Hello, everybody, and welcome to What's the Problem, the show that explores challenges or problems that folks in the cybersecurity world face.
Today, we are fortunate to have Oscar Ruiz joining us on the show.
Mike Krass: Oscar, say hello to our listeners.
Oscar Ruiz: Hey everyone, how are you doing? I'm here in Houston, enjoying the heat. It’s a lovely and awesome day to talk about cybersecurity.
Mike Krass: Yes, and it is hot. I passed through Houston recently, and I can attest Oscar is correct. It is warm there right now. Oscar, talk to us about security. Why are you qualified to talk to our listeners about cybersecurity?
Oscar Ruiz: Thank you very much, Mike. I work for Accenture, a professional services firm, one of the biggest in the world, and our security practice is pretty broad. I'm part of that group, and I have two main functions. I'm the lead for the critical infrastructure and Cyber Fusion Center for operational technology in the system. It's the innovation space we have within Accenture and the OT practice where we bring our clients. We deal with their OT security and operational technology security, solve their issues, and try to guide them through discovery, design, implementation, and services.
On the other hand, I am part of the security innovation group overall for OT security at Accenture globally. I'm supporting the different entities and market units at the same time. As the cybersecurity space is evolving, I'm trying to get as many certifications as I can. The main one for OT security is the GICSP. This is my day-to-day, if you tie it in: engaging internally and at the same time supporting leadership and all of the different services that we have.
Mike Krass: Awesome. Thank you for that very humble explanation of your background. Oscar, you're more than qualified to speak on the show today. And speaking of the different topics you're in daily: operational technology. Let's talk about some problems and some challenges there. What do the listeners need to know about the world of OT?
Oscar Ruiz: I will use a reference model, the Purdue model. Let's imagine five different levels, and at the top, you have levels four and five, which are the internet and enterprise applications, all those applications that the companies have to help them operate daily. That's not what I do in terms of cybersecurity. A lot of people are better at that than I am. We take care of the other 3.5 levels in OT with all the operational technologies. We're going to go a little bit into this, which is the core economic activity for most companies. If we're talking about chemical plants, oil and gas is big. The refinery, chemical planning, assets, process controllers, valves, tanks, pressure containers, piping, and all the operational assets. The difference we can see right now is already happening, and I call OT security the new frontier because all these environments used to be air gapped. They were not exposed to the internet or to extended external networks, and that is changing. We all know there's increased connectivity with many devices and solutions, and it's not a short-term thing. It's real. It's no longer something still to come. These environments and assets are starting to be potential targets of cyber threats, and this is not something new. In the past, OT environments were separated from IT environments, so they were hard to get into. You had to have some spy, a person supported by an advanced persistent threat, which was at the same time supported by a state-sponsored group, going to a plant and inserting a piece of malware through USB. We're talking about some James Bond kind of thing. But things are changing, and all these environments are getting exposed. And something really important to mention here: when we're talking about OT technologies, it's not just a chemical plant. There's the Cybersecurity and Infrastructure Security Agency, which is part of Homeland Security.
There are water facilities such as dams, commercial facilities that can hold events for large crowds, defense, energy, all the grid lines, and financial services. They have security and will deal even with what happens if you lose power on Wall Street. The categories are pretty broad, but essentially, one thing you could say about OT technologies is that society is greatly impacted when they are not there. If we don't have water, that's going to be catastrophic. If we don't have lights here in Texas: one year ago, we experienced that for some days, and it went terribly. And that was not an attack; that was just too much consumption over the supply. But those are the implications. The priorities in OT environments are different than in IT. In a broad sense, IT cares about confidentiality, integrity, and availability of data. In OT, you add an element at the top, which is safety for society and the environment. Then we're talking about availability, because we're talking about systems that are the economic activity for many companies or are in service of society, then integrity, and confidentiality at the end. There's some major interconnection in their strategies, but at the same time, you want to understand and define a strategy.
Mike Krass: Let's talk about some of those different industries, because we went from chemical plants to oil refineries to Wall Street losing power, which is a very James Bond type experience when you talk about shutting down the markets to manipulate them through the use of a critical infrastructure attack or a power loss, and then water. In the United States, are certain industries more mature in their OT environments? And if so, which ones are they?
Oscar Ruiz: Those are industrial control systems, or OT. It's a technology that hasn't been around for decades. And as we were talking about, with those systems, if we go to the lower levels, we will find sensors, actuators, etc., but the core unit is the PLC, which allows you to control your process. Many of these facilities have been running on PLCs for 15 years. If the process is working and creating a profit for the business, don't change it. They have had minimal updates over the years.
Sometimes when you go into these industrial environments, it's not difficult to find a Windows 98 or Windows 2000 desktop machine working and still helping to operate a multimillion-dollar process. It sounds crazy, but at the same time, some specific industries have had to mature faster than others. Let's go back to the energy sector, specifically utilities. You could say that competition has been significant, and increasingly so in the last years since the market was opened to all. In recent years, they have had to improve their technologies to gain a competitive advantage and capture a larger part of the market. We're talking about utilities and electricity in your house. I don't know if anyone remembers: forty or fifty years ago, a person would be going down the street taking note of the readings as a meter reader. Now, everything is done digitally and remotely, for that reason and for gaining competitive advantage, in sectors such as utilities. It's the same with other industries; we were talking about defense. There's a decent amount of budget there. They're also concerned with cyber warfare, and there's a lot of investment there. Then we were talking of, maybe, oil and gas and some chemical sectors, where they are barely improving and upgrading a lot of this equipment that has been running for several years. This is a lot of money, and there's no real.
Last year, almost a year ago, we had Colonial Pipeline, which fits one of these critical infrastructure categories. And now we know, after running the forensics and the analysis, that it was an attack that stayed at the IT level. It was just computers with a ransomware attack that encrypts your files and does not allow you to operate or gain access to them. We know that the actual reason they shut down was that they didn't know, or were not sure, whether the threat had managed to get into their OT systems. If the pipeline's control system suffered an attack where they would override the safety system for pressure or flow, something like this could happen. We're talking about financial banks, utilities, defense, manufacturing, or high-tech manufacturing such as cars. There was nuclear, and the local controls were good, but their attack surface, in the same way, is increasing as they get connected to the world. When we go into the level of maturity, natural resources are lagging a little in time. But at the same time, you have a lot of companies that are driving a lot of innovation within this group. It's a little bit on a case-by-case basis, but that is the answer we'll get.
Mike Krass: Oscar, you are the expert here on OT. That's why we brought you on the show, and I want to make a statement, and then you need to be honest with me and either say, "Yes, it's accurate" or "No, it's not accurate." I started thinking about energy, nuclear plants, and oil refineries. I will focus on the oil and gas sector with this question, or the statement that I'm asking you to confirm yes or no to. And I know you're in Houston, I'm in New Orleans, we're down in the southeastern US, with a lot of refineries and oil production. When I think of refineries in particular, or an oil and gas environment, the number of endpoints makes me immediately nervous. Say we are talking about Shell or BP. They have so many full-time equivalent Shell employees. They've got so many contractors running around, their engineering contractors and people like Accenture, who have OT contracts to protect pressure valves so they can't be accessed and dialed way up to create a blowout. In the oil and gas space, endpoints are a huge part of the attack surface, as now everyone has an iPad and an iPhone, and they bring a hardened computer to work, a hard-case laptop. Is that an accurate statement, that a lot of those endpoints are expanding the attack surface, specifically in the oil and gas space?
Oscar Ruiz: That's a big concern. To answer the question of yes or no, it's yes, and endpoint protection is a huge area of opportunity. But at the same time, there's a lot of work around it. It's not just this; it's also all these companies. We can expand, and each company will have different maturity levels. But we want to expand on the concept, and we need to deal with endpoint protection. Many vendors, such as IBM, Carbon Black, and VMware, will help you with this. And at the same time, your strategy and your identity and access management policies need to improve. Also, in these industrial, highly virtualized environments, there are a lot of practices around access management, passwords, and users. It's not hard to find the admin. The company can invest in endpoint protection solutions, but it needs to change all those practices.
Some offerings will help with multi-factor authentication, which is preferable, even over good password practices, because you're double proofing that someone is getting access. You need to establish some policies around whitelisting your applications. These rules align with the firewalls you manage by using micro-segmentation, in a virtual or cloud environment, or on-site, or if you're going to a hybrid model, which will probably be the biggest enemy, going into the middle point in comparison with other technology companies. It's more around the concept of defense in general, and one standard I liked that helped me understand the core of security. I have to be honest. I'm currently working in security, but I used to be more around industrial optimization, maintenance, and reliability. I understand the business, but at the same time, what helped me understand this is one of the biggest standards of auditing, which is NIST 800-53, which goes through five big different groups. One needs to identify and cover inventory management, asset allocation, policy definition, and governance, while also connecting with the principle of protection. How are you going to monitor your assets and all your events? How are you going to respond in case something happens? How are you going to recover from specific cyber events? It's a big thing. We just tackled one point, and the challenge for companies is that we're all going to have budgetary constraints. But as we progress and companies increase their attack surface, they finally realize this will happen. Big companies get hundreds of thousands of attacks, or attempts at an attack, per day. Not all of them have a huge impact, and most stay on the surface. But they're going to happen. So yes, trying to deter and prevent all these attacks is important. You need to do a really good exercise on defining your strategy, especially how you can or will respond when something happens, and it's growing.
Mike Krass: That's become abundantly clear, even before this conversation, that it's growing. We always commit to producing punchy, informative, and educational episodes on these shows. I'm going to ask this last clarifying question before we wrap up: what is the maturity by geographic region in the world of OT? Is North America hands down ahead of Western Europe? Is Asia ahead of all of us? Can you just give us a stack-ranked list of which regions of the world tend to be more mature in their OT practices and environments?
Oscar Ruiz: One of the good things that came out of the Colonial Pipeline attack was the administration's promises to deliver a series of mandates around cybersecurity.
Mike Krass: You're talking about that administration.
Oscar Ruiz: In the United States, under the Biden administration, there were some opportunities with these mandates. The industry helped them understand and know, and they signal or support other companies, etc. It's a good step toward improving the overall resilience of companies and all these critical infrastructure sectors. But before this, establishing controls and establishing mechanisms was completely optional. So on this end, probably GDPR in Europe laid a foundation for data protection overall. We're talking about the countries in Europe. Part of the EU has a little edge on this topic because they're more regulated. They have a slight edge. The United States has a huge number of companies, and the government, by itself and its branches, are huge entities that can help the evolution of all these mandates, controls, and policies. The EU, the United States, and then Asia, which is a bit difficult, especially with China, which will be one of the major players besides India. They're finding their own rules and are highly observant of whatever's happening in their environment.
Mike Krass: Thank you so much for joining us today to share some of your experiences and your knowledge about the world of OT with our listeners. It's not uncommon for our listeners to want to reach out to some of the guests and ask them more questions about whatever topics were covered to network, just to connect. Is there a good place for listeners to connect with you, Oscar?
Oscar Ruiz: The best way is through my LinkedIn. You'll find me as Oscar Ruiz. My email is firstname.lastname@example.org. Those are the main points of contact.
Mike Krass: Perfect. Oscar, thank you so much for sharing your experience and knowledge. For the listeners, if you have questions, Oscar gave you his LinkedIn and work email address with consent to reach out to him. Don't hesitate to reach out and start a conversation. Talk about this world of OT with him.
To our listeners, thank you for tuning in again to What's the Problem, the show that explores problems that folks in the world of cybersecurity are facing today. Until the next episode. Thank you.
Oscar Ruiz is a Security Manager and Operational Technology CFC Lead working for Accenture out of their Houston, TX office.