How to Embed 30 Years of Security Funding into Capital Budgets – Episode 135
Most of us struggle to get funding for industrial cybersecurity. Ian Fleming of Deloitte explains how, because cybersecurity is essential to sustaining the value of industrial assets, we can embed up to 20 or 30 years of cybersecurity budget into capital plans, rather than fight for budget every year.
“Budgeting for OT cybersecurity shouldn’t be an afterthought for a capital project. Trying to integrate it into the life of the physical asset, I think is key.” – Ian Fleming
Transcript of How to Embed 30 Years of Security Funding into Capital Budgets | Episode 135
Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.
Nathaniel Nelson
Welcome listeners to the Industrial Security Podcast. My name is Nate Nelson. I’m here with Andrew Ginter, the Vice President of Industrial Security at Waterfall Security Solutions, who’s going to introduce the subject and guest of our show today. Andrew, how are you?
Andrew Ginter
I’m very well, thank you, Nate. Our guest today is Ian Fleming. He is a solutions architect for OT, industrial control systems and cyber physical solutions at Deloitte. And today we’re going to be talking about how the money flows. We’re going to be talking about working the numbers, arranging the budget so that there is in fact budget for industrial security.
Nathaniel Nelson
Then without further ado, your interview with Ian Fleming.
Andrew Ginter
Hello, Ian, and welcome to the podcast. Before we get started, can I ask you to please introduce yourself and, you know, say a few words about the good work that you’re doing at Deloitte?
Ian Fleming
Yeah. Hello, Andrew. Thanks for having me. My name is Ian Fleming. I lead cybersecurity efforts with operational technologies at Deloitte. My team really focuses on helping organizations secure their industrial control systems, like building automation and physical infrastructure systems that are typically overlooked when it comes to cybersecurity. Prior to Deloitte, I worked really heavily in power. I did a lot of operational technology. Cyber was involved in a lot of NERC CIP work. I actually enabled some of the vulnerabilities that we’re trying to patch today. So I feel like I’ve come into the consulting side to pay penance for what I’ve done in industry.
Lately at Deloitte I’ve been working on integrating security as part of core operations, especially in industries and areas of civil government, where the line between physical assets and cyber assets is becoming increasingly blurred. We also work to make sure our clients can effectively manage risk related to these systems and get proper alignment between security investments and business goals. It’s good to be here.
Andrew Ginter
And our topic today is budget, you know, shaking the money loose, managing the money. We don’t get anything done in most businesses unless there’s a budget to get it done. And we’re going to talk about sort of the OT security budget, the industrial security budget. But can we start with IT? I mean, do IT teams have the same struggle for budget that we observe in the OT world?
Ian Fleming
That’s a good place to start. I mean, IT teams do face their challenges with budgets, but they’re often more straightforward nowadays when compared to OT. I think in IT, cybersecurity costs are generally tied to a business process or a system that the top floor of the office typically understands. Pretty clear. But often, like cloud based solutions where information is an asset, they’re easier to finance and frankly, it does work more from the top down of the organization. If it initially couldn’t get funding, they’ve been able to really structure their sales pitch towards, you know, real business goals, which is great. It’s something that OT, you’d think it would be easy for them to describe it, but the top floor tends to just throw money at those problems whenever things break, versus IT where they see it more as a strategic advantage. If you move data between, say, cloud providers, you’re doing upgrades of infrastructure relatively easy. In IT, you can handle the issues in a more agile way. At the same time, IT has been rapidly transitioning from company owned data centres, which were once inside of an office building, to cloud based, more operational expense type models, where logical security nowadays we refer to as security as code. It automates much of the security work in IT. Now these models do allow IT teams to dynamically shift their resources and manage security through software, which works really well in environments where assets are entirely virtual and easy to scale. And that’s the reason why operational expenses have really exploded in IT. But let’s look at the other side, like in OT, where my clients are working and where I’m focusing some of my time at Deloitte. We’re dealing with physical assets like machines and sensors, industrial equipment, where failures mean real world space and time consequences.
It goes beyond just the information, it’s physical stoppage of production. So the problem is also compounded by the fact that IT often has to compete with the physical maintenance budget for operations, which typically isn’t really seeing much in IT, especially with the advent of cloud and everybody in IT moving that direction. As far as physical capital projects like industrial automation systems or infrastructure, they are also fundamentally different. Most of the projects in OT are architected, designed, budgeted and financed over really long life cycles, like 20 year life cycles before a refresh. When a capital project such as, you know, physical infrastructure is initiated, all costs, including materials, labour, maintenance, think of building a building, or heck, even just renovating your kitchen in your house, they’re budgeted upfront and financing is typically secured through like a large one time capital expenditure.
Andrew Ginter
So Nate, you know, we’re talking about budgets here. A lot of our listeners, I’m guessing, are like me and have sort of a limited understanding of accounting and budgets. I mean, we tend to be focused on bits and bytes and buffer overflows and, you know, crypto systems. So let me give you just a little bit of background here. You know, when I started the episode, I had sort of a small business owner’s understanding of accounting and budgeting. You know, I’ve operated my own small business from time to time. And when I operated my own business, there were, you know, two kinds of expenses. There’s what’s called capital expenses and operating expenses. If you buy, let’s say, a delivery truck for a delivery business, the truck, you know, is going to deliver value to you. You’re going to use the truck for like a decade. And so the government generally requires you to declare that large expense as a capital investment.
Which means, you know, I always thought it was sort of a liability to declare that, because what I’d like to do is reduce the amount that I pay in taxes. And so if I could claim the entire cost of the truck against my revenues that year, as a small business owner, as a sole proprietor, I would pay less taxes. The government says, no, no, you can’t do that. You have to, you know, assume a lifespan of three or 10 years or something for the truck, and you can only claim a fraction of the expense against your taxes and reduce your taxes slowly over time, because the asset is reducing in value over time.
Andrew Ginter
Expenses like gasoline that you use up, you know, that day or over the course of the next week, you can claim the entire amount of the expense against your income. You can reduce your taxes. This is sort of the naive model I had of capital expenses versus operating expenses. You can claim all of operating expenses right away. It turns out that in big business, claiming capital costs over a period of time, let’s say the delivery truck over 10 years, is an advantage because big business wants to show a profit every year, wants to control their expenses every year, control the expenses that they claim. And so if they have to buy, you know, a fleet of trucks, a thousand trucks in a particular year, and they’re going to last 10 years, then they don’t want to show that they have negative profit in the year that the money left the business, because it left the business that year to buy the thousand trucks. They want to account for that expense over the life of the asset, the trucks, so that they can show a consistent profit.
So, you know, this is sort of, capital versus operating is different in small business versus large business. And, you know, in heavy industry, which is, you know, industrial security, we’re all about industrial here. In heavy industry, there tends to be extreme pressure to reduce operating expenses. When you build a mine, you invest, I don’t know, $3 billion, you know, before the first shovelful of ore, you know, with gold or whatever in it, comes out of the mine. You invest a massive amount. This is your capital investment.
And once you’ve made that massive investment, generally you’re under pressure to minimize the cost of operating that asset over the course of the next 30 years, because you’re producing a commodity. You know, even gold is a commodity, and you sell the gold at the world price for gold. Gold is interchangeable. Nobody cares if it’s your gold or somebody else’s gold. You’re fighting with every other gold mine on the planet to produce gold.
And, you know, even gold gets more expensive every year to produce as the supply diminishes, to produce gold, you know, at a price that will show you a profit. So operating expenses are always under extreme pressure in heavy industry, and they capitalize their investments. So that’s sort of accounting 101 when I came into this. I have learned from Ian. So I’m thinking, let’s go back to Ian and learn, you know, the mistakes I’ve just explained to you and sort of the naive understanding of accounting.
Andrew Ginter
So thanks for that. You know, reflecting on what you just said, the thing that I think I caught was that there’s roughly two kinds of budget: there’s capital expenses and operating expenses. You know, in the OT world, everybody wants to minimize operating expenses and, you know, capital is kind of what it is. In the IT world, I think I heard you say that everything is becoming operationalized, meaning it’s all going into the OpEx budget, but you’re saying that capital budgets are still really important in the OT space. Is that the key difference here between these two spaces? Is it the budgets?
Ian Fleming
Well, I think that’s a really good question, and it has been something that I’ve been struggling with, like how to operationalize an OT cybersecurity program when it’s being funded through what, like I was talking about earlier, typically in IT is more of an operational expense budget. You don’t really tie the ongoing maintenance of a computer system that’s anticipated to run for five years on a capital expense. It’s like replacing Oracle or a Salesforce application. That’d be a CapEx. Unless, of course, you’re buying all the software as a service. So those lines have been greyed. But because those physical assets do have a long lifespan and the security investments are typically, and when I say security, it’s also availability of those assets, are tied to those physical assets. So whether it’s built into CapEx or drawn down over time, it needs to be sustainable from a resourcing perspective.
Like for instance in power, I worked in power systems for several years, power delivery and distribution. We had a financial metric called TIER. It meant times interest earned ratio, and a CFO in a prior life taught me about this, because I had no idea how to tie like a cybersecurity tool that was designed to protect an operational asset. So the TIER measures a company’s ability to meet its debt obligations by comparing its income before interest and taxes to the interest and expenses on its debts. So basically, over the life cycle of that asset, you wouldn’t be underwater on your loan. So the TIER ratio can indicate whether your organization has that profitability from that asset that’s operational to cover its debt obligations and ongoing operational cost. When I figured that out with the CFO, and this is several decades ago, I was like, OK, that’s how I’m going to tie my cybersecurity program to a very specific operational asset. And when I say operational assets, it has a physical, a cyber physical component to it.
That actually helped me budget long-term OT cybersecurity measures towards the asset, and that’s some of the work that I’ve been doing here at Deloitte: tying that by getting it down at the low level, like how is this asset being budgeted and financed in order to convince somebody to take on the risk of installing it and owning it. But also trying to influence the cybersecurity metrics into that asset, to where the OpEx, the ongoing cost of protecting that asset from cybersecurity, is also encompassed inside that operational, I’m sorry, the capital expense of that asset.
Andrew Ginter
OK, so, you know, TIER, you talked about tying costs and interest to income. So when you say that you’re tying cybersecurity to an asset, we’re talking about an asset like, you know, in a power plant, a generating unit, not an asset that generates revenue, not like a bolt or a PLC that represents only an expense. Is that the sort of size and class of asset that you’re tying cybersecurity to?
Ian Fleming
Well, cybersecurity can be tied to any single component or group of components inside of the power plant. I like to think of the system itself. I do a lot of model based systems engineering at Deloitte as well, and we don’t typically look at each individual component as being completely autonomous from the process that it’s designed to, you know, operate. So it would be the entire system. I mean, the whole idea of doing a capital improvement or capital project is to account for also the, you know, financial risk of doing the investment or performing the investment on the asset, but also proper engineering to reduce the total cost of ownership of that asset. If cybersecurity isn’t tied into those models, it makes it very difficult to not just bolt on, because it’s being designed without cybersecurity in mind. But like for your example, a PLC.
If a PLC is designed inside of a power plant, let’s just use that as an example, and there’s no cybersecurity maintenance tied to that as part of the model for financially keeping that asset functioning, it’s going to make it very difficult in the future, over years, or even an adjustment to a threat or a risk, to find financing for that. And then you’re running into the patching problems, right? You’ve got to go through design assessments and everything all over again. However, if a device like a PLC was engineered and designed in that system, knowing that it had to accommodate a 20 year life cycle, and there will be times that they’ll have to be systematic updates and upgrades due to either compliance or regulatory, which is really difficult to plan for, but you know for a fact that the equipment itself is probably going to be replaced over time. I did one project for a client regarding a tunnel, one of their transportation tunnels. And they were extremely concerned about that because they knew that the technology was going to improve over time. So as part of the capital improvement project, it was a 50 year life cycle.
Creating a budget for cybersecurity improvements and functional improvements over time, instead of creating another capital project in the future, it was just built into the maintenance of that capital asset.
Andrew Ginter
OK, so, you know, you’re saying that when there’s a capital project, that’s the time. Not just, you know, lots of people say you need to build cybersecurity into your stuff beforehand, not afterwards. It’s always more expensive afterwards. What you’re saying, sort of in addition, is that you have to build the cybersecurity budget into the capital budget. At least that’s what I’m hearing. You know, have I got that right? And, you know, if I may, you’ve been working, you mentioned, with building automation. You know, when people try to make that tie, how’s that working in the parts of the industry that you’re working with?
Ian Fleming
Sure. And I do work a lot in government with, you know, a lot of government facilities, those types of things. When it comes to building automation systems or HVAC, lighting, heck, even water treatment systems, it’s clear that cybersecurity is an afterthought in these systems. We go in, there’s not a really clear point of reference for even what assets are on the network, and we are having to delve into like IT tools just to determine what physical inventory is out there.
And again, it goes back to the whole “in IT, data is the asset” thing. It’s easier to justify protecting the data because you can move it if there’s a failure. But in OT, such as HVAC systems, refrigeration and those types of systems, if a food processing plant goes down, you’re not just losing data, you’re risking the physical assets themselves, spoiled food, damaged machinery. Then comes in the challenge that physical operations are always under pressure to reduce those operational expenses, and cybersecurity is seen as an extra cost rather than a central part of keeping that system running safely and being available. Ironically, the way I feel about it is, just working in OT versus IT, it’s a lot like how cybersecurity was reviewed in the early to mid 1990s. We didn’t really have cybersecurity budgets back then. Everybody was just looking at IT as operations. I just need the information, and the product was more important than keeping it secure, and I feel like a lot of these OT systems…
So just building automation that doesn’t really have the cybersecurity component to it, if we look at the way they’re budgeted and the way that they’re brought online as a capital investment, and you design in that cybersecurity component to it, whether it be in contract or through supply chain, you know, that is what sets the budget. That’s what gives us the big wins in integrating security as a core part of operations, particularly in industries where there’s that vague line between where cyber can control or impact those assets. I mentioned the tunnel earlier, that’s a great example. We recently worked on a tunnel maintenance project. They wanted us to address cybersecurity as a priority. They basically made us cyber physical commissioning agents. So any type of PLC or logic controller that was touching an Ethernet network or had some kind of routable protocol that was creating some sort of function inside this structure, this infrastructure, they wanted us to look at that from not only a design perspective, because knowing what we’ve seen with TPS that are happening today and in the past, how we can make those cyber components more modular to where we know we’re going to have to upgrade, say, passive network monitoring. Well, maybe we’re doing passive network monitoring today, but in the future we might want to do active monitoring, just using that as an example, just designing those hooks in to where in the future it would otherwise require a massive heavy lift. It’s akin to, you know, having a spare tire or some sort of designed resiliency built in for cybersecurity purposes on an operational system.
Andrew Ginter
So let me chime in here, Nate. This is sort of my learning curve as I went through the episode. You know, start with IT. One of the points that Ian made was that almost everything is becoming operational costs in IT. You know, in years past, 20 years ago, if I bought a laptop as part of my small business, I would have to, you know, claim that as a capital expense. And I could only claim a third of the cost of the laptop every year. And I had to keep track of it for three years. You know, to me, it was annoying. But again, big business, they like capitalizing things. It normalizes their profits. In the IT space, though, today, you know, increasingly, in many jurisdictions, if you buy a laptop for $1,500, you just claim the thing right then and there.
It’s not worth capitalizing. It’s not big enough to drag out the accounting over three years. If you buy a server farm at a cost of $50 million, you know, and you expect a life of five years out of the server farm, you’re still expected to capitalize that. The thing is, almost nobody does that anymore. A lot of businesses don’t have their own server farms anymore. They’re renting the farms from someone else out of the cloud. And the rent comes out of the operating budget, not the capital budget, because someone else owns the asset. You can’t capitalize somebody else’s asset. So you don’t have big capital expenses in IT anymore.
When you apply that principle naively in OT, you wind up fighting for capital, or sorry, for operating budget every year, and you lose sometimes, and cybersecurity sort of falls by the wayside, and we have all these problems, and this is what we’re trying to solve. The insight here is that what you want to do is associate the cybersecurity cost with the asset that you’re protecting, and the asset is not the computer, the asset is the generating unit or the tunnel or, you know, a physical asset. To me, that’s counterintuitive. It’s an ongoing expense every year, yet it’s part of the capital plan, the capital budget for the asset. Why does that make sense?
And, you know, he didn’t quite say it in this many words, but in chatting with him, you know, he gave the example of a tunnel and maintenance. I mean, what do you maintain in a tunnel? There’s equipment in a tunnel. In a long tunnel, you’ve got to put air down there, or, you know, over time, all you’re left with is CO2 and nobody has anything to breathe, especially if you’re driving through the thing. You have to drain water out of there. If the tunnel is low enough to be below the water table, you really need strong pumps, if the tunnel is under a body of water or under a river. So you’ve got a lot of equipment in these tunnels.
And what he’s saying is that the cost of maintaining the equipment is part of the capital budget. And I’m going, really? And he says, yeah, the reason for that is because the asset, the pumps for the water, the blowers for the air, the value of the asset depends on correctly maintaining that equipment. If you don’t maintain the equipment, the value of the asset declines. You can’t use the asset anymore, or the equipment wears out faster than it’s supposed to. It’s supposed to last 20 years. It only lasts four years because you never maintained it. And so the maintenance cost is an ongoing cost every year, but it’s part of the capital budget, because it’s essential to the asset. And what he’s saying is that in the modern world, if you want to protect the automation that, you know, controls the equipment that’s essential to your asset, that cybersecurity protection should be part of the asset’s budget, not part of your, you know, cut to the bone operating budget, which was, you know, news to me. So this is sort of the theme going forward.
Andrew Ginter
OK, so, you know, what I’m hearing is that we need to build cybersecurity, ongoing costs, into capital plans. It sounds contradictory. You know, capital sounds like one time, and operational, you know, cybersecurity is ongoing. You know, is this new? Is this something that there’s precedent for in the OT space already?
Ian Fleming
Oh, absolutely. That’s a really good point. I mean, most OT systems are designed with the capital to account for operational expense over the life of that asset. It’s just, these are, you know, a contrarian example of what happened with the Aliquippa OT breach, the water facility out in Pennsylvania. It’s a great example of consequences, you know, potential consequences of cybersecurity in these types of OT environments, these water treatment plants and water utilities, if it’s not properly integrated into long term financial planning and life cycle management. And in the case of Aliquippa, like, remote access was added to a PLC. That PLC was exploited, led to a breach. And, you know, if we look at this, you know, it’s pretty obvious that there was a functional upgrade requirement. They wanted to be able to remotely manage this PLC. If that functional improvement to that capital asset was managed as a CapEx project instead of an operational improvement, like an OpEx budget, because IT just adds, you know, remote control or interactive remote access as a day by day function for regular maintenance of information technology systems.
But if it was designed and built into the system from the very beginning as part of the overall project cost, the change would have been memorialized in documentation. There would have been a change to an as built of the function of that system. The architecture engineer, the system integrator, all the people that were involved in the original design of the system could have included, in the initial setup of the interactive remote access feature that they wanted, a long term security strategy that embedded that function into the life cycle of the asset. They could have also modularized that cybersecurity function for planned replacement as new remote access protocols came out. Finance might also account for that expected life of the asset. And if the cost was too much, or the risk appetite was low, say no, this isn’t worth it. At least you’d have some sort of document that was showing what the cybersecurity expenses over that asset life cycle were going to be. You could have accelerated depreciation of that asset. It would have been more of a financial and a risk management decision versus a, hey, we need to enable interactive remote access on this machine or with this logic controller. Now it makes it a lot easier to enforce cybersecurity policies and just general operations policies and adjust to new standards while maintaining existing protections without having to worry about annual budget constraints.
If, say, there’s a bridge, and you want to put more load on it, there’s two ways to do it. You could just overload the bridge by changing out the weight limit sign, right, or you obviously have to recreate the structure and reinforce the base of that structure to carry the additional load. In operational technologies, it’s pretty clear that that’s very unsafe to do. In information technology, it’s not, because there’s not an intrinsic tie between the OT system and the context of operations that that system is operating under and the physical component. It’s just like, OK, we’re just installing interactive remote access here. So if a project is budgeted through a capital expense, it’s going through like a long term plan of how long that asset’s supposed to last and how it’s supposed to be maintained. It shouldn’t be an OpEx budget that we’re adding more IT features to without taking into context what that system was supposed to be used for and if we’re circumventing any of the controls by adding IT based cybersecurity and
interactive, you know, feature sets to that asset. I feel, Andrew, that’s where most of, you know, my past life I’ve gone wrong, is taking the IT approach, which, you know, hey, it’s a VPN, it’s encrypted, there’s nothing wrong. But I’m not really looking at the operational context, the attention that should be given to the operational context of the asset that I’m modifying.
Does that make sense? I guess I’m trying to tie that OpEx to the CapEx budget and the asset, the long term asset, and I’ve seen this over and over again. It has been a pattern, without using too many examples from clients that I’ve worked with. But those were most of the problems. If you’re modifying code in a virtual environment, there’s very little physical consequence to that. But when you’re doing it to an operational asset, it’s a very, very different set of consequences.
Andrew Ginter
OK. So let’s assume we can get cybersecurity costs for the life of the asset built into the capital plan for the improvement, whatever it is. You’ve got those costs built into the plan up front. How do you manage that financially? How do you pull money out of that over time, and what happens if you run out of the money that you’ve budgeted, because, you know,
costs have gone up, or what, you know, what happens if you use the physical asset not 20 years, you use it for 30 years, and you haven’t got the number in there that you can draw down for? Is it like a fixed number that you’re drawing down and you have to guess right with the number, or how does that work?
Ian Fleming
So yeah, the maintenance cost, you know, I’m not suggesting they need to be, like, it’s all going to be CapEx, but if OpEx, I’m sorry, it’s all going to be CapEx. Maintenance is going to be an operational expense over the lifetime of the asset. However, if there’s not a, what I’m advocating for is cybersecurity being part of the CapEx plan, so…
Think of designing any type of physical asset. You’re going to have components that are made to be pulled out and replaced, like conveyor belts. There’s a maintenance plan for that asset. Now what you just described there is a problem. It arises when, like, the TCO, the total cost of ownership financial metric, remains static and doesn’t account for either business growth, added functions, demands, you know, asset improvements, those types of things over time. For instance, we would install… it’s the whole overloading the bridge. We wouldn’t replace it just by moving the weight limit sign. We have to reinforce that structure itself because it’s a safety issue. Taking Aliquippa water, the TCO will have to be dynamic when it’s in the operational expense side; it has to adapt to the evolving functional demands of the asset, including the threat landscape of cybersecurity. But the CapEx part, the capital expense, it reduces the operational expense considerably if you plan for those systems to be replaced. Over time you might have to accelerate the depreciation of a life cycle or the acceleration of that asset.
You know, replace versus fix. If you don’t build into the model the componentry that needs to be replaced over time… So I hear what you’re saying. I mean, you kind of threw me an interesting one there, on like, well, it has to be dynamic. It’s not all… I just hope I’m being clear that I’m not advocating for the full operational technology security of an OT asset to be fully CapEx. The problem that I’ve seen is when asset owners deploy assets without even taking into account security concerns during the development and the financing of that capital asset. Think of it this way: it’s usually commissioned first, and then we go buy a product and call it, you know, cybersecurity vendor A, and we try to force it on top of that asset. A better approach would be, hey, we need to bring cybersecurity in on this. Let’s look at the model of the system, figure out where the more significant risks are, and design the system to account for cybersecurity over the long lifespan of the asset. It does create issues because IT doesn’t usually think that way. Remember, they’re mostly capital, I mean, they’re mostly operational. You know, if Azure comes out with something tomorrow, they’ll shift over to it. If you make a decision today with a capital expense, you have to be able to live with that solution for a specific period of time, based on your maintenance budget. Just like, you know, if a high OpEx type component fails on a truck, you’re going to replace it just to keep the capital asset alive. But there’s better ways to deal with it than just continually raising that operational expense over time. I hope I’m being clear on that, that I’m not advocating for the entire OT cybersecurity budget to be 100% in the capital expense or the
capital expense of that asset. It’s just, OT cyber needs a place at the table to influence the design of that OT asset.
Andrew Ginter
Okay, so let me chime in here. Again, in my learning curve, there's a difference between a capital expense and a capital plan. A capital expense is one where you spend, I don't know, $3 billion over the course of eight months, and then you reap the benefits of that over the next 30 years because you've built a mine, you've built a power plant, you've built something.
That's a capital expense. You spend the money once. A capital plan, in my understanding, is setting money aside in future budgets to deal with that asset. You've made a capital investment. You can't just spend the money and expect the thing to run. You've got to maintain this stuff. You've got to secure it. You've got to operate it. All of those costs are built into a plan for the asset.
And from time to time, the financial people have to reevaluate that plan. So for example, let's say we've just put a solar farm in, and we've got, I don't know, lithium batteries that we're using to store the power from the farm for overnight use. And these batteries wear out every, I don't know, three years and have to be replaced. And the life of the solar farm is expected to be 20 years. If the price of lithium batteries shoots through the roof,
the cost of maintaining this asset has now shot through the roof. The numbers we put together saying the asset is going to pay for itself in 20 years don't work anymore. There may be a point where we say we're going to shut this down and wait for three years and see if the price of lithium comes back to normal, or we're just going to shut it down and get rid of it. It just doesn't work anymore, because you're reevaluating the capital plan for that asset. In a sense, you might have the same thing with cybersecurity. It's not like you've put maintenance money in a bank account to be drawn down over 20 years. It's not like you put cybersecurity money in a bank account to be drawn down over 20 years and you might run out of money. That's not how it works. It's part of the capital plan.
And if there's a sudden change or a permanent change in your expenses, for example a new regulation comes down that makes cybersecurity for this asset much, much more expensive than it used to be, so expensive that, you know, the asset was only performing marginally to begin with,
and now we've tipped it over and it's just not profitable anymore. We might choose to shut the asset down. That's part, in my understanding, of the capital plan for the asset that needs to be reevaluated in light of current conditions. It's not part of the capital budget. The capital expense happened when you built the asset, but the plan persists. That's my limited understanding of how this works.
Nathaniel Nelson
The more we talk about long-term capital plans and 20-year timelines and these amortized cybersecurity budgets, are we then accounting for patching and upgrading legacy systems over these many-year timelines?
Andrew Ginter
Yeah, I did not ask Ian that question, but I think what springs to mind is patching. Legacy systems, legacy automation, 20-year-old automation, because that's how long the power plant lasts. We put automation in place for that.
The question is, should money not have been set aside to upgrade the automation? And the answer is yes. If you need to upgrade the automation to reap the benefits out of the asset, then you have to budget for that. But when we're talking cybersecurity, part of the problem, I think, is that it's an afterthought. Even if you plan up front and you look at a system and say, well, I'm going to take it down every five years for essential maintenance, and that's the opportunity to upgrade everything, what do I do in between? Well, there are new vulnerabilities a week after we turn the asset back on. Can we patch those things?
I think that comes down, I'm guessing, partly to whether it's in the plan, but partly as well to cost-benefit. If you can put compensating measures in, like strong network segmentation or device encryption, if you can put a compensating measure in that achieves the security objective and is cheaper than the really expensive patching process because of all the engineering that's involved,
maybe you should use the compensating measures, not because you have no other choice, but because you've rationally looked at costs and benefits and said it's way cheaper to use compensating measures than it is to try and keep the software up to date week by week as new vulnerabilities are announced. Again, I didn't ask Ian this, but applying the principles he's laid out, that's kind of what makes sense to me.
Nathaniel Nelson
And the other question I had: as Mike Tyson says, everybody has a plan until you get punched in the mouth. When you have a very long-term cybersecurity plan in place, how do you account for all of the ways in which your needs are going to change and the threat landscape out there is going to change in unpredictable ways, left and right?
Andrew Ginter
That's a good question. And I think that's the difference between a capital expense and a capital, or an asset, plan. An expense happens one time. The plan is something that lives for the life of the asset. And as conditions change, the cost of lithium changes, the threat environment changes, the plan might have to be reevaluated. Regulations change; you might have to reevaluate your plan. But that's part of the answer. A second part of the answer is that engineers tend to be heavily involved in asset plans, because they're designing the asset and they're the ones that have to design the asset to deliver the value over a 10-, 20-, 30-year period. And so engineers are heavily involved. And this is, I think, why the engineering community that I see, a majority of them, it's not universal, but a majority of them, are really embracing cyber-informed engineering, because this is an upfront process that shows them how to subtly change their designs up front in ways that take entire classes of risk off the table. The threat of a cyber attack causing a massive boiler to blow up in your face, you can take that off the table with a mechanical overpressure relief valve.
You can take other kinds of threats off the table by subtly changing the design of your network, the design of your automation. These changes, in a sense, are permanent. They take those classes of threat off the table permanently. That simplifies long-term planning. So they're embracing CIE, and the asset plan is something that's reevaluated periodically over the life of the asset.
And new conditions about the cost of maintenance, the cost of security, the need for security, the cost of insurance, all of these conditions are built into the periodic reevaluations of the asset plan. You don't have to get it perfectly right 20 years in advance.
Andrew Ginter
It does make sense. What I'm hearing is that we've had lots of guests on the show over the course of 100 episodes talking about building cybersecurity into technical plans for the management of automation assets. What I'm hearing you say is that it's not one number. It's not one time. It's that cybersecurity budgeting needs to be part of the ongoing budgeting and capital and asset management process that large organizations have. Is that what you're saying?
Ian Fleming
Well, that is the intent of asset management in an operational construct, right? It's about influencing the budget, or influencing the books on the inventory that you have on the shelf. That's where really good asset management forecasting comes into play, even from an OT or a cyber perspective. It just feels like there's a disconnect there because of the financing method and the way that things are operating with cloud and virtual software that's not operating inside of a data centre
anymore, but we need to be realistic about how long these assets will last and how much it will cost to maintain their security. A really good parallel can be drawn from the history of maritime insurance and the shipping industry. I've been working with the MTS-ISAC lately, so I got a really good crash course on how shipping industry vessels are classified based on build quality and ongoing maintenance, which directly impacts their insurance premiums. Actually, I think it was one of the first insurance companies that came into existence, with the maritime industry. So for instance, ships that receive a high classification rating from a society that classifies the build rating, like an A1 rating from Lloyd's of London, it indicates a vessel is of very high quality construction and well maintained. Also, from the MTS-ISAC, they're even tying cybersecurity rating systems into vessels, which I thought was fascinating at the last MTS-ISAC meeting I went to.
This is actually built just to lower or maintain, or just put some sort of a marker on, what the expected insurance premium will be, because the higher that rating, the lower the insurance premium would be. Conversely, ships with lower classification ratings from the society, or those that fail to maintain their rating, will have higher premiums, or they'll be considered out of class, which is uninsurable. So the same principle would apply to OT cyber: if the asset outlives its original budgeted timeline, or cybersecurity costs increase due to the threat or regulatory landscape, the organization should have a process in place to reevaluate that cybersecurity posture, much like how the ship's classification rating would be reassessed over time. If the asset loses its high rating because of neglected security or added features that were bolted on over time, the organization would face increased risk and higher cost for maintaining, I'm sorry, for mitigating those risks, and for not maintaining that asset.
Andrew Ginter
Cool. That's more than I thought I was going to learn about finance, so thank you for that. Can I ask you an open question? You've been doing this for a while. What else should we know? What am I not smart enough to ask you about here?
Ian Fleming
Oh, you know, the hard part. I think, Waterfall, I go far back with you guys in prior lives working in power, and I did like the approach with the data diodes. One thing that opened my eyes, working with Waterfall on other projects in my prior lives with utilities and industry, is the importance of the collaboration between an IT leader and those operations people that are in the field working on things, and including that finance team. I think having that cybersecurity built into CapEx, it's not easy. It's a hard thing to describe. I think I've done a pretty horrible job of trying to drive it here today, but it does require clear communication about the risks, benefits, and long-term cost savings.
And I do feel like, if we can explore this deeper, I hear a lot of business leaders saying the same thing. There's this disconnect between what's valuable and IT cybersecurity metrics or KPIs, the number of vulnerabilities that we're searching for or the number of threats that were thwarted, and it's disconnected from actual production, or just maintaining that business relevance with cybersecurity.
I feel like cybersecurity in general is more like quality and engineering the longer I've been in the industry, because I'm finding myself focusing more on how to articulate the problem in financial terms and using historical references to tie all this stuff together. It's not really about the whiz-bang latest and greatest vulnerability or attack. While those are sensationalized, it's really about how we sustain and how we adapt as a cybersecurity practice, specifically in operational technology, and not even just there, in cybersecurity in general.
How we can look at this differently and how we can describe it differently to get the attention that the asset deserves, and in our profession, how we can make things better. So I don't know if that answered your question, but this has been something really top of mind for me for a while. I wish I could tell you all the things that I'm involved in here, but the ones that I did bring up during this call were published in either the Wall Street Journal or other places that got some national attention and were put in for some awards. So I just hope that we can challenge everybody here to think a little bit differently about the cybersecurity problem and how cybersecurity as a practice can address some of the problems in the industries that we serve.
Andrew Ginter
Thank you for joining us. Before I let you go, can you take us through the highlights? What are the key takeaways from our discussion here?
Ian Fleming
Yeah, sure, Andrew. The key takeaways that I have, just three, really. One: OT cybersecurity is fundamentally different from IT, mainly because it deals with those physical assets that can't be moved to the cloud, can't be replaced easily or shifted. The second one is budgeting for OT cybersecurity shouldn't be an afterthought for a capital project. Trying to integrate it into the life of the physical asset, I think, is key. That's what's going to keep your budget over the life of that asset. And the third: try to seek out collaboration across IT, not just inside the IT circles, but also the operations people that are designing, ENA firms, and include finance, CFOs. I think that's really essential for the long-term success of a cybersecurity program. You have to have a resourcing plan on that. Resourcing usually starts at finance. It's how everything gets paid for and maintained over time. And if you're struggling to secure that funding for cyber, don't fight for OpEx every year. Try to work to design that cyber maintenance into modules for those capital projects from the start. It's really a smarter way to secure your operations and a safer way to fund your ongoing maintenance of a physical operational asset over its operational life cycle.
Nathaniel Nelson
Andrew, that was your interview with Ian Fleming. Do you have any final words to take us out with today?
Andrew Ginter
Yeah, I learned something here about financing for big business. I learned that accounting for big capital expenses over time is actually a benefit. It stabilizes your profits. And I learned that large assets tend to have a capital plan that associates critical recurring expenses like maintenance and insurance and cybersecurity, couples those expenses to the asset, so you don't have to fight for those allocations every year. You either spend the money or you retire the asset. They're part of the asset.
I also learned that you kind of have to speak the financial language to make this happen. You've got to be able to communicate with the people who manage the budgets. You've got to be able to talk about assets and depreciation and management and maintenance. Use that language to work cybersecurity into that equation. The lesson is, if you can get cybersecurity into the asset plan, then you're going to have an easier time of managing cybersecurity and other essential operational outlays for that asset over the life of the asset.
And Ian didn't mention it, but he's on LinkedIn. He has a lot of papers on this topic, and he does more general cybersecurity stuff. This is just a piece of what he does. He's got papers on that, other stuff. If you're interested in digging deeper on these or other cybersecurity topics, there's a whole OT section at the Deloitte website, and you can just connect with Ian Fleming on LinkedIn at Deloitte, and he'll be happy to point you to his writing and help you dig deeper into the topic.
Nathaniel Nelson
Well, thanks to Ian for speaking with you, Andrew. And Andrew, as always, thank you for speaking with me.
Andrew Ginter
It’s always a pleasure. Thank you, Nate.
Nathaniel Nelson
This has been the Industrial Security Podcast from Waterfall. Thanks to everyone out there listening.