A (3:13)

Yes, let's start there. So OT is operational technology. So it is the laptop or your phone or whatever you're using right now. To listen to this podcast, ot, think of factories. Electric water manufacturing, where the electronic meets the physical. So the programming actually makes something happen. That's ot. Critical infrastructure depends on OT, because critical infrastructure produces physical results. So I started out programming nuclear power plants, as you said, which is ot, by the way. But really I was just doing software engineering. I wasn't doing ladder logic. I wasn't doing PLC programming. I wasn't programming the OT devices. From there, I went to Carnegie Mellon University and just was still doing software engineering. But they drew me into this project for the center for Disease Control, and it was to create a bioterrorism portal. So if there was a bioterrorism attack, would have to bring together the cdc, State departments of Health, FBI, National Guard, you name it, pharmaceutical companies. And so we created this portal for them, and it was a prototype. But I realized we didn't even talk about security. And it seems to me that if we had a bioterrorism attack, security would be important. And I knew nothing about cybersecurity. This was in around 2000. So I am old. So I cert. The cert coordination center, the very first cybersecurity organization in the world, is at Carnegie Mellon University. So I thought, I think I'll try to get a job there. And I did. And this was August of 2001, and my first job was to work with the Secret Service to protect the Olympics from potential cyber attacks. And I was the project manager. I knew nothing about security. And I thought, this is the coolest job in the world. I get to work with the Secret Service protecting the Olympics.

B (5:46)

Yeah, that is a pretty cool job. That's a really cool job. Yeah.

A (5:49)

Yeah. I thought, how did I manage to get this job? I can't believe I'm getting paid for this.

B (5:54)

Absolutely.

A (5:55)

But then a month later, 911 happened. And the intelligence community really thought the Olympics would be the next target, because they were in February of 22. And so suddenly, that cool, fun job was not cool and fun. It was very real. And that awakened this passion in me to protect. Protect everyone. So from there I ended up, long story short, insider threat was seen to be an issue with the Olympics. And so we started an insider threat study with the Secret Service, and that grew into the CERT Insider Threat Center. So over 13 years, we created this insider Threat center. I was the founder and the director, and then Rockwell Automation came along and they said, we'd like you to come here and create an insider risk program. And Rockwell Automation makes OT devices. They make industrial control system devices. And when I was at CERT working on insider threat, the thing that I felt like we had not figured out was, was how to stop insider cyber sabotage. And when Rockwell came to me about creating this program, I realized, what if someone, an insider at Rockwell, deliberately planted a backdoor into their products? So if they did that, any terrorist, any malicious threat actor out there could use that backdoor to get into any Rockwell customer in the world. And so that awakened that passion in me, and that's why I went to Rockwell, went there and built the insider risk program. And then in 2016, became the CISO. And that's when I realized, oh, I'm responsible for the security of all of our manufacturing plants. And I knew nothing about how to do that. And in fact, nobody really did. Back then, there were no real standards out there for security except for IEC 62443, which is very, very complicated.

B (8:25)

So now you've made your way over to Dragos, where you're director of OT cert, and you're tackling things like insider risk and mitigating a lot for the OT community, and you provide a lot of critical resources for that group. What are some of the emerging threats that are facing OT environments that your team is observing? And how do you think the free community driven programs like OT CERT that you're running are helping mitigate these threats?

A (8:51)

So in 2022, in February, when the Russia Ukraine war broke out, everything kind of changed as far as cyber threats against critical infrastructure. Before that, for the most part, state actors didn't want to attack critical infrastructure in another country because it was kind of like if you think back to the Cold War, nuclear war, Russia wouldn't drop a nuclear bomb on the US because the US might then drop one on them, and then you have a full blown nuclear war and civilization is destroyed. And it was kind of the same way with cyber. For years we talked about what would happen if a state actor attacked US critical infrastructure. What would the US do? And there was never really a good answer put on the table, at least not that we know of. And so, you know, there was this kind of hands off Cold War kind of mentality. But then when the Russia Ukraine war broke out, Russia attacked Ukraine's n critical infrastructure. Ukraine attacked Russia's critical infrastructure using cyber. NATO countries started getting involved in controversy surrounding NATO. Next thing you know, there are cyber attacks against NATO critical infrastructure. The Israel Hamas war started and they attacked each other's critical infrastructure using cyber attacks. We have the US and Iran that are now involved, and of course we have the China and Taiwan situation. And we know the FBI director has said China has compromised US critical infrastructure. So first of all, the gloves are off. And so the threat environment has escalated. But the other thing that we've seen is hacktivists becoming involved. So hacktivists traditionally have conducted DDoS attacks, website defacements, very unsophisticated cyber attacks, and they didn't really have much disruption. And certainly not in ot, but in the past, like two and a half years, we have seen hacktivists aligning with state actors. And that's according to the US Government. Dragos does not do attribution. But the US Government has said that we have the cyber Avengers aligned with the government of Iran. We have the cyber army of Russia reborn, aligned with a Kremlin. And these hacktivist groups are using more sophisticated methods to actually disrupt our critical infrastructure. And that's because these state actors can give them the tools, the tactics, the techniques that they can use to perform that disruption. And yet the state actors still have plausible deniability. I had nothing to do with that. That was those hacktivists, that wasn't us. And so that has dramatically increased the risk to critical infrastructure around the world. Because now we have these hacktivist groups that are ideologically motivated and with the geopolitical climate what it is, they have the motivation and now they have the ability and they have been carrying out cyber attacks, disrupting water, power, manufacturing, transportation. So it is happening. And it worries me that organizations still just are going too slow, right?

B (12:51)

And these organizations are the ones that are obviously caught in the crossfire of this giant geopolitical all out war that we're seeing. And so how do the threats that are facing these kind of critical infrastructure organizations, other ones like manufacturing, logistics, things like that that you mentioned, how do the cyber threats facing those organizations differ from what we're seeing more in the commercial space? And how do the threats that we're seeing or the attacks we're seeing from these hacktivists, from these state backed groups, how do they operate? Like, what is that entry point and what does the life cycle of that attack look like?

A (13:29)

So I'm going to kind of answer your question in a roundabout way, which is by talking about the SANS 5 critical controls for ICS security. The reason that I'm going to talk about those, to answer your question, is because Tim Conway from SANS and the CEO of Dragos, Rob Lee, they sat down and they looked at all of the different attacks that have happened in OT environments and they looked at what controls would have been effective in preventing those attacks or leading to quicker detection and response. And that's where those five critical controls came from. So I think by talking about those, we talk about what are the threat actors doing. So for instance, having an ICS incident response plan, if you have a plan and you do tabletop exercises, and because you have that plan, you realize, oh, we don't have the logs that we need, you can prepare better for an attack and hopefully prevent it. Secure remote access. That's being exploited by a lot of adversaries right now. And that's one that organizations really need to think about. During COVID we all opened up remote access. We had to, and most of it was not secure. We just, boom, had to do it one week. I remember I was CISO at Rockwell at the time, but a lot of CISOs went back and made sure that that access was secure. But in ot we find a lot of either insecure remote access or we see third parties that come in, systems integrators and engineering firms, service providers that come into your plant and they think, well, I'm just going to put this remote access in so that I can get in easier next time to fix things and I don't have to travel to the plant. Third is a defensible architecture, and that includes securing your OT from it. Because a lot of ransomware attacks that we see, as well as hacktivists and state actors, they get in through it. They use phishing, they use unpatched vulnerabilities, they get into it and then they're able to move into ot. So a defensible architecture is very important. Risk based vulnerability management. Vulnerability management is very different in OT than in it, but there are vulnerabilities that come up in OT environments that are actively being exploited by threat actors and they have the ability to disrupt your plants. And so those have to be addressed right away. So, you know, in ot, organizations tend to say, oh, we can't patch like you can in it. We just patch when we have some downtime. Sometimes you can't wait. Usually you can, but sometimes you can't. And then finally there's visibility and monitoring. They get into OT and you don't even know they're there. And so imagine running an IT environment without any monitoring capability, any network monitoring and visibility. None of us do that. But in OT it's very common. You just have no idea what's in your network. So those five controls were developed based on what is being done. And so I think I'd rather answer the question with what to do about it than what are they doing.

B (17:23)

I want to talk a little bit about ransomware as well. We haven't really touched on that as much. What do ransomware attacks look like for OT operators and how are they impacting their environments? And what trends are you noticing as you're doing your research?

A (17:36)

So we have someone at Dragos that does nothing but track ransomware attacks impacting OT environments every day. And IT is escalating dramatically. It doubled from 23 to 24. And right now we're compiling all of our statistics from 2025 to do that comparison. But we do quarterly ransomware reports and I can tell you it's probably way more than doubled this year. And they primarily the ransomware groups, they want to make money. So they're, they're solely in IT for money. It's not ideology, it's just money. And they go where the money is and where they think they can collect. And they've realized years ago they realized if we hit manufacturing companies, chances are they're going to pay because they don't want us to bring them down. And to try and recover a manufacturing plant is much more complicated than recovering in an IT environment. So they're going after manufacturing. They're also going after any critical infrastructure that they can. So it's important for organizations to realize if you think, oh, this won't happen to me, we just manufacture food, crackers, cookies, no, they will go after you because they know that you will pay if they attack you. So it's a very important third threat group that organizations definitely need to be aware of. How do you combat it? Those sans five critical controls that I talked about earlier, Right?

B (19:22)

Absolutely. Now I want to talk a little bit about everybody's favorite two letter word, and that is AI, and specifically agentic AI. We've heard a lot from guests on the show about how AI agents can help with specific things, like SOC analysts who are evaluating, managing and prioritizing alerts and risk management. How is AI, and more specifically the idea of agentic AI augmenting the approach organizations take to securing their ot?

A (19:49)

Well, you know, I just talked about lack of visibility and monitoring in ot, and you need data to create these AI models. And so without the data, it's very dangerous to just have things happening in ot. But at Dragos, we do have a lot of data. We have a lot of data from years that we have had our platform. And so we are looking at how can we help those SOC analysts. There's such a shortage of OT security experts. And so how can we take that data and help the analysts that are looking at our platform, looking at the dashboards, figure out what does this mean and what actions might I consider taking? But I think we have to be really careful in ot, because we're just OT security in general is behind it security by decades.

B (20:52)

Right. And the idea of autonomous AI agents kind of running amok in your OT environment is something that can strike fear into the hearts of many people, I believe.

A (21:01)

Very scary. I heard a vendor once say, and then the AI will take over and just take care, protect your plant. And I just cringed. I thought, oh, please don't let the AI take over in the plant. OT is not like it. If you do one thing wrong, you could have safety issues, you could shut down the plant, you could have quality issues.

B (21:28)

Well, dawn, thank you so much for the conversation. Where can folks learn more about the incredible work that you're doing and all of these free resources that OT Cert is providing at Dragos?

A (21:38)

Just go to Google. Google Dragos OT-C E R T. We have free resources 75 at the moment, but it's always growing. Any organization with an OT environment anywhere in the world is welcome to join. And our big push is the ecosystem. So it's not just about you. I like to say if you're. Let's say you're a manufacturing plant, where are your plants? They're probably not in the middle of a city. They're probably out in the middle of nowhere. And so where do you get your power and your water? Probably from some small rural or municipal water or electric utility. And they, chances are, have no OT cybersecurity. In fact, you're lucky if they have it. Cybersecurity. And if they get. If they get hacked, they get brought down. You can't run your plant without water or electricity. Same with any office building. You can't run your organization without water and power. So it's imperative that we all look out for each other right now. I talked about what the threats are like, and they're not just going after big organizations. They're really going after the small organizations, the small critical infrastructure organizations. So urge your supply chain, urge your critical infrastructure providers to also join OT cert. It's totally free. We provide practical resources for creating an OT cybersecurity program. So while, you know, other organizations say, here's what you need to do, and they give you the list and you sit there and say, well, fine, but how do I do that? We give you the how. We give you demonstration, videos, guides, templates, a free tabletop exercise. So come to OT cert. Please join and encourage your systems integrators, your engineering firms, because they're the ones that are working in your plants and they don't probably understand cyber security. And so we need that. That's another of that ecosystem. In addition, Dragos has the Community Defense Program for utilities, water, electric and natural gas in the US and Canada. With under $100 million in annual revenue, they can get our platform totally free. Threat hunting, enrollment in our collective defense system, neighborhood keeper, OT cert education, they get it totally free. And we meet with all of these organizations on a monthly basis. Our Community Defense program, we meet with them separately because they're all small utilities. And so we work with them in one way. And then OT cert, we meet monthly with those members. And it's my favorite day of the month. You have large, medium, small organizations, us, Europe, Latin America, Canada, all in there working together and helping each other, sharing lessons learned. It's a great community. So please, please join us.

B (25:12)

That is wonderful. Thank you so much, Dawn. We'll link to all of those free resources in the show notes as well. Thank you for joining us for this conversation. I learned a lot about OT environments and how they operate and the unique risks facing these environments. Dawn, thank you again for joining and until next time time.

A (25:28)

Thank you so much for the opportunity.

B (25:39)

That's a wrap on today's episode of Data Security Decoded. If you like what you heard today, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Your feedback really helps us understand what you want to hear more about. And if you want to reach out directly about the show, email me at Data security decoded@n2k.com that is n2k.com thank you to Rubrik for sponsoring this podcast. The team at N2K includes senior producer Alice Carruth and executive producer Jennifer Ibin. Content strategy by Mayan Plough Sound design by Elliot Peltzman Audio mixing by Elliot Peltzman and Trey Hester Video production support by Bridget Kirkey Wild and Sorel Joppy. See you next time.