Episode 98

When IT Security Meets OT Reality: Why One Size Doesn't Fit All

Published on: 5th November, 2025

What happens when IT cybersecurity practices collide with OT operational realities? In this episode, Jim and Dino expose the costly mistakes organizations make when applying IT security playbooks to manufacturing environments.

Discover why zero trust architectures can halt production, how shadow IT thrives on every plant floor, and why remote access policies designed for corporate networks fail in industrial settings.

Learn the critical importance of OT-tailored asset inventories, the need for IT/OT collaboration, and why digital safety must be treated with the same urgency as physical safety.

If you're struggling to bridge the gap between IT security mandates and OT operational needs—or if you've ever watched a well-intentioned security policy bring production to a halt—this episode is your roadmap to getting it right.

Chapters:

  • (00:00:00) - Introduction and Episode Overview
  • (00:01:19) - IT vs OT Security Mindsets
  • (00:02:03) - Zero Trust Challenges in OT Environments
  • (00:05:12) - Remote Access and Change Management Conflicts
  • (00:09:00) - Who Should Learn from Whom: IT or OT?
  • (00:10:23) - Asset Inventory: What OT Engineers Don't Know
  • (00:15:00) - Process Integrity and Operational Value
  • (00:21:57) - Shadow IT: The Backdoors Nobody Talks About
  • (00:26:00) - Designing Security Into New Equipment
  • (00:28:00) - Digital Safety vs Physical Safety

Links And Resources:

Thanks so much for joining us this week. Want to subscribe to Industrial Cybersecurity Insider? Have some feedback you’d like to share? Connect with us on Spotify, Apple Podcasts, and YouTube to leave us a review!

Transcript
Jim: The OT guys need to start asking for it. And the IT guys need to start saying, hey, do you guys want this in the OT world? And if they know that it's possible, they're going to go, yeah, that'd be good. We've shown these guys, like you said, where they've had the tool up and running, they've looked at it, the controls engineer, whoever it was at that point, said, wow, wait a minute, we've had this for 3 years. Why can't I see this? Why don't I get this information? Why don't they have access to it? This would be valuable to me, this, my planning and just so many things that could come from that. But let's take that over to the OT value. So this sort of. And walking through going, hey, I can do asset inventory and doesn't have it, but it's a real value to them.

Dino: Hi, this is Dino Boussalaki.

Jim: Hi, this is Jim Cook. Thank you for joining us in this podcast. What are we talking about today, Dino? We're going to

Dino: talk about OT security lessons from the IT playbook, for those that might be applicable and those that will be challenges for OT cybersecurity following an IT playbook per se.

Jim: We'll do it. We get to start talking about the IT guys. They've been in this cybersecurity game for quite some time. They have a lot of different and proven on the IT side strategies, technologies to move them forward. And there are things that the OT guys need to start thinking about, right? All right.

Dino: The mentality is different, right? When you think about OT, security does not necessarily follow the uniqueness of IT security. And we can start with zero trust, for example. And how do you go about setting up a zero trust environment between your IT and OT environment, recognizing that there are communication requirements within that OT environment that are going to come through the IT space, right? And vice versa. And so how do you create a zero trust? There's those organizations out there that think that they can monitor traffic between IT and OT, determine what's normal, and then lock it down. And maybe they just do it from an IP level, right? Just IP address level to create an ACL. What about remote access protocols that are required to get into that OT environment? And I've heard this, swiss cheese creating in my firewall because of all these different OT protocols that I have to open up to let these applications flow between the IT and OT environment, right? To me, that's always going to be a challenge, because once you let somebody in, now how do you control where they go? Where the protocols that they're using, your control points are just following IP. They're not necessarily watching what the protocol, application relationship

Jim: at that level. That's the thing. Zero trust always sounds great, doesn't it? It just sounds cool, right? Zero trust. Yeah, that's what we want to do. Implementing even on the IT side is difficult, but you're right, on the OT side it becomes a whole nother can of worms when you're trying to take that approach and the technologies and apply it over. And you said, for 1, just the IP addressing scheme: are you just trusting between that, just IPs? Because you have all these different, yeah, ports and protocols that are very unique to OT. Plus, let's not forget that you're dealing with legacy protocols, legacy communications, legacy devices, so suddenly you have to really think through, how does it apply on the OT side? Because there are things that I'm dealing with on the OT side that don't exist, and legacy being 1 of them, right? Weren't built for a lot of identity management and those types of controls in place at the beginning, and those devices don't have those, right?

Dino: We've seen this before. This is not a new story, right? If you look at, as we like to call the IT/OT convergence, IT/OT collision, is because in the past, IT has implemented some level of security within the environment that's been disruptive to the plant floor. For example, remote access is a good one, right? I have a machine center that has failed on my plant floor. I can't get somebody on site for 3 or 4 days. I'm going to give them remote access, right? In order to get the plant back up and running. And if you have policies and procedures in place that it takes a week to get somebody onboarded to get them in, number 1, or the remote access isn't working and I don't have anybody available to me on the IT side to set it up, get whatever is required. And now all of a sudden I'm experiencing a day, or a half a day, or a weekend of downtime, costing me hundreds of thousands, if not millions of dollars a day. Because of these types of events, what has OT said to IT? Take that crap out of the way, or I'm going to put in my own pipe and ignore you entirely because I can't afford this.

Jim: I don't think it's what they're going to say. It's what they say right now. And we find even without zero trust, maybe with four trusts, or three trusts without zero trust. And that gets to something that we see. I wrote down coordination, right? And I'll get to coordination in a minute, but it's the capability. Like, IT organizations and their change management, which are great, wonderful things. They don't align with it. So if you're taking zero trust and you suddenly go, okay, we're putting in zero trust, but I need a change right now. How's that handled on the IT side? We go through it, right? Like you said, we go through it and go, you've got to be set up as a vendor and then you fill out some paperwork and then it's got to go into this guy's queue and that guy's queue,

Dino: and you're paying for it, right? Who's paying for this? What cost units is right for this?

Jim: And that's usually 1 use case here, which is just, I need somebody now. And that's just 1 use case. Imagine another use case, which can be thought of as, okay, now I put zero trust in and I'm pushing out these rules, which are great, I took my baseline and I'm pushing these rules out. But maybe they haven't logged in 6 months. Maybe a

Dino: maintenance window they haven't witnessed.

Jim: That's the thing. You get a maintenance window, and the guy's coming in on one panel. He's working and has to fix the interlock on another. Your baseline doesn't include that. Suddenly their maintenance window is extended because they can't get the machine up, or they can't get the work done. And meanwhile, that ticket's sitting somewhere. Involved in there. So the concept, I guess, I get to IT, not to get on the IT, IT just needs to recognize that. And go, what is my capability? Does my capability meet the needs that production needs? If I'm going to roll something out, zero trust, do I have that capability? Do I have that knowledge? Can I support those things? It's not just turn it on and let it run. And then if something happens, it's a week window to troubleshoot. Don't have a week. These guys are out there running around. I got an hour. They're trying to get it back up and running. That's just, while the zero trust, don't get me wrong, is great. It's a great strategy and a target to keep moving forward to. There's just all these implications inside of supporting that in an OT environment that have to be thought through, right? All right.

Dino: And if you don't do it in a timely manner and a collaborative manner where everybody agrees to it, you will find these OT environments finding alternative methods and pathways to get work done in their environment. They just do. The question you really have to ask yourself is, who shadows who? Is it incumbent upon the OT people to learn and do what IT does every day, and how they operate their practice, or is it more incumbent for IT to learn what OT does every day and how to run that plant? I would vote on the latter, just I would. Because

Jim: you should, that's a cash register. You always say it's the cash register, right? If I'm a manufacturing company, I'll go, I don't understand what all you guys are doing, but I understand that if this isn't producing product, I'm not making money. So who wins? Who wins in that?

Dino: I would say if you're an IT security professional, and if you haven't visited your plants on a regular basis, meaning you spend 90 percent of your time in the field, especially if you have 30, 40, 50 plants in your fleet, then chances are you're not going to be able to develop an all-encompassing, detailed cybersecurity scope for your manufacturing

Jim: environments. And

Dino: even, and that's just getting out there and living through the production aspects of it, but startups and/or maintenance windows, when we're taking the plant out of service for the weekend so we can go in here and do fumigations and to clean and repair and do some updating on some of our stuff, try to do a bunch of things in a short period of time so we can have the plant back up and running by Monday morning or whatever, midnight on Sunday. I would argue if you, as an IT person, networking person, security person, are not working through that on a regular, consistent basis, you will struggle. Yeah. Private security solution for your organization at the OT level.

Jim: I wanna say to my IT friends out there that hear that, it's not, and it may not be your fault. And that's why I use the term capability. There's only so many resources to go around. So if you're IT and you're scratching your head going, I can't get out there, I can't get that knowledge, you go, okay, you need a new capability. And is that new capability gonna be more resources, reallocated resources, or are you gonna use services and knowledgeable people on the. And quite frankly, loop in your OT friends out there, loop in your production friends, because they might have some money to spend too if they realize you're doing this to help their resiliency, right? They may be thinking about it and not even talking to you by saying, okay, what do I need to do? I want to jump to a couple other things here real quick, but to wrap that one up from a capability standpoint, and I think this will be throughout any of these security lessons that IT does, that they need to at least start that conversation there.

Hey, Dino, I want to touch on the asset inventory, another component that IT does a pretty darn good job of. That is something that the OT folks need to kinda listen to. And I'll open with something, and I tell all the clients this in our intro meetings, is that I came from the IT side, and as I joined up with you here at Veta, 1 of my realizations was, hey, there are a bunch of engineers, and don't engineers have good inventory, right? You would think they know. No, they don't. They have horrible inventory. They don't know what's inside of those panels specifically. They'd like to. They have a general idea, but they're more focused on what's going inside that machine and going out the outside and what's it producing, right? One of my raw materials is making the other end than it is all the network and devices components that are on the existing side. From an IT perspective, while you have a good job of your inventory, don't assume that the OT guys know everything that's connected out in their plant. And that'd be a great way for the IT guys to come out and talk to the OT and say, hey, there's some value here. But let's talk a little bit about that from the asset inventory, to take that lesson to the OT side. What should the OT guys be thinking about? What should they have? What level of expectation should they have from getting a good asset inventory on the OT side?

Dino: First I need to recognize that IT does that there's probably a 20 to 25 to 1 ratio of OT assets as compared to IT assets out there in that plant floor. So numbers are a lot bigger. And asset inventory, when you got a manufacturing facility, let's say it's running 7 by 24 by those engineering and operations staff, there's a lot of people coming and going inside those manufacturing facilities replacing stuff, right? Fixing things. And so how do you keep up with that asset inventory? If over the course of a month, several assets were replaced, new stuff put in, and so what is my accurate inventory? Somebody went to the storeroom or the parts store and got what they needed out of the plant to go and fix things. Go put in a new drive, go put in a new HMI or a new switch or some sensor or whatever. How do you keep tabs of all of that? How do you know what went out there into the field if you don't have continuous monitoring to give you asset visibility, right? And most asset visibility practices that we've seen to date in a minute is from is to the IDF level. Not inside the panels where all of that stuff I just described is located.

Is asset inventory important? It is. By getting asset inventory, you get information that tells you what your serial numbers are that you actually have live, that are in the environment. So you can do a better job of managing your warranty and maintenance programs and know what you need to keep in stock, because you can keep track of this information. You have the vulnerability and risk information that's provided if you're continuously monitoring that stuff. Some people would say, do I need to continuously monitor that, or is there some stopgap measures? And the question is just, those do exist, right? But moving forward, you want to try to get continuous monitoring in place to be able to determine what assets do I have out there, and what is their current situation from a vulnerability and exposure perspective. And who's remoting in?

Jim: Hang on. Let's get to that remote. I'm going to stick on the asset inventory and then we're going to do that remote thing again in a minute. But the asset inventory, right? Every time we show what's possible to a controls engineer, plant manager, facilities manager, of what's possible, they look at us and they're like, holy cow, I didn't know that was possible. Wait a minute. Now.

Dino: What about companies that have already bought a tool and they don't even give OT access to the tool?

Jim: This is from the OT side. Wait a minute, you guys have asset inventory. Why don't I have my asset inventory, right? It sounded funny, but okay, I want my asset inventory. And they start taking a look at, you mentioned some of the things, serial numbers and firmware versions, vulnerabilities, whether it's on remote run or run. Just, there's a number of things with what rack slots, what NASA devices. They didn't even realize that was possible.

Dino: To them, it was a physical inspection that had to be had in order to get that. And most times they'd have to take downtime so they could pull the equipment out of the panel to look at it, to get the serial number,

Jim: This is the stuff that from an IT perspective, again, come from the IT world, and it's, I can get everything that I need just remotely and hit it. You got to remember that because of those devices and different devices that are out the OT side, they don't necessarily respond to the same type of technology. Not simple and clean as that. But once you have the right OT-specific tool sets, if you will, out there to get your asset inventory, hey, partner up with the OT guys, go back to your IT guys and say, do you have anything that can give me this asset inventory? Because there are tool sets out there, and they're combined with the cybersecurity tools, can actually give you asset inventory, which gets to that, the OT value in this thing.

And the OT guys need to start asking for it. And the IT guys need to start saying, hey, do you guys want this in the OT world? And if they know that it's possible, they're going to go, yeah, that'd be good. We've shown these guys, like you said, where they've had the tool up and running, they've looked at it, the controls engineer, whoever it was at that point, said, wow, wait a minute, we've had this for 3 years. Why can't I see this? Why don't I get this information? Why don't they have access to it? This would be valuable to me, this, my planning and just so many things that could come from that. But let's take that over to the OT value. So this sort of. And walking through going, hey, I can do asset inventory and doesn't have it, but it's a real value to them. What else is a real value to my friends over there for the guys to be aware of it and the guys to be aware of it to ask for it. So when we get around the process integrity aspect of it. I mean, talk to this all the time, right? Process integrity gets to operational resilience and cybersecurity resilience. But if you got the right tool sets in place, those are one and the same for a manufacturing plant.

Dino: Yeah, most manufacturers have a wide range of industrial control systems in their plant. Handful, several. There's not just one uniform automation technology vendor in the plant. For example, you're not going to go into a plant and find it necessarily to be 100 percent Rockwell. If you were 100 percent, Rockwell's got some asset inventory stuff, AssetCentre, for example, to help you keep track of your control system inventory, your PLC programs, your backups, things of that nature, so that you have a good inventory of what's out there. There are also OT IDS platform tools that will do that for you and do it on a wider range of automation technology stuff you may have in your plant. So if you've got Siemens in there and you got Emerson in there, you got GE or Honeywell or Beckhoff or Mitsubishi, whatever you may have, to be able to get the same level of asset inventory information in that environment to where you're tracking PLC changes, process integrity, right?

If somebody makes a change to a PLC, am I going to be able to see that? If you're talking to a controls person, that's pretty important. To an IT person, that means nothing. It means nothing to them. And so the question you have to ask yourself is, if the cybersecurity tool, who's not giving the OT person access to that tool, for whatever reason, because they don't think that they should. You gotta ask yourself, why did you pick an OT cybersecurity tool? IT, why did you do that? If you don't have the input and follow up with the OT people, again, who 80 percent of that information is valid to them. Use an IT organization, but to the OT people. So, you know, you have to get into that dynamic. And then here's what will happen: once you get the right people in the room and you start uncovering this discussion that we're having, what will happen invariably is IT will start backing away and basically tell OT, it's, hey, you're going to run your own plant. You get your own tool. You need to fund this stuff. Which is what happens. It does, because once they recognize that their influence is small, they don't have as much control at that control point, and they're not really adding value to the organization, and OT's getting smart. They're getting smarter. They're getting wiser. They're maturing. And now they're starting to ask these types of questions, and I'm telling you, IT, what I see them doing is backing away, and then OT needs to start leaning in and start taking responsibility and accountability for these OT cybersecurity hygiene practices and also things that will help them reduce potential unplanned, unscheduled downtime,

Jim: i.e. process integrity. The way you characterize that, IT backing away. That's not a bad thing. It's not. It's not a bad thing. You can bring it from my friends out there. Hey, bring it to the table. Start those conversations that these things are finding stuff. Say, hey, what's possible? The art of what's possible. Let's go to the guys. They see things, and we see this all the time. The guys. They breeze over this data, but the OT guys will go, wait a minute. Wait a minute. Wait a minute. Go back. No. Hey, that's interesting. That's interesting. And that's where if they back away, that's good. As long as the OT is finding value in it, that means that's a good thing. Okay. OT is finding value and maybe it's going to shift a little bit. And OT is going to go, wait a minute. We want some of that. We want some of that. And then it will find the equilibrium. Now, if there's no conversation, nobody's finding any equilibrium, right?

You got to dig into it to find that. You got to get those participants. And this goes, this is about security lessons from the playbook. Hey, you've got the playbook, go down. Just know that those things don't mean exactly the same thing, but bring them to the OT side. Needs to go, hey, IT has some interesting playbooks, technologies, approaches. How does that fit for OT? And then work together, and OT can go, wait a minute, I want this, right? And when OT's saying, wait a minute, I don't want this, that means you're actually providing OT value at that point. And that to me can be a success. It's not always right. You always got organizational issues, but it can be success when they're out there grabbing it away from you and saying, wait a minute, want this. I want this. I want this. That's a good thing.

Dino: Yeah. Cause ideally I believe that IT could definitely bring this forward, would be expected to bring a security project forward. And what you want them to be able to do is engage their OT peers, colleagues and partners and slowly back away a little bit and let them run with it for some extent. Just mentor them, herd them, and say, look, I'm here to help. I'm here to provide some value. I understand technology. I understand standards, governance, policy, all of those things. Now, let's help you orchestrate that around an OT cybersecurity platform that's good, benefits this organization, right? Versus OT trying to put themselves in front. It's almost like putting the cart in front of the horse in my view. When it comes to OT cybersecurity, the way I've seen these projects run with organizations, without a doubt, they make a decision without really looking at the broader, bigger picture and how it impacts their manufacturing. And ideally, they're not really doing anything of value to them. Very little, if anything. And the simple question is, do they have access to the tool? Do the OT people have access to the tool? And if they don't, then you

Jim: have your answer. That's where on the OT side, they have to start listening in and saying, you've got skin in this game. Listen in and go ahead and stand up and say, wait a minute. Do I know enough? Do I have a good partner with me, whether it's internally or externally, do I have a good partner that can help explain how this relates to me, again, whether it's internal? Does the, is that a good part? Do you need to go find someone? Do you have an existing 1 can explain where this intersection is and how you can go, I want to learn from some of these IT approaches, but I want to do it right for my world. Right.

So let's touch on something else. Set the remote off to the side, but the remote is always interesting. Because when you start looking at it, everyone thinks it's controlled, uh, ready. IT's got their whole procedure. It takes three weeks to even get in. What they don't know is, which is again, a good thing. They got the governance, they got the controls in place. Now, three weeks to get somebody new in. And that's always a challenge. And that's, that OT's working around it. But they've got one door to come in and they've been working toward that. Now, what has OT done? OT's gone around that and they've got vendors going around that. And meanwhile, they've got a dozen back doors per site open up, right? Yes.

Dino: It's not unusual, right? Whether it's the Cradlepoint-type modems that you can find in machine centers, or plant managers that have allowed an ISP to drop an internet connection into the environment. OT groups that manage their own network access, jump boxes, et cetera, in order to gain access into that environment in a very quick and efficient manner and under the guise of trying to reduce their own plan and schedule downtime, right? Because they've experienced days, weeks trying to get things done on the other side. And if they've walked away from it, but then, the technologies that these OEMs and SIs and OT people put in those plants are wide. You'll find their own firewalls they'll put at the head end of that control system. They'll have in things like Tosiboxes and Ewons and things like that. If soft PLCs, you have no idea what's running on that soft PLC. Can be running a myriad of remote access capabilities in order to get into that machine center and extract data and/or do support that nobody knows anything about, right? And we see that all the time.

And so if you don't have the right

tools in place to watch this stuff,

520

:

if you're sitting there going

I'm just watching IP addresses.

521

:

That's insufficient, right?

522

:

That's not good enough today.

523

:

Not anymore.

524

:

I need to get down to that

industrial protocol level, right?

525

:

Application level think next

generation firewall capabilities

526

:

implemented down in your OT environment.

527

:

That's passively listening, not actively

doing anything, building this baseline

528

:

of all this activity and vulnerabilities

within your control system environment.

529

:

And today, you're ignoring that.

530

:

Why?

531

:

Because of cost, kind of

resource issues, cost issues.

I just recently asked the CIO this question: "Are you executing the same amount of due diligence to secure and protect the plant floor control system environment as you do the enterprise?" And the response was expensive. That would be

Jim: What's more expensive, losing your plant or losing your

Dino: data set. You've already got several IT cybersecurity professionals in your group, you got nobody on the OT side. Concern was,

Jim: What's that going to cost? Yeah, you got to ask the question. Question is, what's it going to cost you if you don't do it, right? That's always a challenge because the IT guys feel like, man, the last 10 years has increase and spend. Geez, now I missed this whole section for OT. Now I got to go back and ask for more increases. Again, that's why we're talking about, what, work with your OT and be able to demonstrate that, and things have changed so that this has to be addressed now.

Well, every time we've added equipment or gone to digital 4.0, or said that these machines need to connect for predictive analytics or predictive maintenance, those are all things that have been done without security measures in place, without a security program in place, for specific reason. Then this gets to where you say, some discussions about technology debt and those types of things that need to support that to say, hey, we've already reaped the benefits from this technology being in place. However, we have technology that, because we probably should have invested in it up front. But now it's connected and we're going to have to go back and, whether it's re-engineer or start a new journey over the, uh, start addressing these things. Or if

Dino: you want stopgap measures, there are stopgap things that you can do. They're not continuous monitoring, but you can improve your snapshot windows from once a year or every other year to once a week, once a month. At least do something. Again, what are you doing to get better, until you can think about what it's going to take to get out there and put a sensor technology out there in those panels to collect that metadata to continuously monitor?

Which is why we would pursue, if you've already gone down this path and you've already chosen an OT IDS cybersecurity platform, any new machine centers you got coming in, you should be thinking ahead and talking to those and SIs about the sensors you want to put in those machine centers, those panels, before they come to my plant. Yeah. Before they show up.

Jim: Do it up front. Yeah. That's it. Do it up front. That's, those are things we've talked about. We know it's going to be a long journey, right? With any company, with most companies, it's going to be a long journey. That's evident in the OT cybersecurity space. But at least what we, with our approach, has been, hey, you probably, maybe 10% of your facility, or even if it's 5, 10 percent, is being changed over. They've got their new capital plan. Every manufacturing plant is always, they're annually trying to get new capital dollars for a new machine. If you start it now, your new machines then come in with what we say, seatbelts.

So it's not suddenly, when seatbelts became a thing, seatbelts. They went out and said, okay, now seatbelts are the thing, every car has to have a seatbelt, or the 3 or the shoulder strap. Come on. When we were kids, we got enough gray hair to know we would just slide around in the back seat. And then come back around and put seatbelts in and you had to retrofit the old cars with the seatbelts? No, but all the new cars came with seatbelts and eventually all the cars have seatbelts now.

And it's really that same philosophy about designing that with security in mind, moving forward. That same concept of going, if you're bringing a new machine in, we'll put cybersecurity tools in it, or something in it, to make it safe coming in so that 10 years from now, at least now we have all our cars have

Dino: seatbelts, right? And you got to get to, and you're talking about safety, right? Physical safety. We are talking about kinetic connected physical systems, right? So we are talking about safety or, as we like to call it, digital safety. And we've heard the arguments where people balk at pursuing cybersecurity initiatives because they think it's too expensive. But they would never say that about safety. They would never come back and say, who wants a safer machine? They all want safer machines. They have to have safer machines. We're getting to the point where this stuff is going to go in lockstep sync, right? Where digital safety and physical safety around these machine centers need to be treated the same.

You can't just say, I'm going to forego physical safety. So I'm not going to put gates on my can line, so if I get a jam, I'm just going to reach my hand in there and remove the jam while the machines are still running, until a few people lose fingers and hands or whatever. You put gates there. And if you open up the gate, the machine stops. That's the downside. Okay, the machine, but it's safe. We got to get to that point with digital safety.

If you have to go through a couple extra hops or steps in order to get into this environment securely, versus saying, no, I just want to get straight in there and do what I need to get out. No, that's right. Yeah, on the conveyor to pull out a twisted can that got bent and get it out of there. All the machines are still running, and we got to get to that same mindset around digital safety that a lot of folks haven't quite wrapped their head around yet. And this is, again, getting back to, can IT best practices, that wouldn't be in an IT playbook when you talk about physical safety.

Jim: Or, right, or digital safety. And that's where, and I love saying this all the time, right? What is cybersecurity? First thing people think about with cybersecurity, it's the digital systems that are controlling digital outcomes. That's what everybody hears about. Oh, there's ransomware and all the records or the books or customer information, credit cards. So, all digital outcomes, right? This world we're talking about, it's about physical outcomes, right? These are digital systems controlling physical outcomes. Like you said, you can lose fingers. You can lose hands. Things can explode. Things can catch on fire, people can get hurt, a machine can get damaged, and believe me, those machines that get damaged are going to cost you a lot more than a new server. So the implications are that much different. That's the clearest delineation you can say, and that's why we call it digital safety, because of those physical outcomes.

And as Dino was saying, the relationship with safety and how you need to start thinking about it: it's cybersecurity. It's cybersecurity, but it's also operational resilience, and it's also safety. And you roll all these things together and you go, yeah, it's a little bit different. What did we know and how do we apply it to OT, which is really what we're getting here today.

And so just as a wrap-up, started talking about the wrap-up, there are things that IT does that have been built around from IT security that needs to be aware of, and they don't transfer for 1, but they have unique considerations in the space we've talked about. There's security zones, is the zero trust that we talked about. There's an asset inventory. There's big value there. The vulnerability information that comes with it. Process integrity, how about that? Remote access, audit, change control measures. And then we ended with trying to get out in front of it and design in as you bring these pieces of equipment in, but ultimately have to say, okay, let's get to the table and let's have the conversation.

And do we have the capability to have the conversation? And if we do, how do we take it to the next level? And where's buy-in and the ownership on both sides? Let's find it. And if it's, IT has gotten too far and OT wants to step up and take responsibility, IT will be more than happy. They've got enough problems on their own, right? Companies have to start getting to that point and having that conversation. And if you're, ultimately when your IT and your OT people are having that conversation, you're going to find that right point, right?

Dino: To your point, if IT is driving it, how do they engage the OT people to make sure that they are providing input and value into the decisions being made, right? As long as they're doing that, being collaborative and aligned and transparent, that's great. If you're an IT organization that thinks that you can go out and pick any tool you want just because you think that's your job, setting yourself up for failure as far as I'm concerned.

OT, on the other hand, get a plan. Drive them, drive yourself. Start, put on your big boy pants and start looking for what it takes to secure and protect this environment. IT will follow, they'll show up, they will or they won't, don't matter, lead it. Follow them, let them follow you. But if they're going to lead it, then you need to get in there and challenge them, and don't let them just make a choice because you think that they're the smartest cats in the room and they're the ones that probably know what's best for your plant floor. Don't let that happen either.

Jim: I think maybe we can push to have this podcast renamed "OT, put on your big boy pants." Can we do that? They do, 'cause they'll shy away from

Dino: it. They will, 'cause they're looking over their shoulder and go, I don't have a line of people behind me or money backing me to go. Yeah.

Jim: Anything else you want to add for wrap-up? I see we're getting short on time. Other than the OT big boy pants. Yeah, everybody, thanks for listening. And until next time, let's be safe out there. Thanks, everybody.


About the Podcast

Industrial Cybersecurity Insider
Everything You Need to Know to 'Get Safer Sooner'
Industrial Cybersecurity Insider offers a thorough look into the field of industrial cybersecurity for manufacturing and critical infrastructure. The podcast delves into key topics, including industry trends, policy changes, and groundbreaking innovations. Each episode will feature insights from key influencers, policy makers, and industry leaders. Subscribe and tune in weekly to stay in the know on everything important in the industrial cybersecurity world!

About your host

Hector Santiesteban