Needles in Haystacks - Recruiting OT Incident Responders [The Industrial Security Podcast]

Episode Transcript

Speaker 1

There isn't one team that does troubleshooting in an industrial control system.

There are so many complex parts.

There are literally thousands of people working at some of these large companies that I've worked at.

Speaker 2

And welcome listeners to the Industrial Security Podcast.

My name is Nate Nelson.

I'm here with Andrew Ginter, the vice president of Industrial Security at Waterfall Security Solutions, who's going to introduce the subject and guest of our show today.

Andrew, how are you?

Speaker 3

I'm very well, thank you, Nate.

Our guest today is Doug Leece.

He is a longtime security practitioner.

He's the technical manager of Detection and Design at Enbridge, and Enbridge, if you're not familiar, runs what I believe is the world's largest or longest petrochemical liquids pipeline and a very large network of natural gas pipelines as well.

So we're talking oil and gas and our topic is staffing, is finding people who can work on cybersecurity in these environments.

Speaker 2

Then, without further ado, here's your conversation with Doug.

Speaker 4

Hello, Doug, and welcome to the podcast.

Before we get started, can I ask you to say a few words about yourself and your background and about the good work that you're doing at Enbridge?

Speaker 1

Thanks for having me on this morning.

Yeah, I've been actively involved in IT and telecom for almost thirty years now.

It's been a while, and because I've always been working out of Western Canada, I'm really acquainted with a number of different oil and gas operations and telecom providers and the rather adventurous things we had to do in Alberta twenty thirty years ago to get businesses to work.

And over the last eighteen years or so, I've been actively involved in cybersecurity as my only job.

But when I started doing this, there was no separate cybersecurity discipline.

It was just part of being a system administrator.

You also took care of the security of your systems.

But like I said, being in Alberta, a number of my customers over the years are oil and gas or electrical producers, and currently I'm at a company called Enbridge, who are the second largest I believe, oil and gas pipeline company in North America.

I don't represent Enbridge here, but I'm very proud of the work that they do, and I'm well acquainted with the cybersecurity challenges that that company, and another large oil and gas company that I worked for for five years before that, are facing every day.

Speaker 4

Our topic is finding people, finding the right kind of people to do OT security for these big, important physical processes.

At Enbridge, you've been doing this kind of recruiting.

What does this mean? Who are you looking for?

Speaker 1

Well, I think the first thing you're looking for is people that understand cybersecurity challenges.

But the special fit here is that we're not you know, although we have a significant IT infrastructure to support the business itself, we're not a bank.

Speaker 4

You know.

Speaker 1

Our physical processes are controlled by a lot of technology choices, and every large, you know, some people call them SCADA systems, some people call them DCS, some people just call it OT.

But in the end, you're using a computer to manipulate electricity, to turn on big motors and compressors and valves, and you're also taking measurements from physical processes.

You know, like a previous place I worked at, they extracted bitumen from sand with, you know, chemicals and heat, and you know, these are big processes the size of, you know, giant buildings, and all of that stuff's controlled by computers.

So I'm always curious when we you know, when we're talking to somebody about cyber in the physical world, like, what do you know about OT?

And you know, you're quite right, there's not very many people that even know what those terms like RTU and PLC mean.

But I think there's even fewer that grasp it's controlling something the size of a jet engine sometimes, and what if that's the wrong instruction, then what happens? Well, it blows apart.

Grasping that physical part of it is a challenge, and we don't find too many people to walk in the door with that kind of skill, but it is something that you know, we've been working on as an industry.

Really here in Calgary, we've been training for this for probably eight ten years, getting people very aware of these processes and what's going on.

And occasionally somebody will put their hand up and say, I find this very interesting and I'd want to learn more, and at that point you invest time in helping them learn.

But a lot of it you can pick up just by reading and, you know, watching YouTube presentations from Ian L and a few others, so conceptually you get it.

But I think the best fit is bring them out to the field and let them see firsthand what's really going on.

Speaker 4

It sounds like you're saying it doesn't matter who you recruit.

Anybody you recruit, there's going to have to be some learning that goes on.

It might be, you know, training, it might be on the job, so learning.

Yes.

Let me ask you though, if you're going to train people on the job, what are you selecting for then, if you're going to teach them what they need to know?

Speaker 1

I think one of the first things we look for is people that are at least familiar with what is going on.

So if somebody comes to interview with you and they don't even understand the nature of your business and how OT fits into there, you know, that's a problem.

You know, like I'm always looking for somebody that's going to be interested in doing some upfront research and taking some of that initiative on their own, and that's an indicator that they're trainable, because everybody's agreeable in the interview, but you know, do they have a history or a habit of that? That's what I'm looking at.

You know, we've had a number of people hired over the last few years where I'm working, and I've sat in on a lot of the interviews, and one of the things we do is, even in the interview, we provide a pop quiz in a scenario and ask for the answer.

And it's not really even whether they get the answer, it's the willingness to take that challenge on at the spur of the moment and come up with something that appears there was some thought behind it.

Even if it's the wrong path.

That's not as important as is somebody willing to think on their feet and, you know, change their mindset immediately.

Because in cybersecurity operations, everything's going along great and two minutes later you're in the middle of something.

It happens that fast, and especially at the start of it, it's very unclear what you're in the middle of.

It could be fairly benign or it could be very serious.

And over the last twenty some years of incident response work.

Speaker 4

I've.

Speaker 1

I won't say I've seen it all, but I've seen a lot of different you know, gravity of situations.

So, is their head even capable of making that quick pivot and focusing on the job?

Speaker 2

So Andrew, thoughts on Doug's process for finding the right kinds of people for industrial security jobs?

Speaker 3

I don't hire a lot of technical people.

I run a small, very small technical team at Waterfall, but you know, in the past, not so much cybersecurity, just general development.

I mean, at one point I led a large team, thirty, forty, fifty technical people, a lot of whom were developing products.

Actually some of it was security product, others of it was control system product.

Product that, you know, organizations like Enbridge used to automate their pipeline, millions of lines of code.

Very complicated.

You know, I never figured out, pop quiz wise, what would be a useful pop quiz.

I could never wrap my head around that.

I did something different, you know.

I would ask people if they were interested in something, something technical, what was that?

Could they explain to me what they've been doing in that space?

And they, you know, some of them would look at me a little bit embarrassed.

Yeah.

I write games in my spare time.

Really what kind of games?

Well, you know, there's some graphics, there's some, you know, some simulation behind the scenes, it's multiplayer, there's communications involved, on and on.

That's gold.

I need all of those skills in my team, you know, or they might say, you know, I've been doing stuff with I don't know, audio editing.

Speaker 4

You know.

Speaker 3

In a sense, it didn't matter what they were doing.

The field was so broad.

What we needed was to find people who were interested in something, and they migrate sort of naturally within the organization to tasks to development tasks that involved the kind of thing they were interested in.

Why is this useful? Because in my experience, you learn faster, you learn more thoroughly about things that you're interested in.

So it's really useful to have something that you're interested in.

That was my trick for sort of weeding through the applicants, you know, from the people who really didn't care what they did all day every day and they turned the whole thing off at five o'clock, versus people who actually would sort of grow and expand and excel in the job because they loved the piece of it that they were doing.

Speaker 1

That was my trick.

Speaker 3

And I think everybody needs something, because you know, when you're hiring, you put the job posting out and you know, if you're lucky, you get one hundred people applying.

Now you've got to reject ninety nine of them.

How do you do that?

It's just hard.

Speaker 4

I would hope that there's a fair pool of people out there who can think on their feet.

How hard is it to find the people that you're looking for?

You know, do you have lots of candidates to choose from?

Where are you digging here?

Yeah?

Speaker 1

I think for the most part we are, which is surprising, because you keep reading about the, uh, you know, we as an industry, not we specifically at Enbridge.

We as an industry, because I'm also involved with Calgary BSides and a couple of the local education institutions here.

So, like yourself, I talk to students quite regularly, and without a doubt it's the number one question: how do I get into cyber?

And my answer is often disappointing for them: go get into IT first and understand it, or if you want to do OT cyber, go do some OT field work and learn how to do some of those things.

But it's kind of hard when they've already spent a good deal of time trying to navigate a curriculum that says they're going to be guaranteed a job.

At the other end, I think there's a lot of requirements in the industry for technologists and people who understand how computers work.

But every company is interested in hitting the ground running.

And when you're bringing in somebody that's out of schools and they've not ever worked in the field, I think it's really an investment on the organization's part to make that person more useful, so to speak.

And you know, it's not their fault.

We've all started at the beginning, and I think when I got into IT, there were even fewer people willing to do this, so I got the chance.

But I think there is that expectation that you're going to want to hire people with experience, and the people that don't have experience yet have no way to get it until they get that job.

And I'm thinking that some of these labor issues are a catch-22 invented by this whole supply-demand curve, and there isn't as much of an entry-level way into cyber as people think.

And I'm not sure that's a bad thing, because we are talking about protecting organizations and in the case of an industrial control system company, literally billions of dollars worth of stuff that is, you know, dangerous to work with and everything.

But even if it was a smaller company and it was just their credit cards and HR records, that can still ruin a company.

So do you really want a junior person starting there, or do you want them starting on the help desk where, you know, there's a lot of recovery?

Speaker 4

Well, go room if we can.

Let's get specific.

I understand that you were recently looking for some, or you know, this is what you do, you always look for, I don't know, OT incident responders.

Can I ask you, you know, how does that work?

How did that work for you?

You know, let me take a side trip for a second.

You know, it's possible to do some back of the envelope calculations.

When I do that, very rough numbers, it seems to me there's fifty times, five zero times, as many, you know, IT security experts in the world as OT security experts.

If you put out a call for incident responders, I'm guessing you're going to get a lot of IT respondents.

How do you deal with that?

This, you know, what's the difference, you know, in terms of what you're looking for?

Between an IT incident responder, and presumably there's lots of them out there, and OT incident responders that, you know, might be in short supply.

Speaker 1

They're definitely in short supply.

You know, I still question whether I'm one of those people.

Some days I think I am.

Most people think I am, which is good.

But I've talked with other people at other companies, and you know, a lot of people don't put this together.

But there's industrial control systems everywhere.

I have a friend of mine that works up at a large airline, and he said they have five flying SCADA systems on every plane.

It's like, great, what could go wrong here?

And absolutely, when you know physical processes are controlled by computers, it's all the same.

If there's a mistake, there's a physical outcome and people are affected.

And if anybody ever answers an interview question like what's the difference between IT and OT with something as succinct as computers will affect physical processes, you know that I would cancel all the rest of the interviews, because that is the problem.

But I don't think we're very good at articulating that as an industry.

I think the bigger challenge is that an official OT incident responder and an IT incident responder aren't necessarily distinguishable at the outset unless you look at their resume and say, well, previously they were a SCADA controls engineer or something like that.

But this field doesn't tend to attract people that are building the equipment, so we're always kind of an add-on.

So far, I only know of one person who was well into the operation side and then moved over to cyber.

It tends to be the other way around where cyber folks get interested in OT, and so we look for people with relatable experience and then you know, train accordingly, because especially at the start, the equipment we're using is exactly the same.

You know, a log analytics platform at a bank is exactly the same one that is running in, you know, an OT shop.

But the difference is what the context of those incidents mean.

You know, that computer is experiencing an issue.

What's it controlling?

Is it just a PI historian that nobody cares about?

Or is it, you know, an extraction controller of some sort, or a flow computer?

So getting that context switch is something you can train for.

But if somebody doesn't understand how to hunt through data and separate operational events that are unusual but not outside the normal, compared to something like, uh, you know, an actual attack.

It's not going to be distinguishable.

We often start, as I'm training people on this area, you know, and it's worked out well.

We've had a number of people go through it. It's like one simple question: is it an intrusion or not?

And if you're not sure, what's the first question you'd ask?

To try and start narrowing that down.

And so I take more of a binary decision tree approach and we've turned that into a very repeatable process.

So we've had some good success with that.

But the trick with that is bringing people that understand the technology on the OT side into the equation: how do I tell these two things apart?

And then you start to get into stuff like was it happening at three in the morning?

Yes, okay, that's not unusual in an industrial control platform, but it's outside their normal change windows.

Okay, was there an incident?

Where would I go check for that?

And they kind of work their way backwards, right, so it takes longer.

You certainly don't have a blinky light on a screen saying, you know, coker number forty-seven is on fire.

You have a fire system for that, right, So it's harder in the digital world to see that.

Speaker 2

So I know it was a reference in passing and not mathematically accurate.

It's meant to make a point.

But you were talking to Doug there, and you said something to the effect of how there are like fifty to one IT security professionals out there compared to OT, and that also rings with my experience too.

I'm wondering, is it that the threats to IT are so much more common that you just end up with so many more IT professionals, or is there some reason why, relatively speaking, OT struggles to attract talent compared to how many people we need relative to IT, which seems to do a little bit better.

Speaker 3

I think the short answer is I don't know.

I mean, I can speculate.

The back of the envelope that I did was, I went to, there's a thing called Google Trends, and it doesn't give you hard numbers, but you can put a query in there and, you know, it'll show you sort of interest in the query over time, who's searching for that, and so I put in, you know, OT security, industrial security, any combination of that I could, and then I just put in cybersecurity generally, and you know, it won't give you hard numbers, but it will give you a comparison.

And like I said, that tool suggested there were fifty times as many people searching for cybersecurity generally versus industrial cybersecurity, or any variation of it, specifically.

So it was more a measure of interest than of available talent.

So I've, you know, inferred that there's a relationship there. You know, to your question, are there more attacks on IT?

Is there something else going on?

I think there's just a lot more IT infrastructure in the world than OT infrastructure.

I'm guessing that the fifty to one is not where it should be.

I'm guessing that it reflects sort of today's interest in the topic.

And over the last fifteen years, what I've observed is that interest in the topic is steadily growing.

So you know, hopefully ten fifteen years from now, it might settle out at a smaller ratio.

I don't know, twenty to one instead of fifty to one. But you know, it's a crude, it's a very imperfect tool, but it's something, and you know, so that's the number I threw out.

Speaker 4

I've never been in IT, you know, responsible for a large organization.

But you know, in my understanding, if I'm in an enterprise security team in an organization with one hundred thousand employees, each of which have a desktop computer or a laptop, I've got hundreds of thousands of cyber assets I'm managing.

They're all exposed to the Internet.

My understanding is that these teams assume constant compromise.

They assume we are compromised.

They are out there systematically trying to identify the compromised equipment and you know, take a forensic image, erase it, restore from backup, repeat.

Constant activity. In the OT space, I would hope that there's less to do incident response wise, but your OT systems are behind so many layers of defenses that you just don't see a lot of activity, you know, in your experience.

Let me just, I don't want to ask you about incidents in the businesses you've worked in.

You know, that's confidential.

But let me ask you, how hard is it to stay in practice as an OT incident responder?

Speaker 1

I don't think it's as hard as people think because there's plenty of operational events that go on every day.

I mean, equipment fails all the time.

When you've got a lot of it, there's always going to be something that's not operational.

And in a widely dispersed environment, or in a hostile environment, like you look at something like Fort McMurray in the wintertime.

It's a wonder anything works, but you know, there's a small city up there at every plant where they're doing that work.

Enbridge goes across North America.

Same with Trans Canada, like these are big operations and so there are literally thousands and thousands of assets, just like you have with the commercial stuff.

So by all means, I think hunting for incidents is very important.

That's a very unique skill and kind of hard to find.

But you'll often find that equipment is misconfigured or something like that, and just through a change.

You know, they forgot to change something and you'll start picking up events, and the number one thing you've got to do then is figure out, was this a result of an operational change with a mistake in IT, or, you know, a default setting that never got unchecked or something like that, versus this is an actual attack. Because I think what people don't kind of get about OT security is all you've got to do is stop the process and you've met the adversarial goal.

You know, in an IT world you have to steal some kind of data and then monetize it.

But in OT, the minute you're stopping that process, that's it.

You know, if the planes can't launch off of the runway because the air traffic control systems are down, or they can't load the planes because the baggage is broken, all of those things are disrupting the operation and that costs the company money.

And as a result, you know, your security goal is to maintain availability and a trustworthy process.

So instead of confidentiality, integrity and availability, it's availability, integrity.

Yeah, there really isn't a lot of confidentiality, but there's enough errors that occur with this complex array of systems that those same detection capabilities go off and you'll be investigating every day.

You know, almost never is it a real attack, but you know there's enough events going on you definitely stay in practice around the investigation processes and the validation.

Speaker 4

Correct me if I'm wrong.

It sounds like what you're saying is that your team is not just OT incident response, you're also the automation troubleshooters when something goes weird.

You know, is there a separate troubleshooting team in the organizations you work at?

Or are you it?

You're the troubleshooters for OT, and, you know, let's call you deeply paranoid troubleshooters.

Speaker 1

Absolutely. And you know what, just because you're paranoid doesn't mean they're not after you.

We also assume breach.

But the difference, I think, is there isn't one team that does troubleshooting in an industrial control system.

There are so many complex parts.

There are literally thousands of people working at some of these large companies that I've worked at that have various parts of the equation.

There's people that only look after wide area networking.

There's people that only look after measurement.

There's people that only look after vibration monitoring, for example, and in the pipeline business, leak detection.

In other areas, it's the integrity of the extraction process, and so there's literally hundreds of people.

We just get a view at the top, and part of what we do is we identify those things and we'll try and let the appropriate party know, hey, we saw something.

Maybe it's operational related. If it's not, or if you can't explain it, please bring us back in and we'll treat this like a cyber attack until then. And yeah, we're deeply paranoid.

I think you have to be, because only a sophisticated actor is going to be able to penetrate a large corporation. Like here in Calgary, I think there's six or eight Fortune 500 companies that are industrial control system first, right, and I've worked at most of them.

But what I've seen that's common across the board is there's not only a lot of people, they have very sophisticated incident response processes because a lot of things break mechanically or you know, injury wise and things like that.

Thankfully a lot fewer injuries than before, but you know, physics is physics.

Things can still break, and we're very practiced at responding to incidents.

So what I've noticed at different companies is they all had a fairly robust incident response process.

So you know, cyber is just one more thing that can go wrong, and so when you think it's a cyber event, you try and inject yourself into that incident response process.

And conversely, when something else goes on, we'll get called in and say is it cyber?

And so we work as a group, where certainly no one individual department is responsible for the whole thing.

Speaker 4

And I'm thinking a little earlier in the interview, you mentioned a decision process that you had worked out for trying to distinguish between operational failures and deliberate operational failures in terms of cyber attacks.

Can you go a little deeper on that?

Can you tell us something about what that process looks like?

Yeah?

Speaker 1

Sure can.

Now, again, I'm not disclosing specifically how my company does it today, but I teach this methodology publicly occasionally, and I've been doing so for about ten, fifteen years, so you know, it's not a secret secret.

And before it was even a title, we were thinking along this concept of living off the land, and are there tools or capabilities that are already there for the attacker that they could use to thwart your behavior?

And when you look at the work coming out of Dragos, they've articulated that as insecure by design.

You know, the protocol itself will accept the, you know, command to shut down the PLC or reset to factory default.

And you know, once they started adding these kind of payload-click, paint-by-numbers ideas into Metasploit, that was a pretty clear sign that, you know, the genie was definitely out of the bottle.

So when the equipment or the capability is already there, built right into the operating system or built right into the control protocol, you now have to take a step back and look at the context of why that event is occurring, and is there an indication that it's malicious?

So if we were to look at something like an unusual command going against the PLC, ideally it would be great if you had a firewall that said that's not an allowed command in my path, and if it's an important enough piece of equipment, there you go.

But then you should also be looking at all the commands that failed, because the attacker is not going to get it right the first time.

You're going to get a couple of warnings.

So you have to do something similar to a HAZOP.

You have to kind of walk the process and figure out where things could break, and you look at where that would be done digitally, and you have to think through what the indicators of that would be, and then ideally you do data mining and you go look through what it looks like now when things are okay.

And then you have to work against that process.

You know, I get an event.

Is this the same account that I see every day doing this event, and for the last thirty days?

Yes, that doesn't protect me against somebody who's an insider on the payroll of a nation state, but it's also far less of a credible risk because you know they've been here for quite some time.

So walking that decision tree through, you wind up seeing an event.

You look at the attributes of that, think about the context, and then you work through what would normal look like, what would abnormal but safe look like, and what's unexplainable. And when you're not sure, the answer is no, that's not normal, you go to kind of the next criteria, and the minute it looks a little weird, we get other people involved that are experts close to that system, and we may have something here.

So our job number one is not to be the crying wolf department all the time.

But if it's done in good faith, you're really figuring out, no, this is unusual.

Usually they'll tell you, yeah, we hardly ever log in at three in the morning to do this.

So, yeah, thanks for that, But we had an MII.

So yeah, it's, you know, when you look at it, the attacker is going to have to disrupt your equipment the same way that you operate it in order to do any real damage, and that's going to leave some marks.

And if you've instrumented or you've got the right observability in that environment, you can start to trace through the path.

And so I tend to take an attack path approach to it, and I look at logical steps, because you're one hundred percent right, none of the major companies out there have their infrastructure set up so that if somebody opens a phishing email, it's all over. Like, that could be the start of it.

But that attacker is going to have to have a lot more steps to get anywhere near a physical destruction of something.

And so if we understand that path and we're monitoring those paths, we can look at certain key checkpoints and choke points, have baselines of how stuff works and work against those things.

It's going to need to be a very patient attacker with an incredible amount of insider knowledge to get through all of that without making a mistake.

So you see it every now and again people talk about something called a home field advantage or the blue team advantage.

We know all the paths, the attacker doesn't, so they're going to make mistakes.

And that's the idea.

As you try and monitor for that, I think, you know, respond accordingly.

But the minute it looks funny, get help.

If you take one thing away, that's it.

That's it.

You know, know what normal is, and if it's not normal, get help.

Speaker 3

So Nate, what struck me in Doug's answer there?

You know, we're diverging a bit.

We're talking about the process for incident response rather than recruiting incident responders, you know, but the process tells us something about the kind of person that we need, that we're looking for.

What I'm reminded of in the description of the process, what struck me, was that he described what sounded very similar to what we had Sarah Freeman describe, I don't know, a few dozen episodes ago, where she was talking about the book that she and Andrew Bochman wrote.

The book was Countering Cyber Sabotage, and the subtitle is Consequence-Driven Cyber-Informed Engineering.

And the book was, you know, about a bunch of stuff.

Most of it was about a methodology for risk assessment and the heart of that methodology was system of systems analysis.

Sounds very fancy.

What were they looking for when they're analyzing these systems?

They're looking for choke points, just like Doug said.

And so, you know, what struck me is Doug is someone who's been doing incident response for a very long time in the oil and gas industry.

You know, what struck me is that when Idaho National Laboratory writes this stuff up, when, you know, Sarah Freeman and Andrew Bochman write this stuff up, they're not making it up.

This is stuff people have been doing for a long time, and this is arguably the right way to do it.

It's arguably the best way to do it.

So, you know, that just rang bells with me, going, oh, so we actually can believe what we read in that book, because, you know, here's a man who says, yeah, I've been doing that forever.

It's not that they're making this stuff up.

It's a question of writing down what leaders in the field have been doing for a long time.

You've touched on this a couple of times throughout the interview here, but let me ask you outright.

I have a lot of people coming to me saying, hey, Andrew, I shouldn't say a lot.

I occasionally have people coming to me saying, Andrew, I'd like to get into OT security.

Speaker 4

How do I do that?

What's your advice to people who are asking that question?

Speaker 1

Yeah, I would love that question.

I get it occasionally, but I don't think a lot of people even know that there's a giant need for that capability.

What I would do, for sure is I would recommend them, recommend to them that they do go get other practical IT experience, whether it's in maintaining server equipment or a couple of complicated applications that utilize databases and you know, workers with interfaces, wide area networking, local networking.

All of the same components that we use to control computers in IT are the same ones that they're using in OT.

The differences are around both the impact and then the service expectations.

You know, you can't just reboot it at will, and you can't just, you know, let it not run for the weekend, and, you know, any upgrade needs to be tested impeccably and ideally on a, you know, a staged approach, like a lot of this operational rigor.

You're not playing with a desktop.

You're playing with a computer that is controlling a very expensive, complex physical environment.

So go get experience on computers and networking and application support.

I want to say, in a safer environment where there's fewer physical consequences, and after you've got a couple of years of that, it's a lot easier to make the pitch to say I want to do something like this in the physical world.

I've looked around for specific training on this, and probably the best stuff out there is coming out of Idaho National Labs and ISA, and that would be an excellent addition, and they're reasonably accessible.

But there's also some online training and books and things like that that you can get.

There's a very good book on cyber-informed, consequence-driven engineering, and, you know, even though that's a little advanced for, you know, how to deliver.

The first four chapters will teach you a lot.

There's another guy I know, in fact, it's you who's written three great books on this whole problem.

Read those, Yeah, Like I think studying that, but also getting your hands dirty working with the technology day in and day out.

And I hate to say it, but even just build yourself something that does a little physical process.

Like if somebody was to say I'm working with embedded devices and you know, software, radio and things like that, like that tinkering mindset, that's somebody that's going to be a lot more useful in the field.

Speaker 4

Well, thank you for the mention of my books.

I appreciate that.

Let me return the favor.

I mean, you are not only an expert OT incident responder, you are also the co-host of the Caffeinated Risk podcast.

And yes, I'm interviewing you, but a couple of weeks ago you interviewed me, and, you know, I was impressed: you and your co-host asked me questions that no one else had ever asked me.

So can you talk a bit about your podcast? What's it all about?

Because, you know, I'm recommending it to our listeners as well.

Thank you.

Speaker 1

Yeah, it was a COVID thing that I kind of came up with.

But I've known Tim for a long long time and we've worked at different companies, and you know a lot of them were industrial control companies, so our heads were both kind of there.

But I've learned over the years that cyber security is really about risk management.

And it's funny.

I was scrolling around this morning as I'm getting coffee going and you know on LinkedIn, you know, resilience is you know, protection is not feasible at the scales that we work at, so resilience is everything.

And they, oh, you mean like risk management and it's got a new brand with resilience.

But businesses have always been running risk. And I think what people have missed in the cyber security equation is no company president or board of directors ever woke up and said, let's take thirty to fifty million dollars a year and go buy a bunch of computers and apps and do cool things with it.

Like that wasn't their goal.

They had a business function that needed to be done, and over time the digital elements fed into it, and after that it becomes a target because that's how you disrupt the business.

That's where the data about your customers is stored.

That's where the effective controls of the product are.

So you know, it's always about crime and money and power and all the same things that have been driving the world for, I don't know, five ten thousand years, and risk management has always been part of that equation.

You know how big your army needs to be, how long you're, you know, how much food you need to store in case they siege your castle.

To modern things like the banks obviously were some of the first people involved in cybersecurity because people figured out you could steal money from them.

But it's it's an evolving field, but it's fairly immature compared to something like medicine or engineering.

But risk management has been going on since day one.

It maybe wasn't a formalized practice, but they're you know, let's uh, you fast forward and now it's got a bunch of different branches and we're a lot more sophisticated at it, but in the end, it's still managing the risk to the organization to be successful.

Because nobody ever starts a business hoping they go out of business and waste a lot of money.

And as we digitize, we have to protect that digital capability, just the same way we lock the door at the end of the night when you close up shop so that people don't come in and steal all your stuff.

So it's it sounds more simplistic maybe the way I'm explaining it, but we've interviewed a lot of different people on that podcast over the years, and a lot of different disciplines.

Definitely some brilliant people like yourselves and others in OT, but also people that are dealing with physical things like buildings catching on fire.

We had one episode where they were dealing with drones identifying shooters and you know, all kinds of crazy stuff.

But it's all risk management because you're always balancing how much you're going to invest to protect and preserve versus how much of a chance you're willing to take, because if it does come to pass, you have enough money leftover financial reserves or safety tolerance that you can repair the damage.

So it's a you know, risk management's a very interesting field, and now it's branded a little bit more like resilience.

But in the end, you know, I can tolerate this level of a cyber intrusion because if it happens, I know I can rebuild it.

And you had mentioned at the start.

I think we were talking about hundreds of thousands of computers, and do you take a forensic image? Not typically. We'll just pave it and move on because there's nothing on that computer that we care about.

So it's a dumb TV set.

All the data is elsewhere, and that's backed up in a very different way than an individual desktop.

Doesn't mean we don't put protection on stuff like that.

There's a lot of great products that do a pretty good job now, but the number one thing was taking away people's admin rights, and now there's not much value to the attacker on that laptop if they do get on, kind of thing.

But sometimes we'll take a forensic image of a laptop, like let's say the CFO lost their laptop on a plane and then it comes back.

We're not plugging that back in, but we may just take an image of that one because he didn't accidentally lose it, right? So yeah, risk management is complicated.

Any of the advanced digital stuff is expensive and time consuming, so it'd better be worth it.

But there are a number of things that happen every day that you can absorb.

A lot of companies don't bother chasing people port scanning the outside of their company anymore because they're not going to get anywhere.

And you would bury people in paperwork trying to get things shut down with abuse.

Now somebody comes at you in a denial of service attack, that's a different story, right, you'll address that.

But individual port scanning nobody cares anymore.

But that used to be a thing a long time ago.

We'd run around try and block him in a firewall, and I was like, yeah, they'll tire themselves out.

There's nothing there to hit.

So it's a different way to go about it.

And I think I was to look at how do I how do I want to sum things up?

You know, to me, risk management is cyber. We're just bandaging that through digital means.

And the best value that you can bring to an OT security scenario is understand both security and the IT technologies that are controlling these physical processes, and you know, really be humble enough to accept a gravity that a lot of the people that have been developing and building these very amazing technology driven plants and stuff like that, that they are experts in what they do, and there's a time to listen and a time to talk, but mostly listen, especially if you're new to the field.

Speaker 4

Before I let you go, you know, you're a public figure, you're a podcaster, you know, you're you're teaching.

If people want to get in touch with you to ask you how to get into OT security, you know, how how would they reach you?

Speaker 2

Uh?

Speaker 1

Well, probably the easiest is to find me on LinkedIn.

I'm I'm very I'm very bad at immediately hitting the reply, but I definitely go through them a couple times a month and accept and I will answer questions through there without a doubt.

And then you know, here in here in Calgary, Western Canada, like you say, I'm pretty visible.

I'm you know, six three and white hair kind of stick out.

And I'm very approachable on this, especially if somebody is interested in this at all.

I think this is such important work that we're doing.

Like I said, I don't represent Enbridge here, I don't represent Suncor or any of the other companies I work for, but I'm really proud of the work that we are doing here in Alberta, and the education institutions are taking it very seriously.

There's a lot of momentum in this area of securing our way of life that is controlled by a lot of digital stuff.

So I'm easily very approachable on this.

Find me on LinkedIn, and I've got a couple things out there online.

But the other one, like you say, is Caffeinated Risk.

We have a website, and Doug at Caffeinated Risk would find me if you wanted to send me an email, and LinkedIn is the other best way to do it.

Speaker 2

Andrew, that just about concludes your interview with Doug Lease.

And as we exit this episode here, I figure in a show about recruiting, some of our listeners will want to know how do I get a job in the OT industry?

So, Andrew, how do I get a job in the OT industry?

What are recruiters looking for?

Speaker 3

Well, what I heard Doug say, and I agree with him, is that if you want to be effective in the world of OT security, you've got to understand cybersecurity.

You've got to understand IT because a lot of that technology is in the OT space, and you have to understand OT.

You have to understand something about engineering, something about the physical process, something about automating the physical process.

So you need cybersecurity, you need IT.

You need OT.

You know, what I heard Doug say is it's it's a hard fit to have someone come straight out of school and drop them straight into OT cybersecurity.

He would rather people come straight out of school and do one of the three.

Do some cybersecurity on the IT side, do some server administration on the IT side, or telecoms or network stuff, just to learn about those tools and how to, you know, apply them to different kinds of problems.

Or you know, do something on the engineering side and you know, learn then about cybersecurity and the other stuff server administration and so on.

So start with something and grow into or you know, get recruited into the space that you're really interested in.

Speaker 1

You know.

Speaker 3

Again, my own experience is I love to hire people who are interested in something.

If your interest is in OT security and I've hired you into any of these other functions, I'm going to work as your manager to give you opportunities to move into the field that you're interested in.

That's how you're going to be the most effective for, you know, my organization, because you keep naturally learning more about the stuff that you're interested in.

So start somewhere and you know, work into OT security over time is what Doug said, and it kind of makes sense.

You know, it might be frustrating for people who have come out of the very few OT security programs in the world, but you know, if you've come through one of those programs, I think there's there's there's opportunities for you as well.

But you know, maybe maybe it doesn't hurt for you to grab something related for a couple of years and then move into sort of your your first love as well.

So it's complicated.

Speaker 2

Sorry. Well, thanks to Doug Lease for speaking with you about this, Andrew, and as always, Andrew, thank you for speaking with me.

Speaker 3

It's always a pleasure.

Speaker 1

Thank you, Nate.

Speaker 2

This has been the Industrial Security Podcast from Waterfall.

Thanks to everyone out there listening.

Speaker 4

Something