The Industrial Security Podcast

We've been hacked. Everything is down. Or more mundane - there was a power surge and 5% of our cyber gear is fried. How do we get back into operation fastest? Stephen Nichols of Acronis joins us to look at rapid recovery of OT systems - from the mundane to the arcane.

We know there are problems in our security systems, but we can't and shouldn't fix everything. What do we fix? Who decides? How do we explain what's reasonable to people who do decide? Kayne McGladrey, CISOIn Residence at Hyperproof, joins us to explore risk, communication, and a surprising role for insurance.

Yes the device has to be safe to use on patients, and yes it has to produce its results reliably, but patient / data confidentiality is also really important. Naomi Schwartz of Medcrypt joins us to explore the multi-faceted world of medical device cybersecurity - from MRI's to blood sugar testers.

If you can touch it, you can hack it, usually. And having hacked it, you can often more easily find exploitable vulnerabilities. Marcel Rick-Cen of Foxgrid walks us through the basics of hacking industrial hardware and software systems.

Asset inventory, networks and router / firewall configurations, device criticality - a lot of information. How can we USE this information to make useful decisions about next steps to address cyber risk? Vivek Ponada of Frenos joins us to explore a new kind of OT / industrial digital twin - grab all that data and work it to draw useful conclusions.

We don't have budget to fix the problem, so we accept the risk? Tim McCreight of TaleCraft Security in his (coming soon) book "I don't sign s**t" uses story-telling to argue that front line security leaders should not be accepting multi-billion dollar risks on behalf of the business. We need to escalate those decisions - with often surprising results when we do.

NIS2 legislation is late in many EU countries, and the new CRA applies to most suppliers of industrial / OT computerized and software products to the EU. Christina Kiefer, attorney at reuschlaw, walks us through what's new and what it means for vendors, as well as for owner / operators.

Hundreds of subsystems with the same IP addresses? Thousands of legacy devices with no modern encryption or other security? Constant, acquisitions of facilities "all over the place" network-wise and security-wise? What most of us need is "network duct tape". Tom Sego of Blastwave shows us how their "duct tape" works.

Safety defines cybersecurity - Kenneth Titlestad of Omny joins us to explore safety, risk, likelihood, credibility, and deterministic / unhackable cyber defenses - a lot of it in the context of Norwegian offshore platforms.

How did they get in? How did we find them when they got in? What can we do in future to clean up the mess faster? Chris Sistrunk reflects on a decades' industrial cyber incident response experience at Mandiant (Google).

Asset inventory tools have become almost ubiquitous as main offerings or add-ons to OT security solutions. In this episode, Brian Derrico of Trident Cyber Partners walks us through what it's like to use these tools - different kinds of tools in different environments.

Industrial incidents can be cyber attacks, or equipment failures, or physical equipment leaking product because of metal fatigue or incorrect welds. OT incident responders need to know a lot. Doug Leece of Enbridge explores what is OT incident response and what you look for recruiting people into that role.

For safety-critical operations or for critical national infrastructures, would you rather base your system on a code that people have tested as best they can, or would you rather base your system on a platform that has been proven correct? Daly Brown and Nick Foubert of Metropolitan Technologies look at a new approach to designing OT systems.

Most of us struggle to get funding for industrial cybersecurity. Ian Fleming of Deloitte explains how - because cybersecurity is essential to sustaining the value of industrial assets - how we can embed up to 20 or 30 years of cybersecurity budget into capital plans, rather than fight for budget every year.

Nation state threats are often portrayed as the "irresistible forces" of cyber threats, with little qualification. Joseph Price of Deloitte joins us to dig deeper - what are nation states capable of, what are they up to, and how should we interpret the information that is available to the public?

Security automation needs a machine-readable vulnerability database. Carmit Yadin of Device Total joins us to look at limitations of the widely-used National Vulnerability Database (NVD), and explore a new "data science" alternative.

Tomomi Aoyama translated the book Countering Cyber Sabotage - Consequence-Driven, Cyber-Informed Engineering - to Japanese. Tomomi recalls the effort of translating CCE to Japanese and looks forward to applying CCE and OT security principles to industrial cloud systems at Cognite.

Compromise a cloud service and tens thousands of vehicles can be affected at once. Matt MacKinnon of Upstream Security walks us through the world of cloud security for connected vehicles, transport trucks, tractors, and other "stuff that moves."

The bad guys keep getting better at what they do, and so must we defenders. Gary Southwell of Aria Cyber joins us to look at using AI to get ahead of constantly-changing malware.

The CIS Top 18 is widely used in IT, and Jack Bliss of 1898 & Co. has adapted that list for OT/industrial, adding a lot of industrial context and lists of related OT-centric tools and technology.

Airports really are small cities. Eric Vautier, CISO of all 3 Paris airports looks at what is an airport and how are thousands of airports changing because of NIS2 and the regulatory environment more generally.

Ransomware is the most common cyber attack causing OT outages - all Windows machines encrypted. What if we could "press a button" and have everything working again in seconds or minutes? Alex Yevtushenko of Salvador Technologies joins us to look at new technology for rapid recovery.

The Mitre CWE - Common Weakness - database talks about kinds of problems that can show up in the future - future zero days - rather than CVE that talks about what vulnerabilities were discovered in the past. Susan Farrell walks us through the CWE and how both vendors and owners & operators use it.

AI is coming and industrial security is an issue. Join us as Leo Simonovich VP at Siemens Energy joins us to look at both in the context of the energy transition - burning fewer fuels to achieve the same industrial process goals.

How hard is it for an attacker to dig around in my network? Robin Berthier of Network Perception joins us to look at new network segmentation evaluation and visualization technology that lets us see at a glance how much trouble, or not, we're in.

Precision farming is heavily automated, as are the "food factories" essential to feeding the world's population. Marcus Sachs at the McCrary Institute at Auburn University joins us to look at the threats, the challenges and opportunities to secure our food supplies from cyber risk.

From supply chain to Active Directory to segmentation designing security into ICS products is hard. Jake Hawkes walks us through how security gets built into AVEVA Enterprise SCADA.

We have a security program, we have a risk assessment, we see gaps and we have a limited budget. How do we use that budget most effectively? Jørgen Hartig, CEO at SecuriOT joins us to look at a decision support tool to help answer the question.https://securiot.dk/securiot-irt

You plug in a USB drive and your laptop starts smoking - nasty. Mario Prieto Sanlés of AuthUSB joins us to look at the nastiest of USB attacks, and what we can do about them.

Smart meters, smart cities and the IIoT - when thousands of systems of millions of low-power devices need to talk to each other, and talk between systems, managing trust is hard. Dr. Chris Gorog of BlockFrame walks us through the problem and the work BlockFrame and the University of Colorado have been doing to solve the problem.

Moving from IT or engineering roles into OT security is harder than it should be. Mike Holcomb of Fluor has written eBooks & provides a newsletter to help people with that transition. In this episode, Mike reflects on his own evolution into OT security and gives advice to others looking at making the move.

Our enemies cooperate, and so must we. Aurelio Blanquet walks us through the activities of the European Energy ISAC, with a focus on building the trust that is essential to enabling the cooperation that we need to work together. Aurelio Blanquet - EE-ISAC Nov 21

The industrial security initiative was triggered by the 9/11 attack on the World Trade Center. Aaron Turner, on the faculty at IANS Research, helped investigate laptop computers used by 9/11 attackers and joined up with Michael Assante to persuade government authorities to launch what has become today's industrial cybersecurity industry. Aaron takes us through the formative years - from 9/11 to the Aurora generator demonstration.

Cybersecurity and IEC 62443 are increasingly relevant to building automation. Parking garages contain safety-critical CO2 sensors that control fans, the MGM breach is in the news and standards bodies are debating minimum security levels for different kinds of systems. Kyle Peters of Intelligent Buildings joins us to look at IEC 62443-2-1 style security assessments of modern buildings and what we can learn from those assessments.

Adversaries who can physically touch a target have a huge advantage when it comes to compromising that target. Mike Almeyda of Force5 joins us to look at tools for physical security that support cybersecurity, especially for the North American NERC CIP standards.

From aging equipment to regulators who must approve every patch, securing safety-critical rail systems is hard, but has to be done. Miki Shifman, CTO and Co-Founder at Cylus, joins us to talk about the problem and what many owners and operators are doing solution-wise.

Job seekers say there are no OT security job postings. Hiring managers say nobody is applying to their posts. Amanda Theel and Eddy Mullins of Argonne National Labs walk us through recruiting issues, especially for fresh grads.

Data centers are critical information infrastructures, with a lot of associated physical infrastructure. Vlad-Gabriel Anghel of Data Center Dynamics Academy walks us through these very recent additions to critical infrastructures, and digs into industrial / OT security needs and solutions for the space.

Active defense or "intrusion prevention" deep into industrial networks has long been thought of as not workable. Youssef Jad - CTO at CyVault - joins us to talk about a new approach to OT active defense that is designed for sensitive OT / industrial environments.

Patching is hard in many industrial / OT systems - the risk the new code poses to operations is comparable to the risk of a cyber attack. But - the vulnerability does not go away just because patching is hard. Rick Kaun, VP Solutions at Verve Industrial joins us to look at what to patch, when to patch, and automation to help make the whole process faster, easier and cheaper.

Modern automobiles contain hundreds of CPUs and a CANbus network or three connecting these devices. Thieves are hacking the CANbus to steal cars. Worse is possible. Ken Tindell, CTO at Canis joins us to look at the problem and at what the automobile industry is doing about these embedded control systems.

NERC CIP, the new TSA pipeline and rail directives and other regulations can be very expensive - to comply with and to prove to an auditor that you comply. Kathryn Wagner of Assurx joins us to look at what and how we can automate this process to save time and money.

All physical processes involve risk - sometimes very big risk. Dr. Janaka Ruwanpura from the University of Calgary joins us to look at where cyber risks fit into the big picture of risk at industrial organizations, and at roles and responsibilities for managing risk throughout an organization.

OT systems are critical to mining safety. Rob Labbe, the chair of the Metals and Mining ISAC joins us to look at six steps to integrating IT & OT networks and security programs in this very sensitive environment.

Risk assessments are a staple of industrial security programs. Paul Piotrowski, a Principal OT Cybersecurity Engineer at Shell, walks us through a deep dive into his experience using IEC 62443-3-2 risk assessments and the lessons he's learned, with lots of examples.

Getting an industrial site started on the cybersecurity road can be hard. Matthew Malone of Yokogawa joins us to look at strategies to shake loose funding, trigger conditions that can jump-start investments, and stumbling blocks and how to address them.

SSVC is a new standard decision process for deciding what to do about new vulnerabilities and patches. Thomas Schmidt of the German BSI joins us to look at how SSVC decision trees work, and where and why to use them.

Different kinds of organizations in different stages of their cybersecurity evolution need to look for different kinds of people to contribute to their industrial security programs. Jason Rivera a Director at Security Risk Advisors joins us to look at workforce capability gaps and different approaches needed to fill those gaps in different scenarios.

The new US Department of Energy Cyber Informed Engineering Strategy includes unhackable safeties, manual operations, and other engineering-grade protections, in addition to traditional cybersecurity. Join Cheri Caddy, USA Deputy Assistant Cyber Director as we look at a strategy to develop a discipline of security engineering.

Windows and Linux operating systems provide a lot of detail as to what software & versions of the operating system, applications & libraries are installed. Most firmware provides almost nothing - only a single firmware version number. Thomas Pace, Co-Founder and CEO of Netrise joins us to look at gaining visibility into industrial device firmware and vulnerabilities.