Claroty's Nexus podcast, in its first full year in 2021, delivered to its listeners a mix of the smartest technical and strategic minds in cybersecurity. While our focus was the security of SCADA and industrial control systems, we also brought to you high-quality insight into trends around protocol security, open source projects, SBOMs, and U.S. government action to ensure critical infrastructure remains safe.
Here's a purely subjective recap of the top five podcasts of 2021, in no particular order.
Martin Scheu and Dirk Rotermund of the Top 20 Secure PLC Coding Practices project appeared on the podcast in September to discuss how engineers can best secure programmable logic controllers. PLCs are generally insecure by design, meaning that engineers must apply some of the same secure coding principles prevalent in IT development to PLCs as more industrial devices and processes have some connection to the internet.
"Process control systems were always connected, but now they are connected to the business side of a factory. These connections went very fast. The OT lifecycle is 15 years or maybe more, and everything is thinking in these timeframes," Scheu said. "The IT side, in terms of ransomware, just came too fast and now we are trying to catch up."
Rockwell Automation Chief Product Safety and Security Officer Tony Baker appeared on the podcast in August to discuss not only some of the challenges that patching automation software and firmware updates pose to users, but also the importance of CIP Security to the future of connected industrial processes.
CIP Security is a specification that adds device authentication, data integrity, and confidentiality to ENIP networks. It ensures secure communication between control systems and devices. Message integrity will become an indispensable security feature as more processes are connected to the internet and managed from the cloud, Baker said.
Water ISAC Managing Director Michael Arceneaux and Cyber Threat Analyst Jennifer Lyn Walker joined the podcast in February, shortly after the news of the Oldsmar, Fla., water treatment facility hack. The incident kicked off a frantic few months that put OT cybersecurity front and center of headlines and legislative bodies.
Oldsmar was not only a landmark incident for the attention it brought to the issue, but also for the level of detail about the attack shared by plant officials and law enforcement. This was a key point Arceneaux and Walker stressed that utilities need to share incident information with peers, even competitors. .
"Utilities ought to know they can share incident information with the government, with Water ISAC and get the help they need without having to have press conferences," Arceneaux said. "Organizations that recognize the value of sharing are really improving their sector-wide posture."
Former NSA Director, Adm. Mike Rogers, was a guest in June and spoke on a timely topic: ransomware and critical infrastructure. Incidents at Colonial Pipeline and JBS Food were fresh headline fodder, and Rogers' insight from years guiding some of the nation's most sensitive networks and organizations—including as commander of U.S. Cyber Command—provided a fresh perspective for asset owners and operators.
In particular, Rogers addressed the complexities of cybersecurity policy-making for critical infrastructure, much of which in the U.S. is privately owned. In the case of Colonial Pipeline for example, it shut down production when it realized its enterprise systems were compromised; the decision impacted fuel delivery and availability up and down the East coast for weeks.
"As I look at that, I say 'Hmm,'" Rogers said. "Think about the economic and national security implications of that. Are we as a nation comfortable with the idea that when it comes to critical infrastructure, companies are just going to unilaterally do what they want or feel is appropriate? They thought about it and clearly did what they thought was appropriate. I just think to myself, I'm not sure this is the best methodology, particularly in some areas where the economic impact or national security implications are so high."
As more companies converge IT and OT systems, responsibility for securing those newly connected systems falls largely on the chief information security officer, many of whom are well-versed in IT cybersecurity practices. OT, however, is an entirely new animal for many security and risk managers.
Splunk OT security strategist Chris Duffey and Global Advisory CISO Doug Brush joined the podcast in November to discuss the CISO's journey to managing OT cybersecurity. The first step is often on a people level: establishing a trusted advisor and partner relationship with asset owners and operators.
"Frankly for a lot of OT teams, because they're tied directly to the revenue of the company, it's easy for them to say 'This will affect operations; we're going to lose money.' Or, 'there's a safety implication,'" Duffey said. "You definitely want to have that trusted relationship and leverage domain expertise. If you leverage those people, they're going to realize this is a different approach and they really care about what I'm doing."
Special thanks to all my guests in 2021, and to all of you for listening and subscribing. Nexus is available on all the major podcast platforms, including Apple Podcasts, Spotify, and Podcast Addict. Keep spreading the word, and we'll be back in early 2022 with more of the industry's best.
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.
