Huxley Barbee with runZero
19th January 2024 • The Industrial Talk Podcast Network • The Industrial Talk Podcast with Scott MacKenzie


Shownotes

Industrial Talk is chatting with Huxley Barbee, Security Evangelist at runZero about “OT Security vs IT Security and Passive vs Active Scanning.”  The following is a summary of our conversation:
  • Cybersecurity and OT with Huxley from runZero. 0:00
    • Palo Alto Networks provides comprehensive security solutions for all assets, networks, and remote operations.
    • Huxley Barbee, security evangelist at runZero, discusses cybersecurity and the importance of staying connected and safe in the digital world.
    • Industrial Talk is a platform dedicated to amplifying voices and solving problems through various mediums, including podcasts, videos, and webcasts.
  • Cybersecurity in IoT, OT, and ICS environments. 4:36
    • Huxley, security evangelist at runZero, describes the company's CAASM (cyber asset attack surface management) solution, which inventories and assesses IT, IoT, OT and ICS devices.
    • Huxley highlights the importance of security in IoT and OT environments, emphasizing that it's often an afterthought.
    • Scott MacKenzie agrees, noting that security should be a priority from the beginning of a project, rather than an add-on later on.
  • Industrial control systems security. 9:13
    • Scott MacKenzie and Huxley discuss the importance of aligning security and operations in an organization, with Huxley highlighting the need for more conversations to understand the importance of including security in planning and decision-making.
    • Huxley notes that operational teams may prioritize mechanical problems over security updates, but this can lead to negative consequences, such as security breaches or outages, which can affect the way devices operate.
    • Huxley emphasizes the importance of knowing what assets are present in an OT or ICS environment for proper security controls.
  • Cybersecurity risks in industrial control systems. 14:04
    • Huxley emphasizes the importance of selecting security controls commensurate with the value of assets.
    • Huxley highlights the irony of introducing security measures to avoid outages, only to inadvertently cause them.
    • Vendors and devices create variety and complexity in IoT security.
  • Active scanning techniques for IoT devices. 20:02
    • Huxley explains how active scanning techniques can cause real-world problems, such as network outages, due to the way they are implemented.
    • The speaker highlights the bias against active scanning that has developed as a result of poor deployments in the past.
    • Huxley argues that active scanning can be safe for OT and ICS environments with proper development.
  • Active vs passive device discovery in cybersecurity. 24:19
    • A purpose-built active scanner tailors how it talks to each device type it finds, while passive discovery tends to cost more in collectors, placement and effort.
    • Huxley discusses the challenges of passive discovery in network traffic analysis, including the need for multiple collectors and the difficulty of deploying collectors in the right locations.
    • Huxley also highlights the advantages of active scanning over passive discovery, including the ability to be targeted and thorough in gathering information.
  • OT security challenges and ransomware attacks. 28:58
    • Organizations prioritize availability over security in OT environments, which can leave them exposed to compromise.
    • Huxley predicts that fewer OT incidents will be published than IT incidents, because the payoff per OT incident is much larger and attackers can be selective rather than opportunistic.
    • Huxley believes there are more adversaries lurking in OT environments than known breaches, with a ratio of 50x on the OT side compared to 5x on the IT side.
    • Huxley thinks nation-state actors are waiting for political and military situations to make their moves, while financially driven actors are waiting for the right opportunity to strike.
  • Security programs and protocols for OT organizations. 35:48
    • Scott MacKenzie and Huxley discuss the importance of security programs in organizations, with Huxley stressing the need for a security program at every organization with an OT environment.
    • Huxley will be at ICS Village, showcasing runZero's solutions for detecting protocols and devices in a mock network environment.
  • Cybersecurity and industry connections. 39:45
    • Huxley shares his expertise on cybersecurity and asset protection in the industrial sector.
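The episode's central technical point (around 20:02 in the transcript) is that a legacy active probe can freeze a fragile OT device by opening a "conversation" and walking away the moment the device answers, and that a scanner built for OT avoids this by finishing the conversation and closing cleanly. The following is an added toy simulation written for this page; it is not runZero's scanner, not code from the episode, and not a real PLC. The device model, its two-session capacity (`MAX_SESSIONS`), the greeting string, and the invented `BYE`/`OK` exchange are all assumptions made for illustration. A real half-open (SYN) scan operates below the socket API; here the "legacy" probe approximates it in user space by reading the device's greeting and then never closing the session.

```python
"""Toy simulation: an impolite probe wedges a fragile device, a careful one does not.

Constructed for illustration only. ToyDevice is not a real PLC and the
BYE/OK exchange is invented; the point is the resource the probe leaves
behind on the target, not the protocol.
"""
import socket
import threading

HOST = "127.0.0.1"
MAX_SESSIONS = 2                    # assumption: the toy device tracks two sessions
BANNER = b"TOYPLC/1.0 READY\n"      # constructed greeting, not a real protocol


class ToyDevice:
    """Listens on an ephemeral port and 'freezes' once its session table overflows."""

    def __init__(self):
        self._lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._lsock.bind((HOST, 0))
        self._lsock.listen(16)
        self._lsock.settimeout(0.2)           # lets the accept loop notice close()
        self.port = self._lsock.getsockname()[1]
        self._lock = threading.Lock()
        self.active = 0                       # sessions currently held open
        self.hung = False                     # set once the table overflows
        self._frozen = []                     # connections a wedged device never answers
        self._closed = False
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while not self._closed:
            try:
                conn, _ = self._lsock.accept()
            except socket.timeout:
                continue
            except OSError:                   # listening socket closed
                return
            threading.Thread(target=self._serve, args=(conn,), daemon=True).start()

    def _serve(self, conn):
        with self._lock:
            if self.hung or self.active >= MAX_SESSIONS:
                self.hung = True              # overflow: firmware wedges, no reply ever
                self._frozen.append(conn)
                return
            self.active += 1
        conn.settimeout(5)
        try:
            conn.sendall(BANNER)
            try:
                request = conn.recv(64)       # wait for the peer to finish the conversation
            except socket.timeout:
                request = b""
            with self._lock:
                self.active -= 1              # slot released before acknowledging
            if request.startswith(b"BYE"):
                conn.sendall(b"OK\n")
        except OSError:
            pass
        finally:
            conn.close()

    def close(self):
        self._closed = True
        self._lsock.close()


def legacy_probe(port, held):
    """Read the greeting ('hi'), then walk away without ever closing the session."""
    s = socket.create_connection((HOST, port), timeout=1.0)
    held.append(s)                            # keep a reference so Python does not close it
    try:
        return s.recv(64) == BANNER
    except socket.timeout:
        return False


def careful_probe(port, held=None):
    """Read the greeting, say goodbye, wait for the ack, and close cleanly."""
    try:
        with socket.create_connection((HOST, port), timeout=2.0) as s:
            alive = s.recv(64) == BANNER
            s.sendall(b"BYE\n")
            s.recv(16)                        # OK arrives only after the slot is released
        return alive
    except OSError:
        return False


def is_responsive(port, timeout=1.0):
    """True if a fresh connection still gets the greeting within the timeout."""
    try:
        with socket.create_connection((HOST, port), timeout=timeout) as s:
            return s.recv(64) == BANNER
    except OSError:                           # refused, reset, or timed out
        return False


def scan_three_times(probe):
    """Probe a fresh toy device three times and report whether it still answers."""
    device = ToyDevice()
    held = []
    try:
        for _ in range(3):
            probe(device.port, held)
        return is_responsive(device.port)
    finally:
        device.close()
        for s in held:
            s.close()


if __name__ == "__main__":
    print("careful probes, device still answers:", scan_three_times(careful_probe))
    print("legacy probes, device still answers:", scan_three_times(legacy_probe))
```

Three careful probes leave the device answering; the third legacy probe overflows the two-slot session table and the device stops responding to everyone, including the operator. The design choice the simulation isolates is that the careful probe does not return until the device has confirmed the session is gone, which is the "say bye" step the legacy probe skips.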
Finally, get your exclusive free access to the Industrial Academy and a series on “Why You Need To Podcast” for Greater Success in 2024. All links designed for keeping you current in this rapidly changing Industrial Market. Learn! Grow! Enjoy!

HUXLEY BARBEE'S CONTACT INFORMATION:

Personal LinkedIn: https://www.linkedin.com/in/jhbarbee/ Company LinkedIn: https://www.linkedin.com/company/runzero/ Company Website: https://www.runzero.com/

PODCAST VIDEO:

https://youtu.be/TpLNFk3hR_Q

OTHER GREAT INDUSTRIAL RESOURCES:

NEOM: https://www.neom.com/en-us Fictiv: https://www.fictiv.com/ Hexagon: https://hexagon.com/solutions/enterprise-asset-management Palo Alto Networks: https://www.paloaltonetworks.com/ Hitachi Vantara: https://www.hitachivantara.com/en-us/home.html CAP Logistics: https://www.caplogistics.com/ Armis: https://www.armis.com/ Saviant Consulting: https://www.saviantconsulting.com/ Industrial Marketing Solutions: https://industrialtalk.com/industrial-marketing/ Industrial Academy: https://industrialtalk.com/industrial-academy/ Industrial Dojo: https://industrialtalk.com/industrial_dojo/ We the 15: https://www.wethe15.org/

YOUR INDUSTRIAL DIGITAL TOOLBOX:

LifterLMS: Get One Month Free for $1 – https://lifterlms.com/ Active Campaign: Active Campaign Link Social Jukebox: https://www.socialjukebox.com/

Industrial Academy (One Month Free Access And One Free License For Future Industrial Leader):

Business Beatitude the Book

Do you desire a more joy-filled, deeply-enduring sense of accomplishment and success? Live your business the way you want to live with the BUSINESS BEATITUDES...The Bridge connecting sacrifice to success. YOU NEED THE BUSINESS BEATITUDES!

TAP INTO YOUR INDUSTRIAL SOUL, RESERVE YOUR COPY NOW! BE BOLD. BE BRAVE. DARE GREATLY AND CHANGE THE WORLD. GET THE BUSINESS BEATITUDES!


Transcripts

SUMMARY KEYWORDS

security, devices, ot, ics, conversation, environments, huxley, passive, outages, scanning, organization, industrial, solution, talk, palo alto networks, active, eavesdropping, operations, oftentimes, side

00:00

tworks solution provides over:

00:56

Welcome to the Industrial Talk Podcast with Scott MacKenzie. Scott is a passionate industry professional dedicated to transferring cutting edge industry focused innovations and trends while highlighting the men and women who keep the world moving. So put on your hard hat, grab your work boots, and let's go Hey there

01:14

and welcome to Industrial Talk. Thank you very much, once again for joining Industrial Talk, and be a part of this ever expanding community because we know you are bold, you are brave, you dare greatly. This platform is all about you, and your success. And we thank you each and every day for being a part of it. Now we're going to be talking about cybersecurity, we're going to be talking about OT, and then we're going to be talking about IT, we're going to be talking about active scanning versus passive scanning, all of the things that are associated with cybersecurity. His name is Huxley Barbee, and his company is runZero. So let's get cracking. I always enjoy a conversation around cybersecurity, we are connected. If we're connected community, connected business, it's got to be a part of the conversation. And, and not to be so intrusive, right? We want things that just know that we are safe, and we can continue on doing our business, the way we need to do our business and and have those connected assets and pull that data off there and not worry at all, zero, no worry about being, you know, penetrated, which nobody wants, right? All right. Industrial Talk. We are a platform, this platform is again dedicated to you. You want to amplify your voice, Industrial Talk, you want to engage more individuals for greater opportunity. Industrial Talk, go out to Industrial Talk, click on talk to me, connect with me, let's chat, whatever the button says. And you'll be talking to me because we were building this, this ecosystem is a collection of individuals that solve problems. There are a lot of pain out there, pain points out there, what what do we do? Who do we trust? That's what we're all about. So this, this sort of Spotify-ish platform is so that you can find the right individuals or be the right individual to help solve problems. And that's what we're building out on Industrial Talk. We have, of course, we have podcasts. 
We have videos, we have webcasts, we have learning management systems, got an exciting opportunity that's going to be breaking. You'll hear about it. It's not there yet, but we're going to have something that's pretty spectacular, working with one of the the incredible individuals and companies that are a part of the platform. So just keep on the lookout for that. Or you'll hear me talk about it most definitely. All right. Huxley, in the hot seat. runZero is the company, and we are talking about cybersecurity. He is on his form. He's a security evangelist. And the conversation was absolutely stunning. All right, let's get cracking. Here's Huxley. Huxley. Welcome to Industrial Talk. Thank you very much for finding time in your busy schedule. How are you doing today?

04:35

doing very very well in the frozen tundra of of New York. Yeah,

04:41

but is it gonna get I mean, are you gonna get some snow? Are you gonna get some what? What's the weather gonna be like? Potentially

04:46

potentially. Tomorrow? Sunday. I think there's a blizzard coming through in the northeast, I think all the way down to mid atlantic as well. I heard

04:55

that pretty bad. Weather chit chat right off the bat everybody Everybody's focused on whether,

05:02

you know, it drives our lives. It does, weather, just as much as OT and ICS environments do as well. So look

05:11

at, you know, yeah. front of mind. Top of Mind.

05:15

It all ties in. It all ties in all in mind.

05:18

There you go. All right. For the listeners out there, actually give us a little background on who you are.

05:23

Well, I am the the security evangelist at runZero, which is a CAASM solution. That is the down

05:33

chasm. You can't just throw care. Online see is Grand Canyon, that's a chasm.

05:41

Sure, sure. Yeah. So let me just say that first, that I'm the security evangelist at runZero. I'm also the lead organizer for BSides New York City, which is a security conference. And I've been in cybersecurity for over two decades, which I guess is a good and a bad thing. But to get back to your question, CAASM stands for cyber asset attack surface management solution. And what we do essentially is we are any organization's first step in managing their exposure to all the sites on that you can find. And we do that, primarily by telling you about all the things that are on your network, and what are all the risks, the vulnerabilities on those things, in a real-time way. And the thing is, the real differentiator here is we can do this for IT environments, IoT environments, as well as OT and ICS environments. And that's, that's the real thing that's really different about us, is that we can do all device types, IoT, IT, as well as OT, as a

06:50

level set, because you've been in it for two decades, plus, you've seen a lot of changes, one of the challenges that I see is this whole IoT device, I'm going to be able to stick a device on this particular asset, I'm going to start pulling data and I'm gonna, it's, it's all connected, and I'm all great, but I never really think about the security side of that, like, I just want to collect data,

07:15

you know, you know, security is often an afterthought. It's got to be less so on the IT side, but what I find really interesting is that in OT, ICS, environments, organizations, I often feel like Marty McFly, going back to the future, where like, the security maturity is like 30 years behind.

07:41

I can attest to that. I mean, I'm, I'm an OT guy, I'm just concerned about my ot stuff. You know, that that pump that motor, the the operations, the manual, whatever it might be. Yeah,

07:53

availability is king like that. That is avoid outages at all cost, right? And that's for good reason, right? You want to avoid outages, because you want to avoid loss of revenue, you want to avoid getting fined by various regulatory organizations. So yeah, for good reason. You want to be operationally efficient, and, and have, you know, superb resilience. But, you know, at the end of the day, at some point, when you're not paying attention to the security side of the house, it's going to come back to bite you, unfortunately. So how

08:28

do we take us? Like, here's a scenario, I'm an operations. I'm a manufacturer, that's what I do been doing that somebody comes to me, knocks on the door says, Hey, we can collect data now. And I'm all Oh, great. What can I do with the data? Well, you can make tactical decisions, and it's great stuff, and it keeps your assets up and running, you're more efficient, and so on and so forth. And therefore, all you have to do is to buy this device. Again, afterthought, I never even thought of security in that scenario. How do you begin? I mean, how do we begin this journey to say, It's okay to have a conversation with security upfront? What do we do? Take us through that's that, that effort? Yeah.

09:13

So ultimately, you want to get to a point where there's actually a security program that is working hand in hand with the operational folks, right, you don't want operations to completely neglect security. At the same time, you don't want security or a security organization that's coming in, out of left field, you know, trying to influence operations in a way that, you know, does not align. Yeah. Right. And so, you need to make sure that there's alignment at the very top to start with, right. Oftentimes, like if if the board of directors of your organization is on board with making security an important part of what you do, then things are going to go well, right, because they're going to ensure that people are aligning at some point. But if they're not, then there's still a lot more lobbying that needs to be done before you can even get there. Right?

10:07

So, but she knows what I do you know, and when somebody comes in Hi, I'm the security specialist, I want to talk to you. Not everybody's like, all right, let me just buddy up to them. And I was like, let's have a conference. Oftentimes,

10:20

yeah, oftentimes, it's the complete opposite. Where, you know, I even met some, like, operational folks not to not to disparage anybody like, but they're willing to take an outage in order to fix a mechanical problem. Right. But they won't take an outage of a shorter time period to do a security patch, which well, I mean, that there's, there's reasons for that right there. One, it doesn't help operationally, at least directly, will say, but at the same time, they don't know what are the other ramifications of doing that security update that might affect the way these devices operate?

11:05

So not a not a disparaging way? They're ignorant in a sense, because because, your words, not not my words. Yes, it is. But that's okay. I can have those words, because I'm just so

11:19

well, and the important thing is to have more conversations, right? Yeah. So that everybody understands, like why it is important to include security in conversations and include security in how you plan to operate your your plant or your facilities going forward. Because, you know, unfortunately, the things in the news are helping drive that conversation. I wish it weren't the case, I wish there weren't these negative drivers. That's, that's actually like a forcing, forcing function for these conversations, but more and more, that's, that's becoming the case,

11:56

I don't have a problem with that. I mean, whatever it takes to, if we want to be this connected facility, we want to be connected in our, in our operations, we're just going to have to just recognize that there's that second security component. So let's let's let's sort of pull on this string a little bit. So I've got it out there. I've bitten it hook, line, and sinker, I'm all connected. Now. I've got the devices out there. And they they're there. There's passive and active capabilities. Take us through what, what that looks like, I want to know what's happening out there. I want to know that I'm protected in a sense. Yeah.

12:36

I mean, there's there's a few things where there's a few places where you want to end up and the outcomes that you want to see, you do want to see some sort of layering of your environment. Right, many folks like the Purdue model, like we can debate whether or not the Purdue model is good or bad. But it is, you know, arguably the one that sort of everybody agrees to. So it might not be the best, but it's the one that that is sort of understood and accepted. So there's that, you do want to get to some place where there's stratification, because having that sort of layering really does help in security, right? Layered defense is a very, very old security principle. And what goes hand in hand with that, of course, is knowing what you have. Right? There's this very old adage that you can't protect what you don't know about, it's been said many times, and, you know, I cringe a little bit at saying that because you know, it's a little bit overstated.

13:38

Huxley, this is this is straight from Huxley. Huxley smile, right there.

13:42

Yeah, yeah. So, you know, knowing what you have on your OT, or ICS environment is very, very important, because you need to at least know about what that thing is, in order to properly ensure that you have the correct type of security controls, right. So you start with having some sense of what you have, right. And then you couple that with your risk appetite. And based on your risk appetite, you want to decide if you're going to accept the risk, you're going to transfer the risk, or you're going to avoid the risk, or you're going to mitigate the risk. And for the cases where you're going to mitigate, you're going to want to select the type of security controls that are commensurate with the value that that type of device has to your organization. And so, one of the first things you need to do is to get a good asset inventory of your environment. Yeah.

14:36

Okay. So so here it is. Again, back to the scenario. I'm all in. I'm all connected. I'm all digitally running up and I'm, yeah, I'm pulling that data. I'm going to continue to try to make my facility more connected. It would seem to me that an active solution versus a sort of a passive solution has greater value, because I'm going to continue to sort of say, Hey, look at that pump, that motor, I'm going to put a device out on that one I just hit because it's critical now, right? Whatever the reason is, but again, I'm an operations guy. I'm just gonna, yeah. And

15:16

just to be clear, you're not putting something that's on every device, right? You're putting something in the environment in order to collect that data, whether that be active or passive. And just on the surface, you're absolutely right. If you can go talk to something, you're obviously going to be able to get more information about it. Yeah, it's the difference between, let's say, you're at a party, right? You're at a party. And I'm just sort of standing near you. And I am eavesdropping on your conversation with somebody else. I'll probably learn some things about you. Yeah. Right. But if I were to walk up to you and ask you questions, obviously, I'm going to learn way more about you. Right? So you know, before we had this, before we started recording, you know, we learned that we're both associated with Southern California, you you grew up in Barstow, and you went to school in La Verne? Like, that's not something that probably would come up at a cocktail party, right? You wouldn't normally just bring that up. Right. But because we are talking, ya know, that that comes up? And I mean, who gathered that piece of history about you? And so yes, you know, on the surface, you know, it is true, active scanning is a superior solution, because you're able to get so much more information, 100%. The problem lies in how legacy active scanning solutions have been deployed into these OT and ICS environments, coupled with the characteristics of these these types of OT devices, right. And so what I'm getting at here is the fact that many of these OT devices are not robust to arbitrary network traffic. And in fact, there have been times in history where active scans have caused outages in these OT or ICS environments, right, the very thing that you want to avoid, right, you're trying to avoid outages, right?

17:23

You know, you don't want that. And boy, you haven't you know that one time. Right?

17:28

So, you know, and then presumably, you want to introduce security into your environment, in order to be more robust to any sort of cyber attack that might cause an outage. But in fact, as you're trying to learn about your environment, you end up doing the exact thing that you didn't want to do, right, the exact thing that you're trying to avoid. And what it comes down to here is the fact that, well, there's a number of factors, one of them is the fact that these devices tend to come from numerous, numerous different vendors with numerous different operating systems, right. So on the IT side, you basically have Windows and you have Linux, and then you have macOS. And so there's only three different kinds to really deal with. Whereas on the OT side, you know, even among Siemens and Allen-Bradley, and so on, so forth, they have multiple different operating systems that they would run. Another another important reason for this is the fact that these devices are very much fit for purpose, right, they're designed for a single type of thing to do. Whereas on the IT side, your your computer can do so many different things, you can do financial modeling, you can play games, you can stream music, and so on and so forth, that the IT devices are very much multipurpose, whereas these OT devices have a single purpose. And so therefore, there's a lot of variety. And when there's a lot of variety, it's harder to defend. Because there are just so many different permutations of what could go on. Another big problem here is the fact that the code, the software on these OT devices, are basically, their QA, they're tested to work properly for the for the job that they're doing, right? Whether it's receiving a signal that says hey, you know, turn this on or turn that off or increase the, the, the intensity of that, like, very specific type of use cases. 
Nobody's actually testing for the the negative cases or the edge cases where there's just like random network traffic that shows up, and the, the operating systems as well as the software on these devices will very, very often cause a reboot, or freeze up, or or just Just just hang. Right. And then that causes an outage. So but I'll give you one example. So let's talk about a common active scanning technique. Which, what it does is, I'll just use an analogy. Like, we're having a phone call, right? Yeah. So I call you on the phone and say hi. Hi. And then and then you respond. You say hi. Yeah. And then you're, you're waiting for the next thing from me. Right? But the thing is, I'm, I'm the scanner here. And I'm trying to be as efficient as possible about my scanning. So the moment you said, Hi, back, I knew that you were there. And that was the information I was looking for. And I'm done. And then I walk away from that conversation. Now you as the OT device? What? You're waiting for this conversation to finish,

20:52

so I get hung up, I've gone, Hey, aren't you gonna say bye? Or

20:56

, right? But there's, there's:

21:26

what do you would do that? And that's just

21:28

one example. And that's just one example.

21:31

Example? Well, yeah,

21:33

there's there's many more, but the thing is like, this is just one type of thing that happens with legacy active scanning, right? The times when folks have used these older tools to do active scans. And because of this, because of the ramifications, the real world concrete ramifications that have occurred in the past, right. Most of these are not publicized. I don't think anybody like goes around and, you know, announces it from the mountain that hey, you know, we did an active scan of a network. And now, you know, this part of the city is, as is now like, you know, has a blackout. Right? So and also, you don't, you know, it's not publicized, but you know, it's happened. And one of the ramifications of active scanning, being poorly deployed in these environments, is there's a bias now against active scanning, has been for quite some time. And it is for this reason, it is for this reason why passive discovery is, is the methodology that almost everybody uses. Almost everybody uses, because they want to avoid that. That type of situation. They want to avoid crashing those devices. And so they will relegate themselves to just eavesdropping. Right. So going back to the cocktail party. Right, right. Right. They're just they're just gonna eavesdrop, right? Because if you eavesdrop, you're you're not going to cause any issues with anybody at the party. Right? Now, aside from being really creepy. But so, but the thing is, as you were saying before, at the beginning, coming full circle here, the information that you're going to have from eavesdropping through passive discovery is just not going to be as good. Right? It's not gonna be as complete. And, in fact, oftentimes, oftentimes, these passive discovery solutions will misidentify devices, the call it Okay,

23:31

now, now that we have all of the problems that are associated with it, I still want to be a connected, connected organization, and I still want to pull data in, and I want to make sure that I'm protected. What is your what's your, you know, your take on it? What do you what do you recommend that I'm not shut down?

23:54

So the big controversial thing, the big controversial idea here is that active scanning can be safe for OT, and ICS environments, as long as the scanner is developed in a certain way that can accommodate OT and ICS devices properly, to be able to talk to them without crashing them.

24:19

It seemed to me that you would you would have this sort of a passive approach first and say, that's an Allen Bradley, Allen Bradley, Allen Bradley XYZ behaves this way. Here's a Siemens and a they behave this way, Oh, here's another device, and they behave a certain way. And we know this. And so in my active scanning approach, it's sort of customized because of that, that specific device, that sort of it.

24:47

Yeah, so there's there's definitely some vendors who do sort of a passive discovery, listening first, and then selectively do a call to individual devices. In practice, I've seen many organizations that don't do step two, but just, they're so averse to creating any sort of direct communication with the device, that they just stick with the listening and, and just call it a day. Right. So a lot of that comes back to to the bias. So and the thing is, you know, some of that active querying isn't necessarily all that in depth either. So it really depends. But what we have seen is if an active scanner is built, fit for purpose, to go out there and look at OT and ICS devices, then, you know, it can do the job. And ultimately, it will have more information than you would otherwise. But

25:53

it seems to me, I'm going to have a conversation upfront, that would be the ideal scenario where I would say, Hey, we're we're going to be connecting all of these assets. And we want to be able to have that conversation with security upfront, and make sure that we do this, right. Yeah. There's

26:11

another really important difference between active scanning and passive discovery that's also problematic, which is with passive discovery. There tends to be a lot of cost and a lot of effort. So imagine, let's go back to this cocktail party. How much of the, the how many of the conversations at the party do I have to listen to to really get an understanding of who's there? And who everybody is? Hey, you're right. You're working hard. Yeah,

26:44

you have to listen to everything. And you're sidling up to a bunch of them. Yeah. Yeah.

26:49

I mean, and, and oftentimes, you know, if it's just me, right, so I'm the collector here. If it's just me, I'm only going to hear part of the room. I only hear part of the conversation. So there has to be multiple collectors, multiple of me going on listening. And you have to listen a long time, right? I might, if I were to go up and talk to you, I would get your name, you know, within 30 seconds, right? Yeah. But if I were eavesdropping, I might have to wait a few minutes or even longer to find out that your name is Scott. Yeah, right. Yeah. And I don't know if it's Scott with one T or Scott with two T's. That's right. I mean, I could ask you, right, then I would know right away. So with passive discovery, you tend to have to purchase these really high resource collectors, in order to collect all that traffic, because there's a lot of network traffic that you have to collect, in order to, you know, eke out a little bit of information. Number two, the deployment is difficult, right, you need to be positioned at the right place, in order to make sure you're capturing as much traffic as possible. So maybe I would have one collector hanging out by the bar, less currently there, maybe have one person, a collector hanging out by the door or something like that. Something like this. So, you know, oftentimes, when organizations try to roll out a passive discovery solution, it takes months or years, and, and the results aren't always great. Oftentimes, they end up with an incomplete inventory. Or as I said before, an inventory that's full of misidentified devices. Right? Hopefully, well, and the thing with active scanning is, you don't have those problems. You don't have to be reconfiguring all the switches on the network in order to make sure that you're capturing all the traffic in order to be thorough to be analyzed, right? 
With active scanning, you can be very targeted, and you can be very terse in your conversations on the network in order to gather that information. It's so much more efficient.

29:01

Yeah, but she does still need to you need to do something. And and boy, that that passive, that that won't fly for me, that just won't stay long

29:11

term. This is what this is what this is what all organizations do, because you know, there's so, because because like I said before, avoiding outages is king, availability is king. And that is so much more important than anything else, that that people have just used passive discovery. There are organizations that have policies against any active scanning in their OT environments. Precisely because they're so averse to any sorts of outages. Yeah, but

29:36

then they leave themselves open for exposure. penetration. Yeah, because they're too busy trying to do this passives or laying out this passive solution. This is what I hear you saying. And by that time, it's and the way things there's that speed that exists out there. I mean, I can't wait a long time. No I can't,

30:01

yeah, well, this is what it is. And it just, you know, goes hand in hand with this idea of never patching these ICS devices, right, that's another one. I talk to folks, you know, throughout my travels about their challenges in OT environments. This one lady walked up to me, she said, I can't get them to agree to patch anything on this network. They'll take downtime for business reasons or operational reasons, but they won't take any downtime for security reasons. And that's just, you know, part of it. I'm here talking about, you know, going out there and finding out what all the things are on your OT network, but there's a larger conversation to be had about the role of security in OT- and ICS-heavy organizations. So part of this comes down to active versus passive, but at the same time, there's a larger push for bringing security into OT that hopefully will happen over time. Hopefully, hopefully it won't take 30 years. No,

31:05

no, no, no, no, no, no, no, you know, just in my short stint as the best industrial-related podcast in the universe, that's what you're on right here, right now, I've seen so many changes that have taken place, how quickly things have evolved. And I just can't imagine it taking long for people to realize and recognize, and I think it's happening. I think there is. Yeah,

31:36

and like I said, unfortunately, it's happening because of all the negative reinforcement that's happening in the news. Right. One thing I want to point out is that, and this is my opinion, with OT environments, the number of incidents that are published is going to be fewer, because the payoff is so much larger. So let me explain what I mean here. Yeah. So let's talk about ransomware. On the IT side, lots of small and medium-sized businesses, dental offices, and schools are getting ransomed for their data. Right? The payoff here is like 20 to $30,000. Right? This is oftentimes what they charge, at least these days, on average. So the payoff is relatively small, it's not millions of dollars, right? And so the adversary, the attackers, they can be very, very opportunistic about it. And they don't necessarily need to put in a lot of effort. It's almost a numbers game at that point. Yeah, it is. They just, you know, try and pop a whole bunch of mom-and-pop shops, and then just collect their money. With OT environments, the thing that you can do, right, it's not really stealing information, it's really causing an outage, right? That's what really hurts, right? That's not allowing the organization to operate a device in a proper way. Right? That's the type of ransom: ransoming the device, not ransoming the data, right? This is a very important distinction. IT security is all about data: controlling access to data, encrypting that data, making sure that the data has integrity, that it hasn't been changed. Right? On the OT side, it's all about securing devices. Right? So the analog of ransomware on the OT side is rendering the device itself unusable, preventing you from operating the device in the way that you want to.
And the thing is, there's no low-key way of screwing up those devices right now. You know, hitting a dental office for ransomware looks low-key, because you're not, you know, ransoming all that data, like all the PII from the target patients, things like this. On the OT side, there isn't a whole lot of low-key attack. And so for the adversary who's actually put in the work to get into these OT environments, they're probably going to wait until it's worth their while to execute the hurt. Right? Because the moment they do something, it means the city doesn't have water, or, you know, the state doesn't have power, or what have you. Yeah. And so in my mind, and again, this is my opinion, I'm guessing here, there are probably far more adversaries lurking in these OT environments right now than there are actual known breaches, right? So let's say that the ratio on the IT side of the adversary already being present on the network versus breaches is a certain number; that ratio is gonna be much lower on the OT side. Right. Okay, sorry, the other way

35:02

you see it, because it is different, they're lurking. Right. Right.

35:06

So you think about the number of breaches, right? On the IT side, relative to the breaches, the number of adversaries lurking there is, let's say, 5x. I'm just guessing, that's not right. And on the OT side, it's probably gonna be like 50x. That's just my opinion, probably a lot more of the adversary just lurking around the OT environments, waiting for the next opportunity to go ahead and execute whatever they want to. Some of these are nation states, right, because they're waiting for the political situation and military situation to move. But others are, you know, financially driven. And they're probably waiting for the right opportunity to make it all worthwhile.

35:48

Huxley. Now, I'm not going to sleep well at night. Well, I'm going to sleep fine at night, just because I don't have any operations that I have to worry about.

35:56

Yeah, you're out of that now. Right?

35:59

I'm out of that. Thank goodness, because that is exhausting.

36:05

Yeah, sorry. You can cut that out? No, no, no,

36:08

we're not gonna cut it out. That's the reality: security is important. Get it upfront, make it happen, have that conversation, and don't shy away from it. Deal with whatever the problem is, but just deal with it. And then come up with a strategy and a plan, and understand the risks. Just don't put your head in the sand on this one. There

36:38

needs to be a security program. Every organization that has an OT or ICS environment, I

36:43

would have to have a security program. Yeah. And I would imagine, don't be so prideful, either. I mean, yeah, I know, we've got a security program. Yeah, it's, you know, 27 years old. It's a problem.

36:56

Yeah, well, I don't think any security veteran would ever tout their successes, right? It's a strange thing, because in the world of security, success is defined by nothing happening.

37:14

Yes. It's odd. That's why it's so difficult to have security conversations, because nobody wants to air their dirty laundry and say, hey, look at us, man, we got breached over here. Nobody wants to do that. But then there's learning that can be done from that. Right? They know what it was. You don't want to be the example that people learn from. How do people get a hold of you, actually?

37:39

Oh, well, I am... Actually, plug

37:42

your conference, whatever that conference is.

37:44

Oh, sure. Yes, yes. So runZero is going to be at the S4 conference in Miami, March 4 through March 7. Not only that, we are going to be participating in the ICS Village, which is at the conference. I will personally be there at the ICS Village. runZero and eight other vendors will be trying out their solutions on a mock network that's being hosted by the ICS Village. I think there's gonna be a manufacturing environment and potentially one other type of OT environment. And we are going to be running our solutions to try and detect all the different protocols and all the devices that are running there, with both active and passive capabilities. So we're going to be there. So if you want to see me in person, I don't know why, if you just want to say hi and shake hands, I will be at the ICS Village for the entire time. And if you want to learn more about runZero, go to our website, www.runzero.com. On our website, you can actually download a free version of the software, which includes both the active scanning as well as our own passive discovery capability, called passive traffic sampling. It's a little different from what all the other passive network monitors do. But in any case, there's a free community edition you can download. You can try out the active scanning capability, and you can also try out our passive traffic sampling capabilities. A mouthful. Yeah. And if you want to reach me, you can find me on LinkedIn or the infosec.exchange instance of Mastodon. Just look for Huxley Barbee, H-U-X-L-E-Y B-A-R-B-E-E. I am the only Huxley Barbee you're ever going to meet. I was gonna

39:45

hers. He's not Huxley Barbary:

40:05

Thank you for that. It's more laziness than a sense of style. Appreciate that. Oh, gee, it looks good on you. I don't think it looks good on me. It's like salt and pepper, yeah.

40:18

I'm all salt, no pepper. All right, wonderful. Huxley, you were absolutely wonderful. Thank you. All right, listeners, we're gonna wrap it up on the other side. We're going to have all the contact information for Huxley and all the links. So reach out. Don't, darn it, have this conversation on security. All right. We'll be right back.

40:40

You're listening to the Industrial Talk Podcast Network.

40:49

Yeah, you want to be connected. You need individuals like Huxley. You need his company, runZero. It makes sure that you're properly protected against nefarious individuals out there as you continue to connect your assets. We're connected. Reach out, the contact information is all out on Industrial Talk. So it's all out there. Make sure you make that happen. This is an ecosystem. It's expanding. You need to be a part of it. As we continue to solve problems, you are a problem solver. Your voice needs to be heard. You need to help industry succeed. That's what Industrial Talk is all about. That's the purpose behind Industrial Talk, so that when somebody goes out to Industrial Talk, they see your net. That's great. All right. Be bold, be brave, dare greatly, hang out with Huxley, change the world. We're going to have another great conversation shortly. So stay tuned.