- The unique challenges of bridging IT and OT security.
- Why workforce shortages hinder progress and how industry and academia can collaborate.
- The importance of standardizing roles, frameworks, and terminology.
- Stories of how early curiosity sparked a career in cybersecurity.
The IoT Security Podcast is powered by Phosphorus Cybersecurity. Join the conversation for the IoT Security Podcast — where xIoT meets Security. Learn more at https://phosphorus.io/podcast.
Episode Transcript
John Vecchi:
Well, hello, everybody. You’re listening to the IoT Security Podcast live on Phosphorus Radio. I’m your host, John Vecchi. We’ve got a great guest today. And all of you listening to this podcast, you know that we dive deeply into the OT, industrial control system side. It’s a topic that’s dear to our heart, and it’s always worth discussing.
There are so many angles and so many discussion points and topics that we can bring when we think in terms of securing these complex, mission-critical environments. And with that in mind, I’d like to introduce today’s very special guest. We are fortunate to have with us today Khris Woodring. Khris is the senior cybersecurity architect for OT and ICS at Syngenta. And Khris, we are so happy to have you, my friend. Welcome to the podcast.
Khris Woodring:
Thanks, John. I’m very happy to be here.
John Vecchi:
Absolutely. So, look, one of the reasons we wanted to have you on the podcast, I know we’ve been trying to kind of get you on here, is that you are just quite a practitioner. You’ve been at this for a long time. Whenever we talk about OT, ICS, and cyber-physical systems security and these environments, industrial control systems, I always just am so interested in, how did you get here?
I mean, we’re going to dive in a little bit around the fact that this is a small community. In fact, it’s probably too small. That’s one of the challenges we have. And so, it’s always fascinating. How did you get here? What was your journey to where you are today, and how did you get into this crazy area of cybersecurity for OT/ICS? Can you share with us a little bit about that?
Khris Woodring:
Absolutely. So I think about this a lot myself, and it really will dovetail into the conversation we’ll dive into here a little bit later. But I feel that my path to my position, my role today in OT cybersecurity is one that is part planned and part… I hate to say accident, but part just how the cards fall, right? So in my early career, I was really an IT engineer, so senior systems engineer for the same company that I work for today.
And being that that’s for a manufacturing-oriented company, I’ve had a lot of exposure working with manufacturing systems. And so, with changes in the industry over the years, there was more and more of a need for support for the infrastructure for these manufacturing systems. We went from an era and a time where that level of support was largely provided by engineering groups or small computer support groups within the industrial discipline.
So we went from a time where that level of support was provided by folks who were working close to the industrial systems themselves, so that may have been engineers and may have been computer engineers, but it didn’t necessarily scale out very well. And so, over the years, what happened was, folks from the corporate IT-type organizations were being asked more and more, “Hey, can you help support this network? Can you help support this aspect, that aspect?”
And what happened was, through just exposure and the job that I happened to be in, I began to understand more and more about these industrial control systems, and that prompted questions in my head. I’m a very inquisitive person by nature. And so, I would ask questions like, “What are you guys talking about when you’re referring to these loops?” and getting into details.
I’m very detail-oriented, so I’m like, “Why do these tags…” We talk about tags, how they name industrial control systems, instruments, and so on, like, “Why are they named this way?” So I’m very inquisitive by nature, and I ended up moving into the automation engineering group at one of our larger facilities, where I work today.
And from there, I was just very closely tied to the engineering community at that location, and just continued to develop my understanding of what is an industrial control system, what are the unique risks in this space, and how can I take the understanding and background that I have from an IT perspective and help start facilitating discussions and understanding between the folks who are designing these industrial control systems that are designed to produce in a safe, efficient, resilient manner and add that cyber element to it.
Obviously, as you guys know, this is a difficult topic. There are somewhat raging battles and quests for the solutions to all these problems going on from many different perspectives. But the long story short is that I happen to be working in IT for a manufacturing-oriented company, working at the plant level, and that exposure is what brought me into the field that I’m in today.
John Vecchi:
Wow, that’s cool. I mean, essentially, you were on the front end, and we talk a lot about the convergence of the IT and OT side. And I often don’t like that term as it sits a lot, because it just assumes that these things are the same, and you’re just converging two things that are the same, and then they’re so different. But it sounds like you were kind of on the forefront of that as the IT side comes in, and you’ve got all the operators who are like, “Who are you? Don’t touch my stuff. You don’t understand anything about what we do. It’s not an IT…”
I mean, that is really the crux of how we even got to the cybersecurity side of OT, and you were kind of on the forefront of that. How long did that take? What was the time frame of that? Was this a decade ago? Was it longer than that, where you started to have the IT side coming in and brought you into the OT environment and all the practitioners and operators and all the disparate teams, of course, that are over there?
Khris Woodring:
Yeah. So I think there’s the timeline as it pertains to the industry in general, and then there’s my own personal timeline. I go back 20 years, and I can remember a time when I was working on infrastructure where it was truly all converged. The IT network was shared with the industrial network and so on. Those days are long past. But at the time, me and a friend of mine, we were both IT engineers, we would say, “Hey, look, we can actually see what’s happening in the process.”
We would take that to our managers, and it just wasn’t a thing back then. You were talking 20-plus years ago. I’d say about 15 years ago, maybe a little less, there started being more interest about, we have to not only consider the cyber, but the safety implications of having these networks converged, of figuring out who should be responsible for what here, and really determining an operating model for a safe and resilient operating environment for a control system.
So for me, that probably started about 15 years ago or so. So from my perspective, I was looking at this stuff, saying, “Look, I can tell already the trajectory of this. This is going to be something that is very much in need. Give another five, 10, 15 years, companies are going to be screaming for resources to help address security in this space.” Fortunately, that prediction turned out to be right, but it comes with some unfortunate side effects, again, which we’ll talk about here in a second.
John Vecchi:
Yeah.
Khris Woodring:
Yeah. So essentially, it was maybe 15 years ago I started seeing a little bit of attention on it. And then over the past 10 years, it’s kind of kicked into hyper-gear. You see the emergence of all of these vendors in this space trying to offer up solutions that may help solve at least part of the problem and so on. But look, going back even 10 years ago, shoot, even a few years ago, people couldn’t even agree on the terminology. It’s just like, “What is this? Is this manufacturing information? Is it ICS systems? Is it OT?”
John Vecchi:
Right.
Khris Woodring:
So it’s been a journey, for sure.
John Vecchi:
It’s fascinating, and that’s amazing. So, I mean, let’s fast-forward to today. I mean, I’m assuming… And you mentioned it, right? I mean, I said we can just go back a couple of years. But certainly, over the past few years, and like I say, if you’re paying attention to news at all, you don’t have to know anything about OT security or these types of things. But what you can hear if you listen to the news is critical infrastructure maybe, or you’re hearing about a country, a nation-state, as we call them, compromising our critical infrastructure.
And, I mean, this is headline news. This is kind of ripped from the headlines. You don’t have to just be reading high-tech publications to be understanding this. Right? And so, is it safe to say that even over the past few years, between all of the issues and the stories and Christopher Wray and the FBI and the NSA and CISA and everyone going to Capitol Hill and talking about this, combined with all the attacks from nation-states like Russia and Iran and China, is that, in your experience, bringing this more to the forefront? Is it helping? Is the awareness level higher in the past couple years? Is that a safe assumption to make?
Khris Woodring:
It is definitely higher. There is more awareness. So I have different perspectives on this, because in my role, what I have to do is I’m required to view the landscape from an executive level, from somewhat at my level. I have to look at it from the folks who are out there in operations, on the floor, just trying to do their job, and I have to look at it from your CISO, IT, and information security-type perspective. And every one of those individuals is going to look at the information that they’re receiving from whatever the sources they are. They’re going to look at it and perceive it a little bit differently.
So for your executive, if there’s a lot of noise, a lot of risk, they’re like, “My business is at risk. Production may be hurt if we get shut down for some reason from a cyberattack, and that’s going to affect our reputation, our revenue stream, and so on.” From a CISO, it’s like, “This is the function of my job. I’m supposed to be protecting this company. So I’ve got to absorb all this information, understand every single different thing that’s out there that could possibly go wrong.” That type of thing.
And then from your operation standpoint, just being very blunt. I don’t want to paint this with too broad a brush. But again, from an operation standpoint, these guys are just like, “Tell us what we need to do to be safe. We’re not cyber experts. We run a plant. We design, we engineer, we implement, and we run a plant. We’re trying to produce some product. If cyber is an element of this, tell us what we need to do.”
Now, if we look at the broader information landscape, all the news articles and things like that that you mentioned here, I think we’re in a unique situation, because it’s good to have awareness, but at a certain point, the human mind begins to shut down with too much information. Right? Information overload. So a lot of what’s happening is it’s, I don’t want to say cry wolf, because there’s a lot of stuff happening. But at a certain point, we as an industry need to get beyond just saying, “Hey, this is happening. That’s happening. This is happening,” all these different things, and move towards more of an organized effort to make true progress.
And I don’t want to discount the efforts that are happening towards that end. But the biggest risk by far that I see to critical infrastructure, industrial technologies, and things like that that are potentially impacted by cyber is that there is a lot of information out there. There’s a lot of voices, a lot of news articles, but there’s not as much leadership driving resolution. Right? There’s not none. There is some, and there are those who are thought leaders, and they’re trying to do everything they can.
I think what we’re missing is, we’re missing people, like a workforce, to support what needs to be done, and we are missing, to some extent, leadership at a governmental level. And this isn’t aimed at any given country. This is worldwide, like organized frameworks on how we’re going to move forward as a world, not just, “This country is going to do this, and that country is going to do that.” So they’re really big challenges.
John Vecchi:
Yeah. It’s really a great point you make. I mean, you’re right. I mean, at some point, yet another attack, yet another compromise, and now it’s things like Salt Typhoon compromising the ISPs. It just keeps going. And at a certain point, it just will go in and out the other. It’s like yet another thing. The question is, okay, I mean, what the heck do we do about it?
And I think, certainly on this podcast, we like to kind of bring to attention some of the what do you do proactively? I mean, there’s a lot of challenges. You know, and we’ll talk about it. It’s incredibly complicated. There aren’t enough people that understand and experts. So like you said, when the operators and the operational side say to you, “Just tell me what I can do. Tell me how I can help,” the answer to that should be relatively clear, prescriptive. Right? So let’s talk a little about it. I mean, the backdrop.
So what we see a lot, and I’d love to get your thought on that, is fundamentally… So on one hand, you have all the news about all the attacks. But on the other hand, you do have organizations like CISA. And if you just even look at the past, I don’t know, year, I mean, we could go back a couple, but my gosh, let’s just take the past 12 months. You see the number of CISA advisories out there talking about OT and industrial control systems, PLCs and HMIs and RSC, all this stuff with these inherent hygiene issues. Right?
So they’re saying they’re getting attacked. So if your PLC is… If your credentials are still 1111, and they’re still default, you should probably change them. If you have insecure ports and protocols or unneeded services open on those devices, you might want to shut them off. If the firmware is 10 years old and loaded with severe, critical, vulnerable issues, you might want to think of patching. Right?
So one of the things is, fundamentally, there are these hygiene issues. And when you just put it side to side with traditional IT, you see the state we’re in, right? Traditional IT, we’ve been thinking about passwords and shut things off and patch for decades. I mean, oh my gosh, so many technologies are doing that today. You don’t even know where to begin.
And you look over on this side, it’s like, literally, we’re back in 1992. Right? There’s a lot of things to answer the question when you get asked, “How can I help? What should I do?” Do you see the fundamental hygiene issues as something though that we should be thinking about in terms of what do we do to kind of address some of these issues?
Khris Woodring:
I do. But if we look at this within the context of the reality of the world we’re in right now, the state of things with regard to… Again, I’ll go back to even workforce. It’s almost a pet peeve of mine when I read articles, especially vendor articles, they’re out there, that say, “You should be doing this. You should be doing that.” It’s like this whole list of, “Thou shalt, thou shalt. You should be doing this, this, that, and the other.”
And oftentimes, especially where I sit today, functionally, I want to challenge some of those folks to take a role. Some of them have, but I want to challenge some of them to take a role within an organization that is being told, “You should, you should, you should, you should.” And it’s not that they don’t value that advice, but they’re taking those “you shoulds,” and they’re trying to move that conversation forward within their organization or, depending on their role, if they’re consultants, maybe with organizations they work with, and they’re running into this brick wall. Right?
We want to address vulnerabilities. We want to make sure firmware stays updated. We want to make sure that clear text communications aren’t in place. Default passwords aren’t there. Run down the list of really what we would consider easy, low-hanging fruit. Again, the problem is that we run into, “The business may get it. We need to do this, whatever this is, these security measures.” Your folks who are in more of an architect-type role or someone like myself, even engineering, cyber engineering-type roles, they might get it, but you have to have the people that are going to do. Right?
John Vecchi:
Yeah.
Khris Woodring:
And so, in a small organization, you might find that you are very fortunate. You’ve got this guru. They really get it. They understand it. They can connect into all the devices. It’s a small organization. They can handle it for you. The problem is at scale, and we’re talking about critical infrastructure, energy, water, or if we’re talking about chemicals, these types of situations. Essentially, the information flows to a certain point, and then it kind of just dies.
There’s no one to delegate these responsibilities to who understands the nature of what’s being asked of them. And again, we arrive at this same conversation, workforce. Workforce, workforce, workforce. And so, I think that these things need to be done. They seem like low-hanging fruit. In IT, it’s much more simple. You’re talking about a single management tower to the largest degree. It’s IT. They’re IT systems. They’re owned by IT. They’re operated by IT. They have the folks in the discipline to conduct those types of activities.
But when you take that same set of information and say, “Okay, operations folks, whatever…” There are so many varying titles, right? “Whatever your role is, maybe you’re an industrial engineer, maybe you’re a maintenance operator, who knows what your title is? We need you to go in and update all your firmware, and make sure you’re not using insecure protocols, and this and that and the other.” They’re like, “What? I mean, I just need to hook this. I don’t even know what-“
John Vecchi:
Yeah. They don’t even know where these devices are. Yeah.
Khris Woodring:
They’re like, “We don’t know what you’re talking about. You got to give us someone who knows. We’ll do it. We’ll work with them to do it, but you’ve got to give us someone who can walk through doing what you’re asking us to have done.”
John Vecchi:
Yeah. It’s such a powerful point. And so, what can we do? Let’s talk a little bit about that, because a lot of conversations are about the threat, and you should do this. And like you said, yeah, most organizations aren’t going to argue with your point to me. Yeah. I understand I need to do it. And as you said, some of those teams on the OT side are going to say, “Tell me what to do.” It’s not that they don’t agree with it.
Okay. So you can talk about that, but we don’t think about the fact, and we don’t talk about it enough of, who’s going to do this? Who are the people? And not only who, but how and what kind of understanding and experience? And it’s one thing to have the technical capability to understand those environments, but then move to that to add cyber on top of it. I mean, it’s difficult enough even if you’re a traditional OT. There’s struggles there.
So what can the industry do? And I think, like you said, it’s back on vendors too. It’s everyone. It’s the agencies. It’s the government side. It’s the vendor side. It’s the organizational side. How do we begin to think about helping with this, making progress on that side?
Khris Woodring:
So I really feel like, in this true conviction, I feel like we can talk in circles for the next 10 years. And to a large degree, we’ve made some improvement, but I am a little disappointed on where we are, given where we were 10 years ago. Some advancements have been made. Tools have advanced. There are conversations that have advanced. But by and large, I’d still, in a lot of ways, feel like we aren’t that much further down the road than we were 10 years ago. We refer to the same exact scenarios and so on.
So the thing, from my perspective, my own opinion, own personal opinion, that has to change is that we need a coordinated push, both from a governmental perspective and from the industry, who’s being asked to do these things, maybe even to push on the government, and vice versa, to coordinate and work together, not to come up with more lists and more frameworks and this and that and the other, but to start going beyond that. That’s documentation.
We can produce documentation. We got smart people that can produce documentation all day long. We need the people that are going to carry out the work. So what is the solution? And that’s, to your point, what do we do? What we do is we take that from a regulatory or government perspective, and then from industry. They’re crying, saying, “We want to do what you’re asking us to do. We need people.” And we start putting in the groundwork for universities to begin to prepare people for this line of work. They’re already doing it for IT cyber. Right? It can be done.
And I’ve met some folks in the universities that are very interested in ICS. I ran into some folks at a recent SANS training that I was at personally, and I was blown away by the level of interest and just passion from some of these attendees that were at university. They had been studying just cybersecurity in general, just, say, traditional IT, cybersecurity, and they had taken an interest in this industrial side of things.
They were sharp, very sharp. And I thought to myself, “This is what we need.” We need more of this. We need more of these folks, and that has to come from a more developed curriculum within the universities, and kind of a training track that can be deployed at scale, not just here in the U.S., but around the world. And there’s going to be a delay. We’re going to suffer this, for a time anyway, but what I’m hoping for is that we’re going to look five years down the road, and we’re going to start to see some of those first folks being turned out that have the understanding.
They’ve been through not only the educational path to prepare them, but through internships and things like that. They’re getting exposure in these critical infrastructure environments. They’re walking down through power distribution facilities. They’re walking through chemical facilities. They’re out there talking to the folks. They’re out there getting into the regulatory side of things. We need this labor market to grow, that they understand… It’s an exciting field to be in. But if we just keep swimming in the same small bowl with the same people, talking about the same points, there’s an absolute limit to what we’ll be able to accomplish.
John Vecchi:
Yeah. And that’s a wonderful point, and universities do have a big, big part to play. And, for example, Phosphorus, we’re in Nashville. Vanderbilt is right down the road, and we actually engage a lot with Vanderbilt, and we’ve actually recruited tremendously from them. One of the things I think as well is, “Yes. Let’s have the universities have more focused curriculum and programs for this,” while, at the same time, I think from an industry perspective, it’s having the industry bring these people… have interim programs that bring them in again so they can learn. Right?
I mean, it’s like, some of the students from Vanderbilt, we’ll bring them in. They’ll work in our lab with all of these devices. And they’re already interested, but now they begin to learn. They begin to see it, and that motivates them more, I think. Do you think there’s enough of, from an industry perspective, industry reaching into these universities to build programs to harvest these kids and these young bright minds into this, or is that something that’s mostly nonexistent?
Khris Woodring:
I think it’s happening here and there, and this is where I believe that we have to have this be a coordinated effort from somewhat of a governmental standpoint. And what I mean by that is, it’s not necessarily just another regulation, but through outreach programs, through standardization of terminology of roles, role titles. All these pieces have to fit together in order for a university to prepare a curriculum to say, “Okay. When you are out of this curriculum, when you’ve graduated, these are the role titles that you will be most qualified for.” Right?
John Vecchi:
Yeah.
Khris Woodring:
We don’t have those well-defined today, and we really need them. In fact, I had some discussions with some of the folks at INL last year, and I was talking about this specific challenge right now. It’s, you go to one company, shoot, even within the same company, you’ll have people doing the same job, but they have different role titles. And that’s a real problem today. It really is. Companies themselves, they may want to go to the university, but they don’t even know exactly what to ask for in terms of, “I need a such and such.” Right?
John Vecchi:
Right.
Khris Woodring:
So we need a standardization of terminology.
John Vecchi:
Yeah. Why is it? Is it because we haven’t caught up? This side of organizations… And again, we talk about it. It’s very unique. It’s very separate. I mean, you got expertise over there. In your case, you saw some convergence. But overall, there hasn’t been a lot of that too-siloed groups. Is it because of that, or why do we have such a disparity? And even simple terms defining a title or an area of a practitioner or a defender, let alone the devices. I mean, we could go on with that, OT, ICS, industrial Internet of Things. You got so many of those. But jeez, just like you said, think of the actual job title or what people are doing. Why is that, do you think?
Khris Woodring:
I think that it would best be answered by looking at how we’ve gotten to where we are. And again, essentially, you have a lot of smart people. You have a lot of engineering-minded people, both as actual automation engineers and as IT or cyber engineers, whatever, just that engineering mind. Very meticulous, very opinionated, and also, oftentimes, very self-driven.
And so, what you see… And I see this all the time. You see these folks, they take the initiative. They recognize there’s a gap. Right? Something needs to be done. Right? We need to come up with some way of categorizing devices, like you’re saying, IoT or IIoT. What’s the difference? What’s OT, ICS? These types of things.
John Vecchi:
Yup.
Khris Woodring:
There was a time when a term like ICS was only used within the automation engineering, industrial community. It was very clear. I mean, we know what industrial control system is. There’s really not much ambiguity there. There are different types of ICS, but we know what an industrial control system is. But as we’ve brought in concepts like OT, a Gartner term basically, and overlaid this, there’s been more ambiguity that’s been added on to that concept.
And so, you’ve seen people kind of push forward, given their personality type, and say, “I’m going to take the initiative. I’m going to reach out to…” Maybe they’ll start working with universities, or maybe they will publish a paper, and they may work that through their connections or by working with CISA. They have their channels and their paths, but it’s kind of all random streams.
And so, we end up with a buffet of, “Well, which way do you want as the business…” Again, the downstream of this is, essentially, a business needs to apply control to mitigate risk. That’s what it’s really about. We need to apply control to mitigate a risk. Different types of risks, but we need to mitigate those risks. Right?
John Vecchi:
Yup.
Khris Woodring:
And then you have all these different philosophies of how you do it. I mean, I’ve seen battles online about whether the Purdue model should be used today or not. I don’t know. Should it be used? Should it not be used? It’s a model. It worked for a time. Maybe it doesn’t work now, but you’ve got adherents that said, “Well, that’s why I always use the Purdue model, and we will only use the Purdue model.” There’s no overarching authority to say that within this field…
And I think this comes from universities. I really do. Look, as a society, we always fall back to, what do the people who have studied this, and this is what they do, what do they say? That’s what we’re pretty much going to adopt. Until then, it’s just a bunch of maybe good opinions by a lot of very bright people, but there’s got to be a way to filter through that, and that’s where I see government and universities pairing together to help solve that problem, and, of course, the industry working along to support that.
John Vecchi:
Yeah. I mean, when you put yourself in their shoes, it’s not like they have a great number of groups or resources or that overarching knowledge base to go interact with to kind of define what they’re doing. So it’s kind of like almost a bespoke function in each of these organizations. Right? Everyone’s just kind of, “I got to do this. I’m going to lean forward and figure out what… I’m going to call it this.” Right?
Khris Woodring:
Yeah.
John Vecchi:
Right? Does that make sense? And then another organization will say, “I’m going to do…” And it’s kind of the same thing, but they’re going to be in their own little world, and it’s not like… Again, they don’t have just tons and tons of groups and resources and teams and work groups and all these resources to go interact with. So in their world, they say, “Oh, I’m going to call it this.” That’s probably what’s happening, right? And I think you might-
Khris Woodring:
Very much. Yes.
John Vecchi:
Yeah. And you make a great, great point, and the university side is a really big one. It’s like, you’re getting me thinking. I mean, I think at the very least, for all the listeners today, and even myself, I mean, that’s something that’s just going to be rumbling in my mind, is, how does anyone help move the needle on that? I mentioned we are experiencing a little bit with Vanderbilt, and I know we’ve gone in and spoken to them about this, and the room is full of the engineering students and the security guys, and they think it’s fascinating, but I don’t think enough of that is happening. How do we move the needle on that?
Khris Woodring:
I don’t think so either, and my experience has been in trying to use internships, for instance, as a way to-
John Vecchi:
Huge.
Khris Woodring:
… help boost this. Currently, where we are today, you will find that maybe you can recruit some interns that are interested in cybersecurity. It’s very rare that I come across someone at the university level that is even aware that industrial cybersecurity or OT cybersecurity is a thing. They’re like, “Oh, I never heard of that before. That sounds kind of interesting.”
Actually, for the most part, what I discover is, when I start talking about it, maybe partly because I’m such an impassioned person, I really truly am… I’m excited about OT cybersecurity. I’m excited about industrial cybersecurity. I think we have a lot of work we can do. I think we’ve made progress. But in general, what draws me to it is the tangible nature of industrial cybersecurity, to know that if I go in and I’m able to compromise a system, make changes to that system, and have physical, real-world, immediate effects to the environment, to the people in that, it’s a completely different conversation from even some of the worst-case scenarios where you’re talking about a pure data compromise of some sort, where maybe things are exposed. They shouldn’t be exposed or abused in some way.
There are two different scenarios. And what I’ve found is, when I talk to folks about this concept of industrial cybersecurity, not 100%, but most of the time, if they were interested in cybersecurity to begin with, their eyes kind of light up. They’re like, “This is really cool. This sounds really cool.” And so, I think we’re missing the opportunity that the people are there that would want to do this. I truly believe that. It’s just a matter of making them aware that it’s even an option.
So in order to push it forward, I think we have to have a united voice across the industry. Let’s stop looking at each other. Let’s stop arguing about this framework versus that framework. I mean, there’s a lot of work that’s been done. Look, NIST has done a tremendous amount of work. The amount of detail, time, and effort they put into trying to document and give guidance and so on is amazing. We’ve got the ISA and IEC 62443 standards. Tremendous amount of work that’s been done in that area. We’ve got CISA doing what they’re doing.
I mean, there’s so much work that’s been done to provide some of the foundational information to start to begin to build a coherent path forward, which has to start with a workforce. A lot of that’s been done. We don’t need to sit in the same room with the same information and keep talking about it. What we need to do is the outreach to universities, placing calls, asking the local university. You guys sound like you’re already working with Vanderbilt, calling that university and saying, “Do you guys have an industrial cybersecurity program? Okay. If you don’t, how can I help you? How can I help you?”
And maybe they’re interested. Maybe they’re not. But until they start hearing this from the industry, maybe it comes through regulation, whatever the case might be, executive directive or something like that, it’s not going to happen, because the university is going to cater to what the market demands.
John Vecchi:
Yeah. No, 100%. And, I mean, I think as well, a lot of practitioners like yourselves need to be present at the universities, talking to these… Like you said, there’s a lot of awareness and education. I think we’re moving the needle a little bit and just kind of now focusing on, as a general term, cyber-physical systems, which kind of really accurately describes the difference between these and just some IT system where you’re only worried about a data leak. Right? Great. I mean, not that that’s not impactful. It certainly is.
But when you think in terms of cyber-physical systems, “Huh, what do you mean cyber-physical system?” And you’re just talking about, “Well, they’re controlling physics. These are literally cyber-physical systems. They control the electricity, the water, the grid. You could do damage. You could have safety issues. You could have a lot of bad things purely from a physical kind of perspective in there.” And I think that’s helping a little bit. Would you agree?
And I know, it’s cyber-physical systems, and then you break it down into, “Well, we’ve got IoT. We’ve got OT and industrial IoT, IoMT. We’ve got all these other areas.” But at least kind of settling on these are cyber-physical systems, and kind of helping the awareness of that. I think, as you said, when you kind of explain that to someone in college who’s interested in cyber, it’s kind of like, “Whoa, I didn’t quite think of that before.” Right?
You could do a lot of damage, which is why I think we have nation-states so focused on these. Right? They’re easy targets. And boy, could you do some damage if you wanted to, right? So I think there needs to be a calling. This is critical infrastructure, and I think maybe we need to do a better job of… Almost like the government recruits across NSA and FBI and some of the other agencies. This is critical infrastructure. We need a force and a team to defend this. Right? And it’s private and public. Right?
Khris Woodring:
Absolutely. And there needs to be resources made available to industry and to universities to facilitate that. One of the huge differences and why we have such a massive labor force available for traditional IT information security is the fact that you didn’t have some of the barriers that you have with industrial cybersecurity. If you want to get yourself a Siemens PLC, or whatever the case may be, it’s nothing like IT.
I mean, you’re going to have to probably buy… At best case, you have to buy it used, and maybe you can’t even get the programming software. It’s very expensive, and so on and so on, and you can learn some of the basic principles with a more generic solution. But my point is that the real-world systems that are out there, they’re not easy to obtain at any scale-
John Vecchi:
Correct.
Khris Woodring:
… for training and learning purposes. If I want to learn about IT cybersecurity, well, I’d buy a PC, fire up a few VMs, and load Windows, Linux, and things, and start simulating the kind of things you would see in an industrial environment. You can do it anywhere at almost virtually no cost. So the barrier to entry for learning is very, very high from a cost perspective when we’re talking about industrial cybersecurity.
And I believe that’s why we see, to a large degree… Again, I was lucky. I happened to be working for a company that… I started in IT. I had manufacturing systems. I was able to get exposure to that. I was very inquisitive, and I was able to learn and move into that path. That’s how most people are moving into it today. They just happen to be in the right kind of job where they have exposure, and then they become highly, highly sought after. Obviously, that’s not a scalable model. Right?
John Vecchi:
Right. Right.
Khris Woodring:
So huge, huge discrepancy in the way that we source and prepare that type of talent in IT cyber versus OT or cyber-physical.
John Vecchi:
Yeah. It’s so funny, because we have a lot of guests, like yourself, on the podcast, and so many of you practitioners kind of talk about the serendipitous nature of how you even got to where you are. You know what I mean? It’s just kind of like, “Yeah. I was here, and then there, and I needed to kind of do that. It was interesting. I went over there.” It’s all like that as opposed to, “No, I specifically… My education here, then I went and sought an internship. I focused on it.” You don’t hear that much. Right? It’s a lot of just tribal-
Khris Woodring:
The stereotypical [inaudible 00:39:14]. It’s just not a thing really today. But can I share a really quick story, though?
John Vecchi:
Of course.
Khris Woodring:
I believe that it must have been destiny in me ending up doing this type of work at some point, because I was thinking the other day, as I was preparing thoughts for the podcast, I thought, “How did I end up doing what I’m doing, and maybe what elements laid a foundation for that interest much earlier in my life?” And I remembered I was probably about seven years old. My dad at the time was working as a contractor, and he would come home with these extra parts that they would replace from systems, and they were made by a company called Veeder-Root. If I’m not mistaken, they were an electromechanical counter. Right? So I’m seven years old-
John Vecchi:
Interesting.
Khris Woodring:
… and I look at the thing, and I figured out if I hook power to it, the LCD elements would light up. This is back in the mid-’80s. And so, I played around with this thing, and finally figured out that what it would do is it was counting… Basically, it was like a counter for a relay trigger. Right? If you have a relay trigger and touch… contact on it, it was counting.
So being this seven-year-old kid, I was like… The way a typical maybe young boy might think about this is, “I want to make sure my sisters aren’t coming into my room without me knowing about it.” So I wired this thing up to a door contact on my door so that I would know how many times the door had been opened and closed. And so, it’s such a simple, simple concept of a physical system being integrated with a digital system.
And I look back and I said, “That’s really kind of where it started.” And, of course, many stories since then, but that’s what we’re talking about. We’re talking about integrating the real physical world with digital systems. And the difference today is, that was an isolated system, as simple as it was. Now, imagine taking the same thing today. You may have a young person who thinks, “I want to do the same thing, same philosophy behind it.” But they’re probably going to use something like an Arduino, Raspberry Pi. They’re certainly not going to have a Siemens PLC.
John Vecchi:
Yeah. Right.
Khris Woodring:
But that device is accessible from the internet. So it’s a completely different scenario. Right? If that device gets compromised over a network, whatever systems it’s connected to can be compromised, made less safe, whatever the case may be. And that’s one thing if it’s a door counter, trying to make sure your sisters aren’t coming in your room without your knowledge. It’s a whole different ball game when you’re talking about a system that is controlling a safety-centric process where you’re mixing chemicals or delivering power to millions of customers and that type of thing.
John Vecchi:
Purifying water. Yeah.
Khris Woodring:
But I think that that was step one.
John Vecchi:
That’s a fascinating story. I mean, that’s kind of like the little spark that kind of just stays with you. And so, when you’ve fallen, you get an opportunity. You’re like, “Gosh, I’m just naturally inclined to go seek it.” And that’s a great example. I love that story.
I mean, yes, it’s… Again, when you think in terms of critical infrastructure and look at something like… whether you look at Fuxnet, something like that, where you can go compromise the gateway, and guess what’s attached to the gateway? Every single PLC and all those systems. I mean, see what you mean? You compromise one, and you can now do so much. Right? And that’s why I think… I love the idea of, it’s more of a calling. We need a task force and teams to be thinking about defending our critical infrastructure, and we certainly need that most definitely, right?
Khris Woodring:
We need to get that message out to young people, because I guarantee you, there’s a lot of other seven-year-old boys and girls out there that would be totally natural to move into this type of field that would do great. They’ll help us actually implement all these great ideas that folks are coming up with. But without that, we’re going to be very limited in what we can actually achieve in terms of transformation of this space from a cyber protection standpoint.
John Vecchi:
Yeah. And just going back to the other point you made, by the way, which is very powerful, I think, and is sometimes overlooked, is the difficulty of even just setting up and acquiring and being inquisitive around this with the difference between, say, IT security and a laptop and some software, and an industrial device like a PLC. It’s very different and incredibly common.
We have a very large lab, and we have all these PLCs in there, and it is hard. And I think my point there is it comes back to why I think it’s critical for the internships, because organizations have this, and you can bring them in so they can experience it that way, because you’re not going to have someone setting up the PLC system connecting to some cyber-physical outcome in their bedroom. It’s hard. Very, very hard. Right? I think that’s a really good point, actually, of the difference.
Khris Woodring:
Especially if they’ve never been exposed to it. Again, if you look at just the dichotomy of the realities between IT cyber, again, information security, and then OT cyber or cyber-physical, you can go, and there’s so much information about how to set up different scenarios. You can set up detection software. You can learn about the MITRE ATT&CK framework and how security operations work. You can do all this right from your own home, sitting there with your own computer and maybe a couple VMs, or whatever the case may be.
But we start talking about cyber-physical, because it’s physical. You have to have those physical elements, things that you’re tying to, to make it connect in people’s minds what the real-world implications of something like this are. And so, whether it’s a… Like they do in the training, they’ll set up a mini simulation of a… SANS does this. They’ll set up a mini simulation of a power distribution-type scenario with a PLC.
That’s the kind of thing that starts making your brain connect, “Wow. If I change this, then that changes over there.” That’s that industrial control systems mindset. Now, what if it’s not me changing it? What if it’s someone else changing it, and they’re not authorized to make that change? Right? Those connections get made through experience.
John Vecchi:
Yeah. Yeah. And the one thing we haven’t talked a lot about is just the other kinds of massive amounts of different types of devices that are all coexisting. And a lot of times, when I speak, I’ll do a hack of a camera. Why? Well, as I say, you see a camera. I see a Linux server. It’s a camera. If you have an OT environment, there’s cameras everywhere, by the way, and they’re just computers. They’re Linux machines, and they’re coexisting with PLCs, and you also have door controllers and HVACs and PDUs and UPSs. Right?
And oftentimes, these are devices that are also very interesting, and sometimes there’s not a connection of, “Huh, that’s a cool thing. I didn’t think in terms of, you compromise my HVAC, or if it’s a data center, which is also mission-critical today, and you start compromising my power systems, huh, you could have a big effect on that.” Right? See what I mean? So I think also, the broad spectrum of these interesting types of devices that all fit under the category of cyber-physical systems just can make it even more interesting. Right? There’s more to sink your teeth into, I think.
Khris Woodring:
It’s a wide array of devices. And again, we kind of get into a conversation of what level of understanding and agreement do we have as an industry and at an individual level of what is OT. Right? What is OT? Operational technology is just an umbrella term that can include IoT, IIoT, industrial control systems, and then break that down further, and this is why we need the structure so bad. Right? We need there to be just an agreed, “This is what it is, and this is how we’re going to move forward.”
But even within that, let’s say you have an OT environment, or an IoT environment, and you’re thinking, “My IoT environment is like a LoRaWAN gateway. We’ve got some sensors out there connected to it.” Right? That’s IoT, IIoT, depending on what you’re using it for. But like you said, as part of that, you may have some cameras in there. I mean, who knows? There could be a whole numerous array of different devices in there, but, whether it’s IoT or OT, they’re within that IoT environment or OT environment. Are they OT? Are they IoT? Should they be considered as such? I think it doesn’t really matter. You just need to know that they’re there.
John Vecchi:
Yeah.
Khris Woodring:
I mean, I shouldn’t say it doesn’t matter. It does matter. But most importantly, you need to know they’re there, because you could start the conversation within your organization about how you want to classify them, prioritize criticality once you know they’re there. But you have to know that they’re there first. And surprisingly-
John Vecchi:
You do.
Khris Woodring:
Well, probably not surprisingly to you guys. Oftentimes, folks running networks with IoT, IIoT, OT, whatever you want to call it, cyber-physical systems, they are stunned to find out how many devices are actually connected in their environments, posing a potential risk. They’re running out-of-date firmware. They’ve got all kinds of vulnerabilities and so on.
John Vecchi:
Yup.
Khris Woodring:
And I saw that when I worked for Nozomi Networks for a while. We would do installations, and the customers… We’d fire up the installation. It starts detecting devices and things like that, and they’d be absolutely stunned at how many devices were in their environment. They thought, “Oh, well, we have like 100,” and it’d be 500.
John Vecchi:
Right. Right. Yeah. And we see that, right? We say they’re oftentimes, almost at a minimum, 60% off on their best estimate, and sometimes it’s with conviction: “I know for sure we have this,” and they’re 60% off, and it’s because there’s proliferation. And again, there’s a wide spectrum of devices. They’re not thinking about some of the other types of devices that are coexisting.
And you’re right. We need more standard… I refer to it a lot of times as OT-adjacent IoT, just to help people understand that it’s in there. But then I say, “But it’s in your OT environment, so it’s kind of OT, and the way you should think about it.” Right? But even in healthcare, I’ll talk to healthcare organizations and say, “You have OT all over your place in healthcare. I mean, you might not think about it that way, but you do, and then you have medical devices, and you have other traditional IoT devices.”
Right? So I think it’s been pretty eye-opening on some of the things. I think the entire industry, the entire world can do better. Khris, it’s fascinating stuff, my friend. I love this discussion. We need to have you back and just continue exploring this. And, I mean, you’re getting me thinking about other things. Everyone can do better at the university level, at that kind of level of getting more internships, of engaging more people. And, of course, we all have to do a better job of just education and terminology and all those things.
I mean, as we kind of wrap up the podcast today, and you shared… I love that story about your childhood. There are practitioners listening to this podcast, and they may be in all industries. But like I said, you could pick almost any industry, and you may have an industrial environment, or you may have industrial devices. But to those practitioners out there who are maybe just thinking about this or exploring it, or maybe, like you, were having an opportunity to maybe go dabble in that a little bit, what would be some of your advice to them as we kind of finish up today?
Khris Woodring:
Yeah. So my advice is something I’ve tried to follow as best as possible myself, and that is, one, keep a positive attitude regarding where we are, but where we’re going, because it is a journey. We’re not going to get there overnight. Keep a positive attitude. Make sure you reflect that positive attitude in the community.
And then also, make sure you’re sharing the passion and the interest with your children, with their friends. Go to the local high school. Offer to do some kind of show-and-tell type of thing. Go to the universities. Talk to them, and say, “Look, can I help you develop an industrial cybersecurity curriculum program?” whatever. But essentially, it’s going to require outreach by all of us in this field.
John Vecchi:
That’s great advice. I love it. And I’m seriously going to be thinking about, what can I do? I’ve been through a couple of universities and have presented there, but I think you’re so right. We need to just do a lot more of that, and it’s just… A lot of things you got us thinking about today, Khris. So nicely done.
Khris Woodring:
Great. Yeah.
John Vecchi:
I appreciate it. Again, great discussion, Khris. We’d love to have you back. So, so great to have you, and thanks for joining us today. And for those out there, Khris, who would like to follow you or your posts, is there anywhere they can go to find you and maybe follow what you say or reach out to you that you want to let them know?
Khris Woodring:
Yeah. Absolutely. I mean, LinkedIn is the best place. I’m relatively active on LinkedIn, not so much in recent months. Just been extremely busy personally, but generally very active on LinkedIn. I love to interact with folks, converse, and so on. Outside of LinkedIn, don’t have a lot of presence. Being in cybersecurity, you learn keeping a managed footprint is really good in this space. So yeah, I’d say LinkedIn is the best place.
John Vecchi:
Phenomenal. Awesome. Thanks so much, Khris. It’s great to have you. And remember, everybody, the IoT Security Podcast is brought to you by Phosphorus, the leading provider of unified, proactive cyber-physical system security and remediation for the extended Internet of Things. Thanks again, Khris. And until we meet again, I’m John Vecchi, and we’ll see you next time on Phosphorus Radio.
Author
Phosphorus Cybersecurity
Phosphorus Cybersecurity® is the leading xTended Security of Things™ platform designed to find, fix, and monitor the rapidly growing and often unmonitored Things of the enterprise xIoT landscape.