The Voice of Cyber®

KBKAST
Episode 269 Deep Dive: Sam Mackenzie | Critical Infrastructure Defence is Doable
First Aired: July 26, 2024

In this episode, Sam Mackenzie, cybersecurity committee member from the Australian Computer Society, sheds light on the crucial aspects of protecting essential services from cyber threats. Offering valuable insights, Sam emphasizes the need for good practice, sharing learnings, threat intelligence, network segmentation, and clear communication of risk to address leadership challenges. Sam highlights the challenges and importance of protecting society from cyber-physical outcomes, the evolving threat landscape for professionals in critical infrastructure, and the significance of defending against social engineering attacks.

Sam speaks straightforward cybersecurity and technology with business leaders in critical infrastructure. With 25 years’ experience at international corporations and household names in Australia, he’s created and led high performance teams in health, telecoms, energy and more recently in local government, focusing on using structured thinking and making the complex simple.

Sam’s recent research project involves interviewing leaders of critical infrastructure in Australia to gain valuable industry insights. Sam also serves on the Cybersecurity Committee for the Australian Computer Society (ACS) and is building a new community of driven professionals, passionate about protecting critical infrastructure and keeping society safe.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Sam Mackenzie [00:00:00]:
If we do the basics right, we follow good practice, we work together and share our learnings, we have good quality threat intelligence and share that across the communities, have strong network segmentation, monitoring awareness, then we can really work together to address this leadership challenge. The other key thing is really around how we articulate and communicate risk to make sure that operational technology and our essential services are getting the spend and need to be protected, and that we rigorously manage that risk to ensure our IT and OT systems, but particularly the OT, the crown jewels of our networks, are getting their fair share of protection and spend.

Karissa Breen [00:00:56]:
Joining me today is Sam Mackenzie, cybersecurity committee member from ACS, also known as Australian Computer Society. And today, we’re discussing Critical Infrastructure Defense is Doable. So, Sam, thanks for joining, and welcome.

Sam Mackenzie [00:01:08]:
Thanks for having me, Karissa. Yeah. Really excited to be here.

Karissa Breen [00:01:11]:
So, Sam, I’m aware that you’ve been conducting some research specific to cybersecurity for critical infrastructure, which is, you know, things that you you care about. So I wanna discuss maybe some of your insights and your findings. So maybe give a little bit of a context, a little bit of background, what you’ve been up to.

Sam Mackenzie [00:01:28]:
Yeah. Sure. So I’ve I’ve gained interest in the area having spent most of my, 25 year career in in health, energy, and telecoms. So, yeah, I’ve been conducting research where I’ve spoken to over 50 business leaders, engineers, and cybersecurity professionals. And, yeah, there’s some really interesting sort of I’m looking forward to sharing today around, you know, how how that works and that feedback.

Karissa Breen [00:01:49]:
Yeah. Sure. Okay. So you okay. I’m gonna read a statement that you say, as a nation and globally, we’ve sleepwalked into a complex situation. So talk to me a little bit more about this. What does that mean?

Sam Mackenzie [00:02:04]:
Yeah. Sure. Perhaps not the most elegant of terms, but I do feel like we’ve sleepwalked into this situation. So the results from my research are really around that there’s a leadership challenge, and it’s not really anyone’s fault. But we’ve just, like, walked into the situation where we’ve connected all our critical services. So the electricity networks, telecommunications, health, and water assets, effectively, many of the things and most of the things under Australia’s Security of Critical Infrastructure Act, the SOCI Act, and we’ve done this for really good reasons. But over time, you know, collectively, organization leaders, practitioners, executives, and the boards all around the world have been enabled by technology and great vendor offerings, and that has created this demand for connectivity and the benefits that come along with that. So the benefits in regards to, you know, operational efficiencies, data and insights, and managing resources more effectively.

Sam Mackenzie [00:02:57]:
So there’s really good reasons why we’ve done it. But now that we’ve done it, we’re in a situation where our essential services are all connected, and that’s changed the risk profile for their critical infrastructure organizations from from households in the past.

Karissa Breen [00:03:10]:
So is that what you mean by we’ve sort of just sleepwalked here, in terms of what I mean by that is now there’s a lot of interdependencies. Right? Everything’s connected. If there’s a problem with one, there’s sort of a downstream impact on the other. Do you think people are aware of this, though?

Sam Mackenzie [00:03:23]:
I think perhaps not so much. I think, definitely, the public is is is not really aware from the research that I’ve done. You know, and if we if we boil it down, so the level of risk is introduced. So the technology that we’re talking about is referred to as operational technology or OT. It’s the tech that controls sort of the actuators in water pumps, the valves in high pressure gas pipes, and the circuit breakers that that run our electricity network. All of those are connected to a control room somewhere for these critical infrastructure managing organizations. And the flow and effects, you know, and requirements from executives or leadership to be efficient is that we’ve connected those devices back up through the control rooms and into the information technology network, into the IT network. So IT and OT is now connected, whereas previously it wasn’t.

Sam Mackenzie [00:04:10]:
So that’s changed the risk profile in that those networks are now, to some extent, at a quite different risk level than what they were in the past.

Karissa Breen [00:04:18]:
Okay. So there’s a couple of things in there which you said was interesting. I just wanna go back a step. You said, from the research that you’ve been conducting, you know, the public aren’t aware of the connectivity. So what are they currently aware of, would you say? Like, what’s the level?

Sam Mackenzie [00:04:31]:
I think the expectation is that when you turn a light switch on, you know, it works. It’s a utility, and it functions, and and similarly with the water and and our gas services. However, the that risk profile that I’m talking about that’s changed, these interdependent networks, this connectivity, I think, is is mostly invisible to the public. And and I think the risk profile in regards to how that’s changed, you know, what I call the parents of risk, you know, finance and safety risk, have been developed over the past 350 years in corporate environments. We understand quite clearly the terminology, the probability, the likelihood of those risks occurring and what impact they might have. However, cyber risk now that is quite clear is happening, is only about 15 years old. So it’s quite a lot younger. We haven’t really got the metrics to deal with that, to highlight that risk right up through to the executive to make sure it’s getting the focus that it needs to have, like, say, finance and safety risk and and and how that’s been developed over over over time.

Karissa Breen [00:05:32]:
So you mentioned the risk profiles change, which makes sense, around IT and OT now being connected and integrated, for example. So what are we doing about it? We meaning the industry?

Sam Mackenzie [00:05:42]:
There’s a lot happening in the industry. You know, there’s technology, there’s regulation from clients coming in. So the Australian government’s making great steps towards highlighting this and requiring critical infrastructure organizations with obligations and compliance objectives. Part of it sort of getting back to that that point you made about the public and the awareness. I think the stuff that’s been in the news, particularly in Australia, in the last couple of years is really around privacy breaches. So, you know, some information here and there, people’s accounts, financial data, certain orphan health records. Now that’s really harmful for the people that are involved and, you know, I’ll lament, you know, the fact that people have had to experience those sorts of things. However, the the risk that we’re talking about in regards to critical infrastructure is is the potential loss or impact of cyber physical outcomes where traffic lights might stop working or a water tank might overflow, and and this is going to create some real potential damage to society.

Karissa Breen [00:06:37]:
Yeah. That’s an interesting point. I mean, I have interviewed people about this a fair bit on the show in my time, and you make a great point around, yeah, okay, like, for example, if you’re in a bank and, you know, you got your money scammed, you get it back. Right? But like you were saying, traffic lights don’t work. Water tanks overflowing. That could lead to sort of death or multiple people dying as a result of this.

Karissa Breen [00:06:59]:
So would you say that people are acutely aware of that? Or to your earlier point, we just turn on the light switch, and then who knows what happens after that?

Sam Mackenzie [00:07:08]:
Yeah. I think generally the public’s not, and in a lot of regards, perhaps they don’t need to be. I think it’s on the cybersecurity practitioners, the leaders of the critical infrastructure organizations, to make sure we’re protecting and defending well, that we’ve got the things in place to protect society and the fallbacks to recover if they are infiltrated. There’s lots of great practice out there. The SANS Institute is one of them. So, quoting Robert Lee from Dragos and SANS, you know, defence is doable. And I absolutely believe that if we put in place the structures around people, process, and technology, and we have good networks and reputation, we train our staff well, and we share threat intelligence, then we can absolutely protect this infrastructure. There might be breaches, but I think that we’ve got the ability to respond and resolve and minimize that impact.

Karissa Breen [00:07:57]:
There was someone I interviewed a while ago, and he spoke around space and satellites. Now you probably know a lot more about this than me, but he was sort of explaining, like, if one of them, whether it’s a lower Earth orbit or, like, closer to Earth or the ones that are a bit more further away, like the impact of that and how rapid things would start to go downhill within 24 hours. So is those the types of things that worry you perhaps?

Sam Mackenzie [00:08:22]:
Yeah. I think so. I mean, you know, those those, single points of failure effectively. You know, the GPS positioning system, the global positioning system. Yeah. It’s absolutely a a a risk and unless, you know, there’s examples where that’s, you know, controlled above the United States, and there’s an EU competing solution that’s that’s being built and and and launched. And and I know other countries are doing the same. Again, you know, there’s lots of points of of failure to make sure that we’re putting in place redundancies and and practicing, you know, incident response should those, you know, assets get attacked.

Sam Mackenzie [00:08:55]:
It’s really important to that we go through all the good practice that, you know, that we know is good practice from the industry. And there’s lots of advisories, you know, from the, you know, Australian Signals Directorate. There’s joint advisories from, you know, group of cyber security agencies in the US about how, you know, state sponsored actors are coming into these networks and and how to deal with those, how to how to identify them, how to fight back.

Karissa Breen [00:09:18]:
So, Sam, you’ve also used the phrase, we’ve frog in warm water connected everything. So what do you mean by that?

Sam Mackenzie [00:09:26]:
Yeah. Again, not one of my most elegant phrases, but, yeah, we’d absolutely connected all of this this equipment. So those actuators, the electricity circuit breakers that I was talking about before. I think there’s really good reasons why we’ve done that. So the benefits are significant to connect that equipment through to information networks. And the benefits there are really around operational efficiency, the asset management efficiency. So the examples of, you know, having a distributed workforce, engineers in the field, being able to know where they are, what assets are broken, where to the coverage and efficiency of having those resources that are across different geographic regions or even just, you know, more localized level. What’s happened over time is the businesses have baked in those efficiencies.

Sam Mackenzie [00:10:10]:
So the leadership, the executive, the board, the shareholders have baked in those efficiencies. Not that we’re stuck with them, but those have been baked into the financial results of those organizations, And we rely on that data, that insight, and those operational efficiencies from that connectivity. That’s a really great thing. It means that we’re getting, you know, engineers out to customers faster in in whatever industry it is. It means we’re getting those faults fixed faster. It means we’re being more resource efficient in the way that we use our equipment, and we’re managing assets more effectively. Now, on the flip side of that, though, is that if there’s an impact, a breach and some downtime, then it’s really hard to operate the organization because those efficiencies and resources have been scaled back to being the bare minimum when that connectivity is available. And so then the organization becomes incredibly inefficient because the resources might not be available to service those customers.

Karissa Breen [00:11:05]:
So I wanna ask a really rudimentary question. Now when I’m speaking to people like yourself, it’s like, okay, connectivity makes sense. But then sometimes when I’m just, I don’t know, on the weekend, and then someone starts talking to you at, I don’t know, an event or something like that. And then someone obviously knows what you do for work, and then they’re like, yeah. Like, we’re just in this really connected world. So from my observation from talking to people across the industry and just generally, it appears that people don’t like being super connected, and they see it seems to rattle them a bit. So what’s your sort of view around, you know, OT and IT being connected? Of course, there are benefits, but would you say that the benefits outweigh not doing this, but then also the risk profile has changed and increased? What are your sort of thoughts?

Sam Mackenzie [00:11:50]:
I’m so optimistic about technology and always have been. However, I guess now I start to realize that there are risks. I’ve got a consumer example that I think it’d be good to share. So I bought a laundry dryer recently, and I ordered one with a high efficiency unit for our electricity use, high efficiency for savings. And as you go up the chain on the product side, the different types of products that are available, the more efficient you get, the more features you get. And often what’s happening now, and what I found when I was trying to research this, was that the more efficient ones come connected, with connectivity whether you like it or not. And so to buy an efficient dryer, it’s considered a premium product, and therefore, it comes with connectivity.

Sam Mackenzie [00:12:34]:
I didn’t want one with connectivity because I don’t really want my dryer connected to the Internet. And so I think there’s, like, an expectation there to some extent that you wanna buy a premium product that has all these features. And then, you know, it’s a bit of a vicious cycle because that’s, you know, partly a marketing approach as well. So how do we have good quality devices and still have choice of, you know, not connecting certain devices?

Karissa Breen [00:12:58]:
Yeah. That’s a good example. So there’s a couple of things that I’m hearing from what you’re saying is doesn’t really matter how we feel about the thing being connected or not. It’s just probably gonna gonna get to a stage where it is. So do you envision that in the next you know, in a little while, like, you won’t be able to buy a dryer without it being connected effectively, and therefore, we don’t have a choice. Right? So it doesn’t matter how you feel about it or your your rattle by it. It’s just the way it is. Do you see that sort of coming into play?

Speaker D [00:13:23]:
Yeah. Quite possibly. I I think there will be demand

Sam Mackenzie [00:13:26]:
for things that are not connected. I mean, cars are another example. Getting back to things that are sort of more critical infrastructure, I think I think the resource efficiencies, connectivity are inevitable for organisations. I think the bottom line of organisations will require the majority of whether it’s IT or IT networks to be connected because the the value in in gaining data and insight from app is is so great that Competitors will surpass the organisations that haven’t done that. Then it’s going to lend itself to how do we manage that risk? How do we understand that risk? How do we see the profile? How do we measure it? How do we understand the likelihood and probability? And how do we roll that up into the organization risk? So not talking about how many, you know, vulnerabilities there are on this actuator or this device at the end of the network, but understanding that if we impact the the service that the organization provides to its customers because that device got infiltrated, then we need to make sure that that risk is articulated. And and I think what’s happened sort of over time is that we’ve spent quite a lot of time protecting the IT networks and and quite a lot of money protecting the IT networks. You know, because every executive wants to have their email and wants to be able to communicate and get to their spreadsheets and their phonics data. But the OT network’s being relatively well protected, and there’s less data on those impacts.

Sam Mackenzie [00:14:47]:
And and so from the research and the the people that I’m that I’ve interviewed, I’m hearing that we’ve probably spent perhaps quite a bit of focus, resources, and and investment protecting the IT network. And and potentially, in in some organizations, we’ve left the IT network a little bit to its own devices. And and now there’s a bit of this this leadership challenge, and we we need to protect that even more so because that’s actually the crown jewels of the organization.

Karissa Breen [00:15:15]:
Okay. So you mentioned before the benefit, and I will can get into more of the benefits, etcetera. But you said having the connectivity allows for you know, you can derive more data and insight. So what do you sort of what does that look like? What are some of the insights that you can get from having the connectivity, for example?

Sam Mackenzie [00:15:31]:
I touched on a little bit before. I’ll use an example. I was at British Gas in the UK, and I rolled out gas boilers. There was much more information than available about those devices. We could get out to people’s homes, and the airline went out to people’s homes with the crews to check on the fault codes or the error codes. And we could take the bright we could take the bright replacement parts for this because we could see the codes remotely. So that that visit was more efficient. It meant that we could go to the depot first, get those those items, and then we could go straight to the the customer’s house.

Sam Mackenzie [00:16:03]:
So it’s more efficient for the crew, so it was more efficient for a customer because we could resolve the issue first visit. And so that that’s just the example. Similarly, you know, using GPS again for workforce to be able to understand where they are, which crew is closer to the depot to get the part and then out to the customer’s home, those sorts of efficiencies. I really did. Also, taking taking another look, the data that it provides, that’s just sort of at an individual engineer level. The data that it provides the organisation as a whole to be able to roll that up into, you know, the teams the data intelligence teams in in critical infrastructure can then start looking at resource efficiencies at sort of a meta level so they can they can understand where the the response time is slower, where they might need to adjust the the resourcing in regards to their crews, or the time of time of use, time of availability of their crews. So you can start to roll that up into, you know, organization level performance, and that can create significant benefits and and bottom line improvements for an organization.

Karissa Breen [00:17:04]:
So as you’re talking, Sam, I my mind’s going, and I’m zooming out a little bit more when you’re talking about resource efficiency, etcetera. Would you say as well, this is gonna be better for sustainability? I’ve interviewed someone recently around what does that look like in technology. It was quite interesting and definitely the first interview I’ve done around that. So do you sort of that, you know, with what you’re saying, it’s gonna be more sustainable than long term?

Sam Mackenzie [00:17:26]:
I think so. Yeah. Because, you know, you’re using less fuel, you know, in each of those trips, and and you’re getting the right part. You’re making one trip instead of 2. You’re having crews, you know, leveled across the geographic regions that are supported, and and that all becomes a lot more efficient. So, yeah, there’s definitely definitely environmental improvements and opportunity there.

Karissa Breen [00:17:49]:
So is there any sort of other benefits you can touch on today, give more examples perhaps for people that aren’t aware of what this looks like?

Sam Mackenzie [00:17:56]:
Yeah. I think in regards to benefits, I think the benefits are really clear in regards to how they’ve been baked into, you know, the finances of the organizations. Being able to control devices without sending, you know, some of those actuators, the pumps, you know, previously, say, for, you know, a water asset, a water organization, we used to send someone out years ago to turn the pumps on and off. Now that can be done remotely. Similarly, for electricity networks, you know, there’s, say, there’s a pole down. You know? So I was working in an energy company a couple of years ago, and you can make the network more safe, you know, because you can turn the circuit breaker off on that certain substation, and you can protect the public from those live lines. And at the same time, you can be sending a crew out. The crew might be an hour or two away in Victoria.

Sam Mackenzie [00:18:43]:
There’s safety opportunities. There’s all sorts of benefits there from having this this operational technology connected. So then it’s how do we go about managing that risk and making sure that we’re following good standards and methods to keep it protected.

Karissa Breen [00:18:57]:
Yes. I was just about to ask you that. So with that, obviously, the flip side of that is the risk component. So with your background and experience, how would you should advise people to go about this effectively?

Speaker D [00:19:10]:
Yeah. So, I mean, one of

Sam Mackenzie [00:19:11]:
the things is that I think that’s we touched on it before about the public perhaps not being aware, but I think some of the people in the industry are perhaps aware of some of the risks, and and it’s sort of seen as something that’ll be okay. You know, the the Australian should be right for that sort of way of thinking, which, you know, has largely been true. And I’ve I’ve done some additional analysis on the the sort of major cyber breaches and impacts that, of course, were what we call cyber physical outcomes. And and so I think part of the awareness is because we haven’t had too many events in the country that have caused us to sort of sit up and take notice. And so in my analysis there, I count about 9 events that occurred that caused physical outcomes, The majority of those and maybe I’ll just talk through them a little bit. I’ll work this this each one. But if I talk through them a little bit, they’ve all all but one have been on the IT network. They’ve all been they’ve almost all been ransomware, and there’s only one that’s been operational technology.

Sam Mackenzie [00:20:10]:
And so if you consider that as a nation, we haven’t really been through an operational technology major crisis where an attack has occurred and there’s been physical outcomes. The one that did occur was in the year 2000 at Maroochy Shire in Queensland, and it was actually an insider threat. And there was sewage spilled out into public parkland in an attack. But since then, there hasn’t really been one that’s occurred on the OT network. A lot of them have sort of been the traditional sort of ransomware. We’ve got your data. We’ve encrypted it. Those sort of impacts, the physical side of that is that, say, the hospital that’s been impacted has had to put on more staff or cancel elective surgeries, those sorts of things.

Sam Mackenzie [00:20:54]:
So it’s been sort of flow on impacts. So some of it is around, you know, even through my my interviews of the research, even some of the control systems engineers that I spoke to are not sort of concerned about some of this risk. And I think that’s sort of maturing with the industry that we need to go through, And I think that’s that’s partly why I’m so interested in it, and and, you know, talking with you about it today. But also, you know, trying to raise awareness that internationally, there are events that are happening like this. We do need to spend time putting in place practices and making sure that we’re raising that risk profile, analyzing it correctly, and getting it onto the leadership agenda.

Karissa Breen [00:21:32]:
So guys ask, these control engineers, why wouldn’t they be concerned?

Sam Mackenzie [00:21:38]:
I guess it gets back to that sort of frog in warm water. When you’re a professional and you’ve been doing something for 20 or 30 years, you you you believe to be doing it well, and usually you are. But I think some of the threat landscape has changed in what’s perhaps not their industry. So, say, a control room’s engineer, 20 years experience or more, but doing a great job, and they’re they’re doing it the same way that they sort of always done it, Yet the threat landscape has changed considerably on the outside. And so maybe if I just talk to that a little bit. So that threat landscape has has changed, you know, in in sort of 3 areas, I would say, primarily. So the first one is the the the types of adversaries, the types of bad actors. The second one is, like, the developments in regards to the technology that’s available for them to use.

Sam Mackenzie [00:22:24]:
And the third one is, like, the value of the critical infrastructure itself. So, you know, I can talk through each of our people are at different scales for all the different types of, you know, adversaries there might be, but let’s say there’s 5 from this. You know, the state sponsored there’s estate sponsored adversaries. They’re well resourced. They’ve got huge budgets. They’ve got vast technical capability, and they are able to gain long term persistence in a network. There’s other areas like organised crime, where money talks, and they’re they’re well resourced and run market business. There’s hacktivists that cause disruption.

Sam Mackenzie [00:22:58]:
They’re passionate about a cause, and they’re a bit unpredictable. Whereas terrorist hackers, so they’re ideological, they’re extreme. They’re following a belief system. And then there’s, you know, the script kiddies, sort of individual actors. So if we sort of think of those sort of five adversaries or bad actors, and the tools that are available to them, and we go into this sort of second part. The tools that are available to them have significantly changed in the last sort of 10 years or so. So the APTs, these are state sponsored advanced persistent threats. They’ve got a lot more bullshit than they were in the past. The rules of warfare aren’t really applying to what they’re doing anymore.

Sam Mackenzie [00:23:36]:
So they’re infiltrating systems. They’re not seeing any repercussions. They’re staying into those systems. And that’s evident by the advisories from the US and, you know, Australian government. In in the past, fiscal warfare would have been declared for some of these these types of intrusions. But today, because it’s electronic, it’s sort of unseen, then those things are those repercussions weren’t happening. And so, sort of, you know, going on, you know, for state sponsored actors, they got patient as well. So they’re sitting in there as they’re having a tailing assistance.

Sam Mackenzie [00:24:07]:
The the cyber the cybercrime as a service has become a thing. So you can actually go and buy, you know, different parts of your cybercrime off the shelf from other bad actors, and that can give, like, organizations weeks or many months acceleration to their goals. So be that like a fishing campaign or, you know, botnets, entry services into organizations, those can all be purchased. The organized crime gangs got super involved in critical infrastructure because they found out about the value of the data. Value of the data and the value of their impact to society. So health data is considered 10 to 20 times more valuable than, say, financial or personal identifiable information. So the organised crime gangs are going after health organisations. In the past, in warfare, we wouldn’t go after hospitals.

Sam Mackenzie [00:24:52]:
Nobody went after hospitals. That was kind of the rules of engagement. But now those sorts of rules of engagement have fallen by the wayside, and that’s opened things up to the possibilities then for the criminal gangs to start focusing on critical infrastructure, and really diving into our assets that help us run our society has changed considerably. So I guess, you know, going back to the control room engineer or the control room, yeah, the control room guys, they perhaps haven’t been that close to some of these because they’re in their discipline focused on their job, which is important and critically important, and they should continue doing that. But I think as a society, as leadership to these organizations, we need to help them understand that we are gonna need more and different controls in place to reduce the risks.

Karissa Breen [00:25:43]:
So I wanna switch gears now, and I wanna read again one of your statements that you provided to me here, which is the one thing that was protecting our critical infrastructure assets, the air gap, is all but gone, which you’ve clearly explained to you today. So is this because you have the belief that the connection to OT and IT world? And where do you sort of see all of this progressing then in the future? Because, I mean, I’ve spoken to people before on the show talking about, like, some of these controls are worth, like, 30, $40,000,000. Right? But, you know, they’re so they’re not connected to anything, and they are hard to to get into. Right? So because you physically have to get there as you would know. Right? So I’m then curious to sort of explore this a little bit more. Like, what do you sort of see happening now in the future now that we’ve removed air gap, for example? Yeah.

Sam Mackenzie [00:26:33]:
I think that the air gap has gone. I mean, a lot of people might think that it’s still there, but I think, you know, whatever the reason, there were lots of reasons, and we talked about some of the efficiencies of having people remotely connect and service equipment in plants, which is definitely one of them. So, previously, we might have sent out a technical engineer, a technical person, to resolve or update a system or change the configuration on that computer or that logic controller inside a plant. Well, you know, it’s so much more efficient if they can dial in remotely and do that. There’s safety benefits as well. And yeah. So there’s plenty of safety benefits as well. And what we thought was an air gap is now often not.

Sam Mackenzie [00:27:21]:
So I guess the other thing is that a lot of this has moved into logical configuration, either in a cloud or into, you know, configuration of the network. And sometimes it can be as simple as a firewall rule pointing the wrong direction or allowing a wider set of traffic through than was intended. And because it’s not a physical plug on a, you know, network device that you can see with certain colour coding in a rack that you can go and check, it goes unseen. And that can make it a lot more complicated for technical teams and security teams to make sure that it’s secure.

Karissa Breen [00:27:58]:
Just going back to the physical controllers for a moment. Now from my understanding, they had them that way because, again, to your point, it’s a lot easier to just, you know, remote in from anywhere and exploit it, for example. So would you say that those controllers are completely abolished now? So there’s none of those? Like, as I’ve spoken to people over the years, they’ve said that, you know, these things are really, really expensive. They’re not catered to anything for the reason of being secure. Right? So are you saying that’s completely removed now?

Sam Mackenzie [00:28:29]:
I think generally, there’s not too much in, you know, industry, in critical infrastructure, that has a proper hiccup anymore. There might be some really old pieces of equipment, like you mentioned, you know, here and there. I think the benefits to manage that stuff remotely are, you know, outside of the plant, manage it from a control room, from a SCADA system in a control room, or SCADA system control and advisory administration.

Karissa Breen [00:28:56]:
So I wanna touch on something. Now when I spoke to one of the guys talking about space, he was saying that, you know, when you’re looking at ground stuff, obviously, the way to exploit what they’re doing there would be to socially engineer your way in. And, apparently, it did happen once or something in the US, but I don’t think the person got all the way through. But they got a fair way through. So what are your sort of thoughts then on that from a social engineering perspective?

Sam Mackenzie [00:29:24]:
Absolutely. So, and I know I’ve sort of talked a lot of, you know, bleak scenarios. I think there’s a lot of positives, and the key positives, and I’m very optimistic about this area, are that defence is doable and that we can do this to protect, you know, our essential services. And awareness, and having the whole organisation be aware of how these threats are coming in, from how people are trying to social engineer, the phishing, the snitching, all different types of social engineering attacks, whether that’s, you know, people walking into buildings. I think we all need to do the basics. We all need to update our skills constantly on how we can keep protected, not just for our own personal and financial safety, but for the organizations that we work with. So, you know, the basics that we talk about. So governments in Strongwood has released, you know, sort of, like, their basic three step approach, which is make sure that you’ve got passphrases, make sure that you’ve got multi factor authentication, make sure that you’re doing updates. And so that’s not a simple structure, and it’s not too dissimilar to what we had sort of been in the eighties and nineties in regards to some protection when quoting Jason Roehl of Merton, where he considers this the slip, slap, slap campaign for cybersecurity.

Sam Mackenzie [00:30:41]:
And I think that’s a great way to think about it. We all need to start thinking in that way. We need to protect our own personal assets. We need to work and continuously evolve into how those social engineering attacks are occurring. So do you hold the door open, for example, for someone who’s coming into your office? Have we verified that they have suitable authorization to come into the building? We need to spend time relearning some of these more social norms, holding the door open to somebody, to make sure that we verify that person or that they can prove that they should be allowed in the building. And that’s just some of the basics. I think we need to support our staff, support the organizations to do all of those things, and following good cyber hygiene around passphrases, complex, you know, complex passphrases, multi factor authentication, and then simple things like having a great pipeline of resources, having good education to keep our cyber resources skilled, are all critical things to make us successful.

Karissa Breen [00:31:42]:
I just wanna go back to the door example. I hear your point. The only thing is that when I’m looking at a, you know, I’ve worked in corporations before. Look, I’m probably the type of person that would question someone, considering the job that I do. But the average person, do you think they’re going to turn around and be like, oh, sorry, Sam. Do you work here? Or, sorry, do you work here? I’ve never seen anyone do that in my experience. So do you think that, you know, and it could be like, oh, do you actually work here? It could be someone that is some high flying executive that only comes into the office once a year and the guy’s being questioned, and then it, you know, divulges into a whole HR incident to be like, why would you question, you know, the CEO of the company or something like that? So do you think people are really doing that, though?

Sam Mackenzie [00:32:20]:
I think that’s such a great example. The hammer came down on that personally. I think that would show poorly on the executive leadership of that organization for questioning someone coming in the door. If they didn’t have the access pass through them, if they couldn’t say who their manager was, if they couldn’t say, you know, what their phone number was or what their place at. You know, some really simple prompting questions, to sort of chat, quite challenge questions. I think we need to start considering that you can’t just walk into a building without your credentials. I’ve got a personal example from an organization that I work at. We had a technician from the Telco show up, and they wanted to get into the rack in one of the buildings.

Sam Mackenzie [00:32:58]:
And the receptionist of that building wouldn’t let them in, so they went to the building across the road. And the reception there wouldn’t recommend that because they didn’t have the details of who they were protecting, who that, who, you know, what their job was and who requested the work. That engineer bounced around the receptionists and those sort of at that campus for 3 hours, and they weren’t let in. And I think that was a fantastic job by all the receptionists of each of those buildings, because we shouldn’t be letting people in who don’t have the credentials. Now they might have been there for legitimate work, but make sure it’s organized, scheduled, and that you’ve got, you know, the authorisation letter showing that you’re who is approved to do that work, and have the NAGR contact date meeting. I think those are the bare basics of things that we need to start expecting from, you know, our vendors, our suppliers, our partners. And also our staff. If they pop out for coffee and rather get their pass, I think they should expect to be asked who their manager is if they start trying to get in the building.

Sam Mackenzie [00:33:57]:
To know what department they’re in and so forth.

Karissa Breen [00:34:01]:
I just wanna quickly touch on now, kinetic consequences. What is that?

Sam Mackenzie [00:34:07]:
So it relates to these outcomes of events that happen in critical infrastructure. So whether cyber and, you know, cyber meets physical, and then there’s some kinetic outcomes or some physical outcome of the cyber events. So kinetic consequences. And there’s a really great example earlier this year in a small town in the US in Texas called North Shore, where cyber attackers attacked and purposefully infiltrated their operational technology network, the IT network, and the pump actuators. And the flow of water for a tank there in Texas was caused to overflow because of this attack. Now, where it was a small town, that tank was in a field by itself. The water overflowed. It didn’t really affect anybody. It’s almost like a proof of concept, effectively, to show that cyber physical or kinetic consequences are possible from cyber events.

Sam Mackenzie [00:35:00]:
And if that was a high pressure gas valve or electricity circuit breaker or some other type of operational technology device that could have been or is in a more highly populated area, then the ramifications could have been significant. So it’s a relatively new phrase, I think. I mean, people across the industry have probably heard it, but I think it’s one that’s going to become more prevalent. It definitely is one that’s a risk to the society. And I think that’s what we’re all working to try and protect. Now having said that, you know, many of the things that I talked about before is what we’re doing to protect. So following good practice around having strong network segmentation, having good architecture principles for operational technology. There’s an architecture design principle called the Purdue model, and making sure that we’re designing to that, making sure that we’re doing pen tests, that we’re responding and spending time practicing our response, are all important things that we can do to reduce the risk of these parts of the kinetic consequences.

Karissa Breen [00:36:05]:
This is really interesting because when we’ve been talking in this interview, that’s exactly what was coming to my mind. Like, some kinetic consequences, like, basically starts off as a cyber attack and then leads into a physical problem. So, like, a whole power plant blowing up, for example. And then as a result, killing people. Right? So is this something that, hopefully, we won’t have to experience? But is this something that we’re gonna see perhaps emerge a little bit more now?

Sam Mackenzie [00:36:35]:
Well, I think it’s definitely a risk. I mean, there’s plenty of international examples. One of the big ones is the attack on Ukraine back in 2015, 2016. The power got turned off for hundreds of thousands of people during winter. It happened twice, right, in the middle of winter in 2015 and 16, and it happened again in 2022. And side effects, 250,000 Ukrainians in those first two instances. And, obviously, being without power during the middle of winter, not a great situation. There are other examples.

Sam Mackenzie [00:37:03]:
There was a plant in Germany, a manufacturing plant, that was severely damaged, and I think there were some personal injuries there as well. And so these events are occurring and, you know, it’s up to all of us. So, I guess, the key thing, sort of getting back to my earlier point, is it’s a leadership challenge. It’s an industry challenge. It’s an organisation and government challenge to make sure that we’re skilling up the people, setting up strong cyber teams, making sure that we bring along the control systems engineers and, you know, chemical, you know, water engineers, to make sure that we’re getting the right outcomes for the organisation so that we can be successful and protect society. I think that’s such an exciting and opportune activity. It’s also such meaningful work. So people talk about meaningful work, that it can get much more meaningful than making sure that we’re protecting society.

Karissa Breen [00:37:57]:
So, Sam, is there any sort of closing comments or final thoughts you’d like to leave our audience with today?

Sam Mackenzie [00:38:02]:
Yeah. I think just sort of echoing some of the points that I made earlier from my research: if we do the basics right, we follow good practice, we work together and share our learnings, we have good quality threat intelligence and share that across the communities, have strong network segmentation, monitoring, awareness, then we can really work together to address this leadership challenge. The other key thing is really around how we articulate and communicate risk to make sure that operational technology and our essential services are getting the spend and need to be protected, and that we rigorously manage that risk to ensure our IT and OT systems, but particularly the OT, the crown jewels of our networks, are getting their fair share of protection and spend. I think, you know, it’s something I’m particularly passionate about, and, you know, one of the key terms around this is keeping critical infrastructure site was safe.