Navigating IT-OT Dynamics: Cybersecurity, Integration, and Collaboration

Speaker 1 (00:00):

You are listening to the Virtual CISO Podcast, providing the best insight on information security and security IT advice to business leaders everywhere.

John Verry (00:19):

Hey, there. Welcome to yet another episode of the Virtual CISO Podcast. With you as always your host, John Verry, and with me today, Curtis Griffin. Hey, Curtis.

Curtis Griffin (00:29):

Howdy. It’s good to be here.

John Verry (00:31):

Thanks. Thanks for coming on. Looking forward to chatting. I always like to start off super simple. Tell us a little bit about who you are and what is it that you do every day?

Curtis Griffin (00:39):

Yeah. Curtis Griffin. I’m a senior manager with CBIZ Risk Advisory Group. It’s part of the CBIZ Organization, and more specifically on the information technology and cybersecurity consulting side.

John Verry (00:54):

So, thanks for coming on. I always start with another question. What’s your drink of choice?

Curtis Griffin (01:01):

Honestly, I drink a lot of Coke. It’s boring but simple. Probably been doing that way too long, since I was a kid. I’ve had to back off a little bit as I’ve gotten older.

John Verry (01:14):

You haven’t seen the press releases that say that Coke’s not healthy for you, have you?

Curtis Griffin (01:18):

Yeah.

John Verry (01:18):

I don’t want to ruin it for you, but I think you should know that. You know what I mean?

Curtis Griffin (01:23):

I appreciate that. Yeah, I’ve heard. I’ve heard such. The sad thing is, the diet stuff, I mean, I think is worse for you and I find it disgusting.

John Verry (01:31):

I would agree with that. I think they’re both bad for you. It’s a matter of which is the lesser of two evils, right?

Curtis Griffin (01:37):

Yeah. I might as well take the sugar.

John Verry (01:40):

There you go. So, thanks for coming on. Over the last few years, the term operational technology has increasingly crept into conversations. I think it’s largely driven by the risk associated with operational technology, and increasingly more guidance from the US government relating to it. So, let’s start by just defining, what do we mean by operational technology or OT?

Curtis Griffin (02:13):

Yeah. The term is expanding I think, faster than we realize. But generally my definition is, where technology touches the real world beyond the screens and the keyboards. I mean, obviously we have screens and keyboards in both areas, but technology that’s aware of its surroundings, taking measurements, pressures, temperatures, flow rates. But also things like smart cameras that know what’s going on outside its little electronic brain. But also stuff that has the ability to do things in the real world, turn on and off power, start generators, open valves, close valves, control flow rates, control robots. I mean, that’s stuff that touches that, that makes that leap into the rest of the world. I think the difficulty when we start talking OT in our world is that everybody starts thinking industrial control systems or SCADA.

(03:17):

But these days I think it’s merging into the internet of things. People have smart refrigerators in their houses, smart light switches, and they don’t think of that as operational technology, but it really is. I mean, its got a computer in there, it’s talking to other devices, but it’s also controlling our homes, our factories. It is controlling fish tanks. I remember several years ago there was a hack against a fish tank in a doctor’s office, and killing fish is not great but it’s not life ending. But when you start extrapolating those types of devices out into the rest of the world, nobody was thinking operational technology when they hooked up an ethernet cable or a wifi to their fish tank.

John Verry (04:06):

Yeah. One of the things that’s interesting that you said is that, that line between IOT and OT has definitely blurred. I think when most people think of OT, they think of, I’m going to say non IP, as in internet protocol, conventional communications. I think we tend to think of the OT technologies being something running other than that, like DMP3 or something of that nature. But it is interesting though that the things that make something OT are also the things that make something IOT, but now with a different set of standards and requirements and risks that are associated with them.

Curtis Griffin (04:47):

Yeah. I really think that that transition, I think there’s been a curve. I mean, we still have the devices in the field or things that just talk old, I say older protocols, Modbus, or even just standard serial stuff. We still have all that stuff, but when I’m going into clients and we’re talking OT, they are thinking about that stuff, but when talking about cybersecurity it is closer to our more traditional IT protocols and technologies systems. The problem is, and I’m sure we’ll get there, stuff that we’ve traditionally said, “Oh, it’s a Windows system.” Well, OT wants that, because the flexibility and everybody’s developing stuff for a Linux kernel, and so might as well bring it into their world. I’m seeing that a lot.

John Verry (05:54):

With many IT professionals, the minute you start talking OT they get a little bit nervous, they get a little uncomfortable. It’s unfamiliar. But fundamentally when I look at it, there are as many or more similarities than there are differences. At this point I’m talking about, I’m going to call it traditional OT, like the factories that we’re talking about, the non IOT type. So, talk about those similarities. How can somebody who’s listening that’s an IT person analogize or get comfortable with OT?

Curtis Griffin (06:30):

Well, I think you’re right. I think that there is a lot of similarities and there’s been this hard line in the sand, or maybe even a fence between OT and IT, that they’ve got their stuff, I’ve got our stuff. But getting past that, it’s completely foreign. I mean, we are talking about just hardware and software, whether it’s a PLC, it’s just a computer, and it may be running an RTO, a real-time operating system that’s super fast, super efficient, does one thing really, really well, doesn’t like disturbances. As opposed to a kernel that’s running all sorts of things all the time. But it’s still hardware and software. I think getting to that point, I’ve not done a lot.

(07:24):

I want to emphasize, I’ve not done PLC programming, but I’ve done some ladder logic. Gotten into the middle of it and seen, and it is just computer programming. It’s just a different interface and a language that most programmers aren’t familiar with. But you’ve got inputs, outputs and whatnot. Then your screens, it’s just a touchscreen with another PC on the backside that’s registering and talking to that PLC. That HMI, that human machine interface that’s on a steel cabinet, it’s no different than your touchscreen on your laptop, except that its got a very dedicated purpose.

John Verry (08:08):

Then of course, the fundamentals that IT professionals are familiar with, the concepts of strong and appropriate authentication, good user access and authorization procedures, system monitoring from a performance perspective, system monitoring from a security perspective, all of those fundamental ideas translate pretty directly.

Curtis Griffin (08:30):

They do, yeah. I mean, you’ve got to know what’s going on in your network. You’ve got to have a location for logs to go, and then you’ve got to look at them. They all, I say all, they should have those capabilities, and so you’ve got to have a destination for that monitoring and whatnot. When you start talking about infrastructure, fiber, ethernet, CAT5, CAT6, whatever is out in the field, it looks the same. It feels the same. Just like, we’ve been pushing different types of protocols over these cables for a long time. We’ve just gotten used to the fact that now we’re just doing TCP/IP on our LANs, but for years we’ve been doing all sorts of protocols and they can coexist. A lot of people forget that. So, that awareness level of different things that are run on your network, but still the physical infrastructure is really similar.

John Verry (09:37):

So, we highlighted a lot of the, or you highlighted a lot of the similarities. What makes OT different?

Curtis Griffin (09:44):

First thing that we talked about is that physical aspect to these devices. There are implications to having systems that are connected to the real world, and you’ve got to be aware of those implications. You’ve got to think about it. I think about environmental control systems. If your house AC goes off, it’s fine. But if you’re in a hospital and you’ve got this whole HVAC system running through HMIs and entire building ecosystem, and somebody tweaks the hospital’s air conditioning, I mean that can have big implications. So, there’s that physical aspect to it. Same goes for oil and gas production or manufacturing or whatever. There’s just physical stuff that you’ve got to be thinking about when you start talking about it. But there are a lot of less obvious differences.

(10:45):

OT systems, when they’re implemented, there’s no, and I say no. They’re most likely not thinking about the replacement period. Somebody deploys laptops and they say, “Okay. This has got a lifespan of three years,” and we’re going to replace it and just have that rotation. Or maybe your server systems or your SAN is on a five or six-year rotation. OT systems generally get implemented and they’re like, “Okay. This is going to be for the life of the building until it breaks.” So, there’s that intent that it’s going to run forever, or at least decades. OT systems, they’re much less open to downtime, so the concerns are much more elevated. It is the toaster analogy. Every time somebody puts toast in this thing and they push the button, they expect toast to pop out. They’re not thinking, “Oh, I’ve got to patch this thing later,” or every third week, “We’re going to have to take it down. Nobody can get toast. Mondays is non toast day.” No, we have to have this every day. Its got to work and its got to work all the time. So, there-

PART 1 OF 4 ENDS [00:12:04]

Curtis Griffin (12:03):

It’s got to work and it’s got to work all the time. So the system owners are really less open to patch cycles or any outages that might happen. So-

John Verry (12:14):

Your family likes toast that much?

Curtis Griffin (12:20):

The toaster analogy-

John Verry (12:22):

I got to be honest with you, that wouldn’t have been my analogy. I do understand it. I thought the analogy was brilliant, with the exception of the fact using a toaster. I think most people are going like, “Yeah, I can do without toast on Mondays.” I get that.

Curtis Griffin (12:32):

It is just the simple input-output.

John Verry (12:39):

Right.

Curtis Griffin (12:42):

You have the people that are implementing the operational technology, but then you have the users, the endpoint. And some dude out in the field, he knows oil and gas. He understands the properties. But I mean, he’s pushing a couple of buttons to make sure that the flow rate is right, but he doesn’t understand or need to know all of the backend stuff. So in his mind, this is a toaster. I push this button, this happens. And the idea that there’s some CPU that has to make sure that this threshold hits this limit and this safety is engaged before it opens that valve, and he doesn’t care or want to know necessarily about those things.

John Verry (13:24):

Right. So those are definitely some of the differences. And then of course, from a technological difference, like you said, you’ve got, the computer is different. It might be a PLC, it might be some other type of device. Communication protocols are different. The operating systems that they run are different. Anything else from a technology stack that is significantly different that maybe we can get, people get some comfort level with?

Curtis Griffin (13:53):

Well, I don’t know if this is going to give comfort, but they respond a lot differently to our normal, or what we, on the IT side, would say, our normal day-to-day operations would be. You don’t put a vulnerability scanner on an OT network, for example. It can have very unintended consequences. Anybody that’s running a vulnerability scanner knows that the first couple of times you may empty a printer out of paper. You hit that printer with the wrong port at the wrong time and it’s going to dump all of its paper.

(14:28):

Well, that’s fine for… Okay, we lost 50 sheets of paper. But if you run a vulnerability scanner against a tank PLC and it decides to dump its contents, that’s a much bigger conversation. And OT, as the general rule, do not respond well to penetration testing, vulnerability scanning. I don’t do it, but a simple end map across an OT network can have disastrous impacts. You can even brick a PLC, it’ll never operate again. Hopefully, the newer ones, they’re getting better about this. And I’ve seen and heard some good reports. But like I said, some of these things have been in place for decades, and so that you just don’t jump into the middle of that and say, “Well, I’m going to inventory our OT network and run this scanner to identify stuff.”

John Verry (15:27):

Right. Yeah. If you think about it, if you go back to the old days, I did a little SCADA system work in the ’90s. That was the idea of IP connecting SCADA systems at that point was still new. It wasn’t something that was… In the old days, they were fully isolated. So I think that helps to explain why some of these systems have challenges of that nature because A, they weren’t originally architected with this idea. This idea of IP enabling them and interfacing them into the rest of your corporate network, as an example, didn’t exist back then.

Curtis Griffin (16:05):

Yeah. It’s been an add-on to a lot of systems. Oh, well, we’ll add an ethernet module to a PLC brick. And okay, now you can SSH into it. Well, now you have remote administration, but it hasn’t had the years of troubleshooting-

John Verry (16:24):

Now you’ve got a listening service that isn’t mature.

Curtis Griffin (16:28):

Yeah, exactly. Exactly.

John Verry (16:31):

The other thing too that I was smiling at when you were talking about this idea that it set it and forget it with OT, isn’t that always the case that the systems that produce revenue, like the most important systems in an organization generally are the ones that are least secure, which is contrary to what you would logically think, but it’s because nobody wants to interrupt them either to take them down for any period of time if they’re revenue generating or no one wants to update things if they’re working.

(17:02):

I remember there was a system for a major city that processed all of the credit card transactions relating to fines and licenses and things of that nature. And it was woefully insecure because it hadn’t been updated in seven years because of the fact that every time they tried to update it, something would go wrong and the CFO would come forward and say, “Listen, that’s enough. You can’t mess around with this thing.” So they built all type of compensating controls around this system to try to prevent it, keep it secure while you’re here, because they never wanted to touch it.

Curtis Griffin (17:36):

Well, I have a similar, funny, frustrating story. Years ago, I was working for a manufacturing company and they had an HMI, human interface that talks IP to this… It was a x86 type system that ran their software. It was PLC controllers. And it died on the floor, plant floor, stopped production. And I didn’t work with them much. Basically, I provided access and the OT folks did it, but they were like, “We can’t get this system this week or this month to replace it.” And I had already implemented some virtualization, and I was like, “Well, if you have images, I could probably throw this on a VM while we wait.” And so I did, spun up a VM and it ran fine, connected the HMI to it over the corporate network. And this was years ago before I would, I mean, I would not… Don’t do this gamble.

John Verry (18:54):

Do as I say, not as I do.

Curtis Griffin (18:58):

Exactly. And I got it up and running, and I was a hero for the day, which was great. I left that company and went on to other stuff, and I actually worked, I ended up working for a technology company that did consulting. And they called me up and I’m like, “Curtis, something’s not working.” And I was like, “I’d love to help you. I’m working for this consulting company.” We do that sort of stuff. Call this, we’ll get me out there and we’ll take a look at it. Turns out seven years later, they were still running on that VM. That temporary fix was never followed through with. And-

John Verry (19:43):

That goes to what I was just saying. If it ain’t broke, don’t fix. It’s the same idea that you see, I mean, one of the things that we smile about is when people say, “Oh, it’s just a proof of concept. We don’t really need to follow good security practices with this piece of software.” And I’ll be like, “If the proof of concept works, you’re going to use it as a jumpstart or it’s going to migrate directly to prod, and you’re going to have a fundamentally flawed piece of software.” “No, no, that’s not…” And of course, they always end up in prod. So same idea.

Curtis Griffin (20:11):

Temporary always goes into production.

John Verry (20:14):

That’s exactly right. So just to kind of double down on what you said before, one of the big differences, and maybe we should just give a couple more examples of this is why I think OT is one of those things that people look at differently is because the implication of a risk being realized. These OT systems, they’re pressure sensors that should trigger a valve opening on a manufacturing tank if it gets over-pressured. And if it fails to, not only do we have a disruption of an entire batch or whatever it might be, but we’ve got explosions and we’ve got people getting hurt.

(20:49):

Oil and gas, I know you guys do tons of work in the energy industry. Maybe you can talk about oil and gas pipelines, wastewater treatment plants, airfield lighting systems for major airports and things that need traffic control systems, probably train control, positive traction control systems and trains. The implications of OT risks being realized are just insane.

Curtis Griffin (21:12):

The risks of life and limb especially, but also equipment, destruction of equipment. You can’t restore a physical device from backups. That’s not the way it works. And so yeah, we’ve talked through on the OT side, there’s devices that if you spin them too fast, they will break. And all it takes is one limit change and they’ll go too fast, and they can self-destruct. If you have a heater that you change the limit on it, you might have a fire start. Just as simple as that. So yeah, the implications to the real world are definitely a big deal.

John Verry (22:09):

Okay. So knowing that the implications are significant, what is the best process for understanding, assessing and managing risks in an OT environment? Do you conduct conventional risk assessments? Do you do vulnerability assessments? I know we can’t do active, but there are tools, passive vulnerability assessment engines that you might use. Do you do a gap assessment? Some combination thereof? What’s your best approach for addressing risk?

Curtis Griffin (22:42):

How about go-to?

Curtis Griffin (22:49):

The short answer for me is a combination. The first part is education. Helping organizations and the IT guys and the OT guys to talk. IT guys and CISOs, they have an understanding of cybersecurity risk. They can’t always put a pinpoint on what that means for OT, but I’m finding it a lot of times they’re not talking to the OT folks. And so the OT guys may have some level of concern about cybersecurity, but again, the OT guys are interested in getting product out the door or producing widgets. I mean, that’s what the OT guys are interested in. So cybersecurity is not necessarily on their radar. So assessing OT risks is somewhat challenging, partly because it’s new. I mean, like you said, the maturity level hasn’t grown like it has in IT over the last 10, 20 years. And so we’re trying to get them back up to speed, both at the OT side and throughout the organization.

PART 2 OF 4 ENDS [00:24:04]

Curtis Griffin (24:01):

… and throughout the organization, we’re used to talking RPOs, recovery point objectives and recovery time objectives, with executives on the business side when you’re talking about your data centers and your enterprise systems, but in many cases, you’re not talking to RPOs and RTOs with the OT guys. And until you’ve defined what those are, it’s hard to understand what the level of risk is. So that’s my disclaimer.

(24:35):

Our approach and my approach has been initially doing some gap assessments to their environment, understanding where they are, where we think they should be, where they’re lacking security controls, that sort of thing. We do tabletop exercises, get people in the room together and talk through scenarios, “Hey, if this happens, what are the implications?” I really enjoy those. We’ve had tabletop exercises where IT and OT had never spoken, other than maybe getting their corporate laptops, and they just hadn’t been in the same place having that conversation.

(25:17):

I’ve talked to OT guys that are brilliant building systems, but I ask them, “Okay. So if you got a ransomware screen pop up on your screen, what are you going to do?” And they didn’t have a response. That’s not in their normal day-to-day thinking about incident response or disaster recovery. They’ve got tons of answers for if that light’s on fire or if we need to evacuate the site, they’ve got plans for that. So those tabletop exercises really help. It’s helpful when organizations have done some sort of business impact analysis already. Thankfully, a lot of places will know, “Okay, if this site goes down, it costs us X dollars a day to be down.” So that helps in that, but then you got to figure out what technology would cause that outage.

John Verry (26:17):

Right. Yeah. What would be the trigger to that occurring? And then how do we protect against that trigger actually occurring?

Curtis Griffin (26:26):

And then what’s upstream and downstream, either physically in the pipeline or what processes are upstream and downstream in your manufacturing process?

John Verry (26:38):

You said something interesting to me. I don’t know if you’ve ever worked in the world of TV, networks and things of that nature, but they had a stretch of time where it was very problematic, where … What they used to have is engineering and video engineers, and then you had IT engineers. And what happened was all of the engineering stuff was isolated from their IT network. And then of course, much the same way we’re talking about IT technologies creeping into OT, IT technologies crept into what they referred to as engineering and video production. And what happened is we’d have these strange situations where the two ends didn’t get together, where there was gaps between it, there was challenges in making that migration. It sounds as if, in, I guess, some of the larger organizations that you work with, you have that same issue where you’ve got almost two camps, if you will, and part of your job is just bridging those camps and getting them to talk a common language and view the world from a more wholistic perspective/

Curtis Griffin (27:40):

Yeah, definitely. Bridging that gap on conversation is huge. Conflicting interests, a simple example, these OT guys, and I say these, I are one some days, but they’ll do an implementation, and we’ve all done it at home where you get a default router and it’s set for 169 or 192, 168.1, and you create your network, and then you move on. Well, if you’ve got dozens of these around and you try and start connecting stuff together, well, there’s all sorts of implications about that. And when you’re thinking just this isolated system, it’s not a big deal, but when you want to start having that functionality of true networks, you’ve got to think IT planning. And that hasn’t been on the radar for OT guys.

(28:42):

On the IT side, we’ve been dealing with it forever, integration of companies and having to either jump through hoops, or painful migrations, or NAT configurations, or whatever. We’ve come up with solutions, but on the OT side, well, what are the implications on that and how do we fix that? Because, again, we can’t take a week and renumber everything.

John Verry (29:12):

What’s interesting is we talked about the fact that IT has a lot of similarities and OT has some differences. We’re big believers in aligning our clients with … I’m going to refer to it as open trusted frameworks and guidance. And so it gets interesting to me. I could see arguments for using conventional IT controls as best practices, like CIS controls or ISO 27001 controls, or some of the things they do around authentication, access management, logging, things of that nature.

(29:45):

Then you’ve got … you talked about the blend into IoT. So now, we’ve got IoT guidance. Anisa has some great IoT guidance. In fact, some of Anisa’s IoT guidance stems down into the industrial internet of things, where they refer to that smart factory, I guess they’re calling that. And then of course, you’ve got OT-specific guidance, either directly from the manufacturers of the devices or something like NIST 800-82. How do you typically approach it? Do you use some combination of those? Is there one go-to?

Curtis Griffin (30:15):

Yeah. First and foremost, if an organization has regulatory requirements, start there. Electrical NERC CIP gives guidance and direction for that, or a lot of the, well, marine terminals, the Coast Guard has MTSA requirements. They’re pretty light right now, but they’re getting there. They’re starting that process. A couple years ago, they added to the facility security plans cybersecurity requirements, new adds. And so we’ve helped clients with that. So that regulatory piece, the TSA has now implemented all sorts of security directives for pipeline regulation. And so there’s that. So that’s where I would start. [inaudible 00:31:09].

John Verry (31:09):

Real quickly, TSA is not the same TSA that does airlines, is it?

Curtis Griffin (31:14):

It is, yeah.

John Verry (31:16):

The TSA that does, what’s that, the Travel and Safety Administration? Is that what TSA stands for?

Curtis Griffin (31:22):

But yes, it’s the same T S A organization at the head. Now, there’s different departments, different people.

John Verry (31:28):

No, I know that, but I would’ve thought that would’ve come out of critical infrastructure. CISA, which comes out of DHS, I wouldn’t have thought that guidance would come out of TSA. That’s just surprising.

Curtis Griffin (31:39):

It’s an odd relationship, but they’re the same ones that are governing rail cars and interstate pipe liquids transportation, stuff like that. So yeah, the first time, I had the same question, I was like, “Is this the same TSA that I have to deal with when I go through airport security?” At the head, yeah, ultimately. So it’s an odd approach. So like I said, that’s where I start.

(32:13):

And then honestly, if the company has some sort of already-adopted framework, whether that be CSF or a CIS cybersecurity controls, you talked about that common language, in order to maintain common language, use the company established standards. We’ve got a lot of companies that are using CSF at some level or another. Now, it’s a framework. It’s super high level and you’re not going to get specific, “Turn this on and turn that off,” or whatever, that you might on the CIS side, but at least it’s a framework to start the discussion.

(32:58):

And then I supplement a lot with 882 NIST. And the nice thing about the latest revision, it’s in draft still, R3, it has a lot of better correlation to CSF and CIS and those other frameworks and those other stuff so that, if a company is using the CIS, we can go, “Okay, this is what CIS says, 882 has some supplementary information. Help us define what things we should be looking at,” and then really customize it for their organization. It gives us a framework to work from and that language.

John Verry (33:43):

Circling back to what we talked about before, you talked about, with many of your customers, where there’s OT personnel and there’s IT personnel. Is that generally the case or is that just the case when you go into a large organization? Because I’ve been in smaller organizations that don’t have massive staffs and I’ve seen IT people struggling to deal with OT. How do you typically see that?

Curtis Griffin (34:13):

There’s really three groups. Those larger organizations, definitely, there’s an OT side and an IT side. And unless forced to talk to each other, they haven’t. I think it’s getting better, especially with the cybersecurity aspect and people understanding that they want that connectivity, but for the longest time, IT, we’ll deliver you a circuit, we might even put a firewall or a router in there for connectivity, but after that, beyond the firewall, it’s a black box.

(34:50):

So definitely, larger organizations, and even more so if they’ve grown by acquisition. You’ve got this group here, and we’ve acquired them, and they’ve got their systems, “Okay, we’re going to give you the connectivity you have to have and then we’re just going to let you do your thing.” And in some organizations, I’ve actually tracked org charts where the only place they meet is the CEO because it’s operations and then it’s administrative and they just don’t … So even if the CISO or the security folks want to implement some better security, it’s a hard road to help.

John Verry (35:35):

Gotcha.

Curtis Griffin (35:38):

Sorry. Go ahead.

John Verry (35:39):

No, I apologize. You didn’t finish. Go ahead.

Curtis Griffin (35:42):

I was going to say, smaller organizations, it’s a mixed bag. A lot of smaller organizations, they’re consulting it out. They’ve got service providers or consultants that are doing their PLC programming, their implementations, and then they hand over that toaster. And the operators, the day-to-day stuff …

PART 3 OF 4 ENDS [00:36:04]

Curtis Griffin (36:03):

And the operators, the day-to-day stuff, if it’s working they’re just doing their thing. And then when there’s issues or they need an upgrade or a change or a process adjustment, they’re engaging those vendors. But again, it’s on the operator side. We need X, Y, Z, so please come and do it. The really small organizations I would say, yeah, it’s a free for all. IT’s helping, they’re making stuff work.

John Verry (36:35):

So how does OT… Well, maybe I shouldn’t say how does. How should OT impact security monitoring incident response? So when you’re talking about this idea that two bridges not meeting, I’m assuming that what we’re going to find is that OT is either not doing the security monitoring and where maybe in an ideal world that security monitoring for both it OT and IT should be more consolidated. Certainly incident response planning, I would think would be or should be, but it probably isn’t yet. What do you see?

Curtis Griffin (37:05):

What I see is that OT is not doing any security monitoring. There’s a lot of products out there now that do it and some really neat stuff coming out, and a lot of maturity, even the last 5, 10 years has come into the industry where security monitoring, understands OT protocols, understands real behavior, can do behavior monitoring and trending so that if something’s out of line, they’ll know about it and can alert on it. The challenge has been this hard line in the sand both administratively and physically where [inaudible 00:37:49] air gaps. So we’re not going to be pushing logs or alerts anywhere else. There’s solutions to that now, and you can fix that problem and still not compromise those air gaps. So I would say largely organizations that have regulation, the NERC CIP, electrical grid stuff, yes, definitely mature in those spaces. A lot more advancement. But sadly, in a lot of organizations where regulation hasn’t pushed them, they haven’t gone.

John Verry (38:25):

Gotcha. How does OT impact cyber liability insurance? Can they not get it? Can they get it? Does it cost a lot more? I would think where risk is higher, claims are higher, hence insurance either doesn’t exist or costs more.

Curtis Griffin (38:45):

It certainly costs more. We’ve done a little bit of advisory work in trying to identify where insurance is needed. Well, CBIZ actually does do some insurance work, I’m kind of new to that space. So I don’t want to say we don’t. We do that, I have not specifically done that. But we have helped organizations try and identify those price points or cost that they needed coverage for. And that’s where the difficulty has been because when you’re getting an insurance policy, where does physical damage stop and where does cyber start? If there’s a plant explosion or a fire on a tank, is it physical property insurance that covers that? Or if it was discovered that, well, that was caused by someone maliciously overheating the heating element, does that fall into cyber? I don’t know if we have the answers to that, I know people are working on that

John Verry (40:05):

And that probably is a pitch for the business side of our house.

Curtis Griffin (40:10):

Yeah. I realize that as I start to say.

John Verry (40:15):

Yeah, but you see the same thing with cyber with crime policies. If you don’t understand the interaction of the way your policies work with each other, you can get hosed. So as an example, I know a client of ours, a major city, a consultant that was working for them from another company, they’re a general ledger application, excuse me, human resource application, left a laptop in a Korean restaurant that had all of the names of all the employees and former employees of the city at Infinitum. So it ended up being $20 million notification process that they had to go through. And what was interesting was it wasn’t covered by the cyber, it was covered by the crime because the laptop was stolen.

Curtis Griffin (41:02):

Interesting.

John Verry (41:05):

Again, if you don’t understand the subtle interaction of the way these work, so if you are listening and you do have OT, do make sure that you have your policies looked at by somebody who knows what the hell they’re talking about.

Curtis Griffin (41:15):

And I’ll add to that-

John Verry (41:17):

It’s not easy not to layer these things together, right?

Curtis Griffin (41:19):

No, it is not because if you start talking about is it a nation state attack now, does that come under acts of war on the insurance versus just your general cyber hacker? So I know that they’re starting to increase those, “Hey, it’s not our problem if a foreign nation is implicated in this hack.” So you got to understand where those lines are being drawn.

John Verry (41:50):

Yep. We beat this up pretty good. Did we miss anything?

Curtis Griffin (41:56):

For the people that are listening I would say culture is a big deal. Get IT and OT talking together. We kind of hit on it in different places, but I think that if they can start talking to each other, you see the value in each other’s organizations, that’s going to be a big thing. And that’s one of my soapboxes I guess is getting IT folks to talk to OT folks and back and forth because with that you can actually get some things done.

John Verry (42:36):

Yep. And that space in the middle is where a lot of risk exists.

Curtis Griffin (42:40):

Exactly.

John Verry (42:42):

Give me a real world or a fictional character that would make an amazing or horrible CISO and why.

Curtis Griffin (42:50):

A fictional or a real person? I’m thinking about-

John Verry (42:56):

Anyone’s listening now knows Curtis did not read all the way down to the bottom of the agenda.

Curtis Griffin (43:00):

No, I did. I did. I read the questions and I was like [inaudible 00:43:07]-

John Verry (43:06):

[inaudible 00:43:06] memory. You either have a memory problem you didn’t read all the way down, Curtis, either way you’re not looking… So own one of the two and let’s move on. All right?

Curtis Griffin (43:15):

All right. My memory is what fails me. I’m going to go with probably the largest operational technology piece of equipment known to man, which is the Death Star on the original Star Wars. And probably the worst CISO would be Grand Moff Tarkin because he’s not a team player. He’s unapproachable. He’s really even got… How would you put it? Darth Vader on his leash, and he truly believes that his organization and his grand thing is impervious to risk. So, I’m going to go with him.

John Verry (44:09):

You’re talking to the one guy in America that doesn’t know the Star Wars stories. So that was lost on me.

Curtis Griffin (44:15):

Sorry man-

John Verry (44:18):

I know who Darth Vader is, but I think that’s about it. I’m not sure about the Death Star thing. I don’t [inaudible 00:44:23]-

Curtis Griffin (44:23):

The Death Star is that big planet looking thing.

John Verry (44:27):

Yeah. The amazing thing is I am not even sure I’ve ever seen Star Wars the original.

Curtis Griffin (44:32):

It is in the original, the 1976 movie. So I know you probably weren’t alive yet.

John Verry (44:42):

Listen, I wish. Okay. I may have seen it in the theaters. All right. Well this has been fun, man. If somebody wanted to get in touch with you, what’s the easiest way to do that?

Curtis Griffin (44:52):

Yeah, I’m on LinkedIn, Curt, C-U-R-T, G-R-I-F-F-I-N. I mean, if you go to the IN/CurtGriffin, I’m on LinkedIn, you can reach me through CBIZ [email protected]. Love to hear you and assist in some of these things. This is what we do every day.

John Verry (45:21):

Sounds good, man. Thank you.

Curtis Griffin (45:23):