Industrial Cybersecurity: IT/OT Convergence

Hello everybody. I I think the the after lunch is the one to have because I I have a handful of people here. I appreciate you guys all coming. Um I'm Anthony George. Um I am uh I own a company based out of Witchaw, Kansas that does industrial integration. So we help small and medium manufacturers integrate these technologies that we're talking about into their manufacturing environments. We primarily target small and medium manufacturers. So um not companies like Cargill or KO, they have in-house data scientists, uh data analysts, industrial cyber people, but we help these small media manufacturers, mom and pops as we like to call them sometimes, help them apply this actual technology. Um this is

a link to my website, but what I'm really trying to accomplish here is this is my LinkedIn. I'm trying to grow my LinkedIn. This is all part of what uh growing a company is about. So, and and to get the information out there. Um my background. Um scan this is also be at the end if you want to scan this. Um so, I have a degree. I I grew up in Rose Hill, uh Kansas near Witchah. I joined the Navy right out of high school. Um when I joined the Navy, I joined the Navy to actually be a Navy Seal, but I got hurt and I got reclassified into cryptology. So, I end up after six years

in the Navy as a cryptologologist. got out of the Navy um went to college to get a degree in computer programming um and then picked up a job working for um Rathon or defense contractors on uh various projects. Um at the time it was high altitude unmanned aircraft. Um I joined the Canary National Guard at the same time and became a reservist. Um over the next um few years I became a a cyber warfare operator. So I was attached to a cyber protection team out of Witchaw. Um I was actually the first hireer for the cyber protection team in Witchaw and we were tasked with um securing um some of the nation's most critical assets primarily around

industrial control systems. So I was born out of that. Um I attended some schools in the Navy for building security systems. Um but this isn't about me. I'm I'm going on here. But um I I do hold a CISP um uh and a SANS um certificate in forensics um cyber warfare operator um cryptologologist 14 years DoD systems engineering. Three years ago I moved back from Italy and I started this company. Um it was initially a different company and we pivoted a little bit. So I I initially started offering industrial cyber security services. Um but what was really needed as I walked these factories is what I understood is that these manufacturers actually needed help with the digital transformation or

applying the technologies. I took some of my systems engineering experience and my industrial cyber security experience and GCE was born or rebranded. Um this is the long list of this is what I don't know this is I even wrote this before Chad GPT really was in my life but we go into existing factories and we modernize and secure them. So we build smart factories a little the wrap around them the building the HVAC controls the systems we bring all those in in addition to the machines and then what we try to do is we try to normalize the data over this um entire infrastructure or ecosystem so that we can now um use machine learning algorithms and AI to

kind of drive decisions around the processes um and such a small group and it's bides if you guys have any questions just yell them out so I don't get bored standing up here just saying what I always say to people. So any questions, comments, whatever. And we got a small group so let's hear them. Um so just to cover how we got here or or the the way that technologies advances here is we have the first industrial revolution um or the industrial revolution as it was known. Um basically machines were created. Cotton gin instead of doing it by hand you had a machine that could do the process. The second industrial revolution um really was powered by

electricity. Um but what enabled that now is for multiple machines to be working in conjunction. You hit one button, some machines happen. Assembly line for Ford as most commonly known uh mid mid 1920sish um the third industrial revolution. This is um basically the the um automating of factories. So you hit a button and the process starts and many machines are working together. So this particular industrial revolution the United States was dominated by countries like Germany and Japan because they embraced these technologies and so we at that point we offshored a lot of our production decoupling the engineering of the manufacturing processes from the actual process which left us at a slight disadvantage in producing better

products over time. And then we have the fourth industrial revolution. Um probably really kicked off around 1999 um when TCP IP won the internet wars and the internet really um took off. Before that there was stuff like net net bios and net booty going on. There's some different different type stuff but now we have this common um language that we can communicate. Um and the thing about industrial revolutions is you often times don't know when they start until after they're over. So what we are amongst now is what many believe to be the fifth industrial revolution which is AI. So um I know who here hasn't heard of AI. It's crazy because when I you I

didn't expect anybody because I've heard it like 20 times today more but when I first had started giving this talk four years ago most of the hands would go up in the room and and now today it's common knowledge. So, um, this is a this is a presentation that I gave in Witchah 6 months ago and I submitted it to Bides to get in. But, um, things have changed. There's going to be things in here that are different than I than I gave before. I learn how to use technology. So, first industrial Oh, man. I already covered all this. We're flying through here. Fifth industrial revolution. Fifth. This one fell flat in Witchah. Is this funny to anybody? Does this need to

come out? Okay, this is Bides. It's a lot better. Like I heard people cussing so I might [ __ ] cuss. I don't know, you know. Oh man, I'm live streaming for my my daughter's on here you guys. Um so um time frames for what happens and what really happens in the mechanization all the way to the the personal. So we're doing per people to machines now and this is and the third is machine to machine. So and then it's machine to human and now and now going you're going to get chips in your brain and it's going to run a robot across the room. Who knows? What I will say is I have no idea for the first time in my

life that I can't even really think about 5 years from now what it's going to be like. I was in um full disclosure I spend most of my time in business development now which is why I love here because this is the technology. I I miss being in the technology as much as I was. So this is a great place to be in the technology. But as I go to go to these businesses and I'm helping them apply this technology to get them through these industrial revolutions, I'm telling people not to buy software, which is crazy to me. There was a certain point where I was like software runs your business. Spend the money on the

software. But now you can prompt AI to create the software. So really your competitive advantage is going to be high quality people making good decisions and your data infrastructure the data lake the data layer the underlying the back end of the software the front end of software from 5 years I don't know what it's going to look like you guys it might just be an AI generated thing but I can't predict this and you I'm 42 um so I grew up in the 80s and I know what Skynet is and I watched Terminator and I did all this stuff you know and so I'm I'm read 1982 So I you know so I can I have a little

bit of idea what some people can see into the future but um for the first time in my life it's it's a little bit more scary.

Um speak I speak fast sometimes. So uh is there any questions at this point? Anybody want to mix this up a little bit? Anybody got experience? I have here I have a little story. Um I was reading a story about a uh deep fake. So this is something that I wouldn't have spoken about even six months ago, you know. Or if something really interesting in this is if you watch a video of Will Smith eating spaghetti. This is kind of the famous one if you've seen it. The original one is it's terrible, but it's like oh that's cool. That's cool. When I first saw I said that's neat. when you see it now it's like is that actually

Will Smith eating spaghetti I don't know you know so um what happened uh the recent story was $25 million deep fake CFO of a company calls an employee employee voice communicates with them and the deep fake convinces the person to wire $25 million so this is a whole different attack vector than we've ever seen before but gone are the days when you tell grandma man look look at the words they're not even spelled Right. No, you don't have to speak English to well to write well-crafted fishing emails now. So, you can't even tell people what

Yeah. video face to face. They were face to face. They thought they were doing the proper uh protocols to do that, but you can't even trust that anymore, man. Someday, guys, we won't be able to trust the person standing right in front of us. But that's a problem for my kids hopefully. So um and you know so retired from the military cyber warfare operator and just to cover what I think is so dangerous about this particular technology is normalizing it as a weapon. So just like we did with nuclear, we normalize nuclear. We normalize submarines attacking ships that were defenseless with stuff under the sea. You know that wasn't that wasn't real humane at the time. But

we're going to start using this and it's being used. It's already being used. I gave you guys an example there. But you can craft really good malware with AI. You know, I'm telling you that's creating malware. Write me embedded code. Oh, I'm not supposed to move off of this. Have I seen I've seen the I've seen China fighting the robot dog with the drone in the air, you know, and and I've spent So, I was a project manager for WSUE smart manufacturing incentive. So, we had one of those dogs and uh it's Boston Dynamics dog, but you can buy cheaper u kimu versions or whatever from China. Well, it might not be cheaper now. I don't know. But, um that's a

polit that's not that's any too much a political statement for this place, but um yeah, so the AI the robots finding each other um the world's going to change, you know. Um if you need to if you need to shoot a robot, use magnesium shotgun slugs. That's not the topic of the conversation, but that's what I've thought. Uh because the magnesium will ground all the terminals and stuff and cause it to short circuit. So, you want that metal spread out throughout the robot. Um but what was that? Yeah, that's right. You know, you make a little little fire that can't be put out. Um so, so what what do we do? So I walk into a factory and I help these

these manufacturers get to the other side of this industrial revolution. So the first thing that we're going to do is digitize the information. This is where IoT comes in. This is where you start to pull all the data points that sit in your environment. You're trying to get them out of that environment into something. Um because I literally will see a piece of paper that will say I made 1,500 parts and they'll write it down at the end of their shift. They get to write down the number they want to write down and they might get paid based on the number that they write and they hand it to the shift supervisor and then that shift supervisor reads it but it

looks like it's you know 500 parts. So now it gets put into the ERP or the the software that runs the organization has 500 parts inventories off or it smudges or it's in the wrong language or it's just not passed right. So how do we ensure that the data is accurate? And this is where IoT comes in. And Isaiah is not in the room, I don't think, but Isaiah uh no, yeah, Isaiah gave a good talk on how to attack these IoT devices upstairs. And and he's he's absolutely right. That would play into how you could essentially data poison your your models. Um so we walk through, we look at the we look at the environment. You

know, I I speak a lot about manufacturing because that's what I work in. Um, so, um, I do have some knowledge in oil and gas and power generation, prochemical stuff, but I'm going to stick mostly to, um, to manufacturing here. So, we install the sensors. So, you got a machine that's been sitting there that's been running for years. It might maybe was installed in some some cases in the 1960s, but it's it's a it's a machine press that comes down and press. Does anybody here work in manufacturing? Handful. Yeah, I know you do. This is the IIO. This is the industrial cyber security guide and no right here. It's Joe. Um I won't say too much. I

don't know what I'm supposed to say about him here, but um so we walk in, we try to get the data out of the machine. The machine might maybe is there still making products, but we want to know what's coming out. We can use cameras, we can use IoT sensors, we can use a PLC, we can run wires and then put sensors all over the device, but we can figure out what the machine is doing. And then over time, we can make some predictive analytics. Maybe it's around machine maintenance. Maybe it's around scheduling of your plant. Um, then we set up industrial software infrastructure. We build the infrastructure. This is the piping. Before I started before I

started talking, I actually called my daughter. That's how I kind of get my mind right. She's a biology major at Rono College in Virginia. And um, and we talked a little bit of tech, but and she was kind of asking about this um, what the talk was. And I tried to put it in terms that she could understand. And so it's the nervous system. If you know the human body, it's the nervous system. We're putting in the nervous system, right? What's going to run it? This is the most important piece is is is setting this up in a way that is not only secure by design, scalable, and agile because like I said, we have no

idea what's coming. So what we need to have is something that's agile enough to change with the technology around us. And you can't not move. You can't not move. In manufacturing, you're at this point where it's do or die, right? Because a machine shop down the road that pulls their data. So machines make um I work for military aircraft um parts producers that supply to like Textron, Boeing, Spirit. That's my target market. Now I do some other stuff. Um I apply the technology in in uh lower risk environments and I move it into my higher risk environments once it's secured, certified, and all that stuff. So it's kind of like a So I work some in food a little bit. Not like

we're taking risk in food or anything. It's just like we won't burn down a plant or something. Um so we we apply the technology, we harden it, then we move it in there. Um then we start to pull the data and we look at it and this is where you can start to use AI, some machine learning algorithms. So the algorithms that we use, oh I'm sorry, I was explaining a machine or the process of making a part. CNC machine makes a part. It's got, let's say, five axis CNC machine, drills, holes, cuts, does all that stuff. You extract that data. It's in what's with something called G-code, machine code. Um, and then that data now

can be put in machine learning algorithms that says you can speed up access six and that might improve your process 30% and you might make the parts in 70 70% of the time with 30% of the material. A machine shop down the road that does not collect the data cannot use the the algorithms to do that and cannot remain competitive in this environment. I live in a city that is full of small machine shops that I unfortunately know will go away. I'll walk through the organization and they have captured no data and I'll go to the next company and they have the data but they don't know how to use it. Having the data, not knowing how to use it,

you're way ahead of the game because to train a model, you need data, right? It's it's all about the data. We should be talking more about data than about AI because AI is useless without data. So the data structures, the data format, the master data models, how you hold the data integrity across the organization is important. And so we hold the standard. We use an industrial sta standard in shaping our data so it's easily understood by AI time stamp what sensor produced the data and then we put it in a payload or format that AI can easily understand and now you're correlating across I use time series databases um because ingestion rate basically ingestion rate and you don't need

relational databases. I'm not trying to get too technical in the room, but um clearly I did. Um cyber security measures. That's why we're here. So, what kind of things can you put in place? Zones, conduits, VLANs, subnetss, um you know, um putting the putting some of the standard IT stuff in place and some of the stuff that just you can't do. You wouldn't do it. Uh train employees. You got new technologies rolling out. You're going to get push back. You're going to get people that refuse to do it. you're gonna you're gonna get people to say, "Hey, AI is taking my job. They're not going to want to implement it." But it you have to enable them and you have to

encourage them to use it. Um, and then you have to tell them how their life is going to be better. You can't just push these products on them and expect users to use them. Um, compliance and certification's big in my industry. So, it's like how do you get these things through the process? Um, uh, aviation manufacturing moves pretty slow in compliance. That's actually one of my big pet peeves. life sciences moves even slower. So you're in like farmer or something like that, you'll see this technology probably lasts. Oil and gas uh or petrochemical, you you apply some weird stuff to a plant and you got a valve that doesn't open and it should open and you got a

you got an issue on your hand. Um so we all are used to this. I don't have my cell phone on me, but it's right there. But pretend like I'm holding my cell phone. And I used to when I gave this the first time, I pulled my grandma's flip phone out and showed everybody if if you had to compete against me and you had a flip phone and I had a smartphone and we had to order a pizza, check our bank account, um, and text somebody, who's going to win? The smartphone, right? But there's literally manufacturers sitting out here with this flip phone. But in addition to that, who's going to win even more between the

smartphones? The people that know how to use the smartphone, kids. You know, my son can pick up a robot controller. He was in robotics in high school, but they ain't working on fanic robots or these. He can pick up the controller and intuitively understand that. So, long gone are the days where as a manufacturer, your competitive advantage is access to inexpensive labor. Now, it's access to intelligent people who make great decisions. Because what's going to be happening is you're going to be faced with a decision. And just like how Netflix might suggest different outcomes, your your your suggestions will say turn the factory here, turn it up here, turn it down here, because you might turn machine all the way up and be

running it at full blast and it produces a lot of reject parts. But during COVID, if you produced anything, you made a killing. So you might want to turn it up as long as you can get spare parts for the machine and raw materials. You or you might not want to get bad parts and turn it down and get those efficiencies. but to pull that data out and be able to use that machine data to actually drive these decisions. Um, we've covered this, but why do you want to do it? You know, a lot of these places have their information in silos. They don't have access to them. They don't own their data. So, own your data. Um, that's very

important. And what's coming up because how are you going to like a good example is Ford doesn't own the data. Who does Tesla? You pull your Tesla in the garage at night, it gets an update over the air and all of a sudden you got your car's got 10 more miles of range, you know. So Ford, you pull your car in the night, you you open up a a piece of mail that comes in that says there's a recall, you take it to the Ford dealership, it sits down there for two months, Bosch is a company that owns Ford's data, might have to do a system update, bring that in. It's just the the that model is old in manufacturing.

Um, this is why we digitize. Um, I'm not going to read this to you, but um, it's because the the data can stay accurate. Whenever you involve a human in the loop, it's going to be inaccurate. Um, these data, uh, humans aren't built for these tasks. These tasks suck. The the task that AI and robotics is replacing when we have a term for robotics and what we call is dirty, dull, daunting, or dangerous. That's what we go after for robotics. This is just automating the processes, right? But also boring. If the job's boring for people doing spreadsheets and stuff like that, we go after those processes, too, because you're more likely to make mistakes. People are less

likely to take that job. We're freeing people up to do some of the more higher level thinking as human beings. Natural progression of society. 10,000 years ago, every single person in this room would be farming. You know, 1,000 years ago, it was like one and two. Today, one in like 600 or something. you know, combines drive themselves, GPS enabled, smart agriculture, don't water if it's going to rain, you know, planting the right seeds. We're we're finding efficiencies across every industry, not just manufacturing, a healthcare, you know, you name it. More with less. American way. Um, attack vectors for AI, machine learning systems. This is Wow. Okay. Well, anyways, um, I have a little mistake here. I had AI trying

to fix my slides this morning and I went back to my originals. So, this wasn't even AI mistake as me. So, um supply chain attacks. So, I've been talking about this one for a long time, but this one's even even uh more important now. So, when you're getting software, you want to know what libraries are using that software because what I could do if I was targeting power in the United States, for example, I know that Seammens, I had a lot more to bring in, guys, but I parked so far away I didn't bring bring the whole tub. Seammen's S7. This this bad boy runs a lot of the the infrastructure for power, right? So, if

anybody hasn't seen a PLC, this is it. You wire stuff in. Um I could understand that Seammens build some of this in CC code and where they get that library from. I could go in there and maybe if it's an open source library or something that I can put in there, I can put something in there so that now I know the logic that's running on the back end of this. So that's supply side attack. So you want to know what libraries are built. My company uses open source software. Um we do that for security purposes and scalability purposes because we can see all the code. We don't want to see code that we can't see. Um, also that's going to give

you a competitive advantage because if you have information that's locked behind a payw wall as we call it, um, AI is not going to be able to get to it or understand it as easily. So if you need AI to help you configure stuff or get access to information of stuff, you want something that doesn't sit behind a payw wall. So you want open source stuff. And then this right here I'll cover is it's called an estop. I I have a slide coming up, but it's ESTO. You hit this button and something shuts down. I I had a bigger one planned. It's just got wires and it wires right in that PLC. Right? So, for one, this is a

denial service if you can get access to this button, right? But the idea is when you hit this button that the processes are going to safely and reliably shut down. Nothing else matters at that point. You have your friends hanging over a meat grinder and he's dangling. It's like save me. And you go and you hit the estop and it's like multifactor. Oh, my phone. Go get your phone. Okay. No. Yeah. thumbrint, all that stuff. No, my gloves on. No, you need it to happen, stop no matter what. So, that's what's most important. Safety and reliability. That's what's different about these systems versus your tra traditional IT systems. We need to make sure we have

positive, safe control over them. How you guys doing back here? Um, data poisoning. You're training your models off of the data. So if you can understand the model that Airbus is training their flight data off or whatever and then you can poison that data and they train with that data then you've you've um basically injected your attack into the process. So most of the attacks are going to come data side. You could get access to some APIs or something too and and push data into via API. But um you can repoint AI if they're using chat GPT and you want your own instance of chat GPT that's trained off of your data and now that company's

making decisions off of what they believe is their own data and said they're using your data attack vectors. This is why uh you guys in this room are going to be the most valuable coming up because you're listening to my talk for one. And somebody that's not here is probably going to be unemployed. But it's not. No, I'm kidding. But um because you guys are going to have to think about these attack vectors. They're not traditional. The world is going to change so much. You know, we have additional fishing. You know, our traditional attack vector was fishing. Now we have deep fakes. Now we have targeted fishing emails. Um you can use AI in somebody's email inbox and mark

something as spam and they may never get an email from that person again. and AI can like change that kind of stuff. So there's all different ways to try to do this and that's corporate side and that's on the corporate side. You could get access to an engineers on the corporate side there because you can use AI now um when emails come in to respond and there's a whole workflow for that. Um so attack vector the complexity of securing critical infrastructure. Um so we got chemical commercial buildings. So what's happening more is as my business um is being requested services being requested it's buildings more so the industrial building so how do you build a smart building um whereas

a few years ago that wasn't really a consideration um and Witchah is is always a lagging industry with technology um even even though we are strong in manufacturing we still tend to lag the imple uh implementation of the technology um whereas like Germany or Austria or something, we'll do it right away. Um, and then it's our cost of labor essentially that causes that. Um, energy healthcare um, okay, the domino effect. So, what happens when you lose an industrial control system? So, there here's a case case study of not a cyber event, but um, power lines were overloaded in uh, Ohio, I believe, um, during snow and ice storm, sag down, touched the trees. um that

caused the power station to go out which caused um water to go out. So you lose water in all the homes. So now you got no water in the homes. You lose power in all the homes. So you got no power in the homes. You uh you're going to lose health care. So generators didn't start on some hospital. So you had potential loss of life. You had untreated water being dumped into the thing because there's no power to treat the water. But the water's got to run out somewhere. So you're dumping water, untreated water right in into the rivers. This spread into Canada. This affected subway systems in New York City. People couldn't commute to work. And this is

just from overloaded power lines. But now you can talk about what could a cyber event actually trigger in a real life situation. And it is a cascading effect. Rail has effects too that you wouldn't believe that affects water eventually in some way. They're all tied together. Um I spent most of my military career studying and doing. Um challenging environments. Uh, do you guys think I see Windows 95 when I walk into a factory? Yeah. Yeah. Do What would you tell them? Somebody tell me what I should tell them. What do you think I should tell them? I'm I'm going to hear this word I need. Air gap can't do it. Why? You won't be competitive. You won't be competitive.

So, you got to you got to get the data out of the machine because your competitor's going to do it. Now, not every single case, right? Not every single case. There's going to be cases where I'm like, "No air gap. No air gap. Air gap." Um, but uh, you got to work with it. You got to work with tools. The machine was designed and implemented and put in in 1995 and this was cutting edge software is warrantied and and there's no patches available and you wouldn't want to patch it anyways. Why? What do you think would cause if you patch the system? You're gonna break it. You're gonna break it. I would, you know, so that's

what the first thing you say, "Oh, we need to patch this." No, because then you're going to risk breaking the system. Then you're going to be out of warranty. Then the original equipment manufacturer is not going to cover it. Now you're going to have a $1.8 million brick sitting on your hand and you're a small business. You're going to be ruined, right? So, how do you get access to the data? What do you do now? Yeah, you can put dumb drives in there. You can put it behind a firewall. You can design the data structures in the Yway zones, VLANs, all that stuff. There's ways to get to it. Who's ever heard of this Sun Micro

Systemystems? Yeah, I cut my teeth on Unix, man, back in the old days. So you and I still see this in in some plants, you know, but military certainly definitely still runs off of this. So So the Estops, hit the button, needs to turn off. That's why you're not running these crazy protocols. That's why you're not going to run encrypted protocols on this. You hit that button. Oh, I'm not going to shut down. Why? Because I username password log out lockout. No. Now, now once again, plant meltdown. Why? Because you wanted to do multiffactor or whatever case you wanted to do. So during co um this was sped up quite quickly and then we had AI piled on top of that. So

during COVID there was a rush to connect the systems to the internet because your engineers were sitting at home, your employees were sitting at home. So and as we know with technology, you never go backwards once you get a feature or something. You can't walk into a plant and tell the engineer like, "Hey man, you you can't take that laptop home and work from home. They'll just won't call you back, you know, because they want the technology. They want the tools. They want to move forward. You're there to solve problems." Gone are the days where you sit there as an IT department and you are compliance and regulation only where you're the no guy. Who knows

an IT guy? Who is the IT guy that says no? No. We're all cyber guys, but you need to say yes, how do we do it? How do we do it? That's the that's the challenge we have is you need to get them there. And um and then to compound it, then you add AI and the complexities are just growing. So, uh there's 600,000 open manufacturing jobs as of last week and 400,000 open cyber security jobs. Marry those to you guys and you'll be you'll be getting paid for a while. Joe knows. So applies enterprise security principles to OT systems. So there are things you can do backups you know um you want to what I try to do is

establish a gold state for the manufacturing. So if I need to redeploy an entire manufacturing environment then I can do that from a known state. Gold discs is is uh where I coined that term from. Um you segment and you monitor. Um and then how are you going to respond? Um, sometimes we just tabletop it and even sit at the tabletop and you can say, "Okay, your ERP's down. What's your plan?" Everybody in the room will just look at each other. We have no plan. We can't run without ERP. Okay. Well, your ERP is on the internet. What happens when you lose connectivity? We got no plan, you know. So, what is the plan to

respond? Because if the first time you're having the conversation is during an incident, you're going to be in trouble. Factories, if things are not coming out the back of that factory, they're in trouble, right? You got 200, 400, 800 people standing around, no money being made, uh IBP, U a beef production plant out in Liberal, um cyber event, 2 million pounds of spoiled beef on their hands. Now you got a whole environmental deal. What are you going to do with 2 thou 2 million pounds of beef that's spoiled or whatever they had? They had the real issues, right? So how do we meantime to recovery or repair depending on what industry you come from? This is where manufacturing and it

will overlap in their terminology sometimes. But how quickly can we get you back online? How quickly can we get you back into production? Manufacturing and manufacturing the saying production is king. So how are we how are we producing? Because if you don't produce you don't make money. Um covered that. So what can we do with old school stuff? So this is old school stuff that we all know. Uh network segmentation. That way you're just going to limit the scope of attack. um asset inventory and visibility. This is pretty rare to have this when you walk into a manufacturing facility. Um they don't know what they don't know what's there. You got to walk around, you got to look,

you got to be on the ground. Passive, active scanning. There's different ways to do each one of them. Active is a little more risk, a lot more risk because you're actively scanning it and some of these things can't handle an active scan. Um so passive is a little safer. Um taps, span ports, whatever. um IDS's for OT um access control and authentication. So who's getting access to the actual physical access? You hit that button, it stops the plant, right? So that could be a denial service that actually happens in person. So how are you ensuring that only the right people are accessing the stuff? Um uh secure supply chain threat intelligence. What's going on? You got to stay up to date on

things that's moving too quickly. um challenges to specific to OT uh cyber security is these systems are old um and they're expensive. You know, the machine press that makes um parts is still abs absolutely rock solid. Built in 1960s, these are some of the highest quality machines that I have on any manufacturing facility. They go in there, they say, "Oh, we want a smart machine. Let's replace it." And my recommendation is don't replace that machine because that thing's made out of cast steel. Like it's a good machine. You just want to overlay some sensors on it. You can make it smart. You might tear the controls off. So the controls that run it, the electrical controls

that run on there, we'll actually tear the whole whole thing off and replace it with a modern PLC that can connect right into the internet or the network and all the controls and leave the actual machine, whether it's an oven or a press, sitting in place because it's a high quality piece of product that does what it needs to do, but the tooling is already there. So how do we help these manufacturers do that? A lot of my um counterparts or competition um will just sell the new machine, right? But small medium manufacturers can't do that. And they're actually in the right position now to be able to quickly take advantage of the technology over these bigger companies that can't

maneuver quite as well in the technology because their data is more spread out. Um the decision-m process is much longer. If I can get access to an owner of a company that cares, we can make be making actual impactful decisions and movements immediately or fairly quickly. We deploy from Docker containers and GitHub. We use standard development processes that are modern. So we can basically cut and paste in across each manufacturing facility already hardened already done. So when you need to say I need to connect your stuff into infrastructure, we got the infrastructure already that's built in ways that's easily deployed. Um, how does AI attack impact? Because it used to be secured through obscurity. Um, because it's so weird. The protocols

are so weird. Modbus and backnet. Um, HVAC systems run off backnet or secure backnet, right? But if you hacked into a system and then you got access to ladder logic or the code that runs on these PLC's, you had to go find an electrician or electrical engineer that understood what was going on this process to do that. Now throw that thing in in AI and explain to me these processes, modify this, re-upload it. So there's no more, you can't rely on the obscurity anymore. It's too easy to to automate that. um what you can get in OT that you can't get as easily in it is um like signatures or normalization. So this process talking to that process. Now you

can't get every one of them. So this is a problem that you'll run into when you start to deploy these IDS's or IPS's is then all of a sudden this process that's never been seen or learned before starts. Think about emergency plant shutdown that's never been seen. you never trained on that because you've never had this particular incident happen. But then now you have that happen and it detects it as a cyber event and could shut you down and therefore causing the the plant meltdown that we're avoiding. Um AI assisted attacks. Yeah. Okay. I'm facing this firewall. Uh I'm facing Apollo Alto industrial firewall and I know it's got this vulnerability in it. Um, write me an attack for that

vulnerability on that firewall. 82% success rate on that. 82% you guys layered. Layered, right? And even the layer's not going to get you because it's just this this you're going to you're going to eventually have these automated step through attacks. I haven't seen it. Um, but it's coming.

Um, so there's physical and logical controls. Physical just means the actual asset and then the logical controls is how how you doing it in the digital world. Um, it OT collaboration. So it's getting IT and OT in the same room. They they honestly don't really like each other much. So I'm kind of their gateway. Um, and I do deal with IT organizations that will say no. It is not uncommon. It's actually quite common. Um, but I do come from IT background somewhat before I got into this. And, um, sometimes I'll bring my sispin in in the, you know, frame and show it to the guy like I know what I'm doing. Um, but they won't let the

technology in there. But the OT, the industrial side, they need the technology. They're the ones wanting. They're the engineers that want their problems solved. So, how do we how do we get them in the same room? how do we talk? Um, the easiest way that I found to do it is to provide the IT services and then bring the OT services into the company. So, work with the IT. Um, and a lot of times it's even getting them on the same language because what you'll happen is this happened to me a couple years ago now, but um, when you talk about a firewall um, failing open, what would you guys think, what would you think a firewall failing open would do?

Past traffic or not pass traffic? Past traffic. That's what's expected, right? It's failing open. Open the door. Let everybody in. When electrical circuit fails open, any electricians? None. I I have a little bit of time in there, but uh when electrical circuit fails open, it does not pass electricity. So when you use that terminology in a group of it and OT, they're talking about different things. And so now they're arguing and I'm, you know, I have the unique ability to I spent some time in electrical um to understand the the differences and the similarities between the two and kind of help um with that language barrier there. So getting them in the same room, getting them on the same page, using the

right terminology is is the first step. Um this is my this is my LinkedIn. This, like I said, I'm trying to grow this. Uh I get nervous. I speak a little fast. So, I'm 8 minutes ahead of time. So,