
The Industrial Security Podcast
148 episodes — Page 2 of 3

Living at the Edge - Visibility into Edge Devices [The Industrial Security Podcast]
Industrial network monitoring and intrusion detection tend to start at the highest level networks - the ones closest to the IT network. Ron Fabella, CTO and Co-Founder of Synsaber joins us to look at the problem the other way around - at how important and how useful it is to monitor our lowest level networks - the edge networks closest to the physical process.

Secure Software Development and a Zero Trust Supply Chain [The Industrial Security Podcast]
How does secure software development work for industrial products (SDLC) and what is a zero-trust supply chain? Gonda Lamberink of Fortress Information Security leads us on a deep dive of what's new in secure software development, and especially how supply chain security is impacting that lifecycle.

Consequences Matter [The Industrial Security Podcast]
Worst-case consequences of compromise determine government and societal policies, so consequences matter, especially for critical infrastructure security. Danielle Jablanski, OT Cybersecurity Strategist at Nozomi Networks joins us to look at threats, consequences and policies for critical infrastructure security.

Really Committing to Supply Chain Security [The Industrial Security Podcast]
Supply chain security is bigger than one standard or one approach. Supply chain has fingers into remote access and cloud services and many other things beyond SBOMs and vendor questionnaires. Pedro Fernandes of Accenture joins us to look at the big picture and at what it takes to really commit to supply chain security.

ROI Mistakes for Cybersecurity Investments [The Industrial Security Podcast]
Cybersecurity investments, like safety investments, involve ROI calculations. But unlike safety, security ROI is not baked into engineering practice. Wally Magda - a senior standards and security instructor, advisor and former NERC CIP auditor joins us to look at today's ROI problems and what to do about them.

Set and Forget - is not cyber resiliency [The Industrial Security Podcast]
Complex networks "drift" over time - maintaining an original security vision is hard. Robin Berthier, CEO and Co-Founder of Network Perception joins us to look at a new technology for understanding what's happening to our networks.

56 OT Vulnerabilities - do they matter? [The Industrial Security Podcast]
Forescout's recent Icefall report documents 56 new OT vulnerabilities, many in certified "secure" industrial equipment. Daniel Dos Santos, Head of Security Research, joins us to look at the vulnerabilities and at what they mean for industrial security.

Why and Who - Not Just How [The Industrial Security Podcast]
The big picture of industrial security programs is why we do security, who does what, and to what standards or risk tolerances. Darren Conway of Capula joins us to look at documenting industrial security policies and programs, not just technology.

Moving Target Defence [The Industrial Security Podcast]
Moving target defence is increasingly used for remote access systems and other high risk connections between and into systems. Ian Schmertzler, President and Co-Founder of Dispel joins us to dig into the technology.

DNP3 Crypto - Harder Than It Looks [The Industrial Security Podcast]
Many people ask "why can't we just encrypt all those industrial protocols?" It turns out it's harder than it looks. Andrew West of Subnet Solutions and the Technical Chair of the DNP User group looks at Secure DNP3 - take three.

Relationships, Not Creepiness - Marketing Industrial Security [The Industrial Security Podcast]
Relationships, humour and a complete lack of creepiness - Laura Torres and Sarah Jennings of FoxGuard join us to look at the art of marketing industrial security solutions.

Like industrial security a decade ago [The Industrial Security Podcast]
Building automation cybersecurity is starting to happen, but most buildings are well behind their industrial peers. Mirel Sehic, Cyber Practice GM for Honeywell Building Technology, joins us to look at security for building automation, smart cities, and the results of a recent survey on the state of the practice. The full survey report is available at https://buildings.honeywell.com/us/en/solutions/healthy-buildings/trends-report

Legislation demands state of the art [The Industrial Security Podcast]
Jens Wiesner of the German BSI joins us - new German critical infrastructure laws demand immediate reporting and certified state-of-the-art attack detection.

OT Cyber insurance is changing fast [The Industrial Security Podcast]
"Silent" cyber coverage has vanished in most insurance policies, and you can't get cyber insurance any more without cyber security. Georgina Williams, Senior Cyber Underwriter at Munich Re, joins us to look at how insurers are digging deep into both engineering and security aspects of industrial cyber risk.

Common mistakes in OT visibility deployments [The Industrial Security Podcast]
A lot can go wrong - Enrique Martinez, Technical Solutions Architect for OT Security at WWT, joins us to look at common mistakes when deploying OT asset inventory, IDS and other visibility solutions - and how to avoid them.

Just the tricky bits [The Industrial Security Podcast]
Industrial security programs have to touch all the bases. Alexandru Suditu of the Enevo Group joins us to look at - not everything - just the tricky bits.

Exploding demand [The Industrial Security Podcast]
Demand for skilled industrial / OT security people has increased dramatically over the last couple of years. Join Meg Duba, Senior Technical Recruiter at Idaho National Labs for an update on the market.

Industrial cyber attacks, consequences & trends [The Industrial Security Podcast]
Greg Hale - Editor and Founder of ISSSource and ICSStrive joins us to look at his new OT / industrial incident repository, and a new report using the data in the repository, analyzing industrial cyber incidents with physical consequences.

Standardization and other risks - experience using CCE [The Industrial Security Podcast]
Standardization and consolidation increase the consequences of cyber attacks - these are unexpected insights from applying the CCE methodology. Jodi Jensen, President of Secure SCADA Solutions, joins us to look at the experience of using Consequence-Driven, Cyber-Informed Engineering.

Risk-based Security Levels - updating ISA/IEC 62443-3-3 [The Industrial Security Podcast]
The widely-used 62443-3-3 standard is being updated. One big change is making security levels risk-based. Join Alex Nicoll, co-chair of the ISA committee updating the standard, to look at what this means and how it will work.

Complete Rewrite - API 1164 Rev 3 [The Industrial Security Podcast]
Functional vs operational safety, profiles, deep connections to IEC 62443 and more. Tom Aubuchon, Principal Consultant at Ethosecure Consulting and Suzanne Lemieux, Director Operations Security and Emergency Response Policy at the American Petroleum Institute join us to look at API 1164 Rev 3 - a complete rewrite of a pioneering cybersecurity standard.

Security vs Compliance & other NERC CIP insights [The Industrial Security Podcast]
Which is better - security or compliance? Suzanne Black of Network Security Technologies brings a new perspective to this old question and covers a lot of other ground in the latest NERC CIP standards.

Architecting Next Gen OT Security [The Industrial Security Podcast]
Safety, insiders, external attacks, remote access, zero trust and more. Serkan Yusuf at Applied Risk explores a new report based on a survey of over 1000 industrial security practitioners.

2021 Attacks & Predictions for 2022 [The Industrial Security Podcast]
A special episode where Nate and Andrew look back at what we can learn from cyber attacks on industrial sites in 2021 and what we should expect to come at us in 2022 and 2023.

We Were Always Connected [The Industrial Security Podcast]
Graham Speake (semi-retired) reflects on a career in industrial security. He points out industrial networks were always connected and observes that we should all get more credit for material improvements in industrial security and security technologies in the last 2-3 decades.

Stronger & Faster - ISA/IEC 62443 [The Industrial Security Podcast]
The IEC 62443 security standards are evolving. Eric Cosman, co-chair of the ISA SP-99 committee that creates the 62443 standards joins us in this episode. Eric looks at how experience using the 62443 standards is driving change in a number of key areas.

How Lenses Blind Us [The Industrial Security Podcast]
"Lenses" are preconceived notions that limit our ability to evaluate and accept solutions. Dr. Art Conklin from the University of Houston joins us to look at lenses in industrial security and what to do about them.

Mergers & Acquisitions - Rapid Change [The Industrial Security Podcast]
Change is a risk in industrial operations, but at least on the security side of things, rapid change is the order of the day when connecting an acquisition to a new owner's infrastructures. Anthony Morrone and Marianne Swarter of Level5Cyber join us to look at issues and solutions for mergers, acquisitions and divestitures of industrial operations.

Automating Vulnerability Handling - a Promising New Standard: CSAF [The Industrial Security Podcast]
Vulnerability handling costs a lot of time and effort - finding the announcements, evaluating them, comparing to our systems, planning & managing deployment and more. Jens Wiesner of the German BSI joins us to explore a new standard that promises to automate much of this task - the Common Security Advisory Framework.

Big Picture Risk - A How-To [The Industrial Security Podcast]
Ernie Hayden joins us to walk through the big picture of risk assessment as documented in his new book - Critical Infrastructure Risk Assessment. The book is a "how-to" for assessing risks ranging from hurricanes to safety systems to cyber attacks.

Capabilities vs Probabilities: Ask Different Questions & you get Different Answers [The Industrial Security Podcast]
OT / industrial cyber risk is tricky. Ask questions about probabilities like we did 10 years ago and you get answers that just don't work well. Mark Fabro, President & Chief Security Scientist at Lofty Perch joins the podcast to look at the modern way to model risk.

Maritime Systems: Incidents, Issues and What to do About Them [The Industrial Security Podcast]
Maritime systems are unique in some senses - e.g. both having safety-critical aspects and being reliant on wireless satellite communications. But these systems are familiar too - PLCs, HMIs and remote access. Marco Ayala, Director of ICS Security at 1898 & Company, walks us through the space.

Kill the Spreadsheet [The Industrial Security Podcast]
No one person has all the answers. Bill Lawrence, CSO at SecurityGate.io joins us to look at industrial risk assessments in modern, complex environments.

Building Your Own Workforce [The Industrial Security Podcast]
EnergySec is working with colleges & others on the world's first industrial security apprenticeship program. Join Steve Parker, president of EnergySec to see why electric utilities cannot hire the people they need, and what's being done to fix that.

Secure PLC Coding Practices [The Industrial Security Podcast]
A tool for more secure layer 1 devices is available - The Top 20 Secure PLC Coding Practices. Sarah Fluchs and Vivek Ponnada, two leaders of the initiative, join us to talk about the practices and how to use them.

It's All About Risk - Working With the Board [The Industrial Security Podcast]
Repost (sound problems repaired): Explore how to work with boards of directors on industrial security issues with Level5Cyber industry veterans Anthony Morrone (former CISO @ DuPont) and Michael Piccalo (former Director @ Forescout).

Petrochemical Manufacturing Cybersecurity [The Industrial Security Podcast]
Commodity vs specialty chemical manufacturing is different in kind, not just quantity. Sameer Koranne, Global OT Lead for IBM's X-Force incident response team, talks about manufacturing, safety and security. https://www.ibm.com/security/services/ibm-x-force-incident-response-and-intelligence

Training the Organization, not the Individual [The Industrial Security Podcast]
In boxing, amateurs get hit and go down. Professionals get hit and keep fighting. Join us as Ofir Hason of CyberGym explores how to turn entire organizations from amateurs into professionals when it comes to cyber attacks.

The World's Strongest HazMat Cyber Rules [The Industrial Security Podcast]
The new cyber rules for sites in Israel handling hazardous materials are the strongest in the world. Join Yosi Shavit, Head of the ICS Cybersecurity Department in Israel's Ministry of Environmental Protection to see what's new and different.

In the Trenches - Cryptosystems & Connectivity [The Industrial Security Podcast]
Encryption is everywhere, but making it work in industrial settings is harder than it looks. Join Sam Elsner, Senior Manager for the Kepware-focused applications engineering team at PTC to do the deep dive on how modern systems are connected and encrypted.

Managing Future Cost for Security [The Industrial Security Podcast]
Measuring future security costs is easier than measuring today's security benefits. Donovan Tindill, Senior Cybersecurity Strategist at Honeywell Connected Enterprise joins us to explore how to manage industrial cybersecurity spend over the life of industrial automation projects.

Cybersecurity In A Harsh Environment [The Industrial Security Podcast]
Yosi Shneck, long-time CSO at Israel Electric Company, talks about his experience leading cybersecurity efforts in a very difficult threat environment, and about Israel Electric's new initiative to share the company's expertise with other utilities and industrial enterprises.

CCE: Changing How People Think About Cybersecurity [The Industrial Security Podcast]
Sarah Freeman at Idaho National Laboratories and co-author of the new book Countering Cyber Sabotage joins us to discuss the CCE methodology, attacker requirements and "unhackable" mitigations.

Safety and Security in Mining [The Industrial Security Podcast]
So very much about mining and about automation in mining is about safety. Greg Jones, an industrial security specialist at PPLTEK takes us through some unique physical processes and security challenges.

Learnings from the SolarWinds Breach [The Industrial Security Podcast]
The SolarWinds supply chain breach is arguably the biggest hack in history. OSIsoft's Security Architect, Bryan Owen, joins us to explore the breach and what it means for industrial security.

[The Industrial Security Podcast] The Science of Security
Like civil engineers building bridges, security engineers should have quantitative goals: How secure must the system be when commissioned? (How much load must the bridge carry?) How long must the system maintain that security level without major maintenance? (How long must the bridge carry that load reliably between major repairs?) Join Terry Ingoldsby to explore the science of security.

[The Industrial Security Podcast] Addressing "Weak Link" Vendors in the Power Grid
CIP-013 is intended to reduce supply chain risks. What are the rules? What are they costing? Are they working? Dr. Joseph Baugh, Managing Consultant at Guidehouse joins us to explore CIP-013, the executive order and other timely NERC CIP topics.

[The Industrial Security Podcast] The Enterprise Perspective on OT Security
Ed Amoroso of Tag Cyber, former CSO of AT&T talks about the IT perspective & approach for OT security - where to start and what to watch for.

[The Industrial Security Podcast] Industrial Cloud Security
There are those who say that "Industrial" and "Cloud" and "Security" really don't fit together - but is this really true? Our guest today is Andrea Carcano from Nozomi Networks explaining how cloud-based security systems really do improve industrial and IoT security.

[The Industrial Security Podcast] Security Monitoring & Management at Airbus
Markus Braendle, head of Airbus Cybersecurity, and Falk Lindner, lead architect for Industrial Cybersecurity at Airbus Manufacturing join us to talk about industrial security monitoring and management at one of the most complex industrial enterprises on the planet.