1
00:00:04,080 --> 00:00:07,599
Speaker 1: That's really the key is understanding your assets gives you

2
00:00:07,639 --> 00:00:10,039
the ability to understand your attack surface.

3
00:00:14,119 --> 00:00:18,239
Speaker 2: Welcome listeners to the Industrial Security Podcast. My name is

4
00:00:18,320 --> 00:00:21,559
Nate Nelson. I'm here with Andrew Ginter, the vice president

5
00:00:21,640 --> 00:00:25,679
of Industrial Security at Waterfall Security Solutions. He's going to

6
00:00:25,760 --> 00:00:28,879
introduce the subject and guest of our show today. Andrew,

7
00:00:29,160 --> 00:00:29,640
how's it going.

8
00:00:30,120 --> 00:00:32,520
Speaker 3: I'm very well, Thank you, Nate. Our guest today is

9
00:00:32,600 --> 00:00:36,439
Brian Derico. He is the founder of Trident Cyber Partners,

10
00:00:36,960 --> 00:00:40,719
and he's going to be talking about using asset inventory tools.

11
00:00:40,719 --> 00:00:42,799
I mean, we've had a lot of people on vendors

12
00:00:42,799 --> 00:00:46,640
mostly talking about what's available, how it works. He's going to,

13
00:00:46,840 --> 00:00:48,359
you know, look at the problem from the point of

14
00:00:48,439 --> 00:00:50,960
view of the user using these tools, and you know

15
00:00:51,039 --> 00:00:52,960
why using these tools turns out to be a little

16
00:00:52,960 --> 00:00:54,039
harder than you might expect.

17
00:00:54,640 --> 00:00:59,159
Speaker 2: Then, without further ado, here's your conversation with Brian Derico.

18
00:01:01,880 --> 00:01:05,599
Speaker 3: Hello Brian, and welcome to the podcast. Before we get started,

19
00:01:05,640 --> 00:01:07,959
can I ask you to say a few words of introduction,

20
00:01:08,000 --> 00:01:09,959
tell us a little bit about yourself and about the

21
00:01:10,000 --> 00:01:12,840
good work that you're doing at Trident Cyber Partners.

22
00:01:13,200 --> 00:01:17,760
Speaker 1: Good morning, Andrew. Brian Derico, been in the critical

23
00:01:17,760 --> 00:01:22,159
infrastructure sector for about fifteen years. Spent my entire career

24
00:01:22,159 --> 00:01:26,159
at a large utility solely focused on the cybersecurity requirements

25
00:01:26,200 --> 00:01:30,280
for nuclear power plants, and my last role there was

26
00:01:30,319 --> 00:01:34,239
actually was the program manager responsible for the entire cyber

27
00:01:34,280 --> 00:01:38,120
program across the fleet, again all really dealing with OT

28
00:01:38,359 --> 00:01:43,799
type stuff and regulatory requirements. I left in October, started

29
00:01:43,799 --> 00:01:46,560
my own business, Trident Cyber Partners, and mainly aim

30
00:01:46,680 --> 00:01:50,719
to help other critical infrastructure sectors with their cyber problems.

31
00:01:51,359 --> 00:01:56,040
Speaker 3: Thanks for that, And our topic eventually is going to

32
00:01:56,079 --> 00:02:00,400
be asset inventory. But you know, let me ask you.

33
00:02:00,400 --> 00:02:04,439
You've spent a lot of time working at nuclear You've worked,

34
00:02:04,640 --> 00:02:08,960
you know, in very old plants in you know, you've

35
00:02:09,479 --> 00:02:12,319
done some work recently with very modern plants. Can you

36
00:02:12,400 --> 00:02:16,240
talk about, you know, in terms of automation, what's the

37
00:02:16,319 --> 00:02:20,360
difference between sort of very old automation and very new

38
00:02:20,400 --> 00:02:22,240
automation that you've been exposed to.

39
00:02:23,400 --> 00:02:25,960
Speaker 1: Yeah, so there's there's a lot of similarities. Right at

40
00:02:26,000 --> 00:02:27,840
the end of the day, whether it's a new plant

41
00:02:27,919 --> 00:02:30,639
or an old plant, it is still a nuclear power plant.

42
00:02:30,759 --> 00:02:34,400
So there is a nuclear reaction that is heating some water.

43
00:02:34,680 --> 00:02:37,759
That water is heating some other water, and a secondary

44
00:02:37,800 --> 00:02:41,240
loop that is flashing to steam, spinning a turbine, making electricity.

45
00:02:41,719 --> 00:02:45,280
So that is nuclear power one oh one. It doesn't

46
00:02:45,319 --> 00:02:47,599
matter how new or old the plant is. They've all

47
00:02:47,759 --> 00:02:50,719
generally worked that way for a long, long period of time.

48
00:02:51,319 --> 00:02:54,159
To your point, what you do see is the amount

49
00:02:54,199 --> 00:02:58,680
of digital assets in those plants is drastically different from

50
00:02:58,680 --> 00:03:01,919
new to old. So in my previous role, I had

51
00:03:01,960 --> 00:03:04,840
done some industry benchmarks to try and figure out what

52
00:03:05,000 --> 00:03:08,280
is sort of the average number of you know, digital

53
00:03:08,319 --> 00:03:11,120
devices that are in a plant, and it came in

54
00:03:11,199 --> 00:03:15,479
around seventeen or eighteen hundred per unit. These new plants

55
00:03:15,479 --> 00:03:19,400
that they're building, they're an order of magnitude larger than that.

56
00:03:19,479 --> 00:03:22,919
There are you know, potentially ten thousand devices on a

57
00:03:22,960 --> 00:03:27,520
single unit because everything is digital. You know, I don't

58
00:03:27,560 --> 00:03:30,000
know how many people have had an opportunity to tour

59
00:03:30,080 --> 00:03:33,400
a nuclear plant. I would certainly advise if you have

60
00:03:33,479 --> 00:03:36,360
that opportunity, is a really really cool thing to see.

61
00:03:36,680 --> 00:03:40,599
And most plants are all analog. There is a lot

62
00:03:40,599 --> 00:03:43,960
of analog equipment, a lot of analog indication, and the

63
00:03:44,000 --> 00:03:48,000
new plants that's not that case anymore. So trying to

64
00:03:48,199 --> 00:03:51,800
keep track of all of your digital devices becomes a

65
00:03:52,000 --> 00:03:56,199
very important and critical problem. For example, you know, and

66
00:03:56,319 --> 00:03:58,599
some of the older plants that we worked in, you know,

67
00:03:58,639 --> 00:04:01,240
as you're going through getting asset inventory, you open

68
00:04:01,319 --> 00:04:03,680
up a cabinet, you kind of look for what is digital?

69
00:04:03,759 --> 00:04:05,639
What are the blinky lights? And you know, you go

70
00:04:05,759 --> 00:04:07,759
through and that is generally a manual way that we

71
00:04:07,840 --> 00:04:10,759
did a lot of asset inventory. These newer plants, you

72
00:04:10,840 --> 00:04:14,879
open the racks and everything inside is digital. Everything inside

73
00:04:14,879 --> 00:04:18,439
could be considered, you know, an attack pathway, and you know,

74
00:04:18,480 --> 00:04:21,839
there were some discussions and there's some thought process out

75
00:04:21,879 --> 00:04:26,120
there that essentially calling locations critical is going to be

76
00:04:26,160 --> 00:04:29,199
an easier way to do it, because saying this entire rack,

77
00:04:29,319 --> 00:04:30,879
no matter what's in it, is going to be a

78
00:04:30,879 --> 00:04:34,120
critical digital component, is an easier way than trying to

79
00:04:34,240 --> 00:04:37,720
label an inventory all fifty or sixty devices. So that

80
00:04:37,879 --> 00:04:41,360
was a thought process that was considered. But again, at

81
00:04:41,399 --> 00:04:43,839
the end of the day, every device was considered on

82
00:04:43,839 --> 00:04:45,639
a case by case basis. But it kind of gives

83
00:04:45,680 --> 00:04:49,199
you an idea of just the scale of how much

84
00:04:49,319 --> 00:04:52,439
digital equipment there are in newer plants nowadays.

85
00:04:55,920 --> 00:04:59,279
Speaker 2: Andrew, I'm glad we're getting the opportunity to talk about

86
00:04:59,519 --> 00:05:05,120
nuclear because it seems like a pretty relevant and highly

87
00:05:05,160 --> 00:05:09,639
important field, and yet it never seems like we get

88
00:05:09,759 --> 00:05:12,000
a guest on who wants to talk about it. So

89
00:05:12,480 --> 00:05:16,920
where does nuclear stand in the panoply that is industrial security?

90
00:05:17,759 --> 00:05:18,319
For you?

91
00:05:19,120 --> 00:05:21,360
Speaker 3: We're going to be talking mostly about asset inventory, but

92
00:05:21,480 --> 00:05:23,439
let's talk about nuclear for a while. I mean, you know,

93
00:05:23,480 --> 00:05:26,319
Brian said a few words, you know, in a sense

94
00:05:26,319 --> 00:05:29,240
he's lived a lot of this stuff, you know, without

95
00:05:29,279 --> 00:05:34,680
even knowing how unusual it is. Nuclear is an extreme.

96
00:05:35,399 --> 00:05:38,319
You know, when we talk about worst case consequences of compromise,

97
00:05:38,399 --> 00:05:40,639
what's the worst case The worst thing that can happen

98
00:05:40,680 --> 00:05:45,879
in a coal-fired power plant? A boiler blows, people die. Okay,

99
00:05:45,959 --> 00:05:48,399
what's the worst thing that can happen in a nuke?

100
00:05:49,639 --> 00:05:54,439
The nuclear core explodes, you know, Chernobyl and hundreds of

101
00:05:54,439 --> 00:05:59,600
square kilometers become unlivable for centuries. Oh that's very bad.

102
00:06:01,319 --> 00:06:04,279
So you know, the consequences drive the intensity of your

103
00:06:04,319 --> 00:06:07,439
security program. And nukes are an extreme. I mean, the

104
00:06:07,439 --> 00:06:10,920
only thing I can imagine that's possibly more sensitive than

105
00:06:11,000 --> 00:06:14,720
nukes is, I don't know, nuclear weapons targeting systems and, you know,

106
00:06:14,839 --> 00:06:19,000
launch launch protocols. It's just it's that extreme. You know,

107
00:06:19,000 --> 00:06:21,600
what does that mean for cybersecurity. Well, you know, let's

108
00:06:21,600 --> 00:06:24,480
start with physical security. In different parts of the world,

109
00:06:24,480 --> 00:06:26,319
there's different rules. In a lot of the world, you

110
00:06:26,360 --> 00:06:29,160
need a security clearance to visit the site. You know,

111
00:06:29,319 --> 00:06:31,680
in North America you can get tours of the site.

112
00:06:33,160 --> 00:06:35,199
But you know, in a lot of places, you you're

113
00:06:35,519 --> 00:06:37,360
a lot of stuff is classified. I don't have a

114
00:06:37,360 --> 00:06:42,480
security clearance. I've never seen network diagrams for a nuclear site.

115
00:06:42,519 --> 00:06:45,040
I'm guessing a bunch of this stuff is classified. It's

116
00:06:45,399 --> 00:06:48,279
you know, it's national secrets. It's it's it's that intense.

117
00:06:49,759 --> 00:06:53,600
On the cybersecurity side, again, I talk to people, uh,

118
00:06:53,759 --> 00:06:58,920
you know, we we serve nuclear customers at Waterfall, and

119
00:06:59,480 --> 00:07:03,240
you know, they do things that seem, again, seem extreme.

120
00:07:04,680 --> 00:07:07,560
They might have all of their OT systems in one

121
00:07:07,639 --> 00:07:11,079
room in one building, and all of their IT systems,

122
00:07:11,160 --> 00:07:13,920
all our IT servers, email servers and whatnot. They do

123
00:07:13,959 --> 00:07:16,720
have IT networks. You know, in nuclear plants you need

124
00:07:16,800 --> 00:07:19,160
to you need to schedule work crews, You've got to

125
00:07:19,199 --> 00:07:22,879
pay your people. So they have IT networks and all

126
00:07:22,879 --> 00:07:24,839
of the IT servers are in a different room, in

127
00:07:24,879 --> 00:07:30,839
a different building. Why. Because they cannot afford someone any

128
00:07:31,079 --> 00:07:34,399
time someday to make a mistake and plug a cable

129
00:07:34,639 --> 00:07:37,720
from an IT network into an OT asset. That's completely

130
00:07:37,839 --> 00:07:42,000
unacceptable cybersecurity wise, And so they physically separate it so

131
00:07:42,079 --> 00:07:44,639
that as much as possible, they make these kinds of

132
00:07:44,879 --> 00:07:48,759
errors impossible. You can't do it, you can't plug the

133
00:07:48,759 --> 00:07:52,759
wrong cable and it's in a different building. You know.

134
00:07:53,160 --> 00:07:55,839
Another example, you might imagine that there would be multiple

135
00:07:55,879 --> 00:07:59,240
security levels. You might imagine that the technology that controls

136
00:07:59,279 --> 00:08:01,720
the core, you know, the control rods into the core

137
00:08:01,720 --> 00:08:05,120
that keeps the core from exploding, is more sensitive than

138
00:08:05,160 --> 00:08:09,040
the OT systems that control the steam turbines. I mean

139
00:08:09,040 --> 00:08:12,360
a coal-fired power plant has steam turbines.

140
00:08:12,680 --> 00:08:16,439
Steam turbines have steam turbines, you imagine. In fact, again,

141
00:08:16,480 --> 00:08:19,079
when I talk to these people, a lot of nuclear sites,

142
00:08:19,120 --> 00:08:24,160
in my understanding, have only two security levels absolutely highest

143
00:08:24,160 --> 00:08:30,199
critical and business, and nothing in between. Again, why why

144
00:08:30,199 --> 00:08:33,639
would the steam turbines be protected to the same degree

145
00:08:34,240 --> 00:08:39,039
as the core control system? In part, it's because you

146
00:08:39,080 --> 00:08:42,600
know the physics of these systems the steam, you know,

147
00:08:43,159 --> 00:08:48,279
there are distant physical connections. You know, the liquid from

148
00:08:48,279 --> 00:08:52,559
the core heats up the liquid in the steam, and

149
00:08:52,639 --> 00:08:56,559
so you know there's a theoretically a risk that something

150
00:08:56,600 --> 00:08:59,639
happening to the steam turbines could leak back into the core.

151
00:09:00,639 --> 00:09:04,360
But more fundamentally, these people just say, we cannot afford

152
00:09:04,559 --> 00:09:07,639
to make mistakes with security, and so we're going to

153
00:09:07,720 --> 00:09:09,559
dumb it down. We're not going to have seven or

154
00:09:09,559 --> 00:09:12,320
eight or thirteen security levels. And you have to remember

155
00:09:12,360 --> 00:09:14,240
which is which and apply the right policies to the

156
00:09:14,279 --> 00:09:19,279
right equipment. It's going to be absolutely critical or business,

157
00:09:19,919 --> 00:09:22,200
end of story, and you know which room you're in.

158
00:09:23,000 --> 00:09:26,320
That's the policy you apply again as much as possible.

159
00:09:26,360 --> 00:09:31,879
They eliminate human error. You know regulations. I'm most familiar

160
00:09:31,960 --> 00:09:35,080
with the North American regulations. You might imagine. I mean

161
00:09:35,159 --> 00:09:40,120
NERC CIP handles the power grid. If you fail to live

162
00:09:40,200 --> 00:09:42,600
up to your obligations under NERC CIP, what happens? You can

163
00:09:42,639 --> 00:09:44,919
be fined as much as a million dollars a day.

164
00:09:45,039 --> 00:09:47,440
It's never been levied, but you know, you get fined

165
00:09:48,240 --> 00:09:50,440
with the nukes if they fail to live up to

166
00:09:50,639 --> 00:09:54,879
their regulations. They're shut down, they lose their license to operate.

167
00:09:56,679 --> 00:10:00,360
It's that simple. If you cannot operate safely, you cannot operate. Bang,

168
00:10:00,480 --> 00:10:04,759
you're down. So again, intense attention is paid to the

169
00:10:04,840 --> 00:10:07,960
detail of cybersecurity and cybersecurity regulations.

170
00:10:08,600 --> 00:10:08,679
Speaker 1: Uh.

171
00:10:08,759 --> 00:10:13,240
Speaker 3: You know another example, I'm not aware of any nuclear generator.

172
00:10:13,240 --> 00:10:15,440
Now I might, I don't know all the generators in

173
00:10:15,480 --> 00:10:18,320
the world. I'm not aware of any nuclear generator that

174
00:10:18,399 --> 00:10:23,919
has any kind of OT remote access period. Nothing remotely

175
00:10:23,919 --> 00:10:26,360
gets into OT. You want to touch OT, you walk

176
00:10:26,399 --> 00:10:30,120
over to the server room. So again intense in a

177
00:10:30,200 --> 00:10:32,639
sense though, you know what I what I what I

178
00:10:32,720 --> 00:10:36,879
see of the nukes is that they are leaders in

179
00:10:36,919 --> 00:10:42,159
the cybersecurity field. You know, they they do things extremely intensely,

180
00:10:42,279 --> 00:10:45,919
and as other parts of the field other you know,

181
00:10:46,279 --> 00:10:50,159
power plants, other refineries, other you know, high consequence sites.

182
00:10:50,840 --> 00:10:55,120
As the threat environment continues worsening, as cyber attacks keep

183
00:10:55,120 --> 00:10:58,360
getting more sophisticated, they look over at what is nuclear

184
00:10:58,399 --> 00:11:02,200
doing and they pull one after another technique out of

185
00:11:02,240 --> 00:11:07,679
the nuclear arsenal and start applying it in their in

186
00:11:07,720 --> 00:11:11,399
their circumstance. So you know, even if you're not required

187
00:11:11,440 --> 00:11:14,759
to follow the nuclear rules, I would encourage people to read.

188
00:11:15,600 --> 00:11:21,120
You know, it's NEI, the Nuclear Energy Institute, 08-09

189
00:11:21,440 --> 00:11:26,039
standard, or the NRC, Nuclear Regulatory Commission, 5.71.

190
00:11:26,240 --> 00:11:29,320
I'd actually recommend 08-09. It's more readable, it's

191
00:11:29,320 --> 00:11:32,440
got more examples. The 5.71 is sort

192
00:11:32,440 --> 00:11:34,879
of more terse and saying here's the regulation. Follow it.

193
00:11:35,320 --> 00:11:37,919
But yeah, they are leaders in the space, and over

194
00:11:38,000 --> 00:11:41,879
time I see people drawing on their expertise and the

195
00:11:41,919 --> 00:11:48,879
way they do things. And our topic is asset inventory.

196
00:11:49,200 --> 00:11:52,639
And so you know, we're talking about how much automation

197
00:11:52,720 --> 00:11:54,879
there is, we're talking about how hard it is to count.

198
00:11:55,759 --> 00:11:59,240
Can we back up a minute, you know, in principle,

199
00:11:59,399 --> 00:12:03,720
you know, the the truism is you cannot defend what

200
00:12:03,759 --> 00:12:06,399
you don't know you have. And so that's why we

201
00:12:06,480 --> 00:12:09,240
do inventory. Is that it or is there more to it?

202
00:12:09,279 --> 00:12:11,759
Why are we doing these inventories? What good is an

203
00:12:11,799 --> 00:12:12,759
asset inventory?

204
00:12:13,559 --> 00:12:15,600
Speaker 1: So it's a great question, and I'm going to give

205
00:12:15,720 --> 00:12:19,399
two answers, right, So one is on the nuclear space.

206
00:12:19,519 --> 00:12:22,279
The first answer is we have to right, and sometimes

207
00:12:22,320 --> 00:12:24,879
that is an answer. I don't think it's a good one,

208
00:12:25,559 --> 00:12:29,480
but it is an answer. So we do have regulatory

209
00:12:29,519 --> 00:12:32,960
compliance around an asset inventory because to your point, it

210
00:12:33,000 --> 00:12:37,559
does sort of fuel other aspects of your cyber programs,

211
00:12:37,639 --> 00:12:41,679
such as supply chain vulnerability management, configuration management, et cetera.

212
00:12:42,519 --> 00:12:44,919
The flip side is, it's just it's a smart thing

213
00:12:44,960 --> 00:12:49,120
to do, right. You can't build a vulnerability management program

214
00:12:49,240 --> 00:12:51,679
if you don't know what software is out there that

215
00:12:51,720 --> 00:12:55,799
you're potentially vulnerable to. So trying to build a vulnerability

216
00:12:55,799 --> 00:12:58,519
management program when you don't know what's out there is

217
00:12:58,639 --> 00:13:01,799
it's a fool's errand because you're never going to be

218
00:13:01,799 --> 00:13:06,320
able to understand your total risk. And that's really the

219
00:13:06,440 --> 00:13:09,759
key is. Understanding your assets gives you the ability to

220
00:13:09,879 --> 00:13:13,759
understand your attack surface. And once you understand your attack surface,

221
00:13:13,840 --> 00:13:16,679
you can then figure out what are my vulnerabilities? What

222
00:13:16,759 --> 00:13:19,200
do I need to mitigate? What is a you know,

223
00:13:19,440 --> 00:13:23,200
possible you know threat vector an adversary could use to

224
00:13:23,320 --> 00:13:26,759
attack you know, this device or this process. And you

225
00:13:26,799 --> 00:13:30,879
can't do any of that without having the asset inventory first.

226
00:13:32,159 --> 00:13:35,200
Speaker 3: There's tools out there to do asset inventory. You know,

227
00:13:35,240 --> 00:13:37,559
we don't have to do a manual walk down and

228
00:13:37,639 --> 00:13:41,240
count the blinky lights in the cabinets, you know, do

229
00:13:41,360 --> 00:13:43,840
the tools not solve the problem is is there still

230
00:13:43,879 --> 00:13:45,799
a problem when you've deployed one of these tools.

231
00:13:46,480 --> 00:13:48,960
Speaker 1: Yeah, So there are a number of tools that do

232
00:13:49,000 --> 00:13:51,919
this and some are better than others. Right, make sure

233
00:13:51,960 --> 00:13:54,519
of the these but they do a great job of

234
00:13:55,039 --> 00:13:59,679
asset inventory. So I currently do professional services for a

235
00:14:00,159 --> 00:14:03,399
software company and a lot of their deployments in the

236
00:14:03,399 --> 00:14:06,279
OT space are generally for people that want to use

237
00:14:06,320 --> 00:14:11,879
the tool as their asset inventory. Now, the issue is

238
00:14:12,320 --> 00:14:15,799
sort of becomes a couple of pieces. One that comes

239
00:14:15,879 --> 00:14:18,360
up can come up often, and I saw this in

240
00:14:18,480 --> 00:14:21,759
nuclear all the time. Is a lot of those tools

241
00:14:21,759 --> 00:14:24,840
that we're talking about, they depend on network traffic, right,

242
00:14:24,919 --> 00:14:28,399
so they're looking at source and destination and they're passively

243
00:14:28,440 --> 00:14:30,960
trying to piece together these are their assets on your network,

244
00:14:30,960 --> 00:14:32,639
and this is what they do and how they do it.

245
00:14:33,039 --> 00:14:35,879
So one problem is going to be you have assets

246
00:14:35,879 --> 00:14:39,320
that are not networked. If you have safety critical devices,

247
00:14:39,519 --> 00:14:41,639
they may be isolated. So you're not going to be

248
00:14:41,720 --> 00:14:44,200
able to deploy a tool to do that. So you

249
00:14:44,279 --> 00:14:47,320
are going to have to manually enter those in and

250
00:14:47,440 --> 00:14:50,360
manually keep track of those in some way, shape or form.

251
00:14:50,799 --> 00:14:53,039
And then the second piece is a lot of these

252
00:14:53,039 --> 00:14:56,639
tools that we talked about, they can't just be deployed instantly.

253
00:14:56,759 --> 00:14:58,720
You can't just throw a box in a rack and

254
00:14:58,840 --> 00:15:02,399
you call it macaroni. You know, there are architectural changes

255
00:15:02,440 --> 00:15:04,360
that have to happen to your network. You have to

256
00:15:04,399 --> 00:15:07,720
get traffic from switches, you have to open span port,

257
00:15:07,840 --> 00:15:10,720
you have to deploy sensors, and that's where things can

258
00:15:10,759 --> 00:15:13,639
get a little difficult on the OT side of the house.

259
00:15:14,960 --> 00:15:19,320
Speaker 3: Modern switches, any kind of managed switch has got a

260
00:15:19,360 --> 00:15:22,519
span port or a mirror port. You log into the switch,

261
00:15:22,559 --> 00:15:25,039
you turn on mirroring, and off you go. You can

262
00:15:25,039 --> 00:15:26,840
start seeing the traffic, and you know, a lot of

263
00:15:26,879 --> 00:15:30,159
these these asset inventory tools can start figuring out what

264
00:15:30,200 --> 00:15:33,519
are the assets based on their traffic. You know, I

265
00:15:33,519 --> 00:15:37,799
get that some some systems are are not on the network,

266
00:15:37,840 --> 00:15:41,159
the safety systems. That makes sense, but is it is

267
00:15:41,159 --> 00:15:44,799
it more complicated than that? I mean, I imagine you're working

268
00:15:44,799 --> 00:15:47,679
with some older systems, older switches, or you know, do

269
00:15:47,759 --> 00:15:49,960
any of these plants use non managed switches?

270
00:15:50,960 --> 00:15:53,320
Speaker 1: So I'm sure there are some non managed switches out there.

271
00:15:53,399 --> 00:15:55,480
I would not be surprised if there are some, you know,

272
00:15:55,559 --> 00:15:59,919
hubs that are still out there and kicking. While in theory, yeah,

273
00:16:00,200 --> 00:16:03,879
opening up a span port is a is a simplistic idea.

274
00:16:04,000 --> 00:16:07,480
Where that turns into and where it becomes difficult is

275
00:16:07,559 --> 00:16:11,600
a lot of these OT vendors and even environments that

276
00:16:11,639 --> 00:16:15,360
you're in. Nobody wants to change the system without vendors

277
00:16:15,399 --> 00:16:19,720
involvement because everybody scared about what are the consequences, Because again,

278
00:16:19,799 --> 00:16:22,480
this isn't an IT system, this is an OT system.

279
00:16:22,519 --> 00:16:26,000
There could be some huge process changes in huge impacts

280
00:16:26,039 --> 00:16:29,440
and risk if whatever you want to do doesn't go

281
00:16:29,480 --> 00:16:33,159
according to plan. And that's where I have seen the

282
00:16:33,639 --> 00:16:36,879
most amount of struggle come from. Is you know, you

283
00:16:36,960 --> 00:16:39,279
want to get some a span port. You reach out

284
00:16:39,320 --> 00:16:41,279
to the vendor, you say, hey, this is what we're

285
00:16:41,320 --> 00:16:43,720
looking to do. We just want to span this traffic.

286
00:16:43,960 --> 00:16:47,600
And the vendors don't want to budget. The vendor, you know,

287
00:16:47,720 --> 00:16:50,080
hasn't deployed that they don't know what that's going to

288
00:16:50,120 --> 00:16:52,519
look like. They tell you that, hey, we're going to

289
00:16:52,600 --> 00:16:55,480
have to re-FAT the entire system. You know, after making

290
00:16:55,480 --> 00:16:59,960
this change. Now you know, meanwhile, is there going to

291
00:16:59,960 --> 00:17:03,519
be an impact? No, we can look at switch utilization

292
00:17:03,639 --> 00:17:06,119
and see, you know, hey, even if we double. You know,

293
00:17:06,359 --> 00:17:09,559
we'll double the switch utilization. You know, you're not going

294
00:17:09,599 --> 00:17:11,599
to see a huge impact to that because your switch

295
00:17:11,640 --> 00:17:14,480
is only at five or ten percent utilization. But it's

296
00:17:14,519 --> 00:17:19,359
just it's the there isn't an understanding on the vendor side.

297
00:17:19,440 --> 00:17:22,359
So for some of these big control system vendors, it

298
00:17:22,400 --> 00:17:26,480
becomes difficult for them to bless as it were making

299
00:17:26,519 --> 00:17:29,920
these changes. And that's where we have seen the most

300
00:17:29,960 --> 00:17:34,279
amount of struggle. And we even had projects where we

301
00:17:34,359 --> 00:17:37,200
had to provide a lot of the testing and we

302
00:17:37,279 --> 00:17:41,079
provided you know, this is what needs to happen because

303
00:17:41,079 --> 00:17:44,559
the vendor just didn't have the knowledge. And I think

304
00:17:44,559 --> 00:17:48,079
as time goes on, for you know, the control system

305
00:17:48,160 --> 00:17:50,200
vendors that are out there, I think that's going to

306
00:17:50,240 --> 00:17:53,160
be more and more of an issue because more and

307
00:17:53,200 --> 00:17:56,519
more of their deployments are going to have a requirement

308
00:17:56,680 --> 00:18:01,400
for some form of higher detection capability. We can't just say,

309
00:18:01,599 --> 00:18:04,880
you know, these things are you know, they're in an

310
00:18:04,880 --> 00:18:08,640
OT environment, they're safe, that this system the case right

311
00:18:09,680 --> 00:18:12,880
There needs to be higher level of detection and the

312
00:18:12,960 --> 00:18:15,880
vendors need to be more willing to work. And as

313
00:18:15,920 --> 00:18:19,440
time goes on, I think it'll be easier but retrofitting

314
00:18:19,759 --> 00:18:25,079
this sort of technology in existing systems becomes increasingly difficult

315
00:18:25,119 --> 00:18:28,240
because nobody wants to touch the system that isn't broke.

316
00:18:31,799 --> 00:18:34,599
Speaker 3: So a couple of quick points there. You know, Brian

317
00:18:34,720 --> 00:18:38,400
used a couple of acronyms people might not recognize. He said,

318
00:18:38,480 --> 00:18:40,559
you know, you might have to re-FAT the entire system.

319
00:18:40,559 --> 00:18:44,839
What's that FAT is factory acceptance test. It's set everything

320
00:18:44,920 --> 00:18:50,680
up and test every function of the system, emergency recovery

321
00:18:50,880 --> 00:18:53,359
every function of the system, and make sure that it

322
00:18:53,400 --> 00:18:56,440
meets the requirements that were laid out when you issued

323
00:18:56,480 --> 00:19:02,200
the contract to get the system built. Typically days you

324
00:19:02,200 --> 00:19:04,799
have to shut the plant down to do it. So

325
00:19:04,880 --> 00:19:07,599
nobody wants to re-FAT anything. So that's what the

326
00:19:07,680 --> 00:19:10,000
vendors are threatening, saying, well, if you make a change

327
00:19:10,000 --> 00:19:12,000
that we haven't tested, we have to retest it, don't

328
00:19:12,039 --> 00:19:16,680
we You know. Another point he made was about bandwidth.

329
00:19:17,079 --> 00:19:20,319
And you know, for anyone who's not real familiar with

330
00:19:20,319 --> 00:19:22,799
how mirror or span ports work, you've got a switch

331
00:19:22,839 --> 00:19:24,480
with I don't know, twenty four ports on it forty

332
00:19:24,519 --> 00:19:26,559
eight ports. It has to be a managed switch. You

333
00:19:26,640 --> 00:19:28,599
log into the switch with a username and password

334
00:19:28,599 --> 00:19:30,119
and you can configure the switch. And one of the

335
00:19:30,160 --> 00:19:33,519
things you can configure is it's called a mirror port

336
00:19:33,599 --> 00:19:36,920
or a span port. It's a port or you know,

337
00:19:37,039 --> 00:19:42,519
multiple ports where you send copies of stuff. So typically,

338
00:19:42,519 --> 00:19:44,160
if you're going to do an asset inventory, you can

339
00:19:44,200 --> 00:19:47,680
configure one port and say every message that anybody sends

340
00:19:47,720 --> 00:19:50,319
to anybody else on the system, send a copy of

341
00:19:50,319 --> 00:19:53,680
the message out this port. And now the asset inventory

342
00:19:53,680 --> 00:19:55,680
system can look at the messages and say, oh, there's

343
00:19:55,720 --> 00:19:58,079
IP addresses in use. I wonder what kind of machine

344
00:19:58,119 --> 00:20:01,079
this is. It's using this TCP port number, and

345
00:20:01,119 --> 00:20:03,920
it figures out what kind of stuff is on the

346
00:20:03,920 --> 00:20:06,359
network based on the network traffic, and the mirror port

347
00:20:06,480 --> 00:20:10,000
gives you that traffic, and the throughput consideration is you know,

348
00:20:10,680 --> 00:20:12,880
I thought, and now I'm not an expert on switches,

349
00:20:12,920 --> 00:20:16,599
I assumed that modern switches you would put you know,

350
00:20:16,640 --> 00:20:19,400
they have ports twenty four ports out the front, and

351
00:20:19,480 --> 00:20:22,680
every message that comes in goes onto a backplane. It's

352
00:20:22,720 --> 00:20:25,640
a very high speed backplane. And I thought that the

353
00:20:25,680 --> 00:20:27,880
message went to every one of the other ports, and

354
00:20:27,920 --> 00:20:30,200
the ports decided do I send this out or not,

355
00:20:31,039 --> 00:20:32,720
and so it would go to the mirror port as well.

356
00:20:32,720 --> 00:20:34,960
That's what I assumed, And so you know, turning on

357
00:20:35,000 --> 00:20:40,160
the mirror port would not in fact increase the amount

358
00:20:40,160 --> 00:20:44,119
of traffic on the backplane because every message is visible

359
00:20:44,160 --> 00:20:48,039
to every port. You know, what I didn't get clarification

360
00:20:48,200 --> 00:20:50,000
from from Brian, but what it sounds like is at

361
00:20:50,079 --> 00:20:53,319
least some of the switches he's dealing with, if you

362
00:20:53,480 --> 00:20:56,200
enable the mirror port, then the source. If Port A

363
00:20:56,759 --> 00:21:00,000
is sending a message to Port B, it first puts

364
00:21:00,119 --> 00:21:03,480
on the backplane addressed to Port B, and a second

365
00:21:03,559 --> 00:21:06,359
time puts the same message on the backplane addressed to

366
00:21:06,400 --> 00:21:08,920
the mirror port, because it's been configured to send everything

367
00:21:09,000 --> 00:21:11,039
to the mirror port, and that would tend to double

368
00:21:11,440 --> 00:21:14,039
the amount of traffic on the backplane. But these backplanes

369
00:21:14,079 --> 00:21:18,079
are massively high speed because they have to support all

370
00:21:18,119 --> 00:21:22,000
of the twenty four ports simultaneously. So he's saying, look,

371
00:21:22,319 --> 00:21:27,319
your average backplane is, you know, barely loaded, and doubling

372
00:21:27,359 --> 00:21:31,720
the load is immaterial. What he did not say was that,

373
00:21:31,880 --> 00:21:34,680
you know, configuring the switch causes the switch to malfunction.

374
00:21:34,720 --> 00:21:38,680
I would imagine ancient switches that, you know, were

375
00:21:38,720 --> 00:21:41,400
around sort of at the beginning of the concept of

376
00:21:41,440 --> 00:21:44,359
mirror ports and span ports might have defects in their

377
00:21:44,400 --> 00:21:46,799
software that if you turn on the mirror port it

378
00:21:46,880 --> 00:21:49,480
might malfunction. But you know, he didn't say that. I

379
00:21:49,519 --> 00:21:51,400
forgot to ask him, and the fact that he didn't

380
00:21:51,400 --> 00:21:53,720
say it says to me he's never run into it,

381
00:21:53,839 --> 00:21:55,640
or you know, he would have mentioned it. So that's

382
00:21:56,039 --> 00:21:58,200
I'm putting words in his mouth there. But I'm guessing

383
00:21:58,240 --> 00:21:59,920
that's not so much a concern. The concern is to

384
00:22:00,160 --> 00:22:02,720
The concern is testing. That's just, you know, people

385
00:22:02,759 --> 00:22:05,680
worry about things working the way they're supposed to if

386
00:22:05,680 --> 00:22:08,599
you make a change that has not been anticipated. This

387
00:22:08,680 --> 00:22:11,799
is the essence of the engineering change control discipline that

388
00:22:11,920 --> 00:22:16,400
is again used intensely at nuclear sites and used but

389
00:22:16,519 --> 00:22:19,640
maybe just a little less intensely at other critical infrastructure

390
00:22:19,680 --> 00:22:25,279
sites in the modern day. You're saying, you know, the

391
00:22:25,319 --> 00:22:32,160
control system vendors don't get asset inventory. I mean span ports,

392
00:22:32,160 --> 00:22:36,000
mirror ports. They're also used for intrusion detection systems. This

393
00:22:36,160 --> 00:22:41,319
is what Dragos uses, this is what Nozomi uses. You know,

394
00:22:42,160 --> 00:22:45,720
the six pillars of the cybersecurity framework, and this framework

395
00:22:45,799 --> 00:22:48,240
include detect, respond, recover. You've got to be able to

396
00:22:48,240 --> 00:22:50,200
look at what's happening on the hosts. You got to

397
00:22:50,200 --> 00:22:53,680
be able to look at what's happening on the networks. Really,

398
00:22:53,720 --> 00:22:55,920
you know, the vendors in the modern day don't.

399
00:22:55,759 --> 00:23:01,039
Speaker 1: Get this. Credit where it's due, some do get it better

400
00:23:01,079 --> 00:23:04,680
than others. However, you know, there have been some vendors

401
00:23:04,759 --> 00:23:07,079
we've worked with that did not want to make any

402
00:23:07,200 --> 00:23:09,799
changes because they just wanted to give us the same

403
00:23:09,880 --> 00:23:13,119
system that they gave us twenty years ago, you know,

404
00:23:13,200 --> 00:23:16,319
with one version you know, higher than what we deployed

405
00:23:16,440 --> 00:23:20,400
again decades in the past. And you know, when pressed,

406
00:23:20,759 --> 00:23:24,880
while the people on the vendor side are experts in

407
00:23:24,920 --> 00:23:27,599
what they are doing, they are experts in safety design,

408
00:23:27,680 --> 00:23:30,400
they are experts in PLCs and how all of these

409
00:23:30,440 --> 00:23:34,599
things talk together, they're not IT people. So when you

410
00:23:34,680 --> 00:23:37,519
start talking, you know, hey, I want to open up

411
00:23:37,519 --> 00:23:41,839
a span port, it's different. They don't understand. They think it's

412
00:23:41,839 --> 00:23:45,319
going to cause an impact to the system. Meanwhile, as

413
00:23:45,759 --> 00:23:48,519
people with an IT background, we can see that, Hey,

414
00:23:48,680 --> 00:23:51,519
you know you're using managed switches, you can enable a

415
00:23:51,559 --> 00:23:56,279
span port. The inputs are one hundred meg and, you know,

416
00:23:56,440 --> 00:24:02,400
even if all of your PLCs are completely maxing that throughput,

417
00:24:02,880 --> 00:24:05,359
the backplane of the switch is going to be nowhere

418
00:24:05,400 --> 00:24:10,200
near utilization and even doubling that, you're not going to

419
00:24:10,200 --> 00:24:13,440
see a decrease. And it just it takes a long

420
00:24:13,559 --> 00:24:17,599
time to get the vendors on board. And again, you know,

421
00:24:17,839 --> 00:24:22,240
we even offered to do some testing and show what

422
00:24:22,279 --> 00:24:26,279
the utilization changes were, and you know we have seen

423
00:24:26,319 --> 00:24:29,359
that again with some vendors are better than others. But

424
00:24:29,720 --> 00:24:31,759
you know, I feel like at the end of the day,

425
00:24:31,960 --> 00:24:34,119
it's we just want to give you the same system

426
00:24:34,160 --> 00:24:37,640
that you've already had, and making changes to that is scary.

427
00:24:38,160 --> 00:24:42,119
And you know, we're an isolated system, so you know,

428
00:24:42,200 --> 00:24:45,000
we don't need to deploy a lot of that technology

429
00:24:45,039 --> 00:24:48,079
because we're just going to stay isolated and not connected

430
00:24:48,119 --> 00:24:51,680
to anything. And the reality is that isn't as effective

431
00:24:51,680 --> 00:24:57,240
either, because while you lose the sort of network

432
00:24:57,279 --> 00:25:00,920
attack path, you still have several other such as physical

433
00:25:00,920 --> 00:25:05,519
supply chain and portable media. So having detection capability is actually,

434
00:25:05,559 --> 00:25:08,200
in my opinion, it's worth the risk of plugging that

435
00:25:08,240 --> 00:25:10,920
thing in as long as you have a sound architecture.

436
00:25:11,039 --> 00:25:13,799
And that's where some of the struggles begin, with

437
00:25:14,119 --> 00:25:17,200
changing sort of that mindset from on the vendor side.

438
00:25:17,680 --> 00:25:21,480
For example, you know, some of the control system vendors

439
00:25:21,480 --> 00:25:25,160
that you know there's workstations and stuff there. They understand that, yes,

440
00:25:25,200 --> 00:25:28,119
there are detection pieces. You're going to deploy some level

441
00:25:28,160 --> 00:25:30,839
of network intrusion detection. You're going to deploy some level

442
00:25:30,839 --> 00:25:33,640
of SIEM agent. Right, so I need to send this

443
00:25:33,799 --> 00:25:36,920
log and we've had good luck, you know, again with

444
00:25:37,000 --> 00:25:41,440
particular vendors there. Some vendors will actually include with their

445
00:25:41,480 --> 00:25:45,319
control system they will also include a security suite, so

446
00:25:45,400 --> 00:25:48,079
they will have their own, you know, HIDS or NIDS,

447
00:25:48,079 --> 00:25:50,720
your SIEM, and that's all included. You know, they have

448
00:25:50,759 --> 00:25:55,319
a patching server that distributes you know, Microsoft quick fixes

449
00:25:55,359 --> 00:25:56,079
and all that stuff.

450
00:25:56,079 --> 00:25:56,559
Speaker 3: It's great.

451
00:25:57,480 --> 00:25:59,920
Speaker 1: However, when you get to that lower level of your

452
00:26:00,079 --> 00:26:03,400
PLC type stuff where you know, again we were working

453
00:26:03,400 --> 00:26:06,279
with a PLC vendor and they would not budge. They

454
00:26:06,279 --> 00:26:09,640
did not want to change their design. They thought that

455
00:26:09,880 --> 00:26:13,680
the switch there would be a loss in time of

456
00:26:13,680 --> 00:26:17,400
communication which would affect the safety related aspect of the design,

457
00:26:17,720 --> 00:26:18,839
and they did not want to budge.

458
00:26:19,880 --> 00:26:20,880
Speaker 3: And you know, it.

459
00:26:20,880 --> 00:26:24,839
Speaker 1: Took two years for us to work with them, for

460
00:26:24,920 --> 00:26:29,359
them to understand that we have requirements and you know,

461
00:26:29,480 --> 00:26:33,240
when the programs were implemented, specifically across nuclear it was

462
00:26:33,359 --> 00:26:35,240
understood that you're not going to go in and bolt

463
00:26:35,240 --> 00:26:38,319
this stuff onto existing systems. But when you're starting fresh,

464
00:26:38,400 --> 00:26:41,319
when you're building a system from the ground up, it

465
00:26:41,440 --> 00:26:44,079
has to have all of these components. You know, there

466
00:26:44,160 --> 00:26:46,599
is no longer an excuse to say, oh, you know,

467
00:26:46,680 --> 00:26:49,200
it's already working. You know, we're not going to go

468
00:26:49,279 --> 00:26:51,680
play around with it. It's going to that could obviously

469
00:26:51,759 --> 00:26:55,119
cause issues. Everything has to be baked in from the

470
00:26:55,160 --> 00:26:59,200
ground up. The cybersecurity keys has to be foundational. And

471
00:26:59,240 --> 00:27:01,720
again with the PLC vendors, we found it to

472
00:27:01,799 --> 00:27:05,519
be again one particular vendor, very difficult for us to

473
00:27:05,559 --> 00:27:08,680
get that through and it took a number of people

474
00:27:09,359 --> 00:27:12,680
you know, trying to work there. You know, the PLC

475
00:27:12,720 --> 00:27:17,200
engineers through why this is okay, you know, we promise here,

476
00:27:17,519 --> 00:27:20,160
you know, here's some data to back it up, and

477
00:27:20,200 --> 00:27:23,680
they finally did agree to use the architecture that that

478
00:27:23,759 --> 00:27:25,920
we were you know, we had kind of specified from

479
00:27:25,960 --> 00:27:26,720
a design.

480
00:27:26,480 --> 00:27:30,160
Speaker 3: Perspective, we sweat blood, we fight with the vendors, we

481
00:27:30,319 --> 00:27:34,039
get our asset inventory system deployed, we you know, augment

482
00:27:34,119 --> 00:27:37,799
it with manual inventory for the air gap or

483
00:27:37,839 --> 00:27:43,119
the isolated networks, and we use it for managing patches

484
00:27:43,119 --> 00:27:46,079
and vulnerabilities. Is there anything else we use it for?

485
00:27:46,960 --> 00:27:51,440
Speaker 1: Yeah? Absolutely, to your point, vulnerability management is a big one,

486
00:27:51,519 --> 00:27:53,359
right because I think at the end of the day,

487
00:27:53,480 --> 00:27:57,720
your asset inventory is going to give you what your

488
00:27:57,960 --> 00:28:01,039
you know, what your risk profile is, what your attack

489
00:28:01,119 --> 00:28:05,319
surface is. Vulnerabilities is one part of that. You know.

490
00:28:05,359 --> 00:28:08,799
There is, you know, another piece of it

491
00:28:08,960 --> 00:28:12,119
that is supply chain, right, so we talked about that

492
00:28:12,200 --> 00:28:15,000
a little earlier. Being able to understand what are the

493
00:28:15,039 --> 00:28:17,839
important devices that I Am going to produce, you know,

494
00:28:17,960 --> 00:28:22,079
procure, and procure those with certain sets of requirements.

495
00:28:22,119 --> 00:28:25,000
That's also critical. Another thing that we would use it

496
00:28:25,079 --> 00:28:30,440
for is configuration management. So understanding what is your configuration?

497
00:28:30,720 --> 00:28:33,400
You know, you can build tools, You can use tools

498
00:28:33,799 --> 00:28:36,720
that tell you, you know, this is the configuration on

499
00:28:36,759 --> 00:28:40,160
the device. And some of those tools out there, you know,

500
00:28:40,200 --> 00:28:43,160
some of those network intrusion systems that are OT centric

501
00:28:43,599 --> 00:28:47,640
can also give you alerts and understandings on you know,

502
00:28:48,359 --> 00:28:51,359
what is when changes happen. You know, you have a

503
00:28:51,400 --> 00:28:55,440
code download to a PLC, is that expected? And then

504
00:28:55,519 --> 00:28:57,680
also you know, this is the running code of that

505
00:28:57,759 --> 00:29:00,160
PLC and this is what changed, and you would have

506
00:29:00,279 --> 00:29:03,960
visibility into all of that and again all based on

507
00:29:04,119 --> 00:29:07,200
their asset inventory and having as much information as you

508
00:29:07,319 --> 00:29:08,799
can about those assets.

509
00:29:09,880 --> 00:29:12,079
Speaker 3: You know, the latest automation systems have a lot of

510
00:29:12,119 --> 00:29:17,839
devices and asset inventory counts them. This is great, but

511
00:29:18,000 --> 00:29:20,880
there's a lot more we need to do with the information.

512
00:29:21,119 --> 00:29:23,599
So you've talked about patching. You know, there's a lot

513
00:29:23,640 --> 00:29:26,160
of... We've had people on the show talking about

514
00:29:26,240 --> 00:29:30,640
SBOM, you know, software bill of materials, keeping track

515
00:29:30,720 --> 00:29:34,480
of sort of embedded software when vulnerabilities are announced. Is

516
00:29:34,480 --> 00:29:41,160
there automation for tracking SBOMs and vulnerabilities? And, you know,

517
00:29:41,319 --> 00:29:45,839
doing the mechanics of patching, and you know, arguably counting

518
00:29:45,880 --> 00:29:49,319
the asset is the easiest part of managing the inventory.

519
00:29:50,440 --> 00:29:53,000
You know, is there more in sort of that we

520
00:29:53,039 --> 00:29:54,799
can expect of modern tools.

521
00:29:55,559 --> 00:29:59,039
Speaker 1: I think there is. And you know, vulnerability management is

522
00:29:59,079 --> 00:30:02,160
always going to be one of the most difficult things

523
00:30:02,200 --> 00:30:06,480
to conquer because if you don't have an updated software inventory,

524
00:30:06,720 --> 00:30:08,720
you're never going to know what's out there. You can

525
00:30:08,759 --> 00:30:11,599
do all the Windows patches in the world, but you know,

526
00:30:11,759 --> 00:30:15,279
there are obviously tens and tens of thousands of non

527
00:30:15,400 --> 00:30:21,000
Windows vulnerabilities where if you're running again insert whatever software

528
00:30:21,039 --> 00:30:25,000
product right, there are huge vulnerabilities around a lot of those.

529
00:30:25,079 --> 00:30:28,839
So can you automate it? I think it comes down

530
00:30:28,839 --> 00:30:32,759
to you can automate the visibility right, so you can

531
00:30:32,799 --> 00:30:37,319
at least understand and have up to date dashboards of this.

532
00:30:37,480 --> 00:30:40,400
These are the devices that you need to worry about, right,

533
00:30:40,720 --> 00:30:43,920
this particular device has five critical vulnerabilities, and then that

534
00:30:43,960 --> 00:30:47,519
gives your you know, your internal cyber engineers something to

535
00:30:47,599 --> 00:30:51,160
go after to mitigate to overall reduce that risk. I

536
00:30:51,200 --> 00:30:54,799
also think it's important from a business perspective to understand

537
00:30:54,839 --> 00:30:56,039
what are we going to do?

538
00:30:56,240 --> 00:30:56,400
Speaker 3: Right?

539
00:30:56,480 --> 00:30:59,359
Speaker 1: On the IT side, there's a lot of patching processes,

540
00:30:59,519 --> 00:31:02,400
and there's, you know, SLAs associated with, is your,

541
00:31:02,759 --> 00:31:05,720
you know, is the vulnerability critical, high, medium, low, et cetera.

542
00:31:06,160 --> 00:31:11,480
On the OT side, in general, OT is very averse

543
00:31:11,599 --> 00:31:15,519
to patching and mitigation. And I agree with that in

544
00:31:15,559 --> 00:31:18,640
some senses, and I don't agree with that in other senses.

545
00:31:18,720 --> 00:31:21,400
And I think as a business, you guys like you

546
00:31:21,519 --> 00:31:24,559
need to understand what is your tolerance for that risk?

547
00:31:24,640 --> 00:31:28,160
What are you willing to accept and are there areas

548
00:31:28,200 --> 00:31:31,039
where you know, yes, we we're comfortable we're not patching

549
00:31:31,079 --> 00:31:33,359
because we have all these controls in place, and you know,

550
00:31:33,440 --> 00:31:35,559
in order to get the device, you know, there's guns,

551
00:31:35,599 --> 00:31:38,440
gates and guards in the middle of it. You know,

552
00:31:38,480 --> 00:31:41,279
but hey, maybe if something really, really really big comes out,

553
00:31:41,319 --> 00:31:42,680
we are going to take care of it. And we

554
00:31:42,759 --> 00:31:45,400
do have to come up. So I don't think there

555
00:31:45,480 --> 00:31:47,960
is a way to fully automate it, but you can

556
00:31:48,000 --> 00:31:51,839
at least automate the visibility so you don't have people,

557
00:31:52,039 --> 00:31:55,200
you know, just manually searching NVD with a software list

558
00:31:55,279 --> 00:31:57,799
that they don't even know as accurate. You can get

559
00:31:57,839 --> 00:31:59,960
that part out of the way. There are tools out

560
00:32:00,039 --> 00:32:02,680
there that will help you, and then becomes a business

561
00:32:02,680 --> 00:32:06,119
decision and sort of a business process around Okay, with

562
00:32:06,200 --> 00:32:09,519
all that information, here is your overall risk profile. What

563
00:32:09,519 --> 00:32:13,160
are you going to do about it? And that, you know,

564
00:32:13,200 --> 00:32:16,920
that becomes the deeper discussion again around what specifically the businesses,

565
00:32:17,039 --> 00:32:19,440
how much risk tolerance you do have, how much risk

566
00:32:19,440 --> 00:32:21,759
avoidance you want to have, and you know kind of

567
00:32:21,759 --> 00:32:22,279
go from there.

568
00:32:23,160 --> 00:32:25,440
Speaker 3: Well, Brian, thank you so much for joining us today.

569
00:32:25,880 --> 00:32:27,599
Before I let you go, can I ask you can

570
00:32:27,640 --> 00:32:29,799
you sum up for our listeners, what should we take

571
00:32:29,839 --> 00:32:32,599
away in terms of you know what we're doing with

572
00:32:32,640 --> 00:32:33,519
asset inventory?

573
00:32:34,119 --> 00:32:39,079
Speaker 1: Absolutely, I would say asset inventory is the most important

574
00:32:39,160 --> 00:32:41,920
part of your program because if you don't know what

575
00:32:42,000 --> 00:32:44,160
assets are out there, you're never going to be able

576
00:32:44,160 --> 00:32:47,440
to protect your organization from somebody that maybe they know

577
00:32:47,480 --> 00:32:51,119
what's out there and you don't. So asset inventory is critical.

578
00:32:51,200 --> 00:32:55,799
You cannot build upon your internal program without understanding what

579
00:32:55,839 --> 00:32:59,759
your attack surface is. I think another point is there

580
00:32:59,759 --> 00:33:03,200
are tools to help you. This is not something that

581
00:33:03,240 --> 00:33:06,119
we need to do manually anymore. You do not have

582
00:33:06,160 --> 00:33:08,640
to go into cabinets and count every single blinky light.

583
00:33:09,400 --> 00:33:12,680
There are tools and you know, products out there that

584
00:33:12,720 --> 00:33:15,279
will help us get closer to where we want to be.

585
00:33:16,119 --> 00:33:18,200
And then at the end of the day, you still

586
00:33:18,240 --> 00:33:22,960
need an internal team that understands what the information coming

587
00:33:23,000 --> 00:33:27,319
back gets. So if if you you know, if you

588
00:33:27,400 --> 00:33:30,680
do need help in deploying these tools or selecting tools

589
00:33:30,799 --> 00:33:34,200
or understanding what the risk is, I'd be happy to help.

590
00:33:35,079 --> 00:33:38,000
You can connect with me on LinkedIn. Brian de Rico.

591
00:33:38,359 --> 00:33:41,160
I think I'm the only one, and I

592
00:33:41,200 --> 00:33:44,559
can help you with those problems because again once we

593
00:33:44,759 --> 00:33:47,400
once we conquer assets and get the tools in place,

594
00:33:47,640 --> 00:33:51,400
a lot of pieces of the program become a lot easier.

595
00:33:51,880 --> 00:33:56,079
And my goal and what I love is just driving efficiency.

596
00:33:56,240 --> 00:33:59,319
So let's automate, automate, automate, use tools to kind of

597
00:33:59,319 --> 00:34:03,319
help us see what we can't and just do what

598
00:34:03,359 --> 00:34:05,200
we can to protect critical infrastructure.

599
00:34:08,599 --> 00:34:12,960
Speaker 2: Andrew, that just about concludes your interview with Brian. Do

600
00:34:13,039 --> 00:34:15,599
you have any final thoughts about what he talked about

601
00:34:15,679 --> 00:34:18,000
there that you can leave our listeners with?

602
00:34:19,239 --> 00:34:21,119
Speaker 3: What I took away here is, you know,

603
00:34:21,119 --> 00:34:24,280
the importance of inventory and the need for automation. I mean,

604
00:34:25,239 --> 00:34:28,559
if a modern nuclear generator has you know, ten thousand

605
00:34:28,599 --> 00:34:31,519
plus devices in it that have CPUs in them that

606
00:34:31,639 --> 00:34:33,559
have to be managed, that have software that have to

607
00:34:33,559 --> 00:34:37,800
be managed, you know, I don't know that a nuclear

608
00:34:37,840 --> 00:34:42,079
generator is that much more heavily instrumented than the average

609
00:34:42,440 --> 00:34:45,800
industrial thing. If you buy a steam turbine, a

610
00:34:45,920 --> 00:34:49,559
modern turbine is heavily instrumented. If you buy any kind

611
00:34:49,559 --> 00:34:52,039
of physical equipment, it's going to be heavily instrumented. This

612
00:34:52,119 --> 00:34:54,880
is, you know, there's three hundred plus CPUs in

613
00:34:54,920 --> 00:34:58,679
a modern automobile and that's you know, that's something that

614
00:34:58,760 --> 00:35:02,599
fits in your living room. We're talking about massive installations.

615
00:35:03,440 --> 00:35:05,679
You know, I would imagine that a big refinery has

616
00:35:05,800 --> 00:35:09,280
as many as one hundred thousand plus devices if it's

617
00:35:09,320 --> 00:35:12,679
been upgraded recently. You know, when was the last time

618
00:35:12,719 --> 00:35:16,480
you tried to manage a spreadsheet with ten thousand rows

619
00:35:16,519 --> 00:35:18,199
in it? When was the last time you tried to

620
00:35:18,239 --> 00:35:20,280
manage the spreadsheet with one hundred thousand rows in it?

621
00:35:21,679 --> 00:35:25,760
Just manually counting the blinking lights takes a long time.

622
00:35:26,719 --> 00:35:30,480
Automation to me is essential. I mean this is you

623
00:35:30,519 --> 00:35:34,840
look at the cybersecurity framework sort of the grand compendium

624
00:35:34,880 --> 00:35:38,000
of everything that is cyber what's the first thing you do? Well,

625
00:35:38,119 --> 00:35:40,960
the first thing you do is figure out who's responsible

626
00:35:40,960 --> 00:35:43,920
for the program and, you know, assign budget responsibility. Okay,

627
00:35:43,920 --> 00:35:46,119
what's the second thing you do? You take asset inventory.

628
00:35:46,159 --> 00:35:49,880
You've got to understand what you're protecting. So yeah,

629
00:35:49,880 --> 00:35:52,239
this all makes sense that you need the inventory and

630
00:35:52,480 --> 00:35:54,480
in the modern world you need automation. There's no way

631
00:35:54,519 --> 00:35:57,760
you can do this anymore manually. So you know, my

632
00:35:58,920 --> 00:36:01,679
thanks to Brian. We go and, you know, learn

633
00:36:01,719 --> 00:36:02,920
something here.

634
00:36:03,320 --> 00:36:06,760
Speaker 2: Yes, our thanks to Brian, and Andrew, as always, thank you

635
00:36:06,800 --> 00:36:07,480
for speaking with me.

636
00:36:08,000 --> 00:36:09,320
Speaker 3: It's always a pleasure. Thank you, Nate.

637
00:36:10,159 --> 00:36:14,119
Speaker 2: This has been the Industrial Security podcast from Waterfall. Thanks

638
00:36:14,159 --> 00:36:15,960
to everyone out there and listening.

