In the last two months Bryan Owen attended the SANS ICS Security Summit, DHS ICSJWG, RSA, OSIsoft's PI World, and LOGIIC (Oil/Gas/Gov consortium). Since most listeners like me aren't able to attend these events I thought we could find out what's happening from Bryan.

  • Why Bryan attends events. (4:12)
  • Is it worthwhile for an ICS security professional to attend RSA? (7:40)
  • Mike Assante from the ICS world winning the most prestigious RSA award. (14:00)
  • Any difference in ICSJWG given the recent DHS reorganization? (15:25)
  • Does it look like DHS will increase its ICS security consulting and is this a good idea? (18:36)
  • Are two ICSJWG events a year too much? Or should there be more? (20:45)
  • Government training of ICS resources and what does success look like? (23:00)
  • What was the theme of PI World? (31:35)
  • Information on the new secure PI System Connector for passing information between PI components (a slow RIP for TCP 5450). (33:50)
  • Will we see a shift away or replacement for the Purdue Model? (36:05)
  • Is Oil/Gas in the LOGIIC group rethinking control/safety integration recommendations after TRITON? (49:00)
Links and Info:

The native 3 zone architecture approach is called a PI Connector. Instead of a basic client/server approach, PI Connectors come with a purpose-built relay that acts as a proxy for deployment in the DMZ. Some of the major US control centers collaborated on the design and a year of field trials. PI System Connector is now generally available. All PI Connectors, such as Modbus, OPC-UA, etc., will include the connector relay. The relay architecture also provides the endpoint for data ingress from our open source project called FogLAMP, or from any device pushing OSIsoft Message Format (OMF).

PI World links:

Biogen Case Study – Gus Green

Fog Computing On The Plant Floor - Ivan Zoratti

Introduction to FogLAMP - Ivan Zoratti

OSIsoft Extreme PI System Hardening – Harry Paul

This episode was sponsored by CyberX. Founded by military cyber experts with nation-state expertise defending critical infrastructure, CyberX has developed an end-to-end platform for continuous ICS threat monitoring and risk mitigation.

Check out the CyberX Global ICS and IIoT Risk Report and my podcast from last year on the report with Phil Neray.

00:00:07 Hi, this is Dale Peterson and welcome to the Unsolicited Response podcast. This is the place where you hear bleeding edge ideas, analysis and opinions on ICS security from the people who are driving progress and creating the future of ICS and the industrial internet of things. My guest this
00:00:25 episode is Bryan Owen of OSIsoft. He's recently, over the last six to eight weeks, been attending one conference after another it seems, both ICS security events as well as general security events like the RSA show. So I thought I'd get him on to talk about
00:00:42 what's new out there, what seems to be generating buzz and interest, because when Bryan attends these things he's not just a marketing guy who's going to stand behind a table or booth. He actually attends the talks, he talks to a lot of their clients, which are all over
00:00:58 the industries, and the industry experts, and if you follow him on Twitter you'll see that he asks a lot of very interesting questions and has maybe some ideas of the answers that are a little bit different than what you traditionally hear. So we talk about what he saw, we
00:01:16 get into some of the topics that have been brewing in various discussion groups, such as what is the future of the Purdue model, or what's the next model if the Purdue model is outdated, and just cover a lot of ground. I think you'll enjoy it. Our sponsor for
00:01:32 this podcast is CyberX. Founded by military cyber experts with nation-state expertise defending critical infrastructure, CyberX has developed an end-to-end platform for continuous ICS threat monitoring and risk mitigation. I'll tell you more about a global risk report you can get from CyberX later in
00:01:50 the podcast. And just one other note: we put out a lot of content between the S4 events, videos, the podcast, the blog posts, but one thing that I thought was really interesting to look back at this week was Stuxnet, and I wrote a post on the big
00:02:08 remaining question on Stuxnet, really: why did the US government take something that was very stealthy and probably would not have been discovered for quite a long time and go ahead and actually make it much more noticeable, much more noisy, in a variety of ways, so it certainly would
00:02:28 be discovered? That's the one question we really don't have an answer on, and I've been curious watching the comments to see what various people think the answer is. So you can see that on my blog, dale-peterson.com, or LinkedIn, or a variety of other places,
00:02:43 but now let's get into my podcast with Bryan Owen of OSIsoft. Joining me on the Unsolicited Response podcast is Bryan Owen. He is a principal cyber security manager at OSIsoft. Welcome back to the podcast, Bryan. Hey Dale, good afternoon. So you know one
00:03:02 of the reasons why I wanted to get you on the podcast was you usually attend a lot of ICS security events, but it seems like even by your standards the last four to six weeks have just been a flurry of them. Following your tweets, which everyone
00:03:20 should do, he's on Twitter as b-r-y-a-n-s-o-n, but it looks like you attended the SANS Summit, ICSJWG, RSA, OSIsoft's own event PI World, and then also recently the LOGIIC,
00:03:40 the oil and gas organization, event, I think just last week. Did I miss any others that have been in your life for the last month and a half or so? Yeah, coming back, that's accurate. There seem to be multiple security conferences every week, so I'm
00:04:02 sure I did miss some good ones, but for the ICS folks it was a pretty good run of conferences. So I guess one of the questions I have is, why do you attend so many of these events? I've run into, you know, I understand, I'll
00:04:20 see people, especially from the ICS security vendors, that will attend the events as a marketing activity: here we are, name recognition, attention, lead generation, that sort of thing. But I don't really get the sense that that's why you attend the events. What's the driver for you to
00:04:38 be so active in attending events? I guess I've become more involved in the advisory boards with some of these organizations and have felt an obligation that way, and obviously with RSA and PI World back to back this year it was a little inconvenient, but they're right in our
00:05:00 back yard. But the main driver has always been to be available to our customers, and that guides which events I select to participate in. Interesting. Your tweets on the events are always, well, I guess I put you down as one of the more thoughtful
00:05:23 people in the industry, and I don't mean that you're kinder than most, although you certainly are a kind individual, but when I read your tweets of the events they tend to bring out, almost more than anything, interesting questions. Like you watch an event and you raise the
00:05:43 question as to how this is going to affect the industry. Do you see this driving at all how you approach integrating security into the products, or even how you present the security solution? Do you get much, I guess, new information and
00:06:02 input from these events? I suppose, you know, the first part of what gets tweeted is really out of respect to my colleagues that also go to events. The community has lots of these events and a lot of great thinkers, and there's no way to
00:06:24 go to them all, so this is a way to give back to the community the things that the presenters are bringing forward and help get the message out to everyone, and it gets paid back, you know, kind of pay it forward, and it's nice to
00:06:44 get it back when other folks are sharing what they hear at events. But yeah, I think trying to move the community forward is what we can hope for from these conferences. It's been way too long that people will say, well yeah, security guys, that's all
00:07:06 they do is talk, they don't do anything, and I think that's on all of us to change that and help actually turn these ideas into action. Well, let's dive into some of the events now. Maybe start with the oddball of the group, which would be
00:07:24 RSA, because it's not aimed specifically at the ICS community. If you were talking to, let's say, an asset owner, let's leave aside vendors for a second, do you think it's worthwhile for an ICS security professional in an asset owner location to attend RSA from time to
00:07:45 time? I do, and when we say RSA, I think we should recognize that it has become a melting pot of opportunities and speaking conferences. So in particular, BSides SF has always been a big part of that and a great place to really get cutting
00:08:17 edge ideas. CyberScoop put on a great one this year that had a couple of surprises for the folks that are in critical infrastructure that you wouldn't have otherwise thought of. The IOAsis guys always have a side area where you can get away from the
00:08:40 really hectic pace of RSA and deep dive with security experts. So those things might not be immediately obvious that are available right around RSA, and a lot of times they don't even require the RSA pass at all. But the sandbox for ICS
00:09:02 and IoT was really, those guys have really stepped up their game, and there's top talent speaking there, and everything from connected cars to capture the flags going on, that were repeatedly well attended and busy. I wonder if it's useful even for the non-ICS material
00:09:28 that you might get at the event. I always try to attend at least one non-ICS security conference a year just to see what the broader community is doing, since we have this tendency to lag there. I know in your presentation, or your team's
00:09:45 presentation at S4, they really showed experience and knowledge in how to secure Microsoft systems that I can't imagine you would get at an ICS event, but maybe it's the combination of attending a lot of talks from a variety of other security events. Do
00:10:04 you pick up, well, let me ask you a different way: what other non-ICS security events do you tend to target besides RSA? I'd already kind of thought about the response, so just to come back to that for a second, the tracks at RSA this
00:10:22 year that really attracted me, and every year they always seem to have different themes, but there was some really excellent incident response training that was very focused. The McKinsey folks put it on, I met some great folks in there, and that was an exercise that I felt like I could
00:10:41 come back and really use to up the game inside OSIsoft, so that was a real focus. Another day was just really, I just focused on everything I could on IoT, and that was valuable, and there's folks from the IoT world that
00:11:04 you'll see there. There's guys like Josh Corman that are leading that charge with the medical devices and that particular aspect of IoT, and following what they're doing in terms of, there's a lot of government folks at RSA, and if you want to kind of
00:11:27 get a feel for what direction they're leaning, RSA is a good place to go as well. The software bill of materials presentation with the Department of Commerce and Allan Friedman was really a good one and well attended. You know, as you're answering that, it
00:11:47 sounds like you had a game plan going into it, and I guess when the event is actually an event of events, and so many talks and so many tracks and a huge exhibition floor and sandboxes and such, it probably really does require a little
00:12:06 bit of planning up front to make it worthwhile. It does, but you can also, it's surprising for as many people as there are, you'll sit down and, in my case, I sat totally by accident with my counterpart from Siemens, and we had a great conversation while Wealthy
00:12:26 just was giving their big keynote, so you can still have those kind of surprise meetups as well. So having a plan, though, you know, for the many conferences that RSA is, you're going to spend your time going through the agenda to
00:12:45 be sure you're going to have sessions there of interest and takeaways that you can use right away. Did you see much participation by the ICS security vendors at RSA? Were they all there? The expo at RSA is so overwhelming, and I would say most automation vendors
00:13:10 have chosen to not be there, but the security solution providers themselves, they are there, and it's good to see it that way. They're trying to expand beyond the smart offices, and what you do find at RSA is the corporate industrial companies will be
00:13:39 in the crowd, so you'll see plenty of utilities there and a lot of times the decision makers, and I think it's wise for those companies to be at RSA as a vendor. You know, one thing to close off RSA, though, I welcome
00:13:57 any other comments you might have on it, but the one thing I took away from it, watching from afar, was that I was really pleased and surprised to see that Mike Assante was awarded the Excellence in the Field of Information Security award. Given that it's a general information
00:14:16 security or cyber security event, it's the largest in the world, and this is an award that's only given to one person each year, so it really shows that at least the ICS security sector has certainly gotten mindshare of the broader community, if
00:14:37 they're awarding someone in our little niche that award. I was, you know, obviously I was pleased for Mike, he well deserved it, and glad to hear that he got it, but did that surprise you at all when he won that? I was thrilled to
00:14:55 see it, and it was a surprise, and well deserved as you said, Dale. That on the big stage, that was good to see, and last year's, I think it was the seven most dangerous threats, Mike had a great role in that one too, so he was no stranger
00:15:16 to RSA, that's for sure. Okay, well let's move on from RSA. Let's maybe briefly talk about the DHS event, ICSJWG, and I was curious from that standpoint if you noticed any difference in the event given the reorganization that we've had
00:15:34 with, you know, ICS-CERT sort of being subsumed into NCCIC and cyber command. Was it pretty much the same ICSJWG, or did you notice any new twists? Actually a great question there. I did
00:15:53 notice a really strong change in terms of DHS and NCCIC really doing their best to be successful, open, asking for input from everyone attending. They were clearly emerging from this reorganization with a changed charter, and I think it's great that they
00:16:26 have that mission. The true thing would be, will they do more than listen, will they actually make adjustments with the ideas ICSJWG is asking for? But they're showing all signs of trying, which is a great first step. And the agenda seemed a
00:16:52 little heavier on government or lab presentations than usual. Maybe it was just my imagination, but it appeared that they were making an effort to put more of their own content into the agenda. You know, it came together so quick. I think you probably
00:17:18 recognize that the thing might have struggled a bit with the continuing funding, you know. Well, normally we would have been planning the agenda far more in advance, so for how quick that came together I think it was good. I wouldn't suggest that that's a pattern of
00:17:40 any kind, and of course with Sandia right there in Albuquerque, that might have been a natural thing. Well, I don't know that that would be a bad thing, and maybe this is just me as a competitive conference with my S4 event, but
00:17:57 it's a DHS event, so I would think there should be some unique flavor to it that is related to, you know, this is what the government is doing, this is how we can help, this is what we're seeing that you're not seeing, and this is,
00:18:13 you know, the ideal place for us to transmit that information. Because if it really is just another set of presentations, I'm not sure why it would exist if it doesn't have some twist that says we can do this and others can't. It looks like
00:18:31 in some of the, I guess they're not official announcements yet, but some of the interviews that the people have given who are in charge over there, that they might even be doubling down on this idea that they're going to provide services to industry, you
00:18:48 know, particularly to asset owners and government agencies, to say if you need an assessment, if you've been compromised, if any of these things have happened, call us and we will do these services for you. I noticed you were a little bit skeptical about
00:19:06 that in your tweet. Are you seeing much of that? Well, two parts: are you seeing much of that from them at the event, talking about doing those sorts of things, and what's your impression of that? Right, right, so early on that is a direction that is
00:19:26 being floated out there. I suspect that government might not be the vehicle to really maintain the level of services that's needed, and they repeated that same message at RSA, so it seems unusual to me. You've talked about this many times, about how
00:19:58 specific the talent is in ICS, and some of the ideas being floated to grow the workforce from DHS just don't seem like they would be viable to me. You have internal needs of government in ICS as well. Maybe this
00:20:22 is part of that strategy. I have to say more is better, but keeping the pace with everything is hard in ICS. What do you think? Just one last question on ICSJWG: do you think they should pare it
00:20:43 down to one conference a year? I mean, that's what I've been suggesting for a while now, but they seem to be set on two. What's your feeling? No, no. It is really the only ICS conference that's going to the different cities in America.
00:21:04 I think that they're at capacity every time. You know, if you could do it more often that would be great, but right now two a year is probably about all that could get put together. That's interesting. So you actually take the other side. You think that to
00:21:25 do more and spread it around the country would be a better way to go than just do it really well in one place each year? We think that the reason, you know, about half the hands go up saying this is their first ICS conference, is that
00:21:47 because the conference is coming to them, and it's making a big difference in bringing people into the fold, if you will, and building the communities. So I think, and I kind of thought that might be the special niche that ICS
00:22:05 JWG has, and I think it fits really well with stuff we've got value out of, like going out to the red/blue training they have in Idaho Falls and so forth. Those just seem like really good fits together to train the workforce and bring them,
00:22:26 get more people hands on. Okay, it's interesting, and it's probably not fair for me to comment, because I think it's been about two or three years since I've been to one. I try to go about every third year, so I'm due. I'm not sure I'm
00:22:42 going to make Cincinnati, maybe I'll wait for a better geographic location. Just a follow up on that training, I think you, I mean, you did reply to some of the tweets when I was in the international track at ICSJWG, and
00:23:03 I was stunned at the kind of investments, workforce investments, going on in Japan. To be able to go to ICSJWG and hear about that, and kind of compare it to what we're doing in our country, is pretty unique. You get
00:23:24 around and see those differences, but I was stunned as to the level of investment that is going on in other places. Yeah, I agree, but, that's, we can talk a little bit about that. So in Japan, what the government has done is they've created
00:23:42 a training program and encouraged the ICS vendors and the large ICS asset owners, you can imagine, you know, your Mitsubishis, your Toyotas, your large economic interest to the country companies, to send one person, I think they allowed more than one but they were highly encouraging one
00:24:05 person, to a year-long training course that was sponsored by METI and put on by some of the other people, IPA and others, with the idea then that each of these companies would have one well trained person. Of course the training course,
00:24:25 putting it together and staffing it, costs money, but each of the companies actually had to pay a not small amount of money to send a student to the class, and they had to pay their salaries as well, so it was a sizable commitment on an individual basis
00:24:41 for each one of the companies, and they're viewing that as a success, and they're going to do it again next year. So that's a good thing, and I think it certainly was successful for those trained individuals, but I think back to my discussion with Marty about training,
00:25:00 and kind of what I was tweeting is, I wonder when these things are done, if they're viewed a success, how do we scale it up? And, you know, I look at what you just told me about ICSJWG, I say okay, if that's true, if
00:25:17 that's a good way of reaching people, then why not scale that to six a year, or even ten a year? And why not include some of their training classes in that? Because I would think it actually might be more useful to get at least
00:25:35 one of those days to be a full-out training day, as opposed to getting a hodgepodge of different presentations. So that's what I always wonder on these things is, are we, and I look at this with our research projects or anything we do, I always say, do
00:25:52 we at least have a path to success? What does success look like? And I'm not sure I really have seen that in the US, or even in Japan, although they both have had some level of success in what they've attempted. You're more involved with
00:26:10 DHS, obviously, than I, ICSJWG. Do you see them ramping up this training at all? I really agree with you, Dale. I think that is the kind of vision that's needed, and in terms of defining what success looks like, we'd
00:26:27 love to see the training brought in as part of the ICSJWG. It's something they had done in the past, and I know they were thinking about it again because that's kind of what they're getting as well. And to take
00:26:47 the other side of that, I don't really know that they should be doing training now, because there's many, many training options out there, between ISA and SANS and Red Tiger and SCADAhacker, all those, so there's a lot of people providing this training for a fee.
00:27:05 But I guess where I come from is, if the government believes that training these groups is something that falls in their purview and is important, then let's do it. You know, the same thing with the assessment side. I don't think the government should be doing assessments, but I had
00:27:25 this conversation with Marty on stage: if you're going to do assessments, you're not really moving the needle if you're doing thirty or forty a year. How do you gear up to actually make something happen? And I guess I don't really hear that from
00:27:41 any of the governments around the world, at least at this point. Yeah, one of the ways that maybe could strike the balance is to focus the training on things that, how does Zach Tudor like to say things, that really only the government is in a position to
00:28:00 do, or no one else would really invest in, but one of the most requested things at Albuquerque was, hey, what's going on with CSET? And there were some really cool announcements, like they're planning to open source it. Why not have some CSET-focused training,
00:28:19 if people are using the tool and so forth. Yeah, I think there's a lot that can be done there. Well, you know, I think it's only fair, it's easy for me as a small shop to say do this, do that, turn on a dime, but I
00:28:33 guess we need to give NCCIC and DHS a little chance to find their way here with the new org, figure out what the priorities are going to be, and then see how they do. And a lot of them were there.
00:28:47 I thought it was actually good that a lot of them were there to support the change, to show that there's still commitment from DHS in this area as opposed to just, you know, kind of fading away, or even, I wasn't sure they were going to do
00:29:01 one. I thought they might just skip a while, which would have sent the wrong message. Yeah, I really, it was well done how they executed. Any other thoughts you have on ICSJWG before we move on to your event? No, just to encourage,
00:29:20 you know, the community to put papers in for it. That's the biggest thing, so don't be shy about writing a paper. One of the best lightning talks was someone just sharing their experience of how they went from being a hacker to a defend-
00:29:41 er. It was a great story. Let me take a quick break from my interview to talk about this episode's sponsor, CyberX. As I mentioned, CyberX has been a good supporter of S4, being a sponsor since 2015, and the official write-up they
00:29:57 gave me says: founded by military experts, CyberX has developed a platform that helps organizations continuously reduce ICS risk. So they have a very interesting product, but what I want to actually talk to you a little bit about is their Global ICS and IIoT
00:30:13 Risk Report. We did a podcast episode with Phil Neray on this back in November of last year, and what they actually did is, they have this platform that obviously they sell and they're promoting to reduce ICS risk, and they put that platform in 375 different
00:30:29 ICS networks, primarily to show the asset owner what the platform can do, but as a side benefit of that they actually were able to collect a lot of data in terms of what is on that network, what's happening on that network, and they compiled that data anonymously,
00:30:46 of course, so no asset owner information was given out, but they compiled that data and created this Global ICS and IIoT Risk Report. You can get that report at cyberx-labs.com, and a link to both the place to get the
00:31:02 report as well as the podcast I did with Phil is in the show notes. CyberX was able to generate this report because their platform has built-in intelligence to understand a large number of ICS protocols, the popular ones of course as well as many proprietary protocols, so
00:31:20 I'd encourage you to download that report, listen to the podcast, and check out their platform at cyberx-labs.com. Well, let's talk about the OSIsoft event. So you have a PI World event, and I know, having been to it when it was
00:31:38 named something else a few years back, I know there's certainly a number of sessions on security and a focus on security, but I guess I'd like to start a little broader. What did OSIsoft have as the theme for the event? Okay.
00:31:55 So like a lot of companies, digital transformation is here now, and our message about supporting that was we're extending our product to support folks that are doing things at the edge all the way to the enterprise in the cloud, so that was really kind of
00:32:18 our theme for this year. Did that differ much from last year? Were there new services or products, or was it more just an emphasis and more case studies now that it's a little more mature? I think the biggest surprise is how quickly the edge
00:32:37 solutions are coming forward, and seeing OSIsoft open source projects out there already baked to send data into the system is pretty exciting. We've never really done that before, and it's great to see that new idea come forward. Our cloud services
00:33:06 are in force as well, and I think it's no surprise that our industry is starting to look there. We weren't the first ones to go to the cloud, but it's certainly an attractive value proposition, especially for folks that maybe aren't the biggest kind of players,
00:33:32 that don't have the resources to operate their own infrastructure. I think we're seeing the cloud is actually more secure than on premise. Security-wise, it is the product we build for our replication engines. We've had PI to PI for a
00:33:57 long time that kind of protected the perimeter between the local historian and your enterprise infrastructure, and there's a new engine for that we call PI System Connector. It comes natively built for a three zone architecture. It's probably the best security engineering we've ever
00:34:22 done, so we're pretty proud of that. Is that also going to be used for, like, a PI Interface to the PI server, versus PI server to PI server? Actually that architecture is going to be available, or is in some cases, for, like, Modbus,
00:34:41 all the collectors are moving to this new connector architecture. It's an exciting change for us, and to see customers talking about it after they have had it in the field is when the reward comes. It feels good. So does that mean
00:35:02 TCP 5450 will slowly fade away? Port 5450 is going to be out there really a decade or more, but this, the concept is separate protocol in, separate protocol out, separate authentication in, separate authentication out. It's more of a true proxy design
00:35:29 that's native for being able to deploy in the DMZ. Okay, well, I'll look at that, so I assume you have some, you should send me a link, I'll put it in the show notes for people to get a view of what that is
00:35:43 exactly. There was a big ISA99 conversation in the run up to PI World, and the speaker that featured on that was actually from a company called Biogen, and Gus gave a presentation on that, so I'll send you that link. Okay, good. You know, one
00:36:01 of the ideas that I've seen kicking around, not just you talking about it but a variety of people, and this is a little bit related to the new architectures we're seeing, the use of the cloud and getting data from maybe sensors that are not down at
00:36:19 what would traditionally be level one anymore: is this a shift away from the Purdue model or a change from the Purdue model? I was curious about that. It's easy to say, but I think a little bit tougher is when you say, okay, we're going to move away
00:36:37 from that, and then it's to what? Is it another model, or is it a set of principles, or what do you think we'll move to, if the Purdue model actually does no longer become the dominant force in the way people architect these networks? Oh, you
00:36:58 went to the third rail of ICS here. Well, I'm in the camp that the Purdue model will persist, and as a funny side note, I am officially a product of Purdue; pretty much both my mother and father were from Purdue. So anyway, the
00:37:22 idea, yeah, kind of funny there. So the idea is that the network model part isn't really what the reference model from Purdue is about; it's really more about the functionality, and that's what I mean when I say it'll persist. Things like the high-speed closed
00:37:50 loop control that we see at level one, it's got to stay there, right? The dynamics of process control won't allow you to insert latency into those functions, so it's just going to have to stay local. Decisions that are being made to
00:38:13 optimize the business, that's still going to happen at the enterprise level, and how the information gets out there isn't really the important part; the optimization has to happen with the view of the broader picture of the business. Well, but I guess where it maybe gets
00:38:35 a little more interesting is maybe the definitions of the levels don't change, but what we've seen, I have drawn too many of them, you probably have as well, is where you'll have a diagram that shows the levels and then you will almost be able to overlay a network diagram
00:38:54 on top of that, with in some cases security perimeters between the levels, and some people put these DMZs as point-five levels, you know, 2.5 or 3.5. But that seems to be something that is bound to change in the next, you know, one to
00:39:15 five years, and something that probably has changed some places already, where some of the level zero sensors and actuators aren't going to be sitting down deep, buried in a control system, you know, and you're going to have different levels in different places
00:39:37 that are going to then transit networks that, you know, might not lead to such a pretty diagram as we've had for the last decade. So do you see... are we going to change the model at all based on the networking, or do you
00:39:55 see it... I don't even know what the other option is, to be honest with you. It's a question I've struggled with. So I think that, you know, what's going to drive the changes are really our notions of control centers, and we know
00:40:13 we need to protect control centers where those decisions are being made, and the traditional thinking is, all right, you've got to protect the control center from the corporate network or the internet; that's the direction the attacks come from. Then, you know, a
00:40:33 few years ago at the Digital Bond conference, Crain and Sistrunk got up there and pretty much proved to everyone that you've got to worry about the bottom up. I think Sistrunk said it's like you can't just mow the front yard, you've got to mow the back
00:40:52 yard too. And the idea that information is going to attack the control center from the sensors on up is real; we know it's coming, and it's very, very real today. I think a lot of the automation vendors are working hard on that. The threat that
00:41:20 worries me is when control moves all the way to the edge, whether it's connected car or whatever; now we're going to have sensors, level one things, attacking each other, and my worry is we don't have a plan there yet. I know that Joe Weiss is busy trying
00:41:44 to help people see that level one, level zero are things that we need to work on, and others are too, to do the consequence-based engineering, which is really good as well. Those three things I think are going to drive the models on how we
00:42:02 have to defend. What we could run into is a case where the model stays the same but the interfaces between the levels get better defined in terms of requirements, and that would be something that would be independent of your network topology, potentially. If you said,
00:42:28 if you are going to talk to this actuator, this is what you have to do to talk to that actuator: you know, you need to be authenticated, you need to be issuing a command that that authenticated entity is allowed to issue. Things go down those roads,
00:42:43 but that's not as much of a linear or easily drawn model; that's a little more, I don't want to say conceptual, but it's really based in more of an interface model. Have you seen anyone working on Purdue
00:43:02 model next gen? Yeah, at LOGIIC there was a really fantastic keynote about IIoT, and I think that's probably where, if anything, we'll see it emerge, not necessarily LOGIIC itself, but it probably even mentioned that the ICS community needs to somehow be a part of the discussion with what's
00:43:31 going on in IIoT, and that's maybe a place where we haven't done as well as we need to do, because these new architectures are emerging largely outside of our echo chamber, if you will. The idea that sensors, non-essential kinds of indicators, can be
00:43:55 brought up very cost-effectively through these wireless cellular links and take their way to the cloud and back into your decision-making infrastructure, that all looks great to me. The thing that worries me again is when people say, well, yeah, this is working
00:44:26 good, why don't I start to do control? Why don't I connect it to my ICS network? And then we bypass all the security mechanisms that we have in place based on the Purdue model today. Yeah, and this is where I think, just to go
00:44:46 down this rabbit hole a little deeper, we say control, and this is why I'm excited about the consequence-based approach, whether it's INL's or others: not all control is going to introduce a lot of risk, and we tend to look at things, and this is part of
00:45:11 the model, I think, is it treats everything on the same level as the same, and somehow we're going to need to be more granular and more tailored, in the sense that this control is okay but that control is not okay. And where I'm really seeing this, and
00:45:31 not having a lot of success yet with some of our vendor clients: they're all beginning to look at offering cloud services to their customers, and it tends to be the default approach is we will connect and then we will do these things, but their limit on doing
00:45:54 these things is strictly based on their good intentions and not having someone do the wrong thing or not being hacked. There's no technical control to prevent them from doing the things that they shouldn't be doing and only doing the things that the asset owner
00:46:10 says, I'm willing to accept the risk of someone remote doing these things. So I don't know when we're going to start looking at engineering security controls that tailor what can and can't be done in some of these areas, where some things are
00:46:26 very dangerous and others are innocuous. It's much different than the safety system. Safety system, you say, well, obviously that's designed to prevent very bad things from happening; we don't want anyone to touch that. But when we get into control, I can make the case that there's
00:46:44 a lot of things that could be controlled better from the cloud than from a control room, more efficiently and perhaps even more accurately. I don't know, though, that I would want something in the cloud to be able to control everything in my operation; there might be some things
00:47:03 that I say, no, we only do that locally. You've probably heard this story to support that many times. As you were sharing that, I was thinking about the transcript story from the Pittsburgh ICSJWG, but I won't try to retell it here. It's unfortunate
00:47:25 that those presentations are posted. Circling back to what ICSJWG, everybody, could do to improve, that might be in one of them. But you were right that there's a lot of times where the supplier, your partners, whatever, provide great value, and it's
00:47:48 maybe even better than trying to do it yourself. And from a security perspective, trying to have it come with criteria that allows it to understand when you're taking too much risk and when you're not is a worthwhile endeavor to figure out. I agree. We're
00:48:11 practically there from a technology standpoint with these deep packet inspection capabilities that are out there. Yeah, we can do it; we can say allow this, we don't allow that. But actually approaching the problem in that sense isn't something that's done. But let me get off my soapbox
00:48:31 on that, because I did want to hit at least one more topic with you, and that's LOGIIC, which is a combination of large oil and gas vendors and some government funding as well, that have for a number of years now funded projects, and you were at an event
00:48:49 there. One thing I was curious about with LOGIIC was, a couple years back they funded, I don't know if it was the second or third LOGIIC project, but they funded a look at safety and control integration, and the end report on that, probably not surprisingly because you had so many
00:49:09 people that needed to sign off on that report, was a little, my words, it was wishy-washy. It said you can integrate them, you can separate them; it kind of showed all the different options, and it did talk about some pros and cons of
00:49:23 the various approaches, you know: integration, you get efficiencies, more data sharing; separation, higher security, less cross-compromise. They covered all that, but they didn't really put a line in the sand saying, look, you should not be able to compromise your safety system from your control system. They didn't
00:49:42 say that integration was dangerous. I was wondering at the event, to the degree you can talk about it, post-TRITON, if people were really looking at that or saying we need to rethink this now that we've actually seen someone go after a safety system. Oh,
00:50:00 yeah, I think I might even have tweeted that one of the active projects is reviewing that safety integration. So recall, there's a multiyear assessment going on. Yeah, it's a hot, hot topic and very timely. LOGIIC is going to be there; the assessment of that
00:50:28 safety integration piece. Well, it's one of those things too, where now are there vendors that are members of LOGIIC, or do they just support LOGIIC on projects? No, it's the latter, so vendors aren't members; they simply support the projects when there's the opportunity to
00:50:52 do so. And did they announce any, are there any new projects or anything that they've committed to that they'll be working on over the next year or two, besides that safety relook? That's really the bulk of the workshop, to bring together people and brainstorm
00:51:15 what the projects to be done are going to be, and there were several different themes in the breakouts for brainstorming, and I know that there were actually meetings following the formal workshop where other ideas were being pitched as well. So it'll be
00:51:37 exciting to see what bubbles to the top out of all this. They are a well-funded group and committed to moving things forward. I actually think that this voluntary approach should be a model for other sectors. I think oil and gas will get farther than some of
00:51:58 the other sectors that are really moving only because of regulatory or threat of regulatory action. I think, from, you know, an outsider, because I've been peripherally involved with this for a while, I think sometimes the benefits of LOGIIC, and I've been a critic of it at
00:52:20 times, the benefits aren't as obvious as you would think they could be, because the output is a report that, again, because you have so many vendors involved, you have large asset owners, there's certainly some impact to something being very much against what you're doing. You
00:52:44 know, if you're a large supporter of it and all of a sudden they say your architecture is wrong and dangerous, that's not going to go very well for you, so that tends not to make it into the report. But I think the benefits to these oil and
00:52:56 gas companies of talking to each other, participating, getting the knowledge and putting it back into the organization probably far exceed the final report that comes out. The final report is just something they have to do to show completion of projects. But I've always thought that,
00:53:18 and I made this mistake early on of judging them by the final report, I've maybe gotten a little smarter over the years and realized that that's not really the main deliverable of LOGIIC; it's the interactions, it's the knowledge sharing that doesn't become official, written
00:53:36 in stone. Has OSIsoft also been involved in any of the projects? We had a successful project with LOGIIC. It was really the group; the folks doing the assessments are very skilled, and, you know, there are things that we would like, if I could do it
00:54:05 over and with a magic wand, I'd love to have the actual LOGIIC members involved at the same time, but it's okay to work with researchers. The main thing is that we learn something out of the assessment, and we did. That's our reward. Good, good.
00:54:30 Well, let me just, kind of to finish off, let me take a step back then and say, you've attended all these events and certainly others over the last, you know, since the start of the year. Are there any themes or areas that you think people
00:54:47 that maybe don't attend so many of the events should be looking at, because there's a groundswell coming in the community? One of the pieces that we talked about is how companies develop their workforce in ICS security, and I think these conferences are probably the key
00:55:12 elements of doing that right now. It's where the information sharing is happening, whether it's an ISAC or whether it's actually being able to give a presentation to your peers and get the feedback. So it kind of channels something that long ago you had Ross Anderson as a
00:55:33 keynote, and that's for, it might have been '09, but he did a really nice chart about how you should have two vectors on a chart, and the upper limit on how good you could be, and the bottom line was, you know, you're limited, that
00:55:54 you can only be as good as your weakest link kind of thing, but it can only be as good as your best people as well. That's why I think it's important for OSIsoft and asset owners to come together in these communities, hear what researchers are saying,
00:56:15 where we need to go, to tilt the slope on the line. We'll do that if we share; if we all have to learn it the hard way, we'll never get there. Well, that's the show. I want to thank again my guest, Bryan Owen of OSIsoft.
00:56:38 Bryan himself and OSIsoft as a company have been a big help for our S4 event; they were actually the first sponsor we ever had, I think back in 2008, and they've sponsored the Capture the Flag competition for the last four years. You
00:56:55 can learn more about OSIsoft at osisoft.com, and I'll include some links that we mentioned in the podcast show notes for this. Please send me ideas for future guests and topics for the Unsolicited Response podcast to s4@digitalbond.com. I've already
00:57:14 got scheduled a recording on cyber heidi you know ICS. I'll talk to you then, or next time something warrants an Unsolicited Response.

Transcribed by algorithms.
Disclaimer: The podcast and artwork embedded on this page are from Dale Peterson: ICS Security Catalyst and S4 Conference Chair, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.