How to get started in industrial control systems cybersecurity

Today on Cyber Work, we are talking operational technology, or OT, security with guest Robin Berthier of Network Perception. From his earliest studies to his time as an academic researcher, Berthier has dedicated his career to securing the intersection between operational technology and network security, with some pretty imaginative solutions to show for it. In today’s episode, Berthier explains why modern OT security means thinking more about the mechanics of the machinery than the swiftness of the software solutions, and the big conversation that infrastructure and ICS security need to have about nation-state attackers (and finally are having!). Berthier's best piece of career advice also turns into some excellent thoughts on the importance of maintaining your network… and I don’t mean routing and switching!

0:00 - Industrial control systems cybersecurity
1:54 - How Robin Berthier got into tech
3:38 - Majoring in cybersecurity
4:55 - Intrusion detection systems
9:18 - Mechanical and cybersecurity tools
12:33 - Launching Network Perception
17:03 - Current state of ICS and OT infrastructure
20:24 - Cyberattacks on industrial control systems
28:35 - Skills needed to work in industrial control systems
35:19 - Where are ICS security jobs?
36:39 - Getting into local OT systems
37:55 - Skills gaps in ICS
39:21 - Best piece of career advice
41:01 - Cultivating a work network
43:28 - What is Network Perception?
45:27 - Learn more about Robin Berthier
45:58 - Outro


Chris Sienko: 

Okay, today on Cyber Work we are talking about operational technology, or OT security, with my guest, Robin Berthier of Network Perception. From his earliest studies to his time as an academic researcher, Robin has dedicated his career to securing the intersection between operational technology and network security, with some pretty imaginative solutions to show for it. In today's episode, Robin explains why modern OT security means thinking more about the mechanics of the machinery than the swiftness of the software solutions, the big conversations that infrastructure and ICS security need to have about nation state attackers and seem to be finally having, and Robin's best piece of career advice turns into some excellent thoughts on the importance of maintaining your network and I'm not talking about routing and switching here. Welcome to the machine, the OT machine, and welcome to this week's episode of Cyber Work. Hello and welcome to this week's episode of the Cyber Work with InfoSec podcast. Each week we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals, while offering tips for breaking in or moving up the ladder in the cybersecurity industry.

Chris Sienko: 

My guest today, Robin Berthier, is co-founder and CEO of Network Perception. It's a startup dedicated to designing and developing highly usable network modeling solutions. Dr. Berthier has over 15 years of experience in the design and development of network security technologies. He received his PhD in the field of cybersecurity from University of Maryland, College Park and served the Information Trust Institute, or ITI, at the University of Illinois at Urbana-Champaign as a research scientist. So today we're going to once again be talking about ICS security, government infrastructure security, all the juicy stuff that keeps industries pumping and cyber criminals at bay, hopefully. So thank you for joining me today, Robin, and welcome to Cyber Work.

Robin Berthier: 

Thanks a lot, Chris, for having me. Excited for the conversation.

Chris Sienko: 

Me too. So, Robin, to help our listeners get a better sense of your background and your connection to this field, can you tell us about your early interests in computers and tech and security? Was there an initial draw? Was there a moment that excited you? And once you did get excited, what path did you take to learn more? Were you a sort of a self-taught early person, or did you learn in college or in the military?

Robin Berthier: 

Yeah. So, like most people my age, it all started with video games in the 90s. You know they were really taking over the world. I remember the just being completely, um, excited with games like Quake III and Unreal Tournament and, you know, doing LAN parties with my friends, yeah, and then starting to go beyond the generic video game but starting to develop modules and plugins for those games, uh, so kind of self-taught in terms of, you know, going to, uh, uh, get a book on C, C++ programming, and then, uh, and then getting my, my hands in the code and and learning as much as I could.

Robin Berthier: 

And that led to, uh, after high school and after prep school, having the uh, a decision to make regarding with which college I would join. And you know, I grew up in France and there was this school that just opened the first major in the country around cybersecurity. And I thought, you know, combining my interest for programming and computer science with the excitement of, you know, of protecting systems against cyber attacks, which was brand new at the time, was an amazing combo. So I applied, joined that school and then really been diving into cybersecurity.

Chris Sienko: 

So I always want to hear, when people are near the beginning of something new like that, what was the school like, the school that had a specialized cybersecurity computer program, and how unusual was that? I mean, obviously it was unique, but what was the perception of it in France?

Robin Berthier: 

Yeah, it's a pretty small school and historically they've been well known for risk and reliability, but mostly industrial risk. And they just started a new class around cyber risk and when I joined the class it was just 15 students, so the group was pretty small, just 15 of us.

Chris Sienko: 

Yeah, I mean, did you have a sense of that? They were, you know, was it? Was it pretty? You know up to the moment in terms of technology? What do you? Did you feel like you were kind of like on the bleeding edge of of learning new things, or were they still kind of getting their legs when you were there?

Robin Berthier: 

It felt really early, like you could see in in terms of the professors, and I remember like one year a couple of us in the class actually took over to teach a specific topic to our colleagues, because you know, that was so like bleeding edge that even the professor didn't know about it.

Chris Sienko: 

Okay, so your presentations were like, okay, uh, sit down, professor, we need to explain something to you as well. Yeah, yeah, that makes very collaborative. Yeah, I was gonna say it makes it very, very collaborative and makes you feel more like colleagues than someone who's being you know dumped information into their brain like that. I suppose that probably helped. Absolutely, yeah. So before we talk about your current role as CEO and co-founder of Network Perception, I want to ask you about your five years as a research scientist at the University of Illinois at Urbana-Champaign, during which you, to use your own words, designed and developed specification-based intrusion detection systems for smart energy delivery systems. So that sounds pretty germane to what we're talking about today. So can you talk more about the specification-based intrusion detection systems you were designing at the time?

Robin Berthier: 

Yeah, absolutely so, you know, University of Maryland.

Robin Berthier: 

And then the years before I was really focused on IT cybersecurity like traditional network cybersecurity.

Robin Berthier: 

Okay, when I joined U of I, we had a large research center made of eight universities, funded by DOE and DHS, to research and develop the next generation of solutions that would be aligned with the roadmap that DOE put together every 10 years, and so I learned everything I could about OT cyber. That was new to me. We were fortunate to have really strong industry partners. We were working with local electric utilities companies like Ameren and ComEd in Chicago and so, through those industry partners, really accelerating our understanding of their challenges and what they had to deal with on a daily basis with cyber risks. And one thing that fascinated me was how, in traditional cybersecurity, you know, as a defender, you're always behind the attackers, like they always, you know, are ahead of you, and the equation is really skewed towards the attack side because they have all the time in the world to be able to poke holes and find a you know one opening and, as a defender, you need to be perfect across your perimeter and your entire you know defense program to keep them at bay.

Chris Sienko: 

Yeah, you're constantly sort of defending against. You know they're endlessly on the attack and you just have to just keep waiting for the rocks to get like flinged over or whatever.

Robin Berthier: 

Yeah, and then when you shift to the OT side, where operational technology, where you have actual industrial systems, um, there's one sliver of hope there to kind of rebalance that equation in favor of the defender, and that's by leveraging the laws of physics, like, if you have the pump system, if you have a manufacturing plant, you can leverage the fact that some processes have to, you know, physically move things and if something is not, you know, going according to plan, you can leverage that knowledge to be able to better detect what will be suspicious or what would be not conforming to your requirements, which you don't have in the in the IT side. No, so, yeah, sorry, that was the idea for specification-based IDS. It's like okay, we need to develop an intrusion detection system for smart meters.

Robin Berthier: 

Back then smart meters were just getting started like being deployed at large scale. The fear was that those smart meters, being tiny computers, could be hacked and then you can create a botnet of millions of smart meters to then turn on and off the power at millions of homes, and so we wanted to be able to put sensors in that smart meter network in order to really fast detect if any command sent to those smart meters would deviate from your expectations and that's where we programmatically capture the specification of how those smart meters are supposed to be used and from those specifications build the rules around the IDS and say, okay, if the utility is sending commands too fast that don't make sense physically for a power grid network, then let's raise an alarm.

Chris Sienko: 

Okay, yeah, that's interesting. I was going to ask if you could give me a few more practical examples, but that's interesting. So you're just to make sure that I'm understanding correctly rather than counting on using your security network to see, like, unauthorized logins or unusual network activity, you are watching the actual production of the thing and if it's moving at a different speed than it should be, or it's speeding up or slowing down or changing quantity of, you know, chemical in the water supply or whatever like, then you can, you can sort of. So I did that. Did that require sort of developing a different set of? Would that be sort of like more mechanical tools that you were developing then, in addition to sort of cybersecurity tools?

Robin Berthier: 

Well, we had to get the understanding of the mechanical side of things before being able to develop the IDS. Got it. Like an example as well is a water tank. You know you have a specific volume of water in a tank. If there's a command to fill a tank beyond that volume, you know that's an invalid command, and so you need to have a way in your IDS to capture that maximum volume of water or just at the speed at which the water can get out of the tank. And when you have those parameters you constrain, like you put constraint around how the system is supposed to be used. And the good things there is that those OT environments already have safety systems like mechanical safety systems with alarms and triggers to be able to prevent physical equipment from harming someone or from harming itself and destruction. So if you extract that knowledge and put that into your cybersecurity system, you can detect intrusions faster.

Chris Sienko: 

Yeah, that's kind of giving me a new insight into this. One of our past guests talked about the problems of securing sort of operational technology, in the sense that if you were putting too much sort of security software into sort of processes that require, like you know, very, very precise you know timings on sort of manufacturing processes, than running into that, You're sort of going back to the original sort of physical process and then using the security to sort of catch the info rather than trying to like. Am I getting that right?

Robin Berthier: 

Absolutely. And the aspect we can leverage as well is how deterministic those environments are compared to IT. You know, in an IT network you have millions of applications and protocols. People plug their you know tablet and cell phone and you have things you're not expecting. And then millions of websites. In an OT environment, you know that machine should be sending a ping to that other server once every hour. That data, you know packet, looks exactly the same every 60 minutes, and so you can leverage that determinism to again detect faster what's deviating from it.

Chris Sienko: 

Yeah, that seems like way ahead of its time and sort of a very exciting development. So I want to move from that to your current work. So for almost the past 10 years you've been part of the creation of Network Perception, which is a company whose product enhances network resiliency through network access, security, visualization and perimeter verification, which sounds like it's of a natural progression from your work at University of Illinois, Urbana-Champaign. So how did you come to launch this company and was this sort of a continuation for you of these sort of same ideas that you were working on?

Robin Berthier: 

Yes, so you know it came from the same research center I was describing at U of I. I was actually working on two projects. One was the specification-based IDS. The other one was a new solution for visualizing OT networks faster, OK, and building and doing that visualization using a network model, so replicating an environment in memory, using what we call a cyber digital twin of the environment, just by ingesting config files of firewalls.

Chris Sienko: 

So you're creating like a model of, like a mechanical environment in a cybersecurity environment.

Robin Berthier: 

On the cyber side, yeah, not the mechanical part, but the cyber side. Absolutely. Got it. Okay. So you know it was yet another research project. You know the plan when you do those, those research initiatives, is you work on it for two, three years, you publish papers, you present and then you move to the next one, but this one, when we started to present it to our industry partners and when they started testing it, the prototype of it, the feedback we got was extremely positive. So we knew that we were addressing a key challenge for the industry and so we decided to branch out of the lab and then launch Network Perception to continue developing, maintaining and then later commercializing the technology into a product. So it took us a few years to refactor that prototype that was a mix of code from different sources, different students, different professionals into a video product and then in 2017, 2018, we moved to the office from the incubator down in Champaign, Illinois, to Chicago, and that's really when we launched commercially the company.

Chris Sienko: 

Okay, was there any issue of like having to sort of restart your research? Was there some aspect of your research that was sort of owned by the university? Did you have to sort of like sort of start over to sort of make this thing your own, or was it a pretty natural sort of progression from an academic environment to a commercial environment?

Robin Berthier: 

Yeah, it's actually a really mature process at universities today. They have an office called the Office of Technology Management. You're working with them to identify what IP comes from the university, what do you want to transfer to the company? And then you have an agreement, you know, a licensing, an exclusive licensing agreement that's being signed between the entrepreneurs and the university to make sure that this is done in the right way.

Chris Sienko: 

Okay. Well, I guess I've watched too many TV shows where someone comes up with an amazing thing and it's like sorry, you don't own this amazing insight.

Robin Berthier: 

Well, you know, it's funny because I think the maturity I was describing came from many of the you know lessons learned for the last 20 years, where you know things like Netscape and you know other software. Just yeah, that process didn't go well in the past. That's why they put resources to make it go better now.

Chris Sienko: 

Okay, I'm not going to blast the TV show Lessons in Chemistry just yet, Thank you. So, Robin, I wanted to have you on, as I said, as a guest on the show because of your expertise in operational technology, which we're already having a great time talking about here. So, to start with, we've talked about ICS security and operating technology security a number of times on the show already, including past guests Emily Miller and Lesley Carhart, and recent guests Thomas Pace and Theresa Lanowitz. So if folks are really into that, I encourage you to skip through our back episodes and get a whole ICS, OT manufacturing mega lesson here.

Chris Sienko: 

But I wanted to start today, Robin, by asking you about the current state of ICS and OT infrastructure security in this country. I mean, obviously you're working in a place where you've got like some very interesting and sort of forward facing insights. But I also know that you know I get a slight variation on this answer each time I ask the question, like what is, what is the state of things? Because I know it's such a nuanced issue and there's hardware issues, software issues and not everyone is necessarily working from the same model. So can you give us sort of a heat map of what the industry is like right now?

Robin Berthier: 

Yes, things are moving pretty fast. I mean, as you know, the last five, ten years, OT has just joined the list of targets for cyber attacks. Before that they were pretty safe, being completely offline and disconnected from the internet. And then we've been adding connectivity left and right for productivity reasons, to improve our ability to control those physical equipment remotely, not having to send a truck to, like a substation, for example, every time we want to change a setting, but adding that connectivity of you know, expanding our attack surface or even created a new attack surface that we didn't have before.

Robin Berthier: 

And really, when you work inside a cyber physical system, like an operational technology environment, the priority that you have is to make sure operation like operationally, you deliver on your mission right. If you're a gas pipeline, they need to be you know gas delivered at a certain rate every day. If you're an electric utility, you need to have the transmission line you know up and running with a certain voltage frequency every day. And cybersecurity often is just left as a you know priority at a lower rank and the result of that is that we have a debt, like a cybersecurity technical debt now that we need to catch up on and there's a lot of exposure and that's why you see in the news, you know pretty often that such and such water treatment system got hacked.

Robin Berthier: 

Or you know, three weeks ago we heard from the director of the FBI about this Volt Typhoon attack where nation state was able to get into the critical networks of multiple electric utilities. So, to answer your question, we are on an accelerated journey to first know what we have to protect, that's the visibility challenge, yeah, and then second, um, adopt the best practices around cyber hygiene that we haven't followed in the past in those OT environments. Yeah, you know, IT is much more mature on that side. Right, like we've, right, we have some best practices that's been in the industry for more than a decade. In OT, it's brand new. And it's brand new because, in terms of processes and equipment and technology we have to adopt, we're still at the early stage of that maturity journey.

Chris Sienko: 

Yeah, now that moves into my next question perfectly, because you know we do hear a lot about, you know, attacks on infrastructure, on water treatment plants, on manufacturing. But honestly, like, the thing that I keep thinking is I'm surprised we don't hear more about it if things are as sort of open as they are. So, like you know, every past guest I've had on, like it always escalates into some fairly high stakes discussions about just how like there's they make it seem like there's just this, this field of unsecured industrial control systems out there that it would just be like Candyland for nation state attackers. So I guess I'm kind of wondering why we're not seeing full blown catastrophes like every 12 hours. Or am I just reading the wrong news here? But is there, are there things that are protecting insecure systems? Like is it really just a combination of, like good fortune and wishful thinking? And maybe just like the sheer number of possible targets to choose from? Or you know, like, why is this not happening? Like, as we speak, constantly?

Robin Berthier: 

That's a great question. Um, I think it's a combination of factors and, uh, as an industry, I think we need to work much better on, um, you know, adopting a scientific approach to answer those questions, meaning to to collect data and draw conclusions from data. And now we just have mostly anecdotes. But you know, the bottom line is the state of OT cyber security today is that any resourceful attacker with enough and can compromise the system, like there is a, a. You know, if you have enough resources and you have a clear target is, you know, the likelihood of you succeeding after some time to get into those networks is pretty high. And and we don't see that in the news every day because you know, luckily there's not many resourceful, determined attacker going for those targets, or, you know, a combination of that. Plus, we are investing and we are putting those defense on a daily basis to be able to raise the cost of those attacks.

Chris Sienko: 

Yeah, now, yeah to that end. I guess that is also the sort of persistent refrain that we hear is that a lot of these places, especially when you get down on like a municipal or citywide level, that they're woefully underfunded and the idea of having, you know, a dedicated security team, let alone even a single security person, like is is budget a big consideration in a lot of this, and are there certain sort of like above budget things that are that people are doing to sort of like, put things in place until you know you can have the resources for things like this?

Robin Berthier: 

Well, you mentioned, you know, the Candyland. I think if we were to adopt just that foundational best practice, which is not that expensive, we would turn that Candyland into a much more robust you know field of play where the attack surface is contained, you know, the resourceful nation state attackers would still be able to make their way. That requires, to your question, a higher level of investment and budget. But I think the maturity of OT asset owners today are still in that early phase of the maturity where they have to still adopt good visibility, good cyber hygiene, in order to no longer be a low hanging fruit for those, for those attacks.

Chris Sienko: 

Yeah, now I mean, I I know with sort of like larger, you know, and again I feel like we're we're working on this sort of dual layer system of like the very sort of sleek up to the moment, you know, cybersecurity systems that are, you know, protecting networks and cloud and so forth. Then you have this sort of like heavy mechanical stuff that you're you're you're kind of working with, is there? It seems like that these would also sort of be discrete targets, more so than like if you're like trying to hit like a financial system and you're right, you could be like zipping through, you know, multiple different domains and sort of like grabbing from here, grabbing from there, hiding in here, like are these really sort of being defended like you would defend like a small fort or something like that, where there's not like a lot of like jump from like one place to another?

Robin Berthier: 

Right, you know, we call those crown jewels, right, like it's the most critical system you have in your OT environment, so it's your electricity, that's your energy management system, or like a power plant. And then you, absolutely according to the regulatory framework, like NERC and NERC CIP, you define an electronic security perimeter, ESP, around those crown jewel equipment. And then you have that cyber hygiene, that best practices, to make sure that firewalls are correctly configured, that you have a process in place around change management to make sure that no one can add a rule that would be opening an unexpected access into your ESP without knowing and then and you continuously monitor for a suspicious thing that could happen.

Chris Sienko: 

One of my past guests was someone who facilitated sort of and they would do this sort of city-wide but these sort of disaster simulators where you would get multiple industries and companies and sort of like, create sort of a you know a focused nation state cyber attack on the city from multiple levels. You know municipalities and stuff like that that comes into play at all within these things, or are you really just like we just got to keep that water supply from changing chemicals, you know unauthorized or whatever? Or do you think in terms of sort of like catastrophic, like giant, you know attacks like that and what part you know the thing that you're securing plays in that?

Robin Berthier: 

It's all about risk assessment. So those tabletop exercises can be extremely valuable and I really recommend everyone, to everybody, to adopt them. We do that at Network Perception.

Robin Berthier: 

Actually, we had one this week where you come up with different scenarios, uh, you know a ransomware, or, uh, you know some phishing, uh, attack that lead to one of the administrative accounts being compromised. And then you go from that scenario into okay, how do we protect against it, how do we detect it, how do we contain it and how do we recover from it. And, step by step, around the table, we go and we check our processes or mitigating controls, um, and, uh, and then we make sure that we don't have gaps and, for sure, every time we do that exercise there are gaps identified that we can then prioritize based on the level of risk. Uh, you know typical risk matrix, right, the severity, the frequency or the likelihood, um, and then you focus on, uh, you know, what could disrupt your business, uh, the most, based on those combinations.

Robin Berthier: 

And so in the electric sector, which is the industry I know the best, every two years you have GridEx, which is a nationwide exercise involving hundreds of utilities around that type of scenario. It goes for two days and then you make sure you have the right processes. For example, do you know the contact information of your local FBI field officer? Because if something bad happens, who do you need to contact? Who do you need to escalate? Which resources can you use to, you know, mitigate and recover faster?

Chris Sienko: 

Yeah, I think that moves into my next question here I wanted to talk more about. You know, the bread and butter here of Cyber Work is to help students and new cybersecurity professionals sort of sharpen their skills needed to enter cybersecurity. Or if people are coming to it from other industries, say maybe manufacturing or heavy industry or whatever, they want to sort of move into the cyber side of things. I think one of the things that you always hear that I hear when I hear this is that you're looking for people that aren't just sort of applying the next patch or solving the immediate leak in the wall, like you're thinking on such like a massive level in terms of what if this happens? What if this happens? And you have like the risk element and you have this sort of simulation element, but also you're thinking about these things in this larger way. So for listeners who are passionate about the idea of securing these critical industries, what are the most important skills, experiences, hard skill training, certifications and soft skills that they would need to actively pursue this type of work?

Robin Berthier: 

Yeah, it's challenging because you need kind of a dual background. You need a background in cybersecurity. You need to understand networks and systems from the cyber side, but also, to be effective in the OT or industrial environment, you need to have that additional background, almost like an engineering background, where you understand the mechanics and how things are working at a you know, system level, as you just you just mentioned, because without this you won't be able to understand the unique constraints of those environments that are so important to take into account for your cybersecurity solution to be effective. There's always that battle between oh we have a cybersecurity issue, let's just bring an IT solution into OT and that's it, and it never works because of those unique constraints.

Robin Berthier: 

You have geographically dispersed sites, you have legacy equipment, you have that reverse set of priorities that I was mentioning earlier around you know availability being so much more important than you know confidentiality and so, like in the electric substation, often you have less than a week per year to do any change into a network. It's not like in IT where you can pass something, reboot, or you just add a new server the next week. You have to plan a month in advance in order to be able to make any change to those critical environments. And so for the workforce there to be efficient and it's a fascinating career because it's really a career of cyber defender with a mission, with a purpose but to be effective, yeah, Having the joint background is extremely important.

Robin Berthier: 

And then, in terms of soft skills, I believe, to communicate well with a variety of stakeholders, because you'll have to deal with engineers, you have to deal with the networking team, with the compliance team, with leadership and getting everyone on the same page. That's something that we are pushing through the solution we developed at Network Perception. We always say we want to have software that can be useful for both technical as well as non-technical users, and so being able to understand that and have the good level of empathy to be able to make your server solution sticky and effective.

Chris Sienko: 

Yeah, I mean the way you're sort of pulling together, like you said, the high tech side, the very mechanical, not computer savvy side of things, the stakeholders. It almost seems like there's an element of project management to it, like you're really sort of like pulling such diverse parts of the company together and making them work closely together, so like when you're hiring someone to do this type of work, do you? Are there certain things you like to see on the resume that say, oh, this, this person knows the scene, like like what, what or or just like you you know, especially for someone just entering what, what are some signs of like curiosity that you think, like I would take a chance on this person just entering the industry?

Robin Berthier: 

Yeah, it's, um, you know, if someone is very early in their career, like just fresh out of school, you can see, based on their extracurricular activities, if they have that curiosity, as I just mentioned, like they went to volunteer at, you know, a local facility that would have those types of same challenges that we've just described. Later in their career, I was looking for, you know, boots on the ground experience, like in the field, like have you been working for a consulting firm where you've been thrown at different missions in different environments and you had to deal with that variety of stakeholders and do the product management effectively, as you just mentioned as well? So, yeah, I think it's not for everyone, but when you read the resume and you see that dual background I was describing earlier, that's what I'm looking for.

Chris Sienko: 

Yeah, and I imagine there's a lot of benefit to really explaining in detail what you did, you know, because it's real easy to just sort of rattle off past job experiences, but if you have a project that applies directly to this job, that you're very proud of, I imagine it's worth stretching your resume out a little bit to sort of explain exactly what you did so that they can see, oh, you literally put this together for this water treatment plant or this electric grid or what have you. So, yeah, that's great advice.

Robin Berthier: 

Yeah, and sorry, often as well, I'm doing interviews and ask, you know, describe or tell me about a recent cyber attack that got your attention, like, is there anything in the news in the past few months that you actually were curious enough to go deeper than just the first news article, but go to a more technical website and understand, you know, how did the attack process work, what exactly did they compromise. And, you know, people know what they don't know. But, you know, the good candidates, if they spend the time to do their own little investigation and get that understanding, that put them abroad.

Chris Sienko: 

Yeah, and imagine, like, even if you, you know, were to say, well, if I had been in there, I would have done this and this, even if it's not necessarily the best possible solution, especially early on, if you're showing that you're already sort of imagining scenarios there, I imagine that's probably a good sign rather than, like, oh, I don't know anything about these attacks, let alone what I would have done in them, you know, that's a big jump. So I guess, speaking to the way people are getting jobs in this, where are the ICS security jobs being filled today? Is this a job role where, you know, you mentioned volunteering at your local, you know, state, local government, infrastructure thing, whatever? Is this a job role where professionals largely work for a single company or part of the country or the city? Or is ICS security more of a consultancy type thing that takes on clients and implements changes on a project by project level? Which is more common? Or are they sort of equal?

Robin Berthier: 

It's sort of equal. I would say both, and I've seen many people in that career, like, starting in a consultancy role for, you know, five to 10 years and then moving to, you know, being part of an asset owner, asset operator.

Chris Sienko: 

So I think, yeah, I think it's pretty cool in terms of the consultancy and then the, you know, kind of desk job where you have the same location. Do you have any advice for presenting yourself to sort of local infrastructure organizations and let them know that, you know, in a way that shows that you're serious about this? Apart from, you know, I'll do it for free, obviously.

Robin Berthier: 

But like, what are some of the ways you can kind of get your antennas out and you're going to start seeing more OT systems than you've had before. You're going to see them pretty much everywhere. You can go on campus to your school and then the HVAC system, that's an OT environment. Now you have smart buildings, and so it can be really close to where you are already that you can learn and volunteer and help, you know, on your school, in your city.

Chris Sienko: 

Yeah, now we've talked about some of the desirable traits and desirable experiences. Are there any particular skills gaps among people trying to work in OT and ICS security that you've seen? Like, what are some skill areas that you see lacking in job candidates that you'd like to see become more universal?

Robin Berthier: 

Um, so, you know, the network aspect is often a gap, because either we find really strong network experts, network engineers, but then they don't have a network is configured how a Cisco firewall can be deployed to mitigate a vulnerability or to protect those crown jewels, then they're lacking. So my advice would be to really get on your Cisco certification class, or, you know, there are tons of free resources online, but, you know, the ISO model should have no, you know, no mystery for you. You should be able to read an ACL in a firewall and know what it does, and just start at home. Like, you know, just get a small firewall in there for your home network and start playing with it.

Chris Sienko: 

Yeah, absolutely. No, you can't neglect the essentials, I guess. Even if you want to do like the fun, sexy, crazy things or whatever, you still have to know how it all gets put together. So this has been an amazing talk, Robin. Thank you so much. So, as we wrap up today, can you tell our listeners the best piece of career advice you ever received, whether it was from a teacher or a mentor or just something you kind of learned in the field from a colleague?

Robin Berthier: 

Um, you know, I think the advice we receive at different stages of the career but will. But the best one I've heard early on, specifically, you know, coming from Europe and going to the US, was how important it is to build and nurture your network, and, you know, that goes both ways here.

Chris Sienko: 

We're not talking about Cisco, right? We're talking about your professional network, right.

Robin Berthier: 

Exactly, exactly, because later in your career that becomes like a, you know, a bank account, like you can withdraw from it, and if it's rich enough, if it's dense enough, then it's really an invaluable resource to be able to, you know, find the right job opportunity or find mentors or just address some challenges you have. So that would be the first one. The second one is to write things down. Like, if you don't set your goals and write them down, or if you have an idea but you don't write it down, often it escapes you pretty fast. So I'm kind of writing everything important that goes my way and that's been helping me a lot.

Chris Sienko: 

Yeah, and rereading it. I know I have a bad habit of writing things down and then losing it. I know we're kind of coming near to the end here, but I kind of want to go off script for a second and ask you a little bit about, because it's clear that your network is very important to you and, like you said, it's a resource that you can draw from and give to. Can you talk about the way that you sort of cultivate your network? Because I think, especially with a lot of young professionals and maybe some older ones, I think that the idea of cultivating your network comes in fits and starts. Like you don't think it was this ongoing process. It's like, oh, I haven't talked to so and so in nine months, I better just write them a quick note or whatever like that. Like, what is your sort of routine for sort of maintaining a robust network? Like, how often do you check in with people? Do you send things to people? Do you receive things from people? Like, what is your average sort of week like, in that sense?

Robin Berthier: 

That's a great question, and I think I have a lot to improve there, but I'm fortunate that in the field in which I am, which is, you know, OT cyber, we have some really good forcing events to reconnect with our network. We have conferences. You know, just last week was S4 in Miami. In a few months we'll have the SANS ICS Summit in Orlando, and so those, you know, events four or five times a year are great opportunities to see people in person, reconnect with them. It's funny because we were joking last week, it's like a family reunion, right? It's not a big space. You know, S4 is about a thousand people, a thousand attendees, and so you'll kind of see the same faces. Sometimes the affiliations will change, like they would go to a new company, right, but during those few days, that's really where you're strengthening the relationships, the friendships, and then building and nurturing that network. So, post-COVID, I think, favoring in-person interactions to nurture your network. I have, of course, now a network in Chicago and, you know, I would tend to go out for dinner or lunch with folks I haven't seen in a while, just to catch up, and that's been a good practice, yeah.

Chris Sienko: 

I love that, and it kind of ties back to what we were saying before in terms of someone who is good at the work of OT security is that you're not just thinking about the immediate thing in front of you or what can you get from it, or whatever. Like, you're thinking on such a large scale of, like, this is a thing that requires maintenance in six different directions or whatever, and so you're always kind of thinking, and I guess the more you can do of that sort of interconnected thinking, the better. Right, absolutely, yeah, so wonderful, wonderful advice, thank you. So we talked a bit about Network Perception earlier in the program, but if you'd like to tell our listeners more about your company and what services you provide, let's do that now.

Robin Berthier: 

Sure, thank you. I know we developed the fastest solution to go from not having visibility of your network into having a robust map of your OT environment. And we do that in a very lightweight manner because we don't require any type of sensor or live data feed from networks. We just use the configuration files of firewalls, routers, switches, so you drag and drop those files into our platform. We're on-prem. We are going to analyze them for a few seconds to a few minutes, depending on their size, and then show you this Google map for OT environment that, as I mentioned earlier, can be understood by both technical and non-technical users, and having that visibility just becomes that common communication language for those different stakeholders. And then, on top of which, we do automated risk assessments reports to adopt those cyber hygiene best practices that we discussed earlier.

Chris Sienko: 

That sounds really cool. I like the idea of a Google map of your OT environment and things like that. That's really interesting. It's very much needed.

Robin Berthier: 

You can't defend what you don't know you have to protect, and so the first step is visibility.

Chris Sienko: 

Yeah, asset detection. We've done several episodes on that as well, and this sounds connected to that as well. So, well, we're just about out of time here. But one last thing before we go. If our listeners want to know more about you, Robin Berthier, or Network Perception, where should they look online?

Robin Berthier: 

So our website, network-perception.com, and then we're also, you know, posting frequent news on LinkedIn and Twitter or X. So, yeah, that would be the best resources to get the latest.

Chris Sienko: 

Yeah, I had no trouble finding Robin on LinkedIn, and our listeners tend to like to connect with our guests, so, yeah, go check out Robin there. Go check out Network Perception and some of their offerings as well. So, Robin, thank you so much for joining me today to talk about this crucial sector of cybersecurity. This blew my mind. This was really, really good, thank you. Thanks a lot, Chris, and thank you to everyone who watches, listens and writes into the podcast with feedback. If you have any topics you'd like us to cover or guests you'd like to see on the show, drop them in the comments below. We are reading them and we are course correcting appropriately.

Chris Sienko: 

So before we go, don't forget infosecinstitute.com/free. I've been telling you about it for a while. You can get a whole bunch of free and exclusive stuff for Cyber Work listeners. You can learn more about our new cybersecurity awareness training series, Work Bites, a smartly scripted and hilariously acted set of videos in which a very strange office staffed by a pirate, a zombie, an alien, a fairy princess, a vampire and others navigate their way through age-old struggles of yore, whether it's not clicking on the treasure map someone just emailed you, making sure your nocturnal vampiric accounting work in the hotel is VPN secured, or realizing that even if you have a face as recognizable as the office's terrifying IT guy Boneslicer, we still can't buzz you in without your key card. Anyway, go to the site and check out the trailer. It makes me laugh every time I see it.

Chris Sienko: 

infosecinstitute.com/free is still the best place to go for your free cybersecurity talent development ebook. You'll find our in-depth training plans and strategies for the 12 most common security roles, including SOC analyst, pen tester, cloud security engineer, information risk analyst, privacy manager, secure coder, ICS professional and more. One more time, that's infosecinstitute.com/free, and yes, the link is in the description. One last time, thank you so much to Robin Berthier and Network Perception, and thank you for watching and listening. Until next week, this is Chris Sienko signing off, saying happy learning.
