If there is one sector that is keeping people cool, warm, and secure, that would be the utility sector. They are the ones who have been ensuring that our basic needs are well-provided and, in that process, well-functioning for decades. However, with the cyber element growing and taking root in the sector, threats to how utilities are delivered have become a concern. In this episode, Matthew Stephenson is joined by the Director of Energy Solutions at Finite State, Brian Proctor. Brian shares with us how the utility sector is taking cyber threats and events head-on with their own cyber teams. He discusses the evolution of response teams as well as the regulations in the industrial control systems and operational technology. Brian also dives deep into open-source, how they are making things secure, and mitigating risks from the human element. Looking ahead, he then tells us what the industry needs to get better and improve at, especially as we look at the merge of people, process, and technology.
Brian Proctor: Keeping The People Cool, Warm And Secure
I hope that by now we have spent some time together, but if you are new to the show, we are talking about cybersecurity and all the things that are cool. Welcome aboard. We continue to bring you all of the top experts in the industry for a chat about anything weird, interesting, fun, and terrifying that’s involved in keeping the world secure in a way that we have not discussed yet. That is why I am excited to welcome Brian Proctor to the show.
Brian is the Director of Energy Solutions at Finite State. He has many years of experience securing the power grid for the 2nd and 5th largest cities in the United States. That’s a big and vague thing, but if you think about what those states are, you’ll understand what I’m talking about. Our man has spent time leading teams in the public utility sector, then made the leap to the vendor side to promote the benefits of supply chain analysis and SBOMs, ICS, SCADA, and DCS threat detection. I don’t know what those mean. You may not either. We’re going to get to that in the show.
Also, network security monitoring or visualization capabilities that could bring into critical infrastructure the things that they need. Brian’s thing is all about helping the industrial control system security community make a difference for the greater good of our industry. I’m a cynical bastard, so if I’m going to say that out loud, I mean it. His longer game is about keeping the people of California electrified, watered, warm, cool, and secure. Brian, welcome to the show.
Thanks so much, Matt. I’m happy to be on. I love the title of the show. Hopefully, I can bring some heat and some fire and take some hot takes. Let’s get going.
I’m not worried about hot takes from you. I feel like that’s going to be a thing. We’ve had a couple of guests that say, “There is no such thing as friendly fire. It’s just fire.” Given the world that you have spent your entire career in, there’s no such thing as friendly fire.
That’s true because things blow up, people get hurt, and other crazy impacts can happen. I totally agree.
We are in that weird time of year where, depending on where you live, there’s record heat and also massive snowstorms. From your history in utilities, especially given where you have been in San Diego and Los Angeles, these are things you have to deal with. How does weather affect you and what you are charged with securing from a security perspective? I remember a few years back in Texas that radical storm crushed everything. How do you have to prepare and then react to that?
Working in the utility sector for several years, you notice and you get to understand that utilities do an amazing job mobilizing field crews and preparing for these large weather events and have mutual assistance across the country. I live in California, and we’re lucky enough that our weather normally isn’t too crazy. This 2023, it’s a little different, but what you see with a lot of weather on the East Coast, like hurricanes and tornadoes, the field crews normally from California are going out and driving their trucks out to those areas to help install new poles and get electricity back to the customers.
Utilities have been doing mutual assistance and getting power back to their customers for decades. It’s truly amazing and a great thing to watch, but the cyber element is something new and has been growing over the last couple of decades because when these big weather events happen, there’s always a question, “Will our adversaries take advantage of that?” They understand that there’s a lot of commotion going on and emergency response.
What I’ve seen and was a part of back when I worked in the utility sector was cyber was now part of the emergency response. It was part of the various teams. It was a heightened state where we wanted to make sure that when these outages occur and we’re rebuilding the physical pieces of the electric grid, the cyber monitoring and the various controls that we have around the system, in general, are maintained. If those go down, they want to bring those up as quickly as possible to make sure that there aren’t other cyber-related events or situations happening.
As I said, people’s heads are turned a different way by building things and trying to keep people online, and that can take focus and attention away from other areas. The utility sector has been doing a great job in general, like getting the power back on. Now that I’m on the sales side, you said I’ve made the jump. What’s great for me is I’ve gotten to meet and learn what all these other utilities across the country have been doing. The trend I see is when these events happen, the cyber teams are absolutely part of the emergency response teams. That’s something that is, in general, an awesome thing.
I wanted to ask you a follow-up question on that. Have you witnessed an evolution of what the response teams are? You’ve got to get the trucks and the people out there to make sure that the power and the water stay up, all of these things that we as a society are based on. Has cybersecurity been added to that list of teams if something catastrophic happens, whether it’s a hurricane in the gulf, a snowstorm in the Northeast, a massive drought in the Southwest, a rainstorm, or anything like that?
I’ve been part of a cyber team for utility in the early 2000s. 9/11 brought a lot of attention to cyber. That was one of the events along with other worms, Slammer worms, and other things that impacted enterprises like those big viruses and then other incidents. What I’ve seen over the last couple of decades is, from my experience, cyber security started on the IT side of things. It made sense. Technologies normally lived in the IT business unit and things were connected to the internet. There were email servers, and that’s where a lot of the threats and the impacts happened.
Cyber teams are built on the IT side of things, but what’s happened over the last several years with the introduction of regulation in the operational technology side, especially for new utilities with NERC CIP as a big thing for the utility sector, is security teams are now focusing on industrial control systems and operational technology. The maturity of those programs has grown over the last several years. Regulation helps that and has pushed that. That’s why, in my personal opinion, this is one hot take, the utility sector from an ICS OT perspective is the most mature ever security critical infrastructure.
We’re going to get aggregated on that. That is a great hot take, and I absolutely believe you and all of it up rocks.
You can say banking and finance are one of the critical infrastructure sectors. They do a fantastic job, but they’re like cloud and IT. Think of cyber incidents that can make things blow up, make drinking water stop, and make electricity unavailable for millions of people, those types of verticals. I would argue that the electric sector’s probably one of the most if not the most important of the CI sectors in my opinion. Working with various verticals in sales and seeing where oil, gas, water, and manufacturing are, the electric utility sector, especially the biggest ones across the country from a maturity, what they’re doing, and a program standpoint are the furthest all along than any other sector.
I talked about the drivers like NERC CIP regulations. One of the things I want to talk about that dropped was the National Cyber Security Strategy document that the White House put out, which was a great document. It had a lot of focus on operational technology. That was one of the takeaways that I personally had.
Another big focus was from a regulation standpoint. If you are vertical critical infrastructure and you don’t have any regulations at all relating to cybersecurity, those are coming. We’re already seeing this from a TSA Pipeline standpoint, for which Colonial Pipeline was the triggering event to drive the regulation from TSA. We’re going to see other verticals like water and wastewater and maybe even trains. The derailment in Ohio is a big deal. This is setting the groundwork for regulation to hit a variety of CI verticals. That’s a good thing.
If you look at what happened in the electric industry, NERC CIP back in the early 2000s drove a lot of the programs, investments, people, and resources from the electric utility side. I can see this helping all the other verticals catch up and get up to speed. I’m excited about that drop. I’m doing what I’m doing. I’m also seeing a focus on the supply chain, which is a big deal and a big topic.
Something centered around a big change, which is interesting, is the people who make products and software, are they going to be held liable potentially or more liable for the stuff that they make. If there are vulnerabilities and it causes incidents, the people who make their products are going to be held liable. We’re waiting to hear what’s going to happen. This is a big change because the operators or the private sector normally say it’s all on them and they are at fault. Now, the government’s saying, “We’re going to be looking at the people who make these things and make them liable for building security into the design of their products.” A lot going on as it relates to OT and industrial control systems and what the strategic vision is from the White House.
A lot going on, he says, in the opening answer in the very first segment. I want to get out of your way as you continue to dig into the details of this, but let’s get a little bit of 101 stuff upfront for those who don’t live in the operational technology or industrial control space. This network and securing and keeping it safe has a different type of implication. We’re talking about if the power goes down, water goes away, and the food chain is disrupted, that is different.
Given what you have done in your experience both on the public utility side, now that you’ve come over to the vendor side and are selling things to people in order to keep those things safe, what are the differences that you have seen as opposed to what most people would think of as a traditional SOC? It’s different when you’re talking about a gas turbine that powers a city the size of San Diego or Los Angeles as opposed to being inside the network of a major financial institution.
They’re different, but they’re the same. The reason why I say that is a lot of the technologies and things that you’d find in an IT data center, you’ll find similar stuff in an ICS or OT environment. The big difference as you touched on is that the focus on your priorities is not the same. What I mean by that is if you look at a common IT cybersecurity professional and they got their CISSP and all about the CIA, confidentiality, integrity, and availability.
When you’re working in ICS and OT, normally people are like, “The confidentiality is critical because you want to protect the IP, customer data, and employee data,” but ICS and OTs live on its head where reliability and availability, the A in the CIA triad that is the most important and probably the second most important is the integrity. The integrity of the process, whether you’re generating power or running a compressor station for a pipeline, making sure that those numbers are accurate, and the integrity of that data is maintained is critical.
If it’s not and you start making operational changes based on this data, if you’re an operator sitting at a compressor station or control center maybe hundreds of miles away and you’re like, “We need more pressure in this pipeline and that data’s wrong,” and you start increasing the pressure, there could be some bad impacts to that. That’s the big difference when you’re talking about IT and OT. It’s true that there are different types of OT devices for securing those. How you assess those is a little different because they can be very old and they’re not running Windows. They’re real-time operating systems that are much more delicate. You can’t scan those with vulnerability scanners.
Your approaches can be different. What’s been happening over the last several years is IT and OT are merging together. Patrick Miller coined the term It’s Just T or It’s Just Technology. At the end of the day, it’s just technology. A lot of these OT vendors are adopting embedded Linux stuff. They’re no longer these proprietary weird things. They’re trying to speed up their development life cycles. They’re trying to get things to market quicker, faster, and easier. They’re using a lot of open source stuff like Linux, various libraries, OpenSSL and SSH, and all these software packages that IT has been using for decades.
You’re now seeing those being introduced into embedded devices in ICS and OT. As we migrate off the legacy system, that is another big thing in the strategy as well from the White House. They’re talking about upgrading legacy technology to new technology where, hopefully, security is in the design. That’s the ultimate goal. Dale Peterson, if you know him, I consider him one of the godfathers of ICS and OT security. He coined the term Insecure By Design and how these systems made that famous, at least in our community.
What’s cool to see is the White House and the government has now adopted a secure by design phrase, almost the reverse of that. They’re pushing and building security in the products. Additionally, what we heard, too, is holding those folks who make the products liable for doing that. They want to help improve and bake in the security necessary to protect these critical environments from these various factors that we’re all facing.
What about open source coming into critical infrastructure and operational technology when it comes to the notion of risk? Also, open source being able to trace things back through the Software Bill of Materials, how difficult is that regulation-wise? Also, trusting and believing what you’ve got in there. Again, we’re talking about powering cities and tens and hundreds of thousands, if not, depending on where you live, a couple of million people. When you get into open source, how difficult is it to trace that back through the SBOM and make sure that things are secure?
Another hot take, open source has been in and is in a lot of ICS and OT environments now. It’s only growing. I talked about why, because the OEMs or the people who make these products want to speed up their development. They want to use non-proprietary stuff because when people leave the company, all the knowledge leaves. They’re going to open source because there are more people who know those languages, architectures, and operating systems so they hire quicker and ramp up.
Are you saying we should trust humanity?
Absolutely not. What I’m trying to say is that, historically, as an industry overall, whether it’s ICS and OT or just IT, we haven’t done a great job of asking the question, “What’s inside of this software or this device that I’m buying and putting in an environment?” even things in cybersecurity technologies like, “What’s in my Palo Alto network box? What’s in this router?”
If you look at network infrastructure, I would argue 90% odd, it’s like a Linux Kernel running a ton of open source stuff. It’s the same with security technology. These companies adopted Linux and OpenSSL. The reality is, like every company, there’s tech debt. They don’t always upgrade every component and everything on every release. There are features that their customers want to close a big deal, and a lot of times, upgrading everything and then testing and going through the regression testing that’s needed. That takes a lot of time, effort, and money.
As a community, especially in ICS and OT, we already talked about the impacts. They’re big and can lead to bad things happening. We haven’t done a good job of asking the difficult question, “What’s inside of this thing that you’re selling me?” The new approaches that we at Finite State are focusing on are looking inside and doing analysis where we break apart firmware and software to identify and create an SBOM and automate that and say, “What’s the ingredients list of this device that’s controlling my gas turbine? I want to know what the ingredients are to make this controller that can spin this thing fast.”
Now, with the whole SBOM movement and what NTIA started and CISA continuing to do promoting transparency, which is what the movement is calling, people now are aware of or at least gain some visibility into, “Here’s the software package or device’s ingredients list.” Now, they can take this ingredients list and more importantly understand what are some vulnerabilities that are associated with this ingredients list.
Based upon our analysis, the reality is the people who make the products only write 10% to 20% of the actual code that’s inside. That’s the proprietary first-party code. The remaining part of it is either from other suppliers or from open source. A lot of times, the people who sell you the product have suppliers, and those suppliers provide components. They even have open source pieces to it, but all this information isn’t sent between the suppliers and not sent to the operators or the people buying the stuff or installing and deploying this stuff.
Bringing that visibility and the whole movement for SBOM, I’ve seen it and have been working in it for the last few years. It’s a hot topic in the industry overall in ICS and OT, but we’re also seeing it in SaaS and cloud because that’s a big thing on the IT side. When you buy a SaaS offering, it’s, “I want to know what technologies you’re using. Are you using any component that’s five years old with a slew of vulnerabilities?” Log4j opened our eyes there. I hate to have this show talk about Log4j because people have probably heard enough about that stuff. The reality is I used to be an asset owner. I call those celebrity vulnerabilities.
I love that term. If you’ve got a logo and a name for your vulnerability or your malware attack, you have arrived as a bad guy.
Log4j is a celebrity vulnerability where executives were asking their teams, “Where do we have this? What’s our response? How big of a deal is this?” What we heard from our prospects and customers was that they would at least then call their vendors, email them, or send questionnaires out and say, “Do you have Log4j?” It was a very manual process. What they got back was interesting because they got back responses like, “No, we don’t have Log4j,” but a few months later, they got another email saying, “We found out that we do.”
It was like COVID. Pretty much everybody had it.
They have suppliers and the OEM didn’t have insight into what their suppliers were using from the open source perspective, so then the answers changed. Log4j also opened people’s eyes from the people who made the products and the people who buy and operate the products to the complexity and how manual it was to go through that, how time-consuming, and the resource constraints for teams, the OEMs, and people who deal with vulnerability disclosures on a day-to-day basis. It was a nightmare for them.
I see SBOMs and this whole VEX or Vulnerability Exchange that’s an added machine-readable file that goes along with SBOMs to tell you in this software package, device, or product if the Log4j vulnerability or CVE is exploitable or not exploitable. That’s the golden egg or goose in all of these. If you’re an operator, you want to know when Heartbleed 5.0 comes out with OpenSSL very quickly. Not only do you have this OpenSSL in that version and potentially vulnerable, but more importantly, you want to take that next step. Is it exploitable? If it is, that can help you as an operator identify, “What’s our response going to be? How many and where is the software package installed in my environment?” It helps speed up an incident response like what the plan’s going to be.
You use the word operator a couple of times, which brings us to the human element or, as I have been referring to it, the fleshy bits that are involved in this thing. As we creep back up, the SBOM, as you were saying 10% to 20% is actual new code but then it’s attached to the manufacturer’s code, but somebody had to write that, which is attached to open source, which means somebody had to write that. I don’t like the word weakness and would go with the word vulnerability when it comes to the human element of this.
It’s not something you can never cure because humans, by definition, are chaos and chaotic and we are grateful that we are such. How can you mitigate that risk at a maximum that allows the operators to do their job at their best efficiency, while at the same time making sure that as we said where we keep the lights on, the internet up, and the water flowing? We can live without digital transfers of money, but we can’t live without water.
The human element is, as you said, one of the hardest things to address. We think of everything from insider threats to phishing, people not clicking the links to people writing code, and talking about supply chain and open source projects. There are always going to be vulnerabilities and weaknesses. We, by no means, are not perfect. In my opinion, a lot of people in the security communities say humans are the weakest link. It’s hard to argue against that because humans are part of all these things.
First and tied for last because as humans, we write the software and build the hardware.
We then click the links and exploit ourselves.
We all get the gold medal and the bronze medal because we made everything that is better or worse than we are.
I’m glad we’re talking about the human element because when I led my team in the electric utility, one of the highlights of my career was getting to interview probably thousands of people across the country to join our team as consultants or as engineers. I love doing that. I love building the next generation of security professionals and seeing people grow and mentoring people.
When I was at my last gig at the last utility I worked with, I built the most impressive group of cybersecurity engineers ever hired for a critical infrastructure operator. We had the most elite team ever created in history. Another hot take, let me tell you why. If you look at my team and I’m not going to say their names because some of them probably don’t want me to.
They’re security people. They don’t ever want anybody to know their names.
One of the team members was on 60 Minutes and probably found one of the highest-profile acts in ICS OT. We’ve got guys who are leading threat detection for unicorn startups. We have two people like that. We got people working in high positions at Amazon. My coolest job was being a team lead over these elite engineers and doing some of the coolest work the industry had ever done and seen. We all left and went on to bigger and better things, but as I said, I love the human element here and getting to talk to people.
I made this weird transition from a cybersecurity architect to team lead and went into sales, which is weird as a vendor. I’m not sure if it was a smart move, but I personally love it. The reason why I love it is I get to talk to people and hear about their challenges and complexities, and learn about other environments. I was focused on the electric and gas stuff, but now I get to work with people in all these different verticals and sectors. They’re totally different with different constraints and priorities as I’ve mentioned.
Getting to help them solve these hard cybersecurity challenges and getting to see the positive business outcomes of what we do, hitting goals, and seeing people build maturity and capabilities, that’s what I like. There are no knocking salespeople, but I’m a different type of salesperson where I try to help them. It’s not about selling a product. It’s helping them with whatever problems and priorities they have. What I do too is connect them with industry folks or even other vendors and other categories in cybersecurity overall.
I’m happy to connect them with people and companies that I know that I have met throughout my years with them to help solve their problems. At the end of the day, even as a vendor, we’re all battling the same threats. We’re all trying to achieve and do the right thing. What I love about the community overall is we’re all fighting the same battle even though you have competitors and everything else. At the end of the day, we’re trying to do good for humanity and the greater good. Something that I like doing is bringing people together and helping solve hard problems.
In the course of your career as you have transitioned from being an asset owner over to the sales side, shout out to the salespeople because they’re the warriors who make sure that all this stuff gets done, but it gives you an interesting prism through which to view all of this stuff. Not only did you build a team of chefs, but you also knew the farmers. You knew the millers who ground the grain in order to make the bread that was served at the restaurant. That’s one side of the kitchen.
Now, you’re on the other side where you are dealing with the diners, the people who are receiving and eating the meals. When you look at the vulnerabilities, whether it is malicious attackers from the outside, unwitting people who think they’re doing their jobs the right way on the inside, or the occasional insider threat, knowing that you can look at it from a 360-degree perspective, what do we need to get better at? If you had to pick one thing or even stack 1, 2, 3, where do we need to improve?
Insider threat is probably one of the most difficult things to conquer. It can come at you from so many different angles. You need to establish a focused program. As I touched on earlier, one of the awesome things that I’ve gotten to do in my career is probably working with the most advanced cybersecurity programs, at least in ICS and OT, and understanding their programs and their maturity.
One of them has probably the most advanced insider threat program I’ve ever seen. It’s a team of dedicated people doing a variety of activities, not just from a technical side, monitoring access and what people are doing, and data that they’re accessing, but even doing things like continuous background checks, drug tests, and various other things. ICS and OTs are different. Bad things can happen, like people dying, being injured, and other things.
I have seen some cool success on insider threat programs, but it has to be a focus on people, processes, and technology. That’s probably three items used, but if you don’t have folks who address one of the hardest risks in all of cyber, which is the insider threat, it’s going to be difficult. Having focus when it comes to insider threats is one of the biggest hurdles and challenges. Going back to the supply chain, the supply chain is like an insider threat a little bit.
It’s the most inside.
You’re buying stuff and bringing it inside. All the ramp-up with SolarWinds and Log4j, which is a supply chain type of concern, that too is a big priority and focus because you’re bringing not people in, but you’re bringing software and devices in. Gaining the visibility and trust of these things is critical. It’s adopting a program and maturing your processes to identify insider threat concerns or supply concerns. You’ve got to have a focus and put those three things, people, process, and technology on it or it’s not going to work. You’re not going to see the fruits and the benefits of focusing on that if you don’t have those three things together.
I’m going to swerve a little bit on a question that I’ve been asking folks over the last several episodes. We are now in the springtime, which is all the big show seasons. You have mentioned a couple that may sound a little esoteric for those who are not in the OT ICS space, but they are big for that industry. Rolling up on RSA, HIMSS, and South by Southwest, and the summertime is coming, and all the things now are happening.
Here’s a different version of this question that I’ve been asking. You mentioned you went to South Beach. What’s the buzz? Is it about this the new hot thing, or does the industry not lend itself to that? Is this what we’re more concerned about? What are we hearing as we roll from show to show, “Here’s the issue and a potential solution,” and then you get to the next level, “We figured it out.”
You’re referring to the S4 Conference. For the readers out there who don’t know about S4, it brings together the biggest thought leaders in industrial control systems and cybersecurity. It’s highly recommended. It’s in Miami, in February and March every year. We don’t just focus on ICS and OT. Our main verticals are automotive and healthcare as well. That’s HIMSS and automotive shows like Auto ISAC, etc.
The ISACs are great shows. If you’re not at RSA, you’re probably not a cyber company. If you are, you have to go to RSA. The hot topics I hear about are supply chain and SBOM, but looking outside of that, there’s attack surface management. There’s a lot of talk around that. Also, insider threat and cloud security. Everyone’s got cloud strategy and new technologies to help gain visibility and deal with threats in cloud environments that people use. I see a lot of startups in that space.
The cyber insurance space doesn’t get a lot of attention, but there are some cool cyber startups, at least people focusing on loss expectancies and a lot of other terms I’m not educated at all on to speak on. That’s an important thing from a liability and insurance standpoint, especially with these large hacks. Now, it’s what we’re hearing from the White House with the strategy and putting more liability and the people who make and build the devices and software.
Insurance play is going to get more and more attention over time and how we see insurers and other tech companies offering either technologies or services around making sure that you have the right policy and understand cyber risk in these complex environments, especially ICS and OT. I would argue insurers probably maybe have an okay on how IT and cyber risk works. Probably not, but there’s even a bigger problem when it comes to the OT and ICS when they’re trying to insure wind farms, solar plants, even huge nuclear plants, and power generation. These are super complex and are running IT and OT stuff. Improvements in that area and understanding of risk in those types of environments are also something people should be watching for.
I want to kick over to a little bit of a different thing and do some leadership corner. You and I have had the good fortune to do a few of these fun things over the last several years. Not everybody knows you, and not everybody knows me, but what are you doing when you’re not doing this? What’s on your Spotify playlist? Do you have magazines in the bathroom and books on the coffee table? What’s going on?
I’ve got two young kids. I’m spending a lot of time with them.
Speaking of the chaos of humanity. Yes please, let’s add those to everything else.
I like to stay up to date on the hot things in the space and industry. It’s something that I’m trying to get more educated on. I don’t have a lot of time to read books because honestly, after work and then going to the park with my kids after school every day and doing the dad thing and putting them to bed, I maybe get an hour to an hour and a half of free time before I have to go to sleep. I’m on the West Coast and deal with the East Coast companies where I’m waking up for 6:00 AM meetings and stuff like that. I don’t get a lot of time to read books, but I do get to read stuff on the internet and other things.
It’s cool if you say that I like the Marvelous Mrs. Maisel on Prime. You could admit, “Sometimes I watch TV.”
The Mandalorian drops season three. Let’s be real. Star Wars is awesome. The national Cyber Informed Engineering or CIE, there’s a whole strategy and movement around that. Idaho National Laboratory is leading the effort there on how to engineer out cyber risk when you’re building new industrial control systems or operational technology. There’s a whole strategy from the government coming out around that. I’m reading and getting educated on the pillars and focus of that.
For any readers out there, I highly recommend googling Cyber-Informed Engineering and seeing the strategy documents coming out of DOE and CESER. That’s another entity in DOE around that whole initiative. It’s pretty cool. I don’t want to say reverting back to analog things, but if you’re running a water treatment facility instead of having a valve that’s cyber-controlled or there’s intelligence to reduce the risk of someone opening the valve and closing the valve when you don’t want to, maybe we should make the emergency bypass not digital and go back to the more physical thing.
Taking a strategy like that and engineering cyber risk out when it’s being built and designed makes a ton of sense. We need more of that because working in electric utilities for several years, there are some sharp electrical and engineering folks out there. Bringing them up to speed, working with their peers and the cyber teams, and pushing this thought of engineering out the cyber risk is a good thing for all of us.
I’m reading a lot on that, and there are some startups that are popping up now that are focusing on that, trying to build those principles into big EPCs or those people who build the big power plants or companies who build those things. They’re strategies and processes into those. That’s super cool. I’m not on social media all the time, but I’m a vendor, so LinkedIn and Twitter are awesome. I’ll always try to stay up to date with Twitter and LinkedIn. Behind the scenes too, if you’re in the ICS and OT community, you might have heard of something called the Beer-ISAC.
Quit telling me about these dry dusty academic things you’re reading. Please talk to me about the Beer-ISAC.
The Beer-ISAC is started by a handful of awesome folks in the ICS and OT space. They hand out coins at conferences for people who are helping the community out. I was lucky enough when I was an asset owner and got to speak at conferences. Now as a vendor, no one wants me to speak and they don’t care what I have to say, which is totally fine. I get it. You don’t want to hear it from a vendor, which is cool. When I was an asset owner and giving talks about what we’re doing trying to help people, I was lucky enough to get a coin.
The coin is not the cool thing. The cool thing is the Slack channel that you get at or the community that you could add to with 250 of the top ICS OT thought leaders. Sharing stories and the hot takes coming out of that are the highlight of my week every week. It’s super cool to communicate with these groups of people and get this semi-private chat room where you get to share thoughts and ideas. There are a bunch of characters on there, and it’s awesome to be part of that.
To be straight, the coolest part is the beer.
We talked about conferences earlier, and as for RSA, there are always meetups. I was like, “Where’s the beer tonight?” Whether you’re a coin holder, not a coin holder, have alcohol to share or not, or even if you don’t even drink, it doesn’t matter. It’s about getting together and sharing stories. That’s where the real intel and real good conversations come in. It’s over whiskey and beer. It’s not in the public and on stage. It’s, “Let’s dig into this over a beer, a nice whiskey, or whatever you drink.” That’s where the real action happens.
One last thing so people don’t think that you’re a guy who pounds beers and whiskeys, and reads academic books about how to secure the industrial control system universe. You got a framed jersey hanging behind you. Readers, I am trying to pry personal OPSEC information out of Brian. This is the one you got to tell us about. You got something very cool hanging on your wall.
That’s a signed USC jersey of Reggie Bush. He’s a big college football guy. I got that from my ex-girlfriend as a gift. I don’t know if my wife knows that I got it from an ex-girlfriend.
Once she reads this, she’ll find out.
He’s a football guy. I’m a USC fan. Both my parents went to USC. I have a lot of family members who went to USC, so I grew up going to the games. I didn’t go there because I went to high school down the street. I want to get out of LA, but I’m still a big fan. I grew up being competitive and doing a bunch of sports. That’s half the reason why I went into sales. I’m a competitive person. I’ve got signed paraphernalia from USC.
That’s the best. If anybody is more invested in keeping California fed, watered, cooled, heated, safe, and secure, I feel like that bit of a background tells you where our man is from. Here’s the last bit of a shameless plug. For people that are looking for you or if you’ve got anything cool that you want to give a shout-out to, and you want to talk about Finite State, where can people find out what’s going on, what’s interesting, and what they should be aware of?
Check us out, FiniteState.io. Find me on LinkedIn and Twitter at @BrianProctor67, which by the way, talking about sports, 67 is my football number. I’m repping the football number on Twitter as my handle. Find me there. Reach out, whether it’s the talk about supply chain, SBOMs, doing binary, or SCA on software. I’m happy to talk about that, but more importantly, as I said, I love connecting with people in the community and trying to help out in whatever way possible. Message me or email me at Brian.Proctor@FiniteState.io. I want to thank you, Matt, for having me on. Hopefully, I dropped some friendly and maybe unfriendly fire and some hot takes. I appreciate it. I love getting on these things and giving my perspectives.
This is the information that we need to get out there. You can also hit Brian up if you want to dig deep into the Bush Push and that one USC team with LenDale White and Reggie Bush, the greatest college football team of all time, but I’m going to save that for you guys to have that exchange on your social media platform of choice. That is it for this episode.
Brian is somebody who doesn’t have that much personality. He’s going to be hard to get information out of if you talk to him, but trust me, if you give it a shot, he might give you a couple of 1 or 2-word responses. Brian, thank you so much for joining us here on the show. A little bit of a reminder, all comments reflect the personal opinions of the participant, not necessarily those of their employers or organization.
For more information on all that is good in the world of cybersecurity, make sure that you check out what Brian is doing personally and also at Finite State. Look for us at Elevate Security on LinkedIn and Facebook and as always, the mothership, ElevateSecurity.com. You can find me at @PackMatt73. Also, Brian, 73 is my football number.
We got something in common.
A lot of folks have always asked if that’s my birthday. I said, “I might be a couple of years before that.” That’s where you can find me across all the socials. Make sure that you check out the show in all the places where you get these shows. That’s where we are. Subscribe, rate, and review, and give us five stars. If you give us four, I am inclined to think you are a hater because we got people like Brian coming on the show. How is this not worth five stars? Make sure you check us out. We are stacking up ridiculous guest after guest. We want to help. That’s how you find out all the cool things that are going on in security. Until then, we will see you next time.
- LinkedIn – Elevate Security
- Facebook – Elevate Security
- Finite State
- Cyber-Informed Engineering
- LinkedIn – Brian Proctor
- @BrianProctor67 – Twitter
- @PackMatt73 – Twitter
About Brian Proctor
Brian Proctor has spent the majority of his career as an ICS/SCADA cybersecurity engineer and cybersecurity team lead working for two progressive California Investor Owned Utilities. In 2017 he took an opportunity to join an ICS security startup. Brian jumped to the vendor side to promote the benefits ICS/SCADA/DCS threat detection, network security monitoring, and visualization capabilities can bring to critical infrastructure asset owners. He’s passionate about helping the ICS security community in any way possible and trying to make a difference for the greater good of our industry and country.