The Industrial Security Podcast

We've been hacked. Everything is down. Or more mundane - there was a power surge and 5% of our cyber gear is fried. How do we get back into operation fastest? Stephen Nichols of Acronis joins us to look at rapid recovery of OT systems - from the mundane to the arcane.

We know there are problems in our security systems, but we can't and shouldn't fix everything. What do we fix? Who decides? How do we explain what's reasonable to people who do decide? Kayne McGladrey, CISOIn Residence at Hyperproof, joins us to explore risk, communication, and a surprising role for insurance.

Yes the device has to be safe to use on patients, and yes it has to produce its results reliably, but patient / data confidentiality is also really important. Naomi Schwartz of Medcrypt joins us to explore the multi-faceted world of medical device cybersecurity - from MRI's to blood sugar testers.

If you can touch it, you can hack it, usually. And having hacked it, you can often more easily find exploitable vulnerabilities. Marcel Rick-Cen of Foxgrid walks us through the basics of hacking industrial hardware and software systems.

Asset inventory, networks and router / firewall configurations, device criticality - a lot of information. How can we USE this information to make useful decisions about next steps to address cyber risk? Vivek Ponada of Frenos joins us to explore a new kind of OT / industrial digital twin - grab all that data and work it to draw useful conclusions.

We don't have budget to fix the problem, so we accept the risk? Tim McCreight of TaleCraft Security in his (coming soon) book "I don't sign s**t" uses story-telling to argue that front line security leaders should not be accepting multi-billion dollar risks on behalf of the business. We need to escalate those decisions - with often surprising results when we do.

NIS2 legislation is late in many EU countries, and the new CRA applies to most suppliers of industrial / OT computerized and software products to the EU. Christina Kiefer, attorney at reuschlaw, walks us through what's new and what it means for vendors, as well as for owner / operators.

Hundreds of subsystems with the same IP addresses? Thousands of legacy devices with no modern encryption or other security? Constant, acquisitions of facilities "all over the place" network-wise and security-wise? What most of us need is "network duct tape". Tom Sego of Blastwave shows us how their "duct tape" works.

Safety defines cybersecurity - Kenneth Titlestad of Omny joins us to explore safety, risk, likelihood, credibility, and deterministic / unhackable cyber defenses - a lot of it in the context of Norwegian offshore platforms.

How did they get in? How did we find them when they got in? What can we do in future to clean up the mess faster? Chris Sistrunk reflects on a decades' industrial cyber incident response experience at Mandiant (Google).

Asset inventory tools have become almost ubiquitous as main offerings or add-ons to OT security solutions. In this episode, Brian Derrico of Trident Cyber Partners walks us through what it's like to use these tools - different kinds of tools in different environments.

Industrial incidents can be cyber attacks, or equipment failures, or physical equipment leaking product because of metal fatigue or incorrect welds. OT incident responders need to know a lot. Doug Leece of Enbridge explores what is OT incident response and what you look for recruiting people into that role.

For safety-critical operations or for critical national infrastructures, would you rather base your system on a code that people have tested as best they can, or would you rather base your system on a platform that has been proven correct? Daly Brown and Nick Foubert of Metropolitan Technologies look at a new approach to designing OT systems.

Most of us struggle to get funding for industrial cybersecurity. Ian Fleming of Deloitte explains how - because cybersecurity is essential to sustaining the value of industrial assets - how we can embed up to 20 or 30 years of cybersecurity budget into capital plans, rather than fight for budget every year.

Nation state threats are often portrayed as the "irresistible forces" of cyber threats, with little qualification. Joseph Price of Deloitte joins us to dig deeper - what are nation states capable of, what are they up to, and how should we interpret the information that is available to the public?

Security automation needs a machine-readable vulnerability database. Carmit Yadin of Device Total joins us to look at limitations of the widely-used National Vulnerability Database (NVD), and explore a new "data science" alternative.

Tomomi Aoyama translated the book Countering Cyber Sabotage - Consequence-Driven, Cyber-Informed Engineering - to Japanese. Tomomi recalls the effort of translating CCE to Japanese and looks forward to applying CCE and OT security principles to industrial cloud systems at Cognite.

Compromise a cloud service and tens thousands of vehicles can be affected at once. Matt MacKinnon of Upstream Security walks us through the world of cloud security for connected vehicles, transport trucks, tractors, and other "stuff that moves."

The bad guys keep getting better at what they do, and so must we defenders. Gary Southwell of Aria Cyber joins us to look at using AI to get ahead of constantly-changing malware.

The CIS Top 18 is widely used in IT, and Jack Bliss of 1898 & Co. has adapted that list for OT/industrial, adding a lot of industrial context and lists of related OT-centric tools and technology.