Episode 96

What Actually Works in OT Vulnerability Management with Dan Cartmill, TXOne Networks

Published on: 21st October, 2025

In this episode of the Industrial Cybersecurity Insider, host Dino sits down with Dan Cartmill, Sr. Global Product Marketing Director for TXOne Networks, to discuss the often misunderstood world of OT vulnerability management.

Dan brings a unique perspective, having started as a practitioner 17 years ago, before transitioning to the vendor side. The conversation explores why simply creating a list of vulnerabilities isn't enough – and what organizations should actually be doing to reduce risk in their OT environments.

Chapters:

  • 00:00:00 - Introduction and Dan's Background
  • 00:02:00 - Biggest Misconceptions About OT Vulnerability Management
  • 00:04:00 - Blind Spots in OT Vulnerability Scanning
  • 00:07:00 - Finding Vulnerabilities: OT vs IT Differences
  • 00:10:00 - Proactive Approaches to Unknown Vulnerabilities
  • 00:12:00 - How TXOne Addresses Vulnerabilities Non-Disruptively
  • 00:15:00 - Virtual Patching and Operations-First Philosophy
  • 00:18:00 - IT/OT Convergence and Team Collaboration
  • 00:21:00 - Building Relationships with Third-Party Partners
  • 00:23:00 - Tabletop Exercises and Incident Response Planning
  • 00:26:00 - Key Takeaway: Never Forget Your Original Objectives
  • 00:28:00 - Dealing with Event Overload and Zero-Day Vulnerabilities

Links And Resources:

Thanks so much for joining us this week. Want to subscribe to Industrial Cybersecurity Insider? Have some feedback you’d like to share? Connect with us on Spotify, Apple Podcasts, and YouTube to leave us a review!

Transcript
ad:

Welcome to the Industrial Cybersecurity Insider.

2

:

In each episode, we dive into the

world of industrial cybersecurity.

3

:

Join us as we cover the latest

trends, innovations, and practical

4

:

insights as we talk with leaders and

practitioners across the industry.

5

:

Gear up and let's get

into this week's episode.

6

:

host: Hi, my name's Dina Bki, and

today I have Dan Cartmel from TX one.

7

:

Welcome, Dan.

8

:

guest: Thanks, Dino.

9

:

Great to be back.

10

:

Good to chat again, looking forward

to chatting today about some

11

:

vulnerability management stuff.

12

:

host: Yeah.

13

:

, Why don't you give us kind

of a, a brief rundown of your

14

:

background in your role at TX one.

15

:

guest: I do, , product and

content marketing here at TX one.

16

:

My background, I, I took a

little bit of a different path, I

17

:

guess, to get to where I am now.

18

:

I actually started on the practitioner

side about 17 odd years ago, , in

19

:

the uh,, the IT security space.

20

:

And, , did that for a while, held

a, a number of different roles as

21

:

a security practitioner, security

analyst moving into, , consulting,

22

:

and then I moved to the vendor side.

23

:

I did , some pre-sales work,

product management, and now

24

:

moved into product marketing,

and that's what I do for TX one.

25

:

I help describe how TX one's products

can help with, the challenges that

26

:

organizations are facing in the market.

27

:

host: TX one's got a very unique

offering with the technology, I believe.

28

:

I mean, we've been looking and chasing

in our role, , putting in a lot of these

29

:

OT intrusion detection systems, right?

30

:

Which was kind of the first phase of

this, you know, OT cybersecurity journey.

31

:

, And in TX one coming

along several years ago.

32

:

Has been able to say, yeah, we get that

and we're a part of that, but then,

33

:

well, how are you going to deal with

these vulnerabilities and risk as you

34

:

uncover them in the, , manufacturing

environment around OTs specifically.

35

:

So what do you think is one of

the biggest misconceptions about

36

:

OT vulnerability management?

37

:

guest: Yeah.

38

:

It's the perfect starting point , and

your setup there , is perfect for it.

39

:

, I'm often seen a misconception between.

40

:

Gathering that, , list of vulnerabilities,

doing a comprehensive scan, even

41

:

if you're able to scan every asset,

, that somehow that is the end goal.

42

:

, That once you have that list, once you

have that good understanding of, , what

43

:

vulnerabilities are there, what exposures

you have, what , your risk surface is

44

:

that your significant amount of the way,

, complete on your OT security program.

45

:

When in fact you've just created lists,

there's still a lot of work to do

46

:

and , the real work of actually reducing

that risk is, , still to be done.

47

:

And we see a lot of organizations

that have, , deployed various tools

48

:

and they do a great job at helping

identify it, but they find themselves

49

:

stuck in that gap of, what have we

got, what are we gonna do about it?

50

:

host: Well, I think a lot of mistakes

that organizations make is , they

51

:

think that OT environments can

be treated the same as it, right?

52

:

And when it comes to vulnerability

management, and, you know, the reality

53

:

is that, , they run on legacy systems.

54

:

They have uptime requirements, you

know, , and limited scanning and patching.

55

:

So, and, and they're sensitive to changes.

56

:

And that's where we, we see

this, you know, the, , gap as

57

:

I call it, between IT and ot.

58

:

And we can get into the whole IT

OT convergence conversation as,

59

:

as we go through this discussion.

60

:

Mm-hmm.

61

:

And our, and our thoughts on that.

62

:

So, and, what do you think

are some of the blind spots

63

:

on, , OT vulnerability scanning?

64

:

guest: Yeah, so, so OT

vulnerability management as a whole?

65

:

It's just less mature

than, its it counterparts.

66

:

, So in terms of the technologies

that exist to be able to, , to go

67

:

out and scan various devices , in

different, , deployment patterns

68

:

and whatnot, it's just less mature.

69

:

It hasn't been around as long, there's

not as many vendors in the market kind

70

:

of driving a lot of that innovation and

whatnot that moves technology forward.

71

:

So from a starting point,

it's just less mature.

72

:

, Another, I think, significant

part behind that is.

73

:

, How we actually do the scanning.

74

:

So no, there's the ongoing

debate of passive versus active

75

:

scanning , and all of that.

76

:

But how do you make sure that all

of the devices that exist in your

77

:

environment, , and whether or not they're

connected all the time, sometimes they

78

:

might be intermittently connected,

sometimes there might be air gap.

79

:

How do you make sure that the

approach that you're taking.

80

:

Actually collects all of that

information as it's doing.

81

:

Its, let's call it a sweep.

82

:

So the blind spot, I think that comes

from that is the more perhaps it-like

83

:

approach of, we expect these systems

to be generally online and responding

84

:

to that, , that scan, that sweep.

85

:

When in ot, a lot of the times,

either that device isn't going to

86

:

respond for various reasons, it's not

able to, 'cause it's not connected.

87

:

What that can give you is.

88

:

An incomplete picture, I'd say, where at

a point in time you may have 60% of your

89

:

assets, you scan again, the next week,

you might get another 60% coverage, but

90

:

it's a different 60% because different

devices might be online or available, some

91

:

might be, , bought online for a specific

part of a process that's happening.

92

:

, and that means that you're gonna have

outdated vulnerability information from

93

:

the devices that didn't get re-scanned.

94

:

You're gonna have new information

that you are gonna have to try and,

95

:

, consume and work out what to do with.

96

:

So I think , the big blind spot is

treating it like OT is you, your

97

:

picture is never going to be complete

98

:

there's still too many gaps,

immaturity, and tools in their

99

:

ability to see all these devices.

100

:

So, , there's more steps required, more

due diligence required in making sure

101

:

that you do have all of the information

so you can make your decisions

102

:

on, , what you're gonna do about that.

103

:

host: Yeah, you're spot on.

104

:

The OT assets are not easily

discoverable, that's for sure.

105

:

Right.

106

:

It's just their architectures around

those control systems are, are different

107

:

and you know, it's also an area where

it is, it's a blind spot for them.

108

:

'cause they're truly unsure of how

that stuff is put together within

109

:

those environments because they

didn't have a hand in it primarily.

110

:

Right.

111

:

And nobody's.

112

:

Nobody's wrong here.

113

:

It's just if you weren't involved

with the development, design,

114

:

implementation and then the ongoing

maintenance and support of these

115

:

systems, it creates a blind spot for it.

116

:

It really, really does.

117

:

And we have this saying, it's

like you can think globally, but

118

:

you gotta act locally, right?

119

:

Meaning that you have to be able to.

120

:

To work with people within the four walls

of these facilities or at these sites

121

:

that have inherent knowledge, right?

122

:

The tribal knowledge of these

control systems and how they

123

:

operate, how they work, potentially,

how they're put together.

124

:

And even sometimes the plant

people aren't really sure how

125

:

everything is put together.

126

:

They know where it's at.

127

:

They don't necessarily know how it's

connected or where it's connected.

128

:

And we run into that a lot

in the work that we do.

129

:

, So let's talk about

130

:

what's the finding vulnerabilities

different between OT and it, you

131

:

know, what makes those different?

132

:

guest: Yeah, so, so perhaps to level

set how a lot of these, , a lot of

133

:

tools that do this kind of scanning work

is the vulnerability has to be known.

134

:

So, so there has to be some kind of

intelligence, some kind of detection,

135

:

logic filter, something like that, that,

, can, , identify, scan a particular device.

136

:

Run a set of, detections for, lack

of a better word, against that, to

137

:

understand what is it vulnerable to?

138

:

Is it vulnerable to these

particular exploits?

139

:

, Does it have this missing software

that would make it vulnerable to

140

:

these other ones that are listed?

141

:

, But it all comes back

to it has to be known.

142

:

, So in our IT list, of course we have

a, a ginormous list that's continuing

143

:

to grow all the time, but it's,

it's very large in what we know.

144

:

Exists out there in

terms of vulnerabilities.

145

:

OT is just smaller.

146

:

So there's been less research done

on these vulnerabilities that exist.

147

:

There's less researchers, less

threat researchers that are doing

148

:

active investigations into, , the

vulnerabilities that exist.

149

:

So, ,, for the first part, it

is it's more difficult to do ot,

150

:

vulnerability detection, vulnerability

management, because there is less.

151

:

, Threat intelligence around

what are the vulnerabilities.

152

:

So the result of that is even if you were

able to do a complete scan, , you had

153

:

a, an excellent tool that was able to

do a complete scan of your environment.

154

:

Every device, let's just assume for a

moment that that was possible to do.

155

:

There's still a fairly good chance that

there's a whole bunch of vulnerabilities

156

:

that it just doesn't know about,

that we just don't know about yet.

157

:

They're just waiting for

someone to exploit them.

158

:

So in terms of finding.

159

:

Those vulnerabilities.

160

:

, Our initial mindset should be,

it's unlikely that we're going

161

:

to have the complete picture.

162

:

We're not gonna have as granular knowledge

and level of protection as we might have

163

:

in that IT environment, simply because

there's not as much research there how to.

164

:

Kind of move toward doing

something about that though.

165

:

So it's, it's one thing to say, yeah,

you're gonna have less visibility.

166

:

Yeah.

167

:

And they all know they happen.

168

:

host: Right.

169

:

The clients know that they've

got risk with these assets.

170

:

They, they, they

171

:

guest: know that

172

:

host: Exactly.

173

:

E

174

:

guest: exactly.

175

:

, The way to, to move forward with

that knowledge, with that acceptance

176

:

that there is going to be a good

level of unknown is rather than.

177

:

Rather than act purely reactionary

firefighting mode when, , say a

178

:

new vulnerability is announced,

, these devices are vulnerable.

179

:

It's a, priority, , 10 have to

go and take some kind of action.

180

:

And, and jumping to the response

there, 'cause that type of

181

:

announcement is only going to increase

as more research is done Right.

182

:

As we see it in the IT world where

every couple of days there's a new high

183

:

criticality one that needs to be done.

184

:

Mm-hmm.

185

:

, That's a pretty quick way to just

drain your available resources, right?

186

:

Is just jumping through and, and

trying to go and do , more scans to

187

:

identify what is vulnerable instead,

taking a more proactive approach.

188

:

And, , that comes from understanding

more about the environment, as you

189

:

were saying, getting that plant

knowledge of how these, , systems are

190

:

put together, what they connect to.

191

:

But, , instead of looking at individual

vulnerabilities, look at the classes

192

:

of vulnerabilities that exist.

193

:

So, an easy one to visualize,

cast our mind back just a

194

:

couple of years, eternal blue.

195

:

, So we know that, , that worm

went through, , SMBV one.

196

:

So instead of trying to find all the

devices that are vulnerable two, that

197

:

a more proactive approach to that

would be to simply disable SMBB one.

198

:

Not saying that that's necessarily

possible inside of ot, just as

199

:

the example, but that blocks

the entire class of attacks.

200

:

So all the, , derivatives that came from

that or used eternal blue, you have, , a

201

:

mitigating control in place already.

202

:

So that can, help you focus your

efforts and the limited tools and

203

:

resources that are going to be

available to block very large.

204

:

Portions of the overall, , vulnerabilities

and exploits that exist without having to

205

:

look at each individual one and knowing

that when the new one comes, there's a

206

:

good chance you might already have some

good protection there, buying you some

207

:

more time to do that analysis with all

the other work you have on your plate.

208

:

host: No, good point.

209

:

And we're gonna talk, you

know, specifically about how

210

:

TX one's tackling that problem.

211

:

'cause some of the other things that I

would add is, you know, the OT teams,

212

:

they can't afford taking downtime.

213

:

To take on , these

updates and these patches.

214

:

, There could be regulatory

restrictions that are involved.

215

:

It could be vendor lock in, you know,

where the OEM's telling you, Hey, you

216

:

can't touch my machine if you want

to, you know, if we wanna keep your

217

:

warranties, maintenance and support

in place, you know, and so outside of.

218

:

The risk, the fact that the

vulnerability is out there,

219

:

it's a 10, it's being exploited.

220

:

They still can't move quick

enough to do anything about it.

221

:

And, , because of the things

that I just mentioned.

222

:

So that being said, let's

talk about how TX one.

223

:

The technology that they bring

to the table can actually help

224

:

solve some of those problems.

225

:

So how does TX one look at going

after these vulnerabilities

226

:

we're talking about without being

disruptive into the environment?

227

:

guest: Yeah.

228

:

So, , there's a couple of different

ways and, and we do it slightly

229

:

different between some of our products.

230

:

It's the same philosophical

approach that we take.

231

:

So, , in edge, our network

security product, , we use virtual

232

:

patching is what we refer to it as.

233

:

Mm-hmm.

234

:

, There's a number of vendors that

provide these kind of technologies.

235

:

It's, a time tested, very robust system,

, that's just very good at what it does.

236

:

So the way that that works is

essentially for network exploitable,

237

:

network detectable, I should say,

network detectable exploits, , using

238

:

deep packet inspection, various

other inspection capabilities.

239

:

It looks at all of the

traffic going through.

240

:

If it matches that, , particular

exploit, it simply holds the last packet.

241

:

So legitimate traffic continues

to pass through the device, but

242

:

if it is an exploit, it's blocked.

243

:

, It is as simple as that.

244

:

So if, , if that particular

vulnerability, if the exploit for

245

:

that particular vulnerability can

be detected via the network, virtual

246

:

patching allows you to put that patch.

247

:

In place off of the device so you can

offload it from the device itself.

248

:

That's virtual patching in a nutshell.

249

:

For, uh,, the endpoint.

250

:

So Stellar takes on Stellar our

endpoint agent based product.

251

:

So this, , uses a slightly

different approach.

252

:

So because it's an agent, it's

based on the actual device itself.

253

:

It's more, , app lockdown based.

254

:

So, , it does a baseline scan

of that particular device.

255

:

The endpoint that's hosting

that agent does a scan of that

256

:

understands what does it normally

do, what applications generally run.

257

:

What network connections is it making?

258

:

What system IO is occurring on it,

and it creates that baseline pattern.

259

:

So then instead of specifically looking

for security, , events and taking

260

:

action based on a security event,

detecting a threat, , patent filters,

261

:

things like that, it instead detects

any deviations from that baseline.

262

:

So we have the known state of

what this device should do.

263

:

Just don't let it do anything else.

264

:

So by doing that, it can prevent

those vulnerabilities, whether

265

:

they're known or unknown from

being exploited in the first place.

266

:

So,, this is TX one's, , philosophy.

267

:

So the operations first

philosophy, that's, applied in

268

:

both of these products where.

269

:

Security.

270

:

, The security perspective is very

important and that can help us find

271

:

targeted threats of more advanced things.

272

:

But the operation perspective is equally

important, where the deterministic

273

:

nature many of these actual industrial

processes, by their very design, they

274

:

are far more deterministic in nature.

275

:

If we can accurately map

that, we can restrict.

276

:

The network activity, the

endpoint activity to just that.

277

:

So, it's more taking the approach of

eliminating process variations and

278

:

special process variations as opposed

to detecting security threats alone.

279

:

That's how we, look at , the

Prevention aspect of it.

280

:

, To circle back to your original

question, how do we deal

281

:

with vulnerabilities in this?

282

:

How do we identify and detect them?

283

:

So, well, there's

284

:

host: two things to this and there's that.

285

:

There's detect and, and it gets back

organizationally who is best suited

286

:

to really, to do this right, to be

able to map that out and make sure

287

:

that you're not being disruptive by

putting these technologies in line.

288

:

Right.

289

:

Able to, , you know, to provide the

vulnerability or virtual patching, if

290

:

you will, and not be disruptive, right.

291

:

To make sure you're not breaking

anything, you know, and safe

292

:

operations process integrity, as you

mentioned, you know, organizationally.

293

:

And what have you witnessed with the TX

one rollouts on who's best at handling

294

:

the deployment of your, your technology

295

:

guest: on the plant floor?

296

:

Yeah, that's a really,

really good question.

297

:

, The answer not, not so simple

because I think it comes down

298

:

to, a few different parts.

299

:

So it should be joint.

300

:

Both teams should, , should be

having input, but it's, it's more

301

:

in the realm of what a security

engineering team would do as opposed

302

:

to what, , someone on the plant floor

may do in their normal day-to-day job.

303

:

It's more related to the security

team, but it has to be informed by

304

:

the restrictions and guardrails.

305

:

From the actual operations side of it.

306

:

But that said, , there's always

the risk of, , inputting a policy,

307

:

applying some kind of a configuration

that causes unintended side effects.

308

:

So the technology itself, the

actual tools themselves have to

309

:

be well designed to limit that

just by their very design itself.

310

:

So making sure that, , they have

the ability to do bypass, , if power

311

:

is interrupted or a configuration

change pauses, scanning that the

312

:

actual traffic itself doesn't get

interrupted for network based appliance.

313

:

And then, , inside of an

endpoint agent, and we can use

314

:

Stellars as the example there.

315

:

It has inside of the, the console

the ability to override it's, , like

316

:

an emergency stop button on the

stellar agent to make sure that.

317

:

If something time critical, safety

critical, operation critical is

318

:

happening, the person right in front

of that particular device doesn't have

319

:

to pick up the phone, try to get to

the security person to get them to

320

:

revert a policy or change something.

321

:

They can stop it right then and there.

322

:

So it's about having the products

and tools designed to support

323

:

the way that the operation.

324

:

Needs to function, , with

appropriate controls around that

325

:

so it's not, , abused and whatnot.

326

:

But it's a combination of both.

327

:

It probably does sit more with the

security team, but it needs to be

328

:

well-informed by the operations team

really working very closely together

329

:

and well-designed products to make sure

that as many things that can go wrong

330

:

are removed before they could go wrong.

331

:

host: Most of these control systems

aren't designed with security in mind.

332

:

Safety is security not so much.

333

:

Right.

334

:

And so now we're talking about, you know,

how do you get that local plant team?

335

:

Knowledgeable enough

to know what's normal.

336

:

You know, it's like a control

system within a control system with

337

:

security wrapped around it, right?

338

:

And having multiple players

potentially involved, which

339

:

we see with firewalls, right?

340

:

We see that with firewalls and

we see that with networking

341

:

where you have those external

parties, , that have the ability to.

342

:

Manipulate, the flow of traffic and

communications amongst those control

343

:

systems, which to your point, disruptive

can cause, you know, loss of product

344

:

could be safety issues, people can

get hurt, get killed, you could

345

:

have damage, whatever it might be.

346

:

And so that relationship has to be

really tight between those two groups.

347

:

, And you get into that ITOT

convergence conversation and

348

:

there's usually still gaps.

349

:

Right, because the IT team, that

InfoSec team, that we want them to

350

:

be more inherently knowledgeable

of the processes, right?

351

:

Mm-hmm.

352

:

Within that plan.

353

:

, And that takes a different level

of knowledge , and skill within

354

:

that manufacturing facility.

355

:

Even if you have 30 plants in your

fleet, no two are the same necessarily.

356

:

Mm-hmm.

357

:

Even though you might be making the

same products, but you have different

358

:

control systems that could be of

different, , versions, different makes

359

:

and models of automation technology

out there that, that are being

360

:

used to make those same products.

361

:

So that local team, in my view.

362

:

Has to have a role in being able to

really pull this off, in my perspective.

363

:

guest: I absolutely agree.

364

:

And, , as you were describing

that, something popped into my mind

365

:

that the situation that, a lot of

security teams, it, security teams

366

:

find themselves in at the moment.

367

:

It is, , the shoes on the other foot,

the analogy I'm looking for there.

368

:

Where for, and, and I was guilty

of this when I was a practitioner.

369

:

I'll admit that.

370

:

We wish that the organization knew

more about security, knew more of

371

:

why we were doing things, why that

control was in place, and why they

372

:

shouldn't try to work around it.

373

:

We wish that they knew more about that

and we got frustrated when they didn't

374

:

and they worked around the control,

caused an issue, clicked that link in

375

:

the email, whatever the case may be.

376

:

What we're seeing now,

and as you just described.

377

:

It's, , the, IT security team now

needs to learn more about the process.

378

:

host: Mm-hmm.

379

:

guest: So they're being asked to do

what they were asking others to do.

380

:

Right.

381

:

And, , it's not an easy journey

to make it is a completely new

382

:

domain of knowledge to learn.

383

:

It is taking you outside of

your comfort zone, right?

384

:

So you don't get to IT security and

high positions in IT security without

385

:

having been in the industry for a while.

386

:

You've kind of maybe a little

ego kind of coming into that,

387

:

and making that transition and,

admitting and saying, you know what?

388

:

I don't know enough.

389

:

I don't know enough about that.

390

:

I need to go and seek

out that information.

391

:

Of course, they're, , a lot, most

IT security folks, very inquisitive

392

:

people, just by their nature.

393

:

But it is a, significant step to take

to say, I don't wanna start doing things

394

:

here until I've learned more about it.

395

:

I'm gonna have to go and be

vulnerable with these other teams

396

:

of experts essentially saying, Hey,

I don't know what I'm doing here.

397

:

I need you to teach me.

398

:

host: One of the things that we've

witnessed is that I'll say two things.

399

:

I'm a believer that, you know, a

CIO or ciso, the InfoSec teams need

400

:

to probably get a better handle on

who's working in their plants, right?

401

:

Because in any major manufacturer

has got several or dozens of

402

:

different OEMs and system integrators

working in their manufacturing

403

:

facilities at any given time, right?

404

:

And so they need to start thinking about

building a relationship with those groups.

405

:

, And I'll tell you why here in a second.

406

:

, You know, because.

407

:

, How else are they going to know what the,

overall, , OT cybersecurity strategy is

408

:

that the organization's trying to pursue?

409

:

How do you get , that message

into these, third parties that are

410

:

in there working in your plant?

411

:

And so that's one, right?

412

:

They need to build relationships with

a lot of those folks because a lot of

413

:

manufacturers today, from a controls

perspective don't have controls engineers.

414

:

They have process, they have operations,

but they're not the ones necessarily

415

:

programming those control systems per se.

416

:

They're relying on these third party

engineering companies or OEMs to do that.

417

:

And so that's where that

relationship really needs to get

418

:

tighter between IT leadership from

a CISO role and an InfoSec role.

419

:

The partners that they have to

determine what are your capabilities,

420

:

what partners are you working with?

421

:

Like is TX one, you know, part

of your partner community?

422

:

What practices do you have from

an OT cybersecurity perspective

423

:

as an engineering company?

424

:

You know, so you can leverage that within

these environments to help close this

425

:

gap that you and I are talking about.

426

:

, guest: What just popped into

my mind there is in terms of

427

:

finding that and the, and then.

428

:

Finding, understanding if you

have all of the information..

429

:

So we can map out a, large list of, , all

of those that we're integrating with

430

:

our third party providers, the different

technologies tools we have, who is

431

:

looking after what particular parts.

432

:

A great way , to test that is to

do things like tabletop exercises.

433

:

Mm-hmm.

434

:

So develop out plans on, , okay.

435

:

Well we want to.

436

:

Do a simulation for this

particular system, our, , inventory

437

:

management system going offline.

438

:

Do we know everyone that

we should be calling?

439

:

, Do we know who their backup

is when they're not available?

440

:

Do we know what systems this is integrated

in, or if the loss of that system

441

:

will cause impacts in other systems?

442

:

Mm-hmm.

443

:

So, , I mean that, that

comes up all the time.

444

:

There's a.

445

:

A big auto manufacturer dealing

with, , something probably similar

446

:

to that where it wasn't necessarily

their OT systems that were impacted,

447

:

but the IT systems that may not be

connected to it were impacted and

448

:

it caused a flow on effect, right?

449

:

Making sure that all of that is mapped and

being able to have those, . Plans disaster

450

:

and recovery and BC plans in place.

451

:

It's really important.

452

:

, Tabletop exercise as well.

453

:

They may seem a little goofy, especially

the first time you're doing it.

454

:

If you're doing a good role play of it,

they can be really good at finding the

455

:

gaps in your knowledge and helping you

patch that and really get a good security

456

:

program that's battle tested in place.

457

:

So, , when the time comes, not so much

if, but when the time comes, you really

458

:

know , what to do about it and you're not.

459

:

Running around with your head on fire

trying to work out who do you call first?

460

:

host: Yeah, it's interesting, incident response. You know, we work in manufacturing facilities every day, all day. It's what we do. And I can't think of any client that's actually said, here's our IR plan if something of a material breach was to unfold while you're here. None of them have it. Now, what's interesting is when you think about safety before you go on site, yeah, safety protocols or safety training: where do you go if this alarm goes off? There's one for tornadoes, there's one for ammonia leaks, there's one for fire. You know, where's your muster point? They go through all of those types of exercises before you even get to start on site. But I've yet to see one that says, here's our incident response plan if we have a cyber breach within the four walls of this manufacturing facility.

guest: It really should just be a part of that. Maybe the process for developing the safety-based responses, maybe it's the same kind of a process that's well tried and tested. There's a lot of standards out there to help guide that. It's the same thing that we're doing in creating that process; it's just a different topic that it pertains to, but that's how the frameworks and standards are written, so you can use it in different situations. Maybe that's a great way to look at it, and that's a great way to get started on it. Look at what you've already done, try to adapt that to the security part.

host: So, Dan, as we're wrapping this up, what would be one piece of advice or takeaway that, you know, our listeners could take away from this conversation?

guest: Yeah, so no one's claiming that vulnerability management is easy. It certainly is a task that needs attention, and it's not gonna be something that you can knock out in a day. The important thing, I think one of the most important things to keep in mind, is always the why: why did you start doing this in the first place? What happened in the organization? What triggered you to start doing vulnerability management, to track the vulnerabilities and then remediate them? The likely answer to that is some kind of security program was designated. So maybe you're being tasked with OT security. The big takeaway of that is never forget the original objective of that security program. So if that security program is about reducing risk, reducing the chances of outages, keep in mind as you are deploying various technologies that you may not be as close to that as you think you are. You might now have a complete vulnerability list, but that isn't the original objective. Your objective wasn't to get a big list of vulnerabilities. It was to reduce the risk. So how do you make sure that you are continuing to take those steps and you're not seeing the big list, leaning back in your chair and saying, we are good to go? You have to tie that to the action to keep it in line with your original objectives. It's very important. Don't get lost along the way.

host: Yeah, I have found that when these tools go in, the events and alerts can be overwhelming. I was talking to a very large life sciences client the other day. They average 8 million events and alerts. Think about that. Right? 8 million, you know, and so how do you deal with that, right? Maybe AI is something that, you know, is a mechanism that can come in to help you really try to prioritize and organize such a massive amount of information you're not used to seeing, right? You haven't seen this before, and now you've got a pile of it. There's a mountain high of it, and how do you start tackling that problem? Right?

guest: That's a problem that, yeah, absolutely exists. It is one where there are some interesting solutions that we can probably take from the IT world, in just detection engineering kinds of processes. AI might be the answer, but it's definitely not gonna be a silver bullet. So look at how you have dealt with huge influxes of events in other deployments of tools. You deploy a new tool, suddenly you're getting hundreds of thousands of new events. How do you deal with that? Maybe apply that same knowledge in how you're dealing with these new events. Identify what information you need to make sense of these. Go and gather that from the experts. Then implement that same engineering process to start filtering them out. Then you can move forward on that prioritization. Don't try to prioritize a list of 8 million. Try to prioritize a list of 50. How do you get it down to that list of 50? Right.

host: Very tough. Well, is there anything that we didn't cover that you wanted to cover as far as the topic? Maybe you have something around zero-day vulnerabilities or anything that maybe we overlooked, or...

guest: Yeah, very quickly, perhaps on zero days. It's similar to that last topic there: there's gonna be a lot of noise about 'em. Always. So the media, vendors, they're gonna make a lot of noise: this new zero day's here, everyone panic. First, take a step back, take a breath before you do anything on there. Don't buy into the hype. A lot of these are industrial systems, especially as we were saying; they have a lot of safety built into them.

Mm-hmm.

And in a lot of cases that can help protect you. So everything's not likely to explode the second that zero day comes out. TXOne, so we do some work with the Trend Micro Zero Day Initiative.

Sure.

It's really a great source of threat intelligence. But as I was describing in how the products themselves work, where they're looking at the deterministic nature and they essentially lock it down to that and just detect deviations from what the operation should normally do, that can help prevent even zero days from causing impact to your operation. So Volt Typhoon is a good example of that. The Volt Typhoon attacks came out and everyone was panicked and worried. Well, we already had protection against that. We'd already had a few detections of that happening in customer deployments where it was a non-event. They were stopped. The activity they were trying to do was simply stopped before it could start. We didn't have to have a signature or a pattern for it. It was something that the operation didn't normally do, so it blocked it. So taking that operation-first approach, it can really be helpful in handling zero days because, again, they're never gonna go away. There's always gonna be a new one, and you can bet your bottom dollar that it is gonna be hyped to the moon every time one of them drops.

host: Well, thanks Dan. It was a great conversation. Thanks for coming on today.

guest: Thanks for having me, Dino. Hopefully I come back again soon.

ad: Thanks for tuning in to the Industrial Cybersecurity Insider. To stay up to date with our latest episodes, be sure to click the follow or subscribe button now. And if you found this podcast helpful or have a topic you'd like us to discuss, please leave us a review or let us know. Thanks again for listening. See you next time.

About the Podcast

Industrial Cybersecurity Insider
Everything You Need to Know to 'Get Safer Sooner'
Industrial Cybersecurity Insider offers a thorough look into the field of industrial cybersecurity for manufacturing and critical infrastructure. The podcast delves into key topics, including industry trends, policy changes, and groundbreaking innovations. Each episode will feature insights from key influencers, policy makers, and industry leaders. Subscribe and tune in weekly to stay in the know on everything important in the industrial cybersecurity world!

About your host

Hector Santiesteban