Webinar: Top 10 Cyberattacks on Industrial and Critical Infrastructure of 2024
Days
Hours
Minutes
Seconds
Register Now

Driving Change – Cloud Systems and Japanese CCE | Episode 132

Tomomi Aoyama translated the book Countering Cyber Sabotage - Consequence-Driven, Cyber-Informed Engineering - to Japanese. Tomomi recalls the effort of translating CCE to Japanese and looks forward to applying CCE and OT security principles to industrial cloud systems at Cognite.

Picture of Waterfall team

Waterfall team

Driving Change - Cloud Systems and Japanese CCE - Industrial Security Podcast Episode 132

“…security was mostly discussed as technical topic. And there was not enough frameworks or ways of conveying important security and security risk in the way that the stakeholders can easily engage with. And CCE for me enabled that…”

Available on:

About Tomomi Aoyama and Cognite

Tomomi AoyamaDr. Tomomi Aoyama is a distinguished figure in the field of industrial cybersecurity, currently serving as Private SaaS Operations Lead at Cognite (Website). With a robust academic background, Dr. Aoyama has dedicated her career to advancing cybersecurity practices, particularly in the realm of industrial control systems (ICS).

Her expertise spans several critical areas, including the application of Process Hazard Analysis (PHA) to cyber risk assessment, lifecycle security management, and the role of human factors in cyber incident response. Dr. Aoyama’s work is globally recognized, and she actively contributes to both public and private sectors. She serves as an expert advisor to Japan’s National Centre of Incident Readiness & Strategy for Cyber Security (NISC) and the Industrial Cyber Security Center of Excellence (ICSCoE) in Japan

In addition to her advisory roles, Dr. Aoyama is committed to knowledge sharing and education. She has translated essential ICS security literature into Japanese, including NIST SP 800-82 Rev.2 and the book “Countering Cyber Sabotage” by A. Bochman and S. Freeman. Her contributions have significantly enhanced the understanding and implementation of cybersecurity measures in Japan and beyond.

Dr. Aoyama’s career is a testament to her dedication to improving cybersecurity frameworks and her influence continues to shape the future of industrial cybersecurity on a global scale.

Cognite (LinkedIn) was founded in 2016 and has over 700 employees including top-notch software developers, data scientists, designers, and 3d specialists. Over the years, Cognite has positioned themselves as global industrial Software-as-a-Service (SaaS) leader, with an eye on the future and a drive to digitalize the industrial world. Cognite has created a new class of industrial software which allows asset-intensive industries to operate more sustainably, securely, and efficiently. Their core software product is Cognite Data Fusion (CDF), designed to quickly contextualize OT/IT data to develop and scale company solutions, using technology like hybrid AI, big data, machine learning, and 3D modelling to get there. Cognite’s clients include oil & gas, power utilities, renewable energy, manufacturing, and other heavy-asset industries. Cognite helps them operate through transitions, sustainably and to scale -without sacrificing bottom lines, paving the way for a full-scale digital transformation of heavy industry. 

Share

Transcript of this podcast episode #132: 

Driving Change – Cloud Systems and Japanese CCE | Episode 132

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Welcome listeners to the Industrial Security Podcast. My name is Nate Nelson. I’m here with Andrew Ginter, the Vice President of Industrial Security at Waterfall Security Solutions, who’s going to introduce the subject and guest of our show today. Andrew, how are you?

Andrew Ginter
I’m very well, thank you Nate. Our guest today is Tomomi Aoyama. She is the principal development lead for Private SAS, that’s Software as a Service, at Cognite, which produces industrial control system software. And we’re going to talk a little bit about what she’s doing, but mostly of we’re going to talk about her translation of the consequence-driven cyber-informed engineering textbook, um Countering Cyber Sabotage, her translation of the book to Japanese.

Nathaniel Nelson
Then without further ado, your conversation with Tomomi.

Andrew Ginter
Hello, Tomomi, and welcome to the podcast. Before we get started, can I ask you to say a few words about yourself for our listeners and about the good work that you’re doing at Cognite?

Tomomi Aoyama
Thank you very much for having me, Andrew, by the way. I’m Tomomi, and I’ve been in the ICS security domain over a decade, and I started as an academic researcher. And my fascination for this domain was always about how can we enable this collaboration. um I started with and from understand trying to understand how safety and security risk assessment can be combined, how security risk specialists can communicate with safety risk specialists and share the metrics, share the value. That was the first research topic that I was working on. And then I ah gradually shifted more towards, okay, how cyber risk or auto security risk can be expressed to the business continuity risk or business risk.

And through the academic position I had in Japan and while while I was doing the PhD and doing doing the um assistant professor and teaching, I was lucky enough to be able to join some government project where I was so able to support a asset owners ah design and evaluate the cyber table topic exercises, um business content exercise ah drills ah for earthquake drills also, and also and develop help of government ah to develop this large auto security capability building center called ICCOE, where I supported building up the training curriculum and international engagement. And now I’m in Cognite and still I’m fascinated again, I’m still fascinated by this collaboration piece in OT security area. Cognite is a company that builds the OT data platform software in oil and gas, chemical, energy, and manufacturing and so on. so And the Cognite operation is based on software as a service on a cloud data platform.

And When we talk about the cloud security, and there is a shared responsibility model that the shared the security operation and responsibility together with the cloud service providers and asset owners. But they the usual model that they have is two-colored – very simplified to colored model, and there is no space for the SaaS company like Clonite. And especially when you consider about the most of the organization, most critical infrared operators would select a hybrid model where they have the public cloud, private cloud, on-prem system all together.

And asset owner wants to have the total visibility and data governance over all the platforms and all the um systems. um There’s no really guideline for that. There is no established model for that. So I cognize what I’m doing as using my background in research and also also in all the security domain trying to understand and navigate the conversation with customers, trying to navigate the Cognite towards how can we support this and new era for the asset owners where they want to have the data control and strong data ownership. So that’s where I am today.

Andrew Ginter
Cool. So you know the industrial cloud is coming. You know it’s great that you’re contributing to that at Cognite. Our topic is a little different today. Our topic today is Consequence-Driven Cyber Informed Engineering. And a couple of years ago, you translated the the book on the topic, Countering Cyber Sabotage, Consequence-Driven Cyber Informed Engineering, the book that Andrew Bachman and Sarah Friedman wrote, you translated the book into Japanese. So I wanted to ask you about that, but before I do, can I ask you maybe introduce the book to our listeners? What is ah you know CCE? What is consequence-driven cyber-informed engineering?

Tomomi Aoyama
Sure. CCE is quite mouthful, Consequence-Driven Cyber-Informed Engineering. It was originally part of the Cyber-Informed Engineering. It’s one of the pillars of the Cyber-Informed Engineering, which is the framework for combining cyber and engineering side and how we can enable security more by the design, security built into the engineering courses.

And INL, IDEC National DAB, especially focus on this consequence driven w risk analysis part. And they developed this CCE method. It comes with the four phases, starting from phase one, consequence prioritization, which is quite important one one for me. And phase two is system and system ah system analysis, meaning ah how systems or dependencies between the systems, resources, information, data, people, are contributing to the consequence, the worst, worst, worst case that you want to avoid to happen.

And phase three is the consequence-based targeting. This is where you bring in a little bit attacker’s perspective and margin in security perspective. how those dependency between the systems or the path to the consequence can be compromised, how can how attackers can take advantage of this dependency to make the consequences happen. And then phase four is all about mitigation and production. Okay, how can we a how can we cut those the dominant effect for attackers to enable the consequence to happen in the most efficient way. And preferably, how can we do that by combining the engineering method and traditional cybersecurity tools and solutions.

Nathaniel Nelson
Andrew, these are concepts that we’ve talked about in a number of episodes before, but for anybody who hasn’t listened to those, could you just do a quick review of CCE?

Andrew Ginter
Sure, CIE is the big tent, Cyber Informed Engineering. It’s all about engineering and cybersecurity together. You know, the engineering part has been neglected historically, overpressure relief valves, manual operations as a fallback. These techniques that are are used to manage physical risk can also be used to manage cyber risk.

CCE fits within the big tent. I mean all of you know a great A great deal of engineering is under the big tent, all of cybersecurity. CCE is a bunch of techniques, and it’s it’s more than what’s in the book, but the book itself has really three big chunks.

One is consequence evaluation, and they recommend don’t start with your simplest attacks. They recommend start with your biggest fish and and do something about them first so consequence analysis.

And then some a few chapters on you know engineering mitigations. But the bulk of the book is about system of systems analysis to understand your defenses, to look for choke points in your defenses where you can choke off attacks most efficiently with you know minimal investment, maximum return in terms of security for minimal investment. So that’s that’s the big picture. CIE is the big umbrella. CCE is actually a formal training program. It’s a piece of CIE.

But CIE is big enough that just about anything fits under it that that has to do with industrial security. And and CCE is a chunk of that.

Andrew Ginter
All right, so so that’s CCE. let’s Let’s come to the translation. Translating a book is a big job. the the The CCE book is hundreds of pages. And you’ve got to you’ve got to be sure that that the translation is right. you it’s It’s a huge investment. why Why would you undertake that big a job with this book?

Tomomi Aoyama
Right so When I first met the idea of CCE, I was a researcher at a university in Japan. and My research area was trying to understand how we can communicate and engage with stakeholders about OT security in an efficient way and how we can do the risk assessment that both understand security risk and also safety risk and also their implication to the business impact. And we struggle to find the way that how this can be achieved in one way or a simple way. And my running hypothesis back then, and also now, this is my belief is that the OT security is a communication problem. That they there are a lot of, it’s a team effort. OT security is definitely a team effort. You cannot just have very experienced or the expert Bob to save the world.

Every time, we need to engage the stakeholders in internal stakeholders, different teams to understand the security and in the same way as you do in their own job language. If it’s an operator, they need to understand what security means for their operation. If it’s a business leader, they need to understand cyber security or the security implication in terms of how it impacts their initiatives and their investment.

And it is, I found it very difficult because security at least back then when I was doing the research, academic research, security was mostly discussed as technical topic. And there was not enough frameworks or ways of conveying important security and security risk in the way that the stakeholders can easily engage with. And CCE for me enabled that, especially this first part of CCE in the consequence prioritization. You don’t talk about threat, you don’t talk about threat actors, you don’t talk about security solutions, you talk about what but what matters most for your business and business continuity. That makes it very simple but easy to align any stakeholder in the organization.

So that’s why I thought that this idea I really want to convey to my community in Japan in my mother language and I want to be that catalyst to deliver the message. That’s why.

Andrew Ginter
Okay so that’s why you felt it was important to to translate CCE into Japanese. Can I ask you how it came about? It’s one thing to read a book and say, hey, this is good stuff. It’s another thing to reach out to the authors and and actually make it happen. How did this happen?

When I first met the idea of CCE, it didn’t encourage me immediately about translating the book. I think back then there was no book yet published either. and I got to meet Andrew at S4 and he was presenting about idea of CCE. That’s when the idea of CC very much clicked with so that my academic interest.

And I want to talk to Andrew at the beer bash and say, hey, I really like your idea. I really want to and really promote this method in the community in Japan. and That’s the kind of beginning of my engagement with CCE teams.

And one of the big turnpoints was the Japanese government, in collaboration with the US government, we organized a capacity building training for Indo-Pacific countries. And ICCoE, the Industrial Security Center for Excellence, and which is the OT security training organization, that I support in Japan was the and the one that provided training together with US training trainer teams, which was INL. And we ended up providing the CCE training for the Indo-Pacific countries a and together with Andrew and CCE team in INL and trainers in ICCOE.

OT Security Translate GraphicAnd it was very fun engagement and it was and interesting how CCE was received from the participants also. And after Andy and I were celebrating the successful delivery of that training, it really came to my mind immediately and said to Andrew that, can I translate this book? I really think I can translate this in a meaningful way. And and can you support this? And that’s the kind of beginning. And it took another two years or so to actually translate the book.

Andrew Ginter
Okay, so you ran into Andrew at S4, one of the authors of the book S4, sort of where the world of industrial cybersecurity today comes together. You also mentioned the Industrial Cybersecurity Center of Excellence in Japan, a government agency. How were you connected with them? How did you connect those dots?

So I was fortunate enough to be involved in, the from the very early stage of ICCOE, from the establishment phase of ICCOE at 2017. And they, my university, well, the university I used to belong as the the assistant professor and now still support as visiting researcher, they take care of one-third to one-fourth of the curriculum at ICCoE. So that is my connection to the organization and currently I also support the international engagement that ICCoE does. So when they want to do the international engagement such as the training, overseas training, or inviting the and international speakers to the ICCoE curriculum, I tend to support it. So the joint training we provided between Japan and the US, that’s also the some project that I supported.

And that’s why I was be involved in suggesting that CCE could be the good topic to introduce to Japanese and also in the Pacific audience.

Andrew Ginter
Cool, so you were at the university, you you had an opportunity to connect the dots and you did, good job. Let’s talk about the translation. I mean, today you can take a Word document and pump it through, I don’t know, Google Translate or something. There’s other translators on the market as well. And say here, try translate this into Japanese. When I’ve done this with my documents for a German market in particular, um I speak a little German. I looked at the result and it was full of mistakes and I had to correct it.

So what was involved in the translation? Did you press a button and it worked? Did you have to review it at in detail? Did you have other people reviewing it? How did how did the actual mechanics of the translation come about?

Tomomi Aoyama
Andrew, it was all me. It was one person operation and it was painfully long. and especially I haven’t I have done translation of, for example, NIST 800 series, some documents I have translated in Japanese.

So I have done many projects, but not the book. So it was really different level of beast. I definitely used the help of machine translation sentence by sentence just to create the baseline, but most of the time it was more confusing than helpful. So most important thing that that I needed to create was the dictionary. The translation dictionary to be consistent throughout the book on how we translate.

For example, well, as you can see in the title of the book, the consequence, this word appears unlocked in the book. And I was very intentional and also a little bit cheeky when I translated this in Japanese. I intentionally translated as business consequence because I didn’t want the readers to mistake in consequence as information breach or some technical consequences or piece of the consequences. But I want this to tar this book to be the starter of the conversation with different aspects and seeing the security from the different perspective, more from the business perspective, business risk perspective. So I and intentionally changed the translation from consequence in Japanese, business consequence.

And so this process of creating dictionary and be happy with this dictionary, and that was a very challenging part. There are a lot of terms in CC books that are very common for probably military domain or government people.

But it’s not so much a resonating word when it’s directly translated. So I also needed to understand each concept concept very deeply. And Andrew Bohman, one of the authors, was kind and generous enough to have multiple sessions for walking through those terms, what they mean, what’s the backstory of these terms one by one. So that really helped me a lot.

Andrew Ginter
So Nate, I’ve written a couple of books. I’ve translated some material, especially into German. and In my experience, exactly what Tomomi talks about, terminology is important, especially when you’re translating a technical document. In a lot of the world’s languages, a lot of computer concepts are showing up in those languages as English words sort of transplanted or adopted into the language.

This despite the language often having its own words for those concepts. In German in particular, sort of fairly words that in English have comparatively,  short, simple words for a certain technical concept might have a,  in English, they’d like to jam a a few adjectives and nouns together into a single, very long, very complicated word.

And what I observe in the the German community that I interact with is they’ve adopted a lot of the short English words rather than using the the long formal German words. And when you’re putting together a translation, you’ve got to figure this out. If you use the native language words and the community that you’re addressing isn’t using those words, they’re going to look at your stuff And it’s going to be a harder read. it’s It’s not the terminology they expect. And vice versa. If you use a bunch of English,  transplant a bunch of English words into the the the translation. And this is not what the community is used to. They’re going to look at this and say,  this doesn’t it it it again, it it impairs comprehension. And this is,  this is not the only challenge with translation. What I found with German in particular, I don’t know Japanese, but I know that in German there are linguistic concepts, gender in particular, everything is gendered. When you’re when you’re doing a little bit of dialogue, A said this and B said that, and you use the word you, you’ve got to select the word very carefully. There’s the familiar you, there’s the formal you,

And in English, you don’t have all this stuff. And when you translate material from English to German, I used a machine translator. The machine translator just gets it wrong. The machine translator says, well, I need this concept in the German translation, and it doesn’t exist in English. So I’ll just make it up. And they pick the wrong one pretty consistently. So there’s there’s a lot of repair that Choose the terminology carefully and then you’ve got to go through it and and and just repair what the what the machine translator does.

Nathaniel Nelson
And I’m wondering how you felt about the particular point of translation she highlighted in her answer, how she translated consequences to business consequences, because,  you and I talk about these concepts a lot. We don’t really focus on them through the business lens. Usually it’s like physical consequences, for example.

Andrew Ginter
I was thinking about that myself after the the interview here and, reflecting on it a little bit, I wonder if it’s because it sort of reflects Tomomi’s focus on risk assessment. She was doing a lot of risk assessment work in her research and, who consumes the results of a risk assessment?

It’s generally the business decision makers who have to decide, am I going to provide funding to my engineering team, to my IT t teams to fix this problem? Explain to me in one syllable words, how much trouble we’re in, and they want to understand the impact on the business. My own focus, I tend to work more with the engineering teams who are tasked with, okay, you have a budget, solve this problem and they change the design of the systems in order to prevent physical consequences, in order to keep things from blowing up, in order to keep trains from colliding. and so I might if If I were doing this, I might have been tempted to use to substitute business na sorryria physical consequence rather than business consequence.

But thinking about it, that might just be because of who I communicate with. And to what we said at the beginning, it’s all about communication. You’ve got to get these concepts across these sort of chasms of understanding.

Andrew Ginter
And if I may, I mean, I’m an an author myself. i’d I pushed my third book out just under a year ago. I’m curious about intellectual property. I mean, I see the Idaho National Laboratory logo on the the CCE book I know that Sarah Friedman and Andrew Bachman were employees, I think, of Idaho National Laboratory at the time they wrote the book. I’m assuming that INL owns the copyright on the book. But you did the translation. Can you talk about intellectual property? Do you own the Japanese translation? How how does that work?

Tomomi Aoyama
At least I know I don’t own the copyright. So it was primarily work for hire. It’s kind of twofold contract. So one sign is my contract with INL as the so service provider, meaning that the I will provide the this translation service for them so that they can have the Japanese version of manuscript in their organization. And on behalf of INL, I was sending the manuscript to the publisher. And ICCOE in Japan, they funded to publish this book in Japanese. So I was just bridging it in between.

Andrew Ginter
Okay, so, a lot of work doing the translation. How’s it been received?

Tomomi Aoyama
Mount Fiji in JapanI got the very kind words from people in Japan that they enjoyed the book and some people mentioned about a specific part of the job that especially part of the book that touched they resonated with them very well, which is super rewarding to me. But the first review I got on a public platform on Amazon, was very funny to me. it was it was It said that the four stars, great book, great content, minus one star for the bad translation. So that really made me laugh.

Yes, it’s it’s I know I’m not the professional translator. I cannot translate the in the same level as how people would translate and yeah great novels into Japanese. I can’t yet. But at least I made them read. So that’s a win for me.

Andrew Ginter
Indeed. it’s It’s disappointing when you get stuff like that. I remember when I published my books, you get I get positive, I get negative. You you got to shrug it off. I think the the lesson is that the material is now available to a Japanese audience that doesn’t speak English. So Have you got any sort of reaction from even verbal or face-to-face from the industrial security in Japan. How useful has CCE been in Japan?

Tomomi Aoyama
Most of the people, majority of people reach out to me saying that the CCE is a very inspiring method and inspiring approach. But I’m reading between the lines and most of the times CCE is a little bit too big of the project and it’s not something bite-sized for most of the people to easily adapt to tomorrow.

So that is one challenge that I found during and duringing and then after this translation project. The great feedback I got, not necessarily negative, but I think it really, really represents what Japanese community’s character is, is that one person told me, he’s a risk assessment, OT risk assessment specialist. He supported many, many organizations. and He said that the Tomomi, CCE needs to be dumbed down. It needs to be easy and easy to do for anyone. Right now, CCE is only useful for the people who understand OT security at the deepest level. That’s not enough. It needs to be easy for any person possible.

And that’s something I’m thinking about a lot these days. I’m thinking about all the security solutions and a lot of all the security project, it’s naturally targeting towards the critical asset operators, critical infrastructure companies, and middle organizations, and government funded organizations. So the project fund in the side is huge.

But there is a concept of the cyber poverty line where organization, even they even if they know about cyber security and know about the risk, they just simply can’t afford it. They just don’t have the resource available and and any solution at their hand to mitigate the risk.

And CCE is elegant concept and right now I’m thinking how we can make CCE and any other OT security or cyber security concepts framework solutions to be affordable and easy as possible to implement fast. Because so especially when we talk women think about so supply chain security and security as a whole.

Andrew Ginter
Another, I don’t know, legal nit, maybe. In my understanding, CCE is trademarked. Idaho National Laboratory certifies training providers. You can only call yourself a certified CCE training provider if you’ve been certified by INL. I’m curious, is the Industrial Control system Center, Cybersecurity Center of Excellence, is it certified?

Tomomi Aoyama
No, I say theory is not certified to provide CCE or accessibility training, at least on my knowledge. and But I can talk a little bit about how we introduce CCE as a concept.

Tomomi Aoyama
So ICCoE runs a one year curriculum for industry professionals and they they basically leave the work for one year to um focus on the OT security training from basically nine to five plus their own research project hours. And in there we teach many principles from traditional IT security, network security aspect to and OT or engineering discipline and risk management business disciplines. And recently we also add cloud digital transformation, those domain too. And CCE fit into the category of security leadership.

And one of the trainer, Hiroshi Sasaki, a dear colleague of mine, he introduces CCE as part of the method that that they can use when they are building the security strategy for their own organization, where they go back to the company. So some of the framework they also introduced is NIST-CSF. They also mentioned about using the 62443 and other twenty ISO 27K also. and And as one of the other tools that they can use to frame their own security strategy, they introduced CCE.

So we don’t go into detail in the same way that the INL folks provide CCE training, but we we we explain the CCE concept and the trainees engage, trainee at ICCoE engage in CC and how they can use CCE concept and the framework to present their security strategy to the executives.

Andrew Ginter
So that makes sense. I’m curious, in the course of translating the book, you presumably developed a deep understanding of the material. You have to understand the material in order to to translate it correctly. How’s that served you? I mean Personally, you’ve developed a deep understanding of CCE translating the book. Your your name is on the book. Can you talk about, has has the experience of of doing this translation changed your career at all?

Tomomi Aoyama
The book was published last year, 2023 in June in Japanese, and we haven’t done any book tour or anything. And I’m also based in UK now. I’m not based in Japan. So I don’t really have day to day, way to engage with people actually and get the book in their hand. So I’m not really feeling any burning a change or anything, but internally. It was such a privilege to be able to dissect the word by word and really, really print the book in my brain by translating the work and to feel Andy and Sarah’s work so close. And also the the book has the part that written by Mike Asante, and I have never met him in person, but I can’t really express how I felt about translating his part of the book, because his word, the opening section that he wrote It was so powerful and it was such an honor to translate that in Japanese. so And when I hear the good word and good feedback from people in Japan, I always think about the part that Mike wrote in English and how I also tried to match his energy to put in the translation.

And yeah, so externally and career trajectory wise, I didn’t see a lot of changes, but internally it was a big change for me.

Andrew Ginter
And if I may come back to the present day, I mean, you’re working at Cognite. You’re doing some sort of cloud stuff on the industrial side. the industrial cloud is coming for everyone sooner or later in some capacity or another. is your sort of deep background in cybersecurity? Is that part of your role at Cognite today?

Tomomi Aoyama
Yes, and I have to say, when I first learned about what is Cognite’s mission and what they are trying to achieve, it it made me really anxious because I was very much focused, I was and I am also very much focused on and security and reliability and operation and I was more worried about how these new technologies disrupt the reliable operation. and So that that was in the beginning. But right now, as the in the project, what what we are trying to achieve is how can we make sure that the when we provide software as a service, a it doesn’t disrupt the security or reliability of the operation, the physical operation itself, especially the digital transformation transformation. It started in the enterprise area and then it’s getting closer and closer to the critical operations. And when I look into the most of the documents on how to deploy cloud technology in a secure way, a lot of government guidance and and best practice was and treating public cloud as the starting point. And there was not enough information about how do you manage the security and governance of a hybrid setup or the private cloud setup. And especially how do you continue providing a service

When the stakeholder between the SaaS providers like Cognite and Asset Owner and Cloud Service Provider, this and how how can you manage these three parties or more potentially more parties involved? How do you make this tight connection while giving the Data Owner, Asset Owners, therefore, visibility and full control on security?

Given this is largely driven by security requirements, my background gives a little bit of perspective and to balance out the need for digital digital transformation and need for pushing through the boundary and understanding and accommodating the asset owner’s needs and IT and security team’s concern. So that is where I am. And then I also see quite the connection between the CCE Again, and I’m seeing CCE as the tool to help the communication and understanding what is a consequence and especially in terms of what we do at Cognite, understanding the dependency between systems, dependency between the data and systems and people and critical process. That’s really important. Having a CCE framework in the back of my head it really helps me to have a dialogue with customers, industry and stakeholders internally and externally.

Andrew Ginter
Well, Tomomi, thank you for joining us. It’s been a real pleasure talking to you. Before I let you go, can I ask you to sum up for us? What are the the the the key messages we should take away here? We’ve been talking about CCE. We’ve been talking about translating a book. We’ve been talking about the importance of the cloud. What should we take away from this episode and from your experience in these arenas?

Tomomi Aoyama
Oh, it was really great fun and doing this interview with you, Andrew. Thank you for having me. My takeaway is that the communication and collaboration, that’s really key to enable all the security, especially at the same speed as digital transformation. CCE is a useful tool to enable that communication and collaboration. You get to examine your security strategies program from different perspectives.

And now the CCE book is available both in English and Japanese. So if you have Japanese colleagues, if you have somebody if somebody in Japan, reach out. They may know about CCE. And now you can talk about CCE together, which is awesome.

And right now, I’m in Cognite, i’m looking forward to adapt the CCE principle into industrial cloud systems and try to, again, enable that collaboration between the cloud service providers, asset owners, and sales providers like Cognite. And learning about how we can bring the data governance back to asset owners.

Again, the book is available, the CCE book is available in Amazon. And if you are coming to Japan, let me know or let ICSEoE know. We’ll be always happy happy to talk with you. And if you have experience with industrial cloud, public cloud, private cloud, hybrid, if you decide not to use a cloud in industrial space and why, let me know. I’m on LinkedIn. I’m happy to talk with you about your challenges and your experience and learn from you. Thank you.

Nathaniel Nelson
Andrew, that just about concludes your interview. Do you have any final word to take us out with today?

Andrew Ginter
Yeah, I mean, I’m looking at, a lot of the the the topics we talked about are very timely. i’m I’m a big fan of CCE and CIE. it’s all about consequences. Consequences drive the strength of of required security programs. And but, I’m looking at, I’m on the end of my career and I started in technology and sort of worked into cybersecurity and risk assessments. my My most recent book, The Topic is Risk. It’s not in the title, but it’s it’s all about how do you use an understanding of risk to decide how much cybersecurity, do how much engineering to do.

I see Tomomi working the other way. She started with risk and with sort of communicating with business decision makers and is now tackling what I believe is the future of industrial automation. And of course, industrial cybersecurity goes with industrial automation. She’s tackling the future, which is the cloud. And the vision for the cloud is very compelling. its The cloud can save enormous amounts of money. It can add flexibility. its it’s a tremendous vision. The question is how much of the vision can we realize safely? And I think the answer is almost all of it. We just don’t know how yet.

So I look forward to keeping track of of what Tomomi is doing at Cognite. I look forward to an opportunity to invite her back in a year when she’s sort of figured out a bunch of this stuff, because the world needs to understand how to reap the benefits of the industrial cloud without incurring unacceptable physical risk. So to me, it’s it’s huge that that she’s taking this deep understanding of risk and risk assessments and now diving into the technology and hopefully leading the way for us in in terms of the industrial cloud.

Nathaniel Nelson
Thank you to Tumomi Ayayama for speaking with you, Andrew. And Andrew, as always, thank you for speaking with me.

Andrew Ginter
It’s always a pleasure. Thank you, Nate.

Nathaniel Nelson
This has been the Industrial Security Podcast from Waterfall. Thanks to everyone out there listening.

Stay up to date

Subscribe to our blog and receive insights straight to your inbox