00:26:26,160 hearing here? We have chased the capability of detection for some time. Our 253 00:26:26,200 --> 00:26:30,440 approach at Semen's energy has been different. We recognized a long time ago that 254 00:26:30,559 --> 00:26:33,519 you need to look both at the physical and the digital worlds together as a 255 00:26:33,599 --> 00:26:41,880 unified threat stream, that there needs to be context and smarter and more proportionate 256 00:26:41,920 --> 00:26:51,359 response. So our our approach has been uh to get out the context you 257 00:26:51,400 --> 00:26:56,119 need to get an operational data. The challenge, of course has been that 258 00:26:59,440 --> 00:27:04,119 when you have operational data, what to do with it. IT teams are 259 00:27:04,599 --> 00:27:10,640 not well prepared to interpret that data to know what's a threat and what's not 260 00:27:10,720 --> 00:27:15,720 a threat, to understand when to take action or recommend action to the plant 261 00:27:15,759 --> 00:27:23,720 operators. So being able to translate between the IT world and the operational technology 262 00:27:23,759 --> 00:27:33,400 world in a way that helps explain consequences is key because shutting down a planet 263 00:27:33,519 --> 00:27:41,480 is very very expensive. And yet the cost of an average industrial cyber attack 264 00:27:41,559 --> 00:27:47,720 and the energy sector, you know, can can be from anywhere from a 265 00:27:47,799 --> 00:27:52,759 million to six million a day. It's a lot of money. And so 266 00:27:52,200 --> 00:27:59,799 we have to somehow plenty this balancing act between taking proportionate response and taking some 267 00:28:00,279 --> 00:28:08,759 response that's informed by operational contents, right, and getting more speed, uh, 268 00:28:08,880 --> 00:28:14,000 and being able to detect and recover. So what else a you know, 269 00:28:14,000 --> 00:28:17,200 we're talking about AI, Andrew and what what does this all all this 270 00:28:17,319 --> 00:28:22,400 mean for AI? Right? And and what it means is that actually AI 271 00:28:23,440 --> 00:28:30,920 is really good at finding the needle and haystack in our world. You know, 272 00:28:30,960 --> 00:28:34,960 we built a platform that has monitoring and detection is really good and we 273 00:28:36,079 --> 00:28:44,000 have you know, large scale models that help detect that that that subtle change 274 00:28:44,480 --> 00:28:52,440 in the process and correlated against you know, your NetFlow data to say some 275 00:28:52,640 --> 00:28:59,160 we see something is weird, but would you do about it? Right? 276 00:28:59,519 --> 00:29:06,839 How can sequential is it? We have to understand how that potential particular threat 277 00:29:06,960 --> 00:29:12,400 could cascade through the environment and at a system level, what the impacts could 278 00:29:12,440 --> 00:29:18,880 be. So and this is where AI can have a really important role to 279 00:29:18,880 --> 00:29:22,559 play because we can look at you know, multiple misfirings as you may call 280 00:29:22,599 --> 00:29:29,160 them, or multiple alerts at different parts of the system, or how quickly 281 00:29:29,200 --> 00:29:33,440 something is propagating. So I can be really powerful in all this context. 282 00:29:33,559 --> 00:29:37,400 But taking the right approach that combines the physical and the digital world together, 283 00:29:37,920 --> 00:29:44,519 right, using AI smartly is key. And yet let me just let me 284 00:29:44,920 --> 00:29:55,000 pause in just a second. And yet we have energy companies, right, 285 00:29:55,039 --> 00:30:00,440 they're just getting basic visibility, they're just getting their asset inventories there, just 286 00:30:00,480 --> 00:30:04,720 beginning to pipe data into into their songs. Well as the bad guys right 287 00:30:06,680 --> 00:30:12,000 have have built a full stack of you know, of of malware factories that 288 00:30:12,079 --> 00:30:18,319 are AI driven. We have to get faster, uh at becoming more mature 289 00:30:18,240 --> 00:30:23,599 around this topic of detection. So Leo has been talking sort of at a 290 00:30:25,279 --> 00:30:30,440 very abstract level here. He's talked about you know, he's talked about finding 291 00:30:30,440 --> 00:30:33,160 a needle in a haystack, and I like, you know, I like 292 00:30:33,240 --> 00:30:41,279 that analogy. We have had other guests on talking about anomally based intrusion detection 293 00:30:41,000 --> 00:30:45,599 and you know, correlation of alarms, uh and using AIS in all of 294 00:30:45,640 --> 00:30:51,720 that. So we've actually had people on talking about AIS but using different words. 295 00:30:52,000 --> 00:30:55,799 You know, if you have I don't know, a gigabit per second 296 00:30:55,880 --> 00:31:00,160 of network packets in an industrial network that you're watching, there's a haystack, 297 00:31:00,200 --> 00:31:04,160 you know, a gazillion package coming by every second, and the AI is 298 00:31:04,200 --> 00:31:10,000 asking the question, are any of these messages? Are any of these patterns 299 00:31:10,000 --> 00:31:14,119 of messages indicative of an attack? And you can do it signature based, 300 00:31:14,119 --> 00:31:17,599 you can say I recognize that message, that message is always an attack and 301 00:31:17,680 --> 00:31:21,480 rais an alarm, or you can do it anomaly based, which is looking 302 00:31:21,519 --> 00:31:25,359 at sort of patterns of messages and saying, this is an unusual pattern, 303 00:31:25,559 --> 00:31:29,319 no idea what it is, raising alarm, It might be an attack because 304 00:31:29,319 --> 00:31:33,880 it's different, because it's unusual. So, you know, this kind of 305 00:31:33,920 --> 00:31:37,319 AI has been used forever. The same thing's been used in SEMs. In 306 00:31:37,559 --> 00:31:41,640 security information and event management systems. In your security operation centers, they get 307 00:31:42,160 --> 00:31:48,799 millions of alerts of you know, syslog messages, millions of messages per day 308 00:31:49,880 --> 00:31:55,559 from you know, one hundred and fifty of your plans, and again they're 309 00:31:55,599 --> 00:32:00,720 looking at this haystack and saying, do any of these messages add up to 310 00:32:00,759 --> 00:32:02,480 an attack? I mean, some of them are obvious. You are under 311 00:32:02,519 --> 00:32:07,880 attack exclamation mark, you know, out of one of your intrusion detection systems, 312 00:32:07,200 --> 00:32:13,119 but others are you know, Fred here just logged in from India. 313 00:32:14,160 --> 00:32:19,200 He lives in North America, and he logged in ten minutes ago from North 314 00:32:19,200 --> 00:32:22,079 America as well, and you can put together, you know, weirdness like 315 00:32:22,119 --> 00:32:27,000 this. So you know, we've been talking about this for for some time 316 00:32:27,079 --> 00:32:30,039 now, we've never gone into detail. I would I would welcome a guest 317 00:32:30,079 --> 00:32:35,960 coming on talking about how the AI under the hood of correlation engines and anomaly 318 00:32:36,039 --> 00:32:38,559 detection engines actually work. I mean I've heard words like Baysian and I have 319 00:32:38,599 --> 00:32:43,160 no idea what they mean. So you know, I'd love to have people 320 00:32:43,200 --> 00:32:46,359 on someday explaining how those AIS work. But you know, the whole the 321 00:32:46,359 --> 00:32:50,960 whole concept of AIS on the defensive side, finding needles in a haystack. 322 00:32:51,039 --> 00:32:53,079 Yeah, this is this has been done for a while, and it's it's 323 00:32:53,079 --> 00:32:55,279 going to get you know, bigger. There's going to be more of this. 324 00:32:59,160 --> 00:33:02,079 So that's a great introduction. You know, we we see the application, 325 00:33:02,240 --> 00:33:05,920 we see the problem. You know, we see some some hints towards 326 00:33:05,920 --> 00:33:10,519 solutions. Let me let's get specific. I mean siemens energy is active in 327 00:33:10,559 --> 00:33:14,960 this space. Can you say a few words, what do you guys have, 328 00:33:15,079 --> 00:33:16,880 what do you guys do? What? What can people call on you 329 00:33:17,000 --> 00:33:21,640 for? You know, in this in this problem area. Well, we 330 00:33:21,640 --> 00:33:30,079 we've been on a journey in our thinking around operational technology. AI has really 331 00:33:30,119 --> 00:33:37,680 evolved, you know, a bit of self reflection. We seemens it was 332 00:33:37,799 --> 00:33:44,319 our pocs that were impacted by stuffs. Now we saw the subtle manipulation of 333 00:33:44,480 --> 00:33:52,640 process and that event was a wake up call for us to get serious about 334 00:33:54,039 --> 00:33:58,759 industrial cyber and operational technology. This was a while back, of course, 335 00:33:59,119 --> 00:34:02,519 a lot of what are the bridge? Yes, we had to get serious 336 00:34:02,559 --> 00:34:09,559 about product security. We hired almost two thousand people around the world to support 337 00:34:09,639 --> 00:34:15,280 US product security managers, folks in incident response, folks that deal with vulnerabilities 338 00:34:16,360 --> 00:34:21,559 and guess what. The world around us at the same time was changing, 339 00:34:22,199 --> 00:34:25,519 and it's changed a lot. It's become more digital, as we've talked about, 340 00:34:25,800 --> 00:34:34,480 it's become more interconnected. We've become more dependent on our customers, and 341 00:34:35,000 --> 00:34:42,320 we recognized that it wasn't just about securing the box. What we needed to 342 00:34:42,400 --> 00:34:46,239 do was secure the operating environment, the whole operating environment, whether it was 343 00:34:46,280 --> 00:34:52,960 our stuff or somebody else's stuff. The customer just needed help and they were 344 00:34:52,039 --> 00:34:57,239 figuring things out at the same time as we were. We just had a 345 00:34:57,280 --> 00:35:02,079 little bit of a head start. So we developed a pract in industrial cybersecurity 346 00:35:02,119 --> 00:35:08,559 focused on this problem with visibility that I've talked to you about. We recognize 347 00:35:08,559 --> 00:35:16,679 that that going after the visibility problem from a technology perspective doesn't necessarily make us 348 00:35:16,679 --> 00:35:23,119 sifferent, because everybody talks about their latest and greatest silver bullet or their best 349 00:35:23,119 --> 00:35:29,800 detection box. What we saw is that there was also a human capital challenge 350 00:35:30,199 --> 00:35:37,800 in this space, that there were enough, not enough folks cross trained in 351 00:35:37,880 --> 00:35:44,400 control systems, in networking, in security, and now increasingly in data science. 352 00:35:45,400 --> 00:35:52,239 Those folks are still very rare. So what we've done is we've built 353 00:35:53,320 --> 00:36:00,760 a business and a practice in this space. What we offer to cause customers 354 00:36:00,320 --> 00:36:08,239 is fundamentally we are the trusted advisor. We don't know, we don't have 355 00:36:08,280 --> 00:36:15,079 all the answers, but we'll figure it out together and we'll be there with 356 00:36:15,239 --> 00:36:20,639 you along for the ride. Because as digital technologies get introduced, as there's 357 00:36:20,679 --> 00:36:25,679 a lot of hype around AI. As the threat landscape changes and the number 358 00:36:25,679 --> 00:36:30,559 of attacks increases exponentially, we will be there as we have for one hundred 359 00:36:30,599 --> 00:36:37,960 and twenty years. And so we've built a consulting practice, a managed service 360 00:36:38,000 --> 00:36:46,320 practice. We built the proprietary technology around detection, but ultimately what we do 361 00:36:46,360 --> 00:36:52,679 is we build bridges between IT teams and O team teams to work with one 362 00:36:52,679 --> 00:36:59,360 another because IT is going to take that into disciplinary approach and we hope to 363 00:36:59,400 --> 00:37:01,599 be in the center of it helping in the customers. We've talked about the 364 00:37:01,599 --> 00:37:06,559 problem, We've talked about some solutions. If we're starting at zero, I 365 00:37:06,599 --> 00:37:10,639 mean, we've got an energy customer. Do these customers know how much AI 366 00:37:10,719 --> 00:37:15,760 they're using? Do they know how much AI is coming after them? You 367 00:37:15,800 --> 00:37:17,519 know? Do they know how much trouble are in from both ends of it? 368 00:37:17,840 --> 00:37:21,320 And you know, whether they know it or not? Sort of what 369 00:37:21,440 --> 00:37:24,159 are the first steps? How do they get started dealing with this this new 370 00:37:24,199 --> 00:37:29,800 threat A There's a lot of hype around it, and I think there's general 371 00:37:29,840 --> 00:37:36,639 awareness within security teams, both on the I T side and the OT side 372 00:37:37,400 --> 00:37:45,159 that AI holds a lot of promise but could also be used for very very 373 00:37:45,199 --> 00:37:50,679 bad things. On the OT side. In particular, I said, there's 374 00:37:50,679 --> 00:37:57,920 a lot of skepticism. And the reason is is because plan operators need to 375 00:37:59,119 --> 00:38:05,000 uh uh be able to unlock the black box that AIRE present. They need 376 00:38:05,000 --> 00:38:10,639 to understand it. Maybe it's an engineering approach and engineers need to kind of 377 00:38:10,760 --> 00:38:15,960 understand what's happening. You need to be able to understand the methods. You 378 00:38:15,960 --> 00:38:21,320 need to be able to kind of trace the logic. And so when I 379 00:38:21,360 --> 00:38:27,119 talk to security folks within plants, they're they're skeptical of the latest and greatest 380 00:38:27,159 --> 00:38:32,440 tools, and they want to know, how do you detect something? What 381 00:38:32,599 --> 00:38:37,280 is this basian belief? It sounds very fancy, But if I can even 382 00:38:37,280 --> 00:38:44,480 do the basics, why should I go after this problem? So there's both 383 00:38:44,480 --> 00:38:51,119 skepticism and desire. And there's one more thing, which is the chief digital 384 00:38:51,119 --> 00:38:58,320 officers, chief innovation officers. The boards are telling security teams you got to 385 00:38:58,360 --> 00:39:01,280 you got to give me use cases around it, both from a business side 386 00:39:01,760 --> 00:39:07,599 and the security side. And I know some customers that need to deliver a 387 00:39:07,719 --> 00:39:12,400 use case a week to the board. That's how closely it's being monitored. 388 00:39:12,400 --> 00:39:17,519 If you think about that, you know, so sleepy giants are that have 389 00:39:17,639 --> 00:39:22,039 been doing things the same old way, extracting pumping oil all the ground, 390 00:39:22,280 --> 00:39:28,159 but the last fifty years the same old way are now being called to innovate 391 00:39:28,239 --> 00:39:31,000 in this space. And then there's kind of the middle of the pack, 392 00:39:31,639 --> 00:39:37,280 folks that are that fear they're going to be left behind. And then there's 393 00:39:37,599 --> 00:39:40,760 the small the small guys. And by the way, those are represented. 394 00:39:40,760 --> 00:39:45,559 If you look at the United States right, thirty five hundred utilities, once 395 00:39:45,639 --> 00:39:51,760 you get outside the to top two hundred, everybody's small kind of mom and 396 00:39:51,840 --> 00:40:00,280 pomp community distribution facilities, power plants. Those folks you don't even know how 397 00:40:00,320 --> 00:40:06,639 to get started. And to get to your question of how you get started, 398 00:40:07,159 --> 00:40:13,199 I think the basic question that one should be asking is first and foremost, 399 00:40:13,239 --> 00:40:16,760 what is important to me? What are the assets that are key that 400 00:40:17,119 --> 00:40:23,800 I need to get a handle on be being able to understand the risk, 401 00:40:23,960 --> 00:40:30,159 understand the vulnerability, understand the exposure, monitor it, and then build an 402 00:40:30,199 --> 00:40:32,920 AI layer around it. And by the way, those two things are very 403 00:40:32,960 --> 00:40:40,679 closely correlated. The assets that are really important to be monitored, assets that 404 00:40:40,719 --> 00:40:49,320 could benefit from applications of AI, assets that attracted the back guid and assets 405 00:40:49,320 --> 00:40:57,000 where a security AI use case is really valuable. So the first step is 406 00:40:57,039 --> 00:41:07,760 asking what's important. The second step is figuring out what data needs to travel 407 00:41:07,880 --> 00:41:14,559 to be able to get a basic context. And then the third step is 408 00:41:14,599 --> 00:41:20,800 the step that I call kind of advanced detection, where AI needs to play 409 00:41:20,840 --> 00:41:27,000 a role in understanding not just basic characteristics of a particular process or a particular 410 00:41:27,079 --> 00:41:34,320 asset, but kind of three dimensional behavior of production, right, and the 411 00:41:34,360 --> 00:41:37,360 manipulation of that to cause that boom event that you and I Andrew talked about. 412 00:41:38,239 --> 00:41:43,320 So Leo, this has been enlightening, a little distressing, but enlightening. 413 00:41:43,840 --> 00:41:46,239 Thank you for joining us up. Before we let you go, can 414 00:41:46,440 --> 00:41:50,519 I ask you to sum up for our listeners. What what what should we 415 00:41:50,559 --> 00:41:53,280 be taking away from all this complicated space? Well, first of all, 416 00:41:53,280 --> 00:41:59,960 it's not all doom and gloom. There's a lot of anxiety around this top, 417 00:42:00,079 --> 00:42:06,519 but it's definitely a journey. There are trust to partners that can help 418 00:42:06,559 --> 00:42:15,039 you don't get wrapped up in the hype and the chase for the use cases, 419 00:42:15,199 --> 00:42:21,880 just because the board is asking take a more measured approach to get a 420 00:42:21,920 --> 00:42:27,960 basic handle in your environment. Hey, I will come there. There are 421 00:42:27,960 --> 00:42:32,719 steps that you can take both around the business side, the operational side, 422 00:42:32,760 --> 00:42:42,199 and the security side to to measure where the AI can benefit you. It's 423 00:42:40,639 --> 00:42:46,079 not the it's not a down the line thing. However, most folks will 424 00:42:46,079 --> 00:42:52,079 say I'm not mature enough and therefore I should not dabble in it. The 425 00:42:52,119 --> 00:42:55,480 reality is this technology is getting too good and the gap between the defenders and 426 00:42:55,519 --> 00:43:01,880 the attackers is really widening, and so time short. So don't wait to 427 00:43:02,000 --> 00:43:09,360 get you know, other aspects of your OT cybersecurity program n begin to dip 428 00:43:09,400 --> 00:43:16,000 your toes into this space. Start by building some of these detection models. 429 00:43:16,840 --> 00:43:24,199 Start by picking assets that are important to you and getting a better understanding of 430 00:43:27,599 --> 00:43:35,400 their behavior. And then ultimately look out for the regulation that's coming down the 431 00:43:35,400 --> 00:43:45,199 pipe and work with your suppliers to make sure that you can demonstrate that you're 432 00:43:45,280 --> 00:43:52,159 taking smart steps to better prepare yourself for what's going to be an exciting future, 433 00:43:53,400 --> 00:44:00,599 in one where I think ultimately good guys will win. Andrew, that 434 00:44:00,760 --> 00:44:06,559 was your interview with Leo Somanovic. AI is a big topic in cybersecurity everywhere 435 00:44:06,559 --> 00:44:10,360 today. Do you have any final thoughts about the subjects To close out our 436 00:44:10,400 --> 00:44:15,400 episode. Yeah, I mean, you know, thinking about this a couple 437 00:44:15,440 --> 00:44:19,760 of things. One is that you know, historically, five years ago, 438 00:44:19,840 --> 00:44:22,719 AI was sort of the anomaly. There was a little AI and the detection 439 00:44:22,840 --> 00:44:29,519 algorithm. There was a little bit of AI sprinkled here and there. Increasingly, 440 00:44:29,840 --> 00:44:32,960 you know, AI is everywhere, and you know, in the industrial 441 00:44:34,000 --> 00:44:37,639 space, I think we all need to get used to the thought that AI 442 00:44:37,760 --> 00:44:43,280 is our future. You know what is what's the number one investment that people 443 00:44:43,320 --> 00:44:47,760 make routinely in industrial processes? Well, you know that engineering teams make routinely, 444 00:44:47,920 --> 00:44:52,800 they make investments to make the process more efficient. One of the ways 445 00:44:52,800 --> 00:44:58,400 you make processes more efficient is that you make decision making about the process more 446 00:44:58,440 --> 00:45:04,719 efficient, more accurate, more effects the faster. I think AI is essential 447 00:45:04,920 --> 00:45:07,360 in that process. AI is going to be essential to all of us to 448 00:45:07,360 --> 00:45:10,920 be making our processes more efficient. And this is just on the you know, 449 00:45:10,960 --> 00:45:14,199 the the in a sense, the mechanical side, just you know, 450 00:45:14,639 --> 00:45:19,960 doing things on the cybersecurity side, you know, the bad guys, I'm 451 00:45:20,000 --> 00:45:25,559 sorry, they're investing in making their attacks more efficient as well. And so 452 00:45:27,079 --> 00:45:30,320 on the defensive side, Yeah, we've been doing stuff in sort of intrusion 453 00:45:30,360 --> 00:45:34,880 detection for a long time. I think we need to get used to We 454 00:45:34,960 --> 00:45:42,239 need to invent ways to use AI to make our defenses more efficient. Everyone 455 00:45:42,599 --> 00:45:45,199 is, you know, bad guys and good are using AI to make everything 456 00:45:45,239 --> 00:45:50,320 more efficient. I don't think we can ignore this anymore. I think this 457 00:45:50,440 --> 00:45:53,400 is you know, this is this has to become sort of the common language, 458 00:45:53,400 --> 00:45:57,800 the common wisdom of the space going forward. So, you know, 459 00:45:57,880 --> 00:46:02,360 I'm grateful to Leo, and you know I look forward, fortunately or unfortunately 460 00:46:02,519 --> 00:46:06,199 to you know, thinking about AI a lot more in the years ahead. 461 00:46:07,519 --> 00:46:09,760 Yeah, it feels like a topic that we might have more episodes about in 462 00:46:09,800 --> 00:46:13,599 the next few years than we have in the past few even though we have 463 00:46:13,719 --> 00:46:15,960 covered it at times. Anyway, thank you to Leo for bringing that up 464 00:46:15,960 --> 00:46:19,960 with us. And Andrew is always thank you for speaking with me. It's 465 00:46:20,000 --> 00:46:22,800 always a pleasure. Thank you, Nan. This has been the Industrial Security 466 00:46:22,840 --> 00:46:32,440 Podcast from Waterfall. Thanks to everybody out there listening.