Episode 39

Published on: 7th Feb 2024

Adapting to Legislative Demands: Insights on Cyber Security Compliance in Critical Infrastructure

Welcome to Razorwire, the podcast dedicated to exploring the complex and evolving world of cyber security legislation. I'm your host, Jim, and in today's episode, we delve into the intricate landscape of cyber security legislation with our guests Steve Applegate and Phil Tonkin from Dragos.

In this episode, our guests shed light on the challenges and intricacies of navigating the cyber security legislature, focusing on the impact on critical infrastructure and the evolving landscape of compliance. From managing connectivity safely to the complexities of integrating IT and OT in modern manufacturing, we explore the key factors influencing cyber security legislation and its practical implications.

Key Talking Points:

1. The importance of managing connectivity safely and ensuring proper segmentation and visibility under the NIS legislation.

2. Challenges faced by organisations, such as Sellafield, in implementing controls and recognising legacy challenges in OT environments.

3. The impact of conflicting regulations on consumers and the need for practical compliance requirements in cyber security legislation.

“We can't let FUD be the guide, right? If every time we hear a thing, we start panicking and we deviate from our processes and start making a whole bunch of new mandates, even internally, all the people within a company that have to track that and follow it and meet with people, and it's a distraction, I think, from real security."

Steve Applegate - Dragos

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen


In this episode, we covered the following topics:


  • Managing Connectivity Safely: Emphasising the need to ensure proper segmentation and visibility in cyber security legislation.
  • Challenges Faced by Organisations: Discussing the difficulties in implementing controls, recognising legacy challenges, and the importance of proportional controls.
  • Conflicting Regulations and Consumer Impact: Raising concerns about conflicting regulations and the impact on consumers due to compliance costs.
  • Information Exchange Hesitance: Discussing the hesitance of information exchange for cyber security purposes and its impact on managing threats.
  • Reporting Dilemma: Describing the challenge of eradicating cyber events and the dilemma of reporting to the public versus mitigating further attacks.
  • Third-Party Oversight Frustrations: Addressing the frustration with third-party involvement in security oversight and assessment processes.
  • Transparency in Security Relationships: Advocating for transparent and trust-based relationships with third parties, emphasising actionable intelligence, and fostering transparency.
  • Evolving Skill Set of Security Professionals: Describing the evolving skill set of security professionals, particularly the increasing specialisation and separation from GRC.
  • Legislative Impact on OT Environments: Expressing concerns about the impact of legislation and compliance on operational technology environments and the difficulty of implementing changes in systems with old technology.
  • Challenges of Sudden Legislative Changes: Discussing the challenges of sudden legislative changes, public outcry influencing legislation, and the need for realistic expectations of change in a legacy industry.


Resources Mentioned

- Dragos

- Sellafield

- Azure Active Directory (AD)

- Microsoft Active Directory



Other episodes you'll enjoy


DORA Compliance Made Clear: Essential Training for Safeguarding Financial Institutions w Paul Dwyer

https://www.razorthorn.com/dora-compliance-made-clear-essential-training-for-safeguarding-financial-institutions-w-paul-dwyer/


Lessons from an InfoSec Icon: A Fireside Chat with PCI Guru Jeff Hall

https://www.razorthorn.com/lessons-from-an-infosec-icon-a-fireside-chat-with-pci-guru-jeff-hall/


Connect with your host James Rees

Hello, I am James Rees, the host of the Razorwire podcast. This podcast brings you insights from leading cyber security professionals who dedicate their careers to making a hacker’s life that much more difficult.


Our guests bring you experience and expertise from a range of disciplines and from different career stages. We give you various viewpoints for improving your cyber security – from seasoned professionals with years of experience, triumphs and lessons learned under their belt, to those in relatively early stages of their careers offering fresh eyes and new insights.

With new episodes every other Wednesday, Razorwire is a podcast for cyber security enthusiasts and professionals providing insights, news and fresh ideas on protecting your organisation from hackers.

For more information about us or if you have any questions you would like us to discuss email podcast@razorthorn.com.

If you need consultation, visit www.razorthorn.com. We give our clients a personalised, integrated approach to information security, driven by our belief in quality and discretion.


Linkedin: Razorthorn Security

Youtube: Razorthorn Security

Twitter:   @RazorThornLTD

Website: www.razorthorn.com


Loved this episode? Leave us a review and rating here

All rights reserved. © Razorthorn Security LTD 2024



Transcript
Jim:

Hello. Welcome to another edition of Razorwire. Today we're going to be navigating the courses of cybersecurity legislation from government institutions and other institutions related to those types of organizations. And in order to do that, I thought, who can I get who really knows this environment and has a number of customers under very strict legislation from government on the services that they provide? And I thought of Dragos. So we have the wonderful Steve and Phil, who can tell us a little bit more about what they're seeing from kind of like their customer side and some of the conflicts and issues and difficulties that they actually have themselves. So let's hop down this bunny trail and see what we can get. So let's do the introductions. Welcome to the Razorwire podcast, where we discuss all things in the information security and cybersecurity world, from current events and trends through to commentary from experts in the field, providing vital advisory on what it is to work in the information security and cybersecurity space.

Jim:

So here today to talk about legislation and navigating this wonderful world of cybersecurity in an ever changing world. I have two special guests. I have Steve and Phil, both from Dragos. So, Steve, shall we start with yourself?

Phil Tonkin:

Yes.

Steve Applegate:

cybersecurity since the late:

Jim:

Fantastic. And Phil.

Phil Tonkin:

Hi, I'm Phil Duncan. I'm chief of staff at Dragos, chief of staff to the CEO. My role on a day by day basis often involves me engaging with customers and listening to the needs that they have, in particular in resolving the issues that many critical infrastructure companies have around the globe. I joined the cybersecurity industry only a few years ago, but I focused on cybersecurity with my previous employer for the five or six years before that. But my career has really spanned many different engineering functions and understanding how to manage assets and how to manage risks within those spaces. So I am one of those people who transitioned from looking after the systems that we're now trying to protect. By getting an understanding of how those systems work and what risks they face, you could understand the challenges that the additional threat vector of cybersecurity offers.

Jim:

Fantastic. I've been looking forward to speaking with you guys on a number of different subject matters for a little while. I think you guys have quite a unique kind of offering where you do get involved in a lot of organizations who are subject to the kind of legislation that most other organizations don't tend to come across. I mean, there's plenty of people out there that are used to kind of like financial regulation, that kind of thing. But when it comes to government, especially OT, it's quite extensive. And I know that from a cybersecurity perspective, legislation in this space is relatively new. In the grand scheme of things, you go back ten years and the legislation was very loose because I think a lot of people looked at infosec as not really a thing that you needed to worry about, and how that has changed in recent times. I turned on the news this morning and do it every morning. It's like, who's been compromised today? Who's gotten themselves in trouble? What water company has been done by a particular group out in certain parts of the world who may not be annoyed at another certain part of the world? What nuclear facility has been done? I think in the UK Sellafield has just been reported to have been compromised.

Jim:

And I think what we are seeing in recent times is quite a big uptick in both commercial compliance requirements such as PCI DSS, the need for ISO 27001. But we're also starting to see a lot of governments start to really catch up as well and take the kind of cybersecurity piece really seriously. I mean, Steve, you're from over the pond in the States. You've recently had your president, Mr. Biden, legislate against kind of like the AI side of things, which has, I know, been quite a big piece for Silicon Valley. But you guys are starting to see quite a significant change in the way of things working over there because of that Colonial Pipeline issue that occurred a few years ago. Do you just want to give us a bit of a view of what your thoughts are and what you're seeing over there in the States? Because no doubt we're going to be seeing either something similar over here or we're going to be seeing it relatively soon.

Steve Applegate:

Yeah, I think first and foremost, I think that there's a lot of confusion in the CISO community and the practitioner community, the asset owners. And again, Phil might be able to elaborate on this. He spends a lot more time with customers. But if you ask a person that owns a know program at a company and say, what do you need from the government? They're likely going to say, I don't want the government involved at all, because now if the government's involved, now I've got to set up a whole new compliance wing. I've got to take dollars from my actual tangible security budget and put it into trying to protect this new risk of non compliance or whatever, especially when it has teeth, when there's millions of dollars or whatever in levies or fines if you are found non compliant. Whenever people are looking for guidance, but when they look at the guidance that's available today, most companies, it seems like now, are starting to have to deal with international regulations. So they've got, like you're talking about, there's executive orders and there's some things that apply to everyone across the board in the US, and then there's state specific legislation, and then there's now anything we have to deal with with countries where we do business. It just gets really complicated. There's no kind of Rosetta Stone or something to say, okay, here's what I have to do for, take your pick.

Steve Applegate:

For password complexity and length or for encryption. There's no, just one size fits all. If I do this and meet this need, this will take care of all compliances. So you instead have to protect two certain compliances and map all these controls. And it just gets unwieldy and it changes. It's such a moving target. If you think you're doing okay today and you haven't looked for a couple of weeks, there might be some new legislation or change that you have to meet, it just makes another risk that's difficult and could possibly take scarce resources away from an area where we're sometimes starting to make some traction and get ahead of the thing.

Jim:

It must be crazy for you guys, actually, because I mean, over here in the UK, and we'll kind of move over to know shortly, we don't have quite as much difficult legislation to navigate because, as you quite rightly pointed out, Steve, you've got the local state, you've got the federal requirements, then you've got any kind of additional government requirements via industry, industry standards. You've got things like HIPAA as well. So if you're the CISO of an American organization or an organization that's multinational and has locations in the States as well as, say, in Europe or whatever, you've got GDPR over here to worry about, you've got legislation over there. How do you kind of track all of this? I mean, is this something that you've literally got to the point where we really need to have some kind of GRC tool to figure out what's going on across the board? Because you could comply with one legislation, I'm guessing, but it might not quite comply with another legislation that requires, say, a stronger password or multifactor authentication. Or do you have somebody you actually employ to do this, or is this looking increasingly like something that you might end up having to do?

Steve Applegate:

Absolutely. I think both things that you said, you have to have a tool of some sort. The days of trying to manage this with a spreadsheet, even if you had an army of people, that's going to be impossible. And not just a tool that does mapping and crosswalks across controls and things, but you have to have some way to be looking out there and seeing what's coming new, like crawlers or some kind of feeds to keep the tools updated. And then, like you say, a dedicated team. The hard part of security should be the security part, trying to figure out what controls are effective, have a threat intelligence that feeds and builds your efficacy of your toolbase and things like that. But it seems like now that that's almost more tangible and more defined in a way than the compliance framework. So you end up having to have almost two sets of teams.

Steve Applegate:

ecurity, I guess, as early as:

Steve Applegate:

But then over time that became its own specialty and they separated. Now, same kind of thing: a security person is going to separate, it seems like, from GRC, and it's going to have more of a legal acumen, understanding all the ins and outs of every word and what the ramifications are.

Jim:

And it's funny you should say that, weirdly.

Steve Applegate:

Enough.

Jim:

I was talking with another colleague, a friend of mine, the other day, and there seems to be this new breed of infosec persons springing up from the legal sector, of all things, which I never thought I would see. But you've got cybersecurity specialists in the legal sector now, and it's like, wow, okay, this is very different from the 25 years ago when it was all sticky tape and chewing gum and everything was kind of put together. Now we have entire legal representatives whose sole job is to understand legislation, whether you're in, whether you're out of it, and how to argue in the event that there is an issue or whatever. But let's move over to Phil. Phil, what are we seeing in kind of the more European side of things when it comes to legislation? I mean, we've got DORA incoming soon. Well, it's technically already in. It's just not kicked off just yet, which is going to be a real big game changer in Europe. But what are your thoughts on the subject matter of legislation?

Phil Tonkin:

Yeah, it's been a really sort of interesting journey over the last few years in Europe and the UK. A lot of the legislation in particular that affects critical infrastructure companies has come a lot later in the journey. When you look at the history in the US with things like NERC CIP regulations that apply to the electricity industry, it's been there for a long time and it's had time to develop and it had a purpose, it occurred, to set up that kind of legislation to manage a risk that companies didn't necessarily believe in at the time it was brought in. And I think that's when regulation and compliance can really work, when there's not necessarily any motivation to do the right thing, you've got to come in with specific controls that are very measurable and it drives people to do something. And without a doubt, that moves the risk needle somewhat. But one of the big challenges with a lot of compliance frameworks is that being compliant doesn't necessarily mean you're managing the risks. It doesn't mean you're necessarily managing the specific threats that are out there.

Phil Tonkin:

at were there in Niz one from:

Phil Tonkin:

There's a huge amount of movement in Europe right now and has a lot of complexity, and there is a risk that organizations have a lower tolerance to compliance risk than the risks that they have from the outside world. So they will put a lot of effort into demonstrating compliance. That is a transfer of effort and resources and funds towards demonstrating compliance, over managing and mitigating those specific risks. As Steve was saying, you really do need to have a proper threat led approach to understanding the risks that you face as an organization who's targeting not just me, but the type of industry that I'm in. What are the tactics that they're actually using that helps you to understand? What should I really try and address? But if you've got a compliance framework that says everything should be patched within a certain period of time, you can run around patching things that are just totally unnecessary. But that's the sort of thing that people will do, because it's the only thing that's really measurable to them because they haven't invested in that risk based process. So, yeah, there's a lot going on. There's a lot for people to keep on top of.

Phil Tonkin:

I think we are fortunate that it's newer legislation that's built on some sort of foresight of what's happened in the past in other countries, but it's still got. There's a big uplift for many organizations who are just starting to fall into that compliance space. NIS 2 brings a lot of operators of infrastructure in that weren't in the original legislation. When you look across many of the European countries, we're seeing sort of a tightening of capabilities as the UK government start to think about what to do with it and its regulations as well. So it's a challenging time.

Jim:

I've always had a bit of a love hate relationship with legislation and in many respects, compliance as well. I mean, commercial compliance, I think, is a very different animal to legislation. I find a lot of legislation is massively knee jerk. It's like something happens, something bad happens. The government kind of goes, oh, we got to get involved because we can't have this kind of happen again. And then five minutes later, you've got a set of directives and you're like, did they consult an infosec person when they wrote these? Because some of these are going to be very difficult to implement. And it's like, well, if this is now legislation, if this is coming in, in the next sort of six months or so, some of the changes that you suddenly see, you're like, I can't do this in six months. I've got a massive environment.

Jim:

I've got, in many respects, especially in the OT industry and staying with the manufacturing industry, a lot of old technology, old systems that are running these lines that haven't necessarily had many updates in years and years and years. And you can't necessarily impose security constraints on that kind of environment. Are you seeing a lot of problems with that kind of thing, with some of the OT environments that you guys handle on the customer side of it, obviously, I'm not saying that your customers aren't handling it. I'm saying it must be a significant challenge for them, because if you've got a system that's ten years old that runs, I don't know, your gas pipeline, and it's not exactly going to be in support anymore, is it? But they don't want to change it. They might not have the budget to change it, and then all of a sudden they've got this legislation that kicks them in the teeth, and they have to suddenly try desperately to hammer this square peg in an extremely round hole.

Phil Tonkin:

We have certainly seen some of that. Those initial knee jerks. Post the Colonial Pipeline incident, the importance and reliance that we have on things beyond electricity suddenly became obvious. I think historically, the immediacy of any issue on the electricity grid has meant that it's become an early focus of legislators. There's never been a film where somebody's doing hacking, whether or not trying to switch off lights, whether their objective is to rob a bank or something more nefarious. It's been dramatized by Hollywood for a long time. But pipelines are different. Pipelines, the impacts of something like a cyberattack are much less immediate.

Phil Tonkin:

But can be much more significant. And I think that's, in the past years, made it much harder to legislate for, because the typical attack that you imagine against a piece of infrastructure is switching the lights off. You click a button, it opens a circuit breaker and the lights go out. There is no equivalent on a pipeline. They've got things like line pack, keep it flowing for some time. You might say operational disruption, but not necessarily an immediate impact to many people, but over time and over days, those things become more obvious. And so we saw that the gaps in legislation suddenly being brought to public attention there. And so there was a very fast reaction, which was necessary by legislators like TSA, who are responsible for pipeline security.

Phil Tonkin:

But actually with some collaboration and some initial consultation with the private owners of infrastructure, and by listening to security experts, a lot of the initial proposals, which were very NERC CIP-like, with very demanding timelines, were changed to much more risk based controls. And so I think it's understandable, the fast reactions that legislators will bring in when there's a public demand. We're a very reactionary society now. That level of communication and connectivity we have means we demand things faster and we strive towards popularism. So I think there's a certain expectation that when something happens, legislators are just going to turn around and fix it very quickly. But modifying, like, say, a ten year old or 20 year old system supporting a pipeline can't be done overnight. It's difficult when those things come in quickly and there is that reaction to it. Legislators are reacting to a threat landscape that's changing very quickly as well.

Phil Tonkin:

So again, it's very understandable that they're driving that, but there has to be a certain amount of realism to how quickly change can occur in a legacy industry.

Steve Applegate:

Yeah. Otherwise you end up introducing operational risk. That's much more real than the potential for a cybersecurity breach or cybersecurity fine. Yeah, I have anecdotes. I was a NERC CIP auditor for a while, and I remember going to one place and the CISO came out and talked to us before the audit and said, I've instructed my people to turn off any device that's the least bit out of compliance. They started naming all the stuff, and as we started looking through, they had done that already. They had turned off certain control systems and they had lost visibility, and they made a decision and said, this loss of visibility is a risk. Yes, but we have other manual controls and we know which lineman is out on which device or which pole or whatever at any given time, we were using radios. And so they literally were so worried about a violation that they went out and decreased their capability and their visibility and basically put human lives at risk.

Jim:

There's a kind of intrinsic risk between do we follow this sudden change in legislation that has suddenly occurred, and now we need to get it done and kind of lose visibility because suddenly we've got to turn off a load of systems that we've been relying on for so many years, versus keeping them on and then running the risk of being attacked. I get the impression in many respects, with a lot of legislation coming out, especially government, it's more based upon the outcry from the public. I remember the public outcry. For instance, we're using the Colonial Pipeline as a good example because it was a really good example of something that occurred relatively recently where there was awareness immediately because the reports were coming in, oh, the oil is going to run out and no one's going to be able to do anything, and all of a sudden, cars aren't going to get filled. What was it like over in the States when this was kicking off? Just listening to the media. I mean, having visited the States myself, more than a few know, I love the place. I think it's fantastic. I'm mesmerized by your TV, though, because it's like there's a lot of sensationalism on news channels where you get like the three people arguing with one another on telly about the same subject matter.

Jim:

But what was it like out there when that kicked off? Did that really kind of kick the government into touch? Like, right. We're going to need to do something immediately, calm the populace down.

Steve Applegate:

I'm just trying to think of different things in my life that occurred and still continue to occur whenever we have a scenario like this. But on the good side, budgets are no longer as restrictive. But then it seems like if a CISO doesn't already have a seat at the table, this is going to allow them to have a seat at the table, but then they're going to be asked questions strictly around whatever's in the news, whatever is sexy. And if they realize that they're missing hygiene, they're missing not sexy stuff. Again, you talked about old computers and old, if they've got ten, is pretty new. When you said ten, I was like, oh, man, I wish we were talking about Windows NT or something. Some people are stuck with Windows 95 and it was never designed with security in mind. And so if they're stuck on something like that and they're now hearing about this latest threat, and they're trying to address this to the board of directors and come up with what they're doing about Log4j.

Steve Applegate:

I don't know. I'm just trying to think of something more modern than some Windows machine that can't be patched anymore. It's difficult. Sometimes it gets a distraction. It makes a distraction where they want to try to. Okay, I really like how you're engaging now, board of directors, I really get that. I get that you're very interested in this now, and you understand the threat, but then they have to turn around and exert their own expertise and take a bold step and be able to say, okay, do you remember last year when I mentioned that we've got to get rid of Windows 95? They have to go back and try to address fundamentals. And sometimes there's something that I feel like this is.

Steve Applegate:

I think it's going to resonate with Phil. What he's hearing from some of our customers is you can't treat OT like IT. So you're talking about a manufacturing plant, electricity, any place where you have a lot of OT stuff, and then you're hearing about a threat against it that may or may not even apply on the OT side. If it does, that's even more problematic. That probably means you don't have segmentation. You have nothing between your IT and your OT. So it takes this new getting the fundamentals, the same thing that we did in IT 20 years ago, the same idea in place, like the change management and stuff. But Phil has mentioned it two or three times.

Steve Applegate:

It all has to be risk based. If we take a vanilla approach and say we cannot have one compliance violation across anywhere, otherwise it could be a million dollars, then they go to some unused system. Hardly. Or some like. I don't know. I'm just trying to think of like a weather feed. Very important to know what the weather is doing. But if you have a box that all it does is accepts feeds from the weather services and allows the people to plan maintenance and things like that, it can't be treated with the same risk as an engineering workstation or anything on the lower levels of the industrial controls.

Phil Tonkin:

Yeah. So capturing what really is key to the organization, what delivers value, is so important in looking at risk, and that is actually called out in things like the NIS directive. You only have to deal with assets that are in scope. And most of the time, the IT side of the house, most of it is considered in scope because in many ways IT is the protective layer that looks after a lot of the OT. There is an intrinsic connectivity between IT and OT. The idea of one being air gapped from the other is incredibly rare now. And if you were to look at modern manufacturing, it would be absolutely impossible to think, to imagine how today's modern supply chains would work without that intrinsic connectivity that exists. We talked for many years about industry 4.0, and they said where that's come to fruition is in the manufacturing sector.

Phil Tonkin:

You see the demand from a supermarket deriving from particular suppliers what products need to arrive. Trucks arrive, and they pull into lights out warehouses where there are pallets of goods that have been specially picked and selected by robotics. They're put onto the trucks without any human interaction. There's no way of managing a complex supply chain and that kind of variety without an intrinsic exchange of information between different organizations. And it's often at a commercial level. So you got to think about the end to end capability of an organization and the capacity those work. Management systems, the enterprise management systems, the commercial systems, they're all connected in some way and have to be done in a very particular way to keep it safe. But we can't just disconnect, can't assume that there won't be connectivity.

Phil Tonkin:

We've got to figure out how to manage that connectivity in a safe way, how we ensure that things are properly segmented and segregated, and how we have visibility of those things. We can see that communication, that necessary communication that's occurring, so that there's the ability to respond to the most important vulnerabilities, in particular the threats that might be occurring in that space. It was really cool to see that in the NIS legislation. Actually, the idea of in scope assets, we're not just looking at everything. We're not just seeing everything in this particular system because it's over a certain number of watts. But instead getting organizations that are in scope due to their overall size to think about what's important to their operation and driving towards that risk based perspective. But it is understanding that we can't just disconnect, we can't just air gap anymore. We can't have these old fashioned controls. You mentioned the Sellafield reports that we've just seen in the media.

Phil Tonkin:

It's really challenging when you get these for organizations like them, who've got a non corroborated story that comes out and generates a huge amount of work for them to go and deal with. But the government departments that are responsible for looking after them, they are a NIS compliant organization. It has to be. The Office for Nuclear Regulation is involved in looking after them. The Department of Energy Net Zero will have been working with them for years now to ensure NIS compliance. And it's important that we recognize that there will be very difficult controls to implement there. One of the things called out by the Guardian in their reporting on that is the fact that USB sticks can be used on this equipment. Of course they can.

Phil Tonkin:

They've built an environment that has been air-gapped for many years, with many bits of legacy equipment, without knowing what's in their environment. I think it's entirely reasonable that those things may exist and they will have all the mitigations for it. But without an understanding and appreciation of legacy challenges, there can be a lot of very difficult-to-manage messages, because the things we assume are a problem even from an IT security perspective, the things that we think of as normal and not-normal controls, are often very difficult to implement in those legacy OT environments. And I think we've got to step back and appreciate the hard work that everybody is putting in in this space, and make sure that the right and proportional controls are driven in by legislation. I think that's something we've got to always consider. Every environment is difficult.

Phil Tonkin:

You will have some of those highly segmented, standalone legacy systems like you get in nuclear generation or reprocessing. But on the other end of the scale you've got that highly interconnected, highly interdependent IT/OT environment in manufacturing and supply chain, which is intrinsically interconnected. It is intrinsically digital, and we need to allow for that and make sure that the right controls can be put in place to keep things flowing, because we need goods on our shelves as much as we need electricity; we've got to eat. And so I think it's also good to see that shift in legislation, not just to look at things like electricity, but also to look at all of the things that are critical to us in civilization.

Jim:

We all know that government departments aren't necessarily the greatest at talking to one another, or even planning together about what they're about to put in place. You know, these are the new guidelines. And in the UK we have ombudsmen who do this all the time. And you see conflicts within organizations because two different legislations, a cybersecurity legislation that says one thing, could actually kind of countermand or break legislation from another completely different department, nothing to do with cybersecurity. And it was something that I gleaned out of the old technology thing. You've got legislation that says, right, you've got to keep an uptime of this amount of time, you've got to maintain your pipeline or maintain your electricity feeds and gas feeds, or whatever it may well be. But then on the other side, you've got cybersecurity saying, no, you can't have those systems because they're old.

Jim:

Who wins in that situation? Do you end up in this kind of deadlock environment? Because they're never going to talk. The gas people are never going to talk to the cybersecurity industry, or ombudsman, if we end up with one of those in the UK. I mean, what are your thoughts on that? Do you see that, first of all? And is that something you kind of live in a bit of fear of? It's like, who wins?

Steve Applegate:

Yeah, I don't really know who wins. Who loses is the consumer, because at the end of the day, the companies are running thin. You can't take a manufacturing company and say, okay, now suck up another $50 million budget for compliance or whatever. So all these costs have to get passed to the consumer. So at the end of the day, now, who wins? And those arguments between competing authorities and everything, that's where I feel like the only practical way that I've personally ever been able to do it is to try to build a high watermark and say, if you're saying five-character password and you're saying ten, let's do ten. But even that's complicated, since it's a moving target. And I think also what you kind of teased out is, do we even want passwords? I mean, if I can have a better way with MFA and no passwords, why shouldn't I? So the whole idea of technical feasibility being built in, and say, if you could make really practical compliance requirements that say, at least do this, but anything more secure than that is okay. But a lot of times they don't have any kind of a caveat like that.

Steve Applegate:

It's strictly at the words, whatever the words mean. And the compliance requirement is what you have to address, even if the intent of the requirement is met. That's where, I guess, attorneys hash it out in court at the end of the day.

Jim:

But that's expensive for the, as you say, that's expensive on the budgets themselves, because normally you're the one that's fighting it in court. And of course, if it sets a precedent, then it has a knock-on effect to a lot of other organizations within the environment who are having the same kind of concerns.

Phil Tonkin:

I can think of two examples of where legislation is to the detriment of the advancement in cybersecurity. One is on information exchange. The hesitance that many organizations have in order to quickly share information with their peers, to try and mitigate the threat from expanding fast, is that ultimately, once you get to the point, in a process, of declaring the event, you start a chain of events. So there's a delay for people waiting until the absolute certainty that this has gone from being an incident to a potential cyber incident to a cyber event. Once you get to that point where you're saying, yes, I'm declaring that this is an incident, and it starts to become reportable, people will hold off from that as long as they feasibly can, until they've got absolute certainty. And during that time, that's when information is new. We struggle to get that exchanged. And there have been many cases where, within organizations, there's almost a certainty that they're under some sort of attack, but the ability for them to very quickly share in order to manage the threat and help others from being hit by the same thing, it could be delayed by that. The other thing is around technological advancement.

Steve Applegate:

Until you're eradicating an event too, until you're at the point where you're resilient against a reattack, you don't want to share that, even if you have a government mandate. Let's go back to our old Windows 95 or whatever, and you say, okay, we have to go and isolate and get jump boxes and do some kind of mitigation before we announce this to the public, because we still have 75 of them out there, or whatever. Our exposure is still there. So then all of a sudden, you've got the little angel on one side and the devil on the other. I'm not going to say which is the government, but one of them is saying, you shall report now. Another one is saying, if you report now, you're going to open yourself up to further attack from other adversaries.

Phil Tonkin:

But the other area I've seen where legislation sometimes drives a stifling of development is, if you take an example like cloud-based technologies, sometimes the cloud is the solution. There are some resilience reasons why people might not want to adopt the cloud in OT. And that's not really the debate. An organization deciding it should put its SCADA in the cloud, that should be driven by whether they want to physically host it somewhere else, and whether they can stand up to the idea that it might not be in their own direct physical control. But actually, most organizations aren't worried about whether it's physically the right place to put it; they're more worried about how they demonstrate compliance if they put their stuff on other people's machines. Because when you've got legislation that says you must be able to declare who has ever had physical access to a particular computer, and you don't even know where that computer is because it doesn't matter where it is, then you can't demonstrate compliance, so you can't move towards it, which means you're stuck on the legacy technology. Microsoft Active Directory is a great example of that. The on-premises version of it is ultimately riddled with flaws.

Phil Tonkin:

It's been the key way of managing access into so many systems for so long. Azure AD is the future. That is the one that is architected differently. It's the one that is going to be kept, maintained and up to date. But managing a standalone on-premises environment using just purely the legacy technologies is going to get incredibly difficult in the future if you're trying to keep on top of it, keep it patched and all the rest. But it's difficult for people to adopt those new technologies because it's in the cloud and the legislation doesn't allow for it. So I think it's going to be something that legislators need to continue to think about: how do you deal with the fact that new technologies will emerge that might be better and might be more resilient? I'm not going to argue for whether it's the right thing for people to do it or not, but the fundamental principle is that sometimes the next technology might be better and the legislation might stop you from taking it. We deal with many utilities who still use serial links instead of IP links, not because they're actually better or actually more secure, but it's the way that the legislation handles those things and allows them to have slightly different control.

Phil Tonkin:

So it's a logical decision for organizations to take, and so technological advancement is stifled by that legislation and actually to the detriment of their risk profile, which is.

Jim:

You've read my mind, Phil, on that one, because that was the other side of the question. I don't see a lot of third-party management starting. Some of it is starting to come into the more commercial stuff. You see a lot of it now because I think they've gotten used to the idea, finally, in some cases (I'm not going to mention any particular compliance legislations because I'll get in trouble), that third parties are now a thing that are here to stay: as-a-service functions, platform as a service, software as a service. All of this different stuff is now being served from independent organizations that make up the whole of your infrastructure. And you mentioned Azure; we're reliant on the security of that organization holding those functions as well. It's not just us anymore.

Jim:

We now have to consider the wider third-party food chain as well. And I'm seeing a significant challenge with that realization coming in, in the commercial world, compared to kind of companies that come under quite strict government legislation like OT organizations. They must be having a nightmare with that one because, a) obviously, I'm guessing the adoption in that space has been relatively slow compared to the more commercial world. But does their legislation even support it? And is it even coming close to being able to support the fact that they could do it cheaper, feasibly better, through some kind of as-a-service function? But at the same point, this is then going to push the problem out even further. I mean, in DORA, for instance, it's not just for financial institutions, it's also for organizations that deal with those financial institutions. So there's a domino effect in the food chain. Are we seeing that, are we going to start seeing that in legislation coming out of government bodies? Because I do worry about.

Phil Tonkin:

When I first read the NIS directive and started to see who would be in scope of that, I remember asking whether Philips would be included, because they control more load than the average substation in their ability to switch on and off light bulbs. And so I think there's a much greater level of integration with the supply chain than maybe we appreciate. And aggregated risks associated with the supply chain in OT are quite considerable. The industrial giants have become the size that they are because they are very business savvy. And these are 150-year-old businesses that have adapted many, many times through their life. And most of them, if you were to consider the largest Siemens, GEs, ABBs of the world, they have all been through many adaptations of their business model. And so they've shifted not just from selling boxes to selling services way beyond them. Others have copied that model.

Phil Tonkin:

They're moving from the idea that they used to sell big pieces of industrial equipment to the fact that they now almost service that for its life. We find many organizations that traditionally used to buy things from them almost buying services. If you look at the wind industry, many organizations now that own wind farms are not big power companies. They're pension funds. What do pension funds know about managing engineering assets? They don't know anything. They don't care. They manage assets. They manage financial assets.

Phil Tonkin:

How are they going to manage a wind farm? They're purchasing services. And you buy turnkey facilities. And they don't say, I would like to buy 50 wind turbines. You buy a certain number of megawatts of output, which means that we're seeing these OEMs actively working and connected to these assets throughout their life. Or people buying them, but they're buying them with service contracts connected with those assets for 25 years. So who and why, from a connection point of view, is expanding massively. And so even in those traditionally very vertically integrated organizations, which could create very natural digital divides between their IT and their OT at different levels, we're seeing a lot more interconnectivity and a lot more shared threat across that landscape as well. And it can be very challenging for those organizations to manage against different commercial frameworks and different legislation across multiple international boundaries.

Phil Tonkin:

I don't think that the legislation is quite there yet to start to recognize that the supply chain is part of that. But there are things in consultation for updates to the NIS directive that start to look at that. Key suppliers will fall into the scope of these things if they have that connectivity, rather than just the asset owners themselves. And so it's evolving. I think there's a recognition by legislators that there's this fundamental change in the market, but I haven't seen anything really significant in the OT legislation space that allows for it. In some cases, the legislation still makes that remote connectivity very difficult, which may drive inefficiency in those businesses. There's still very limited remote connectivity into, say, the US power system, certainly for the BES high and medium assets, because the legislation just doesn't really allow for it.

Phil Tonkin:

Which means that the traditional model of buying assets, building them yourself and maintaining them is still there. But in other countries where the legislation is different, we're seeing very different commercial models being deployed by the vendors who are building and servicing those things. But the only way for them to achieve economies of scale and ultimately deliver benefit to the ratepayer and the consumer is by having remote connectivity. So we're seeing it's going to happen. That shift is occurring, and the legislation needs to keep up with that.

Steve Applegate:

I think that's a key success factor for legislators. They have to be able to empower companies to adopt new technology, as opposed to creating this paradigm where the only people that are compliant are the ones that are falling behind in terms of operations. Like, they're not competitive anymore with others out there in the field, because they're putting all their emphasis on legacy controls and trying to make their compliance program real easy to maintain.

Jim:

And it's hard as well, because obviously, the older the technology gets, and this is the weird dichotomy behind it, the more expensive it gets to maintain the damn stuff. The movement to third party allows you to kind of skip ahead in a variety of different ways, to kind of be able to provide assurance that solutions are going to be up to date and so on and so forth, because you can mandate it through contracts and all the rest of it. Are you starting to get kind of like increased oversight into how secure you are as an organization from your customers? Because I'm definitely seeing it over my side of the fence. It's still early days. There's a lot of kind of questionnaires that you get, usually based off of ISO and all the rest of it. But are you starting to see people saying, actually, no, we want to sit down and actually, I'm a CISO at, I don't know, XYZ company, and we've been using you for a year. Can we sit down and have a conversation about security, what you guys are doing, and understand a bit more about the strategy that you have behind it, rather than relying on the answers to an actual spreadsheet form?

Steve Applegate:

I still think the majority of them are spreadsheet forms, because the CISO that's going to scrutinize us is very busy and also has their own fires. So they're largely outsourcing that within their team to their third-party risk managers. But once in a while, we'll get someone that'll, I'd rather meet with the CISO, because sometimes we'll get a third party, we'll get someone, especially when it's a contractor. Some company doesn't even do their own third party. They ironically outsource that to a third party to vet their third parties, or whatever. That's going to get recursive if I don't watch it there. But those people, sometimes they're checkboxes, and they'll say, do you do x, y and z? And then as we're going down through it, there's something that, no, we didn't do that five years ago. We quit doing that.

Steve Applegate:

Here's a better way. But now it's just like the whole compliance paradigm I've been talking about. Now we're out of compliance with their internal program because we don't do a thing that's legacy. So then if we're able to sit with their security leadership, or with anybody internal to the company that really understands it, then we can say, here's a prime example, and then we can explain exactly, we can show them. I welcome that kind of scrutiny. But here's what I don't like. You want to hear about a thorn in the flesh.

Steve Applegate:

and then all of a sudden now:

Jim:

Again, Steve, you and I are very similar, and I totally agree with you. More often than not, if you just sit down with the other CISO and just kind of have a bit of a chat with them, you can get far more than you're ever going to get out of a simple spreadsheet. I get really annoyed with the tick-box exercise, and with our service providers. We're a company. We've got our own service providers, maybe not Microsoft. It's kind of harder to do it with that kind of organization when we're the size that we are. But we have a hosting company that provides a number of systems for us. And I sat down specifically with their leadership and their CISO and said, right, so tell me a little bit about yourselves, what you're doing.

Jim:

Pretty much did the security rundown that I would do for customers when we first go in and they say, could you tell us what our security is like, please? And I think it's important to have that. And it's important as well that if there is a misinformation attack, they can reach out to somebody they know and trust and say, hey, Steve, look, I've seen this in the media, or we've got a bit of a concern at management, this new legislation coming in. Can we just kind of like have ten minutes, maybe meet up for a pint and a chat about it. I mean, I'm British, obviously it's going to be a pint and a chat. Pint and a chat, and discuss what we're going to do about it. Or you're one of our key suppliers. It could be all done a hell of a lot easier if we just did that.

Jim:

Yeah.

Steve Applegate:

That relationship is key to the whole thing, right? Having that trust and that transparency. If people are not incentivized to share and to be open, then it hurts us all. Okay, maybe I'll look better for a minute, but someday somebody is going to tell what actually happened, if I go in there and I am too vague and I don't get people actionable intelligence or actionable TTPs out of a certain attack. I think that kind of transparency, we've got to somehow foster that. I appreciate the Biden administration. There is an executive order about that kind of, you know. It's back to what Phil said earlier, that the early days of compliance were to force people to do the right thing, because people weren't doing the right thing. I remember, hands on, I watched people surf the web from the devices that control the most inner workings, that control systems at electrical utilities, with no firewall in between or whatever.

Steve Applegate:

Let's go way back and talk war stories. So before NERC CIP came out, a lot of people were doing the wrong thing. Maybe it was because of a governance problem inside their company. They didn't have the budget, the understanding; they didn't have people they could trust that knew it, the subject matter expertise. But at some point now, I kind of hope that it evolves to where compliance is not that, where it's truly where legislation actually is getting help into the hands of the practitioners, as opposed to another hindrance from real security. I don't know, maybe I'm just dreaming. But that has to be the goal of legislation overall, right? Over time.

Jim:

I think one of the biggest problems I have with specifically government legislation is I do wonder sometimes whether or not they actually include a good set of infosec professionals to advise them properly on what they're saying. We did get a few laughable ones in the UK parliament. It's like, we need to legislate the Internet. Okay, that's going to be interesting, isn't it? How are you going to regulate the Internet now? The time to regulate that was like 20 years ago when it was first created. You didn't do it then. It's not that beast that it was 20 years ago now. It's putting a lot of stress, for instance, on social media. I mean, I'm not a big fan of social media at the best of times, but they're now saying, oh, you've got to regulate this content.

Jim:

And you go, how? You've got millions upon millions upon millions of users who are talking about millions upon millions of subject matters and posting millions and millions of things. How can you get any one company to regulate it? I mean, we can barely regulate our own event management. That's why we go to fantastic companies like know to help us do that. It's just crazy for me. And I just wish that they would maybe think a little bit better and get like proper peer groups, because I was involved in the CSFI, the Cyber Security Forum Initiative, years and years ago, many years ago, when they first started, and had a great time with those guys and got to speak to some interesting people in elements of the American government and what have you that I would never normally have access to. And it's a great team, you know, look them up out there if you're ever interested. CSFI, great bunch of guys.

Phil Tonkin:

I think it's obviously important that any opportunity to provide support and feedback to legislators is there. I don't think a day goes by when some people aren't consulted on what they think. I don't think that legislators are deliberately doing things in a box. I think they're often responding to time constraints and budget constraints which limit how far they can reach. But the opportunities are there for those infosec experts to get out there and get involved. But one of the big challenges is that capacity challenge flows both ways. Your CISOs are some of the most busy people in the world. So the likelihood that they can just sort of, in their free time, reach out and provide that support is hard as well.

Phil Tonkin:

I think it's not easy to carve that time out on either side to try and feed back, but I think that's something that's entirely necessary. And I think that if legislators reach out often, they will get the support that they ask for. And if they tell people that there's a time constraint, people want to help, because they want to avoid the pain that could come from the wrong thing being put in place. It's important that those in the know take the time to reach out and help governments and legislators as well, to help them come to the right conclusion, because they aren't going to be able to hire people. Even if they did hire people, their relevance starts to drift because it's a constantly changing environment. So I think that we all have to continue to work together and collaborate as much as possible to try and form new legislation as it arises.

Jim:

Fantastic, right? Well, we've reached the end of our time together. Thank you, Steve, Phil, it's been absolutely fantastic working and having a chat with you guys about the subject matter. I know we've got a few other things posted up, and at some point soon, if you haven't already seen it by the time we release this, I will be interviewing Steve myself. We'll be having our own little chat at some point. So absolutely fantastic. It's been really good talking about this. We're probably going to have to return to this in like another six months, because everything will know or something new will come out. We'll all be sitting there commiserating over it or trying to figure out how we're going to damn well do it.

Jim:

But thank you ever so much, guys, and look after yourselves. Thank you for listening to the Razorwire podcast. If you like the podcast, if you love the podcast, please feel free to subscribe, and if you have any questions, please get in touch. Thank you very much and have a great day.

About the Podcast

Razorwire Cyber Security
The Podcast For Cyber Security Professionals
Welcome to the Razorwire podcast where we share information, best practices and up to date news in cyber security and infosec.

Our mission is to help you become a better cyber security professional and support our vision of creating an agile community of cyber professionals who are stronger than ever before.

This show is first and foremost about sharing knowledge and benefiting from collaboration. We bring you the advice and wisdom of both your host, James Rees, and his guests to build on the strength and depth of your own knowledge and experience.

Your host James Rees is an information security veteran with over 25 years of industry experience and is the founder of Razorthorn Security, delivering expert security consultancy and testing services on a day to day basis to some of the largest and most influential organisations in the world, including many in the Fortune 500.

The Razorwire podcast is for cyber security professionals looking for new ideas and the drive to improve their response to cyber security events. Through collaboration, we can strengthen our defences.

For more information about us or if you have any questions you would like us to discuss on the podcast email podcast@razorthorn.com or head to www.razorthorn.com