Dale Peterson Talks Current and Future States of OT Cybersecurity
On this episode of Forging Connections, Tim has a conversation with Dale Peterson, the founder and host of S4, the world's largest and most advanced ICS/SCADA cybersecurity conference. Listen in as they talk about the current and future state of OT cybersecurity. Tune in now!
Episode Transcript
Introduction (00:01):
Welcome to Forging Connections, a podcast from Honeywell about the convergence of IT and operational technology for industrial companies. We'll talk about the future of productivity, sustainability, safety, and cybersecurity. Let's get connected.
(00:20):
Hi everyone. Welcome to the Forging Connections podcast. I'm your host Tim Verras with Honeywell, and today I'm sitting down with Dale Peterson. He's an expert in OT cybersecurity. He's been in the business for a long time. He's well known amongst the cyber community as the host of S4. It's a premier cybersecurity event, and he's done a ton of talks and thinking around the topic of OT cybersecurity. And we're going to sit down today for a chat around the current state and where it'll head in the future. Dale, welcome to the podcast. Thank you so much for joining us today.
Dale Peterson (00:53):
Oh, thanks for having me here.
Tim Verras (00:55):
So Dale, I was looking at your website and one thing was really interesting to me. So you've kind of been in the cybersecurity landscape for 15-plus years now, and that's cool. But what was interesting to me was that you've actually spent most of that time in OT cybersecurity. And I don't know that there's that many people that have that long of experience in OT. We hear a lot of people that are in IT cybersecurity, but just now for a lot of industrial companies, they're just starting to think about OT-specific cybersecurity. So talk to me, what got you into cybersecurity and OT cybersecurity kind of 15 years ago?
Dale Peterson (01:32):
Well, I've been in it a lot longer than that actually. So, I started in '84 when I graduated from college as a cryptanalyst, a codebreaker at NSA. And basically, I did that because it sounded a lot more fun than being an actuary, even though these days, I think some of the actuarial stuff on cyber insurance is very cool. But I did that. Then in the nineties, when there just began to be a career path for information security, I did a lot of work in finance, so a lot of work in banking, and started my own company in '98, where I thought we were going to do just general-purpose consulting. But then a large water utility called me up in 2000 because we had one of the early websites, and they said, "Can you do an assessment of our SCADA system?" And if you're a consultant, the answer to that is almost always yes, even though I had no idea what SCADA was.
(02:27):
<laugh>. So, I went out there and I did it, and fortunately, water moves slow and it's not so bad if you break things, because we did end up breaking something because we didn't know what it was. But this customer actually thought it was cool that they learned that something could break. And it was just fascinating. I mean, actually going out and seeing physical processes as opposed to being stuck in a data center and figuring out how systems worked. And I've never been close to being an engineer, but just seeing how all these different vertical sectors work, how candy's made, how pipelines work, how an open-pit copper mine works, all that stuff was very, very cool and I was hooked. So from 2000 on, my focus has been in the OT world.
Tim Verras (03:14):
Great. That's fascinating. And it's interesting because obviously right now, with all of the new regulations coming out and communications around the increase in OT cyber-attacks, this is really top of mind for kind of everyone. And at Honeywell, we're kind of seeing a shift where there's a power shift going on inside of operational environments, kind of moving cybersecurity from the operational folks into the traditional C-suite, CISO, CTO, CIO, kind of depending on how the company is structured. Talk to me a little bit about what you've seen there and how that transition's playing out and maybe where it will go in the future.
Dale Peterson (03:55):
Well, it's definitely a trend. I mean, you're on it there, and a lot of it comes from the fact that it's really bad to be responsible for something and not have any authority. And that's what the CISOs were finding: they were getting pointed at when there was a problem in OT and they had no visibility, no responsibility for it. So <laugh>, a good CISO isn't going to stand for that. They're going to jump in. What's kind of interesting, I had an experience just this month, or actually last month, and I don't do a lot of consulting anymore. I spend almost all my time on my S4 show, but I do a little bit just to keep my feet wet. And I actually went with the CISO out to various physical sites out in their environment. It was a wide area environment; it was in water.
(04:40):
And it was funny because a couple of things came up that I hadn't run across. One was the CISO was much better at getting the budget to solve this problem, because the ops guys were just amazed that I was even there. They said we've been trying to hire people to do this for years and we never could. And the CISO's like, this is nothing. This is small money. And I think the CISO is bringing a lot more budget to the problem. And then the other thing, and I don't think this is really a global issue, but it's a CISO issue, was we ran into a situation where they had this problem and I said, "Oh, you could just put a Tofino there if you were worried about that." The CISO said, "No, no, no." He said we have too many security products already. In this case, they were a FortiGate shop.
(05:26):
He said we'll just put a FortiGate there. So, the CISOs are getting involved in this because they're now owning the problem. But if I could just jump in with one other thing, you mentioned a lot of Cs. I think the one that we need to get more involved with is the CRO, the chief risk officer, because, in the end, we're trying to deal with risk at a corporate level. We're not necessarily trying to have perfect cybersecurity. It'd be great if we did, but we need enough cybersecurity and enough consequence reduction to address the risk. So, I think if we look three years down the road, the same argument you just made about CISOs, we're going to start to hear that about chief risk officers.
Tim Verras (06:07):
That's interesting. Yeah, and I would imagine that for an industrial company that maybe isn't used to hiring these sorts of folks for these sorts of roles, there's kind of some uphill learning going on. It's a whole different game when it comes to the kind of talent they're looking for, where they find that talent, and who they're competing with for that talent. Has that kind of changed the way they recruit and position certain roles within the company?
Dale Peterson (06:34):
It's really a hard problem because there's a school of thought that you need to find a unicorn, someone who has engineering, automation, and security experience. And in my experience, that's not required to actually help out. You can come from either one. Those people are great if you can find them. They're really great, especially if you're an asset owner and it's an engineer in your field. If you're in refining and you happen to find someone who knows all about refining and cybersecurity, great, but we're not going to grow those people. I mean, a lot of times engineers want to be engineers; they don't want to be security professionals. So, I think the ones that are succeeding most are the ones that are being flexible, and they're saying this person has some skills, this person has the right attitude and ability to learn, and we're going to grow them into this role. So, I think we make it a hard problem when we're looking for those unicorns, as opposed to saying we're going to grow people into this role; then I don't think it's that much different than other under-resourced professions.
Tim Verras (07:41):
Yeah, I mean, do you see a growing need to have dedicated OT cybersecurity classes and degrees? I mean, do those exist out there or is that just kind of a nascent field in the educational sector?
Dale Peterson (07:57):
I think we're going to see it. Idaho State University, Sean McBride, who used to work at INL and a couple other places, has put together a two-year program out there where they give them some level of awareness on engineering and automation and cybersecurity. So they don't become experts in those three areas, but they become aware in those three areas. And I think that's worth something. I don't think it's required, but I think it's a good way to grow the workforce. What I've found is, especially for people coming from the information security side, if you can understand the purpose of the process and where it fits in the business, and you're willing to not pretend to know more than you know and ask questions, you can do quite well. I've seen people be very effective at helping in OT security after working on one or two projects as the second or third on the project. So I don't think it's a big struggle, but you will see some of these programs, I think.
Tim Verras (08:58):
Yeah, and I think a lot of it is probably being driven by all of these regulations that are coming out, both in the US and abroad, in Europe and other places, Asia. Talk to me a little bit about what you're seeing there. I mean, I know the Infrastructure Act has, and this is a big topic, so we can take it in a couple of different places, but just overall it seems to me like the cybersecurity landscape is kind of going through what GDPR did for IT cyber and customer information sharing. What kind of effect is it going to have on OT cyber?
Dale Peterson (09:36):
Well, if you're working for a global asset owner, I really feel for you, because it's going to be incredibly difficult dealing with NIS in Europe, and even Singapore has their own regulations. The US is doing various things. I think that's really a challenge. If we focus on the US, which I probably know the most about, I know there's a desire to regulate at the executive branch, and I would say even in Congress, but actually getting something through that everyone agrees on has been troublesome. So I think there's that. What we're seeing now, and I don't think it's a good trend, but we're seeing CISA, which is part of DHS, and other people put out various lists of security controls saying, hey, we had this big list. Now they just came out with 37 cybersecurity performance goals a couple of weeks ago that they say are the most important.
(10:35):
If I'm a CISO, that does almost nothing for me. If you're a company big enough to have a CISO, you're not learning anything from these performance goals; it's just now another 37 things they say you have to do. And who knows if those are going to last for one year or three years or actually going to be important. So it's tough. I think at this point you're almost playing defense on regulation with the government. I think you have to say, what do I actually have to do? I would not be an early adopter to go out and say this regulation must come, we need to get a jump on that, because it's going to be so many changes. So I would be very cautious about making regulatory moves and just really focus on what you know and deal with the risk. Not so much what they're telling you are good ideas, but that might be a minority opinion. Some people think they're doing a great job. I'm probably in the minority. I think they're helping small and medium businesses understand what's important. But if you're big enough to have a CISO, you already know how to deal with risk; you should be running your own program.
Tim Verras (11:45):
Well, and it seems to me that a big part of these oncoming regulations is around transparency, especially transparency around when you've been attacked, what the nature of that attack was, and how far that infiltration went, especially when it comes to critical infrastructure. How can companies prepare to even get the data they need to accurately report that kind of thing?
Dale Peterson (12:10):
Well, you're talking about really the difference between regulatory risk and cyber risk. And sometimes there's some overlap. If we look at the electric sector with NERC CIP, certainly some of the things you did to meet your regulatory risk reduced your cyber risk. Now, it was a lot of wasted effort in that case, but you got some of that. In terms of the reporting that you're talking about, I'm not sure that's really going to help a company that much. You are already in the weeds. You've been hit, you brought in your favorite incident response team that you hired, that are quite frankly better than the government. The government is kind of in your way, but I'm telling CISOs and incident response teams, you almost have to treat this like dealing with the media; you can't not deal with them. So the media isn't a regulatory requirement, but it's something you know you have to do. Working with the government in this case is something you know you have to do, and you have to include it in your incident response plan, and it's just a fact of life. And there might be other regulations that you have to put in just to deal with regulatory risk. Most of these companies that are probably listening and are running some process probably have some regulatory element outside of cyber that they have to deal with. This is just another one you're going to have to deal with.
Tim Verras (13:36):
And I imagine that's why your thoughts around the chief risk officer are becoming more important in the long term, is that if you pull that thread, that's the reason.
Dale Peterson (13:46):
Well, the problem I'm having with a lot of what the government is saying is there's this idea that if we just deploy all these great security controls, then we'll never get hit. And we know that's just not true. So, as a chief risk officer, you need to say, if we are hit, can we live with that? Can we live with an outage of six days? No. Well then, how are we going to recover? How are we going to operate manually? How are we going to run partially? How are we going to, if I'm an electric company, buy the power instead of generate the power? You need to start thinking about that. And this idea that we're going to cyber hygiene our way out of the problem isn't really going to be there. And this is why I think you're going to see engineers get much more involved, because they're much better at understanding the consequence side of the risk equation than cybersecurity people are. And whenever we hear about cyber risk, it's, hey, another control; something happened, put in another control. We have to get away from that thinking, and we have to put controls in that reduce the likelihood. But just because it's good cyber hygiene, as a CISO, I'm not necessarily going to push that until it becomes a regulation; then I have no choice.
Tim Verras (15:04):
And let's kind of pivot a little bit and talk about the nature of those attacks that are happening on operational companies. So Honeywell does a bunch of research, and every year we put out kind of a report around what we're seeing, and we're seeing that OT-specific cyber-attacks are on the rise, USB cyber-attacks on the rise, social engineering, all that. What are you seeing out there around OT-specific cyber-attacks? What is the nature of those attacks, and how are they evolving to be more effective?
Dale Peterson (15:39):
Well, Tim, I would say this is probably a place where Honeywell probably has more visibility than I do.
(15:45):
<laugh>, you have a lot more customers that you're interacting with every day, and you're probably hearing more about that in terms of the OT-specific attacks. I mean, we do know that, I don't think it's been a mystery for years, that remote access and removable media, whether that be USBs or engineering laptops that go between zones, are how the attacks are getting in. I don't think you need a lot of additional threat information to say those are my two most likely attack vectors, I need to make sure I'm protected on those. The one thing that I would say on the public attacks, and again this is where you deal with risk, is we're seeing example after example where someone's IT network is compromised. Often with ransomware, that's the most frequent case, or it could be a business partner or something like that. And they're unable to meet their mission to deliver their product and service to their customers.
(16:44):
That's the classic example from Colonial Pipeline. If you look at Colonial Pipeline, it's such a great example and probably overused, but in front of Congress, the CEO said the bad guys got in through a remote access that was not two-factor. Even though their company had two-factor authentication, it was some rogue system that IT didn't know about. So the answer isn't, "Oh, we all need two-factor authentication." The answer there is, "Oh man, if we lose our billing system or our scheduling system, we can't run our pipeline. We need to be able to get that back up and running within whatever our recovery time objective is." So I'm hoping that all these public attacks, not the ones that Honeywell knows about, all the secret stuff, but the ones that are out in the public, I'm hoping that's driving CISOs and boards to say, "Hey, if our IT network is down, how long are we down in our ability to produce product or service?" So that would be the big, I think, takeaway from the activity we've seen.
Tim Verras (17:48):
That's interesting. Yeah, because on our end, we hear a lot about asset discovery being kind of one of the major challenges in an OT environment, but based on what you're saying, it sounds like it's just important to have kind of a holistic picture, because oftentimes they're not going in through the OT side, they're coming in through the IT side and coming from the other direction. So I mean, how do you balance asset discovery on the IT side or the OT side with what you're doing on the IT side?
Dale Peterson (18:18):
Well, and to be clear on the IT side, most of the examples you're hearing that have caused outages, control system outages, have never made it to OT. They've just made it to IT. They've taken out IT systems that OT relied on <affirmative>. So, you might want to rethink either your recovery or whether that should be on IT. Asset discovery is kind of interesting, because asset discovery by itself is more of a foundational element. So if you're doing asset discovery, it can help you with a variety of things. And I think the engineers might appreciate this more, but asset discovery is really important for change control. And this idea that these asset discovery systems are what you need for asset management, I think, is a little bit overplayed right now. You need an asset management system that includes change control and a variety of other things. And by the way, asset discovery can tell you when there's something on your network that's either new or you didn't know about, that should be in your asset management system. So if you really look at the products that are doing asset discovery, they started out as detection products, and they have strong detection capabilities, but most people weren't ready for detection, and they found, oh, they also do asset discovery. We don't know all our assets. This is a good thing. I'm not sure I answered your question there, but I think asset discovery as an end goal isn't really that important. It's more that it facilitates other things that you're going to want to do.
Tim Verras (19:52):
Right. It's a foundational element, because if you don't know it exists, you can't do anything else outside of that. You can't protect it, you can't measure it, you can't manage it.
Dale Peterson (20:01):
But if you really think about it, I mean, do I really need to know every panel that's connected to a PLC? Well, I mean, in a perfect world, it'd be nice to know, but what if I don't know about it? What happens if the bad guys get to that panel? It's game over anyway. Do I really care if it's running XP and it's out of date in May? From a risk standpoint, I'm not so sure. That's where we kind of get into this cyber hygiene versus cyber risk. From a cyber hygiene perspective, yes, I want to know every asset. From a cyber risk standpoint, I don't know how high I would prioritize this. I think it's actually been over-prioritized for a lot of asset owners. The trick is, though, if we're talking to CISOs now, it's gotten so much mind share that if I'm a CISO, I need an answer on what are you doing for asset discovery? What are you doing for detection? Whether or not from a cyber risk standpoint it's the right thing to do, from just a career standpoint, if the board comes to me and I don't have an answer to those questions, because of all the oxygen those marketing dollars have gotten and how it's been absorbed by the government, you need to be able to answer those questions.
Tim Verras (21:11):
And that's interesting to me, because so often when we talk about cyber, it's all about let's throw technology at the problem. What I've heard you say a couple of times now is, yeah, that's obviously important, you've got to have the right technology, but you can't let it blind you to planning adequately for what happens when things do go sideways and how you mitigate and go from there. Because our cyber guys tell me all the time, it's not a question of if, it's a question of when. So you've got to plan for the when.
Dale Peterson (21:38):
Yeah, we catch ourselves in the cybersecurity world: it's not a question of if, but when. So that's why we need to deploy all these more security controls, so it never happens. It's like, wait a minute, you just told me not if, but when. Yeah, yeah. It's like sometimes you'll get red teamers who will get into a system through a pen test or something, and they'll say, "Well, what should I do?" And they'll say, "Well, if you did this, I'll do that. If you do this, I'll do that." You're kind of degrading the reason why you put in these security controls if they can't actually stop a highly skilled person. So we do need to spend a lot more time on the consequence side of the risk equation. And the good news is it doesn't have to be something that's really difficult. Your company probably already knows; let's say you're a refinery again, and you've done some sort of process hazards analysis or some other formal method, you know what the really bad things are that could happen. So then you just go to the next step and you say, could a cyber or cyber-physical attack cause that really bad thing? And then if the answer is yes, what do I have to do so it doesn't cause that really bad thing? It doesn't have to be something that takes 10 man-years to do.
Tim Verras (22:55):
Yeah. And I mean, is there an element of trust between the CISO and the operational IT folks and the rest of the C-suite? Like, how do they navigate those issues of trust in cybersecurity when it's frequently other C-levels that have to report about cyber-attacks or talk about 'em? Like, how do they navigate those communications and those issues of trust?
Dale Peterson (23:23):
Are you talking about trust between people or trust between systems?
Tim Verras (23:27):
Well, let's dig into both. Let's dig into both. So let's start with people. How do you navigate the trust inside the organization, between the leadership and the folks on the ground doing cybersecurity?
Dale Peterson (23:41):
Well, there's a lot of sessions about speaking with executives because, quite frankly, even in the IT security world, it's not something that many people are good at, because we have this idea in the security community: you see a problem, you want to fix it. And from an executive standpoint, you're really looking at how much risk can I accept? They're not trying to reduce risk to zero; they're trying to maximize the profit and growth or whatever their goals are for the company at that point in time, which means accepting risk. So you're kind of coming at it from a different standpoint. They're trying to accept risk, they're trying to find ways to accept risk. You're trying to eliminate all risk. And I think that really leads to a difficult conversation between the people. So, the most effective people, whether they're people reporting to the CISO or the CISO reporting up, tend to be the ones that really understand what the company's mission is.
(24:46):
And also understand that these people that they're talking to are accepting all sorts of risks, not just cyber risk. We've heard sometimes that cyber risk is the most important thing, it's top of mind share. And we just went through COVID, and you're thinking, really, you really think that was the number one worry when they were going through COVID? Or now we're going through this economic downturn, you know, don't think that's a big thing that's going to happen. So again, I don't know that you need it at the base level if you're a practitioner, but certainly if you're a manager reporting up, you need to really understand how the company understands their business, what's important, and how they deal with risk.
Tim Verras (25:30):
That's it. And if you think about risk, even from a sustainability perspective, we just had a conference at Honeywell where we talked a lot about the intersection of sustainability and technology. Where does cybersecurity kind of fit into the broader sustainability regulations and risks involved around, say, fugitive emissions, things like that? Does cyber need a seat at that table for sustainability?
Dale Peterson (25:53):
I don't really know the answer to that. Andy Bochman, who's with Idaho National Labs, is really looking into that, and he's going to give a talk at S4 that I'm very curious to see, because he sees that cyber has a role to play there. Now, certainly we will have a role to play, but whether we're just kind of an adjunct to it that gets brought in on specific issues or we play a key role, I don't really have a good handle on that. A good question. I think it's one we're going to have to figure out in the next year or two.
Tim Verras (26:24):
Yeah, yeah, definitely. Definitely. I mean, we're definitely hearing about it and seeing it on our end of things. And I think everyone's trying to figure out how to navigate that, and the regulations aren't going to stop there. There's new ones coming all the time. So it's kind of like fixing the car while it's going down the road sort of situation.
Dale Peterson (26:43):
But I think you bring out a good point that ties into what I said earlier: it's another thing that executives have to deal with <affirmative>. So we have to realize when we're talking about cyber risk that we're just one of many, and some of them are getting a lot of mind share and are, quite frankly, maybe earlier on in solving the problem. That's one that's probably going to change even faster than people say cyber is changing fast. My guess is that's going to change more in the next five years than even cyber will.
Tim Verras (27:13):
Yeah, yeah, I think I agree with you. And that brings me to the other notion, then, of trust between systems. One of the things our customers struggle with, and even Honeywell itself struggles with, because we have a lot of operations ourselves, is every site is a unique snowflake full of different systems, as you well know. And the more different kinds of systems and vendors you have, the greater your cyber posture. So how do you navigate, is this the solution? In the past, people have said, "Well, the solution is to go with the walled garden ecosystem, one vendor for everything." And we found that's not very realistic. So we try to focus on how do we look at it holistically, not just, "Hey, we're going to come help you protect your Honeywell assets," we're going to help you protect everything. So if you're an organization, how do you figure that out?
Dale Peterson (28:04):
Well, that's a big question. I'm going to take a snippet of it that's more future-focused.
Dale Peterson (28:09):
Ok. We're seeing, and Honeywell does this as well, we're seeing more and more vendors offer cloud-based services or off-prem services, but usually they're services. And some of these are for things like predictive maintenance that are pretty easy to protect. You can just send the data out. Brian Owens, who was with OSIsoft, now Hexagon, called those open loop systems, where there's no feedback coming back. And in the control world, we have open loop and closed loop, but we're also seeing cases where sometimes the vendors will send information back, the cloud service provider will send information back, maybe to change a setting for efficiency or to tell you, "Hey, I think this piece of information was wrong," or "You should do this." Once you have that closed loop, when you're sending things back, trust becomes really important there. When it's open loop, you're just trusting that they won't give your information to somebody else.
(29:03):
It's just the confidentiality aspect. But when you're sending something back, you're potentially affecting the integrity, either the integrity of the command you're sending or the integrity of the system overall if you're sending back an attack. And I think one of the things asset owners really need to do is look at that edge and say, how can I enforce what's being allowed into my network? All these vendors that they work with will have a good story. I know Honeywell has a great story about, hey, it's a VPN tunnel, we have background checks, we're using two-factor authentication; all this is great. So that tunnel from here to there is correct, but the thing on the other end of the tunnel is what I worry about if something happens there. I don't want this just open pipe to do anything. So I think in terms of trust, if I'm an asset owner, I'm saying, what do I want to allow the vendor to do in my system?
(29:58):
And how can I enforce this at the edge? And then you're making a trust decision on each one. I may trust Honeywell to do all these things, but I don't want 'em to do these three things, because we only want people with line of sight to be able to start or stop those sorts of things. I mean, Honeywell, your engineers know this much better than I do, but you have these different classes of things that can be allowed offsite and shouldn't be. How am I enforcing at the edge? Even if I trust the vendor, I still want to have that enforcement mechanism at the edge.
Tim Verras (30:32):
So you've got to explicitly map out those connections and make explicit decisions around what you're going to allow and not.
Dale Peterson (30:40):
Yeah, and the good news is the technology is there to do it, but it adds a level of complexity. It adds a level of complexity for people like Honeywell on the vendor side. And then it adds a level of complexity for the asset owner, because they have to decide on that list of things <affirmative>; one has to decide, and one has to enforce. So what I've seen so far on a lot of cloud services is, we're going to open this pipe and we're just going to trust them to only do the things they should do. And to me, that trust is further than I would take it if I were advising an asset owner.
Tim Verras (31:17):
That's great. That's great. Well, I want to kind of maybe wrap it up with one final question. I'd like to ask this question to everyone. If you could give an OT-specific company that has a lot of physical operations one piece of advice to start down or continue down their OT journey, what is that piece of advice?
Dale Peterson (31:39):
Once you have the basics done, and you mentioned some of them: good perimeter, two-factor, remote access, USB things. So basically, you're locking down what can get into your system. My one piece of advice is once you've got the basics down, focus on consequence reduction, because that's where you get your big wins. That's where you can cap the maximum impact of a cyber incident. And that's something that really has led to many easy wins for asset owners.
Tim Verras (32:07):
That's great. That's a great piece of advice. Well, thank you Dale, so much for your time and your thoughts. This is great. I really enjoyed this conversation.
Dale Peterson (32:16):
Thanks, Tim.
Tim Verras (32:17):
All right, thanks.
(32:21):
This has been Forging Connections, a podcast from Honeywell. You can follow Honeywell Forge on LinkedIn and download new episodes from our website at honeywellforge.ai. Thanks for listening.