
Spotlight Podcast: OT Is Under Attack. Now What?

In this Spotlight episode of the Security Ledger podcast, I interview Chris Walcutt, the CSO of DirectDefense about the rising cyber threats facing operational technology (OT). Chris and I talk about how industry is responding – including the growing role of government, ISACs and managed security services providers (MSSPs) in helping shore up the security of critical infrastructure.


There is no question that critical infrastructure and the operational technologies used to support it are in the crosshairs of state actors and, in many cases, under active attack. The question is what to do about it.

Chris Walcutt is the Chief Security Officer at DirectDefense.

Volt Typhoon: Is The Coming Storm Already Here?

In March, for example, CISA, the US Cybersecurity and Infrastructure Security Agency, warned the heads of critical infrastructure organizations about the ongoing activities of “Volt Typhoon,” an advanced persistent threat (APT) group linked to China’s military. An advisory issued in February by CISA, the NSA and the FBI asserted that People’s Republic of China (PRC) state-sponsored cyber actors are positioning themselves on IT networks and maintaining persistent access in anticipation of launching “disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict” with the U.S.

Critical Infrastructure And Digital Transformation: A Risky Combination

Campaigns like that aren’t new. Warnings about state-sponsored actors sniffing around U.S. critical infrastructure go back more than a decade. What has changed is the exposure of industrial firms to cyber attacks: “digital transformation” and the explosion of remote work have left the organizations that own and operate critical infrastructure far more vulnerable to attacks and compromises.

Add to that the high social and economic impacts of critical infrastructure attacks; the varied nature of OT systems (and their risks); endemic shortages of cybersecurity talent; and, in many sectors, inadequate budgeting to support cyber operations, and you have a recipe for disaster.

Securing OT Systems: Help Is On The Way

But all is not lost. In our latest Spotlight podcast, recorded on the sidelines of the RSA Conference in San Francisco last month, I sat down with Chris Walcutt, the Chief Security Officer at DirectDefense.

Chris and I talked about the rapidly changing threat landscape that critical infrastructure owners and operators inhabit, and how savvy firms are managing OT risks, in part by tapping managed security services firms with expertise in managing and securing OT systems and environments.

In our conversation, Chris elaborates on the distinction between OT (operational technology) and IT, emphasizing the unique challenges of securing OT systems like those in critical infrastructure, manufacturing, and utilities. We talk about the increasing sophistication of cyber threats, including nation-state actors, and the importance of visibility, access management, and robust cybersecurity policies. We also talk about the patchy nature of regulation across the industrial sector, the role played by industry-specific ISACs, and the various federal, state and industry resources that can help OT operators get ready for the attacks that are almost certain to come. Chris also discusses the value of public-private partnerships and of improved training and funding to enhance cybersecurity for smaller, resource-constrained utilities.


Video Podcast and Transcript


Paul: Welcome to the Security Ledger podcast. This is a spotlight podcast from the floor of the RSA conference here in San Francisco, as you can see. And I am here with the amazing Chris Walcutt, CSO at DirectDefense. Chris, welcome. Good morning.

Chris: Thanks for having me.

Paul: Welcome back.

Chris: Oh, yes, indeed.

Paul: We’re here at the RSA conference in San Francisco,

Paul: and interestingly, you’re actually going to be talking this afternoon. First off, tell us a little bit about what you’re going to be talking about.

Chris: I’m going to be talking at 1:15 this afternoon,

Chris: over in Moscone West, and the topic is “Navigating Third Party Risks in OT Environments.”

Chris: Okay. It’s a fun topic.

Paul: Fun topic, and actually something that we’re going to be talking about in this podcast. [00:01:00] So for our viewers, listeners, who aren’t familiar with DirectDefense, just give us the quick rundown on DirectDefense. What do you guys do, and what’s your superpower?

Chris: Sure. We are a security services firm, first and foremost, founded in 2011.

Chris: We have pentesting, application security testing, MSSP, security operations, an OT SCADA specialty practice, and some compliance that we do. Things that make us stand out: that OT SCADA practice. We also will wrap those services around managed services. So, OT SCADA SOC, we do incident response, and one of the things that sets us apart overall in the managed services space is that we will get into customizations for our clients that some other firms will not.

Paul: That OT piece is a really big one. Again, you’re talking about that here at RSA and we’ve seen just in, you know, the last [00:02:00] few years, whether it’s ransomware or nation state actors, OT environments have a big bullseye on them.

Paul: I think, like, having been in cyber security for a while, I sort of think back to Stuxnet as, the incident that put OT on the radar for everybody.

Paul: But maybe just talk a little bit about the difference, when we talk about OT versus IT, what are we talking about? Operational technology versus information technology. What types of systems are we talking about?

Chris: Sure, for people that aren’t familiar with the OT world, it’s basically anytime a computer controls a device to take a physical action.

Chris: Right.

Chris: So, the most common example I use in the consumer space would be something like a Nest thermostat in your home. The screen on it, the app on your phone, those are the human machine interface, or the HMI. Right. The PLC is the basic function of that thermostat to be able to control the heat, the air conditioning, the fan speed and things like that. [00:03:00]

Chris: And then the sensors that come back, the thermostat, the humidity, that’s the sensing, the RTU piece. But if we extrapolate that out to the larger world, in commercial and industrial manufacturing, that’s the computer control systems for automation in that manufacturing world. So, metal stamping, conveyors, laser cutters, CNC, any of that type of equipment. And then on the industrial controls, the critical infrastructure space, that’s going to be power plants and substations and water and wastewater, oil, gas and mining,

Chris: rail telecommunications, things like that.

Paul: You bring up an interesting point. I think often the conversation around OT kind of merges with the critical infrastructure conversation. People think about grids and utilities and stuff like that. Obviously DirectDefense, you work across different industries.

Paul: What types of, you know, industries are customers of yours, and where is this kind of cyber risk really being felt?

Chris: Sure. You know, the [00:04:00] federal government in the US has regulated the energy sector since about 2006 in that space.
Chris: Most of the others are governed through best practice.

Chris: So, the America’s Water Infrastructure Act, that was signed in 2018, that was supposed to lend some of that over to the water space. But it doesn’t have a lot of regulatory teeth. The other sectors largely do their own thing. And so we have a lot of clients in the manufacturing space that have automation in their plants,

Chris: and they’ve just taken the approach of firewalling that off from the corporate side. But they don’t have the visibility. They don’t have the segmentation. They don’t have the controls to understand what’s a normal baseline in that space. And so we’re hoping to gain that visibility. A lot of times they’ll purchase commercial tools that are specifically designed for that.

Paul: Yep.

Chris: But their networks aren’t set up to allow those tools to work. So there’s a fair amount of change and there’s a fair amount of lead time and runway to get to the point where you can buy a tool like Dragos or [00:05:00] Claroty or something like that and then have that actually be functional in those environments,

Paul: Right.

Paul: Looking at the threat side of things, we read about, you know, the ransomware attack on the local water utility or the hospital or something like that. Those tend to make headlines. There’s a lot that doesn’t make headlines. What do you all see in terms of threats? What’s out there? Is this all about ransomware, or

Paul: Is it more diverse than that?

Chris: It’s not all about ransomware anymore.

Chris: There’s been a shift. So,

Chris: traditionally we saw that somebody clicks on an email, a file gets downloaded, ransomware spreads through the environment. We worked a breach a few months ago where the threat actors had an actual fake ID.

Chris: A person went into a T-Mobile store in a major city and SIM swapped an IT admin that they had done research on for this big company. The IT admin found out about it, contacted them, swapped it back. That same adversary went into a different store in the same city and did it again the same day. [00:06:00] Social engineered the help desk to break their own policies and reset that admin’s credentials, and they were into that environment.

Chris: And this is a major manufacturer that supports critical infrastructure and the government. It was a significant thing. And this was a level of sophistication that we had not run across before.

Paul: Right. So there are vendors that you mentioned, Dragos, Claroty; DirectDefense is actually here with Claroty.

Paul: When you work with these vendors who specialize in OT cyber risk, industrial control system security, what’s the nature of that? How does

Paul: DirectDefense kind of partner with those organizations? And how do you work with customers jointly?

Chris: It really is a story of better together.

Chris: Yeah. So, and it’s one of the reasons that we wrap our managed services, the MSSP for both the IT and the OT SOC around that. Because a lot of organizations will provide IT managed services. There are not a lot that get into the OT managed services space. Right. And the ones that do, they may tie themselves specifically to a platform.

Chris: So, by being able to [00:07:00] offer the entire capability for a client, it’s more attractive for them. In addition, the companies that sell those products and make those products, they’ll help their clients get them up and running, but they don’t necessarily get into the weeds of reconfiguring those networks so that the visibility is there, right?

Chris: So we actually can help to make the product more sticky on behalf of the company that makes that product and get the client better use out of it. Better fidelity of data.

Paul: Right.

Chris: Because we’re able to help them make the reconfigurations necessary and the people that are working in the OT side of our SOC have that knowledge and background.

Chris: And then they can escalate to the connected systems team, which is PLC programmers, SCADA system designers, all people who’ve built and run these systems or operated them commercially.

Paul: Yeah, I mean, one of the things that, that I’ve just heard consistently is one of the big challenges in this space is, you know, people [00:08:00] and resources, right?

Paul: That especially when you get down to the level of the local utility. These are extremely resource constrained, and staffing, period, is a huge issue, let alone staffing around some specialized skill like OT cyber, you know, security. How does that-

Paul: So working with an MSSP, does that sort of, like, take care of that problem?

Paul: I mean, is that one of the benefits? How are local utilities kind of finding a way around this, that staffing problem and that resource problem, just having the money and people to do what you need to do?

Chris: It’s one of the ways that they can bridge the gap. Yeah. There are some resources that are available in the local utility space, so in the energy sector, NRECA, the National Rural Electric Cooperative Association, has free resources that they’ve designed, I’ve contributed to some of them over the years, that are specifically focused around the smallest of the electric utilities.

Chris: The water side isn’t necessarily quite [00:09:00] as organized. The American Water Works Association is doing some things, so they have their new rewrite of their J100 cyber security standard that they publish. One of my people is actually one of the lead authors, Mr. Jacques Brados.

Chris: And so we are trying to stay involved in that space to help give back on that front as well.

Chris: There are also some free education opportunities. So Idaho National Labs runs what they call a 301 class, which is basically free SCADA security training. It’s open to anyone. It fills up as quickly as they generate a new class. There’s just not enough of it. And so working with a partner like DirectDefense allows you to bridge that gap if you have a need, but maybe it’s not a full-time need, or if you have a need that’s specifically project based, something that you can spin off, or even the real time just keeping eyes on the operations while you do the day-to-day function of keeping the utility running the way it needs to.

Paul: Right. Are you seeing any [00:10:00] improvement? Because there is certainly a lot more attention at the federal level to this. But is that kind of filtering down to the small local utilities in terms of their, you know, cyber resilience and their, you know, preparedness for, you know, threats and attacks?

Paul: Or are we still, you know, in the getting-off-the-ground stage with this?

Chris: I think CISA has made good efforts. Yeah. There’s a lot of programmatic approach. There’s a lot of information sharing going on. Yes. There are ISACs in each of the industries. E-ISAC is something of a closed community.

Chris: A lot of what they do requires a security clearance. There are ways to get those if you’re part of the community, through Homeland Security, Department of Energy.

Paul: Yep.

Chris: The Water ISAC is a little more open. So they actively are engaging with the private sector, the consulting community, the people that are trying to help in this space.

Chris: I’m involved a little bit. Jacques Brados, I mentioned, he’s involved. So we do try to make those [00:11:00] efforts.

Chris: And then the other sectors, largely it has been just guidance that’s been put out. So the other DHS sectors that fall under CISA, you know, rail, there’s new pipeline guidance that came down through TSA,

Chris: after the Colonial Pipeline hack, but largely that’s been-

Paul: Well, we all were like “wait, TSA is responsible for pipelines?”

Paul: “Like, the people who are like taking my shoes off at the airport?”

Chris: Exactly.

Paul: Yeah, that was interesting.

Chris: Yeah.

Chris: But the other sectors that’s been applied to, if you read the guidance, if you read the standards that have been posted, it’s largely a cut and paste.

Chris: For all of NERC’s problems,

Chris: one thing I do like about NERC, and this is, I’ve been involved with the committees for years, particularly supply chain risk and some of the others, is that they invited the industry partners and the consultants and the system owners to come together and form these committees with some guidance and basically create the policy themselves.

Chris: And then all of the registered [00:12:00] entities, all of the owners and operators of the infrastructure, have to vote on the changes. It makes for a very long and protracted process. It makes for a lot of arguing, but at the end of the day the industry is directly involved in creating that regulation.

Paul: One of the things that strikes me as challenging is just like how siloed it is, right? That, you know, like you said, energy and electric transmission, generation, transmission, you know, have been dealing with cybersecurity issues for decades or, you know, more. Other utilities that are, from a risk standpoint for society, basically no different, but are much newer to this, but they’re kind of, it all kind of happens within these silos, as opposed to, like, a more holistic approach.

Chris: It does. The interesting thing about that also is that the energy sector has a lot more money available. So one of the challenges for the water sector is the water utilities generally are poor. The electric utilities, [00:13:00] if they’re part of merchant energy, generally are not. Yeah. And so, just having the funding for the basic cyber hygiene stuff sometimes is difficult.

Paul: Right.

Chris: You know, there’s no world where you don’t have to spend literally a few hundred thousand dollars to put all the instrumentation in place to have the 24/7 eyes on glass. If you do it internally, it’s much more expensive.

Chris: Right.

Chris: Hiring that level of staff, there’s something about shared costs when you work with a managed services partner, which is why so many organizations do it.

Chris: But you do have to find the ones that have the right experience to meet your needs. The funny thing about the technology is that from the control system side, these SCADA systems, it’s the same basic technology in energy, water, rail, telecommunications, manufacturing, physical security, building controls.

Chris: Physical security and building controls a lot of times get overlooked. And specifically in organizations, a lot of times physical security falls to that separate team. More of a law enforcement background, a lot of times not cyber security, not tied into IT. But they still [00:14:00] have IP addresses, still are points of vulnerability on the network.

Paul: That door access system is, right, is networked technology.

Chris: Yeah, you got it. And then the building controls a lot of times falls to facilities, right? People that are in a maintenance function. We’re talking about the lighting, the air conditioning, the automated doors, the elevators. Once again, a lot of times you have third party vendors that they rely on for maintenance.

Chris: Sometimes they have to have remote access electronically. Nobody can ever tell me the name of the HVAC company that caused the Target data breach. Yeah. That’s how it happened. Right. They didn’t breach Target first, they breached that vendor first.

Paul: So DirectDefense has a lot of case studies on the work that you’ve done with, you know, OT organizations and so on.

Paul: They’re really interesting to read, because you’ll go in and basically kind of do penetration tests or red teaming of these organizations.

Paul: Let’s talk about some of the kind of common problems that you find within, you know, let’s say a local water or electric utility. They’ve got OT and IT [00:15:00] systems.

Paul: Where is your security falling down?

Chris: There’s a few things. First is really visibility. So, these organizations a lot of times don’t have the tools, and these are some of the specialty tools we’re talking about, that allow them to see what’s normal in those OT environments. The IT-based tools, SIEM platforms, monitoring, visibility, they don’t necessarily understand the protocols, the communication protocols that are happening on the OT side.

Chris: And so, without those, you don’t know what your normal looks like. If you don’t know what normal looks like, you can’t establish when something’s different.

Paul: Right.

Chris: Right, you can’t see that the threat actor is there.

Paul: That’s right.

Chris: The second piece of it really is around identity and access management. So the operators are accustomed to having one or two consoles where they operate the control side of the OT or SCADA system, and they log in with operator one, operator two, user one, user two, and a lot of times they never log those out.

Chris: And the argument is that they need the data, real time telemetry; they can’t [00:16:00] have that lost during the login/logout time. Right. It’s actually pretty simple to solve. Most organizations have two consoles running for resilience purposes anyway. Just create role-based user accounts, log one out, log the new person in.

Chris: Once they’re logged in fully, then do it with the other system and you don’t lose that data. But without that, you don’t have the attribution of activity, of which person did what and when, which also makes it harder to spot problems. Patch and vulnerability management is a big challenge. They are certainly not going to have an automated patching system that’s rolling through and just applying these things.

Chris: They’re not going to follow sort of the Microsoft Patch Tuesday. A lot of times the software vendors have their own cadences and have their own requirements for patches being tested and approved by them before they’re rolled into those systems.

Paul: This would be OT vendors.

Chris: OT vendors, right.

Chris: And they may be the ones rolling up, let’s say, Microsoft patches. But they may roll them up every three months or six months. So there’s [00:17:00] this lag. And because of that lag, you have to understand the maintenance windows. So a water utility or a power utility may only be able to take a maintenance window for operations to apply that stuff every three months or six months.

Chris: The cadence of that means that you have a longer stretch of time where devices are vulnerable to attack, an easier attack. The attack surface is exponentially larger because of that. Remote access. So I mentioned that before. A lot of times there’s vendor third party contracts for maintenance. They need the ability to log in and look at things, log in and fix and tune things.

Chris: You may have support staff, you know, I&C technicians, SCADA technicians that support multiple sites. Right, they may be VPNing from an office, they may be VPNing from home. If that’s not-

Chris: From Russia…

Chris: Let’s not do that.

Chris: Sorry.

Chris: Touché.

Chris: So, if that’s going to happen, you ideally want some sort of a [00:18:00] jump host, secure remote access solution that allows you to see very specifically what’s happening, almost down to keystroke logging. You really want to be able to replay that and record everything that’s happening in remote access. That’s not typically a requirement of an IT remote access solution, just like a VPN.

Chris: Because of that, you have to take a different approach. You can’t just have that VPN connect and then not really understand what’s going on. What else is, another thing that’s really common in those support contracts, is that the companies may leave those accounts active when they’re not in use.

Chris: That’s another thing that we advise against, you know, shut those off when they’re not being used, right? Also, take the approach of very specifically understanding where they’re going and what they’re doing, right? Limit the access once they hit that jump host, whatever that remote access solution is.

Chris: They should only be able to go to the things that they really need to, not open. That’s a little bit harder on the configuration side, but it really is the right way to do things.

Paul: Kind of least privilege.

Chris: It is, [00:19:00] it’s least privilege.

Paul: Yeah. The other thing that, just kind of reading through, that often turns up is wireless access. These utilities, obviously many of them have remote facilities and they want to be able to access them remotely or access them wirelessly, but that presents all kinds of problems from a risk perspective. What do you tell utilities around leveraging, having, you know, wireless access points in these facilities and connecting their SCADA networks up wirelessly?

Chris: So in field area networks, we’re talking, you know, a substation in the middle of nowhere or a water pump or lift station that’s maybe in a remote area. A lot of times the only connectivity available is something like cellular. And so that is really common. There are ways to secure that. There are ways, once again, it’s monitoring.

Chris: Do you have an ability to see that traffic? Do you know what it’s doing? Typically, that is very small control signal traffic with a [00:20:00] specific frequency. You should be able to see and know when it changes. When you move into the larger facilities that actually have Wi-Fi, be specific about that Wi-Fi, what that Wi-Fi can do.

Chris: So, if you’re an organization that has, let’s say, service trucks. Those service trucks come in, they get that Wi-Fi, what should they be doing with it? A lot of times they’re downloading work tickets. They may be making updates to the maps through GIS, right? Everybody uses Esri on the back end for their GIS implementations.

Chris: And these are map overlays of where they need to go to perform their services. It’s a lot of data, it works better over Wi-Fi. They shouldn’t necessarily be doing control functions. If they pull into that facility and hit the wireless, and they want to do some sort of control function on the SCADA system,

Chris: They should still have to go through that same remote access solution. Unless they’re just going to walk over to it, right? If they’re going to walk over to it, that’s fine. But the wireless, you know, obviously you don’t want to bridge those networks.

Chris: Right.

Paul: So we’ve seen, what we’ve read about, a lot of [00:21:00] interest by nation state actors in infiltrating critical infrastructure, you know, both at the national level and at the local level.

Paul: Has DirectDefense seen evidence that, in fact, that is something that’s becoming more common, these sort of sophisticated attacks, you know, and maybe you can’t do attribution, but the look of it seems to suggest, you know, a sophisticated nation state actor? There’s not an economic angle to this hack, it’s something else.

Paul: What are you all seeing?

Chris: We do see evidence of that. Sometimes it’s stuff that we end up having to report up. The one that I mentioned with the threat actor that went in person, that smelled like nation state. There were other things about it that were very sophisticated.

Chris: There was a lot of activity that was scripted beforehand. They were very fast in what they did. Once they had access to that client’s systems, they were logging into the cyber security [00:22:00] tools. They spun off an API key for one of them so they could test their own packages against it to see if they could get it past the endpoint protection.

Chris: They created their own Intune group. They spun up and published an app in Azure. They were very sophisticated very quickly. And all of this was based around being able to push their tools and expand the footprint. So they had already pre-compromised an internet facing server for another large endpoint protection vendor, well known, that this particular company didn’t use.

Chris: And they downloaded that agent and were using the Intune groups to push it across the enterprise. The reason they do that is these endpoint agents, they have remote control functions, you can push software with them. So yes, they were backdooring using another security tool, and PowerShell scripts natively exist in the environment so they run under the radar fairly easily if you’re not tuned to see them.

Chris: We saw them, we caught them, we got them out [00:23:00] very quickly. And we had a couple of partners working alongside us. One of them had seen this group before several times over the past four to six months. They’d been chasing them for a while. And they were surprised with how quickly we found them and kicked them out.

Paul: That just seems to be, like, such a common trend or theme when you talk about these things, which is, I mean, we all know, we’ve been saying for a while, like, you know, nobody’s perfect and, you know, you’re gonna assume that you’re gonna get hacked. But really, what organizations need is the ability to have that type of longitudinal view, to be like, oh, you know, we’ve seen these behaviors that, in and of themselves, are not necessarily malicious, but when you pull them all together, something’s going on.

Chris: Right.

Paul: And it’s hard for any, unless you’re a huge organization with a huge payroll and staffing, to do that yourself, right? I mean, that’s kind of why you need to bring in the expertise.

Chris: Even the biggest ones, you know, the bigger the [00:24:00] organization, the more technologically advanced it is, the more attack surface you have.

Chris: So, you know, there’s still a challenge there, no matter how big you are, how big your budget is. Being programmatic in your approach, following the best cyber hygiene that you can, having policy and procedure to prevent certain kinds of threats. The fact that they had a social engineer that helped us to break protocol, to break policy, to let them in, and they did it successfully, so, I mean, that’s a perfect example, right?

Chris: Had everything followed policy the way it should have, that would not have worked.

Paul: Right.

Chris: In this case it didn’t.

Paul: Let me inhabit the small local utility that is talking to the DirectDefense rep and saying, “Why would anyone want to hack us? We don’t even matter. We’re, you know, a community of 5,000 people.

Paul: We’re not a target.”

Chris: There is some notoriety in the hacker community of being able to hit things like critical infrastructure. [00:25:00] And so sometimes it’s just a matter of trying something new. They figure they have a better chance of trying a, you know, a new attack type or new tool. A lot of times they’re purchasing these tools from other groups, ransomware as a service, vulnerability, you know, zero-day attacks as a service, and so they want to try these things out, and they figure the smaller entities aren’t as well protected, they may not have the visibility, they can largely go undetected when they do that.

Chris: Then they’ve gotten their feet wet, they’ve gotten their notoriety, they may be able to catch data about, business relationships and pivot and move different directions. If that water utility, let’s say, for example, is owned by the municipal government, they may turn and find if they’re connected.

Chris: And so now they can go after the police or the fire or the library or the city government, right? And maybe they’re tied in other ways and they’re reporting data to the EPA or they’re reporting data to the state level water authority. [00:26:00] If that’s automated, once they have access, once again, they may find these other jump points where they can pivot to other attack types.

Paul: Right. So, if you were to talk to,

Paul: director at a local utility, or, you know, a company operating, you know, using OT, and talk to them about why they shouldn’t be going it alone. Somebody would be like, “oh, we got this great guy and, you know, or we got this team and they’re awesome and they’re doing a great job,” right?

Paul: A lot of times you get into this sort of like, “we got a really great team, person who’s handling this, and, you know, we don’t need extra help.” What would your argument be for “don’t try and go it alone?”

Chris: There’s a couple. The first is that you don’t know one person or two or three people can be the experts in everything.

Chris: And we don’t try that either. It’s spread across a team. We have an economy of scale in being able to have a larger team, have the threat hunters, have the people with the incident response background, have the people with the OT [00:27:00] knowledge, the IT knowledge, knowledge of the tool sets, expertise in the tool sets.

Chris: And so when we spread that across our client base, we’re able to do some things at a better price point. So if an organization wants to stand up their own security operations center, if they want 24/7 coverage, usually they’re talking three people, three shifts during the week, two shifts on the weekend.

Chris: If they add a supervisor in there, minimum six people. It’s very easy to go north of half a million dollars without any tools, without any instrumentation. So, there is an economy of scale to it. And some organizations feel that they don’t have that need. My advice would be then at least to look across the core basic hygiene things and make sure that they’re doing them.

Chris: What are you doing for that identity and access management? How are you managing your visibility? What are you doing for remote access? You know, how are you handling the policy and procedure around that, the patch and vulnerability management? [00:28:00] A lot of this stuff is procedural level stuff that frankly could be free.

Chris: Right? It doesn’t necessarily cost money and it has a major impact on closing the holes. So, when it gets to the point of that real time monitoring, how to deal with the threats, what do you do if you think you have a breach, how do you test it? Right? The penetration testing, the application security testing, running a tabletop exercise to make sure your IR plans are going to work the way you think they will.

Chris: All of those things are things that you should consider finding a partner for, who’s got the experience and the knowledge specifically in your industry, in your technology. And that’s how the DirectDefense Connected Systems team has been built and how the Managed Services team has been built. Jim Broome, our president, one of the founders and CTO.

Chris: He and I are the primary incident commanders. We have a lot of breach experience between us.

Paul: Final question, I would feel a lot better if companies like DirectDefense were working with, you know, small and regional utilities, critical [00:29:00] infrastructure owners and operators across the whole country.

Paul: Yeah. Practically, that often comes down to an issue of money, right? It does. And, yeah, small utilities don’t have the budget to afford, you know, managed service providers or, you know. If I were to make you, if I were president and made you kind of critical infrastructure czar, how do you solve that problem of, you know, extending these types of very needed protections and services out to, again, small organizations that don’t really have huge budgets?

Paul: Like, what do you think is the best fix for that at the society slash economy wide level?

Chris: So the public private partnership approach has the potential to be able to bridge that gap.

Chris: If the government were, had the ability to provide some grant funding, I know NRECA has some. Yeah. The MS-ISAC provides some services.

Chris: I could foresee a firm like [00:30:00] DirectDefense working to build out some scale to, almost like a community based security operations capability to support small rural utilities across water, electricity, natural gas. It would require training capabilities. So I know the NSA Centers of Excellence provides funding for college education for people in cyber security.

Chris: I’ve worked for years with CyberPatriot, which is the National Middle School and High School Cyber Defense Competition, teaching middle school and high school kids. If we had the ability to take those programs and turn them into internships and co-ops where there was some funding, because obviously we can’t take that burden on ourselves and do it for free.

Chris: But if we had that capability to have resources and training dollars available and more widely available, job training that is not just for-profit institutions, right? A lot of the training, great respect for SANS, ICS410 is [00:31:00] $10,000 with the test. Not a lot of people can afford that. There are grants, but there’s, it’s geared towards larger companies.

Chris: The 301 class that I mentioned that Idaho National Labs offers is entirely free. More of that would help to bridge the gap. It would help to provide the pathway where then firms like ours could take those people as interns, if there was some funding available maybe from the government or some other granting institution to be able to support paying them, and giving them a living wage while they’re learning and working in an environment.

Paul: Right, but once you sort of say, well, we’re going to need 10,000 people to staff this national, you know, SOC for all of our local utilities. Well then, you know, none of those programs right now are scaled up to be able to manage that type of-

Chris: Correct, but maybe that’s the conversation we should be having. DHS, CISA, INL, the other programs that exist, the universities, some of them get local funding, looking at the capability of trying to pull some of those resources and see how something like that could be scaled.

Paul: Yeah. Feels like we’re hearing a lot of [00:32:00] conversations like that.

Chris: There are, I’m hearing them too.

Paul: Yeah. Hopefully we’ll see something come of it.

Chris: I’d like to see that.

Paul: Chris Walcutt of DirectDefense, thank you so much for coming on Security Ledger Podcast and talking to us, and, really looking forward to your talk and we’ll talk again.

Chris: Thanks for having me. I appreciate the time.

Paul: It’s been a pleasure.

Paul: Thanks.