The Voice of Cyber®

KBKAST
Episode 286 Deep Dive: Dean Frye | IT, IoT And OT Security As A Business Continuity Problem
First Aired: December 18, 2024

In this episode, we sit down with Dean Frye, Solutions Architect at Nozomi Networks, as he discusses the complex landscape of IT, IoT, and OT security challenges.

Dean delves into the critical importance of avoiding an “us vs. them” mentality between IT and OT teams, and how security interruptions can severely impact business continuity. We explore industry-specific vulnerabilities, such as those in factory chicken farming and Tasmanian salmon farming, and emphasize the necessity for executives to have a deeper technical understanding of cybersecurity. Dean also highlights the value of telemetry and real-time reporting, the evolving role of cloud solutions in OT environments, and the importance of a well-integrated, multidisciplinary team to effectively manage cyber risks.

Dean Frye is a Solutions Architect for Nozomi Networks in Australia and New Zealand. Dean is an experienced security professional with a demonstrated history of providing compliance strategy, pragmatic risk mitigation, security project delivery, threat abatement and vendor interface solutions with a significant commercial background. Covering more than twenty years, his previous roles span consulting and senior leadership, including a stint at Armis as solutions architect, and another tenure at Cisco as director of security for the APJ region.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Dean Frye [00:00:00]:
I think the CSO needs to be responsible for bringing the right teams together, having the right skills in the room, and importantly, ensuring that there is not an us versus them mentality on either side of the fence. And that fence being the fence that divides the OT environment from the IT environment.

Karissa Breen [00:00:32]:
Joining me today is Dean Frye, solutions architect from Nozomi Networks. And today we’re discussing IT, IoT and OT security as a business continuity problem. So Dean, thanks for joining and welcome.

Dean Frye [00:00:48]:
Thank you, Karissa.

Karissa Breen [00:00:49]:
Okay. So Dean, I really want to talk quickly, maybe about interruptions that perhaps are caused by IT or OT, which can therefore derail a business, which we have seen in recent times. So I’m keen to get your thoughts on this.

Dean Frye [00:01:05]:
Absolutely. So I suppose the easy but somewhat boring way for me to answer that question would be to talk about Colonial Pipeline or refer back to the CrowdStrike incident a couple of months ago. Indeed, had that CrowdStrike incident been a manifestation of an inability to detect a campaign, the outcome could likely have been the same. As it turned out, it was a failure of a primary control itself. But, you know, the unavailability of process control and process instrumentation can manifest itself really, really quickly. And it actually doesn’t matter whether the trigger was cyber or not. As a backyard chook breeder, I’m not necessarily particularly fond of factory farming of chickens, but the reality is that that’s an important protein source for a lot of Australians.

Dean Frye [00:01:52]:
Now you would think that as long as chooks have food and water, they’re pretty much good to go. But actually, the stocking density is so high in those sheds that a failure of temperature sensors, ventilation controls, the power monitoring of the extraction fans, and all of these things mean that if the correct ventilation and temperature is not maintained in those sheds, chickens die very, very quickly because the temperature increases very, very quickly. And chickens are an animal that has quite a lot of difficulty regulating body temperature. For the pescatarians that enjoy their farm salmon from Macquarie Harbour in Tasmania, that industry operates on a fairly thin social licence. And one of the important elements there is to make sure that feed is not leaving the holding pens and falling to the floor of the Harbour. Well, that system is controlled by technology. Small data centers really residing on floating barges and controllers and light sensors that look at how far the feed is falling through the pen before the fish consume it. So, you know, again, another example of where if the process control instrumentation cycle breaks down and the feeding cannot be controlled very quickly, you’ve got an environmental incident that can threaten the viability of the whole business.

Dean Frye [00:03:13]:
You know, you can go on and on. We had a specific example recently in South Australia in the beef industry. Steers, so male cattle, a year or 2 old, they’re very heavy and they’re very dangerous. They get very agitated after being herded into trucks from their lovely paddocks, pushed into saleyards, back onto a truck again, and then sent to an abattoir. They have to be pinned very quickly. A worker has got to be able to scan a barcode in the ear if the receiving controller for that data is unavailable. In this particular case, the session was constantly restarting and the process was unreliable. Humans have to intervene, and the last thing you need is, you know, humans in a pen with an angry 600 or 700 kilo animal.

Dean Frye [00:03:58]:
So those are sort of 3 different examples in the food industry of how quickly safety, availability, and even business viability issues can manifest and derail businesses.

Karissa Breen [00:04:09]:
So I have to ask more of a, perhaps, a rudimentary question. Would you say that people, meaning the community, everyday people that we walk past in the street, just assume that things just work? And then when they don’t work, it’s complete chaos that then gets unlocked. So we saw that, of course, in the CrowdStrike incident, how quickly it was a domino effect on how much people were impacted. What do you think that people perhaps oversee when it comes to business continuity?

Dean Frye [00:04:38]:
Well, you know, you mentioned CrowdStrike again. The number of single points of failure that we’ve got and the fragility of some environments probably is a reflection upon that. This might be a little controversial to say, but I talk to a lot of executives, and it seems to me that fewer and fewer of the senior executives that are making decisions about implementing security controls and buying down on risk are the sort of older engineers that have been in the business for 30 years and understand fundamentally how everything works. They tend to be more MBA types that are, I’m sure, brilliant business analysts and businessmen, but just don’t necessarily understand what keeps business ticking over day after day. And perhaps they’re less able to quantify and fully understand the manifestations that might occur if a cyber breach interrupts an intrinsic part of the business.

Karissa Breen [00:05:42]:
Okay. That is a very interesting observation. So, okay, I wanna get into this a little bit more. I mean, you make a great point. So that’s like me, you said before you do, like, farming for, like, chickens and stuff. That’s like me trying to advise you on how to do that effectively from what I’m hearing, from what you’re saying in terms of drawing a parallel. So I take your point around some of perhaps people a little bit old hat in terms of the executives.

Karissa Breen [00:06:05]:
But what do we do from now to ensure that these executives are equipped to understand the landscape to prevent some of these things from happening? Now, it’ll be a sense. It could be, well, we’re gonna wait until the few move on. They, you know, they retire. We fire them. But again, what is it that perhaps a CISO or security, you know, executive could perhaps start to relay in terms of getting these people to really understand what they’re dealing with?

Dean Frye [00:06:34]:
Well, I think they’ve got to build a quorum, a group of stakeholders that brings an intersection of technical and critical thinking with business acumen. In my line of work, we typically deal with a varied set of stakeholders. Every organization has risk and compliance people. They’ve got some information security cyber guys that typically only understand the carpeted side of the business, not the concrete floor side of the business, if I can refer to it in that way. You’ve got the systems owners, the guy that is responsible for the electricity system, or the water system, or the cotton baling plant that understands how all that stuff works, but has no idea about corporate risk frameworks, no idea about information security, no idea about network operations and continuity. So I think the CISO needs to be responsible for bringing the right teams together, having the right skills in the room, and importantly, ensuring that there is not an us versus them mentality on either side of the fence. And that fence being the fence that divides the OT environment from the IT environment.

Karissa Breen [00:07:45]:
Where do you think the us versus them mentality stems from?

Dean Frye [00:07:49]:
I think these are probably teams that have just never had any day to day engagement with one another before. They’ve passed each other in the car park sort of thing, and that’s been the extent of it. And they don’t understand one another’s world. You know, operationalizing cyber controls is incredibly difficult. And people tend to think that it’s just about the breach and the campaign that it’s related to, the ransomware, etcetera, and that’s it. But there’s a lot more to it. Routing the right data to the right person at the right time to make the right decision is really hard. And it’s especially hard in some of the bigger industries in Australia.

Dean Frye [00:08:26]:
I mean, Australia has a massive mining industry. How do you do repeatable, reliable, robust OT cyber operations with a FIFO workforce? It’s really quite hard. And the data that these platforms produce is not just threat data. It’s change and anomaly data. The sort of precursors to the bigger problems. It’s health and hygiene data. It’s, you know, giving the platform owners, the CSO, and the other stakeholders information about risks and quantifying those risks, and giving them data that they can use to make decisions about whether or not they remediate this risk or other. And, you know, work through scenarios that could actually exploit those risks and result in an unfolding OT cyber catastrophe.

Karissa Breen [00:09:15]:
Yeah. Look, you raise a great point, and I do agree it is a hard thing to do. It’s not so binary. It’s not such a, you know, obvious answer. It’s complex. It’s complicated. It can be convoluted at times. In terms of your experience, though, like how do we best move forward? Because I mean, I’ve interviewed probably 300 plus, 400 people in my time about a range of things.

Karissa Breen [00:09:37]:
And there is still a common undertone around someone who doesn’t understand, don’t have the budget. It needs to be more awareness. It’s still the same sort of things that are being told. But then how do we actually get to the point where we’re getting people at the top that do understand it? Now, in saying that, you know, I’m not a finance expert, but, you know, I run my own business. I have to have some knowledge of that. Would you say that executives don’t really have, or not all executives, but some of them don’t have any fundamental cyber security knowledge, because in this day and age, you need to have some sort of understanding of that. And then as a result of that, we’re having a lot of these issues which we had just discussed. And I mean, I know it’s a little bit more complex than that, but if we just focus on this one problem.

Dean Frye [00:10:20]:
I talk very regularly with executives in customer organisations that want me to explain to them how they can become conformant with the SOCI Act. And relatively frequently, I get the distinct impression that the individual has no idea what is actually contained in the SOCI Act, and doesn’t understand that the technical controls will assist or meet less than 50% of the patterns that are sort of described there. And I often sort of refer people to the Australian Energy Sector Cybersecurity Framework because it’s such a brilliant framework. It’s ideal for organisations that are aspirational and have the self awareness to know that they’re not going to be entirely conformant. The self assessment framework in there is just brilliant, and it’s relatively easy for an organization to undertake, again, with the right people in the room, from the right sort of areas of the business. And so I just think that coming from a position of being, you know, well informed, understanding what’s practicable, what’s realistic, and that these are often multi year pieces of work is important. You simply can’t pick up a phone and talk to a vendor about being SOCI conforming. It just doesn’t work like that.

Dean Frye [00:11:46]:
In the same vein, you can’t apply the ASD Essential 8 to industrial automation and security. And I’ve had customers tell me that that’s what they wanna do. It’s just completely irrelevant as a control set for the sort of environment that we work in.

Karissa Breen [00:12:02]:
Okay. I wanna sort of flip over now and focus on, again, business continuity, and something that I am hearing a lot kind of in interviews would be in terms of, like, even a manufacturing business. Like, if that stops running, how much of an impact that has, how much of a domino effect that has. So I really want to get a bit of an understanding from yourself. How quickly does that, if you can give me an example of an industry, how could the domino effect occur? Because yes, we had stated the CrowdStrike thing. It probably will happen again. But again, I think what’s really interesting in this question is how many other supply chains, businesses, everyday people are really impacted by something that basically brings our whole nation or world to a standstill for a period of time?

Dean Frye [00:12:48]:
We’re very vertically integrated in Australia. Right? And organisations tend to try to manage that 3rd party supplier risk through 3rd party threat risk assessments and so on and so forth. Some of the TRAs that come across my desk are too generic and don’t really address the sort of consumption model, certainly in terms of cyber controls, if they’re pushing a TRA our way to assess us as a, you know, as a vendor. Of course, the huge part in supply chain risk really is cloud and how dependent we’re increasingly becoming on cloud. A lot of organizations simply don’t have an OT cloud strategy, and they too quickly write off cloud consumption for OT. And this is a huge mistake. So often, I go into environments where the compute that runs the industrial system is covered in an inch of dust. The switches are 15 years old and haven’t been patched.

Dean Frye [00:13:49]:
And these organizations are thinking that cloud is, in some way, shape, or form a risk to their business. Arguably, it’s gonna be cheaper, faster, more reliable, more secure, and more robust. Many of these sites, if you were to slap a Telstra logo on the side of the ute and put a Telstra shirt on, you’d walk in there unchallenged. They don’t even have physical or protective security in the environments that are hosting the on premise process control software. So, you know, customers need to start thinking about cloud seriously, and I think that’s a good example of where some improvements could be made.

Karissa Breen [00:14:26]:
Okay. So a couple of interesting things that I’m really interested to know. You said a couple of TRAs that come across your desk. You said they’re a bit generic. What does generic look like in your eyes?

Dean Frye [00:14:36]:
Oh, using the same threat and risk assessment for your OT security control vendor like Nozomi as you do for your supplier of earth moving equipment, or a TRA that is really written around the risks associated with enterprise software, not cloud consumption software.

Karissa Breen [00:14:54]:
And then you also mentioned before that customers need to start thinking about cloud seriously. I mean, I’ve spoken to a lot of the hyperscalers or major cloud providers. Would you say that people are thinking about it seriously, though? Like, and define seriously from your perspective as well.

Dean Frye [00:15:09]:
I’m talking about SCADA operations, process control operations and these sorts of things. These are still 90 plus percent on premise. They’re not cloud delivered and not cloud instrumented at all.

Karissa Breen [00:15:22]:
Okay. So then taking that point of view and that example in terms of, like, OT stuff, how can people start to think a bit more seriously about this to move away from the on prem model, would you say?

Dean Frye [00:15:34]:
Well, they’ve got to deal with the OEMs. I mean, the OEMs in OT have got a lot more clout than they do in other industries. When you go to Rockwell, Honeywell, Schneider, and you embed their technology in your business, it’s not like buying a Toyota, and you simply visit the dealer once every year for a service. It’s a very much closer, tighter relationship. And those vendors have all got strategies to help these customers embrace the advantages of cloud that do very much front and center include the security and privacy benefits of it. So the discussion really, I think, starts with their suppliers. I should also say that OT security for many years has been really an overlay. So technologies and companies like Nozomi have been going into what you might term a brownfield site and laying a set of controls down on an existing network in a passive way, and it’s still a very, very valid and viable approach.

Dean Frye [00:16:38]:
But the alliances are getting deeper and more technical. The security industry in the past has had alliances that tended to be what you might term meet in the foyer or meet at the SIEM. In other words, you deploy 2 or 3 different technologies together, and they all make each other work a little bit better, but they don’t fundamentally operate as one. These alliances are changing, and we’re building much deeper and more technical integrations with some of these OT platforms to help everything work a little more seamlessly and allow us to see more of the data that we want earlier on.

Karissa Breen [00:17:15]:
And just to define this a bit more. Why are people perhaps apprehensive around the cloud? Is it just we’ve always done it this way? It’s too hard basket. Don’t have the funds. Don’t know how to do it. Don’t have time to do it. What are sort of some of the reservations people have, would you say?

Dean Frye [00:17:29]:
Oh, look. I’m probably not the best person to address that question, but no, it’s doubtless all of the above, and dollars are a big part of that, I’m sure. You know, OT assets are not like IT assets. You dispose of your phone after 3 years, your laptop, etcetera. In the industrial automation world, the life cycle of these assets is more like 25 years, and they sweat them quite hard well beyond end of support. I don’t think anybody listening to this cast is probably listening to it on a PC that is out of support and no longer patchable. But in the process control world, it’s very, very, very common for the network layer, the compute layer, and indeed the automation process control layer to all have elements that are years past end of sale and end of support.

Dean Frye [00:18:21]:
And the reason for that is all financially driven.

Karissa Breen [00:18:24]:
And I’ve heard as well, like, some of these, like, controllers that are obviously very manual, not on the Internet, which makes sense from, like, a physical security point of view. But then also that they cost a lot of money as well. Like, I’ve heard, like, 25, $30,000,000 or something like that. I mean, you would probably know more than I would, but I’ve heard that a bit in interviews as well.

Dean Frye [00:18:40]:
They’re expensive, and a refresh of them is a difficult design exercise. But you make a comment about them not being on the Internet. Too often, the organization will think that they’re air gapped when they’re actually not. Now it would be rare for something like a PLC to be on the Internet, but it’s relatively common for something talking to a PLC to be either exposed to the Internet or talking out to the Internet. And indeed, that’s one of the things that we help customers improve upon. Network segmentation is the simplest, cheapest, and most effective primary control in OT cybersecurity. And so if you can’t get that right, then you’re opening yourself up for problems.

Karissa Breen [00:19:27]:
Okay. This is interesting. Okay. I wanna talk about this a little bit more. Would you say that in terms of network segmentation, would you say that people are just not even doing this at all in terms of it’s the cheapest, easiest, most, you know, fundamental way to improve, like, your security posture? But from the tone of your voice, I’m kinda getting the sense that perhaps people aren’t doing this.

Dean Frye [00:19:49]:
A lot of them don’t. I mean, there’s a reference architecture which is relevant to some industries called the Purdue or PERA model. That tends, as an example, to be very well followed in the electricity industry, just as an example. But in many other industrial environments, they just simply don’t segment, or the segmentations are ad hoc, or the segmentations are in place, but the access control rules between those segments are a little bit weak, or they’re not what they think they are. Change and drift is inevitable in any environment, and what was designed 10 years ago may not be reflected in today’s reality.

Karissa Breen [00:20:25]:
Would you say, in terms of getting to the cloud, like, moving, like, OT systems, like moving more into the cloud, to think about that seriously. Do you think you’ll ever get there though, in terms of everything that we just discussed? Things are expensive, you know, they run for a long time, etcetera. So it’s not like the easiest thing to do. We get that, but do you think we’ll ever really get there or if you had to sort of choose which camp?

Dean Frye [00:20:47]:
We won’t get there ever probably in entirety, but we can get there partially. But you can start by deploying cyber controls, cloud based delivery of cyber controls. We’ll retain all of the process control on premise, but just put a cloud based wrapper over the top of it, you know, to bring those controls together. As you would be aware, a lot of these API to API, cloud to cloud integrations ship data that’s available essentially for free, bring it together into one console, where you can start to build metrics and gain awareness around the cyber posture of the process control environment, give yourself a degree of assurance that the controls that you believe are in place are actually in place, and they’re also fully implemented. Too often, there’ll be a control that’s only 80% deployed. There’ll be a submarine asset that’s popped up, and it doesn’t have the endpoint EDR on it, for example. So getting rid of those holes is meaningful in terms of risk drawdown.

Karissa Breen [00:21:49]:
So speaking of assurance, going back to your point around, you know, controls, etcetera, not being air gapped, people thinking that they are, how does that conversation sort of go? And, like, what happens next?

Dean Frye [00:22:01]:
You’ve got to know what’s on your network. You can’t make decisions in the event of a breach without context. So you need to know what’s on the network, what its function is, what it needs to talk to, and that really gets to that segmentation discussion. You know, who do its friends need to be? And how do I keep the enemies away from it? Ultimately, all of that context is going to reduce the cost and scope of disruption should a cyber incident occur. And it’s going to allow businesses to make the decision about whether or not to pull up the drawbridge much more quickly. A lot of organizations think that they can just separate, you know, rip the blue cables out of the firewalls, and separate the industrial part of the business from the IT part of the business. And some customers can do that, and they know the impact. They’ve looked at that exercise, and they’ve planned for it.

Dean Frye [00:22:55]:
Others haven’t. And they don’t understand that actually reconnecting everything is often much more complicated than the mopping up of the cyber breach that caused the whole thing in the first place.

Karissa Breen [00:23:08]:
So would you say, in your experience, companies don’t really know what’s on their network? I think I know the answer to that, but I just really wanna hear your thoughts.

Dean Frye [00:23:16]:
No. They don’t. They just don’t. They don’t. It’s not only knowing what the assets are, it’s understanding the software risks that the vulnerabilities on those assets bring into the environment. When you look at the IT side of the business, larger organisations would typically have a CMDB, and they’ll have asset data and other bits of data in that environment. And typically, it’s 70, 80, 90 percent accurate and current. But when you get into the industrial side of the business, that very, very rarely exists.

Dean Frye [00:23:53]:
It’s often quite hard to get that data together. Boring pragmatics, like the fact that there are gonna be unmanaged devices in the process control environment, are examples of what makes that hard. So they don’t know what the assets are. They therefore can’t quantify the vulnerability risk. And if they don’t understand the normal communication patterns of those devices, they really just don’t know what’s going on. And all of that means that when there is a breach or a suspected breach, and let’s be honest, breaches are actually very rare in Australia in industrial control environments. But when there’s even a suspected breach, the context is just not available to help people make quick, fast, informed, and accurate decisions as to whether or not we can continue operating or whether or not there needs to be a planned shutdown or some form of remediation to reduce the potential blast radius of the problem.

Karissa Breen [00:24:44]:
Okay. This is interesting. So in terms of, as you know, people say, well, you can’t protect what you can’t see. Okay. Well, we understand that. But would you say, and I know you’ve sort of spoken on that a little bit more, would you say people are sort of perhaps hoping that something doesn’t happen? Do you think there’s a little bit of that going on in there? And I know that sounds really sort of, you know, airy fairy, but I think that from what you’re saying, it does feel like a rudimentary thing that people should do. I know it’s not as easy when looking at, like, the OT side of things, but do you think there’s a little bit more of hopefully nothing happens?

Dean Frye [00:25:19]:
Hasn’t happened in the past. The sun’s still shining today. So why is it gonna suddenly occur now? There’s a bit of that. There’s probably a bit of, oh my god. If I actually knew all the problems that were underneath me, I’ll have to do something about it. And so I’m better off being blissfully ignorant. You know, cost is a huge, huge issue.

Dean Frye [00:25:39]:
If we talk about critical infrastructure, you know, the water that gets delivered and the sewer that gets removed in major capital cities is done in a very reliable and robust way. And indeed, we protect a number of those environments. But you step outside into the rural and regional areas. A lot of this is done by councils. These guys are still absolutely smashed repairing roads from the floods 2 years ago. The idea that they’ve got money to do an OT cyber risk assessment on their freshwater network, their water supply network, or their wastewater network is just fanciful. So there’s always cost pressures.

Dean Frye [00:26:16]:
And that’s part of the reason why as a security vendor, you know, Nozomi needs to deliver more benefits to more people. We’ve gotta provide cyber data to the information security team, and we’ve gotta prevent threats landing and expanding, of course. But we’ve got to supply some telemetry data and some metrics to the OT systems owners. We’ve got to supply some troubleshooting data, some reliability, and some optimisation data to the network operations team. And we’ve got to roll all of that up in some way that’s really easy to consume for the risk and compliance stakeholders. So as, you know, as a vendor, we’re mindful of the fact that we’ve got to provide value to a lot of different teams to justify these processes and to grease the projects, make them easy, you know, to deliver, knowing that there are typically 1 or more resistant parties, or parties that are just pushed into a slightly uncomfortable area because they don’t know much about cyber.

Karissa Breen [00:27:13]:
So then you raised a great point, and I wanna get into the telemetry side of things. But before I do, you raised a good point around these guys are slammed, like the council workers, for example, or sorry, the councils in general, they’re fixing roads, etcetera. Would you say that in terms of the network and, you know, having visibility of your network, for example, that feels in their eyes like an invisible problem as opposed to, well, if I drive home from work, I can see the road’s broken. I need to fix that first. Do you think sometimes, you know, as much as being in IT, like, of course, these things are really important. But in their eyes, it’s like, well, the physical road doesn’t even work. So I really need to focus on that in terms of a priority.

Karissa Breen [00:27:52]:
No.

Dean Frye [00:27:52]:
I think that’s right. And quite often, you know, if you talk specifically about councils and water supply, the council will be using a 3rd party contractor to program and run those water systems quite often. So they don’t even have the skills on staff. That is an opportunity for that provider to sort of say, hang on. Well, let’s step up the maturity ladder a little bit here, and let’s lay some cyber risk mitigations over what we’re doing. And so I guess it’s an opportunity for those service providers and partners.

Karissa Breen [00:28:21]:
So now I wanna flip over onto the telemetry side of things. Now I was historically a security reporting analyst, so I’m quite familiar with, you know, reporting on telemetry, for example, and all other different facets of cyber security. And then you also said that doing this demonstrates value from, like, a vendor perspective, because, like you said before, budgets, so, you know, money’s always an issue. And I understand that. So obviously having the right reporting and telemetry to justify, hey, like, you know, why are you paying us money, for example? Give me an example of what good reporting telemetry, you know, even from a Nozomi perspective, looks like in your eyes.

Dean Frye [00:28:59]:
If I’m responsible for network operations, I wanna know about devices that have joined the network. I want that number typically to be 0 on my critical segments. I wanna know that there has been very little change. I wanna know that protocol adjacencies between devices remain the same. If I’m a process control owner, I may be concerned about critical temperatures or pressures or things that are abnormal, process tags that step way out of whack based on historical data. A lot of that stuff will pop up on the HMI. But as a cyber platform, we could bring some of that data together and put the network and cyber risk context together with the process control risk. If I am responsible for the security operations team, the people, the security operations function, I don’t necessarily care about the details of individual events or activities or alerts in the system, but I wanna know about dwell time.

Dean Frye [00:29:55]:
How long is it taking the team to review an alert or a piece of data and close it off? I wanna know potentially about the performance of vulnerability remediation. I might accept that it is impossible to remediate all vulnerabilities, and I’m not gonna look at the big numbers around vulnerability instances, but I might wanna know about those that are actually exploitable. In other words, they’re not just university theoretical research projects; there’s a known exploit in the wild. I might wanna know about systems that have a safety aspect to them, a human safety criticality, and the vulnerabilities on those. So I’m gonna cut and shut all of that data up so that I can make decisions without worrying about all the details. So those are some examples of different sorts of data points that different roles in the organization might wanna be receiving.

Karissa Breen [00:30:45]:
Do you think as well that perhaps people that are maybe reading the reports, and again, like, I can speak on my experience of doing this. Sometimes the report gets sent, for example, then it gets stuck in someone’s inbox, unread. Too much stuff going on, because I’ve often seen, and maybe you would know a little bit more about this, people just reporting on too much stuff. So it’s like, all of this stuff, here it is. But it’s like, what’s really important to me? And I guess you could say, well, you could tailor things and you can, you know, understand what’s important to the business, etcetera. Do you think that sometimes people just do reporting for the sake of reporting without actually deriving any real value or insights from that reporting?

Dean Frye [00:31:20]:
I do. We’re moving away from reports. Very few of our customers are receiving emailed reports from our platform. We give them a real time view. Again, this gets back to the operationalization challenge, what’s important, etcetera, etcetera. Nozomi is hugely stepping up here with more and more. We’ve got effectively a co-sourcing relationship with the customer. In other words, we’ll either stand behind them and support them constantly on keeping the platform running, doing all the fundamentals, or we’ll stand in front of them and help triage some of the data so that their limited man-hours budget is applied to doing important work, not maintenance work. Quite often, I’ll ask customers to be realistic about their budget. And that’s not a dollar budget, it’s the FTE budget. Because if you want to deploy the Nozomi platform, for instance, and you say, I’ve got one full time equivalent, that will set the platform up very, very, very differently to if you say, I’ve got 2 hours per week to be allocated to this. And it’s that sort of 2 hours per week sort of energy allocation that is more likely to be consuming a report.

Dean Frye [00:32:27]:
In the cloud based consumption model of our product, we try to move away from alerting, as an example, and provide the analysts with data insights. So we’ll show them things that the automated data analysis engines have found. And if they find them interesting and they click on them, then we’ll produce more of those. And if they just dismiss them as irrelevant, then we won’t put that data in front of them again. So that’s just an example of what we’re trying to do to improve the human efficiency of running the security controls, and shifting away from reports is a part of that, as I’ve indicated.

Karissa Breen [00:33:04]:
So what do you do? You said before, depending on the FTE, if it’s 2 hours or 8 hours. What do you do when someone’s optimistic and they’re like, hey, Dean, I think I can commit to 8 hours a week, but in reality they’re doing 30 minutes a week? How does that sort of conversation go? How do you sort of make sure, like, okay, well, you said, hey, now you’re not doing that, so we now need to change things? Have you seen that? And if so, how does that work?

Dean Frye [00:33:25]:
I can tell pretty quickly when a customer is not using the platform. You would think that a happy, successful customer would not open any support cases because they wouldn’t have any problem. This is just an example. Actually, the opposite is true. An engaged customer always has questions about things that they don’t fully understand. They will contact support to understand what a new feature does or something of that nature. So on the back end, I can see all of this data. And customers that don’t open support cases, I tend to pick up the phone and call. As I indicated, we’re doing a lot more work to help them run the platform so they can focus on the organisation-specific data that no third party will ever fully understand.

Dean Frye [00:34:04]:
We’re never gonna know what’s cabled to what and what the firewall rules are in a factory or an abattoir or something of that nature. So that’s where the customer needs to spend their, you know, their time, on the specifics that they know and that we will sort of never understand.

Karissa Breen [00:34:21]:
And I’m also curious to know, like, generally speaking, from what I understand, probably from people in the industry, there’s a lot of, like, oh, we set and forget, bought this product, don’t open it, I don’t know if, you know, they utilized it properly. I don’t know. The guy that bought it left the company 4 years ago and they’re still paying for this. I’ve heard a lot of that from customers. So I’m just curious, if you zoom out from, like, a vendor landscape, how do people get to the point where, to your point, like, well, I know if someone’s not leveraging the platform, they’re not calling us up and support and everything like that. Like, how could people sit there and think, this company is paying for our product or our technology, and no one’s gone into the platform, for example, for 4 years?

Dean Frye [00:35:00]:
I’m extremely disappointed when that occurs. And a fair chunk of my time is spent ensuring that it does not occur. You know, when you spend money with a vendor, you need to fully consume everything that they provide. And those different stakeholder groups have got to be receiving value from, you know, from the platform. Automation is important, but making the data relevant and getting the right data to the right people is something that we, and particularly our delivery team, focus quite heavily upon. Our churn rate is very low, and we spend a lot of time making sure that we remain relevant and of interest to our customer base.

Karissa Breen [00:35:40]:
So, Dean, do you have any closing comments or final thoughts you’d like to leave our audience with today?

Dean Frye [00:35:45]:
We’ve talked about a few different areas here. We’ve talked about the technology a bit, the problem a little bit. We’ve talked about co-sourcing and the importance of partners in all of this. At the end of the day, we’re a technology vendor, and there are certain trends that we see. Those sorts of trends, I think, are going to include the importance of understanding the radio space as an attack surface. That currently is not really the case. We’re not just talking Bluetooth and Wi-Fi here. We’re talking LoRaWAN, drone control protocols, 4G.

Dean Frye [00:36:19]:
In some environments, you wanna know when radios are appearing and disappearing in the environment. You’re not gonna care about that in a retail space, of course, but you may very well care about that in a transport environment or in a mine site, as an example. We talked a little bit about the way relationships are changing between technology vendors, particularly when they’re deployed in a cloud based model. And with the automation OEMs, I think we’re gonna see a lot more embedded security controls on devices like PLCs and the like to allow them to extract telemetry from very close to the absolute core of the industrial automation environment. And I think as well there’s an argument for some active intervention. To date it’s been extremely rare for any sort of active blocking or intervention to occur in an industrial network. I think that possibly will change. It’s obviously been commonplace in the IT side of the business for 30-plus years.

Dean Frye [00:37:22]:
It’s almost nonexistent in the OT side. And I think we’re gonna see that change, not quickly, but I think we will see that change very soon.
