
Yeah. So, I'm excited about this one. Uh, listen, we've got some experience, we're in the industry, but we're coming at it from a community perspective, right? We're here to help elevate security, specifically in the operational environment. So, that's the goal of the session. Um, obviously excited to have two of my friends here to hang out. Um, out of curiosity, how many people are 100% on the OT side? I suspect it's going to be low, but yeah, it's actually higher than I thought. You guys, they let you out of the field. Like, I can't even believe they let you out of the field.
>> Oh, you came out for Austin. Good. Good.
>> Yeah, the rest, that's 20 bucks later.
>> Yeah. Well, the rest came out for me. But anyways, um, no, um, yeah, so again most people are probably in IT, and then there's obviously a strong presence in security, and so what we want to get out of the session is kind of just talk about, you know, a variety of subjects, get some feedback from each, um, and then, um, obviously if you have any questions or comments, please interject. So with that, maybe the first one. So you may have heard, you may have recalled, the US government had identified some, uh, you know, some things within solar panels that look nefarious or potentially nefarious. Um, so some supply chain risk certainly there. Uh, and obviously there's some scary things when you start thinking about what, you know, OT can do in an environment, never mind critical infrastructure, but now it's become everyday, right? It's in our home environments as well. What do you guys think? Is it fluff or a scare tactic, or is it real? So, I'll go to Doug and then I'll go over to Austin.
>> Uh, no. I 100% think if it's running on a computer and it's possible to instruct that computer to do something, you can probably add an extra instruction or two in there. And I think I was down in Houston
when there was that Rockwell bug where the malware was running below the visible cycle in the HMI. So, you know, we've had bugs in BIOS for years. We've had bugs in network cards. Anywhere there's silicon and a microprocessor, there's a potential for malicious behavior. And you know, something like an inverter where it's widely distributed, the adversary they're putting behind this plays a very long game. So, it's like, well, I'm going to make something and, you know, I'm going to turn it off in 10 years. I need eight years to get it to market. And I don't think that's far-fetched at all.
>> Awesome.
>> So, what we're talking about here is solar inverters and batteries where 4G chips were installed covertly in the equipment. Uh, so one thing we try to do at Dragos is fight against fear, uncertainty, doubt, uh, in the industry. There's a lot of that today, but this is not that. This is a very
>> No, no, this was very real. And in fact, we just learned a couple weeks ago that these were exercised in December 2024 and they shut down remotely from a country that manufactured these devices, uh, these solar inverters and batteries. Uh, so someone exercised that ability, uh, just last year. So it's very real. This case is a very real case of, uh, embedding a malicious device, uh, into, uh, critical infrastructure.
>> I'm still getting some panels anyway. But here's one thing I will leave you with, right? Is it real or not? Just think what happened with the pagers. That's a long game, right?
>> So certainly real, right? Obviously I don't carry pagers. You got one on you. But, uh, yeah, they're certainly playing the long game there. Um, here's the next one. Colonial Pipeline made a very difficult decision to shut, so, you know, remember the big compromise, right? The pipeline in the eastern US had to shut down, or they made the decision to shut down. Now, you know, the threat wasn't in the operational environment, at least everything I've read. You might know something different. Uh, but they made the decision to shut down that pipeline, which I think is 45% of all fuel goes through that pipeline in the eastern US, right, uh, or the entire east coast. And I think the other thing too is when they start up the process, it's not something like, okay, reboot and we're back up in line. Like, it takes weeks and weeks. So they had people, I think you saw in the news, filling up gas in their pickup trucks lined with plastic, like some crazy stuff in the US.
>> Um, but, uh, yeah. So what are your thoughts on that particular event? Again, we're not trying to pick on
Colonial or anybody else. Obviously, they've already been run through the wringer on this, but, uh, what are your thoughts on that particular event?
>> Um, well, yes, I think they made the right decision to shut down, and we use the words abundance of caution. Uh, I'll leave it at that. Um, the problem is they didn't know. Mm.
>> They didn't know if it went further or not. And that really is on them, because they had plenty of guidance, some of it from very knowledgeable people like the folks at Dragos, on understand your environment, know how things work, know that the knee bone is connected to the thigh bone, that this app talks to this app. But there is another subtle piece to that that is sort of missing. So even if they had segmented off that environment, a lot of their ability to operate, like you said, 45% of the fuel goes through there, somebody actually has to pay for that. So there's a whole billing system and everything else. And when you talk to a lot of people in the OT environment, they say, "Well, we'll just isolate from it." And it's like, "So are you going to answer the phone and say, 'Ship me 50,000 barrels of crude,' or is there an app for that?" And of course it's all these, uh, we call it OT adjacent, like these business functions that are there in the IT environment to drive and support the business. You know, when's the last time you guys filled out an invoice? You don't do that. There's other departments that do that, right? But if you're not doing the work, there's nothing to sell. So there's a dependency on both. So, did they cut it off because they couldn't sell the gas, or did they cut it off because they weren't sure? It was a bit of both.
>> So, just some perspective, right? It was VPN, no MFA. That's where it all started, right? They got initial access. And I've said this before, right? What do they do? They've got to break out of that system or move laterally. So, there's tremendous opportunity for defenders to detect the activity in the environment and maybe not have to shut it down, but again, cautionary. I'm sure they went and evaluated that. Some other notes: it was $4.4 million in ransomware that, right, they paid. They got 845% back from the FBI, but I think they were also fined millions. Like, I think there was a massive fine. So you're thinking, yeah, we got the money back. No, you didn't. Someone else, it got redirected, right? But talking about after, right, so they are compromised. Um, Austin, what do you think? What do some good OT-specific incident response plans look like, right, and how might they differ
from IT?
>> This was a lob, like, I couldn't ask a question that's perfectly suited for Austin, that one.
>> Well, yeah, it was an interesting case, certainly, and I believe they did the right thing because they lost the ability to understand what was in the pipeline. It wasn't a direct operational impact from the DarkSide ransomware group. It was their ability to see what was in the pipe, what was in the line pack, what was getting delivered to customers. And if you don't have visibility into that, even though it's more of an IT system, you can't operate your pipeline. So they were really quick. They shut down right away, and they were able to come back within 15 days, which isn't terrible, but they would have been a lot faster had they had visibility, had they been able to really understand the overall impact, uh, and if they had, uh, probably more planning around incident response, more of an exercise between IT and OT ahead of time, could have really helped them out. When you're working in an operational environment, it's very different than doing incident response in an IT environment. Often you're under the gun to get that system online as quickly as possible, because every hour is millions of dollars or hundreds of thousands of dollars, or it adds up real quick. So, you're not too concerned about forensics. You're not too concerned about trying to figure out who did it. Just trying to get back online and, more importantly, trying to keep everyone safe, ensuring everyone can go home safely. So, those are some of the key things you need to do in an ICS incident response plan. And it's not something that you write down and just put in a drawer somewhere. It's something that you need to practice. Right? These two groups, the ICS folks and the IT folks, they don't always get along. They've had maybe some bad experiences in the past where the IT folks come up to the site in flip-flops or something like that. And they're running network scanning, uh, against their environment, knocking systems over, and that impacts the bonuses of people running the plant. That's their Christmas bonus going out the window with that downtime. So, you know, there may be some, um, resentment there. So, you want to make sure before game day you practice, you know, you get those folks together who may have difficulty getting along. You've got to exercise that together and make sure that, uh, you know, when that happens, because it's just a matter of when, it's not if, I'd say, uh, you're prepared, uh, to run that playbook.
>> Sounds like fun.
>> Yeah. Yeah. Yeah.
>> Okay. Bill C-26, right, was big talk. I know there were lots of sessions by people saying, "Get ready, Bill C-26
coming," and then they scrapped it, right? And now it's Bill C-8, but a lot of it still remains. Any thoughts on that? Any takeaways from Bill C-8, formerly Bill C-26? I'll go.
>> Yeah.
>> Doug first.
>> I read it.
>> Yeah.
>> Yeah. Painful.
>> I'm that guy.
>> Yeah.
>> And then I summarized it with ChatGPT as well, just to make sure I understood what I read, because I'm not a lawyer. The parts that I took away were $10 to $15 million a day for a company that's found in breach of this. My favorite part is where they're allowed to kick in the door and look around. That's kind of cool. Uh, the other big takeaway is there are six critical infrastructure elements. And guess what, for Alberta? Yep. Power, oil, gas. Yeah, we're in there. Um, what's interesting compared to the TSA, which was very prescriptive, and just leave it at prescriptive, uh, they say in C-8 that you need a cybersecurity program for your environment. So they're already telegraphing this is not a one-and-done. This isn't like clean up your room and it'll stay clean forever. Build a program. And, you know, close to my heart with the whole, you know, cybersecurity podcast enterprise risk thing, have a risk assessment. And I've spoken with the CER folks a few times: we don't care what you do for a risk assessment, it must qualify as a risk assessment, but whatever methodology works for your company. And I've been in meetings where people have debated the merits of different risk assessment methodologies, and the answer is do one rather than worry about it. Just pick one and get going. You can always refine later. So do the risk management. So they were gearing them towards a methodology, but they left a little disclaimer, more to be revealed. So I think they're going to come back with more legislation, because in Europe they've definitely gone down that route with very prescriptive things. But the fines are real. They're saying this isn't voluntary anymore. So that's how I take it.
>> Yeah. And I'll just add, like, the fines for the organization is one thing, but now C-level and directors are also accountable. And I think that's the scary thing. The individual could be, like, fined 10 to $50,000. I think $50,000 or $25,000. Yeah. $50,000 per day. The individual, right? So you now have accountability. So if you don't have OT visibility, you might now. And critical infrastructure, right? Includes telecommunications. Sometimes we forget. We think pipelines. We think all the other things, but it also includes, um, telecommunications as well. What do you think, Austin? Did I steal one of your thunders?
>> No. No, not at all. I've got a lot of thoughts.
>> Okay. On this.
>> You've got one minute of thoughts.
>> Okay.
>> Yeah. Uh, the
I mean, I see it as sort of a shield and a sword. Like, the shield, you have to get that proactive cybersecurity program. Uh, you need to understand the, um, the infrastructure in your environment. You need to get that SBOM. You need to have that sort of supply chain management, which is good, very advanced. It seems very reactionary to the Volt Typhoon, Salt Typhoon kind of incidents we're seeing. Uh, so I like that. I don't like how they're putting all of the critical infrastructure, what they consider, I don't know, critical, in one bucket. Like, we're in the same bucket, uh, finance and communications and pipeline and electric. Like, I don't think that's going to fly. They haven't been really prescriptive about what that entails, but they're pretty clear about the fines, and the impact is pretty severe. Uh, and, uh, they can just kind of show up whenever they want and tell you what to do, which I don't think a lot of companies will enjoy. Uh, one of the things they're kind of interested in doing is asking you to rip out a particular vendor in your environment, uh, at a moment's notice. And if you fail to do that, there'll be massive fines. So, it's one thing if it's Huawei, but it's another thing if it's Cisco. What if they come up and they're like, you know, all the Cisco stuff, got to rip it out. Or
>> the internet. What do you mean? Yeah, you don't want the internet.
>> Or if it's, uh, you know, operational impact, they're like, shut down the pipeline, shut down the grid. Like, they have that authority. And if you don't comply,
>> yeah,
>> big fines.
>> Yeah. Scary stuff. But I think needed stuff, right? Like, I think again we've got a lot of different frameworks and regulations, compliance, like these are all coming and intersecting with each other. Making sense of them all probably is not easy, but I think the accountability piece is the big advantage of this, right? Is now somebody knows that they might be fined or negligent and even criminal. Like, it's not just a fine, you could be criminally charged as well. That maybe you'll get the budget that you finally need to be able to do some of these things.
>> And it's secret as well. Like, if you are told to do something, you can't talk about it. It's secret, uh, when you're asked to, uh, do these things. So it seems kind of scary.
>> Yeah. Yeah. All right. We don't want any more on that one. So what are some of the most common gaps that you're still experiencing in OT? So right there we know visibility is going to come up, but maybe give maybe
two or three, and then Austin, you add to it.
>> Okay. So, yeah, visibility, all in on visibility. I think the second thing is it's one thing to say I can see something, but do I understand how it's connected? So, I've seen risk assessments in my own work where it's a PLC, therefore it's critical. It's like, no, not all PLCs are critical. And you know what, maybe the switch in a safety system is the most critical thing, that sensor. So understanding the actual construction of how something gets done and where the bad thing is going to happen. And the, uh, Idaho National Labs has come up with this thing called consequence, CCE, like, uh, cyber-informed consequence blah blah blah. But basically, you walk your whole system and you figure out where the bad thing is going to happen that could be done by a digital means, and figure out if you can engineer your way around that somehow, some way, because you're never going to patch all the things. You're never going to tap all the things. You're never going to respond fast enough. And some of this stuff was never meant to be in the environments that it's in. But it doesn't mean that we can't, we have to run it this way now. That's kind of the world we're in. So I think the visibility, and then the other is you alluded to it. Last time I checked, when I walked into the building, I work for the same company that my OT peers do, and there are some meetings where that doesn't seem to be the case. So I think us working as a group to solve the thing of significant nation states with real adversarial intent and the resources are here to mess with us. Are we all in on defending or not?
>> Fair enough. Austin.
>> Yeah. One of the challenges we see today still is vulnerability management in ICS. It's really tricky. All these systems are often antiquated, old. Sometimes there is no patch for those vulnerabilities, or it's in a remote platform. So you kind of have to embrace that risk, uh, and, uh, understand that you may not be able to patch that for years. And how do you do that? You know, network visibility is a huge thing there. How do you know if your vulnerability is being exploited if you don't have eyes on it? If you don't have eyes on that device. So you've got to have that network visibility. A lot of customers we see still don't have a dedicated incident response plan for OT. We see a lot of segmentation issues still today in 2025.
>> Yeah,
>> we see a lot of issues with, uh, remote access is a big one. Like, there's many flavors of remote access too, uh, and
how to handle that properly, you know, but visibility can help with all those things. It can help bolster those, uh, and give you those insights, you know, to kick off the IR, to make sure the segmentation's working, to monitor for exploitations of those vulnerable devices.
>> Yeah. So knowing is half the battle. Where did I hear that before?
>> Yeah, that's right. You can't defend what you can't see.
>> Yeah. Um, yeah. So other things too is, maybe, you know, and this may be going a little bit further as you advance, right? But true risk of vulnerabilities, not every vulnerability is a risk. Um, and so make sure that you're prioritizing things that really matter. Uh, the other thing is configurations, right? Can we statically define what a configuration looks like? And then if there's changes or deviations at any point in time, can we get in front of it? So those are a couple of good opportunities as well. Uh, remote access, funny enough, like, it's almost like he read the questions before he got here. Uh, remote access, uh, we all know that, uh, everybody wants data at a vote, right? Data is the new oil or gold. Uh, but we also know that we need people to get into the environment to be able to manage and support it no matter where they are, uh, in the world. So, you know, remote access, still a thing. Any comments around it? What are we doing better? What could we do better?
>> Um, we are doing better. There was, uh,
>> it's, we, you or
>> no, we as an industry. There are more choices than we used to have. Um, like, 10 years ago, you pretty much had a Windows jump server or a VNC box, and that was kind of it. And so there was an ISA meeting in Calgary last Thursday, and I was impressed with some of the commercial offerings that were there. It's like, this looks pretty well thought out and pretty low friction. It's still remote access, and the key is still going to be who's granting the authority to that account. And do you let everybody in as admin, or do you say you're in for these three hours to do this job on that piece of equipment, and you've actually got the infrastructure underneath it to support it. But to Austin's point earlier, a lot of this stuff doesn't necessarily support some of these whiz-bang features. So I think, I like whiz-bang,
>> putting that, you know, authority right here at an edge box, and then saying this edge box has connectivity to these two things and that's the end of it. It looked like a neat way to kind of resolve some of that, but, you know, a
lot of details,
>> Austin.
>> Yeah, a lot of it.
>> Yeah, for sure. Uh, the vendors, they always need access into that equipment quite often. It's part of their contract.
>> How are the OT folks in the field? Like, are they prima donnas? Like PM prima donnas? Like, team, like, the field, the guys doing all the magic.
>> Oh, they're great. They're great. You bring them some donuts and everybody's happy. Uh, they're salt of the earth. Good folks.
>> Fair enough.
>> Uh, but the remote access thing, a lot of vendors contractually require you to have it, but then these devices, like these Sierra Wireless devices you put out there, like, it's kind of in a gray area. No one really maintains them, and they sit around for years and years with critical vulnerabilities, and then people are using them for these, uh, we're seeing a lot of this activity around these ORBs, or operational relay boxes, that they're using these, uh, compromised remote access devices to punch holes into these
>> energy environments, and also use to, like, relay attacks. So it's hard to do attribution when you run through a bunch of these remote devices. Um, so you've got to really be able to take ownership and track who is, uh, actively using remote access. There's so many RMM tools out there for remote monitoring and remote management. There's, like, AnyDesk and, um, like, Chrome Remote Desktop. You want to have eyes on that when those things are kicking off in your ICS environment. Like, you want to know about it, because we often find these vendors will kick off remote access, or some operator will go home for the weekend and turn on Chrome Remote Desktop, and, you know, it opens you up to, um, unnecessary risks, I'd say.
>> Yeah. Um, so a couple of things. I think secure equipment access is something real now, and I think there is the transition in the market to go to zero trust outcomes, right, using native internet-based secure protocols, um, and authenticating, biometrics, MFA, right, all as conditions to get access to the system securely. And then, more importantly, we're starting to see recorded sessions, so once you get into the system it's automatically being recorded, so anything that the operator, technician, whatever, does, um, you know, somebody at least knows it was done, right. Um, so yeah, all good points. So what about platforms? Are you seeing this whole thing around platforms really come to fruition? Platform-based security, and again a little bit more focused on the OT side. Obviously in IT I think that transition in the market's kind of happening, but what do you think in OT?
>> I think, like with any security product, vendors eventually figure out they need other stuff to go with it. I mean, your
company for sure, they're masters at it. Oh, we're missing this piece and that, and they put it all together. So, I think the size and scale and the reliability that we need, I don't think you want to try this at home. I think you want to engage a software vendor company, you know, like Cisco, Microsoft, Palo Alto, like these are big companies that have the might to make stuff work. And, you know, like these companies say, "Oh, I want best of breed." It's like, well, who's going to glue it all together?
>> I'll take the second best of eight things and they work flawlessly. Might be all right.
>> So, I'm a fan.
>> Yeah. Uh, Austin, your thoughts?
>> Yeah, I mean, I, full disclosure, work for a platform company. So, yeah. Uh, but I mean
>> are your pieces integrated with each other?
>> We're working on that.
>> Yeah. And it's hard, isn't it? Yeah.
>> I got called out to the... Anyways.
>> No, no, it's hard, right? Like
>> it is hard. It is hard.
>> And the problem's much larger than I anticipated going in. Like, the scale of industrial and the amount of equipment out there is staggering. It's incredible. Just the number of devices and vendors in the space. So, it's a massive problem, and the market, you know, we've been at it for 10 years almost, but the market's immature. They've got a ways to go. You know, if you're buying a platform, be ready to be part of the journey, 'cause it's not going to go 100% smooth. Uh, no matter who you pick, it's an immature market. You know, this is new. Um, but, uh, you know, you've got to do something. You've got to, uh, jump in. But you're going to be along for the journey, I think. So make sure you know the person you pick, make sure you, uh, like working with them.
>> Yeah. So I'll give a couple of comments. I think platform doesn't mean one vendor. Um, platform means, you know, a platform that you can drive outcomes across multiple different systems. Sure, one vendor might provide a lot of it, right? But OT security will go much beyond maybe some of the components that they have, right? So from vulnerability management to patch management to, you know, isolating and microsegmentation in the data or in the operational, all of those are pieces, right? So, um, there is a ton of complexity. I think the industry as a whole, forget the, you know, the manufacturer, is trying to do better with platforms, and you're starting to hear the term best-of-solution versus best-of-breed, right?
>> Um, all right. What about HMIs in the cloud? Cloud, cloud everywhere, it's clouds.
What do you think? Is it real?
>> Depends on what you need.
>> It depends. That's a dumb IT answer, is it?
>> No, it's not. No, it's not dumb.
>> Always depends, right? We hate that answer. Who likes that answer? Nobody.
>> Yeah, there we are.
>> There's a consultant, right?
>> Yeah, they're all consultants, right? They're cha-ching, cha-ching, cha-ching. It depends. It depends. It depends.
>> It depends. It depends on how long you can go without that information.
>> If it's a trending thing like vibration monitoring, heck yeah, why not, right? But if it's are we at critical temperature or not, I want that as close as possible. Fair enough. Austin, any thoughts? Are you seeing some people moving towards cloud for HMIs or any operational elements?
>> Certainly for monitoring. I think that's very powerful. That data is gold, right? It's very valuable for, uh, any company to have that in the cloud and be able to do interesting stuff with it with AI and models, LLMs and things like that. Uh, there's a lot of potential there. But the control aspect, people like to have someone local, uh, to hit the big red button. Not always possible, but remote control, uh, through a secure remote access solution, I think, is preferable to a cloud-based HMI.
>> Yeah. Yeah. We're certainly seeing it, right? And then now there's new vectors, new risks, right, that we have to consider that maybe OT didn't consider, right? Maybe these three did, right? But, or four, I think there were four people in total, but, um, now again, Rain Man beside me, right, like the next question, AI, right, you just mentioned it, so I'm giving you kudos, like you're one step ahead of me.
>> Like I read the questions or something. That's great.
>> Um, AI, are you seeing it? Is it a real thing in OT? Are we starting to see it being leveraged in the edge at all, anywhere in the environment?
>> Uh, I know we're kicking tires, um, and when I talk to vendors, they're telling me things like F-35 fighter jets are using, you know, local models to do the sensor checks on the jet before it leaves the boat, that kind of stuff. So, this distributed model thing coming down, I think it makes sense. And I think it was the first talk this morning where they were talking about control over your hardware, control over your model, control over your prompts. But it still doesn't sound like determinism to me. They said you had, like, the squiggly equals, you know, roughly equal. And it's like, no, I want it exactly deterministic when it comes to certain real-time systems. So, I think better quality sensors,
>> smarter control, but I don't think it's
going to be the final control.
>> Interesting. Any thoughts on that? So I see a lot of, um, bring your own model, BYOM, uh, in play today, where you can hook into an API and
>> you just made that up.
>> No, it's a thing. It's a thing where, boom. Yeah.
>> Uh, so that works well for companies because they have policies around what LLM you can use, when, what you can't use.
>> Um, but I wouldn't give control over to an LLM of a critical process. I'm sure we'll see some regulation before too long preventing that from occurring.
>> Yeah, it is interesting. I think autonomous systems, big trucks maybe in a field of sand with oil, uh, might be autonomously working through
>> maybe.
>> Yeah. Right. So, I think it does exist. I think you're going to start seeing more and more models being leveraged. Again, with caution at first, but here's the interesting thing. I don't know if, and again I might be wrong here, but, you know, the Tesla robot, I don't know if you've seen the latest video, but I thought that robot was a human inside, like, a costume. I didn't think it was the robot, but it was the robot. Like, that's how fluid it moved. And I think he's predicting there's, like, something like three times the amount of robots than humans that are going to be in the world, right? Three times the population are going to be robots, right? Um, and that's all going to be AI. So, I think it's coming. It's coming fast. I think it's scary. I don't think that we're putting any measures on the security. And some of it doesn't even exist, right? You don't even have the capability in some environments. So, I think get ready for that.
>> All right. As a guy who worked on those trucks, I'm not sure, I... there were still real-time sensors there.
>> Yeah. Yeah. Yeah. Fair enough. Fair enough. But you can use the model to make the decisions at, you know,
>> yep, faster
>> high speed. Yeah, I think we're close to the end, folks, but, uh, let's talk about maybe how do we grow focus in the operational environment. So, you know, there's a tremendous room of IT folks, some rockstar OT folks. What can IT and OT do to kind of bring things together? You mentioned that earlier, right? A lot of times we're still not seeing the teams come together, but they walk in, they have the same badge, they have the same goal, but we're not coming together. Is there anything we can do? And are any of those skills transferable? Like
>> I think so. Um, this is another critical infrastructure company I worked for, and we were doing something not quite as controlling as the trucks. But
when I was working with the people in this environment, I think there's things we can bring as IT people who've been down there with the malware and the, you know, getting networks to talk and stuff like that that we understand certain things about the operating systems that maybe those could be used. And I think for us the ability to understand what's a solid practice from a hardening perspective. And the other one is this whole cattle versus pets thing. A lot of bespoke configurations in these OT environments. And a lot of that stuff could be rebuilt or remediated using automation tools and things like Docker containers and stuff like that that kind of make it a little
easier to roll back. You just go to the last known good image. And it was at the last time we did this at one of besides the COVID thing and it was Paul Smith that said because I think I asked you what would you change one thing and he said configuration management and that really got the gears going like what if there was a GitHub for your SCADA system and you could go back through every change that was made instead of looking at a log book. That's that's a neat idea. >> Yeah. And I I think listen it, you know, they patch systems, system hygiene forever, right? OT, nobody takes a shower. No, I'm just kidding. I'm just
kidding. But your systems run forever, right? They run forever because that's what they're meant to do. And so you don't care necessarily about patching; it's uptime. But I think IT can bring those methods into OT, and then you're going to say, "Wait a minute, stupid." Right? If you patch that system, it's going to take a safety control system offline and somebody might die. Right. So you both coming together will say, "Okay, wait a minute. You know, availability is pretty important over here." And maybe I should slow down a little bit and talk about ways to maybe make the environment a little bit more resilient. So we could do the patch for only the critical things.
>> Austin, any thoughts? >> I mean, we see a huge skills gap in ICS/OT, and you look at all the gray hairs up at the front of the stage here. Like, you know, that group is getting older and they're going to look at retiring here, uh, pretty soon. So there's, um, I mean, maybe not these guys. These guys are young. But, uh >> so you had to sit too close and say I'm OT, and now the light's on. >> But, uh, I think with our last question as well, the AI, it can help close that skill gap quite a bit. It's a lot of esoteric kind of knowledge in ICS, and having, uh
AI can help accelerate people in IT who are interested in coming over, uh, and people from OT who want to learn the IT side. Like, it can really accelerate that learning and operationalize their abilities a lot faster. So I think there's always opportunities. We need the help. We need the skills out there. >> Yeah. So come hang out. Let's be friends. Right. Um, last question, then I'll start with Austin. You can feel free to jump in; we've got like four minutes left. Um, you talk about, uh, what about threat intelligence? I mean, obviously important. OT, a little different animal. Uh, is it the same as IT threat intelligence? Should
you be sourcing it differently? What are your thoughts? >> At the end of the day, you want your threat intelligence to be, uh, actionable. It needs to have something that's applicable that you can use. You need to understand what the threat is, what the impact is, and how you can do something about it. Uh, and it doesn't really give you that in your ICS environment. So you need to know who are the people, who are the groups who are targeting ICS, and what are they doing, what are their techniques and tactics, what sectors are they targeting. Uh, I think that can really go a long way with operationalizing your cyber threat
intelligence for ICS. The IT stuff doesn't really give you that lens. >> Do you see, um, not so much threat intelligence, but just knowledge of the adversary? Do you see the MITRE ATT&CK framework being a source of information that's specific on ICS, or is that more of... Yeah, not really. I don't see it, you know, actually being leveraged in industry. >> 100%. Yeah, we use that. There's a specific MITRE for ICS that is leveraged, that really provides that nomenclature, that, uh, like a Wikipedia of terms and techniques and tactics, that you can have a conversation and know you're talking about the same thing with two different threat intelligence... I mean, the one
thing, the one thing that two threat intelligence officers can agree on is that the third one's wrong. Uh, so it's really hard to get a consensus in that community. >> Fair enough, Doug. Yeah, I would 100% agree that, yeah, MITRE, all in on the MITRE, and the ICS-specific one is not only the breakdown of the numbers, they're different, but even the impacts and the actors. Believe it or not, if you read to the bottom of the page, there's a lot of good stuff and some links at the bottom you should read. And yeah, I've consumed all the flavors, and OT-specific
intel for OT is night and day from the IT stuff. I don't find any value in the IT itself. >> Yeah, there might be some cross value in the sense of if it's an operating system that's Windows and is critical, then obviously it would have some good data points around it, but it may not have an understanding of the operational process and the impact of that environment. Um, MITRE ATT&CK, for those that aren't as familiar with it, uh, the thing I love about it is it's based on real world. It's not the what-if stuff, right? This is based on something that's already happened. This is how the adversary has seen success, and then they
continue to rinse and repeat, and you can take that knowledge and then build in your defensive capabilities, right? Whether you can prevent or just detect, um, into an organization pretty seamlessly. So, I love it. So, any final thoughts, guys? I don't have any. Oh, >> I think it's great. Even though it was the talk after lunch and there were people yawning, uh, most of them fell asleep. Uh, thanks for coming out, and it's important that we get as many people thinking about this because there's not only jobs out there, there's a real need. >> Awesome. >> I got nothing to top that. That's great. Thank you. >> It's all about you guys anyway. Comm
Wait, Pashant. No. All right, Pashant. All right. >> Is there even a Q&A in this? >> Well, we've become friends now, so I'm now entitled.
[Laughter] >> Possibly.
>> Oh, yeah. >> That is interesting. So, I got a car that's got a lot of this, you know, automated stuff. So, if I go too far, it says, "Hey, wait," and it automatically steers, gets me in the lane, right? If I back up, it's chirping. It tells me to take a coffee break because I signal before I'm too far in front of the car. But I'm just signaling, right? Haven't merged yet, but it's squawking, saying, "You can't do that." I'm going, "I know. I'm waiting. I'm going to..." But I was thinking where bad could happen. So, I had the door open. I just wanted to pull up a little bit, right? Uh, into a parking
spot, and, uh, it wouldn't let me. But what if I was, uh, you know, some female late at night trying to get away from somebody that's trying to attack me, or male, it doesn't matter who it is, right? And I would have been panicking because the car wouldn't move, forgot to shut the door, right? And, you know, maybe that's the last conversation I have. So I think you're right. Like, AI is good, but there's these nuances that come up that you don't even think about. Like the manufacturer's thinking, "No, you shouldn't drive with the door open." You're right, but I'm going to be murdered. I'm okay with that risk, and I can't override it. Anyways, thanks
everyone.