Waterfall Security Solutions (https://waterfall-security.com)

Published: Thu, 18 Jan 2024 12:07:55 +0000
Source: https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/5-ways-waterfall-central-improves-situational-awareness/

5 Ways Waterfall Central™ Improves Situational Awareness 

Introducing Waterfall Central™: Come for simple remote monitoring of multiple devices, stay for the situational awareness.
Waterfall team

Situational awareness (SA) is one of the most important facets when considering any form of security, and especially cybersecurity. Network Operation Centers (NOC) and Security Operation Centers (SOC) are keen to have a strong grasp of what is going on within their scope of responsibilities. This way, they can be proactive instead of reactive to threats, risks, and general operational incidents.  

Waterfall Central™ is a browser-based solution designed to enable personnel responsible for multiple Waterfall devices to easily monitor all their devices.  

All Your Waterfall Devices on a Single Pane of Glass

Beyond simply allowing one person to monitor multiple Waterfall assets, Waterfall Central™ delivers something else: situational awareness. If you’re an analyst in a NOC (network operating center) or SOC (security operating center) and you need better operational awareness, Waterfall Central™ was designed for you. While Central primarily addresses the increasing demand for monitoring multiple Waterfall appliances, it can serve other important purposes that facilitate added security.

5 Examples of Improved Situational Awareness with Waterfall Central™

1. Heartbeat Signal Monitoring

In the event that a Waterfall device stops sending a heartbeat signal, Waterfall Central™ provides immediate awareness. This could be indicative of various issues, such as a loose cable, server room power failure, or a blown fuse. Identifying and addressing such issues promptly can prevent complications.  

2. Real-time Issue Resolution

Waterfall Central™ presents a clear picture of all Waterfall devices on a single screen, allowing for the swift identification and resolution of emerging issues. The built-in wizard generates issue tickets for prompt communication with the OEM, which saves time and helps resolve any issues faster.  

The opposite of situational awareness is ‘being distracted’, so by helping avoid the distraction of chasing down inconsequential incidents and OEM reporting, attention can be applied elsewhere. 

3. Confirmation of OT Connectivity

Central assists in confirming OT connectivity, ensuring that various IT systems are receiving data from Waterfall devices. This feature is particularly valuable when onboarding new solutions to optimize industrial processes, offering a quick way to verify proper integration and functionality. 

4. Automated Alerts for Anomalies

Waterfall Central™ is equipped with built-in alerts that notify users of device failures or abnormalities. These alerts can be configured to draw attention to anomalies that may indicate security incidents or other problems, providing an additional layer of proactive security measures.  

5. Rapid Incident Evaluation

One of the most useful capabilities that comes from having all your Waterfalls on a single pane of glass is knowing that an “incident” is nothing. A good example would be connectivity dropping across many devices at the same time for a few minutes and then coming back up. Such a scenario is most often just IT resetting an internet router or switch. If such an incident were to be reviewed after the fact in each device’s logs, it would probably require a good amount of work before determining it was just an inconsequential event. By seeing all Waterfall devices in real time, such conclusions can be reached quickly and easily.

Centralized Security, Better Awareness

By keeping a centralized dashboard for all your Waterfall devices, it is easier to ensure that everything is running smoothly, while reducing the person-hours needed to simply confirm certain details and learning about important issues sooner. Keep in mind that this is in addition to the primary benefit that Central has to offer, which is monitoring multiple Waterfalls.

Published: Thu, 11 Jan 2024 09:54:29 +0000
Source: https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/making-the-move-into-ot-security-episode-118/

Making the Move into OT Security | Episode 118

Moving from IT or engineering roles into OT security is harder than it should be. Mike Holcomb of Fluor has written eBooks & provides a newsletter to help people with that transition. In this episode, Mike reflects on his own evolution into OT security and gives advice to others looking at making the move.
Waterfall team

“…It was so frustrating for me to get into the field and I don’t want people today to feel that level of frustration…”

About Michael Holcomb and Fluor

Michael Holcomb is the Fellow of Cybersecurity and the ICS/OT Cybersecurity Global Lead for Fluor, one of the world’s largest engineering, procurement, and construction companies. His current role provides him with the opportunity to work in securing some of the world’s largest ICS/OT environments, from power plants and commuter rail to manufacturing facilities and refineries.

He is currently completing his Master’s thesis on the attack surface of Programmable Logic Controllers (PLCs) with the SANS Technology Institute. Additionally, he maintains cyber security and ICS/OT certifications such as the CISSP, GRID, GICSP, GCIP, GPEN, GCIH, ISA 62443, and more.

As part of his community efforts, Michael founded and leads the UpstateSC ISSA Chapter and BSides Greenville conference. He also wrote and taught all six cyber security courses for Greenville Technical College’s cyber security program which focused on helping educate the cyber security practitioners of tomorrow.

In 2023, he was awarded CyberSC’s MG Lester D. Eisner Award for Cyber Excellence in Leadership for the State of South Carolina.

Transcript of this podcast episode #118: 
Making the Move into OT Security | Episode 118

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Welcome, everyone, to the Industrial Security Podcast. My name is Nate Nelson. I’m here with Andrew Ginter, the Vice President of Industrial Security at Waterfall Security Solutions. He is going to introduce the subject and guest of our show today. Andrew, how’s it going?

Andrew Ginter
I’m very well, thank you, Nate. Our guest today is Mike Holcomb. He is a fellow for cybersecurity at Fluor and he’s the global lead for industrial control system and OT cybersecurity practice, and he’s going to be talking about changing careers. He’s going to be talking about making the move from wherever you are, in engineering, in IT, somewhere else, making the move into OT security.

Nathaniel Nelson
Then without further ado, here’s your conversation with Mike.

Andrew Ginter
Hello Mike, and thank you for joining us. Um, before we get started, can you say a few words about yourself and about the good work that you’re doing at Fluor?

Mike Holcomb
Ah, sure, thanks for the opportunity to come on the show, Andrew. And yeah, for those that don’t know me, my name’s Mike Holcomb. I’m the fellow for cybersecurity at Fluor as well as the ICS/OT or control systems cybersecurity practice at Fluor globally. For those that don’t know about Fluor, we’re one of the world’s largest engineering and construction companies in the world. So we get to build, and I get to work in, some of the world’s largest industrial control environments. I’m very fortunate to not only work in these large environments but also work with some of the greatest engineering minds in the field today. So it’s really exciting, and I can’t ask for a better place to be in wanting to work in cybersecurity and securing all these unique environments.

Andrew Ginter
And our topic today is getting started in the OT security space. You know, can we start at the beginning? How did you get started?

Mike Holcomb
For when I got started, I go back to 2010 and getting into OT cybersecurity. So now I’ve been a long-time IT cybersecurity practitioner, twenty-five plus years. It was 2010 when Stuxnet was first announced. Got the news about this new... I was just amazed at this technological marvel that had been created to reach out in the world and manipulate something out in the real world, and I was just really fascinated with that concept. And of course we had always thought about different types of attacks and things of that nature, but here’s where we actually saw it pulled off, and it was very, very real all of a sudden. And then started asking the questions about, what about power plants and water treatment facilities or railways, what happens there? And started asking those questions and then started reaching out to folks to have those conversations. And of course back in 2010 there weren’t a lot of folks that wanted to have those conversations. You know, you had IT people that didn’t care about OT, which didn’t really necessarily call it OT back then, and then you had the folks in OT environments that didn’t want to talk about cybersecurity, because I don’t think a lot didn’t want to let on that, yeah, they weren’t doing anything for cybersecurity back then and just didn’t understand it.

So it was a struggle initially for me and it was really, really frustrating. I think that was probably for a lot of folks, you know, at that time. And I just ended up, like, twelve and a half years ago getting a call to go work at Fluor, like I mentioned, one of the world’s largest engineering and construction companies. And so after about the first year of working there, you know, keeping my head down, trying to learn the ropes of the new job and get my feet under me, I started to realize, yeah, we probably have some control systems around here, and started making those connections with different engineers in the company. You know, right now we have 4000 control system and electrical engineers, for example, and so there’s, ah, a lot of folks we work with, yeah, all over the world, and there’s quite a few that are always very willing to lend a hand, have a conversation and jump on a call. And so I’ve been very fortunate just to build that knowledge kind of organically, kind of a grassroots movement, since, you know, probably over the last, especially, you know, last ten years, and getting into, yeah, working with the different departments and then, yeah, really starting to build out what a cybersecurity practice for a company like Fluor looks like, to where we’re helping our clients build, right, a cybersecurity program for their environments, whether it’s a power plant, whether it’s an LNG port facility, whether it’s a light commuter rail or open pit mine, manufacturing, and the list goes on and on.

But, you know, clients didn’t necessarily want to have those conversations even a couple years ago, whereas after Colonial Pipeline that really changed the landscape, and all of our customers are very engaged and want to have those conversations. So for each of those, you know, projects, we look at building out the cybersecurity specs, again, to work with a client to understand their risk tolerance, their risk threshold and budgets, and help them design, ah, again, the right cybersecurity program for their environment. Hopefully I didn’t go too far off into left field on that.

Andrew Ginter
So let me, yeah, let me contrast that with my own experience. But so we have, you know, two data points here. Um, you know, I got started, I had a computer science degree, I got started doing software development for the first, I don’t know, 15-20 years of my career, um, eventually developing industrial control system product, um, you know, rising through the ranks of the development team, winding up managing teams. At one point I was responsible for the IT security of the local office, and so I had dabbled a bit in the security space. This was, you know, back before security was a real thing. It was like in the mid-1990s we’re talking about. Um, you know, the big news that I remember was Y2K. Y2K was the big thing. Um, you know, it was in a sense non-news. Nothing happened. But there was enormous preparation on the industrial side that went into that, you know, rebuilds, patching everything. It was amazing. Um, and then there was of course 9/11, which, you know, if you remember the Aaron Turner episode, ah, a couple of episodes ago, um, you know, he talked about how the 9/11 event, how he was part of the process of that turning into today’s industrial cybersecurity initiative.

Um, you know, in about ’02, ’03 I was still working on the IT/OT middleware that was connecting a lot of control systems to sa... connecting a lot of these networks together. You know, in hindsight, contributing to the security problem. Um, and you know, the business that I was part of was sold off. Um, you know, the new management said, “We’re taking this into industrial cybersecurity,” and I said, “Really, that’s a thing?” Because this was, you know, this was ’02, ’03. It was the very earliest days of that. Um, you know, I finished up the IT/OT middleware project while, you know, the rest of the business, um, took our control system product and moved it to SELinux, Security-Enhanced Linux. So I wasn’t part of that. I saw that from the outside. I thought, wow, that’s a lot of work. It was a lot of work, and as far as I can tell, nobody, zero, zero sales. That was not what the world was looking for.

Um, you know, I got pulled into the, yeah, project to build the world’s first industrial SIEM, security information and event management system. You know, in control systems terms it was a single pane of glass. It was an HMI for cybersecurity of your control system, and that was how I got involved. You know, that project went on for a long time. Um, eventually I got pulled into promoting that project out in public, talking to, you know, prospective customers at conferences and face-to-face about the cybersecurity problem landscape, solution landscape, where, you know, the Industrial Defender SIEM fit into that. Industrial Defender has long since moved on. This was, you know, fifteen years ago. Um, I don’t think the SIEM exists anymore. But that was my own genesis. You know, dabbled a bit on the IT side, heavy into software development, very technical, and got pulled into the product development side of industrial cybersecurity in sort of the mid-2000s, almost to my surprise, because somebody else did the market research to figure out there was a market here, this was a thing that was happening, because I’d never heard of it. It was very early days.

So that was twelve years ago. Um, you know, very few people were doing this stuff. It was possible to sort of drift into it, just show some interest and, you know, become part of the evolving field. Um, what’s your advice today, if you’ve got people who want to get into the OT security space?

Mike Holcomb
I definitely have a lot to say about that subject, one of my favorites to talk about, since it was so frustrating for me to get into the field and I don’t want people today to feel that level of frustration. It just shouldn’t be that hard. And so when you talk with folks with IT backgrounds like myself, to help get started, really there’s a focus on needing to think like an engineer. I just go back to when I took my first SANS ICS/OT course, the GICSP. It was really fascinating. The best thing about the class was it was half IT people and half OT people, and I remember a gentleman in the front of the class asked a question, and it was really what I thought was a really basic question around networking. Like, oh, I could answer that. But it was the way he asked it. It was completely different on how I would have thought about it. And started talking with him, you know, and he was an engineer in a water treatment facility. And that was really a first time I had talked with somebody from that world and really starting to look at things from his perspective. And so I think that was a great experience.

And so coming from the IT world, we have to, again, learn to think like an engineer, see how they see the plant, how the plant works, and understand each plant, each, you know, OT environment is completely unique. They have their own physics. Even, you can go to two different power plants and they can be completely different. And so being able to understand how that plant operates, yeah, that’s a first part of not only helping us understand how best to protect it, where we’re focused on how do we ensure physical safety of, you know, onsite personnel and the general public, and environmental safety, and then of course the operations of the plant. And that’s very much, very different from the IT world, but it’s the engineering world. And so when you look at learning to think like an engineer, and then the other really is just, I think it can feel like a very unsurmountable hurdle to people, is learning about different OT systems. And you get caught up, at least for me, I remember, you know, ICS, OT, SCADA, and like, what, you know, RTU, HMI, PLC, well, what are all these things? And it’s like, oh, you can learn some acronyms, and then you can start to read about it. But it’s, you know, it’s, ah, challenging, right, at first, until you can really start to get your head wrapped around the concepts and understand how each of these different assets works and how you use that to build and run, ah, an OT facility, right?

So I always like to, you know, focus on, when I do a couple, yeah, free classes every quarter, that is, we focus on how we build a power plant from start to finish and walking through that process, because it helps people not only think like an engineer and understand the physics of how we’re generating electricity in this facility, but we can also look at all the components that go into building out that facility, and we can then really learn about, yeah, PLCs and HMIs and DCS and what each is doing and what they really mean. And I think that really helps to click into place for IT people, but it’s very foreign. I know it was, at least for me, yeah, when first getting into OT.

Andrew Ginter
So that makes sense, in a sense, in the abstract: learn about the physical processes that you’re looking at, learn about the automation systems. Do you have concrete advice? Is there stuff, you know, would you read about these things? Do you take courses? What are concrete steps people can do to achieve those goals, those learning goals?

Mike Holcomb
Sure. No, a great question, and I actually should have mentioned, so I wrote a couple of free eBooks that I published, and they’re on LinkedIn and my website, michaelcomm.com, where people can find them. And they’re not too involved, and mostly it’s a, ah, list of different resources and some, I guess, tips and tricks, and a lot of those go into some of those practical tips, right? So suggestions on different books that you can read. There are some great books that are out there. They’re not, ah, a ton. But I think there’s definitely a few that everybody should be reading, even books like Sandworm, just to get an understanding of the importance of ICS/OT cybersecurity. I’m a big fan of a few others. You know, I don’t want to, I guess, go too far down that rabbit hole. But, you know, between, um, your books... I honestly take a lot of value out of podcasts. I listened to your podcast before. There’s a few others in the space I also listen to. You have a lot of great guests that come on and share a lot of practical knowledge that people can learn from. I remember I was starting a new mining project at Fluor and I had not worked in mining before, and just at that time you actually had somebody from mining on the, ah, the show, and I was able to pick it up, and I learned so much from that conversation. And so that’s one way.

Ah, trying to get hands-on experience. I understand, yeah, I was very fortunate that it wasn’t too long before I was able to go on site and be in an actual power plant that we were building. Yeah, that’s a luxury I understand a lot of people don’t have, but trying to get some type of hands-on experience, right? So it’s building out a home lab, you know, getting a PLC, starting with some basic PLC programming, maybe hook up an HMI and start to build that out. So those are some of the things that I definitely suggest. So yeah, there’s books out there. I really take a lot from some of the podcasts out there, including your own. And then trying to build into that hands-on experience if you don’t have the luxury of already working in OT, or maybe you can find a mentor that works in OT and that can bring you on site. Sometimes I hear that happening from time to time, and that’s a lot of experience that, especially people from IT, that’s experience that you just can’t even pay for.

Nathaniel Nelson
Um, less. So at this point we’ve talked about how Mike started off in the industry and how, Andrew, you started off in the industry. Um, I don’t participate in the industry to the same degree that you guys do, but of course I do in a tangential sense, and I recall that when I was first getting started, um, I had a little bit of background in IT knowledge but I didn’t know the first thing about industrial security, and I, as Mike suggested, picked up a book. It was a red book. It was your book. On a long flight, I believe it was an 11-hour flight, I read through, pushed through most of your red book, and by the end of it I had a good enough sense, a good enough base, to start talking about these subjects, mostly just asking you questions. And so I can empathize and agree with Mike’s general sentiment.

Andrew Ginter
Cool. And, you know, to put the shoe on the other foot, you know, you came sort of from the IT space into industrial control systems and OT security. Um, do you have advice the other way around, if people are coming out of engineering or other sort of aspects of the OT space and want to get, you know, up to speed on cybersecurity?

Mike Holcomb
Sure, sure, definitely. And again, with that disclaimer, right, I am, you know, tried and true, you know, I have an IT cybersecurity background, but I do work with a lot of folks in the OT space, and, you know, I get to meet a lot of folks on LinkedIn and elsewhere to have conversations with and help. And so whether it’s at the office or elsewhere, I always talk about, you know, for folks coming from an OT background, one of the things that really surprised me is a lot of OT people, or that come from different aspects of automation, they don’t necessarily have the fundamentals of networking down. I was really surprised. Ah, you know, I always think, you know, of engineers, they do everything, yeah, in the world, and found a lot, yeah, a lot of engineers aren’t that familiar with networking. I was really surprised. So it’s just like if anybody is coming into IT cybersecurity, the first thing I would suggest they learn is networking, especially of course with TCP/IP, since that’s, you know, the main protocol that we use on all our internal networks, even in OT, for better or for worse, and the internet of course. Ah, so that’s that basic, you know, foundation for connecting our systems together, and then learning the basics of cybersecurity.

So I always tell folks to really look to the Security+ certification that CompTIA has, and even if you don’t necessarily look to get certified, even though I suggest people always do, but just the knowledge that you can pick up from picking up one of those study guides or going through a Security+ course, et cetera, you get the basics, the fundamentals of cybersecurity from the IT perspective. And then that really gets us to where now we’re on this kind of common playing field where we can have folks from the OT side of the house and the IT folks from their side of the house really come together. And I always talk about, we always talk about these different sides of the house, but we always forget that it’s the same house that we’re all living in and trying to protect. And so we can come together with kind of this basic, ah, you know, understanding of networking and cybersecurity and learn from each other’s perspectives, and then kind of put together, to build out that plan on, okay, how are we going to protect our house from somebody trying to break in and do harm?

Andrew Ginter
So you mentioned the Security+ certification. A question that I get regularly and have, you know, limited insight into answering is sort of the more general question about certification. Um, what should I be certified on if I want to practice in the OT, the industrial security space? You know, you’ve mentioned Security+. You know, is there a more general answer?

Mike Holcomb
Yeah, and when we talk about, you know, OT cybersecurity, the certification landscape is somewhat limited compared to the IT world, but there definitely are some certifications that are worthwhile for people to pursue, I think, in my opinion. You know, I always struggle sometimes because I always want to make sure folks really are working on gaining the knowledge and the experience to work in, you know, OT cybersecurity, and not just trying to go take a quick course and take a certification exam and then I don’t imply that they know everything about OT cybersecurity because certification, that’s not the goal, right? That’s not the endgame for those certifications. But there are some great, you know, certifications out there. You know, typically, especially from the US perspective, we look to SANS, and not only the SANS Institute and their courses and certifications that we can mention. I have all three of those, in part, you know, partly going through the master’s program and also just being a longtime SANS student and having taken those courses. I’ve been very fortunate to do so. And then there is the ISA/IEC 62443 series as well that ISA created.

So I think for me personally the knowledge in the SANS courses is bar none. I also realized that I was very lucky when I took the SANS GRID course with, probably, it was actually at the exact same time that the crisis incident was happening. So not only am I sitting in class with Rob Lee, who’s teaching, and you would get to have cyber conversations and go to dinner, but also his company is responding to one of the most important, you know, cybersecurity incidents in the OT world still today. And so we were getting, you know, play by play and what was going on behind the scenes, which, you know, you still can’t pay for an experience like that. Um, which does bring up the fact that the SANS courses are very expensive these days, and I understand that not a lot of people can afford them. The knowledge is second to none. Rob Lee still teaches his incident detection response course for OT a couple times a year. I personally think, you know, to be able to be in the room with him and engage and ask questions, you know, that’s invaluable experience. But again, you know, ten thousand US dollars essentially now to take a class and the certification exam is hard for a lot of people, and I’m very fortunate to work for a company that has provided me those opportunities.

So the ISA series is a very valid alternative. I think a lot of people, and especially engineers, have the ISA certifications. They have 4 courses that you take, and then you have to take the course to take the exam. It’s about $8000 if you’re not an ISA member. So for their entire series, right, it’s already less than one SANS course. And so I think, though, the one thing to keep in mind about those courses is that they’re designed to teach OT professionals some basics about cybersecurity and introduce the 62443 standard. It’s not going to... and unfortunately the master certification, right, when you pass all 4 exams, they give you what they call the ISA/IEC 62443 expert, cybersecurity expert certification, which is a horrible name, because I think we could probably all realize that if you take, was it about twenty-four, thirty hours, ah, even if, let’s say, 40 hours of course materials, and you pass a couple exams, it doesn’t make you an expert in anything. So I think it’s not a great name, but it’s a certification that shows that you have a basic understanding of cybersecurity and different aspects of cybersecurity and how they’re implemented in the OT world. So if you’re looking at getting certified and demonstrating that basic level of knowledge, then I think the ISA, you know, series is going to be the most effective for people, in part because of the cost and in part just because of the time, and that there is learning involved and there is good information to get out of it.

And for me, SANS, you know, people always joke about drinking from the firehose when you go to a SANS course and you’re just flooded with information, and have some of the greatest thought leaders, you know, in the industry that lead those courses, like Rob Lee and Tim Conway, and of course with Michael Assante, you know, before them, and Derek Harp, you know, was on that original team. So you can’t beat the SANS materials. It’s just the cost is so expensive. And then there are other alternatives out there. There’s the folks in Germany, I think it’s called TUV or TUV Rheinland. One day I’ll figure out how to pronounce that. Um, yeah, I start to see, you know, more individuals with those. Ah, we have some engineers at Fluor, and I’ve seen others with the exodu certifications, so that are a little bit like the ISA 62443, you know, but a little bit, you know, SANS, and, yeah, but more from the vendor perspective, um, with dedicated courses at a, again, like ISA, you know, reduced cost, right, relatively less expensive than SANS courses, but not as much knowledge or information. Hopefully... And I’m very good at rambling, as you could tell, so.

Andrew Ginter
So let me dive a little deeper. You mentioned, you know, people come into a lot of training and, you know, desires to learn about cybersecurity without basic networking. I’ve observed that as well. You know, some years, depending on when the course runs, I teach a course at Michigan Technological University. The audience is mostly engineers. It’s a graduate course in engineering. Um, and yeah, I find it necessary to burn, you know, 2, 3, maybe 4 hours of a 40 hour pool of lectures, you know, and assigned reading and exercises on the basics of networking. What is the Ethernet? What is a frame? What is, you know, the ARP protocol? How do you resolve IP addresses? How does IP ride on top? You know, once you leave the Ethernet into the internet, what does IP look like? Is this what you mean? I mean, how much of that, in your estimation, how deep on that do you really have to go?

Mike Holcomb
I would say very similar when I do those types of classes. You know, at least a couple of hours, and I do training also with our engineers at Fluor on a regular basis. You know, definitely at least a couple of hours. But I think that’s the same concept, or the way I look at it is this idea that if we want to understand how to protect our environments from the attackers, and we have to understand how they’re getting in to the environment and how they’re actually conducting and pulling off these attacks, and of course they’re doing this over the network. And so we need to be able to understand the fundamentals of networking to be able to ultimately better understand how to protect our environments. So we do cover everything from, again, focus on TCP/IP, since that’s going to be the main protocol we’re using in all of our environments, and of course that opens us up to the wonderful world of internet connectivity, for better or for worse, and down to, you know, we started to look at things like how does ARP work and how does, you know, IP routing work.

And then that leads into the conversations like when we start talking about, well, how do we best protect our OT network? Well, we always are going to suggest we start with secure network segmentation. So you can’t have those conversations about things like network segmentation and putting a firewall or a firewalled DMZ between IT and OT before we already at least have that basic understanding of networking. So that’s why it’s always definitely a big focus for me: we need to understand the fundamentals of networking to be able to understand how all these components talk together, yeah, within IT, within OT, and now IT with OT, and then also on top of that how we’re connected to the internet, all in, you know, some way, shape or form. And so how do we, you know, be able to protect the network from attack? But again, we have to have at least a basic understanding of networking before you can really start getting into those fundamentals, especially things like how do we do secure network architecture.

Andrew Ginter
Now you’ve mentioned standards, 62443. Um, how big a role should standards play? How, you know, how familiar do you figure that people, you know, coming from the IT side or the engineering side into OT security, how familiar do they need to be with standards?

Mike Holcomb
You don’t have to know them in and out necessarily unless your job requires you to. But I think they’re great references, especially for people that are getting into cyber security. They’re great references to starting to learn about the different aspects and all the different domains, everything that comes together to create a fully functioning cybersecurity management program in OT environments, and whether it’s a power plant or manufacturing facility or a railway, it doesn’t matter the environment, but the standards will show you all the parts that you’ll use no matter what type of OT environment you’re in. So 62443 is the gold standard everybody looks to today, but it’s not, you have to pay, you know, to get the full copy. So it’s not something that’s probably readily available to everybody, even though it’s still a lot of great information. I think that one can be a little overwhelming at first as well, for some people at least. I know it was for myself. It just didn’t come across to me as kind of a straightforward standard, I think because it’s written more from an engineering perspective. So for OT folks, it probably feels and makes a lot more sense than for folks coming from an IT background. I suspect, at least for me, that’s kind of what I was thinking.

Um, so I can also gravitate towards NIST, you know, so we have NIST guidance in OT, and so people can also look to that as a standard. I think that has a much more kind of familiar look and feel if you’re coming from the IT cybersecurity world. And it’s freely available, so it’s something that you can access today and you can look through it to see, again, all the different components that go into building a cybersecurity program for an OT environment. So I do think they can make some great references. And then of course, depending on if you work in an OT environment today, you might also have either requirements to adhere to those standards or frameworks, or you might also have other regulations, like if you’re in power generation or transmission in North America, or in United States and Canada, you have to be very familiar with NERC CIP. So all great resources for either people that are in the field or for those that want to learn more about OT cybersecurity.

Andrew Ginter
So, you know, good list of resources there. The ISA standards, you know, IEC 62443 standards, they’re the same thing. Um, you do have to pay for them. Um, I don’t pay for them. Legally, what I do is I buy an ISA membership. I just renewed my membership. Um, you know, if you renew early, you get a 20% discount. I think I paid eighty-five US dollars to renew. You pay this every year and you get online access to the standards. You cannot download them. You cannot print them, but you can read them. This is what I do. I don’t have copies of all the 62443 standards. When I need, you know, the standard as a resource, I log in on my ISA account. Um, and you know, Mike mentioned NIST. Let me go just a little bit deeper on NIST. Yeah, NIST 853 dash 53 is sort of the IT standard that everyone uses. The NIST Cybersecurity Framework is, you know, IT-ish. Everyone uses it. NIST 883 just came out, version 3 of it just came out, and it’s focused on applying all that stuff into the industrial space, and so it’s much more industry-focused. Um, you know, I use it routinely. It’s got really a very readable first hundred pages of kind of introduction. So I recommend very much the eight hundred dash eighty three standard.

Andrew Ginter
Okay, so, you know, courses, standards, certifications. Um, is there anything else that we’ve missed? What would you encourage people to do to make the transition?

Mike Holcomb
I think the other big thing that we didn’t talk about, that I like to focus on because I see how rewarding it can be, is to get people involved with the community as a whole. So, completely different type of networking than we’ve been talking about. But look at, and I understand, at least speaking from my own experience, I’m an extreme introvert. I don’t want to get out and talk to people, as much as I might seem to, and so the last thing necessarily I want to do is get out and talk. And at the same time it’s so amazing when, whether you go to a class or you’re on social media like LinkedIn, and you’re getting to talk with people from all over the world, from different backgrounds and different perspectives, and they work in, you know, IT and OT, and they have different experiences and they work in different types of environments. You know, you can learn from so many different people that are out there, and you can also share, you know, from your own experiences, and they can learn as well. So it’s really an amazing experience.

You can also see that when you go to conferences. So I always encourage people, whether you try to go to, you know, some of the larger conferences like the SANS ICS Summit or S4, or maybe even some of the smaller, more local conferences like BSides, that you can get together with people, and everybody’s there really just to learn and share and have a good time. It’s just very easy, and I see this all the time for people in both IT and OT, where we’re just doing our job, we’re keeping our head down, got the blinders on, we’re just, you know, getting things taken care of. But if we’re not out there, not only learning and sharing with each other, but also, you know, understanding what’s evolving out there in the world, right? We need to make sure we’re staying current and understanding what’s going on. The ICS/OT cyber security landscape has changed drastically over the last two, two and a half years, I would say, even more so in just the last couple months, if not just the last couple of weeks. We had news of the power being turned off in the Ukraine again back in 2022, even though they just announced it. Not sure why it took so long, but, you know, that’s definitely an involvement or evolution to understand, how that, it was not ICS-specific malware, that was living off the land techniques that were used in that attack, right? That’s something that we need to be aware of as OT defenders. We can look at the Danish coordinated attack by, I think, allegedly Sandworm, which was detected by the SektorCERT team, and that alone has other implications that we all need to understand and be aware of as OT cybersecurity defenders.

So if we’re just doing the job, keeping our heads down, and we’re not out there talking in the community, we’re not, you know, on social media like LinkedIn sharing information and reading the latest news and out there going to the conferences, listening to the podcasts, reading the books, yeah, if we’re not staying up to date, we’re not staying current, then ultimately we’re not doing our job as cybersecurity defenders of our OT environments.

Andrew Ginter
I don’t know about rapidly, but things are changing, and I’m not sure that, you know, a lot of practitioners are tracking these changes. Um, so the change he mentioned was living off the land. Um, you know, for anyone out there who doesn’t already know what that is, it’s using, you know, instead of writing your own malware, your own remote access trojan, your own virus, your own who knows what, instead of writing your own attack tools that have signatures that antivirus might detect, that, you know, are artifacts of code that can be detected on a machine, um, you’re using the tools that are already built into Windows or Linux or whatnot. I mean, Linux is a treasure trove of tools. And so if you look at a compromised machine, there’s really no evidence. There’s nothing installed on the machine that shouldn’t be there. If you look at network traffic, it’s the traffic that sort of normal allowed tools are putting on the network. And so it’s sort of more devious than average. Is it new? Well, I mean, people have been talking about this in the IT space for a while. I think it’s newish in the OT space.

Um, you know, something else that’s changed that people are not tracking is, you know, the latest Waterfall threat report shows that this decade, since 2020, the attack world has changed. We’ve gone from a state for a whole decade where cyber attacks with physical consequences, you know, the lights go out, as in the Ukraine, or equipment is damaged, as in, you know, the steel mill in Germany a decade ago. Um, these attacks used to be sort of trickling along at, you know, 1 or 2 or 3 a year, and now we’re starting to see what looks like exponential increase. We went from, you know, 5 in 2019 to 18 to 23 to 57 last year. You know, the world has changed. Um, is it dramatic and fast? I don’t know, but we do have to keep track of these. I mean, what I heard in Mike’s comments

Andrew Ginter
So cool. Um, so that makes sense. Um, you know, it’s been great. Thank you for joining us. Um, before we let you go, can you sum up for us: what should we take away? What are the most important things to remember if, you know, we’re either on the IT side or the engineering side wanting to make the leap into OT security?

Mike Holcomb
Sure. I think the main point is it doesn’t matter if you come from IT like myself, if you come from an OT background like many of my colleagues. It’s the IT side of the house, it’s the OT side of the house, we all live and work in the same house. We all want to protect the same house. We have to work together to be able to do that, you know, and not everybody in IT wants to learn about OT and not everybody in OT wants to learn about cyber security. So if you’re one of those people that does, and when you encounter others that are like you and that they do as well, learn, work with each other and share and encourage each other, because it’s going to take all of us together to protect our very unique and critical environments, because as we just touched on, you know, just real briefly, the threat landscape has started to change dramatically and it’s only going to get worse from here, and it’s going to be on all of us to make sure that we protect our environments, to help ensure, right, that we’re protecting the world around us, right, for our families and our friends, and no matter where in the world we live, we’re all in this together. I always like to talk about, you know, protecting the world, but it does take us, you know, all working together. So, but I appreciate you having me on the podcast.

Mike Holcomb
But I do appreciate the time for being on the podcast. It was great to get to come in and talk with you and share with everybody. Real quickly, if anybody’s looking for us down the road, of course you can find Fluor at fluor.com, you can check out Jobs@fluor.com. I think we have about 1300 openings right now for IT and of course OT engineering professionals all around the world. So definitely check out the site there, and if you’re looking for me, you can find me on LinkedIn. I’m always on LinkedIn. And you can also find my resources at Mike Holcomb dot com. So, but again, reach out anytime, and I appreciate again the time, and everybody for listening to the episode.

Nathaniel Nelson
Andrew, that was your interview with Mike Holcomb. Do you have any last word that you’d like to take us out with today?

Andrew Ginter
Sure. Um, I mean, what makes sense, you know, makes perfect sense: take training if you can afford it. You know, SANS or ISA or, you know, I wasn’t aware of the TUV Rheinland or the exida training. Um, read the standards. Um, I especially recommend the free NIST 883 that is focused on industrial systems. It’s free. It’s readable. You know, when you have opportunity, try to attend some conferences. You know, there tend to be conferences more local than more distant, you know, controls your travel costs. And when you’re at a conference, network, ask people questions.

And, you know, maybe to expand on that last one just a little bit. Um, you know, I’ve been attending conferences for over a decade because that’s part of my job. I’m a techie though. I struggle with networking. I had a really great networking experience at the ICS conference in Denmark just a couple of weeks ago. It’s only been fifteen years, but I may finally have figured this out. When you get an expert in front of you with, you know, a beer in their hand and a snack in the other, um, you know, yes, introduce yourself, ask what they do, and then, you know, from your knowledge of the field, ask a controversial question. I mean, I sat down with the folks at the SektorCERT, they were at the event in Denmark, a couple of different times, continued the conversation on LinkedIn. You know, eventually was bold enough to ask the question: um, this attack targeted Danish critical infrastructure. Why was there no report of any other infrastructure in the world being targeted? These firewalls that were exploited are used widely. Um, the, you know, the vulnerabilities were well-known. And I got a useful answer. Now it wasn’t a clear answer, because there’s confidentiality agreements. There’s only so much these experts can tell me. But I was always afraid of asking people controversial questions, and don’t be. Experts love to talk about what they’re doing. If they cannot tell you something, they will explain why they cannot tell you something. And that context in itself was useful for me in terms of understanding the scenario.

So, um, you know, I would encourage people to sign up to the SCADASEC mailing list or sign up to the ISA SP99 standards committee mailing lists. You get a lot of stuff. You don’t have to read everything on these lists. But what you get is a sense of what people argue about and what’s controversial, so that you have ammunition at your next networking session. So that’s my little nugget of, you know, I had 3 really interesting, you know, conversations at networking at this event in Denmark by asking questions that are a little bit controversial.

Nathaniel Nelson
Well, with that, thank you to Mike for speaking with you, Andrew, and Andrew, thank you for speaking with me. This has been the Industrial Security Podcast from Waterfall. Thanks to everyone out there listening.

Andrew Ginter
It’s always a pleasure, Nate. Thank you so much.

The post Making the Move into OT Security | Episode 118 appeared first on Waterfall Security Solutions.
UAE Based Oil & Gas Refinery  https://waterfall-security.com/ot-insights-center/oil-gas/case-study-uae-based-oil-gas-refinery/ Tue, 09 Jan 2024 10:13:20 +0000 https://waterfall-security.com/?p=17367 How a UAE-based refinery was able to protect their legacy system to the extent it could safely be connected to the internet, IT networks, and the Cloud.


UAE Based Oil & Gas Refinery 

Defending a refinery's legacy OT systems

Customer:

A leading Oil & Gas refinery in Dubai, United Arab Emirates

Challenge:

The refinery needed to maintain secure access to plant data while facing increased cyber threats on their ICS.

Their legacy Wonderware Historian (AVEVA System Platform) was out-of-support, requiring a Unidirectional Gateway solution that integrated seamlessly without modifications.

Waterfall’s Unidirectional Security Gateway Solution:

Offered native integration with Wonderware AVEVA System Platform.

Waterfall’s R&D team customized the integration connector to work flawlessly with the out-of-support legacy system, avoiding any modifications.

Provided a continuously updated replica of the Historian server on the commercial IT network, ensuring the actual production server remained isolated and data flowed one-way (from OT to IT).

Results & benefits

100% Secure OT Network: Unbreachable by remote cyber threats.

Real-time Data Visibility: Full and secure access to real-time production data.

Legacy System Unaltered: No modifications required to the customer’s legacy systems.

Scalability: The refinery’s success led to them ordering additional Waterfall Unidirectional Security Gateways for further applications.

Securing Industrial Data Flow to AWS  https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/securing-industrial-data-flow-to-aws/ Tue, 09 Jan 2024 08:45:31 +0000 https://waterfall-security.com/?p=17326 Waterfall is proud to be recognized by Amazon as a validated industry standard for connecting OT systems to the AWS Cloud.


Securing Industrial Data Flow to AWS 

Waterfall is proud to be recognized as the industry standard for connecting OT systems to the AWS Cloud.
Waterfall team

As industries embrace the power of the Industrial Internet of Things (IIoT) and other cloud-based technologies to enhance operational efficiencies, a challenge has emerged in bridging the gap between the need for digitization and the importance of securing critical infrastructure systems. The conventional approach of directly connecting Industrial Control Systems (ICS) and Operational Technology (OT) to external networks poses significant cybersecurity risks. After extensive joint lab testing and data validation, Amazon Web Services (AWS) now recommends using Waterfall Unidirectional Gateways as the preferred solution for securely connecting industrial systems to the AWS cloud. 

The delicate balance between digitization and security

Waterfall Security and Amazon Web Services both acknowledge the necessity for a balanced approach in advancing digitization, while safeguarding critical infrastructure systems. In line with AWS’s 10 security golden rules for IIoT solutions, AWS recommends deploying security appliances, particularly unidirectional gateways, to regulate the data flow and establish unbreachable one-way connections to external networks and cloud services. This way, data can securely flow to the AWS Cloud for access and function use within AWS’s IoT SiteWise and IoT Core, while any attempt to breach the industrial systems remains physically impossible. 


The power of Unidirectional Gateways

Unidirectional gateways, which are a much more secure alternative to traditional firewalls, ensure a one-way data flow from the OT network to the IT network and the cloud while being physically unable to send traffic in the reverse direction. Unidirectional gateways are compliant with many industry standards such as NERC CIP and ISA/IEC 62443. While deployed behind-the-scenes, these unidirectional gateways play a crucial role in protecting critical infrastructure systems. 

Waterfall Unidirectional Gateway to the AWS Cloud

Option 1 –> Sending OT/IIoT Data to AWS IoT SiteWise: 

Waterfall Security’s Unidirectional Cloud Gateway facilitates the secure transmission of OT/IIoT data to AWS IoT SiteWise. The gateway replicates OPC UA data from an OPC UA server, hosting a replica OPC UA server for the IT network. The AWS IoT SiteWise Edge gateway running on AWS IoT Greengrass collects and sends this data to AWS IoT SiteWise in the cloud, enabling efficient visualization and analysis.

Option 2 –> Sending OT/IIoT Data to AWS IoT Core: 

Waterfall’s Unidirectional Gateway, acting as an MQTT broker on the industrial network, facilitates the transmission of industrial data to AWS IoT Core using the MQTT protocol. This data can then be routed to various AWS services for processing, such as AWS IoT Events, AWS Lambda, Amazon Kinesis, Amazon Simple Storage Service (Amazon S3), and Amazon Timestream. The Waterfall Unidirectional Gateway ensures a secure and one-way transfer of data, physically removing the possibility of inbound cybersecurity risks. 


Let the OT data flow to AWS Cloud-based services

In conclusion, Waterfall Security offers a robust solution for securely streaming OT/IIoT data to AWS IoT SiteWise and AWS IoT Core. By leveraging unidirectional gateways, industrial operations can harness the power of AWS cloud services without risks to their ICS/OT environments. This approach not only simplifies OT/IT integration, but also aligns with AWS’s multi-layered security approach outlined in the ten security golden rules for IIoT solutions. Waterfall Security remains committed to enhancing the security of critical infrastructure sectors, providing a foundation for secure, efficient, and digitized industrial operations. 

Building Trust to Cooperate at the EE-ISAC | Episode 117 https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/building-trust-to-cooperate-episode-117/ Sun, 17 Dec 2023 10:06:17 +0000 https://waterfall-security.com/?p=14658 Our enemies cooperate, and so must we. Aurelio Blanquet walks us through the activities of the European Energy ISAC, with a focus on building the trust that is essential to enabling the cooperation that we need to work together.


Building Trust to Cooperate at the EE-ISAC | Episode 117

Our enemies cooperate with each other, so we must cooperate with each other too. Aurelio Blanquet walks us through the activities of the European Energy ISAC, with a focus on building the trust that is essential to enabling the cooperation that we need to work together.
Waterfall team

Aurelio Blanquet, Secretary General of EE-ISAC
“… face-to-face meetings are critical because it’s the first seed to building trust, and without them, we would lack the most critical value of an ISAC, and that is trust.”


About Aurélio Blanquet and European Energy ISAC

Aurélio Blanquet, a graduate in Electronics Engineering with an MBA in Business Administration, has been a prominent figure in the energy sector. Since 2017, he has held the position of Director for Networks Digital Platform at EDP Distribuição. Concurrently, he serves as the Vice-President of EUTC (European Utilities Telecom Council), a Board Member of Prime Alliance, and holds an Executive Membership on the Assembly Committee of ENCS (European Network for Cyber Security).

Prior to his current role, Blanquet served as the Director of Automation and Telecommunications at EDP Distribuição from 2007 to 2017. During this period, he chaired the EE-ISAC (European Energy Information and Analysis Center), was a Board Member of EUTC, and Prime Alliance. He also represented Portugal as a member of the Eurelectric WG Distribution System Design and served as a member of the EC Expert Group 2 (EG2), focusing on Data Privacy, Data Protection, and Cyber Security of smart grids within the SGTF (Smart Grids Task Force).

Between 2002 and 2007, Blanquet held the position of Associate Director of Network Operations at EDP Distribuição. In the period from 1999 to 2007, he served as Director at ONI Telecom, where he led Business Development Projects and was responsible for the e-commerce B2C business. Prior to that, until 1999, he held the position of Head of Department for Tele-control and Telecommunications at EDP. Throughout his career, Aurélio Blanquet has also served as a Project Manager for R&D Projects, specializing in SCADA/DSM Systems, Substation Automation, Distribution Automation, Intelligent Sensors, and Digital Power-Line Telecommunications.


Transcript of this podcast episode #117: 
Building Trust to Cooperate – at the EE-ISAC

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Welcome everyone to the Industrial Security Podcast. My name is Nate Nelson. I’m here with Andrew Ginter, the vice president of industrial security at Waterfall Security Solutions, who’s going to introduce the subject and guest of our show today. Andrew, how are you?

Andrew Ginter
I’m very well, thank you Nate. Our guest today is Aurelio Blanquet. He is the secretary general of the EE-ISAC, which is the European Energy Information Sharing And Analysis Center, and he’s going to be talking about the good work that they’re doing at the ISAC, at the center, and about, more generally, what is an ISAC and how does it work.

Nathaniel Nelson
Then here is your conversation with Aurelio.

Andrew Ginter
Hello Aurelio, and welcome to the podcast. Um, before we get started, can you give us a few words of introduction, please? So, you know, tell us a bit about yourself and about the good work that you’re doing at the European Energy ISAC.

Aurelio Blanquet
Hi Andrew, thank you for the invitation, and it’s a pleasure to share with you the ISAC. So I’m the secretary general of the European Energy ISAC, which calls for Information Sharing and Analysis Center, and previously I was the first president elected from the members community in 2015, when the association was launched. And I chaired the association between 15 and 18, and previously I was director and board advisor of a European energy utility, in this case in particular in Portugal, EDP, where I was responsible for the ICS and cyber security strategy and implementation. So I work with the topic of DCS for almost forty years, and cybersecurity since the very beginning, where cybersecurity was not a known word around the community.

So about the role that I’m performing, what I do is of course assure the presentation of the ISAC to the community, and namely to aspiring members. Um, of course we have lots of work with the meetings and contacts with the C-levels, partners and the stakeholders, namely European associations, including the European Commission, and of course I also attend and I’m speaker at the events and conferences, namely on energy digitalization and on cybersecurity. In one sentence, it is everywhere where information sharing can play or plays a relevant role in Europe, and I would say even worldwide.

Andrew Ginter
Thanks for that. Um, and we’re talking about the European Energy ISAC, Information Sharing And Analysis Center. You know, I’ve been part of other ISACs, and the model that I have in mind for an ISAC is sort of a weekly phone call where managers of security operation centers are on the call, or, you know, senior people from security operation centers. They exchange actionable intelligence. They exchange IP addresses that they’ve noticed are attacking them. They exchange file checksums from, um, you know, suspicious attachments that they’ve received. They gather all this information, they feed it back into their intrusion detection systems and their security information and event management systems. You know, is this what the European Energy ISAC does, or are you doing something else?

Aurelio Blanquet
We do something else, starting by the feed of information. So what we intend to do, and what we are doing and promoting inside our community, is to feed an information sharing portal, and the idea is to assure that each member can, on a real-time basis, share their own incidents, namely the ones related with malware. So we have a European platform for malware information sharing, and the idea is to have the feed of this platform embedded in our members’ internal processes, including a synchronization between the member’s platform, if they have a private sharing platform, and this European platform. This way we are able to have, on an almost real-time basis, a full information dataset that allows us to have a broad vision about incidents within our members community, and broadly at the European level.

So the first thing that we do is to collect this information. To make this information actionable, we perform a second task. What we do is to vet this information to assure that it’s trustable information and is not false positive information, and this is the first challenge, or second challenge, we have. The first one is to feed the information; the second is to have the right balance between the vetting process and the timely information that is made available in platforms. If we take too much time to vet, the information lacks timeliness, and if we want it to be very timely, maybe it cannot be vetted information. So this is the second task that we perform. And last but not least, what we do is to use this information in order to produce threat intelligence reports that are made available inside the community and that correspond to an analysis, and that help the members to take more supportive, actionable information, which means that each member can use the information that is fed in the platform on Isb off, and the information is updated, and also the reports that come from the treatment of this raw information that is stored in the platform. So I think, from my perspective, these are the 3 main levels at which the ISAC and the community work.

Andrew Ginter
So Nate, real quick. What I heard there was that the ISAC does have a function that is focused on actionable intelligence. It’s different from the ISAC that I described, you know, my previous experience in a different ISAC, in that it’s more, it sounds like, automatic. Instead of a call once a week where the information is exchanged verbally or, you know, pasted into Teams, the information is made available in a real-time portal. There’s a validation step that goes on. People have access to the intel as soon as somebody enters it and it’s validated. And there’s reporting that goes on, so, you know, that sounds useful.

Andrew Ginter
So that makes sense. I mean, I’ve had a look at your website. You have a risk management white paper there that anyone can download. You know, you’re focused on events that shut down operations in Europe. And, you know, I am reminded that at the time we’re recording this, just a week ago, there was an announcement of an event in Denmark where, you know, firewalls on critical infrastructures, including, I understand, electric utilities, were breached by an accused nation state adversary. Can you talk about the Denmark event? Where does that fit in sort of your scale of attacks on the power grid?

Aurelio Blanquet
Well, that’s a very, very good question. I think both types of incidents are, for different reasons, very relevant. Of course, when you have a huge impact on people or on the economy, this is an incident with immediately critical consequences, and it can be a power outage. But you can have a hacking situation like you talked about in Denmark, and we also had one in Portugal in 2022 that didn’t have any impact on power. Nevertheless, it means that the companies faced a vulnerability and this vulnerability was exploited. If it didn’t have any consequence, it could have 2 main reasons: because the company was able to defend itself and control the incident and have an effective response.

Aurelio Blanquet
Ah, or maybe even the attacker was not intending to be harmful but was just testing, and it also happens quite often. And in any of those situations, an association like the ISAC plays a critical role. If you have not a network, like we had in Ukraine a couple of years ago, it will be more than useful to have a community that is able to support you and help you in the incident response, sharing with you the different kinds of best practice that you can perform to overcome the incident.

Nathaniel Nelson
So this Danish incident that you guys are referring to, for listeners who aren’t fully caught up: it occurred in the spring of last year, starting with a firewall vendor called Zyxel, I don’t know if it’s zesler Zixe, which in late April of 2022 revealed a pretty serious command injection vulnerability. It was given a nine point eight out of 10 CVSS score, for those of you who follow along with that. And shortly thereafter attackers utilized this vulnerability in their firewalls to attack the Danish energy sector pretty broadly. Because the firewalls were the thing separating the internet from control systems protecting safety critical equipment, it became a very serious incident. I believe, according to what I’m looking at now, eleven energy companies were compromised pretty much immediately. Five more were attacked but managed to stop the attackers. It took, as the Sektor CERT described it, the entire night to remedy the issue, but they did successfully protect all of the systems, until eleven days later, when more attackers came back.

Nathaniel Nelson
This time, instead of the publicly revealed vulnerability, there were two zero-day vulnerabilities of the same severity affecting the same devices. The attackers seem to have thrown the book at the energy companies this time, and a couple of pings back to attacker-controlled servers revealed that they might have had to do with the Russian group Sandworm. So I believe at the end of the day all of the utilities and related companies were safe, but it did sort of very obviously demonstrate the threat here.

Andrew Ginter
That’s right. I mean, I was in Denmark when the story broke, at an event doing a book signing, and had opportunity, you know, at the event. The organization, the Sektor CERT, that reported the incident, you know, gave a presentation. I had a chance to sit down with the technical lead from the CERT afterwards. And so, yeah, you know, all of that’s true. A fine detail, in my understanding: the firewalls were not between the internet and the OT systems. The firewalls were the internet-facing firewalls for the business; they were, you know, the firewalls that protected the IT network. And so the Sektor CERT is a little bit unusual. They have technology that is, you know, getting a copy of all the packets that are being exchanged and inspecting them for attack signatures at the internet interface of these critical infrastructure utilities, their members. Not at the IT/OT firewall, where most people think that you would be, you know, monitoring for attacks. They’re monitoring for attacks on the entire organization. And they found these, you know, these attacks. It was 1 of their people that identified the initial intrusion.

Andrew Ginter
And they said, you know, really their role is to detect and alarm, detect and inform. So they called the affected organizations, said you’re under attack, here’s the details, and a great many of them were small and, you know, didn’t really know how to deal with the intrusion. And so, in spite of the Sektor CERT not primarily, you know, being an incident response organization, not really having a flyaway team, they said, look, this is Denmark. They got into a car, they drove out to these facilities and, you know, walked them through the process of turning off the firewall and updating the firmware and, you know, activating the internal incident response to see if anything had been stolen or sabotaged or anything. So they were involved in the incident response as well, even though that officially isn’t what they do. So good on them.

Nathaniel Nelson
Yeah, that is a pretty crucial correction that you made to me. Also, the language in the report is a little bit broad. They say: we have experienced that Zyxel is used to a large extent to protect the critical infrastructure, and we know that many OT environments... wait, here we go. The attack groups had a publicly known vulnerability that they used to penetrate the industrial control systems, and the primary defense against that happening was precisely the equipment that was vulnerable. So maybe they used the firewalls to get into the IT networks, and then the IT/OT defenses are sort of taken as a given. Do you have any detail about exactly, like, how their network was mapped out, or not so much?

Andrew Ginter
No, I don’t. I missed that in the report. You know, I’m going off my memory of the conversation with the folks at Sektor. They’ve promised to come on a future episode, so let’s get them on and we can dig into the details with them instead of relying on my fallible memory here.

Nathaniel Nelson
It also occurs to me as we’re talking about this: you know, this was a critical vulnerability in what appears to be a relatively popular firewall product that might be found anywhere else in the world. I know that there was a gap between the twenty fifth, when the vulnerability was revealed (we’re not talking about the zero days here, that’s another matter), and then May eleventh, when the attack occurred. Is it just that everybody would have patched in that time, that I haven’t heard similar stories from other countries? Andrew, do you know if this initial vulnerability was exploited elsewhere?

Andrew Ginter
I don’t know that. You know, I asked Aurelio that, and he basically said, you know, if he had information he couldn’t share it with me. They have strict rules about nondisclosure. But, you know, to me it’s an interesting question. I would like, if someone, you know, digs up an answer, I’d very much like to know, because what we have here is, excuse me, a Danish organization, the Sektor CERT, reporting an attack on Danish critical infrastructure using this firewall as an attack vector. As you point out, the firewall is used very widely. Did anyone else get hit, and they just shut up about it? That would be useful to know. If nobody else got hit and the bad guys used this firewall as a vector specifically to attack Danish critical infrastructure, what does that mean? I don’t know. I’d very much like to know.

Nathaniel Nelson
Ah, or alternatively, others were hit and, as we know that there is some evidence here that there’s a state-sponsored actor involved, maybe they just didn’t know.

Andrew Ginter
Yeah, so like I said, I would like to know. I hope that, you know, more information comes to light over time.

Andrew Ginter
I’m going to change topics in a moment, but before I leave your information sharing system: you know, I know that the information in there is confidential, but is there anything that you can tell us, sort of, in terms of the volume or the quality of information that you have in there that you’re tracking?

Aurelio Blanquet
Just to have a small idea, when I look to the information gathered in our sharing platform, January to July, and I didn’t update it with the figures from October, but we have something like 60000 events corresponding to five million attributes and two point five million correlations among the cybersecurity events and the attributes. If we look to the organizations that fed the platform and we make an average, each organization on average fed something around one hundred and fifty events in the platform. This means that if an organization is not part of a community with an active and very proactive information sharing attitude, the organization is able to deal with 150 incidents but is only able to take decisions and to take action based on the information delivered by one hundred and fifty security incidents. If you broaden your interests, you are able to take the same action based on the information of 60000 events, which means that the scale is much, much higher, and if you go up in your information scale, for sure the ability to take a better decision will be much, much higher.

Andrew Ginter
And changing gears a bit. I understand that, yes, you folks are focused a lot on incidents and information sharing. That’s what, you know, ISAC means. But you’re also talking to governments, you’re talking to the Commission. You know, NIS2 is the big news from the Commission that all of the governments are acting on. Can you talk about NIS2? What does it mean to your members and, you know, is there, I don’t know, advice that your members are giving the member states? What’s happening with NIS2 in the organization?

Aurelio Blanquet
Well, the NIS2, as well as the very, very new network code for cybersecurity that was closed for comments last Friday, midnight last Friday, means for the association 2 things. As all regulation that comes from the Commission, it is always a concern and an opportunity to have a voice on the content of the legislation, whatever it is. Focusing on the NIS2, what this means is that, looking to the energy sector in Europe and looking to the NIS, the NIS2 broadens the accountability of the companies that were already covered by the NIS and then brings to the compliance requirements a new group of companies that were outside the NIS. And when we look to those companies, we see small companies, and this is a very, very big challenge, not for the members of the association but namely for the non-members of the association, because those companies, because they are small energy companies, are not so well prepared as the big players are in this cybersecurity challenge.

So until now they were outside the regulation; now they are inside and they must be as compliant as the big ones, of course with some nuances and with different impacts in terms of a fault. But nevertheless, this means that there is an opportunity to join forces instead of fighting alone in this world. And then we recognize that the NIS2 from this perspective makes sense because, as we talked before, the European energy system is an interconnected system, which means it is as strong as its weakest link, and it’s easier to attack a couple of 10 or 20 small energy companies and bring problems to a full energy system than to try to attack a big company that is well prepared and trained into better response. Maybe it is not going to be as effective as it would like, but it is for sure better prepared. And so NIS2 brings a new level of responsibility for the energy companies and a new challenge, namely for the small companies that are not so prepared. So for sure it will be time to start thinking collectively and not individually. Otherwise they will be noncompliant with NIS2. Looking to the big companies and to all companies covered by the NIS2, for the first time NIS2 recommends cooperation as a pillar for cybersecurity. So NIS2 incentivizes European companies to cooperate on cybersecurity, and this goes straight to the DNA of an association like the ISAC: we are sharing information in order to be able to cooperate on actions and to be more effective on the decisions each member can individually take.

Another point that NIS brings, and it’s a challenge as well as an opportunity, is to make the management of the companies responsible for assuring the training and for assuring the resources to implement mitigation measures, which means that, once again, it’s an opportunity to share plans and strategies among companies in order to have an alignment in the approach on those challenges. So I would say that those 2 points are the main news that the NIS is bringing to the table, and it will be compulsory from next October 2024.

Andrew Ginter
So Nate, just a word of background here for people who aren’t necessarily tracking what’s happening in the European Union. NIS2 is the new, I don’t know, I’m even sure what it is, directive from the Union, from the Commission, to everyone about cybersecurity of critical infrastructure. It is not in and of itself a regulation. Okay, NIS2 does not say these power companies have to do those things. NIS2 is a requirement. It orders the member states to pass regulations, and it says you have to take these factors into account when you decide which of your, you know, power providers and other critical infrastructures are critical. You have to pass laws that have these kinds of characteristics. And, you know, it’s called NIS2 because NIS happened a few years ago, was the same thing, ordered the member states to pass laws.

Andrew Ginter
And so things are a little bit different in every member state. And the new regulations, the new NIS2, has got broader strokes. You know, as Aurelio said, more smaller utilities are coming into scope in the very broad brush of nis I and of course in the individual national regulations that will come about because of it. You know, the other one, the network code for cybersecurity: this is something that’s newer than NIS2. It’s still being created, but in my understanding it’s analogous to North American NERC CIP 012. You know, the NERC CIP family of standards has, I don’t know, 14 standards in it. 12, yeah, is one of the things. 12 talks about it. They use very technical terminology in 12, but it’s loosely interpreted as requiring encryption between control centers. You know, the control centers are the places, the systems, that control large chunks of the power grid, and when they talk to each other about how much extra capacity they have, how much power is flowing through them, you know, all this real-time communication, CIP 12 roughly requires encryption. I’m guessing the same thing is coming in the new law in Europe, because increasingly the European power grid is integrated. There are, you know, there’s electricity being sold from 1 nation to the other.

Every nation tends to have its own control center, and of course now they’re all increasingly talking to each other to facilitate these international flows and exchanges and, you know, purchasing and selling of power. So it’s a complicated space.

Andrew Ginter
So NIS2 is going to change a lot. I mean, member states are passing their regulations right now to comply with the directive. Is the ISAC involved in, you know, creating or, I don’t know, influencing this regulation?

Aurelio Blanquet
You talked about the NIS2, but as I said previously, last week the public discussion on the network code for cybersecurity was open for discussion. And it’s also a very important piece for the cybersecurity world in Europe, and the association also was able to comment and to deliver a position paper to the Commission. And as well as it did with the NIS2, the association has usually 3 main concerns, if I might say, when we look to the legislation. And usually we start working within the working groups that are responsible to write the legislation, but when we look to the final documents, what we look for is to check the consistency of the legislation, and the consistency at the document level. For instance, when we looked at the NCCS, we saw some inconsistency, some potential inconsistency, in the way the document described a cyber incident or a cyber attack. And this is something that cannot be misconfused, and so what we do in this case is to comment and ask the Commission to make clear the concepts and the terms that they are using in the legislation, which usually is already complex enough to risk being misconfused.

The second one is about efficiency, and efficiency means to avoid redundancies and leverage on existing work or on existing technology. So the same way that NIS2 was built up from the NIS, the NCCS, when it was published for public comments, was written in the moment where other pieces of legislation were already in place, and we must assure that it is not going to invent or reinvent the wheel and put other rules besides the ones that are already in place or are going to be in place, and risk imposing double lines of action that will be useless and inefficient.

And the third, last but not least, is the time to action. What we try to see and comment on is if the time to make it possible is suitable or not. And for instance, going back to your first question about the NIS2, 1 criticism that most of the sector puts is that it will be very difficult, if not impossible, to assure that companies are ready for NIS2, you know, October of 2024, if we think that most of those companies now covered are small. They don’t have resources, neither financial nor in people. They don’t have mature teams in terms of cybersecurity, and even if they have the money, they are going to face the shortage of skills that we are facing in Europe and worldwide when we talk about cybersecurity, which means that there is not talent enough in Europe to assure the resources we need to fulfil what the NIS2 requires. But this is a challenge.

This is an opportunity for cooperation, and it’s true that we need to move forward. Otherwise we will be as weak as the weakest link, and it will not be conceivable in European terms.

Andrew Ginter
Um, okay, so sharing actionable intelligence, you know, working with X government authorities to try and influence legislation so that it, you know, doesn’t mess things up too badly with inconsistencies and whatnot. I understand as well that the ISAC hosts face-to-face meetings. In those meetings, I mean, what do you accomplish? What do you do face-to-face that doesn’t happen through your portal and through these, you know, letters that you send to governments?

Aurelio Blanquet
Okay, thank you for your question. It’s a quite relevant one. We can split the face-to-face meetings in 2 types. The first one is face-to-face meetings with members, and the face-to-face meetings with the members are mostly to share non-disclosable information. There is no way to share non-disclosable information unless you make a face-to-face meeting, because this information usually is not even written. The second one is with non-members, which can be prospective members or intending members. And in this situation the face-to-face meeting is critical to build trust. This information sharing is only possible if you do it in a trustable community, and a trustable community is more than a group of people that you know by name and by affiliation to an organization. It is people that you need to look in the eyes, and you can identify yourself at a level that allows you to share and get back useful information to yourself. And so I would say that face-to-face meetings for members are critical to keep the trust and to share non-disclosable information. For non-members, the face-to-face meetings are critical because they are the first seed to build trust, and without them we would lack the most critical value of an ISAC, which is trust.

Andrew Ginter
Well, this has been good. Ah, thank you, Aurelio, for joining us. Before we let you go, can you sum up for us, you know, what should we be taking away about working with an organization like the European Energy ISAC?

Aurelio Blanquet
Thank you for your question, Andrew. Well, I would say that there are four main takeaways that I would like to share with you. The first one is that active information sharing in a trusted community is a powerful, a very powerful pillar, if not the most powerful pillar, in a successful cybersecurity strategy. The second one is that capabilities are, by the end, the outcome of knowledge and experience, and through an association like the ISAC, when you share knowledge and you share information, you are able to improve both knowledge and experience and get more capable to face the cybersecurity challenges. The third one, almost as a consequence, is that through cooperation we will for sure reach farther than if we stay alone in this challenging cybersecurity world. And last but not least, what I can say is that if someone is listening and is working in the energy sector and is not yet a member of the European Energy ISAC, or even of an energy ISAC in his own country, don’t wait more and join us, because it’s more than ever time to act together. So look to our website, get in touch, and we’ll be more than pleased to get you on board. And thank you, Andrew.

Nathaniel Nelson
That was your interview, Andrew, with Aurelio Bla... I forgot how to pronounce his last name. So, Andrew, that was your interview with Aurelio Blanquet. Do you have anything to take out our episode with?

Andrew Ginter
Yeah, you know, Aurelio pointed out sort of 3 priorities for the ISAC: you know, active information sharing, developing capabilities, and knowledge & experience. He pointed out that cooperation makes us all stronger and, you know, NIS2 is requiring cooperation among critical infrastructures. And NIS2 is, you know, not saying you have to go join the Energy ISAC, but it’s saying you need to cooperate. You know, we need to be stronger, and here’s an opportunity to do that. I mean, it’s a truism that our enemies cooperate. You know, nation states cooperate against us with their allies. There’s a dark web where criminals cooperate, where they share information. They buy services from one another. We need to do the same. We are stronger together. They are stronger together. We need to be stronger than they are. Um, so it all makes sense to me.

Nathaniel Nelson
Well, thanks to Aurelio for speaking with you, and Andrew, thank you for speaking with me today. This has been the Industrial Security Podcast from Waterfall. Thanks to everyone out there listening.

Andrew Ginter
It’s always a pleasure. Thank you Nate.


The post Building Trust to Cooperate at the EE-ISAC | Episode 117 appeared first on Waterfall Security Solutions.

Securing a European TSO https://waterfall-security.com/ot-insights-center/power/cybersecurity-for-a-european-tso/ Mon, 04 Dec 2023 07:28:37 +0000 https://waterfall-security.com/?p=14308 Protecting a regional Transmission System Operator (TSO) in Europe from outside cyber threats.


Securing a European TSO

Defending a regional TSO in Europe from cyber threats
European TSO Case Study
Customer:

A leading European TSO

Customer Requirement:

Cybersecurity protection of critical industrial equipment and control systems within a highly sensitive operating environment involving the regional transmission of electricity. The solution must also secure the collection, storage, and transfer of data from OT to IT and the cloud, as well as secure connectivity to 3rd party solutions such as those providing real-time holistic monitoring and asset management.

Waterfall’s Unidirectional Solution:

Waterfall’s Unidirectional solutions secure a grid’s industrial cyber perimeter from external threats while providing real-time enterprise visibility. Waterfall’s Unidirectional Security Gateways protect all industrial control systems (IED, Protective Relays, RTUs in Substations, SCADA DMS/EMS) with an impassable physical barrier to external network threats, while enabling enterprise access to real-time production data.

Transmitting Electricity While Containing Remote Cyber Threats

The energy industry has become increasingly prone to cyber attacks. Remote cyber attacks on electric transmission infrastructure can result in severe disruptions to society, as well as create life-threatening scenarios for hospitals and urgent care facilities. Repeat disruptions can severely damage economic confidence and hurt a region’s world image.

The challenge

Protecting industrial control systems from external cyber threats without hindering access to real-time operational data, with the end-goal of securing the safe, reliable, and continuous operation of regional electrical transmission.

Waterfall’s solution

A Waterfall Unidirectional Security Gateway was installed between the PI Production Server and the PI Server on the Commercial IT network.

European TSO Case Study - Replicated Pi Server

The Unidirectional Security Gateway provides a continuously updated replica of the PI Production server, so that the PI Server on the commercial IT network is only accessing the replica copy of the PI Production server. The actual PI Production server itself has no direct contact with the commercial IT network and data only flows out of the PI Production Server.

Results & benefits
  • 100% Security: With Unidirectional Security Gateways, the PI Production Server is now physically protected from any threats emanating from the regular IT network or the cloud.

  • 100% Real-time Data Visibility: The commercial IT network continues to operate as if nothing has changed. Instead of accessing servers on the critical operational network, users on the commercial IT network now access real-time data from replicated servers, with all the informational and analytical requirements.
NIS2 Compliance for ICS https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/nis2-compliance-for-ics/ Tue, 17 Oct 2023 11:57:28 +0000 https://waterfall-security.com/?p=12889 The NIS2 Directive is a directive by the European Parliament on the measures that need to be taken for a high common level of cybersecurity across the European Union.


NIS2 Compliance for ICS

What are the main takeaways from the new NIS2 Directive and what are the main requirements for compliance?

Waterfall team

NIS2 compliance cheat sheet

The NIS2 Directive is a directive by the European Parliament on the measures that need to be taken for a high common level of cybersecurity across the European Union. The NIS2 Directive replaces the previous NIS Directive (EU Directive 2016/1148) and aims to improve the security of crucial services by protecting the networks and information systems of critical and important entities across the EU.

The NIS2 Directive applies to a wide range of organizations, including:

  • Essential entities: These are organizations that provide essential services, such as energy, water, transport, and financial services.

  • Important entities: These are organizations that are not essential entities, but that could have a significant impact on the economy or society if they were to be disrupted by a cyberattack.

  • 3rd parties: Providers and suppliers that want to work with entities that provide essential or important services such as the above two.

The NIS2 Directive applies to “Essential” entities, “Important” entities, and 3rd party providers/suppliers that want to work with those “essential” and “important” entities.

Cybersecurity Measures Required by the NIS2 Directive

The NIS2 Directive is a complex piece of legislation, and there are several different ways that organizations can comply with it. However, the key principles of the directive are risk management, incident response, vulnerability management, security awareness training, and supply chain security.

  • Risk management: Organizations must identify and assess the risks to their networks and information systems. This also includes designating a person or team responsible for the decisions that need to be made regarding risk, with the blame falling on them if something goes wrong.

  • Incident response: Organizations must have a plan in place to respond to cybersecurity incidents within 24 hours of the incident. NIS2 also requires organizations to report certain types of cybersecurity incidents to their national authorities.

  • Vulnerability management: Organizations must identify and patch vulnerabilities in their systems in a way that is appropriate for their devices and networks. This use of the term “appropriate” is somewhat ambiguous and it is probably best to err on the side of caution and provide more protection instead of less protection whenever there is any doubt.

  • Security awareness training: Organizations must train their employees on cybersecurity best practices. Sometimes the most secure networks can be compromised by an employee clicking on a phishing link or using a weak password. These issues can be greatly mitigated if everyone with access has a good understanding of the types of threats that exist and how to avoid them.

  • Supply chain security: Organizations must also ensure that their 3rd party vendors are taking appropriate cybersecurity measures. This means that not only does the entire internal operation need to comply with NIS2, but also any 3rd party vendors that provide products or services need to comply too.

Overall, the NIS2 Directive represents a significant step forward in the fight against Europe’s cyber threats. By requiring organizations, and their supply chains, to implement stronger cybersecurity measures, the directive will help in protecting critical infrastructure and other important assets from cyberattacks throughout the European Union.

 


]]>