
Perfect. Thank you very much for having me here today. My name is Michelle Balers, and I think you guys heard that I'm coming from an organization called is squared. We focus on building secure platforms, and in my presentation today I'm going to talk about the past of cybersecurity, to be able to understand where we've been, to be able to understand where we're going. And right now I believe that we're in a dystopian future relative to cybersecurity. A friend of mine, Richard Stiennon, who was a VP Analyst at Gartner, keeps track, via a company called IT-Harvest, of the number of cybersecurity vendors,
and he's keeping track of over 5,300 different cybersecurity vendors. I've been in the industry for over 25 years of my life and I can't keep up personally relative to the number of security vendors, and also I can't keep up with the hype. I'm not saying that I'm not a proponent of AI, based off of some of the questions from the previous presentations. I just think that AI is the latest shiny object in the room, and that many of us don't actually do the security basics, so we should be looking at the basics first before we even start taking a look at the advanced technologies. So let me talk
about operational technology. I'm an operational technology specialist, and that means that I'm working with systems that are cyber and physical in nature. So anything that's operations in the oil field, where there's a physical component to it but it's also connected, and it's connected to the systems: those systems are where my expertise has been lying for the last seven years. Previous to that, I worked for Fortinet for about 20 years of my life, so one of the global cybersecurity companies. I started in 2004, when it was a $39 million company, and I've started to recognize a few things based off of what I've been seeing in the
field, which is that we take a point-products approach, and we take an approach of technology after technology after technology, and we have a tendency of forgetting about people, process and culture. We need to really start thinking about people, process and culture, and particularly in this world I believe that we need a cyber-physical risk-based approach. Right? So risk and security are not equal to each other, but the reality of it is that if we understand our exposures, we then understand what risks we may have, and then we can take steps to mitigate it. Whereas over the last 25 years I've been dealing with customers from the perspective of: I'd
like to be able to buy this technology. And a lot of the times I'll ask them the question of, well, why are you doing this? And they don't necessarily have a good answer. So we really need to start to answer the question of why.

So this is who I am. I come from is squared; we're a leading information technology company. I have put up my QR code, so if you want to trust my business card, by all means take a picture of the QR code and you'll find that my contact information will be there. If you like me in person and you'd like to trust me in person, I also have
those same business cards that I can hand to you in person. Let me ask you, the entire audience, a question. Look to the person to the left of you and look to the right of you. Do you trust them? Adam, Adam in the back room, we know for a fact we don't trust him, right? Adam, you need to leave the room, and I'm going to reauthenticate you as we go into this next conversation. So, talking about... you can come right back in. But we created by... and one of the things in these slides, I want you to pay attention to a couple of things: technology and who created it,
and then start to take a look at it from the perspective of the different corporations that have created them; some of them don't exist anymore. And then from the perspective of the organizations, so MITRE as an organization, government-run organization type thing. And then you'll also see analyst firms creating terms and terminologies throughout this presentation. But in OT, in the oil and gas field: MIT created authentication in the 1960s. Today I can walk into the oil and gas field in Alberta and connect up into systems and not be authenticated. So what is that, 40, not 40 years but 63 years we've had authentication capabilities within computer systems, and we choose by human nature not to continue to deploy them.
You know, 15 years ago I started on the rant of "this is the year of MFA, this is the year of MFA", and MFA never really started to come along until we started to see a lot of external services of systems rather than internal services of systems. Access control lists: we talk about Layer 2 networking. I'm a networking expert because of working for Fortinet, and I understand networking quite well. We put access controls to be able to put traffic east-west within our environments, and the technology is over 60 years old. One of the Fortinet tests, in a lot of the exams they'll talk about what the first
virus was, but in fact it was a first worm, and the first worm and the first virus were created by the same organization. It basically said "I'm the Creeper, catch me if you can". And so the Reaper worm replicated, and self-replicating, so this is the first iteration of self-replicating viruses, was the first malware that we had within our environments. We bring out, by MITRE, we've talked about the attack surface, security kernel in 1974, yet the kernels that we operate today are not secure by default. They're not secure kernels. Doesn't make a lot of sense. Public key infrastructure coming from Diffie and Hellman, and for the longest time in my
early career I thought Diffie and Hellman were German, just because of the last names, but they're Americans, and they created the public key infrastructure; from the perspective of what we use for all our certificate management today, it is fairly aged. Everybody knows John McAfee, at least everybody knows all the strange videos from John McAfee anyway, but McAfee ended up being the first antivirus software. We then see packet sniffers from Network General. Many of the technologies that we're using today are foundationally off of the technologies that we've used in the past; many of them used Network General's packet sniffing capabilities to be able to understand and then visually graph for you exactly what's happening within
the network. We then go into packet filter firewalls, and I come from a firewalling company, so packet filtering firewalls is looking at the individual packets, filtering it all out, understanding what I can and cannot allow within the environment, and then you'll see stateful packet inspection come up in the next slide. But then you have rule-based access controls. We need to be able to apply rule-based access controls throughout our entire environment, but it's been around for a long, long period of time.

Notice the extensive vendor sprawl, and notice that I missed the last 10 years of the timeline, and the reason why is because I couldn't continue to put in
all the different technology enhancements that we've seen in the last 10 years. And by the way, I'll share these slides, so you don't have to take pictures. But Check Point, and they're here today, created stateful firewalling, and then you go forward over and then you have Palo Alto, who creates the term next-generation firewall, but IDC created unified threat management. And if anybody in the room can tell me the difference between unified threat management and next-generation firewall, I'll give you a hug, because the reality of it is that they're not anything different. It's how the analyst firm
Gartner couldn't use the UTM terminology because IDC created it, right? So it's all about the analyst firms that are influencing us and how we're spending our money. It's the vendors, it's the analyst firms. Very rarely will you see actually people's names coined to anything. Gartner, and I'm going to call them what they are, an IT analyst firm, created the term for operational technology. The reality of it is that they were like, "oh well, they're doing something similar to IT, we don't really know exactly what it is, so let's just call it operational technology, because it's the operations department that we're dealing with". The reality of it is that operational technology is an
engineering discipline and information technology is not. And so from a security perspective, what we have to start to think about is how do we evolve information technology into an engineering discipline, and how do we move security, and particularly, into an engineering discipline, so that we engineer security for purpose and for the net result. We'll see further in: endpoint detection and response. Gartner coined the term in 2013. By 2023 everybody's talking about endpoint detection and response. So it's the marketing hype and then it's the technology that follows it, right? Oh, thank you very much for the clap, I really appreciate that, because it's, you know, putting a lot of effort into building these
presentations.

So where we are: we talk about digital transformation a lot within business, but how do each of us define it? It becomes very difficult. So what we have to do is we have to look to the past. The Industrial Revolution was really taking us from a farming agriculture into an industrial agriculture, sorry, a farming environment into an industrial environment, and that we're manufacturing goods. The information technology revolution started in the 1980s. I was born in 1967; I was an 80s child in high school, and I learned, not all of it, but I learned computer science in the 1980s because of the information technology revolution, and
now we're in the digitization revolution. We have analog processes, so something that we're doing analog. Let's use Excel spreadsheets. How many of you guys still use Excel spreadsheets? Those Excel spreadsheets, to my mind, are an analog, not a digital process. I'm just putting it in and I'm not doing much with it. Whereas we're now starting to move things from an analog process into a digital process, and that's the digital revolution, to be able to make things move simpler and faster for people.

So how do we put this in a graphical way? 1784, we have Industry 1.0: it's using physical means to be able to take water out of the ground, and it's starting to
use steam as a way of propelling things. Industry 2.0, we introduce electrification and mass production; that's where we start to see Ford in the assembly line come about. Industry 3.0, we end up introducing computers, computerization, and then you start to see a whole bunch of terminology come out: PLCs, programmable logic controllers; RTUs, remote terminal units; IEDs, intelligent electronic devices. We're in the realization phase of Industry 4.0 as we move into, sorry, we're at the realization stage of Industry 3.0 as we're moving into Industry 4.0, meaning we're now using data instead of physical. We're now using data to be able to collect data and being able to make better business decisions based off the
data that we have. So with that, in the oil and gas field in Alberta, we'll talk about o specifically, we have highly distributed points of physical equipment that create data. We're now using Industry 4.0 to be able to make better business decisions based off of the data. So if you're in those industries, oil and gas, manufacturing, electrical generation, transmission, distribution, you're making a conscious decision to use data and collect data from the field. So from a technical perspective, instead of talking about security, what we should be talking about is data aggregation and collecting data, to be able to bring it into data lakes, to be able to make better business decisions.
And then we move into Industry 5.0, and a lot of people are like, "oh man, I just learned about Industry 4.0". Industry 5.0 is over, you know, it started in 2020, and it's the introduction of cooperative robots on manufacturing plant floors, or being able to take the human tasks that we don't want to do, lifting things, those sort of things, and using a cooperative robot, and also being able to do mass customization. And I will talk to you about mass customization in my presentation as we move along.

Operational efficiency demands digital transformation. If I want to become more operationally efficient, I need to digitally transform my environment. So in digitally transforming my environment,
another way of looking at it is I'm connecting supply chain all the way through to the end customer. You guys don't trust each other, we've already proven that. We now interconnect you guys all together in systems where you're communicating, messaging from each other, yet you're untrusted systems. Let's just use that for the concept within the audience. And so to adopt digital transformation, now the attack surface is exponentially greater. I'm interconnecting everybody in the room to be able to have a better output, but the reality of it is that I've now allowed the attackers to be able to have a greater visibility to what the environment is, and that's why we've seen ransomware increase since
2010. Since the introduction of Industry 4.0 we've seen an exponential growth of ransomware. Why is that? Because we're interconnecting systems we've never interconnected before.

So what's happening in the business environment? We're shifting to digital. Talked about analog processes: we're doing analog measurements, we're converting it to digital signals, and then we're aggregating our data. We're focused on safety and availability of our systems. And when we start thinking about OT and we apply it to IT: how many of you ever thought about data from a safety perspective? What's the safeness of your data? Can you kill your data? Well, yeah, you can, because you can put it on a backup, you can kill it, you
can delete it, you can bring it back, right? But when you talk to an operational technology professional: I can't kill people on the production floor because they're not doing what they're supposed to be doing, right? We may want to. So we're focused towards productivity and uptime, and we're focused towards safety and availability of human life. We want to be able to gain operational efficiencies. We're really focused towards the customer experience. How many of you guys noticed in the last 10 years that when you're consuming goods you can start to get a more personal approach? It feels better because you're buying something. Well, that's intentional. But I also need to be able to do product
integrity and product tracing. I need to know where this product is sourced from, from the source of it to how it is created, and all of the processes in between, by the time that it is received by the consumer. And particularly in food manufacturing: how many of you have noticed a lot more recalls relative to food? Why? Because we're tracking it a hell of a lot more. And then the uncomfortable name in the room is compliance. We all need to be able to be compliant, yet we don't necessarily collect the data or aggregate the data in the way that we need to, to be able to show compliance.

So, OT security evolution. In
1784 I would go and I would break your pump, and then your family wouldn't survive because you wouldn't get water. By 1870s it was also industrial sabotage. 1929, now for me, I'm a tenant of history: Winnipeg general strike occurs in the 1920s, 19... forget exactly the date. Then the Winnipeg general strike occurred because of the fact that manufacturing plants in Winnipeg, and Winnipeg was the second largest city in Canada at that particular point in time, but all of the manufacturing was done in western Canada, and people were dying on manufacturing lines because of it. So we now have the unions come in in the 1930s, and then we start to then build in
safety culture. We need to be able to take safety culture and evolve safety culture to security culture. But we introduced the PLC in 1968. We talk about air-gapped environments and trust/untrust: do I trust you, do you trust me? Because computer science got it wrong in those years. Why? Because the trust/untrust model should have never occurred, but that's exactly how we set up systems. Safety culture was updated after Chernobyl, 1886, 1986, yeah, in '86. When Chernobyl occurred, the operators did not understand how to safely shut down the systems; therefore then training and safety started to increase. Industrial-level firewalls were introduced in 2001 by a company called Tofino Networks;
they're owned by a company called Belden today, and they segment the lower levels of the process zone. So if you hear a lot from firewall vendors about segmentation, microsegmentation, they're really talking about 20-, 25-year-old technologies. We see a systematic vendor, called, tool called Industrial Defender. They focus towards risk: what is the risk, what are the exposures to my environment, and how do I reduce that exposure? That's one of the things that we need to start thinking about from a security perspective: how do I reduce exposure? We introduced Industry 4.0 in 2010 and then Industry 5.0 in 2020. We introduce visibility vendors. So we talked about the NIST framework. How many of you guys have used NIST
frameworks from a security perspective today? Identify, detect, protect, respond, recover. What I find is I get many customers to identify, detect, protect; they never get to respond and recover. Thank you. 20 minutes left and then you don't have to deal with me anymore. Or you could come up. I do public speaking all the time, but I'm forgetting people's names and I don't know why. I'm getting older, I'm 55 years old. So if you'd like to reintroduce yourself to me, and if I met you before, please do that and I'll give you my business card, or if you want to introduce yourself to me the first time, please come over and talk to me. So IDS vendors
come in, this concept of "hey, we just need to know all of the assets within the environment". Unfortunately, just understanding the assets without having the framework around it doesn't result in good cyber hygiene.

So now let's talk about the risks to the environments. If you've ever been to an OT talk before, everybody needs to bring up Stuxnet. Stuxnet occurred, it changed the industry, and everybody's all worried about security of it because of Stuxnet. Let's take a look at Stuxnet as a nation-state attack. It required social engineering, it required four zero-days to happen, to be able to use Stuxnet. I'm not going to go through
all of the different attacks, because you guys are getting obliterated with the number of attacks that are occurring on a regular basis today. But when you fast forward to past 2016, into 2018, 2019, 2020, what we're seeing is the attacks are cyber-physical in nature. They're coming from the internet, the IT department becomes compromised, then it goes over into OT, and the operations become compromised. And so really what we need to be able to do is to start thinking about how we shore up IT security to be able to protect the operation of our business. When I started, and I was one of three people that started the OT team
at Fortinet, which is, I'm happy, it's about 250 employees today. But in this latest report, 95% of organizations have moved operations security under the CISO. Why? Because previously it was under folks that were only solely worried about the OT side, when really in fact it's an IT and an OT, and it's an enterprise security challenge.

So I want to educate you guys on manufacturing processes and how they've changed in the world. Of course I'm talking about the Showtime Rotisserie and BBQ. And even if you're on a diet... look at just my Ison new Showtime rot... delicious 5 lb chicken, not one Chen... oh my God, you can have two 5 lb chickens... pound mouthwatering
pork loin roast... The point of this video is... juicy quarter-pound hamburgers... a manufacturing process that Ron Popeil mastered is: everybody in the room, you get a rotisserie, you get a rotisserie, everybody gets a rotisserie, right? Well, now you fast forward to the technologies of today... BR your host today... and you can pause, and we'll move forward, and we're going to talk about dynamic manufacturing processes. How many of you guys have bought a shoe customized specifically to yourself? There we go. Custom materials. How many of you have bought in on buying a Tesla, and going through the buying experience of a Tesla? Not very many, okay. So from a dynamic manufacturing processes, I can
make individual decisions on purchasing based on the individual desires of the individual. Isn't that a hell of a lot more powerful than "set it and forget it" and Ron? Although I want one of those Fortiss ovens. My partner in the room, Fen, you cook really well; I need one of those Fortiss ovens. So this is the static process, and everybody remember the Carol Burnett Show? I'm a certain age myself, but everybody can watch these things now. Nike asked the question: what if you were a shoe? What if you were a shoe? The idea is so absurd. Well, if you could be such a thing, you'd have to be, hm, what's the word, not
a word like flawless or perfection, but just an idea you get in the produce section. It's all play when you customize, there's no wrong or right. Go pop some colors or keep it simple like all white. What's your jam, what's your thing? No more thought than this: design your shoe as a league champ or an opera-loving Bist. Just turn up the what's-newness or the stay tress, but with much more bless, as a gift from your Aunt un. I wonder what my auntie got me. Wao, these are great, Unice. So we have the Unice of today, from the perspective of our ability to be able to order and C things. I'm just going to get rid of the
video here. And in digital transformation, from a consumption perspective, we as human beings can't keep up. How many of you are overwhelmed with the amount of data that is coming into your life? How many of you guys are trying to cut it out? Right? Like, I quit Facebook for seven years of my life because I just couldn't handle it. It's just too much, I don't want it. I'm not on Twitter, X, any of the social media platforms, yet I feel the pressure all the time from the perspective of "hey, I have to be interconnected". Do we really have to be interconnected? And so with that, what we need to be
able to do is start focusing towards education and empathy. Now I'm going to go back into the 50s or 60s, whenever this was created. "All right, girls, now this is your last chance. If one piece of candy gets past you and into the packing room unwrapped, you're fired." "Yes, ma'am." "Let..." Oh, anybody remember the end, or the whole video here? So is there empathy involved here, from the perspective of understanding? So when we start talking about operations in IT and IT security, we have to be empathetic. We talk in acronyms; people don't understand us. I sit in this conference and I'm a security professional, and sometimes the content I
don't understand, and it's perfectly fine to be able to say that, because I'm a specialist in specific areas, and we need to be able to have empathy for each other from the perspective of operations and IT. It's not us versus them; it's us being able to deliver to the business what we need to be able to deliver.

So there's a need for cyber-physical risk management and mitigation solutions. So today we have a whole bunch of manual processes. How many of you agree that security ultimately ends up in manual processes? We end up having a whole bunch of manual processes. We have limited or partial visibility to what actually
our systems are all about. How many of you have an accurate inventory of all of your assets? There's a customer in the room that has about 250,000 nodes on their network. 15 years ago I walked into a meeting with the executive and I said, "hey, the best way to secure your environment is to understand all of your assets". The meeting ended at that point, because they weren't prepared for that asset conversation. So how can you secure something if you don't know you have it? You have to have an asset inventory. You have lack of operations and business context. I'm going to use this example again: look to your neighbor. Do you know
what they do? Do you know who they're connected to? Do you know how they're connected, or why they're connected, or what their criticality is? Do you know why they're here? So, lack of business context and operations. You don't hear very many security vendors talking about business context or operations. It's the flashy new thing: I need AI. Why do I need AI? How do I secure AI? Right? That's what I was trying to propose, the question in the last session: how do I secure AI? Then I have minimal attack surface management. How many of you in the room, from the perspective of IT professionals and IT security professionals, can understand your attack surface and how you're
managing your attack surface today? And I'm asking these tough questions because this is the reality. We have focused way too much towards technology. We put too much focus and too much trust in the vendors. I worked for a vendor for 20 years of my life, I love their products, but the reality of it is that I cannot determine what my attack surface is, internally or externally, today, for the most part, not with the technologies that most companies have deployed. So I want to be able to understand what my attack surface is. Then we start to move into multivendor, multigenerational, inherently insecure. How many of you know that you have insecure devices within your
environment? Right. So we know for a fact that we have insecure devices, but we don't understand our attack surface. So we need to be able to understand and apply the insecure device and understand that to attack surface. How many of you guys understand indicators of compromise? My environments, I've got indicators of compromise. So indicators of compromise: past tense, this is what's happened within your environment. What about what is happening within your environment? How about indicators of exposure? Maybe we should be focusing towards exposure of systems and what exposure they have, because then at that point you can take a risk framework approach and you can reduce the exposure; therefore then you're never compromised. Or, I just did it, I said something
that's not possible. You will be compromised, we know for a fact. And I'm sorry that I swore, but, and just delete that from the video when you're done. Safety and performance are a top priority, right? What do the executives care about? That's the question that we need to answer. Governance, compliance and regulations with policies. So, any of you guys GRC professionals in the room, governance, risk and compliance professionals? Good, good. So we've got security professionals in the room. Threat risk analysis: does it make logical sense to you guys that I do a threat risk analysis of my environment once a year, and then it changes 480 million times throughout that
year? So TR... and look, I come from a company that does consulting. It's a lucrative consulting business for those companies. But why not just simply have real-time threat risk analysis, so that you can then understand the risk to your environment and the indicators of exposure to your environment at any given point in time? So stop paying the consultants and start looking at it from a process perspective: manual processes, converting it into digital processes. I'm a big believer in this. How many of you guys use spreadsheets to understand frameworks? How many of you guys like ISO 2701 or IEC 62443 from a framework perspective? So these organizations, they create them, they put them into PDFs, and then we have
to interpret them and we have to read them as security professionals. Well, why don't we just do digital ingestion of those frameworks? It only makes sense to me: digitally ingest those frameworks, then at that point there's less learning curve. Global compliance standards required: this is just a selection below, these logos. IEC 62443; EN 50155, that's for train rolling stock; the NIST cybersecurity framework. I can go on and on and on. NIST directive, NIST directive 2. If you're global multinational, and this is where part of my career I started working a lot with global multinationals, they have to comply with every single one of these. Oh, not only
that, but I sell to retail; I have to sell and I have to be PCI compliant. Each one of those have distinctive controls, but the reality of it is that the controls overlap; therefore then we need to have global standards. Continuous reporting aligned to agile business models: we're using agile business models to be able to make our businesses better, and we're flattening them out, and so from that perspective we need to be able to then move security into agile business models as well. For once, security and the people in this room, we're behind the business, and I can't say that throughout my entire career that we
have been. The business is moving faster than us in security, and therefore then we have to start to adopt the technologies that they're using to be able to have their business models become more agile. Our business models need to become more agile. And this last piece, and this is a contentious conversation with a database person: I believe in unified data lakes, or unifying of and doing data aggregation, to be able to understand how to aggregate the data, to be able to pull out that information. Now I could go and say, well, we're going to use AI, we're going to use machine learning. No, let's just use the systems. We can use AI and machine learning, but let's get to
the basics first. Let's collect the data, then at that point start to be able to make those business decisions. Governance, risk and compliance: we have wasted resources after the fact, thinking we're using it, a snapshot in time. And I'm not going to go through that, because I've got five minutes left and I've got a very key message I want to send to you, from the perspective of the NIST cybersecurity framework. Adam, what's wrong with this? And I love you, man, I didn't plan it. It's backwards. Why is it backwards? Because most customers look to identify, detect; they get stuck at identify and detect, they never finish the rest of the
model. The model is not intended to be go level one, level two, level three, level four. The model is to be able to look at what security controls you need to put in place that are associated to the business that you're protecting. So I can go through all these models, but the point that I want to be able to make is: if you start with managing and optimizing, you actually spend less money. You put fewer security controls in place, because you know for a fact these are the security controls that I need to be able to put in place. And the slide that I skipped was the
security controls themselves, and I'll be more than happy to share it. But I want you guys to start thinking about it not from the perspective of linear thinking. I'm a salesperson, so I jump all over the place. But from the perspective of selectively choosing what you need: reduce the cost of security and increase the value of what you're getting out of security, by not putting all of the controls that the security vendors are telling you to put in, but only put in the ones that are relative to your business.

Culture. Culture, I think, is the most important thing. We started talking about culture, but we want to be able to erase
a culture of safety and availability of systems and people's life. Safety and security equal each other; that's the message here. Then we move into this message: we have cultural conflict between IT and OT, and in that we have CIA rule, confidentiality, integrity and availability, and then we have the SAIC rule, safety, availability, integrity and confidentiality. And so with that, what we want to be able to do is learn and have empathy for each other to be able to understand how we don't get to this. There's a war in the industries going on right now from the perspective of IT and OT and who's right and who's wrong. The reality of it is that both are
serving the business, and both are correct and both are wrong. The other concept I want you guys to think about too is this, is that we talk about tools all the time at these conferences. I can sell you this next-generation firewall, I can sell you this ATP, I can sell you this EDR, I can sell you this XDR. I'm getting so tired of the terminology. What I'm trying to say is that you want to be able to take a look at tools in context to a toolbox or in context to a platform. So we're using, in the application world we're using Microsoft, Google as application platforms; in security we need to start
thinking about security-based platforms. Now there's vendors out there that are doing that: Cisco builds a platform, Microsoft builds a platform, Fortinet builds a platform. We want to be able to think about a platform and then focus towards risk and risk-based mitigations. So number one, identify the assets. Number two, identify the vulnerabilities, understand the vulnerabilities. Um, from a vulnerability program, I see lots of people ending up, and lots of organizations saying, hey, you know what, I have 15,000 vulnerabilities, I can't address all those 15,000 vulnerabilities. That's where context comes in, which is: why address a vulnerability if it can't be breached contextually? If it can't be breached, if the system is so deep into the systems
and you've figured out there's no attacker path to get there, then you don't have a need to address that vulnerability, whereas the vulnerability vendors will tell you I have to address everything. apply Poli Ed I affected assets, uh, into the organization and vulnerabilities, and understand the, uh, understand the context. Discover network assets, and being able to understand that from a contextual perspective and giving it to you from a different learning perspective. I'm dyslexic, and from a dyslexia perspective I have to learn: I have to read it, I have to see it, I have to hear it. Many people don't understand why I do those things, but that's when I remember it. I want to be able to give
different people different viewpoints. I want an operator with an operator context; I want an IT security analyst with a security analyst context. So apply threat modeling scenarios to risk, to address risk across your entire environment, and from that then, uh, infer what mitigation steps that need to be taken to be able to reduce the exposure to your environment. And I'll leave it at that with the top five things I'm going to suggest that you do. Build an operational technology and risk security program, and if you're an IT, build an IT security risk program. Uh, build a cyber security management system, um, CSMS, that's what it's called in IEC 62443 terminology, but essentially is
continuous risk mitigation from the highest level to be able to understand what you need to be able to do at the lower levels, and improve security by understanding the risks and the gaps to your environment, and then have continuous involvement of stakeholders and domain owners. We do not ask the business enough, as security professionals, what they need and how they would recommend that they secure the environment. We need to be able to start doing more of that. And then operate safely with context to being able to make business decisions. Um, this is the advertisement of who is squ is. I'm going to use Colonial Pipeline as an example. The executive said this: we had to shut down the OT
systems and Colonial Pipeline attack for the gas, the pipeline, because they had the data, they had the data to understand, but they didn't have the data to be able to interpret it, and so they did not know if they could operate safely. So you want to be able to answer the executive question: how much risk do we have, and how can we operate safely? Thank you very
much.