Waterfall Security Solutions (https://waterfall-security.com): Unbreachable OT security, unlimited OT connectivity. Feed last built Sun, 09 Nov 2025 10:09:19 +0000.

Data Diode vs Firewall: Understanding the Key Differences in OT Security
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/data-diode-vs-firewall-understanding-the-key-differences-in-ot-security/
Tue, 04 Nov 2025 09:20:06 +0000

The post Data Diode vs Firewall: Understanding the Key Differences in OT Security appeared first on Waterfall Security Solutions.

When you’re protecting operational technology infrastructure, the security solution you pick could mean the difference between weathering a cyberattack and making headlines for all the wrong reasons. It’s not really about whether you need protection anymore; that ship sailed when hackers started going after power grids and water systems. What matters now is figuring out which technology will actually work when attackers come knocking.

OT security isn’t your typical IT problem. We’re talking about systems that run power plants, manage water treatment facilities, control manufacturing lines, and keep transportation networks moving. When these systems fail, you’re not dealing with stolen passwords or leaked documents. You’re looking at potential physical damage, environmental disasters, or genuine public safety threats. Understanding your security options has never been more critical.

Two technologies dominate the conversation when it comes to creating secure boundaries between OT networks and external threats: data diodes and firewalls. Both handle security, but their approaches are worlds apart. This choice shapes everything: immediate protection, operational flexibility, compliance posture, and how well you’ll handle whatever new threats emerge.

TL;DR: Data Diode vs Firewall key differences:

| Aspect         | Data Diode                | Firewall                     |
|----------------|---------------------------|------------------------------|
| Security Model | Hardware, one-way         | Software, two-way            |
| Attack Surface | Minimal, immune to 0-day  | Larger, exploitable          |
| Maintenance    | Low, set-and-forget       | High, ongoing updates        |
| Flexibility    | Limited, no remote access | High, supports remote access |
| Performance    | Low latency, scalable     | Higher latency may slow      |
| Compliance     | Simple, physical proof    | Complex, ongoing checks      |
| Use Cases      | Critical infrastructure   | General OT with access       |

What is a Data Diode? Core Technology and Functionality Explained

A data diode is a cybersecurity device that enforces one-way data transfer between two networks. It allows information to flow out of a secure system without allowing external data to flow back in. Organizations use data diodes to protect critical infrastructure, defense systems, and industrial control networks from cyberattacks.

The technology works by physically severing the return path that network communications typically need. Regular network connections require two-way communication for protocols like TCP/IP to work properly. Data diodes break this requirement at the hardware level, making it physically impossible for external systems to establish connections or push data back into protected networks.

What Is the Technical Architecture of Data Diodes?

The hardware creates what’s essentially an air gap with controlled, one-way data transmission. Inside these devices, fiber optic connections carry data from OT networks to external monitoring systems, but the physical design prevents signals from traveling backward. The transmit fiber literally can’t receive signals, and the receive side can’t transmit anything. This isn’t a software setting that could accidentally get changed; it’s baked into the hardware design.

Your OT systems still provide all the data needed for monitoring, reporting, and analytics. Historians keep collecting process data, SCADA systems continue displaying real-time information, and operators maintain full operational visibility. The key difference? This visibility never creates a pathway for attackers to reach critical systems.

Data diodes also eliminate concerns about network protocols being exploited. Since there’s no return communication path, traditional network-based attacks simply can’t function. Malware that depends on command and control communications finds itself cut off from its handlers. Remote access trojans lose their ability to communicate back to attackers.

Security Guarantees Provided by Hardware Enforcement

Hardware enforcement gives you security guarantees that software simply can’t match. With a data diode, protection doesn’t depend on perfect configuration, timely updates, or hoping that nobody’s found an undiscovered vulnerability. The security model is binary: data goes out, nothing comes back.

This approach eliminates entire categories of cyberattacks that need two-way communication to succeed. Advanced persistent threats, remote access trojans, and command-and-control communications all need bidirectional connectivity. By physically preventing this connectivity, data diodes create an impenetrable barrier.

The reliability extends beyond external cyber threats. Data diodes also protect against insiders who might attempt to establish unauthorized network connections: even with administrative access to systems, an insider can’t override the physical limitations of the hardware.

Firewall Technology in OT Security Contexts

Firewalls have evolved considerably since their early days, particularly for operational technology environments. Modern OT firewalls include deep packet inspection, protocol-aware filtering, and specialized capabilities for industrial communication protocols. They act as intelligent gatekeepers, examining traffic and deciding what gets through based on predefined rules and policies.

Unlike data diodes, firewalls keep bidirectional connectivity alive while trying to filter out malicious traffic. They analyze packet contents, addresses, protocol types, and application behaviors to determine whether communications should pass or get blocked.

Evolution of Firewall Technology for Industrial Networks

Firewalls were originally built for IT networks, where the main job was to keep malicious traffic out of corporate systems while still allowing employees, servers, and applications to connect to the internet. These early firewalls were not designed with operational technology (OT) in mind. Industrial networks have very different requirements: 24/7 uptime, specialized communication protocols, and devices that often remain in service for decades. Applying traditional IT firewalls directly to OT environments often caused disruptions, latency, or outright failures because the firewalls simply didn’t “understand” how industrial equipment communicated.

To meet these unique demands, firewalls for industrial use evolved in several key ways.

First, they became protocol-aware. Industrial control systems rely on communication protocols such as Modbus, DNP3, IEC 61850, OPC, and PROFINET. Unlike typical IT protocols, these are highly specialized and often lack built-in security features. Modern OT firewalls now include deep packet inspection (DPI) for these protocols, meaning they can read and interpret the actual commands and values being exchanged between devices. This allows the firewall not only to block generic suspicious traffic, but also to detect anomalies such as unauthorized control commands or malformed data packets that could indicate tampering.

Second, OT firewalls added segmentation capabilities tailored to industrial environments. In IT, segmentation often means dividing a corporate network into different security zones. In OT, segmentation is even more critical because it can stop a compromise in one part of a plant or facility from spreading to safety-critical or production-critical systems. Modern industrial firewalls enable very granular control, ensuring that only specific devices or applications can talk to each other, and only in very specific ways.

Third, these firewalls evolved to perform application-layer filtering. Instead of just looking at IP addresses and ports, they can analyze the actual applications running on top of communication protocols. This provides deeper security by distinguishing between normal operational commands and malicious activity that might be hidden inside legitimate-looking traffic. For example, a command to “read data” might be allowed, while a command to “change setpoint” from an unauthorized source would be blocked immediately.

Finally, OT firewalls now support high availability and redundancy features designed for industrial use. In environments like power grids, oil refineries, or manufacturing lines, even a momentary network disruption can have costly or dangerous consequences. Industrial firewalls are engineered to handle continuous uptime, support redundant hardware configurations, and tolerate the challenging physical conditions of plant environments, such as electrical noise, temperature extremes, or vibration.

In short, firewalls for industrial networks have matured far beyond their IT ancestors. They are now specialized security devices that combine traditional packet filtering with deep industrial protocol awareness, network segmentation, and resilience features. This evolution reflects the growing recognition that OT environments face distinct threats, and that protecting them requires tools specifically designed for the realities of industrial operations.
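The “read data allowed, change setpoint blocked” rule described above is easiest to see in code. The following is an added example written for this page, not Waterfall’s or any firewall vendor’s code: a toy application-layer filter that decodes the Modbus/TCP header, classifies the function code as a read or a write, and allows writes only from a designated engineering station. The host addresses, the policy and the sample frames are constructed.

```python
"""Toy application-layer filter for Modbus/TCP.

Added example illustrating the 'read data allowed, change setpoint blocked'
policy; it is not Waterfall's or any vendor's product code. Host addresses,
the policy and the sample frames are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Modbus public function codes (Modbus Application Protocol specification).
READ_CODES = {
    0x01: "read coils",
    0x02: "read discrete inputs",
    0x03: "read holding registers",
    0x04: "read input registers",
}
WRITE_CODES = {
    0x05: "write single coil",
    0x06: "write single register",
    0x0F: "write multiple coils",
    0x10: "write multiple registers",
}

# Constructed policy (assumption): monitoring hosts may read; only the
# engineering station may write coils or registers (i.e. change setpoints).
MONITORING_HOSTS = {"10.0.2.20", "10.0.3.10"}
ENGINEERING_STATIONS = {"10.0.3.10"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: Optional[int]  # starting coil/register address when the PDU carries one


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the function code that follows it."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    # The MBAP length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    address = None
    if fc in READ_CODES or fc in WRITE_CODES:
        if len(frame) < 10:
            raise ValueError("PDU truncated: missing start address")
        address = struct.unpack(">H", frame[8:10])[0]
    return ModbusRequest(tid, uid, fc, address)


def decide(src_ip: str, frame: bytes) -> Tuple[str, str]:
    """Return ("ALLOW" | "BLOCK", reason). Anything unparseable or off-allowlist is blocked."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return ("BLOCK", f"malformed frame: {exc}")
    fc = req.function_code
    if fc in READ_CODES:
        if src_ip in MONITORING_HOSTS:
            return ("ALLOW", f"{READ_CODES[fc]} from monitoring host {src_ip}")
        return ("BLOCK", f"{READ_CODES[fc]} from unknown host {src_ip}")
    if fc in WRITE_CODES:
        if src_ip in ENGINEERING_STATIONS:
            return ("ALLOW", f"{WRITE_CODES[fc]} from engineering station {src_ip}")
        return ("BLOCK", f"{WRITE_CODES[fc]} from unauthorized host {src_ip}")
    return ("BLOCK", f"function code 0x{fc:02X} is not on the allowlist")


# Constructed sample frames: MBAP (tid, pid=0, length, unit id) followed by the PDU.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")        # read 10 registers at 0
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 01f4")        # set register 16 to 500
WRITE_MULTI = bytes.fromhex("0003 0000 0009 01 10 0010 0001 02 0000")  # write 1 register at 16
BAD_LENGTH = bytes.fromhex("0004 0000 0010 01 03 0000 000a")          # length field is wrong

if __name__ == "__main__":
    for src, frame in [("10.0.2.20", READ_HOLDING), ("10.0.2.20", WRITE_SINGLE),
                       ("10.0.3.10", WRITE_MULTI), ("10.0.2.20", BAD_LENGTH)]:
        verdict, reason = decide(src, frame)
        print(f"{src:<10} {verdict:<5} {reason}")
```

Run it and the read request from the monitoring host passes, the same host’s write single register request is blocked, the write from the engineering station passes, and a frame whose MBAP length field disagrees with its size is rejected before any policy is consulted. The example also makes the page’s maintenance point concrete: the protection is exactly as good as the host list and the function-code table, and the engineering station’s write is trusted on the strength of a source address, which is the kind of inbound path a data diode removes altogether.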

Configuration and Management Challenges in OT Environments

Managing firewalls in OT environments creates challenges. Industrial systems often need 24/7 availability, which means maintenance windows are scarce. Configuration changes require careful planning and testing. Firewall rule sets can become incredibly complex, and mistakes can block legitimate traffic or allow malicious activity through.

Another challenge involves keeping up with security updates and threat intelligence. Firewall effectiveness depends heavily on current threat signatures and properly configured rules. This ongoing maintenance requirement can strain resources.

Key Differences: Data Diode vs Firewall Security Capabilities

Data diodes operate on a deterministic security model where the hardware design makes certain attacks physically impossible. Firewalls implement rule-based protection requiring constant management.

The deterministic nature of data diodes means your security posture doesn’t deteriorate over time. Firewalls, on the other hand, rely on constant vigilance, updates, and adjustments.

Maintenance and Operational Requirements

Firewalls need regular updates, rule changes, and monitoring. Data diodes need minimal maintenance once deployed. Firewall management requires cybersecurity expertise; data diodes require more upfront network design work.

Performance and Operational Considerations

Data diodes excel in high-throughput scenarios and handle any IP-based protocol without modification. Firewalls introduce latency due to inspection and require protocol-specific support.

Operationally, firewalls enable remote access while data diodes eliminate it. Organizations must balance between absolute security and operational flexibility.

Data Diodes and Regulatory Compliance

Data diodes align closely with critical infrastructure protection standards, offering simple, verifiable compliance. Firewalls can support compliance, too, but require continuous updates and detailed documentation.

Implementation Scenarios

Use data diodes for critical systems that can’t tolerate compromise, such as power generation or chemical processing. Use firewalls when bidirectional communication and remote access are essential, such as in manufacturing. A layered approach using both often makes the most sense.

Waterfall Security’s Unidirectional Security Gateway

Waterfall Security Solutions pioneered hardware-enforced unidirectional protection. Their Unidirectional Security Gateway advances data diode concepts with support for industrial protocols, secure file transfers, and solutions like HERA (Hardware-Enforced Remote Access).

Waterfall Security’s technology provides deterministic security guarantees while addressing practical deployment challenges in industrial networks. With proven deployments in power, oil and gas, water treatment, transportation, and more, Waterfall offers a reliable approach to OT cybersecurity.

Conclusion

When it comes to protecting critical infrastructure, your choice between data diodes and firewalls does not have to be an either/or decision. While data diodes provide absolute protection through unidirectional communication and firewalls offer flexible, bidirectional connectivity with rule-based security, the most robust OT security strategies often combine both.

By adding hardware-enforced protection to segment critical networks, organizations can dramatically strengthen their security posture. This layered approach ensures that even if a firewall is compromised, the physical barrier provided by a data diode prevents threats from reaching your most sensitive systems. As cyber threats against OT continue to evolve, understanding these differences and combining the two technologies delivers resilience and safety for the future.

Security by Design- The New Imperative for Rail Systems
https://waterfall-security.com/ot-insights-center/transportation/security-by-design-the-new-imperative-for-rail-systems/
Tue, 04 Nov 2025 07:00:36 +0000


Security by Design- The New Imperative for Rail Systems

An introduction to the UITP Report & Real-World Applications

November 26, 2025 | 15:00 CET


Join us for an in-depth webinar exploring the UITP “Design for Security of Safety-Critical Systems” report — a groundbreaking framework for integrating cybersecurity into rail Safety Instrumented Systems (SIL 1–SIL 4) across their entire lifecycle. Aligned with the soon-to-be-published IEC 63452 and other key safety standards, this session will provide rail operators, suppliers, and cybersecurity professionals with practical insights on applying security-by-design principles to real-world challenges. Discover how industry leaders are addressing the intersection of safety and cybersecurity, the growing impact of AI-driven threats, and the new engineering principles shaping the future of secure rail systems.

Attendees will come away understanding:

  • Key findings from the UITP report and their impact on rail safety and cybersecurity
  • Real-world insights from Waterfall Security, MTA and Alstom on implementing recommendations
  • Open discussion on challenges, solutions, and best practices for embedding cybersecurity in safety-critical systems

About the Speakers


Serge Van Themsche

Senior Consultant for Waterfall Security,
Co-Leader of the UITP Report


Eddy Thésée

Vice President Digital & Cyber Platform at Alstom


Shea McKinney

Deputy Chief Information Security Officer OT at MTA,
Contributor to the UITP Report


Michael J. Wong

Cybersecurity Director at MTA,
Contributor to the UITP Report

Cybersecurity Risk Assessment for Public Transport OT Environments: A Practical Guide
https://waterfall-security.com/ot-insights-center/transportation/cybersecurity-risk-assessment-for-public-transport-ot-environments-a-practical-guide/
Thu, 30 Oct 2025 14:40:06 +0000


Cybersecurity Risk Assessment for Public Transport OT Environments: A Practical Guide

Discover how rail operators can strengthen cybersecurity in OT environments. This blog explores the UITP framework, helping transport leaders assess risks, set protection goals, and build resilience across critical rail systems. A must-read for anyone securing modern public transport.
Serge Van Themsche

Waterfall team


Why OT Cybersecurity Requires a Specialized Approach

Unlike IT systems, OT environments prioritize safety, reliability, and real-time operations. A cyber incident in an OT system, such as a signaling failure or a train control breach, can have immediate physical consequences, including service disruptions or safety hazards. 

The UITP framework outlines two models: Track A for small PTOs and Track B for mid- to large-sized operators. In addition to offering corporate and IT risk assessment guidelines, the report introduces a comprehensive model specifically tailored for OT environments, where customized protections are essential to address unique risks. 

Key Insights: Risk Assessment for OT Environments:

The Role of Track B in OT Cybersecurity 

Track B is designed for larger operators with intermediate to advanced cybersecurity maturity. It provides detailed risk and vulnerability assessment, aligning with international standards such as IEC 62443, ISO 27005, and TS 50701/IEC 63452. 

Practical Steps: From Risk Scoring to Security Level Targets 

Step 1: Identify the System under Consideration (SuC) 

Define the scope of the OT system to be assessed by identifying the SuC’s boundaries and documenting the system’s architecture.

Step 2: Identify Assets 

Create an inventory of OT assets within the SuC by listing the physical and logical assets and grouping them into zones based on their criticality and function.

Step 3: Define Risk Criteria 

Establish scales for impact and likelihood to evaluate risks. Assess consequences in terms of safety, operational availability, and financial impact. Evaluate the likelihood of a cyber incident based on threat actor capability (e.g., skill level, resources) and vulnerability exposure.

Step 4: Identify Threats and Vulnerabilities 

Define the threat landscape for the OT system by identifying threat actors (e.g., hacktivists, nation-states, insiders) and documenting vulnerabilities in the SuC.

Step 5: Conduct an Initial Risk Assessment 

| Security Level | Level of protection                       |
|----------------|-------------------------------------------|
| SL1            | Protection against casual violations      |
| SL2            | Protection against intentional violations |
| SL3            | Protection against sophisticated attacks  |
| SL4            | Protection against high-resource attacks  |

Evaluate the inherent risks in the SuC by assigning risk scores based on impact and likelihood. To determine the risk level (Low: 1; Medium: 2; High: 3; Critical: 4), use UITP’s risk matrix.

Step 6: Translate Risk Scores into Security Level Target (SL-T) 

The SL-T is transformed into a 7-dimension matrix based on the 7 Foundational Requirements (FRs) defined in IEC 62443 / EN 50701.

| FR  | Description                               | Details                                                         |
|-----|-------------------------------------------|-----------------------------------------------------------------|
| FR1 | Identification and Authentication Control | Ensure only authorized personnel and devices access OT systems. |
| FR2 | Use Control                               | Restrict system access based on roles (e.g., operators vs. maintenance). |
| FR3 | System Integrity                          | Protect OT systems from unauthorized modifications or malware.  |
| FR4 | Data Confidentiality                      | Secure sensitive operational data within OT networks.           |
| FR5 | Restricted Data Flow                      | Segment OT networks to limit unnecessary communication.         |
| FR6 | Timely Response to Events                 | Implement real-time monitoring and incident response.           |
| FR7 | Resource Availability                     | Ensure OT systems remain operational during cyber incidents.    |

Step 7: Perform Zoning and Define Zone Criticality 

Group assets into security zones that should reflect common security requirements (e.g., safety-critical vs. business-critical) and assign Zone Criticality Levels (ZC-L) based on the worst-case impact of a breach. 


Step 8: Implement Mitigation Strategies 

Apply controls to meet the SL targets for each of the 7 Foundational Requirements. To do so, each defined Security Requirement must be addressed.

For example, if a signaling system is assessed with a risk score of 3, translated into SL-T3, the Security Requirements marked in red in the following table must be met for FR5 (Restricted Data Flow). The same process applies to the 6 other Foundational Requirements.

This is where cyber technologies play an active part in the process. For example, a network architecture based on firewalls could achieve SL1 for FR5 but would require additional means to meet SL2 (SR 5.1.(1): physical network segmentation), whereas a unidirectional gateway would inherently meet SL1, SL2, and SL3 for FR5.

Step 9: Address Tail Risks 

Modern risk management introduces the concept of “tail risk”: the notion that some risks could bring down organizations or even entire industries has now entered the sphere of cybersecurity best practice. Even with robust risk mitigation, tail risks—low-probability, high-impact events—pose a real challenge. For instance, abusing a fail-safe mechanism to derail a passenger train or a freight convoy carrying dangerous goods could be considered a tail risk. Mitigation strategies may include raising the Security Level target (e.g., from SL-T3 to SL-T4), strengthening resilience planning (by implementing backup systems and manual overrides), and preparing incident response plans for worst-case scenarios.
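Steps 3 to 9 above form one procedure, so here is a single worked example that carries a small inventory through it. It is an added illustration written for this page, not UITP’s Tool 2 and not Waterfall’s code: the 4x4 risk matrix, the three assets and the rule that every Foundational Requirement inherits the same SL-T are constructed assumptions, while the FR5 levels credited to a firewall architecture (SL1) and to a unidirectional gateway (SL1 to SL3) are the ones Step 8 states.

```python
"""Worked example of Steps 3 to 9: risk scoring, the SL-T vector over the
seven Foundational Requirements, zone criticality, a tail-risk uplift and an
FR5 control-coverage check.

Added illustration, not UITP's Tool 2 or Waterfall's code. The 4x4 risk
matrix, the asset inventory and the rule that every FR gets the same SL-T
are constructed assumptions; the FR5 levels for firewalls and unidirectional
gateways are the ones stated in Step 8.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

FRS = ["FR1", "FR2", "FR3", "FR4", "FR5", "FR6", "FR7"]
RISK_LABELS = {1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed matrix indexed RISK_MATRIX[impact][likelihood], both on a 1..4 scale.
# The guide points to UITP's own matrix, which is not reproduced here.
RISK_MATRIX = {
    1: {1: 1, 2: 1, 3: 1, 4: 2},
    2: {1: 1, 2: 2, 3: 2, 4: 3},
    3: {1: 2, 2: 2, 3: 3, 4: 4},
    4: {1: 2, 2: 3, 3: 4, 4: 4},
}

# Highest SL a control achieves for FR5 (Restricted Data Flow), from Step 8:
# a firewall-based architecture reaches SL1, a unidirectional gateway SL1-SL3.
FR5_CONTROL_SL = {"firewall": 1, "unidirectional gateway": 3}


@dataclass
class Asset:
    name: str
    zone: str
    impact: int       # worst-case consequence of compromise (Step 3), 1..4
    likelihood: int   # threat capability x exposure (Step 3), 1..4


def risk_level(impact: int, likelihood: int) -> int:
    """Step 5: look up the risk level (1 Low .. 4 Critical)."""
    if not (1 <= impact <= 4 and 1 <= likelihood <= 4):
        raise ValueError("impact and likelihood must be on the 1..4 scale")
    return RISK_MATRIX[impact][likelihood]


def sl_target(risk: int) -> Dict[str, int]:
    """Step 6: expand a risk score into the 7-dimension SL-T vector
    (assumption: the same level is required for every FR)."""
    return {fr: risk for fr in FRS}


def zone_criticality(assets: Iterable[Asset], zone: str) -> int:
    """Step 7: ZC-L from the worst-case impact of any asset in the zone."""
    impacts = [a.impact for a in assets if a.zone == zone]
    if not impacts:
        raise ValueError(f"no assets in zone {zone!r}")
    return max(impacts)


def apply_tail_risk(sl_t: Dict[str, int], frs: Iterable[str], raise_by: int = 1) -> Dict[str, int]:
    """Step 9: raise the target for the named FRs, capped at SL4."""
    raised = dict(sl_t)
    for fr in frs:
        raised[fr] = min(4, raised[fr] + raise_by)
    return raised


def fr5_gap(sl_t: Dict[str, int], control: str) -> int:
    """Step 8: levels by which the control falls short of SL-T for FR5 (0 = met)."""
    return max(0, sl_t["FR5"] - FR5_CONTROL_SL[control])


# Constructed inventory (Step 2), grouped into two zones.
ASSETS: List[Asset] = [
    Asset("interlocking controller", "signalling", impact=3, likelihood=3),
    Asset("wayside object controller", "signalling", impact=3, likelihood=2),
    Asset("maintenance laptop", "maintenance", impact=2, likelihood=4),
]


def assess_zone(assets: List[Asset], zone: str) -> Dict[str, object]:
    """Run Steps 5 to 8 for one zone; the zone's risk is that of its riskiest asset."""
    risk = max(risk_level(a.impact, a.likelihood) for a in assets if a.zone == zone)
    sl_t = sl_target(risk)
    return {
        "risk": risk,
        "label": RISK_LABELS[risk],
        "zc_l": zone_criticality(assets, zone),
        "sl_t": sl_t,
        "firewall_gap": fr5_gap(sl_t, "firewall"),
        "gateway_gap": fr5_gap(sl_t, "unidirectional gateway"),
    }


if __name__ == "__main__":
    result = assess_zone(ASSETS, "signalling")
    print(f"signalling: risk {result['risk']} ({result['label']}), ZC-L {result['zc_l']}")
    print("SL-T:", result["sl_t"])
    print("FR5 gap with firewall only:", result["firewall_gap"])
    print("FR5 gap with unidirectional gateway:", result["gateway_gap"])
    raised = apply_tail_risk(result["sl_t"], ["FR5"])
    print("after tail-risk uplift, FR5 gap with gateway:", fr5_gap(raised, "unidirectional gateway"))
```

For the constructed signalling zone the riskiest asset scores 3 (High), which becomes SL-T3 on all seven FRs, mirroring the signaling example in Step 8; a firewall-only architecture is then two levels short on FR5 and a unidirectional gateway meets it. Raising FR5 to SL-T4 for a tail-risk scenario reopens a gap of one level, which is the point at which Step 9’s additional resilience measures come in.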

Applying UITP’s Risk Assessment Tools for OT

Tool 2 is specifically designed for OT systems, helping operators:  

  • Assess risks based on SL targets. 
  • Implement mitigation strategies aligned with the 7 Foundational Requirements. 
  • Address tail risks through resilience and contingency planning. 


Next Steps: 

  • Apply Tool 2 to assess and mitigate risks in your OT environment. 
  • Consult OT cybersecurity experts to tailor protections to your specific needs. 


Conclusion: Proactive OT Cybersecurity 

Cybersecurity in OT environments is not a one-time effort—it’s an ongoing process. By adopting UITP’s Track B methodology, operators can: 

  • Proactively protect their OT systems against evolving threats. 
  • Ensure safety, reliability, and resilience in public transport operations. 
  • Start the compliance process with standard EN 50701/IEC 63452. 

Final Thought: OT cybersecurity requires a specialized approach that balances safety, reliability, and security. Which methodology, if any, does your company use?

Managing Risk with Digital Twins – What Do We Do Next? – Episode 144
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/managing-risk-with-digital-twins-what-do-we-do-next-episode-144/
Mon, 20 Oct 2025 15:17:50 +0000


Managing Risk with Digital Twins – What Do We Do Next? – Episode 144

Asset inventory, networks and router / firewall configurations, device criticality - a lot of information. How can we USE this information to make useful decisions about next steps to address cyber risk? Vivek Ponnada of Frenos joins us to explore a new kind of OT / industrial digital twin - grab all that data and work it to draw useful conclusions.


“Lots of people have different data sets. They have done some investment in OT security, but they’re all struggling to identify what’s the logical next step in their journey.” – Vivek Ponnada


Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Welcome listeners to the Industrial Security Podcast. My name is Nate Nelson. I’m here with Andrew Ginter, the vice president of industrial security at Waterfall Security Solutions, who’s going to introduce the subject and guest of our show today.

Andrew, how’s it going?

Andrew Ginter
I’m very well, thank you, Nate. Our guest today is Vivek Ponnada. You might remember him from an episode a little while ago. He was the co-lead on the top 20 secure PLC coding practices document that came out a year ago, two years ago.

Today, he’s the Senior Vice President growth and strategy at Frenos. And our topic is digital twins for managing risk. And it sounds like a bunch of marketing buzzwords, you know, digital twins, managing risk, but they’ve got some real technology behind this. So I’m looking forward to this.

Nathaniel Nelson
Then without further ado, here’s you with Vivek.

Andrew Ginter
Hello, Vivek, and welcome to the show. Before we get started, can I ask you to say a few words about yourself for our listeners and about the good work that you’re doing at Frenos?

Vivek Ponnada
Sure, thanks Andrew. Hey everyone, my name is Vivek Ponnada. I am the SVP of Growth and Strategy at Frenos. I’ve been in the OT security space for quite some time. Back in the day, I was a gas turbine controls engineer for GE, then I became a controls and cybersecurity solutions upgrade sales manager for them.

I initially covered power and utilities and then of course added oil and gas. I’m based in Houston so that was a natural thing. Before joining Frenos, I worked at Nozomi Networks as the regional sales director for three years, so I’ve been in the OT security space for quite some time and I am happy to be on this podcast.

And at Frenos, we’re doing something cool. We’re doing an attack path analysis and risk assessment at scale, bringing autonomous risk assessments to a space that’s been lacking this kind of approach. So we’re looking forward to our conversation discussing more about that.

Andrew Ginter
Thanks for that. And our topic today is risk, which a lot of people find boring. I mean, people new to the field tend to want to focus on attacks. Attacks are interesting. Attacks are technical. It’s not until they have failed to secure funding as a manager of, you know, their security team for the last 10 years that they start being interested in risk, which is the language and the decision-making of business.

We’re going to talk about risk. You’re talking about, you know, we’re going to talk about digital twins, which is a real buzzword nowadays, but, you know, this is our topic.

And you’ve mentioned, you know, risk assessments, you’ve mentioned attack path analysis. You know I look forward to looking looking into all of this. You know to me, risk is is fascinating. It’s how we make progress. It’s how we shake the money loose.

But you know before we start, can we can we can you before we dig into it, can we start at the beginning? What is the problem, the risk problem that that you know we’re trying to address here?

Vivek Ponnada
Yeah, great question, Andrew. The past 10 plus years in OT security has been, let’s find out what we have, right? So lots of people start figuring out that they need asset inventory solutions. So the likes of Dragos, Nozomi, Claroty have been the forefront of that kind of an approach. So network security monitoring leading to passive asset discovery and vulnerability identification.

So now 10 plus years into this people have a lot of datasets. They have several sites, especially the ones that they would consider important to their production. They’ve installed sensors. They have lots of information.

Now they’re asking what next, right? The real use case is risk identification and risk mitigation as you mentioned, but there’s a struggle. We’ll struggle out there with different data sets not able to figure out what the actual risk is for them to address next. So that’s the problem we’re trying to solve.

We are trying to aggregate information, provide contextual analysis of what’s the riskiest path to a crown jewel or what might be the logical way to isolate and segment because not every risk can be mitigated by just patching your vulnerability for whatever reason that that’s the the main problem.

The conclusion is that lots of people have different data sets. They have done some investment in OT security, but they’re all struggling to identify what you do with that information what’s the logical next step in their journey.

Andrew Ginter
So that makes sense. I mean, it’s one thing to sketch, this is what the NIST Cybersecurity Framework says a complete security program should look like.

It’s another thing to say, I’ve only got so much budget this year and a comparable amount, hopefully next year. What do I do this year? What do I do next year? What’s sort of most important to do first? That’s that’s a really important question.

How does a person figure that out? What what’s the decision path there?

Vivek Ponnada
Yeah, that’s the real question. Lots of people in the past used to say over isolated or we are segmented. Where we have a DMZ between IT and OT. A lot of these assumptions have not been validated.

In other cases where they have different data sets, it’s not very clear what the what the next problem that they could solve is, right? So everybody like you said has limited budget or resources.

So the honest question is, hey, where we should focus next? It’s not very clear. People have done linear projects, right? They’ll pick a firewall project or a segmentation project or a vulnerability management program.

And all these are are good, but overall not fixing the immediate problem or not solving the immediate problem first, right? So the commonly requested feature of many of these tools like Dragos, Nozomi or other vendors has been, hey, can you please tell me what my riskiest asset is or what my riskiest path is?

And they have not been able to do it because that’s not in in their and their current portfolio, is that contextual summarization, right? So let’s say you have an asset at the Purdue model level two, for example, that is talking to another asset at level three, and then there’s a DMZ about that with some kind of firewall rules, isolating it, and if someone has a real world knowledge of this network and and that’s what we are talking about right a digital twin that’s kind of replicating the network and you analyze if that firewall rule and if that path is possible to get to level two or maybe they have other compensated controls in the path allowing them to say yep my level two is secure this network this location is not reachable easily or it takes a lot of complicated daisy-chaining of attacks to get to then that would be a an identification of what the what the risk is and if you need to address something.

The common consensus has been one, of course, you can really assess these in real time in the production environment, right? So you need to build something that’s a replica of that network.

And then you analyze all these scenarios to see if that asset that you deem important, or that network that you deem critical for your environment, is reachable or not reachable from the outside or from any other attack vector that you choose, right? The assumed breach could be your corporate enterprise network, it could be a wireless network, or it could be anything else that you deem as an attack vector, and you assess in this digital replica or digital twin whether that asset can be reached.

So that’s what, in general, most people have been asking for that’s been missing in the currently available set of tools.

Andrew Ginter
So Nate, Vivek’s answer there was a little abstract. Let me be a little more concrete. He’s saying, look, a lot of people in the last 10 years have deployed Dragos and Nozomi and Industrial Defender and, you name it, asset inventory tools.

And in a large organization, these tools come back and say, you have 10,000, you might have 50,000 industrial control system assets. Okay.

And many of them are poorly patched because they’re deep down in areas where it’s really hard to patch them. Patching them is dangerous. You have to test these patches, blah, blah, blah.

So you’ve got 107,000 vulnerabilities in these 50-odd thousand assets. Okay. And they’re arranged into 800, 2,000, whatever subnetworks.

And the networks are all interconnected. Right. So now you’re scratching your head, and the question is, what do I do next with my security?

And one of the things the asset inventory folks have done is they’ve allowed you to go through these assets, understand what they are, and assign a criticality to them. These are the safety instrumented systems. They’re really important.

Nothing touches them. These are the protective relays. They prevent damage to equipment, and so on. And so what he’s saying is you can’t just look at the list of assets and vulnerabilities and figure out what to do next.

You need a model. And so this is what he’s talking about, a digital twin that is looking at attack paths, looking at which assets are really important, and telling you which really important assets have really short and easy attack paths.

That’s probably what you need to focus on next.

Nathaniel Nelson
Yeah, and I fear this is one of those things where everybody else in the world knows something that I don’t, but, like, what is a digital twin?

Andrew Ginter
You know, that word is a marketing buzzword and it means whatever the marketing team wants it to mean. The first time I heard the word was in a presentation a few years ago at S4.

The sales guy from GE got up and did a sales pitch, in my opinion a very smooth, a very, what’s the right word, cleverly scripted sales pitch. But he basically said a digital twin is a computer model of a physical system.

And GE at the time had technology, they probably still have it, that will, let’s say you’ve got a chemical process, it’s got a physical emulator built in. It can simulate the chemistry.

It’s got emulators built in for all of the GE PLCs in the solution, for all of the GE iHistorian and other components. It’s got a complete simulation. And whenever measurements come out of the physical world, they correlate them against the measurements that should be coming out based on the simulation.

Whenever there’s a material discrepancy, they would say, oh, that’s potentially a cyber attack. Investigate this. Something has gone really weird here. And it would take all sorts of automatic action to correct it.

It was amazing in principle, yet I’ve heard dozens of other vendors use the term digital twin to mean other things. The best definition that I’ve heard is, look, your cell phone, Nate, your cell phone is a digital twin of you.

What does that mean?

It’s not, probably not, a biological simulation of your body, though some apps kind of do that. They’re measuring heartbeat and whatnot.

It is an enormous amount of different kinds of information about you. Somebody who steals your cell phone steals all that information, knows an enormous amount about you.

And so I like that definition because it’s much broader than the very specific original definition that I heard at S4 from GE. A digital twin can be anything that is a lot of detailed information.

And so, I can’t remember if it’s on the recording or not, but I remember asking Vivek, is your digital twin that kind of physical simulation? And he’s going, no, no, no. It’s a network simulation. It’s a different kind of digital twin than the physical simulation that some people talk about. And they use it for different purposes. So, again, it’s a marketing buzzword, but it means, generally speaking, a system that has a lot of information about another thing, and uses and analyzes and does good things with that information, like my cell phone does for me.

Andrew Ginter
So that makes sense in the abstract. I mean, you folks do this. You’re building this technology. You’ve got this digital twin concept. Can you talk about what you folks have? I mean, maybe give us an example of deciding what to patch next using this digital twin, and sort of give us some insight into what data you have, what data you need, and how you use that to make these decisions.

Vivek Ponnada
Yeah, great question, Andrew. Patching has been a significantly challenging problem to solve in OT, as you’re well aware, right? In IT, if it’s vulnerable, you apply a patch and there’s a limited downtime impact, but you run with it.

In OT, of course, it’s not practical, because a patch might not be available, an outage window might not be available, and of course there are production downtime issues to deal with, so patching has been really hard.

With what we’re doing, though, it’s actually highlighting what to patch and what might be skipped for the moment. Right, so when we’re doing this attack path analysis and we come up with a mitigation prioritization score, we say that, hey, this particular network is easy to get to, the complexity of the attack is pretty low.

In just one or two hops from the enterprise network, I’m able to get to this asset, and this is vulnerable. And we do provide other options besides patching, right; we’ll say maybe segmentation or adjusting the firewall rule might be the way to go in some cases. But if you do decide that patching is relevant, and our recommendation provides that, you’ll see that if something is not on that attack path, right, so it might be another asset in the vicinity, but the complexity of the attack to that asset is much, much higher, then you could deprioritize patching that asset, even if those two assets we’re talking about have the exact same vulnerability, right?

So if something is on the attack path and it’s easier to execute an attack on that asset, maybe you want to prioritize that more than another asset that has exactly the same vulnerability but is not on a critical attack path, if you will.

And so getting to it is harder. So you would want to deprioritize that compared to the other ones.

Andrew Ginter
All right, so you used the word reachable. Is that loosely the same as, or connected to, the concept of pivoting, where an adversary takes over an asset, a computer, a PLC, something, and uses the compromised CPU, basically, to attack other things, pivots through a compromised device to attack other things, and then repeats, uses the newly compromised things to attack other things?

Eventually you find, let’s say, computers that have permission to go through a firewall into a deeper network, and now you can use that compromised computer to reach through the firewall. Is this what reachable means? Reachable by a pivoting path?

Vivek Ponnada
It certainly could be, right? So pivoting would be jumping from one host or one asset to another, right, or from one network to another.

The concept of living off the land means that you have ownership of an asset and you’re using native functionality, and you eventually get to another asset from there because you have a direct connection, or to a firewall, for example. And so reachable essentially means that you’re able to get to that asset.

Now, how you get to that asset or network: is it because a firewall rule has any-any, for example, that allowed you to just get there, or in another case you were able to use RDP or some kind of insecure remote access to get there, or in other cases maybe a USB, right, somebody plugged in a USB and now you have access to that asset. So a lot of these scenarios are very much dependent on what the end user is trying to evaluate the risk for.

So if they are, for example, heavily segmented and their primary mitigations are all segmentation and firewall based, then they would want to know if those firewall rules are working according to plan, or if the last time there was an exception that poked a hole in their firewall, now they are allowing access from level 4 to their critical networks, not realizing that their firewall has a hole.

In other cases, they might have assumed that RDP was disabled on this level 3 device, this workstation, but it is actually enabled. And so now suddenly someone from outside of their enterprise network is able to get to that level 3, and once you’re there, they could do a lot more, right, further exploration. So reachable essentially means that you’re able to get to a network that’s of interest from another area that’s your starting point.

Andrew Ginter
So, Nate, I remember a couple of episodes, a year and a half, two years ago, Robin Berthier was on from Network Perception. He was doing, it sounded like, a bunch of similar stuff.

I don’t think they were taking the output of Dragos’s tools, but I could be wrong. What I remember was that he was taking firewall configurations and putting together sort of a reachability map, what’s reachable from where, for large complex OT networks, and would issue alerts when reality deviated from policy. You could say policy is this: safety instrumented systems never talk to the internet.

That’s a reasonable policy. And he would ingest hundreds, sometimes thousands of firewall configurations and router configurations and come back with an alert saying, these three devices over here are safety systems and they can reach the internet. So that’s what he was doing. What seems to me to be different here, but I could be wrong, is that we’re talking here about pivoting paths, not only paths in the network configuration. Not just reachability, but the difficulty of pivoting as well.

Nathaniel Nelson
Yeah, and is the reason why pivoting becomes relevant in a discussion about PLC security that these devices make for such efficient means of connecting your, let’s say, lesser IT assets to more important safety critical systems? So PLCs sort of seem like a natural point through which an attacker would move.

Andrew Ginter
Sort of. PLCs tend to be the targets of pivoting attacks in OT, sophisticated attacks, because they’re the ones that control the physical world. You want to reach the PLC to cause it to misoperate the physical process.

Pivoting through PLCs is possible in theory, and it’s a little bit more possible in practice when the PLC is based on a popular operating system like a stripped-down Windows or a stripped-down Linux.

But a lot of PLCs are just weird. Their operating system, their code does one thing. It does the PLC thing. In theory, you could break into the PLC and give it new code.

But if I want to pivot through a PLC to a Windows device, how am I going to get into the Windows device? I might want to get into it with a remote desktop. There is no remote desktop client on a PLC. It doesn’t exist.

And so in pivoting through PLCs, the attacker might, depending on the version of the PLC, have to do an enormous amount more work to get pivoted through a PLC.

And so if the only way into, let’s say, a safety system target, a really critical system, is to pivot through three different PLCs, pivoting through firewalls each time, that’s going to be really hard to do.

Whereas, I remember a presentation from Dale Peterson at S4 last year, or the year before, where he was talking about network segmentation. He says, network segmentation, firewalls, are almost always the second thing that industrial sites do to launch their security program.

And I’m going, excuse me, excuse me, what second thing? What’s the first thing? I thought firewalls were the first thing everybody does. “Andrew,” he says, “the first thing is to take the passwordless HMI off of the internet. That’s the first thing you have to do.” And I’m going, yep, you’re right.

And a tool like this will be able to look at your network and say, here’s my network. If I want to go from the bad guys into this HMI, it’s on the internet. It has no password.

That’s your number one. It can tell you that. Not just policy, but it says, and the safety systems back there, you’ve got to pivot through three PLCs.

That’s going to be really hard to do. You might have some other security you might want to deploy in between. So this is the concept of pivoting that I found very attractive in this tool, measuring the difficulty of an attacker from the internet reaching a target inside of a defensive posture.

Andrew Ginter
That’s interesting. We’ve had guests on the show talking about attack paths. These are tools that build a model of the system and count all of the ways that an attacker can get from where they are into a consequence that we want to avoid.

And it’s not just count them, but evaluate, let’s call it, the difficulty. I mean, the classic approximation for risk is likelihood times frequency. Sorry, likelihood times consequence, or impact, if you wish. And likelihood is a really murky, difficult concept for high consequence attacks. And so what a lot of people do is they substitute likelihood with difficulty. And they try to evaluate how difficult really nasty attacks with really nasty consequences are.

It sounds vaguely like you’re doing this. You’re talking about attack paths. You’re talking about difficulty. Is this where you’re going? The one thing you haven’t mentioned is consequence.

Vivek Ponnada
Yeah, that’s a good point, because we are doing something unique in that we are allowing the user to evaluate, in this digital replica, how an adversary might be not only pivoting but exploiting different components to get to their crown jewels, right? The way we’re doing that is showcasing different views of TTPs that are well documented, with all the IOCs and the threat intel that we aggregated. So if it’s a power customer, for example, they could use a Volt Typhoon view to see how a Volt Typhoon actor might be able to leverage initial access, then credential exploitation, then other kinds of exploits within the environment. And there might be a manufacturing customer with a whole different set of interesting TTPs that they want to evaluate. But the idea behind this is you figure out what the generally documented TTPs are for a certain type of adversary and how they might go about it from your starting point, which is initial access or the starting point of your threat analysis, all the way to the crown jewels. And in doing so, you’re making assumptions, right? Because we’re not in this production environment. We’re not actually exploiting something, but you’re evaluating the different scenarios where you say, OK, I have this Windows workstation and I’m going to use RDP, right? I’m going to exploit something there.

What if RDP was disabled? So these days people have some datasets where they can export from an EDR tool and provide open ports and services, right? Then we know, for example, upfront that some of these services, like SMB or whatever, that you think are typically exploited by the TTP or the threat actor of choice or interest are exploitable, and if you disable that, you now know that at least that path is closed, right?

In other cases, the attack path might show three or four different types of exploits to be able to get to that crown jewel or the crown jewel network.

Then that layer of difficulty, or the complexity of the daisy chaining, is much higher compared to another network or another attack path that is trivial, right? So if it uses native credentials and it only takes one hop in the attack path to get to that asset or network, then, for example, the previous one was more complex to even get to, right?

But at the end of the day, all this conversation so far is about how difficult it is to get to that crown jewel network or the crown jewel asset, right? We’re not talking about what the attacker might do once they get there, because that part is the impact or the consequence. Here we actually have an automatic assessment based on the types of PLCs or types of controllers or the types of assets we see in general, based on our threat intel and our initial assessment.

But an end user that’s running this tool, or a consultant that’s running this tool, can adjust that. Right, so there’s a manual way for them to say, hey, this network is of a higher priority for me compared to this other network.

Show me what the impact of getting to this network is for me, because this is higher for me. So to be fair, we’re not doing quantification yet. In this tool we’re limiting ourselves at the moment to how easy or difficult it is to get to a particular crown jewel network and what the adversary might be able to do in that kind of a network. Right, so it’s one of those interesting aspects of that analysis where you’re not doing the analysis of what an attacker would do once they get to a crown jewel, because that’s a whole different ballgame compared to trying to break the kill chain, break the path, way before that. So you’re assessing or analyzing what all the attack paths are and how easy or difficult it is to get to the crown jewels that you’re trying to protect.

Andrew Ginter
Good going. I mean, I have maintained for some time, and it’s easy for me to do because I’m on the outside, I don’t have to do the work. But I’ve maintained for some time that part of a risk assessment should be a description of the simplest attack, or three, that remain credible threats in the defensive posture, threats able to bring about unacceptable consequences. There’s always a path that will let an attacker bring about an unacceptable consequence. The question is how difficult it is.

And so to me, the risk assessment should include a description of the simplest such attack or attacks, plural.

So that’s sort of one. Is this kind of what you’re doing? Can you give me the next level of detail on what you’re looking at and how you’re making these decisions?

Vivek Ponnada
Yeah, definitely. So the problem, like you described, is that there might be some open ports or services that are vulnerable.

However, if those ports are closed or those services are disabled, then that problem is solved, at least for the moment, right? Unless there’s another vulnerability discovered on the particular asset. So what we’re doing is we’re ingesting information from the various sources that they have.

In other cases, we provide options to add that in the tool so that you have the contextual information as to what attacks are possible with what’s relevant in that environment, right?

And in the past, people did this using questionnaires, asking people, or evaluating with subject matter experts, using a tabletop or something like that. But the beauty of our Frenos platform is that you’re actually able to do this in an automated fashion and at scale, because if you have, like a typical customer, dozens of end-user sites and hundreds or even thousands of networks, you’re not actually able to analyze the risk of each network, of each asset, down to the level of what’s possible with the given ports and services, or installed software or not installed software, in that environment, right?

But if you’re able to ingest all this information, right from the IP addresses and different types of assets and the vulnerabilities tied to them, to the ports and services that are enabled or disabled, or in other cases making an exception to say, hey, I’m disabling this using some kind of application whitelisting or some kind of segmentation, all the information at scale can be analyzed and you can get a view that shows a realistic and more or less validated attack path, versus someone that’s just looking at a piece of paper or a complex network in a manual fashion.

So this is where I think the big difference is, in that we’re looking at the attack complexity and the attack path at scale, whether it’s tens or so of sites or thousands of networks, and we are able to decipher what the context is for exploitation or just lateral movement or whatever the path might be to get to your crown jewels.

Andrew Ginter
So you’ve mentioned a couple of times at scale; you’ve mentioned a couple of times the potential for ingesting information about a lot of assets and networks. The asset inventory tools out there produce that knowledge already. I’m guessing you’re interfaced with them.

Can you talk about that? How do you get data? How do you get the data about the system that you’re going to analyze?

Vivek Ponnada
Yeah, that’s a great question. Yeah, we definitely can ingest information from a variety of sources. So the platform can ingest information offline: drag and drop a CSV or an XML file or any kind of spreadsheet.

And we also have API hooks to be able to automatically ingest information from the likes of Dragos, Nozomi and Claroty, which are the OT security product vendors. We can also ingest information from CMDBs or any kind of centralized data repositories like Rapid7 or Tenable.

In other cases, the customers might have just spreadsheets from the last time they did a site walk. We can ingest that too. So we’re not restricted to ingesting any specific type of format. We have a command line tool that can ingest other sources as well.

But the basis, the digital twin, starts with the firewall and the config file. So we ingest information from the likes of Fortinet, Cisco, Palo Alto, you name it.

Then we ingest information from these IT or OT tools. At the end of the day, the more information that’s provided, the higher the fidelity of the data. But the beauty of the platform is that if you don’t have any kind of information, we can not only create mitigating controls and options within the platform, but we also built an extension of the Frenos platform called Optica, where you can quickly leverage existing templates, for example, Dell servers or Cisco routers or Rockwell PLCs.

Within a few minutes, you can drag and drop and build a template, which you then import into Frenos to replicate what might be in the system already. So, long story short, any kind of asset information, vulnerability information out there, we can ingest.

And if there is none, or there’s limited visibility in certain sections or locations, we can build something that’s very similar so that the customers can have a view of what the risk is in a similar environment.

Andrew Ginter
And you mentioned a couple of times, I remember here, compensating controls. I mean, the compensating control everybody talks about is more firewall rules, more firewalls, more firewall rules, keep the bad guys away from the vulnerable assets that we can’t patch because we can’t afford to shut everything down and test everything again.

Can you talk about compensating controls? What other kinds of compensating controls might your system recommend?

Vivek Ponnada
That’s a great question, because as we were discussing earlier, in OT not everything is fixable, because a patch might not be available or an outage window is not available, right? So historically, most people have used a combination of allow listing or deny listing, or some kind of ports and services disabled, or, to your point, firewall rules, and segmentation has a place in that as well.

Overall, the key is to figure out what the attack path is and in which fashion you can break that attack path. So if the consideration is from level 4 through a DMZ or firewall, and the firewall rule was any-any or something that was allowing too much, maybe too many protocols or something that could be disabled, you can start there as a preference. Right, if that’s not possible or that’s not a project you can take, the next thing could be, hey, I’m leveraging this kind of SMB or other exploit at that level 3 device before going to level 2.

Let’s look at what this service was on that particular asset, right, so you can disable that. So within the tool we built in almost 20 or so different options for combinations of all these compensating controls that are historically used in OT, right? So it could be a combination of a firewall rule, or a service or port disabled, or in other cases it could be disconnecting them to put them in a different segment. Again, this is not new, right? This is how historically OT has been able to mitigate some of the risk.

We’re just bringing that to the forefront to see or show you what other things can be done to break the attack path, versus strictly talking about vulnerability management and fixing the problem by applying a patch, which is not practical, as we talked about.

Andrew Ginter
Compensating controls are tricky, Nate. We identify a vulnerability, a weakness in a defensive posture. There’s a new vulnerability announced for some piece of software that we use on some PLC or safety system or who knows what, deep in our architecture. What do we do about that is a question everybody asks. Sort of the consensus that’s building up is that if that system is exposed to attack, then we have to put compensating measures in.

If it’s not exposed, or if it’s really hard to reach, maybe we don’t need to change anything in the short term until our next opportunity to do an upgrade or a planned outage or something.

And a tool like this one, like the Frenos tool, is one that can tell us how reachable it is, how exposed this is, and compare that to our risk tolerance. Are we running a passenger rail switching system? Are we running a small bakery?

Different levels of exposure are acceptable in different circumstances. So having the tool give us a sense of how exposed we are is useful in making that decision: are we gonna patch or not? And if we have to do something, it’s useful to have a list of compensating controls, sort of the list that I heard Vivek go through, but they’re probably gonna add to this if they haven’t already.

You can change permissions. If you’ve got a file server where sharing files is the problem and the bad guys can put a nasty on the file server, change permissions so that it’s harder to do that.

Turn off services, programs that are running on Windows. Windows ships with, I don’t know, 73 services running. Most industrial systems don’t need all of these services. It would have been nice to turn them off ages ago; if you haven’t already turned them off, and there’s a vulnerability in one of these services and you’re pretty sure you’re not using it, you can turn it off.

Add firewall rules that make it harder to reach the system. Add firewall rules that say, fine, I need to reach the system for some of the services, but I don’t think I ever need to reach this service from the outside, even if I need to use it on the inside, so add a firewall rule that blocks access to that service on that host from the outside.

None of this is easy. For every change you make to an important system, the engineering team has to ask the question: how likely is it that I’m messing stuff up here, how likely is it that I’m introducing a problem that’s gonna bite me with a really serious consequence, how likely is it that the cure is worse than the disease here? So compensating controls aren’t easy, but what I see this tool doing is giving us more information about the vulnerable system, about how reachable that vulnerable system is. What are the paths that are easiest to get to that vulnerable system? If I can turn off, I don’t know, remote desktop halfway through the attack path and make the attack that much more difficult, now you have to go through, I don’t know, PLCs instead of Windows boxes.

That’s useful knowledge. This is all useful knowledge. We need as much ammunition as we can get when we’re making these difficult decisions about, shoot, I have to change the system to make it less vulnerable. What am I going to change without breaking something?

Andrew Ginter
Well, thank you so much for joining us, Vivek. Before I let you go, can I ask, can you sum up for our listeners what the most important points are to take away from this new technology? And, I don’t know, what can they do next?

Vivek Ponnada
Yeah, for sure. So the quick summary is we’re trying to solve a problem that’s been around for a decade plus. Lots of customers do not have a risk assessment in place. They’re not quite sure where they stand currently.

So some of them are early in their journey, with this lack of information. They still need to figure out where they have to invest their next dollar or next hour of resource. And in other cases they have spent the past three or five years developing an OT security program.

There’s a lot of information available, lots of alerts, but again they’re not so sure how they compare to maybe their industry peers, or how they compare to where they should be in their security posture management.

So what Frenos is able to do is both leverage their existing data sets and fill in missing information by providing something that’s a replica of their environment, showcase where they should be focusing in terms of breaking the attack paths, highlighting not just where they currently stand but also where they were compared to yesterday. So overall, this is what most executives have been asking before investing in OT security: where do we stand currently, how good are we compared to an existing known attack vector or campaign, if you will, and then how good can we be currently, as in today, because the risks are not staying constant, so how do we keep up with it? So the outcome of the Frenos platform is both a point-in-time assessment, if you like, and also continuous posture management, because you’re able to validate what compensating controls and preventive measures you are deploying or implementing and whether they’re going well or not.

So the conclusion is that we are a security posture management and visibility company that’s able to bring out the best in your existing data sets, provide you the gaps and the gap analysis, and help you figure out where to invest your next dollar or resource, on what site or what location.

And if you’d like to know more, hit me up on LinkedIn. My email is Vivek at Frenos.io, or I’m happy to connect with you on LinkedIn to take it from there. If you’d like more information, hit up our website, Frenos.io, as well. You’ll see all the information about our current use cases, the different products and services we have to offer. So I’m looking forward to connecting with more of you.

Nathaniel Nelson
Andrew, that just about does it for your interview with Vivek Ponnada. Do you have any final word to take us out with today?

Andrew Ginter
Yeah. This topic is timely, the topic of risk-based decision-making. I mean, this is coming into effect in a lot of countries, particularly in Europe. The regulation in every country is different, but the directive says you have to be making risk-based decisions.

And I’m sorry, a risk assessment should be much more than a list of unpatched vulnerabilities. A list of unpatched vulnerabilities does not tell you how vulnerable you are.

It’s just a list of vulnerabilities. To figure out how much trouble you’re in, you need a lot more information. You need information about which assets are most critical. You need information about how reachable those critical assets are for your adversaries.

And when new vulnerabilities are announced or arise that simplify the pivoting path, that simplify the reachability of a critical asset for your adversaries, you need advice: that’s what you need to fix next, and here are your options for fixing that. So I see this kind of tool as a step in the right direction. This is the kind of information that a lot of us need, not just in the world of NIS2, but in the world of managing risk, managing reachability.

You know, we’ve all segmented our networks. What does that mean? You can still reach, bang, bang, bang, pivot on through. Well then, what does that mean? This kind of tool tells us what that means. It gives us deeper visibility into the reachability and vulnerability of the critical assets: risk, opportunity to attack. You know, I don’t like the word vulnerability. Too often it means software vulnerability. This kind of tool exposes attack opportunities and tells us what to do about them. So to me, that’s a very useful thing to do.

Nathaniel Nelson
Well, thank you to Vivek for highlighting all that for us. And Andrew, as always, thank you for speaking with me.

Andrew Ginter
It’s always a pleasure. Thank you, Nate.

Nathaniel Nelson
This has been the Industrial Security Podcast from Waterfall. Thanks to everyone out there listening.


The post Managing Risk with Digital Twins – What Do We Do Next? – Episode 144 appeared first on Waterfall Security Solutions.

IT & OT Relationship Management
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/it-ot-relationship-management/
Mon, 20 Oct 2025 13:23:37 +0000


IT & OT Relationship Management eBook

In many organizations the relationship between IT/enterprise security and OT/engineering teams is dysfunctional. Much has been written about the problem. Most of that writing misses the point. In most cases, the relationship problem can be resolved with a little clarity, a bit more good will, and a modicum of mutual education.

The root cause of most IT/OT disputes is consequence – IT and OT networks in most organizations have dramatically different worst-case consequences of compromise. These sharply different consequences demand very different management disciplines for OT vs. IT assets and networks. Compounding the problem is each side’s limited understanding of the other’s threats, risks and constraints.

While there is no “magic bullet”, effective cooperation to define and develop a workable OT security program proceeds much more smoothly with mutual understanding. Providing the foundation of that understanding is the goal of this guide.

Request the guide to explore:

Addressing espionage vs. sabotage – different risk management goals

Common misunderstandings – criticality, credibility, and cost-cutting

Prioritizing prevention – why segmentation and dependency analysis are so important in OT

About the author

Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.

FAQs About IT & OT Relationship Management

In many organizations the relationship between IT/enterprise security and OT/engineering teams is dysfunctional. These teams work in the same organization, support the same mission, and even address many of the same threats, but when they sit down together it sounds like they need relationship counselling.

Much has been written about the problem. Most of that writing misses the point, focusing on symptoms of the disagreement rather than the root cause. The root cause is consequence – IT and OT networks in many organizations have dramatically different worst-case consequences of compromise. These sharply different consequences demand different management disciplines for OT vs. IT assets and networks. Compounding the problem is each side’s poor understanding of the other’s threats, risks and constraints.

Mutual education is a key starting point. The goal of IT security teams is most often to manage business risk by protecting information – information is the asset. The security goal for most OT / engineering teams is to protect safe, reliable and efficient operations of the physical asset – information is the threat. The only way a control system can change from a normal state to a compromised state is if attack information somehow enters the control system. The focus for engineering teams must be to control the flow of potential attack information, not to protect that information.

The right question is not “Who should manage each asset?” but “How should each asset be managed?” While teams may argue over who should maintain which assets, the real question is “What are the consequences for the business if the assets are mis-managed?” Horror stories abound: an IT intern schedules a complete backup of the power plant control system at 2:00 AM and takes the entire plant down for the duration of the backup. A new Active Directory policy universally schedules a complete virus scan on every computer in the company at 3:00 AM and takes down every factory in the company.

In a real sense, who does the job does not matter, so long as they have the skills, knowledge, credentials and certifications to manage each asset correctly. The engineers who manage OT-critical Windows systems – does it make sense to make these people part of the IT team that manages Windows servers? There may be benefits – efficiencies, cross-training opportunities, or better expert retention rates, because bigger groups lead to greater opportunities for advancement. There may also be risks, if OT people are promoted into upper management roles and we no longer have enough people at lower levels trained and certified on how OT equipment must be managed. These are all organizational questions that can and should be answered independently, once we have agreed on how machines in OT must be managed differently from what appear to be similar machines in IT networks.

Analyzing Recent NIS2 Regulations – OT security is changing
https://waterfall-security.com/ot-insights-center/ot-security-standards/analyzing-recent-nis2-regulations-ot-security-is-changing/
Sun, 05 Oct 2025 07:16:29 +0000


Watch the webinar with SecuriOT for an in-depth look at the Recent NIS2 Regulations

One EU nation after another is releasing new regulations for their energy infrastructures to comply with the NIS2 directive. Jørgen Hartig of SecuriOT in Denmark joins us to look at the recent Danish, Norwegian, Finnish and other rules. We compare the rules to each other, to the long-standing NERC CIP regulations in North America, and to the IEC 62443 cross-industry standards. We dig into what’s new – consequence boundaries, OT/IT dependencies and more – and we look at the new concepts and ways of thinking that are at the core of these new security measures.

Attendees will come away understanding:

What are the rules, who do they apply to, and to what degree?

What’s new – for example requirements for manual operations, spare parts, IT/OT data flow inventories, OT isolation and IT/OT dependencies?

What are the unifying concepts underlying the new security requirements?

About the Speaker


Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.

Jørgen Hartig

Jørgen Hartig (OT Security Specialist | Founder at SecuriOT) brings practical, hands-on experience to the complex challenges of operational technology (OT) security. He works closely with clients to ensure compliance with NIS2, IEC 62443, NIST CSF, etc., making sure that security strategies are not only compliant but also resilient, scalable, and tailored to the operational reality on the ground.

Doing the Math – Remote Access at Wind Farms
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/remote-access-at-wind-farms/
Mon, 22 Sep 2025 12:07:50 +0000
By Andrew Ginter, VP Industrial Security, Waterfall Security

Stuff wears out. Friction is the enemy of moving parts and rotating equipment. Vibration is the symptom of wear – in conventional generators and wind farms both. But the math is different in wind farms.

In a conventional generator – coal, natural gas, or hydro – you have a turbine that turns steam pressure, chemical energy, or water pressure respectively into rotational energy. The rotating turbine turns a generator, which produces power. The generator rotates as well, but it is the turbine that suffers most of the friction and most of the wear.

So we monitor the turbines for vibrational anomalies, and we also monitor gas turbines for heat anomalies. We send a lot of detailed information about these symptoms to the turbine manufacturer; the manufacturer diagnoses the wear and, about once a quarter, remotes into the turbine management system to adjust the turbine. These adjustments increase runtime between maintenance outages – one way of minimizing the cost of maintaining the turbines.

There is a similar situation for wind farms. There is enormous stress on the bearings and other elements of a wind turbine. These things wear and need adjustment from time to time. So what’s the difference?

The math differs. A large power plant has maybe half a dozen steam or gas or hydro turbines. If the manufacturer remotes in once a quarter for an hour-long adjustment each time, that’s 6 hours of remote access per quarter. Many power plants use unidirectional remote screen view for this – extremely secure attended remote access. An engineer at the plant is on the phone with the turbine support technician, the engineer takes advice, asks questions and moves the mouse on the turbine management system. This cost is acceptable – 6 hours a quarter. The site engineer has the added benefit of supervising and understanding what the vendor technician has done to the site’s 6 very large, very expensive turbines.

The difference is math – a large wind farm has 300 turbines. Each of these smaller turbines wears out roughly as fast as the conventional turbines. Each of these wind turbines needs adjustment, maybe once a quarter as well. That’s roughly 300 hours of remote access sessions per year, adjusting the turbines.

It gets worse. Wind turbine technology is not as mature as 50-year-old conventional turbine technology. In older wind farms, there may be 5-6 vendors involved in supplying different kinds of technology in each turbine, and each of them needs to log into each turbine control system roughly once per quarter. That’s 1500-1800 hours of remote access sessions per quarter. Back of the envelope, there are 13 weeks in a quarter, so 13 x 5 x 8 = 520 working hours per quarter, give or take holidays. In these older, larger wind farms, therefore, we’re looking at 3-4 vendor remote access sessions going on simultaneously, to 3-4 different turbines, every working hour of the quarter.

But turbine technology is improving. In modern wind farms, there may be only a couple of vendors, each logging into each turbine roughly once per quarter to adjust the turbines and minimize wear. That might be only 1 or 2 vendors logged in on average, every working hour of every working day. Either way, attended unidirectional remote access, no matter how amazingly secure, is impractical. The math doesn’t work.
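To make the back-of-envelope comparison reusable for other sites, here is a small Python model, added as an example and not part of the original post. It encodes the post’s assumptions (one-hour adjustment sessions, 13 x 5 x 8 = 520 working hours per quarter) in a function, so that the conventional plant and the older and modern wind farms described above can be compared on the same footing. The site profiles are constructed from the figures in the text, and the function and profile names are my own.

```python
"""Back-of-envelope model of vendor remote-access load at a generating site.

Added example, not part of the original post. It takes the post's assumptions
(one-hour adjustment sessions, 13 weeks x 5 days x 8 hours = 520 working hours
per quarter) and turns the arithmetic into a function so other site profiles
can be compared. The site profiles below are constructed from the figures in
the text, not real sites.
"""
from dataclasses import dataclass

# Working hours in a quarter, as the post counts them (holidays ignored).
WORKING_HOURS_PER_QUARTER = 13 * 5 * 8  # 520


@dataclass(frozen=True)
class SiteProfile:
    name: str
    turbines: int
    vendors: int                   # vendors needing a session on every turbine
    sessions_per_turbine_per_vendor_per_quarter: float = 1.0
    session_hours: float = 1.0     # length of one adjustment session


def session_hours_per_quarter(site: SiteProfile) -> float:
    """Total vendor remote-access hours the site must host per quarter."""
    return (site.turbines * site.vendors
            * site.sessions_per_turbine_per_vendor_per_quarter
            * site.session_hours)


def average_concurrent_sessions(site: SiteProfile,
                                working_hours: float = WORKING_HOURS_PER_QUARTER) -> float:
    """Average number of vendor sessions open in any given working hour.

    Attended remote access ties up one site engineer for the whole of each
    session, so this number is the engineer head-count the site would need
    to supervise every session the way the post describes for a power plant.
    """
    return session_hours_per_quarter(site) / working_hours


def attended_access_feasible(site: SiteProfile, engineers_available: int = 1) -> bool:
    """True if the available engineers could attend every vendor session."""
    return average_concurrent_sessions(site) <= engineers_available


# Constructed profiles using the numbers in the post.
CONVENTIONAL_PLANT = SiteProfile("conventional plant, 6 large turbines", turbines=6, vendors=1)
OLDER_WIND_FARM_LOW = SiteProfile("older wind farm, 300 turbines, 5 vendors", 300, 5)
OLDER_WIND_FARM_HIGH = SiteProfile("older wind farm, 300 turbines, 6 vendors", 300, 6)
MODERN_WIND_FARM = SiteProfile("modern wind farm, 300 turbines, 2 vendors", 300, 2)


if __name__ == "__main__":
    for site in (CONVENTIONAL_PLANT, OLDER_WIND_FARM_LOW,
                 OLDER_WIND_FARM_HIGH, MODERN_WIND_FARM):
        print(f"{site.name}: {session_hours_per_quarter(site):.0f} h/quarter, "
              f"{average_concurrent_sessions(site):.2f} concurrent sessions, "
              f"attended with one engineer: {attended_access_feasible(site)}")
```

The conventional plant comes out at about 0.01 concurrent sessions, so one engineer on the phone for each session is no burden; the older wind farm comes out at roughly 2.9 to 3.5 sessions open in every working hour, which is the 3-4 simultaneous sessions the post arrives at, and the modern farm at about 1.2. Changing `session_hours` or the per-quarter session count lets a site plug in its own vendor contracts instead of the post’s round numbers.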

Renewables are the future of power generation – so we must solve this problem. This math is why Waterfall invented HERA – hardware-enforced remote access – which provides hardware-enforced unattended remote access. Vendors can be logged in constantly, across the Internet, using technology that is much more secure than “secure” software remote access (SRA).

Remote access for renewables is the topic the inventors of HERA will discuss on Waterfall’s next webinar. Join Lior Frenkel, CEO and Co-Founder of Waterfall, and me, Andrew Ginter, VP Industrial Security, to look at what’s needed for strong remote access to renewables, and how Waterfall is responding to this need with something brand new – a kind of technology the world has never seen before. We look at how customers showed us what they needed, what we built (HERA), how it works, and how it is dramatically more secure than software remote access (SRA).

We invite you to join us. Click here to be part of the hardware-enforced future of OT security in renewable generation.

I don’t sign s**t – Episode 143
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/i-dont-sign-st-episode-143/
Wed, 10 Sep 2025 08:31:45 +0000


We don't have budget to fix the problem, so we accept the risk? Tim McCreight of TaleCraft Security in his (coming soon) book "I Don't Sign S**t" uses story-telling to argue that front line security leaders should not be accepting multi-billion dollar risks on behalf of the business. We need to escalate those decisions - with often surprising results when we do.


“It always comes down to can I have a meaningful business discussion to talk about the risk? What’s the risk that we’re facing? How can we reduce that risk and can we actually pull this off with the resources that we have?” – Tim McCreight

Transcript of I don’t sign s**t | Episode 143

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Hey everyone, and welcome to the Industrial Security Podcast. My name is Nate Nelson. I’m here as usual with Andrew Ginter, the Vice President of Industrial Security at Waterfall Security Solutions, who is going to introduce the subject and guest of our show today. Andrew, how’s it going?

Andrew Ginter
I’m very well, thank you, Nate. Our guest today is Tim McCreight. He is the CEO and founder of TaleCraft Security, and his topic is the book that he’s working on. The working title is We Don’t Sign Shit, which is a bit of a controversial title, but he’s talking about risk. Lots of technical detail, lots of examples, talking about who should really be making high-level decisions about risk in an organization.

Nathaniel Nelson
Then without further ado, here’s your conversation with Tim.

Andrew Ginter
Hello, Tim, and welcome to the podcast. Before we get started, can I ask you to say a few words for our listeners? You know, tell us a bit about yourself and about the good work that you’re doing at TaleCraft.

Tim McCreight
Hi folks, my name is Tim McCreight. I’m the CEO and founder of TaleCraft Security. This is year 44 now in the security industry. I started my career in 1981 when I got out of the military, desperately needed a job and took a role as a security officer in a hotel in downtown Winnipeg, Manitoba.

Shortly after, I was moved into the chief security officer role for that hotel and others and had an opportunity to move into security as a career path. And I haven’t looked back. I decided I also wanted to learn more about cybersecurity.

Holy smokes, in ’98, ’99, I took myself out of the workforce for two years, learned as much as I could about information systems, and then came back for the latter part of my career and have held roles as a chief information security officer in a number of organizations. So I’ve had the pleasure and the honor of being both in physical and cybersecurity for the past 40 some years.

Andrew Ginter
And tell me about TaleCraft.

Tim McCreight
It’s a boutique firm with two of our lines. Our first line is that it’s new skills from the old guard, and we are here to help give back and grow.

And it’s our opportunity to provide services to clients focusing on a risk-based approach to developing security programs. We teach security professionals how to tell their story and how to use the concepts of storytelling to present security risks and ideas to executives.

And finally, we have a series of online courses through our TaleCraft University, where there’s a chance to learn more about the principles of ESRM and other skills that we’re going to be adding to our repertoire of classes in the near future.

Andrew Ginter
And our topic is your new book. You know, I’m eagerly awaiting a look at the book. Can I ask you, you know, before we even get into the content of the book, how’s it coming? When are we going to see this thing?

Tim McCreight
Yeah, well, thank you for asking. I had great intentions to publish the book, hopefully this year. Unfortunately, some things changed last year. I was laid off from a role that I had and I started TaleCraft Security.

So sadly, my days have been absorbed by the work that it takes to stand up a business and get it up and running. And my hat’s off to all the entrepreneurs out there who do all of these things every day. I’m new to this. So understanding what you have to do to stand up a business, get it running, market it, run the finances, et cetera, it has been, like, all-consuming. So the book has unfortunately taken a bit of a backseat, but I’ve got some breathing room now. I’ve got into a bit of a rhythm.

Tim McCreight
It’s a chance for me to get back to the book and start working through it. And to me, it’s appropriate. It’s a really good time. If I’m following the arc of a story, this is the latter part of that story arc. So I get a chance to help fill in that last part of the story, my own personal story, and to put that into the book.

Andrew Ginter
I’m sorry to hear that. I’m, like I said, looking forward to it. We have talked about the book in the past. Let me ask you again, sort of big picture. You know, I’m focused on industrial cybersecurity. I saw a lot of value in the content you described to us as being produced. But can you talk about, you know, how industrial is the book?

We’re talking about risk. We’re talking about leadership, right? How industrial does it get? I know you do a podcast. You do Caffeinated Risk with Doug Leese, who’s a big contributor at Enbridge. He’s deep industrial. How industrial are you? How industrial is this book?

Tim McCreight
It spans around 40 years of my career, starting from, you know, physical security roles that I had, but also dealing with the security requirements for telecommunications back in the eighties into the nineties, getting ready for, and helping with, the security planning for the Olympics in the early two thousands, working into the cyberspace and understanding the value of first information security, then it turned into cyber security, then focusing on the OT environment as well, when I had a chance to work in critical infrastructure and oil and gas.

And then finally, you know, the consistent message throughout the book is this concept of risk, and that our world, when we first began this idea of industrial security back in the forties, bringing it up to where we need to be now from a professional perspective and how we view risk.

I do touch on and do speak a little bit about the worlds that I had a chance to work in from an industrial perspective. The overarching theme, though, is really this concept of risk and how we need to continue to focus on risk regardless of the environment that we’re in.

And some of the interesting stories I had along the way, some of the, honest to God, some of the mistakes I made along the way as well. I’ve learned more from mistakes than I have from successes.

And understanding the things that I needed to get better at throughout my career. I’m hoping that folks, when they do get a chance to read the book, that they recognize they don’t need to spend 40 some years to get better at their profession. You can do it in less time and you can do it by focusing on risk, regardless of whether you’re in the IT, the OT or the physical space.

Andrew Ginter
So there is some industrial angle in there, but, like I said, industrial or not, I’m fascinated by the topic. I think I’ve beaten around the bush enough. The title, the working title, is “We Don’t Sign Shit.” What does that mean?

Tim McCreight
I came up with “We Don’t Sign Shit.” I have a t-shirt downstairs in my office that I got from my team at an oil and gas company I worked with. And Doug Leese was in the team as well.

And it really came down to this, the principle that for years, security was always asked to sign off on risk or to accept it or to endorse it or my favorite, well, security signed off on it, must be good.

Wait a second. We never should have. That never should have been our role. We never should have been put in a position where we had to accept risk on behalf of an organization because that’s not the role of security. Security’s role is to identify the risk.

Identify mitigation strategies and present it back to the executives so that they can make a business decision on the risks that we face. So in my first couple of weeks, when I was at this oil and gas organization, we had a significant risk that came across my desk and it was a letter that I had to sign off on. A brand new staff member came in and said, “Hi boss, I just need you to take a look at this.”

I’m like, “Hi, who are you? What team do you work on? And what’s the project you’re working on?” When I read this letter, I’m like, are you serious that we’re accepting a potential billion dollar risk on behalf of this organization? Why?

And they’re like, “Well, we always do this.” Not anymore. And we went upstairs. We got a hold of the right vice president to take a look at this, to address the risk and work through it. And as I continued to provide this type of coaching and training to the team there, I kept bringing up the same concept. Look, our job is not to sign shit.

That’s not what we’re here for. We don’t sign off on the risk. We identify what the risk is, the impacts to the organization, what the potential mitigation strategies are. And then we provide that to executives to make a business decision.

So when I did leave the organization for another role, they took me out for lunch and I thought it was pretty cool. The whole team got together and they created this amazing t-shirt and it says, “Team We Don’t Sign Shit.” So it worked, right? And that mindset’s still in place today. I have a chance to touch base with them often, ask how they’re doing. And all of them said the same thing: yeah, that mindset is still there, where they’ve embraced the idea that security’s role is to identify the risk and present opportunities to mitigate, but not to accept the risk on behalf of the organization.

That was the whole context of where I took this book: wouldn’t it be great if we could finally get folks to recognize, no, we don’t sign shit. This isn’t our job.

Nathaniel Nelson
So Andrew, I get the idea here. Tim isn’t the one who signs off on the risk. He identifies it and passes it on to business decision makers, but I don’t yet see where the passion for this issue comes from, like why this point in the process is such a big deal.

Andrew Ginter
Well, I can’t speak for Tim, but I’m fascinated by the topic because I see so many organizations doing this a different way. In my books, the people who decide how much budget industrial security gets should be the people making decisions about whether these risks are big enough to address today. Is this a serious problem? Because they’re the ones that, you know, have the business context. They can compare the industrial risks to the other risks the business is facing, to the other needs of the business, and make business decisions.

When you have the wrong people making the decisions, there’s a real risk that you make the wrong decisions, because the people executing on industrial cybersecurity do not have the business knowledge of what the business needs. They don’t have the big picture of the business, and the people with the big picture of the business do not have the knowledge, the information about the risk and the mitigations and the costs. And so each of them is making the wrong decision. When you bring these people together and the people with the information convey it to the people with the business knowledge, now the people with the business knowledge can make the right decision for the business.

And again, the industrial team executes on it. If you have the wrong people making the decision, you risk making the wrong decision.

Andrew Ginter
So let me ask, I mean, you take a letter into an executive, you do this over and over again in lots of different organizations. How is that received? How do the executives react when you do that?

Tim McCreight
So, I mean, my standard approach has always been, and I use this as my litmus test: if the role I play as a chief security officer or CISO, and you’re asking me to accept risk, I come back. And the first question I’m going to ask is, if this is the case and you’re asking me to do this, I’m going to say no. Invariably the room gets really quiet.

People start recognizing, oh, he’s serious. Yeah. ’Cause I have no risk tolerance when it comes to work. I would be giving everybody, like, paper notebooks and crayons and I want it back at the end of the day. So I don’t have any tolerance for risk. But to test my theory is when I ask executives, if you’re saying that my role is to sign off on this, then I’m not going to. Does that stop the project?

It never does. So the goal then is to ensure that the executives understand it’s their decision, and it’s a business decision that has to be made, not a security decision because my decision is always going to be, I start with no and I’ll negotiate from there.

But when we look at what the process is that I’ve provided and others have followed, I’ll bring the letter with the recommendations to the business for them to review and to either accept the risk, sign off on it, or find me an opportunity to reduce the risk.

That’s when I start getting attention from the executives. So it moves from shock, to he’s serious, to, okay, now we can understand what the risk is. Let’s walk through this as a business decision. That’s when you start making headway with executives, is taking that approach.

Andrew Ginter
So, I mean, that sounds simple, but in my experience, what you said there is actually very deep. I mean, I’m on the end of a long career as well, and I’ve never been a CISO. And in hindsight, I come to realize that, bluntly, I’m not a very good manager.

Because when someone comes to me, it doesn’t matter, anyone outside my sphere of influence, my scope of responsibility, saying, hey, Andrew, can you do X for me?

Whenever one of my people comes to me with an idea saying, hey, we should do Y, my first instinct is, what a good idea. Yeah, yeah.

Whereas I know that strong managers, their first instinct is no. And now whoever’s coming at us with the request or with the idea has to justify it, has to give some business reasons.

Again, so this is deep. It’s a deep difference between you and people like me.

Tim McCreight
Yeah, well, and it is, and, don’t get me wrong, there’s an internal struggle every time when I’ve worked through these types of requests, where I want to help people too, but I understand that the path you’ve got to take and how you have to get the business to understand it, accept it and move forward with it, it’s different, right? This is why some great friends of mine that I’ve known for years, and they were technical, they’re technically brilliant. They have some amazing skills. Like, honest to God, I stopped being a smart technical person a long time ago, and I’ve relied on just wizards to help move the programs forward.

And I’ve chatted with them as well, and they’re similar to you, Andrew. They’ve got great technical skills. They’ve been doing this for a long time. And one of the folks I chatted with, they’re just like, I can’t give myself the lobotomy to get to that level. I’m like, oh, my God. Okay, fair enough.

And I get it, but the way I’ve always approached this, it’s different, right? So I take myself out of the equation, from always wanting to help everybody, to how can I ensure that I’m reducing the risk?

And if I can get to those types of discussions and have them with executives, for me, that’s where I find the value. So all of the work I’ve done in my career to get to this space, the amazing folks that I’ve met along the way, the teams that I’ve helped build, the folks I still call on to mentor me through situations,

It always comes down to, can I have a meaningful business discussion to talk about the risk? And then it takes away some of the emotional response. It takes away that immediate, I need to help everybody do everything because we can’t.

But it gives us a chance to focus on what the problem is. What’s the risk that we’re facing? How can we reduce that risk? And can we actually pull this off with the resources that we have? So yeah, I get it. Not everybody wants to sit in these chairs. I’ve met so many folks throughout my career that they keep looking at me going, Jesus, Tim, why would you ever want to be in that space?

Why would you ever accept the fact that they’re trying to hold you accountable for breaches or for events or incidents? And I challenge back with, for me, it’s that opportunity to speak the business language, to get the folks at the business level to appreciate what we bring to the table, whether it’s in OT security, IT or cyber, physical or cyber.

It’s a chance for all of us to be represented at that table, at that level, but with a business focus. So for me, that’s why I kept looking for these opportunities: can I continue to move the message forward that we’re here to help, but let’s make sure we do it the right way.

Andrew Ginter
So, fascinating principles. Can you give me some examples? I mean, TaleCraft is about telling stories. Can you tell me a story? How did this work? How did it come about? What kind of stories are you telling here?

Tim McCreight
So there’s a lot that I’ve presented over the years, but a really good one is from when I was working with Bell Canada many years ago. We had been awarded the communication contract and some of the advertising and media supporting contracts for the 2010 Olympics in Vancouver.

And I was working with an amazing team at Bell Canada. Doug Leese was on the team as well, reporting into the structure, so it was very cool to work with Doug on some of these projects. The team that was putting in place the communication structure decided they wanted to use the first instance of commercial voice over IP. It was called hosted IP telephony.

And it was from Nortel, if folks still remember Nortel, Nortel Networks. We looked at the approach that they were taking, how we were going to be applying the technology to the Olympic Village, et cetera.

Doug and the team did this amazing work when the risk assessment came across: they were able to intercept a conversation, decrypt the conversation and play it back as an MP4, like an MP3 file.

You could actually hear them talking. At the time it was the CEO calling his executive assistant to order lunch. And we had that recorded. You could actually hear it. It was just as if they were speaking to you.

So that’s a problem when you’re trying to keep secure communications between endpoints in a communication path. We wrote up the risk assessment. We presented it to the executives. We presented the report up to my chain, and it was simple.

Here’s the risk. Here’s the mitigation strategy. We need a business decision for the path that we wanted to take. And that generated quite the stir. My boss got back to me and said, well, we have to change the report. No, I said, no, we don’t. We don’t change this shit. You just move it forward.

We’ve objectively uncovered the risk. The team did a fantastic job. But here’s an attached recording if you want to hear it, but let’s keep moving forward. So it went up to the next level of management, and same thing. Would you alter the report? No, I would not.

Move on, move on. Finally it got to the chief security officer. And I remember getting the phone call. It’s like, well, Tim, this is going to cause concerns. No, it’s a business decision. It isn’t about concerns. This is a business decision. And what risk is the business willing to accept?

So he submitted the report forward. Next thing, I’m getting a call from an executive office assistant telling me that my flight is going to be booked for the next day. I’ll be flying to present the report. Like, Jesus Christ. So, all right, I got on a plane headed out east.

Waited forever to talk to the CEO at the time. And all they asked was, is this real? Would you change this? I said, no, the risk is legitimate.

And here’s the resolution. Here’s the mitigation path. Here’s the strategy. So they asked how much we needed, what we needed for time. It was about six months’ worth of work with the folks at Nortel to fix the problem. And all of that to state that had we done this old school many years ago, we would have just accepted the risk and moved forward with it.

That wasn’t our role. That’s not our job, right? In that whole path, that whole risk assessment needed to be presented to the point where executives understood what could potentially happen. We had already proved that it could, but they needed to understand, here’s the mitigation strategy. We found a way to resolve it.

We need this additional funding, time, resources to fix the problem. So that stuck with me. That was over 20 years ago. And that stuck with me because had I altered my report, had I taken away the risk, had he accepted it on behalf of the security team, we don’t know what could have happened to the transmissions back and forth at the Olympics.

But I do know that in following that process, you never read about anyone’s conversations being intercepted at the 2010 Olympics, did you? It works. The process works, but what it takes is an understanding that, from a risk perspective, this is the path that we have to take.

It’s not ours to accept. You have to make sure you get that to the executives and let them make that decision. Those are the stories that we need folks to hear now, as we move into this next phase of developing the profession of security.

Andrew Ginter
So, Nate, you might ask, the CEO had a conversation intercepted ordering lunch. Is this worth the big deal that it turned into? And I discussed this offline with Tim, and what he came back with was, Andrew, think about it. Imagine that you’re nine days into the 10-day Summer Olympics, or two weeks, whatever it is.

And someone, pick someone, let’s say Chinese intelligence, is found to have been intercepting and listening in on all of the conversations between the various nations’ teams and coaches in the various sports and their colleagues back in their home countries.

They’ve been listening in on them for the whole Olympics. What would that do to the reputation of the Olympics? What would that do to the reputation of Bell Canada? This is a huge issue. It was a material cost to fix. It took six months, and he didn’t say how many people and how much technology.

But this is not something that the security team could say, “Okay, we don’t have any budget to fix this, therefore we have to accept the risk.” That’s the wrong business decision.

When he escalated this, it went all the way up to the CEO, who said, yeah, this needs to be fixed. Take the budget, fix it. We cannot accept this risk as a business. That’s a business decision the CEO could make. It’s not a business decision he could make with the budget authority that he had four levels down in the organization.

Andrew Ginter
So, fascinating stuff. Again, I look forward to stories in the book. But you mentioned stories at the very beginning when you introduced TaleCraft. Can you tell me more about TaleCraft? How does this idea of storytelling dovetail with the work you’re doing right now?

Tim McCreight
When I was first designing this idea of what TaleCraft could be, we reached out to a good friend of ours here in Calgary, Mike Daigle. He does some amazing work. He spent some time just dissecting what I’ve done in my career and what I’ve accomplished, and more importantly, some of the things that he wanted to focus on from a company perspective.

And one of the parts he brought up, and this is how TaleCraft was created, the word “tale,” was that I spend a significant amount of my time now telling stories, and it’s to help educate and to inform, stories to influence and to provide meaning and value to executives.

But the common theme for all of this has been this concept of telling a story. One of the things I found throughout my career is that as security professionals move through the ranks, as they begin at junior levels, move into their first role as management and move into director positions and eventually chief positions, the principles and the concepts of being able to tell a story or to communicate effectively with executives,

I found that some of my peers weren’t doing a great job. I don’t know about you, Andrew, but if you sit in a presentation that someone’s giving and all you’re reading is the slide deck, Jesus, you could just send that to me. I got this. I don’t need to spend time watching you stagger through a slide deck, or through slides that have a couple of thousand words on them that you’re expecting us to read from 40 feet away.

It doesn’t happen. So what really bothered me is that we started losing this skill set of being able to tell a story, and to effectively use the principles of storytelling to provide input to executives, to make decisions for things like budget or resourcing or allocating staff resources, et cetera.

So that’s one of the things that we do at TaleCraft: we teach security professionals and others the principle and the concept of storytelling and how the story arc works, those three parts to a story arc that we learned as kids: the beginning of the story, the middle where the conflict occurs, and the resolution, the end of the story, when you’re closing off and heading back to the village after you’ve slayed the dragon. Those three things that we learned as kids still apply as adults, because we learn as human beings through stories. We have for hundreds of years, thousands of years, used oral history as a way to present a story from one generation to the next.

We can use the same skill sets when we’re talking to our executives, when we’re explaining a new technique to our team, or when we’re giving an update in the middle of an incident on how you’re going to react to the next problem and how you’re going to solve it.

Those principles exist. It’s reminding people of what the structure is, teaching people how to follow the story arc when they’re presenting their material, taking away the noise, the distractions and everything else that gets in the way of listening to a story, and focusing on the human.

And that’s one of the things that we’re doing here at TaleCraft: we’re teaching people to be more human in their approach, and the techniques work. My wife is up in Edmonton doing a conference right now, the CIO Conference for Canada.

And she actually asked me, and this is a first, folks, for all those of you who are married, look at what kind of progress I’ve made, my wife actually asked if I could dissect her presentation and help her with it. I thought that was pretty amazing. We restructured it so that she was able to use props.

She brought in a medical smock and a stethoscope to talk about one of the clients that she worked with. And it sounds like it worked, because she got some referrals from folks in the audience and she’s spending time right now talking to more clients up in Edmonton. So, yeah, I crossed my fingers I was going to get through that one, and it seems to have worked. But these principles of telling a story, if you have a chance to understand how a story works and you’re able to replicate that in a security environment, all of a sudden now you’re speaking from a human to a human.

You’re not bringing in technology. You’re not talking about controls. You’re not spewing off all of these different firewall rules that we have to go through. Nobody cares about that stuff. What they want to hear is, what’s the story, and can I link the story to risk?

And at the top end of that arc, can I provide you an opportunity to reduce the risk, and then finish the story by asking for help? If we can do that... those types of presentations throughout my career, that’s when I’ve been the most successful, when I can focus on the story I need to tell, get the executives to be part of it, and focus on the human reaction to the problem that we have.

That’s one of the things that we’re teaching at TaleCraft.

Andrew Ginter
So that makes sense in principle. Let me ask you. I mean, I do a lot of presentations. I had an opportunity to present on a sort of abstract topic at S4, which is currently the world’s biggest OT security-focused conference. And, if you’re curious, the title was “Credibility Versus Likelihood.” So, again, a very abstract, risk-type topic.

And the advice I got from Dale Peterson, the organizer, was, “Andrew, I see your slides. You can’t just read the slides. You’ve got to come to this presentation armed with examples for every slide, for every second slide.”

Tim McCreight
Yep.

Andrew Ginter
“Get up there and tell stories.” So I would give examples. Sometimes they would be attack scenarios. Is that the same kind of thing here?

Tim McCreight
It is, I think. And congratulations for being asked to present at that conference. That’s amazing. So kudos to you. That’s awesome, Andrew. That’s great to hear. But you’re right. You touched on one of the things that a lot of presentations lack, which is the credibility, or how I view the person providing the presentation. Do they have the authority? Do I look at them as someone who’s experienced and understands it?

And you do that by telling the story and providing an example for, let’s say, an attack scenario where you saw how it unfolded, how you were able to detect it, how you were able to contain it, eradicate it, recover back. Those are the stories that people want to hear, because it makes it real for people. Providing nothing but a technical description of an attack, or bringing out, as an example, a CVE and breaking it down by different sections on a slide. Oh my God, I would probably poke my eye out with a fork.

But if you walk me through how you identified it, the work that you guys did to identify it, to detect it, to contain it, to eradicate it, and then recover, if you can walk me through those steps from a personal example that you’ve had, that to me is the story.

And that’s the part that gets compelling, because now you’ve got someone who’s got real-world experience, expertise in this particular problem. They were able to solve it and they provide it to me in a story. So now I can pick up those parts. I’m going to remember that part of the presentation because you gave me a great example, which is really, you gave me a great story. Does that make sense?

Andrew Ginter
It does, to a degree. Let me distract you for a moment here. I’m not sure this is the same topic, but I’ve written a bit on risk.

Tim McCreight
Okay.

Andrew Ginter
You know, I’ve tried to teach people a bit about what risk is, how you manage risk, especially in critical infrastructure settings. And I find that a lot of risk assessment reports are, it seems to me, not very useful. They’re not useful as tools to make business decisions.

You get a long list of, you still have 8,000 unpatched vulnerabilities in your OT environment. Any questions? To me, what business decision makers understand, more than a list of 8,000 vulnerabilities, is attack scenarios.

And so what I’ve argued is that every risk assessment should finish, or lead, if you wish, with... In physical security, you’re probably more familiar with this than I am, there’s the concept of design basis threat, a description of the capable attack you must defeat, that you’re designed to defeat with a high degree of confidence.

And you look at your existing security posture and decide, this class of attack we defeat with a high degree of confidence. These attacks up here, we don’t have that high degree of confidence.

And what I’ve argued is you should tell the story. Go through one or two of these attack scenarios and say, here is an attack that we would not defeat with a high degree of confidence. Is it acceptable that this attack potential is out there? Is that an acceptable risk?

Is that the kind of storytelling we’re talking about here, or have I drifted off into some other space?

Tim McCreight
No, I think you’ve actually applied the principles of telling a story to something as complex as identifying your particular response, or your organization’s response, to either an attack scenario or a more sophisticated attack scenario. So, no, I think you’ve nailed it.

What it does, though, in the approach that you just talked about, is it gives a few things to the business audience. One, you have a greater understanding of the assets that are in place and how they apply to the business environment, right? Whether it’s in a physical plant structure for OT or whether it’s a pipeline, et cetera.

If you understand the environment that is being targeted, understand the assets that are in place and the controls that you have in place, that gives you a greater understanding and foundation for what the potential risk is.

By telling the story, then, of what a particular attack scenario looks like, and whether you have a level of confidence that you’d be able to protect against it, you’d be able to walk through the different parts of the story arc.

This is the context of the attack. This is what the attack could look like. Here’s how we would try to resolve it if we can. And then here’s the closing actions that we would be focused on if the attack was either successful or unsuccessful.

So all of those things, I think, apply to the principles of telling a story. What you’ve given is a great example of how to take something that’s very technical, or the typical risk assessment I’ve seen in my career where, Andrew, here’s your 200-page report, and the last hundred pages are all the CVEs we found.

And let us know if you need any help. Well, that doesn’t help me. But if you walk me through a particular example where, here, in this one set of infrastructure, we’re liable or we’re open to this type of attack,

I think that’s amazing, because it gives the executives the story they need. You understand the assets. Here’s the risk. Here’s the potential impact. Here’s what we can and cannot do to defeat or defend against this.

And then we need your help if this is a risk that you can’t accept. So, no, I think you’ve covered all parts of what would be an appropriate story arc for using that type of approach. And honest to God, if you could get more folks to include that in reports, I would love to see that, because I’m like you, I have read too many reports that don’t offer value.

But the description you just provided and the way we break it down, that offers huge value to executives moving forward.

Nathaniel Nelson
Tim’s spending a lot of time emphasizing the importance of storytelling in conveying security concepts to the people who make decisions. Andrew, in your experience, is this sort of thing something you think about a lot? Do you frame your information in the same ways that he’s talking about, or do you have a different sort of approach?

Andrew Ginter
This makes sense to me. It’s sort of a step beyond what I usually do. So I’m very much thinking about what he’s done and how to use it going forward. But just to give you an example, close to a decade ago, I came out with a report, the “Top 20 Cyber Attacks on Industrial Control Systems.”

And it wasn’t so much a report looking backwards saying what has happened. It’s a report looking at what’s possible, what kind of capabilities are out there. And I tried to put together a spectrum of attack scenarios with a spectrum of consequences. Some of the attacks were very simple to carry out and had almost no consequence.

Some of them were really difficult to carry out and would take you down hard and cost an organization billions of dollars or dozens of lives. And everything in between.

And I did that because, in my experience, business decision makers understand attack scenarios better than they understand abstract numeric risk metrics or lists of vulnerabilities.

But I described it as attack scenarios. In hindsight, I think really what I was doing there was telling some stories, and I need to update that report.

I’m going to do it by updating it to read in more of a storytelling style, so that people can hear stories about attacks that they do defeat reliably and why, and attacks that they probably will not defeat with a high degree of confidence and what the consequences will be, so that they can make these business decisions.

Nathaniel Nelson
Yeah, and that sounds nice in theory, but then I’m imagining you tell your nice story to someone in the position to make a decision with money, and they come back to you and say, well, Andrew, your story is very nice, but why can’t we defeat all of these attack scenarios with the amount of money we’re giving you? What do you tell them at that point?

Andrew Ginter
That is a very common reaction, saying, “You’ve asked us where to draw the line. We draw the line above the most sophisticated attack. Fix them all.” And then I explain what that’s going to cost.

They haven’t even really paid attention to the attack scenarios. They haven’t even asked me about the attack scenarios. I’ve just explained the concept of a spectrum. They said, yeah, put the line at the top, fix them all. And then you have to explain the cost.

And they go, “Whoa. Okay, so what are these?” And they ask in more detail, and you give them the simplest attack, the simplest story that you do not defeat with a high degree of confidence.

And you ask them, is that something we need to fix? And they say, “Yeah, that’s nasty. I could see that happening, fix that. What else do you got?” And you work up the chain and eventually you reach an attack scenario or two where they look at it and say, “That’s just weird.”

I mean, let me give you an extreme example. Imagine that a foreign power has either bribed or blackmailed every employee in a large company. What security program, what policy can the CEO put in place that will defend the organization? Well, there isn’t one. Your entire organization is working against you. Is that a credible threat? The business is probably going to say no, this is why we have background checks.

A conspiracy that large, the government is going to come in and arrest everyone. That’s not a credible threat. And so the initial reaction might be, yeah, fix it all. Draw the line across the very top of the spectrum.

And when it becomes clear that you can’t do that, this is where you dig into the stories and they have to understand the individual scenarios. And they will eventually draw the line and say, “These three here that you told me about, fix them. The rest of them just don’t seem credible.”

That’s the decision process that you need to go through. And you need to describe the attacks. And I think the right way to describe the attacks is with storytelling.

Andrew Ginter
So, I mean, this all makes great sense to me. I mean, this is why I asked you to be a guest on the podcast. But let me ask you about the next level of detail at TaleCraft. If, I don’t know, a big business, a CISO, says, TaleCraft makes sense to me, and they bring you in, what do you actually do? Do you run seminars? Do you review reports and give advice? What does TaleCraft actually do if somebody engages with you?

Tim McCreight
So there are a couple of things that we can offer to organizations that bring us in from a TaleCraft perspective. First, let me talk about storytelling. What we offer from the storytelling approach is, we will go to the client site.

We will run workshops, anywhere from a four-hour workshop to a two-day workshop. We will bring in team members from the security group, as well as others that the security team interacts with. We’ll go over the principles of storytelling and the concepts of storytelling, how to be more mindful in your public speaking and in your preparation.

And we’ll spend the first day going through the theory and the concepts of telling a story and becoming a better public speaker. Then on the second day of the workshop, we ask all participants to stand up for up to 10 minutes and provide their stories.

At the end of each one of the sessions, we provide positive feedback and provide them opportunities to grow and experience more storytelling opportunities. And then we close out the workshop. We provide reports back to each of the individuals on how we observed them absorbing all of the content from day one, and then offer opportunities for individual mentoring and coaching along the way.

So that’s one of the first services we offer. The second, as we come into organizations, if a CISO or CSO contacts us and asks us for assistance, we can do everything from helping them redesign their security program using the principles of enterprise security risk management, review the current program that they have today, assess the maturity of the controls that they have in place, and identify risks that are facing the organization at a strategic level. And then we can come in and help them map out and design a path to greater maturity by assessing the culture of security across the organization as well, where we go out and interview stakeholders from across the organization, from different departments, different divisions, and different levels of employees in the organization, and identify their perception of security, the value that security brings to the organization, and how the security team can become greater partners and trusted advisors to the company. That’s part of the work that we do at TaleCraft Security.

Andrew Ginter
I understand as well that you’re working with professional associations or something. I mean, I know that in Canada, there’s the Canadian Information Processing Society. It’s not security focused. Security is an aspect of information processing in the IT space.

In Alberta, there’s APEGA, the Association for Professional Engineers, Geologists, Geophysicists. I would dearly love to see these professions embrace cybersecurity and establish professional standards for practitioners, for what is considered acceptable practice, so that there is sort of a minimum bar.

So tell me, you’re working with these folks. What is it that you’re doing? How’s that going?

Tim McCreight
Yeah, so I’ve been thinking about this for probably the last 20-some years, and it always bothered me that the security director, the CISO, et cetera, in an organization, if they did get a chance to come to a board meeting or be invited to talk to executives, got a 45-minute time slot. Most times it was less. You had a chance to drink the really good coffee, and then you were asked to leave the room, and that was your time.

Whereas your peers who were running other departments across the organization, in legal, finance, HR, et cetera, stayed the entire weekend to help map out the strategy for the organization. Yet we weren’t invited to that party.

And that kind of annoyed me for the last 20-some years. So I took it upon myself to begin a journey, and I brought some folks along with me. There’s about 15 of us now who are working on the concept of designing and developing the profession of security, focusing on Canada first, and then working through the Commonwealth model to all those countries that follow the Commonwealth parliamentary system.

And it made sense to me. I couldn’t do much work when I was the president of ASIS in 2023. I didn’t want to have any perceived conflict of interest in anything that I was doing. But what we looked at from this concept of designing the profession of security is an opportunity for those who call this our profession and want to be recognized as such to borrow some of the great work that CIPS has done and that APEGA has done here in Alberta, and CIPS across the country, to recognize the path that they took, how they were recognized and established, how they developed their charters, et cetera.

So we’ve had an opportunity to chat with some folks from CIPS, but also to look at the work that they’ve done. And I’ve had a chance to review APEGA, and it made sense to me. So now, spin forward to 2025. We have a group of individuals who are focused on designing and developing what we consider to be a model that will provide a professional designation for security professionals in Canada.

It’s an opportunity to demonstrate your expertise and your body of knowledge. It’s an opportunity to take all of the designations that you’ve received from groups like ISC2, ISACA, ASIS, et cetera, and use them as stepping stones to the next level, where you’re accepted as a professional designation, so that a security designation, whatever we can land on for the post-nominals, would be recognized the same as an engineer or a doctor or potentially a lawyer.

It gives us the validation of the work that we do. It gives us the recognition of the value that security brings to an organization. And it ties together OT, IT, cyber, physical, all of the different parts that make up security. And it’s a chance for us to come under one umbrella. So the way I describe it is that, for years, I said, I ran a department; it just happens to be security. Now we can say, I’m a security professional and my expertise is in OT security or in forensics or in investigations or in crime prevention through environmental design.

It gives us an umbrella designation for security and a chance to specialize. So a good friend of mine is a surgeon. He started off as a doctor, and now he’s a thoracic surgeon. So whenever he describes himself, it’s that he’s a doctor, my specialty is thoracic surgery, and now he’s chief of thoracic surgery at Vancouver General Hospital. Super great guy, but the path he took was: become a doctor, demonstrate your expertise, spend more time to create your specialty, focus on that, be recognized for that. And now that’s his designation.

I want to do the same here in Canada for security. The reason why is, look, you and I both know this, Andrew, and we’ve seen this. If I go do a risk assessment for a client or internally, and if I do a bad job, I just go on to the next client.

But if we have a doctor or a lawyer who mishandles a file or mishandles an operation or is liable for their actions, they’re held accountable for it. We are not. What I want to be able to do is put in the standards that demonstrate the level of our expertise, that we’re held accountable for our actions, that we maintain our credentials throughout our career, that we’re able to give back to the profession of security, and that if something does happen, we’re actually accountable for the work that we do.

And I think that’s important, right? Like, here in our new house, an engineer stamped our plans. He’s accountable for the work he did. Why can’t we have the same for security? I think we need to, because then that provides executives a greater understanding of how important the work is that we do every day to secure your organization so that you can achieve your goals and objectives.

That’s what I’ve been doing on the side of my desk for the past 20 years. I finally got some breathing room to do it now, with TaleCraft giving me the space to do it. So I’m looking forward to trying to roll this thing out between now and the end of the year, at least the structure of it, and then we engage more people to get their comments and their perceptions so that we’re trying to reflect and represent as many folks as we can across the security profession.

Andrew Ginter
Well, Tim, this has been tremendous. Again, I look forward to your book. Hopefully you find some time to work on it. Before we let you go, can I ask you to sum up for us? What should we take away from the discussion we’ve had in the episode here and use going forward?

Tim McCreight
Thank you for that. I appreciate it. And yeah, fingers crossed, I can get working on the book over the summertime. That’s my goal. But for this particular episode, I think a couple of things. One, as security professionals, it’s not our job to accept the risk. It’s our job to identify it, provide a mitigation strategy, and present it back to executives. So that’s one of the things that I want to keep stressing for everybody. Our role is to be an advisor to the organization.

It’s not to accept the risk on behalf of the organization. Second is, we all have a story to tell. We all understand the value and the power of a story. We all see how important it is when we tell a story to our executives, to our leaders, to our teams, and to others.

You need to focus on those skill sets of how to tell a story, particularly in the role of security, because not everyone understands the value that we bring. And the last point for me is that you need to continue to look for mentors, for instructors, for trainers who can offer you these skill sets and provide this type of training for you so that you can continue to build your career.

We can’t do this alone. You need to make sure that you have an opportunity to reach out to folks that can help you, whether it’s looking at your security program and trying to build it on a risk-based approach or teaching people the value of telling a story and then applying those skills in the next presentation you give to executives. If folks remember those things, that’d be terrific.

So for those folks listening to the podcast today, if those points resonate with you, and if you’re looking for opportunities to learn more about telling a story or how to be effective doing that, how to look at your program from a risk-based approach and how to find mentors that can help you in your career path, reach out to TaleCraft Security.

This is what we do. It’s our opportunity to give back to the profession of security, to help organizations build their security programs, and to grow the skill sets of people who want to learn more about telling a story, becoming a better security leader, or understanding the concepts of a risk-based approach to security.

That’s what we’re here at TaleCraft for, to help, to give back, and to grow.

Nathaniel Nelson
Andrew, that seems to have done it with your interview with Tim. Do you have any final word you would like to say today?

Andrew Ginter
Yeah, I mean, I think this is a really important topic. I see way too many security teams saying, this is my budget. This is all I have. I do not have budget to solve that problem. Therefore, I will accept the risk of that problem. And, especially for new projects, for risks that we’ve never considered before, that is often the wrong decision.

When we have new kinds of decisions to make, we need to escalate those decisions to the people who assign budget. We need to tell those people stories so they understand the risk. We have to get the right information, the right stories to the right people so they can make the right decisions. Saying, I have no budget, therefore I’m going to accept the risk many times is the wrong decision for the business. And we cannot afford to be making those wrong decisions time and again.

As the threat environment becomes more dangerous, as consequences of industrial cyber attacks increase, we need to be making the right decisions. And this seems an essential component of making the right decisions.

Nathaniel Nelson
Well, thanks to Tim McCreight for that. And Andrew, as always, thank you for speaking with me.

Andrew Ginter
It’s always a pleasure. Thank you, Nate.

Nathaniel Nelson
This has been the Industrial Security Podcast from Waterfall. Thanks to everyone out there listening.


The post I don’t sign s**t – Episode 143 appeared first on Waterfall Security Solutions.

Secure Industrial Remote Access Solutions https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/secure-industrial-remote-access-solutions/ Thu, 28 Aug 2025 20:19:01 +0000 https://waterfall-security.com/?p=35720 Secure, efficient, and reliable industrial remote access solutions enable monitoring, maintenance, and troubleshooting of SCADA and control systems from anywhere, protecting critical operations.


Secure Industrial Remote Access Solutions

Industrial remote access enables secure, efficient connectivity to SCADA, PLCs, and other control systems, supporting maintenance, monitoring, and troubleshooting. Best practices include robust authentication, encryption, network segmentation, and compliance with standards like IEC 62443 and NIST, while solutions like Waterfall’s HERA provide zero-trust, reliable remote access for critical industrial operations.

Waterfall team


In today’s hyperconnected industrial world, remote access has become both a necessity and a risk. Organizations across manufacturing, energy, utilities, and critical infrastructure rely on remote connectivity to monitor systems, troubleshoot equipment, and enable vendor support without dispatching teams onsite. While this brings significant efficiency and cost benefits, it also introduces new security challenges. Unsecured or poorly managed remote connections can serve as entry points for cyberattacks, threatening operational continuity and even safety.

Industrial remote access, therefore, requires a comprehensive framework—one that balances the operational need for connectivity with rigorous security controls. This framework isn’t just about VPNs or firewalls; it encompasses identity management, secure protocols, granular access policies, and continuous monitoring, all tailored to the unique demands of operational technology (OT) environments.

Definition and Scope

What is Industrial Remote Access?
Industrial remote access refers to the secure ability to connect to industrial systems, equipment, and control environments—such as SCADA, PLCs, and HMIs—from distant locations. This connectivity enables operators, engineers, and vendors to monitor performance, troubleshoot issues, deploy updates, and maintain equipment without being physically present at the facility.

How it differs from IT Access

Unlike general IT remote access solutions (think remote desktop tools or corporate VPNs), industrial remote access must account for the unique requirements of operational technology (OT). OT systems prioritize availability, safety, and reliability over typical IT concerns like data confidentiality. While IT remote access is often focused on office productivity, industrial remote access deals with real-time processes, critical infrastructure, and potentially life-safety functions—making its risk profile significantly higher.

A Brief Historical Evolution

Remote access in industry began with direct connections—dial-up modems or leased lines that allowed engineers to reach specific machines. Over time, this evolved into VPN-based approaches and, more recently, cloud-enabled remote access platforms. Each step has increased flexibility and ease of use, but also expanded the attack surface. Today, modern solutions integrate identity and access management, encrypted communications, and continuous monitoring to strike a balance between connectivity and security.

Importance in Modern Manufacturing

Role in Industry 4.0 and Smart Manufacturing

Industrial remote access is a cornerstone of Industry 4.0, where interconnected devices, automation, and data-driven insights define the future of manufacturing. Smart factories depend on continuous access to machine data, predictive maintenance, and real-time monitoring—all of which require reliable and secure remote connectivity. Without industrial remote access, the promise of fully digitalized and adaptive manufacturing environments would remain out of reach.

Benefits for Modern Operations

The practical advantages of industrial remote access are compelling. Manufacturers can dramatically reduce downtime by enabling engineers to diagnose and resolve problems without waiting for travel or onsite presence. Remote updates and configuration changes cut costs while ensuring systems stay current with minimal disruption. Most importantly, operational efficiency improves when plants can be monitored and optimized from anywhere, allowing scarce engineering talent to support multiple sites simultaneously.

Adoption Rates Across Sectors

Adoption of industrial remote access has accelerated rapidly. According to industry surveys, more than 60% of manufacturers now use some form of remote access for equipment maintenance, with adoption highest in sectors like energy, automotive, and pharmaceuticals. The pandemic further accelerated this trend, as facilities sought safe ways to maintain continuity without sending large teams onsite. These adoption rates underscore that remote access is no longer a “nice-to-have,” but an operational necessity in competitive, modern manufacturing.

Key Stakeholders and Use Cases

Machine Builders and OEMs Providing Remote Support

Original Equipment Manufacturers (OEMs) and machine builders increasingly rely on remote access to deliver timely support for their equipment deployed at customer sites. Instead of dispatching technicians worldwide, OEMs can diagnose faults, apply software patches, and guide operators in real time. This not only enhances customer satisfaction but also opens opportunities for new service-based business models.

System Integrators and Remote Commissioning
System integrators play a critical role in setting up and maintaining industrial systems. With secure remote access, they can perform commissioning tasks, configure programmable logic controllers (PLCs), and troubleshoot integration issues without physically being onsite. This accelerates project timelines, lowers costs, and ensures quicker adaptation to client needs.

Plant Operators Monitoring Production Lines
For plant operators, remote access provides continuous visibility into production processes. Operators can track performance metrics, spot deviations, and intervene as necessary from any location. This level of oversight ensures not only higher productivity but also quicker response to emerging issues, which can prevent costly downtime and safety incidents.

Maintenance Teams and Preventive Care
Maintenance engineers benefit enormously from industrial remote access. With real-time monitoring, they can detect anomalies before failures occur, plan preventive maintenance, and conduct corrective interventions remotely when possible. This proactive approach extends equipment life, reduces unplanned outages, and optimizes spare parts management.

Technical Architecture and Components

Connection Methods

VPN Tunnels and Secure Connection Protocols

Virtual Private Networks (VPNs) are one of the most common methods for establishing secure remote connections to industrial environments. They create encrypted tunnels that shield data traffic between external users and internal control systems, helping to prevent unauthorized interception. When paired with industrial-grade firewalls and authentication controls, VPNs provide a strong security foundation for remote access.

Cellular Connectivity Options (4G/5G)

Cellular connections have become increasingly attractive for remote industrial sites where wired infrastructure is limited or unavailable. With the advent of 4G and especially 5G, industrial facilities can achieve low-latency, high-bandwidth connectivity suitable for real-time monitoring and even control tasks. However, security hardening and proper device management are critical to prevent exploitation of cellular endpoints.

Ethernet Solutions for Local and Wide Area Networks

Ethernet-based connections remain a cornerstone of industrial networking. Whether through local area networks (LANs) within a plant or wide area networks (WANs) linking multiple facilities, Ethernet provides reliable, high-speed data transfer for SCADA, PLCs, and other control devices. Segmenting industrial Ethernet networks into security zones and managing traffic with firewalls ensures safe integration of remote access capabilities.

Internet-Based Access Mechanisms

As Industry 4.0 pushes systems toward cloud integration, internet-based access has become more widespread. Technologies such as secure web gateways, remote desktop protocols (RDP), and vendor-provided cloud platforms enable access through standard internet connections. While highly flexible, these methods also broaden the attack surface, making robust encryption, authentication, and monitoring essential components of secure deployment.

Hardware Infrastructure

Edge Gateways

Industrial-Grade Remote Access Gateways

Edge gateways are specialized devices that serve as secure bridges between external networks and industrial control systems. Unlike generic IT routers, industrial-grade remote access gateways are built with features tailored for OT, such as deep protocol inspection, built-in encryption, and role-based access control. They form a critical first line of defense, ensuring that only authorized and authenticated connections reach sensitive equipment.

Ruggedized Design for Harsh Environments

Industrial environments often involve extreme temperatures, dust, vibration, or electrical noise—conditions that typical IT hardware cannot withstand. Ruggedized edge gateways are designed to operate reliably in these harsh settings, providing uninterrupted remote access even in mission-critical facilities such as oil rigs, power plants, or manufacturing floors. This resilience is essential to maintaining secure connectivity without compromising system uptime.

Integration Capabilities with Existing Infrastructure

One of the strengths of modern edge gateways is their ability to integrate seamlessly with existing industrial infrastructure. They support a wide range of industrial protocols (e.g., Modbus, OPC UA, PROFINET) and can connect legacy equipment to modern remote access frameworks. This makes them invaluable for organizations seeking to modernize their systems incrementally while maintaining backward compatibility with their operational technology.
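The protocol inspection and role-based access control described for edge gateways can be made concrete with a Modbus/TCP function-code allowlist. This is an added example, not Waterfall's or HERA's code; the role names, the policy and the sample frames are constructed assumptions, while the function codes are the public ones from the Modbus application protocol specification.

```python
"""Modbus/TCP function-code allowlist for a remote access gateway.

Added example, not Waterfall/HERA code. Roles, policy and sample frames
are constructed; function codes are the public ones from the Modbus spec.
"""
import struct
from dataclasses import dataclass

# Public Modbus function codes grouped by what they do to the controller.
READ_FCS = {1, 2, 3, 4}        # read coils / discrete inputs / holding / input registers
WRITE_FCS = {5, 6, 15, 16}     # write single coil / register, multiple coils / registers
DIAG_FCS = {8, 43}             # diagnostics, encapsulated interface transport

# Hypothetical role policy: function codes a remote session of each role may send.
ROLE_POLICY = {
    "viewer": READ_FCS,
    "engineer": READ_FCS | WRITE_FCS,
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    pdu_data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse MBAP header + PDU; raise ValueError for anything malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # MBAP length covers unit id + PDU, so a well-formed frame is 6 + length bytes.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size {len(frame)}")
    fc = frame[7]
    if fc & 0x80:
        raise ValueError("exception response code seen in a request")
    return ModbusRequest(tid, unit, fc, frame[8:])


def decide(frame: bytes, role: str, in_maintenance_window: bool) -> tuple[str, str]:
    """Return ('allow' | 'deny', reason) for one request from a remote session."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        return "deny", f"malformed frame: {err}"
    fc = req.function_code
    if fc in DIAG_FCS:
        return "deny", f"fc {fc} (diagnostics) is never allowed over remote access"
    if fc not in ROLE_POLICY.get(role, set()):
        return "deny", f"fc {fc} not permitted for role {role!r}"
    if fc in WRITE_FCS and not in_maintenance_window:
        return "deny", f"write fc {fc} outside the approved maintenance window"
    return "allow", f"fc {fc} permitted for role {role!r}"


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a request frame; MBAP length = unit id (1) + function code (1) + data."""
    return struct.pack(">HHHB", tid, 0, 2 + len(data), unit) + bytes([fc]) + data


# Constructed sample traffic a gateway might see from a remote session.
READ_HR = build_request(1, 1, 3, struct.pack(">HH", 0, 10))       # read 10 holding registers
WRITE_REG = build_request(2, 1, 6, struct.pack(">HH", 5, 0x1234))  # write one holding register
DIAG = build_request(3, 1, 8, struct.pack(">HH", 0, 0))            # diagnostics sub-function 0
TRUNCATED = READ_HR[:-1]                                           # MBAP length no longer matches

if __name__ == "__main__":
    for name, frame, role, window in [
        ("read/viewer", READ_HR, "viewer", False),
        ("write/viewer", WRITE_REG, "viewer", True),
        ("write/engineer/no-window", WRITE_REG, "engineer", False),
        ("write/engineer/window", WRITE_REG, "engineer", True),
        ("diag/engineer", DIAG, "engineer", True),
        ("truncated", TRUNCATED, "engineer", True),
    ]:
        print(f"{name:28s} -> {decide(frame, role, window)}")
```

A real gateway would apply the same decision per TCP connection after the session's role has been established by the authentication layer, and would log every deny.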

Control Systems Integration

PLC Connectivity Options

Programmable Logic Controllers (PLCs) are at the heart of industrial automation, and enabling secure remote access to them is essential for monitoring, programming, and troubleshooting. Modern solutions offer connectivity through encrypted VPN tunnels, protocol-specific gateways, or cloud-based interfaces, ensuring engineers can manage PLCs without exposing them directly to the internet. This secure connectivity reduces the risk of unauthorized manipulation while allowing timely interventions.

HMI Remote Visualization Techniques

Human-Machine Interfaces (HMIs) provide operators with a window into industrial processes, and remote visualization extends this capability beyond the plant floor. Techniques such as web-based dashboards, thin-client applications, or secure remote desktop sessions allow engineers to view and interact with HMI screens from afar. When properly secured, this enables faster response times and decision-making without compromising the integrity of the control system.

Control Panel Access Methodologies

Traditional control panels house critical switches, indicators, and manual overrides. With remote access, these panels can be virtually replicated, giving authorized users the ability to monitor or control key functions securely. Methods range from digital twins to secure remote terminal access, which balance the need for operator flexibility with strict safeguards that prevent unsafe operations or accidental activations.

Remote Access Client Applications

Client applications are the user-facing software that enable engineers, operators, and service providers to establish secure connections to industrial assets. These lightweight tools often include multi-factor authentication, encryption, and role-based access to ensure that only authorized users can reach sensitive systems. A well-designed client simplifies the user experience while embedding strong security by default.

Server-Side Management Platforms

Behind every secure remote access solution lies a management platform that enforces policies, provisions users, and controls connectivity. These platforms often reside on-premises, in the cloud, or as hybrid solutions, and provide administrators with centralized visibility and governance. By managing sessions, configurations, and permissions from a single interface, they reduce complexity while strengthening compliance and security.

Authentication and Authorization Systems

Robust authentication and fine-grained authorization are the backbone of secure remote access. Beyond simple usernames and passwords, modern solutions employ multi-factor authentication (MFA), certificate-based access, and role-based control to ensure that users can only perform actions aligned with their responsibilities. In SCADA and industrial contexts, this limits the potential impact of compromised accounts or insider misuse.

Monitoring and Logging Tools

Visibility is essential in remote access environments, and monitoring and logging tools provide the audit trail needed for both security and operational oversight. These systems capture session details, command histories, and user activity, which can be analyzed for anomalies or compliance reporting. Real-time monitoring also enables rapid detection of unauthorized actions, helping to contain potential threats before they escalate.
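The authorization rules and the session audit trail described in the two sections above can be tied together by checking each logged session event against a least-privilege policy. This is an added example, not Waterfall's or HERA's code; the log format, role policy, maintenance window and log lines are constructed assumptions.

```python
"""Audit remote access session records against a role-based policy.

Added example, not Waterfall/HERA code. Log format, roles, window and
sample lines are constructed for illustration.
"""
from datetime import datetime, time, timezone

# Hypothetical least-privilege policy: actions each remote role may perform.
ROLE_ACTIONS = {
    "operator": {"view_hmi", "read_tags"},
    "vendor": {"view_hmi", "read_tags", "download_logs"},
    "engineer": {"view_hmi", "read_tags", "download_logs", "write_config", "update_firmware"},
}
CHANGE_ACTIONS = {"write_config", "update_firmware"}   # actions that alter the control system
WINDOW_START, WINDOW_END = time(22, 0), time(23, 59, 59)  # hypothetical change window (UTC)
VENDOR_ZONES = {"packaging"}                             # zones a vendor session may reach


def parse_event(line: str) -> dict:
    """Parse '<ISO timestamp> key=value ...' into a dict with an aware 'ts' datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def check_event(event: dict) -> list[str]:
    """Return policy findings for one session event; an empty list means compliant."""
    findings = []
    role, action = event.get("role"), event.get("action")
    if event.get("mfa") != "yes":
        findings.append("session authenticated without MFA")
    if action not in ROLE_ACTIONS.get(role, set()):
        findings.append(f"action {action} not permitted for role {role}")
    if action in CHANGE_ACTIONS:
        clock = event["ts"].astimezone(timezone.utc).time()
        if not WINDOW_START <= clock <= WINDOW_END:
            findings.append(f"{action} outside the approved maintenance window")
        if event.get("ticket", "none") == "none":
            findings.append(f"{action} without a change ticket")
    if role == "vendor" and event.get("zone") not in VENDOR_ZONES:
        findings.append(f"vendor session reached zone {event.get('zone')}")
    return findings


def audit(lines: list[str]) -> dict[str, list[str]]:
    """Map each non-compliant session id to its findings; compliant sessions are omitted."""
    report: dict[str, list[str]] = {}
    for line in lines:
        event = parse_event(line)
        findings = check_event(event)
        if findings:
            report.setdefault(event["session"], []).extend(findings)
    return report


# Constructed sample session log (one event per line).
SAMPLE_LOG = [
    "2025-08-28T22:15:00Z session=s1 user=eng.alice role=engineer zone=cell3 target=PLC-07 action=write_config mfa=yes ticket=CHG-101",
    "2025-08-28T14:02:11Z session=s2 user=vendor.bob role=vendor zone=cell3 target=PLC-07 action=write_config mfa=no ticket=none",
    "2025-08-28T09:30:45Z session=s3 user=ops.carol role=operator zone=cell3 target=HMI-02 action=view_hmi mfa=yes ticket=none",
    "2025-08-28T10:05:00Z session=s4 user=eng.dan role=engineer zone=cell1 target=PLC-01 action=update_firmware mfa=yes ticket=none",
]

if __name__ == "__main__":
    for session, findings in audit(SAMPLE_LOG).items():
        print(session)
        for finding in findings:
            print("  -", finding)
```

Run continuously over live session records, the same checks become alerts rather than a batch report.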

Security Framework for Industrial Remote Access

Threat Landscape

Common Attack Vectors Targeting Industrial Systems

Industrial systems face attack vectors ranging from stolen credentials and phishing to compromised remote access tools and exploitation of unpatched software. Attackers frequently exploit weak authentication, exposed VPNs, and misconfigured firewalls to gain an initial foothold. Once inside, they may move laterally across the network to target control systems, disrupt operations, or exfiltrate sensitive data.

Documented Incidents and Case Studies

Real-world incidents highlight the risks of insecure remote access. For example, the 2021 Oldsmar water treatment facility breach involved an attacker remotely accessing operational systems and attempting to manipulate chemical levels in the water supply. Similarly, ransomware campaigns have locked out operators from remote monitoring systems, forcing costly shutdowns. These cases underscore the dangers of inadequate security controls.

Emerging Threats Specific to Remote Industrial Environments

As industrial environments increasingly rely on cloud-based connectivity, IoT devices, and mobile access, new threats emerge. Attackers are developing malware tailored to industrial protocols, exploiting insecure edge devices, and leveraging supply chain compromises to infiltrate trusted systems. The rise of ransomware-as-a-service and nation-state actors targeting critical infrastructure further amplifies the risk, making proactive defense measures essential.

Compliance and Standards

IEC 62443 Requirements for Remote Access

IEC 62443, the leading standard for industrial automation security, establishes strict requirements for secure remote access. It outlines measures such as strong authentication, session encryption, access control policies, and audit logging. Compliance ensures that remote connectivity to control systems is governed by the principle of least privilege and monitored to detect anomalies.

NIST Cybersecurity Framework Application

The NIST Cybersecurity Framework (CSF) provides a flexible model for managing risk in industrial environments, including remote access. By applying its five core functions—Identify, Protect, Detect, Respond, and Recover—organizations can align remote access strategies with broader cybersecurity goals. For example, the “Protect” function stresses identity management and access controls, while “Detect” highlights continuous monitoring of remote sessions.

Industry-Specific Regulations and Guidelines

Different industrial sectors have their own compliance mandates for remote access security. Energy companies must follow NERC CIP standards, while pharmaceutical manufacturers often adhere to FDA regulations for electronic records integrity. The oil and gas sector may face additional regional requirements. Aligning remote access practices with these sector-specific guidelines not only reduces risk but also ensures legal and regulatory compliance.

Certification Processes for Secure Remote Access Solutions

Vendors offering remote access technologies are increasingly seeking certifications to demonstrate compliance and trustworthiness. Certifications such as IEC 62443-4-2 for components or third-party security audits validate that solutions meet stringent cybersecurity requirements. For end-users, choosing certified solutions helps reduce vendor risk and provides assurance that the tools enabling remote access won’t become the weakest link in the control environment.

Securing industrial remote access is no longer optional—it’s essential for protecting operations, maintaining uptime, and safeguarding critical infrastructure. By implementing best practices across authentication, encryption, network segmentation, and monitoring, organizations can reduce risk while reaping the benefits of modern connectivity. 

To see how these principles are applied in practice, explore Waterfall’s HERA remote access solution, a purpose-built platform that provides secure, reliable, and zero-trust remote connectivity for industrial systems. 

Learn more about HERA and how it can safeguard your operations today.

About the author

Waterfall team

FAQs About Industrial Remote Access Solutions

Industrial Remote Access Solutions are specialized technologies that allow authorized personnel to securely connect to industrial control systems—such as SCADA, PLCs, and HMIs—from remote locations. These solutions enable monitoring, troubleshooting, maintenance, and updates without requiring on-site presence, all while addressing the unique requirements of operational technology (OT) environments where availability, reliability, and safety are critical. They typically combine secure connectivity methods, robust authentication and access controls, monitoring and logging, and seamless integration with both modern and legacy industrial systems, ensuring that remote access enhances efficiency without compromising security.


We need industrial remote access solutions because modern industrial operations demand real-time monitoring, rapid troubleshooting, and efficient maintenance across geographically dispersed facilities. Remote access enables engineers, operators, and vendors to respond quickly to issues, reduce downtime, and optimize production without the delays and costs of traveling on-site. Additionally, with the rise of Industry 4.0, cloud integration, and smart manufacturing, secure remote connectivity is essential for leveraging data-driven insights, predictive maintenance, and continuous process optimization—all while maintaining strict security controls to protect critical infrastructure from cyber threats.

The main use cases for industrial remote access solutions include equipment monitoring, troubleshooting, and maintenance, allowing engineers and operators to diagnose issues and apply fixes without being physically on-site. They also support system commissioning, configuration updates, and software patching for PLCs, SCADA, and HMIs. Additionally, remote access enables vendor and contractor support, real-time production monitoring, and data collection for analytics and predictive maintenance. These use cases improve operational efficiency, reduce downtime, lower costs, and ensure that industrial facilities can respond rapidly to both routine and emergency situations while maintaining security and compliance.


Remoting Into Renewables – the latest guidelines for secure remote access applied to renewables generation https://waterfall-security.com/ot-insights-center/power/remoting-into-renewables-the-latest-guidelines-for-secure-remote-access-applied-to-renewables-generation/ Thu, 28 Aug 2025 12:03:00 +0000 https://waterfall-security.com/?p=35923 Learn how secure access can enhance both safety and performance in renewable energy operations.


Remoting Into Renewables – the latest guidelines for secure remote access applied to renewables generation

Watch the webinar to learn how secure access can enhance both safety and performance in renewable energy operations.

As renewable energy continues to dominate new power generation projects across North America and the EU, organizations must find ways to support remote operations without compromising cybersecurity. Wind and solar sites, often remote and digitally connected, demand secure access solutions that meet both operational and regulatory needs.

This webinar explores how energy leaders are balancing efficiency with cyber resilience. We’ll cover the latest guidance from CISA, CCCS, and others, with a spotlight on hardware-enforced, unidirectional remote access, now widely recommended for high-consequence OT environments.

Whether you're planning a new facility or optimizing an existing one, you'll gain insights into:

- The business impact of secure remote access
- Safe, scalable deployment strategies
- Aligning cybersecurity with operational goals
- Real-world adoption: how renewables operators are deploying these technologies today.

About the Speakers


Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.

Lior Frenkel

With more than 20 years of hardware and software research and development experience, Mr. Frenkel leads Waterfall Security with extensive business and management expertise. As part of his thought leadership and contribution to the industry, Lior serves as a member of management at the Israeli High-Tech Association (HTA) of the Manufacturers’ Association of Israel, and as Chairman of the Cyber Forum of the HTA.
