Modern industrial control system security issues | Guest Thomas Pace

Thomas Pace of NetRise talks about industrial control systems security. We’ll learn about Pace's time in the United States Marine Corps in cyber-intelligence, his move to forensics and then ICS and why the greatest asset a security professional can have is the ability to find, clearly see and create narratives. I always find ICS professionals to be fascinating, and Pace took us down some new paths, so if you’re also interested in ICS Security, keep it here for today’s episode of Cyber Work!

0:00 - Industrial Control Systems security
1:39 - How Pace got into cybersecurity
4:31 - The speed of cybersecurity's change
5:20 - Pace's career in cyber intelligence
10:08 - Importance of cybersecurity analysis
10:55 - Current state of ICS and infrastructure security in the U.S.
25:22 - How to work in ICS security
32:52 - Manufacturing security issues
38:00 - Security risks for cranes
40:51 - Best ICS security advice
44:09 - Best cybersecurity career advice
46:15 - What is NetRise?
47:40 - Learn more about Pace
48:25 - Outro

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.

Chris Sienko: 

All right. Today on Cyber Work, I've got Thomas Pace of NetRise on the pod to talk about industrial control systems security. We'll talk about Tom's time in the Marines in cyber intelligence, his move to forensics and then ICS, and why the greatest asset a security professional can have is the ability to find, clearly see and create narratives out of data. I always find ICS professionals to be fascinating and Tom took us down some really new paths. So if you're also interested in ICS security, keep it here for today's episode of Cyber Work. Hello and welcome to this week's episode of the Cyber Work with Infosec podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of Infosec professionals, while offering tips for breaking in or moving up the ladder in the cybersecurity industry.

Chris Sienko: 

Prior to founding NetRise, Thomas Pace spent 16 years working in security across multiple roles and disciplines, from serving in the United States Marine Corps, being responsible for ICS security within the Department of Energy and most recently serving as global vice president for Cylance. Thomas has been a proven leader and innovator within security. Thomas has also responded to hundreds of security incidents globally and shared his experience at multiple security conferences, such as RSA and Black Hat. So for the next couple weeks here we're going to be talking ICS, infrastructure and manufacturing security, and Tom's my first guest on this subject and I'm very, very excited to meet him. So, Tom, thanks for joining me today and welcome to Cyber Work.

Thomas Pace: 

Yeah, thanks for having me, Chris, really excited to chat with you, I appreciate it.

Chris Sienko: 

My pleasure.

Chris Sienko: 

So, Tom, to get a sense of your own history, can you tell me about your earliest interest in computers and tech and cybersecurity? Was there an initial draw, was there a moment, and what did you do to sort of gather knowledge when you got excited about it?

Thomas Pace: 

Yeah, I think it really probably stemmed from, like many, getting my first computer, which I think I was in like sixth or seventh grade, which is probably like a. I mean, it's definitely a late bloomer these days, but I think we got it from a Circuit City, so we're really going back in time.

Chris Sienko: 

Oh, yeah, for sure.

Thomas Pace: 

And I remember this is back in like the AOL days where you had to like get a CD and do all that, and I just remember figuring out some ways to take advantage of that, and it was really fascinating to me that you could make these things I guess in these systems do things they weren't really supposed to do or weren't intended to do perhaps, and typically that allowed you to get access to more information or knowledge or something like that. And this is pretty like, really not serious things at all, but it was. I just remember that element of connectivity was really interesting to me and then I just became super interested in it. I was one of those people who was, I think, pretty lucky in the sense that I like always knew what I wanted to do, like related to cybersecurity for the most part, and so, yeah, I followed a fairly traditional path there.

Thomas Pace: 

I'm not some like naturally gifted person. Like my co-founder at Cylance, that guy is just incredible, never been to college, like all that. You know what I mean. And I had to, I had to get after it.

Chris Sienko: 

You had to really grind. Yeah, for sure. Learn by doing.

Thomas Pace: 

Yeah, but yeah. So that's kind of how I got there. I didn't do cybersecurity things in the Marine Corps, but I was in the infantry and did some intelligence work and all that, but I did. I was always like reading those kind of books all at the same time, so I kept some semblance of knowledge, even though that wasn't exactly the best environment for that. So I did my best to stay up to date on things. But then when I got out, just went back to school, followed a pretty traditional path after that, I think.

Chris Sienko: 

Yeah, okay, so that's good to know. So even when you were doing other things in the Marine Corps, you were still thinking like this is something I want to keep on top of. And it sounds like even then you had a sense that the pace of this stuff was moving at such a rate that you had to feel like you would be left behind if you didn't sort of like keep up on it.

Thomas Pace: 

Yeah. Well, that's one of the things that's always been very interesting to me about cybersecurity is, A, it moves much faster than I think some of the other disciplines and you have to know a little bit about everything. You have to know a little bit about databases, web applications, Windows, like. You have to have a decent amount of knowledge in a number of domains. I just, I like that. I can certainly understand why people don't. And you know I was able to stay in the space a bit. Like you know, I was a radio operator in Afghanistan, so I got to like do a lot of stuff with that. I was like our de facto IT guy, which is a kind of hilarious thing. Whenever, oh, my deployment to Iraq, you know, it was like splicing cables and doing all that kind of stuff. So, yeah, I tried to stay as sharp as I could given the circumstances I was in.

Chris Sienko: 

Well, good. So I want to talk about your career background. You started a little bit. Of course, I always look at people's LinkedIn profiles because it gives me a good sort of sense of the sweep of history. So, as you say, for a four-year period in the Marine Corps you served as an intelligence specialist, followed by approximately four more years working in forensics and incident response. So can you talk about this period of your career and the areas of skills and lessons that you learned working in cyber intelligence and especially in forensics and incident response, and how that sort of applies to your current work in sort of ICS and industrial control systems and infrastructure?

Thomas Pace: 

Yeah, I mean, I think, doing some of the intelligence work I did, and that was a really unique opportunity. I basically just got cross-trained as an intelligence specialist during a workup for a deployment and then on the deployment, so it was about as good of experience as what you could get, obviously.

Chris Sienko: 

Yeah.

Thomas Pace: 

And so I think what that taught me was every piece of data is important in its own way. When you collect all of that data, you get a picture that is difficult to assemble with some of these individual elements on their own. That sounds very obvious now, but whenever you're collecting photographs from this intelligence source and data from this intelligence source, and when you look at these things independently, you're just like, you're not real sure if there's any there there. But whenever you start connecting all these different pieces and parts, it becomes real obvious that there is, and I think that is a really good analogy for cybersecurity in general. And so, as it relates to the work I was doing from like an incident response perspective, I liked that. It was very.

Thomas Pace: 

There's a lot of uncertainty in that role. You don't know when things are going to happen. Obviously, you don't control that. I also liked that it was fast, like you had to get something done immediately, and that was, you want to talk about being ahead of the game and on the bleeding edge. You're constantly dealing with attackers evolving, and so what's the latest open source tool, what's the latest analysis technique that I can employ here, et cetera. So I really liked that, and then I did a lot of incident response work at Cylance as well, mainly around ransomware cases and negotiating with all of those folks. And same thing, it really teaches you that things like preparation are by far the most important element of what you're going to do in cybersecurity. So I think that would probably be like some of the more valuable lessons learned there.

Chris Sienko: 

Yeah, I want to jump back to something you said there regarding your time doing intelligence, cyber intelligence and so forth. I think one of the things people worry about with AI or high-level automation and stuff is that they're going to be like automated out of a job, but like you literally told the exact reason why that's not going to happen. Like high-level automation can pull the images, it can pull the data points, but as far as I can see, like there's no chance that it's going to be able to do the sort of human-level cognition that says this suggests this and this, I have a hunch about this, and because it's not a literal sort of data-driven thing, you're basically learning storytelling, right?

Thomas Pace: 

That's a great way to put it, I think. Yeah, you're basically you're constructing a narrative to either support or refute a thesis, right? Whatever that is like, do we have enough evidence to justify a raid on this location, yes or no? Right? And then now, where you set that threshold is another piece of criteria. That's in that formula. Maybe the threshold to raid the house is really really low for some reason, because there's a low probability of collateral damage or like whatever, but maybe it's like really really high because it's in a populated area and whatever. So you just figure out that there's all of these elements that come into, like these decision-making processes.

Thomas Pace: 

And so, in terms of the AI comment, yeah, I mean, I totally agree. Some people are going to lose jobs, but most people are going to get better ones, and that is what is literally the definition of progress. So, you know, everybody said this during the Industrial Revolution, everybody said this whenever the car was created. They'll say it again whenever the next technological evolution occurs. So, yeah, like there will be some negative side effects, like that's just, nothing is ever perfect, because humans make it.

Chris Sienko: 

So yeah, yeah, and I guess I'm also wanting to just sort of staple it on, because we talk a lot about soft skills on here and the ability to you know, communicate with, say, your board or your team or whatever, but I think we don't talk enough about the importance of being able to draw a narrative out of analysis and data and sort of network analysis and what you're seeing, you know like, because again, you're going to be using these high-level tools that are going to be giving you mountains of data and it's going to be up to you not to just hold on to it but to actually sort of like find the stories in there, convey the stories and so forth, and I think that's going to be like a big part of where this type of job, where you're going to like, succeed or fail most spectacularly.

Thomas Pace: 

Yeah, I think that's going to be a big part of it.

Chris Sienko: 

Yeah, so again, thrilled to have you on as a guest on the show because of your expertise, specifically industrial control system and manufacturing security concerns. That's kind of one of our areas of interest right now on the podcast. So I want to start with that. We've talked about ICS security a number of times on the show and I encourage our listeners to check out some past guests. We've had great ones, Emily Miller, Lesley Carhart. So I want to start by asking you about the current state of ICS and infrastructure security in this country, because I get a slight variation on this answer every time I ask the question, and I think it's a good thing because it's such a nuanced issue. But what are the main hardware and software issues currently at play when attempting to secure facilities that, say, provide a city's water supply or electrical grid or traffic management?

Thomas Pace: 

Yeah, it's a loaded question. I think there's a number of issues, if you want to ask it that way, in terms of like water and those kinds of specific ICS and OT environments. I think the issue you run into there is, I think, pretty clear. You're just talking about nowhere near enough resources to adequately, frankly, do much of anything, and I don't know how there can even be a counterargument to that statement. Yeah, right, the idea that a local water municipality in Arkansas is going to be able to, like, stand up against a nation-state threat actor is 100% false. I mean, Google can't stand up to nation-state threat actors over a long enough period of time. This is a no-no, right, and that's not a negative statement against a water treatment facility in Arkansas or Google, right? That is the problem. Therein lies the problem, though, right, and so you know we.

Thomas Pace: 

So how do you fix that? I mean, do you centralize all of the protection and defense of these local municipalities and critical infrastructure sectors? I mean, maybe that's a? You're talking about a significant change in how that all works. On paper, that seems like the smart decision and a good one, but you worry about what that looks like in practice, and it probably is a mess. How does it get messier, though, at the same time? So you can see how, like, this is. I don't know, but I think I know the reason for the problem. I don't know that I know the best answer to fix it, so I think that's an interesting dynamic that exists there.

Chris Sienko: 

Yeah, I mean, it's certainly a very, very high level question that obviously is not dealing with nuance, I mean, and as you said, it's kind of a loaded sort of question. Can you talk about sort of other aspects that are maybe less apocalyptic in that regard?

Thomas Pace: 

Yeah, I mean, you know, I always answer these kinds of questions. I answer them honestly, but they come off as a biased answer, I suppose, based on what we do. If you think about a laptop, a desktop, a server, like traditional enterprise assets, we know every single thing about those things imaginable, right? If we have a question about what's going on on a Windows server or whatever, we can answer that. That same visibility and telemetry just does not exist for these devices. It does in some limited fashion.

Thomas Pace: 

I mean, that's obviously one of the things that we and some others do as well, but how that hasn't, like, really become the priority I think that it should be is a confusing thing. I mean, I think there's some reasons, like it's a hard problem. Okay, that's fine, hard problems are fun ones. Frankly, that's why we picked it. So I think that's like the crux of a lot of it.

Thomas Pace: 

If you have better visibility into these things, it's not to say immediately people start going to a place that says, well, you can't fix this and all these vulnerabilities are there and you can't address them, and it's like, listen, I mean, we don't even know they're there, so we're making decisions now based on essentially no data. I'm less concerned, actually, about the vulnerabilities and risks that exist on the devices than I am about the inability to even identify them. To me, that's a significant. This is always how things go. The first time you typically get visibility into a new industry, a new whatever, it's problematic. What's confusing to me is how defensive the industry becomes about these things. You would think, and this is what we do see from a number of the people we work with, is a willingness to be on the leading edge of the companies providing that transparency and providing data-driven capabilities so they can prioritize and figure out what needs fixed first. Right now it's like a roll of the dice. It's not great, for sure.

Thomas Pace: 

And I get it, right, like some of these device manufacturers are. They're concerned about liability, they're concerned about the competitive landscape. These are not illegitimate concerns. But here's the funny thing about it: everyone has the same problem. Like, it's not like there's one vendor who's just, like, blown everyone else out of the water. Right, right, it's not reality. Everyone has the same problem. So it's not even worth naming names. Like, this PLC manufacturer has these problems and this one doesn't. This is just not true, right, right. In fact, a lot of them even operate on the same, like, base operating systems, and then they add on their own custom stuff. So it's just like a mental shift needs to occur, and that's happening. It's moving in a positive direction, there's no doubt about that, but I think it's just moving at a pace that is not commensurate with the risk in which it exists.

Chris Sienko: 

So as you were saying that, what it sounded like to me is equivalent to like when the US made the sort of deliberate decision to go forward with the space race, with the man on the moon. Like there wasn't just like oh, we're starting to learn how to do this. It was like we have to make like a full on decision to like make this our priority. Like I feel like securing infrastructure is gonna have to require, like you know, like this sort of massive act of agreement that this is a really, really high priority for us to make it happen. And, as you say, the perceptions are changing, but there's still a lot of resource issues, I suppose.

Thomas Pace: 

Yeah, I mean, just think about, you know, if we wanna keep it in the vein of, like, just technology, you had Microsoft come out with, like, the trusted computing initiative or whatever, right, when Bill Gates wrote the email that was like, we are changing, like, this is a top priority now. And that was how many? That was 20-some years ago. Are there any vulnerabilities in Windows anymore?

Chris Sienko: 

Yeah, no, we took care of all of them, Right, yeah, we think it's all fixed right?

Thomas Pace: 

Yeah, sure, and so it's like use that as a reference point, right, Like no one's saying that everything needs to be fixed tomorrow 100%.

Thomas Pace: 

No one thinks that's possible or true, right, but we need to, like, be more intentional about what we're trying to accomplish. Yeah, and you see the federal government trying to, like, move the needle there with, like, executive orders and binding operational directives and, like, some of the things that CISA is putting out, and it's like none of that's bad, but it's just, like, what actually matters? And I think that's pretty unclear at this point.

Chris Sienko: 

I mean, given the sort of, you know, figurative magic gavel, like, rather than the sort of executive, you know, directives and so forth, what would you rather be hearing from, like, the top level down in terms of these kinds of issues? From the government, yeah, or, yeah, government, and, you know, the industry itself?

Thomas Pace: 

I mean, here's the fascinating thing about the government. There's, I know this because I've inventoried them all, there's at least 20, maybe 30 different executive orders, binding operational directives, NIST special publications, standards, compliance frameworks. Like, all of these things exist. I don't know, pick one out of a hat, it doesn't matter.

Thomas Pace: 

Like, just pick one. Maybe you want to pick the one that says there's a firmware resiliency guideline. Maybe you want to say that we actually are going to ensure that all critical infrastructure sector providers are going to adhere to NIST 800-53, all of the controls. Or maybe we're going to say SBOMs are mandatory for everybody that meets these device classification types. Like, I mean, all of those things would make a really big forward step. I mean, I'm actually, like, I love the SBOM, like how much that's out in the industry. Obviously that's helpful for us. It's what we do.

Chris Sienko: 

But could you untangle what that is just for our newer listeners?

Thomas Pace: 

Yeah, sure. So an SBOM is a software bill of materials, which is essentially just an ingredients list. It's basically a list of things that make up a thing, and that could be software components, libraries, dependencies, and then you can include other things in there too, like vulnerabilities if you want, and blah, blah, blah. So it's really just an inventory of the software on a thing. So, first off, the idea that this is, like, a controversial thing or we shouldn't be doing it is just like, what? And so. But I actually, I think that the word and the phrase SBOM, to me this is a supply chain risk management problem, where an SBOM is just an element of that thing. Right, like, saying an SBOM is the solution is the wrong approach.

Thomas Pace: 

An SBOM is an element of a program that needs to be put in place, right? So let's imagine you have a perfect SBOM and that SBOM says everything here is up to date and there's no vulnerabilities, which has been the case a grand total of zero times. That does not include things like credentials and keys and misconfigurations, which are other ways that you can gain access to these things, right? So think about a Windows operating system. Imagine a Windows operating system that's fully patched, 100% patched, but then you get the password. Yeah, the fact that it's 100% patched doesn't matter anymore.

Chris Sienko: 

You make the phone, call the person that gives up their password before they think about it, and boom, there you go.

Thomas Pace: 

Exactly, and so that's where people, like, latch onto a thing and then that creates all this, like, consternation in the market, right, which is just frustrating. So if I had the gavel for a day, I mean, I can think there's a few different frameworks that I think make a lot of sense. NIST has put out a really good, like, open source. What do they call it? I don't remember the exact phrase they use, but it's like an open source software, like, third-party program thing, and it basically says understand, like, where are your software components, the provenance of those things, be able to answer questions, like, you know, this software component is here. Where else is it? Which are things we should be able to handle at this point, I would think. But we don't make them mandatory. And the fact that we have to make that mandatory from a government perspective is super frustrating to me. It's like, where's the firewall standard?

Thomas Pace: 

Yeah, right, like everybody knows you need a firewall Like we just buy firewalls, so sometimes that's what is required though, so you know.

Chris Sienko: 

Is it using? It's one of the things that's falling down. It seems like they always have kind of a long, like, well, get to it when you can get to it, or whatever. But, like, is it like picking one and then enforcing, like, a very narrow time to get everyone to sort of comply with it, or, depending on which one you pick?

Thomas Pace: 

Sure, they always give a big. You know, they give people the ability to submit waivers. I mean, just look at CMMC.

Chris Sienko: 

We have looked at CMMC Many times, yeah. I mean you know it's been over a decade.

Thomas Pace: 

It's been over a decade, yeah, and everyone's like, oh, now's the time. And I'm like okay, all right, still ready. Yeah, yep, sounds good guys. And sure it does seem that they're putting some things out there. They're going to make these things a requirement, but I don't think they recognize fully how many defense contractors are hilariously underprepared to become compliant with these things. So what are you gonna do then? Are you just gonna neuter?

Chris Sienko: 

That's nothing. Yeah, I always wondered about that. They say, well, if they don't make the requirements, then we can't use them as vendors. And it's like you're gonna lose like 85% of your vendors overnight. Like are you really gonna enforce that that hard? Like what's gonna happen?

Thomas Pace: 

Yeah, I mean yeah. So we're just gonna just eliminate all the people who make things for the defense industrial base because they, I don't know, don't have antivirus installed. Like it's interesting, it is.

Chris Sienko: 

Okay, so I wanna sort of pivot this into you know, people who are listening, and our listener base is mostly people who are just starting to get involved in cybersecurity, and they might be students, they might be new professionals, they might be coming into it from another industry. But I wanna help you, or have you help them, sort of get up to speed on these issues Because, like, we're talking about very thorny issues here and I wanna get a sense of like what you think people who are interested in doing this kind of work in this sector, like what kind of like career skills, training, experiences, what should they be looking for to sort of get them up to speed? What should they be working on, even if it's not in their current job? Like what should they be learning on the side, learning in the evenings and things like that, to get a sense of, like what the landscape is like right now?

Thomas Pace: 

I mean, do you mean for industrial control system security in particular? Yeah, I mean, the amount of resources that are free and available is so outrageous these days, so that has put out a ton of like beginner courses for free around like ICS security. I think Idaho National Labs has put out some stuff Just going down YouTube rabbit holes. I think what most people don't recognize and appreciate is the best way to get something is by asking for it, and so if you are like a young, motivated, hungry individual who really wants to get in this space and you just reach out to 50 incredible ICS security people it's an awesome community Like five or six people of them are going to give you some time. Maybe it might be way more than that, but people will give you time as long as they see that you are serious and intentional about what you're trying to accomplish here. And so, you know, get internships to these places. I'm just a giant fan of going and doing things. I don't know. It depends what you want to do in this space.

Thomas Pace: 

I'm of the opinion that most people nowadays don't really need to go to college in cybersecurity. There's some absolutely incredible programs out there, which is also nice, like I went to one that I loved, but you know there's a number of people at NetRise who have no college education whatsoever and they are spectacular, I mean. So I think that I think that's less of an indictment against college, frankly, and more of a statement in support of everybody doesn't learn the same way. Yeah, sure, and so if you need to have your butt in a seat and have somebody tell you how to do some things, I think that's totally fair and reasonable. But if you can just go pick this up on your own and figure out how to do everything in six months by yourself, then that should be treated the same as far as I'm concerned.

Thomas Pace: 

So, yeah, I mean, I think there's that. I think SANS does a great job. Obviously, in terms of some of the classes they offer. They've gotten to be pretty expensive, I think, but the great pipeline I went through it when I was at the Department of Energy, taking a boatload of those classes which were just super practical, which I appreciated, and you have just a number of other organizations offering those classes. I have no affiliation with SANS at all, it's just the one I'm most familiar with. But getting internships at your local municipality providers and things like that, I think, is probably pretty easy.

Chris Sienko: 

I think that was kind of what I was going for. Sort of two things: I want to know where young professionals can get hands-on experience doing this kind of work and also what sorts of experiences in this space they should be able to document on a resume, a cover letter, whatever, that will give future employers a sense that, oh yeah, you actually do this, you're not just reading the book, you don't just know it abstractly.

Thomas Pace: 

You know there's. I think cybersecurity consulting is unique amongst a lot of other types of consulting. Like when you talk about management consulting and some of those kind of consulting engagements. I don't think you get the same set of experience out of that kind of work. It's like sure you get a nice cross-section across a number of different companies, but in cybersecurity you have to do the work Now. You might not be responsible for the remediations and things like that after the fact, but to me the level of effort that's required to do cybersecurity consulting is a good deal more.

Thomas Pace: 

I have to think about that a bit more. I might talk myself out of that at some point, but I did consulting for a number of years and I think that was just a spectacular set of experiences. It was like working 20 years in four years, and so I think that was quite good. And the barrier to entry at some of those places, not to say it's easy to get these jobs, I actually don't think that's true, but a lot of these firms provide opportunities for junior people to come in and get trained up and then do right seat with a senior person, and then they have processes for bringing people up to speed. So I think that's a really good approach. I also think that you get a very unique experience working at a vendor.

Thomas Pace: 

Okay, oh, yeah, that's a good point. Yeah, so I went from being on the end user side, like PNC Bank, to end user again, but in the government, to a vendor where I was doing both product stuff and consulting stuff, which was great, and now I'm running a vendor, which is confusing to me, frankly, still. Now it's more confusing to me how I got here. But here we are, yeah, so I'm very pleased with the path I took. We have people here at NetRise who went from consulting to us and never worked as an end customer ever, so there's no right answer here. Okay.

Chris Sienko: 

But I think it comes back, like you said, to asking. I keep having this sort of vision in my mind of people who want to get involved in this, like, knocking on the doors of their local water treatment plants or their local municipalities or their local government or whatever, and saying, what can I do? How can I chip in? And I mean it sounds like, from what you're saying, that that is at least somewhat feasible in terms of something that you could do to get your foot in the door.

Thomas Pace: 

The worst thing they can say is no.

Chris Sienko: 

Yeah, yeah, as John Waters said, it's always free. So yeah, I want to talk a little bit, shift over to sort of manufacturing security. So, unlike ICS, a lot of the manufacturing sector has some degree of security in place already. We don't have that sort of whistling-past-the-graveyard vibe necessarily in manufacturing that we do in some aspects of infrastructure, but there's a lot of changes in technology and policy and protocol, manufacturing methods and standards that present an entirely different set of issues. So can you talk again, 20,000-foot view, where the breaches and security emergencies are in the, you know, capital M Manufacturing sector? What are some of the big culprits at the moment?

Thomas Pace: 

Well, I think you have a big problem in the supply chain, and that's been there. I think people are paying a lot more attention to that.

Chris Sienko: 

Yeah, oh yeah, yeah. We've really broken that down over the last couple of years here, so yeah.

Thomas Pace: 

Yeah, in a really big way, I mean, and that exists from both a hardware and software perspective. That's not constrained to just one of those, you know, one of those elements. I mean I'm trying to think of a particular attack on manufacturing. I mean, you obviously have the things that happened in Ukraine and like the steel mill in Germany, you know, once upon a time. You have all those, but I think, I mean, WannaCry back in 2017 impacted a lot of manufacturing facilities. You have NotPetya taking down a bunch of things when that all happened.

Thomas Pace: 

Those environments are just. They are not treated the same way as the enterprise networks, which is really confusing. Think about how confusing that is. That this manufacturing environment is the environment that makes the thing that the company exists to sell, and that environment is protected less than someone in accounting's laptop. Right, there's just a risk calculation there.

Thomas Pace: 

That is really misaligned, I think, and I think the reason for that is people don't know how to secure these environments that well. The number of technology solutions that exist in those environments, it is just less. There are fewer of them than in the traditional enterprise. That is just a reality. I think that the subject matter expertise required to implement, operationalize and monitor is few and far between. To bring it back, I guess, full circle to management, I don't think management does a very good job of communicating how important those particular environments are to their stakeholders, whether that's a board or the public market or whoever it is. I think it's just interesting to me that you have this soft part of a company, which is arguably the most important part of the company, that's always seemed to be, like I said, misaligned a bit.

Chris Sienko: 

Yeah, I think, when you think of it in terms of this loose umbrella of manufacturing, versus when we were talking about federal government type things and DOD things, you have these directives that can come from the top, and whether or not they're useful, or whether they're enforced or whether they're comprehensive enough is one thing, but you don't really have manufacturing directives necessarily. I suppose it still leaves a lot to each individual concern to figure out what their own solutions are. I imagine that the pace of improvement is very herky-jerky.

Thomas Pace: 

Yeah, you have things like Underwriters Laboratories standards. You have IEC 62443. You have some things that exist. Now some of those standards are more device-centric than entire-environment-centric. There are manufacturing facility standards, sure. I think they typically just adopt a subset of something like NIST 800-53, though. No one's really reinventing the wheel here. Yeah, it's a lot of boilerplate, I imagine. It is. It's a lot of the same kind of thing, like make sure you use MFA, make sure you segment your networks and make sure you have monitoring in this capacity, and blah, blah, blah. Sure.

Chris Sienko: 

You mentioned specifically before the show, when we were talking about the manufacturing around port cranes, the fact that manufacturing capabilities for port cranes are starting to move back to the US, as well as vulnerabilities found in cranes made in China. I mean, this was all new to me. I wanted to ask you a little bit about what specific security risks we're talking about in these scenarios.

Thomas Pace: 

Well, the issue is a supply chain issue in that I think the number is 88% of all cranes at American ports are made by one Chinese crane manufacturer. And so what are the vulnerabilities and risks associated with that? Well, here's the interesting thing: they might not be CVEs in the traditional sense. It could be that there's like an inherent, like just supply chain economic risk, where Palmer Luckey, the founder and CEO of Anduril, gave a great talk a while back, comparing our relationship with China now with our relationship with Japan during World War Two. Imagine if, during World War Two, we were buying all of our jet engines for our planes from Mitsubishi. That wouldn't happen, right?

Chris Sienko: 

That makes no sense.

Thomas Pace: 

Like Japan wouldn't be. Like, yeah, we'd love to sell you some fighter jet engines so you can come shoot us with them, but that is the exact thing that's happening with China. Like we cannot decouple ourselves from China, we cannot do it. They can manufacture things that we cannot. Period. Like transformers. There's like a special kind of steel that can only be manufactured in like two plants in China that we need, and like that's a problem for just a number of reasons, so not even counting the cybersecurity ones. It's just like, there's just like an inherent supply chain problem, the supplyiest of all supply chains. Yeah, right, yeah. So if these cranes break and we are in an active conflict with China, like we better not hold our breath waiting for the replacement parts to show up, and so that's going to have a lot of downstream effects, obviously. So that's what I was referencing about that. Frankly, I am unaware of any specific vulnerabilities around those things, but it's just like the inherent presence of that set of facts is problematic.

Chris Sienko: 

Yeah, so OK, well, good. So again, I guess Jeff's question above: what is your advice for people who want to get into manufacturing security? Because again I think we're working with a similar but different set of assumptions and sort of current issues or whatever. Like we said for ICS and infrastructure, go knocking on doors and see where you can lend help and take internships. Is it similar for manufacturing, do you think?

Thomas Pace: 

If you want to get into it, I mean, I think this is another idea that should really apply to both. Let's take me as an example. I didn't go to DOE because I had all this like ICS security experience. I didn't really have that, but I got there and I was working on like the corporate side of the network and then started working on the other side. So if you want to do manufacturing security, go get a job on the cybersecurity team at a manufacturing company and then once you're in, you know, now you can say, hey, can I help out a little bit with some of the stuff over here on the manufacturing side? Yeah, and then over time, you know, you can find yourself in that environment totally, perhaps.

Thomas Pace: 

I think that would be a good approach because you have to think about it, right. Like they're going to want to hire somebody, typically at these bigger organizations. Like, think about it, like, I don't know, a large automotive manufacturer, they're going to want to hire people who probably know what they're doing already. And if you're not that person but that's something you want to do, then go get a job at the SOC on the corporate enterprise security team and then, you know, start trying to chat with people or, you know, get data from the manufacturing facility. Get that pumped into the SOC, you know. Start building workflows and processes around it to become the subject matter expert. You know, eventually find yourself over there, hopefully. I think that would be a good approach.

Chris Sienko: 

OK. So I want to make sure that I'm clarifying what you're saying there, because I think I understand it. But you're basically saying you want to start out doing security for the company, the, you know, the sort of environment, and if you are able to sort of rise up in that, then you can start thinking about, like, the security of the things, the product, you know. Rather than securing the place, you're securing the product. Is that sort of what I'm?

Thomas Pace: 

I mean, I'm saying so, if we took, you know, any automotive company, that's just me saying, and you, you're working in the security operations center of their, like, corporate environment. Exactly. All of their laptops, desktops and servers. Yeah. Right, like they're going to want to be getting data from the manufacturing side of the house, I would imagine, and be that bridge, like be the conduit between those two networks, and then, over time, just migrate your way slower and slower.

Chris Sienko: 

Get better and better at that side of things. Yeah, yeah, because that's the best.

Thomas Pace: 

That's a great way to get that experience and exposure, and so that could be a good angle.

Chris Sienko: 

Automate out your old position and make a new one. Yeah, that's good. So as we wrap up today, Thomas, I wanted to ask something of you personally. Can you tell our listeners the best piece of career advice you have ever received?

Thomas Pace: 

Oh man, career advice.

Chris Sienko: 

Or just something that a former mentor said that just sticks with you and that you sort of live by.

Thomas Pace: 

I'll tell you the first thing that entered my brain when you asked me that question, and that was, so, Stuart McClure is on my board, the former CEO of Cylance, and I remember talking to him when I was raising money, like 18 months ago or something like that, and I was unsure if I wanted to take more capital in, like eat the dilution of doing so. And I just remember him saying to me with no hesitation whatsoever, I've never met a founder with too much money at home, and that, I'll like never forget that. I think, like more generally speaking, I mean I don't know how you answer something here without it sounding real cliche, but whenever people ask me advice about what they should do, I give really the same answer, and I think some people love it and some people hate it, because I just tell people to go do what you want to do.

Thomas Pace: 

Like just do what you want to do, like that's all I've done. I don't have any like secret about, like, how did you do this? It's like, I don't know. I started doing it. I just, I almost can't even answer it. So like just figure out what you want to do, and then when people say, well, I don't know what I want to do, I can't help that.

Chris Sienko: 

Right, yeah. Yeah, that's a, that's a you problem. Figure that part out first, yeah.

Thomas Pace: 

Yeah, and then just beeline and just start doing stuff and you'll figure out like, oh, maybe I actually don't like this. Yeah, that's fine, that's great. That's a good thing to find out, actually. Yeah, absolutely, that's, yeah. I guess those would be the two things I would say. That's fabulous.

Chris Sienko: 

Yeah, nothing wrong with that, so. So one last thing before we go, feel free to tell our listeners about your company, Netrise, and their work with companies across a variety of related manufacturing and infrastructure sectors.

Thomas Pace: 

Yeah, so Netrise is a company that began by developing a platform that provides visibility and risk identification into a class of devices that have historically had none, particularly devices such as IoT, industrial control systems, medical devices, embedded systems and vehicles, satellites and telecommunications equipment, routers, switches, VPNs, all of that. What we recognized is, if we can identify components and supply chain artifacts for those things, which are difficult and complicated, we can probably do it for everything else, and so we started as this supply chain visibility company for, like, embedded operating systems and firmware for these kinds of devices, and now we are rapidly expanding to basically do the same thing for everything else. And so, you know, we work with device manufacturers that are selling things into manufacturing and ICS environments, and we work with those people at the same time. We work with both the asset owner and the device manufacturer simultaneously, as well as the federal government and consulting firms too.

Chris Sienko: 

Okay, well, nothing left to ask now. But if people want to learn more about Thomas Pace or Netrise, where should they look online?

Thomas Pace: 

Yeah, netrise.io is our website. There's a bunch of stuff on there. You can reach out: if you submit a form, it comes to me, amongst other people, so I see all of those. The easiest way to get in touch with me, aside from just blasting my email out there, which is not hard to figure out anyways, is LinkedIn. That works really well. I'm pretty active there, so just look me up.

Chris Sienko: 

Our listeners are very active there as well, so I expect you can look forward to a couple of connects here.

Thomas Pace: 

Yeah, no problem, I'm looking forward to it. That's great, all right. So yeah, those are the easiest ways.

Chris Sienko: 

Beautiful. netrise.io, and find Thomas Pace on LinkedIn if you can. Well, Thomas Pace, thank you for joining me today. Like I said, when we talk ICS security it's always a little frightening or intimidating, but it's a fascinating topic and I really appreciate your insights.

Thomas Pace: 

No, thank you very much, sir. I appreciate it.

Chris Sienko: 

Okay, and, as always, thank you to our Cyber Work viewers and subscribers. I've been teasing it for a while, but we finally hit 80,000 subscribers on YouTube, so I thank you all so much. Your enthusiasm makes this a joy to do each week, and if you have any topics you want us to cover, we'll be doing infrastructure and manufacturing for a while, but if you want anything else, hit the comments below. I read all of those and I'd like to hear about it. So before I let you go, I hope you'll remember to visit infosecinstitute.com/free to get a whole bunch of free and exclusive stuff for Cyber Work listeners, including our new security awareness training series Work Bytes, which is just awesome, and please watch the trailer.

Chris Sienko: 

So if you have better security awareness skills than your coworkers, well, what if those coworkers were a pirate, a vampire, an alien, a zombie and a fairy princess? Go find out. infosecinstitute.com/free is also the place to go for your free Cybersecurity Talent Development ebook, where you'll find our in-depth training plans for the 12 most common security roles, including SOC analyst, pentester, cloud security engineer, information risk analyst, privacy manager, secure coder, ICS security practitioner and so on. One more time, that's infosecinstitute.com/free and yes, the link's always in the description below. One more time, thank you to Thomas Pace and Netrise, and thank you all so much for watching and listening, and until next week, happy learning.