Transcript:
Failure to Accelerate: How to Reignite the Spark to Sustain OT Security Programs, by Vivek Ponnada. Do you have a company? You're with us, with Francis. Vivek is a global OT security leader. He's senior vice president of growth strategy at Frenos, the industry's first OT security posture management platform. From field to boardroom, he began his career commissioning gas turbine engines, or gas turbines, worldwide, and now shapes strategy for critical infrastructure security.
He has a proven track record and has held key roles at GE Xenon Fiber Dynamics and Nozomi Networks, spanning sales, marketing and services. He's a respected thought leader, co-lead of the Top 20 Secure PLC Coding Practices project, C to AI fellow NASA, IEC 62443 cybersecurity expert. Welcome, Vivek. Thank you. All right. Let me clean up so you can see me.
Well, good morning, folks. Failure to Accelerate kind of talks itself about the gas turbine controls background. So sometimes when people talk about what you did in the past, I feel like I'm just getting old. You know, that's the bottom line, right? But the reason I mention a couple of things here, the gas turbine controls and of course the PLC coding, is because I want to give you the perspective of the automation and controls engineering that I did, which is still relevant for OT security.
Big time. Right. Because OT security is not a simple, straightforward vertical like some of the others are. It's a combination of operations risk, financial impact, safety. There's a lot going on. Right. So that's why I bring that topic up. All right. Let's do here.
The observations of the current state. Some of you might be very well aware, but if not, you know, we'll go through some of the key considerations. Right. What's the current situation? OT security. There's a lot of interest. Like, literally, you would not go to a conference these days that has nothing to do with OT, but we'll have a conversation, right?
Sometimes it can be IoT or adjacent OT, but more or less everyone has heard of, hey, OT is a big gap. We should do something about it, right? Many, many actually started their programs too. Maybe they did that ten years ago, or maybe in the past five plus years. With the most recent exit that Nozomi Networks had, there's a big news item out there that, hey, OT has arrived.
You know, people are investing, people are considering. So.
The common theme is that after a big event, you know, obviously back in the day, Stuxnet, that was like the 9/11 moment for a lot of people that got into OT security back in the 2010s. Occasionally when something happens in Ukraine, when something happens in Saudi Arabia, there's a lot of news articles about it. There's a little bit of hype about it, and people forget because, hey, it's over there.
It's not really here, it's over there. But when it happens close to home, like when Colonial impacted production, when the plants were stopped and, you know, people couldn't get gas, that's right here on our doorstep. And things do change, because TSA directives came after that. Even when Oldsmar, which ended up being not a real issue, there was a lot of hype about it.
People started talking about security, more access, things that they had to do. Right. So there's a lot of interest spikes when there's an event, right? But the common problem is there's not a lot of OT security people to be able to take a good handle of your situation. Right. So whether you are early, mid maturity or in a slightly more advanced.
The common theme is that there are not a lot of OT security experts. Right. So those that are experts or those that are responsible end up being overburdened, you know, sometimes burnt out. And, you know, there's a lot of churn because they just can't handle it. Too much is thrown at them. Right. And the boards and leadership typically are rarely security savvy, let alone OT security savvy.

There's a big difference between general IT security and OT security. And if the boards are not asking the right questions about IT security, they can't at all ask anything about OT security. That's the thing. And historically, we've had some problems, right? In OT, safety and quality, reliability. These are all super critical. And we have a culture of maintaining them.
Right. You can't walk into a refinery without doing a safety video. You can't do anything at work without doing a toolbox talk. Right. Safety is so critical. Similarly, quality. I can't imagine a pharmaceutical or a manufacturing company without a very detailed, rigorous, you know, culture of maintaining quality, right? It's important because they have regulations, but even without them, they'll still be very positively reacting to quality improvements and stuff.
But that's not the case with security, right? And then new OT deployments often just replicate past projects where they had no OT security. So if you copy-paste a project from three years ago, four years ago, you're just replicating whatever was there: the same device, the same network, same methodology. So security does not make it in, even on a new project, right?
And the last one, we rarely have budgets for routine. Like, this is a common theme across the board. It's not required in a lot of verticals. Right? Not a critical infrastructure vertical. So there's no need to invest in that segment that doesn't have any fines associated with it. There's no expectation of an ROI. So people just don't invest in it.
The common hiccups. As you can see, like, the title was Failure to Accelerate because we know that people have started working on it. But why is it not taking off? Right. Why is everything kind of talked about, started, but, you know, it's not really growing quickly? On the left, the first and foremost problem, I think, is that the outcomes are unclear in many OT security investments. Like, this is by far, I think, the biggest problem.
People invest money, but they don't know how to measure the ROI. Whether it's actual mitigation of risk or saving in terms of money or time or resources or whatever the case might be, like, what are we getting from this OT security investment? It's been very hard to define. Lots of missing policies and overdependence on technology, leading to a lot of tool purchases but no clear outcomes.
This is a very common thing, folks. Second is a lot of projects languish because these take time, right? You're trying to train for a marathon, and if you're trying to measure day three, day four, day five, we're not talking about week one, week two, week three. Sometimes you're trying to measure day one, day two, day three. They're not the same, right?
If you have never run, like, okay, security has never been a thing. If you've never run a marathon, you can't be measuring your progress day one, day two, day three. It might be week one, week two, week three, or even month one, month two, month three, right? So long, prolonged deployment timelines and, of course, incomplete resources. Incomplete project methodology.
So lots of gaps there, which makes it even more difficult to establish an ROI, right? And the last one, we just talked about how employees are overloaded, and so there's churn. And you built a program around two people being trained on this technology or in this process or whatnot. One person leaves. What happens? The other guy is already overburdened.
Now he's got double duty. Plus, the deployment now screeches to a halt because there's no one to actually do things, right, let alone maintain things. So, big problem for them. And then on the other hand, on the technology and the policy side, it's impossible to build more and more layers. Right? Chasing CVEs is hard enough in IT. How many of you remember Log4j?
How many did not sleep for a week that week? Right. You had a problem. You had a patch. You said, okay, let's go do it over the weekend. You know, this must be done. You know, we just do this. Well, as soon as you came back home to get a couple hours of sleep, there was another patch.
Well, redo the whole story. As soon as you did that, there was another patch. So all through New Year, you were constantly chasing it. If patching was your only thing to do, you did not sleep from Christmas through New Year. And in OT we have hundreds of thousands of vulnerabilities. So CVE chasing is your dream? Yeah. Forget sleeping.
You won't even get to step two because you're constantly stuck. And adding even more layers of defense. I mean, it's great, right? When you're building a castle and adding more layers of defenses, great. That's the defense in depth we talked about, but it adds so much more complexity. It adds more and more requirements, more and more things to do.
It just gets really overburdened, especially when your job is not a security person. You are there to produce, right? You're a manufacturing entity. You're a power producer, you're an oil and gas producer. That's your main goal, not security. But adding all these layers adds a lot more complexity for your workflow. And the last one, the prevention focus, which is what in IT is pretty common, right?
You're just trying to avoid the bad thing happening. You just want to block the packet. Right. Some malicious software is out there. You want to just block the packets, you know, stop the execution, stop the worm, stop the spread. That's the whole point, right? But that kind of prevention focus at one point is not as cost effective as trying to think about resilience and reducing impact.
Because, again, we've seen this before, right? In that risk equation, the prevention focus is so much on establishing and reducing the likelihood. But really the other part of the equation is reducing impact or consequence, which sometimes is a lot cheaper, and things that you can deal with, right? If you have to invest $1 billion in prevention versus invest maybe half a million dollars in reducing impact if something does happen, that's something that's much more palatable.
And this I like, from Yogi Berra: if you don't know where you're going, you might wind up someplace else. This is a very common theme in OT security. Most people start on a journey, but they have no goal. They have no destination. It seems like the right thing to do. Let's start on this. But they're not going to go anywhere because there's no clear picture on where to go next.
So where should they go? Right? Let's look at the landscape: threat actors. Their motivations are a million different, right? What a nation state wants versus what a ransomware actor wants versus what a script kiddie does. It's all different, right? What are we trying to protect against? Right. The leadership's lack of vision is worsened by lack of skilled resources. Right. We certainly have seen this where some top-level person decides that we got to do something.
Oh, Mr. CISO, you're now responsible. For what? Okay. All right, let's do something about it. What do I do? Who do you ask? What's the persona like? Sometimes it's so confusing. We talk about things to be done, but we never assign the roles and the accountability. Like, who's supposed to do it? Like, if the CTO or CSO or CIO is now given the responsibility, who can they go to and assign this security responsibility? Because they don't know all the resources.
There are not that many people that can do this, right? It's difficult to justify investments based on events that happened elsewhere. If you are not a pipeline company, you can't just say, hey, it happened to Colonial. It could happen to us. We don't have a lot of publicly documented events. In fact, the past week there has been a big ruckus on LinkedIn because people were debating: should you make investment decisions based on known, established issues or what could potentially happen?
It's a difficult decision for an investment maker when you can't have relevant examples to say, right, or show. And the last one is rapidly changing attack vectors. We've seen this in IT, right? It's kind of like whack-a-mole. You know, you fix this problem, you know, they will go somewhere else. You take out the easy way of getting in for an attacker.
They'll find a different way. Right? Maybe phishing was relevant for certain actors, but if phishing is, you know, a lot more resistant, people are more trained or whatnot, then they'll probably start buying people, right? We've seen the North Korean attackers, you know, trying to get jobs and, you know, this whole new farm thing that three years ago you wouldn't have thought about because, you know, that was good enough with phishing.
But once you fix a problem, they'll go somewhere else. So how do you keep up with the investments, especially when it's a long three or 4 or 5 year time period? Right. Look at the other side in terms of significant differences amongst verticals. We talk about OT security as if it's one thing, right? Oftentimes, especially in conferences, we make it sound like OT security is something that's very similar across different verticals.
But the supply chains are different. What's relevant for transportation is not the same as what's relevant for power, or what is for oil and gas or pharmaceutical, right? These are all very different verticals. The requirements: think about patching. You might have a patch management program for a manufacturing location that has a lot of virtualization and redundancy, right, built in, and maybe more flat networks.
But you can't have the same approach in an oil and gas refinery that doesn't shut down for a decade. Right? Where there is no virtualization. Two different things. Right. And lastly, there are no universal OT solutions. We have some themes, but we don't have universal OT solutions. What might work for one vertical, one region might not work for another vertical in that region, though they might have some common approaches.
All right. What is a baseline? So where do we start? Where have people started in the past? This is all well known, right? On the left you have the SANS five critical controls. On the right you have the ISA 62443 methodology. But look at what they're saying. It's huge. A lot of people, as soon as they see it, they walk away.
It's kind of like if I have to run a marathon, and the nutritionist and the fitness guru gave me 50 things to do, I'm going to just walk away. And this is not something I can do. I haven't even run a 1K in my life. Yes, I would like to get to a marathon, but if I need to do all this.
All right. That's not what they're saying. That's not the intent behind publishing documentation, right? They're saying this is a journey. Let's work with each other on getting somewhere. But this is a lot. So a lot of people, the biggest problem for a lot of people, is the starting versus two, three, 4 or 5 steps back. So it could not be any more complex if you just look at all this in one go and say, I need to do everything in one go, right?
So the critical thing to note here is that you need to figure out what your base level security needs to be, right? Yes, you understand that you are way behind. Yes. Okay. Security is not being invested in, but you need to figure out where you want to be, the starting point, right? What would be considered a decent success if you have the money and the resources to do something, right?
But once you start it, what does maturity look like? Like, where do you go from a decent starting point? All right. On the left you'll see, if you can get to a place where security is like safety or like quality, in my mind, that's the win that you need, right? And that differs across verticals, across regions, across the world, across organizations.
But whatever it is for you, whatever quality means for you, whatever safety means for you, if OT security is in the same realm, in the same level, that's a win. That, in my mind, is the most mature you can ever aim to be. Right.
Second aspect: the mutual understanding of priorities, problems being addressed and responsibilities. This is more tactical, less strategic. So if it's OT, finance, legal, HR, they all understand what we're trying to accomplish, because they do in safety, right? How many times did you, as an office person working in an oil and gas facility, chuckle when, before you start a meeting, you have this safety moment and the best you can come up with?
Yeah, the best you can come up with is a trip hazard for an extension cable, right? Same company, in the refinery, you have hundreds of potential, you know, things to think about for a safety moment. But same company, same organization, in the office, you're limited because the location is different. The risks are different, right? But everybody still thinks about safety, right?
So if you can get there, if you can get the whole organization to just naturally do security as a key component of their daily lives, that's a win. How do you get there? You'll see the policies that work for one organization might not work for another organization. We talk about culture, right? In terms of companies. Company culture is a huge part of this.
So if your company is not focused on quality, for example, there's nothing you can do in that company to get OT security to that level, right? You can't. You just can't. So that culture is key. Training and awareness are crucial. Like literally the lowest hanging fruit for a lot of OT practices are training and awareness because we're starting from a very low point, right.
Most ICS engineers, technicians even today have not heard a thing about security. They don't know why passwords should be changed from default. They have never heard of why that's important. Right. And the tech investments need to be aligned with operations and the risk appetite. This is a no brainer. I mean, literally, I think all investment folks know this, right?
If you buy a tool, deploy software, get a resource, and that's not aligned with operations, the operations team will override that investment any given day. You could buy whatever fancy widget, whatever fancy tool, whatever technology, but if it doesn't align with operations, it will die instantly, right? So I think there are two distinct requirements. Things that are good, nice, compared to what is required to start versus what is required to sustain.
Right. On the left you'll see what's required to start. We all need to understand what security risks, if they're relevant to the organization, if they are required to be addressed. Right. But again, look at the persona. If you're a leader, ask the right questions: are we addressing security risks? But let's say you're not the leader. Let's say you're the practitioner.
You're the controls engineer. You're the operations person. You need to be able to answer the question if you're asked the question, right? If the leader asks you the question, are we addressing all these security risks? And if your answer is, oh, I don't know, we never even looked at it, that's not going to start any investment conversations, any deployment.
Nothing. Right. You need to be able to address the question or ask the question depending on your role. Take advantage of new projects. This is a no-brainer, folks. If you're investing a million, 10 million, 20 million, whatever it is, on digital transformation, new I was bang tools, that's the best time to look at security because now you're changing your workflow.
Might as well incorporate security into that workflow, because then there is no additional cost. Makes it so much easier to deploy, maintain and sustain, right? We have a lot of virtualization options, a lot of AI and ML projects these days, so they can all scale out security quickly because it's part of the new deal. And the last one.
Don't wait for security regulations. They're coming one way or the other. In many countries they now have standard processes. Government regulations from multiple industries in the US, of course, are different, right, compared to many other countries. We have different verticals being managed by different agencies, different entities. So we don't have universal regulations here. But they're coming. No question.
So you can get in front of them. You don't have to wait for the regulations if you do the right thing. If you wait, it's kind of like what happened in safety. Safety regulations over time were written in blood, right? People did get impacted, and that's how the regulations came on later. We don't have to wait for that.
We kind of know, we've seen the history, right? What happens if you don't address certain risks in OT? So we could get in front of them. So all this is on the front end, right? You can start programs based on established events, established, kind of, best practices. But how do you sustain it? That's on the right.
I can't emphasize enough: executive buy-in is not a one-time thing. You can't start on security projects without an executive buy-in, without management oversight. But oftentimes it's expected to be a one-time deal, and it's not sustainable. Right? You started a project, but then management went on to think about other things. They have a billion other problems to deal with.
And so six months later there is some other priority, right? If it's a one-time deal, you've lost momentum. You can't sustain this year after year. Right? The organization needs to really understand this, that security, especially if you're trying to get the executive to buy into this, you have to make sure the expectations are set that this is not an ask for just this one time.
This is going to be a 3 to 5 year time period. When you have the maturity eventually, maybe it'll roll out into, you know, just like quality or safety, sustained automatically, but not needing a lot of tender and attention. But it's not a one-time thing. Absolutely. Make sure that when you go in front of an executive to request that, if you're all in on this, you have to be all in for a longer period, not a short term, right?
And when you do start a program, you have to validate it thoroughly, end to end, at 1 or 2 sites before you ramp up to all the other sites. We have a lot of critical infrastructure companies with 5000, 5001 thousand substations or small regional whatever locations. Oftentimes I see this because you're starting fresh and maybe you got a good deal on the software.
Whatever the case may be, you're like, oh yeah, let's just get this done. I'll give you three months to establish something. You get nothing out of it because you're not using the end-to-end workflow to prove that this is how you can establish this to be a policy, a procedure, a technology, something that you can live with.
Right? So everyone from operations all the way to legal to finance, everyone should be on board, right? All the way to integrating alerts into a SOC and making sure you have the triaging and the response time as part of the incident response plan. It has to work well in 1 or 2 sites, really, before you can ramp up anything other than that.
You just can't sustain it because you've tried too much. It's kind of like trying to eat an elephant, not one bite at a time, but just trying to bite into it. It's just not possible. The consistency in product and vendor partners, we see this too. You can just think about this for the moment, right? Maybe in IT, because you can do projects quickly.
Maybe you can say, hey, I'm going to try this out for the next three months and maybe I'll swap it out if it doesn't work, because maybe centrally managing a tool is easier. Maybe swapping out is not as difficult. In this space, nothing happens in months. It has to be a longer term plan. I would say lock in your vendor or product, you know, partnership for at least three years, because then you can give them the justification that you're in for the longer term.
You can plan things out for the longer term. I mean, we all know this, folks. We live in Houston. The LNG plants were planned 15 years ago. The first production happens literally 15 years after the permit was sent to the government, because pre-FEED, FEED, construction, the whole thing is multi years in the making. Why is OT security going to be any different?
Right. So at least for security projects, think about a three year timeline. Not six months, not one year. And then the last one. This is probably the most unique one that I could think of when I was doing my research. We have to be ready for adjusting to market conditions. Oftentimes you start really high. You got the investment.
But think about it from an organizational standpoint, right? You are investing money. You're expecting an ROI in risk reduction or maybe some, you know, cost savings. But the market changed six months from now. Maybe the price of oil is lower now. Or maybe there's a new competitor out there, or there's a whole bunch of other problems. So now we have tariffs, for example, which means that they're looking at the overall investment.
That includes the security investment. Why do we think we have layoffs in the industry? Right. It's not like security was less important yesterday compared to the day before. Right. It happens because the market conditions are changing and executives are having to make tough decisions. But if you plan for it in advance, right, you have this idea that this is my plan.
I'm going to do this for the next three years. However, this is my minimal viable security program. I could cut back these three layers if I have to, right. I'm doing these ten things, and ideally my maturity will be here in the next three years. However, if push comes to shove and I need to cut back, these are the three things I could cut back.
If you have that pre-planned already, your life is going to be a lot better. Because then when it comes to you, because it's going to happen, right, in the next three years things will change and hopefully you don't have to. But if it comes down to that, you can plan for the cutback, so you can be a better security program regardless of how much you cut back or what you have to remove.
And that way it's not a surprise. It's not something you bring up last minute to say, oh man, now what do I do? Because I started this program and now I can't even sustain it. So those are my ideas, folks. I'm happy to take questions or, you know, kind of see your thoughts on what I presented.
Testing. So just raise your hand. And I'm happy to come by. Thank you.
Thank you, Vivek, for drawing attention to some of the issues that OT environments face in relation to cybersecurity. So you referred to cyber economics and marginal utility and return on cybersecurity investments. So can you provide some specific examples where this is applicable and how cybersecurity in the OT environment can provide value to businesses and enterprises?
Absolutely. The marginal utility that I was talking about in terms of impact, right, reducing likelihood versus reducing impact. This is not a few examples; we have a lot. Think about a tank, right? Something that's storing some kind of toxic substance. Right. You typically have regulation about how many layers of metal you need, how much the thickness should be, overall, like, you know, what level of monitoring you need to make sure that it doesn't go beyond a certain level?
It doesn't overflow. We have all that, right? You can add more thickness to the tank if you want to be a little bit more robust. You can add more sensors to make sure that, you know, the valves will close as soon as, you know, the first level high. Maybe another valve will also close and, you know, read out the substance. So you can do a lot of things, right, to plan for the situation where the toxic substance will never overflow.
But at some point, you have to evaluate the cost of all these additional sensors, all this additional automation, compared to building a huge ditch around this tank that might only cost you 500 bucks. And yes, it overflowed, but it's limited to that area, right? All the investment on the sensors and automation and valves and all that, that is difficult to justify or unnecessary.
If you have an alternate where, yes, you have at least some level of automation and control, but you have this backup plan to restrict the movement of liquid with this ditch, right? It's the same with cybersecurity investments. We have a lot of technology. It could be network security monitoring related. It could be firewalls, some segmentation. It could be secure remote access.
All of that costs a bunch of money, takes a lot of time, right? Meanwhile, if you have other ways to mitigate the risk, where the event still happens, right, the breach still happens, but the outcome of the breach is not a disaster. Where, yeah, I get it, this PLC was impacted, but because I segmented in such a way that only this PLC, if this network was impacted, not the other PLC or the other networks, I can still sustain my production.
Right? Or even that PLC was impacted, but I have a backup manual switchover where the process is still continuing to run based on known conditions, and I am rebooting the PLC or replacing the PLC, whatever the case might be. So we have many. In fact, the Idaho National Labs consequence-driven focus, CCE, consequence-driven cyber-informed engineering, and the consequence-driven focus on reducing impact is really crucial.
Like, they built a good methodology to kind of help you understand the cost implications of doing only prevention, investing in technology, versus building more resilience and building alternate ways to reduce the impact if something were to happen. Yes, sir. Hang on. Let me get to you.
Good morning. Thanks for the session here, Vivek. Good to see you up there. One thing I'd like to highlight about, not only bringing in C-suite and executive level stewardship. That's bribery. You have to have a vested... The executive level has to have a vested interest in OT cybersecurity. And at a minimum, they'll have a named resource for OT cybersecurity.
From that point, I believe, in my, especially my, experience, understanding the operational technologies or operations use cases, once we understand their business and use cases, especially in terms of talking to operations and understanding: hey, so what is it that you go through every day? How many, if you have sites that are 100 miles, like pumping stations or tank storage sites that are 100 miles apart?
How can I help you minimize your man hours, your cost, and get to some automated deployment to these sites to rectify some of your radio comm issues or network issues? And I have to show that value, even though the OT, like, solution will be concerned or specifically focused on OT cybersecurity. But I need to show operations how this drives value through their known existing use cases.
How am I saving the time? How am I saving the money? And like, I think Brian McDonald said this yesterday, when I say sessions, it's like ROI, return on security, right? How do I show them? And it's, exemplify this in a very intelligent and smart way, how they're going to get savings, cost savings, tangible cost savings. And that's where you get the wins.
Yeah, I agree. The more operations, automation and the rest of the infrastructure that's not security focused understands the value from security, right, whether it's investing in the technology or operationalizing it. Right. You ask them to do something different from yesterday. They will ask the question, why? What is it getting for me? Right. If you can get them involved, I call that donut diplomacy.
The more you can make friends with operations and automation engineers, the better, right? Overall, the relationship is better and you're not being facetious anymore when you ask them, hey, what's your problem? You know, let me see if I can fix it. Oftentimes it won't be on day one, right? Because if you're not part of them, if you're not an automation engineer talking to an automation engineer, by default they have their walls up and they're like, yeah, this guy's from IT.
And he doesn't know my world. But the more time you spend with them, the more you're doing diplomacy, right? Bringing donuts whenever you go, and, you know, just genuinely be curious about their daily lives. You can see where you can help, because oftentimes there are things that they do because that's what they've been doing for 20 years that you can easily help fix and solve.
That has nothing to do with security. Now, sometimes it's as simple as, hey, you're using this tool to do this manual data entry. You know, let me give you this automation that I already use in IT. I already have a license and it saves you time, right? You can make a lot of friends that way. And once you really understand the daily lives.
Yeah. And maybe there are things that are not necessarily evident in terms of ROI quickly. Right. So that's when you need that relationship to say, yeah, do the right thing. You won't see anything right away. You won't see any time savings right now. You won't see any dollar savings right now. But in the longer term, in the next six months, we'll get there together.
Right? So this is my goal. But for that to happen, they need to respect you, and you need to earn the respect. And to your point, the more friends you make and the more collaboration you have upfront, the better. For sure.
I'm going to try and get some more questions out of the crowd here. We've got a couple here.
For me, Vivek, I applaud your emphasis and spotlight on right-of-boom controls, responsive controls that focus on reducing the impact. And so thank you for that. I also, you know, the point you made about safety regulations really got me thinking because I think that, you know, regulations in general are driven from, they're all about avoiding something that happened in the past.
Yeah. They're not at all about avoiding something that's in the future, in front of you. Right. Regulations are all reactive. Usually they're rearview mirror based. They're not windshield based. Right, right. And I think that any organization with dependence on OT, I would posit, if they do a proper risk analysis and really look at the risks to their operations and the risk to their mission that could come from cyber events in OT or cyber accidents in OT, making investments in OT security and taking a long view on securing OT is a no brainer.
And so I think one of the things I think is that the mindset on risk is missing. So that's a point I'll make. And then, spot on, curious your thoughts about the LinkedIn ruckus over the weekend.

Well, two different things. But one, I couldn't agree more that if they actually do a risk analysis, they will absolutely do something about it.
We have a cultural problem and we have a mass inertia problem, right? We have never done this. It did not impact us in the past. So why is it going to impact in the future? It's a very difficult conversation when that's the starting point, right? If you take five steps back and say, hey, we look at all kinds of risks, we look at hurricane risks in the Gulf Coast.
We look at earthquake risks in the West Coast. We look at terrorism risk in the Middle East. We take care of risks every day for operations. But why is cyber risk the only one that you don't want to touch? That's because historically, they did not have to do it. All these others, we've had a lot of experience, a lot of events, a lot of affected parties and companies and lost revenue.
We have established historical events to compare, but we don't have as many historical events to compare for cyber. And that ties back to the LinkedIn ruckus we were talking about. Right. If your goal is to make investments based on relevant, established metrics, you're going to be late. You're absolutely going to be late, right? It's no different from, like, why?
You know, why do we build doors and have locks and have monitoring for home? It's not because you were burgled, but somebody was, right? And if you're building a brand new society out there, on the Moon or on Mars, and if we were all going to Mars, are we going to have doors on housing in a Mars colony?
Most likely not. Right. Because we're building a new society now. We're establishing new norms. And we might not have doors, or maybe it's not possible to have doors. That's a different conversation. But the point is, if you're starting from scratch, we will do things differently. But right now we're in this strange moment where we take care of all kinds of risk, but we just do not want to deal with cyber risk because we just don't have the established metrics.
So my opinion is you have to do the engineering mindset or apply the engineering mindset to cross the chasm. Right? So you have to deal with the possibilities in the future. I mean, when you build a bridge, you're not thinking about, you know, what happened to other bridges in the past. You're also thinking about what would happen in the next 100 years, right?
That's why, you know, we're in Houston. We have power outages day in, day out. You don't have to worry only about what happened in the past ten years in terms of droughts and, you know, freezes and everything. The look ahead, right. Is the weather changing? Is climate change impacting my operations? Is the grid any more resilient?
You know, in the future? These are all things that we do day in, day out with an engineering mindset. It's kind of missing. It's a gap that we have in cyber. So I absolutely think those that want metrics before they do anything are wrong. In my opinion.

Hi Vivek, love your emphasis also on left-of-boom culture.
I think that is fundamental to success. There is a lot of excitement about the sparkly new shiny tool or technology, particularly when it comes to automation. Some of those automation technologies actually increase security risk if the foundation of culture and policy isn't there. In terms of how are you going to finance that license in the future? And do you have people who can manage it when the next update breaks the integration?
How do you prepare, or any advice you have, both from your perspective of helping the vendors understand how to make sure that the foundational resources are there to sustain the value of the product they're buying? And how do you inform the customer to not buy it just because it's the newest thing, if they don't have a patch management system that can actually maintain it, or whatever the underlying foundational vulnerability is?
Yeah. Great question, Simon. I think there are different questions in that same sentence. Right. Number one, forget security for a second: supply chain management, buying new tools and technologies, and the risks in doing something versus not doing something, that's across the board. Right. I used to work for GE. My design group was condition monitoring. So if you did not have a vibration system on your compressor and you're trying to install a new one, you have the exact same problems, right?
It's now adding risk. It'll now trip the unit if something is incorrectly configured, which causes lost production that I didn't have to deal with before. Or, I used to work on converting mechanical overspeed bolts to electronic overspeed. Yes, it adds more accuracy, reliability, testing, but it now adds more possibilities to trip the turbine, again causing more outages, right?
So sometimes you have to take a step back and say it's not just a security tool. That supply chain problem, managing what the risks are of doing something versus not doing something, that's been well known. In general, most people can sit together and say, hey, you're asking me to do this? This, if done correctly, will improve my life.
But if it doesn't, then we have problems. We have done this before, we have done these kinds of project management questionnaires before. We've looked at the possibilities. I mean, how could you get a cold work on a hot work permit in any manufacturing or oil and gas facility without that conversation? Right? I've never seen a production in-charge sign off on a permit that he does not understand a thing about, what it is, without asking the question: you said it's a change in this PLC.
You're just doing this for, I don't know, one bit, and it's going to take you three seconds to do it, I get it. But what happens if you make a mistake? Will that impact production? They always ask the question. So in terms of OT security, or any investment for that matter, right, you ask the same question. It might not be one person or one team to answer.
Right. And you do bring up a good point though. All this is well established in OT, not so much in IT, right? If the vendor is so IT centric and they haven't really, I mean, I use cows as an example, who in their right mind thought that global 24/7 deployment of patches, and getting them to do everything in one go, was the right idea for OT?
That is maybe the right thing to do for IT, because you found a problem, you found the malicious nature of something and you want to make sure that everything is patched at the same time. Maybe that was the right decision for IT, right? But if you install the same tool on OT systems and globally deploy the software at the exact same time with no rollback, no one in OT would have ever designed that, right?
No one in OT, no matter who. Today you can go to Honeywell, Siemens, GE, Emerson. No one would have designed that automatic patching for all their systems at the same time, because we've had a lot of experience in it. So to your point, if those vendors are so IT centric and not able to provide you those answers, look elsewhere.
But in general, if you have a vendor in this space that knows a thing or two about OT and software development in OT and maintaining systems, offline patching, for example, offline downloads or rollback mechanisms. If they can't answer those basic questions, they're not the right vendor for you. Right. So. Any other questions, folks?
I know we've got one more really good question in here. Don't feel bashful.
Perfect.
I think a common question, and people trying to get their program off the ground: do you think it's better to go super narrow and get, like, one site really good, or go super wide?

Yeah, I absolutely think one site. Right. So I said here, validate thoroughly at 1 or 2 sites before ramping. Absolutely important to make sure that any representative site is tested.
All right. So most customers have dozens, hundreds or thousands of sites. They might have, you know, 500 from this acquisition that was all Siemens. They might have 50 from another acquisition that was all GE. So pick one representative Siemens, one representative GE, right. If you only have, like, three sites and all three are different, then I can't help you.
You have to try all three of them separately. But in general, find a representative site, or as many as are representative for your whole environment, and go deep, right? Make sure that you hash out how the tool works, how the technology is part of your process, what policies are needed for adjustments, what complaints people had, what feedback they have on improving, or what feedback you have for the vendor, right.
What new things do they need to develop to make sure that you can scale? I don't think you can scale across hundreds of sites without knowing exactly how it works in your particular environment. So yeah, my word is always, you know, get a representative site, end-to-end test it, before you go further along.