1
00:00:05,759 --> 00:00:12,160
Speaker 1: Large scale destructive attacks on big machinery. It's not something

2
00:00:12,160 --> 00:00:14,359
that I would consider a credible attack.

3
00:00:19,679 --> 00:00:24,199
Speaker 2: Welcome, everyone, to the Industrial Security Podcast. My name is Nate Nelson.

4
00:00:24,679 --> 00:00:28,120
I'm here with Andrew Ginter, the vice president of Industrial

5
00:00:28,160 --> 00:00:32,119
Security at Waterfall Security Solutions, who's going to introduce the

6
00:00:32,159 --> 00:00:35,799
subject and guest of our show today. Andrew, how are you.

7
00:00:36,759 --> 00:00:39,359
Speaker 3: I'm very well, Thank you, Nate. Our guest today is

8
00:00:39,520 --> 00:00:43,399
Kenneth Titlestad. He is the Chief Commercial Officer at Omny

9
00:00:44,320 --> 00:00:48,560
and he's also the chair of the Norwegian International Electrotechnical

10
00:00:48,640 --> 00:00:52,840
Committee subgroup working on IEC 62443.

11
00:00:52,920 --> 00:00:56,119
So this is the Norwegian delegation to the IEC that

12
00:00:56,200 --> 00:00:59,359
produces the widely used IEC 62443 standard.

13
00:01:00,479 --> 00:01:04,519
We're going to be talking about credible threats, what should

14
00:01:04,519 --> 00:01:07,560
we be planning for security wise? And by the way

15
00:01:08,319 --> 00:01:11,560
I happened, I had an opportunity to be in Norway

16
00:01:12,079 --> 00:01:15,879
and I visited Kenneth at the Omny head office where

17
00:01:15,879 --> 00:01:19,200
they have a lovely recording studio. So we recorded this

18
00:01:19,280 --> 00:01:22,359
face to face in their studio in their head office.

19
00:01:23,000 --> 00:01:26,840
Speaker 2: Then let's get right into your conversation with Kenneth.

20
00:01:29,879 --> 00:01:33,040
Speaker 3: Hello, Kenneth, and welcome to the podcast. Before we get started,

21
00:01:33,079 --> 00:01:34,799
can you tell our listeners, give us a bit of

22
00:01:35,239 --> 00:01:38,120
information about your background, about what you know, what you

23
00:01:38,200 --> 00:01:40,400
are up to, and the good work you're doing here

24
00:01:40,400 --> 00:01:41,319
at Omny Security.

25
00:01:41,959 --> 00:01:45,560
Speaker 1: Thank you so much, Andrew, and welcome to Norway and

26
00:01:45,680 --> 00:01:48,760
our office. I'm so glad to have you visiting us.

27
00:01:49,560 --> 00:01:53,359
So my name is Kenneth Titlestad and I'm working as

28
00:01:53,400 --> 00:01:58,799
a Chief Commercial Officer in Omny and I've just started

29
00:01:58,840 --> 00:02:01,760
as a commercial officer in Omny. I went over from

30
00:02:01,840 --> 00:02:07,519
Sopra Steria, where I was heading up OT cybersecurity. I've been

31
00:02:07,519 --> 00:02:11,240
doing that for six years. Before that, I was working

32
00:02:11,280 --> 00:02:14,759
in Equinor, also working on OT cybersecurity. So I've been

33
00:02:16,039 --> 00:02:19,280
working in the field now for almost fifteen years. And

34
00:02:19,360 --> 00:02:21,759
also for the last five or six years I've been

35
00:02:22,240 --> 00:02:26,159
chairman for the Norwegian Electrotechnical Committee, the group that

36
00:02:26,840 --> 00:02:28,680
is handling IEC

37
00:02:29,159 --> 00:02:30,360
Speaker 3: 62443.

38
00:02:31,159 --> 00:02:34,919
Speaker 1: So I've been diving deep into OT cybersecurity now for

39
00:02:35,000 --> 00:02:41,439
quite many years. Yeah, and at Omny we are developing

40
00:02:41,479 --> 00:02:47,639
a software platform for handling cybersecurity and security for critical infrastructure.

41
00:02:48,199 --> 00:02:52,360
It contains a security knowledge graph and AI that

42
00:02:52,479 --> 00:02:57,319
provides actionable insights into security for critical infrastructure. So it's

43
00:02:57,360 --> 00:03:00,560
about IT, OT and the physical structure.

44
00:03:01,560 --> 00:03:06,800
Speaker 3: Our topic today is credibility. Now this is talking about risk.

45
00:03:08,240 --> 00:03:11,080
You know a lot of people think risk is boring. Okay,

46
00:03:11,120 --> 00:03:13,520
A lot of people when they enter the industrial security space,

47
00:03:13,560 --> 00:03:15,680
they want to know about attacks, they want to know

48
00:03:15,680 --> 00:03:18,439
about the technical bits and bytes. You tell me that you

49
00:03:18,520 --> 00:03:21,039
got interested in risk a very long time ago. Can

50
00:03:21,080 --> 00:03:23,080
you talk about that? Where where did that come from?

51
00:03:23,439 --> 00:03:28,840
Speaker 1: Absolutely. I'm not sure if, when I considered it

52
00:03:28,960 --> 00:03:36,080
as a risk or as a...

53
00:03:34,520 --> 00:03:35,599
Speaker 3: Field of expertise.

54
00:03:36,120 --> 00:03:40,719
Speaker 1: So when I was just a small boy, actually, my

55
00:03:40,840 --> 00:03:44,599
dad he worked as a control room technician offshore at

56
00:03:45,080 --> 00:03:48,280
ConocoPhillips, or back then it was called Phillips.

57
00:03:48,919 --> 00:03:52,479
So when I was only two years three years old,

58
00:03:52,520 --> 00:03:56,199
in nineteen seventy seven, he was working at the Bravo

59
00:03:57,560 --> 00:04:00,680
offshore oil and gas platform and I don't remember

60
00:04:00,719 --> 00:04:04,960
this of course back then, but it was always a

61
00:04:05,000 --> 00:04:08,639
topic around the dinner table at my home where he

62
00:04:08,960 --> 00:04:11,280
talked about how it was working in the oil and

63
00:04:11,280 --> 00:04:15,080
gas business. So in nineteen seventy seven, he was on

64
00:04:15,120 --> 00:04:19,519
his way out to the platform when the big Bravo

65
00:04:19,879 --> 00:04:24,120
blowout happened. He had not actually, he hadn't arrived at

66
00:04:24,120 --> 00:04:26,519
the platform, but he was on his way out there.

67
00:04:27,000 --> 00:04:30,680
So it really was a big topic around the dinner

68
00:04:30,720 --> 00:04:36,720
table all the time about safety risks involved in oil

69
00:04:36,720 --> 00:04:42,839
and gas. So I was always listening with my small

70
00:04:42,879 --> 00:04:46,279
ears back then, being a bit fascinated about this world.

71
00:04:46,360 --> 00:04:49,600
I didn't see the real danger in it, but I

72
00:04:49,720 --> 00:04:53,360
was trying to picture it in my mind what it

73
00:04:53,519 --> 00:04:58,800
was to actually work in these kind of environments. So

74
00:04:59,680 --> 00:05:02,040
I was kind of primed back when I was

75
00:05:02,319 --> 00:05:06,319
just a small, small boy, and later on when I

76
00:05:06,360 --> 00:05:10,920
moved into the I was more into computers, so I

77
00:05:10,959 --> 00:05:14,079
did a lot of gaming and programming on Commodore 64

78
00:05:14,160 --> 00:05:17,360
four and I started to work in equinor on the

79
00:05:17,399 --> 00:05:21,800
IT side. But I was still fascinated about the

80
00:05:21,839 --> 00:05:25,120
core business being oil and gas and production and exploration.

81
00:05:25,720 --> 00:05:29,639
So when I actually got my first trip offshore, I

82
00:05:29,720 --> 00:05:33,000
kind of felt that the circle was closed and I

83
00:05:33,040 --> 00:05:36,439
saw the big world, the industrial world that my dad

84
00:05:36,920 --> 00:05:40,319
had been talking about for several years, and the kind

85
00:05:40,319 --> 00:05:43,480
of the risk perspectives also kicked in the first thing

86
00:05:43,600 --> 00:05:46,040
you meet when you step on board such a platform

87
00:05:46,160 --> 00:05:49,319
is the HSE focus, a lot of focus on HSE,

88
00:05:49,879 --> 00:05:53,519
and it's for a reason. And I fully got to

89
00:05:53,600 --> 00:05:57,920
understand that first when I actually came on board such

90
00:05:58,000 --> 00:06:01,680
a facility, I understood why it's so important because it's

91
00:06:01,839 --> 00:06:05,000
it can be really dangerous if you don't have control

92
00:06:05,079 --> 00:06:08,360
over what you're doing. So that's when I actually saw

93
00:06:08,439 --> 00:06:11,920
the big scale of risk as a perspective.

94
00:06:12,639 --> 00:06:15,920
Speaker 3: Yeah, offshore platforms are intense. I've never set foot on

95
00:06:15,920 --> 00:06:20,920
one myself, but I've heard the stories. It's, yeah, absolutely,

96
00:06:21,079 --> 00:06:26,120
environment and this is I mean we're talking about industrial

97
00:06:26,279 --> 00:06:31,639
cyber security. So you know offshore platforms are intense in

98
00:06:31,720 --> 00:06:35,279
terms of physical risk. Can you talk about cyber risk?

99
00:06:35,720 --> 00:06:41,240
Speaker 1: Yeah, absolutely, it's an emerging topic. So when I was

100
00:06:41,279 --> 00:06:44,680
working in Statoil, when it was called Statoil, now it's Equinor,

101
00:06:45,439 --> 00:06:51,800
we started to look into that area around twenty ten,

102
00:06:51,920 --> 00:06:55,600
twenty and eleven. I still remember the day when people

103
00:06:55,680 --> 00:06:58,639
came charging into the meeting room and they started talking

104
00:06:58,639 --> 00:07:02,360
about the news of Stuxnet. So that was, I

105
00:07:02,360 --> 00:07:05,600
think we got to hear about it. In twenty ten,

106
00:07:05,720 --> 00:07:08,240
I was working on the IT side and I was

107
00:07:08,480 --> 00:07:12,920
responsible for large parts of our Windows infrastructure in

108
00:07:12,959 --> 00:07:16,800
the company, and we started to I started to look

109
00:07:16,839 --> 00:07:21,160
into what this SCADA thing is, what is it. I didn't

110
00:07:21,160 --> 00:07:24,279
know about PLCs. I had never seen a PLC. I

111
00:07:24,319 --> 00:07:27,600
didn't know that there was actually other kind of digital

112
00:07:27,639 --> 00:07:33,879
equipment operating critical infrastructure. So with Stuxnet, I started to

113
00:07:33,920 --> 00:07:38,240
dive into the landscape of OT cybersecurity and also as

114
00:07:38,240 --> 00:07:42,759
a company, we started a big journey back then on

115
00:07:43,560 --> 00:07:48,920
really making OT much more cyber secure, and Stuxnet was

116
00:07:49,279 --> 00:07:51,160
kind of a kickstart for it.

117
00:07:54,600 --> 00:07:59,360
Speaker 2: Andrew, it feels like maybe there are certain kinds of

118
00:07:59,680 --> 00:08:03,120
seminal cybersecurity incidents in the OT world

119
00:08:03,680 --> 00:08:07,000
we talk, we reference often the two thousand and seven

120
00:08:07,040 --> 00:08:12,519
Aurora test, maybe, you know, Triton and Industroyer. But Stuxnet

121
00:08:12,600 --> 00:08:16,920
net is that foundational thing that you know, set the

122
00:08:16,959 --> 00:08:18,600
timeline for everybody.

123
00:08:18,199 --> 00:08:23,959
Speaker 3: Right indeed, and you know I was active in the space.

124
00:08:24,000 --> 00:08:27,519
I mean I was leading the team at Industrial Defender

125
00:08:27,879 --> 00:08:31,079
building the world's first industrial SIEM at the time, so

126
00:08:31,160 --> 00:08:34,039
Stuxnet was big news. I did a lot of work

127
00:08:34,080 --> 00:08:36,279
on Stuxnet. I had a blog at the time,

128
00:08:36,399 --> 00:08:38,600
you know, every time I learned something new about it,

129
00:08:38,639 --> 00:08:41,759
because somebody had published a report, somebody had published another blog.

130
00:08:41,799 --> 00:08:44,879
I'd done a little research on my own, I'd published this.

131
00:08:46,240 --> 00:08:51,879
I published a paper on how Stuxnet spread because

132
00:08:51,919 --> 00:08:55,279
you know, analysis had been done of the artifact, you know,

133
00:08:55,480 --> 00:08:59,120
the malware, but it had been done by IT people

134
00:08:59,240 --> 00:09:02,039
at Symantec, at, I think, ESET, a bunch

135
00:09:02,039 --> 00:09:05,120
of people had analyzed the malware, and you know, that's

136
00:09:05,159 --> 00:09:07,600
work I couldn't do. I'm not a

137
00:09:07,639 --> 00:09:12,679
reverse analyst. But I sat down with Joel Langill, I

138
00:09:12,720 --> 00:09:17,919
sat down with Eric Byres, and we investigated the impact

139
00:09:17,960 --> 00:09:20,480
that Stuxnet would have in a network. What would

140
00:09:20,559 --> 00:09:22,080
happen if you let this thing loose in

141
00:09:22,080 --> 00:09:25,639
a network? Given our understanding of the Siemens systems. Joel

142
00:09:25,679 --> 00:09:28,360
was an expert on the Siemens systems, you know, Eric

143
00:09:28,399 --> 00:09:31,279
and I were sort of more expert more generally on

144
00:09:31,279 --> 00:09:36,039
on, you know, firewalls and industrial systems. So we all

145
00:09:36,080 --> 00:09:38,799
contributed to this paper and you know, said, here's what

146
00:09:38,799 --> 00:09:42,480
happens if you let loose Stuxnet into an industrial network.

147
00:09:44,080 --> 00:09:47,679
And you know, in hindsight, I have to wonder if

148
00:09:47,879 --> 00:09:51,039
we didn't do, you know, more damage than good.

149
00:09:51,600 --> 00:09:54,120
You know, because a lot of people learned stuff about

150
00:09:54,120 --> 00:09:57,720
Stuxnet, but there was only one outfit that benefited,

151
00:09:57,840 --> 00:10:00,799
and that was Iran's nuclear weapons program was the only

152
00:10:01,440 --> 00:10:03,840
you know, site in the world that was physically impacted.

153
00:10:03,879 --> 00:10:06,840
So I, you know, I regret some of the stuff

154
00:10:06,879 --> 00:10:08,679
that I published about Stuxnet.

155
00:10:09,559 --> 00:10:12,799
Speaker 2: Do you recall if that research got traction, whether it

156
00:10:12,919 --> 00:10:14,679
might have gotten over there or is there no way

157
00:10:14,720 --> 00:10:15,080
to tell?

158
00:10:15,480 --> 00:10:19,440
Speaker 3: I have no way to tell. I do recall a conversation,

159
00:10:19,600 --> 00:10:22,799
you know, sometime later, you know, because I'm a Canadian,

160
00:10:22,919 --> 00:10:26,799
I work with the Canadian authorities. I remember a conversation

161
00:10:26,879 --> 00:10:32,840
with Canadian Intelligence services and I remember, you know, asking them,

162
00:10:33,279 --> 00:10:37,519
you know, I've I've stopped, you know, at one point,

163
00:10:38,039 --> 00:10:40,759
when I figured out that there's only one place in

164
00:10:40,799 --> 00:10:44,720
the world that's physically benefiting from my research, I stopped

165
00:10:44,759 --> 00:10:49,240
publishing anything about Stuxnet. And I remember sometime after that

166
00:10:49,399 --> 00:10:52,879
talking to Canadian intelligence saying, you know, I've stopped publishing

167
00:10:52,879 --> 00:10:55,000
anything about Stuxnet. You don't have to tell me

168
00:10:55,039 --> 00:10:59,480
nothing in the future. If you ever see me putting

169
00:10:59,559 --> 00:11:04,039
out anything that's helping our enemies, tap me on the shoulder,

170
00:11:04,039 --> 00:11:06,720
would you and tell me shut up? Ginter, you're doing

171
00:11:06,759 --> 00:11:09,960
more harm than good and I will shut up. So yeah,

172
00:11:10,000 --> 00:11:12,279
I, you know, I look back on Stuxnet with

173
00:11:12,679 --> 00:11:15,200
mixed emotions. It was a wake up call for the industry.

174
00:11:15,519 --> 00:11:17,639
You know a lot of people learned about cybersecurity because

175
00:11:17,639 --> 00:11:23,960
of Stuxnet. But who benefited because of all that research? Okay,

176
00:11:24,000 --> 00:11:25,919
so that's, you know, Stuxnet is how a lot

177
00:11:25,919 --> 00:11:27,840
of people got started in the OT space. It was

178
00:11:27,919 --> 00:11:33,799
the big news. Yeah, fifteen years ago. Can I

179
00:11:33,840 --> 00:11:36,840
ask you, you know, let's talk about industrial security

180
00:11:36,879 --> 00:11:40,879
and the work you're doing, the work you've been doing.

181
00:11:42,240 --> 00:11:44,600
Stuxnet is where it got started. Where have you

182
00:11:44,600 --> 00:11:46,080
wound up? What are you up to today?

183
00:11:46,919 --> 00:11:50,279
Speaker 1: Yeah, it's as you say, it's fifteen years and

184
00:11:50,360 --> 00:11:53,759
it's been for me. I think it's been a very

185
00:11:53,759 --> 00:11:58,159
interesting journey. So but back in twenty ten, when

186
00:11:58,240 --> 00:12:02,600
Stuxnet hit the news, I wasn't immediately diving

187
00:12:02,600 --> 00:12:06,200
into OT cybersecurity full time. I was working on the

188
00:12:06,240 --> 00:12:11,080
IT side, trying to secure a Windows environment in a large

189
00:12:11,080 --> 00:12:16,159
oil and gas company. But shortly after a while I

190
00:12:16,320 --> 00:12:19,320
moved more and more over to OT cybersecurity, and I

191
00:12:19,360 --> 00:12:22,919
had my first trip offshore oil and gas platform. I

192
00:12:22,960 --> 00:12:25,799
think that first trip was in twenty thirteen, so actually

193
00:12:25,879 --> 00:12:28,399
three years after Stuxnet. But then I was

194
00:12:28,440 --> 00:12:31,679
going out just to do some troubleshooting on a firewall.

195
00:12:32,559 --> 00:12:37,639
So but more and more I was moving into OT cybersecurity,

196
00:12:37,960 --> 00:12:40,559
and at the end I was I moved over to

197
00:12:40,600 --> 00:12:44,279
Sopra Steria, I think it was in twenty seventeen, and at

198
00:12:44,279 --> 00:12:49,799
the end I was really working hard on finding really

199
00:12:50,000 --> 00:12:56,799
proper solutions for OT cybersecurity. When potential nation states

200
00:12:56,840 --> 00:13:01,120
are targeting, what do you then do if you must

201
00:13:01,440 --> 00:13:05,600
sort of have their mindset of assume breach and these

202
00:13:05,679 --> 00:13:08,240
kind of systems with the PLCs, and they are

203
00:13:08,279 --> 00:13:10,879
really, really vulnerable, what do you do when you are

204
00:13:11,120 --> 00:13:17,200
being targeted? So then I started to look into I

205
00:13:17,240 --> 00:13:20,240
heard rumors that could there could be something that was

206
00:13:20,320 --> 00:13:25,360
non-hackable, so I started investigating unidirectional data

207
00:13:25,440 --> 00:13:29,399
diodes, was exposed to Waterfall. That was one of the

208
00:13:29,440 --> 00:13:33,240
first examples of where I heard about non-hackable stuff.

209
00:13:34,039 --> 00:13:39,799
And also I got to hear about the Crown Jewel

210
00:13:39,919 --> 00:13:45,240
analysis, cyber-informed engineering. Back then it was consequence-driven

211
00:13:45,360 --> 00:13:49,600
cyber-informed engineering. But those kind of topics really, really

212
00:13:50,080 --> 00:13:52,919
sparked an extra interest for me because then I saw

213
00:13:54,159 --> 00:13:57,240
on some attack vectors, on some of the risks. I

214
00:13:57,279 --> 00:14:00,919
saw actually a solution that could remove risk instead of

215
00:14:01,039 --> 00:14:02,120
just mitigating it.

216
00:14:02,840 --> 00:14:06,720
Speaker 3: So your first sort of foray, you know, everyone

217
00:14:07,080 --> 00:14:09,639
was interested in Stuxnet, but you started working on

218
00:14:09,679 --> 00:14:13,679
the problem. You said, with a firewall, And you know,

219
00:14:13,960 --> 00:14:16,879
to a degree that makes sense. I mean the firewall,

220
00:14:17,000 --> 00:14:21,399
the IT/OT firewall, is often the boundary between the engineering discipline

221
00:14:22,000 --> 00:14:26,240
on the platform in the industrial process and the IT discipline,

222
00:14:26,279 --> 00:14:29,240
where information is the asset that needs to be protected,

223
00:14:30,519 --> 00:14:33,759
and so that boundary is something that both the engineers

224
00:14:33,799 --> 00:14:37,519
and the IT folk care about. So that kind of

225
00:14:37,519 --> 00:14:40,360
makes sense. I'm curious. You know, you got out to

226
00:14:40,440 --> 00:14:43,679
the platform, you were tasked with the firewall. What did

227
00:14:43,720 --> 00:14:44,360
you find there?

228
00:14:44,840 --> 00:14:49,480
Speaker 1: Yeah, it was actually kind of a long-lasting

229
00:14:49,519 --> 00:14:51,960
ticket we had in our system that was a firewall

230
00:14:52,039 --> 00:14:55,279
between IT and OT that was noisy. So it was

231
00:14:56,120 --> 00:15:01,679
creating a lot of events and alert on traffic that

232
00:15:01,879 --> 00:15:05,559
it shouldn't have. So I was tasked to go out

233
00:15:05,559 --> 00:15:10,320
there and try to trouble shoot this. We we absolutely

234
00:15:10,399 --> 00:15:13,679
didn't think that it was a cyber attack or or

235
00:15:13,759 --> 00:15:18,279
kind of evil intent, but it was an incorrectly configured firewall rule.

236
00:15:18,639 --> 00:15:22,519
But when I got out there, I could see that

237
00:15:22,720 --> 00:15:30,480
it was just an incorrectly configured firewall, there was nothing,

238
00:15:30,159 --> 00:15:35,440
not anything dangerous or a cyber attack involved. But I

239
00:15:35,559 --> 00:15:40,240
also got to think of a scenario where if it

240
00:15:40,360 --> 00:15:44,879
had actually been a cyber attack and one that created

241
00:15:45,000 --> 00:15:48,399
so much noise as well on a security boundary, a

242
00:15:48,480 --> 00:15:54,360
security component sitting on the outskirts of OT, shouldn't the

243
00:15:54,399 --> 00:15:57,919
OT environment do something to sort of shut down or

244
00:15:58,000 --> 00:16:00,399
go into a more fail-safe situation. So I got

245
00:16:00,639 --> 00:16:05,679
kind of interested in actually the instrumentation behind your security

246
00:16:05,759 --> 00:16:11,120
components on the outskirts of OT. So that's a topic

247
00:16:11,240 --> 00:16:15,559
I continued to explore for several years, having in the

248
00:16:15,600 --> 00:16:20,240
back of my mind cyber-informed engineering, non-hackable approaches,

249
00:16:20,399 --> 00:16:26,559
unidirectional mechanisms. And at S4 last year, I talked

250
00:16:26,559 --> 00:16:31,720
about the safety instrumented system because safety has always been

251
00:16:31,720 --> 00:16:37,159
a particular interest of mine, so I talked about the

252
00:16:37,320 --> 00:16:43,159
cyber-informed safety instrumented system. Shouldn't the safety instrumented system

253
00:16:43,600 --> 00:16:47,279
at some point when you're under an attack, shouldn't the

254
00:16:48,360 --> 00:16:51,039
sort of the big brain in the room, shouldn't that

255
00:16:51,120 --> 00:16:55,799
actually take an action, an instrumented automated action, and going

256
00:16:55,840 --> 00:16:59,879
into a more, not necessarily fail-safe only, but a

257
00:17:00,200 --> 00:17:04,799
more fail over to a more safe and secure situation.

258
00:17:05,839 --> 00:17:08,319
Speaker 3: So that makes sense in theory. I mean, if the

259
00:17:08,359 --> 00:17:11,319
firewall was saying help, help, I'm under attack over and

260
00:17:11,359 --> 00:17:15,240
over again, should some action not have taken place on

261
00:17:15,279 --> 00:17:17,920
the OT side. But let me ask you this, it

262
00:17:18,039 --> 00:17:20,640
was a false positive. Yes, it would have shut down

263
00:17:20,640 --> 00:17:26,079
the platform, you know, a very expensive platform unnecessarily. Can

264
00:17:26,160 --> 00:17:32,279
we detect cyber attacks reliably enough to prevent this kind

265
00:17:32,319 --> 00:17:37,440
of unnecessary shutdown? You know? And you know if we

266
00:17:37,519 --> 00:17:40,519
do shut down whenever there's a bunch of alarms, is

267
00:17:40,519 --> 00:17:44,119
that not a new sort of denial of service vulnerability?

268
00:17:44,119 --> 00:17:46,400
The bad guys don't even need to get into OT.

269
00:17:46,960 --> 00:17:49,359
They just need to launch a few packets at that firewall,

270
00:17:49,440 --> 00:17:52,279
generate some alarms, and the whole thing shuts down without

271
00:17:52,319 --> 00:17:55,559
them even bothering to break into OT. Is that really

272
00:17:55,599 --> 00:17:57,240
the right way forward? No?

273
00:17:57,720 --> 00:18:01,279
Speaker 1: I totally agree, it's not a good course going forward.

274
00:18:02,720 --> 00:18:05,640
But at the same time, I think to shut down

275
00:18:05,799 --> 00:18:09,680
one too many times is better than not actually doing it.

276
00:18:09,960 --> 00:18:16,880
So we should be kind of overreacting and going into

277
00:18:16,920 --> 00:18:22,039
fail-safe situation and it could cause unnecessary downtime and

278
00:18:22,079 --> 00:18:25,839
it could, it's a vulnerability on the production side, but

279
00:18:25,920 --> 00:18:29,599
I think it's much more dangerous with the false negatives

280
00:18:30,160 --> 00:18:35,119
where we actually don't see any attacks, but it's it's

281
00:18:35,359 --> 00:18:38,920
actually happening. So false positives, we need to reduce them.

282
00:18:38,960 --> 00:18:42,480
But it's much more important to actually reduce the false negatives.

283
00:18:45,720 --> 00:18:48,319
Speaker 3: So Nate, just listening to the recording here. I mean,

284
00:18:48,319 --> 00:18:50,640
this is not something I discussed with Kenneth, but we

285
00:18:50,640 --> 00:18:55,799
were talking about, you know, automatic action when we discovered

286
00:18:55,799 --> 00:18:57,960
that an attack might be in progress, for example, because

287
00:18:57,960 --> 00:18:59,960
there's a lot of alarms coming out of the firewall.

288
00:19:01,640 --> 00:19:05,519
You know, he agreed with me that shutting down the

289
00:19:05,559 --> 00:19:09,680
platform is probably an overreaction because you know, that introduces

290
00:19:09,720 --> 00:19:11,759
a new attack vector. The bad guys just need to

291
00:19:11,799 --> 00:19:14,680
send a few packets against the firewall, generate a few alarms,

292
00:19:14,839 --> 00:19:18,319
and the whole platform shuts down. I agreed with him

293
00:19:18,359 --> 00:19:22,319
that something should be done, but we didn't really figure

294
00:19:22,319 --> 00:19:26,880
out what. You know, here's an idea. In hindsight, A

295
00:19:26,960 --> 00:19:31,240
number of jurisdictions are introducing what they call islanding rules,

296
00:19:31,559 --> 00:19:37,119
meaning if IT is compromised, you need to, you know, basically,

297
00:19:37,200 --> 00:19:40,519
I don't know, power off the IT/OT firewall, nothing

298
00:19:40,880 --> 00:19:45,039
gets through into OT anymore for the duration of the emergency,

299
00:19:45,319 --> 00:19:49,680
so you have the ability to shut off all communications

300
00:19:49,720 --> 00:19:52,519
into OT. This is part of you know, the regulation

301
00:19:52,599 --> 00:19:54,359
says you must be able to island, So now you

302
00:19:54,400 --> 00:19:57,240
have that capability. You know, I wonder if it isn't

303
00:19:57,359 --> 00:20:04,359
reasonable to trigger islanding when you discover, you know,

304
00:20:04,480 --> 00:20:07,200
automatically discover a whole bunch of alarms coming out of anything.

305
00:20:07,240 --> 00:20:10,559
Because the modern attack pattern most of them of modern

306
00:20:10,640 --> 00:20:12,440
day attacks are not like Stuxnet where you let

307
00:20:12,480 --> 00:20:14,160
it loose and it does its thing. Most of modern day

308
00:20:14,200 --> 00:20:17,039
attacks have remote control from the Internet. And if you island,

309
00:20:17,039 --> 00:20:20,519
if you break the connection between IT and OT, if

310
00:20:20,599 --> 00:20:23,319
there was an attack in the OT network, the bad

311
00:20:23,359 --> 00:20:25,759
guys can no longer control it, they can no longer

312
00:20:25,799 --> 00:20:29,160
send commands. So, and this is not new.

313
00:20:29,200 --> 00:20:32,240
The term islanding is a little bit new. The concept

314
00:20:32,359 --> 00:20:35,839
of sort of an automatic shutoff has been bandied about

315
00:20:35,839 --> 00:20:39,880
for many years. But again, given that the regulators are

316
00:20:39,880 --> 00:20:44,680
demanding an islanding capability, you know, maybe engaging it automatically

317
00:20:44,680 --> 00:20:47,640
from time to time is not the worst thing that

318
00:20:47,640 --> 00:20:51,000
can happen. It increases our security and the impact on

319
00:20:51,079 --> 00:20:56,920
operations is minimal because you've you've deployed the ability to

320
00:20:57,079 --> 00:21:02,279
island already, you've developed the capability of running your OT system

321
00:21:02,319 --> 00:21:06,400
independently, and so, you know, interrupting that communication for

322
00:21:06,440 --> 00:21:08,359
a period of hours at a time while you track

323
00:21:08,400 --> 00:21:11,160
things down and say, oh, that was a false alarm.

324
00:21:12,079 --> 00:21:17,079
I'm guessing is you know, minimal cost. So there's an idea.

325
00:21:18,880 --> 00:21:22,440
Let's come back to our topic here. The topic is credibility.

326
00:21:24,000 --> 00:21:27,720
You know, we're talking about the risk equation. The typical

327
00:21:27,799 --> 00:21:33,559
risk equation is consequence times likelihood. You know, generally

328
00:21:33,559 --> 00:21:36,200
we do it qualitatively, but we wind up with

329
00:21:36,240 --> 00:21:39,799
a number coming out of that to compare different

330
00:21:39,880 --> 00:21:43,400
kinds of risks, you know, high frequency versus high

331
00:21:43,440 --> 00:21:49,720
impact risks. You know, can you talk about that? Where

332
00:21:49,720 --> 00:21:52,799
does credibility fit in that equation?

333
00:21:53,519 --> 00:21:57,279
Speaker 1: I think it fits very well into that equation because

334
00:21:59,039 --> 00:22:01,920
when we talk about the likelihood or the

335
00:22:01,920 --> 00:22:04,839
probability part of it, the left side of the equation.

336
00:22:05,319 --> 00:22:11,000
It's always a very very difficult conversation to have when

337
00:22:11,039 --> 00:22:15,480
you try to identify the risk or the risk levels

338
00:22:15,480 --> 00:22:18,240
we are talking about, or you try to identify the

339
00:22:18,319 --> 00:22:23,279
consequence levels involved. It's sad to see that a lot

340
00:22:23,279 --> 00:22:27,240
of the conversations they go astray due to not being

341
00:22:27,319 --> 00:22:30,759
able to put the number on the probability or the likelihood.

342
00:22:31,240 --> 00:22:35,319
And I think the conversation gets to be much more

343
00:22:35,319 --> 00:22:39,079
fruitful if we can get rid of that challenge on

344
00:22:39,160 --> 00:22:41,640
trying to figure out the number on the probability or

345
00:22:41,640 --> 00:22:48,039
the likelihood. Credibility gives us tools in our language to

346
00:22:48,160 --> 00:22:51,559
actually be able to talk about the left part of

347
00:22:51,640 --> 00:22:56,200
the equation. So it's something that is a bit more

348
00:22:56,240 --> 00:23:02,000
analog, an analog value, where we can move more towards

349
00:23:02,039 --> 00:23:06,839
the consequence approach, the consequence-driven, where the right side

350
00:23:06,839 --> 00:23:10,519
of the equation is more important to talk about. As

351
00:23:10,599 --> 00:23:13,960
long as you get, if you consider it being credible,

352
00:23:14,359 --> 00:23:19,319
then okay, let's stop the discussion there and focus on

353
00:23:19,440 --> 00:23:21,440
identify the consequence levels.

354
00:23:22,160 --> 00:23:25,960
Speaker 3: Well, you know I have to agree. You know, I've

355
00:23:26,319 --> 00:23:31,480
argued in my last book that likelihood

356
00:23:31,519 --> 00:23:35,960
is flawed at the high end of cyber attacks, not

357
00:23:36,000 --> 00:23:38,799
the low end. At the low end, likelihood actually works. At the

358
00:23:38,920 --> 00:23:43,599
high end, the outcomes of cyber attacks are not random.

359
00:23:43,880 --> 00:23:47,160
If the same ransomware hits a factory twice, and we've

360
00:23:47,160 --> 00:23:49,400
always done is restore from backup. It took them down

361
00:23:49,480 --> 00:23:52,839
the first time. We restore from backup, we make no changes.

362
00:23:53,559 --> 00:23:55,839
It hits again, They're going to go down the same way.

363
00:23:55,920 --> 00:23:59,960
It's not random. I argue that on the high end,

364
00:24:00,519 --> 00:24:04,759
Nation state targeting is not random either. You know, it's

365
00:24:04,759 --> 00:24:07,720
not that they try for a while and they if

366
00:24:07,759 --> 00:24:10,200
they don't succeed, they you know, go try somewhere else.

367
00:24:11,799 --> 00:24:17,519
Nation state threat actors keep targeting the same target until

368
00:24:17,519 --> 00:24:20,880
they achieve their mission objective. It's not random. Once they've

369
00:24:20,920 --> 00:24:25,720
targeted you, it's not random. So you know, randomness, to me,

370
00:24:25,799 --> 00:24:32,119
doesn't work at the high end. Credibility makes more sense.

371
00:24:32,200 --> 00:24:35,440
You know, is the threat credible? Is the consequence credible?

372
00:24:35,440 --> 00:24:37,559
If this threat comes after us, it's this attack comes

373
00:24:37,559 --> 00:24:40,920
after us. Is it reasonable to believe? You know, credibility

374
00:24:41,000 --> 00:24:44,119
is what's reasonable to believe, not who what's reasonable to believe?

375
00:24:44,160 --> 00:24:46,720
Is it reasonable to believe that the consequence will be realized?

376
00:24:48,799 --> 00:24:50,839
You know, I think it makes a lot of sense,

377
00:24:50,880 --> 00:24:54,440
but it's it's new. I don't see the word credibility

378
00:24:54,440 --> 00:25:01,000
in a lot of standards. You know, where does this it? What? What

379
00:25:01,559 --> 00:25:05,319
you know? Is this is this something people are talking about.

380
00:25:06,480 --> 00:25:06,720
Speaker 1: Yeah.

381
00:25:06,759 --> 00:25:07,400
Speaker 2: Absolutely.

382
00:25:08,920 --> 00:25:12,799
Speaker 1: In my work with with the clients I've been working

383
00:25:12,839 --> 00:25:15,759
with and also the professionals I've been working with, we

384
00:25:15,880 --> 00:25:19,839
have discussed for some years now that the or we

385
00:25:19,920 --> 00:25:23,039
have discussed the big challenge of the likelihood or the

386
00:25:23,039 --> 00:25:29,000
probability part of the equation, and we've we've without actually

387
00:25:29,039 --> 00:25:35,759
having having without following standards or best practices, we've seen

388
00:25:35,839 --> 00:25:39,640
that we need to skip the discussion on the probability

389
00:25:39,759 --> 00:25:42,559
or the likelihood and talk about the consequence side of

390
00:25:42,599 --> 00:25:47,079
it first, and then we revisit the likelihood and probability afterwards.

391
00:25:47,319 --> 00:25:50,000
But I also see in IEC 62443,

392
00:25:51,200 --> 00:25:56,119
especially with three dash two, it actually talks about consequence

393
00:25:56,240 --> 00:26:05,960
only risk analysis, So that's giving opportunity to actually move

394
00:26:06,000 --> 00:26:09,759
away from the discussions on probability. And also, of course

395
00:26:09,799 --> 00:26:13,640
with the consequence driven approach with cyber informed engineering, we

396
00:26:13,720 --> 00:26:17,039
start to see more focus on the far right side

397
00:26:17,079 --> 00:26:21,519
with the consequence consequence side, but leaving out.

398
00:26:22,759 --> 00:26:24,599
Speaker 3: What to do with the likelihood.

399
00:26:24,880 --> 00:26:29,519
Speaker 1: And I think with credibility we get some language based

400
00:26:29,599 --> 00:26:34,519
tools to actually place it where we talk about it

401
00:26:34,720 --> 00:26:38,200
in a qualitative manner instead of having to force it

402
00:26:38,599 --> 00:26:39,599
into a number.

403
00:26:40,799 --> 00:26:45,519
Speaker 3: I have the sense that over time, in the course

404
00:26:45,559 --> 00:26:51,519
of time, cyber attacks become more sophisticated, More sophisticated attacks

405
00:26:51,559 --> 00:26:54,759
become credible. Attacks that were dismissed a decade ago as

406
00:26:54,960 --> 00:26:59,279
theoretical have actually happened. Do you see that, you know,

407
00:26:59,319 --> 00:27:02,279
what do you see coming at us in terms of

408
00:27:02,519 --> 00:27:04,960
sophisticated attacks in the near future?

409
00:27:05,000 --> 00:27:10,640
Speaker 1: Here, I think that's a really challenging question looking far

410
00:27:10,720 --> 00:27:14,480
into the future or or far into the into the

411
00:27:14,559 --> 00:27:19,519
history to try to extrapolate what could we expect from

412
00:27:19,559 --> 00:27:20,079
the future.

413
00:27:20,480 --> 00:27:21,640
Speaker 3: We see with with.

414
00:27:21,759 --> 00:27:29,599
Speaker 1: Stuxnet, the attacks against Ukraine, Triton, the Colonial Pipeline,

415
00:27:30,039 --> 00:27:34,720
we see incidents that have had a really high impact,

416
00:27:35,160 --> 00:27:38,960
but there's not very many of them. So but but

417
00:27:39,119 --> 00:27:46,039
we see it's those kind of capabilities are being explored

418
00:27:46,359 --> 00:27:50,759
and are being put into different tools so they can

419
00:27:50,799 --> 00:27:55,559
be used by not only nation states but also criminal groups.

420
00:27:56,279 --> 00:28:00,359
So with with that kind of analysis, we can expect

421
00:28:01,039 --> 00:28:05,720
more and more sophisticated attacks and also buy more and

422
00:28:05,880 --> 00:28:10,720
more non sophisticated groups. So we should expect increase in

423
00:28:11,799 --> 00:28:13,519
high impact incidents.

424
00:28:13,519 --> 00:28:16,039
Speaker 3: So if we're not talking likelihood, we're not talking probability,

425
00:28:16,279 --> 00:28:20,400
we're talking credible. How do we decide what's credible? How

426
00:28:20,400 --> 00:28:22,519
do we decide what's reasonable to believe?

427
00:28:24,000 --> 00:28:29,440
Speaker 1: Yeah, that's a good question. So we need to have

428
00:28:29,559 --> 00:28:34,039
some grasp of what is credible and what is not credible.

429
00:28:34,640 --> 00:28:42,160
I'm also of the opinion that the credibility part of

430
00:28:42,200 --> 00:28:47,200
the equation. It's a qualitative thing. It's not a zero

431
00:28:47,440 --> 00:28:51,640
or one. It's something that is attached to a kind

432
00:28:51,680 --> 00:28:56,400
of a slippery slope, not easily defined. But what we

433
00:28:56,440 --> 00:29:02,599
could say, if we are trying to see credibility as

434
00:29:02,599 --> 00:29:06,640
a zero or one, what is credible? Things that have happened,

435
00:29:06,880 --> 00:29:10,319
actually have happened once or twice or three times, they

436
00:29:10,359 --> 00:29:16,400
are credible. So the Triton incident or a safety only

437
00:29:16,759 --> 00:29:21,880
type of cybersecurity attack, that's now a credible attack because

438
00:29:21,920 --> 00:29:25,640
it has happened. And also near misses. That's something that

439
00:29:26,200 --> 00:29:28,759
Triton was kind of a near miss. They didn't actually

440
00:29:28,880 --> 00:29:35,000
cause this destructive attack, but it could have happened, and

441
00:29:35,079 --> 00:29:40,680
so we also have other near miss incidents that we

442
00:29:41,079 --> 00:29:44,799
should be considering as credible attacks.

443
00:29:45,519 --> 00:29:49,119
Speaker 3: Credibility sounds like a judgment call. How do we decide what's

444
00:29:48,960 --> 00:29:55,920
Speaker 1: Credible? That's a good question. I think there are good

445
00:29:56,960 --> 00:30:00,680
recommendations in 62443, for instance, three

446
00:30:00,759 --> 00:30:06,960
dash two. It talks about, like I said, the consequence

447
00:30:07,079 --> 00:30:09,839
only as an example on how how you can approach

448
00:30:09,920 --> 00:30:14,480
the risk equation. But it also talks about the need

449
00:30:14,680 --> 00:30:20,200
for focusing on worst case consequences. So there's it talks

450
00:30:20,240 --> 00:30:23,920
about essential functions, which basically it could be the safety

451
00:30:23,920 --> 00:30:29,079
functions for instance, you need to investigate the consequence if

452
00:30:29,119 --> 00:30:33,200
those are are actually attacked and compromised, what could be

453
00:30:33,240 --> 00:30:37,000
the worst case consequence? So you begin there and then

454
00:30:37,359 --> 00:30:41,039
once you identify the worst case consequences, then you move

455
00:30:41,079 --> 00:30:47,440
over to the probability or likelihood dimension. And then then

456
00:30:47,480 --> 00:30:49,000
you need to consider other factors.

457
00:30:49,480 --> 00:30:50,319
Speaker 2: So what are the.

458
00:30:50,359 --> 00:30:54,960
Speaker 1: Vulnerabilities involved, what are the safeguards and or what the

459
00:30:55,000 --> 00:30:59,400
standard is talking about your compensating countermeasures, you consider that

460
00:31:00,119 --> 00:31:04,640
you consider the function or the asset as well that

461
00:31:05,319 --> 00:31:09,279
if there's if there's no actual interest in the asset,

462
00:31:09,440 --> 00:31:16,119
then the vulnerability could be also non interesting to address

463
00:31:16,680 --> 00:31:21,839
or analyze. So but you start with the consequence side.

464
00:31:22,319 --> 00:31:24,759
Then you start to look at the likelihood and probability,

465
00:31:26,359 --> 00:31:31,200
and you are informed by the consequence approach.

466
00:31:31,920 --> 00:31:34,799
Speaker 3: Okay, so let me challenge you on that. I've read

467
00:31:34,960 --> 00:31:39,039
the CIE Implementation Guide. It says start with the

468
00:31:39,079 --> 00:31:43,279
worst case consequences. It says those words. I've not seen

469
00:31:43,319 --> 00:31:46,079
those words in three dash two. Are you sure that

470
00:31:46,400 --> 00:31:49,160
you're not reading in the three dash two to be there.

471
00:31:49,640 --> 00:31:52,720
Speaker 1: I've been searching for that specific part of three dash

472
00:31:52,759 --> 00:31:56,200
two many times because because I've heard others say that

473
00:31:56,359 --> 00:32:00,799
the same, and it's actually there. It's really gold nuggets

474
00:32:00,839 --> 00:32:05,200
in three dash two talking about the essential functions, specifically

475
00:32:05,240 --> 00:32:09,400
saying the worst case consequence and also specifically saying that

476
00:32:09,519 --> 00:32:13,400
you can choose to do a consequence only risk assessment.

477
00:32:13,559 --> 00:32:20,160
So that's really really important. Single words or single sentences

478
00:32:20,279 --> 00:32:24,880
in three dash two so worth highlighting in the three

479
00:32:24,960 --> 00:32:25,359
dash two.

480
00:32:26,440 --> 00:32:29,480
Speaker 3: Okay, so that makes sense in the abstract. Can you

481
00:32:29,519 --> 00:32:33,519
give me some examples what you know applying these principles,

482
00:32:33,680 --> 00:32:36,240
what should we regard as credible?

483
00:32:36,960 --> 00:32:41,039
Speaker 1: Yeah? Interesting question. I think that the things that come

484
00:32:41,079 --> 00:32:48,720
to mind first is, for instance, the Triton incident before

485
00:32:48,839 --> 00:32:51,880
twenty seventeen, where when it actually happened, we didn't think

486
00:32:52,000 --> 00:32:55,759
it was credible that someone would actually target a safety

487
00:32:55,799 --> 00:32:59,240
only system or cause a safety incident with a cyber

488
00:32:59,240 --> 00:33:04,240
attack with Triton it we actually saw the first first

489
00:33:04,279 --> 00:33:10,720
of its kind and the threat became obviously credible. And

490
00:33:10,759 --> 00:33:14,519
then SolarWinds as well. It's a very interesting study

491
00:33:15,000 --> 00:33:19,160
where the way they actually compromised the SolarWinds update

492
00:33:19,319 --> 00:33:30,240
mechanism suddenly massive, massive deployment of kind of malware within

493
00:33:30,759 --> 00:33:35,440
critical and non critical infrastructure became a really credible threat

494
00:33:35,599 --> 00:33:36,039
as well.

495
00:33:36,559 --> 00:33:37,680
Speaker 3: And also near misses.

496
00:33:37,720 --> 00:33:41,079
Speaker 1: Of course, we should be informed by things happening out

497
00:33:41,119 --> 00:33:45,480
there and coming on the news that are near misses

498
00:33:45,640 --> 00:33:48,200
that can talk about talk to us about what is

499
00:33:48,240 --> 00:33:51,799
a credible threat. Another kind of near miss that I

500
00:33:51,839 --> 00:33:56,480
think or it's not a near miss, but it's scenarios

501
00:33:56,599 --> 00:34:00,519
or incidents that could talk about credibility is is where

502
00:34:00,559 --> 00:34:05,480
we actually have a safety incident. For instance, we have

503
00:34:06,200 --> 00:34:08,519
had lots of them in Norwegian oil and gas and

504
00:34:08,559 --> 00:34:12,719
in oil and gas in general. It's safety incidents

505
00:34:12,800 --> 00:34:16,639
where we which is not cyber related at all, but

506
00:34:16,760 --> 00:34:20,199
where we see that it's it could be able to

507
00:34:20,280 --> 00:34:24,039
be replicated by a cyber attack. So that's something that

508
00:34:24,079 --> 00:34:28,519
we should be considering as a credible threat going forward,

509
00:34:28,840 --> 00:34:33,840
where we actually could replicate the cyber or the incident

510
00:34:34,320 --> 00:34:38,960
with the cyber. Of course, on credibility, I also think we

511
00:34:39,000 --> 00:34:43,440
need to put have in the back of our mind

512
00:34:43,559 --> 00:34:46,840
or in the analysis, we have to have focus on

513
00:34:47,280 --> 00:34:51,719
the technology evolution to development and sharing of new technology.

514
00:34:52,039 --> 00:34:55,599
So I see it as a graph where where we

515
00:34:55,639 --> 00:35:00,760
are exposed to more and more heavy machine or heavy

516
00:35:01,800 --> 00:35:05,480
software that can be used on the adversary side, So

517
00:35:05,639 --> 00:35:10,639
with Kali Linux, Metasploit, nowadays also AI. So what

518
00:35:10,760 --> 00:35:15,480
is being becoming a credible threat threat is more and

519
00:35:15,559 --> 00:35:22,159
more sophisticated stuff due to development of technology. So AI

520
00:35:22,480 --> 00:35:26,599
now is on both sides of the table, both as

521
00:35:26,639 --> 00:35:31,840
an attacker, as a tool that makes more more attacks credible,

522
00:35:32,480 --> 00:35:34,599
but also on the on the defensive side where we

523
00:35:34,679 --> 00:35:40,679
actually need to use it to to protect against more

524
00:35:40,679 --> 00:35:42,480
and more sophisticated attacks.

525
00:35:45,320 --> 00:35:47,199
Speaker 3: Let me go just a little bit deeper into into

526
00:35:47,280 --> 00:35:50,079
Kenneth's last example. I remember talking to him about this

527
00:35:51,039 --> 00:35:57,119
two days before I recorded the session with Kenneth. I

528
00:35:57,280 --> 00:36:01,960
was at another event, you know, I had a half

529
00:36:02,039 --> 00:36:04,800
hour speaking slot. I was, you know, listening politely to

530
00:36:04,840 --> 00:36:08,000
the other speakers, I remember, and one of the speakers

531
00:36:08,039 --> 00:36:10,599
was a penetration tester. I remember asking the pen tester

532
00:36:10,719 --> 00:36:14,280
a question about AI and his answer alarmed me. And

533
00:36:14,320 --> 00:36:16,679
you know, I discussed it with Kenneth. I discussed it with

534
00:36:16,840 --> 00:36:22,039
other people, since you know, the future is is difficult.

535
00:36:23,440 --> 00:36:26,159
I asked the AI you know, the pen tester, so

536
00:36:26,239 --> 00:36:28,639
you know you touched on AI. What should we look

537
00:36:28,679 --> 00:36:31,519
for from AI going forward? And I asked, you know,

538
00:36:31,559 --> 00:36:35,519
should we worry about about AI crafting phishing attacks because

539
00:36:35,800 --> 00:36:37,679
I've heard of that happening. Should we worry about AI

540
00:36:37,880 --> 00:36:41,440
helping the bad guys write malware to write more sophisticated malware,

541
00:36:41,440 --> 00:36:44,199
because I've heard of that happening, you know. And I paused,

542
00:36:44,679 --> 00:36:47,639
and his answer was, Andrew, you're not thinking hard enough

543
00:36:47,639 --> 00:36:51,000
about this problem. You know. Yeah, that stuff's happening. But

544
00:36:51,079 --> 00:36:55,079
what you need to worry about is somebody taking a

545
00:36:55,159 --> 00:36:59,400
Kali Linux ISO image. This is the Linux disc

546
00:36:59,440 --> 00:37:02,719
image that every body uses. All the pen testers use

547
00:37:03,400 --> 00:37:10,000
lots of attack tools, he says, taking that gigabyte of ISO image,

548
00:37:10,440 --> 00:37:13,719
you know, coupling it, adding it together with two gigabytes

549
00:37:13,880 --> 00:37:17,480
of AI. Model and the model has not been trained

550
00:37:17,480 --> 00:37:20,599
on natural language and creating phishing attacks. The model has

551
00:37:20,639 --> 00:37:27,400
been trained by watching professional pen testers attack OT systems

552
00:37:27,800 --> 00:37:29,480
mostly in test beds. I mean, this is what pen

553
00:37:29,559 --> 00:37:32,360
testers do. They take a test bed that is a

554
00:37:32,400 --> 00:37:34,519
copy of a system that they're supposed to be, you know,

555
00:37:34,840 --> 00:37:36,679
doing the pen test on No one that does the

556
00:37:36,679 --> 00:37:38,280
pen test on a live system. They do it on

557
00:37:38,320 --> 00:37:40,960
a test bed. They use the Kali Linux tools, They attack

558
00:37:41,039 --> 00:37:43,840
the system and demonstrate how you can get into the

559
00:37:43,880 --> 00:37:47,719
system and cause it to bring about simulated physical consequences.

560
00:37:47,719 --> 00:37:50,920
So you've taught this AI model how to use the

561
00:37:51,000 --> 00:37:54,599
Kali Linux tools to attack OT systems, to brick stuff and

562
00:37:54,599 --> 00:37:59,079
bring about physical consequences. You take that training model, couple

563
00:37:59,079 --> 00:38:01,159
it with the image, wrap it up in you know,

564
00:38:01,320 --> 00:38:03,880
enough code to run the image as a sort of

565
00:38:04,159 --> 00:38:08,000
kind of embedded virtual machine to run the the the

566
00:38:08,039 --> 00:38:14,559
AI model, the million by million matrix of you know numbers,

567
00:38:14,599 --> 00:38:17,760
that is a neural network. Run the neural network, run

568
00:38:17,800 --> 00:38:21,320
the Kali Linux image, and have the AI operate the

569
00:38:21,360 --> 00:38:24,960
tools to attack a real OT system. Drop that three

570
00:38:25,079 --> 00:38:27,239
three and a half gigabytes of attack code on an

571
00:38:27,239 --> 00:38:31,920
OT asset, start it and walk away, and it will

572
00:38:32,000 --> 00:38:34,719
figure out what's there. It will figure out how to

573
00:38:34,760 --> 00:38:36,840
attack it. It will figure out how to bring about

574
00:38:36,840 --> 00:38:42,519
physical consequences. I heard that and I thought, crap, that's nasty.

575
00:38:42,960 --> 00:38:45,840
You know, back in the day, Stuxnet was autonomous. It

576
00:38:45,960 --> 00:38:50,639
did its thing, but it was a massive investment to

577
00:38:50,920 --> 00:38:54,840
produce an asset, a piece of malware that did its

578
00:38:54,880 --> 00:39:00,440
thing without human intervention. This strikes me as again, something

579
00:39:00,440 --> 00:39:03,199
that will do its thing without human intervention and it

580
00:39:03,199 --> 00:39:05,880
will figure out as it goes. It's one investment you

581
00:39:05,880 --> 00:39:11,880
can leverage across hundreds of different kinds of targets. I

582
00:39:11,960 --> 00:39:15,199
was alarmed. This is something I'm thinking about going forward.

583
00:39:15,960 --> 00:39:19,400
You know. It's to me, this is a credible threat.

584
00:39:19,400 --> 00:39:21,280
This is something we only need to worry about. I

585
00:39:21,280 --> 00:39:25,760
don't know that this thing exists yet, but I'm pretty

586
00:39:25,760 --> 00:39:31,679
sure it will in five years. Is everything credible? What,

587
00:39:32,239 --> 00:39:34,440
in your mind is not a credible threat?

588
00:39:34,480 --> 00:39:40,000
Speaker 1: At this point, I would think that large scale destructive

589
00:39:40,119 --> 00:39:44,840
attacks on big machinery is not something that I would

590
00:39:44,880 --> 00:39:48,719
consider a credible attack. But it also goes back to

591
00:39:49,000 --> 00:39:52,000
the motivation of the threat actor. For instance, if you

592
00:39:52,079 --> 00:39:56,719
have a small municipality, I would see that really heavy

593
00:39:56,840 --> 00:40:01,440
sophisticated cyber attacks, a lot of them wouldn't be actually

594
00:40:01,599 --> 00:40:05,159
credible due to the target not being interesting for such

595
00:40:05,159 --> 00:40:10,880
a threat actor. So large scale destructive attacks is something

596
00:40:10,960 --> 00:40:14,920
that in a lot of scenarios wouldn't be a credible attack.

597
00:40:15,679 --> 00:40:22,639
And then we have, for instance, large scale blackout is

598
00:40:23,960 --> 00:40:26,960
quite an interesting story nowadays because a couple of weeks ago,

599
00:40:27,039 --> 00:40:30,480
I would think that it wasn't actually a credible attack.

600
00:40:31,719 --> 00:40:35,519
Once we now see that it can happen. For instance,

601
00:40:35,599 --> 00:40:39,079
with Spain, it wasn't probably not a cyber attack, but

602
00:40:39,239 --> 00:40:43,199
it was something that happened on the consequence side. If

603
00:40:43,199 --> 00:40:46,559
we can show that or identify that it actually can

604
00:40:46,599 --> 00:40:50,360
be caused by a cyber attack, then that suddenly, nowadays,

605
00:40:50,760 --> 00:40:55,559
within the last week, has become a credible attack. And

606
00:40:55,599 --> 00:41:00,960
also swarm kind of attacks. I hear discussions on that

607
00:41:01,119 --> 00:41:04,880
from time to time where they see talk about whether

608
00:41:04,920 --> 00:41:09,280
it's a credible thing where you attack at millions of cars.

609
00:41:10,760 --> 00:41:13,000
As of now, I don't see that as a credible attack,

610
00:41:13,119 --> 00:41:17,719
but things can change, you know.

611
00:41:17,760 --> 00:41:21,960
Speaker 2: It's an interesting statement he made there that large scale

612
00:41:21,960 --> 00:41:26,519
attacks on heavy machinery isn't credible. You know, when I

613
00:41:26,559 --> 00:41:29,400
think about what we're talking about on this podcast. The

614
00:41:29,400 --> 00:41:34,360
purpose of OT security presumably is that there are significant

615
00:41:34,440 --> 00:41:39,760
risks to really important machines at large scale. But maybe

616
00:41:39,800 --> 00:41:45,159
at this point we've covered that.

617
00:41:45,199 --> 00:41:48,159
Speaker 3: That's a good point. I think one of the lessons

618
00:41:48,159 --> 00:41:50,880
here is that determining what is and is not credible

619
00:41:51,119 --> 00:41:54,519
is a judgment call. Okay, different experts are going to disagree.

620
00:41:56,239 --> 00:41:59,360
I've you know, a few years ago, I saw research

621
00:41:59,400 --> 00:42:06,039
published saying, look, here's let's take for the sake of argument,

622
00:42:06,119 --> 00:42:08,320
the possibility of attacking a I don't know, a chemical

623
00:42:08,360 --> 00:42:12,239
plant and you know, causing a toxic discharge. And the

624
00:42:12,280 --> 00:42:16,760
researchers concluded that it was theoretically possible, but it was

625
00:42:17,119 --> 00:42:20,199
such an enormous amount of effort on the on the

626
00:42:20,199 --> 00:42:22,440
part of the adversary, all of which would have to

627
00:42:22,440 --> 00:42:24,960
go on undetected by the site. They said, you know,

628
00:42:25,039 --> 00:42:27,320
in the end, I just don't know that this is

629
00:42:27,639 --> 00:42:31,159
reasonable to believe that this will ever happen. So, you know,

630
00:42:31,199 --> 00:42:35,559
that was one site, one one data point. But again,

631
00:42:36,119 --> 00:42:39,039
you know, there are the experts. Experts disagree. This is

632
00:42:39,039 --> 00:42:42,079
the what I learned on the very first book I wrote.

633
00:42:42,159 --> 00:42:47,800
I got wildly different feedback from different internationally recognized experts.

634
00:42:49,679 --> 00:42:57,079
Here's here's an insight to me. This means that when

635
00:42:57,119 --> 00:43:01,840
we make judgments about credibility, we probably have to be

636
00:43:01,920 --> 00:43:03,480
We have to make you know, if we're going to

637
00:43:03,519 --> 00:43:05,679
make a mistake, make a mistake on the side of caution,

638
00:43:05,960 --> 00:43:10,360
err on the side of caution. Because different experts have

639
00:43:10,400 --> 00:43:14,320
different opinions, we might be wrong. You know, every expert

640
00:43:14,480 --> 00:43:17,559
has to be honest enough to admit that we might

641
00:43:17,599 --> 00:43:21,400
be wrong and build a margin for error into their

642
00:43:21,519 --> 00:43:25,880
judgment of what's credible. So even if we don't believe that,

643
00:43:26,000 --> 00:43:28,400
you know, an attack that I don't know destroys a

644
00:43:28,440 --> 00:43:32,880
turbine is credible, we might want to take some reasonable

645
00:43:33,039 --> 00:43:38,280
defenses to against you know, such a not terribly credible

646
00:43:38,320 --> 00:43:41,480
attack in our opinion, But we might want to deploy

647
00:43:41,960 --> 00:43:47,880
defenses anyway, just because we might be wrong. And you

648
00:43:47,880 --> 00:43:50,880
know this, this is something that is also being discussed.

649
00:43:50,880 --> 00:43:53,000
It's how big a margin for error do we need

650
00:43:53,039 --> 00:43:56,840
to build into our planning. I mean, I talk to

651
00:43:56,840 --> 00:44:01,039
a gentleman who produces who designs pedestrian bridges. I said,

652
00:44:01,440 --> 00:44:03,880
how do you calculate the maximum load? He says, that's easy, Andrew,

653
00:44:03,840 --> 00:44:06,400
you build a barrier to either side of the bridge.

654
00:44:07,119 --> 00:44:10,599
Vehicles can't get on the bridge. Most people are less

655
00:44:10,599 --> 00:44:12,840
than two meters tall. Most people are mostly water. You

656
00:44:12,960 --> 00:44:15,119
model two meters of water the width of the bridge,

657
00:44:15,119 --> 00:44:17,039
the length of the bridge, that's your maximum load. And

658
00:44:17,079 --> 00:44:20,199
then he says and then he says, you multiply that

659
00:44:20,239 --> 00:44:22,719
by eight, and you build the bridge to carry the

660
00:44:22,800 --> 00:44:26,679
multiplied load. Because these are people we're talking about, it

661
00:44:26,760 --> 00:44:30,960
is unacceptable for the bridge to fail under load. And

662
00:44:31,000 --> 00:44:34,360
so this is the margin for error that engineers routinely

663
00:44:34,400 --> 00:44:39,480
build into their safety calculations. I believe we as experts

664
00:44:39,480 --> 00:44:42,199
in cybersecurity need to build a margin for error into

665
00:44:42,199 --> 00:44:47,360
our security planning as well. One of the things that

666
00:44:47,760 --> 00:44:52,280
appeals to me very much about the credibility concept is

667
00:44:53,039 --> 00:44:57,599
using the concept to communicate with non technical decision makers

668
00:44:57,639 --> 00:45:01,440
like boards and directors. You do this, you have experience

669
00:45:01,480 --> 00:45:03,119
with this? Can you talk about your experience?

670
00:45:03,760 --> 00:45:06,079
Speaker 1: Yeah. I think it's interesting when when we talk to

671
00:45:06,559 --> 00:45:13,840
talk to board members and the CxOs in different companies,

672
00:45:13,880 --> 00:45:18,480
they then they don't necessarily go into details about risk,

673
00:45:18,599 --> 00:45:22,039
but they know that they have a special accountability. So

674
00:45:22,599 --> 00:45:26,639
when we talk about credibility for those kind of people,

675
00:45:26,880 --> 00:45:30,920
they are getting more on board with the discussions. They

676
00:45:30,960 --> 00:45:35,800
know they have a special accountability. They draw the line

677
00:45:35,840 --> 00:45:39,880
in the sand. For instance, if the potential consequence is

678
00:45:39,920 --> 00:45:45,480
that somebody would die, then that's a non acceptable risk

679
00:45:45,920 --> 00:45:49,519
and they take on that kind of position due to

680
00:45:49,599 --> 00:45:54,920
their accountability as board members or heads of the company.

681
00:45:55,599 --> 00:46:03,320
And they also are being accountable for from from the

682
00:46:03,320 --> 00:46:07,679
the government and from this for the society. So some

683
00:46:07,920 --> 00:46:11,239
some risks when it comes to the consequence side. If

684
00:46:11,280 --> 00:46:16,039
if we talk about people dying, then that's absolutely not

685
00:46:16,639 --> 00:46:21,400
acceptable risk for the society. And the representatives for for

686
00:46:21,800 --> 00:46:27,159
that kind of approaches is elected persons in the government

687
00:46:27,840 --> 00:46:31,719
and they put the heads of the company or the

688
00:46:31,719 --> 00:46:34,960
board of directors as accountable for that on top of

689
00:46:35,039 --> 00:46:35,519
the company.

690
00:46:36,320 --> 00:46:41,280
Speaker 3: So that makes sense. You know, boards care about consequences

691
00:46:41,400 --> 00:46:44,719
that the business or the society is going to find unacceptable.

692
00:46:45,159 --> 00:46:47,719
You didn't use the word credible. How does credibility fit

693
00:46:47,840 --> 00:46:50,519
into acceptability when you're communicating with the board.

694
00:46:51,719 --> 00:46:55,320
Speaker 1: Yeah, we don't have to defend against all possible cyber attacks.

695
00:46:55,360 --> 00:46:58,920
What we do have to protect against is the credible ones.

696
00:46:59,360 --> 00:47:02,480
So when we bring credibility in as a concept, then

697
00:47:02,559 --> 00:47:08,880
it's something that communicates communicates much better for the board

698
00:47:08,880 --> 00:47:11,960
of directors and the head of head of the companies.

699
00:47:13,599 --> 00:47:16,719
Speaker 3: This has been good, but you know, it's it's a

700
00:47:16,760 --> 00:47:19,400
field big enough that I fear we've missed something. You know,

701
00:47:19,679 --> 00:47:22,119
let me ask you an open question. What should I

702
00:47:22,159 --> 00:47:22,920
have asked you? Here?

703
00:47:23,760 --> 00:47:28,320
Speaker 1: We've been talking about credibility. Credibility is what is reasonable

704
00:47:28,400 --> 00:47:33,280
to believe. But it's not enough to talk about reasonable attacks.

705
00:47:33,400 --> 00:47:37,760
We also need to be talking about reasonable defense. So

706
00:47:37,840 --> 00:47:40,920
what is a reasonable defense. We then need to be

707
00:47:41,320 --> 00:47:44,360
considering or taking all the tools.

708
00:47:45,599 --> 00:47:46,519
Speaker 3: We need to use, all the.

709
00:47:46,480 --> 00:47:50,920
Speaker 1: Tools at our disposal for a reasonable defense, and nowadays

710
00:47:51,400 --> 00:47:55,719
that also obviously includes AI on the defensive side, not

711
00:47:55,760 --> 00:47:59,440
only on the offensive side. This is also a very

712
00:47:59,440 --> 00:48:02,480
important part part of me of the reason for me

713
00:48:02,760 --> 00:48:08,280
joining Omni. So Omni is built on our security knowledge graph,

714
00:48:08,559 --> 00:48:12,039
so it's a data model where we can put all

715
00:48:12,079 --> 00:48:15,800
information we need about our assets, on the vulnerabilities, on

716
00:48:15,840 --> 00:48:19,880
the network topologies, on the threats, the threat actors. So

717
00:48:19,920 --> 00:48:23,039
it becomes a digital representation or a digital twin of

718
00:48:23,119 --> 00:48:27,079
our assets. Combining that with AI, which we have built

719
00:48:27,079 --> 00:48:30,960
in from the beginning, we get a very strong assistant

720
00:48:31,079 --> 00:48:34,599
on security where it matters most.

721
00:48:35,639 --> 00:48:38,079
Speaker 3: This has been great. Thank you Kenneth for joining us

722
00:48:38,840 --> 00:48:40,519
before I let you go. Can I ask you to

723
00:48:40,599 --> 00:48:43,119
sum up for our listeners? What should we take away

724
00:48:43,119 --> 00:48:44,199
from this episode?

725
00:48:44,960 --> 00:48:47,280
Speaker 1: Thank you Andrew for having me, and thank you so

726
00:48:47,400 --> 00:48:50,519
much for being here in Norway and visiting us at

727
00:48:50,559 --> 00:48:55,079
our office. So we've had a good conversation about consequence,

728
00:48:55,599 --> 00:49:01,440
the focus on the worst case consequences, where we moved

729
00:49:01,440 --> 00:49:09,639
over to talking about credibility, replacing the likelihood concept with credibility,

730
00:49:09,800 --> 00:49:14,320
especially for high impact stuff where we don't have the

731
00:49:14,360 --> 00:49:19,400
probability or the data to talk about it. We also

732
00:49:19,440 --> 00:49:28,000
talked about reasonable attacks and reasonable defenses. So what is

733
00:49:28,039 --> 00:49:38,800
a reasonable defense against increasingly credible, sophisticated attacks with high consequences.

734
00:49:39,360 --> 00:49:43,559
So it's been a really good discussion about all of

735
00:49:43,599 --> 00:49:48,119
these topics. If people wanted to know more about these

736
00:49:48,199 --> 00:49:55,239
topics or they want to discuss them, please connect with

737
00:49:55,320 --> 00:49:59,000
me on LinkedIn. Message me there. I'm more than

738
00:49:59,000 --> 00:50:03,280
happy to discuss these topics. Please visit our webpage

739
00:50:03,800 --> 00:50:08,480
omnisecurity dot com. Our platform addresses most of these topics

740
00:50:08,519 --> 00:50:09,719
we talked about today.

741
00:50:13,159 --> 00:50:15,880
Speaker 2: Andrew, that just about does it for your conversation with

742
00:50:16,079 --> 00:50:19,360
Kenneth Tittelstad. Do you have any final words you would

743
00:50:19,360 --> 00:50:21,920
like to take out our episode with today.

744
00:50:22,840 --> 00:50:25,760
Speaker 3: Yeah, I mean we've talked about credibility, and

745
00:50:25,880 --> 00:50:28,599
this is a concept that is relevant to sort of

746
00:50:28,599 --> 00:50:31,840
the high end of sophisticated attacks, the high end of

747
00:50:32,840 --> 00:50:39,000
of consequence. But you know, I'm not sure. Let me

748
00:50:39,159 --> 00:50:41,559
try and give a very simple example.

749
00:50:41,599 --> 00:50:44,159
I mean, I was raised in Brooks, Alberta,

750
00:50:45,119 --> 00:50:47,639
a little town, you know, ten thousand people in the middle

751
00:50:47,679 --> 00:50:51,599
of nowhere, literally an hour's drive from any larger population center.

752
00:50:53,440 --> 00:50:56,079
You know, in terms of cyber threats, let's pick

753
00:50:56,159 --> 00:50:58,159
on, I don't know, the Russian military. Does

754
00:50:58,159 --> 00:51:02,880
the Russian military have the money to buy three absolute

755
00:51:02,960 --> 00:51:06,840
cyber gurus, train them up on water systems, plant them

756
00:51:06,880 --> 00:51:10,000
as a sleeper cell in the workforce of the town

757
00:51:10,039 --> 00:51:12,719
of Brooks water treatment system, have them sit on their

758
00:51:12,719 --> 00:51:15,920
hands for three years, and after three years, using the

759
00:51:15,920 --> 00:51:19,199
passwords they've gained, the trust they've gained and the expertise

760
00:51:19,239 --> 00:51:22,280
that they have, have them launch a crippling cyber attack

761
00:51:22,360 --> 00:51:25,039
that damages equipment, that takes the water treatment system

762
00:51:25,079 --> 00:51:29,760
down for forty five days. Is that a credible threat? Well,

763
00:51:29,840 --> 00:51:33,000
the Russians have the money to do that it's you know,

764
00:51:33,039 --> 00:51:36,400
they have the capability to do that, but you have

765
00:51:36,480 --> 00:51:39,719
to ask, why would they bother? I mean, this is

766
00:51:39,760 --> 00:51:42,280
a little agricultural community, there's a little bit of oil

767
00:51:42,280 --> 00:51:46,599
and gas activity. Why would they bother? That does not

768
00:51:46,800 --> 00:51:49,480
seem to be It does not seem to be reasonable

769
00:51:49,519 --> 00:51:52,679
to launch that kind of attack against the town of Brooks.

770
00:51:52,960 --> 00:51:55,400
It just makes no sense. I don't see that as

771
00:51:55,440 --> 00:51:59,320
a credible threat. Is that a credible threat for the

772
00:51:59,360 --> 00:52:02,400
water treatment system in the city of Washington, D.C.,

773
00:52:02,920 --> 00:52:06,840
home of the Pentagon? I do think that's a credible threat.

774
00:52:06,920 --> 00:52:10,039
So the question of what's credible is an important question

775
00:52:10,159 --> 00:52:12,880
that I see more and more people asking in risk

776
00:52:12,880 --> 00:52:15,960
analysis going forward. You know, we have to figure out

777
00:52:15,960 --> 00:52:20,599
what's credible for us? You know, what capabilities do

778
00:52:20,679 --> 00:52:24,480
our adversaries have? What kind of assets are we protecting,

779
00:52:24,480 --> 00:52:27,320
what kind of defenses do we have deployed? What makes sense?

780
00:52:27,360 --> 00:52:30,199
What's reasonable to believe in terms of the bad guys

781
00:52:30,280 --> 00:52:33,119
coming after us? This is an important question going forward,

782
00:52:33,440 --> 00:52:36,400
and I see lots of people discussing it. I'm grateful

783
00:52:36,440 --> 00:52:39,800
for the chance to explore the concept here with Kenneth.

784
00:52:40,440 --> 00:52:43,159
Speaker 2: Well, thanks to Kenneth for exploring this with us, and

785
00:52:43,159 --> 00:52:45,360
Andrew, as always, thank you for speaking with me.

786
00:52:46,039 --> 00:52:47,320
Speaker 3: It's always a pleasure. Thank you, Nate.

787
00:52:48,360 --> 00:52:52,480
Speaker 2: This has been the Industrial Security podcast from Waterfall. Thanks

788
00:52:52,480 --> 00:53:00,760
to everyone out there listening inst

