OT security standards – Waterfall Security Solutions
https://waterfall-security.com

Andrew Ginter’s Top 3 Webinars of 2024
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/andrew-ginters-top-3-webinars-of-2024/
Tue, 17 Dec 2024 11:38:14 +0000

Get up to speed on key trends and strategies in industrial security with Andrew Ginter’s favorite webinars of 2024.


Discover Andrew Ginter’s top picks for the most insightful and engaging webinars of 2024, covering key trends and strategies in industrial security.
Andrew Ginter

As 2024 comes to a close, it’s traditional to reflect on the year and maybe catch up on bits of reading and events that we missed because of our busy schedules. To this end, I recommend to you three of this year’s Waterfall webinars. Each is an overview of a Waterfall or other author’s report, and reports read faster once we’ve seen an overview, because each of us can skip straight to the material we find most useful.

My Top Three Webinars of 2024:

1) Cyber Attacks with Physical Consequences – 2024 Threat Report

By the numbers – Waterfall & ICS Strive produce the world’s most conservative and most credible OT / industrial security threat report. In this webinar the authors review the numbers: public disclosures of attacks with physical consequences. And we look at what the numbers mean for the practice and future of industrial cybersecurity.

To read further, the threat report is available here.

2) IEC 62443 for Power Generation

The IEC 62443 standards are cross industry, somewhat out of date, and deliberately vague in many areas – and so need to be interpreted to apply them successfully. In this webinar, Dr. Jesus Molina provides an overview of his report that shows how to interpret and apply the standards to conventional electric power plants.

To read further, the IEC 62443 for Power Generation report is available here.

3) Evolving Global OT Cyber Guidelines

This webinar is a favorite of mine because of big turnout and the thoughtful questions and comments from the audience. In this webinar, we explore the latest developments in OT cybersecurity regulations, standards and guidance worldwide and what these developments mean for industries navigating this complex landscape.

If you would like to read more, I recommend the brand new, multi-national Principles of OT Security – it’s good, and with only 9 pages of payload, it’s an easy read over the holidays.

These are my top 3. If you would like to see even more of our videos, I encourage you to subscribe to the Waterfall YouTube channel, where we upload new videos regularly.

Andrew Ginter’s Top 3 Podcast Episodes of 2024
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/andrew-ginters-top-3-podcast-episodes-of-2024/
Mon, 16 Dec 2024 15:12:04 +0000

Sit back and enjoy Andrew Ginter's top 3 picks from 2024's Industrial Security Podcast series.


As 2024 winds down, kick back and enjoy some of Andrew Ginter's best podcast picks

Andrew Ginter

Over the past 12 months, it has been a pleasure and a privilege to co-host the Industrial Security Podcast. When I started the podcast 5-ish years ago, bluntly, I did not know if there was enough industrial security content in the world for more than a year or two of episodes. It turns out the OT security space is much broader and deeper than I knew. I’ve learned something in every episode, and I’ve become aware of how much more there is that I don’t know and that every one of my guests does know; each guest gives us a few insights based on that knowledge in every episode.

Choosing three from this year’s episodes was hard, but here are three that stood out for me. If you ask me for a theme for these episodes, I’d have to say all three provide insights into high-consequence attacks, risk blind spots, and of course defenses against these attacks. This is all consistent with the perspective of the Cyber-Informed Engineering initiative and with the themes I explore in my latest book, Engineering-Grade OT Security: A Manager’s Guide.

I hope you enjoy listening to these podcasts as much as I enjoyed the interviews and discussions. And stay tuned, we are working on many more guests and discussions in 2025!

My Top Three Episodes of 2024:

Episode #134: Insights into Nation State Threats with Joseph Price

In this episode, Joseph Price discusses nation-state threats and attacks. Nation states are often held up as “bogeymen,” able to do anything to anyone for reasons that are opaque to mere mortals. Joseph peels back a couple of layers for us, explaining how to interpret the data that is available in the public domain. He walks us through what to expect in terms of attack capabilities, how the world’s superpowers routinely test each other’s defenses, responses and capabilities in both physical and cyber domains, and looks at what this means for both small and large infrastructure sites and defensive programs.

Episode #123: Tractors to Table Industrial Security in the Industry of Human Consumables with Marc Sachs

In this episode, Marc Sachs, Senior Vice President and Chief Engineer at the Center for Internet Security, Chief Security Officer for Pattern Computer, and a former White House National Security Council Presidential Appointee, takes a deep dive into the cybersecurity challenges facing the food production industry.

He examines the industry’s growing reliance on automation, from farmers leveraging GPS, drones and self-driving equipment to large-scale food production facilities dependent on interconnected systems. While these advancements have dramatically improved efficiency and productivity, automation has also created important new vulnerabilities. Marc walks us through real-world examples of cyber threats targeting this critical industry, the potential consequences of future attacks, and practical measures that organizations can take to bolster their defenses.

This episode provides an eye-opening look at how completely automated the high end of agriculture and food production has become, and how this is a problem as more and more operations deploy this kind of automation.

Episode #131: Hitting Tens of Thousands of Vehicles At Once with Matt MacKinnon

In this episode, Matt MacKinnon, Head of Global Strategic Alliances at Upstream Security, looks at a cybersecurity niche in the automotive industry that I did not know existed: protecting the cloud systems that vehicle manufacturers rely on to manage and interact with the vehicles they produce. From passenger cars to 18-wheelers and massive mining equipment, connected vehicles enable everything from diagnostics and updates to real-time remote control.

Matt explains how digital transformation and the pervasive use of cloud systems in automotive and heavy equipment industries has introduced new attack opportunities, with potential consequences ranging from unauthorized manipulation of vehicular systems, data breaches, and potential threats to safe and reliable operations.

How to manage these risks and protect cloud systems connected to vehicles? Matt walks us through protective technology and how it works – technology I did not know existed.

OT Security Data Science – A Better Vulnerability Database – Episode 133
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/ot-security-data-science-a-better-vulnerability-database-episode-133/
Sun, 15 Dec 2024 10:25:40 +0000


Security automation needs a machine-readable vulnerability database. Dr. Carmit Yadin of DeviceTotal joins us to look at limitations of the widely-used National Vulnerability Database (NVD), and explore a new "data science" alternative.

“…we created a new segment in the industry… Data Science for Cybersecurity.”

– Dr. Carmit Yadin


About Dr. Carmit Yadin:

Dr. Carmit Yadin is the Founder & CEO of DeviceTotal, a SaaS solution for enterprise device security that provides a centralized, agentless approach to device vulnerability and threat management. Dr. Yadin is a leader, researcher, author, and sought-after speaker in cyber intelligence. She has over two decades of experience in cybersecurity.

Dr. Yadin began her career in an elite cyber intelligence unit of the Israel Defense Forces. She then contributed to the success of several high-tech firms, including NASDAQ-listed RAD-Silicom and Alvarion, where she served as Chief Information Security Officer. Dr. Yadin’s unique blend of technical expertise and business acumen has distinguished her as an expert in both cybersecurity and business competition management. She is also the author of “How to Boom B2B Sales” and has delivered talks on global platforms, including TED. Under Dr. Yadin’s leadership, DeviceTotal helps companies proactively protect their connected devices against evolving cyber threats.

About DeviceTotal:

DeviceTotal offers the world’s first agentless solution to detect and eliminate vulnerabilities and risks in OT, IoT, network, and security devices using AI. DeviceTotal is a SaaS solution for enterprise device security that provides a centralized approach to device vulnerability and threat management. As the industry’s first universal device security repository, DeviceTotal helps businesses proactively manage their network security and ensure resilience in the face of evolving threats by offering organizations a scalable solution for complete visibility with real-time continuous monitoring.

Transcript of this podcast episode #133:
Making the Move into OT Security | Episode 133

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Welcome listeners to the Industrial Security Podcast. My name is Nate Nelson. I’m here with Andrew Ginter, the Vice President of Industrial Security at Waterfall Security Solutions, who’s going to introduce the subject and guest of today’s show. Andrew, how are you?

Andrew Ginter
I’m very well, thank you Nate. Our guest today is Carmit Yadin. She is the CEO of Device Total. And Device Total is doing OT security data science in the area of vulnerability management. And I had no idea what that was, so I was keen to find out.

Nathaniel Nelson
Then without further ado, here’s your interview with Carmit.

Andrew Ginter
Hello, Carmit, and welcome to the podcast. Before we get started, can I ask you to please, you know, say a few words about your background for our listeners, and, you know, a bit about the good work you’re doing at Device Total.

Dr. Carmit Yadin
Thank you for the opportunity. I highly appreciate it. So, a little bit about my background. I started my journey in the cybersecurity space when I joined the Israeli army, where I was trained in network and security. I worked as a CISO in several NASDAQ companies. I worked with governments around the world, mostly with the U.S. government, on gathering intelligence from connected devices.

And with time, I realized that the biggest challenge the cybersecurity industry has is the fact that, as humans, we connect ourselves with so many devices, and the number of connected devices is increasing dramatically. And the problem is that security teams and humans don’t have visibility into the security posture of each device in their organization. They also don’t have visibility into how each device impacts the entire organization. So I decided to take that on as a personal mission to solve. My doctoral studies are exactly about this subject, and I founded Device Total to solve this unique and significant problem.

Andrew Ginter
Thanks for that. Our topic today is vulnerabilities, and there’s a lot of information available about vulnerabilities out on the internet. Can you talk about vulnerabilities? Which part of that space are you looking at?

Dr. Carmit Yadin
So the first important thing is for us to understand what vulnerabilities mean for the IoT and OT space. And the biggest challenge organizations have today is to know which vulnerabilities are related to any of the devices in their organization. Now, in order to understand that, we need to understand how the vendors that manufacture those devices match vulnerabilities, and what’s important to understand is that vendors publish their vulnerabilities by two main parameters: one is the hardware of the device, and the second one is the software, which is the firmware version.

Now, there are different sources from which we can gather this information. The most reliable source is the vendor security advisory. It is the vendor’s responsibility by regulation, by the way: they have to publish and disclose the vulnerabilities they are aware of to the industry and to their customers.

Most of the vulnerability management today focusing on IoT and OT will gather the information from NVD. Now, the problem with NVD is that NVD provides non-accurate and non-complete visibility into the vulnerabilities on those devices. Therefore, customers and organizations, in order to identify the accurate vulnerability data for their devices, will need to do lots of manual activities. They will need to go to the security advisory and try to understand which vulnerabilities are related to these devices. This task takes, like, forever, a lot of time, and it’s a very difficult task to do. A lot of manual work, different websites, and definitely unscalable. So this is how the industry looks today. There is no one universal repository providing all the data for any device.

Andrew Ginter
So that does sound like a lot of work for you know someone like me. If I’m operating an industrial site, I’ve got a lot of equipment. I’ve got a lot of software. To try and go out and find this information manually, you’re saying, well, it’s a lot of hard work.

Dr. Carmit Yadin
Yes, that’s true. It’s a lot of hard work. But the problem is that security advisories today are non-structured data. The data inside there is non-structured. And those vendors that tried to structure it didn’t structure the entire data. So we are dealing with a lot of data that machines cannot consume. And humans that are capable of reading it don’t have the scalability that machines have. So that’s the problem. The data is there, but we cannot consume it. And this is one problem. The second problem would be: now that I understand what problems I have, how am I going to solve them? So you’re 100 percent right.

Andrew Ginter
So that all makes sense. I mean, in previous episodes of the podcast, we have had people talking about new standards that are out there for publishing vulnerability information in a machine-readable format. I had imagined that those standards would solve this problem. Or are they not solving it?

Dr. Carmit Yadin
Okay. So the problems start with the fact that, specifically in IoT and OT devices, there are so many vendors that manufacture different types of devices for the industry.

And there is no alignment and there is no standardization on how vendor A publishes their security data versus vendor B. So there is no alignment between them. And our job is to create that alignment, because it doesn’t exist elsewhere.

Another thing about standards is that there are lots of standards and regulations for the organizations that are using IoT and OT devices. They must validate what vulnerabilities they have. They must use the latest version of the devices. They must control the risk of the devices in different environments.

So the majority of the regulations and the standards are on the organizations that are using the devices, versus on how the manufacturer should publish. They have to publish, but the way they publish is their own way, and each vendor is doing that differently today.

Andrew Ginter
Listening to what you’re saying here, it sounds like what the world needs is a search engine for vulnerabilities that can tell me what’s broken, can tell me what fixes are available, with reliable, up-to-date data. Is that what the world needs?

Dr. Carmit Yadin
No, Andrew, I think that what the world needs is to know what vulnerabilities exist on their devices. They don’t want to go and search. Organizations don’t want to go and use a search engine to search all the vulnerabilities on all their devices. They want someone to tell them, hey, these are the problems you have.

These are the solutions that you need to implement, and that’s the priority on how and when you should do that. And that’s a solution that organizations like Armis, Nozomi, and Claroty provide today to their customers. The companies that need that search engine and those capabilities are those companies. They need that to have devices that are behind their scenes.

Andrew Ginter
Okay, so work with me. You have a product in this space. What do you have? How do you work with these vendors?

Dr. Carmit Yadin
OK, so what we are doing, we are on a daily basis collecting and normalizing all the data that exists in any security advisories in the industry today. So we’re collecting the data from the security advisories, from the vendor websites. We normalize the data. We structure the data. And for the very first time in the industry, we managed to create one universal repository that includes all the security data, including the vulnerabilities and the mitigation and remediation, for any device that exists in the industry today. And what those vendors can do together with us: they can consume our data based on the devices they identified in the customer network, they can query our database, and we will reply back with the vulnerabilities matched to the devices they identified, mitigation, remediation, software updates, end-of-life data, and so on. And we are updating the data daily.

Nathaniel Nelson
So Andrew, while I was listening to her just now, I decided to pull up any given CVE on NVD’s website. We have a description of the problem. We have a score associated with just how severe the vulnerability is. We have hyperlinks to mitigation instructions and then various other information. So I guess what I’m wondering is what exactly the platform she’s describing does so much more or better than what seems to me like a pretty comprehensive list of what I need to know about this vulnerability.

Andrew Ginter
A couple of things. That’s a good question. What Device Total has done is a) make the NVD machine readable. Because, you know, to her point, if I have a refinery with I don’t know how many CPUs in it. Let’s say 6,000 devices with CPUs in them. Everything from PLCs to flow meters to you name it. And, you know, my question is not where’s my search engine. I want to go to each one of my 6,000 devices once a month and look up the device in the search engine. That’s not what I want.

What I want is to pay someone like Armis or Claroty or Dragos or Nozomi to tell me what devices I have, to tell me which of those devices are out of date, to tell me what mitigations are available for these out-of-date devices. I want someone to solve this problem for me.

And so what we need under the hood of Nozomi and Dragos and whatnot is that machine readable database of vulnerabilities, because these platforms are the ones that are active in my refinery, scanning what devices I have, keeping track of what devices I have and where they are and what their purpose is. And they need access to a constantly updated database of vulnerabilities so they can produce those reports about how much trouble I’m in for the devices I have. Does that make sense?

Nathaniel Nelson
So it’s less that NVD doesn’t provide the specific kinds of information we need. It’s much more about making this information accessible and machine-readable.

Andrew Ginter
That’s right. Machine readable for the other vendors that need the data. Another thing, which I was talking to Carmit about after the fact and didn’t capture in the recording, is something she pointed out, and it’s public knowledge. If you Google the NVD program and, you know, falling behind, you’ll see an announcement from earlier this year saying, you know, we are falling behind. There are too many vulnerabilities. The program had to not process all the vulnerabilities that were being disclosed to them. They prioritized what they thought were the most important vulnerabilities, but the database was falling behind. So that’s another argument for a private vendor coming in here doing this, having someone pay them rather than have the government do it and, you know, be subject to the vagaries of, I’ve only got so much budget. There’s only so much I can do with that budget. You know, this is an opportunity for private industry to come in and do the job sort of thoroughly, completely, because they have the money to do it.

So reflecting on this, Nate, what strikes me is, you know, in hindsight, it makes perfect sense. But, until I realized what Device Total was about, I had no idea that such a company existed. If you think about it, what’s the value that’s delivered by companies like Armis and Dragos and that sort of class of, call it, asset inventory and asset management solution? They scan your network, they figure out what assets you have, and they come back and tell you how vulnerable they are. And so they need their own, every one of these vendors needs, a machine-readable database of devices and vulnerabilities, and ideally things like workarounds and compensating measures and fixes if they’re available and where the fix is available. They need all of this so that they can present this in reports, they can present it, in whatever form, to their customers. And, you know, before Device Total existed, I would have imagined that every one of these vendors would have to do this research on their own. And once they produce that database for their own internal use, my own guess is that they’d be reluctant to sell that database to somebody else. You know, why would they give their competitors a leg up? And so that, you know, in hindsight, produced the opportunity for someone like DeviceTotal to come in there, do the job once, and sell the results.

If they can do the job, in a sense, better than any one vendor could do individually, there’s a huge incentive for these vendors to say, you know, instead of me doing this painfully manual process and producing an inferior result, just buy the data from Device Total. So it makes sense in hindsight, but, you know, before I talked to Carmit, I had no idea that this sort of niche in the ecosystem existed.

Andrew Ginter
Okay, so it’s starting to become clear to me. You’re saying that the kinds of vendors like Dragos, Nozomi, Claroty, that kind of vendor, is your customer.

Dr. Carmit Yadin
So that kind of vendor, yes. So we work with any platform that has an asset management and asset discovery solution. And those kinds of customers use our data as a layer of intelligence on top of their asset discovery and asset management capabilities, so they can give better visibility and data that they don’t have today, like the mitigation, remediation, and end-of-life data for any IoT and OT devices that exist in their customers’ networks. On top of that, our customers will also be large-scale organizations, service providers, SOC companies. Their problem is that they are using different asset management and discovery tools, and some of them are even doing it manually. Our capability is in the fact that we are able to digest any asset inventory list from any source, whether it’s manual or from the asset discovery.

And we provide a layer of intelligence on top of that data, and we will provide on a daily basis the accurate vulnerabilities, the accurate mitigation actions, what software updates we need to do and under what priority, what workarounds are available from the vendor, and with all that data we will also provide a prioritization based on the risk and the criticality for the end customer.

Andrew Ginter
So Nate, something subtle in there that I’m not sure everyone caught. It’s clear that the asset management vendors are potential customers of this database of vulnerabilities. But Carmit also mentioned service providers. Think, I don’t know, a big oil company with 150 sites, each of which is a multi-billion dollar asset.

These big organizations tend to have central security operation centers. They tend to insource; they do that themselves. And, you know, these centers tend to have automation. They buy one or six of each kind of tool and they generally have their own automation and own code that they’ve invented to pull it all together and automate the job of managing vulnerabilities, managing incidents, managing everything.

The second sort of customer she mentioned very fast was service providers. You know, security as a service is a thing. Even in the OT world, a lot of people, people smaller than the biggest companies, need a security operation center but don’t want to staff their own. They might not be quite big enough to staff their own. Even if they are a little bit big enough, this may not be what they want to focus on. And so there’s a fair number of service providers out there that will say, we will manage, we will look at your alerts, we will manage your security for you and raise the alarm if you need to do anything. And send you reports about your assets and do all of the things that a SOC does. And again, these service providers, one, they compete based on the domain knowledge of their security analysts, their experts. But they also compete to a degree with technology. Yeah, they buy a bunch of off-the-shelf technology to gather data and manage alerts. But again, they tend to have some of their own technology that sort of is their special sauce, adds their special flavor to the security-as-a-service offering.

And that class of vendor, service provider, might also benefit from access to a vulnerability database from time to time to produce their own automation and make their own people more effective in the space. So that was something that went by fast and struck me as interesting.

Andrew Ginter
Interesting. I mean, it sounds like you are competing with the NVD, the National Vulnerability Database. Do you have a search engine where people like me could search your database?

Dr. Carmit Yadin
So yes, we do have that capability. Our customers can log into the portal and look manually for devices. One of our main capabilities, and a very unique one, is that we enable customers to identify the security posture of devices even before they purchase the device.

So we give our customers visibility into the impact of any device existing in the industry, even before purchasing it. Now, comparing us to NVD, we just don’t do what NVD does. The goal of NVD is to match vulnerabilities and provide data on vulnerabilities.

NVD doesn’t look at the risk from a device perspective. NVD doesn’t consider the relationship between different devices in the network and that impact. NVD doesn’t have the mitigation, doesn’t provide remediation, doesn’t provide workarounds, end-of-life data. NVD doesn’t have the data that an organization nowadays needs.

Andrew Ginter
Cool. I mean, before talking to you, I had no idea that this sort of function, what you do, existed in the ecosystem. Can you talk about your reception? What’s the experience of your customers like? How did they receive the knowledge that you existed?

Dr. Carmit Yadin
I can share with you that when we just started, we went to one of the largest organizations, a Fortune 500 organization in the US. And he said, listen, we work with all the vulnerability management tools that exist in the industry today. Show us what you have. But he was very suspicious. He wanted to see another option, but was very suspicious.

And when we actually showed him the data, he really liked it. He really liked it because we managed to solve so many problems for him that he needed to do manually, that he needed to check with the vendor, to go online and validate the data for critical devices. He was very surprised that he can add devices manually, not from asset management, and still get the data. He was amazed, because understanding the impact of new devices before purchasing them hadn’t even crossed his mind as an option.

But not just that: one of the unique things that we bring is also the mitigation and the remediation. So for the very first time, he doesn’t need to pay for very expensive tools to give him the problem. Now we can also know what the solution is for all the vulnerabilities that were identified on his network and under what priority to mitigate them. So it’s a real game changer for the end customers themselves and obviously for companies that have the asset management capabilities and want to give higher value to their customers.

Andrew Ginter
Cool. You’ve been doing this for a while. Can I ask you, where are you at? What’s coming next?

Dr. Carmit Yadin
So today we’re primarily focusing on the IoT and the OT industry because of everything that we talked about today. This is where organizations have a very significant problem. But as Device Total, our goal is to cover any device that exists in the industry and any device that exists in any network. And our next stage is to add all the IT devices and software into our platform as well. That’s what we are working on.

Andrew Ginter
So that’s a little bit surprising. I mean, in my experience, a lot of the cybersecurity technology that’s in the OT space starts in the IT space and then expands to include the weirdness of the OT space. You’re doing it the other way around.

Dr. Carmit Yadin
Yes, so apparently we’re not most people. What we’re doing is very different. We didn’t change only that approach. We also changed the other approach. So we created a new segment in the industry. What we’re doing is data science for cybersecurity.

We are a data science company for cybersecurity with a very specific approach for devices. We decided to start from the IoT and the OT industry just because there is no alternative to that, right? And the reason for that is that organizations today cannot install a client or agent on IoT and OT devices.

And that’s why it’s a significant problem, and we as a startup company need to start where we see the biggest potential. So we started there, and now we’re expanding to the IT industry.

Andrew Ginter
So I’m wondering, I mean, it sounds like you have more data than the NVD. I’m curious, are you working with the NVD? Are they going to use your data in the future?

Dr. Carmit Yadin
So our business model is to sell data. We’re the only company in the industry today that has this data, and we’re the only organization today that is doing that. We are normalizing, fixing, and constantly updating the data for any device that exists in the industry, and we’re the only ones doing so. So NVD should use and benefit a lot from using our data, as should any other organization. I see NVD as a great potential customer for us.

Andrew Ginter
Cool. So, I learned something this episode. Before I talked to you folks, I had no idea that anyone was doing this. So, thank you for doing this good work. Thank you for joining us on the podcast. Before I let you go, can you sum up what the key lessons are to take away from our interview here?

Dr. Carmit Yadin
So the key lesson for us today is that managing vulnerabilities on IoT and OT devices can be done and can be easy. Our capability is to provide all the vulnerabilities on any device. Actually, we give a commitment that we cover any IoT and OT device and provide the vulnerabilities, the mitigation, remediation, and end-of-life data. And we managed to create data that doesn’t exist in the industry today; no one is doing that today. And everyone is welcome to go to our website at devicetotal.com and sign up for a free demo, connect with me on LinkedIn as well, and feel free to reach out. And thank you for inviting me today. Highly appreciated.

Nathaniel Nelson
Andrew, that concludes your interview with Carmit Yadin. To take us out here, I’m wondering: she seemed to suggest that this platform, this service, was broadly applicable to all industrial IoT sorts of devices. But is there any particular industry that might need this more than others, because for one reason or another they were having trouble with this kind of thing before?

Andrew Ginter
That’s a good question. On many previous episodes, we’ve had discussions of how difficult it is to patch certain kinds of industrial systems. But what I find in my own customer base is that pretty much everybody needs the knowledge. So heavy industry, where there are safety-critical functions and an extreme reluctance to patch, still wants to know how much trouble they’re in, so that when new information is available they can reevaluate the effectiveness of their compensating measures. Because they can’t patch, they need to know how much trouble they’re in so that they can figure out, have I got enough and the right kind of compensating measures in place? Less consequential, let’s say, manufacturing that is less safety critical tends to patch more aggressively.

And so they need to know what patches are available and which are more important than others, so that they can get those patches applied. So in my experience, everybody wants this knowledge, and they’re going to use it for different purposes. What struck me about the episode was lifting the lid on how all that asset management stuff works. I did not know there was this opportunity in the ecosystem for a data science service provider supplying a lot of data. And now I know that these people exist. It’s a look behind the scenes that I found interesting. I was also happy, for the first time in my life, to have a concrete example of data science.

I’d heard the phrase before and always scratched my head going, what’s that? New-fangled language. Well, here is a very large amount of data that needs to be managed, needs to be made available to lots of different kinds of consumers, from people to machines that do asset management to machines that draw conclusions about, well, if you have these vulnerabilities and those vulnerabilities in the same network, you might be subject to this sort of bigger problem. That kind of analytics might even be AI-based. These are all services you can provide, conclusions you can draw, once you have machine access to the data. So data science for OT security: it’s nice to have an example.

Nathaniel Nelson
Well, thank you to Carmit for speaking with you, Andrew. And Andrew, as always, thank you for speaking with me.

Andrew Ginter
It’s always a pleasure. Thank you, Nate.

Nathaniel Nelson
This has been the Industrial Security Podcast from Waterfall. Thanks to everyone out there listening.


The post OT Security Data Science – A Better Vulnerability Database – Episode 133 appeared first on Waterfall Security Solutions.

Expert Impressions of Cyber-Informed Engineering
https://waterfall-security.com/ot-insights-center/ot-security-standards/impressions-of-cyber-informed-engineering/
Wed, 27 Nov 2024 13:12:36 +0000

Andrew Ginter

I recently had the opportunity to ask experts Marc Sachs from the Center for Internet Security, Sarah Fluchs from admeritia GmbH, and Aaron Crow from Morgan Franklin Consulting about their experience with the new Cyber-Informed Engineering (CIE) initiative. For anyone not familiar with the initiative, CIE positions OT security as “a coin with two sides.” One side is cybersecurity – teach engineering teams about cyber threats, cybersecurity mitigations, and the limitations and scope of each kind of mitigation. The other side is engineering – use engineering design elements like overpressure-relief valves and manual fall-back procedures to address cyber threats as well as more conventional threats to safe, reliable, and efficient physical operations.


With funding from the US Department of Energy (DoE), Idaho National Laboratory (INL) is assembling a body of knowledge – relevant parts of safety engineering, protection engineering, automation engineering, network engineering, and of course cybersecurity and the NIST CSF. My own experience is that CIE is very often, but not always, received very warmly. I was curious to get another couple of data points as to how other people perceived it, and the reactions they observe in their part of the OT security community. So, I asked…

1) What is your general impression of CIE?

Marc Sachs – Cyber-Informed Engineer

Marc responded “Involving the engineering community reframes digital security as a risk area that can be mitigated with engineering principles and practices. Rather than addressing computer science issues within OT or IC systems, engineers can apply physical laws and mathematical principles to design infrastructure resilient to cyber attacks.”

Sarah responded “Cyber-Informed Engineering matters because it emphasizes the need of hearing the engineer’s perspective on cybersecurity. This is both the emphasis on consequence (real-world plant consequence, not some ephemeral CIA triad) and on engineered controls, including aspects that are not in the cyber realm and cyber usually takes for granted or regards as out-of-scope.”

Aaron responded “CIE’s most important contribution is how it fosters collaboration across different domains, creating a culture where stakeholders from engineering, IT, and cybersecurity work together. This collaborative approach elevates threat modeling to the next level because it engages key personnel (like control room leads) who understand real-world operational access points and vulnerabilities.”

These all make a lot of sense to me. CIE calls out powerful tools that engineering teams can use to address cyber risk, tools that are not even mentioned in the NIST CSF, in ISO 27001, or even in the industrial IEC 62443 standards. In my experience, the realization that these engineering risk mitigation tools exist, in addition to cybersecurity mitigations, for the first time brings engineering teams to the cyber risk management table as equals. This makes cooperation easier, puts more options on the table, and results in more effective risk management strategies. And CIE’s emphasis on tackling the highest credible consequences first is consistent with the engineering perspective as well: deal with the “big fish” first and you almost always find that your “big fish” mitigations have already addressed the high-frequency, lower-consequence threats as well.

2) What has been the reaction of business, enterprise security and engineering stakeholders to CIE?

Marc: “It resonates since most people are not security experts, but many can understand the concept of using engineering principles and practices to mitigate these new risks.”

Sarah Fluchs – CTO at admeritia GmbH

Sarah: “Not surprisingly, it resonates most with engineers. But I found it also makes it easier to connect with business stakeholders because the focus on plant consequences is closer to business risk than what managers usually get from IT security. Enterprise IT is usually the hardest to convince because they’re just not used to thinking about aspects outside of cyber / IT.”

Aaron: “The eye-opener comes when they realize the importance of connecting all these individual components into a cohesive process that fully integrates cybersecurity throughout the engineering lifecycle. CIE is a shift in perspective on how security should be part of every engineering and business decision.”

So again, different perspectives – Marc‘s & Sarah’s comments speak to the experience of business decision makers, while Aaron looks more at the reaction of more technical practitioners. My own experience is that the majority (but not universal) reaction can be paraphrased as “What a good idea. Why is this new? This should not be new. Why have we not been looking at the problem this way since the beginning?” Stakeholders observe that we are working with the same puzzle pieces – cybersecurity designs, engineering designs, and so on. But when we arrange the pieces as CIE suggests, there are no longer “gaps” between them – they form a seamless whole.

3) Have you had the opportunity to apply the CIE approach yourself?

Marc: “I am currently collaborating with a medium-sized municipal utility to apply the CIE framework to their water and wastewater systems. The staff’s initial impressions are that this is a great way to better understand the risks introduced by the rapid transition to networked control systems. They are already developing new engineering designs to address the issues we have uncovered.”

Sarah: “My work has always been very much aligned with CCE / CIE, so I apply portions of it every day. Mostly not the full-blown approach though because it’s very heavy on resources.”

Aaron C. Crow – Cyber & Strategic Risk Leader

Aaron: “I’ve been applying a similar approach for over a decade, even before it was formally called CIE, though in a more informal way. A big lesson is how crucial it is to increase awareness of critical system components that may have been overlooked. A simple fix – like training personnel to recover quickly from a failure with something as straightforward as a reboot or hardware swap – can make all the difference. CIE helps bring this level of understanding to the forefront.”

So, the short answer is “yes” – people are applying the methodology and/or the perspective to their projects and decision-making. And I agree with Sarah – CCE (part of CIE) risk assessments for example, are by OT industry standards very comprehensive. And the CIE Implementation Guide contains hundreds of questions we need to be asking of our projects, at every stage of the lifecycle. But picking and choosing or not, the perspective is clearly valuable and being used to one extent or another.

4) Many engineers believe cybersecurity is IT's job. Many enterprise cyber people bemoan the sorry state of OT security. Does or will CIE change any of this?

Marc: “Yes, CIE has the potential to change the conversation. It does not take away any responsibilities from the enterprise IT or the OT/ICS teams. It leverages the non-computer-centric viewpoints and experiences of classic engineers and uses their expertise to find new ways to mitigate digital risk.”

Sarah: “I believe it doesn’t matter as much who actually does OT security. If CIE can either enable engineers to contribute their perspective to OT security or enable IT security to take the engineers’ perspective, there’s hope.”

Aaron: “Absolutely. CIE helps bridge the gap between IT, OT, and engineering by bringing all stakeholders to the table. Ultimately, CIE facilitates shared responsibility, helping engineers realize that OT security isn’t just IT’s job but a collective effort.”

My own experience is that a dialog of equals, asking each other questions, is a powerful tool for changing perceptions. Engineers need cyber attack knowledge from enterprise security, so the engineers can see for themselves why we need to change how we do things. And enterprise security teams need an appreciation of the safety and other considerations that constrain engineering decisions, so enterprise security can see why the “something” that must be done about a threat in OT very often cannot be the same thing that we do on enterprise networks.

5) Any other observations?

Marc: “CIE represents a shift from treating cybersecurity as a separate IT issue to integrating it within core engineering practices, leading to more resilient and secure critical infrastructure systems. I’m thrilled and honored to have been a part of the CIE team since 2020. It’s a great way to apply 40 years experience in Civil Engineering and network security to a field that is increasingly putting our society at risk.”

Aaron: “The key to the success of CIE lies in stakeholder involvement and adoption. Getting everyone at the table – engineers, cybersecurity teams, operations, and management – ensures open communication and collaboration from the start. This shared involvement fosters trust and clarity, which are essential to fully understanding and mitigating risks.”

Said another way, the “coin” has two sides – cybersecurity and engineering. When we spend this “coin” just like any other coin, we do not choose one side of the coin over the other – we spend the whole coin. In practice, the sites and organizations that I see using engineering tools the most thoroughly to address cyber risk also use cybersecurity tools the most thoroughly. Cybersecurity alone was never enough to secure our operations optimally, and CIE shows us the unique contributions that each of our kinds of stakeholders can make to more effective solutions.

And thank you so much to Marc, Sarah, and Aaron for their insights!

Interested in learning more about Cyber-informed Engineering? Get a complimentary copy of my latest book Engineering-grade OT Security: A Manager’s Guide to learn how CIE can be put to use for protecting your systems, operations, and OT.

About the author

Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.
TSA NOPR for Pipelines, Rail & Bussing – Enhancing Surface Cyber Risk Management
https://waterfall-security.com/ot-insights-center/transportation/tsa-nopr-for-pipelines-rail-bussing-enhancing-surface-cyber-risk-management/
Tue, 26 Nov 2024 13:07:01 +0000

Andrew Ginter

The TSA Notice of Proposed Rulemaking for Enhancing Surface Cyber Risk Management is out. This is the long-awaited regulation that replaces the temporary security directives issued after the Colonial Pipeline incident. Those directives had to be re-issued annually. The new regulation will be permanent, at least until it’s changed or revoked.

So I’m trying to read through the proposed rule, and the document is daunting: 105 pages of technical language intermixed with very legal language, riddled with cross-references, only some of which I understand. That said, at a high level, the new rule, if passed as-is, looks to apply to roughly:

  • 73 of 620 freight railroads in the USA,

  • 34 of 92 public transportation & passenger railroads,

  • 115 of 2,105 of the nation’s pipelines, and

  • 71 bus owner/operators,


though the bussing rules seem focused on incident reporting rather than full-blown cybersecurity programs.

Some of the most confusing legal language seems focused on rationalizing how the TSA issues security directives, since before this it seems there were different procedures for security directives applicable to different forms of transportation. Another bunch of confusing language seems to be rationalizing physical security requirements and separating them from cybersecurity requirements. And then it gets a little bit more readable:

  • 49 CFR Part 1580 – Freight Rail Transportation Security – starts on p. 71

  • 49 CFR Part 1582 – Public Transportation and Passenger Rail Security – starts on p. 82

  • 49 CFR Part 1584 – Highway and Motor Carrier Cybersecurity – starts on p. 92, and

  • 49 CFR Part 1586 – Pipeline Facilities and Systems Security – starts on p. 96


The freight rail, passenger rail and pipeline sections have a lot of familiar language. I haven’t gone through them line by line comparing them to the previous security directives (e.g. TSA SD 2021-02E, the current directive that applies to pipelines), but just reading through the requirements rings a lot of bells in terms of language I’ve read before.

At a high level, in-scope owners and operators will need to:

  • Carry out annual enterprise-wide evaluations documenting the current state of cybersecurity and comparing that state to a ‘target profile,’

  • Document a ‘target profile’ that includes at least the measures and outcomes described in the new rule, and ideally includes all of the applicable parts of the NIST Cybersecurity Framework (NIST CSF),

  • Develop an implementation plan and identify people responsible for carrying out the plan, and

  • Identify critical cyber systems and detailed measures to protect those systems, as well as detailed measures to detect cyber incidents, respond to them and recover from them.


At a higher level, as you’ve probably guessed by now, I’m struggling to understand the legalese. I would welcome a call from someone who can explain how to make sense of the complicated cross-references. I promise to take detailed notes on the process and publish them as an article so other interested people can figure out how to do the same – with copious thanks to my generous instructor.

BTW – one of the reasons I’m trying to understand this new rule is because I’m hoping to include insights into the rule in a webinar that’s coming up: Evolving Global OT Cyber Guidelines, Recent Developments and What is Driving Them.

If you’re interested in seeing what’s common, what’s different, and what’s changing in this space, please do join us on Wednesday Nov 27.

I also invite you to get a complimentary copy of my latest book, Engineering-grade OT Security: A Manager’s Guide.

Saudi Arabia Strengthens National Cyber Posture with OT Cybersecurity Controls Regulations
https://waterfall-security.com/ot-insights-center/ot-security-standards/saudi-arabia-otcc/
Wed, 20 Nov 2024 07:05:58 +0000

Courtney Schneider

Saudi Arabia’s National Cybersecurity Authority (NCA) has fulfilled the strategic priority of updating cybersecurity guidance from 2018 to include cutting-edge measures to protect national critical infrastructure and industrial sites from cyber attack.

In recent years, Saudi Arabia has put in place a detailed and comprehensive set of regulations to strengthen national cybersecurity for critical infrastructure and OT networks. Specifically, the Saudi National Cybersecurity Authority (NCA) recently published the Operational Technology Cybersecurity Controls (OTCC-1:2022), which set out controls that applicable organizations must implement as an extension of the NCA’s Essential Cybersecurity Controls (ECC-1:2018). These measures are compulsory for applicable organizations, which must comply not only with the NCA’s mandate but also with Royal Decree #57231 (national law).

These guidelines recognize, above all, the necessity to have a distinct set of cyber controls tailored for industrial control systems (ICS) and operational technology (OT) to maximize protection and minimize physical consequences on the networks that maintain national stability and security.


Applicability

The NCA’s OTCCs are guidelines for all industrial operations in the Kingdom and are to be applied to industrial and critical control systems that are government operated, as well as to private sector organizations which host critical national infrastructure (CNI). The regulation’s definition of industrial control systems covers all networks, systems and devices used to operate or automate industrial processes, and all of these fall under its mandate. The controls apply to ICS that reside in facilities deemed critical, whether operated by the government or by private sector organizations operating or owning CNI (domestic or located abroad). Critical facilities are those whose sabotage or mis-operation would lead to the disruption or shut-down of the organization’s operations. That said, the Saudi government encourages these controls to be applied to all OT networks as best practice.


Based on ECC-1:2018

For a bit of context, the OTCC-1:2022 are an extension of the 2018 Essential Cybersecurity Controls (ECC-1:2018) which were originally developed by the Saudi NCA to protect critical systems and sensitive data. The ECC-1:2018 was created to broadly establish minimum cybersecurity requirements for national organizations in the Kingdom of Saudi Arabia. 

Like the 2022 controls, the ECC-1:2018 is based on an analysis of national and international cybersecurity frameworks, standards, and best practices.  The ECC-1:2018 includes the following categories:

  • Focus: Protecting the confidentiality, integrity, and availability of information,
  • Domains: Five main domains, 29 subdomains, and 114 controls,
  • Themes: Strategy, people, processes, and technology, and
  • Scope: Applies to government organizations, companies, and private sector organizations that own, operate, or host Critical National Infrastructures (CNIs).

 

The ECC-1:2018 outlines steps for organizations to identify, avoid, or mitigate security risks. The controls attempt to encourage a multi-faceted defense strategy against a range of cyber threats. The 2022 OTCC regulations are an extension of this baseline cybersecurity set of standards to extend to more nationally critical operational networks that present unacceptable levels of consequences when not appropriately protected.

OTCC Security Levels

There are three OT security control levels defined in the OTCC-1:2022 document. Facilities are assigned to one of these criticality levels based entirely on an assessment of the consequences of compromise: consequences for health, safety and environment, and for the national economy and security. Level 1 is the highest criticality level. The NCA has issued a tool (the OTCC-1:2022 Facility Level Identification Tool) to walk applicable sites through the process of determining which of the three levels applies to the site. All Level 3 (low) security controls also apply to Level 2 and Level 1 facilities, and all Level 2 (medium) controls also apply to Level 1 (high) facilities.

The Operational Technology Cybersecurity Controls document (OTCC) is structured into four main OTCC Domains: Governance, Defense, Resilience, and Third Party Cybersecurity (i.e.: supply chain).

How Waterfall Unidirectional Gateways streamline compliance with OTCC

There are several required controls and sub-controls where Waterfall Unidirectional Security Gateways can assist with or fulfill compliance with the OTCC for applicable organizations. The main control areas are ICS Project Management, Identity & Access Management, System Protection, Network Security Management, and Business Continuity Management.

Cybersecurity Risk Management

Sub-Control 1-3-1-7 states that, in the event of risk acceptance, alternative cybersecurity controls must be clearly defined, documented, approved by the Authorizing Official, and implemented effectively for a defined period of time while the risk is reassessed continuously. For the most critically sensitive ICS, it is very often necessary to accept the risk of vulnerabilities because it is difficult to patch systems promptly. This is because of the need to carry out exhaustive testing of new security updates and patches to assure that the new software does not itself introduce an unacceptable risk of safety-critical or reliability-critical malfunctions in the physical process. Thus critical systems often have no choice but to accept, at least temporarily, the risk of software that is out of date, and must implement compensating measures. Waterfall’s Unidirectional Security Gateways are powerful compensating measures. When deployed as recommended, as the sole connection between IT and OT networks, the gateways are physically incapable of propagating a cyber attack from the IT network back into the OT network to reach still-vulnerable assets.

Identity and Access Management

Control 2-2, Identity and Access Management, is another control area that closely aligns with Waterfall’s technology offering. Sub-control 2-2-1-1 effectively forbids what other standards call “shared trusts,” where OT systems trust credentials managed in an IT network. Such shared trusts are singularly dangerous: a common attack technique on IT networks is to compromise the identity management system, e.g. a Windows Active Directory server, in order to create new OT credentials, so that attackers can simply connect to OT assets through IT/OT firewalls, log into those assets using the new credentials, and work their will upon the OT network. Waterfall’s Unidirectional Gateways render such shared trusts impossible, because IT credential information and permissions physically cannot be communicated through an outbound-only Unidirectional Gateway.
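As an added example (not Waterfall’s code and not part of the original article), the detection below looks at the attack path just described from the defender’s side, for a site that still has an IT/OT firewall rather than a unidirectional gateway. It assumes that Windows Security events from the IT domain controller and from the OT Windows hosts reach one collector and have been parsed into dicts, and it flags any logon to an OT host by an account created within the previous 24 hours, or from an IT address range. The host names, address ranges and event records are constructed for the example.

```python
"""Spot a freshly created directory account logging on to OT hosts.

Added example, not Waterfall's code. Event IDs used: 4720 (user account
created) and 4624 (successful logon). Hosts, address ranges and the event
records are constructed assumptions for the example.
"""
from datetime import datetime, timedelta
import ipaddress

# Assumptions: which hosts sit in the OT zone and which ranges are IT.
OT_HOSTS = {"HMI-01", "HIST-01", "ENG-WS-02"}
IT_NETWORKS = [ipaddress.ip_network("10.1.0.0/16")]
# A logon on an OT host this soon after account creation is suspicious.
NEW_ACCOUNT_WINDOW = timedelta(hours=24)

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"event_id": 4720, "time": "2024-11-01T08:00:00", "account": "old-acct",
     "host": "DC-01", "src_ip": "10.1.1.5"},
    {"event_id": 4720, "time": "2024-11-20T08:00:00", "account": "svc-backup2",
     "host": "DC-01", "src_ip": "10.1.1.5"},
    {"event_id": 4624, "time": "2024-11-20T08:10:00", "account": "svc-backup2",
     "host": "DC-01", "src_ip": "10.1.1.5"},        # IT-side logon, out of scope
    {"event_id": 4624, "time": "2024-11-20T08:45:00", "account": "svc-backup2",
     "host": "HIST-01", "src_ip": "10.1.1.5"},      # new account, IT source, OT host
    {"event_id": 4624, "time": "2024-11-20T09:00:00", "account": "jsmith",
     "host": "HIST-01", "src_ip": "10.50.2.7"},     # long-standing account, OT source
    {"event_id": 4624, "time": "2024-11-20T09:30:00", "account": "old-acct",
     "host": "HMI-01", "src_ip": "10.50.3.9"},      # created weeks ago, OT source
]


def _parse_time(value):
    return datetime.fromisoformat(value)


def account_creation_times(events):
    """Map account name -> time of its most recent 4720 (account created) event."""
    created = {}
    for event in events:
        if event["event_id"] != 4720:
            continue
        when = _parse_time(event["time"])
        if event["account"] not in created or when > created[event["account"]]:
            created[event["account"]] = when
    return created


def is_it_address(ip_text):
    """True when the source address falls inside one of the IT ranges."""
    address = ipaddress.ip_address(ip_text)
    return any(address in network for network in IT_NETWORKS)


def find_suspicious_ot_logons(events, ot_hosts=OT_HOSTS, window=NEW_ACCOUNT_WINDOW):
    """One alert per OT-host logon that uses a just-created account and/or
    originates from an IT address range; each alert lists its reasons."""
    created = account_creation_times(events)
    alerts = []
    for event in events:
        if event["event_id"] != 4624 or event["host"] not in ot_hosts:
            continue
        logon_time = _parse_time(event["time"])
        reasons = []
        created_at = created.get(event["account"])
        if created_at is not None and timedelta(0) <= logon_time - created_at <= window:
            reasons.append("account created %s before this logon" % (logon_time - created_at))
        if is_it_address(event["src_ip"]):
            reasons.append("logon originates from IT address %s" % event["src_ip"])
        if reasons:
            alerts.append({"account": event["account"], "host": event["host"],
                           "time": event["time"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_ot_logons(SAMPLE_EVENTS):
        print(alert["time"], alert["account"], "on", alert["host"], "->", "; ".join(alert["reasons"]))
```

Run against the sample, only the svc-backup2 logon to HIST-01 is reported, for both reasons. This is detection after the fact; the point of the paragraph above is that with an outbound-only gateway at the boundary the inbound logon has no path to happen in the first place.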

Sub-control 2-2-1-7 stipulates that remote access to OT networks must be restricted and only enabled when necessary and justified. Waterfall’s Unidirectional Gateways support a range of remote access technologies to implement this control. Waterfall’s new HERA product provides true hardware-enforced, unattended remote access, with session recording and monitoring facilities. Waterfall’s Secure Bypass product is hardware that provides protected OT sites with physical control over when and for how long conventional software-based, 2FA remote access is enabled. And Waterfall’s Remote Screen View provides remote support personnel with a physically read-only view of activity inside the OT network, so that they can provide advice to site personnel without ever engaging in dangerous remote control.

Safety-Instrumented Systems

Section 2-3-1 specifies a number of controls that must be applied to Safety-Instrumented Systems (SIS), the most sensitive systems in most OT facilities, tasked with protecting human life and the environment. Waterfall’s Unidirectional Gateways directly address the needs of requirement 2-3-1-1, which requires advanced techniques to reliably prevent the propagation of malware and advanced attacks from any external source into SIS systems and networks. Waterfall’s Unidirectional Gateways, deployed to connect SIS systems and networks to OT networks, enable real-time monitoring of SIS components, while physically preventing malware, interactive attacks and other cyber-sabotage attack information from penetrating into SIS components.

Tamper-Proof Forensics

In terms of the system logs protection in requirement 2-3-1-10, the Waterfall BlackBox provides a tamper-proof online repository that can survive a cyber attack, preventing attackers from hiding evidence of how they entered a network and their malicious actions within it. Just as an aircraft’s black box survives a crash, the Waterfall BlackBox survives a cyber attack – keeping protected system logs secure from external tampering. The Waterfall BlackBox also provides unidirectional, hardware-enforced protection for logs, preventing all external tampering and sabotage.

Network Security Management

When it comes to the 16 sub-controls in section 2-3-1, almost all of these controls are thoroughly satisfied by the use of Unidirectional Gateways. These sub-controls include requirements for:

  • Logical or physical segmentation of the OT/ICS environment,

  • Segmentation of Safety Instrumented Systems (SIS),

  • Limitations of network connection points between different criticality zones,

  • Prevention of direct remote authentication and access on external-facing hosts,

  • Accessibility to services with known vulnerabilities limited to the greatest extent possible,

  • Dedicated gateways to segment OT/ICS networks from corporate zone, and

  • Strict limitation of industrial protocols and ports to the minimum to meet operational, maintenance, and safety requirements.


Unlike firewalls, which provide logical, software- and rules-based data filtering, Unidirectional Gateways are hardware-enforced, physically enabling only the outbound transfer of information while providing physical protection from inbound attacks. This physical protection is the strongest network segmentation available in the marketplace that maintains straightforward integration of OT systems and data with IT-based business automation systems essential to efficient operations.

Security Monitoring

Section 2-11-1 includes ten requirements for security monitoring. What is not said in the regulation is where the monitoring information is used. In practice, most OT organizations have a central Security Operations Center (SOC) that aggregates and analyzes monitoring information from all of the organization’s facilities. Unidirectional Gateway technology helps enormously in facilitating this central aggregation and analysis.

Unidirectional Gateways are routinely configured to transmit logs, Syslog, SNMP traps and other alerts from OT sources to a central IT SOC, through an outbound Unidirectional Gateway deployed at the IT/OT interface. In addition, OT network intrusion detection (IDS) sensors are most easily managed by IT SOC analysts when those sensors are hosted on IT networks. The Waterfall for IDS product is a Common-Criteria-certified technology that replicates switch mirror and SPAN ports to IT IDS sensors for analysis, without risk of attacks pivoting back through those IDS sensors into OT networks.

Cybersecurity Resilience and Business Continuity

Sub-controls 3-1-1-1 (“Activities necessary to sustain minimum operations of OT/ICS systems”) and 3-1-1-5 (“In the event of a system failure due to a cyberattack, OT/ICS assets or systems must operate on an acceptable safe mode to achieve a continuous operation”) reinforce the OT security principle of keeping a base level of operational functionality in the event of an enterprise or IT network outage or compromise.

Unidirectional Gateways are powerful tools to support this objective. When Unidirectional Gateways, oriented from the OT network to the IT network, are the sole connection between IT and critical OT networks, no malware, ransomware or compromise of IT systems can “leak” through the gateways into OT networks to put physical operations at risk.

How Waterfall is an Obvious Partner in OTCC Compliance Efforts

Waterfall is proud to protect the most secure industrial sites in the world. To this end, Unidirectional Gateway technology is meeting the most ambitious internal security goals as well as compulsory regulatory requirements, resulting in continuous, reliable and untampered operational networks. Saudi Arabia’s OTCC requirements are an excellent step in both securing its own national infrastructure and providing a strong example and guidance to other nations’ critical infrastructures and heavy industries. Waterfall’s Unidirectional Gateways are powerful tools in pursuit of secure-by-design goals and objectives, secure remote access to critical networks, the strongest of network segmentation, and the goal of maintaining operational continuity in the face of IT/enterprise network compromise. For more information, please visit waterfall-security.com or write to us at info@waterfall-security.com.

About the author

Courtney Schneider


The post Saudi Arabia Strengthens National Cyber Posture with OT Cybersecurity Controls Regulations appeared first on Waterfall Security Solutions.

Driving Change – Cloud Systems and Japanese CCE | Episode 132 https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/driving-change-cloud-systems-and-japanese-cce-episode-132/ Tue, 19 Nov 2024 11:30:34 +0000 https://waterfall-security.com/?p=28325 Tomomi Aoyama translated the book Countering Cyber Sabotage - Consequence-Driven, Cyber-Informed Engineering - to Japanese. Tomomi recalls the effort of translating CCE to Japanese and looks forward to applying CCE and OT security principles to industrial cloud systems at Cognite.


Driving Change – Cloud Systems and Japanese CCE | Episode 132

Tomomi Aoyama translated the book Countering Cyber Sabotage - Consequence-Driven, Cyber-Informed Engineering - to Japanese. Tomomi recalls the effort of translating CCE to Japanese and looks forward to applying CCE and OT security principles to industrial cloud systems at Cognite.


Waterfall team

Driving Change - Cloud Systems and Japanese CCE - Industrial Security Podcast Episode 132

“…security was mostly discussed as technical topic. And there was not enough frameworks or ways of conveying important security and security risk in the way that the stakeholders can easily engage with. And CCE for me enabled that…”


About Tomomi Aoyama and Cognite

Dr. Tomomi Aoyama is a distinguished figure in the field of industrial cybersecurity, currently serving as Private SaaS Operations Lead at Cognite (Website). With a robust academic background, Dr. Aoyama has dedicated her career to advancing cybersecurity practices, particularly in the realm of industrial control systems (ICS).

Her expertise spans several critical areas, including the application of Process Hazard Analysis (PHA) to cyber risk assessment, lifecycle security management, and the role of human factors in cyber incident response. Dr. Aoyama’s work is globally recognized, and she actively contributes to both public and private sectors. She serves as an expert advisor to Japan’s National Centre of Incident Readiness & Strategy for Cyber Security (NISC) and the Industrial Cyber Security Center of Excellence (ICSCoE) in Japan.

In addition to her advisory roles, Dr. Aoyama is committed to knowledge sharing and education. She has translated essential ICS security literature into Japanese, including NIST SP 800-82 Rev.2 and the book “Countering Cyber Sabotage” by A. Bochman and S. Freeman. Her contributions have significantly enhanced the understanding and implementation of cybersecurity measures in Japan and beyond.

Dr. Aoyama’s career is a testament to her dedication to improving cybersecurity frameworks and her influence continues to shape the future of industrial cybersecurity on a global scale.

Cognite (LinkedIn) was founded in 2016 and has over 700 employees including top-notch software developers, data scientists, designers, and 3D specialists. Over the years, Cognite has positioned itself as a global industrial Software-as-a-Service (SaaS) leader, with an eye on the future and a drive to digitalize the industrial world. Cognite has created a new class of industrial software which allows asset-intensive industries to operate more sustainably, securely, and efficiently. Their core software product is Cognite Data Fusion (CDF), designed to quickly contextualize OT/IT data to develop and scale company solutions, using technology like hybrid AI, big data, machine learning, and 3D modelling to get there. Cognite’s clients include oil & gas, power utilities, renewable energy, manufacturing, and other heavy-asset industries. Cognite helps them operate through transitions, sustainably and at scale, without sacrificing bottom lines, paving the way for a full-scale digital transformation of heavy industry.


Transcript of this podcast episode #132: 

Driving Change – Cloud Systems and Japanese CCE | Episode 132

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Welcome listeners to the Industrial Security Podcast. My name is Nate Nelson. I’m here with Andrew Ginter, the Vice President of Industrial Security at Waterfall Security Solutions, who’s going to introduce the subject and guest of our show today. Andrew, how are you?

Andrew Ginter
I’m very well, thank you Nate. Our guest today is Tomomi Aoyama. She is the principal development lead for Private SaaS, that’s Software as a Service, at Cognite, which produces industrial control system software. And we’re going to talk a little bit about what she’s doing, but mostly we’re going to talk about her translation of the consequence-driven cyber-informed engineering textbook, Countering Cyber Sabotage, her translation of the book to Japanese.

Nathaniel Nelson
Then without further ado, your conversation with Tomomi.

Andrew Ginter
Hello, Tomomi, and welcome to the podcast. Before we get started, can I ask you to say a few words about yourself for our listeners and about the good work that you’re doing at Cognite?

Tomomi Aoyama
Thank you very much for having me, Andrew. I’m Tomomi, and I’ve been in the ICS security domain over a decade, and I started as an academic researcher. And my fascination for this domain was always about how can we enable this collaboration. I started trying to understand how safety and security risk assessment can be combined, how security risk specialists can communicate with safety risk specialists and share the metrics, share the value. That was the first research topic that I was working on. And then I gradually shifted more towards, okay, how cyber risk or OT security risk can be expressed as business continuity risk or business risk.

And through the academic position I had in Japan, while I was doing the PhD and being an assistant professor and teaching, I was lucky enough to be able to join some government projects where I was able to support asset owners to design and evaluate cyber tabletop exercises, business continuity exercises, drills for earthquake drills also, and also help the government to develop this large OT security capability building center called ICCoE, where I supported building up the training curriculum and international engagement. And now I’m in Cognite and still I’m fascinated, again, I’m still fascinated by this collaboration piece in the OT security area. Cognite is a company that builds the OT data platform software in oil and gas, chemical, energy, and manufacturing and so on. And the Cognite operation is based on software as a service on a cloud data platform.

And when we talk about cloud security, there is a shared responsibility model that shares the security operation and responsibility between the cloud service providers and asset owners. But the usual model that they have is two-colored – a very simplified two-colored model, and there is no space for a SaaS company like Cognite. And especially when you consider that most organizations, most critical infrastructure operators would select a hybrid model where they have the public cloud, private cloud, on-prem system all together.

And the asset owner wants to have total visibility and data governance over all the platforms and all the systems. There’s no real guideline for that. There is no established model for that. So what I’m doing at Cognite is using my background in research and also in the OT security domain, trying to understand and navigate the conversation with customers, trying to navigate Cognite towards how we can support this new era for the asset owners where they want to have the data control and strong data ownership. So that’s where I am today.

Andrew Ginter
Cool. So you know the industrial cloud is coming. It’s great that you’re contributing to that at Cognite. Our topic is a little different today. Our topic today is Consequence-Driven Cyber-Informed Engineering. And a couple of years ago, you translated the book on the topic, Countering Cyber Sabotage, Consequence-Driven Cyber-Informed Engineering, the book that Andrew Bochman and Sarah Freeman wrote, you translated the book into Japanese. So I wanted to ask you about that, but before I do, can I ask you to maybe introduce the book to our listeners? What is CCE? What is consequence-driven cyber-informed engineering?

Tomomi Aoyama
Sure. CCE is quite a mouthful, Consequence-Driven Cyber-Informed Engineering. It was originally part of Cyber-Informed Engineering. It’s one of the pillars of Cyber-Informed Engineering, which is the framework for combining the cyber and engineering side and how we can enable security more by design, security built into the engineering process.

And INL, Idaho National Lab, especially focused on this consequence-driven risk analysis part. And they developed this CCE method. It comes with four phases, starting from phase one, consequence prioritization, which is quite an important one for me. And phase two is system-of-systems analysis, meaning how systems or dependencies between the systems, resources, information, data, people, are contributing to the consequence, the worst, worst, worst case that you want to avoid happening.

And phase three is consequence-based targeting. This is where you bring in a little bit of the attacker’s perspective and security perspective: how those dependencies between the systems or the path to the consequence can be compromised, how attackers can take advantage of this dependency to make the consequences happen. And then phase four is all about mitigation and protection. Okay, how can we cut that domino effect that attackers use to enable the consequence to happen, in the most efficient way? And preferably, how can we do that by combining the engineering method and traditional cybersecurity tools and solutions.

Nathaniel Nelson
Andrew, these are concepts that we’ve talked about in a number of episodes before, but for anybody who hasn’t listened to those, could you just do a quick review of CCE?

Andrew Ginter
Sure, CIE is the big tent, Cyber-Informed Engineering. It’s all about engineering and cybersecurity together. You know, the engineering part has been neglected historically: overpressure relief valves, manual operations as a fallback. These techniques that are used to manage physical risk can also be used to manage cyber risk.

CCE fits within the big tent. I mean, a great deal of engineering is under the big tent, all of cybersecurity. CCE is a bunch of techniques, and it’s more than what’s in the book, but the book itself has really three big chunks.

One is consequence evaluation, and they recommend don’t start with your simplest attacks. They recommend start with your biggest fish and do something about them first, so consequence analysis.

And then a few chapters on engineering mitigations. But the bulk of the book is about system-of-systems analysis to understand your defenses, to look for choke points in your defenses where you can choke off attacks most efficiently with minimal investment, maximum return in terms of security for minimal investment. So that’s the big picture. CIE is the big umbrella. CCE is actually a formal training program. It’s a piece of CIE.

But CIE is big enough that just about anything fits under it that has to do with industrial security. And CCE is a chunk of that.

Andrew Ginter
All right, so that’s CCE. Let’s come to the translation. Translating a book is a big job. The CCE book is hundreds of pages. And you’ve got to be sure that the translation is right. It’s a huge investment. Why would you undertake that big a job with this book?

Tomomi Aoyama
Right, so when I first met the idea of CCE, I was a researcher at a university in Japan. My research area was trying to understand how we can communicate and engage with stakeholders about OT security in an efficient way and how we can do the risk assessment that both understands security risk and also safety risk and also their implication for the business impact. And we struggled to find the way that this can be achieved in one way or a simple way. And my running hypothesis back then, and also now, this is my belief, is that OT security is a communication problem. It’s a team effort. OT security is definitely a team effort. You cannot just have the very experienced expert Bob to save the world.

Every time, we need to engage the internal stakeholders, different teams, to understand security in the same way as they do in their own job language. If it’s an operator, they need to understand what security means for their operation. If it’s a business leader, they need to understand cyber security or the security implication in terms of how it impacts their initiatives and their investment.

And I found it very difficult because, at least back then when I was doing the academic research, security was mostly discussed as a technical topic. And there were not enough frameworks or ways of conveying important security and security risk in a way that the stakeholders can easily engage with. And CCE for me enabled that, especially this first part of CCE, the consequence prioritization. You don’t talk about threats, you don’t talk about threat actors, you don’t talk about security solutions, you talk about what matters most for your business and business continuity. That makes it very simple but easy to align any stakeholder in the organization.

So that’s why I thought that this idea I really want to convey to my community in Japan in my mother language, and I want to be that catalyst to deliver the message. That’s why.

Andrew Ginter
Okay, so that’s why you felt it was important to translate CCE into Japanese. Can I ask you how it came about? It’s one thing to read a book and say, hey, this is good stuff. It’s another thing to reach out to the authors and actually make it happen. How did this happen?

Tomomi Aoyama
When I first met the idea of CCE, it didn’t encourage me immediately about translating the book. I think back then there was no book yet published either. And I got to meet Andrew at S4 and he was presenting about the idea of CCE. That’s when the idea of CCE very much clicked with my academic interest.

And I wanted to talk to Andrew at the beer bash and say, hey, I really like your idea. I really want to promote this method in the community in Japan. That’s the kind of beginning of my engagement with the CCE team.

And one of the big turning points was the Japanese government, in collaboration with the US government, organized a capacity building training for Indo-Pacific countries. And ICCoE, the Industrial Cyber Security Center of Excellence, which is the OT security training organization that I support in Japan, was the one that provided training together with US trainer teams, which was INL. And we ended up providing the CCE training for the Indo-Pacific countries together with Andrew and the CCE team in INL and trainers in ICCoE.

And it was a very fun engagement and it was interesting how CCE was received by the participants also. And after Andy and I were celebrating the successful delivery of that training, it really came to my mind immediately and I said to Andrew that, can I translate this book? I really think I can translate this in a meaningful way. And can you support this? And that’s the kind of beginning. And it took another two years or so to actually translate the book.

Andrew Ginter
Okay, so you ran into Andrew, one of the authors of the book, at S4, sort of where the world of industrial cybersecurity today comes together. You also mentioned the Industrial Cybersecurity Center of Excellence in Japan, a government agency. How were you connected with them? How did you connect those dots?

Tomomi Aoyama
So I was fortunate enough to be involved from the very early stage of ICCoE, from the establishment phase of ICCoE in 2017. And my university, well, the university I used to belong to as an assistant professor and now still support as a visiting researcher, they take care of one-third to one-fourth of the curriculum at ICCoE. So that is my connection to the organization, and currently I also support the international engagement that ICCoE does. So when they want to do international engagement such as overseas training, or inviting international speakers to the ICCoE curriculum, I tend to support it. So the joint training we provided between Japan and the US, that’s also a project that I supported.

And that’s why I was involved in suggesting that CCE could be a good topic to introduce to the Japanese and also the Pacific audience.

Andrew Ginter
Cool, so you were at the university, you had an opportunity to connect the dots and you did, good job. Let’s talk about the translation. I mean, today you can take a Word document and pump it through, I don’t know, Google Translate or something. There’s other translators on the market as well. And say here, translate this into Japanese. When I’ve done this with my documents for a German market in particular, I speak a little German. I looked at the result and it was full of mistakes and I had to correct it.

So what was involved in the translation? Did you press a button and it worked? Did you have to review it in detail? Did you have other people reviewing it? How did the actual mechanics of the translation come about?

Tomomi Aoyama
Andrew, it was all me. It was a one-person operation and it was painfully long. I have done translation of, for example, the NIST 800 series, some documents I have translated into Japanese.

So I have done many projects, but not a book. So it was a really different level of beast. I definitely used the help of machine translation sentence by sentence just to create the baseline, but most of the time it was more confusing than helpful. So the most important thing that I needed to create was the dictionary. The translation dictionary, to be consistent throughout the book on how we translate.

For example, well, as you can see in the title of the book, the consequence, this word appears a lot in the book. And I was very intentional and also a little bit cheeky when I translated this in Japanese. I intentionally translated it as business consequence because I didn’t want the readers to mistake consequence as information breach or some technical consequences or piece of the consequences. But I want this book to be the starter of the conversation with different aspects and seeing security from a different perspective, more from the business perspective, business risk perspective. So I intentionally changed the translation from consequence in Japanese to business consequence.

And so this process of creating the dictionary and being happy with this dictionary, that was a very challenging part. There are a lot of terms in the CCE book that are very common for probably military domain or government people.

But it’s not so much a resonating word when it’s directly translated. So I also needed to understand each concept very deeply. And Andrew Bochman, one of the authors, was kind and generous enough to have multiple sessions for walking through those terms, what they mean, what’s the backstory of these terms one by one. So that really helped me a lot.

Andrew Ginter
So Nate, I’ve written a couple of books. I’ve translated some material, especially into German. In my experience, exactly what Tomomi talks about, terminology is important, especially when you’re translating a technical document. In a lot of the world’s languages, a lot of computer concepts are showing up in those languages as English words sort of transplanted or adopted into the language.

This despite the language often having its own words for those concepts. In German in particular, where English has comparatively short, simple words for a certain technical concept, German likes to jam a few adjectives and nouns together into a single, very long, very complicated word.

And what I observe in the German community that I interact with is they’ve adopted a lot of the short English words rather than using the long formal German words. And when you’re putting together a translation, you’ve got to figure this out. If you use the native language words and the community that you’re addressing isn’t using those words, they’re going to look at your stuff and it’s going to be a harder read. It’s not the terminology they expect. And vice versa. If you transplant a bunch of English words into the translation, and this is not what the community is used to, they’re going to look at this and say, this doesn’t, again, it impairs comprehension. And this is not the only challenge with translation. What I found with German in particular, I don’t know Japanese, but I know that in German there are linguistic concepts, gender in particular, everything is gendered. When you’re doing a little bit of dialogue, A said this and B said that, and you use the word you, you’ve got to select the word very carefully. There’s the familiar you, there’s the formal you.

And in English, you don’t have all this stuff. And when you translate material from English to German, I used a machine translator. The machine translator just gets it wrong. The machine translator says, well, I need this concept in the German translation, and it doesn’t exist in English. So I’ll just make it up. And they pick the wrong one pretty consistently. So there’s a lot of repair. Choose the terminology carefully and then you’ve got to go through it and just repair what the machine translator does.

Nathaniel Nelson
And I’m wondering how you felt about the particular point of translation she highlighted in her answer, how she translated consequences to business consequences, because you and I talk about these concepts a lot. We don’t really focus on them through the business lens. Usually it’s like physical consequences, for example.

Andrew Ginter
I was thinking about that myself after the interview here and, reflecting on it a little bit, I wonder if it’s because it sort of reflects Tomomi’s focus on risk assessment. She was doing a lot of risk assessment work in her research and, who consumes the results of a risk assessment?

It’s generally the business decision makers who have to decide, am I going to provide funding to my engineering team, to my IT teams to fix this problem? Explain to me in one-syllable words how much trouble we’re in, and they want to understand the impact on the business. My own focus, I tend to work more with the engineering teams who are tasked with, okay, you have a budget, solve this problem, and they change the design of the systems in order to prevent physical consequences, in order to keep things from blowing up, in order to keep trains from colliding. And so if I were doing this, I might have been tempted to substitute physical consequence rather than business consequence.

But thinking about it, that might just be because of who I communicate with. And to what we said at the beginning, it’s all about communication. You’ve got to get these concepts across these sort of chasms of understanding.

Andrew Ginter
And if I may, I mean, I’m an author myself. I pushed my third book out just under a year ago. I’m curious about intellectual property. I mean, I see the Idaho National Laboratory logo on the CCE book. I know that Sarah Freeman and Andrew Bochman were employees, I think, of Idaho National Laboratory at the time they wrote the book. I’m assuming that INL owns the copyright on the book. But you did the translation. Can you talk about intellectual property? Do you own the Japanese translation? How does that work?

Tomomi Aoyama
At least I know I don’t own the copyright. So it was primarily work for hire. It’s kind of a twofold contract. So one side is my contract with INL as the service provider, meaning that I will provide this translation service for them so that they can have the Japanese version of the manuscript in their organization. And on behalf of INL, I was sending the manuscript to the publisher. And ICCoE in Japan, they funded publishing this book in Japanese. So I was just bridging in between.

Andrew Ginter
Okay, so, a lot of work doing the translation. How’s it been received?

Tomomi Aoyama
I got very kind words from people in Japan that they enjoyed the book, and some people mentioned a specific part of the book that resonated with them very well, which is super rewarding to me. But the first review I got on a public platform, on Amazon, was very funny to me. It said four stars, great book, great content, minus one star for the bad translation. So that really made me laugh.

Yes, I know I’m not a professional translator. I cannot translate at the same level as how people would translate great novels into Japanese. I can’t yet. But at least I made them read. So that’s a win for me.

Andrew Ginter
Indeed. It’s disappointing when you get stuff like that. I remember when I published my books, I get positive, I get negative. You’ve got to shrug it off. I think the lesson is that the material is now available to a Japanese audience that doesn’t speak English. So have you got any sort of reaction, even verbal or face-to-face, from the industrial security community in Japan? How useful has CCE been in Japan?

Tomomi Aoyama
Most of the people, the majority of people reach out to me saying that CCE is a very inspiring method and inspiring approach. But I’m reading between the lines, and most of the time CCE is a little bit too big of a project and it’s not something bite-sized for most of the people to easily adopt tomorrow.

So that is one challenge that I found during and then after this translation project. The great feedback I got, not necessarily negative, but I think it really, really represents what the Japanese community’s character is, is that one person told me, he’s a risk assessment, OT risk assessment specialist, he supported many, many organizations, and he said that, Tomomi, CCE needs to be dumbed down. It needs to be easy and easy to do for anyone. Right now, CCE is only useful for the people who understand OT security at the deepest level. That’s not enough. It needs to be easy for any person possible.

And that’s something I’m thinking about a lot these days. I’m thinking about all the security solutions and all the security projects; they naturally target the critical asset operators, critical infrastructure companies, middle organizations, and government-funded organizations. So the project funding on that side is huge.

But there is a concept of the cyber poverty line, where organizations, even if they know about cyber security and know about the risk, just simply can’t afford it. They just don’t have the resources available or any solution at hand to mitigate the risk.

And CCE is an elegant concept, and right now I’m thinking how we can make CCE and any other OT security or cyber security concepts, frameworks and solutions as affordable and easy as possible to implement fast, especially when we think about supply chain security and security as a whole.

Andrew Ginter
Another, I don’t know, legal nit, maybe. In my understanding, CCE is trademarked. Idaho National Laboratory certifies training providers. You can only call yourself a certified CCE training provider if you’ve been certified by INL. I’m curious, is the Industrial Cyber Security Center of Excellence certified?

Tomomi Aoyama
No, ICSCoE is not certified to provide CCE or accessibility training, at least to my knowledge. But I can talk a little bit about how we introduce CCE as a concept.

So ICSCoE runs a one-year curriculum for industry professionals, and they basically leave their work for one year to focus on OT security training, basically nine to five plus their own research project hours. And in there we teach many principles, from traditional IT security and network security aspects to OT or engineering disciplines and risk management and business disciplines. And recently we also added cloud and digital transformation, those domains too. And CCE fits into the category of security leadership.

And one of the trainers, Hiroshi Sasaki, a dear colleague of mine, introduces CCE as part of the methods that they can use when they are building the security strategy for their own organization, when they go back to the company. So some of the frameworks they also introduce are NIST CSF. They also mention using 62443 and ISO 27K as well. And as one of the other tools that they can use to frame their own security strategy, they introduce CCE.

So we don’t go into detail in the same way that the INL folks provide CCE training, but we explain the CCE concept, and the trainees at ICSCoE engage in how they can use the CCE concept and the framework to present their security strategy to the executives.

Andrew Ginter
So that makes sense. I’m curious, in the course of translating the book, you presumably developed a deep understanding of the material. You have to understand the material in order to translate it correctly. How’s that served you? I mean, personally, you’ve developed a deep understanding of CCE translating the book. Your name is on the book. Can you talk about, has the experience of doing this translation changed your career at all?

Tomomi Aoyama
The book was published last year, 2023, in June, in Japanese, and we haven’t done any book tour or anything. And I’m also based in the UK now. I’m not based in Japan. So I don’t really have a day-to-day way to engage with people and actually get the book in their hands. So I’m not really feeling any burning change or anything, but internally, it was such a privilege to be able to dissect the work word by word and really, really print the book in my brain by translating the work and to feel Andy and Sarah’s work so close. And also the book has a part that was written by Mike Assante, and I have never met him in person, but I can’t really express how I felt about translating his part of the book, because his words, the opening section that he wrote, were so powerful, and it was such an honor to translate that into Japanese. And when I hear the good words and good feedback from people in Japan, I always think about the part that Mike wrote in English and how I also tried to match his energy to put it in the translation.

And yeah, so externally and career-trajectory-wise, I didn’t see a lot of changes, but internally it was a big change for me.

Andrew Ginter
And if I may come back to the present day, I mean, you’re working at Cognite. You’re doing some sort of cloud stuff on the industrial side. The industrial cloud is coming for everyone sooner or later in some capacity or another. Is your sort of deep background in cybersecurity part of your role at Cognite today?

Tomomi Aoyama
Yes, and I have to say, when I first learned about what Cognite’s mission is and what they are trying to achieve, it made me really anxious, because I was, and I am, very much focused on security and reliability and operation, and I was more worried about how these new technologies disrupt the reliable operation. So that was in the beginning. But right now, in the project, what we are trying to achieve is how we can make sure that when we provide software as a service, it doesn’t disrupt the security or reliability of the operation, the physical operation itself, especially as digital transformation started in the enterprise area and is getting closer and closer to the critical operations. And when I look into most of the documents on how to deploy cloud technology in a secure way, a lot of government guidance and best practice was treating public cloud as the starting point. And there was not enough information about how you manage the security and governance of a hybrid setup or a private cloud setup. And especially, how do you continue providing a service

when the stakeholders are SaaS providers like Cognite, the asset owner and the cloud service provider? How can you manage these three parties, or potentially more parties involved? How do you make this tight connection while giving the data owners, the asset owners, visibility and full control over security?

Given this is largely driven by security requirements, my background gives a little bit of perspective to balance out the need for digital transformation and the need for pushing through the boundary with understanding and accommodating the asset owner’s needs and the IT and security team’s concerns. So that is where I am. And then I also see quite the connection with CCE again. I’m seeing CCE as the tool to help the communication and the understanding of what a consequence is, and especially in terms of what we do at Cognite, understanding the dependency between systems, the dependency between the data and systems and people and critical processes. That’s really important. Having the CCE framework in the back of my head really helps me to have a dialogue with customers, industry and stakeholders internally and externally.

Andrew Ginter
Well, Tomomi, thank you for joining us. It’s been a real pleasure talking to you. Before I let you go, can I ask you to sum up for us? What are the key messages we should take away here? We’ve been talking about CCE. We’ve been talking about translating a book. We’ve been talking about the importance of the cloud. What should we take away from this episode and from your experience in these arenas?

Tomomi Aoyama
Oh, it was really great fun doing this interview with you, Andrew. Thank you for having me. My takeaway is that communication and collaboration, that’s really key to enable all the security, especially at the same speed as digital transformation. CCE is a useful tool to enable that communication and collaboration. You get to examine your security strategies and program from different perspectives.

And now the CCE book is available both in English and Japanese. So if you have Japanese colleagues, if you know somebody in Japan, reach out. They may know about CCE. And now you can talk about CCE together, which is awesome.

And right now, I’m at Cognite, and I’m looking forward to adapting the CCE principles to industrial cloud systems and trying to, again, enable that collaboration between the cloud service providers, asset owners, and SaaS providers like Cognite, and learning about how we can bring data governance back to asset owners.

Again, the CCE book is available on Amazon. And if you are coming to Japan, let me know or let ICSCoE know. We’ll always be happy to talk with you. And if you have experience with industrial cloud, public cloud, private cloud, hybrid, or if you decided not to use a cloud in the industrial space and why, let me know. I’m on LinkedIn. I’m happy to talk with you about your challenges and your experience and learn from you. Thank you.

Nathaniel Nelson
Andrew, that just about concludes your interview. Do you have any final word to take us out with today?

Andrew Ginter
Yeah, I mean, a lot of the topics we talked about are very timely. I’m a big fan of CCE and CIE. It’s all about consequences. Consequences drive the strength of required security programs. But I’m at the end of my career, and I started in technology and sort of worked into cybersecurity and risk assessments. My most recent book, the topic is risk. It’s not in the title, but it’s all about how you use an understanding of risk to decide how much cybersecurity to do, how much engineering to do.

I see Tomomi working the other way. She started with risk and with sort of communicating with business decision makers and is now tackling what I believe is the future of industrial automation. And of course, industrial cybersecurity goes with industrial automation. She’s tackling the future, which is the cloud. And the vision for the cloud is very compelling. The cloud can save enormous amounts of money. It can add flexibility. It’s a tremendous vision. The question is how much of the vision can we realize safely? And I think the answer is almost all of it. We just don’t know how yet.

So I look forward to keeping track of what Tomomi is doing at Cognite. I look forward to an opportunity to invite her back in a year when she’s sort of figured out a bunch of this stuff, because the world needs to understand how to reap the benefits of the industrial cloud without incurring unacceptable physical risk. So to me, it’s huge that she’s taking this deep understanding of risk and risk assessments and now diving into the technology and hopefully leading the way for us in terms of the industrial cloud.

Nathaniel Nelson
Thank you to Tomomi Aoyama for speaking with you, Andrew. And Andrew, as always, thank you for speaking with me.

Andrew Ginter
It’s always a pleasure. Thank you, Nate.

Nathaniel Nelson
This has been the Industrial Security Podcast from Waterfall. Thanks to everyone out there listening.


The post Driving Change – Cloud Systems and Japanese CCE | Episode 132 appeared first on Waterfall Security Solutions.

Webinar: Evolving Global OT Cyber Guidelines, Recent Developments and What is Driving it https://waterfall-security.com/ot-insights-center/ot-security-standards/webinar-evolving-global-ot-cyber-guidelines-recent-developments-and-what-is-driving-it/ Wed, 06 Nov 2024 08:20:41 +0000 https://waterfall-security.com/?p=28112 Watch the webinar for a look into the recent evolution of OT security standards

The post Webinar: Evolving Global OT Cyber Guidelines, Recent Developments and What is Driving it appeared first on Waterfall Security Solutions.


Webinar: Evolving Global OT Cyber Guidelines, Recent Developments and What is Driving it


Watch the webinar for a look into the recent evolution of OT security standards. There are some common themes in the OT cyber security guidance published in recent years around the world. Governments and standards bodies are feeling the pressure to increase the level of protective measures and methodologies when it comes to highly consequential systems and infrastructure.

In this webinar, Andrew Ginter takes us through:

  • Who are the countries and standards bodies leading the way?

  • How engineering and security principles are influencing the approach to OT cyber.

  • What are consequence boundaries, and how do they inform an OT security strategy?

  • Our prediction on the future of OT cyber best practices.

Meet Your Expert Guide:


Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.

Cloud-Rendezvous-Style OT Remote Access: Residual Risk https://waterfall-security.com/ot-insights-center/ot-security-standards/cloud-rendezvous-style-ot-remote-access-residual-risk/ Mon, 14 Oct 2024 13:31:08 +0000 https://waterfall-security.com/?p=27923 Security product vendors sometimes make outrageous claims - in this article we look at cloud-rendezvous style remote access systems for OT networks and how they work. We debunk the most outrageous claims, we look at residual risk that we accept when deploying these systems, and we suggest circumstances where deploying these kinds of systems actually does make sense.

The post Cloud-Rendezvous-Style OT Remote Access: Residual Risk appeared first on Waterfall Security Solutions.


Cloud-Rendezvous-Style OT Remote Access: Residual Risk

Cloud-based remote access systems for OT networks have become popular in recent years, but many vendors make misleading claims about their security. While these systems do offer some advantages, it's crucial to understand how they work and some of the residual risks they pose.

Andrew Ginter

Cloud-Rendezvous-Style OT Remote Access

Security product vendors sometimes make outrageous claims – in this article we look at cloud-rendezvous style remote access systems for OT networks and how they work. We debunk the most outrageous claims, we look at residual risk that we accept when deploying these systems, and we suggest circumstances where deploying these kinds of systems actually does make sense.

Learn more about OT Remote Access from our Recorded Webinar

How They Work

A lot of these cloud-based remote access systems work vaguely the way the now-ubiquitous Microsoft Teams works:

  • Software is installed on a host on the OT network – the host that the remote access session will “take over” as if we were sitting in front of the host – seeing that host’s screen, moving its mouse, and entering keystrokes for the computer remotely.

  • Software is also installed on a remote computer – say my laptop. With Teams, this is exactly the same software as is installed on the OT host, but products differ – sometimes the remote client is a different piece of software than is installed on the OT server.

  • Now we create a “session” – with Teams it’s a “meeting”, with other remote access products it’s called something else – and you get an identifier for the session – often, but not always, a long, somewhat hard to guess string or number or web link.

  • To connect my laptop to that session, I need to get that session identifier to the remote laptop. Session IDs are usually sent in email, or instant messaging, or maybe verbally over the phone.

  • And now to connect my laptop to the OT host, I give the software on my laptop the session ID, and maybe a password & some two-factor stuff, and I’m in. A real-time image of the screen of the OT host comes up on my laptop and I can start doing stuff to that host.

In that last step – what happened under the hood? When the session was created, it was created by the software on the OT host, but the session was created in the cloud. When I connect to the session on my laptop, my software reaches out to the same cloud: the remote access product’s cloud, which is the Microsoft Teams cloud in this example. My laptop’s software asks that cloud to connect to the session ID that I provided. The cloud checks permissions, and if everything aligns, the cloud tells the OT host to start sending screen images, and tells my computer to start sending keystrokes and mouse movements (KMM). Every screen image the cloud receives from the connection to the OT host, it now sends down the connection to my laptop, and vice-versa with received KMMs. Said another way, each of the computers opened a connection to the cloud service, and the cloud provided a “rendezvous” of those two connections “in the head” of the cloud.

"No Firewall Changes"

One claim made by a lot of vendors of this kind of remote access software is that no firewall changes are needed to enable the software. They contrast their rendezvous approach with traditional remote access, where we need to set up a VPN server or jump host in our OT network that receives connections from the Internet or from the IT network. Most firewalls, both IT and OT, are configured to forbid incoming connections from the Internet by default, accepting only those connections or types of connections for which we’ve configured a firewall rule allowing the connections.

This claim is in fact true when the rendezvous tech is used to access most IT networks. Not all, but the vast majority of IT networks permit most or all outbound connections to the Internet, so that IT users can access the Internet sites and services of their choice. Most, but not all, IT firewalls strictly control only incoming connections.

On OT networks, however, this practice is strongly discouraged by pretty much all regulations, standards and guidance. The buzzword is “deny by default.” OT networks should be configured so that by default all connections through the firewall in either direction are denied. If you want to connect into the OT network through the firewall, you need to add a rule for the kind of connection you are enabling. And the same holds true on the outbound side – if you want to connect out of an OT network – for example out to the remote access rendezvous-ing cloud – you must also add a rule. The “no firewall rules need to change” claim is true for most IT networks, but had better not be true for OT networks, not if your IT/OT firewall is following best practice.
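As an added illustration of the point above (constructed for this article, not any product’s configuration): a small firewall-policy model that lists which rules a rendezvous-style product needs on a typical IT perimeter versus a deny-by-default OT perimeter. The cloud hostname, ports and example flows are assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    direction: str        # "inbound" (into the protected network) or "outbound"
    dst: str              # destination label, or "any"
    port: int             # destination port, or 0 for any port
    proto: str = "tcp"


@dataclass
class Firewall:
    name: str
    default_inbound: str  # verdict when no rule matches: "allow" or "deny"
    default_outbound: str
    rules: list = field(default_factory=list)

    def decide(self, direction: str, dst: str, port: int, proto: str = "tcp") -> str:
        """First matching allow rule wins; otherwise the per-direction default applies."""
        for r in self.rules:
            if (r.direction == direction and r.proto == proto
                    and r.dst in ("any", dst) and r.port in (0, port)):
                return "allow"
        return self.default_inbound if direction == "inbound" else self.default_outbound


# The only flow a rendezvous-style product needs at the perimeter: the OT host's
# agent connecting OUT to the vendor cloud (hostname and port are assumed).
RENDEZVOUS_FLOWS = [("outbound", "rendezvous-cloud.example", 443)]


def rules_needed(fw: Firewall) -> list:
    """Explicit allow rules that must be added before the product can connect at all."""
    return [Rule(d, dst, p) for d, dst, p in RENDEZVOUS_FLOWS if fw.decide(d, dst, p) != "allow"]


def typical_it_perimeter() -> Firewall:
    # Inbound strictly controlled, but users may reach any Internet site by default.
    return Firewall("IT", default_inbound="deny", default_outbound="allow")


def ot_perimeter() -> Firewall:
    # Deny by default in BOTH directions; each permitted flow is an explicit rule.
    # The historian replication rule is a constructed example of such a flow.
    return Firewall("OT", default_inbound="deny", default_outbound="deny",
                    rules=[Rule("outbound", "historian.it.example", 1433)])


def demo() -> dict:
    it, ot = typical_it_perimeter(), ot_perimeter()
    before = {"IT": rules_needed(it), "OT": rules_needed(ot)}
    # Enabling the product on the OT side is a deliberate, narrowly scoped change:
    # one outbound rule to the vendor cloud, and still nothing inbound.
    ot.rules.extend(before["OT"])
    return {
        "it_rules_needed": len(before["IT"]),   # 0: the vendor claim holds here
        "ot_rules_needed": len(before["OT"]),   # 1: the claim does not hold here
        "ot_after_change": rules_needed(ot),    # [] once the rule is added
        "ot_inbound_rdp": ot.decide("inbound", "hmi-01.ot.example", 3389),         # "deny"
        "ot_other_outbound": ot.decide("outbound", "update-mirror.example", 443),  # "deny"
    }


if __name__ == "__main__":
    print(demo())
```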

"Completely Secure"

Many vendors also claim their rendezvous-style OT remote access system is “completely secure.” Why? Because you do not need to create an “allow inbound connection” rule in the IT/OT firewall to enable this remote access. The assumption is that TCP connections created from the Internet back into OT are the only way to put OT at risk. This is of course nonsense.

When looking at these kinds of remote access systems, whether we create an outbound firewall rule or not, we have to ask about other kinds of attack scenarios:

  • How hard is it to guess the session ID – if I connect my laptop to the cloud and start entering random IDs, will I wind up connected to someone else’s OT network “by accident,” where I can work my will upon it? Or is the session ID really easy to guess because it’s my email, or my name, or some other piece of information about me that’s really easy to find?
  • How hard is it to steal the session ID? People send these things in email, in instant messaging and so on. If I can shoulder surf these communications, or am copied on the communications, or the sender, receiver or someone else is sloppy about these communications, can I just connect to the session? Or is there a second level of authentication beyond the session ID – can the session be configured to be open only to a specific user / password / two factor dongle?
  • And even if there is secondary authentication, how hard is it to steal / spoof that password or other authentication with phishing attacks or by other means?
  • And what about vulnerabilities? These rendezvous systems are software systems where there is always the risk of vulnerabilities. What happens when a vulnerability is announced in the remote access system I have installed and the bad guys exploit that vulnerability – in my laptop client, in the rendezvous cloud, or in the OT host, before I have a chance to patch it all?
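The rendezvous mechanics described under How They Work, together with the session-ID and secondary-authentication questions in the list above, as an added Python model constructed here (not any vendor’s code): both endpoints reach out to a broker object, which relays screen frames and KMM only for a caller that presented an unguessable random session ID plus a separate passcode, locks a caller out after repeated failed joins, and keeps an audit trail a defender can review. Host names, thresholds and the passcode are assumptions.

```python
import hmac
import secrets
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

# Constructed thresholds for the model; they are not any vendor's settings.
SESSION_ID_BYTES = 16    # 128 random bits per session ID, so guessing is hopeless
MAX_FAILED_JOINS = 5     # lock a caller out after this many failed joins


@dataclass
class Session:
    session_id: str
    ot_host: str
    passcode: str                     # second factor, shared out-of-band, not in the ID
    remote: Optional[str] = None      # caller currently joined, if any
    to_remote: deque = field(default_factory=deque)   # screen frames, host -> laptop
    to_host: deque = field(default_factory=deque)     # keystrokes/mouse (KMM), laptop -> host


class RendezvousCloud:
    """The 'head' of the cloud: both endpoints connect out to it and meet here."""

    def __init__(self) -> None:
        self.sessions: dict = {}
        self.failed_joins: dict = {}
        self.audit: list = []

    def create_session(self, ot_host: str, passcode: str) -> str:
        # The OT host's agent requests the session, but the record lives in the cloud.
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self.sessions[sid] = Session(sid, ot_host, passcode)
        self.audit.append(f"created session for {ot_host}")
        return sid

    def join(self, remote: str, session_id: str, passcode: str) -> bool:
        """The laptop asks to be connected to session_id; needs the ID AND the passcode."""
        if self.failed_joins.get(remote, 0) >= MAX_FAILED_JOINS:
            self.audit.append(f"LOCKED OUT {remote}")
            return False
        sess = self.sessions.get(session_id)
        # Constant-time compare so response timing does not reveal which factor failed.
        ok = (sess is not None and sess.remote is None
              and hmac.compare_digest(sess.passcode.encode(), passcode.encode()))
        if not ok:
            self.failed_joins[remote] = self.failed_joins.get(remote, 0) + 1
            self.audit.append(f"FAILED join by {remote} (#{self.failed_joins[remote]})")
            return False
        sess.remote = remote
        self.audit.append(f"{remote} joined session on {sess.ot_host}")
        return True

    def push_frame(self, session_id: str, frame: bytes) -> None:
        """OT host sends a screen image; the cloud relays it to the joined laptop."""
        sess = self.sessions[session_id]
        if sess.remote is not None:
            sess.to_remote.append(frame)

    def push_kmm(self, remote: str, session_id: str, event: str) -> bool:
        """Laptop sends a keystroke/mouse event; relayed only for the joined caller."""
        sess = self.sessions.get(session_id)
        if sess is None or sess.remote != remote:
            self.audit.append(f"REJECTED kmm from {remote}")
            return False
        sess.to_host.append(event)
        return True


def demo() -> dict:
    """Constructed walk-through: a stranger who has the ID but not the passcode,
    then the authorised engineer with both factors."""
    cloud = RendezvousCloud()
    sid = cloud.create_session("hmi-01.ot.example", passcode="7319-4420")
    stranger = [cloud.join("stranger-laptop", sid, "0000") for _ in range(6)]
    joined = cloud.join("eng-laptop", sid, "7319-4420")
    cloud.push_frame(sid, b"\x89PNG...frame-1")          # constructed screen image
    sent = cloud.push_kmm("eng-laptop", sid, "click 120,340")
    rogue = cloud.push_kmm("stranger-laptop", sid, "key F5")
    return {
        "session_id_chars": len(sid),                     # 22 URL-safe chars for 16 bytes
        "stranger_ever_joined": any(stranger),            # False
        "lockout_logged": any(a.startswith("LOCKED OUT") for a in cloud.audit),  # True
        "engineer_joined": joined,                        # True
        "frames_relayed": len(cloud.sessions[sid].to_remote),            # 1
        "kmm_relayed": sent and len(cloud.sessions[sid].to_host) == 1,   # True
        "rogue_kmm_rejected": not rogue,                  # True
    }


if __name__ == "__main__":
    print(demo())
```

The audit list is the detection hook: repeated FAILED and LOCKED OUT entries for one caller are exactly what a defender would forward to the SOC.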

There are other attack paths that are a bit more complex, stuff like session hijacking, or interfering with encryption systems and the like. Nothing is ever “completely secure” – and too often, most things are really, embarrassingly far from “completely secure.”

"Read Only" Sessions

Another claim I’ve heard some vendors make is that their remote access systems are read only. A couple of vendors, for example, basically reproduce HMIs in the cloud and let remote users connect to those copies to visualize real-time data from the OT process. In this kind of system, most users are read only – you can press what buttons you like on the copy of the HMI, but no commands can be sent back to the OT systems. Unless you buy the remote control option. Or an enemy uses stolen credentials to log into the remote access system, puts down a stolen credit card, and enables remote access.

Who Should Use These Systems?

Despite all of my negativity thus far in this article, there is a role for this kind of remote access system in a large number of OT facilities. As defenders, we must not accept “no firewall changes,” “completely secure,” and other nonsense claims. We need to dig into the tech and understand what is the residual risk – what kinds of attack paths are possible to get through the defenses – because there are always attack paths.

Given these attack paths, however easy or difficult they are, the key question that we as defenders need to answer is whether the residual risks of those attacks are acceptable. A key criterion for making this determination is consequence – what is the worst that can happen if the remote access system is compromised, and the OT host is used either to mis-operate the physical process or to attack other hosts in the OT network in order to use them to mis-operate the process?

If the worst that can happen is that things blow up and people die, well, then we need to look really hard at the remote access system and how robust it is in the face of the kinds of attacks I’ve sketched above, and others. If the worst that can happen is that we suffer a few tens of thousands of dollars in damage and our insurer will pay us back for that, this is probably an acceptable loss. Talk to the insurer – if they are OK with us using this kind of remote access, or are OK with the system provided we have specific security measures deployed, then we can probably use the remote access system safely.

If we go forward with the system, though, it’s important that, one, we aren’t fooling ourselves about worst-case consequences. It is easy to miss consequences – for a comprehensive set of worst-case consequences we generally need many kinds of engineers to rendezvous with many kinds of IT / cybersecurity specialists to really understand what’s possible. And two, we need to be sure that we consistently execute on whatever assurances we make to the insurance company who is taking on our risk. Too many people say “yes yes yes” to cyber insurance questionnaires in the hopes of minimizing the cost of the policies. That’s a bad goal. Our goal with insurance should be to assure with a high degree of confidence that if we suffer a loss, the insurer will pay us out. Which means doing everything we’ve assured / promised the insurer we are doing to manage their risk.

And of course, if we decide the consequences and residual risks are unacceptable, then we need to re-evaluate the use of this kind of remote access.

If this was useful to you, and you’d like a similar analysis on a lot of other kinds of remote access systems, please watch my webinar about OT Remote Access.

About the author

Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.
eBook: Cybersecurity in Power Generation – Applying and Interpreting ISA/IEC 62443 Standards https://waterfall-security.com/ot-insights-center/power/ebook-cybersecurity-in-power-generation-applying-and-interpreting-isa-iec-62443-standards/ Tue, 01 Oct 2024 08:22:57 +0000 https://waterfall-security.com/?p=27670 The post eBook: Cybersecurity in Power Generation – Applying and Interpreting ISA/IEC 62443 Standards appeared first on Waterfall Security Solutions.


eBook: Cybersecurity in Power Generation – Applying and Interpreting ISA/IEC 62443 Standards

The ISA/IEC 62443 family of standards is essential for protecting Operational Technology (OT) networks, but applying these standards in the power generation sector presents unique challenges. This eBook breaks down the complexities of ISA/IEC 62443 and provides practical guidance tailored specifically to the power generation industry.

Inside the eBook, you'll learn:

  • Why applying 62443 standards to power generation benefits from a consequence-driven approach, and how to build it into your risk assessments.

  • How to interpret zoning and conduits for power generation systems, and why your current zoning strategy may not be enough to address today’s threats.

  • What new engineering-grade cybersecurity controls and network upgrades you should consider to simplify achieving a desired security level.

  • How to mitigate the risk of high-impact, low-probability cyberattacks and build a resilient defense strategy against nation-state threats.

About the author

Dr. Jesus Molina

Jesus Molina is Waterfall’s Director of Industrial Security. He is a security expert in both OT and IT security. A former hacker, his research on offensive security in industrial systems has been echoed by many publications and media, including Wired and NPR. Mr. Molina has acted as chair of several security organizations, including the Trusted Computing Group and the IoT Internet Consortium. He is the co-writer of the Industrial Internet Security Framework and the author of several security-related patents and academic research papers. Mr. Molina holds an M.S. and a Ph.D. from the University of Maryland.
