On Location With Sean Martin And Marco Ciappelli

Navigating the World of Operational Technology and Cybersecurity | A Brand Story Conversation From RSA Conference 2024 | A DirectDefense Story with Chris Walcutt | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Explore the intersection of operational technology and cybersecurity in a captivating dialogue between Sean Martin and Chris Walcutt.

Episode Notes

In a recent episode recorded live at the RSA Conference, an insightful discussion unfolded between Sean Martin and Chris Walcutt on the intersection of operational technology (OT) and cybersecurity. The conversation look into the challenges, insights, and best practices surrounding these vital areas of technology. Let's dive deeper into the key takeaways from this engaging dialogue.

Bridging the Gap Between IT and OT

Chris emphasized the importance of collaboration between IT and OT teams, highlighting the need for mutual understanding and cooperation. By fostering communication and building trust, organizations can navigate the complexities of integrating IT and OT systems effectively.

Understanding Critical Infrastructure

One of the key insights shared by Chris revolved around the critical nature of infrastructure, particularly in sectors such as energy, water, and manufacturing. The emphasis on resilience-based risk assessments and the need to comprehensively evaluate vulnerabilities underscored the importance of proactive cybersecurity measures.

The Purdue Model and Practical Approaches

Chris shed light on the Purdue model, a framework often referenced in the OT space. While acknowledging its value, he emphasized the need for practical implementations tailored to individual environments. Simplifying zones and focusing on critical operational aspects can enhance security without compromising system performance.

Fostering Resilience through Collaboration

The conversation underscored the significance of resilience in cybersecurity efforts. By fostering collaboration, implementing tailored security measures, and leveraging expertise across IT and OT domains, organizations can bolster their resilience to cyber threats effectively.

Procurement as a Strategic Ally

An insightful recommendation from Chris highlighted the role of procurement as a strategic ally in the cybersecurity landscape. Educating procurement teams on the specific needs of OT systems and integrating cybersecurity requirements into vendor contracts can fortify defense mechanisms and mitigate risks.

The dialogue between Sean Martin and Chris Walcutt offered a comprehensive glimpse into the dynamic realm of operational technology and cybersecurity. By emphasizing collaboration, risk assessment, and strategic partnerships, organizations can navigate the evolving cybersecurity landscape with resilience and adaptability.

The insights shared in this conversation serve as a valuable resource for IT and OT professionals seeking to enhance their cybersecurity practices and fortify critical infrastructure against potential threats. Embracing a proactive and collaborative approach can pave the way for a more secure and resilient technological ecosystem.

Learn more about DirectDefense: https://itspm.ag/directdef-gs7

Note: This story contains promotional content. Learn more.

Guest: Chris Walcutt, Chief Security Officer at DirectDefense [@Direct_Defense]

On LinkedIn | https://www.linkedin.com/in/christopher-walcutt-cism-cissp-45a6631/


Learn more and catch more stories from DirectDefense: https://www.itspmagazine.com/directory/directdefense

View all of our RSA Conference Coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage

Are you interested in telling your story?

Episode Transcription

Navigating the World of Operational Technology and Cybersecurity | A Brand Story Conversation From RSA Conference 2024 | A DirectDefense Story with Chris Walcutt | On Location Coverage with Sean Martin and Marco Ciappelli

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.


[00:00:00] Sean Martin: And here we are. You're very welcome to a new On Location, coming to you recorded live. We're live. I'm alive. You're alive.  

[00:00:09] Chris Walcutt: I'm alive.  

[00:00:10] Sean Martin: We're both live, uh, from RSA Conference. And, uh, it's been a good, good day so far. And, as you know, I'm the host of Redefining Cybersecurity podcast where I get to talk to cool people about cool things. 

One area I don't get to talk enough about that I love, operational technology. Why? Because I'm a nerd, for one. But two, it's cool. It's involved in a lot of stuff that matters. It's a lot of stuff that matters. So, uh, I'm thrilled to have Chris Wolcott on with me. How are you, Chris?  

[00:00:40] Chris Walcutt: I'm doing well. Thanks for having me. 

[00:00:41] Sean Martin: Yes, and, uh, direct defense here, full force. Uh, having good conversations, protecting the world through, uh, one OT device at a time, right?  

[00:00:50] Chris Walcutt: We're gonna try. Keep the bad guys out of the power grid. Keep them out of the water. Keep them out of your, uh, Nest cameras in your house, you know.  

[00:00:58] Sean Martin: All the good things we love. 

I like to drink water. Um, clean water. Mixed with what? Yeah, exactly. In the form of an ice cube over, uh, under bourbon. Excellent. Um, alright, so we're here to talk about ITOT, the convergence there, the need for visibility and control, a different view of how we look at risk, and how to tackle that with the teams. 

that are already understaffed and may not know all the details of those two worlds together. Um, we're going to get into the nitty gritty of that, but before we do that, Chris, a few words about your role and what you're up to.  

[00:01:39] Chris Walcutt: So I'm the Chief Security Officer at Direct Defense. So in addition to the day job of trying to keep our enterprise secure, I also run a team called the Connected Systems Practice that's focused around all things OT, SCADA, IoT. 

We get down in the weeds with manufacturing and commercial and industrial side. We get into critical infrastructure, you know, energy, water, gas, pipeline, all that fun stuff. And then we've got a side of it that's all about hardware testing, breaking devices, working with the manufacturers, testing them, figuring out how they can make them more secure. 

[00:02:15] Sean Martin: And I want to pull on this thread to start. Um, I can envision a lot of Teams thinking they know what their environment looks like. I can think of a lot of vendors, technology providers, service providers, that think they know how things work a certain way. But then I hear from you, you're working with the manufacturers. 

You're working with the threat researchers. And this view, and in environments that matter, this view and this depth, I suspect, gives you an interesting insight. Very powerful view of what needs to happen.  

[00:02:57] Chris Walcutt: It does. It does. Across all of critical infrastructure, the energy sector is really the only one that has real regulatory teeth. 

So the bulk energy side can be fined a million dollars per day per instance of non compliance for the NRCSIP regulations. Regardless of all the other presidential directives and regulations that have been put out, there's nothing else with that kind of actual enforcement capability. that exist across any place else in critical infrastructure. 

So water, oil and gas pipeline, production, um, you move over into telecommunications and rail. Everything's focused around safety. There's not a lot that's focused around cyber security. And if there is, it's generally guidelines. You move over into the manufacturing space and a lot of these companies have done things to protect their IT environment. 

They've got the perimeter firewalls, they protect the corporate side. On the OT side, they kind of Put the security perimeter wrapper around it, but then inside that space, they don't touch it. It's very hands off. This is operational uptime. We can't mess with it. We don't patch it. We don't scan it. Um, and they may not have the staff to understand what's really going on in that space. 

And then the hardware vendors are struggling because there's not a lot of, uh, agreement on what should be the cybersecurity standards for hardware. So, IEEE's got 62443. UL has 2941 that hasn't been ratified yet.  

[00:04:22] Sean Martin: So, when I, I haven't spent a lot of time in OT, so it's a new world for me as well. Sure. Um, when we look at IT, 

for many years it's been compliance driven. So you're saying there's not even a lot of compliance to help drive a lot of change in this space then?  

[00:04:38] Chris Walcutt: There's a lot of best practice, but there's not a you need to or you must. Right. And so a lot of organizations haven't done what they need to or they can't get the money. 

So, in the U. S. anyway, in North America, the bulk energy sector is all these big private merchant energy companies. A lot of them are publicly traded. They've got a lot of money at their disposal, right? And they can go and make a case to charge more money for the electricity that you pay. But the water utilities, a lot of times, are a small municipal government. 

Um, they may not even have a bunch of full time staff. They don't have that same access. They can't necessarily go and make the case successfully to charge more money. And so they don't have the funding to do the same type of stuff.  

[00:05:18] Sean Martin: Interesting. So, so without, without the funding, you say there are best practices. 

There are. So this is just people who care and are trying to do the best thing then? Or, or it just doesn't happen?  

[00:05:32] Chris Walcutt: Some of it is people who care, some of it really doesn't happen. Okay. Um, at least not until a breach happens. Okay. And we do breach work in both the IT and the OT space, and so we see that, That, that panic, that fear, you know, there's a lot of stuff that, that doesn't make it into the news or is very tightly controlled and a little bit gets out because of the nature of what it is. 

[00:05:55] Sean Martin: Tell me some stories, no, no names, I don't want to expose anybody here, but let's say a wannabe. Um, so I would imagine sometimes a breach isn't catastrophic, an incident doesn't destroy an environment. Sure. Sure. But it wakes somebody up. Um, you get called in, you help. Help with that, maybe you can share some stories on that. 

But, before the breach, there must be some signals. Right? That stuff's crossing over from IT and OT. Or, there's known weaknesses on Shodan that send some flags up that people aren't looking. I don't know. Tell me some stories of how organizations could have seen some red flags before, even if it wasn't catastrophic. 

[00:06:39] Chris Walcutt: Right. Well, and sometimes they even get testing done and then just don't follow up. So I give you an example of a large energy utility in the northeast deployed smart meters, call it five, six, seven hundred thousand of them across part of a state. And then they wanted to use that network. In doing that, they stood up their own mesh network. 

Right? Devices can talk to devices to get back to the data center. So that gave them the ability to have this free mesh network. So they wanted to do something called recloser automation. Reclosers are basically giant circuit breakers. Think of turning on and off parts of the power grid for maintenance, or if you have an outage, let's say a tree comes down in a storm, you can de energize one side to make it safe to work on. 

They'd love to be able to do that remotely. And so to do that  

[00:07:24] Sean Martin: California, you want to That's a whole different thing.  

[00:07:28] Chris Walcutt: Right, right. The Enron days. So, you get an organization that says, OK, well we rolled out this network, we're going to use it for something else. And they come up with a way to put these devices onto that network. 

And they want a little secure gateway that's out on a box on a pole, right, out in somebody's neighborhood, that's going to give them a secure communication path back to the data center. Well We went out and we tested one of these devices out in the field and found a vulnerability in it and was able to use it to get back to that control center, the energy control center. 

So this would have given a bad guy the ability to get all the way back to potentially control of the power grid. And so  

[00:08:08] Sean Martin: Not just the control point, but the control center?  

[00:08:10] Chris Walcutt: All the way back to the control center, right? Because this device is talking to that control center. So, we stopped. We stopped. The assessment, because this was not the full scope, and we create a little report and we give it to them and we say, we need to go talk to this particular hardware vendor and have them explain how they're going to fix the vulnerability. 

The problem was this vendor didn't do a lot in the space. It was not a U. S. Based company, and they basically said, you know, we don't really plan to do anything about it. We're not gonna be forced to buy anybody. This isn't really something we really care about. And because they didn't buy a couple of these devices and get him security tested before they put him in. 

Now they've got to go buy. They cared if you just got rid of three or four thousand of something else and roll trucks and replace them all and pay a fine to the government on top of it.  

[00:08:52] Sean Martin: While they're down?  

[00:08:53] Chris Walcutt: While they're down, yeah, exactly.  

[00:08:56] Sean Martin: Alright, so, this tells me, well, in that situation they had some sense of risk. 

[00:09:04] Chris Walcutt: They did, they were doing some things. They were doing some things. It just wasn't a complete program.  

[00:09:09] Sean Martin: And I know you have this. This term of resilience based risk. Because if they'd taken, I'm assuming if they'd taken their analysis of what was important and what might impact that and kind of expanded that just a little bit more to say a replacement of this environment would actually be just as much, more so of a risk. 

To our resilience, hence the penalties.  

[00:09:38] Chris Walcutt: Yes, and you can expand that a little bit more. And this is where I always recommend that the OT side should talk to the IT side. There's distrust between them and a lot of organizations. And the downside is the IT side may have in the past done something, applied a patch and it caused an outage, right? 

They don't necessarily understand the true importance of, you know, five nines or whatever that uptime requirement is for the organization. But the OT side doesn't necessarily understand that IT is used to vulnerability management and patch management and they've got tools and processes and OT could and should be making use of them. 

So if they expand that out just a little bit and looked at it from a perspective of what if we need to patch that device? What if we need to manage the vulnerabilities and go back to the vendor and ask those questions and the vendor says, well, we don't really have. A patch management cadence. We're not going to, we're going to release patches when we find out about problems. 

Those are potential red flags for devices in that space. So one of the big challenges is getting to the point where the OT staff or even the procurement staff, to my mind, procurement is your friend. Educate them, let them help you. All the vendors that you bring in this space, you're inviting them into your ecosystem. 

This is how you avoid vendor transmitted diseases. You don't want those VTDs. You get to know that vendor pretty well. You don't get in that relationship after, you know, one lunch or one dinner.  

[00:11:00] Sean Martin: Ah, yes, um, VTDs. Uh, yeah, uh, let's, I'm speechless. I was expecting it and I'm still speechless. No, I think what I,  

[00:11:14] Chris Walcutt: you need a security prophylactic. 

[00:11:16] Sean Martin: I do need one. I'm going to go to segmentation, actually. In all seriousness, the, so you mentioned best practice and Yeah. I think there's a lot to learn from both. Right? There is, um, because it, especially when you, when you insert security in it Mm-Hmm. Can often be seen as a, as a, a disabled right. For a business. Mm-Hmm. , so kind of blocking things. Yep. Which goes completely against the, uh, the ot where it has to main  

[00:11:44] Chris Walcutt: and it doesn't need to be sort of the organization of No. It needs to be the groups coming together and figure out how you make it happen, how you make it work. There's always a way. 

[00:11:53] Sean Martin: Yeah.  

[00:11:53] Chris Walcutt: There's always a way.  

[00:11:54] Sean Martin: So I think both sides can learn a lot from each other. And I think this is where another interesting point comes up for what you do at Direct Defense because of all the experience you have on both, right, is you can kind of help bridge that.  

[00:12:08] Chris Walcutt: We do.  

[00:12:08] Sean Martin: And if I remember correctly, you have a keen way of helping and keen way of using words as well to help, uh, To help translate the environment, so translating best practices, translating how things work in one environment versus the other, why things are important in a certain way. 

Um, so talk to me a little bit about what that looks like.  

[00:12:30] Chris Walcutt: So the translation goes back to really my first significant job in technology. Um, I started on a energy commodities trading help desk for a big Fortune 200 energy company. And over the course of my career in system admin, network engineering, network architecture, eventually I landed as the director of IT for power generation. 

So we had 37 power plants spread across North America, there were three nuclear plants in the mix, and IT and OT really didn't trust each other. And so I didn't know a ton about OT, what it meant, what it was, and so I asked my leadership if I could do some job shadowing. And introduced a job shadowing program between IT and OT that really helped to foster that communication and build some trust, which made the whole organization better. 

And a lot of that was later adopted and is still, some of it is still in play. But because of that, the team that we have at DirectDefense on the connected systems side, which is our OT practice, is all built from practitioners. Everybody who's on the team has been responsible for either designing, building, or running. 

OT SCADA systems. Uh, one worked for a big manufacturer and then ran a water system for a major city. Um, another worked for two energy companies and went on to run manufacturing for a well known brand. I spent almost 10 years with Constellation Energy, which is the parent company of Baltimore Gas and Electric. 

And then another almost seven with Black Veatch, which is a large engineering firm that builds critical infrastructure. Um, and we have another who was on a CyberPatriot team that I coached that won the national championship in 2016 and is a very well known, becoming world renowned hardware hacker. And so he's got the latest Google Pixel vulnerability. 

Uh, Google Chromecast, excuse me, Vulnerability, and yet to be publicized series of vulnerabilities on another product that I can't yet speak about. But, um, this team fosters trust. When we go someplace and we walk in and we sit down with the OT staff, and you're talking plant managers, plant control system engineers, technicians. 

We can tell them we literally have done your job. We understand your technology. We know we need to make sure that everything we do won't cause an outage, won't take time away from operations. We're very respectful of the fact that there's one of you in a million square foot facility. We get it. And because we get it, they will open up to us and understand that we really are trying to help. 

We're going to help them try to figure out how they talk to IT to get the funding, to get the tools, to get the people, to get the training so that they can make that system more resilient. Right, but they have to focus around things like vendors that release patches every 18 months or vendors that won't let you patch your own systems. 

So there's a couple of these SCADA system vendors. Some of these, and particularly in other countries. The team was over in China and Japan recently, and SCADA system vendor that is also well known for not letting you patch your own stuff. So if you don't have the annual service contract. They don't come in and apply the patches for you. 

When we saw, one of the systems we saw hadn't been patched in almost 10 years.  

[00:15:44] Sean Martin: How do you get around that? Because you can toss security layer products on top. That's not going to solve that problem.  

[00:15:51] Chris Walcutt: Well, you do, but they also don't have the visibility of what's happening, right? So without the visibility, you don't have a baseline. 

Baseline tells you what's normal, you see what's abnormal, you can take some action. You could truly take that system offline from the corporate side if you wanted to. You could disconnect it from all things not self contained. That causes problems on the business side, but a lot of the business processes could be handled on paper if you really had to. 

For some period of time anyway. And usually the manufacturers will tell you, Hey, we can run on paper for eight hours, or we can run on paper for two weeks before we have to stop. Um, but, These vendors, if you don't provide them their annual service maintenance payment, they won't come in and apply your patches. 

And so that's about executive leadership realizing that that service contract is more than just what if, but it's ongoing life cycle that really needs to happen. And if somebody who understands the business side doesn't explain it to them, they just may not realize it.  

[00:16:48] Sean Martin: Back to procurement.  

[00:16:49] Chris Walcutt: Back to procurement. 

And, and leadership having the wherewithal to support that. It's a necessary thing. Yeah.  

[00:16:57] Sean Martin: So, responding to some of these things, um, because I made a bit of a joke in terms of you just throw security on top of it and then that problem goes away.  

[00:17:08] Chris Walcutt: Yeah, you spray it on instead of baking it in, right?  

[00:17:10] Sean Martin: Exactly. 

Yeah. But you do need some layers of security. You do. Similar to IT. It looks different. It acts different. It smells different. Um, Organizations need, as I would presume, more OT teams. I'm thinking back 10, 15 years ago, 20 years now in cybersecurity and the IT side. Yeah. Um, you don't just set it and forget it. 

[00:17:32] Chris Walcutt: No, it's continuous.  

[00:17:33] Sean Martin: And if you, if you don't know how to set it right in the first place, then you might be missing the mark as well. So talk to me a little bit about how you work with some of the security vendors to ensure that, to your point, it's going to help. Maintain and ensure resilience, but not kill the OT team in the process. 

[00:17:54] Chris Walcutt: So a lot of that comes down to, one, having things set up so that you understand the criticality of the environment. So I still call a lot of this critical infrastructure, even on the manufacturing side. It's just business critical infrastructure. And so, some things can run on their own, some things can't. 

Some things are critical, which shut down all operations, and some things don't. Even understanding and having a catalog, having an inventory of that. Sort of the IT inventory problem brought forward 20 years. That OT inventory, what's criticality? This system can't run with that, without that. This business process requires that we take data from this, and we take it out through a DMZ and give it to the business side, right? 

If you can't do that, there are some organizations that also shut down. Uh, we worked one breach a few years ago. One large manufacturing company bought another smaller one. And they had a 90 day window to establish their new technology stack on the cybersecurity side. And about 30 days in, the smaller company got breached. 

And one of the things that it did was it shut down their ability to ship product. They could still manufacture product, but they couldn't ship product. If you can't ship product, you're out of business. And so, understanding what those critical processes are, you have to have the teams working together. 

The OT, the IT. That side has to talk with leadership, the IT side has to talk. You establish that nature of these are the things that we have to have, and that's how you start to build the roadmap for that security. Now, a lot of times the teams that are on the functional side on ot, they know how to keep it running. 

They know how to make sure that it does what it's supposed to, but they may know, not know a lot about the advanced side of cybersecurity. The way the market is right now, also one of the other challenges is that a lot of critical infrastructure is built in places in the world that people don't necessarily want to live. 

So it may be out in the middle of nowhere, it may be in an industrial area with a lot of other companies where there's not nice housing and great schools and some of the other things. And so it's a challenge to get the staff and retain them. And so some organizations end up in a situation where they need a good partner. 

And we, as Direct Defense, get a lot of that because we get organizations, large, well known name brands that you would recognize, um, that struggle to be able to meet their staffing needs in the OT security space. And so, when they can get some, they can have them on the road and traveling around. But, you know, the organization 37 plants globally, um, they're not going to be able to find everything they need. 

And sometimes they'll have positions sit open, and so we become the force multiplier. We've got the experience. We've got good references. We've worked with other firms doing similar things. We can come in and give them what they need and in some cases actually help them make the changes. Because of the OT background of our staff, they trust us. 

They know that we're going to be careful. And then you go that step further and you talk about, well, how do we understand what's normal? You can buy, as I mentioned, you can buy the best OT visibility tools that are on the market. You can buy the, you know, the Clarity's and the Nozomi's and the Drago's of the world. 

Um, they will help you get their product up and running, but if your network is not segmented properly, you're not going to see the data you need. You're not going to get what you have to have from that. And so we will come in and do what they won't, and that is help you make the specific changes to route the traffic across a point of inspection where you can see it and help to take a protective action. 

[00:21:22] Sean Martin: Got it. And then I'll, otherwise you end up no tail, no tails to chase. Exactly. Or too many.  

[00:21:26] Chris Walcutt: Exactly. And because these are not, uh, situations where you can just install an endpoint agent, that's not a thing in the OT space for the most part. And then you go a step further and if the organization is big enough that they do have their own IT soc, that it SOC doesn't know what OT is, they don't have any background or training, um, you could train them. 

Um, but it takes time. And so we also as a partner, have started to work with the convergence of IT and OT on the managed services side. And so the IT SOC has OT cross training and a capability to escalate to the connected systems team that then have designed and built this stuff. And you get a cohesive capability for visibility, um, some semblance of endpoint protection. 

You can wrap in that risk assessment piece. We can do the incident handling and response. And make the changes to get you the visibility and tuning that you need that the platform vendors, um, frankly aren't prepared to dig into.  

[00:22:19] Sean Martin: While adhering to, uh, the, the need to, need to stay up and running. Yes. Yeah, exactly. 

You can't, you can't be down just because you're under attack.  

[00:22:29] Chris Walcutt: You, you know, you mentioned best practice before. A lot of, a lot of the OT space, uh, what's usually referenced is the Purdue model. Yeah. Yeah. And the problem, the Purdue, the Purdue model is great in a perfect world. But you can't go seven or eight layers deep. 

Um, in a space where run time is that important because a lot of these systems are 15 years old. And they can't handle an extra 10 or 15, literally can't handle an extra latency. So you can't segment that far. So we boil it down, we usually end up with maybe 3 zones, 4 zones. So you've got kind of the operational zone, all the stuff that's taking an action. 

A lot of times you have the sensor zone, all the stuff that's taking readings. You've got kind of the control zone, all the stuff that's in charge. And then you're going to have a DMZ because you've got to take that data, usually it's fed to a historian, and you've got to feed it out to either a Manufacturing Excellence or an MES system, or it might need to go to some sort of shipping or an ERP like an SAP that allows for the billing and the raw materials control and all that stuff. 

All the business stuff. Right. But you have to have some idea of where the data is moving and what it's supposed to look like. And that's once again where the experienced staff comes in that have run. Manufacturing facilities that have run power plants and substations or water and wastewater facilities. 

They know what that data is. They know where it's supposed to go and what it looks like.  

[00:23:50] Sean Martin: So Chris, as we begin to wrap here, let's say something to two audiences. IT folks who have friends in OT and OT folks who have friends in IT. So the first I want to hear from you is, and I want you to draw upon your conversations with customers. 

What can IT say or do to their OT counterparts to give them an aha moment that we're here to help, not force stuff, but to actually help with what's going on here?  

[00:24:31] Chris Walcutt: I think one of the biggest takeaways that IT can offer to OT is let us help you understand where the data is going. So that we can help you protect it. 

And we've got some of the tools, but we also know that we don't know enough to not make mistakes. So, we need your help, but we also need you to listen. Let us show you what we can do, and let's figure out where it makes sense. And the IT side is used to documenting the relationships and the data flows and things like that. 

And that's something that OT typically isn't.  

[00:25:01] Sean Martin: Alright, so that's a good tip in best practice. How about in reverse? What are some maha moments? OT, here's what you have to say, and they realize, alright, that makes sense, and I know how to take action now. Here's how I'm going to go have a conversation with my executive team. 

[00:25:22] Chris Walcutt: So OT needs to understand that the world is changing, the attack surfaces are changing, they may already have ways that people could sneak into their environments, and they need to ask for help. They need to understand that there are processes that need to be put in place that are different than what they're used to, and the goal is to maintain that uptime. 

But it has to happen in a way that's a little bit more secure than it's been in the past. Um, a couple of areas that they're probably accustomed to that may not be going the right way. Remote access is a big one. Right? So a lot of times they'll have vendors that need remote access because they've got a maintenance contract. 

They need to let them in. They need to let them come in and do their periodic check. And it happens remotely, right? What they're probably not doing is shutting off those access accounts when they're not being used. They're not monitoring almost under the keystroke of what's being done in those remote sessions. 

And they're not necessarily restricting that account so that it can only get to very specific devices. The other thing that I want to tell OT is, procurement is your friend. Talk to procurement. Take the time to educate them. A lot of times, they may not have your level of technical expertise on those OT systems. 

But if you can give them a checklist of the 10 or 15 things you have to have. And there's some things you may not be thinking about. So if there's a vulnerability that's identified in one of your devices, it should be in the contract language that they need to notify you if you weren't aware, and that there's some reasonable remediation window, or that they help give you something else that can help protect you in the meantime. 

Some sort of remediation action. For And if you can't get it from the vendor, then you turn back to IT and say what can we do to protect this in this short period of time.  

[00:27:02] Sean Martin: Oh, this has been fantastic, Chris. Um, I think both teams have a lot they can, they can gain from chatting with you and the rest of the DirectFence team. 

No question, visibility. Yep. The start, collaboration between the two. Um, a skill set that crosses both domains. Don't have it, don't have it now. Yep. Chris and team have it.  

[00:27:25] Chris Walcutt: And we're happy to educate everybody we come in contact with. So, we're happy to help teach the team. The more you know about it, the better off we all are. 

[00:27:33] Sean Martin: Yep, absolutely. I'll close with, uh, resilience based risk assessments. Resilience based risk assessments. Yes, indeed. I think it starts there. The ability to communicate around that, um, will help shape the rest of it.  

[00:27:46] Chris Walcutt: It does. It does.  

[00:27:47] Sean Martin: Perfect. Well, Chris. I could chat with you for hours, but, uh, we'll leave it here and maybe we have another, another conversation, more stories. 

Uh, so thank you very much and thanks everybody for listening to, uh, this episode. Coming to you from RSA Conference, thanks for joining me. Sean, uh, on Redefining Cybersecurity. We'll see you here this week, lots more coming.  

[00:28:05] Chris Walcutt: Thanks for having me. Thank you.