1
00:00:04,000 --> 00:00:06,919
Speaker 1: Somebody to take on the risk of installing it and

2
00:00:06,960 --> 00:00:10,240
owning it, but also trying to influence the cybersecurity metrics

3
00:00:10,279 --> 00:00:11,039
into that asset.

4
00:00:15,800 --> 00:00:20,239
Speaker 2: Welcome to the Industrial Security Podcast. My name is Nate Nelson.

5
00:00:20,559 --> 00:00:24,000
I'm here with Andrew Ginter, the vice president of Industrial

6
00:00:24,039 --> 00:00:28,199
Security at Waterfall Security Solutions, who's going to introduce the

7
00:00:28,239 --> 00:00:31,519
subject and guest of our show today. Andrew, how are you?

8
00:00:32,200 --> 00:00:35,159
Speaker 3: I'm very well, thank you, Nate. Our guest today is

9
00:00:35,200 --> 00:00:40,840
Ian Fleming. He is a solutions architect for OT industrial

10
00:00:40,840 --> 00:00:46,560
control systems and cyber physical solutions at Deloitte, and today

11
00:00:46,600 --> 00:00:49,359
we're going to be talking about how the money flows.

12
00:00:49,359 --> 00:00:51,679
We're going to be talking about working the numbers, arranging

13
00:00:51,679 --> 00:00:55,000
the budget so that there is in fact budget for

14
00:00:55,119 --> 00:00:56,200
industrial security.

15
00:00:56,679 --> 00:01:00,240
Speaker 2: Then, without further ado, your interview with Ian Fleming.

16
00:01:02,880 --> 00:01:05,879
Speaker 3: Hello, Ian, and welcome to the podcast. Before we get started,

17
00:01:05,879 --> 00:01:08,799
can I ask you to please introduce yourself and say

18
00:01:08,799 --> 00:01:10,879
a few words about the good work that you're doing

19
00:01:10,959 --> 00:01:11,799
at Deloitte.

20
00:01:12,439 --> 00:01:15,560
Speaker 4: Yeah, hello, Andrew, thanks for having me. My name is

21
00:01:15,599 --> 00:01:16,239
Ian Fleming.

22
00:01:16,439 --> 00:01:21,480
Speaker 1: I lead cybersecurity efforts with operational technologies at Deloitte. My

23
00:01:21,560 --> 00:01:25,319
team really focuses on helping organizations secure their industrial control

24
00:01:25,400 --> 00:01:30,760
systems like building automation, physical infrastructure systems that are typically

25
00:01:30,799 --> 00:01:34,200
overlooked when it comes to cybersecurity. Prior to Deloitte, I

26
00:01:34,359 --> 00:01:38,319
worked really heavily in power. I did a lot of

27
00:01:38,359 --> 00:01:41,519
operational technology cyber, was involved in a lot of NERC

28
00:01:41,599 --> 00:01:46,680
CIP work, actually enabled a lot of some of the vulnerabilities

29
00:01:46,719 --> 00:01:49,079
that we're trying to patch today. So I feel like

30
00:01:49,120 --> 00:01:51,200
I've come into the consulting side to pay penance for

31
00:01:51,239 --> 00:01:52,280
what I've done in industry.

32
00:01:53,480 --> 00:01:55,920
Speaker 4: Lately, at Deloitte, I've been working on

33
00:01:55,879 --> 00:01:59,359
Speaker 1: integrating security as part of core operations, especially in

34
00:02:00,000 --> 00:02:03,640
industries and areas of government, civil, where the line between

35
00:02:03,680 --> 00:02:08,039
physical assets and cyber assets is becoming increasingly blurred. We

36
00:02:08,080 --> 00:02:11,000
also work to make sure our clients can effectively manage

37
00:02:11,080 --> 00:02:15,120
risk related to these systems, and just proper alignment between

38
00:02:15,159 --> 00:02:17,120
security investments with business goals.

39
00:02:18,120 --> 00:02:21,479
Speaker 3: Our topic today is budget, you know, shaking the money loose,

40
00:02:21,560 --> 00:02:24,840
managing the money. We don't get anything done in

41
00:02:24,960 --> 00:02:28,560
most businesses unless there's a budget to get it done.

42
00:02:29,240 --> 00:02:31,439
And we're going to talk about sort of the OT

43
00:02:31,560 --> 00:02:34,599
security budget, the industrial security budget. But can we start

44
00:02:34,599 --> 00:02:38,319
with IT? I mean, do IT teams have the same

45
00:02:38,479 --> 00:02:41,400
struggle for budget that we observe in the OT world.

46
00:02:42,360 --> 00:02:43,639
Speaker 4: That's a good place to start.

47
00:02:43,800 --> 00:02:47,560
Speaker 1: I mean, IT teams do face their challenges with budgets,

48
00:02:47,599 --> 00:02:51,639
but they're often more straightforward nowadays when compared to OT.

49
00:02:52,560 --> 00:02:55,280
I think in IT, cybersecurity costs are generally tied to

50
00:02:55,319 --> 00:02:58,800
a business process or a system that the top

51
00:02:58,840 --> 00:03:03,240
floor of the office understands pretty clearly. But often, like

52
00:03:03,319 --> 00:03:06,840
cloud-based solutions, where information is an asset, they're easier

53
00:03:06,840 --> 00:03:10,639
to finance, and frankly IT does work more from a

54
00:03:10,719 --> 00:03:15,840
top down of the organization. IT initially couldn't get funding.

55
00:03:17,159 --> 00:03:22,000
They've been able to really structure their sales pitch towards

56
00:03:23,840 --> 00:03:26,759
real business goals, which is great. You know, it's

57
00:03:26,800 --> 00:03:30,360
something that in OT you think it would be easy for

58
00:03:30,400 --> 00:03:33,800
them to describe, but the top floor tends to

59
00:03:33,800 --> 00:03:37,639
just throw money at those problems whenever things break, versus

60
00:03:37,719 --> 00:03:40,360
IT where they see it more as a strategic advantage.

61
00:03:41,039 --> 00:03:43,039
Speaker 4: If you move data between, say, cloud

62
00:03:42,800 --> 00:03:47,919
Speaker 1: providers, you're doing upgrades of infrastructure relatively easily.

63
00:03:47,919 --> 00:03:50,280
In IT, you can handle the issues in a more

64
00:03:50,319 --> 00:03:53,719
agile way. At the same time, IT has been rapidly

65
00:03:53,719 --> 00:03:57,759
transitioning from company owned data centers which were once inside

66
00:03:57,759 --> 00:04:03,280
of an office building, to cloud-based, more operational expense

67
00:04:03,360 --> 00:04:06,759
type models, where logical security, nowadays we refer to it

68
00:04:06,759 --> 00:04:10,080
as security as code, it automates much of the security

69
00:04:10,120 --> 00:04:13,280
work in IT now. These models do allow IT teams

70
00:04:13,360 --> 00:04:16,959
to dynamically shift their resources and manage security through software,

71
00:04:17,399 --> 00:04:20,439
which works really well in environments where assets are entirely

72
00:04:20,519 --> 00:04:23,360
virtual and easy to scale, and that's the reason why

73
00:04:23,480 --> 00:04:29,040
operational expenses have really exploded in IT. But let's look

74
00:04:29,079 --> 00:04:31,399
at the other side, like in OT, where my clients

75
00:04:31,399 --> 00:04:33,519
are working in and where I'm focusing some of my

76
00:04:33,600 --> 00:04:37,199
time at Deloitte, we're dealing with physical assets like machines

77
00:04:37,279 --> 00:04:42,120
and sensors, industrial equipment, where failures mean real-world space

78
00:04:42,199 --> 00:04:46,600
and time consequence. It goes beyond just the information. It's

79
00:04:46,720 --> 00:04:50,959
physical stoppage of production. So the problem is also compounded

80
00:04:51,000 --> 00:04:53,160
by the fact that it often has to compete with

81
00:04:53,199 --> 00:04:58,160
the physical maintenance budget for operations, which typically isn't really

82
00:04:58,199 --> 00:05:00,600
seen much in IT, especially with the advent of cloud and

83
00:05:00,639 --> 00:05:05,519
everybody in IT moving that direction. As far as physical

84
00:05:05,639 --> 00:05:09,920
capital projects like industrial automation systems or infrastructure they are

85
00:05:09,959 --> 00:05:15,560
also fundamentally different. Most of the projects in OT are architected,

86
00:05:15,680 --> 00:05:19,519
designed and budgeted and financed over really long life cycles,

87
00:05:19,560 --> 00:05:24,519
like twenty year life cycles before refresh. When a capital

88
00:05:24,560 --> 00:05:28,199
project, such as, you know, physical infrastructure, is initiated, all costs

89
00:05:28,199 --> 00:05:32,480
including materials, labor, maintenance, think of building a building or heck,

90
00:05:32,560 --> 00:05:35,800
even just renovating your kitchen in your house, they're budgeted

91
00:05:35,879 --> 00:05:39,040
up front and financing is typically secured through like a

92
00:05:39,160 --> 00:05:41,040
large one time capital expenditure.

93
00:05:43,959 --> 00:05:46,360
Speaker 3: So, Nate, you know, we're talking about budgets here. A

94
00:05:46,399 --> 00:05:49,480
lot of our listeners, I'm guessing are like me and

95
00:05:50,199 --> 00:05:54,480
have sort of a limited understanding of accounting and budgets.

96
00:05:54,480 --> 00:05:56,240
I mean, we tend to be focused on bits and

97
00:05:56,279 --> 00:06:01,759
bytes and buffer overflows and you know, cryptosystems. So let

98
00:06:01,759 --> 00:06:03,439
me give you just a little bit of

99
00:06:03,439 --> 00:06:07,399
background here. You know, when I started the episode, I

100
00:06:07,480 --> 00:06:13,439
had sort of a small business owner's understanding of accounting

101
00:06:14,399 --> 00:06:18,879
and budgeting here. You know, I've operated my own small

102
00:06:18,920 --> 00:06:21,680
business from time to time, and when you know, when

103
00:06:21,720 --> 00:06:24,439
I operated my own business, there's you know, there's two

104
00:06:24,519 --> 00:06:28,279
kinds of expenses. There's what's called capital expenses and operating expenses.

105
00:06:29,600 --> 00:06:34,079
If you buy, let's say, a delivery truck for a

106
00:06:34,120 --> 00:06:38,759
delivery business, the truck, you know, is going to deliver

107
00:06:38,959 --> 00:06:41,120
value to you. You're going to use the truck for

108
00:06:41,199 --> 00:06:46,600
like a decade, and so the government generally requires you

109
00:06:46,680 --> 00:06:53,120
to declare that large expense as a capital investment, which means,

110
00:06:53,160 --> 00:06:54,959
you know, I always thought it was sort of a

111
00:06:55,000 --> 00:07:02,360
liability to declare that because I have to. You know,

112
00:07:03,079 --> 00:07:05,279
what I'd like to do is reduce the amount that

113
00:07:05,319 --> 00:07:08,000
I pay in taxes. And so if I could claim

114
00:07:08,040 --> 00:07:10,759
the entire cost of the truck against my revenues that

115
00:07:10,839 --> 00:07:13,680
year as a small business owner, as a sole proprietor,

116
00:07:13,680 --> 00:07:16,279
I would pay less taxes. The government says, no, no,

117
00:07:16,319 --> 00:07:19,160
you can't do that. You have to, you know, assume

118
00:07:19,519 --> 00:07:21,839
a life span of three or ten years or something

119
00:07:21,839 --> 00:07:24,160
for the truck, and you can only claim a fraction

120
00:07:24,240 --> 00:07:27,199
of the expense against your taxes and reduce your taxes

121
00:07:27,319 --> 00:07:30,839
slowly over time because you are, you know, the asset

122
00:07:30,959 --> 00:07:35,480
is reducing in value over time. Expenses like gasoline that

123
00:07:35,519 --> 00:07:38,720
you use up you know, that day, or you know,

124
00:07:38,839 --> 00:07:42,199
the over the course of the next week, you can

125
00:07:42,319 --> 00:07:46,120
claim the entire amount of the expense against your income,

126
00:07:46,160 --> 00:07:48,560
you can reduce your taxes. This is sort of the

127
00:07:48,920 --> 00:07:53,439
naive model I had of capital expenses versus operating expenses.

128
00:07:53,480 --> 00:07:57,319
You can claim all of operating expenses right away. It

129
00:07:57,399 --> 00:08:05,079
turns out that in big business, claiming capital costs

130
00:08:05,199 --> 00:08:07,079
over a period of time. Let's say, you know, the

131
00:08:07,120 --> 00:08:12,040
delivery truck over ten years is an advantage because you know,

132
00:08:12,079 --> 00:08:15,439
big business wants to show a profit every year, wants

133
00:08:15,480 --> 00:08:19,600
to control their expenses every year, control the expenses.

134
00:08:19,120 --> 00:08:19,759
Speaker 4: That they claim.

135
00:08:20,240 --> 00:08:23,199
Speaker 3: And so if they have to buy you know, a

136
00:08:23,240 --> 00:08:27,560
fleet of trucks, a thousand trucks in a particular year

137
00:08:27,680 --> 00:08:32,279
and they're going to last ten years, then they don't

138
00:08:32,320 --> 00:08:36,759
want to show that they have negative profit in the

139
00:08:36,840 --> 00:08:38,320
year that they had to make that, you know, in

140
00:08:38,360 --> 00:08:40,799
the year that the money left the business, because it

141
00:08:40,879 --> 00:08:43,440
left the business that year to buy the thousand trucks.

142
00:08:43,960 --> 00:08:48,360
They want to show that, you know, to account for

143
00:08:48,440 --> 00:08:51,679
that expense over the life of the asset the trucks,

144
00:08:52,159 --> 00:08:56,639
so that they can show a consistent profit. So, you know,

145
00:08:56,720 --> 00:09:00,559
this is sort of capital versus operating as is different

146
00:09:00,600 --> 00:09:05,039
in small business versus large business. And you know in

147
00:09:05,679 --> 00:09:08,000
heavy industry, which is you know, industrial security.

148
00:09:08,039 --> 00:09:09,200
Speaker 4: We're all about industrial here.

149
00:09:09,519 --> 00:09:14,200
Speaker 3: In heavy industry, there tends to be extreme pressure to

150
00:09:14,320 --> 00:09:18,639
reduce operating expenses. When you build a mine, you invest

151
00:09:18,679 --> 00:09:21,759
I don't know, three billion dollars in you know, before

152
00:09:21,799 --> 00:09:27,200
the first shovelful of ore, you know, with gold or whatever,

153
00:09:27,240 --> 00:09:29,799
and it comes out of the mine. You invest a

154
00:09:29,840 --> 00:09:33,080
massive amount. This is your capital investment. And once you've

155
00:09:33,120 --> 00:09:37,840
made that massive investment, generally you're under pressure to minimize

156
00:09:37,879 --> 00:09:40,679
the cost of operating that asset over the course of

157
00:09:40,720 --> 00:09:44,120
the next thirty years because you're producing a commodity. You know,

158
00:09:44,279 --> 00:09:47,960
even gold is a commodity, and you know, you sell

159
00:09:48,000 --> 00:09:51,480
the gold at the world price for gold. Gold is interchangeable.

160
00:09:51,519 --> 00:09:54,240
Nobody cares if it's your gold or somebody else's gold.

161
00:09:54,519 --> 00:09:57,759
You're fighting with every other gold mine on the planet

162
00:09:57,879 --> 00:10:01,440
to produce gold. And you know, even gold gets more

163
00:10:01,480 --> 00:10:05,080
expensive every year to produce as the supply diminishes. To

164
00:10:05,120 --> 00:10:08,840
produce gold at, uh, you know, at a price that

165
00:10:08,879 --> 00:10:11,879
will show you a profit. So operating expenses

166
00:10:11,879 --> 00:10:14,600
are always under extreme pressure in heavy industry, and they

167
00:10:15,039 --> 00:10:18,399
capitalize their investments. So that's sort of accounting 101.

168
00:10:18,519 --> 00:10:21,840
When I came into this, I have learned from Ian.

169
00:10:21,919 --> 00:10:24,480
So I'm thinking let's go back to Ian and learn,

170
00:10:24,720 --> 00:10:27,559
you know, the mistakes I've just explained to

171
00:10:27,600 --> 00:10:33,159
you and sort of the naive understanding of accounting. Reflecting

172
00:10:33,200 --> 00:10:36,080
on what you just said, the thing that I

173
00:10:36,200 --> 00:10:42,639
think I caught was that there's roughly two kinds of budget.

174
00:10:42,879 --> 00:10:47,039
There's capital expenses and operating expenses. You know, in the

175
00:10:47,080 --> 00:10:51,639
OT world, everybody wants to minimize operating expenses, and you know,

176
00:10:51,720 --> 00:10:53,879
capital is kind of what it is. In the

177
00:10:53,919 --> 00:10:57,600
IT world. I think I heard you say that everything

178
00:10:57,639 --> 00:11:03,440
is becoming operationalized, meaning it's all going into the opex budget,

179
00:11:03,519 --> 00:11:06,559
But you're saying that in you know, capital budgets are

180
00:11:06,559 --> 00:11:09,240
still really important in the OT space.

181
00:11:09,840 --> 00:11:12,000
Speaker 4: Is that the key difference here

182
00:11:11,879 --> 00:11:15,200
Speaker 3: between these two spaces, is the budgets?

183
00:11:16,000 --> 00:11:18,639
Speaker 1: Well, I think that's a really good question,

184
00:11:18,919 --> 00:11:21,960
and it has been something that I've been struggling with,

185
00:11:22,039 --> 00:11:27,559
Like how to operationalize an OT cybersecurity program when it's

186
00:11:27,639 --> 00:11:30,679
being funded through what, like I was talking about earlier.

187
00:11:30,679 --> 00:11:34,960
Typically in IT it is more of an operational expense budget.

188
00:11:35,080 --> 00:11:38,679
Speaker 4: You don't really tie the ongoing maintenance.

189
00:11:38,240 --> 00:11:41,399
Speaker 1: Of a computer system that's anticipated to run for five

190
00:11:41,519 --> 00:11:45,480
years on a capital expense. It's like replacing Oracle or

191
00:11:46,000 --> 00:11:50,159
a Salesforce application would be a CAPEX, unless, of course

192
00:11:50,159 --> 00:11:50,840
you're buying all of.

193
00:11:50,799 --> 00:11:51,919
Speaker 4: The software as a service.

194
00:11:52,320 --> 00:11:55,960
Speaker 1: See, those lines have been grayed. But because those

195
00:11:56,000 --> 00:12:00,919
physical assets do have a long lifespan and the security

196
00:12:00,960 --> 00:12:03,679
typically, and when I say security, it's also availability of

197
00:12:03,679 --> 00:12:07,200
those assets, are tied to those physical assets. So

198
00:12:07,840 --> 00:12:10,919
whether it's built into CAPEX or drawn down over time,

199
00:12:11,039 --> 00:12:15,840
it needs to be sustainable from a resourcing perspective, like,

200
00:12:15,919 --> 00:12:18,519
for instance, in power. I worked in power systems for

201
00:12:18,840 --> 00:12:22,600
several years, power delivery and distribution. We had a financial

202
00:12:22,679 --> 00:12:28,080
metric called TIER, meaning times interest earned ratio, and a

203
00:12:28,159 --> 00:12:30,279
previous CFO in a prior life taught me about this

204
00:12:30,320 --> 00:12:33,440
because I had no idea how to tie like a

205
00:12:33,480 --> 00:12:39,480
cybersecurity tool that was designed to protect an

206
00:12:39,519 --> 00:12:43,919
operational asset. So the tier measures a company's ability to

207
00:12:43,919 --> 00:12:47,919
meet its debt obligations by comparing its income before interest

208
00:12:48,000 --> 00:12:52,159
and taxes to the interest expenses on its debts.

209
00:12:52,440 --> 00:12:56,279
So basically the life cycle of that asset. You wouldn't

210
00:12:56,320 --> 00:12:59,559
be underwater, you know, underwater on your loan.

211
00:13:00,879 --> 00:13:05,120
So the tier ratio can indicate whether your organization has

212
00:13:05,159 --> 00:13:09,200
that profitability from that asset that's operational to cover its

213
00:13:09,240 --> 00:13:13,440
debt obligations and ongoing operational costs. When I figured that

214
00:13:13,559 --> 00:13:16,320
out with the CFO, and this is several decades ago,

215
00:13:16,519 --> 00:13:18,639
I was like, Okay, that's how I'm going to tie

216
00:13:19,200 --> 00:13:24,600
my cybersecurity program to a specific, a very specific operational asset.

217
00:13:24,639 --> 00:13:27,799
And when I say operational assets, it's physical.

218
00:13:27,919 --> 00:13:30,919
It has a physical a cyber physical component to it.

219
00:13:31,480 --> 00:13:38,639
That actually helped me budget long-term OT cybersecurity measures

220
00:13:38,759 --> 00:13:41,679
towards the asset. And that's some of the work that

221
00:13:41,720 --> 00:13:46,240
I've been doing here at Deloitte is tying that by

222
00:13:46,279 --> 00:13:48,399
getting it down at the low level, like how is

223
00:13:48,440 --> 00:13:52,559
this asset being budgeted and financed in order to convince

224
00:13:52,600 --> 00:13:55,879
somebody to take on the risk of installing it and

225
00:13:55,919 --> 00:14:00,559
owning it, but also trying to influence the cybersecurity

226
00:14:00,600 --> 00:14:05,000
metrics into that asset to where the OPEX, the cost,

227
00:14:05,120 --> 00:14:08,600
the ongoing cost of protecting that asset from cybersecurity is

228
00:14:08,679 --> 00:14:14,039
also encompassed inside that operational, I'm sorry, the capital

229
00:14:14,080 --> 00:14:15,320
expense of that asset.

230
00:14:16,360 --> 00:14:24,519
Speaker 3: You talked about tying costs and interest to income. So

231
00:14:24,639 --> 00:14:29,679
when you say that you're tying cybersecurity to an asset,

232
00:14:30,600 --> 00:14:33,679
we're talking about an asset like you know, in a

233
00:14:33,679 --> 00:14:38,080
power plant, a generating unit, not an asset that generates revenue,

234
00:14:38,279 --> 00:14:42,000
not like a bolt or a PLC that represents only

235
00:14:42,000 --> 00:14:43,799
an expense. Is that the

236
00:14:44,360 --> 00:14:47,919
sort of size and class of asset that you're tying cybersecurity to?

237
00:14:48,679 --> 00:14:52,600
Speaker 1: Well, cybersecurity can be tied to any single component or

238
00:14:52,720 --> 00:14:54,759
group of components inside of the power plant. I'd like

239
00:14:54,799 --> 00:14:57,360
to think of the system itself. I do a lot

240
00:14:57,399 --> 00:15:01,080
of model-based systems engineering at Deloitte as well,

241
00:15:01,240 --> 00:15:06,639
and we don't typically look at each individual component as

242
00:15:06,679 --> 00:15:10,080
being completely autonomous from the process that it's designed to,

243
00:15:11,000 --> 00:15:11,399
you know.

244
00:15:12,039 --> 00:15:12,679
Speaker 4: To operate.

245
00:15:13,279 --> 00:15:15,759
Speaker 1: So it would be the entire system.

246
00:15:16,360 --> 00:15:18,840
I mean, the whole idea of doing a capital improvement

247
00:15:18,919 --> 00:15:22,480
or a capital project is to account for also the

248
00:15:22,600 --> 00:15:26,480
you know, the financial risk you know of doing the

249
00:15:26,519 --> 00:15:29,559
investment or performing the investment on the asset, but also

250
00:15:29,639 --> 00:15:32,600
reducing the you know, proper engineering to reduce the total

251
00:15:32,639 --> 00:15:34,039
cost of ownership.

252
00:15:33,600 --> 00:15:34,360
Speaker 4: Of that asset.

253
00:15:34,759 --> 00:15:39,840
Speaker 1: If cybersecurity isn't tied into those models, it makes

254
00:15:39,879 --> 00:15:42,279
it very difficult to not just bolt on, because it's

255
00:15:42,320 --> 00:15:47,440
being designed without cybersecurity in mind. But like for your example,

256
00:15:47,480 --> 00:15:51,399
a PLC, if a PLC is designed inside of a

257
00:15:52,159 --> 00:15:55,279
power plant, let's just use that as an example, and

258
00:15:55,360 --> 00:15:58,759
there's no cybersecurity maintenance tied to that as part of

259
00:15:58,840 --> 00:16:05,480
the model for financially keeping that asset functioning, uh,

260
00:16:05,799 --> 00:16:08,279
it's going to make it very difficult in the future,

261
00:16:09,320 --> 00:16:13,679
over years, or even an adjustment to a threat or

262
00:16:13,679 --> 00:16:16,399
a risk to find financing for that.

263
00:16:17,200 --> 00:16:19,519
Speaker 4: And then you're running into the patching

264
00:16:19,200 --> 00:16:22,200
Speaker 1: problems, right. You've got to go through design assessments and

265
00:16:22,240 --> 00:16:23,240
everything all over again.

266
00:16:23,399 --> 00:16:25,919
Speaker 4: However, if a device like a

267
00:16:25,879 --> 00:16:28,960
Speaker 1: PLC was engineered and designed in that system knowing that

268
00:16:28,960 --> 00:16:32,120
it had to accommodate a twenty-year life cycle, and

269
00:16:32,240 --> 00:16:35,600
there will be times that there'll have to be

270
00:16:35,759 --> 00:16:41,639
systematic updates and upgrades due to either compliance or regulatory,

271
00:16:41,679 --> 00:16:43,879
which is really difficult to plan for. But you know

272
00:16:43,960 --> 00:16:47,879
for a fact that the equipment itself is probably, uh,

273
00:16:48,559 --> 00:16:51,559
is probably going to be replaced over time. I did

274
00:16:51,759 --> 00:16:56,799
one project for a client regarding a tunnel, and

275
00:16:56,840 --> 00:17:01,000
that was one of their transportation tunnels, and they were

276
00:17:01,279 --> 00:17:05,079
extremely concerned about that because they knew that the technology

277
00:17:06,400 --> 00:17:09,519
was going to improve over time. So as part of

278
00:17:09,519 --> 00:17:12,319
the capital improvement project, it was a fifty-year life

279
00:17:12,319 --> 00:17:19,880
cycle, creating a budget for cybersecurity improvements and functional improvements

280
00:17:19,960 --> 00:17:24,839
over time. Instead of creating another capital project in the future,

281
00:17:24,880 --> 00:17:27,720
it was just built into the maintenance of that capital asset.

282
00:17:28,640 --> 00:17:32,359
Speaker 3: You're saying that we need when there's a capital project,

283
00:17:32,920 --> 00:17:36,839
that's the time, not just you know, lots of people

284
00:17:36,880 --> 00:17:41,000
say you need to build cybersecurity into your stuff beforehand,

285
00:17:41,119 --> 00:17:44,200
not afterwards. It's always more expensive afterwards. What you're saying

286
00:17:44,240 --> 00:17:46,759
sort of in addition is that you have to build

287
00:17:46,920 --> 00:17:52,680
the cybersecurity budget into the capital budget. At least, that's

288
00:17:52,720 --> 00:17:55,079
what I'm hearing. You know, Have I got that right?

289
00:17:55,119 --> 00:17:57,519
And, you know, if I may, you've been working,

290
00:17:58,000 --> 00:18:03,759
you mentioned, with building automation. You know, when

291
00:18:03,759 --> 00:18:09,359
people try to tie the you know, to make that tie.

292
00:18:09,799 --> 00:18:13,200
How's that working in sort of in the parts of

293
00:18:13,240 --> 00:18:14,680
the industry that you're working with.

294
00:18:16,920 --> 00:18:19,160
Speaker 4: Sure, and I do

295
00:18:19,559 --> 00:18:24,640
Speaker 1: work a lot in government, with a lot of government facilities,

296
00:18:24,759 --> 00:18:26,960
those types of things. When it comes to building automation

297
00:18:27,079 --> 00:18:32,920
systems, so HVAC, lighting, even water treatment systems.

298
00:18:33,160 --> 00:18:35,920
Speaker 4: It's clear that cybersecurity

299
00:18:35,160 --> 00:18:37,759
Speaker 1: is an afterthought on these systems. We go

300
00:18:37,880 --> 00:18:44,119
in, uh, there's not a really clear point of

301
00:18:44,200 --> 00:18:47,359
reference for even what assets are on the network, and

302
00:18:47,400 --> 00:18:51,000
we are having to delve into like IT tools just

303
00:18:51,039 --> 00:18:55,000
to determine what physical inventory is out there.

304
00:18:55,839 --> 00:18:59,160
Speaker 4: And again it goes back to the whole IT, data

305
00:18:59,240 --> 00:18:59,839
is the asset.

306
00:19:00,000 --> 00:19:03,160
Speaker 1: It's easier to justify protecting the data because you can

307
00:19:03,200 --> 00:19:05,759
move it if there's a failure. But in OT such

308
00:19:05,759 --> 00:19:11,079
as HVAC systems, refrigeration, those types of systems, a food processing

309
00:19:11,200 --> 00:19:13,720
plant goes down, you're not just losing data, you're

310
00:19:13,759 --> 00:19:15,680
risking the physical assets.

311
00:19:15,279 --> 00:19:17,759
Speaker 4: themselves, spoiled food,

312
00:19:17,599 --> 00:19:22,240
Speaker 1: damaged machinery. Then comes in the challenge that physical operations are

313
00:19:22,279 --> 00:19:26,920
always under pressure to reduce operational expenses, and cybersecurity is seen

314
00:19:26,960 --> 00:19:29,079
as an extra cost rather than an essential part of keeping

315
00:19:29,079 --> 00:19:34,480
that system running safely and being available. Ironically, the way

316
00:19:34,480 --> 00:19:39,599
I feel about it is working in OT versus IT

317
00:19:39,759 --> 00:19:42,400
a lot like how cybersecurity was reviewed in the early

318
00:19:42,440 --> 00:19:45,319
to mid nineteen nineties. We didn't really have cybersecurity budgets

319
00:19:45,359 --> 00:19:51,319
back then. Everybody was just looking at it as operations.

320
00:19:51,359 --> 00:19:54,400
I just need the information and the product was more

321
00:19:54,400 --> 00:19:55,839
important than keeping it secure.

322
00:19:56,279 --> 00:19:59,160
Speaker 4: And I feel like a lot of these

323
00:19:59,000 --> 00:20:03,880
Speaker 1: OT systems, such as building automation, don't really have

324
00:20:03,920 --> 00:20:05,440
the cybersecurity component.

325
00:20:05,079 --> 00:20:05,720
Speaker 4: Added to it.

326
00:20:06,839 --> 00:20:10,599
Speaker 1: If we look at the way they're budgeted and the

327
00:20:10,640 --> 00:20:13,839
way that they're brought online as a capital investment, and

328
00:20:13,880 --> 00:20:18,480
you design in that cybersecurity component to it, whether

329
00:20:18,519 --> 00:20:22,680
it be in contract or through supply chain, you know,

330
00:20:22,920 --> 00:20:23,559
that is.

331
00:20:23,480 --> 00:20:24,599
Speaker 4: What sets the budget.

332
00:20:24,680 --> 00:20:28,559
Speaker 1: That's what gives us the big wins in integrating security

333
00:20:28,640 --> 00:20:33,079
as a core part of operations, particularly in industries where

334
00:20:33,079 --> 00:20:35,880
there's that vague line between where cyber can control or

335
00:20:35,920 --> 00:20:40,160
impact those physical assets. I mentioned the tunnel earlier, that's

336
00:20:40,200 --> 00:20:44,000
a great example. We recently worked on a tunnel maintenance

337
00:20:44,279 --> 00:20:46,960
project. They had to address, they wanted us to address

338
00:20:46,960 --> 00:20:53,200
cybersecurity as a priority. They basically made us cyber physical

339
00:20:53,319 --> 00:20:57,279
commissioning agents. So any type of PLC or logic controller

340
00:20:57,759 --> 00:21:00,920
that was touching an Ethernet network or had some kind

341
00:21:00,960 --> 00:21:05,880
of routable protocol that was creating some sort of function

342
00:21:06,000 --> 00:21:11,880
inside this structure, this infrastructure. They wanted us to look

343
00:21:11,920 --> 00:21:15,519
at that from not only a design perspective, because

344
00:21:15,559 --> 00:21:19,039
knowing what we've seen, the TTPs that are happening today

345
00:21:19,079 --> 00:21:23,000
and in the past, how we can

346
00:21:23,079 --> 00:21:26,319
make those cyber components more modular to where we know

347
00:21:26,359 --> 00:21:30,119
we're going to have to upgrade, say passive network monitoring.

348
00:21:30,240 --> 00:21:33,359
Well maybe we're doing passive network monitoring today, but in

349
00:21:33,400 --> 00:21:35,079
the future.

350
00:21:34,480 --> 00:21:36,000
Speaker 4: We might want to do active monitoring.

351
00:21:36,079 --> 00:21:40,279
Speaker 1: Just using that as an example, just designing those hooks

352
00:21:40,319 --> 00:21:43,920
in to where in the future wouldn't require a massive

353
00:21:43,960 --> 00:21:51,319
heavy lift. It's akin to, you know, having a spare

354
00:21:51,359 --> 00:21:56,880
tire or some sort of designed resiliency built

355
00:21:56,880 --> 00:22:01,839
in for cybersecurity purposes on an operational system.

356
00:22:02,039 --> 00:22:03,920
Speaker 3: So let me chime in here, Nate. This is

357
00:22:03,960 --> 00:22:09,160
sort of my learning curve as I went through the episode,

358
00:22:09,519 --> 00:22:13,119
you know, start with it. One of the points that

359
00:22:13,240 --> 00:22:17,400
Ian made was that almost everything is becoming operational costs

360
00:22:17,440 --> 00:22:21,440
in IT. You know, in years past, you know, twenty

361
00:22:21,519 --> 00:22:23,279
years ago, if I bought a laptop as part of

362
00:22:23,319 --> 00:22:26,640
my small business, I would have to you know, claim

363
00:22:26,640 --> 00:22:28,640
that as a capital expense, and I could only claim

364
00:22:28,680 --> 00:22:30,799
a third of the cost of the laptop every year,

365
00:22:30,839 --> 00:22:32,480
and I had to keep tracking it for three years.

366
00:22:32,559 --> 00:22:34,279
You know, to me it was annoying. But again to

367
00:22:34,319 --> 00:22:39,480
big business, they like capitalizing things. It normalizes their profits.

368
00:22:40,720 --> 00:22:45,240
In the IT space, though, today, you know, increasingly,

369
00:22:45,960 --> 00:22:48,680
in many jurisdictions, if you buy a laptop for fifteen

370
00:22:48,799 --> 00:22:51,799
hundred bucks, you just claim the thing right then and there.

371
00:22:51,839 --> 00:22:56,200
It's not worth capitalizing. It's not big enough to drag

372
00:22:56,240 --> 00:23:00,200
out the accounting over three years. If you buy a

373
00:23:00,319 --> 00:23:03,680
server farm at a cost of fifty million dollars, you

374
00:23:03,720 --> 00:23:06,279
know, you still are going to, and you expect a

375
00:23:06,319 --> 00:23:08,279
life of five years out of the server farm. You're

376
00:23:08,720 --> 00:23:12,240
still expected to capitalize that. The thing is almost nobody

377
00:23:12,240 --> 00:23:15,720
does that anymore. People don't have, you know, a lot

378
00:23:15,759 --> 00:23:18,640
of businesses don't have their own server farms anymore. They're

379
00:23:18,839 --> 00:23:20,960
renting the farms from someone else out of the cloud,

380
00:23:21,240 --> 00:23:24,440
and the rent comes out of the operating budget, not

381
00:23:24,599 --> 00:23:27,960
the capital budget. Because someone else owns the asset. You

382
00:23:28,000 --> 00:23:32,480
can't capitalize somebody else's asset, so you don't have big

383
00:23:32,559 --> 00:23:36,839
capital expenses in IT anymore. And again, you know, when

384
00:23:36,839 --> 00:23:40,440
you apply that principle naively in OT, you wind up

385
00:23:40,680 --> 00:23:44,119
fighting for capital or sorry for operating budget every year,

386
00:23:44,720 --> 00:23:47,880
and you lose sometimes and cybersecurity sort of falls by

387
00:23:47,880 --> 00:23:50,200
the wayside, and we have all these problems, and this

388
00:23:50,240 --> 00:23:54,160
is what we're trying to solve. The insight here is

389
00:23:54,240 --> 00:23:58,079
that what you want to do is associate the cybersecurity

390
00:23:58,119 --> 00:24:01,839
cost with the asset that you're protecting. And the asset

391
00:24:02,000 --> 00:24:06,160
is not the computer. The asset is the generating unit

392
00:24:06,279 --> 00:24:10,279
or the tunnel or you know, a physical asset. And

393
00:24:11,319 --> 00:24:15,519
you know, to me, that's counterintuitive. It's an ongoing expense

394
00:24:15,720 --> 00:24:21,000
every year. Yet it's part of the capital plan, the

395
00:24:21,039 --> 00:24:23,839
capital budget for the asset. Why does that make sense?

396
00:24:25,200 --> 00:24:27,519
And you know, he didn't quite say it in this

397
00:24:27,599 --> 00:24:29,960
many words, but in chatting with him, you know, he

398
00:24:30,039 --> 00:24:33,000
gave the example of a tunnel and maintenance. I mean,

399
00:24:33,039 --> 00:24:36,640
what do you maintain in a tunnel? There's equipment in

400
00:24:36,680 --> 00:24:40,039
a tunnel, you've got to blow in a long tunnel,

401
00:24:40,039 --> 00:24:42,079
you've got to put air down there, or you know,

402
00:24:42,400 --> 00:24:44,200
over time all you're left with is CO2 and

403
00:24:44,240 --> 00:24:46,559
nobody has anything to breathe, especially if you're driving through

404
00:24:46,559 --> 00:24:49,400
the thing. You have to drain water out of there.

405
00:24:49,480 --> 00:24:51,400
If the tunnel is low enough to be below the

406
00:24:51,440 --> 00:24:55,160
water table, you really need strong pumps,

407
00:24:55,400 --> 00:24:57,680
if the tunnel is under a body of water or

408
00:24:57,759 --> 00:24:59,920
under a river. So you've got a lot of equipment

409
00:25:00,039 --> 00:25:03,599
in these tunnels, and what he's saying is that the

410
00:25:03,640 --> 00:25:07,960
cost of maintaining the equipment is part of the capital

411
00:25:08,000 --> 00:25:10,960
budget, and I'm going, really? And he says, yeah. The

412
00:25:11,000 --> 00:25:16,839
reason for that is because the asset, the pumps for

413
00:25:17,240 --> 00:25:21,720
the water, the blowers for the air. The value of

414
00:25:21,759 --> 00:25:27,440
the asset depends on correctly maintaining that equipment. If you

415
00:25:27,480 --> 00:25:30,359
don't maintain the equipment, the value of the asset declines.

416
00:25:30,400 --> 00:25:32,799
You can't use the asset anymore, or the equipment wears

417
00:25:32,799 --> 00:25:34,839
out faster than it's supposed to. It's supposed to last

418
00:25:34,839 --> 00:25:36,720
twenty years, it only lasts four years because you never

419
00:25:36,759 --> 00:25:41,960
maintained it. And so the maintenance cost is an ongoing

420
00:25:42,079 --> 00:25:45,720
cost every year. But it's part of the capital budget

421
00:25:46,559 --> 00:25:48,319
because it's essential to the asset.

422
00:25:48,359 --> 00:25:48,960
Speaker 5: And what he's.

423
00:25:48,839 --> 00:25:52,200
Speaker 3: Saying is that in the modern world, if you want

424
00:25:52,240 --> 00:25:57,960
to protect the automation that controls the equipment that's essential

425
00:25:58,000 --> 00:26:03,480
to your asset, cybersecurity protection should be part of the

426
00:26:03,720 --> 00:26:07,920
asset's budget, not part of your, you know, cut to

427
00:26:07,960 --> 00:26:11,559
the bone operating budget, which was you know, which was

428
00:26:11,640 --> 00:26:13,240
news to me. So this is sort of

429
00:26:13,240 --> 00:26:18,160
the theme going forward. You know, what I'm hearing is

430
00:26:18,160 --> 00:26:25,039
that we need to build cybersecurity ongoing costs into capital plans.

431
00:26:25,960 --> 00:26:29,240
It sounds contradictory, you know, capital sounds like one time

432
00:26:29,319 --> 00:26:33,680
and operational. You know, cybersecurity is ongoing, you know. Is

433
00:26:33,720 --> 00:26:36,359
this new? Is this something that there's

434
00:26:36,480 --> 00:26:39,759
precedent for in the OT space already?

435
00:26:40,519 --> 00:26:40,720
Speaker 4: Oh?

436
00:26:40,880 --> 00:26:44,079
Speaker 1: Absolutely, that's a that's a really good point. I mean,

437
00:26:44,079 --> 00:26:48,119
that most OT systems are designed under capital

438
00:26:48,200 --> 00:26:51,839
to account for operational expense over

439
00:26:51,640 --> 00:26:52,680
Speaker 4: The life of that asset.

440
00:26:52,799 --> 00:26:56,319
Speaker 1: Like let's just use a you know, a contrarian example

441
00:26:56,359 --> 00:26:59,759
of what happened with the Aliquippa OT breach at

442
00:26:59,799 --> 00:27:02,559
the water facility out in Pennsylvania. It's a great example

443
00:27:02,599 --> 00:27:07,680
of, you know, the potential consequences of cybersecurity in

444
00:27:07,720 --> 00:27:11,039
these types of OT environments, these these water treatment plants

445
00:27:12,119 --> 00:27:15,319
and water utilities, if it's not properly integrated into

446
00:27:15,359 --> 00:27:18,920
the long term financial planning and in life cycle management.

447
00:27:19,640 --> 00:27:22,920
Speaker 4: In the case of Aliquippa, remote access was added

448
00:27:22,559 --> 00:27:25,799
Speaker 1: To a PLC, that PLC was exploited, which led to a

449
00:27:25,880 --> 00:27:29,680
breach, and, you know, if we look at this,

450
00:27:30,480 --> 00:27:34,160
you know, it's pretty obvious that there was a

451
00:27:34,200 --> 00:27:38,240
functional upgrade requirement they wanted to be able to remotely

452
00:27:38,319 --> 00:27:42,279
manage this PLC. If

453
00:27:42,279 --> 00:27:45,960
that functional improvement to that capital asset was managed as

454
00:27:46,000 --> 00:27:50,319
a CAPEX project instead of an operational improvement like an

455
00:27:50,359 --> 00:27:55,400
OPEX budget, because it just adds, you know, remote

456
00:27:55,400 --> 00:27:59,079
control or interactive remote access as a day-by-day

457
00:27:59,240 --> 00:28:04,519
function for regular maintenance of information technology systems. But

458
00:28:04,960 --> 00:28:08,680
if it was designed and built into the system from

459
00:28:08,720 --> 00:28:11,759
the very beginning as part of the overall project cost,

460
00:28:12,200 --> 00:28:15,319
the change would have been memorialized in documentation. There would

461
00:28:15,319 --> 00:28:17,440
have been a change to an as-built of the

462
00:28:17,440 --> 00:28:21,519
function of that system. The architecture engineer, the system integrator,

463
00:28:21,759 --> 00:28:24,799
all the people that were involved in the original design

464
00:28:24,839 --> 00:28:27,359
of the system could have included in the initial setup

465
00:28:27,640 --> 00:28:31,640
of the interactive remote access feature that they wanted, a

466
00:28:31,720 --> 00:28:35,160
long term security strategy that embedded that function into the

467
00:28:35,200 --> 00:28:38,839
life cycle of the asset. They could have also modularized

468
00:28:38,880 --> 00:28:43,759
that cybersecurity function for planned replacement as new remote access

469
00:28:43,759 --> 00:28:45,400
protocols came out.

470
00:28:46,000 --> 00:28:48,480
Speaker 4: Finance might also account for that expected

471
00:28:48,079 --> 00:28:50,759
Speaker 1: Life of the asset, and if the cost was too much,

472
00:28:51,519 --> 00:28:54,279
or the risk appetite was low, and say no, this

473
00:28:54,319 --> 00:28:56,279
isn't worth it. At least you'd have some sort of

474
00:28:56,319 --> 00:29:01,960
document that was showing what the cybersecurity expenses over that

475
00:29:02,000 --> 00:29:03,799
asset life cycle was going to be. You could have

476
00:29:03,880 --> 00:29:07,519
accelerated depreciation of that asset. It would have been more

477
00:29:07,519 --> 00:29:11,119
of a financial and a risk management decision versus, hey,

478
00:29:11,160 --> 00:29:16,039
we need to enable interactive remote access on this machine

479
00:29:16,200 --> 00:29:19,039
or on this logic controller. Now it makes it

480
00:29:19,079 --> 00:29:23,039
a lot easier to enforce cybersecurity policies and just general

481
00:29:23,079 --> 00:29:27,440
operations policies and adjust to new standards while maintaining existing

482
00:29:27,920 --> 00:29:30,799
protections without having to worry about annual budget constraints.

483
00:29:31,160 --> 00:29:34,920
Speaker 4: If, say, there's a bridge.

484
00:29:35,160 --> 00:29:37,319
Speaker 1: You want to put more load on it.

485
00:29:38,079 --> 00:29:40,880
There's two ways to do it. You could just overload

486
00:29:40,920 --> 00:29:44,480
the bridge by changing out the weight limit sign, right,

487
00:29:44,880 --> 00:29:49,279
or you obviously have to recreate the structure and reinforce

488
00:29:49,559 --> 00:29:51,960
the base of that structure to carry the additional load.

489
00:29:52,640 --> 00:29:57,000
In operational technologies, it's pretty clear that that's very unsafe, though.

490
00:29:57,359 --> 00:30:00,680
In information technology, it's not, because there's not an intrinsic

491
00:30:00,759 --> 00:30:05,920
tie between the OT system and the context of operations

492
00:30:06,000 --> 00:30:09,680
that that system is operating under, and the physical component.

493
00:30:09,839 --> 00:30:13,359
It's just like, okay, we're just installing interactive remote access here.

494
00:30:13,720 --> 00:30:17,839
Speaker 4: So if a project is budgeted through a capital

495
00:30:17,440 --> 00:30:22,400
Speaker 1: Expense, it's going through like a long term plan of

496
00:30:22,480 --> 00:30:25,839
how long that asset is supposed to last and

497
00:30:25,880 --> 00:30:28,480
how it's supposed to be maintained. It shouldn't be an

498
00:30:28,519 --> 00:30:34,000
OPEX budget where we're adding more IT features to it

499
00:30:34,039 --> 00:30:36,759
without taking into context what that system was supposed to

500
00:30:36,759 --> 00:30:40,440
be used for, and if we're circumventing any of the

501
00:30:40,440 --> 00:30:47,039
controls by adding IT-based cybersecurity and interactive feature sets

502
00:30:47,119 --> 00:30:52,119
to that asset. I feel, Andrew, that's where most

503
00:30:52,160 --> 00:30:55,920
of, you know, my past life I've gone wrong, is

504
00:30:56,319 --> 00:30:59,680
taking the IT approach, which you know, hey, it's a VPN,

505
00:30:59,759 --> 00:31:03,480
it's encrypted, there's nothing wrong. But I'm

506
00:31:03,519 --> 00:31:05,480
not really looking at the operational context.

507
00:31:06,359 --> 00:31:08,960
Speaker 4: That.

508
00:31:08,079 --> 00:31:11,440
Speaker 1: That should be the attention that should be

509
00:31:11,440 --> 00:31:14,440
given to the operational context of the asset that

510
00:31:14,480 --> 00:31:16,000
I'm modifying.

511
00:31:17,000 --> 00:31:18,720
Speaker 4: Does that make sense?

512
00:31:18,759 --> 00:31:23,599
Speaker 1: I guess I'm trying to tie that OPEX

513
00:31:24,200 --> 00:31:27,000
to the CAPEX budget and the asset, the long term asset.

514
00:31:27,200 --> 00:31:29,920
And I've seen this over and over again. It has

515
00:31:30,000 --> 00:31:33,839
been a pattern. Without using too many examples from clients

516
00:31:33,880 --> 00:31:37,440
that I've worked with, but those were most of the problems.

517
00:31:37,440 --> 00:31:42,000
If you're modifying code in a virtual environment,

518
00:31:42,000 --> 00:31:46,599
there's very little physical consequence to that. But when

519
00:31:46,640 --> 00:31:48,920
when you're doing it to an operational asset, it's

520
00:31:49,079 --> 00:31:52,160
a very different set of consequences.

521
00:31:53,519 --> 00:31:58,680
Speaker 3: Let's assume we can get cybersecurity costs for the life

522
00:31:58,680 --> 00:32:02,160
of the asset built into the capital plan for the

523
00:32:02,200 --> 00:32:07,720
improvement whatever it is. You've got those costs built into

524
00:32:08,039 --> 00:32:13,680
the plan up front, how do you manage that financially?

525
00:32:13,720 --> 00:32:16,200
How do you pull money out of

526
00:32:16,240 --> 00:32:20,599
that over time? And what happens if you run

527
00:32:20,640 --> 00:32:24,079
out of the money that you budgeted or you know,

528
00:32:24,599 --> 00:32:27,359
you know, because costs have gone up, or

529
00:32:27,400 --> 00:32:29,799
what, you know, what happens if you use

530
00:32:29,880 --> 00:32:33,319
the physical asset not twenty years, you use it for

531
00:32:33,359 --> 00:32:36,200
thirty years, and you haven't got the number in there

532
00:32:36,240 --> 00:32:39,640
that, you know, you can draw down for it.

533
00:32:39,680 --> 00:32:41,720
Is it like a fixed number that you're drawing down

534
00:32:41,759 --> 00:32:43,640
and you have to guess right with the number or

535
00:32:43,680 --> 00:32:44,440
how does that work?

536
00:32:45,440 --> 00:32:48,839
Speaker 1: Yeah, the maintenance cost, for, you know, I'm

537
00:32:48,839 --> 00:32:53,400
not suggesting they need to be, like, it's all

538
00:32:53,400 --> 00:32:56,720
going to be CAPEX. But if OPEX, yeah, I'm sorry,

539
00:32:56,759 --> 00:33:00,240
it's all going to be CAPEX. Maintenance is going to

540
00:33:00,240 --> 00:33:04,000
be an operational expense over the lifetime of the asset. However,

541
00:33:04,160 --> 00:33:09,119
what I'm advocating for is cybersecurity

542
00:33:09,200 --> 00:33:14,279
being part of the CAPEX plan. So think of designing

543
00:33:14,279 --> 00:33:17,160
any type of physical asset. You're going to have components

544
00:33:17,160 --> 00:33:21,640
that are made to be pulled out and replaced, like conveyor belts.

545
00:33:21,880 --> 00:33:25,720
There's a maintenance plan for that asset. Now what you

546
00:33:25,880 --> 00:33:29,680
just described, there is a problem. It arises when, like

547
00:33:29,720 --> 00:33:33,000
the TCO, the total cost of ownership metric, a financial

548
00:33:33,079 --> 00:33:37,119
metric remains static and doesn't account for either business growth,

549
00:33:37,200 --> 00:33:41,960
added functional demands, you know, asset improvements, those types

550
00:33:42,000 --> 00:33:44,759
of things over time. For instance, it's

551
00:33:44,799 --> 00:33:48,680
the whole overloading the bridge. We wouldn't replace just by

552
00:33:48,880 --> 00:33:50,799
moving the weight limit signs. We'd have to reinforce that

553
00:33:50,799 --> 00:33:53,240
structure itself because it's a

554
00:33:53,279 --> 00:33:58,440
safety issue. Same thing with Aliquippa Water. The

555
00:33:58,480 --> 00:34:03,599
TCO will have to be dynamic when it's

556
00:34:03,720 --> 00:34:07,160
in the operational expense side, it has to adapt to

557
00:34:07,240 --> 00:34:10,840
the evolving functional demands of that asset, including the

558
00:34:10,880 --> 00:34:16,639
cybersecurity threat landscape. But the CAPEX part, the capital expense,

559
00:34:17,320 --> 00:34:21,559
it reduces the operational expense considerably. If you plan for

560
00:34:21,599 --> 00:34:25,920
those systems to be replaced over time, you might have

561
00:34:25,960 --> 00:34:28,840
to accelerate the depreciation of a life cycle or the

562
00:34:29,400 --> 00:34:31,840
acceleration of that asset.

563
00:34:32,639 --> 00:34:35,440
Speaker 4: You know, replace versus fix.

564
00:34:36,840 --> 00:34:42,639
Speaker 1: If you don't build into the model componentry that needs

565
00:34:42,679 --> 00:34:43,880
to be replaced over time.

566
00:34:44,480 --> 00:34:47,119
Speaker 4: So I hear what you're saying.

567
00:34:47,159 --> 00:34:50,119
Speaker 1: I mean, you kind of threw me an interesting one there, like, well,

568
00:34:50,119 --> 00:34:51,239
it has to be dynamic.

569
00:34:51,280 --> 00:34:52,400
Speaker 4: It's not all.

570
00:34:53,000 --> 00:34:55,440
Speaker 1: I just hope I'm being clear that I'm not

571
00:34:55,480 --> 00:35:00,920
advocating for the full operational technology security of an

572
00:35:00,760 --> 00:35:03,480
Speaker 4: OT asset to be fully CAPEX.

573
00:35:03,880 --> 00:35:07,320
Speaker 1: The problem that I've seen is when people, when

574
00:35:07,719 --> 00:35:12,400
asset owners deploy assets without even taking into

575
00:35:12,440 --> 00:35:18,239
account cybersecurity concerns during the development and the financing of

576
00:35:18,280 --> 00:35:19,320
that capital asset.

577
00:35:19,559 --> 00:35:20,199
Speaker 4: Think of it this way.

578
00:35:20,239 --> 00:35:23,760
Speaker 1: It's usually commissioned first, and then we go buy a

579
00:35:24,079 --> 00:35:28,320
product and call it, you know, cybersecurity vendor A, and

580
00:35:28,360 --> 00:35:30,639
we try to force it on top of that

581
00:35:30,719 --> 00:35:35,840
asset. A better approach would be, hey, we

582
00:35:35,880 --> 00:35:38,119
need to bring cybersecurity in on this. Let's look at

583
00:35:38,119 --> 00:35:41,199
the model of the system, figure out where the more

584
00:35:41,239 --> 00:35:46,199
significant risks are, and design the system to account for

585
00:35:46,239 --> 00:35:50,559
cybersecurity over the life span of the asset.

586
00:35:51,039 --> 00:35:51,480
Speaker 4: It does.

587
00:35:51,559 --> 00:35:56,760
Speaker 1: It does create issues because IT doesn't usually think that way. Remember,

588
00:35:56,760 --> 00:36:00,320
they're mostly capital, I mean, they're mostly operational. You know,

589
00:36:00,360 --> 00:36:03,119
if Azure comes out with something tomorrow,

590
00:36:04,360 --> 00:36:07,199
they'll shift over to it. If you make a decision

591
00:36:07,199 --> 00:36:11,559
today with a capital expense, you have to be able

592
00:36:11,559 --> 00:36:14,360
to live with that solution

593
00:36:14,840 --> 00:36:20,119
for a specific period of time, based

594
00:36:20,119 --> 00:36:23,159
on your maintenance budget. Just like,

595
00:36:23,400 --> 00:36:24,000
Speaker 4: You know, if.

596
00:36:25,400 --> 00:36:29,760
Speaker 1: You know, a high-OPEX type component fails

597
00:36:30,239 --> 00:36:32,239
on a truck, you're going to replace

598
00:36:32,280 --> 00:36:34,119
it just to keep the capital asset alive.

599
00:36:34,920 --> 00:36:36,559
Speaker 4: But there's better ways to deal

600
00:36:36,400 --> 00:36:41,400
Speaker 1: With it than just continually raising that operational expense

601
00:36:41,440 --> 00:36:43,880
over time. I hope I'm being clear on that that

602
00:36:43,920 --> 00:36:49,800
I'm not advocating for the entire OT cybersecurity budget to

603
00:36:49,840 --> 00:36:54,159
be one hundred percent in the capital expense or the

604
00:36:54,199 --> 00:36:58,360
capital expense of that asset. It's just OT cyber needs

605
00:36:58,360 --> 00:37:01,800
a place at the table to influence the design of that

606
00:37:01,880 --> 00:37:02,760
OT asset.

607
00:37:05,920 --> 00:37:07,920
Speaker 3: Let me chime in here again. In sort of my

608
00:37:08,119 --> 00:37:13,119
learning curve, there's a difference between a capital expense and

609
00:37:13,199 --> 00:37:16,719
a capital plan. A capital expense is one where you

610
00:37:16,760 --> 00:37:18,840
spend I don't know, three billion dollars over the course

611
00:37:18,880 --> 00:37:22,239
of eight months, and then you reap the benefits of

612
00:37:22,280 --> 00:37:24,679
that over the next thirty years, because you've built a mine,

613
00:37:24,719 --> 00:37:29,639
you've built a power plant, you've built something that's

614
00:37:29,679 --> 00:37:33,800
a capital expense. You spend the money once. A capital

615
00:37:33,920 --> 00:37:40,440
plan is setting money aside in future budgets, in my understanding,

616
00:37:40,480 --> 00:37:45,119
setting money aside in future budgets to deal with that asset.

617
00:37:45,280 --> 00:37:48,800
You've made a capital investment. You can't just spend the

618
00:37:48,840 --> 00:37:50,719
money and expect the thing to run. You've got to

619
00:37:50,760 --> 00:37:52,960
maintain this stuff, you've got to secure it, you've got

620
00:37:53,000 --> 00:37:56,280
to operate it. All of those costs are built into

621
00:37:56,360 --> 00:38:01,199
a plan for the asset, and from time to time

622
00:38:01,320 --> 00:38:04,559
the financial people have to reevaluate that plan. So for example,

623
00:38:04,840 --> 00:38:08,199
let's say, you know, we've just put a solar farm in,

624
00:38:08,880 --> 00:38:13,199
and, you know, we've got, I don't know, lithium batteries

625
00:38:13,199 --> 00:38:15,639
that we're using to store the power for the farm

626
00:38:16,440 --> 00:38:20,320
for you know, overnight use, and these batteries wear out

627
00:38:20,519 --> 00:38:23,000
every I don't know three years and have to be replaced,

628
00:38:23,159 --> 00:38:25,199
and the life of the solar farm is expected to

629
00:38:25,199 --> 00:38:28,559
be twenty years. If the price of lithium batteries

630
00:38:28,599 --> 00:38:33,679
shoots through the roof, the cost of maintaining this asset

631
00:38:34,000 --> 00:38:37,840
has now shot through the roof, the numbers we put

632
00:38:37,880 --> 00:38:39,880
together saying the asset is going to pay for itself

633
00:38:39,880 --> 00:38:44,159
in twenty years don't work anymore. You know,

634
00:38:44,559 --> 00:38:45,960
there may be a point where we say, you know,

635
00:38:46,000 --> 00:38:48,440
we're going to shut this down and you know, wait

636
00:38:48,480 --> 00:38:50,320
for three years and see if the price of lithium

637
00:38:50,320 --> 00:38:52,920
comes back to normal, or you know, we're just going

638
00:38:53,000 --> 00:38:54,480
to shut it down and get rid of it. It's

639
00:38:54,559 --> 00:38:59,800
just, it doesn't work anymore, because you're reevaluating the capital

640
00:39:00,119 --> 00:39:03,880
plan for that asset, and you know, in a sense,

641
00:39:04,400 --> 00:39:05,639
you might have the same thing with.

642
00:39:07,320 --> 00:39:08,079
Speaker 5: Cybersecurity.

643
00:39:08,119 --> 00:39:11,360
Speaker 3: It's not like you've put maintenance money in a bank

644
00:39:11,400 --> 00:39:13,800
account to be drawn down over twenty years. It's not

645
00:39:13,840 --> 00:39:15,960
like you put cybersecurity money in a bank account to

646
00:39:15,960 --> 00:39:18,360
be drawn down over twenty years and you might

647
00:39:18,440 --> 00:39:20,159
run out of money. That's not how it works. It's

648
00:39:20,199 --> 00:39:23,239
part of the capital plan. And if there's a sudden

649
00:39:23,679 --> 00:39:29,039
change or a permanent change in your expenses, for example,

650
00:39:29,360 --> 00:39:32,119
a new regulation comes down that makes cybersecurity for this

651
00:39:32,199 --> 00:39:35,440
asset much much more expensive than it used to be,

652
00:39:35,440 --> 00:39:38,000
so expensive that, you know, the asset was only performing

653
00:39:38,039 --> 00:39:41,039
marginally to begin with, and now we've tipped it over

654
00:39:41,119 --> 00:39:45,079
and it's just not profitable anymore, we might choose to

655
00:39:45,119 --> 00:39:47,840
shut the asset down. That's part of in my understanding,

656
00:39:47,880 --> 00:39:50,880
that's part of the capital plan for the asset that

657
00:39:51,199 --> 00:39:54,559
needs to be reevaluated in light of current conditions. It's

658
00:39:54,639 --> 00:39:57,559
not part of the capital budget. You know, the capital

659
00:39:57,559 --> 00:40:02,599
expense happened when you build the asset, but the plan persists.

660
00:40:02,639 --> 00:40:07,000
That's my limited understanding here of how

661
00:40:07,000 --> 00:40:07,519
this works.

662
00:40:08,760 --> 00:40:11,320
Speaker 2: Andrew, a couple of questions for you. You know, the

663
00:40:11,400 --> 00:40:15,920
more we talk about long term capital plans and twenty

664
00:40:16,000 --> 00:40:26,000
year timelines, and these amortized cybersecurity budgets, are we

665
00:40:26,119 --> 00:40:32,360
then accounting for patching and upgrading legacy systems over these

666
00:40:32,480 --> 00:40:33,559
many-year timelines.

667
00:40:34,880 --> 00:40:37,679
Speaker 3: I did not ask Ian that question, but I think

668
00:40:37,719 --> 00:40:42,079
what springs to mind is patching, you know, legacy systems,

669
00:40:43,000 --> 00:40:46,199
legacy automation, twenty year old automation, because that's how long

670
00:40:46,239 --> 00:40:48,480
the power plant lasts. You know, we put automation in

671
00:40:48,760 --> 00:40:52,119
place for that. The question, you know, question is should

672
00:40:52,159 --> 00:40:56,440
money not have been set aside to upgrade the automation?

673
00:40:58,000 --> 00:41:01,079
And the answer is yes. If you need to upgrade

674
00:41:01,159 --> 00:41:04,239
the automation to reap the benefits out of the asset,

675
00:41:04,320 --> 00:41:07,559
then you have to budget for that. But when we're

676
00:41:07,559 --> 00:41:09,760
talking cybersecurity, I mean, part of the problem, I think

677
00:41:09,840 --> 00:41:12,719
is that it's an afterthought. But you know, even if

678
00:41:12,760 --> 00:41:16,559
you plan upfront and you look at a system and say, well,

679
00:41:16,599 --> 00:41:19,239
I'm going to take it down every five years for

680
00:41:19,559 --> 00:41:24,239
for maintenance, for essential maintenance, and that's the opportunity

681
00:41:24,239 --> 00:41:27,199
to upgrade everything. And, you know, what do I do

682
00:41:27,280 --> 00:41:30,400
in between? Well, there are new vulnerabilities a week after we

683
00:41:30,480 --> 00:41:33,079
turn the asset back on, you know, can we patch

684
00:41:33,119 --> 00:41:38,079
those things? I think that comes down, I'm guessing it

685
00:41:38,119 --> 00:41:40,800
comes down, you know, partly to is it in the plan,

686
00:41:41,079 --> 00:41:44,840
but partly as well, just cost benefit. If you can

687
00:41:44,880 --> 00:41:50,840
put compensating measures in, like strong network segmentation or you know,

688
00:41:51,280 --> 00:41:54,880
device encryption, or if you can put a compensating measure

689
00:41:54,960 --> 00:41:59,880
in that achieves the security objective and is cheaper than

690
00:42:00,239 --> 00:42:03,760
the really expensive patching process because of all the engineering

691
00:42:03,760 --> 00:42:07,360
that's involved, maybe you should use the compensating measures, not

692
00:42:08,199 --> 00:42:11,039
you know, because you have no other choice, but because

693
00:42:11,039 --> 00:42:14,519
you've rationally looked at costs and benefits and said it's

694
00:42:14,599 --> 00:42:17,400
way cheaper to use a compensating measure than it is to

695
00:42:17,480 --> 00:42:20,360
try and keep this, you know, the software up to

696
00:42:20,480 --> 00:42:22,599
date week by week as

697
00:42:22,480 --> 00:42:23,639
Speaker 4: New vulnerabilities right now.

698
00:42:23,719 --> 00:42:27,159
Speaker 3: So that's, again, I didn't ask Ian this, but

699
00:42:27,320 --> 00:42:30,159
you know, applying the principles he's laid out, that's

700
00:42:30,239 --> 00:42:31,360
kind of what makes sense to me.

701
00:42:32,360 --> 00:42:36,039
Speaker 2: And the other question I had, as Mike Tyson says,

702
00:42:37,039 --> 00:42:39,400
everybody has a plan until you get punched in the mouth.

703
00:42:39,760 --> 00:42:43,719
When you have a very long term cybersecurity plan in place,

704
00:42:43,960 --> 00:42:46,239
how do you account for all of the ways in

705
00:42:46,280 --> 00:42:48,960
which your needs are going to change and the threat

706
00:42:49,039 --> 00:42:51,039
landscape out there is going to change.

707
00:42:51,480 --> 00:42:53,239
Speaker 3: And that's a good question. And I think that's the

708
00:42:53,280 --> 00:42:56,400
difference between sort of a capital expense and a capital

709
00:42:56,559 --> 00:43:01,079
or an asset plan. You know, an expense happens one time.

710
00:43:01,199 --> 00:43:04,199
The plan is something that lives for the life of

711
00:43:04,239 --> 00:43:08,480
the asset, and as conditions change, you know, the cost

712
00:43:08,480 --> 00:43:12,519
of lithium changes, the threat environment changes, the plan might

713
00:43:12,559 --> 00:43:15,840
have to be reevaluated. Regulations change, you might have to

714
00:43:15,880 --> 00:43:20,800
reevaluate your plan. But you know, that's sort of part

715
00:43:20,840 --> 00:43:23,360
of the answer. A second part of the answer is

716
00:43:24,000 --> 00:43:29,519
engineers tend to be heavily involved in asset plans because

717
00:43:29,519 --> 00:43:32,400
they're designing the asset and they're the ones that have

718
00:43:32,440 --> 00:43:36,719
to design the asset to deliver the value over a

719
00:43:36,760 --> 00:43:41,000
ten twenty thirty year period, and so engineers are heavily involved.

720
00:43:41,360 --> 00:43:44,960
And this is I think why the engineering community that

721
00:43:45,320 --> 00:43:48,360
I see a majority of them, it's not universal, but

722
00:43:48,400 --> 00:43:51,760
a majority of them are really embracing cyber informed engineering

723
00:43:52,480 --> 00:43:55,159
because this is an upfront process that shows them how

724
00:43:55,199 --> 00:43:59,760
to subtly change their designs upfront in ways to just

725
00:44:00,079 --> 00:44:04,039
take certain entire classes of risks off the table. You know,

726
00:44:05,519 --> 00:44:09,199
the threat of a cyber attack causing a massive boiler

727
00:44:09,239 --> 00:44:11,480
to blow up in your face. You can take that

728
00:44:11,559 --> 00:44:14,360
off the table with a mechanical over pressure relief valve.

729
00:44:14,760 --> 00:44:16,599
You can take other kinds of threats off the table

730
00:44:16,639 --> 00:44:18,920
by subtly changing the design of your network, or the

731
00:44:18,960 --> 00:44:22,480
design of your automation, and these changes in a sense

732
00:44:22,599 --> 00:44:25,920
are permanent. They take those classes of threat off the

733
00:44:26,000 --> 00:44:30,880
table permanently, and so that simplifies long term planning. So

734
00:44:31,679 --> 00:44:36,079
you know, they're embracing CIE and you know, the asset

735
00:44:36,239 --> 00:44:39,440
plan is something that's reevaluated periodically over the life of

736
00:44:39,480 --> 00:44:43,360
the asset, and you know, new conditions about the cost

737
00:44:43,360 --> 00:44:46,519
of maintenance, the cost of security, the need for security,

738
00:44:47,239 --> 00:44:50,199
you know, the cost of insurance. All of these conditions

739
00:44:50,320 --> 00:44:55,280
are built into the periodic re evaluations of the asset plan.

740
00:44:55,400 --> 00:44:58,360
You don't have to get it perfectly right. Twenty years

741
00:44:58,360 --> 00:45:03,559
in advance. We've had lots of guests on the show

742
00:45:03,599 --> 00:45:07,199
over the course of one hundred episodes talking about, you know,

743
00:45:08,159 --> 00:45:15,280
building cybersecurity into technical plans for the management of automation assets.

744
00:45:15,760 --> 00:45:19,480
What I'm hearing you say is that you know it's

745
00:45:19,480 --> 00:45:23,719
not one number, it's not one time, it's that cybersecurity

746
00:45:23,840 --> 00:45:27,519
budgeting, is what I'm hearing, needs

747
00:45:27,559 --> 00:45:32,039
to be part of the ongoing budgeting and capital and

748
00:45:32,199 --> 00:45:38,159
asset management process that you know large organizations have. Is

749
00:45:38,199 --> 00:45:38,800
that what you're saying?

750
00:45:38,639 --> 00:45:42,559
Speaker 1: Well, that is the intent of asset management

751
00:45:42,639 --> 00:45:46,440
in an operational construct, right? I mean, it's about

752
00:45:46,480 --> 00:45:51,039
influencing the budget or influencing the books on inventory that

753
00:45:51,119 --> 00:45:54,440
you have on the shelf. That's where really good asset

754
00:45:54,480 --> 00:45:56,280
management and forecasting come into play.

755
00:45:56,920 --> 00:45:57,960
Speaker 4: Even from an OT.

756
00:45:58,000 --> 00:46:00,960
Speaker 1: Or a cyber perspective, it just feels like there's

757
00:46:01,000 --> 00:46:04,000
a disconnect there because of the financing method and the

758
00:46:04,000 --> 00:46:09,719
way that things are operating with cloud and virtual

759
00:46:09,760 --> 00:46:15,639
software that's not operating inside of a data center anymore.

760
00:46:16,320 --> 00:46:18,480
We need to be realistic about how long these assets

761
00:46:18,519 --> 00:46:20,639
will last and how much it will cost to maintain

762
00:46:20,679 --> 00:46:23,719
their security. A really good parallel can be drawn from

763
00:46:23,760 --> 00:46:25,840
the history of the maritime insurance industry and the

764
00:46:26,519 --> 00:46:30,880
shipping industry. I've been working with the MTS-ISAC lately,

765
00:46:30,920 --> 00:46:33,480
so I got a really good crash course on how

766
00:46:33,519 --> 00:46:38,199
the shipping industry works. Vessels are classified based on build quality and

767
00:46:39,079 --> 00:46:43,360
ongoing maintenance, which directly impacts their insurance premiums. Actually, it's

768
00:46:43,360 --> 00:46:45,199
one of the oldest. I think it was one of

769
00:46:45,199 --> 00:46:49,480
the first insurance companies that came into existence

770
00:46:49,559 --> 00:46:53,280
was maritime. So, for instance, ships that receive a

771
00:46:53,400 --> 00:46:57,480
high classification rating from a society that classifies.

772
00:46:58,119 --> 00:46:59,400
Speaker 4: The building rating.

773
00:46:59,559 --> 00:47:03,920
Speaker 1: Given a rating from Lloyd's of London, it indicates

774
00:47:03,920 --> 00:47:08,000
a vessel's very high quality construction, well maintained. Also,

775
00:47:08,079 --> 00:47:15,400
from MTS-ISAC, they're even tying cybersecurity rating systems into vessels,

776
00:47:15,400 --> 00:47:19,280
which I thought was fascinating. At the last MTS-ISAC

777
00:47:19,360 --> 00:47:23,760
I went to, this actually is built just to

778
00:47:24,079 --> 00:47:28,559
lower or maintain or just put some sort of a

779
00:47:28,679 --> 00:47:32,599
marker on what the expected insurance premium will be, because

780
00:47:33,519 --> 00:47:37,320
the higher that rating, the lower the insurance premium would be. Conversely,

781
00:47:37,320 --> 00:47:40,199
the ships with lower classification ratings from those societies

782
00:47:40,960 --> 00:47:43,199
or those that fail to maintain their rating will have

783
00:47:43,280 --> 00:47:47,960
higher premiums or they'll be considered out of class, which

784
00:47:48,000 --> 00:47:49,119
is uninsurable.

785
00:47:49,679 --> 00:47:51,039
Speaker 4: So the same principle if it.

786
00:47:51,039 --> 00:47:53,960
Speaker 1: Would apply to OT cyber if the asset outlives its

787
00:47:53,960 --> 00:47:58,440
original budgeted timeline, or a cybersecurity cost increases due to

788
00:47:58,480 --> 00:48:03,480
the threat or regulatory, you know, landscape. The organization should

789
00:48:03,519 --> 00:48:06,760
have that process in place to reevaluate that cybersecurity posture,

790
00:48:06,840 --> 00:48:10,400
much much like how the ship's classification ratings would be

791
00:48:10,800 --> 00:48:14,519
reassessed over time. If this asset loses its high rating

792
00:48:14,760 --> 00:48:18,599
because of neglected security or added features that were tacked

793
00:48:18,599 --> 00:48:21,360
onto it, you know, bolted on over time, the organization

794
00:48:21,519 --> 00:48:24,039
would face increased risk and

795
00:48:23,960 --> 00:48:25,440
Speaker 4: Higher cost re maintaining.

796
00:48:25,840 --> 00:48:30,199
Speaker 1: And, I'm sorry, for mitigating those risks and not

797
00:48:30,760 --> 00:48:31,920
maintaining that asset.

798
00:48:32,599 --> 00:48:34,880
Speaker 3: Can I ask you an open question? You know you've

799
00:48:34,880 --> 00:48:37,840
been doing this for a while. What else should we know?

800
00:48:37,920 --> 00:48:37,960
Speaker 4: What?

801
00:48:38,199 --> 00:48:43,280
Speaker 3: What am I not smart enough to ask you about here? Oh,

802
00:48:43,559 --> 00:48:45,679
Speaker 4: You know the hard part.

803
00:48:45,920 --> 00:48:49,159
Speaker 1: I think Waterfall, I go far back with

804
00:48:49,199 --> 00:48:54,480
you guys in prior lives working in power, and I

805
00:48:54,559 --> 00:48:59,000
did like the approach with the data diodes and things.

806
00:48:59,480 --> 00:49:03,239
One thing that opened my eyes working with Waterfall

807
00:49:03,360 --> 00:49:08,480
on other projects in my prior lives with utilities in

808
00:49:08,519 --> 00:49:13,639
and industry is the importance of the collaboration between an

809
00:49:13,679 --> 00:49:17,119
IT leader and those operations people that are in

810
00:49:17,199 --> 00:49:21,199
the field working on things, and including that finance team.

811
00:49:21,679 --> 00:49:27,800
I think having that cybersecurity built into CapEx, it's not easy.

812
00:49:27,960 --> 00:49:30,159
It's a hard thing to describe. I think we've done

813
00:49:30,800 --> 00:49:34,159
a pretty horrible job at trying to describe it here today.

814
00:49:34,480 --> 00:49:37,159
But it does require clear communications about the risks,

815
00:49:37,199 --> 00:49:42,239
benefits, long term cost savings, and I do feel like

816
00:49:42,599 --> 00:49:48,639
if we can explore this deeper, I hear a lot

817
00:49:48,679 --> 00:49:49,920
of the leaders,

818
00:49:49,559 --> 00:49:51,119
Speaker 4: business leaders, saying the same thing.

819
00:49:52,199 --> 00:49:56,840
Speaker 1: There's this disconnect between what's valuable in IT cybersecurity, those

820
00:49:56,880 --> 00:50:01,119
metrics, those KPIs, you know, the number of vulnerabilities

821
00:50:01,719 --> 00:50:04,360
that we're searching for, or a number of threats that

822
00:50:04,400 --> 00:50:09,679
were thwarted, and it's disconnected from like actual production or

823
00:50:09,800 --> 00:50:14,039
you know, just just maintaining that business relevance with cybersecurity.

824
00:50:14,840 --> 00:50:17,639
Speaker 4: I feel like cybersecurity just.

825
00:50:17,639 --> 00:50:22,880
Speaker 1: In general is more like quality and engineering. The longer

826
00:50:23,199 --> 00:50:26,320
I've been in the industry, the more I'm finding myself

827
00:50:26,360 --> 00:50:31,719
focusing more on how to articulate the problem in financial

828
00:50:31,960 --> 00:50:35,440
terms and using historical references to tie all this stuff together.

829
00:50:36,320 --> 00:50:40,440
It's not really about the whiz bang, latest and greatest

830
00:50:40,599 --> 00:50:46,079
vulnerability or attack. While those are sensationalized, it's really about

831
00:50:46,079 --> 00:50:49,639
how do we sustain and how do we adapt, And

832
00:50:50,280 --> 00:50:55,280
as a cybersecurity practice, and specifically in operational technology and

833
00:50:55,320 --> 00:51:00,400
not even specifically just in cybersecurity in general. How we

834
00:51:00,440 --> 00:51:03,639
can look at this differently and how we can describe

835
00:51:03,679 --> 00:51:08,519
it differently to get the attention that the asset deserves,

836
00:51:08,599 --> 00:51:11,760
and our profession how we can make things better. So

837
00:51:13,360 --> 00:51:16,079
I don't know if that answered your question, but this

838
00:51:16,159 --> 00:51:19,559
has been something really top of mind for me for

839
00:51:19,599 --> 00:51:23,840
a while. I wish I could tell you all

840
00:51:23,880 --> 00:51:26,519
the things that I'm involved in that we actually do

841
00:51:26,639 --> 00:51:30,199
here at Deloitte, but the ones that I did bring

842
00:51:30,280 --> 00:51:33,079
up during this call were published in either the Wall

843
00:51:33,079 --> 00:51:38,480
Street Journal or other places; they got some national

843
00:51:38,519 --> 00:51:43,000
attention, put in for some awards. So it's just kind

844
00:51:43,000 --> 00:51:45,599
of, I'm just hoping that we can challenge everybody

846
00:51:45,599 --> 00:51:48,039
here to think a little bit differently about the cybersecurity

847
00:51:48,079 --> 00:51:52,559
problem and how cybersecurity as a practice

848
00:51:52,599 --> 00:51:55,159
can address some of the problems in

849
00:51:55,199 --> 00:51:57,039
our industries that we serve.

850
00:51:58,360 --> 00:52:01,280
Speaker 3: Before I let you go, can you, you know,

851
00:52:02,079 --> 00:52:04,360
take us through the highlights? What are the key

852
00:52:04,400 --> 00:52:07,360
takeaways from, you know, our discussion here?

853
00:52:08,119 --> 00:52:11,119
Speaker 1: Yeah, sure, Andrew, you know the key takeaways that I

854
00:52:11,119 --> 00:52:15,239
have, just three, really. One: OT cybersecurity is fundamentally

855
00:52:15,280 --> 00:52:18,880
different from IT, mainly because it deals with those physical

856
00:52:18,920 --> 00:52:21,119
assets that can't be moved to the cloud, can't be

857
00:52:21,159 --> 00:52:22,360
replaced easily.

858
00:52:23,639 --> 00:52:24,159
Speaker 4: Or shifted.

859
00:52:25,599 --> 00:52:28,639
Speaker 1: The second one is budgeting for OT cybersecurity shouldn't be

860
00:52:28,639 --> 00:52:33,440
an afterthought for a capital project. Trying to integrate it

861
00:52:33,679 --> 00:52:36,400
into the life of the physical asset, I

862
00:52:36,400 --> 00:52:40,239
think is key. That's what's going to keep you budgeted

863
00:52:40,719 --> 00:52:43,719
over the life of that asset. And the third try

864
00:52:43,760 --> 00:52:47,920
to seek out collaboration across IT, not just inside,

865
00:52:48,320 --> 00:52:50,800
you know, the IT circles, but also the operations people

866
00:52:50,800 --> 00:52:54,800
that are designing e NA firms and include finance. So

867
00:52:54,880 --> 00:52:57,960
I think that's CFOs. I think that's really essential for

868
00:52:58,000 --> 00:53:02,119
the long term success of of a cybersecurity program. You

869
00:53:02,199 --> 00:53:05,239
have to have a resourcing plan. That resourcing usually starts

870
00:53:05,239 --> 00:53:10,400
at finance. It's how everything gets maintained over time.

871
00:53:10,920 --> 00:53:13,599
And if you're struggling to secure that funding for those

872
00:53:13,920 --> 00:53:15,920
cyber, don't

873
00:53:15,639 --> 00:53:17,320
Speaker 4: fight for OpEx every year.

874
00:53:17,480 --> 00:53:20,719
Speaker 1: Try to design that

875
00:53:20,800 --> 00:53:26,199
cyber maintenance into modules for those capital projects.

876
00:53:26,280 --> 00:53:28,760
From the start, it's really a smarter way to secure

877
00:53:28,760 --> 00:53:31,800
your operations and a safer way to fund your ongoing

878
00:53:31,800 --> 00:53:34,639
maintenance of a physical operational asset over the life or

879
00:53:34,840 --> 00:53:36,360
over its operational life cycle.

880
00:53:39,320 --> 00:53:41,679
Speaker 2: Andrew, that was your interview with Ian Fleming. Do you

881
00:53:41,719 --> 00:53:44,159
have any final words to take us out with today.

882
00:53:44,679 --> 00:53:47,400
Speaker 3: Yeah, I mean, I learned something here about sort

883
00:53:47,400 --> 00:53:50,239
of financing for big business. You know, I learned that

884
00:53:50,440 --> 00:53:55,280
that accounting for big capital expenses, accounting for those expenses

885
00:53:55,320 --> 00:53:57,559
over time is actually a benefit; it stabilizes your profits.

886
00:53:57,599 --> 00:54:01,719
your profits. And I learned that, you know, large assets

887
00:54:01,719 --> 00:54:06,679
tend to have a capital plan that associates critical recurring

888
00:54:06,719 --> 00:54:11,519
expenses like maintenance and insurance and cybersecurity, you know, couples

889
00:54:11,559 --> 00:54:14,440
those expenses to the asset, so you don't have to

890
00:54:14,519 --> 00:54:18,519
fight for those allocations every year. You know, you either

891
00:54:18,840 --> 00:54:21,320
spend the money or you retire the asset. They're part

892
00:54:21,400 --> 00:54:24,360
of the asset. I also learned that, you know, you

893
00:54:24,480 --> 00:54:27,159
kind of have to speak the financial language to make

894
00:54:27,199 --> 00:54:29,159
this happen. You've got to be able to communicate with

895
00:54:29,199 --> 00:54:32,039
the people who manage the budgets. You've got to be

896
00:54:32,079 --> 00:54:36,480
able to talk about assets and depreciation and management and maintenance,

897
00:54:37,280 --> 00:54:42,079
you know, use that language to work cybersecurity into that equation.

898
00:54:44,159 --> 00:54:47,480
And you know, the lesson is if you can

899
00:54:47,559 --> 00:54:51,199
get cybersecurity into the asset plan, then you know you're

900
00:54:51,239 --> 00:54:54,039
going to have an easier time of managing cybersecurity and

901
00:54:54,360 --> 00:55:00,440
other sort of essential operational outlays for that asset

902
00:55:00,760 --> 00:55:04,440
over the life of the asset. And Ian didn't mention it,

903
00:55:04,920 --> 00:55:07,400
but he's on LinkedIn. You know, he has a lot

904
00:55:07,400 --> 00:55:09,679
of papers on this topic, and you know he does

905
00:55:09,719 --> 00:55:11,880
more general cybersecurity stuff. This is just a piece of

906
00:55:11,880 --> 00:55:13,800
what he does. He's got papers on that other stuff.

907
00:55:14,719 --> 00:55:17,440
If you're interested in digging deeper on these or other

908
00:55:17,320 --> 00:55:19,840
Speaker 3: sort of cybersecurity topics, there's a whole OT section at

909
00:55:19,880 --> 00:55:23,000
the Deloitte website, and you can just connect with Ian Fleming

910
00:55:23,320 --> 00:55:26,800
on LinkedIn at Deloitte and he'll be happy to point

911
00:55:26,840 --> 00:55:30,400
you to his you know, his writing and you know,

912
00:55:30,519 --> 00:55:31,960
help you dig deeper into the topic.

913
00:55:32,880 --> 00:55:35,039
Speaker 2: Well, thanks to Ian for speaking with you, Andrew. And

914
00:55:35,039 --> 00:55:37,199
Andrew, as always, thank you for speaking with me.

915
00:55:37,960 --> 00:55:39,360
Speaker 3: It's always a pleasure. Thank you, Nate.

916
00:55:39,960 --> 00:55:43,519
Speaker 2: This has been the Industrial Security podcast from Waterfall. Thanks

917
00:55:43,519 --> 00:55:49,159
to everyone out there listening.

