The Voice of Cyber®

KBKAST
Episode 310 Deep Dive: Sam Mackenzie | Securing Society and the Future
First Aired: May 23, 2025

In this episode, we sit down with Sam Mackenzie, cybersecurity committee member from the Australian Computer Society (ACS), as he explores the converging worlds of cyber and physical security and what it means for securing society into the future. Sam highlights the growing risks faced by critical infrastructure, emphasizing the importance of cross-functional collaboration between IT, operational technology, and engineering teams. We dig into why many organizations still fail to capture cyber-physical risks in their enterprise risk registers, how leadership and purposeful collaboration can bridge longstanding disciplinary gaps, and why regular practice, scenario exercises, and embedded cyber champions are essential to build resilience. Sam also discusses his work with the Australian Control Rooms Network Association (ACRNA), the increasing pressures faced by control rooms due to more frequent severe weather events, and the impact of regulations and “secure by design” principles on product development and security investment.

Sam Mackenzie is a driven technology and cybersecurity leader with 25 years of experience dedicated to protecting and advancing critical infrastructure. As a valued committee member of both the Australian Control Rooms Network Association and the Australian Computer Society, Sam is known for his structured thinking, his talent for simplifying complex challenges, and his ability to harness culture as a catalyst for meaningful change. Sam’s career spans leadership roles with global brands and household names in Australia, where he has built high-performance teams across sectors including health, telecoms, energy, and local government. With hands-on expertise in seven of the eleven Security of Critical Infrastructure (SOCI) Act sectors, Sam’s straightforward approach and thought leadership—evident through his frequent speaking engagements, panel hosting, and published works—continue to drive high-quality technology and security outcomes.


Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Sam Mackenzie [00:00:00]:
There’s an incredible cost to making sure everything’s fully secure. So, all organizations are looking for return on investment, for balancing their books, and I guess what we’re trying to do is work out where that balance is. So, how we design products, how we make them secure, is starting to become a requirement not just from our government, but from other governments worldwide. And it’s something that organizations are gonna need to factor into how they design and build products and support them after they’re released.

KB [00:00:46]:
Joining me back on the show is Sam Mackenzie, cybersecurity committee member from the ACS, the Australian Computer Society. And today, we’re discussing securing society and the future. So Sam, welcome back.

Sam Mackenzie [00:00:57]:
Alright. Excellent to be here, Karissa. Thanks for having me.

KB [00:01:00]:
Okay. So let’s talk about the convergence between cyber and physical security. You sort of say, Sam, you know, we’re not in crisis mode, but we are aligned with international security agencies like ASD, ASIO, the FBI, CISA, the NCSC, etcetera, who are raising coordinated alarms. So, keen to understand: you say it’s a clear call to act, but what do you think “act” looks like if we’re not in that crisis mode?

Sam Mackenzie [00:01:29]:
It’s a great question. I think, you know, when I was on the podcast last time, we spoke about, you know, the impacts that the digital world can now have on our physical world. The actuators and pumps, circuit breakers and things in water, energy, and utilities can be controlled digitally. And there’s great advantages there for resource management, for optimization of assets, and, you know, slimming the bottom line by managing those assets effectively. And I guess what we get into then is this opportunity, effectively, for cyber attackers to also control those devices right down in the physical world. Attackers are taking advantage of that. Luckily, it’s few and far between, but there have been occurrences, and we’re looking now as well at what the solutions are. How can we deal with that? Especially now that the advanced cyber security agencies worldwide, and you mentioned many of them then, in Australia, the US, the UK, and others, are raising coordinated alarms about these risks.

Sam Mackenzie [00:02:23]:
So one of the key things would be to acknowledge the cyber physical risk, that cyber physical outcomes can occur. And then, you know, particularly for critical infrastructure asset owners and operators, for them to make sure that their cyber teams are working really closely with their engineering teams, with their operations and maintenance teams, and understanding the potential outcomes, and that they’re aligning all of that risk and rolling it up into the enterprise risk register, to make sure it gets treated, to make sure it gets the funding. Treatment could be mitigation. There’s lots of different ways to treat risk, obviously. There’s probably three things. There’s treatment and management of that risk. There’s having cross functional leadership teams that blend operational technology teams, IT teams, physical risk, safety, and cybersecurity, and have those teams working together. And companies that succeed and defend successfully are organizations that do that well, that have collaboration across those teams, because they’re often siloed.

Sam Mackenzie [00:03:23]:
So that can be quite a cultural challenge. The third thing I would say, you know, because there’s lots of things to do, but probably if we’re just looking at three, would be incident response and resilience, that recovery piece. We spend a lot of time, and if I use the National Institute of Standards and Technology from the US, they’ve got a cybersecurity framework called NIST CSF, and they’ve got it structured in sort of detecting, identifying, protecting. And we’ve spent a lot of time over the last twenty years doing that, and that’s really important. We should do that. But now we know that the attack is getting in anyway, and we need to spend some more of our time, our budget, our resources, our effort on the recovery and response. Three things, long answer I realize, but get serious about understanding, you know, the cyber physical assets and that risk, have the teams work closer together across silos, and make sure that we’re spending time and effort on response and resilience.

KB [00:04:14]:
Okay. So there’s a couple of things in there I wanna get into a little bit more. When you say get serious about the risk, would you say now or nowadays, people are getting a little bit more serious about this? Whereas maybe historically, they haven’t been or they were unaware or they didn’t see the convergence between the physical world into the cyber world, for example. What are your thoughts on that?

Sam Mackenzie [00:04:30]:
I think there is sort of wider acknowledgment, I guess. So, and we’ll come to some of the research that I’ve done in the past year or so. One of the quotes was from an engineer who spent time out with their customers, and he highlighted that some of their customers are managing sort of risk from a technology perspective, that cyber risk, in an IT spreadsheet. It’s not really connected to the physical world. It’s not really connected to the engineering safety, and it’s definitely not rolled up into the corporate risk register. There are some organizations that are still sort of behind the eight ball there. Many do manage it and have the IT and the, you know, digital technology risk in the corporate risk register. But then there’s still often this gap from the operational technology side, from that cyber physical risk, that’s not getting into the risk register, not getting its fair share of the treatment and fair share of the budget.

KB [00:05:20]:
So when it’s not getting into the risk register, is it because people are like, well, that’s physical, so therefore it’s not going to go in the same risk register as a cyber security risk, for example, would you say? They’re sort of just trying to isolate it?

Sam Mackenzie [00:05:31]:
I think the gap is probably in the disciplines. So, the people who are running the engineering systems, the operation and maintenance teams, the O and M teams, have been doing it that way for a long time, and they feel like it’s secure. And by all accounts, it was secure ten, twenty years ago, before the threat landscape changed, and before we had so much technology involved. And so now the face of things has changed, the digital component and the threat landscape, where there’s nation state, well-funded nation state actors who can get into systems through probably the IT environment or remote access. There’s a lot more remote access than there was in the past. And so, getting back to the answer to the question, I think it’s not well understood, that side of physical risk, and that’s because there’s a separation of disciplines. And the separation of disciplines is historic. It’s not sort of on purpose.

Sam Mackenzie [00:06:21]:
So the IT people perhaps don’t understand the impact that it could have on the physical world. The engineering folks who do understand that probably maybe aren’t so clear on the threat landscape changes, and how much remote access and access, you know, external access other parties have. And that just really does present a cacophony of challenges for managing risk, when you’ve got those separate disciplines looking at it from their different perspectives, and perhaps not collaborating and bringing it together. That’s what my research said.

KB [00:06:49]:
Okay. So how do people, or we as an industry, get it to the point where there is that collaboration, where it is like, hey, we’re gonna operate from the same sort of risk register in terms of the physical, the cyber risk, etcetera? What would you sort of say, in your experience with the research you’ve been doing over the last twelve or so months? How can people move towards that outcome? Because, I mean, in the industry, we talk a lot about all these problems, but it’s like, well, what do we do about it?

Sam Mackenzie [00:07:14]:
Great question. So, one way to address it would be to have all the teams in operational technology and IT report to the same leader. So that’s one way to do it. I’ve seen that work successfully through the people that I was speaking to in the research. That doesn’t always have to be the way, as long as there’s strong ties and collaboration with those teams. So for example, having, you know, cybersecurity policy and standards set and structured, but not isolated, and making sure to include the OT staff and their views of risk, and then having them collaborate to build the policies and standards, rather than sort of, you know, IT cybersecurity imposing something on engineering or the field force. So I think it’s really about collaboration in that space, of how can we make sure that the IT, because the IT risk gets a lot of visibility.

Sam Mackenzie [00:08:05]:
So all the data breaches, obviously, over the last few years in Australia, the big ones, you would have heard about, many people, probably many of your listeners, impacted. Those are the ones that get the visibility. They’re sort of the shiny bright ones that end up on the front page of the papers. And the cyber physical stuff, luckily, is much fewer and further between. But it’s still a risk, and I guess it’s a risk to, you know, safety and physical outcomes, which in some regards is, you know, worse. And so, what I saw through the research was really, how do we get these teams to work together to surface that risk and boil that up into the risk register to make it useful, so that they’re getting their share of the funding? And the answer that was resounding from many of the participants in my research was to get those teams to work together, either through a reporting line or purposeful collaboration. Not just sort of superficial collaboration, where you expect people to work together, but purposeful action to get them to collaborate, with purposeful programs to have them do that and surface those risks and quantify them.

KB [00:09:03]:
Yeah. The operative word that you used there was superficial collaboration. So what was coming to my mind as you were speaking is, historically, when I was, you know, working on the internal front, there was a little bit of that angst between teams to work with the security team. Now, obviously, this is over a decade ago. Things have changed and things have moved on. But do you think that collaboration is there nowadays from the physical and the security side of things? Because even when I was working internally, our whole physical team didn’t have anything to really do with us. So I think that we have seen this trend in the industry where there is more collaboration. But purely from your perspective and what you do day to day, would you say that whole superficial side of things is being lifted or removed? Or is it still gonna take a little bit more time? What are your sentiments there?

Sam Mackenzie [00:09:49]:
It’s come a long way. I think, since the sort of research that I was doing, it really has moved along. I think people understand that security is important. That doesn’t mean they always take action to make sure security is included in the program, because there’s business objectives and tight deadlines and those sorts of things. But I think there’s much more understanding when security does get involved. I think there’s very much more involvement of security early on in the process. And, just going back to that word, superficial, I think that happens across all teams, regardless of the topic and the discipline. I think the challenge is that teams have obviously different objectives and constraints.

Sam Mackenzie [00:10:23]:
So, it takes strong leadership to clarify how the different teams’ objectives can work together towards a great outcome. And that’s what good leaders do.

KB [00:10:33]:
Yeah, and that’s a good sort of point because, I don’t know, when you work in a company and you have to do all of these trainings, there’s someone in the company who’s responsible for making sure Sam Mackenzie does his training, but you’re like, well, I’ve got other things to do, because I’ve got other priorities, because that’s not my day job. So then it does become hard for people, because everyone’s doing their role and everything that they’re doing in front of them is important. Right? Or I’d say they probably wouldn’t be doing that job. So what would you say then, sort of long term? Do you think that people will just work a lot easier together? They understand that there’s a vision. They understand physical security is just as important as cyber. They both work hand in hand. They both have different repercussions. Do you think it’ll just get to a point where we don’t even have, like, these two different sort of teams? It’s just the security team, which encompasses physical and cyber security.

Sam Mackenzie [00:11:23]:
So I think, on that, in regards to how security permeates through the organization, I think it needs to get much wider. It needs to be everybody’s business. You know, awareness sessions where we’re involving people who receive emails. So everybody in the organization is pretty much receiving email. They need to be aware of security and have cyber awareness to make sure they’re not clicking on links. You know, right through to, you know, the architect on the telecoms project who’s designing the new proof of concept service to, you know, bring the call centers together. Everybody’s going to need to make sure that security is involved in those decisions and in that design. So I actually think that while it might end up with sort of consolidated teams, it needs to be wider, in that everybody needs to have it as part of their role.

Sam Mackenzie [00:12:05]:
And I guess some things I’ve been thinking about recently are like cyber awareness programs, where instead of just rolling out some online training, we have cyber champions embedded in the business, and they take, you know, lunch and learn sessions, and then bring those back to their teams, and share that learning. Rather than sort of a once a year cyber awareness training program that people click a few things on, someone actually embedded in the team. So, there’s a cyber champion who’s sort of geared up in that team. Right through to, probably, many of your listeners have been through a cyber incident. And a lot of the time, what happens is people get locked out of their computers when those incidents happen. And the first thing they do is jump on social media and tell their friends, I’ve been locked out, and I can’t access anything because we’ve got a cyber incident. And then all of a sudden, it’s on the news because the employees didn’t exactly know what to do.

Sam Mackenzie [00:12:53]:
And so, you know, right through to, do we need to have cyber safety drills, like we have fire drills, to help staff be aware of what they should and shouldn’t do if they’re locked out because of a cyber attack? So I think it sort of starts becoming everybody’s business. How do we make that everyone’s business? Just like in, say, a utilities company, you know, safety is usually the number one priority.

KB [00:13:14]:
The example that you were talking about before, I’ve asked someone this in an interview probably about a year, maybe eighteen months ago. So I just wanna get your view. So for example, like you said, if something’s been locked out, you can’t really follow the playbook or the IRP, or, you know, you’ve got to sort of rely then on what you know. So I’ll give you an example. Like, how many times have you had to do a fire drill in a company and everyone sort of goes down, not really paying attention? Or equally, when you’re on a plane, you’ve been on a plane multiple times, so have I. I still don’t know if I’d trust myself if there were something to happen, in terms of opening the door and doing all of that, because we sort of just tune out then after a while. So how do we then get it to the stage where, okay, just say we’re locked out of our systems.

KB [00:13:57]:
We can’t access the IRP or the plan or whatever. Do you think people, when you’re in a state of panic like that, will be able to remember, okay, now I know what I have to do, in terms of their own critical thinking? Because, really, I just use myself as an example. Like, I think if the whole building is on fire, I just wanna get out of there. I wouldn’t sort of sit down and go, okay, like, here’s the plan, we’re gonna run through it. I mean, I’m just speaking very honestly here, because when there is that state of chaos, people do operate in a state of chaos.

KB [00:14:27]:
So do you have any sort of insight on that?

Sam Mackenzie [00:14:29]:
Yeah, I think so. I think there’s some great examples here. I haven’t been on a plane for quite a while, and I get that. If the drop-down oxygen came, I would help myself before, you know, helping others. I would know to tuck in and brace. I’d work out where the life jacket was, probably under my seat. It starts to become sort of inherent knowledge, tribal knowledge, because we’ve done it so many times. And I think it’s similar for fire drills. Funnily enough, I recently became a fire warden in my current work.

Sam Mackenzie [00:14:56]:
The feedback from the training is that people don’t panic. They are really orderly during those events, and they take their time, and they follow the rules, and they know what’s expected of them. And they tell you what’s expected because they’ve been through it so many times. So, I do hear what you’re saying around, does it sort of just, you know, meld into the, you know, I’ve done this again, done it so many times, but I think it does become inherent in the group, and the group then knows what to do.

KB [00:15:19]:
But I mean, like, in the state of an actual incident or breach, and they can’t log into your systems, you have to rely on, like you said before, the example with the plane, it’s like, well, I know the oxygen, you know, my life jacket and all these sorts of things, because people out there have been on planes multiple times. Even if you’re not fully listening to it, you sort of conceptually know. I’m just sort of trying to draw a parallel from that example to how do we sort of inject that into some of the stuff that we’re doing in our everyday work, where we don’t, you know, have to rely on a plan because people know it so well. They’re not panicked in a real situation, for example.

Sam Mackenzie [00:15:55]:
Yeah. And you know who does this really well is hospitals, because they’ve got a drill sheet. I’ve forgotten exactly what it’s called. It’s been a while since I worked in healthcare. But they’ve got all the different codes, obviously. They’ve got medical emergencies, they’ve got bomb threats, and they’ve got the different colors. And you know, when you’re in a hospital, sometimes you hear the different codes called. And, you know, the staff on those sort of front line phones, even if they’re not maybe at the reception desk, they know what to do because that checklist, or that decision tree, is next to their phone, and they’ve had it there, and they’ve had the training, and they go through practice exercises.

Sam Mackenzie [00:16:26]:
So, yeah, I hear what you say, and I think that practiced learning is the best way to do it. When your colleagues have done it, when you’ve done it, when you’ve got the reminders there, people get on with it. Yeah.

KB [00:16:37]:
I think that’s a good point. And I would say as well, like, I worked at Westfield maybe about twelve years ago, and, like you’re saying, they had codes, like code blue was a medical emergency, code red was like there was a severe problem. But every day there was something going on. Every day you had to deal with something, multiple times a day. So you sort of just get used to it, to your point. In a hospital, there’s always something going on there. However, in our organizations, not every day are people dealing with these sorts of incidents.

KB [00:17:01]:
So do you just think that it’s just gonna be like a muscle? It’s gonna take time to build up to that point. It is gonna be practicing the plan and all of the things that we all know, etcetera, out there. Do you just think we just have to spend more time to get it to a point where it does become that inherent knowledge?

Sam Mackenzie [00:17:18]:
Yeah. Absolutely. I think so. So for example, like the scenario exercises, those tabletop exercises are practicing the events. I think one of the biggest realizations in those activities that I’ve been part of, and the real ones, is building the connections with the other teams. So, say, the legal team might not think that they’ve got much to be involved in in a cyber incident, but there’s a huge amount of involvement that they need. If they’re not available at X time in the morning, then that can be a challenge. And the procurement team, to get support from partners, the comms team, corporate affairs, those sorts of teams that maybe aren’t that close to the technical operations, to the individual computer breaches that organizations might be having on a regular sort of monthly or weekly basis.

Sam Mackenzie [00:18:02]:
The bigger events absolutely need all of those teams to support, and they need to know their role and what’s expected of them, and be able to practice and prepare what they need to do. So, for example, for corporate affairs or comms teams, as part of the cyber incident playbooks, it makes sense to have a whole bunch of written and approved comms ready to go out, so they’re not on the back foot writing those under pressure. And, similarly, legal would have reviewed those beforehand. Those are ready to go, maybe with a minor tweak or two, depending on the scenario, so that has been practiced, and the legal people and the comms team know who to talk to. The decision path is clear to get those comms released. Similarly, the procurement team need to make sure they’re on board, that they’re ready to involve and request help from suppliers, so that you can build the best response and recovery team that you can at the time.

KB [00:18:52]:
Yeah. Okay. Alright. So I now wanna talk through control rooms. So these rooms are the frontline of cyber physical operations, as you very well know. So I wanna sort of talk through your thinking here. What are the risks? Do you think as well people sort of forget about control rooms? They just think they’re safe in their mind. And then I also wanna maybe talk about, you’ve recently joined the management committee of this sort of niche organization that talks through this a lot more.

KB [00:19:21]:
So I’m keen to sort of hear your thoughts on that front.

Sam Mackenzie [00:19:24]:
Yeah. Thanks. So the ACRNA, the Australian Control Room Network Association, is a small not for profit organization, and I’ve joined the management committee there. Fantastic organization for anyone who’s interested or working in critical infrastructure, essential services that do need these types of assets. So, control rooms, some people might not be aware, are the sort of nerve centers of these organizations that manage the transport networks, support emergency services. They’ve got a lot of screens, and they’ve got twenty four hour shifts. They might be controlling the energy grid or, you know, the water supplies and gas networks. They’re critical to the service, the performance of the service, the ongoing running of the service, because they’re making decisions in that room.

Sam Mackenzie [00:20:10]:
They’re getting alarms, and they’re treating those alarms. Transport’s another good example. Ports. And so, we’ve got many of those industries and sectors represented at the ACRNA. And we have a conference every year. What’s exciting about, I guess, the ACRNA is that there’s people who design, build, and implement control rooms, right through to the people who operate in control rooms and work their twelve hour shifts. And we get such a lovely cross section of people that we can have really interesting and valuable conversations that drive the industry forward in that space. So, I guess, one of the things about control rooms is it does sort of bring together a lot of the engineering world, the technology world, and the cyber physical world, because we’re controlling physical devices in a lot of those rooms.

Sam Mackenzie [00:20:55]:
But then you do start to understand that this is a risk to society, to these services running. How do we make sure the control rooms are being built and designed now with the future in mind?

KB [00:21:08]:
So would you say, when these control rooms are being built with the future in mind, would you say that that’s happening currently at the moment? Or is that what sort of people are discussing, around how do we build these for the future state?

Sam Mackenzie [00:21:20]:
Yeah. That’s what we’re discussing definitely at the ACRNA. You know, there’s some key challenges that we’re faced with. So, I’ll just outline some of them. So, the more frequent weather events is an obvious one that obviously hits the media. So, there’s a huge demand on control rooms. There’s more impact. They’re longer duration.

Sam Mackenzie [00:21:37]:
So, the controllers, the shift patterns, even down to things like, you know, that starts to hit fatigue management. You start to look at, you know, in a control room, is the lighting right? Are the acoustics right? Those sorts of things, to make sure that you’re getting the best out of the people that are there for their shift, and that they’re operating at the highest capacity that they can. Aside from, you know, the weather events, there’s data requirements, because, you know, organizations are looking for more data and insights. Other areas, like new technologies, are coming on, like renewable energy, battery electric storage, IoT for smart cities and things like that, IoT for the industrial internet of things, and things like drone technology. So you’re unlikely to get all of that in a single control room, but each of the control rooms that are dealing with their sort of chosen sector are getting more and more demands across their services. They might even be managing emergency events for staffing crises or something like that, if that was to happen. So there’s a wide demand on control rooms.

Sam Mackenzie [00:22:36]:
And I only see the need for controllers increasing. It’s such a warm and positive society, for the betterment of the industry.

KB [00:22:43]:
I like your comment around weather events. So, like, catastrophic events that are occurring more and more nowadays, as we’ve clearly seen. Do you think as well that that’s now putting these control rooms, like you said, under a lot more pressure? Because perhaps, historically, we didn’t have as many of these weather events that have been occurring, I would say. I mean, I’m originally from North Queensland, so we always had the cyclones. But the cyclone occurring earlier this year in the Sunshine Coast, Brisbane, I’ve never seen that in my lifetime. So how are people sort of responding now to the way in which these weather events are sort of taking place more frequently as well? What are your thoughts then on that?

Sam Mackenzie [00:23:23]:
I was actually just speaking to some of the people in Queensland who were dealing with some of those weather events earlier this week and running the control rooms. And they’re having to have a refresh of their fatigue management strategies, because the events are lasting for longer. Previously, they’d be over in a few hours or a day, and they’d have their field crews out, either restoring power networks or the services that they needed to provide. But now they’re dealing with, how do we maintain services in the control room for an extended period of high utilization? And how do we get the best out of the room and the organization’s assets to, you know, deliver good services to the public? There’s lots to do in that space, but I think that’s probably only starting to get realized now.

KB [00:24:06]:
And would you say, Sam, given, like, all of the events and global warming, etcetera, but equally, I would say, just people out there online just maybe aren’t as forgiving as what they used to be back in the day when something would happen. Like, someone has an issue for thirty minutes and straight away they’re already on X complaining about, oh, well, I can’t access, you know, my NetBank or something, or my CBA application. I see it all the time. So would you say that that sort of adds to it as well, in terms of that PR, media, customers complaining a little bit quicker than perhaps before? Whereas, like, back in the day when I was in Queensland and that would happen, like, we’d sort of just have to stay put, because, like, the Internet sort of wasn’t really around. So there was nothing to really do, and you couldn’t really call anyone out because the phones were down. So I don’t know whether it’s just because of the whole digital world, and people now have a voice to be able to talk about their frustrations out in the public. But do you think that sort of weighs on these folks as well?

Sam Mackenzie [00:25:03]:
It does. In the conversation we had earlier in the week, the key thing was that if they could provide a time when their customers would be back on supply, then the customers were okay with that, even if it was sort of two or three days down the track. If they couldn’t provide a time, like an estimated time of restoring services, then that’s when the complaints happen. We’re all humans, and we like to have some certainty, even if it’s only estimated certainty. But if you know that, say it’s Thursday today, and you’re looking at when you’re going to have your service back on, even if it was Sunday lunchtime, you can now plan for that. You’re like, okay, that kind of is what it is. I’m going to plan my life around that, plan the activities. We’re not coming back around lunchtime.

Sam Mackenzie [00:25:40]:
It might be a bit earlier. It might be a bit later, and you can go and plan for that. And you’re okay with it because you’ve got some relative certainty. So I guess that puts some demands on, because it’s quite a complex thing to be able to give a customer that. Say an energy company. So I spent quite a lot of time working here at a distributor, and you need to be able to crunch the data. So you need to be able to understand how many other people are off supply, roughly how many field crews you’ve got, how much surge staffing you can bring on, how many field crews you can get out in time, considering that the roads might not be clear. And then considering that you’ve got to get all the sequential power lines up and running to get to that customer’s house.

Sam Mackenzie [00:26:18]:
How do you forecast that across a geographic area? That’s where that data crunching comes in, you know, in both ways, I guess. You know, social media, it gets more visible because people are talking about it. On the flip side, you’ve got more tools at your disposal in regards to better business models of calculating restoration. And that can give the customer certainty, and then they can be more at ease about, okay, I’m getting my power back then. And they can plan the rest of their recovery efforts around that personally in their own home.

KB [00:26:45]:
Yeah. This is a really great way that you address that, because if I look at like an airline company, for example, I think someone recently was upset because online, the airline said, hey, you know, we’re gonna take off now, and, obviously, things change. And they just kept saying this is the new sort of time we’d be departing, but they kept changing it. So going back to your point where you’ve got the data to be able to indicate, hey. You know, your power’s gonna be back on on the Sunday. You can plan for that. But what about when that doesn’t go to plan? And it’s like, oh, now we have to go back. It’s gonna be a Monday.

KB [00:27:16]:
So do you think that becomes difficult when things do go wrong? Of course, we wanna get people back up and running by the Sunday. But, again, we’ve already said it’s Sunday. Now it’s gonna be Monday, and now we have to go back. So would you say that people then should go back to say, oh, we’re having a little bit more difficulty. We have to then say it might be Monday. How does that sort of then work? Because I do see your point. People are eased if they sort of have this arbitrary timeline or the timeline given by these companies. But, again, if people miss it, that’s when I start to see the angst and the rage start to permeate more online.

Sam Mackenzie [00:27:51]:
Yeah. Those estimations need to be relatively accurate, I would say. And you’ve probably only got, you know, one or two chances at changing them or updating them. If they get too many updates, then you’re gonna start to get backlash. In the power example, I guess, customers are trying to work out if they need to go down to a hardware store to buy a generator or not. That’s probably what they’re trying to work out. Can they manage till that Sunday example? Can they manage till Sunday without a generator, or do they need to come and borrow one, or buy one? Obviously, you know, flights are extremely emotionally sensitive, particularly because you’re often at the airport already, and it’s not particularly comfortable for any length of time, at least. So, you know, sensitivity is probably exceptionally high when you’re at the airport.

Sam Mackenzie [00:28:34]:
And obviously flight patterns, aircraft are very challenging things to time, and yeah, that timing. You’ve probably only got a small window of how many times you can change it.

KB [00:28:43]:
Yeah. This is interesting because it sort of leads me to my next sort of point I wanna talk with you about. Obviously, we know about the CrowdStrike outage that happened last year and perhaps to a lesser degree, like, Salt Typhoon and so forth, things that have been out there in terms of the impact that it’s had. But would you say if some of these issues aren’t addressed, like the control rooms, etcetera, bringing more alignment with security and physical teams, like, where do you think, like, as an industry? Like, what sort of path would you say we’re headed down then?

Sam Mackenzie [00:29:12]:
Yeah. So maybe just touching on, so people are probably aware of CrowdStrike because it affected quite a lot of people worldwide. Obviously, it wasn’t a cyber attack, but it was a sort of an example of what cascading failures would look like when, okay, you’ve got a fundamental underlying system that fails, and that causes cascading failures across all sorts of different physical systems and, you know, customer systems, retail systems, supermarkets, all those sorts of things. So it’s a good example of what could happen. And then, so Salt Typhoon, people aren’t aware. This is an adversary, believed to be a nation state backed adversary, particularly focused on the US telecoms networks. So it’s infiltrated, actually, 11 telecoms networks. So, it’s not just one or two of the smaller ones.

Sam Mackenzie [00:29:55]:
It’s actually impacted the big ones. So Verizon, T-Mobile, and many other networks over there. And they got in through some vulnerabilities in some networking hardware. They’ve been listening in, and they’ve been listening in for many months on that data. Phone calls, text messages. And so the agencies, the security agencies over there, the CIA, the FBI, have actually recommended to use encrypted communications, which is a backflip on what they used to say a couple of years ago. So they’re actually recommending using encrypted applications for phone calls, and not to use the phone network. You know, things are really changing. So even agencies like that, the cybersecurity agencies in the US, are recommending quite differently to what they were recommending a couple of years ago.

Sam Mackenzie [00:30:38]:
And so, I think where we’re heading is really that, you know, we need to protect the backbone of our networks, be that the, you know, the electricity grid, the telecoms networks, and treat all of those areas as critically important to society. And that’s why, you know, the Australian government has focused the Security of Critical Infrastructure Act, the SOCI Act, on including those sectors to, you know, to make sure that the Australian public get cybersecurity front and center for those organizations, to make sure that we are securing them.

KB [00:31:07]:
Would you say that people are more focused on the application layer nowadays because of everything that’s sort of there in terms of, like, people’s priorities? Just as you’re speaking, that’s what just came up in my mind.

Sam Mackenzie [00:31:20]:
There’s an incredible cost to making sure everything’s fully secure. And, you know, that’s perhaps probably not even really achievable, even if there was the budget. Where’s the balance? So most, you know, all organizations are looking for return on investment for balancing their books. And I guess what we’re trying to do is work out where is that balance. And I think it needs to shift in that before, you could put out products that were, you know, maybe not getting patches and updates, even if they had software on them. And now, Australia, last year, the government released the Cybersecurity Act, and now those products need to have updates for new vulnerabilities, and a number of other requirements. So how we design products, how we make them secure, is starting to become requirements out of not just our government, but other governments worldwide.

Sam Mackenzie [00:32:08]:
And it’s something that organizations are gonna need to factor in to how they design and build products and support them after they’re released.

KB [00:32:16]:
So, Sam, do you have any sort of closing comments or final thoughts you’d like to leave our audience with today?

Sam Mackenzie [00:32:21]:
Yeah. I mean, that sort of secure by design, secure by default, and secure by operations, they’re like emerging principles. In some cases, it’s becoming law. So that’s really important. I guess, I’m, you know, super passionate about this area. I’ve actually sort of recently started a cybersecurity for critical infrastructure community in Australia. So if there’s people who are wanting to join that because they’re interested to hear more about it, then, yeah, just get in touch. Yeah. We look forward to helping protect modern day society through ensuring the security of our essential services.
