Below is what I intended to say on stage. It always varies a little bit live. The video will be out next week.


Each S4 Conference has a single word theme. This year’s theme is Connect.

Connections are exciting, unpredictable, scary, they bring opportunity, and for security people like us, they introduce risk. Every connection is another potential attack path.

So why is Connect this year’s theme? Three reasons.

The first is the most direct. We’re about to experience an explosion in the number of connections to and from OT systems, and OT security systems. We need to understand and prepare to secure what’s coming in the next 1 to 3 years. The benefits resulting from these connections will not allow us to say no. The CSO will not be able to be the CS No. However, we can influence their design and deployment if we’re prepared.

Industry 4.0, Digital Transformation has the key steps of Connect, Collect, Store, Visualize, Analyze. The first step is Connect. We’ve been fortunate as security people that the speed of digital transformation was much slower than expected. This is changing, and you know why, AI. In particular the combination of generative and agentic AI.

Connections are required to make data with context, information, available to AI. And these connections are made cheaper and faster with AI.

To be clear, I’m not talking here about AI in any security solutions or aiding attackers. Not defense or offense. Yes, AI is and will be increasingly important for defenders’ and attackers’ tools. I’m highlighting that AI is going to lead to a huge increase in connections to OT and applications OT relies on. New connections to enable new business wins. We need to be ready to address the related cyber risk.

I’ve been focusing on the manufacturing sector because they’re one of the fastest moving sectors, having the widest variety of projects, and some of the earliest wins. Last September I attended the Ignition Community Conference. Ignition is a SCADA system used primarily in manufacturing. It’s leading or bleeding edge from a connection standpoint because of its open approach, as compared to the market leaders Rockwell Automation and Siemens who have more of a “buy everything from us” approach.

In fact, if you want to see all three of these vendors in action go to the Proof of Concept Pavilion on the third floor. Booz Allen is playing the role of auto manufacturer and has a paint line controlled by Siemens gear and an assembly line controlled by a Rockwell Automation system. Inductive Automation’s Ignition system sits on top of that for an all plant view, interconnection to the MES as well as systems on IT.

At that Ignition conference, vendors had to show how they connected to Ignition and each other to share data with context to solve a business problem on a live environment. Solutions that would have taken years were being done in weeks in large part because AI made connecting the systems and getting contextual data simple.

One example, Claude was asked to identify the largest variance between scheduled and actual production in a factory last month and the five most likely reasons for the variance. From that simple prompt, Claude accessed the MES to pull the schedule, connected with Ignition to identify the actual production, determined the largest variances, and then pulled data from a variety of systems to identify the top five reasons for the variance.

This project was done in less than a week rather than months. Greatly improving the ROI because the I, the investment, was greatly reduced. Projects that weren’t approved previously are now going to happen because of this drastic improvement in ROI. And a key to these projects will be connecting systems to get data with context.

It blew my mind. As slightly more than a novice, an AI enthusiast, I won’t try to explain this aspect of connect more. The best live demos were done by Aron Semle of Highbyte. I’ll let Aron explain this more in the next keynote.

The demos were a surprise and not why I went to the conference. I went to the conference to finally answer a question I’ve been chasing for a while: do manufacturing systems have an OT cyber asset inventory?

I know our OT security products do, and I couldn’t believe that manufacturing systems wouldn’t have this information. I asked everyone I could talk to at the event, even Arlen Nipper the inventor of MQTT. The universal answer was no. Manufacturing systems don’t have an OT cyber asset inventory.

Hmm. My next question. If one existed would you want it? Or access to the OT cyber asset inventory to ask it questions? Probably via an MCP server. Sure! More data good. Especially if it already exists, and integrates easily into our industrial data ops.

Imagine the questions an AI agent can ask an OT security product with an MCP server and some appropriate tools.

  • I’m seeing lower availability on line A as compared to other lines. Analyze the asset inventory and identify differences in the OT cyber assets and their software or firmware versions that might explain this.
  • We have an outage on line C that began at 8:13 today. Were there any security alerts or activity that could possibly be related to this outage?

Or flip it, what could an OT security solution ask other systems.

  • Has there been any maintenance activity on PLC PaintShop9? If yes, please tell me what’s changed. This could help identify the reason for a change in the asset inventory.
  • Or: What are the scheduled outages today? This could help us automatically lower alert levels when the related communication ceases.

The days of OT security systems and manufacturing systems being separate islands are ending. At least for those manufacturers who want to be leaders. Who want to Create The Future.

One last aspect of connecting systems: connecting OT security systems. This has been slow. Rarely going beyond the “we have a REST API” cop out. Vendors have been hesitant to invest precious R&D into interconnecting with others who are fighting for the same OT security budget.

There are examples of vendors connecting their own security solutions, Fortinet’s security fabric is a great example of this. We’ve also seen some basic connection and information sharing between the detection vendors and Splunk, the detection vendors and ServiceNow.

Think how much more powerful an OT detection solution would be if it brought in alerts from CrowdStrike or other endpoint security? Brought in alerts of blocked communication attempts at external and internal security perimeters. This is just the start.

We’re already seeing increased security product integration in the POC Pavilion. Take a look at this diagram. Each line arc is a connection that adds value. We’re starting to see new companies enter the OT security market, such as Frenos and Indurex, whose value proposition begins with connecting to other OT security solutions. Will this be the next OT security product segment?

We need to understand what’s coming and be ready to secure this explosion of system and device connections.

Connecting systems to share information is the first reason Connect is this year’s theme.


The second reason: We need to connect with other disciplines, other fields of knowledge. My experience at the Ignition event was a vivid example that there’s little or no connection between OT security and manufacturing systems. Our OT security effectiveness can be greatly increased if we understand and learn what’s going on in engineering, operations, and safety.

This isn’t a new thought, and yet we still see the number of OT security professionals pursuing this knowledge, this connection, to be small.

The knowledge of risk management at the business level is also minimal. This continues to lead to misallocation of OT cyber risk management resources, difficulty getting budget, and so on.

Are your eyes starting to glaze over, are you looking at your phone? Connecting with engineering, operations and corporate risk management is important. And you’ve heard this for a decade, including at many sessions at S4 over the years. Where’s the new?

I’m suggesting we also need to connect to less direct and radical sources of knowledge and ideas. Areas outside of our bubble, far outside your circle of competence, to bring in new ideas and get rid of our stagnant thinking. Here’s one example you’ll see at S4 this year, something from psychology, Dialectical Behavior Theory (DBT).

When I had my daughter Grace at age 50 I decided I had better work hard on my health if I wanted to survive her teenage years and have a chance of ever getting on the floor with grandchildren. I became a bit of a bio hacker. One course I took had modules on diet, exercise, sleep, bio-markers, and mental health. The mental health module had an interview with DBT expert Dr Shireen Rizvi. I must admit I wasn’t paying much attention to this video. After all, I’m sure you all agree I have no mental health issues. No one in OT security does.

Anyway, Shireen discussed one of the four pillars of DBT … distress tolerance. I perked up. Distress tolerance sounds a lot like resilience. There were seven tools to build distress tolerance and deal with distress better. Can we identify some new approaches to resilience from DBT?

I have a Fireside Chat with Shireen tomorrow and she will be signing her book at the Cabana Sessions. This information is important from a mental health standpoint, especially for incident responders and anyone who is responsible for security and is being asked about a breach.

Having read the book and talked with Shireen, I know there are many new approaches and lessons we can take to make ourselves, our OT, and the operations OT is monitoring and controlling more distress tolerant.

Connect. One. Connections between systems will explode and we need to be ready to secure this new environment and make use of the connections.

Two. We need to connect to knowledge adjacent and far outside our circle of competence to bring new ideas into our OT security community.


And three, we need to connect to people. This is also not new, but in the world of AI it’s more important.

Why? Pick your favorite social media, news, or analysis site. I spend time and put content out on LinkedIn. Their interest graph knows I interact with OT security, so I see a lot of that. Over the last year, and even more so over the last 3 months, I’ve seen many people new to OT security generating a significant volume of OT security content. Long and detailed posts, covering vast areas of OT security. Very dense infographics.

If you didn’t know better, you would call this content impressive. Of course, most of it has been generated by AI and sometimes, but not always, slightly cleaned up. I struggled to explain the problem with this.

Many complain it isn’t authentic. True, but that’s not it.

Is the information wrong? Well, overall it often represents the consensus view of the issue at a high level. As you’d suspect if you know how Gen AI works.

There are three problems with this content:

One, it’s basic and naive. It lacks nuance, and won’t prepare you for the reality of operations and business. It’s like taking a year or two of electrical engineering courses, and then telling people how to design an electrical system.

Two, it doesn’t prioritize recommendations, good practices. The lists of OT security good practices are getting longer and longer. If you rely on the increasing volume of AI generated content to guide you on what to do, that overwhelmed feeling you have today will be nothing compared to what’s coming.

What we need from the early adopters and leaders, the people like you that come to S4. We need you to be brave, flexible, and to do the hard work to decide what is the best OT cyber risk management approach for the system you’re working on. It will require you selecting and prioritizing actions, and more difficult, deciding what cyber hygiene not to do, at least not at this time.

This may sound familiar if you were here last year. It was the end of my opening keynote. It’s more true than ever.

The third problem with AI generated OT security content is it’s reinforcing a premature consensus. We are still early in figuring out this OT cyber risk management thing. We have very limited data proving out the value of most good practices; in many cases we aren’t even trying to measure and collect data. We have hypotheses that haven’t been tested.

Every year there is less OT security guidance that I’m certain is correct. The variety of systems, risk and current security postures is such that once you get past basic segmentation, not allowing unrestricted Internet access, and a few other things … after that I’d need to work with the asset owner and team to come up with a prioritized set of risk reduction actions.

Even worse the AI generated content from these new “experts” is being ingested by the LLMs. This is called model collapse or model autophagy disorder. It results in a loss of diversity of views and the data progressively degenerates.

Enough doom and gloom. Switching to the value of connecting to people. Particularly in person at an event like S4. One of your main goals here at S4 should be to identify your subject matter experts or gurus, and initiate a relationship with them. Whose viewpoint or analysis should you seriously consider on an issue?

For example, when I want to know something about the EU Cyber Resilience Act, I look for what Sarah Fluchs is saying about it. If I want to know what’s coming in NERC CIP I look to Patrick Miller.

It’s not always that easy. Sometimes I want to get a diversity of opinions. If you took almost any issue, there is a good chance that my analysis and recommendation is going to differ with Sinclair Koelemij. While you may lean towards agreeing with one of us more often, you probably would benefit from reading both. I read almost everything Sinclair puts out because it challenges my analysis, and I’ve changed some things.

You could say the same thing about Rob Lee and me. I may just be disagreeable.

We are entering the era where your curation of information sources will be critical for getting quality input for your decisions.

There is no better place to identify your sources for information in OT security than S4. Sure, it could be a speaker you watch on a S4 stage. More likely it will be another attendee you talk to over the next three days at lunch, the Cabana Sessions, or in the hallway.

Real connection happens at 4 feet, not 40 or 400. We can’t truly know someone from across a conference hall – or through a screen. Connection requires closing the distance.

There’s actually a field of study that began in the 1960’s by Edward Hall. It’s called Proxemics. You see the four distances, the four zones, on the screen. I could tell you the data and even the studies on how Zoom and Teams are closer to the public zone in terms of connection. It’s not really necessary. How many times have you heard, or even said, the hallway con is the best part of an event?

It’s why the Cabana Sessions are many attendees’ favorite part of S4.

Prioritize making these connections this week to curate your information sources, your tribe of mentors and trusted colleagues. To identify who you will seek out and listen to in the deluge of content.

Thank you for coming to S4. We appreciate your time is valuable, and will do our best to make this an important and memorable week for you. I hope you take advantage of the opportunity of being face to face with over 1000 of the world’s best. Make those connections, and enjoy S4.