février 6, 2024

EP 45 – OT Security’s Digital Makeover

In this episode of Trust Issues, the conversation revolves around the challenges and transformations in operational technology (OT) security. Guest Mike Holcomb, the Fellow of Cybersecurity and the ICS/OT Cybersecurity Lead at Fluor shares insights with host David Puner on securing legacy systems, the impact of generative AI – and the evolving threat landscape. From addressing security challenges in manufacturing plants to the skills gap in OT cybersecurity, the episode provides an overview of the current state and future prospects of securing critical infrastructure. Holcomb also emphasizes the importance of identity in OT security and offers practical advice for organizations looking to enhance their cybersecurity posture. Check out the episode to explore the dynamic intersection of IT and OT – and how it spotlights the urgent need for robust cybersecurity measures in an evolving digital landscape.

[00:00:00.300] – David Puner
You’re listening to the Trust Issues podcast. I’m David Puner, a Senior Editorial Manager at CyberArk, the global leader in Identity Security.

[00:00:09.860] – David Puner
Hello, and welcome to another episode of Trust Issues. Today, we’re focusing on operational technology, or OT, which is the term used to describe the systems that control physical processes and devices in the industrial environments that run the world around us, like power plants, oil and gas facilities, railways, and water treatment plants.

[00:00:50.100] – David Puner
In turn, OT security protects these systems from cyberattacks that could disrupt operations, damage equipment, harm the environment, or endanger human lives. OT cybersecurity is critical for keeping critical infrastructure secured. Vital.

[00:01:07.010] – David Puner
Often, these OT environments have weak or outdated security in place. While threat actors may not target OT environments as frequently as corporate IT environments, when attacked, the impact can be massive. OT cyberattacks have become more frequent and diverse in recent years involving ransomware groups, hacktivists, and other malicious actors.

[00:01:28.740] – David Puner
This brings us to today’s guest, Mike Holcomb, who’s the Fellow of Cybersecurity and the ICS/OT Cybersecurity Global Lead at Fluor, one of the world’s largest engineering, procurement, and construction companies.

[00:01:42.770] – David Puner
One of the main questions Mike addresses in conversation is, what makes OT cybersecurity different from IT cybersecurity? He explains that OT systems have particular characteristics and challenges, that require a different approach and mindset from IT security.

[00:02:00.140] – David Puner
In the end, identity is a common denominator, who and what are assessing resources and systems, and when. He also assesses the current state of OT cyber maturity and gaps and opportunities for improvement, sharing best practices and recommendations for OT cyber defense.

[00:02:18.150] – David Puner
He discusses how OT cyber threats have evolved over time and current trends and challenges. Let’s head into OT. Here’s my conversation with Mike Holcomb. Mike Holcomb, welcome to Trust Issues.

[00:02:36.810] – Mike Holcomb
Thanks, David. I appreciate it.

[00:02:37.820] – David Puner
Thanks very much for coming on to the show. Today, we’re going to talk about OT or operational technology. As the fellow of cybersecurity and the ICS/OT Cybersecurity Global Lead for Fluor, one of the world’s largest engineering procurement and construction companies, I think it probably makes sense to talk to you about that a little bit today.

[00:03:03.960] – David Puner
To start things off, maybe you could briefly take us through a quick tour of how you got into OT and ultimately to your current role and what it entails?

[00:03:14.999] – Mike Holcomb
For me, I’ve grown up a computer nerd since day one, so that’s always what I’ve been and done. I had always also had a focus on security just in the background. It was just always in the back of my mind.

[00:03:28.120] – Mike Holcomb
As I started to get into IT and progress through my career, I just gravitated towards cybersecurity. As I became a cybersecurity practitioner, it was in 2010 where the news of Stuxnet came out. That was where we had the United States and Israeli, two nation states, had targeted a uranium facility in Natanz, Iran. We had two nation states targeting another.

[00:03:57.250] – Mike Holcomb
I wasn’t necessarily concerned with the geopolitical considerations there, but I was really fascinated with how this malware not only got into this type of facility, but how the malware took control over the systems, actually called controllers, that were hooked in to these centrifuges, and the centrifuges that would spin the uranium gas and enrich it to essentially make nuclear weapons.

[00:04:24.590] – Mike Holcomb
I was just really fascinated with that. Then it became this question about, well, how does this work in power plants? How does it work in water treatments? What about airports and railways? The list just goes on and on, and just started to think and look in everywhere in our daily lives what’s impacted.

[00:04:46.390] – Mike Holcomb
I started having conversations with people that worked in these environments and that maintained and that were maybe supposed to be responsible for cybersecurity. Again, this was back in 2010, 2011.

[00:04:59.770] – David Puner
It should be pointed out probably that wasn’t just your moment of awareness with all of this. It’s generally considered to be the moment when IT tech and its inherent complexity and risk came to light in a greater sense, right?

[00:05:14.120] – Mike Holcomb
Exactly. It was that big watershed moment, I think, for a lot of people around the world, from nation-state attackers to definitely cybersecurity professionals. That at least for those of us that are interested, becoming interested at that point in time for sure.

[00:05:32.160] – David Puner
At this point in the conversation, it’s probably good to level set and to ask you what OT is actually, and how OT cybersecurity has evolved in the last few years. Presumably, digital transformation has played a role in some of this?

[00:05:49.580] – Mike Holcomb
Digital transformation is a big part of that conversation. When we talk about operational technology as a whole, I always think of in its most simple form a smart thermostat these days.

[00:06:04.500] – Mike Holcomb
Smart thermostat is just another computer. It’s got a processor, it has memory, little storage. Then that computer is a little bit specialized in that it has additional wires that go out into the real world and then connect into other systems. It’ll connect into, let’s say, a sensor to be able to tell what the temperature is in the room.

[00:06:27.430] – Mike Holcomb
Then on the computer, on the thermostat, it has what you call a set point. You can set the desired temperature that you want in the room. I always wanted 70 degrees in the room. If it was my girlfriend, it would be 65 degrees. That way, we set the thermostat.

[00:06:45.820] – Mike Holcomb
Then if the room becomes too warm, if we go above that set point, then the logic, the programming in the thermostat will send a signal out that wire that’s connected to the air conditioning unit and talk to the air conditioning unit, and then it’ll turn it on. Then at the same time, the computer or alluded to a programmable logic controller or a PLC.

[00:07:14.580] – Mike Holcomb
It’s just sitting there, and it’s running this logic saying, « What’s the temperature? Are we too high, too low? » Or, « Okay, now we’re back to, let’s say, 70 degrees, send a signal to turn off the air conditioner. » That’s operational technology in a very simple example. Then you can take that and apply it to other places in the world, like a power plant.

[00:07:35.910] – Mike Holcomb
I can have OT, or then when we get into, I think, a little higher or industrial-type environments, that’s usually when we talk about industrial control systems, but they work exactly the same way. That you have a computer, that it’s wired into all these different types of systems and processes. That way, when I want to, let’s say, generate electricity at a power plant by bringing in maybe natural gas, and I mix that with oxygen, and I’m going to go ahead and create some steam, and I’m going to turn a turbine, and then turns a generator to actually generate electricity, all of those systems and all those processes are automated through operational technology.

[00:08:20.100] – David Puner
You mentioned wiring. How then, if you take the wires out of the equation, and you bring IoT into the equation and IoT devices with that smart thermostat, how does that factor into OT and OT security?

[00:08:33.930] – Mike Holcomb
It’s a much bigger conversation. We try to separate… With IoT, I like to focus on IoT for the most part as consumer devices, or we can say at least they’re devices that require internet connectivity really for their full functionality at the end of the day. We don’t typically are going to see IoT in OT or industrial control environments.

[00:08:59.410] – Mike Holcomb
What we are seeing, and this is one of those changes that you were starting to ask about, is we are seeing what we call industrial internet of things. That’s where we are taking at least data from the OT environment, so the power plants and the petrochemical facilities and the railways of the world, and pumping them up to the cloud. That way we can do things like predictive analytics to determine when those parts are going to break down, and we want to replace them before they fail. That’s one way to look at it.

[00:09:32.100] – Mike Holcomb
That is definitely a change. Then, of course, we talk about, « Yeah, we’re just going to hook up our power plant or a train or a railway to the internet. It doesn’t necessarily sound like a great idea, so we need to make sure we do that as securely as possible. »

[00:09:48.070] – David Puner
Are you doing all these things at Fluor? You’ve got a very long title as the fellow of cybersecurity and the ICS/OT, cybersecurity global lead for Fluor. I need to take an extra breath to say it. Are you doing all these things?

[00:10:01.640] – Mike Holcomb
Yes. The IIoT is definitely new. We work with some of the larger customers in the world, the Shells, the BPs, the Saudi Aramco, and SABICs. We build and maintain and operate some of the largest control systems, networks, and environments in the world.

[00:10:20.100] – Mike Holcomb
We are seeing, and this has really just picked up over the last couple of years, along at the same time as all the cybersecurity has really started to become highlighted and a concern for the owners and the operators of these environments.

[00:10:37.150] – Mike Holcomb
It is interesting that security is getting a much bigger, I guess, plug these days. At the same time, we are seeing this, really, the explosion of other technologies and architectures like industrial internet of things and being able to send data to the cloud to do things like predictive analytics.

[00:10:56.130] – David Puner
You probably get to interact with an awful lot of things going on in the world in that role. One of the things that struck me as I was diving into the prep for this episode is it seems that OT is somewhat overlooked in a sense. Maybe, and I don’t know whether you agree or disagree with that, I’ll have you hold your thought for just a moment, maybe it might be worth exploring that and how OT differs from IT, which seems to get quite a bit more attention?

[00:11:28.110] – Mike Holcomb
Yeah, and those are all fair to I say. I’ve been in IT for 25 plus years with almost all that in cybersecurity. Then in OT, let’s say 10 years. Being an OT today reminds me of how IT was about probably 20 years ago or so, maybe a little less these days. To me, it reminds me of when we had the Target Breach.

[00:11:53.000] – David Puner
Okay, how so?

[00:11:53.840] – Mike Holcomb
In IT, back then, prior to the Target Breach, at least for me, I remember not a lot of companies still really took cybersecurity seriously.

[00:12:03.420] – David Puner
This is what, 2014-ish?

[00:12:06.310] – Mike Holcomb
Yeah, that sounds about right. About 10 years ago. There were some, I worked for companies that did, definitely, and especially you had finance firms. I used to work in financial services. You’d have others that, yes, they were on top of the game.

[00:12:20.350] – Mike Holcomb
On the other organizations, I went to telecoms and I worked as a consultant for a year and went in to see different environments. Yeah, most companies started to realize after the Target Breach, they needed to do something about cybersecurity. That’s where we’re at in the OT world. Since we had what they call the Colonial Pipeline event about two and a half years ago.

[00:12:43.810] – Mike Holcomb
Colonial Pipeline is the operator of the largest gasoline pipeline in the United States, and they were taken offline, not by a nation state, but a ransomware group. The back office became infected with ransomware. Someone clicked on the wrong link, opened up the wrong attachment. The entire IT operations, entire IT environment, completely consumed by ransomware, shut down, and then the pipeline went offline.

[00:13:10.770] – Mike Holcomb
The pipeline was down for 10 days, and there were real world repercussions that people could see. Where I live in Greenville, South Carolina, you would go to the gas station, and for that 10-day period, there’d be no gas at that one gas station.

[00:13:25.300] – Mike Holcomb
Now, you could go around the corner and there was a gas station. There was just a super long line if you didn’t go at three o’clock in the morning. It was a lesson where I think a lot of people could actually then see, « Oh, yes, we need to start looking at cybersecurity in OT environments. » Because while there have been things like Stuxnet, Stuxnet didn’t have a real-world impact to us in our daily lives. That was the US and the Israelis going after the Iranians on the other side of the planet. Much different when you go to the gas and there’s no gas.

[00:14:02.460] – David Puner
Suddenly, you’ve got an influx of threat actors trying to exploit OT system vulnerabilities and potentially poor cyber hygiene practices. Is that the gist of it?

[00:14:13.820] – Mike Holcomb
That’s exactly what the position we’re in today is because of the Colonial Pipeline breach. Before then, the only attackers we primarily worried about in OT was the Nation States. You were only worried about China or Russia or the Americans coming after you if you had a power plant or a water treatment facility.

[00:14:36.490] – Mike Holcomb
Now, it’s not only, sure, nation states, that’s almost inconsequential now compared to all the ransomware group operators. We see a lot of hacktivist activity these days, especially between Russia, Ukraine, Israel and Hamas, and other hotspots around the world, as well as just about every other type of attacker out there that wants to get into the fight in some way, shape, or form.

[00:15:01.350] – Mike Holcomb
It’s really a fascinating time to be able to see all these different types of attackers come. Then the other point you mentioned, a lot of these environments haven’t thought about cybersecurity before.

[00:15:13.740] – Mike Holcomb
A lot of them, they don’t have the basics. They have systems that are exposed to the internet with default passwords. The list can go on and on, but we get the idea. A lot of the especially older environments that cybersecurity just wasn’t thought of, or if it was, the bare minimum was done.

[00:15:34.640] – Mike Holcomb
We see a lot of people now that are trying to be able to go in and fit security in where they can in these older environments, which definitely can be a challenge, especially if you have a 30-year-old power plant that you don’t want to make any changes because if it’s not broke, we don’t fix it. It’s that mentality.

[00:15:53.750] – David Puner
It would seem that because of the nature of what OT is, these are potentially super dangerous threats. Not that other cyber threats out there aren’t, but we’re talking about real-world life and death type situations?

[00:16:10.150] – Mike Holcomb
The potential there, yeah, definitely, is for drastic deadly consequences. We try to leave out the FUD and just-

[00:16:18.430] – David Puner
Fear, uncertainty, and doubt, for those who don’t know what the FUD is.

[00:16:22.640] – Mike Holcomb
Yeah, we don’t want to use that fear, uncertainty, and doubt and try to scare you and say, « Oh, the Russians are going to come in, and they’re going to be able to blow up a nuclear power plant. » The chances with that are a trillion to one.

[00:16:34.330] – Mike Holcomb
Now, can you go and cause a local blackout for probably your local neighborhood? Yeah, you can do that really easily. Two different sides of the spectrum. Could somebody bring down the power grid? You hear all these horror stories in the newspaper, but we try to keep it realistic where there’s risk there. The threats are out there. These environments are vulnerable. They are being targeted.

[00:17:03.390] – Mike Holcomb
It’s just a matter of the damage that the attackers have the capability and knowledge to enact and what they actually want to do. These environments are not easy to get into as far as being able to take control over them to a degree where you could cause something to, let’s say, blow up or maybe melt down.

[00:17:25.690] – Mike Holcomb
Maybe I wanted to cause a turbine in the power plant to overload and potentially cause a fire. That could potentially happen. Yeah, it goes back to ultimately in OT versus IT, and I think this is one of the earlier questions, where the compare and contrast.

[00:17:42.280] – Mike Holcomb
In IT, we always talk about ensuring confidentiality of data, integrity of data, availability of data and systems, where in the OT world, it’s physical safety. We’re worried about the people on site. We want to make sure everybody goes home at the end of the day. We want to make sure general public that live in the vicinity are safe. If you live next door to, let’s say, a petrochemical facility, you don’t want to necessarily have to worry about it blowing up in the middle of the night.

[00:18:09.910] – David Puner
Just shifting gears for a moment, is there a friendly rivalry among IT and OT cybersecurity professionals, like cops and firefighters, softball, a situation going on?

[00:18:23.880] – Mike Holcomb
I wish. It’s actually typically the other way around, unfortunately, where it’s It can be a very contentious relationship more often than not, which is unfortunate because I get to see a lot of different environments, mostly larger environments. I see where IT and OT work really well together, and you have a very secure environment.

[00:18:44.520] – Mike Holcomb
Then I’ve seen the other end of the spectrum where they’re either going at it, just fighting all day, every day, or they’re just not talking. It’s like a bad relationship. If you’re not talking or if you’re fighting all the time, you’re not getting anything done, and only the attackers are winning.

[00:19:03.340] – Mike Holcomb
One of the most important aspects of any OT cybersecurity program is getting IT and OT to work together, to be able to secure the environment. What that looks like is very different in each of these environments because every OT environment is completely unique.

[00:19:23.110] – Mike Holcomb
You can go into any IT environment, they’re roughly the same. You got some servers, you got some workstations, you have users, and applications. There’s an internet connection and some data. In OT, you go into a power plant, it’s very different than a petrochemical facility.

[00:19:40.140] – Mike Holcomb
You can go into a power plant, it’s very different than another power plant right just down the street. Every environment looks different. How IT and OT work in these environments is always very different, but we need to work together to be able to secure the environment rather than being at each other’s throats or just not talking because nothing’s getting done.

[00:20:04.460] – David Puner
A lot of what we’ve discussed already has involved critical infrastructure. How much are you thinking about the definition of a critical infrastructure is, considering it’s different across the globe from region to region, country to country? Is there any issue surrounding clarity around what critical infrastructure is?

[00:20:28.310] – Mike Holcomb
It can be confusing at times for people that are just getting into the industry. Sometimes it can be confusing for people like politicians that they’re the ones writing policies and regulations that we have to follow. Sometimes that could take us down interesting pathways. But I think overall, just to think of your critical infrastructure, typically are those industrial control environments. It’s not the thermostats or a small manufacturing facility that creates some type of toy. It’s not something we need to rely on. It’s not critical. We don’t need it for our daily lives.

[00:21:06.350] – Mike Holcomb
But power plants, water treatment facilities, railways, and then you can even get into things like hospitals or like you mentioned, each country defines critical infrastructure sectors for them. The US has 16 right now. For example, India had just added health care, like with hospitals and doctors and offices, etc, as a critical infrastructure. I think in the US, there’s still a big push to make space a new critical infrastructure sector.

[00:21:34.870] – David Puner
That’s interesting.

[00:21:35.500] – Mike Holcomb
Because of all the highlights around, especially, cybersecurity in satellites and other implications in space. It’s a really fascinating area as well.

[00:21:44.170] – David Puner
Are there any particularly unusual examples of what country is determined to be critical infrastructure?

[00:21:49.950] – Mike Holcomb
I haven’t heard of anything particularly strange. Maybe there’s some out there, and I’m just familiar with, and Fluor does business… We build these environments and critical infrastructure in just about every country on the planet. I haven’t heard of anything too crazy. Usually, I think that the crazy thing is just the fact that you might look at a country and they either don’t recognize critical infrastructure or they might recognize one or two things as critical infrastructure. Whereas, again, in the United States, we have 16 critical infrastructure sectors, which includes things like telecommunications and emergency services and even technology, like think massive data centers that allow the internet to run.

[00:22:35.140] – David Puner
Yep. There’s a lot to think about and a lot to cover, that’s for sure. How do you handle security challenges posed by legacy OT systems?

[00:22:43.920] – Mike Holcomb
I always apply the lesson that I learned early on in my career. I had a great mentor that I got the privilege to work for my first real full-time IT cybersecurity job. Dan Crow, he was an ex-Delta Force, ex-Army officer, and he also was a great IT mind. Wi-Fi had just come out at that point. The business is screaming for Wi-Fi. I’m the security guy saying, « No way. This is so [inaudible 00:23:12]. There’s no encryption. Somebody could jump on your network. » I remember Dan was saying, « They’re going to get it one way or the other. The CEO is just going to override you. You want to work with them to do it as securely as possible. » That’s just really stuck with me. When it either came to BYOD in the IT early days or anything, really, it’s going to the cloud or some of those great examples, it’s like, okay, there are risks, or there’s a lot of risk in doing this, but let’s do it as securely as possible.

[00:23:43.240] – Mike Holcomb
That’s the same thing in OT. It’s, okay, I understand that you need to do this. Like manufacturing environments, they want to poke a lot of holes in your infrastructure that introduces potentially a lot of risk.

[00:23:57.720] – Mike Holcomb
It’s one of those, I understand this is what you need to do to allow the manufacturing plant to run and to create what it creates. Let’s just make sure we can do it as securely as possible. We look at what controls can we wrap around it to make it as secure as possible, just understanding there’s risk. It’s just like we were mentioning the IIoT or the Industrial Internet of Things, and this idea of connecting your power plant to the Internet. As soon as you’re doing this, there’s risk that’s introduced, but we’re not going to be able to say no, so let’s do it as securely as possible. That’s a big part of my job.

[00:24:39.910] – David Puner
Thinking in terms of today and parallels today, how is generative AI and machine learning impacting OT security, and what’s the next big challenge for OT cybersecurity?

[00:24:54.140] – Mike Holcomb
With AI, especially, the focus on… We can see a lot of positive steps. It’s one of the things I keep looking towards. What are people doing with AI to help protect OT? A lot of it can be similar to IT. You see a lot of people uploading their policies and having them reviewed to see, does this align with something like 62443? What are we missing? What do we need to add? I’m like, « Okay, that’s a great use. » It’s not something I want to do as a person. We’ll let AI do it. We can use AI in OT, just like in IT, for helping our SOC analysts do their job more effectively, be that force multiplier.

[00:25:34.400] – Mike Holcomb
You do some amazing things from a network security monitoring perspective. It’s very similar from that. What I’m always concerned with is what the attackers are using it for. We don’t have really insight into that today from a true OT perspective. In the IT world, we understand, we can see criminals using AI to generate the most realistic phishing emails and the malware to go with it.

[00:26:03.250] – Mike Holcomb
It’ll be interesting in a good and bad way to see what the future holds for us from that perspective.

[00:26:12.740] – Mike Holcomb
I think from an overall challenges perspective, and we can have those AI conversations and what’s coming down the pipe, but I’m more concerned with the here and now, very practical person. Just want to get in and get the job done and make sure everything is secure, and I think most environments still today, it’s going back to the target days.

[00:26:37.310] – Mike Holcomb
There are a lot of environments out there that are way behind in implementing just even the basic fundamentals of OT cybersecurity, which can be in times very different from IT. We have a lot of environments out there. I’m very fortunate. I get to work with some of the best companies in the world that have some of the most strongest cybersecurity programs imaginable. I get to learn a lot from them, which is great. But I also realized those types of environments, they’re very few and far between.

[00:27:11.640] – Mike Holcomb
Most of the OT in the world around us, it is the manufacturing plants and the smaller ones. It is the water treatment facilities that they don’t have a budget to go out and spend a million dollars on a threat and maybe an incident detection system and threat and vulnerability management platforms.

[00:27:32.060] – Mike Holcomb
They don’t have those resources.

[00:27:34.620] – Mike Holcomb
They don’t even have somebody within the company thinking of cybersecurity. They’re that small, and yet so many people depend on it. There was just an instance where there was a water treatment facility in Ireland that was compromised just one asset, and you had 160 people without water for two days, which doesn’t sound like the end of the world, but what if it’s 160,000 people and it’s 20 days? The repercussions just can go off the scale pretty quickly.

[00:28:04.490] – David Puner
How much of what you do is thinking about those what-if scenarios?

[00:28:10.480] – Mike Holcomb
Oh, I do a lot of that, yes. But then that’s where I have to always try to reel myself back. Again, I always try to say it’s at-risk conversation. These are things that could happen. Now, the chances, the probability of these occurring is very, very small. But they can occur, and we’re at this point since Colonial Pipeline… Before Colonial Pipeline, you would have a major OT cybersecurity incident on average once every four or five years, where now we’re having them pretty much almost on a weekly basis. If not, almost a daily basis.

[00:28:57.580] – Mike Holcomb
It’s just… Let’s talk about the rate of the event is accelerating, and the impacts are increasing. It’s one of those. It’s a very fascinating, interesting, exciting time to be in OT cybersecurity because of everything we talked about. We have so many environments out there that aren’t prepared. The number of attackers is only growing exponentially day by day.

[00:29:22.400] – Mike Holcomb
We only see that many more attacks, and we’re seeing the impacts. We’re seeing power plants go offline, water being interrupted on a small scale, but they happen. Telecommunications going down in the Ukraine. There was another blackout caused by the Russians in the Ukraine last year in 2023. They’re just happening more and more and that trend is not going to slow down. That’s where we’re at today, trying to look forward.

[00:29:52.130] – David Puner
Thinking about identity and OT, and identity and OT security as an identity factor into OT security, and what are some of the challenges and common scenarios?

[00:30:04.700] – Mike Holcomb
Talk about identity in OT. Identity in IT is a very core component of what we do in IT cyber these days, and that’s not necessarily the case in OT. The main reason is if I work in, let’s say, a power plant, and if I’m going to go and there’s an emergency situation and I need to log into a system, and all of a sudden, I’m not able to log into that system because of a username or a password or some difficulty, or the system that’s used to do authentication is offline, and I’m locked out of that system, and then all of a sudden, either the plant shuts down, and now you have the operator losing potentially millions of dollars a day, or what if there is some type of physical issue where there’s something explodes and somebody on-site dies, or at least they’re hurt?

[00:30:57.330] – Mike Holcomb
Most of the network that you’re going to see, it’s all Windows systems. The nice thing is we always focus on things like with active directory, being able to focus on identity and ensuring authentication and authorization of individuals when they’re logging in and accessing resources.

[00:31:16.010] – Mike Holcomb
As you get down and lower into the systems that are actually controlling the process, that are actually doing the job of generating electricity in a power plant or moving trains down the track or mining ore out of the ground, when you get to those lower systems, then typically, those are the ones we don’t want to touch. But at all those higher levels and all those systems that the attackers are going to come across first, if they’re on the network, that’s where we do want to make sure that we are implementing and securing the identity of the counts in the environment.

[00:31:52.050] – David Puner
Are there particular OT-specific challenges when it comes to third-party vendors or third-party supply chain?

[00:31:59.170] – Mike Holcomb
OT has the same issues with supply chain as… If you’re implementing software, and I always think of SolarWinds. If you bring in a malicious update, you’re compromised. That’s a concern in OT just as in IT, it’s just… Remember, OT has so many other things they’re still working on. Supply chain is… Security is going to be near the bottom of the list, unfortunately. They’re probably more worried about purchasing counterfeit equipment than the next SolarWinds breach, realistically.

[00:32:32.560] – David Puner
I think this is probably a good opportunity then to segue into what organizations should do when it comes to OT security and what they should be doing to ensure systems in OT environments are updated and protected.

[00:32:46.690] – Mike Holcomb
There’s two things. When you look at cybersecurity as a whole, and not every organization is ready to go out and say, « Hey, I’m going to go and get the 62443 standard and start implementing it. » That would be the right answer to do. Where do I start? I actually created an adapted version of the critical security controls from IT. I love that when it originally came down because it’s not only, here’s this list of security controls that you can implement, and it’s written very plainly that people can understand, but it was also that prioritized list. It’s like, here’s where you start. You’re going to start here because this has the most impact into reducing risk in your environment.

[00:33:28.830] – Mike Holcomb
We always talk about the first place you start is secure network infrastructure. It was my LinkedIn post yesterday talking about how we not only create an IT, OT, DMZ between the IT and OT networks, but then how you further do segmentation within the OT network. We’re ultimately trying to slow down an attacker, give us time to be able to detect them, get the basic blocking and tackling done, and you’ve addressed the vast majority of risk. That’s what we’re seeing underway today, which is very positive. The industry has come a long way in just a few short years. We just have a long way to go.

[00:34:10.430] – David Puner
What about for organizations that are trying to be proactive with audits to help them navigate compliance and regulatory requirements?

[00:34:18.190] – Mike Holcomb
That’s always an interesting conversation because there’s not a lot of regulatory requirements in OT, which, believe it or not, because I remember, it’s like, What do you mean? There’s not a lot of regulation around a petrochemical facility or water treatment?

[00:34:34.440] – David Puner
Yeah, you would hope there would be.

[00:34:36.370] – Mike Holcomb
Yeah, exactly. It’s the only true… We talk about cybersecurity requirements, regulations we have is what they call NERC or NERC CIP, and that’s for entities that do power generation and transmission in North America, primarily US and Canada. Then there’s a nuclear version for that as well. Then, if you work in, let’s say, water. Water is you have these general requirements that say you have to deliver clean water to the public, but there’s not where you’re going to have an auditor come in and look at the environment.

[00:35:09.990] – Mike Holcomb
There’s this whole complicated story, but you’re not going to have an auditor come in and look at your cybersecurity controls to ensure that an attacker wouldn’t be able to come in and introduce you deadly levels of chemicals into the water and have that go out to the general public. You see that in a lot of the other environments.

[00:35:31.090] – Mike Holcomb
The only thing that has changed since Colonial Pipeline, from a true cybersecurity regulation perspective, is the TSA in the US since Colonial Pipeline, they actually have now regulations for pipeline operators, which makes sense. Then they also added that to rail. That way… Because if your pipelines are down, the only other way you’re going to be moving large amounts of anything is going to be rail.

[00:35:55.070] – Mike Holcomb
I’ve actually been doing a lot of work in rail projects over the last couple of years because of that. But yeah, it’s unfortunate we hear a lot of more regulations that’s going to come down the pipeline, like in water, potentially. There were regulations for water that they let lapse, ultimately because people were complaining about having to become compliant with them. It’s very, very strange, very bizarre.

[00:36:22.570] – David Puner
Shifting gears to, we’ve already talked a little bit about OT professionals and IT professionals. We’ve, of course, in the industry, heard a lot about the cyber skills gap. As someone who’s taught cybersecurity at the college level, I’m thinking this subject may be particularly pertinent to you. Where does that issue land when it comes to OT security?

[00:36:46.870] – Mike Holcomb
It’s a hard one. There’s no easy fix because the people you want working in OT cybersecurity, you want them to understand the OT aspects of things like engineering and how the plant works, at least at a fundamental level. You don’t have to be… Like, I’m not an « engineer » engineer. But at least over time, I’ve got to work with a lot of engineers and start to be able to learn the basics.

[00:37:12.750] – Mike Holcomb
You need to understand the physics of the environment you’re protecting, but then also understand how cybersecurity works from really the IT world. You either need to learn IT cybersecurity and then learn OT like I have, or you need to learn OT and then learn IT cybersecurity. We have people coming from both sides and then trying to meet in the middle. We want these people that have both of those skill sets. Not everybody wants to go through all that work. Then, when you tell IT people that OT pays a lot less, they’re like, « Oh, never mind. »

[00:37:52.030] – David Puner
So it does pay less.

[00:37:52.980] – Mike Holcomb
It does, yeah. Then the OT people, they’re like, « Oh, I can make more in IT? » You see people actually leaving the power plants and the railways because they can make more money in IT environments doing cybersecurity.

[00:38:09.160] – David Puner
Well, not to get all « FUDy » on you, but that’s concerning.

[00:38:12.450] – Mike Holcomb
It is, very much so. I’ve seen multiple instances of that. I think the people that you see in OT that stay in OT or the people that transition into OT, they believe in the mission, and they want to be there, which is amazing. At the end of the day, I can’t blame somebody, though, for going to take more money, especially… You got mouths to feed at home, or I guess just want more money at the end of the day. I’m not going to blame you.

[00:38:39.960] – David Puner
Do you think that that salary disparity is something that will be ironed out in the near future?

[00:38:44.180] – Mike Holcomb
It’s changing, and we’ve already seen… At least from what I’ve seen, there definitely have been changes to me. I’ve been talking with others. It’s going to be probably a couple of years before it’s on close parity, but hopefully it’ll get there sooner than later. Because if you’re in IT, why would you want to move to OT if you’re not going to get paid at least as much? You have to believe in the mission if you’re going to make that move.

[00:39:11.850] – David Puner
Is that part of the reason why you teach or have taught?

[00:39:15.050] – Mike Holcomb
Yeah, it’s a big reason. There’s lots of reasons. I grew up very poor, and I know how working in IT and cybersecurity has transformed my life, not only through my salary, but yeah, the idea of mission and being able to help and protect people. Actually, I also have a free 20+ hour course on how to get into ICS/OT cybersecurity that I put out on YouTube for free.

[00:39:42.420] – David Puner
Yeah, I was going to ask you about that. What inspired you to do that, and what’s the response been and why free?

[00:39:49.210] – Mike Holcomb
Yeah, it was one of those things that I had recorded. Started doing it in some live sessions, had a couple of hundred people online, and then I also had hundreds of others from all over the world saying, « I would love to participate, but I also need to sleep in the middle of the night. » It’s like, « Hey, I completely get that. » It really was just being able to take that and re-record it and put it out on YouTube. It’s great to see people watching.

[00:40:13.430] – Mike Holcomb
I think the first part is already, like 2,500 people have already watched at this point, or I guess they’ve probably clicked the page. I don’t know how many people have actually watched the whole thing, but you see the numbers going up on all the parts. Some people are out there watching them, I get a lot of nice notes from people saying, « Hey, I use this in my work, or this is exactly what I was looking for. Oh, this is perfect timing. » Those things, they mean a lot, and it makes it all worthwhile.

[00:40:43.390] – David Puner
Mike Holcomb, thanks so much for coming on to Trust Issues. Really appreciate the time.

[00:40:48.670] – Mike Holcomb
Yeah. Thanks, David. I appreciate it. Thanks for the invite.

[00:40:51.400] – David Puner
Thanks for listening to Trust Issues. If you like this episode, please check out our back catalog for more conversations with cyber defenders and protectors. Don’t miss new episodes. Make sure you’re following us wherever you get your podcasts. Let’s see. Oh, yeah. Drop us a line if you feel so inclined. Questions, comments, suggestions, which, come to think of it, are comments. Our email address is [email protected]. See you next time.