Procurement Being Involved in The Security Purchase Process

Transcript

Opening

Hello, everybody, and welcome to What's the problem, the show that explores problems, situations, issues, and discussions in the world of cybersecurity.

Today, we are fortunate enough to have David Bacque joining us from the RED Group

Conversation

Mike Krass: David, say hello to our listeners.

David Bacque: Hello to your listeners. I'm on my fifth cup of coffee today. If I'm talking too fast, kick me or throw something at me, sir.

Mike Krass: Sounds good. Dave, since you're all charged up on coffee, you're probably ready for our first question. The first question, as we all know, is, why are you qualified to talk about security?

David Bacque: I appreciate you saying my name right. I am the Vice President of Strategic Development, operational technology and industrial control systems, and cybersecurity leader here at RED Group. I have about 20 years of OT and cybersecurity experience across several different industries, particularly from South Louisiana. I've seen a lot of oil and gas chemicals. I've gotten into some manufacturing and other industrial energy supporting clients globally. I've done everything from helping very large organizations implement their security missions and mature their processes to helping smaller and less mature companies along the way, grow their organizations to be more secure and implement security in their operations, and specifically, on the plant floor, the manufacturing environment of mature organizations.

Mike Krass: Awesome. I love it. We've got our second OT, a guest expert on the show, and our first industrial controls expert. Dave, you're here in rare air with a friend with an ICS background.

David Bacque: It's an interesting background. We've been trying to build practitioners in this area for ten or fifteen years. Most people in this field come from a couple of different areas. I started on the enterprise IT side of things, got to know the controls folks and the industrial control system people, and learned about that area of the business. There's another side where people gravitate to where they start as electrical and control system engineers, working closer to the process and learning the IT world and the IT speaks. It's a hybrid skill set that people in this world have. It's something we've had to build and not buy most of the time.

Mike Krass: Before we get to our meat and potatoes question. I will agree with what you just said. A lot of folks come from controls with an electrical engineering background, any background. Most of the control folks I know in my professional network were at one point easy, academically. Then they graduated into the professional realm and went elsewhere, or they just stayed in electrical engineering. It's an easy step for those electrical engineers to make. But let's get into that second question because we're not here to talk about electrical engineers today, my knowledge. Dave, what is an issue in the world of security that you'd like to explore with our listeners today?

David Bacque: We deal a lot with engineers, the industrial control system, and the plant floor side of an operation. A lot of those projects, a lot of the things we're buying there are not typical IT equipment. You don't start a project; you'll start a project saying, “hey, I need a new compressor.” Or “I need to buy an engine. I'm looking to upgrade to a new CNC machine.” You don't start that project out saying, “Hey, this is a security project or an IT project.” A mechanical engineer leads that, and a process engineer goes to these vendors and looks for the best compressor they can buy. And what we don't realize or what isn't taken into account often is a compressor. It also has a PLC, a logic controller, and a computer on it that vendor is saying, “hey, this thing is great. Look at this app that it comes with; all you have to do is hook it up to the cloud and send all your data to us, which will be fantastic.” And we find that a lot of times those things get purchased and brought to the plant and brought to the facility before anybody that has any controls or security accountability even looks at it. And at that point, it's too late.

You have an engineer standing here with a cable, and he says, “Hey, man, where should I plug this in?” We've been trying to push out through the industry for the past decade. How do we get security and infrastructure? People and roles involved in the capital projects process and involved in the procurement process, such that when we're buying things, we're thinking about security, we're thinking about how are we going to integrate this. How will we plug this in before it's too late and before that equipment arrives on the factory floor? We're not getting that remediation right away. Remediation is a big business, and assessments are big business insecurity. And that's because we're buying insecure things. And we have to remediate them as soon as they show up.

Mike Krass: Am I crazy and thinking that you're suggesting we should have the procurement folks involved with the engineers, say, evaluate these? Or do I miss hearing it?

David Bacque: I think that's a great idea. It's even more than that because we could put that language in a contract, saying, “Hey, you have to supply a secure thing.” And here's what we mean by security, and we hope the vendor will read that. There's some education on all fronts so that the vendors understand, the engineers understand, and procurement understands what we mean by buying secure, what we expect the market to deliver to us, and what we want to do as part of our process to integrate that.

Mike Krass: Tell me a little bit more. I'm curious about what that is. What does that language look like? Can there be a universal language? Or draw from a common set of secure protocols? Tell me a little bit about what that language could look like.

David Bacque: There are a couple of things when we look at the language. One of them is the supportability of the product itself, setting expectations that, “hey, you're going to deliver something with an operating system that's modern, and that's able to be patched and that you're going to tell me how I patch it, and what patches are applicable and safe to use on this equipment.” It's putting it on the vendor, asking them to deliver a process. How do I recover this? How do I change the passwords on it? We've worked with vendors that said, “Hey, we use the same password on all of our equipment.” And that's where you're good. If you have a problem with this equipment and are anywhere in the world, any of our techs can come to it and log into it. So we know the password, but we're not going to tell you the password. And for most owners, that's not such a great answer. You want to own your equipment, you want to own some of the code, and you'll be able to maintain the things you're buying and integrate them. T

If I'm an organization, part of my security standards and processes should have some templated language that can be put into procurement language to go out to vendors, and then some of it is probably going to be more bespoke, based on the type of project that we're doing, the type of thing that we're buying, because it's going to be different if I'm buying a gas plant, or building a new gas plant, versus just buying a piece of off the shelf equipment that I'm going to be integrating.

Mike Krass: Does RED group as examples of some of these standardized languages for different types, whether building a gas plant into purchasing gas by this language that you already have developed?

David Bacque: We've worked with some customers to develop some language and put that in there. We can help people develop that language; specifically, we do it a lot around capital projects. If I'm building a new gas plant, here are the technical requirements we want for every piece of equipment being delivered to this, and we'll categorize them and share that with the vendors and then work with the vendors to deliver that equipment. The other piece on a capital project, most companies that we work with, most mature organizations have some stage gated capital projects process that's hopefully standardized throughout that organization. If possible, you also want to have some security and infrastructure checkpoints built in there as well to, early on in the process, be able to identify, “Hey, this looks like OT equipment that's going to have some security ramifications here that we want to take into account.” So we kept that on those earlier stages of the process before you start getting into detailed design and even vendor selection for those pieces of equipment.

Mike Krass: In your experience, who is good at catching what you just said? There could be some operational technology here. We need some to talk about the security here with your experience in these different capital projects that worked on which roles tend to be good, like red flagging, and saying, “Hey, I think we need to talk about security.”

David Bacque: Great question. Typically on a project, you would hope that the project manager or the control system technical leads. If an organization has spread that message and built that culture of security, those people will be aware. If not, it ends up being further along in the process that you want to be, which is when the engineers on that project need something from IT, or need an IP address, or need to plug something in, it's the IT organization that's getting asked questions that they need to answer and start peeling back going. What are we buying here? So ideally, we're educating procurement, project managers, and technical discipline leaders, particularly the control system folks and the electrical and instrumentation engineering folks that are going to be integrating some of the wiring. If you're saying, “Oh, look, here's a cat five on a drawing or cat six on a drawing, what does that plug it into? What is this thing doing?” There are some indicators you can get up front to start realizing what you're buying.

Mike Krass: Reflecting on this conversation, I asked specifically roles because I heard you draw a linear train of thought here. Are there certain roles, like you mentioned, a project manager? On the capital project, certain questions are almost a checklist of questions. Is this something that can be patched? I remember you asked that question earlier, and we've also heard coming full circle that it's gotten to IT. We're talking about plugging in cat six cables to something we've gone too far. It's all this last in terms of planning. And now, we are looking backward at what we have purchased as an organization or built. We're talking almost about audit and remediation. We've just been taking leaps and bounds steps ahead, and there's no middle ground. It's like, “Hey, we're at this point. We just need to do an audit and remediate whatever is not as secure as we had hoped it was.”

David Bacque: Another thing that can help along that we've seen some organizations do is take somebody out of the IT organization or bring up some control system engineers, and appoint them a cybersecurity focal point or an OT security focal point. Be a role on every project. Carve out a bucket of hours in the early phases to say, “hey, go into this project, understand the scope, roll through this checklist or this process.” And this includes X, Y, and Z, and here's the overall cybersecurity impact we see taking over the project's life. If you carve out that role, you can put that accountability on a specific project member. If you have a mature project organization and a peerage, a mature engineering organization can fill that function.

Mike Krass: Last question, because you just brought up an interesting point. This is an exciting question. What happens if you have an immature organization and you're growing fast? Is that a position where a third party, such as RED group or somebody you could come in and play that role or detail that position to ensure their best interests are met? Should that be somebody in some internal, like a full-time equivalent employee within that company?

David Bacque: No, as an immature and quickly growing organization, we see that across many IT and security disciplines, IT and security isn't a core competency of that business. They're in the business of building things, buying, getting investments, and selling things. It makes sense to pull out expertise from outside the organization to help overall on that OT security journey, including how we build secure things. We talked about quickly growing organizations, getting involved in that M&A process, how we onboard assets that we're buying from other organizations into whatever we need, and how we mature our overall OT cybersecurity practice. In all aspects, make sure we're building and onboarding in a secure manner. So that's a spot where it's good to go out to the industry and find some good partners like RED group who can help you along in that path of maturing cybersecurity in the OT space.

Mike Krass: That was an interesting question for me to pose. I have a friend out east whose business has grown 10- 15 fold. They're talking about building warehouses, fulfillment areas, a combination of the two things. And I can already see, just based on what he told me in terms of the growth of their business and how it's exploded, which is a great problem to have. But at this point, they're like, “We need warehouses. We need to be like filling trucks. We need to be moving fast.” And I can see them, just being great, who can set up the control system with keypads, or fingerprint scanners, let people in the door and this and that. They're in the mode of “My list is so long that I have to start checking some of these things off.” I can envision a company like that. It's a good problem to have. Their company is very healthy and robust and is growing fast, and the market is just demanding more of them. They want more, and they just want more and more great problems to have. But there's also this moment where they're at this special point where they're going to be building quite a few facilities and purchasing facilities that already exist in the next 24 months. If they don't think security, they're just gonna get great. We bought the thing. It's off the list, and we got to the Jacksonville delivery center. We got to Trenton, New Jersey, bill every set, like everything else doesn't matter. We've just got to check this off the list.

David Bacque: I can see where. It's an overwhelming problem, too. We need some security, and you start listing out. Here are all the practice areas of security and all the things I need to worry about. Here's where I currently am. And that's a process and a roadmap to develop that maturity. That's not something you can just come in and say, “Okay, we're going to do all this next week and be mature.” It's a big challenge among many challenges that growing businesses face. You need to get a partner there and put that process in place to get where you need to be to have a secure and robust organization.

Mike Krass: Absolutely. All right, Dave, the final question here is, there's nowhere to run, nowhere to hide. Tell our listeners about a terrible haircut at some point in your life.

David Bacque: I don't know what this has to do with security. But I will appease you and answer this question. We don't have a video on here, but if you were looking at me, you would look at a bald head. I lost all my hair when I was about 18, and it started thinning out pretty good. I just went for the shave. Prior to that, I had beautiful, flowing, long blonde hair. And at times, I would sculpt that into a mohawk. It was fantastic. It was very intense looking. I would be choking on the amount of hairspray and gel. It took to get it up into that position, but man, it was glorious. My current situation is probably karma or payback from those awful haircuts of my teenage years.

Mike Krass: Well, I appreciate you answering that question. You're the first person to bring it out that has nothing to do with security. We have filmed or recorded about two or three dozen of these shows, and no one's brought that up yet. So you're the number one to ask why we talked about haircuts. Well, Dave, I appreciate you bringing your background and controls, IT, and OT into our listeners. When listeners often listen to a show, they'll send us an email or hit us up on social media. Mike teased at this idea that there's a checklist and certain things. What's the best way for listeners to get in touch with you personally or with RED Group?

David Bacque: Our URL is red.group, which is very good but confusing because people want to put a .com at the end of it. Don't do that. Just go to red.group. You can look me up on David Bacque at red.group. Hopefully, we'll put a link down in the description or something, and also you can look me up on LinkedIn.

Mike Krass: Excellent. Thank you, Dave. And to our listeners, we will have Dave's LinkedIn URL in the show notes and a few hyperlinks to their website. Thank you for tuning into What's the Problem, the show that explores problems, scenarios, issues, and situations in the world of security. If you want some additional advice or counsel on operational technology, you must talk to Dave and gang at RED group.

Do you want to talk about marketing in the world of security? You've got to talk to folks at MKG marketing, and that's the left out of confusing URLs. Thank you for tuning in. We will catch you at the next show.