Making the Move into OT Security | Episode 118
Waterfall team
“…It was so frustrating for me to get into the field and I don’t want people today to to feel that level of frustration…”
About Michael Holcomb and Fluor
Michael Holcomb is the Fellow of Cybersecurity and the ICS/OT Cybersecurity Global Lead for Fluor, one of the world’s largest engineering, procurement, and construction companies. His current role provides him with the opportunity to work in securing some of the world’s largest ICS/OT environments, from power plants and commuter rail to manufacturing facilities and refineries.
He is currently completing his Master’s thesis on the attack surface of Programmable Logic Controllers (PLCs) with the SANS Technology Institute. Additionally, he maintains cyber security and ICS/OT certifications such as the CISSP, GRID, GICSP, GCIP, GPEN, GCIH, ISA 62443, and more.
As part of his community efforts, Michael founded and leads the UpstateSC ISSA Chapter and BSides Greenville conference. He also wrote and taught all six cyber security courses for Greenville Technical College’s cyber security program which focused on helping educate the cyber security practitioners of tomorrow.
In 2023, he was awarded CyberSC’s MG Lester D. Eisner Award for Cyber Excellence in Leadership for the State of South Carolina.
Share
Transcript of this podcast episode #118:
Making the Move into OT Security | Episode 118
Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.
Nathaniel Nelson
Welcome. Everyone to the industrial security podcast. My name is Nate Nelson I’m here with Andrew Ginter the vice president of industrial security at Waterfall Security Solutions. He is going to introduce the subject and guest of our show today Andrew how it going?
Andrew Ginter
I’m very well. Thank you Nate our guest today is Mike Holcomb he is a fellow for cybersecurity at fluor and he’s the global lead for industrial control system and ot cybersecurity practice and he’s going to be talking about. Changing careers. He’s going to be talking about making the move from wherever you are in engineering in it somewhere else making the move into ot security.
Nathaniel Nelson
Then without further ado here’s your conversation with Mike.
Andrew Ginter
Hello Mike and thank you for joining us. Um, before we get started. Can you say a few words about yourself and about the good work that you’re doing at fluor.
Mike Holcomb
Ah sure thanks for thanks for the opportunity to come on the show Andrew and yeah for those that don’t know me my name’s Mike Holcomb I’m the fellow for cybersecurity at Fluor as well as the icsot or control systems cybersec security practice. At at Fluor globally for those of you that don’t don’t for those that don’t know about Fluor. We’re one of the world’s largest engineering and construction companies in the world. So we get to build and I get to work in some of the world’s largest industrial control environments I’m very fortunate. Not only. Work in these large environments but also work with some of the the greatest engineering minds in the field today. So it’s really exciting and I can ask for a better place to be and wanting to work in in cyber security and and securing all these unique environments.
Andrew Ginter
And our topic today is getting started in the the ot security space you know, can we start at the beginning. How did you get started.
Mike Holcomb
For when I got started I go back to 2010 and getting into ot cyber security. So now I’ve been a long time it t cybersec security practitioner twenty five plus plus years it was 2010 when Stuxnet. Was first announced. Got the news about this new I was just amazed at this technical technological marvel that that had been created to reach out in the world and manipulate something you. Out in the in the real world and I was just really fascinated with with that concept and of course we had always thought about different types of attacks and and things of that nature. But here’s where we actually saw it it pulled off and it was very very real all of a sudden and then started asking the questions about. And what? what about power plants and water treatment facilities or railways what? what what happens there and started asking those questions and then started reaching out to folks to have those those conversations and of course back in 2010. There weren’t a lot of folks that. Wanted to have those conversations. You know you had it people that didn’t care about ot which didn’t really necessarily call it ot back then and then you had the folks in in ot environments that they didn’t want to talk about cybersecurity because I don’t think a lot didn’t want to let on that.
Mike Holcomb
Yeah, they weren’t doing anything for for cybersecurity back then and just didn’t didn’t understand it so it was it was a struggle initially for for me and it was really really frustrating I think that was probably for a lot of folks. You know at that time and I just ended up like. Twelve and a half years ago getting a call to go work at Fluor like a mitcha one of the world’s largest engineering and construction companies and so after about the first year of working there. You know keeping my head down trying to learn the the ropes of the new job and and get my feet under me i. Started to realize yeah we probably have some control systems around here and started making those connections with with different engineers and in the the company you know, right? now we have 4000 control system and electrical engineers for example and so there’s. Ah, a lot of folks we work with yeah, all over the world and there’s quite a few that are always very willing to lend a hand have a conversation and jump on a call and so I’ve been very fortunate just to build that knowledge kind of organically kind of a grassroots mode. Movement since you know probably over the last especially you know last ten years and getting into yeah working with the different departments and then yeah, really starting to build out what a cybersecurity practice for a company like Flor looks like to where we’re helping our clients.
Mike Holcomb
Build right? A cybersec security program for their environments whether it’s a power plan whether it’s a LNG port facility. Whether it’s a light commuter rail or open pit mine. Yeah, that. Manufacturing and the list goes on and on but you know we’re clientins didn’t necessarily want to have those conversations even a couple years ago whereas after colonial pipeline that really changed the landscape and all of our customers are very engaged and want to have those conversations. So for each of those you know projects we we look at building out the cybersecurity specs again to work with a client to understand their risk tolerance their their their risk threshold and and and budgets and and help them design. Ah, again, the the right cybersecurity program for their environment. Hopefully I didn’t go too far off love field on that.
Andrew Ginter
So let me yeah, let me contrast that with my own experience. But so we have you know two data points here. Um, you know I got started I had a computer science degree I I got started doing software development for the first I don’t know 1520 years of my career. Um.
Andrew Ginter
Eventually developing industrial control system product. Um, you know, rising through the ranks of the development team winding up managing teams at 1 point I was responsible for the it security of the local office and so I had dabbled a bit in in the security space. This was you know. Back before security was a real thing. It was like in the the mid 1990 s we’re talking about. Um you know the big news that I remember was y 2 ky two k was the big thing. Um, you know it was in a sense. Non-news. Nothing happened. But there was enormous preparation on the industrial side that that went into that you know rebuilds patching everything it was. It was amazing. Um, and then there was of course nine eleven which you know if you remember the Aaron Turner episode ah a couple of episodes ago. Um, you know he talked about how the nine Eleven event how he was part of the process of that turning into today’s industrial cybersecurity initiative. Um, you know in about zero two zero three I was still working on the itot middleware that was connecting a lot of control systems to sa.
Andrew Ginter
Connecting a lot of these networks together. You know in hindsight contributing to the the security problem. Um, and you know the business that I was part of was sold off. Um the you know the new management said we’re taking this into industrial cybersecurity and I said really, that’s a thing. Because this was you know this was o 2 o zero three. It was the very earliest days of that. Um, you know I finished up the itot middleware project while you know the rest of the business um took our control system product and moved it to se linux security enhanced linux. So I wasn’t part of that I sort of. I saw that from the outside I thought wow that’s a lot of work. It was a lot of work and as far as I can tell nobody 0.0 sales that was not what the world was looking for. Um you know I got pulled into the yeah.
Andrew Ginter
Project to build the world’s first industrial scent security information and event management system. You know in control systems terms it was it was a single pane of glass. It was an hmi for cyber security of your control system and that was how I got involved you know. That project went on for a long time. Um, eventually I got pulled into promoting that project out in public talking to you know prospective customers at conferences and face-to-face about the cybersecurity problem landscape. Solution landscape where the the you know the industrial defender sem fit into that industrial defender has long since moved on this was you know fifteen years ago um I don’t think the same exists anymore. But that was my own genesis. You know, dabbled a bit on the it side heavy into software development very technical. And got pulled into the product development side of industrial cybersecurity in sort of the the mid 2000 s almost to my surprise because somebody else did the market research to figure out. There was a market here. This was a thing that was happening. Because I’d never heard of it. It was it was very early days.
Andrew Ginter
So that was that was twelve years ago um you know, very few people were doing this stuff. It was possible to sort of drift into it just show some interest and you know become part of the the evolving field. Um, what’s your advice today. If you’ve got people who who want to get into the the ot security space.
Mike Holcomb
I definitely have a lot to say about about that subject 1 of my favorite to to talk about since it was so frustrating for me to get into the field and I don’t want people today to to feel that level of frustration. It. It just shouldn’t be that hard and so you when talk with folks. With it t backgrounds like like myself and’s to get help get started really There’s a focus on needing to think like an engineer I just go back to when I took my first stands Ics O T course the gi I csp. It was. It was really fascinating. The best thing about the class was it was half it people and half ot people and I remember a gentleman in the in the front of the class asked a question and it was really what I thought was a really basic question around networking. Like oh I could answer that and and but it was the way he asked it. It was completely different on how I would have thought about it and started talking with him you know and he was an engineer in a water treatment facility. And that was really a first time I had talk with somebody from from that world and really starting to look at things from from his perspective and so I think that was was a great experience and so coming from the the it world we have to again, learn to think like an engineer see.
Mike Holcomb
How they see the plant how the plant works and understand each plan each you know ot environment is completely unique. They have their own physics even you can go to 2 different power plants and they can be completely different and so being able to understand how that plant operates. Yeah that’s It’s a first part of not only helping us understand how best to protect it where we’re focused on how do we ensure physical safety of you know onsite personnel and the general public and environmental safety and and then of course the operations of the the plan and that’s very much. Very different from the it world but it’s the engineering world and so when you look at learning to think like an engineer and then the other really is just I think it can feel like a very unsurmountable hurdle to people is learning about. Different ot systems and you get caught up at least for me I remember you know Ics O T Sk and like what you know rtuhmiplc is well what are all these things and it’s like oh you can learn some acronyms but and then you can start to read about it. But. It’s it’s you know it’s ah challenging right? at first until you can really start to get your head wrapped around the the concepts and understand how each of these different assets works and how you use that to build and run.
Mike Holcomb
Ah, ot facility right? So I always like to you know focus on when I do a couple. Yeah free classes every every quarter that is we focus on how we build a power plant from from start to finish and and walking through that process because it helps people not only get. Think like an engineer and understand the physics of how we’re generating electricity and in this facility but we can also look at all the components that go into building out that facility and we can then really learn about yeah plcs and hmis and dcs and. What each is doing and what they really mean and I think that really helps to to click into to place where it people but it’s very foreign I know it was at least for me. Yeah, when first getting into to ot.
Andrew Ginter
So So that makes sense in in a sense in the abstract learn about the physical processes that you’re and you’re you’re looking at learn about the the automation systems. Do you have. Concrete advice. Is there stuff you know, would you read about these things. Do you take courses? What? So What are concrete steps people can do to achieve those those goals those learning goals.
Mike Holcomb
Sure? No a great question and I actually should mentioned I so I wrote a couple of free ebooks that I published and and they’re on Linkedin and my website michaelcomm.com where people can find them and and so and they’re not too involved and mostly it’s a ah list of different resources. And and some I guess tips and and tricks and a lot of those go into some of those practical tips right? So suggestions on different books that you can read. There are some great books that are out there. They’re not ah a ton. But I think there’s there’s definitely a few that everybody should. Should be reading even books like sandworm just to get an understanding of the importance of Ics O T Cybersecurity I’m a big fan of a few others. You know as I don’t want to I guess go too far down that rabbit hole. But you know between um, your books. I I honestly take a lot of value out of podcast I listened to your podcast before there’s a few others in in the space I also listen to you have a lot of great guests that that come on and share a lot of practical knowledge that people can learn from I remember I was starting a. New mining project at Fluor and I had not worked in mining before and and and just at that time you actually had somebody from mining on on the ah the show and I was able to pick it up but and I learned so much from that conversation and so that’s that’s one way.
Mike Holcomb
Ah, trying to get hands-on experience I understand yeah I was very fortunate that it wasn’t too long before I was able to go on site and be in an actual power plan that we were building. Yeah, that’s a luxury I understand a lot of people don’t have but. <unk> trying to get some type of hands-on experience right? So it’s building out a a home lab you know getting a plc starting with you some basic plc programming maybe hook up an hmi and start to build that out. So those are some of the things that definitely suggest. So yeah, there’s there’s books out there can i. Really take a lot from some of the podcasts out there including your own and then trying to build into that hands-on experience if if you don’t have the luxury of already working in ot or maybe you can find a mentor. And that works an ot and that they can bring you on site sometimes I hear that that happening from from time to time and that’s you a lot of experience that especially people from it. That’s you that’s experience that you just can’t even pay for.
Nathaniel Nelson
Um, less. So at this point we’ve talked about how Mike started off in the industry and how Andrew you started off in the industry. Um. I don’t participate in the industry to the same degree that you guys do. But of course I do in a tangential sense and I recall that when I was getting first started. Um I had a little bit of background in it knowledge but I and didn’t know the first thing about industrial security and i. As Mike suggested picked up a book. It was a red book. It was your book on a long flight I believe it was an 11 hour 11 hour flight I read through pushed through most of your red book and by the end of it I had a good enough sense. A good enough base to start. Talking about these subjects mostly just asking you questions and so I can empathize and agree with Mike’s general sentiment.
Andrew Ginter
Cool and you know to to put the shoe on the on the other foot. You know you came for sort of from the from the it space into industrial control systems and Ot Security. Um. Do you have advice the other way around if people are coming out of out of engineering or other sort of aspects of the Ot space and and want to get you know up to speed on on cybersecurity.
Mike Holcomb
Sure sure definitely and I and get with that disclaimer right? I am you know tried and true. You know I have a it cybersecurity background but I do work with a lot of folks in the ot space and I work with all you know I get a meet a lot of folks on on Linkedin and and elsewhere to. To have conversations with and and help and and so whether it’s at the office or elsewhere I always talk about you know for folks coming from an ot background one of the things that really surprised me is a lot of ot people or that come from different aspects of automation. They don’t necessarily have the fundamentals of. Networking down I was really surprised. Ah you know I I always think you know of engineers. They do everything? Yeah in the world and and found a lot. Yeah, a lot of engineers aren’t that familiar with with networking I was really surprised so that’s. So. It’s just like if anybody coming into it cybersecurity. The first thing I would suggest they learn is networking especially of course with Tcpip since that’s you know the main protocol that we use on all our internal networks even in ot for better or for worse and the internet of course. Ah, so that’s that basic you know foundation for connecting our systems together and then learning the basics of of cybersecurity. So I always tell folks to really look to the security plus certification that compt has and even if you don’t necessarily look to get.
Mike Holcomb
Certified even though I suggest people always do but just the knowledge that you can pick up from picking up one of those study guides or going through a security plus course or except you get the the basics the fundamentals of Cyber security. From the the it T perspective and then that really gets us to where now we’re on this kind of common playing field where we can have folks from the O T side of the house and the it t folks from their side of the house really come together and I always talk about it’s we always talk about. These different sizes of the house but we always forget that it’s the same house that we’re all living in and trying to protect and so we can come together with kind of this basic. Ah, you know, understanding of networking and cybersecurity and learn from each other’s perspectives and then you kind of. But together to build out that plan on. Okay, how are we going to protect our house from somebody trying to to break in and do harm.
Andrew Ginter
So You mentioned the the security plus certification a question that I get regularly and have you know, limited insight into into answering is sort of the the more general question about certification. Um, what should I be certified on if I want to practice. In the the Ot the industrial security Space. You know you’ve mentioned security Plus can you know is is there a more more general answer.
Mike Holcomb
Yeah, and we we talk about you know ot cyber security. There’s there’s there’s the certification landscape it is is somewhat limited compared to the it world but but there definitely are some. Some certifications that are worthwhile for people to pursue think in in my opinion I I you know I always struggle sometimes because I always want to make sure focus people really are are working on gaining the knowledge and the experience. To work in you know ot cybersec security and not trust trying to go you take a quick course and take a certification exam and then I don’t imply that they know everything about ot cybersecurity because certification. that’s that’s not the the goal right? That’s not the the endgame for. For those certifications but there are some great you know certifications out there. You know from the typically especially in the us perspective. We look to SANS and not only the SANS Institute and and their courses and certifications that we can. We can mention I have all 3 of those in part. You know, partly going through the master’s program and and also just being a longtime sand student and and having taken those courses that have been very fortunate to to do so and then the is the ISAIEC 6 2 4 4 3 series as well that that I say.
Mike Holcomb
Created so I think for for me personally the the knowledge in the SANS courses is bar none I also realized that I was was very lucky when I took the the SANS grid course with probably it was actually at the exact same time that the crisis incident was happening. So not only am I sitting in class with Rob Lee who’s teaching and and you would get to have cyber conversations and go to dinner and and but also his company is responding to one of the most important you know cyber security incidents in the ot world still today. And so we were getting you know play by play and what was going on behind the scenes which you that’s you know that you still can’t you can’t pay for an experience like that. Um, which does bring up the fact that the SANS courses are very expensive these days and I understand that not a lot of people can afford them. Can. The the knowledge is second to none Robby still teaches that his in incident detection response course for ot a couple times a year I personally think you know to to be able to be in the room with him and engage and ask questions you can’t you know that’s that’s invaluable experience. But again. You know ten thousand us dollars essentially now to take a class and the certification exam is is hard for a lot of people and I’m very fortunate to work for a company that has provided me those those opportunities. So so the isa series is a very valid alternative.
Mike Holcomb
Think a lot of people and and especially engineers have have the isa certifications they have 4 courses that you take and then you have to take the course to take the exam. It’s about $8000 if you’re not an ISA member. So for their entire series right? It’s it’s already less than 1 SANS course. And so think though the 1 thing to keep in mind about those courses is that they’re designed to teach ot professionals. Some basics about cyber security and introduce the 6 2 4 4 3 standard It’s not going to and unfortunately the the master certification right? when you pass all 4 exams they give you a what they call the isa I e c 2 6 2 4 4 3 expert cybersecurity expert certification which is a horrible name because I think we could probably all realize that if you take was it about twenty four thirty hours ah even if let’s say 40 hours of course materials and you pass a couple exams. Doesn’t make you an expert in anything. So I think it’s it’s not a great name but it’s it’s a certification that shows that you have a basic understanding of cybersecurity and different aspects.
Mike Holcomb
Cybersecurity and how they’re implemented in the ot world. So if you’re looking at getting certified and demonstrating that basic level of knowledge then I think the ia you know series is going to be the most effective for people in part because of the cost in and in part just because as the. Time and and that there is learning involved and there is good good information that to get out of it and for me SANS you know people always joke about drinking from the firehose when you go to a SANS course and you’re just flooded with information and. Have some of the greatest thought leaders. You know in the industry that that lead those courses like Rob Lee and and Tim Conway and a court with Michael Assante you know before them and and Derek Harp you know was on that original team so you can’t beat the SANS materials. It’s just the cost is so expensive. So. And then there are other alternatives out there. There’s the the folks in Germany I think it’s called Tuv or TUV Rheinland I one day I’ll figure out how to pronounce that? Um, yeah I start to see you know more individuals with those. Ah, we have some engineers at flora and and I’ve seen others with the exodu certifications so that are a little bit like the isa 6 2 4 4 3 you know, but a little bit you know SANS and yeah, but more from the vendor perspective um with with dedicated courses at a.
Mike Holcomb
Again, like Ia. You know some you ah, reduce cost right relatively less expensive than than sans courses but not as much knowledge or or information. Hopefully. And I’m very good at rambling as you could tell so.
Andrew Ginter
So let me dive a little deeper you you mentioned you know people come into a lot of training and and you know desires to learn about cybersecurity without basic networking. I’ve observed that as well. You know some years depending on when the course runs I teach a course at Michigan Technological University the audience is mostly engineers. It’s a graduate course in engineering. Um, and yeah I find it necessary to burn. You know, 2 3 maybe 4 hours of a 40 hour pool of lectures you know and assign reading and exercises on the basics of networking. What is the ethernet. What is a frame What is you know the arp protocol. How do you resolve ip addresses how does ip write on top. You know once you leave the ethernet into the internet. What does I p look like is this is this what you mean I mean how how much of that in your estimation. How much how deep on that do you really have to go.
Mike Holcomb
I would say I very similar when I do do those types of classes. You know at least a couple of hours and and I do training also within with our engineers at at Fluor on a regular basis. You know, definitely at least a couple of hours but I think that’s the same concept or the way I look at it is this idea that. If we want to understand how to protect our environments from the attackers and we have to understand how they’re getting in to the environment and how they’re actually conducting and pointing off these ah these attacks and of course they’re doing this over the network. And so we need to be able to understand the fundamentals of networking to be able to ultimately better understand how to protect our environments so we do cover everything from again focus on tcpip since that’s going to be the the main. Protocol we’re using in all of our environments and of course that opens us up to the the wonderful world of internet connectivity for better or for worse and down to you know we started to to look at things like how does our work and how does you know I p routing work and then. That leads into the conversations like when we start talking about. Well how do we? Best protect our ot network. Well we always are going to suggest we start with secure network segmentation so you can’t have those conversations about things like network segmentation and.
Mike Holcomb
Putting it firewall or a firewalled dmz between it and ot before we already at least have that basic understandings of of networking. So. That’s why it’s it’s always definitely a big focus for for me is. We need to understand the fundamentals of networking to be able to understand how all these components talk together. Yeah within I t within ot and now I t with ot and then also on top of that how we’re connected to the internet all in 1 you know some way shape or form and so how how do we? you know. Be able to protect the network from attack. But again we have to have at least a basic understanding of networking before you can really start getting into those fundamentals, especially like like things like how do we do? secure network architecture.
Andrew Ginter
Now you’ve mentioned standards 6 to 4 4 3 Um, how big a role should standards play how you know how familiar do you do you figure that people on both the you know coming from the it side or the the engineering side into ot security. How how familiar do they need to be with standards.
Mike Holcomb
You don’t have to know them in and out necessarily unless your job requires you to. But I think they’re great references. Especially for people that are getting into cyber security. They’re great references to starting to learn about the different aspects. And all the different domains everything that comes together to create a fully functioning cybersec security management program in in ot environments and whether it’s a power plant or manufacturing facility or ah. Railway it. It doesn’t matter the environment but the standards will show you all the parts that you’ll use no matter what what type of ot environment. You’re in so 6 2 4 4 3 is the gold standard everybody looks to today but it’s not you have to pay you know to to get the full copy. So it’s not something that’s probably israeli available to everybody even though it’s still a lot of great information I think that one can be a little overwhelming at first as well. For for some people at least I know it was for myself. It just didn’t come across as as to me as kind of a. Straightforward standard I think because it’s written more from an engineering perspective. So for ot folks. It probably is it probably feels and makes a lot more sense than for folks coming from an I t background I suspect at least that that’s that’s for me.
Mike Holcomb
Kind of what I was thinking. Um so I can also gravitate towards nist you know so we have mis guidance and in in ot and so people can also look to that as a standard I think that has a much more kind of familiar look and feel if you’re coming from the it t cybersecurity world. Ah, and so and and it’s freely available. So it’s something that you can access today and you can look through it to see again all the different components that go into building a cybersecurity program for an ot environment. So I do think there they are they can make some great references and then of course. Depending on if you work in an ot environment today. You might also have either requirements to adhere to those standards or frameworks or you might also have other regulations like if you’re in power generation or transmission and in North America or in United States and Canada you have to be. Very familiar with with nerrksip so all all great resources for either people that are in the field or for those that that want to learn more about ot cybersecurity.
Andrew Ginter
So you know good list of resources there the isa standards you know I e c 6 2 4 4 3 standards. They’re the same thing. Um, you do have to pay for them. Um I don’t pay for them legally what I do is I buy an isa membership I just renewed my membership. Um, you know. If you renew early, you get a 20% discount I think I paid eighty five us dollars to renew you pay this every year and you get online access to the standards. You cannot download them. You cannot print them but you can read them. this is this is what I do I don’t have copies of all the 6 2 4 4 3 standards when I need. Ah, you know the the standard as a resource I log in on my Asa account. Um, and you know Mike mentioned Nist let me go just a little bit deeper on Nist yeah nist 853 dash 53 is sort of the the it standard that everyone uses the Nist cybersecurity framework is you know it t-ish. Everyone uses it nist 883 just came out version. 3 of it just came out and it’s focused on applying all that stuff into the industrial space and so it’s much more industry-focued um you know I use it. Routinely it’s it’s got really a very readable first hundred pages of of kind of introduction. So I recommend very much the the eight hundred dash eighty three standard
Andrew Ginter
Okay, so so you know courses ah standards certifications. Um, is there anything else that that we’ve missed what you? what would you encourage people to do to to make the transition.
Mike Holcomb
Think the other big thing that we didn’t talk about that I like to focus on because I see how rewarding it can be is to get people involved with with the community as as a whole so different completely different type of networking. We’ve been talking about. But. Look at and and I understand at least speaking from my own experience I’m extreme introvert I I don’t want to get out and ah talk to people. Um as much as I might seem to and and so the last thing necessarily I want to do is is. Is get out and and talk and at the same time It’s so amazing when whether you go to a class or you’re you’re on social media like Linkedin and you’re getting to talk with people from all over the world from different backgrounds and different perspectives and they come. they work in you know it and ot and they they get they have different experiences and they work in different types of environments. You know you can learn from so many different people that are out there and you can also share you know from your own experiences and and and they can learn. As well. So it’s it’s really amazing experience. You can also see that when you go to conferences so I always encourage people whether you try to go to you know some of the larger conferences like the SANS ICS Summit or S4 or maybe even some of the smaller more local conferences like bsides that that.
Mike Holcomb
You can get together with people and everybody’s there really just to to learn and and share and and have a good time It’s just very easy and I see this all the time for people in both I t and ot where we’re just doing their job. We’re keeping our head down got the blinders on. We’re just you know. Getting things taken care of. But if we’re not out there not only learning and sharing with each other. But also you know, understanding what’s evolving out there in the world right? We need to make sure we’re staying current and understanding what’s going on the ics. Ot cyber security landscape has changed drastically over the last two two and a half years I would say even more so in just the last couple months if if not just the last couple of weeks we had news of the. The the power being turned off in the Ukraine again back in 2022 even though they just announced. It. Not not sure why it took took so long but you know that’s definitely an involvement or evolution to to understand how that. It was not I see a specific malware that was living off the land techniques that that were used in that attack right? That’s something that we need to be aware of is is ot defenders we can look at the the danish coordinated attack by I think allegedly sandworm.
Mike Holcomb
Which was detected by the sector or cert team and that alone has other implications that we all need to understand and be aware of as ot cybersecurity defenders. So if we’re not if we’re just doing the job keeping our heads down and we’re not out there talking in the community. We’re not. You know on social media like in Linkedin sharing information and reading the latest news and and out there going to the conferences listening to the podcast reading the books. Yeah, if we’re not staying uptodate. We’re not staying current then then ultimately we’re we’re not doing our job as. As cybersecurity defenders of of our ot environments.
Andrew Ginter
I Don’t know about rapidly but things are changing and I’m not sure that you know a lot of practitioners are tracking these changes. Um, so the the change he mentioned was living off the land. Um, you know for anyone out there who doesn’t already know what that is it’s Using. You know instead of writing your own malware your own remote access trojan your own virus your own who knows what instead of writing your own attack tools that have signatures that antivirus might detect that you know are artifacts of code that can be detected on a machine. Um. You’re using the tools that are already built into windows or linux or whatnot I mean Linux is a treasure trove of tools and so if you look at a compromise machine. There’s really no evidence.. There’s nothing installed on the machine that shouldn’t be there if you look at Network traffic. It’s the traffic that. Sort of normal allowed tools are putting on the network and so it’s it’s sort of more devious than average. Is it new. Well I mean people have been talking about this in the I T space for a while I think it’s newish in the Ot space. Um, you know something else that’s changed that people are not tracking is you know. The the latest waterfall threat report shows that this decade since 2020 Ah, the attack world has Changed. We’ve gone from a state for a whole decade where Cyber attacks with physical Consequences. You know the lights go out.
Andrew Ginter
As in the Ukraine or equipment is damaged as in the you know the steel mill in in ah in Germany a decade ago. Um, these attacks used to be sort of trickling along at at you know 1 or 2 or 3 a year and now we’ve we’re starting to see what looks like exponential increase we went from you know. 5 in 2019 to 18 to 23 to 57 last year you know the world has changed um is it dramatic and fast I don’t know but we do have to keep track of these I mean what what I heard in. In Mike’s comments
-20:18
Andrew Ginter
So cool. Um, so that makes sense. Um, you know it’s It’s been great. Thank you for joining us. Um, before we let you go can you can you sum up for us? What should we take away. What are the what are the the most important things to remember if you know we’re either on the it side or the engineering side wanting to make the the leap into Ot security?
Mike Holcomb
Sure I think the main points is it doesn’t matter if you come from IT like myself if you come from Ot background like like many of my colleagues. It’s it’s the I T side of the house. It’s the Ot side of the house. We all live and work in the same house. We All want to protect the same House. We have to work together to be able to do that you know and not everybody in I T wants to to learn about Ot and not everybody in Ot wants to learn about Cyber Security. So If you’re one of those people that that does and when you encounter others that that are like you and that they do as well learn work with each other and and share and encourage each other because it’s going to take all of us together. To protect our very unique and and critical environments because as we just touched on you know, just real briefly. The the threat landscape has has started to change dramatically and it’s only going to get worse from here and it’s it’s. Going to be on all of us to make sure that you we protect our environments to help ensure right? that we’re protecting the the world around us right for our families and and our friends and and no matter where.
Mike Holcomb
In the world we live. We’re all in this together. Always like to talk about you know and protecting the world but it does take us. You know all all working together. So but I I appreciate you you having me on the the podcast.
Mike Holcomb
But I do appreciate the the time for for being on the podcast the nfi it was great to get to come and in and talk with you and and share with everybody real quickly if anybody’s looking for um for us down the road. Ah course you can find Fluor fluor.com you can check out Jobs@fluor.com I think we have about 1300 openings right now for it and of course ot engineering professionals all around the world. So definitely check out the site there and if you’re looking for me, you can find me on Linkedin I’m always on Linkedin. And you can also find ah my resources at Mike Holcomb Dot Com so but again reach out anytime and ah but I appreciate. Ah again the the time and for everybody for listening to the the episode.
Nathaniel Nelson
Andrew that was your interview with Mike Holcomb do you have any last word that you’d like to take us out with today.
Andrew Ginter
Sure? Um, I mean what what makes sense you know makes makes perfect sense take training if you can afford it. You know SANS or ISA or you know I wasn’t aware of the the t v rhineland or the exodu training. Um, read the standards. Um I especially recommend the the free nist 883 that is focused on industrial systems. It’s free. It’s readable. You know when you have opportunity try to attend some conferences. You know there tend to be conferences more local than more distant you know, controls your travel costs. And when you’re at a conference network ask people questions and you know maybe to expand on that last one just a little bit. Um, you know I’ve been attending conferences for over a decade because that’s part of my job I’m a techie though I struggle with networking I had a really great networking experience at. The ics conference in Denmark just a couple of weeks they always been fifteen years but I I may finally have figured this out when you get an expert in front of you with you know, a beer in their hand and a snack in the other um you know yes, introduce yourself ask what they do and then you know from your knowledge of the field. Ask a controversial question I mean I sat down with the folks at the at the sector cert they were at at the event in Denmark a couple of different times ah continued the conversation on Linkedin. You know eventually was bold enough to ask the question. Um this attack targeted danish critical infrastructure.
Andrew Ginter
Why was there no report of any other infrastructure in the world being targeted these firewalls that were exploited are used widely. Um, the the you know the the vulnerabilities were well-known and I got a useful answer now it wasn’t a clear answer. Because there’s confidentiality agreements. There’s only so much these people these experts can tell me but I was always afraid of asking people controversial questions and don’t be experts. Love to talk about what they’re doing if they cannot tell you something they will explain why they cannot tell you something. And that context in itself was useful for me in in terms of of understanding the scenario. So um, you know I would encourage people to sign up to the sksec mailing list or sign up to the isaspninetynine ah standards committee mailing lists. You get a lot of stuff. You don’t have to read everything on these lists. But what you get is a sense of what people argue about and what’s controversial so that you have ammunition at your next your next networking session. So that’s that’s my little nugget of of you know I had 3 really interesting you know conversations at at networking at this event in Denmark by asking. Questions that are a little bit controversial.
Nathaniel Nelson
Well with that. Thank you to Mike for speaking with you Andrew and Andrew thank you for speaking with me this has been the industrial security podcast from waterfall. Thanks to everyone out there listening.
aginter
It’s always a pleasure Nate. Thank you so much.
Trending posts
From Blind Spots to Action: OT Threats Exposed
Where does IT Security END and OT Security BEGIN?
Insights into Nation State Threats – Podcast Episode 134
Stay up to date
Subscribe to our blog and receive insights straight to your inbox