
Our next keynote is Michelle, who's shared her mic with me here to get us going. She's been in IT since, oh God, the 1970s, 80s... there we go, just trying to remember; we had a discussion way back, it was 34 years. Okay so, 80s, late '80s, early '90s, '92. Yeah, and I'm feeling bad, my dad would be upset with me. She has been involved, I've been involved with her, in engagements from a client's side several times. I found her very knowledgeable: her ability to ensure that we weren't overlooking the issues by having an over-complex approach to things, and her ability to ensure that we weren't missing the small details, was phenomenal. I have found her to be an asset whenever we've had the ability to bring her in; I think it was normally under Fortinet at the time. The ability for us to not miss the fine detail that we were asking a solution to try to fill. She has worked in OT, she has worked in IT globally, and she is our next speaker. Give her a round of applause. While we transition
mics, let's get going. My slides are presenting, but I don't see "presenting" here, and we'll work on that to get my slides presenting. While we're waiting I'll just ask a few questions of the audience. How many of you definitively find yourself in the IT side of the house? Raise your hands. How many of you are students? I'm still a student at 56 years old, so lifelong learning is what I believe in, there's no question about that. We don't have that up yet, okay. So, third question: how many of you sit on the operations side? And by operations I'm really referring to the physical operations of, say, downtown Calgary oil and gas companies, those sorts of things. So I like to call it operations, or I like to call it engineering, because when we start talking about IT and OT, one of the things that I want to challenge you guys on, through this presentation, is our thinking from the perspective of security and what we're doing, and I'm going to tell you guys that I think we're going in the wrong direction.

I have a friend, his name is Richard Stiennon. He was a VP at Gartner; he left Gartner and created his own analyst firm; he was the CMO of Fortinet at one point in time, and he runs an analyst firm called IT-Harvest today. From that IT-Harvest expertise (we'll try a different USB-C cable) what he does is he tracks all the security vendors. Anybody want to take a guess at how many security vendors we have in the market space today, globally? A million? A million, I like that one. We got a hand up there; do you have an answer? A million? No. 3,600 security vendors. And so with that, if I was an end-user customer, and I am not, I'd have a hard time determining what I want to purchase and how I purchase it. And so what we all need to be able to do when presenting to our executive is answer the question of how secure are we. Do those of you in the room who have to report back to executives have confidence in being able to express, in executive terms, the security of your environment at any given point in time? Silence in the room is telling me that we're not on the right page. We are not able to communicate to our executive how secure we actually are.

I love the fact that Quinn talked about complexity and how I try to reduce complexity. Complexity is the enemy of security. I'm getting older; I've been a technologist throughout my entire career, and in the next 10 years I don't think that I'm going to be learning a lot more technology. I'm going to just be focusing on my core skill sets, presenting, those sorts of things. One of the reasons why I'm doing that is that trying to keep track of security in itself is extremely difficult; trying to keep track of it is impossible, and we need to be able to find better approaches.

A little bit about myself. I work for a company called ISsquared.
You guys have never heard of ISsquared; they're headquartered out of California. Most of you may never have heard of ISsquared, I should assume. I moved from Fortinet after 20 years of working for Fortinet. I started the operational technology team with a group of other people, about three people initially, to focus towards the enterprise security market space. And so what I'm going to start talking to you about today is that we have to start thinking about the business and the domains of the business. If we don't understand the businesses that we're securing, we can't secure them, and what I find, based off of my experiences and the customer sets that I've talked to, is that most of us actually don't understand our businesses, and that we need to take time to educate ourselves on the business and the business verticals, and look at that as lifelong learning.

So relative to this, I'm going to talk about shiny object syndrome. How many of you feel that you have shiny object syndrome? I do. I bought a Jeep Wrangler in 2022, spent over $125,000 on it, just simply because of the fact that it was freaking purple, right. I'm going to talk about my history and my expertise so you guys understand who I am and where I come from, and I'm extremely opinionated, but I listen. It's burgundy, sorry, my partner just reminded me it's burgundy. I'm going to talk about the digital revolutions; you can't have an OT speech without digital revolutions. I'll talk about the operational technology trends. I'll talk about the enhanced Purdue model. How many of you have heard about the Purdue model? Okay, so we've got a good handful of people. The Purdue model is a framework created in 1992 that has evolved over the course of time, and I'll talk about it from a non-technical perspective and then I'll talk about it from a technical perspective. I'll talk about the enterprise cybersecurity challenges; when I talk about the enterprise I'm talking about the entire business. I'm not just simply talking about the information systems, and I think that that's one of the areas where we're going wrong with information security management: we're forgetting the majority of the business by focusing towards IT and information and data alone. We have to actually look at the entire business. We need to align to frameworks, and I'm going to talk about the NIST framework, and I'll talk about the interpretation that I see from the perspective of how deployments of the NIST framework fail, because customers start at the wrong spots, and that they need to look at it and be prescriptive to their environment in adopting a framework. I'll talk about the technical enhanced Purdue model. I'll talk about culture. I'll talk about tools versus a toolbox, because I think that we're in the world of too many tools; we need to evolve the toolbox, but then from that toolbox we need to go from products to platforms. How many vendor reps are in the room today? I'm just raising my hand because I've been a vendor my entire career. Don't you guys find that interesting, that the vendors spend an enormous amount of money to sponsor a show and they don't sit in the audience, they don't learn themselves? So anyway, I'm going to stop picking on people. Contextualized
risk management and understanding context. How many of you hear context being brought up in security? Yeah, we get a few people, but we don't get a lot of people in the room. Next year, the year after, the year after... I started talking about two-factor authentication since around 2005, and I kept going "next year is the year of two-factor authentication", and I was always wrong, and eventually it caught on because of the fact that people were being hacked. And then I'll leave you with a top five actions.

So let's try to avoid the shiny object syndrome. Shiny object syndrome is really looking at and adopting new technologies as fast as they're coming out, and I'm going to pick on AI at this particular point in time. Ask you guys questions: I'm going to deploy AI in my environment; how do I secure it? I don't know, and I'm a 32-year professional in security in this industry. So what happens in shiny object syndrome: we chase the latest trends, yet on the opposite side I talked about basics like two-factor authentication, and in OT, many of our environments in Alberta don't actually authenticate the users. So why chase the latest trends when you're not even doing the basics? So we need to think about doing the basics. We have frequent technology adoption: oh my gosh, the company is allowing me to have budget to spend money on technology, and then we forget about people, process and culture along the way, and we need to put more focus towards people, process and culture. And I'm telling you guys, as end users, as customers: stop buying technology. Stop buying technology and deploy what we're using today. I look at deployments; I worked for Fortinet for 20 years of my life and I look at deployments of firewalls. I'll just give a few examples, one from SonicWall: walked into a customer, the firewall's broken, 150 rules, at the bottom "allow all any any", right. So what we need to be able to do is to start thinking about and maximizing our investments in what we already have, because we have shiny object syndrome. Michelle sometimes doesn't understand how to speak, and I love talking about myself in the third person because it really messes people up. It's all good. But we end up neglecting core systems, and from those core systems, at that point it gets a bad name because systems are inconsistent. You notice here that I focused on performance and availability, and when I start talking about OT, we seem to have a cultural conflict between IT and OT: performance, availability, sustainability. Availability becomes absolutely critically important to operational technology, but that's exactly the same thing that's happening with IT today: our systems have to be up all the time. Because we're distracted, and it's like the shiny object, oh my gosh, I've got to take care of this, we're wasting resources and we're burning cash of the companies that we work for. How hard is it to get security dollars in your corporations today from the perspective of executive management? I don't want to waste any of that money that I ever get. And so existing environments, existing initiatives, or achieving long-term goals are missed. And the next thing is adopting a whole bunch of new technologies, because we don't understand
when we're buying it how it's going to integrate into the entire structure of what we're building; we then lack consistency, we lack cohesive infrastructure, and we lack manageability. And when we go to OT, my first iteration of OT is this: IT is not an engineering discipline, and I'm probably insulting most of the people in the room that are system engineers. OT is an engineering discipline, and in Alberta there's a fight between the professional engineers and system engineers, by saying that IT people are not engineers. I actually tend to agree with the engineering side of the house, and we need to start doing engineering disciplines to define our systems and the availability of our systems. So with operational technology there's less shiny object syndrome; they do much more engineering for the purpose of the solutions. And so with that, yes, shiny object syndrome exists, but it's not as bad as within IT.

What does shiny object syndrome do for most organizations, not just simply IT or OT organizations but the enterprise itself? We create unrealistic expectations that we can't deliver on, and with those unrealistic expectations we end up buying a product or a solution. Oh, I kicked it; well, that was me, I'm so sorry guys. Hey, I've created unrealistic expectations by saying that I was going to display this today while talking to you. So we need to strike a balance, and in striking a balance what I'm saying is that when we start thinking about the business we need to think about the domains of the business: the engineering domain, the HR domain, the IT domain. IT is not the business; the business is everything else. We have to start thinking about what is the impact of operational resiliency on the business itself when we're securing the environment, so it's not just simply data that we're worried about. So in mitigating shiny object syndrome we have to build a clear, concise strategy relative to the enterprise, not just simply IT security, OT security, and all of the domains of the business.

So I started with this: how secure are we under attack? If you work for an oil and gas company, you work for a company that is producing anything, can we continue to operate when we're under attack? We have ransomware on the OT side, or sorry, we have ransomware on the IT side; do we have the data coming from the operational side to be able to make the business decision, so that the executive can say, hey look, you know what, even though we're under attack, even though we have ransomware running in our environment, we can still operate? We want to be able to continue to operate, whether it be IT systems or OT systems, even under attack. How much risk do we have? We talk about security all the time but we don't necessarily talk about risk, but we need to have tangible, quantifiable risk to understand indicators of exposure, how our systems are exposed, to reduce the attack surface and protect ourselves. What qualitative risk do we have? How do we measure risk? How do we get risk out of our systems? And so I'm going to talk about it from the perspective of digital transformation. We all hear "digital transformation"; how many of you guys feel that you have a full understanding of what digital transformation actually is? It's kind of like when cloud
came out, or application service providers, going way, way back into the '90s and early 2000s; I'm not sure what they are. How are we using data to understand risk continuously? So we had a cyber risk analysis, or CRA, presentation yesterday. I was a little confused, because I always talk about TRAs, and the industry really talks about TRA, threat risk analysis, and I'm like, well, maybe I'm a little bit behind; maybe what we've done as risk professionals is reduced the scope and therefore we'll call it cyber. But threat risk analysis is really the risk analysis across the entire business, not just simply the cyber aspects of it.

So where do I come from? I come from two different backgrounds. One is infrastructure. In the early '90s I worked for a company called Micro Drives; I sold hard drives. I was a salesperson; I was just simply selling hard drives, and I traded as fast and as hard as I possibly could. That closed down, and I then worked for Globelle, which was acquired by Tech Data, and I was a hard drive product manager, inventory manager, national distributor of hard drives. Why did I do this? Because I wanted to understand not just simply the sales aspects but the inventory management aspects, the whole cycle that is required. I moved over to D-Link because I needed to get networking experience, so I ended up getting core networking experience, getting edge networking experience, and then I went, oh, hold on a second here: this layer 2 networking, in early 2000, I went, oh, this is being commoditized. Where can I go, where is a market that's never going to be commoditized? And security was the answer for me. So for you guys, here is the evolution of your careers. For the students: don't leave this area, even though it's very tough. You're going to make the most money in your career by focusing towards this. And two things for me: I'm hybrid, I'm a salesperson and I'm deep technical, not as deep technical as I used to be, but those hybrid skills are what employers are going to look for. If you get those hybrid skills you can ask for a hell of a lot more money, and I'm proof of that. From SonicWall: at SonicWall I went through seven rounds of layoffs and I went, wow, when is it going to hit me? And as soon as I had that thought, then I got laid off. And I opened up Gartner's Magic Quadrant in 2003 and it was like, Fortinet, who the hell are these guys? And then I started in 2004 and worked for Fortinet for 19 years of my life. I'm very proud
of the achievements that I've done there. I created, and worked with three people that created, the OT team, which represents 15 to 20% of Fortinet's overall revenue today; it's on track to be 50% of the revenue for Fortinet. So think about that: operations security is as important, if not more important, than IT security. And then I've moved over to ISsquared, because I started presenting like this to the ISsquared executive on the first call, and the CEO is like, hey, can we hire you? And I'm like, I'm really happy with Fortinet, and then some things changed and then I wasn't as happy.

Industrial revolutions. We had the industrial revolutions; we went from
farming into manufacturing, and we changed the way the world operates, and we're in this modern world because of that. We then started the information revolution in the 1970s or 1980s, where we started to put computers into many manufacturing processes, and now what we are is in the digital revolution. And so when we start thinking about this: is a spreadsheet digital or analog? What type of process is it? We have to start thinking about processes. Use of spreadsheets, exporting them out of systems and then pulling them together, that's an analog process. It's not digital in any way, shape or form, other than the fact that you're using a digital machine; you're basically moving it into a manual process. The digital revolution is moving everything into digital processes, where we stop taking things out and bringing them into spreadsheets, and using systems to be able to do that. I won't go through all of the industrial revolutions, but the industrial revolution that we're in right now is Industry 4.0 and 5.0, in parallel, working at the same time. Industry 4.0 was introduced in 2010; Industry 5.0 was introduced in 2020. Industry 4.0 is very interesting: ransomware starts to occur after the introduction of Industry 4.0. Why? Because we're interconnecting systems that we've never interconnected before.

So I work for ISsquared. This is the first advertisement for ISsquared, and it's the last advertisement for ISsquared, really, which is: we're digital transformation expertise, we have cutting-edge solutions, we're comprehensive IT and OT security, cybersecurity expertise, and we're worried about proactive security measures and being able to look at things from a holistic perspective of a platform-based approach rather than a product-based approach.

So, operational efficiency. Now the vendors, sorry, the customers for me, the end users, are trying to become more operationally efficient, to have a greater degree of profitability. Well, we have to use digital transformation to become more operationally efficient; it's as simple as that. This slide here I think is one of the most important slides for you guys if you're trying to get budget; this is the slide that you want to take a look at. As I'm investing in operational efficiency, Mr. Executive, my cyber exposure increases, and I'll talk to you about why the cyber exposure increases. And so therefore it's fairly simple: for every dollar that I'm putting into operational efficiency, I need money for cybersecurity, because of the fact that I'm interconnecting systems that have never been interconnected before, and I'm having a greater degree of risk. So depending upon what industries you're in, financial services, healthcare, education, government, they're all going through digital transformations, and you see this: the offset of greater cyber-physical risk is including business connectivity risk, or continuous pieces. So from that, from an OT perspective, manufacturing, entertainment, energy and utilities, retail are all digitally transforming. In the era of digital transformation, this came out in 2017 by MIT and I absolutely, completely agree with this, which is: instead of looking at it from perimeters, we need to look at how we're safeguarding data and people and physical across systems, devices and the cloud.

Here's the first really busy slide, and I have several busy slides, but this is the first of them. Upstream, midstream, downstream, corporate and retail for oil and gas in Alberta. How do you secure this? So we divide it all up in the security
industry, and I think that we should divide it all up. We need to look at it as each individual domain of the business and what the needs of the business are, so the domain owners of the business. And this is what Steve Biswanger always talks about: as a CISO, I'm working with the domain owners of the business to determine what levels of security and risk they need to have, and so therefore it's the owners of the business that are responsible for making decisions on policy and procedures and all that sort of thing from a security perspective; the CISO office is there to influence and help them make better decisions.

So with this, we're interconnecting all of these. We used to have what was called the air gap; the air gap hasn't existed for 20 years. We'd air-gap all of these systems, but now we're interconnecting them to become more operationally efficient, and then at that point we're starting to add in new sensors and actuators, and we're using new technologies to do predictive maintenance analytics and applications. This is understanding the business and how the business is going. Security is behind the business today; it's the first time in my career that security is behind the business. The business is moving faster than security is. We talk about automation in security and we don't really mean it, but the business, this is an automated business platform, and the business is automating. So if the risk is continuous, and the risk is agile because we're changing the systems all the time and they're interconnected, why are we not, as security professionals, proposing continuous security management and management across the entire infrastructure?

So this is the manufacturing enterprise ecosystem. For manufacturing it becomes easier to understand this when you look at it from the perspective of: how do I divide it up, how do I secure it? So this one's easier for me to state too. From supply chain all the way through to customer experience we're interconnecting systems, and those systems, we'll talk about IT, we'll talk about CRM, we'll talk about email, but I never hear an IT professional talk about the OT applications like manufacturing resource planning, and those are applications that we're running on the OT side of the house. And so with that, we're now interconnecting all these applications, we're putting in sensors to sense what is happening within the environment, we're putting in new resources to create our own and get off the grid. And you look at the top: what we're doing is we're collecting data across the business, and we're collecting all of this business data. The opportunity for us is to actually collect the business data and the security data at the same time, but we choose not to do that as an industry, and I don't quite understand why, because we have an opportunity to go deeply into the business data to help us understand context, how the businesses are operating and how the applications are operating. Yet we don't take the opportunity to grab that data, and we don't take the opportunity to say, hey, maybe I should take a whole bunch of other data from that; we try to look at it from a simplified perspective.

So how do we digitally transform, and what are the internal and external barriers to success? The
internal barriers are regulatory frameworks, the lack of standardization that I talked about earlier, the inability to share information across the ecosystem, right, this is very predominant within Alberta, and then we have talent shortages. We blame it on talent shortages, but the reality of this is that we need specialized talent to take us to the next step, which is pulling all the data together and being able to make better business decisions by having better security decisions. The disruptor, the external disruptor, is the cyber threat. So if you're in a business that talks about digital transformation and they're not investing in cyber, you just simply need to pull this slide up and say, hey look, this is what is problematic.

Operational technology security trends. We're shifting to digital; we're physical and safety related. IT professionals: how many of you guys have looked at security and safety as equal to each other? How many of you guys have gone and talked to the safety managers of your corporations? And understanding... Tim, I know you're going to answer every single one of these questions. So safety and security equal each other, and with that, we have to worry about the physical safety of people as much as we protect data. The problem is, you know why the OT people don't like IT? Because we kill data all the time. You know, hey Fen, if you're working on my plant, can I kill you today? Probably not a good idea, right. We're looking at productivity and uptime; we're trying to increase operational efficiency; and then we're focused towards customer experience. How many of you bought a Tesla? None of us? Okay, I saw one in the parking garage as well. So from a customer experience perspective, thank Apple for this, the Apple Play Store, or sorry, that's the Google Play Store, I'm not an Apple person, but the reality of it is that we have instant gratification as customers today, and we want to enhance the customer experience, and by doing that we're interconnecting all the systems together. Product integrity becomes critically important: where the product is sourced, how it's been sourced, particularly in the food industries. This is that I need to be able to do recalls. How many of you guys noticed that there's a hell of a lot more recalls of stuff? Why? Because we're interconnecting all of this together in the business. And so we need to understand the business.

And here's where I become a little bit more technical, and I know this is a technical audience, so I hope you guys can keep up with me, because I'm going to go through this fairly quickly. The enhanced Purdue model reference architecture was created in 1992; it had four levels, and we have multiple different levels of it today. The Purdue model was created in 1992, and I'll talk about the lower levels. This is the physical. The physical operations in Alberta, it's pretty simple: those are all the well heads, right. There's a hell of a lot more to it than that, but it's the well heads. We also sensor those well heads to look at shock and vibration and temperature, so that they can do predictive maintenance analytics, and instead of sending trucks out on a regular basis they can send them out when they feel that there's going to be a physical problem. The process control network is the local area network, in IT terms, to being able
to interconnect all of the process control. The supervisory control is connecting IT and OT together, and basically converting it from a serial network into an IP network, and then being able to put controls to the physical in the environment. You'll see here now, when I click the next click, it then shows the technologies: we need ring networks, which are serial networks; we need ring networks that are process control networks; and then we need firewalls at level 2 of the Purdue model. You'll notice that there's a high-secure authentication boundary, and then between that we have level 3 and level 3.5. A lot of people will call this IT, but this is an OT data center, not an IT data center. The OT data center is the manufacturing zone, the management zone, and the DMZ between IT and OT, and really where all of the applications for OT exist is in level 3; that's where the applications exist. Then we start to move into the IT environment. I have to have IT resources on site, and I also have core IT services, so those are the enterprise zones: the IT enterprise zone, the local area network that we're used to, and then the DMZ, and the DMZ services to cloud-based services. Now, the cloud didn't exist when the Purdue model was created, so we have level 6 and level 7: we have the internet, remote access needs, and we then also have the cloud services from the perspective of industrial Internet of Things. When we start talking about securing IoT and OT and industrial Internet of Things, I think people start scratching their heads: I'm not sure what to do with these devices. And the problem with that is that it breaks the Purdue model; it breaks the initial model. And at that point you'll see that the blue line is talking about data, and I'll go into this a little bit deeper if I don't run out of time. I have 445 slides, so I think I might run out of time. It's one of my favorite jokes that I make, and I need to reduce the heaviness of this presentation, because of the fact that I was told that it's heavy, and I like being able to inject humor, but I didn't have any humor in this presentation because it's a very serious topic.

Enterprise operational security challenges, or IT challenges, are this. We have manual processes in IT: as soon as you start exporting data into spreadsheets, those are manual processes. We have limited and partial visibility to the devices themselves, and once we gain visibility to devices we actually don't understand the context of how the devices are communicating to each other, or why; we lack operational context and business context. We look at the devices from the perspective of the inherent operating system, the logs and all of that, but then we don't really question what the user is really, truly doing on this device, what this is doing within the environment. So we need to understand operational context to secure it properly. Most customers, and I suggest that this is the same in this room: the security vendors don't focus you towards attack surface management. You need to focus yourself towards attack surface management and reduce the attack surface, and you need to do that by understanding the exposures that your environment has internally and externally. We then have compliance to
regulations and policies and what I found and this in particularly across western Canada is is the businesses are siloed digital transformation means that we get rid of the silos but the businesses are siloed and the GRC people don't talk to the security people the security people don't talk to the networking people the networking people don't talk to the application people they all hate each other in business and I'm sure it exists within your environments as well and what I'm trying to say to you guys is as we become more digitally efficient we need to be able to communicate and that's why programs like bsides is critically important to me and that's why these people you
people in the room you people that sounded great hello my name is Don Cherry um so let's move on from that safety and performance are a high top priority safety of data think of data from a safe perspective how safe is your data not how secure it is safety of human life how many people have died on the plant or the shop floor and then multivendor multigenerational inherently insecure we can't secure it because we don't know how to secure it well that's not the right answer we need to be able to figure that out right so I'm going to quickly go through this Frameworks and regulations and compliance the key thing from a framework and regulation I don't
believe in snapshot-in-time TRAs anymore. TRAs need to be continuous; we need to have continuous threat management. In 2008 the Obama administration made HIPAA (the healthcare protection and portability act) mandatory: they made it mandatory that they do real-time TRAs in 2008. So in the industry, in 2023, we need to start thinking about how we're doing threat risk analysis on a regular basis and being able to report back to the executive what risk we have. Manual processes need to be converted into digital processes. We need to ingest frameworks, so if anybody is building frameworks, and I've worked on a few frameworks, the
output is usually a PDF. It's a huge amount of reading, but it needs to be converted into digital so I can take the framework digitally and bring it in, because I've worked with global multinationals and the problem is you have 25 different frameworks across the globe, and if you're a global multinational you probably have to touch every single one of them. That's true of the downtown Calgary oil and gas companies: you have all of these different frameworks, but it's very hard to interpret. You need to be able to apply the frameworks from the perspective of your environment. Global standards are required, those sorts of things. So, governance, risk and compliance: we
waste resources and we have after-the-fact thinking. "Oh hey, Mr. Firewall Guy, I need your logs." "Oh, well, we got rid of them," right? Those sorts of things. From a process perspective we do things manually, and we need to be able to interconnect and have that communication. So I'm going to go through this, move over to the NIST Cybersecurity Framework. How many of you guys adopt NIST? Probably should be the one that's the most in this room. I'm not going to go through all five of these, but I'm going to say this: where do you start, right? And most start, "Oh, level
one." Well, that's great, I need to identify, and they never get to level four or five. They get to Identify, Detect, Protect, but then Respond and Recover is left, and then people like Adam make a hell of a lot of money. Adam's an incident response person, right? So on the opposite side here, what I'm saying is this: management and recovery, managing and optimizing, is critically important, and that's actually where we should start, because once we understand managing and optimizing, the most difficult thing that we need to be able to do, then at that point that shiny-object syndrome relative to technology goes away. And the reason why it goes away is because of the
fact that once we understand our environment, we can then understand what technologies we need to deploy to secure our environment, and identity. So level one and level five are the areas that I would start, and then at that point have a cost understanding based on the controls required, and I can then let the executive management know definitively what it's going to cost me to be able to secure the rest of the environment. With that, cybersecurity is hard, but if I start with level five and take on the most difficult thing, I then have decreasing levels of cybersecurity expertise as I'm going down the Purdue model rather than up the Purdue model
like most. Sorry, the NIST model. As I'm going down the NIST model I then can select the technologies, and I don't have the technology sprawl that I have today. Are you guys ready? Are you
ready?
Okay, I have till when, 9:20? I have till 9:20, right? Yeah. How many of you guys want to stay a little bit longer? I don't know. This is the enhanced Purdue model, from the perspective of it being a little bit more technically accurate. You'll see the technology on one side, you'll see what it looks like from an information perspective, and on the right-hand side what you'll see is the data and data analytics side, and the data and data analytics side is the area where management and manageability comes in. If you see at the top of it, enterprise analytics, there's SIEM and there's SOAR technologies, and I'm sure you guys can't
read this, and I will gladly send you a copy of this, there's no problem with that. You'll see that we need a cyber security management system, or CSMS. How many of you guys, is that terminology new to you, a CSMS, cyber security management system? Yeah, it would be new to most of you guys. IEC 62443 defines that; that's actually what the Purdue model is, and what it says is that we need to be able to have a cyber security management system to be able to manage everything downward. Well, that's what I just said about the NIST framework, and then we need context. Contextually, do you trust the neighbour
beside you? Do you know what they're doing? That's what we need to answer. Now I'm going to go through 400 slides to get to the end. Cultural change: tools versus a toolbox. We need a platform versus a product, a product- and platform-based approach; we need to look at things from a platform perspective. Google, Microsoft, Fortinet, Cisco, Palo Alto are all building platforms. We adopt those platforms, and then at that point we adopt a few different platforms and integrate; that's what we integrate together. Contextualized risk management is really: identify the organization's assets (now I'm going back to the NIST framework), identify the asset vulnerability (now I'm starting to sound like everybody else), apply the policies
to the business impact and the vulnerabilities, and then infer what mitigations need to be taken. I need to be able to understand that I can't always patch. Let's get out of patching. I know that sounds crazy, but what if we never patched again and we built our systems resilient to a point where we can protect those systems without patching? That's what OT needs to do. Why don't we start thinking about how OT operates, and then look at it and say, hey, look, you know what, they're responsible for human life. I don't hear about killed people on the production line very often, but I certainly hear about ransomware all the time on the IT side. Applying threat
modeling scenarios to evaluate risk across the organization, being able to represent back to people like Tim and the CISO and the executive group how much risk, and how much quantitative risk, do I have from that, then at that point allowing the executives to be able to make the decision from the perspective of: this business change that we're going to do will impact us in this way from a risk perspective, and therefore then we can either make that decision, or we can understand, hey, you know what, we're going to understand that there's risk but we're going to make it because it's a business decision, because it's not one size fits all. And then discover the asset connectivity and understand the
topology, being able to look at it from a visual perspective. So, top five actions: build an operational technology and information technology risk and security program, integrated together with safety; deploy a cyber-physical and cyber security management system that gives you continuous risk management; improve security by understanding risk, availability and security gaps; continuous involvement of stakeholders and domain owners, having continuous risk modeling; and operate safely with context, understanding how we're able to make business decisions. The key thing here is this: there's not a product on the planet that does this today. I mean, Tim and I would discuss, Archer is probably one that would potentially do this, but you don't, I'm not, well, I'm not going to, I'm not
going to say anything about a vendor, but it's very, very difficult. But this is the road that we're on in the next 10 or 20 years; in fact, this is where we should be right now. And I thank you very much for your time, and I'll leave you with some slides on who IS Squared is, and if we have, you know, anybody want to throw one tough question? And if not... oh yeah, there we go, perfect. "Your company is IS Squared, yes? Does it get confused with ISC²?" It does, it does, and I'm a fellow with what's called Cay, and their lettering also kind of
gets confused with it as well, and so, but the nice thing about it is that it's nice because IS Squared or ISC² is well known, so therefore then it's a good thing. Thank you very much for your time. The one thing I will leave you with, this is for the professionals in the room: I'd love to be able to come out and do this presentation and discuss it in depth. For the students in the room, I'm about giving back. When I started in the industry I was 20 years old. I had the grey beards; we have a few grey
beards here today, but the grey beards imparted knowledge to me. I need to be able to impart knowledge to the next generation, so please always reach out. Thank you very much for your time [Music] today.
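The contextualized risk management loop the talk describes (identify the assets, identify the vulnerability, apply policy to the business and safety impact, infer mitigations, and report quantitative risk back to the executive) can be made concrete in a few dozen lines. The block below is an added example, not code from the talk or from the speaker's company, and everything in it is constructed: the asset and finding names, the control multipliers, the "safety consequence dominates business consequence" policy, and the rule that an asset which cannot be patched gets compensating controls (segmentation, allowlisting, monitoring) recommended instead of a patch.

```python
"""Contextual risk register: assets, findings, policy-driven mitigations.

Added illustration for the talk's risk-management loop. All names, weights
and sample data below are constructed assumptions, not values from any
standard, vendor or real environment.
"""
from dataclasses import dataclass, field

# Hypothetical likelihood multipliers for compensating controls (assumed).
CONTROL_FACTORS = {
    "segmentation": 0.5,   # asset placed behind a zone/conduit boundary
    "allowlisting": 0.6,   # only approved executables / flows permitted
    "monitoring": 0.8,     # detection shortens dwell time
}
# Order in which controls are recommended when patching is not an option.
CONTROL_PRIORITY = ["segmentation", "allowlisting", "monitoring"]


@dataclass
class Asset:
    name: str
    zone: str                 # Purdue-style label, e.g. "L1-control"
    safety_impact: int        # 1..5: consequence for human safety if compromised
    business_impact: int      # 1..5: consequence for the business
    externally_exposed: bool  # reachable from outside the organisation
    patchable: bool           # can be patched without an outage or safety case
    controls: set = field(default_factory=set)  # compensating controls in place


@dataclass
class Finding:
    asset: str
    finding_id: str  # placeholder identifier, not a real CVE
    severity: float  # 0..10, CVSS-like base score


def likelihood(asset: Asset, finding: Finding) -> float:
    """Exposure-adjusted likelihood in [0, 1], reduced by controls in place."""
    base = finding.severity / 10.0
    if asset.externally_exposed:
        base *= 1.5           # external exposure raises likelihood (assumed weight)
    base = min(base, 1.0)
    for control in asset.controls:
        base *= CONTROL_FACTORS.get(control, 1.0)
    return base


def impact(asset: Asset) -> int:
    """Policy: the safety consequence dominates the business consequence."""
    return max(asset.safety_impact, asset.business_impact)


def risk_score(asset: Asset, finding: Finding) -> float:
    """Quantitative score in [0, 5] for one finding on one asset."""
    return round(likelihood(asset, finding) * impact(asset), 2)


def recommend(asset: Asset) -> list:
    """Patch where possible; otherwise layer the missing compensating controls."""
    if asset.patchable:
        return ["patch"]
    return [c for c in CONTROL_PRIORITY if c not in asset.controls]


def build_register(assets, findings) -> list:
    """Risk register rows sorted by descending risk, for the executive report."""
    by_name = {a.name: a for a in assets}
    rows = []
    for f in findings:
        a = by_name[f.asset]
        rows.append({
            "asset": a.name, "zone": a.zone, "finding": f.finding_id,
            "risk": risk_score(a, f), "mitigations": recommend(a),
        })
    rows.sort(key=lambda r: r["risk"], reverse=True)
    return rows


def risk_by_zone(register) -> dict:
    """Total risk per zone, the roll-up an executive summary would show."""
    totals = {}
    for row in register:
        totals[row["zone"]] = round(totals.get(row["zone"], 0.0) + row["risk"], 2)
    return totals


# Constructed sample data: a controller that cannot be patched and an
# internet-facing enterprise server with the same severity finding.
SAMPLE_ASSETS = [
    Asset("plc-01", "L1-control", safety_impact=5, business_impact=3,
          externally_exposed=False, patchable=False),
    Asset("web-01", "L4-enterprise", safety_impact=1, business_impact=4,
          externally_exposed=True, patchable=True),
]
SAMPLE_FINDINGS = [
    Finding("plc-01", "FINDING-0001", severity=9.8),
    Finding("web-01", "FINDING-0002", severity=9.8),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_ASSETS, SAMPLE_FINDINGS)
    for row in register:
        print(row)
    print(risk_by_zone(register))
```

The point the numbers make is the one the talk makes in words: the same finding scores higher on the controller, because safety consequence dominates, and adding segmentation to that controller halves its score without any patch, which is the kind of mitigation an OT environment can actually apply. The weights are placeholders to be replaced by an organization's own policy.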