[00:00:00] Speaker A: If we do the basics right, we follow good practice, we work together and share our learnings. We have good quality threat intelligence and share that across the communities, have strong network segmentation, monitoring, awareness, then we can really work together to address this leadership challenge. The other key thing is really around how we articulate and communicate risk. To make sure that operational technology and their essential services are getting the spend that they need to be protected and that we rigorously manage that risk to ensure our IT and OT systems. But particularly the OT, the crown jewels of our networks are getting their fair share of protection and spend.
[00:00:41] Speaker B: This is KBCS.
[00:00:43] Speaker A: Are they completely silent?
[00:00:44] Speaker B: As a primary target for ransomware campaigns.
[00:00:47] Speaker A: Security and testing and performance and scalability, risk and compliance, we can actually automate those, take that data and use it.
[00:00:56] Speaker C: Joining me today is Sam McKess, cybersecurity committee member from ACS, also known as Australian Computer society. And today we're discussing critical infrastructure. Defence is doable. So, Sam, thanks for joining and welcome.
[00:01:08] Speaker A: Thanks for having me, Carissa. Yeah, really excited to be here.
[00:01:11] Speaker C: So, Sam, I'm aware that you've been conducting some research specific to cybersecurity for critical infrastructure, which is, you know, things that you care about. So I wanted to discuss maybe some of your insights and your findings. So maybe give a little bit of a context, a bit of background, what you've been up to.
[00:01:28] Speaker A: Yeah, sure. So I keen interest in the area, having spent most of my 25 year career in health, energy and telecoms. So, yeah, I've been conducting research where I've spoken to over 50 business breeders, engineers and cybersecurity professionals. And yeah, there's some really interesting insight sharing today around, you know, how that works and the feedback.
[00:01:49] Speaker C: Yeah, sure. Okay. So you. Okay, I'm going to read a statement that you say, as a nation and globally, we've sleepwalked into a complex situation. So talk to me a little bit more about this. What does that mean?
[00:02:04] Speaker A: Yeah, sure. Perhaps not the most elegant of terms, but I do feel like we've slept walked into this situation. So the results from my research are really round up. There's a leadership challenge and it's not really anyone's fault, but we've walked into the situation where we've connected all our critical services. So the electricity networks, telecommunications, health, our water assets, effectively many of the things, and most of the things under the Australia Security for Critical Infrastructure act, the sockeye act. And we've done this for really good reasons. But over time, collectively, organisation leaders, practitioners, executives on the boards all around the world have been enabled by technology and great vendor offerings and has created this demand for connectivity and the benefits that come along with that. So the benefits in regards to operational efficiencies, data and insights, and managing resources more effectively. So there's really good reasons why we've done it. But now that we've done it, we're in a situation where our essential services are all connected. And that's changed the risk profile of our critical infrastructure organizations from. From our lives in the past.
[00:03:10] Speaker C: So is that what you mean by we've sort of slept walked away here? In terms of what I mean by that is now we're just. There's a lot of interdependencies, right? Everything's connected something. There's a problem with one, there's sort of a downstream impact of the other. Do you think people are aware of this, though?
[00:03:23] Speaker A: I think perhaps not so much. I think definitely the public is not really aware from the research that I've done. And if we boil it down, so the level of risk is introduced. So the technology that we're talking about is referred to as operational technology, or OT. It's the tech that controls sort of the actuators in water pumps, the valves in high pressure gas pipes and the circuit breakers that run our electricity network. All of those are connected to a control room somewhere. For these critical infrastructure managing organizations and the flow on effects and requirements from executives and leadership to be efficient is that we've connected those devices back up through the control rooms and into the information technology network, into the IT network, so it and Ot is now connected, whereas previously it wasn't. So that's changed the risk profile in that those networks are now to some extent at a quite different risk level than what they were in the past.
[00:04:18] Speaker C: Okay, so there's a couple of things in there which said was interesting, I just want to go back a step. You said, from the research that you've been conducting, you know, the public aren't aware of the connectivity, so what are they currently aware of, would you say? Like, what's the level?
[00:04:31] Speaker A: I think the expectation is that you run your turn, a light switch on, you know, it works, it's a utility and it functions. And similarly with the water and nano gas services, however, that risk profile that I'm talking about, that's changed these interdependent networks, this connectivity, I think, is mostly invisible to the public. And I think the risk profile in regards to how that's changed, what I call appearance of risk finance and safety risk have been developed over the past 350 years. In corporate environments, we understand quite clearly the terminology, the probability, the likelihood of those risks occurring and what impact they might have. However, cyber risk now that is quite clear is happening, is only about 15 years old, so it's quite a lot younger. We haven't really got the metrics to deal with that, to highlight that risk right up through to the executive to make sure it's getting the focus that it needs to have, like, say, finance and safety risk and how that's been developed over time.
[00:05:32] Speaker C: So you mentioned the risk profiles change, which makes sense around it, and ot now being connected and integrated, for example. So what are we doing about it? Like we meaning the industry?
[00:05:42] Speaker A: There's a lot happening in the industry. You know, there's technology, there's regulation compliance coming in. So this journey, government's making great steps forwards, highlighting this and requiring critical infrastructure organizations with obligations and compliance objectives. Part of it. Getting back to that point you made about the public and the awareness, I think the stuff that's been in the news, particularly in Australia in the last couple of years, is really around privacy breaches. So some information here and there, people's accounts, financial details, and often health records. Now, that's really harmful for the people that are involved. And I lament the fact that people have had to experience those sorts of things. However, the risk that we're talking about in regards to critical infrastructure is the potential loss or impact cyber physical outcomes where, you know, traffic lights might stop working or a water tank might overflow, and this is going to create some real potential damage to society.
[00:06:36] Speaker C: Yeah, that's an interesting point. I mean, I have interviewed people about this, a fair bit on the show in my time, and you make a great point around. Yeah, okay. Like, for example, if you're in a bank and, you know, you got your money scanned, you get it back. Right. But like you were saying, traffic lights don't work, water tanks overflowing, that could lead to sort of death or multiple people dying as a result of this. So would you say that people are acutely aware of that? Or to your earlier point, we just turn on the light switch and then who knows what happens after that?
[00:07:08] Speaker A: Yeah, I think generally the public's not, and in a lot of regards, perhaps they don't need to be. I think it's on the cybersecurity practitioners, the leader of the critical infrastructure organizations, to make sure we're protecting and defending well, that we've got the things in place to protect society and the fallbacks to recover if they are infiltrated. There's lots of great practice out there. The Sans Institute is one. So quoting Robert Lee from dragos and sands defence is doable. And I absolutely believe that if we put in place the structures around unpeopled process and technology and we have good network segmentation, we train our staff well and we share threat intelligence, and then we can absolutely protect this infrastructure. There might be breaches, but I think that we've got the ability to respond and resolve and minimise that impact.
[00:07:57] Speaker C: There was someone I interviewed a while ago and he spoke around space in satellites. Now, you probably know a lot more about this than me, but he was sort of explaining like, if one of them, whether it's a lower Earth orbit or like closer to Earth, or the ones that are a bit more further away, like the impact of that and how rapid things would start to go downhill within 24 hours. So is those types of things that worry you perhaps?
[00:08:22] Speaker A: Yeah, I think so. I mean, you know, those. Those single points of failure effectively, you know, the GPS positioning system, the global positioning system. Yeah, it's absolutely a risk. And there's examples where that's, you know, controlled by the United States and there's the EU competing solution that's being built and launched and I know other countries are doing the same. Again, there's lots of points of failure to make sure that we're putting in place redundancies and practicing incident response should those assets get attacked. It's really important that we go through all the good practice that we know is good practice from the industry. There's lots of advisories from the Australian Signals Directorate, there's joint advisories from cybersecurity agencies in the US about how state sponsored actors are coming into these networks and how to deal with those, how to identify them, how to fight back.
[00:09:18] Speaker C: So, Sam, you've also used the phrase we've frog in warm water connected everything. So what do you mean by that?
[00:09:26] Speaker A: Yeah, again, not one of my most elegant phrases, but yeah, we've absolutely connected all of this equipment. So those actuators, the electricity circuit breakers that I was talking about before, I think there's really good reasons why we've done that. So the benefits are significant to connect that equipment through to information networks. And the benefits there are really around the operational efficiency, the asset management efficiency. So the examples of having a distributed workforce, engineers in the field being able to know where they are, what assets are broken, where there are coverage and efficiency of having those resources that are across different geographic regions or even just localized level. Whats happened over time is that businesses have baked in those efficiencies. So the leadership, the executive reports the shareholders have baked in those efficiencies, not that were stuck with them, but those have been baked into the financial results of those organizations. And we rely on that data, that insight and those operational efficiencies from connectivity, thats a really great thing. It means that were getting engineers out to customers faster in whatever industry it is. It means we're getting those faults fixed faster. It means we're being more resource efficient in the way that we use our equipment and we're managing our assets more effectively. Now on the flip side of that though is that if there's an impact, a breach and some downtime, then it's really hard to operate the organization because those efficiencies and resources have been scaled back to being the bare minimum when that connectivity is available. And so then the organization becomes incredibly inefficient because the resources might not be available to service those customers.
[00:11:05] Speaker C: So I want to ask a really rudimentary question now. When I'm speaking to people like yourself, it's like, okay, connectivity makes sense. But then sometimes when I'm just, I don't know, on the weekend and then someone starts talking to you at, I don't know, an event or something like that, and then someone obviously knows what you do for work and then they're like, yeah, like we're just in this really connected world. So from my observation, from talking to people across the industry and just generally it appears that people don't like being super connected and they see it seems to rattle them a bit. So what's your sort of view around, you know, ot and it being connected? Of course there are benefits, but would you say that the benefits outweigh not doing this? But then also the risk profile has changed and increased. What are your sort of thoughts?
[00:11:49] Speaker A: I'm so optimistic about technology and always have been. However, I guess now I start to realize that there are risks. I've got a consumer example that I think would be good to share. So I bought a laundry dryer recently and I order one with high efficiency. High efficiency you get throughout electricity is high efficiency for savings. And as you go up the chain in the product, the different types of products are available.
The more efficient you get, the more features you get, and often is what's happening now. And what I found when I was trying to research this workweek was that the more efficient ones come connected with connectivity, whether you like it or not. And so to buy an efficient one, it's considered a premium product. And therefore it comes with connectivity. I didn't want one with connectivity because I don't really want retire connected to the Internet. And so I think there's like an expectation there to some extent that you want to buy a premium product that has all these features, and then it's a bit of a vicious cycle because that's partly marketing for sure as well. So how do we have good quality devices and still have choice of not connecting certain devices?
[00:12:58] Speaker C: Yeah, that's a good example. So there's a couple of things that I'm hearing from what you're saying is, doesn't really matter how we feel about the thing being connected or not, it's just probably going to. To get to a stage where it is. So do you envision that in the next, you know, in a little while, like, you won't be able to buy a dryer without it being connected effectively and therefore we don't have a choice. Right. So it doesn't matter how you feel about it or you. You're rattled by it, it's just the way it is. Do you see that sort of coming into play?
[00:13:23] Speaker A: Yeah, quite possibly. I think there will be demand for things that are not connected. I mean, cars are another example. Getting back to things that are sort of more critical. Infrastructure, I think. I think the resource efficiencies are. Connectivity are inevitable for organizations. I think the bottom line of organizations will require the majority of whether it's it or it networks to be connected. Because the value in gaining data and insight from app is so great that competitors will surpass the organizations that haven't done that, then it's going to lend itself to how do we manage that risk? How do we understand that risk? How do we see the profile? How do we measure it? How do we understand the likelihood and probability and how do we roll that up into the organization risk. So not talking about how many vulnerabilities there are on this actuator or this device at the end of the network, but understanding that if we impact the service that the organization provides to its customers because that device got infiltrated, then we need to make sure that that risk is articulated. I think what's happened over time is that we spent quite a lot of time protecting the IT networks and quite a lot of money protecting the IT networks, you know, because every executive wants to have their email and wants to be able to communicate and get to their spreadsheets and their finance data. But the OT networks been relatively well protected and there's less data from those impacts. And so from the research and the people that I'm, that I've interviewed, I'm hearing that we've probably spent perhaps quite a bit of focus, resources and investment protecting the IT network. And potentially in some organisations we've left the OT network a little bit to obtain devices. And now there's a bit of this leadership challenge in that we need to protect that even more so because that's actually the crown jewels of the organisation.
[00:15:15] Speaker C: Okay, so you mentioned before the benefit, and we can get into more of the benefits, etcetera. But you said having the connectivity allows for, you know, you can derive more data and insight. So what do you sort of, what does that look like? What are some of the insights you can get from having the connectivity?
[00:15:30] Speaker A: For example, I touched on a little bit before. I'll use an example. I was at british gas in the UK and rolled out smart gas boilers. There was much more information than available about those devices. We could get out to people's homes and I went out to people's homes with the crews to check on the fault codes, on the error code. So we could take the write, we could take the right replacement parts for this because we could see the codes remotely. So that visit was more efficient. It meant that we could go to the depot first, get those items, and then we could go straight to the customer's house. So it's more efficient for the crew. So it was more efficient for a customer because we could resolve the issue first ever. And so that's just the example. Similarly, using GPS, again, for workforce to be able to understand where they are, which crew is closer to the depot to get the part, and then out to customers home, those sorts of efficiencies are really also taking another look. The data that it provides, that's just sort of at an individual engineer level, the data that it provides the organization as a whole, to be able to roll that up into the teams, the data intelligence teams in critical infrastructure can then start looking at resource efficiencies at a meta level, so they can understand where the response time is slower, where they might need to adjust the resourcing in regards to their crews, or the time of use, time of availability of their crews. So you can start to roll that up into organization level performance and that can create significant benefits and bottom line improvements from organization.
[00:17:04] Speaker C: So as you're talking, Sam, my mind's going and I'm zooming out a little bit more. When you're talking about resource efficiency, et cetera, would you say as well, this is going to be better for sustainability. I've interviewed someone recently around, what does that look like in technology? It was quite interesting and definitely the first interview I've done around that. So do you sort of that, you know, with what you're saying, it's going to be more sustainable than long term?
[00:17:26] Speaker A: I think so, yeah. Because, you know, you're using rescue, you know, in each of those trips and. And you're getting the right part. You're making one trip instead of two. You're having crews, you know, leveled across the geographic regions that are supported and that all becomes a lot more efficient. So, yeah, there's definitely, definitely environmental improvements and opportunity there.
[00:17:49] Speaker C: So is there any sort of other benefits you can touch on today? Give more examples perhaps for people that aren't aware of what this looks like?
[00:17:56] Speaker A: Yeah, I think in regards to the benefits, I think the benefits are really clear in regards to how they've been baked into the finances, the organizations that being able to control devices without sending. So those actuators, the pumps previously say for a water asset, water organization, we still have to send someone out years ago to turn the pumps on and off. Now that can be done remotely. Similarly for electricity networks, say there's a pole down. So I was working in an energy company a couple of years ago, and you can make the network more safe because you can turn the circuit breaker off on that zone substation and you can protect the public from those lifelines.
And at the same time, it can be sending a crew out. The crew might be an hour or two away. In general, Victoria, there's safety opportunities. There's all sorts of benefits there from having this operational technology connected. So then it's, how do we go about managing that risk and making sure that we're following good standards and methods to keep it protected.
[00:18:57] Speaker C: Yes, I was just about to ask you that. So with that, obviously the flip side of that is the risk component. So with your background and experience, how would you sort of advise people to go about this effectively?
[00:19:10] Speaker A: Yeah, so, I mean, one of the things is that I think this, we touched on it before about the public perhaps not being aware, but I think some of the people in the industry aren't perhaps aware of some of the risks. And it's sort of seen as something that'll be okay. You know, the Australians should be right sort of way of thinking, which, you know, as largely been true. And I've done some additional analysis on the sort of major cyber breaches and impacts that have caused what call cyber physical outcomes.
And so I think part of the awareness is because we haven't had too many events in the country that have caused us to sort of sit up and take notice. And so in my analysis there, I count about knowing the events that occurred that caused physical outcomes. And the majority of those, and maybe I'll just talk through them a little bit. I won't list each one, but if I talk through them a little bit, they've all but one have been on the IT network. They've all been, almost all been ransomware. And there's only one that's been operational technology.
And so if you consider that as a nation, we haven't really been through an operational technology major crisis where an attack has occurred and there's been physical outcomes. The one that did occur was in the year 2000 at Maruchi Shara in Queensland, and it was actually an insider threat and there was sewage spilled out into public parkland and attack. But since then, there hasn't really been one that's occurred on the OT network. A lot of them have sort of been the traditional sort of ransomware. We've got data, we've encrypted it, those sort of impacts. The physical side of that is that, say, through the hospital that's been impacted has had to put on more staff or cancel erective surgeries, those sorts of things. So it's been sort of flow on impacts. So some of it is around. You know, even through my interviews of the research, even some of the control systems engineers that I spoke to are not sort of concerned about some of this risk. And I think that's sort of maturing with the industry that we need to go through. And I think that's, that's partly why I'm so interested in it and talking with you about it today, but also trying to raise awareness that internationally there are events that are happening like this. We do need to spend time putting in place practices and making sure that we're raising that risk profile, analyzing it correctly and getting it onto the leadership agenda.
[00:21:32] Speaker C: So guys, ask these control engineers, why wouldn't they be concerned?
[00:21:38] Speaker A: I guess it gets back to that sort of frog in warm water. When you're a professional and you've been doing something for 20 or 30 years, you, you believe to be doing it well, and usually you are. But I think some of the threat landscape has changed in what's perhaps not their industry. So say a control rooms engineer, 20 years experience or more or doing a great job, and they're doing it the same way that they sort of always done it. Yet the threat landscape has changed. Considerably on the outside. And so maybe if I just talk to that a little bit. So that threat landscape has changed, you know, in sort of three areas, I would say primarily. So the first one is the types of adversaries, the types of bad actors. The second one is like the developments in regards to the technology that's available for them to use. And the third one is like the value of the critical infrastructure itself. So, you know, I can talk through each of those. People have different scales for different types of adversaries. There might be, but let's say there's five from this. You know, they're state sponsored, there's a state sponsored adversaries. They're well resourced, they've got huge budgets, they've got vast technical capability, and they are able to gain long term persistence in a network.
There's other areas like organized crime where money talks and they're well resourced and run market business. There's hacktivists that cause disruption. They're passionate about a cause and they're a bit unpredictable. There's terrorist hackers, so they're ideological, they're extremely. They're following their belief system. And then there's the script kiddies or the sort of individual actors. And so if we sort of think of those, those sort of five adversaries or bad actors and the tools that are available to them, and we go into this sort of second part, the tools that are available to them have significantly changed in the last sort of ten years or so. So the apts, these are state sponsored, advanced, persistent threats. They got a lot more bullshit than they were in the past. The rules of warfare aren't really applying to what they're doing anymore. So they're infiltrating systems and not seeing any repercussions. They're staying into those systems. And that's evident by the advisories from the US and australian governments. In the past, fiscal warfare would have been declared for some of these types of intrusions. But today, because it's electronic, it's sort of unseen, then those repercussions aren't happening. And so sort of, you know, going on, you know, state sponsored actors, they got patient as well. So they're sitting in there and they have maintaining persistence. The cyber, the cyber crime as a service has become a thing. So you can actually go and buy, you know, different parts of your cybercrime off the shelf from other bad actors. And that can give organizations weeks or many months acceleration to their goals. So be that like a fishing campaign or you know, botnets entry services into organizations. Those can all be.
The organized crime gangs got super involved in critical infrastructure because they found out about the value of the data, value of the data and the value of the impact of society. So health data is considered ten to 20 times more valuable than, say, financial or personal identifiable information. So the organized crime gangs are going after health organisations. In the past, in warfare, we wouldn't go after hospitals. Nobody go after hospitals. That was kind of the rules of engagement. But now those sorts of rules of engagement have fallen by the wayside. And that's lend things to the possibilities then for the criminal gangs to start focusing on critical infrastructure and really diving into assets that help us run our society has changed considerably. So I guess going back to the control room engineer or the control room, the control room guys, they perhaps haven't been that close to some of this because they, in their discipline, focused on their job, which is important and critically important, and they should continue doing that. But I think as a society, as leadership to these organizations, we need to help them understand that we are going to need more and different controls in place to reduce the risks.
[00:25:43] Speaker C: So I want to switch gears now, and I want to read again one of your statements that you've provided to me here, which is the one thing that was protecting our critical infrastructure assets. The air gap is all but gone, which you've clearly explained here today. So is this because you're of the belief that the connection to OT and it world and where do you sort of see all of this progressing then in the future? Because, I mean, I've spoken to people before on the show talking about like, some of these controls are worth like 30, $40 million. Right. But I, you know, they're so they're not connected to anything and they are hard to get into. Right. So because you physically have to get there, as you would know. Right. So I'm then curious to sort of explore this a little bit more. Like, what do you sort of see happening now in the future, now that we've removed air gap, for example?
[00:26:33] Speaker A: Yeah, I think that the air gap. The air gap has gone. I mean, a lot of people might think that it's still there, but. But I think, you know, whatever the reason, there was lots of, there were lots of reasons. And we talked about some of the efficiencies of having people remotely connect and servicing equipment in plants is definitely one of them. So previously we might only send out a technical engineer, technical person to resolve or update a system or change the configuration on that computer or that logic controller inside a plant? Well, you know, it's so much more efficient if they can dial in remotely and do that, their safety benefits as well. And. Yeah, so there's plenty of safety benefits as well. And what we thought was an air gap is now often not. So I guess the other thing is that a lot of this has moved into logical configuration, either in a cloud or into configuration of the network. And sometimes it can be as simple as a firewall rule, pointing the wrong direction or allowing a wider set of traffic through than was intended.
And because it's not a physical plug on a network device that you can see with certain color coding in a rack that you can go and check, it goes unseen and that can make it a lot more complicated for technical teams and security teams to make sure that it's secure.
[00:27:57] Speaker C: So it's going back to the physical controllers for a moment. Now from my understanding they had them that way because again, to your point, it's a lot easier to just, you know, remote in from anywhere and exploit it, for example. So would you say that those controllers, are they completely abolished now? So there's none of those like, I've just as I be spoken people over the years, they've said that, you know, these things are really, really expensive, they're not catered to anything for the reason of being secure. Right. So are you saying that's completely removed now?
[00:28:29] Speaker A: I think generally there's not too much in industry, in critical infrastructure that has a proper heater anymore. There might be some really old pieces of equipment like you mentioned here and there. I think the benefits to manage that stuff remotely outside of the plant and manage it from a control room, from a Scada system in a control room, ScADa's system control and advisory administration.
[00:28:56] Speaker C: So I want to touch on something now. When I spoke to one of the guys talking about space, he was saying that, you know, when you're looking at ground, ground stuff, obviously the way to exploit what they're doing there would be to socially engineer your way in. And apparently it did happen once or something in the US, but I don't think the person got all the way through, but they, they got a fair way through. So what are you, what are your sort of thoughts then on that from a social engineering perspective?
[00:29:24] Speaker A: Absolutely so. And I know I sort of talked a lot of, you know, bleak scenarios. I think there's a lot of positives and, and the key positives and I'm very optimistic about this area, that defence is doable and that we can do this to protect this. You know, our essential services and awareness and having the whole organization be aware of how these threats are coming in from how people are trying to social engineer, the phishing, the smishing, all different types of social engineering attacks, whether that's people walking into buildings. I think we all need to do the basics. We all need to update our skills constantly on how we can keep protected, not just for our own personal and financial safety, but for the organizations that we work with. So the basics that we talk about. The government's in Australia has released their basic three step approach, which is make sure that you've got passphrases, make sure that you've got multicultural authentication, make sure that you're doing updates. And so that's nice, simple and structure and it's not too dissimilar to what we had sort of in the eighties and nineties in regards to fund protection. When I'm quoting Jason Murral of Muratin where he considers this campaign for cybersecurity. And I think that's a great way to think about it. We all need to start thinking in that way. We need to protect our own personal assets. We need to work and continuously evolve into how those social engineering attacks are occurring. So do you hold the door open, for example, for someone who's coming into your office?
How have we verified that they're suitable authorization for them to come into the building?
We need to spend time relearning some of these. What were social norms hold the door open for somebody to make sure that we verify that person or that they can prove that they should be allowed in rebuilding. And that's just some of the basics. I think we need to support our staff, support the organizations to do all of those things. And following good cyber hygiene around passphrases, complex pass phrases, multifactor authentication and then simple things like having great pipeline of resources, having good education to keep our cyber resources upskilled are all critical things to make us successful.
[00:31:42] Speaker C: I just want to go back to the door example. I hear your point. The only thing is that when I'm looking at a, you know, I've worked in corporations before, look, I'm probably the type of person that would question someone considering the job that I do of the average person. Do you think they're going to turn around and be like, oh, sorry, Sam, do you work here? Or sorry, do you work here? I've never seen anyone do that in my experience. Do you think that, you know, and it could be like, oh, do you actually work in it could be someone that is some high flying executive that only comes into the office once a year and the guy's being questioned and then it's, you know, divulges into a whole HR incident to be like, why would you question, you know, the, the CEO of the company or something like that? So do you think people are really doing that though?
[00:32:21] Speaker A: I think that's such a great example. The hammer came down on that person. I think that would show poorly on the executive leadership of that organization for questioning someone coming in the door. If they didn't have the access pass through them, if they couldn't save you, they manager was, if they couldn't say what their phone number was or what they sat at. Some really simple prompting questions to sort of challenge questions. I think we need to start considering that you can't just walk into a building without air credentials. I've got a recent example from organization that I worked at. We had a technician from a telco show up, and they wanted to get into the rack in one of the buildings. And the reception at that building wouldn't let them in. So they went to the building across the road, and the reception there wouldn't let them in either because they didn't have the details of who they were. They were protecting what the job was and who requested the work. That engineer bounced around the receptions and those sort of building at that camphor for 3 hours and they weren't letting, and I think that was a fantastic job by all the receptions of each of those buildings, because we shouldn't be letting people in who don't have the credentials. Now, they might have been there for legitimate work, but make sure it's organized, scheduled, and that you've got the authorization letter showing that who is approved to do that work and have the none of contacting meeting. I think those are the bare basics of things that we need to start expecting from our vendors, our suppliers, our partners, and also our staff. If they pop out for coffee and they forget they pass, I think they should expect to be asked who their manager is, if they start trying to get in the building, what department they're in, and so on and so forth.
[00:34:01] Speaker C: I just want to quickly touch on now, kinetic consequences.
What is that?
[00:34:07] Speaker A: Sorry? It relates to these outcomes of vents that happen in critical infrastructure. So whether cyber and cyber meets physical. And then there's some kinetic outcomes or some physical outcome of a cyber event. So kinetic consequences. And there's a really great example earlier this year in a small town in the US in Texas called Milshu, where cyberattackers attacked and purposefully infiltrated the operational technology network, the OT network, and the pump actuators. And the flow of water for a tank there in Texas was caused to overflow because of this attack. Now, you know, it was a small town, but tank was in a field by itself. The water overflowed. It didn't really affect anybody. It's almost like a proof of concept, effectively, to show that cyber, physical or kinetic consequences are possible from cyber events. And if that was a high pressure gas valve or electricity circuit breaker or some other type of operational technology device, there could have been or is a more highly populated area, then the ramifications could have been significant. So it's a relatively new phrase, I think. I mean, people real close to the industry have probably heard it, but I think it's one that's going to become more prevalent. It definitely is one that's a risk to the society, and I think that's what we're all working to try and protect. Now, having said that, many of the things that I talked about before is what we're doing to protect. So following good practice around having strong network segmentation, having good architecture principles for operational technology, there's an architecture design principle called the Purdue model. And making sure that we're designing to that, making sure that we're doing pen tests, that we're responding and spending time practicing our response are all important things that we can do to reduce the risk of these types of comedic consequences.
[00:36:05] Speaker C: This is really interesting because when. When we've been talking this interview, that's exactly what was coming up my mind. Like, some kinetic consequences, like, basically starts off as a cyber attack and then leads into a physical problem. So, like a whole power plant blowing up, for example, and then as a result, killing people. Right. So is this something that hopefully we won't have to experience, but is this something that we're going to see, perhaps emerge a little bit more now?
[00:36:35] Speaker A: Well, I think it's definitely a risk. I mean, there's plenty of international examples. One of the big ones is the attack on the Ukraine back in 20, 1516. The power got turned off for hundreds of thousands of people during winter.
It happened twice in the middle of winter in 2015 and 2016, and happened again in 2022. And side effects? 250,000 Ukrainians in those first two instances.
And obviously being without power during the middle of winter, not a great situation. There are other examples. There was a plant in Germany, a manufacturing plant, that was severely damaged. And I think there was some personal injuries there as well. And so these events are occurring, and it's up to all of us.
I guess the key thing is sort of getting back to my area. Point is, it's a leadership challenge, but it's an industry challenge, organization and government challenge, to make sure that we're skilling up the people, setting out strong cyber teams, making sure that we bring along the control systems engineers and chemical water engineers, to make sure that we're getting the right outcomes for the organization so that we can be successful and protect society. And I think that's such an exciting and opportune activity. It's also such meaningful work. People talk about meaningful work, that it can get much more meaningful than making sure that we're protecting society.
[00:37:57] Speaker C: So, Sam, is there any sort of closing comments or final thoughts you'd like to leave our audience with today?
[00:38:02] Speaker A: Yeah, I think just sort of echoing some of the points that I made earlier from my research. If we do the basics right, we follow good practice, we work together and share our learnings. We have good quality threat intelligence, and share that across the communities, have strong network segmentation, monitoring awareness, then we can really work together to address this leadership challenge. The other key thing is really around how we articulate and communicate risk. To make sure that operational technology and their essential services are getting the spend that they need to be protected, and that we rigorously manage that risk to ensure our IT and OT systems. But particularly the OT, the crown jewels of our networks, are getting their fair share of protection and spend. I think, you know, it's something I'm particularly passionate about. And, you know, one of the key terms around this is keeping critical infrastructure. So I would say.
[00:38:59] Speaker B: This is kBcast, the voice of cyber.
[00:39:03] Speaker C: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access to.
[00:39:11] Speaker B: This episode is brought to you by Mercsec, your smarter route to security talent. Mercsec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and mid sized businesses scale faster and more efficiently. Find out
[email protected] today.
