1
00:00:05,519 --> 00:00:21,399
Cyber Tool Framework is the OT or
ICS version of CIS Top eighteen. Welcome

2
00:00:21,440 --> 00:00:26,480
everyone to the Industrial Security Podcast.
My name is Nate Nelson. I'm here

3
00:00:26,519 --> 00:00:31,320
with Andrew Ginter, the vice president
of Industrial security at Waterfall Security Solutions,

4
00:00:31,519 --> 00:00:35,880
who's going to introduce the subject and
guest of our show today. Andrew,

5
00:00:36,039 --> 00:00:39,159
how are you? I'm very well, thank you, Nate. Our guest

6
00:00:39,159 --> 00:00:44,880
today is Jack Bliss. He is
an industrial cybersecurity consultant at 1898

7
00:00:44,880 --> 00:00:51,039
& Co., and he's just published
a cyber tool framework. This is an

8
00:00:51,119 --> 00:00:57,399
adaptation of the CIS, the Center
for Internet Security. They have a well

9
00:00:57,439 --> 00:01:03,960
known Top eighteen critical security controls. So
he's adapted the CIS Top eighteen to

10
00:01:03,120 --> 00:01:08,480
the needs of OT and industrial sites
based on his field notes of working in

11
00:01:08,519 --> 00:01:11,959
the space for a number of years, you know, capturing his best practices.

12
00:01:12,040 --> 00:01:15,359
So this is what we're going to
be discussing his contribution to the field

13
00:01:15,400 --> 00:01:21,719
here. All right, then let's
get into it. Hello Jack, and

14
00:01:21,799 --> 00:01:25,079
welcome to the podcast. Before we
get started, can I ask you to

15
00:01:25,239 --> 00:01:27,879
say a few words about yourself and
about your background and about the good work

16
00:01:27,879 --> 00:01:32,760
that you're doing at 1898
& Co. Yeah, thanks for having

17
00:01:32,799 --> 00:01:36,480
me, Andrew. My name is
Jack Bliss and I'm an industrial cybersecurity consultant

18
00:01:36,879 --> 00:01:41,799
with 1898 & Co. My
cybersecurity career started in twenty sixteen junior year

19
00:01:41,799 --> 00:01:46,799
of high school when I joined a
competition called CyberPatriot, which is a nationwide

20
00:01:47,319 --> 00:01:52,400
computer networking and system hardening competition.
In that year, we actually won nationals,

21
00:01:52,400 --> 00:01:55,920
making us the first team in Missouri
to do so. In college,

22
00:01:55,959 --> 00:02:00,239
I worked as a computer networking consultant
for an IT organization, and finally, for

23
00:02:00,280 --> 00:02:04,439
the past five years, I've been
at 1898 & Co. working as

24
00:02:04,480 --> 00:02:08,719
an industrial cybersecurity consultant, which has
been an interesting journey. I think my

25
00:02:08,840 --> 00:02:13,919
mom had a certain sense of security
that I would be typing away in a

26
00:02:13,919 --> 00:02:16,479
cubicle. But after just a couple
of years in the job, I was

27
00:02:16,479 --> 00:02:21,360
off to get underwater helicopter safety training, which is required to go out to

28
00:02:22,000 --> 00:02:24,360
oil rigs. But yeah, when
I started, we were a team of

29
00:02:24,400 --> 00:02:29,280
eight and now we're a team of
eighty. So going like crazy, and

30
00:02:29,319 --> 00:02:32,680
I couldn't be more grateful to work
for such an amazing organization in such an

31
00:02:32,680 --> 00:02:38,280
impactful role. The experience I've gained
during this time. Learning from some really

32
00:02:38,280 --> 00:02:46,199
great mentors and colleagues has been invaluable. Nate, we don't usually comment this

33
00:02:46,240 --> 00:02:52,919
early in the episode, but Jack
mentioned the offshore training and sort of the

34
00:02:52,960 --> 00:02:55,919
difference between the desk job and what
you do on the OT side. I've

35
00:02:57,000 --> 00:03:00,159
never done the training, but I've
heard about it, and it's something else.

36
00:03:00,680 --> 00:03:06,680
If you physically want to travel out
to an offshore platform and let's say

37
00:03:06,680 --> 00:03:10,520
the Gulf of Mexico or you know, the North Sea. I've never done

38
00:03:10,560 --> 00:03:14,520
it, but I'm told that,
Yeah, there's a bunch of classroom training,

39
00:03:15,080 --> 00:03:22,199
and then the test is they put
you in your life jacket and your

40
00:03:22,360 --> 00:03:28,400
whatever into a dummy helicopter, you
know, a helicopter cabin. They put

41
00:03:30,000 --> 00:03:34,719
physically a dummy beside you, set
up the same way you are, and

42
00:03:35,120 --> 00:03:38,439
they have a crane drop you into
a swimming pool full of ice cold water.

43
00:03:39,599 --> 00:03:44,000
Your job is to get out of
the helicopter and get back to the

44
00:03:44,039 --> 00:03:50,639
surface with your partner dummy who has
been rendered unconscious by the fall. If

45
00:03:50,680 --> 00:03:53,039
you do it, you pass and
you can go out to the platform.

46
00:03:53,680 --> 00:03:57,919
If they have to send the divers
after you to save your life, you

47
00:03:58,080 --> 00:04:02,120
fail. Go do the training again. So yeah, you know, people

48
00:04:02,120 --> 00:04:10,360
imagine cybersecurity is a desk job.
Sometimes it's not. And our topic today

49
00:04:10,840 --> 00:04:15,199
is the cybertool framework. This is
something that you put together. It's available

50
00:04:15,199 --> 00:04:20,040
at cybertoolframework.com. Can you
tell us what is it? Where did

51
00:04:20,079 --> 00:04:24,720
it come from? Sort of what's
what's the genesis of this thing? Yeah?

52
00:04:24,759 --> 00:04:30,079
So in one sentence, Cyber Tool
Framework is the OT or ICS version

53
00:04:30,079 --> 00:04:32,680
of CIS Top eighteen. So it
takes the CIS Top eighteen, which is

54
00:04:32,680 --> 00:04:40,199
an IT focused framework but is easily
digestible compared to other frameworks and standards such

55
00:04:40,199 --> 00:04:45,360
as NIST, ISO or
62443, and aligns those eighteen controls

56
00:04:45,600 --> 00:04:51,360
or really requirements to OT cyber tools
and practical insights, being more digestible.

57
00:04:51,680 --> 00:04:58,480
This better speaks to small or medium
sized critical infrastructure organizations. So the structure

58
00:04:58,639 --> 00:05:02,560
is as follows, with the
top eighteen requirements in column one, matched

59
00:05:02,600 --> 00:05:11,040
to cybersecurity tools in column two,
including OT specific options where applicable and complemented

60
00:05:11,040 --> 00:05:15,279
by field notes and best practices in
column three. Throughout, I emphasize meeting

61
00:05:15,319 --> 00:05:21,199
these controls across three levels: people,
processes, and technology, while reflecting real

62
00:05:21,279 --> 00:05:28,839
world scenarios. There is maturity referenced
in some of the recommended controls, so

63
00:05:28,879 --> 00:05:31,319
if you're a small organization, start
with X. If you're a more mature

64
00:05:31,439 --> 00:05:36,000
organization, you should aim to hit
this threshold, etc. Free tools are

65
00:05:36,040 --> 00:05:43,279
also provided for each requirement, catering
to organizations looking to bootstrap their cybersecurity efforts.

66
00:05:44,600 --> 00:05:49,519
The idea for Cyber Tool Framework came
from the fulfillment in consulting. In consulting,

67
00:05:50,439 --> 00:05:55,319
we get to work with a broad
range of clients in different maturity stages and

68
00:05:55,399 --> 00:05:59,120
help them be successful, and so
Cyber Tool Framework is really an extension of

69
00:05:59,120 --> 00:06:02,040
that. It's a resource that can
reach a bigger audience and make a bigger

70
00:06:02,079 --> 00:06:08,720
impact than myself individually. So Cyber
Tool Framework helps to address the growing need

71
00:06:09,160 --> 00:06:15,000
for OT cybersecurity education and enablement,
particularly among organizations in the early stages of

72
00:06:15,040 --> 00:06:23,959
developing their cybersecurity programs. It aims
to empower these organizations and practitioners to make

73
00:06:24,399 --> 00:06:30,079
informed decisions and cut through the noise
of shiny marketing white papers. I strongly

74
00:06:30,439 --> 00:06:36,920
believe that education and enablement outside of
furthering regulation or mandating secure cyber design,

75
00:06:38,680 --> 00:06:44,040
education and enablement is one of the
big pushes that can improve our overall cyber

76
00:06:44,120 --> 00:06:51,199
resilience across critical infrastructure, helping organizations
and people make the right decisions at the

77
00:06:51,279 --> 00:06:56,680
right time, utilizing what they already
have, i.e. working smarter,

78
00:06:56,839 --> 00:06:59,839
not harder. And at the core
of this is knowing what you have,

79
00:07:00,319 --> 00:07:04,000
knowing how it functions or communicates,
Understanding what systems or risk cause the worst

80
00:07:04,000 --> 00:07:08,560
case scenario, and then going through
a risk reduction process like

81
00:07:08,600 --> 00:07:14,720
62443-3-2, PHA or
CCE that reduces risk to an acceptable level

82
00:07:15,000 --> 00:07:19,319
as you select these mitigating controls to
get to an acceptable level. Cyber Tool

83
00:07:19,360 --> 00:07:26,519
Framework could be one of these many
resources to help organizations or practitioners navigate that

84
00:07:26,639 --> 00:07:33,639
landscape. I don't have outstanding statistics
on who listens to this podcast other than

85
00:07:33,720 --> 00:07:39,399
you know, we get about three
thousand downloads per episode, but anecdotally,

86
00:07:39,480 --> 00:07:45,639
just talking to people at events and
whatnot, the sense I get is that,

87
00:07:45,720 --> 00:07:49,560
you know, maybe one third,
give or take of our audience here

88
00:07:49,720 --> 00:07:57,199
is engineers who are coming into cybersecurity
responsibilities and have to come up to speed

89
00:07:57,240 --> 00:08:03,519
on cybersecurity issues and approaches. You know, again, roughly one third give or

90
00:08:03,519 --> 00:08:07,759
take, is IT people who have become
responsible or are becoming or are interested in

91
00:08:07,800 --> 00:08:13,839
becoming responsible for OT security and have
to come up to speed on OT issues

92
00:08:13,879 --> 00:08:20,040
and you know, OT mitigations and
one third is other. But to those

93
00:08:20,079 --> 00:08:26,319
two audiences, someone coming from IT,
someone coming from engineering, let me ask

94
00:08:26,360 --> 00:08:30,199
you, can you explain for the
people coming from the engineering side of things

95
00:08:30,199 --> 00:08:33,320
who may not have heard of the
CIS top eighteen, what is the CIS

96
00:08:33,440 --> 00:08:37,080
top eighteen, you know, before
we talk about how you adapted it,

97
00:08:37,120 --> 00:08:41,320
what is it? And you know, for the other sort of third who

98
00:08:41,320 --> 00:08:46,320
are coming from IT, who might
know the CIS top eighteen cold. You

99
00:08:46,320 --> 00:08:48,080
know, first tell us what is
the CIS top eighteen? And then can

100
00:08:48,120 --> 00:08:52,960
I ask you why does it need
to be adapted for OT? Yeah,

101
00:08:54,080 --> 00:08:58,879
that's an amazing question.
So in security, there are different types

102
00:08:58,039 --> 00:09:03,840
of security frameworks. There are control
based frameworks such as COBIT, ISO

103
00:09:03,919 --> 00:09:11,679
27002, and CIS. There are
risk based frameworks like NIST CSF or standards

104
00:09:11,720 --> 00:09:13,960
such as
62443-3-2. There are

105
00:09:15,000 --> 00:09:20,600
threat intelligence based frameworks like MITRE,
etc. CIS Top eighteen is a control

106
00:09:20,639 --> 00:09:26,799
based framework created by the Center for
Internet Security, the same organization that maintains

107
00:09:26,840 --> 00:09:31,399
the CIS Benchmarks, which are very
popular for system hardening. Control-based frameworks

108
00:09:31,559 --> 00:09:37,000
give it to you straight. There's
no high level process flow chart or models

109
00:09:37,080 --> 00:09:41,519
or hundreds of pages of reading material
to follow. They are fairly prescriptive,

110
00:09:41,600 --> 00:09:46,000
requirement based frameworks that list out the
what and roughly the how. In the

111
00:09:46,039 --> 00:09:52,799
case of CIS top eighteen, it
lists out the top eighteen things organizations should

112
00:09:52,799 --> 00:09:56,960
accomplish from a cybersecurity perspective, again
straight to the point. It's one PDF

113
00:09:58,000 --> 00:10:01,600
that's fifty four pages, so it's
really digestible. Now, as I mentioned

114
00:10:01,600 --> 00:10:05,039
and as you know, sort of
alluded to there, it's tailored to IT

115
00:10:05,480 --> 00:10:11,080
environments, so OT specific controls and
guidance are missed. But the CIS top

116
00:10:11,080 --> 00:10:18,399
eighteen creates a great foundation for
OT cybersecurity and tools as well as guidance

117
00:10:18,440 --> 00:10:22,120
to be aligned to. So
that makes sense sort of from the engineering

118
00:10:22,159 --> 00:10:24,799
perspective, what is the CIS
Top eighteen? Why is it important?

119
00:10:24,879 --> 00:10:28,559
You know? How does it differ
from other documents in the space.

120
00:10:28,639 --> 00:10:31,440
Can you address the engineer,
or sorry, the IT

121
00:10:31,799 --> 00:10:35,399
audience, you know, IT people coming
into the OT space. You know,

122
00:10:35,440 --> 00:10:39,360
in my experience, often the first
question they ask is,

123
00:10:39,440 --> 00:10:41,279
you know, why not just use
everything I know already? I already

124
00:10:41,360 --> 00:10:46,000
know the CIS top eighteen; apply it. Why do they need, in a sense,

125
00:10:46,200 --> 00:10:52,799
application notes for OT? Why not
just apply it? Yeah, So there's

126
00:10:52,080 --> 00:10:58,639
you know, there's a different methodology
in how the CIS top eighteen or cyber

127
00:10:58,639 --> 00:11:03,759
Tool Framework, in this example, would
be applied in IT. It may be

128
00:11:03,879 --> 00:11:11,039
reasonably feasible to blanketly apply these
eighteen controls, and you know you would

129
00:11:11,039 --> 00:11:16,519
do so in a risk based approach. However, in OT there are different

130
00:11:16,559 --> 00:11:22,559
tools that IT doesn't have. There
are many different IDS solutions, such as

131
00:11:22,559 --> 00:11:28,799
Claroty and Dragos, but there's also
a different risk based approach in OT that

132
00:11:28,840 --> 00:11:33,440
doesn't exist in IT. We're talking
about systems that have different security capabilities,

133
00:11:35,600 --> 00:11:39,840
and we're talking about systems and environments
that have different goals, and those goals

134
00:11:39,879 --> 00:11:46,559
are safety and availability first and security
second. So you can't just take the

135
00:11:46,600 --> 00:11:50,159
top eighteen and start to address them
sequentially one through eighteen. You have to

136
00:11:50,159 --> 00:11:58,799
go first through a thorough risk based
process and address them in that sort of

137
00:11:58,320 --> 00:12:05,399
methodology. And so all those lessons
learned, the

138
00:12:05,519 --> 00:12:13,399
risk based methodology as well as how
you can apply these eighteen controls in an

139
00:12:13,440 --> 00:12:22,039
OT environment for OT organizations are outlined
on the Cyber Tool Framework website. Andrew,

140
00:12:22,039 --> 00:12:28,120
everything that Jack is talking about thus
far makes perfect sense to me, But

141
00:12:28,000 --> 00:12:35,519
it strikes me that this top eighteen
and his specific cybertool framework is yet another

142
00:12:35,759 --> 00:12:41,480
framework. In years of doing this
podcast, we've discussed so many. He

143
00:12:41,600 --> 00:12:46,519
mentioned a few of them in his
answer there. I need a framework for

144
00:12:46,600 --> 00:12:50,279
frameworks here. When should I be
focusing on what? And how do

145
00:12:50,399 --> 00:12:54,519
these all fit in together? Good
question, So let's pick it apart.

146
00:12:54,600 --> 00:13:01,480
What is a framework? A framework
is a fancy word for a checklist.

147
00:13:01,080 --> 00:13:03,960
Okay. A framework is not a
standard that says you must do X,

148
00:13:05,000 --> 00:13:09,000
you must do Y, you can do
Z. A framework is not a regulation

149
00:13:09,120 --> 00:13:13,519
that says you must do X,
Y and Z or you'll be fined.

150
00:13:15,159 --> 00:13:18,799
A framework is a checklist saying,
have you thought about your wireless? Have

151
00:13:18,919 --> 00:13:24,480
you thought about antivirus? And
so when you look at the frameworks out

152
00:13:24,480 --> 00:13:28,360
there, the checklists out there,
which of them should you use? Well,

153
00:13:30,600 --> 00:13:33,399
you're going to use most of them
eventually. The question in my mind

154
00:13:33,440 --> 00:13:37,720
is where do you start. Do
you start with the cybersecurity framework? Well,

155
00:13:37,960 --> 00:13:41,879
you read the framework, and what
I got the first time I read

156
00:13:41,000 --> 00:13:46,879
NIST Cybersecurity Framework was the five pillars,
now six pillars, six sort of things,

157
00:13:48,039 --> 00:13:50,679
big picture things you have to think
about, and then when you get into

158
00:13:50,720 --> 00:13:58,279
the individual specifics, they refer you
to other standards. Oh so it really

159
00:13:58,320 --> 00:14:01,799
is very high level, very abstract, and you know, it's a bit

160
00:14:01,799 --> 00:14:07,120
hard to use because you have to
keep flipping to these other standards. You

161
00:14:07,159 --> 00:14:09,919
know, the beauty of... So let me
say as well, you know

162
00:14:11,080 --> 00:14:13,240
IEC 62443
is a standard, not a framework.

163
00:14:13,279 --> 00:14:16,679
You can use it
as a framework if you want. You

164
00:14:16,679 --> 00:14:20,919
can go through every security control that
62443 recommends, and

165
00:14:20,960 --> 00:14:22,720
let's say the 3-3 standard. You can go through every one of

166
00:14:22,720 --> 00:14:26,559
them and say should I use this? Where would I use this? But

167
00:14:26,600 --> 00:14:31,120
it's a lot to go through.
The value that the CIS Top eighteen brings

168
00:14:31,679 --> 00:14:37,080
is they give you, what you know, the experts who developed the framework.

169
00:14:37,120 --> 00:14:41,919
They give you the eighteen security controls
to consider. They don't say you have

170
00:14:41,960 --> 00:14:45,159
to use them, they say you
should think about them. That's why it's

171
00:14:45,159 --> 00:14:48,440
a framework, not a standard.
And they say, these are the ones

172
00:14:48,480 --> 00:14:52,159
that, in our experience tend to
be the most valuable. If you're just

173
00:14:52,279 --> 00:14:56,919
getting started, what's the first thing
you should do once you start thinking about

174
00:14:56,000 --> 00:15:01,399
security controls? Hit the top eighteen, go through them, and you know,

175
00:15:01,480 --> 00:15:05,000
once you've kind of wrapped your head
around them and sort of the high value

176
00:15:05,000 --> 00:15:07,200
stuff you've got to do, you
can take the next step and become more

177
00:15:07,240 --> 00:15:11,240
comprehensive. So this is
it. You know, a framework's a checklist,

178
00:15:11,279 --> 00:15:16,159
and here's a checklist to get you
started. You'll keep it in your

179
00:15:16,200 --> 00:15:20,679
pocket as you become more experienced,
as your system becomes more mature. But

180
00:15:20,759 --> 00:15:24,000
if you know, if you're a
consultant, going into one site after another,

181
00:15:24,039 --> 00:15:28,879
starting from zero, you might wind
up using it more often than not.

182
00:15:31,480 --> 00:15:37,120
Okay, so you've taken this sort
of very popular almost standard document in

183
00:15:37,159 --> 00:15:39,159
the IT space. You've applied it
to the OT space. One of the

184
00:15:39,159 --> 00:15:43,039
things you did was you added a
whole column on tools. And I'm not

185
00:15:43,159 --> 00:15:46,759
you know, I've looked through the
document. You know, for anyone

186
00:15:46,759 --> 00:15:52,039
who hasn't looked at it yet,
each row, each column of tools is

187
00:15:52,080 --> 00:15:56,320
not one or two tools. You've
got dozens listed for each of these security

188
00:15:56,320 --> 00:16:03,720
controls in some of these rows. On the other hand, if I

189
00:16:03,759 --> 00:16:07,600
look at the next column over sort
of the industry application, you almost don't

190
00:16:07,600 --> 00:16:11,240
mention the tools in the industry applications. That seems to be a different topic.

191
00:16:11,639 --> 00:16:17,159
The title of the document is you
know, cybersecurity tools. Can you

192
00:16:17,240 --> 00:16:21,240
talk about tools? What's important
about tools? What you know? How

193
00:16:21,240 --> 00:16:25,600
do we use that column of
tools there? Yeah, so the tools

194
00:16:25,679 --> 00:16:29,679
in version one, or the, you
know, the MVP, minimal viable

195
00:16:29,720 --> 00:16:33,879
product stage of Cyber Tool Framework.
It just has the tools listed in alphabetical

196
00:16:34,000 --> 00:16:40,679
order, and that's to get rid
of any bias, and so later

197
00:16:40,720 --> 00:16:44,840
in a version two,
we could potentially start to organize those tools

198
00:16:45,480 --> 00:16:48,279
based on certain common criteria. But
you'll notice there's paid tools as well as

199
00:16:48,320 --> 00:16:53,080
free tools for each of the controls, and so, you know, the difference looking

200
00:16:53,120 --> 00:16:59,120
at OT versus IT tools can really be seen looking at

201
00:16:59,200 --> 00:17:04,279
something like network monitoring and defense. In
network monitoring and defense, data diodes

202
00:17:04,440 --> 00:17:14,640
are really prevalent and a strong remediation
mitigating control on the network side. You

203
00:17:14,720 --> 00:17:18,799
also have, of course, just
like IT, you have next gen firewalls

204
00:17:18,799 --> 00:17:23,119
like Cisco Firepower, FortiGate, Palo
Alto. But in the third column there

205
00:17:23,279 --> 00:17:30,279
the field notes and best practices considerations, I reference that FortiGate is oftentimes a

206
00:17:30,359 --> 00:17:37,759
really popular firewall in the OT space
because of the number of OT protocols that

207
00:17:37,799 --> 00:17:45,640
it understands in its IPS, and
so there's nuance to some of these controls

208
00:17:45,640 --> 00:17:49,480
and tools that are referenced that are
specific to OT and not to IT.

209
00:17:51,400 --> 00:17:56,119
Continuous vulnerability management is another one,
and that's sort of synergistic to asset inventory

210
00:17:56,480 --> 00:18:03,759
where tools like Claroty, Dragos, Industrial Defender,
Forescout, these are tools that help

211
00:18:03,119 --> 00:18:11,599
with asset management, vulnerability management and
also act as an IDS in these

212
00:18:11,039 --> 00:18:18,799
critical infrastructure organizations. Again, tools
entirely unique to the OT space, and

213
00:18:18,839 --> 00:18:23,200
their implementation is unique as well.
So there's some examples there of the

214
00:18:23,240 --> 00:18:30,880
different tooling that exists in the platform
and how that differs from IT to

215
00:18:32,039 --> 00:18:36,759
OT. The tools column,
I was struck by what you added there.

216
00:18:37,920 --> 00:18:42,359
I was also struck by what you
did not add. I mean you

217
00:18:42,440 --> 00:18:47,839
mentioned in your introduction,
you know, safety and protecting equipment and

218
00:18:48,000 --> 00:18:52,480
you know, environmental safety as
priorities for physical processes that are being

219
00:18:52,519 --> 00:18:59,920
automated by control systems. But
you know, you did not mention that

220
00:19:00,559 --> 00:19:07,880
in the document, I don't see a row, a section

221
00:19:08,079 --> 00:19:14,200
on safety in the document. On
the other hand, in the CIS Top eighteen,

222
00:19:14,240 --> 00:19:18,480
there's a whole section on,
you know, protecting web browsers and

223
00:19:18,559 --> 00:19:22,079
protecting email systems and you know,
teaching people not to click on links,

224
00:19:23,119 --> 00:19:30,599
which seems irrelevant to the OT space
because in OT networks, nobody can route

225
00:19:30,759 --> 00:19:34,319
packets to their email servers. So
I'm you know, it seems to me

226
00:19:34,400 --> 00:19:38,880
that there's still something missing here,
right? Agreed. So, you know, Version

227
00:19:40,000 --> 00:19:45,200
one was strictly tied to the CIS
top eighteen to make it recognizable. As

228
00:19:45,240 --> 00:19:49,240
you mentioned, there's certainly room to
add requirements to make it more OT centric.

229
00:19:49,559 --> 00:19:55,119
Safety would certainly be something added to
a version two. Supply chain security,

230
00:19:55,599 --> 00:20:00,200
even secure control network and system design. Legacy system security, which is

231
00:20:00,200 --> 00:20:04,680
a huge pain point, comes up
in almost every assessment all of these organizations

232
00:20:04,759 --> 00:20:08,759
due to the system life cycle time
and the cost to replace a system under

233
00:20:08,759 --> 00:20:15,839
OEM support contract is insanely expensive,
so replacing legacy systems aren't always an option.

234
00:20:15,319 --> 00:20:19,920
How do we live with these legacy
systems? Maybe even assessment methodology.

235
00:20:21,680 --> 00:20:26,240
Some of the assessment methodology is described
under Control eighteen, which is penetration testing,

236
00:20:26,240 --> 00:20:30,519
where I describe how in OT the
approach is different than a penetration test

237
00:20:30,519 --> 00:20:36,559
in IT. But it's really important
that organizations looking to hire third parties know

238
00:20:36,640 --> 00:20:41,119
what criteria to look for so that
they get their expectations met. And even

239
00:20:41,319 --> 00:20:45,240
the other controls like physical security could
be one that's added. So there's certainly

240
00:20:45,279 --> 00:20:48,160
room to grow these out. And
I'm sure you're well aware that there is

241
00:20:48,640 --> 00:20:55,240
a Top 20 Secure PLC Coding Practices
resource or standard out there. We actually

242
00:20:55,240 --> 00:20:57,599
have consultants on our team that contributed
to that. So maybe down the road

243
00:20:57,640 --> 00:21:03,720
Cyber Tool Framework more and is something
similar, its own standalone resource or standard.

244
00:21:03,720 --> 00:21:07,240
Can you give us a couple of
examples, you know, in a sense,

245
00:21:08,079 --> 00:21:12,799
what are sort of the
most striking examples in your mind of

246
00:21:14,160 --> 00:21:19,599
of sort of IT versus OT differences
in applying the CIS Top eighteen? What, you

247
00:21:19,640 --> 00:21:25,880
know, what are some of the
the key takeaways for, you know,

248
00:21:25,920 --> 00:21:27,279
one or two of your rows. Can
you give us some examples as to

249
00:21:27,480 --> 00:21:33,720
the value people get from
looking up the document and reading through it.

250
00:21:33,720 --> 00:21:38,680
Absolutely, yeah. So, taking
vulnerability management as an example, there

251
00:21:38,720 --> 00:21:45,480
seems to be a big push or
emphasis on CVE-based vulnerability management in OT

252
00:21:45,799 --> 00:21:51,440
without any additional context. This is
evident in the branding of tools that are

253
00:21:51,440 --> 00:21:55,960
sold, the marketing white papers you
see floating around on LinkedIn, and

254
00:21:56,119 --> 00:22:00,640
as we go about our day to
day consulting. Buy a tool and go chase your

255
00:22:00,640 --> 00:22:04,440
tail trying to remediate CVEs.
The CVE sentiment is that we mirror the

256
00:22:04,480 --> 00:22:11,000
approach. We loosely mirror the approach
of IT. However, in IT everything

257
00:22:11,039 --> 00:22:14,640
that is tied to Tenable, everything
is kept up to date using WSUS and

258
00:22:14,720 --> 00:22:18,880
system refreshes that occur every three to
five years. That's a different landscape and

259
00:22:18,920 --> 00:22:22,759
in OT, and that approach just won't work. This is due to several reasons.

260
00:22:22,759 --> 00:22:30,240
The extended life cycle, fifteen to twenty year
life cycle means that many OT environments operate

261
00:22:30,480 --> 00:22:36,440
with outdated hardware and software that can't
easily be patched or upgraded, so naturally,

262
00:22:36,559 --> 00:22:44,039
version-based CVEs can't be widely addressed
and security measures must therefore be tailored to

263
00:22:44,200 --> 00:22:49,279
these constraints. You'd probably be better
off focusing on other mitigating controls such as

264
00:22:49,400 --> 00:22:55,160
network segmentation or allow listing as an
example. However, getting back to CVEs,

265
00:22:56,119 --> 00:23:00,680
even running agent-based scans like Tenable
in combination with other solutions like AD

266
00:23:00,839 --> 00:23:07,960
and WSUS could in some cases
introduce additional cyber fragility into the environment that

267
00:23:08,039 --> 00:23:12,200
could affect the overall availability of the
process. So there's a balance to this.

268
00:23:14,079 --> 00:23:18,240
The systems may not be able to
support Tenable, AD or

269
00:23:18,400 --> 00:23:22,799
WSUS. You know, think obsolete operating
systems, Windows CE, or industrial

270
00:23:22,799 --> 00:23:29,200
control systems. And finally, frequently
our security teams double as engineers, you

271
00:23:29,200 --> 00:23:33,119
know, take a small utility.
We've worked with plenty where network or system

272
00:23:33,119 --> 00:23:37,599
admins who are wearing the cybersecurity hat. They have limited time, knowledge,

273
00:23:37,640 --> 00:23:45,480
and resources, and so all of
these real-world scenarios shape why our

274
00:23:45,519 --> 00:23:51,039
approach to CVEs has to be different. To fix version-based CVEs, patching

275
00:23:51,759 --> 00:23:56,240
will help in some cases, but
in others a system refresh is required, as

276
00:23:56,240 --> 00:24:00,039
the system itself is too old, and
so both of these, patching or replacing the

277
00:24:00,079 --> 00:24:06,160
system could require OEM approval, and
when approved by the OEM, upgrades can

278
00:24:06,200 --> 00:24:12,440
be prohibitively expensive. Many OT organizations,
upon analyzing their cyber ALE, which is

279
00:24:12,519 --> 00:24:18,440
annualized loss expectancy, i.e. how
much cyber risk they're exposed to on an

280
00:24:18,440 --> 00:24:22,480
annual basis, this cost isn't justified. You wouldn't want to spend more than

281
00:24:22,519 --> 00:24:27,079
your ALE on cyber to address that
risk, and so you could spend several

282
00:24:27,119 --> 00:24:33,319
hundreds of thousands, if not millions
of dollars conducting widespread patching and system refreshes.

283
00:24:33,160 --> 00:24:37,119
Just one of your many system vendors
alone could charge a couple hundred thousand

284
00:24:37,160 --> 00:24:44,279
dollars to upgrade a few of their
systems when your organizational cyber ALE could be

285
00:24:44,359 --> 00:24:48,119
less than that as a whole.
Therefore, the cost just doesn't make sense.

286
00:24:48,160 --> 00:24:52,160
A lot of the time you're spending
more than your cyber risk warrants,

287
00:24:52,359 --> 00:24:56,319
so you could see the vast difference
between IT and OT. So what's one

288
00:24:56,319 --> 00:25:00,960
approach to effective vulnerability management in OT? First, we focus on security measures that

289
00:25:02,200 --> 00:25:06,200
reduce our risk, and these oftentimes
may not be related to CVEs, but

290
00:25:06,200 --> 00:25:11,640
they're important to point out. These
are related to reducing catastrophic risk scenarios,

291
00:25:12,000 --> 00:25:18,480
safety system segmentation, secure network design, application whitelisting, et cetera. But

292
00:25:18,519 --> 00:25:22,400
you know, getting back to CVEs, we can prioritize high risk, high

293
00:25:22,440 --> 00:25:26,880
risk systems where we may get a
great ROI for replacing these legacy systems,

294
00:25:26,920 --> 00:25:33,319
because sometimes replacing these legacy systems isn't
just about security, it's the added benefit

295
00:25:33,359 --> 00:25:38,400
of increased availability. And so naturally
by doing this we will then greatly improve

296
00:25:38,519 --> 00:25:44,720
our CVE ticker, so to speak. And then next, organizations need to prioritize

297
00:25:44,839 --> 00:25:48,200
CVEs that are being exploited in the
wild, starting with high

298
00:25:48,319 --> 00:25:53,559
risk systems and working their way down. These could be version based or configuration

299
00:25:53,640 --> 00:26:00,000
based CVEs. But now we've sort
of narrowed down the CVEs to a number

300
00:26:00,039 --> 00:26:07,640
that is more approachable by the organization
and remediating CVEs that will address real

301
00:26:07,759 --> 00:26:15,920
risk, hopefully without spending more than
the organization's ALE. So vulnerability tool vendors, they

302
00:26:15,960 --> 00:26:22,799
won't provide this context. It's about
addressing CVEs within the organizational constraints and within

303
00:26:22,319 --> 00:26:27,440
our OT restraints that exist in the
real world. But all of that type

304
00:26:27,440 --> 00:26:34,880
of context or guidance is offered by
cyber tool framework. So let me add

305
00:26:34,880 --> 00:26:38,599
something here, Nate. You know, as someone who's worked in the field

306
00:26:38,640 --> 00:26:45,400
for god, it's forty years now
and pretty much all of my career representing

307
00:26:45,480 --> 00:26:48,680
vendors, you know, let me
speak up sort of in defense of

308
00:26:48,720 --> 00:26:55,799
vendors. Jack has indicated that yes, and he's right, patching sort of

309
00:26:55,839 --> 00:27:02,400
what he calls the common vulnerability exposure, the CVE approach. Patching security updates

310
00:27:03,079 --> 00:27:10,079
can be very expensive. Having you
know, industrial vendors approve these updates,

311
00:27:10,200 --> 00:27:14,680
or even you know, test and
deploy these updates is very expensive. In

312
00:27:14,920 --> 00:27:18,759
my experience, it's not because you
know, the vendors are gouging the owners

313
00:27:18,759 --> 00:27:23,759
and operators. It's because of the
different way that you evaluate risk in industrial

314
00:27:23,799 --> 00:27:30,000
networks. And Jack mentioned this that
the buzzword he did not mention is engineering

315
00:27:30,160 --> 00:27:37,640
change control. Here's the thing.
Every change to a safety critical system,

316
00:27:37,680 --> 00:27:42,440
every change to a critical infrastructure,
risks messing something up. You risk making

317
00:27:42,440 --> 00:27:47,759
a mistake. If you make a
mistake in a safety system, it's possible

318
00:27:47,799 --> 00:27:52,440
that people die. If you make
a mistake in a reliability critical system,

319
00:27:52,480 --> 00:27:57,599
it's possible that you have unplanned shutdowns
of your critical infrastructure. And so before

320
00:27:57,640 --> 00:28:02,559
engineers, and we've discussed this many
times, before engineers patch anything, before

321
00:28:02,559 --> 00:28:06,240
they make any change in a system, they study the change, they test

322
00:28:06,559 --> 00:28:11,200
the change, and this study,
this engineering study, and this engineering testing

323
00:28:11,279 --> 00:28:15,920
is a very expensive process. It
doesn't matter if the people at site do

324
00:28:15,000 --> 00:28:18,200
it or the vendors do it,
and you buy the tested components from

325
00:28:18,200 --> 00:28:22,200
the vendors. Someone has to do
it. It's a very expensive process because

326
00:28:22,920 --> 00:28:30,119
the consequences of making a mistake are
unacceptable. And so this is why patching

327
00:28:30,200 --> 00:28:33,599
is expensive. This is why you
have to do it differently. This is

328
00:28:33,680 --> 00:28:37,680
why all these compensating measures are so
much more important in the OT space,

329
00:28:37,759 --> 00:28:42,200
than in the IT space. His framework
got it right. He's got the compensating

330
00:28:42,240 --> 00:28:48,240
measures in there that you have to
evaluate. He, you know, maybe

331
00:28:48,359 --> 00:28:51,039
was a little bit soft on the
why, but you know that's feedback for

332
00:28:51,519 --> 00:28:59,759
Jack that we can provide for future
versions. Can we talk about I don't

333
00:28:59,759 --> 00:29:06,720
know, applicability. A small shoe
factory is a very different animal to secure

334
00:29:06,839 --> 00:29:11,960
than you know, a high speed
passenger rail switching system. Do you mention

335
00:29:12,160 --> 00:29:17,640
this in this version of the document,
is sort of the difference between

336
00:29:17,680 --> 00:29:23,279
the different sort of consequentialities, if
that's a word, is that sort of

337
00:29:23,279 --> 00:29:29,920
taken into account? Yeah, great
question. And this really ties back

338
00:29:29,960 --> 00:29:34,960
to ALE, which we just discussed. These organizations, depending on, you

339
00:29:36,000 --> 00:29:41,480
know, their sector or their
size, they have different annualized loss expectancy,

340
00:29:41,519 --> 00:29:47,319
and so you don't want to spend
more on cybersecurity to remediate risk that

341
00:29:47,359 --> 00:29:51,079
would cost more than your ALE.
And you know, in a

342
00:29:51,160 --> 00:29:55,920
version two, I think it would
be interesting to sort of create a baseline

343
00:29:56,559 --> 00:30:02,480
of controls for different sizes of
organizations. So if

344
00:30:02,480 --> 00:30:06,160
you're a small organization, you should
aim to do these three things. If

345
00:30:06,200 --> 00:30:08,359
you're a medium sized organization, you
should aim to do these five things.

346
00:30:08,640 --> 00:30:12,440
I think something like that would make
cyber tool Framework that much more actionable.

347
00:30:14,079 --> 00:30:17,880
But no matter what size of organization
you are or what sector you're

348
00:30:17,920 --> 00:30:22,759
in, when you're using a tool
like cybertool Framework, the first step should

349
00:30:22,759 --> 00:30:30,880
be conducting a thorough risk assessment to
identify the most effective mitigating controls. So

350
00:30:30,960 --> 00:30:37,960
let's suppose this risk assessment determines network
monitoring and defense as a priority. The organization

351
00:30:37,039 --> 00:30:41,200
already knows what they have. They
documented data flows, they determined that there's

352
00:30:41,240 --> 00:30:45,720
too much bleedover from IT to OT. Maybe a DMZ makes sense. The

353
00:30:45,759 --> 00:30:52,240
network infrastructure itself isn't hardened, we
aren't using centralized authentication like RADIUS, we're missing,

354
00:30:52,559 --> 00:30:56,960
or we're using SNMP
version one, etc. So the

355
00:30:56,079 --> 00:31:02,440
organization would then reference cyber tool Framework
to understand how to implement this requirement

356
00:31:02,480 --> 00:31:07,880
comprehensively. Addressing this requirement from a
people, processes and technology standpoint, the

357
00:31:07,920 --> 00:31:14,000
governance driven by the people defines the
organization's risk appetite, standards, and

358
00:31:14,039 --> 00:31:19,000
budget, which then in turn influences
the selection of technology, and then these

359
00:31:19,039 --> 00:31:26,319
processes then guide how the chosen technology
is implemented and maintained. So this integrated

360
00:31:26,319 --> 00:31:30,319
approach is how cyber tool Framework is
used effectively, not a rigid checklist,

361
00:31:30,319 --> 00:31:38,319
but a flexible resource reference to help
organizations identify specific risks. The cybertool Framework

362
00:31:38,559 --> 00:31:45,880
preface emphasizes that the eighteen requirements aren't
meant to be addressed sequentially from one to

363
00:31:47,000 --> 00:31:49,799
eighteen. Instead, it should be
based on risk, so risk really answers

364
00:31:49,839 --> 00:31:56,400
how these controls are ranked or applied.
However, risk aside, you know,

365
00:31:56,480 --> 00:32:00,759
yes, there is a sort of
natural ranking, and I would follow

366
00:32:00,799 --> 00:32:06,079
the NIST CSF identify, protect,
detect, respond, recover functions in order.

367
00:32:06,880 --> 00:32:10,759
Requirements like inventory and control of hardware
and software assets would likely be first.

368
00:32:12,200 --> 00:32:16,039
Knowing what you have lays a good
foundation for you to now address other

369
00:32:16,079 --> 00:32:22,279
requirements like secure configuration of enterprise assets
and software, which would fall under the

370
00:32:22,319 --> 00:32:28,240
protect function, and then of course
under each of these requirements. I do

371
00:32:28,359 --> 00:32:30,799
discuss maturity loosely, but again I
think this could be further built out.

372
00:32:31,240 --> 00:32:37,119
For example, looking at network monitoring
and defense, a small organization may aim

373
00:32:37,200 --> 00:32:44,359
to establish IT and OT segmentation best
practices like a DMZ, VLAN segmentation, have their

374
00:32:44,359 --> 00:32:49,880
configurations and rules audited by a third
party, your SaaS, whereas medium to large organizations

375
00:32:49,880 --> 00:32:54,319
that may have a higher risk profile
should aim a little bit higher, such

376
00:32:54,359 --> 00:32:59,440
as sending firewall logs to a SIEM
or using something like a data diode,

377
00:33:00,200 --> 00:33:07,759
analysts or an MSS analyzing these logs
continually, deploying an IDS in the DMZ and

378
00:33:07,799 --> 00:33:12,799
then subsequently other network zones, and
then you know, using things like active

379
00:33:12,839 --> 00:33:19,079
defense measures like honeypots. Maybe something
like Thinkst Canary. So future enhancements to cyber

380
00:33:19,079 --> 00:33:23,400
tool Framework will include, like
I mentioned, more detailed baselines that tie

381
00:33:23,440 --> 00:33:29,559
to organizational size to these reference
controls. But this is still a work

382
00:33:29,559 --> 00:33:34,039
in progress. If I might switch
gears, let me ask you a hard

383
00:33:34,319 --> 00:33:37,440
marketing question. You know, it's
great, it's tremendous that you're out

384
00:33:37,519 --> 00:33:43,039
there creating this knowledge, But bluntly, you know, those of us who

385
00:33:43,440 --> 00:33:47,200
write things down create knowledge that's of
limited use if nobody ever reads it.

386
00:33:49,000 --> 00:33:51,519
How do you get the word out? How do you tell you know?

387
00:33:51,519 --> 00:33:55,039
How do you let
people know that this resource exists? Another

388
00:33:55,039 --> 00:34:00,880
great point, you know, right
now we have analytics on the site, cybertool framework.

389
00:34:00,960 --> 00:34:06,039
So last month around one hundred people
were using the platform. So there's

390
00:34:06,039 --> 00:34:10,519
a natural progression and growth there.
But down the road, Cybertool framework,

391
00:34:10,599 --> 00:34:15,639
the aim is to have it be
integrated with other solutions that I believe could

392
00:34:15,679 --> 00:34:21,639
equally add a lot
of value to the community, again,

393
00:34:21,760 --> 00:34:29,159
particularly in the education and enablement of OT
security. This will enhance the overall impact

394
00:34:29,519 --> 00:34:34,719
of these resources being unified and give
it more weight if you will. But

395
00:34:34,760 --> 00:34:37,559
you know, eighteen ninety eight keeps me
pretty busy, so I don't plan to

396
00:34:38,039 --> 00:34:45,199
embark on a major marketing tour for
the time being. However, there is

397
00:34:45,239 --> 00:34:49,039
that old marketing saying that a great
product is free marketing, and so as

398
00:34:49,079 --> 00:34:53,119
I enjoy putting these resources together,
I truly hope that they help other people

399
00:34:53,199 --> 00:34:59,079
and organizations navigate the OT security landscape. And you know, right now I'm

400
00:34:59,159 --> 00:35:04,199
content with that. Can I ask
you looking forward? You've talked about a

401
00:35:04,360 --> 00:35:07,440
version two a couple of times,
and what might be in there. You

402
00:35:07,480 --> 00:35:13,480
know, we've talked about getting
the word out. I mean there's other

403
00:35:14,119 --> 00:35:16,039
I don't know, there's other podcasts
you could consider. I would

404
00:35:16,079 --> 00:35:20,559
recommend you, and any of the
listeners, go on your cell phone to the

405
00:35:20,599 --> 00:35:22,840
BEER-ISAC podcast. It's not
really a podcast, it's a list of

406
00:35:22,880 --> 00:35:27,599
other podcasts. Every industrial security podcast
that I've produced is in that list.

407
00:35:28,159 --> 00:35:31,960
But it's a list of other you
know, useful content out there in the

408
00:35:32,039 --> 00:35:37,960
in the podcast space and who puts
it out. So can you talk about

409
00:35:37,000 --> 00:35:40,199
the future, What is the gleam
in your eye for version two and how

410
00:35:40,239 --> 00:35:45,320
you're going to get the word out
for it. I definitely feel cyber tool

411
00:35:45,360 --> 00:35:52,760
Framework deserves a version two where we
first introduce ICS specific controls, as you mentioned,

412
00:35:52,320 --> 00:35:59,239
safety system segmentation, secure control network and system design, legacy

413
00:35:59,440 --> 00:36:05,599
systems, a risk assessment methodology, etc. Second, we could loosely rank the

414
00:36:05,639 --> 00:36:09,920
requirements on a maturity scale, and
then within each requirement we could create baseline

415
00:36:10,000 --> 00:36:15,239
or sub requirements that align to organizational
size. And we discussed this earlier,

416
00:36:15,239 --> 00:36:20,679
but I think this would make this
resource more actionable and tailored. So if

417
00:36:20,679 --> 00:36:23,480
you're a small organization, you should
be able to meet this threshold. If

418
00:36:23,480 --> 00:36:28,320
you're a medium sized organization, there's
a higher threshold for you, and so

419
00:36:28,400 --> 00:36:32,519
on and so forth. Finally,
maybe there's a methodology for ranking the cyber

420
00:36:32,559 --> 00:36:37,960
tools themselves. Right now, all
the tools are alphabetical to keep any bias

421
00:36:37,000 --> 00:36:40,840
out, But down the road,
it would be interesting to rank them based

422
00:36:40,920 --> 00:36:46,239
upon some sort of common criteria.
But before or maybe after version two,

423
00:36:46,320 --> 00:36:52,800
as I mentioned, I want to
look to implement other resource ideas and sort

424
00:36:52,880 --> 00:36:57,639
of combine them and do a rebranding
to Control Shield, which I think is

425
00:36:57,679 --> 00:37:01,440
a sexier name than cyber Framework.
But for now, I'm just having fun.

426
00:37:01,599 --> 00:37:05,599
I'm you know, I'm learning and
organizing my thoughts as I put these

427
00:37:05,920 --> 00:37:13,719
resources together, growing as a consultant
and hopefully giving back. Andrew, I

428
00:37:13,719 --> 00:37:19,440
think I know even less about marketing
than about industrial cybersecurity. So where do

429
00:37:19,519 --> 00:37:22,880
you start when you're thinking about how
to get the word out. It's a

430
00:37:22,920 --> 00:37:27,239
good question, you know. I
get questions like this on a regular basis.

431
00:37:27,280 --> 00:37:30,159
We do a lot of face to
face events. People come up.

432
00:37:30,440 --> 00:37:32,239
You know, I'm very active in
this space. I write a lot of

433
00:37:32,320 --> 00:37:37,360
articles. I've written three books.
I didn't start by writing a book.

434
00:37:37,480 --> 00:37:42,239
I started by writing a blog.
I started by writing little articles. Today,

435
00:37:42,559 --> 00:37:45,480
what I recommend is put the articles
on LinkedIn. Do an article on

436
00:37:45,840 --> 00:37:51,440
OT security every couple of weeks.
Get your buddies to comment on the article

437
00:37:51,519 --> 00:37:53,519
that raises the profile of the article. You know, develop a following.

438
00:37:54,559 --> 00:38:00,960
Use that following when you produce your
first big piece, like a fifty page framework, and

439
00:38:01,079 --> 00:38:07,480
post it somewhere. You know,
get your buddies to diligently, you know,

440
00:38:07,599 --> 00:38:14,559
amplify, comment on and like
your big announcements. That sort of thing.

441
00:38:15,039 --> 00:38:20,280
If you're on your own, if
you're working for somebody, do a

442
00:38:20,280 --> 00:38:23,800
couple of articles and show them to
your marketing team. It's their job to

443
00:38:23,840 --> 00:38:27,599
do marketing. You know, more
than half the time, they're likely to

444
00:38:27,599 --> 00:38:30,239
come back to you and say,
this is good stuff. We

445
00:38:30,599 --> 00:38:34,719
want to promote this stuff, and
they will work with you to put it

446
00:38:34,760 --> 00:38:39,400
on the corporate blog or amplify it
on LinkedIn or whatnot. More fundamentally,

447
00:38:39,639 --> 00:38:44,480
you know, the question is what
do you write about? Jack? Here

448
00:38:44,599 --> 00:38:47,320
is someone who came from IT,
so had some background and has spent five

449
00:38:47,360 --> 00:38:52,119
years in the OT space. And
what's he writing about? Well, you

450
00:38:52,199 --> 00:38:54,599
know, he doesn't have thirty years
in the OT space like I do,

451
00:38:54,679 --> 00:39:00,280
and he's writing textbooks. He's writing
about what he's learned. He's you know,

452
00:39:00,559 --> 00:39:07,159
he's developed a checklist of knowledge and
tips and tools that he uses in

453
00:39:07,199 --> 00:39:13,880
his everyday work. This is information
he's assembled because he needed it. Well,

454
00:39:14,239 --> 00:39:15,679
frankly, if he needed it,
other people are going to need it

455
00:39:15,719 --> 00:39:21,239
too, especially other people coming through
the same sort of learning chain as he

456
00:39:21,320 --> 00:39:25,320
did coming from IT into OT.
And so whatever learning chain you're coming from,

457
00:39:25,800 --> 00:39:30,320
you're learning stuff, as you learn
stuff, whatever you find interesting in

458
00:39:30,440 --> 00:39:34,280
you know, stuff that you learned
that week or two weeks, that's worth

459
00:39:34,320 --> 00:39:37,199
writing about because if it was useful
to you, it's going to be useful

460
00:39:37,199 --> 00:39:39,039
to someone else. That's how you
get started. And then once you've got

461
00:39:39,239 --> 00:39:44,440
sort of a history of writing and
a theme that you've developed, you can

462
00:39:44,440 --> 00:39:47,960
think about next steps and larger assets. But by all means, do get

463
00:39:49,000 --> 00:39:53,519
started. Thank you Jack for joining
us. Before we let you go,

464
00:39:53,679 --> 00:39:57,719
can you sum up for us?
You know, what are the main points

465
00:39:57,719 --> 00:40:00,960
that we should take away from your
cyber tool framework? Yeah, in relation

466
00:40:01,000 --> 00:40:07,440
to cyber tool Framework, it's really
in its MVP or minimal viable product stage.

467
00:40:07,679 --> 00:40:10,400
It's currently about forty pages of total
content and there's certainly more detail to add.

468
00:40:10,440 --> 00:40:15,599
I have some of this documented for
twenty twenty four edits and other version two

469
00:40:15,760 --> 00:40:19,400
edits that we talked about, Andrew, in
this episode. I hope that in its

470
00:40:19,440 --> 00:40:24,320
current form it helps those trying to
navigate this nuanced space that is OT security.

471
00:40:24,559 --> 00:40:28,920
You know, those IT folks that
are familiar with CIS top eighteen will

472
00:40:29,000 --> 00:40:34,840
be very familiar, and there'll be
OT centric guidance for how you adopt CIS

473
00:40:34,880 --> 00:40:42,360
top eighteen for OT and for OT
engineers or practitioners that are aiming to digest

474
00:40:42,599 --> 00:40:49,320
more of the IT centric information.
CIS Top eighteen is a very digestible framework.

475
00:40:50,199 --> 00:40:54,880
So again, I hope that a
resource like this helps to navigate the

476
00:40:55,280 --> 00:41:00,239
OT security landscape. If I may, I'll give a quick overall elevator pitch

477
00:41:00,239 --> 00:41:05,480
to organizations out there. Keep it
simple, document your assets and, in parallel

478
00:41:05,480 --> 00:41:09,800
and more importantly, document the connectivity
both physical and logical. You can manually

479
00:41:09,880 --> 00:41:15,280
cable trace. You could use protocols
like CDP, LLDP, SNMP.

480
00:41:15,320 --> 00:41:20,440
You know, even MAC
address tables to help, run packet captures at

481
00:41:20,519 --> 00:41:24,760
various segments of your network. To
start to develop this high level diagram,

482
00:41:24,800 --> 00:41:29,880
it doesn't have to show every device
in a color coordinated Visio, but get

483
00:41:29,880 --> 00:41:32,880
a good understanding of your environment.
If you can achieve these things, you're

484
00:41:32,880 --> 00:41:37,360
ahead of seventy five percent of organizations
at your level. Now look at this

485
00:41:37,440 --> 00:41:42,079
documented environment and break it down into
zones. One for IT, one for

486
00:41:42,159 --> 00:41:45,719
IT OT DMZ if
you have one, one for the OT, your

487
00:41:45,760 --> 00:41:50,920
process network, one for each Wi
Fi zone and each system zone. Start

488
00:41:50,960 --> 00:41:54,639
there, and now begin a risk
assessment approach to identify what can cause a

489
00:41:54,639 --> 00:42:00,440
catastrophe in each of these zones.
Focus on those risks, and finally break

490
00:42:00,480 --> 00:42:05,000
down your mitigating controls into two categories. Cyber based and non cyber based.

491
00:42:05,199 --> 00:42:08,599
What barriers can you put in place
to prevent this catastrophe from both pools?

492
00:42:08,880 --> 00:42:14,719
Now, if we get to this level,
you deserve a trophy, but finally a

493
00:42:14,760 --> 00:42:20,119
shameless plug for eighteen ninety eight and Co. At
eighteen ninety eight and Co., we help organizations

494
00:42:20,159 --> 00:42:24,360
throughout the security life cycle, from
governance to technology. We assist clients in

495
00:42:24,440 --> 00:42:30,760
starting and improving their cybersecurity programs from
the inception of materializing funding, writing policies

496
00:42:30,760 --> 00:42:37,960
and procedures, implementing technology, and
conducting continuous assessments, vulnerability, risk and pen

497
00:42:37,039 --> 00:42:42,719
testing. We also, of course,
do advising and recently finished our MSS or

498
00:42:42,840 --> 00:42:46,480
SOC based in Houston. So if
you'd like to learn more or have feedback

499
00:42:46,519 --> 00:42:51,639
from me on cyber tool framework, that's
cybertoolframework dot com. You can leave feedback

500
00:42:51,679 --> 00:42:54,159
directly on the site, or you can
find me on LinkedIn at Jack Bliss.

501
00:42:58,639 --> 00:43:01,360
So that just about does it,
Andrew, for your interview with Jack Bliss.

502
00:43:01,480 --> 00:43:05,280
Do you have any final thoughts that
you might want to take us out with

503
00:43:05,400 --> 00:43:10,719
today? Yeah, I mean the
resource here is a great resource if you

504
00:43:10,760 --> 00:43:15,360
want to find it. It is
on the web. Cyber tool Framework, no

505
00:43:15,480 --> 00:43:22,920
spaces, no dashes, cybertoolframework dot
com. You know the framework. It's

506
00:43:22,039 --> 00:43:27,320
short, it's sweet, it's
usable, it connects the worlds of IT

507
00:43:27,719 --> 00:43:31,519
and OT. It's a great place
to get started with concepts you know that

508
00:43:31,639 --> 00:43:37,920
lead into more advanced risk management and
other advanced OT topics. And I think

509
00:43:37,960 --> 00:43:42,559
it's great that Jack is doing this. I wish more people would write down

510
00:43:42,800 --> 00:43:45,559
what they're learning, write down,
you know, the knowledge that they use

511
00:43:45,639 --> 00:43:51,719
every day for other people to come
up to speed and take advantage of.

512
00:43:52,800 --> 00:43:55,199
Well, thanks to Jack for sharing
his knowledge with us. And Andrew,

513
00:43:55,239 --> 00:43:59,599
thank you as always for speaking with
me. It's always a pleasure. Thank

514
00:43:59,639 --> 00:44:04,800
you, Nate. This has been the
Industrial Security podcast from Waterfall. Thank you

515
00:44:04,880 --> 00:44:06,800
to everybody out there listening.
