In this episode of Resilience Rising, Sean Costigan, Managing Director of Resilience Strategy at Red Sift, and Kevin White, Senior Operation Consultant with Enhanced Information Solutions, explore the critical intersection of wastewater management and cybersecurity.
The two highlight the health and operational impacts of cyber threats on water utilities, emphasizing the vulnerabilities due to under-resourcing and lack of standardization. The conversation details the difference between IT and OT cybersecurity, the importance of frameworks like NIST, and the necessity of regular assessments to address critical security risks. Sean and Kevin discuss practical steps for improving cybersecurity in the water sector, including the integration of Multi-Factor Authentication (MFA) and secure remote access. The conversation also touches on the importance of fostering public-private partnerships, education, and training to build a resilient operational technology workforce.
Core takeaways
Cybersecurity risk in water utilities. Water utilities face significant cybersecurity risks due to under-resourcing, lack of standardization, and increasingly sophisticated adversaries, including state actors. Unlike IT, operational technology (OT) in water management has not seen the same level of cybersecurity advancement, leaving critical infrastructure exposed.
Importance of frameworks and assessments: The NIST cybersecurity framework and assessments from organizations like the American Water Works Association (AWWA) are crucial for identifying and addressing vulnerabilities. However, the challenge lies in the implementation due to limited resources and expertise at the local level.
Public-Private partnerships and standardization: Effective cybersecurity for critical infrastructure, including water systems, requires stronger public-private partnerships and standardized approaches across states. The federal government’s increased recognition of water systems as critical infrastructure is a step towards more funding and resources.
Training and workforce development: There is a need for a revolution in training and education to equip the next generation with the skills necessary for cybersecurity in critical infrastructure. This includes promoting hands-on, problem-solving skills and encouraging non-traditional career pathways to fill the growing gap in cybersecurity expertise.
Key Links
Follow Kevin White on LinkedIn: https://www.linkedin.com/in/kevin-white-915ba0b/
Follow Dunwoody College of Technology https://www.linkedin.com/school/dunwoody-college-of-technology/
Follow Paul Veeneman https://www.linkedin.com/in/paulveeneman/
Follow Sean Costigan on LinkedIn: https://www.linkedin.com/in/seancostigan/
American Water Works Cybersecurity Assessment Tool: https://cybersecurity.awwa.org/
Full Transcript
Sean Costigan: [00:00:00] Hi there, I’m Sean Costigan, Managing Director of Resilience Strategy at Red Sift. And I’m here today with Kevin White, Senior Operation Consultant with Enhanced Information Solutions.
That were a fantastic opportunity at the Dunwoody College of Technology in Minneapolis, Minnesota. We’re in the PLC laboratory and behind us, we’ve got quite a bit of technology.
Don’t touch that button. I’m pretty sure that I’m not supposed to do that. We’re going to have a good conversation today about cybersecurity, about wastewater, and about some of the risks to critical infrastructure that we’re seeing on mass around the globe actually. We’ll start there with just some very basic, it’s in the news, wastewater management and cybersecurity come together in ways that affect people’s health very profoundly.
Kevin I’m really excited to be here with you and have the opportunity to talk with you about it. What happened, what went wrong and we can maybe just give a bit of a background.
Kevin White: Yeah, and this is a symptom more than anything else.
There’s a major underlying issue that we’re really looking to address, and this is one example of it coming to the head.
The major issue right now [00:01:00] is, everybody in the cybersecurity landscape is looking on how to put up their defenses. Water is no different than manufacturing, chemicals, power generation, any of these others.
They have the same vulnerabilities. The differences in water is state agents are coming after it.
Sean Costigan: State agents?
Kevin White: Huge attack. The water utilities are under resourced, they’re not standardized, and they’re having an adversary who’s coming at them that’s better equipped. And the issue is that these are repeatable actions across all our water utilities and the adversaries know this.
What we’ve really got is we’ve got people who don’t really understand the operational technology side, and if we look back historically, information technology cybersecurity has gotten really ramped up in the past several years, right? With your role exactly, I’m sure you see this where the experience, the knowledge base, the growth in it.
We have not had that same revolution in operational technology.
Sean Costigan: In the MTN.
Kevin White: In this end. Where these same devices, we need to get [00:02:00] access to for our operations, but we need to do it securely. And we have not been securing those in the same way we have some of our information technology.
Sean Costigan: And it’s a growing effect surface at the same time, right? That there are more and more devices connected, right? OT devices connected.
Kevin White: Absolutely.
Sean Costigan: And so how do you see that playing out?
Kevin White: So it really has to be a mythology used to figure out how we approach this and the nice part about it is the frameworks are out there, right?
None of this stuff is recreating the wheel and that’s where our biggest recommendations are where do we start, it’s, look at the framework, and NIST has done a phenomenal job of putting together a cybersecurity framework, and if you really look at the NIST framework, it’s not a path, it’s a life cycle, right?
It’s not just figuring out where you are now, it’s how do I clean my backlog and then stay ready for my zero day attack. One of the biggest issues is there are a ton of known vulnerabilities already out there, you can Google them right now and it’ll show you every patch that’s come across for every PLC out there for how long passed.
If someone hasn’t gone in and patched those are known [00:03:00] vulnerabilities that have not been addressed. Every day you go not patching those, every day you go not addressing those, that backlog gets bigger and bigger. So step one is knowing where all that stuff is addressing that, but then after you clean out your closet, you got to keep the room clean and you’ve got to maintain, you’ve got to look forward. So luckily there’s frameworks to do this, but that’s the biggest issue right now is to get the house in order and then maintain the house in order takes a large number of resources and especially in the operational technology area, we don’t have the knowledge base that’s been built the same way it has in information technology, especially when it comes to cybersecurity.
Sean Costigan: Yeah. I imagine one of the big concerns is just knowing the scale of your assets too and how those are configured. So how does that happen in this space? Like, how do people get to know what they have, what the vulnerabilities are? You mentioned that they’re out there, the vulnerability, so now I’m like, I’ve crossed your attack surface, how do you know what you have and how are those things?
Kevin White: And so the tools as addressing problem sets is what I like to do. And EIS folks, because there’s a lot of things you could do, there’s a lot of tools out there that do a lot of great things. So you’re [00:04:00] actually testing to a customer. I said, Hey, I want to go find all my vulnerabilities out there. I said, awesome. What do you do once you find them? I don’t know. Okay.
Sean Costigan: We’ll prioritize them.
Kevin White: The good part with water is there is step one is an assessment, and so A W A, so the American Water Works Association, right? Put together an assessment and it’s actually the CESA tool for assessments has an A W A portion in it for the CESNET tool, so you can actually go through and do a federally recognized assessment, it’s not an audit, it’s a gap.
Sean Costigan: It’s a self assessment.
Kevin White: Absolutely it is. The issue with it as we’re finding with customers is unfortunately, yes, it covers everything, but who at our plant is going to implement that, right? Right now, if you look at our municipalities, if you look at our rural water associations, we are not resourced at the plants with either people, skill sets, knowledge base, or time to be able to do these. And so what’s happening is it’s not happening and it’s getting pushed further and further down and not happening more and more, which only creates that backlog. Step [00:05:00] one to find those parts is an assessment.
Sean Costigan: Right.
Kevin White: Because you’re absolutely right. In water, we frankensteined our plants.
Why? What controls did we put in at this generation? Who was your maintenance manager? Who was your ops manager? How did purchasing go? That is our biggest vulnerability, but step one is find what’s out there and that’s part of your assessment, is do you know everything out there and how you get to it?
Sean Costigan: So with the Aliquippa attack in particular, would that be, is it analogous to the sort of Sputnik moment where people are tuning in now in a way that they didn’t in the past, that the vulnerabilities are out there, that you got a non state and state actors who are thinking about using and exploiting our tax service, particularly, municipal water and other, health related. Is that a moment do you think that is being captured now for politicians and for others in our space to be able to say, we’ve got to resource this all the way from education through training and all the different pieces to get to the point where we
Kevin White: The White House just today released two governors, watch out for your water and wastewater. That was today.
Sean Costigan: I know, I want to say that yes, [00:06:00] this is the inflection point, but as I’ve gotten more into this space, our inflection point was long, should have been long long ago. This is a wow moment, right?
And the nice part about it with water is with the funds that are coming out from department of hemp homeland security, from infrastructure renewal act, from these programs, and your renewing infrastructure, especially key critical infrastructure, that no longer means just brick and mortar programs.
That means that data that’s contained within these systems, that’s absolutely important to keep moving forward, has to be controlled securely as well. And so it can’t be an and OT. And that’s really, as you look at it, it can’t be IT OT, and that’s where our break’s been. And as I talk to our customers, they bring their IT professionals to these conversations and I say, great, who’s your OT side?
They said, what is OT?
Kevin White: So let’s not make a whole new thing, let’s do the muscle memory of the audits we’re doing, right? Of the standards we use, of the password identifications. Simple tool. And it comes out in [00:07:00] every bulletin when we see this is, do you have multi factor use in MFA?
That’s not an OG thing. That’s an IT thing.
Sean Costigan: And what do you see as the, there’s still we don’t want to reveal any dirty laundry here, but where’s, is that being used as MFA? Is there a resource?
Kevin White: If you go to a customer and you look at their support crew and their support budget for their IT, that will tell you if they have MFA or not.
Sean Costigan: And whether it’s being resourced at the right level, right? I love to talk about this issue and I bet you do too.
Kevin White: Absolutely.
Sean Costigan: How do we get the attention of the people who are going to actually then devote the resources to make sure that things like MFA are used?
If it’s not called out in the standard or if it’s not required we know that it’s important because the bad actors are looking to exploit.
Kevin White: I think there’s a couple different ways. The first one you brought up was standards. The great part about this is we have things in place for critical infrastructure for cyber security.
My background is in power. When I was first out of the Navy, I worked as power management. When you do that, you’re under FERC and NERC guidance. They have [00:08:00] very stringent controls. Why? Because failure. Is not an option, right? I’m a nuclear engineer by background. You don’t get to come close to the right answer. It’s either correct or incorrect. If you don’t have those standards in place to define what that is, right? And power did a really good job on that.
Sean Costigan: A positive containment that’s still quite fresh.
Kevin White: But when you look at that’s the same level if you want to talk about critical infrastructure that needs to be applied to all critical infrastructure. And so the good part is there’s models in place in the SIP standards that NERC has that can absolutely be applied in water.
So that’s step one is I think the standards need to be quickly implemented, right? I think states are slowly going to get there as they get to these assessments. Our goal with doing these assessments is to come up with the common factors, and guess what number one is? There’s now policies and procedures in place that identify this stuff.
Beautiful, we know where we can work on that.
Number two is, when I talk to cities and they go, where are we going to get the money for this? I said let’s talk to your city council about that. Ask which in that city council group [00:09:00] wants to be the person on television tonight when they are handing out bottles of water in a civilized nation, in Minnesota, the land of 10, 000 lakes.
Sean Costigan: We saw this play out in Michigan.
Kevin White: Any of these places where it’s been because of poor management, there’s been somebody having to say, yeah, we knew that.
Now, imagine handing those out and going, oh yeah, we couldn’t afford MFA. That’s the other thing about it is, if we’re going to talk about criticality, then we need to feel the pressure of criticality, right? And it needs to be brought to that level and it needs to be communicated in that way.
Sean Costigan: Yeah.
Kevin White: We talk about drinking water. The part that we haven’t even touched on, is all these water facilities, speed manufacturing, industrial processes, our hospitals, where is this water coming from? If you really look at what the cost of water was truly associated with, not the commodity price we’ve put on it, then the security of that water would also match that valuation.
Sean Costigan: Yeah, especially where we see climate change and drought and other sorts of water availability would be a huge one. Yeah. Let’s pick, there’s so many threads here, but I [00:10:00] want to pick up a little bit more on the, the Sputnik moment, which is one of the things that bothers me.
It’s when do people wake up and how do we get them to, at the right level? And I can think back in our history, we’ll look back at, remember there was a insider threat, I think it was Australia wastewater treatment engineer who decided to go haywire and dump, raw sewage, right?
That’s, that was one my, my own small memory of these things. Another one, of course, the dashboard that goes haywire because somebody’s in the system and is messing with the chemicals, right? And luckily it didn’t result in human death.
Kevin White: Thank goodness.
Sean Costigan: So we’ve had repeated exposure, right? Global examples, and yet here we are, we’re not thinking critically in a way or about criticality in the way that, so how do you get from whether it’s at the municipal level or at the federal level or at the global level or where do you see it starting to really mesh gears?
Kevin White: So where I did see just recently, where this may match up with your Sputnik, when did this open something different, was when the federal government and CISA has these tools and these programs in place because they’re in charge of all cybersecurity, [00:11:00] everything. And they’ve always had a list of critical infrastructure.
Then they sent out this update. Hey guys, no joke, this is critical infrastructure, we’re now opening this up to you as well, and there’s three areas it brought into. Look across the newspaper, by the way, at any given time and you’ll notice these three areas and cyber attacks happen to be popping up more, so the federal government is releasing more tools to address these.
One, K through 12 education. I see that every week about somebody getting a malware hack, a denial of service, or just dispersing all of a sudden personal information.
Sean Costigan: Yeah.
Kevin White: Number two, hospitals. HIPAA information. Imagine also if you go in to get your surgery done and the computer system’s down, not good.
Number three, water waste water.
Sean Costigan: Yeah.
Kevin White: So the federal government has recognized that we know we’ve said critical infrastructure, power’s got their stuff in line, but when you really look at what gets turned off and what happens, water is at the key of that, healthcare’s at the key of that.
So the federal government acknowledging that, I believe will open up more [00:12:00] funds. The state of Minnesota just went to a conference where the assistant CISO for the state is looking at how do we do whole of state plans. And I think that’s really where the opportunity comes in this is in the same way that these municipalities have gaps and opportunities, we know what they are, right?
You and I have already done without doing an assessment on any of the facilities could probably name off your 80 20 rule of what are the biggest things you could do right now to at least partially start closing that door, and we know those answers. So the answer is going to have to be, let’s standardize that.
That it can’t just be in Minnesota. We’ve been talking to Michigan, we’ve been talking to Wisconsin. It’s how do you figure out this model and implant it in place, and who’s going to own this? Because this again, it’s not a, we did the check, we cleaned the closet, it should stay clean forever, we’re going to have to be daily, hourly monitoring this. How do we respond as a system?
State of Minnesota is really trying to see how to centralize that in an organization, right? That the state now controls us. But again, to get to that point of control, we have to go through the journey and the journey really starts with that initial [00:13:00] assessment of, what do you have a place with don’t you?
Not to shame, but to find gap analysis that we can group together in funding buckets where we can go, okay, look, you’ve been taken care of, your cybersecurity isn’t great, but it’s way up here. We’re all water, guys, who’s doing your cybersecurity? What’s your password? I go here’s my post it note, it’s password.
Sean Costigan: Digital divide.
Kevin White: We need to get you to this point. We need to raise all ships because the thing about it is your weakest link is where your chain breaks, not your strongest. And so if we can’t identify those weak links and backfill that immediately, that is where these bricks that we’re seeing that are little onesie twosies will open into larger things.
These systems are not disconnected. These are not completely paper based systems. These are SCADA control systems, they are integrated with other state systems. There are connection points, we don’t know them all, so we haven’t assessed them all.
Sean Costigan: Sure. And potentially, I was thinking as we were talking about probably remember the Cryptosporidium Milwaukee, I think it was incident years ago where it’s just yeah, the amount of time that it takes [00:14:00] for people to recognize that there’s been a problem sometimes can actually be days. Having awareness, at the earliest possible point.
Okay so switch gears again. Thinking about risk management, about how the big shift that I’ve seen over the years has not just been stop bot information and communications technologies and cybersecurity or OT and cyber, but to move towards a risk management frameworks.
So how do you see that playing out? Do you see the sort of competence level across the board moving in the right direction? Are we seeing progress as people imagine how they prioritize the risks, how they see them?
Kevin White: That’s a great question. And that’s in, in my opinion, that’s part of the break between the IT and the OT world.
Sean Costigan: Yeah.
Kevin White: Because of the way we manage risk in IT, you are heavy on control, right? And making sure only the right people can get to that at exactly the right minute, right. Now it may be a pain to get to it, you’re fine with that part, but it’s going to be protected for this, those people.
Sean Costigan: Yeah.
Kevin White: In OT and operations, we need access to that data and we will take [00:15:00] continuity above those other security items. We don’t get to say, we made it too hard to get to that control panel so we didn’t control the water level. We need it to be that. So that’s been bit as far as risk management.
Sean Costigan: Yeah.
Kevin White: And the AWA assessment does this actually really fantastic.
What do you care about the confidentiality? What would it be nice if we, nobody could come in and find what our layers were? Sure. But really what we need to do is make sure we have access to the data so we can run the system all the time. And that skews your questions, that skews your prioritization when you do that risk management.
Sean Costigan: Sure, right away.
Kevin White: This is where I think there’s a good opportunity is because those tools are in place, right? Those tools have been used, utilized by IT for ages, right? And how do we, because you can’t go after everything, so they have to do the risk assessment for the prioritization of implemented actions.
Those tools, those activities are already in place in the IT world. They need to be implemented into the OT perspective so that it’s not new things, it’s, oh, that’s right. If this goes down, we don’t get email out. If this goes down, that plant shuts down the road cause they don’t have cooling water for their plant.[00:16:00]
So we need to keep that water up and if that means that maybe one more person can get on to see the data, that’s fine, but that’s now we’ll control the PLC closer or something of that nature. So how you define those architectures, how you define those scopes, is based on what you’re trying to do. But like I said, I think the good part about it is all those are in place.
Sean Costigan: The pieces are there with us bringing them together.
Kevin White: So if we try to start from scratch with OT, we’re like, we’re going to define OT and how we’re going to do it, we’re going to be way behind.
Sean Costigan: Way behind.
Kevin White: And the IT cybersecurity world is so well developed it’s not a whole different world. This is it’s all 1’s and 0’s.
Sean Costigan: Yeah.
Kevin White: And once we can get to that point, we can now just change the kind of the prisms through which we look at those things.
Sean Costigan: Let’s pick up a couple of different threads here.
So information sharing, where you see that headed and the public private partnership end of the spectrum. Yeah. The private sector is involved in water too and is a reliant on water, as we mentioned earlier, before we started our conversation that there’s a great reliance and industry elsewhere that it’s not just drinking water that we’re talking about or groundwater, it’s a variety [00:17:00] of things for industrial purposes.
Where do you see that playing out in terms of not just the delivery of what they need, but rather, where is the public private partnership that’s merging? So the people who make the devices, how are they thinking about cybersecurity and how do they help, further the conversation in such a way that, everybody’s working together towards the same purpose.
Kevin White: Absolutely, and you bring up a great point because at OT, we’re always pushing the edge, right? It’s always going to be more devices tomorrow than there were today, and those devices, how they operate with your architecture, can do a bunch of great things for you, but they can also open up vulnerabilities.
Sean Costigan: Yeah.
Kevin White: As new products are coming out, there are better standards on what they have to meet, but that also means that you now need either a tool or a process.
Sean Costigan: Like AC products, I see what you mean, all the things that may not have those.
Kevin White: That may not have those. One of the interesting parts when we talk as one of the tools is patch management, right?
Of what you would do in this cybersecurity assessment pipeline. We’re like, okay, how do you see if a patch is required and how do you implement it? In the IT world, you guys get patches on Tuesday.
Tuesday, we’re going to push these on Thursday.
It’s almost funny because with my OT [00:18:00] customers, I know if IT’s push to push on Thursday, they’re like, Oh my God, everything’s broken.
Because what they hadn’t checked on is does that integrate with the OT network? OT network, if you implement a patch that you haven’t checked that it works for all those seven different devices for generations, can you shut one of those down?
Because those patch does not talk that way. You just shut down operations from a patch, right? You shut down an overspeed control. You shut down a chemical control. You broke the system from a patch, that’s why OT is very worried about patches.
In the past, those histories have crashed us.
Sean Costigan: Yeah.
Kevin White: You get burked that and you’re backlogged.
Sean Costigan: Be very conservative. Very conservative.
Kevin White: That means you, that doesn’t mean don’t do it, it means you have to have a plan in place to implement that. So to your point, it’s got to be a work in progress because if people are afraid to add new devices because they’re adding new vulnerabilities, those devices are a weight on the organization.
Sean Costigan: Right, where they should be efficient.
Kevin White: And where they shouldn’t be efficient. Absolutely. So that’s where the integration really comes in is [00:19:00] us understanding, hey, as we continue to add these on our paths management, now, when we’re looking at all the different things that will affect, and so there’s actually roughly a 90 day between when you get a patch and when it’ll be implemented in operations, because you need to go through and check every version of everything out there to make sure that this works on this patch.
Sean Costigan: So is there an ISAC for, okay. And what does that look like and how it moves?
Kevin White: A lot of municipalities, a lot of governments, in fact we’re actually presenting at the next Water ISAC on system hardening. So Joe Cody from our group is actually going to be presenting on how you close the drapes and shut the door, and it’s a an analogy for at the end of the day, how you configure your systems to put it in a safe way and how to use those configurations to really keep your system in a safe place. And it’s not a one time activity because as you add things and configurations change, you need to verify you’re expected as actual.
And so how do you get into that process? And that’s something that maybe OT organizations aren’t thinking about. And IT may feel extremely comfortable, [00:20:00] yeah we do that all the time. When we asked IT organizations, but do you do that with the plant sign ins? They go, no, that’s another access point.
Sean Costigan: Yeah.
Kevin White: And in the end of it, it’s very interesting because, OT belongs to IT, right? It’s still under that umbrella. So data security belongs to IT, even in the OT world. And so if with the lack of understanding in that area, that’s where the other opportunity I think is for you to go, okay what’s down here that we haven’t looked at?
How do we leverage what we’ve done already?
Sean Costigan: And so that can all happen at ISAC and in other spaces too, I imagine, quite a bit.
Kevin White: Absolutely. And then you’re starting to get, like we talked about, that standardization, right? And now, whether it’s homegrown or, and like I said, CESA’s put out some fantastic tools.
So that’s the tools that are out there, but you also have the knowledge base to use those tools, and that’s where we’re seeing a large gap.
A perfect example is actually if you look through the first line in the AWDA and I did with a customer who straight water guy and is yeah, I’m going to go do this cyber security assessment. Cool, let’s read the first one together and see if we have the answer. He reads it, doesn’t understand what it [00:21:00] means, asks his local integrator about it, and they’re like, yeah, you’re good. You got a firewall.
Sean Costigan: Yeah.
Kevin White: And he goes back to me. So he said, I’m good because I have a firewall. I was like, that’s not what that’s asking for. That’s okay because,
Sean Costigan: but it’s a starting point. It’s a starting point.
Kevin White: But that’s what we’re seeing everywhere.
Sean Costigan: Yeah.
Kevin White: That’s not in one time.
Sean Costigan: Yeah. So let’s cross the Atlantic together for a second.
Kevin White: Okay.
Sean Costigan: Anything happening in Europe that you see with NIS and a variety of things that have an impact, either for the manufacturers themselves who are working in this space because they, clearly they’re going to have to sell in multiple markets.
Is there an impact for the U. S. and for municipal order?
Kevin White: I have not seen any directly. However, Europe as controllers generally coming from there, what we’re seeing, and we saw this actually from some of the vulnerability shown is, people are getting controllers, engineering firms are getting controls and kind of packaging to get an engineered solution.
The skill sets they use to package those together a lot of times they leave initial settings in place, which leaves a lot of vulnerabilities.
Sean Costigan: Password one, two, three, not saying [00:22:00] that’s the actual password. Don’t use that password.
Kevin White: Again, I don’t, yeah. That’s my luggage password.
As I look at that, I go how many of those are out there?
And the answer is, you can actually log on and see everybody who had these on the internet live.
As far as what Europe’s done with some of their regulatory controls on privacy and things of that nature, that’s where I could see some interesting data accessibility. Their GDPR’s done really good with private data.
Sean Costigan: Right.
Kevin White: I’m curious where that same kind of control system and regulatory roll into their electronic systems. Because anything that can transmit, whether you want it to or not, could potentially be a data transmission device. Again, I don’t know if they’re looking towards that regulatory, but that’s the only place I would see the real PLC play in here.
Sean Costigan: Yeah. I think there’s a, maybe, like in your, in the EU Cyber Resilience Act, there’s a quite a bit about secure by design. So I would say, but most of that seems to be aiming at consumer product, but that doesn’t necessarily mean it’ll only stop there, right?
Kevin White: Correct. And really what it comes down to,
Sean Costigan: Devices are devices, endpoints are endpoints.
Kevin White: And people are going to be [00:23:00] building these things all over the place, right? Unitronics is a was an Israeli company. That made really good PLCs.
Sean Costigan: And they’re the ones in Al Qibla.
Kevin White: They’re the ones that had that vulnerability. It wasn’t because of their device. It was again, it was because of the lack of layers that left it vulnerable in the first place and the lack of understanding of how those layers play together.
Sean Costigan: Let’s pick up on that for a moment. We’re going to try to entice you, to get in and has said this a little bit. So, the bad actors side of it, so you mentioned, it used to be that it was possible to see vulnerabilities or see all the different problems across dashboards, I presume for very good reasons like convenience of being able to see that.
Is that being locked down now? And do you think bad actors are having a harder time being able to find vulnerabilities and wastewater and municipal water systems or because the attack surface is expanding,
Kevin White: It is.
Sean Costigan: We’re just we’re opening more doors than we’re closing.
Kevin White: It’s the attack surface opens and the problem is if you look at where these gaps are, it’s because the architecture hasn’t been built for use.
And when my group looks at these, where you’ve got a live SCADA systems [00:24:00] that you want to have remote control over, those are just put in place sometimes, right?
There’s not the structure required, which is how do you make sure someone else doesn’t come in and do it, right? Because we want to make it easier, so our operator who’s doing rounds can’t do that. And it may not even be outside, it could be across the street where engineers are looking at data on a plant, anywhere where you’re transmitting that data to pull out, to look at is an opportunity, is a vulnerability.
Sean Costigan: Yeah.
Kevin White: So a lot of these systems, the way we used to do it in the past was cool. We’re going to air gap everything, right? You’re going to have paper logs. No one can touch your SCADA.
Sean Costigan: No longer possible. Not convenient. Not desirable.
Kevin White: Oh, so not desirable. The thing about it is it’s that if you know that, and you know that data and that information is power, is property, is the way you’re going to understand the system and is required.
Sean Costigan: Yeah.
Kevin White: Then you protect it, right? And you design the system so that happens. There are frameworks in place, right? There’s simple tools like we talked MFA being one, having an [00:25:00] SRA, secure remote access tunnel where you brought up surface, attack areas, but we’ll limit it that right.
Give it a gatekeeper, a single that you can then buffer up as much as you want to, and that’s what you can control. And people can work through that, right? That simple of an idea, again, takes resources to implement, resources to understand, and resources to upkeep. That’s not what we’re providing our frontline plans.
That’s really where our gap is. Is we’re not putting that out there. As the threat actors are getting smarter and finding new opportunities and becoming more active because it is key critical infrastructure, and we’ve seen this again and again. You’ve brought up some examples, we won’t stop seeing these examples, right?
It’s not, oh, good and we locked it down.
Sean Costigan: Yeah.
Kevin White: No perfect security, but right now we’re not putting the resources. If we believe this is as critical a resource as it is, we’re putting the power in place to make sure that we’re maintaining it. People lost power every day.
Sean Costigan: That’s the, that I like to talk about the misalignments and misconfiguring.
Kevin White: Absolutely.
Sean Costigan: The two, and today [00:26:00] I was talking about that with red staff to my my company, leadership and how important these things are, so you, we talked quite a bit about misalignments, whether those are resource misalignments or we’re not there yet with,
Kevin White: Right,
Sean Costigan: Standards and guidelines that we’re paying attention to, or we’re not doing the, attestation that we should be doing or the testing and assessments. So think about the misconfigurations a little, so how do we get people to know what, what right looks like in this space so that they don’t air, they to air as human as we, it’s all how we reduce that, that bit. So we get to the point where they can say, they’ve done everything they can reasonably within the priorities and resources that are aligned to make sure that misconfigurations are open door for, bad actors, whoever they are.
Kevin White: And really, you may find out that, not to say that we wouldn’t go after those, but you may find out priority wise for continuity, that’s okay. Cause we don’t change configurations very much, so actually, what we really care about first is, something else.
But with those misconfigurations, the best way I think is, again, the standards that come out and starting with the [00:27:00] assessment itself. Because it’s asking you a question because it’s aligned to a requirement, right? And so how did that reference there that tells you this is what it should look like.
Sean Costigan: Right.
Kevin White: Is really how I think that the standard is going to be set.
Right now, again, it’s tough because the way we’re finding across some states, depending on who owns the water information it’s in some states, the Department of Health, who’s mandating that you have to go do a cybersecurity assessment. In another state, it’s the Department of Natural Resources. Who says, hey, this water information.
Sean Costigan: Who owns risk here is going to matter and what they think the problem is.
Kevin White: So we’re talking between different states, this is water utility, so it’s not even different and they don’t have it aligned at the state level who owns this data. So asking our operators at the front line to figure this up is a very difficult thing.
Sean Costigan: And water, like electrons, moves across state lines, borders without a right.
Kevin White: Don’t have to worry about that, right? It’s, and the part about it is until we see a stoppage of that service, right? And you bring up the misalignment, right? We don’t pay for that risk, [00:28:00] right? Right now that’s a commodity for us.
So we’re, we expect to have these things. And that’s where I’d say that the misconfiguration, if we can set the standards across state lines, then it becomes, okay, how’s it supposed to be? Then we can do again with the baseline assessment, like we’re doing with the AWA, you go okay where’s your gap and what gap should we go after first?
And if we look across the state, what are the levels or milestones we should be reading in this journey, so we can all do this together in a standardized manner so that again, we don’t have to worry about who’s operating the water plant today, are they going to remember about this or not? We want to build it into the entire structure.
Sean Costigan: They get into the structure.
Kevin White: Absolutely.
Sean Costigan: From the get go.
Kevin White: Yes, absolutely.
Sean Costigan: Secure by design, secure by default thinking, right?
Kevin White: Absolutely it is. And we’ve got the pattern that works with that, like I said, with power. And I think it’ll happen the same with wastewater because very closely aligned to clean water.
Same exact implications and similar systems, right? So you already do there. And if we look across what are each of these, right? Community heating and cooling systems. Those are other [00:29:00] ones, right? These are key parts of what we expect to be in place at all time, but we don’t reinforce them as if we do expect them to be in place.
Sean Costigan: Sure.
Kevin White: The great part about it is as utilities, they’re very reputable. And since the government already took the first cut with energy, we can distill that and pass it around.
Sean Costigan: I see, yeah. Since we’re here at Dunwoody College of Technology.
Kevin White: Yeah.
Sean Costigan: We had a little sidebar discussion when we started off and I think it’s worth reinforcing and talking about the training and the education side of it for a moment.
We have, you started off in English, right? You have a degree in English before you did a degree in engineering. I started off in history before I did it, my doctorate in cybersecurity. So there’s it’s pathways that are not always the the seemingly the direct route as to cyber into OT and arrived at one of their fields, but where would you recommend people start, what sort of skill set with flexibility do you think is necessary to make the changes that you’re describing?
Kevin White: And I appreciate the question because when I go to middle schools and high schools to talk about STEM education, I don’t go in with a curriculum list, right?
I don’t say make sure you get this class and make sure you get [00:30:00] this one. I truly believe that this beginning of us being on the cusp of this is a opportunity at a revolution in how we trade and how we teach our next generation of middle class workers, right?
This digital transformation that’s occurring is bereft of people like us who understand that who can talk between the physical and the digital, and that’s because like you said, there is no piping thing for people like us. We come from the most random backgrounds, we are the misfit toys, we love it.
Sean Costigan: That’s far. That’s good.
Kevin White: But what mentality is as I look around the group, do we hold it common?
Because that’s what it really is, do we believe that mentality is intrinsic or do we believe we can train it? And if we believe that we can train people to be curious and problem solvers and give them resources, ask them to come to a conclusion and not say whether it’s right or wrong, but whether it met these goals or not.
Sean Costigan: Operate in some uncertainty and be okay with it.
Kevin White: And be understand and delegate that it doesn’t have to be perfect because 80 percent is pretty dang good for [00:31:00] what we’re looking for, and being okay with the failure. And again, I know it sounds like a fluffier curriculum, but it really points to apprenticeships, and it really points to the VOTEC, and a hands on training, and my time in the military showed me that where we took 18, 19 year old men and women with no background in this stuff and those were my technical experts six, seven months later.
So I know it can be done that when we bring people in and we empower them to learn and not be a feed me person, but I’m part of this, I’m making the decisions here. We unlock amazing potential and I think that’s what this edge is going to need because we’re going to need people who can’t be locked down because we need to get ahead, right? We’re talking cyber security on the white hat side.
Sean Costigan: Yeah.
Kevin White: We don’t even know what conversations are going on in the black hat side, and I’m sure it’s not good.
Sean Costigan: And they only have to be right once.
Kevin White: And we have to be right every single day.
Sean Costigan: Yeah, people are our greatest asset and so I think that’s really that’s a, I think that’s where we should leave off this really wonderful conversation, Kevin.
Kevin White: Awesome.
Sean Costigan: It’s like a pleasure to talk with you.
Kevin White: Thanks so much. I appreciate it.
Sean Costigan: That’s great. [00:32:00] Yes. Great.
