
A
So, wow. Of course the risk is high. How do I overcome that risk? Because IT systems. And we just had a beautiful month of November where how many times did AWS and Azure and Google go down, right down for 18 hours? Could you imagine if the power grid went down worldwide for 18 hours? What would happen? I mean, there'd be wars. Now it's chaos.
Welcome to Embracing Digital Transformation, where we explore how people, process, policy and technology drive effective change. This is Dr. Darren, Chief Enterprise Architect, educator, author, and most importantly, your host.
On this episode, we are exploring converged OT and IT cybersecurity with OT expert and my guest, Santosh Kivetti, CEO of ProArch.
Santosh, welcome to the show.
B
Thank you, Dan. Good to be here. Thanks for having me.
A
I'm really excited about this topic. It's a topic dear to my heart. It's what my PhD dissertation was actually on, on converged OT and IT cybersecurity. But we're going to talk about converged OT and IT, and OT as an asset, a strategic asset to the company. But before we dive into that hot topic, everyone that listens to my show knows that I only have superheroes on the show, and every superhero has a background story. So, Santosh, what's your background story?
B
Oh, my background. Well, thank you for making me feel like superhero. Appreciate that. Well, I guess, I mean, you know, just introduce myself.
I come from humble beginnings, migrated to the States in 1998.
Got my master's here, and then got into the corporate world.
Long story short, I've had a fantastic journey as an entrepreneur investor.
I was fortunate to have many mentors. I'm fortunate to be able to mentor some people.
Lastly, travel a lot, love to travel, and then do whatever I can to give back to the community.
A
Now, your career has mostly been in the IT space, or has IT been in the operational technology space? Where have you focused most of your career?
B
It started in IT. I started as a programmer and then fortunate to work in a company that built products for electric transmission and distribution companies. I got into OT and understood the entire IT and OT convergence. That's where it all started for me.
A
Oh. So moving into something that's an interesting space to go into because it's a traditional. It's been around a long time. Electrical distribution, over a hundred years. Right. But still kind of high tech. Right, and still. I mean, electrical distribution's high tech still, Right.
B
Well, they're trying to become high tech. OT is still unfortunately riddled with legacy systems, proprietary softwares, you know, low visibility.
It's. How do I put it? It's so data rich, but functionally data poor or information poor, as you would say.
A
Oh, data rich and information poor. I love that. I love that. And why do you think that is? Why do you think that they haven't moved into the 21st century?
B
I think it started with just concerns, maybe wrongly placed or maybe just not having lack of tools or knowledge, thinking that, hey, we need to protect our air-gapped assets. But in the process, you know, any power generation plant or transmission or distribution company, they work with multiple vendors, they have ICS systems, they have SCADA systems on top of any number of vendors who are providing them different sensors to work with and so on. Most of them are proprietary in nature. They're air gapped, but the data is still just siloed and it's just not available to give them any kind of true intelligence. So that's how it's been. And for the most part, the reason has been, well, we need to keep this protected and therefore it needs to be completely air gapped. But that's, that's not a good excuse, in my opinion.
A
Well, yeah, but, but there's some, there's some precedents around this, right? Air gap systems are harder to break into.
B
Right?
A
I mean, if, if it's not connected to the Internet, then, you know, it's, it's hard to break into if it's not connected. Right. So I mean that in, in your head, that makes sense until something like Stuxnet came around and they, and they bridged the air gap right in, in Iran and, and destroyed centrifuges in Iran without it being connected.
Through a software update, which was devastating to the nuclear program in Iran.
And so, I mean, those attacks can still happen over the air gap.
B
That's the myth, right? Yes. I think everybody assumed that just because I'm not connected to Internet, you know, I'm not open or susceptible to hacking. That is not true at all. That's where low visibility and dependence on proprietary tools and software that is in itself susceptible to hacking. If you follow the chain of any software that comes to these proprietary channels, you will very quickly realize they are susceptible to hacking as easily as a connected system would be. And it's easy to exploit that. So it's just lack of understanding, true understanding of the risk and where they sit in that risk matrix.
A
Are you starting to see? And I've had this conversation, obviously, with my PhD, I interviewed a lot of people in the IT world. We think of uptime as like four nines would be incredible.
On the OT side, four nines is a disaster, right?
B
In disaster, absolutely.
A
Yeah. So, so the risk is so much higher in operational technology, especially if you're talking water treatment or, or dams, electrical, anything that's involving the physical world like that, people lose their lives.
So wow, of course the risk is high. How do I overcome that risk? Because IT systems and we just had a beautiful month of November where how many times did AWS and Azure and Google go down, right down for 18 hours? Could you imagine if the power grid went down worldwide for 18 hours? What would happen? I mean, there'd be wars, mass chaos, right? I mean.
B
Yeah, absolutely. On that topic, Darren, I mean, you know this. Look at the amount of infrastructure that everyone is building to power the AI, okay? And look at the energy gap that we have as a country today. There's no way that we can bridge that gap. I mean at the speed that everyone wants to build these data centers and infrastructure. So there is increased demand on every producer, transmission, distribution companies to be more efficient, more effective and more importantly manage their cost effectively. So now more than ever they are under microscope. But by everyone saying, okay, how are you going to manage this? There is a, there is increased pressure from public saying no, you can't pass on those costs to us. There's increased pressure from the builders saying, well you've got to, you know, you've got to give me the SLA of uptime, of, you know, whatever, so and.
A
So 9 12, right? Or 12 nines.
B
I mean, or the penalties are ridiculous. I've seen some of the contracts where penalties are millions of dollars if you don't give them the kind of uptime they're asking for. How do you manage this? In my opinion, there is a way to do it, but it's gonna require a fundamental shift in thinking from where we came from to where we are today.
A
And what is that shift?
B
So it's going to require you to first, you know, you have to understand that true convergence comes from.
True ROI, or a massive ROI comes from bringing the OT and IT together. But do it in such a way that you get the massive ROI. Now how do you do that? I know I'm oversimplifying a lot of these things, but hopefully for the, at least for the C levels it makes sense.
You first start with your data. Right? You have, I mean, look at, as you rightly said the beginning of the show, look at OT as a strategic asset. Now most, I would say forward thinking companies took an approach historically saying I'm going to take all the data and shove it into what's called a onelake.
A
Yeah, yeah, yeah.
B
That approach did not work. That centralized approach of I'm just going to throw all this garbage into one lake and assume that somebody's going to go figure out and clean it and improve the quality and figure out a way to use it now.
A
And it never happens.
B
Never happens. So I would say start creating a federated domain centric governance and accountability.
To what I call as domain centric data products that people can be accountable for with proper governance. You can do that. See that data mesh is essential fabric. Before you really can apply any kind of automation or AI, much less to be able to get anywhere.
Then of course you have to understand doing it securely. Security as a foundation, security first mindset has to be imperative. You can't just come in later and then say I'm going to bolt on security or I'm just going to do some vat.
A
Otherwise we end up with what we have today, which is the.
Purdue model. Right, which is air gap.
Yeah, just air gap. It, it's fine over there. And yeah, there seems to jump the aircraft.
B
The good news is if you invest in your data governance and quality and create this federated architecture and if you invest in security from the beginning, you do have a way to control and have the visibility and you can really assess your risks accurately. The issue that everybody has today is they have no idea what the risk is until something hits them and then they figure out, oh my God, I'm just exposed to all of this risk. So that's where they start. Then, you know, you start really bringing like I'll give you one example, right? In order for one ot. Well, in order for, let's say, you know, an operator or someone in the, you know, the maintenance manager to be able to ask a question and answer a question and get closer to true predictive maintenance. They have to cross OT and IT system. Let's say you're working on looking at the data of a pressure pump and something is wrong, you know, with one of the pumps. And then you're trying to figure out what to do. Well, OT will give you the data that something is wrong with this pump. Maybe the temperature is high or you're, you're noticing some abnormality, vibrations or something. Vibrations or whatever. Yeah, exactly. But then you have to cross over to IT to say, okay, what kind of warranty do I have? You know, that probably sitting in SAP. And then you have to go and say, do I even have spare parts for this? You're going to your inventory system to really say only when the data can be fused and someone can simply ask a question in a natural language, say, hey, I see something wrong here. What's happening? Tell me what to do, what your recommendations are, and to achieve that you can of course put an LLM on top of that in a. Again, that itself requires some safety protocols. But there are ways to do that. There is. Now, the technology is not the bottleneck here.
A
I was going to say technology is.
B
Definitely not the bottleneck.
A
Well, in my research, because my research was on the impediments of this convergence. Technology was not the impediment at all. It didn't even show up in, in the, in the research as being a factor at all. Because the technology exists, it's not an impediment. It's. What I found was cultural differences between OT and IT departments in the same companies. They didn't talk, they don't even use the same language.
B
Yeah, you'll be surprised. We today help many power plants. The first thing we do is just give them the visibility of what's on their OT network. You'll be surprised how many of them go, oh my God, I didn't realize I had so many devices on my OT network. They only think about big systems like, okay, I know GE has their SCADA system or Siemens. I know that. But when they actually look at everything that on their routine network they go, whoa, really? I have so many devices. And that in itself says that, okay, you don't even have the visibility to start with. Near real time visibility is super important for them.
A
No, I totally see that. How are you teaching them? Because you're in the throes of this. You're helping organizations with this digital transformation. How do you teach them to overcome the fear? Because it's a valid fear.
Hackers are constantly going after critical infrastructure. So how do you help them overcome the fear of being compromised?
Because, yeah, I mean, it's. I can't imagine being in charge of a power plant, especially a nuclear power plant, and, and the cyber attacks that happen on these plants all the time. How, how you feel? Well, yeah, I want to air gap. I don't want anyone inside here. Right. So how do you help them overcome that, that fear that they have?
B
Yeah, so it's easy for me to throw anecdotes and, you know, I've seen this time and again.
Which path would you rather choose? A path where you don't know what your risks are and you don't have the visibility. And something hits you and hits you very bad, like it happened time and again. You know, you can take colonial pipe, it doesn't matter, you pick a use case.
A
Colonial pipe, yeah, that was right.
B
Or you pick a path where you know what your risks are, you know what your security controls are, you can monitor in real time, you know how much you're preventing or how many hacks you're preventing and you have access to threat intelligence and security intelligence constantly. To be able to be proactive, which path would one choose? Right. But you have to embrace these programs. Again, security cannot be an afterthought. Everyone from top to bottom has to have that culture. But if you again, if done right, they can in real time monitor what's going on and what's being prevented. What are the new forms of attacks, whether the nation state sponsored or whether it doesn't matter from where they are coming from, so that they can proactively be prepared. Of course we like partners, we can help, we can help you help your teams give that intelligence. We can do some of that work for you as well. We provide our clip software, managed services. But more importantly, it's for you to decide and all about information and accurate, timely information. The biggest hurdle so far, this is where AI can help to synthesize this information in a way somebody could make a decision quickly. That was a hard problem to tackle.
A
Oh yeah, I bet.
B
Very hard problem to tackle because information would come from multiple sources and you know, only somebody, one person.
A
Protocols.
B
Exactly. But AI created such a beautiful semantic layer on top of that where someone can ask a question and you can make AI LLMs not hallucinate, you know, get the temperature under control, including critical infrastructure. Right. We want accuracy, we don't want hallucinations, we want low temperature and accurate answer. So we can definitely create those parameters where it can give the recommendation, say, look, by the way, based on what I'm seeing right now in the hacking world and what's getting hacked or what got hacked or what is in active monitoring right now by various sources. We have access to like 20 to 50 feeds that are coming actively. They can say, look, we would recommend these things right now for you to do. And they can be very specific as well.
A
I like what you're saying here because it all goes to visibility and observability of my infrastructure, where in the past OT observability was completely separate from IT.
B
Yes.
A
So if there was an attack on the OT side, most of the times I wouldn't even know because on the OT side I found there was no cybersecurity whatsoever. Their cybersecurity was, it was air gapped. That was it.
B
That was it.
A
That was it, yeah. So there's no detection going on. There's.
No concepts of cybersecurity inside the OT network at all. They just kind of put up a brick wall and said no one can get in, so it's no big deal. So what you're talking about is retraining a whole industry OT to say, hey, you now have to be worried about cybersecurity and let's take the best practices from the IT side and apply them into the OT space and then converge the two. Right.
B
Only then they can truly begin to unlock. Right. They're sitting on such a gold mine of data here and now AI is creating them another layer where anybody can simply ask questions in the natural language or why wouldn't you not want to take advantage of that? And then as I said, whether it is proprietary software, now they have better ways to understand the third party risk too. They can better assess their supply chain risk as well. It's not just what they have on the OT. If something is coming from a vendor, well, what's my risk there? You know, what kind of risk do I have? Just from supply chain perspective? So they can assess those things too. So they really have a good, Again, as you rightly said earlier, technology is no longer, you know, a limiting factor. In fact, it's a force multiplier. You just need to have the mindset and the culture and that option to say, I'm going to do this right.
A
Yeah, it's really interesting because some of the most advanced manufacturing in the world, which would be silicon, you know, semiconductors, right. We're talking one plant is 12 to 20 billion dollars. Right. Those silicon manufacturers completely segregate OT and IT completely.
Never the two, in fact, two different security groups, the whole thing completely separated. And I think you're right. I think we might be leaving some data. Data rich but not information. You know, information starving.
B
There might be something, I call it trapped value. There's enormous trapped value, know, by just letting these things be silos.
A
Yeah, but I can understand as well, I mean, semiconductor people aren't going to die typically if the factory goes down, but for every hour it's down, it's like a hundred million dollars. That's a lot of money.
B
It is, it is.
A
So, so there's got to be some new architectures. Have you, have you experienced? Because I, I, I've created some new reference architectures in this space, but I haven't seen anything kind of globally adopted in this space yet. Are you seeing anything?
B
I don't know if I can speak to specific architecture.
But I can tell you that we today are able to monitor legacy devices that are old PLC devices made on proprietary software to SCADA systems that come from big companies like Siemens or GE.
You pick a device, it doesn't matter how legacy it is or how modern it is, there are now ways to provide you that visibility. They have some limitations. Meaning that some of them probably cannot do remote patching. That's another big issue.
A
But that might be okay and.
B
Exactly, exactly.
A
That might be the first step because now no one can control the OT from the IT side. But it's like a diode, a data diode. Right. Data is only flowing out. Nothing's coming back in.
B
That is correct. But in some cases, though, not maintaining them also opened a huge gap of vulnerabilities as well. You have to find that right balance. But then we, of course, we partner with Microsoft heavily, so we use their Defender programs and we also use their Purview to govern in compliance. But there is a really good way to create a digital twin.
You know.
In my opinion, it's with automation and technology available now. I know a few years or even like five years ago, creating a digital twin could have been the enormous effort.
A
Enormous effort, yeah.
B
Not now, though, you know, we can. We were able to create digital twin for a manufacturing company in a matter of weeks. Now you're not trying to go to the extent of creating visual digital twin to the exact, you know, image and all of that. You know, that's overkill in my opinion. Everybody thinks when you, when you, when you think of, when they think digital.
A
Twin, they think of, you know, oh, it's a, it's a VR world now.
B
VR world, exactly.
A
Yeah, but you don't need that.
B
No, you don't need that. You know, I can literally ask the digital twin model, hey, I noticed this anomaly here. What's going on? Tell me what to do. As if it is a real thing. And it will respond to me saying, oh, yeah, you know, I definitely. The temperature on this particular transformer is relatively 5 degrees more than it should be average. Yes. Someone should go look at it. I would say, you know, you can even say, hey, go have someone check out tomorrow morning at 5am Whatever it is. Right. So digital twin is a very good way to bring everything together and then have, then you can lay over dashboards on top of that to make it easier.
A
Well, that, well, with that Digital twin. Then it's, it's almost light. It's like a, it's like a proxy gap. Is that a word? Yeah, yeah. Maybe we just created a new word, a proxy gap. Right?
B
Yep, yep.
A
Yeah. So, so that, you know, I'm not interrupting operational technology, which I've, I've been to some locations where their uptime was counted in years and decades. This system has not gone down in 40 years. That's amazing.
B
That is amazing.
A
Yeah. In our data center, this hasn't gone down in five days. Way. Yay. That's, hooray. You can't do that in OT. So I understand that trepidation. So that's cool to have a digital twin because then I'm just sucking data off of the physical devices into this virtual digital twin space where now I can play around with things. I can, I can try things out before anything goes out into the real world.
B
You can simulate. Exactly. You can simulate, look at the outcomes. Once you are able to fuse the data, both OT and IT, you can, you can probably play with several scenarios and then say, you know what? I'm going to go do this. And now AI has gotten fairly well to make some recommendations to it. I can say, hey, look, I recommend these two options.
A
I've seen something like this before.
B
Yeah, you pick which, whatever you want to execute. But ultimately I always say the human in the loop. I mean, some, some AI can make a recommendation, but someone will have to make a decision, verify, validate, and then say, this is what I'm going to do.
A
You know, someone, someone on my show recently said, instead of human in the loop, why don't we call it AI in loop?
B
Oh, it's a good way to look at it.
A
Interesting, isn't that? Right? Because what that says is we're still in control. We're just using AI to help us.
B
That's actually a very good way to look at it. I love that.
A
Yeah. Which I thought that's, that's pretty clever, right? All right. So with new things like Optimus coming out of Elon's, you know, stuff where now I've got the physical world. Right. And robots are on the OT side. They're operational technology, technology, they can now start acting on our behalf. They can go into areas that are before very difficult for humans to get into to make physical changes. Do you see this kind of technology.
Making its way into the OT space? Especially when you start thinking about power plants or a mining. Oh man. Robots and mining, that could be game changing. That could save a lot of People's lives.
But there's that security risk, cyber security risk. All we need is someone to hack, you know, a thousand robots that then start going crazy. Right. What kind of security measures do you think we'll see as. As the OT space starts becoming invaded with, with robotics and things like that?
B
Probably can have another whole podcast just on that.
A
Oh, I'm sure, yeah.
B
But I, I think.
Simplistic example. You know, every one of my friends, colleagues who have Tesla who use FSD continue to tell me, I don't have Tesla, I drive Rivian. But they continue to tell me how impressed they are with the FSD feature. Right. I mean, that is completely OT, you know, in, in, in. In.
A
Yeah, it is, yeah.
B
And many in energy companies. I know energy companies, especially with. They have to monitor vast areas, drones, and they are using drones. They're using like what's called even drone birds now, thermal images, and they're all this. I mean, I know we're not quite there with the Elon's version, but these things are already in place, in production, working. Yes. The attack surface is growing. Anytime you introduce a robot or it's another OT device. Just like your SCADA system here, as your smart meter is, this is another OT device. You have to understand.
The vector deeply to say, where are my exposures now? What is the hardware or the software? What are all the different vectors that we can be exposed to? The same principles apply there. You just need to extend your programs into each one of those devices just to be able to monitor, have the visibility, look for anomalies, look to see if something, anything is strange. Because remember, most of these modern devices, they have edge computing and they have AI embedded into them.
A
Yeah, yeah, they do. Yeah, absolutely.
B
So they are in a way an IT system too. So they're kind of doing both work just inside that.
A
That's, that's interesting that you said that, because that is really the fusion of the two. I can maybe in 5, 10 years there won't be a distinction between OT and.
Will just be technology.
B
I definitely foresee that. And especially, and I'm not predicting, but I believe that when quantum computing becomes mainstream, everybody says it's in two years, in three years. I know that we're getting glimpse of that. I think we have to reimagine hardware and software and AI altogether. But at that point, I know for sure that there won't be any delineation between IT and OT systems. But even now that they're converging very fast, both worlds are converging very fast, whether you want to or not. By virtue of new devices. They're converging very fast, as you rightly said.
A
Well, and you can blame the silicon manufacturers for that, like Intel. I work at Intel, so why. Because we're making the chips so small and so powerful that you know, that can, that can go anywhere. I mean the latest chips, 1.8 nanometers, that's 18 Angstroms.
B
Wow. I know.
A
And people are like, well that sounds small. And I says, let me tell you how small it is. The coronavirus is 72 nanometers across in diameter.
B
That comparison I've never heard. Okay, that's interesting. That's very interesting.
A
Think about that. 1.8.
B
Wow.
A
1.8. I can stack 32 easily. 32 transistors across the diameter of a.
Coronavirus.
B
That's amazing. Just to visually try to imagine that. Wow.
A
Okay. Yeah.
B
I did not realize that we're talking.
A
In, we're talking about in the coronavirus itself. I can fit tens of thousands of transistors. That's mind boggling, you know, but I.
B
This is intuition more than anything else.
Future breaches, I'm not going to say they won't happen by hacking into the hardware at that level they might, but I'm more worried about just lack of basic hygiene, good security hygiene.
I think we probably won't see that many cases where somebody's actually hacking into the chip level, you know, and doing something that they're not supposed to.
A
But at the software level, absolutely. I think there is a big lack of security hygiene in software world today.
B
Recently I was reading a research paper from Microsoft where yeah, the interaction, the chat between AI, you know, and the human and AI was completely encrypted, end to end. But they were able to look at the metadata and predict with an accuracy of over 90% what the topic was and what they were talking about.
A
Because no one encrypted the metadata.
B
Exactly. And so much for encryption, right?
A
That is so funny.
B
This is what I'm actually more worried about is exactly as you rightly said, will, who can look at the metadata and why? Who had access to metadata?
A
Well, and that, that leads to. Well, that's why we have jobs. They need really good enterprise architects that can handle these big systems and across, you know, boundaries that traditionally have been isolated. So Santosh, this has been great. I love talking about this stuff because there aren't a lot of people in the world that can talk OT and IT. So it's great to find another person that enjoys talking about this stuff. So thank you for coming on the show today.
B
Same here. There are not a lot of people who actually know and understand like hosts like yourself on both sides, so thank you for having me. Appreciate that.
A
Thanks for listening to Embracing Digital Transformation. If you enjoyed today's conversation, give us five stars on your favorite podcasting app or on YouTube. It really helps others discover the show. So if you want to go deeper, join our exclusive community at patreon.com/embracingdigital where we share bonus content and you can always connect with other change makers like yourself. You can always find more resources at embracingdigital.org. Until next time, keep embracing the Digital Transformation.
Date: December 4, 2025
Host: Dr. Darren Pulsipher
Guest: Santosh Kivetti, CEO of ProArch
In this episode, Dr. Darren Pulsipher delves deep into the critical topic of IT–OT convergence in cybersecurity, particularly within the realm of public sector and critical infrastructure. Featuring OT cybersecurity expert Santosh Kivetti, the conversation demystifies legacy approaches, challenges the efficacy of air gapping, and explores how combining IT (Information Technology) and OT (Operational Technology) is transforming cybersecurity, risk management, and organizational culture in sectors where downtime can have life-and-death consequences.
| Challenge | Traditional Practice | New Approach/Recommendation |
|---------------------|-----------------------------------|---------------------------------------------------------------|
| Security | Air gapping | Proactive, real-time monitoring, intelligence-driven defense |
| Data Utilization | Centralized lakes, siloed data | Federated, domain-centric data mesh, digital twins |
| Tech vs. Culture | Tech assumed the barrier | Overcome cultural/language divides in IT–OT groups |
| Risk Visibility | Low visibility | Observability and governance as a foundation |
| Supply Chain Risk | Limited assessment | Inclusion of third-party risk in security posture |
| Robotics/Automation | Minimal or isolated OT automation | Integrated, monitored, converged IT–OT systems |
| Role of AI | Minimal, siloed | AI as a semantic, decision-support and security-enabling tool |
This episode provides a masterclass in the challenges, risks, and transformative potential of IT–OT convergence in critical infrastructure. The key is not technology, but cultural and organizational willingness to break silos, invest in governance and visibility, and adopt a future-facing, security-first mindset—unlocking value and securing the backbone of modern society.
For further exploration, Dr. Pulsipher invites listeners to connect via the show's community and resources at embracingdigital.org.