IoT, OT and Critical Infrastructure: A Chat With Sean Tufts

September 3, 2020

Our recent Cyber Threat Intelligence Estimate devotes considerable attention to the burgeoning challenges security organizations face with the Internet of Things, operational technology and critical infrastructure. In this interview, Sean Tufts, Optiv’s Practice Director of Product Security for ICS & IOT, discusses these issues and provides insight into where these markets are going in the coming months and years.

Transcript

Sam Smith: Hi, I'm Sam Smith. I'm with Optiv Digital Marketing here in Denver. Today, I'm with Sean Tufts who's our practice director of product security for ICS and IoT. Sean, thanks for making time for us today.

Sean Tufts: Absolutely, Sam. Thanks for having me.

Sam Smith: Now, Sean, the annual Cyber Threat Intelligence Estimate report was released recently. And I know you're especially interested in the analysis of the Internet of Things issues. First off though, I know IoT has become a big buzzword. Would you start off by giving us maybe a proper understanding of what the term is?

Sean Tufts: Yeah. IoT, everywhere I look on LinkedIn, I think every other post is IoT related and everyone's putting out a bunch of content around, hey, control your Alexas, control your smart fridges. I think that's a bit of a red herring. I'm not as concerned about those specific items that run on the corporate network that have different security capabilities built around them. I'm more concerned about the pieces of IoT that are functional for how a business operates. So when I think of IoT, I think of anything that's non Windows, non Linux, and we start to kind of quantify that you look back at your enterprise and say, "Hey, I actually have a lot of this and it's really close to the money making activities we have."
Think of PCI machines, think of security cameras, think of badge access, think of sensing equipment along a conveyor belt. None of that's going to be Windows based. So just saying, "Hey, here's a patch for it," isn't that easy. IoT, on the other hand, the real important items are going to sit so close to your revenue generating activities that you can't just cut them off a firewall. You can't just kill the process. You've got to get real in-depth and figure out why is this machine critical and what are the risks that we face by having that on the corporate network?

Sam Smith: So I think, as you allude to, we all know that the Internet of Things, IoT, is booming. Can you tell us where exactly you see the market you're heading, i.e., the real market that you're talking about?

Sean Tufts: It's analytics driven. I mentioned the sensors that are getting close to the money making activities. Boards and the C-suite are starting to get an idea that, "Hey, that conveyor belt, we can start to monetize the activity there. We can start to get more real time data." The example I use, we have a client that processes and manufactures raw chicken. Temperature is critically important to them. They really need to understand when temperature dips, when temperature rises. And for the most part, that's been held very closely by people at the restaurant level, people at the warehouse level, people in the packaging centers, and that's not really acceptable anymore. The boards are asking to pull that data out, have it in one tranche so they can see where individual deviations from standard exist. Where's the refrigeration piece going down? Where is a heat wave affecting production? Where is improper actor on the network? So that's where IoT is going. It's going to be big data infused and customers are starting to unlock the potential that's been collected by so few and start to extrapolate it out and monetize it.
Especially in this world of COVID and having to do more with less and having less ability to get to the sites. So I think that's where IoT is going. It's going to be wrapped in this big data blanket. It's going to be really warm and fuzzy, but if you don't hit those security milestones correctly, it's also a really big window you open for your organization to get leveraged, I'll say.

Sam Smith: Let's compare this to OT, operational technology, which gets a lot less press than IoT, but it's hugely important. What's happening in that corner of the market?

Sean Tufts: Yeah. OT is the grandfather. In a lot of situations, the processes that control the gas in our tank, the electricity in our grid, the food on our table. A lot of that was built in the '70s, '80s, '90s, and has not been looked at since. So a lot of these machines that are operating are running on very legacy equipment on very, very old routers and switches that were put in when the machine was built, when the building was built and have been entirely left alone. I have seen more times than I care to admit people blow the dust off of a router or a firewall because that's how long it's been sitting there. We have to modernize those old world machines. For a long time there was a tolerance for, hey, it's not broke, don't fix it. But my earlier point about big data, those boards and those C-suites are starting to see that same kind of activity where I described chicken on pipeline fuel pressure, on the grid harmonics, on supply chain issues, on the weight and movement of a box inside of an airplane or on the conveyor belt. Those things are starting to become places where wins and losses are being made. If you look at the oil and gas markets of the 1970s, a lot of the winners and losers were based around geopolitical things. How was your OPEC deal? How was your relations with XYZ country? In the '90s it was your frack position. How close were you to the spot in North Dakota that you needed to be at?
The next iteration of that is who's going to do 2 to 3% more with this old legacy equipment and who's going to wring out every last piece of value from these operating gigs? And the way you're going to do that is through digitization, through modernization, through better analytics. That's where this industry is going. The old crashing into the new and having a real kind of grinding of gears over which parts are most valuable. And again, every time we transition to a new digital world, we're opening up a new threat vector. We're opening up a new risk that then we need to retrench back to on the security fundamentals.

Sam Smith: One more, let's talk about critical infrastructure. Now, that's not a generic term. It has a very specific meaning. Can you give our listeners a quick look into what's happening with critical infrastructure and what that means specifically for their organizations?

Sean Tufts: Yeah. Critical is growing. Critical used to mean a very defined set of characteristics. It was really based around the utilities was number one, water was number two, and fuel was number three. Now we're starting to see the reliance and maybe COVID revealed a little bit more, but what happens when we've got food chain disruptions? What happens when we've got manufacturing disruptions? What happens when manufacturing is, we all know sweaters and shoes and t-shirts, sure we build those all the time, but the shipping and logistics behind food. The creation of a lot of the COVID response stuff is being delayed from a vaccine perspective because of a lack of syringes. So when we start talking about critical, we're starting to expand our scope away from just that traditional utility based critical piece and branching out into places like data centers, places like critical manufacturing, places like food disruption, logistics, all those things are critical to us. We saw a two week delay in toilet paper and the whole world almost shut down.
And that, while is a critical component, it's also showing how reliant we are on individual supply chain issues. So that word critical is growing in the critical infrastructure place. We're starting to see a lot of, obviously pharmaceutical companies come to the fray and say, "Hey, we need to advance our security policies." But we're also seeing manufacturing and we're also seeing logistics. They're starting to open their aperture up to security projects where they've typically been ignoring them. The other thing that's really happening in this environment, in the critical infrastructure world, is a workforce aging issue. There was, when I was coming out of college, there weren't a lot of recruiters on campus that were really saying, "Hey, go to the oil fields. Hey, go to the process control world." And we're starting to see an aging out of some employees and being retrenched back in with people who never were in charge of building those old infrastructure pieces. They weren't in the original build of those factories. And they like tools that are modern. They like GUIs that are slick. They like processes that you can port. They like working from home. And that is changing our perception of how we can interact with critical infrastructure projects. It's so much the days of put your hard hat on and go into the factory. More and more, it's having 24/7 visibility from a portal, from a tablet, from a mobile device, being able to walk up to a turbine and yeah, look at the sensors and gear and valves on the machine, but also get some advanced analytics from your desktop. So a lot of that world is starting to unlock new capabilities and it's being done on the back of a workforce aging out and a new, more digitally inclined work group coming in. And that's really changing that OT environment as well.

Sam Smith: Sean, thanks. We appreciate your time and your insight. For those of you who haven't yet seen the CTIE report we're talking about, go to optiv.com.
On the homepage, just scroll down a little bit on the right side, you'll see the section on CTIE. If you click on it, you'll not only find the full report, but you'll also find a suite of podcasts we've done looking at specific pieces of the project featuring, not only our industry leaders, but partners like Digital Shadows, VMware, Carbon Black, Palo Alto Networks and SailPoint. Once again, thanks for joining us. Have a nice one and we'll see you next time.