Critical Infrastructure Risks

Hosted By Chris Parker

310
“When you’re dealing with industrial systems, the priority isn’t stopping a hacker. The priority is keeping people alive, keeping the water safe to drink, and keeping the power on.” - Lesley Carhart

Most cybersecurity conversations focus on stolen data, breached accounts, and attacks that live entirely on screens. This episode looks at a far more consequential threat: what happens when cyberattacks target the physical systems that keep society running. Power, water, transportation, and manufacturing. When those systems fail, the consequences aren’t just digital. They’re immediate, visible, and sometimes dangerous.

My guest is Lesley Carhart, Technical Director of Incident Response at Dragos, a cybersecurity firm focused exclusively on protecting critical infrastructure. Lesley specializes in industrial control systems and operational technology, investigating real-world attacks against power plants, water systems, transportation networks, and industrial facilities built on aging, irreplaceable technology.

We talk about why these environments are uniquely vulnerable, how ransomware groups and nation-state actors quietly gain long-term access, and why many compromises go undetected for years. The conversation also explores the limits of traditional cybersecurity thinking, the real-world constraints operators face, and what organizations can realistically do to improve security when failure isn’t an option.

“Ransomware hits industrial environments especially hard because when visibility is gone, you don’t know if things are still running safely.” - Lesley Carhart

Show Notes:

  • [01:30] Lesley Carhart is here and explains what operational technology is and why industrial systems are uniquely vulnerable
  • [03:40] How decades-old computers still run power plants, water systems, and transportation infrastructure
  • [06:10] Why industrial environments can’t simply patch, upgrade, or shut systems down
  • [08:25] The mindset shift required when safety and continuity matter more than stopping an intrusion
  • [10:40] Why air-gapped systems are mostly a myth in modern critical infrastructure
  • [13:15] How remote access became unavoidable—and one of the biggest risk factors
  • [16:05] The three main threat categories facing industrial systems: ransomware, insiders, and nation-state actors
  • [18:45] Why ransomware is especially damaging in power, water, and manufacturing environments
  • [21:30] How nation-state attackers quietly establish footholds years before taking action
  • [24:20] Why many industrial compromises go undetected for months—or even years
  • [27:10] What incident response looks like when you can’t just “pull the plug”
  • [30:05] The most common causes of industrial failures: human error, maintenance issues, and environment
  • [32:40] A surprising incident that looked like a nation-state attack—but wasn’t
  • [34:55] Why critical infrastructure organizations often feel pressure to pay ransoms
  • [37:00] Practical starting steps for organizations with aging, mission-critical systems
  • [39:20] Advice for people interested in industrial cybersecurity and working with legacy technology
  • [42:10] Why mentorship matters and why Lesley chooses to give back to the field

“Most failures in industrial systems still come from human error or maintenance issues, but the risk that keeps me up at night is intentional sabotage.” - Lesley Carhart

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Transcript:

Lesley, thank you so much for coming on the podcast today.

Thanks for having me.

Can you give myself and the audience a little bit of background about who you are and what you do?

Hi, everyone. My name is Lesley Carhart and I've been doing this since the time I've walked the earth. I am a cybersecurity practitioner. I do industrial cybersecurity, I do cybersecurity for trains, and power plants, and aircraft, and manufacturing facility equipment, things like cranes, and drill presses, and things like that. Those are all from my computers today, and they can get hacked into, and there's a small group of us on the planet who investigate what happens when those get hacked into.

Maybe it's not as niche as I think it is, but that's a very specific area of cybersecurity. How did you get into that specific area?

Yeah. Today, we call it OT or operational technology, as opposed to IT, cybersecurity, and it is a growing field. It's a quickly growing field because all these systems have started being connected to things, and they're all ancient, vulnerable, and other nasty stuff, so the field is growing. But for me, I started out in the hacker community in the '90s.

I was a web developer, and of course, the dot-com bust hit me like it hit everybody else, especially as a young person at the time, and I had to rethink my life choices, and I really had no option at that point but to enlist. I joined the Air Force, and they were like, “Hey, you want to be a medic? You want to be an administrative assistant?” I'm like, “No, give me something with computers.”

They're like, “Well, do you want to solder the circuit boards that go into airplanes?” I was like, “Yeah, let's do that.” For a while, I got a degree in avionics, and I did maintenance. It wasn't what I wanted to spend the rest of my life doing, but it gave me a lot of exposure to life safety, critical systems, and things that are computers that don't look like computers. After that, I got a degree in network engineering, and I went to go work in a SOC, like a lot of young people did in the box, to get into cybersecurity. I went to a manufacturing company, and I stayed there for quite a long time, worked my way up to incident response lead there over a decade.

Then a colleague from the Air Force actually reached out to me and was like, “Hey, I'm starting this startup, and we are going to just do critical infrastructure, cybersecurity, so we are going to safeguard water and power and transportation, oil and gas, things like that, and that's what we're going to do globally, exclusively, and do you want in?” I'm like, “Hey, that sounds really, really cool.”

I've been there ever since. The company's called Dragos, and yeah, that's my day job, is doing digital forensics incident response investigations of all this weird industrial and legacy computing stuff that runs everything we rely on in society. When it gets hacked into or potentially gets hacked into, I get my bag and I go there in the world and try to figure out what happens. There's probably less than 100 people on earth who do what I do. We know each other. It’s a very small practice.

That's kind of neat when you know everybody in the industry.

Yeah.

What is the main defining difference between kind of traditional cybersecurity that people think about and kind of industrial control systems and operational technology? What's kind of the, what's the dividing line between the two?

Yes, so there's two major differences, and one is kind of a way of thinking, and one is technological. The way of thinking is you have to stop prioritizing hackery stuff. The priority there is like keeping people alive and keeping the water safe to drink and keeping the power on, things like that. It's not like OIC configure on a system, or like, “Oh, somebody hacked into a main controller.”

That may not have any bearing on whether there's safe water to drink. You really have to prioritize what could really happen. And these systems are systems of systems. They are full of safety controls, human operators, redundancies. They're made to be safe because people screw up and pieces of equipment fail over time in an industrial environment. So there's lots of things that keep them from catching on fire and exploding.

You really have to think about that in reverse. Like how would an adversary actually defeat those controls? It's not going to just be, “Oh, they hacked a PLC.” It's like, “Well, they took out the safety controls and then they changed what the operator was seeing,” a very thought-out attack path.

You have to kind of do the opposite as a defender, is think about how would you disable all of these levels of redundancies and safety controls? What's actually the most important system? What's the crown jewel that's keeping people alive? What would somebody target? All those questions.

And you can't cause a worse impact either. You can't just bring things down. They're keeping the power on. There's that different set of priorities that can be very hard for traditional cyber security people to get their head around. And then the second thing is a lot of this technology is very, very old and a lot of people have never had exposure to it.

People coming into the field and people today never worked with Windows 2000, Windows 95. We see those in production. Still running critical parts of society. You have to be able to do cyber security working around these incredibly old computers that are still doing really important things. You can't yank them out and replace them. They have been certified to work safely in that state.

You can't just replace them ad hoc with like a Windows 11 computer or whatever. You have to think of other solutions and you have to be able to do forensics and containment and investigations and threat hunting with Windows 95 computers against modern threats. So like, those are kind of the two major differences.

It's just got to be kind of interesting to, “OK, we've got a Windows 95 machine. Because of everything that's connected to it, we can't upgrade it, which means it can't be protected in the ways that you would try to protect.” I use the word normal machine, but a current machine. I know why you have to think differently.

How do you think differently about, “OK, I know I have this machine and I know the things that it's vulnerable to.” How does that change the way that you protect it versus a Windows 11 machine on a network?

You named two of the important factors to that: knowing what's there in your architecture, how it's laid out, and also knowing what the vulnerabilities are. It's not necessarily being able to fix them in traditional ways, but you do have to have those two pieces of information. That's where you start. It's like, what do I have and what's it vulnerable to?

And then you build mitigations. Those mitigations are oftentimes levels of detection, passive detection, like we did around 2005, 2008, like old-school network, packet-based detection, because that doesn't touch anything or break anything and it doesn't require agents that aren't supported on older computers. A lot of that. Then also mitigating architectural controls, from microsegmentation where you can do it.

Data diodes are very common in industrial environments. Not that people necessarily know how to use them, but they're elite. Also remote access control because remote access network connectivity has gotten incredibly popular in those environments. And there's usually multiple remote access mechanisms into environments that were not intended for that. You have to really, really watch that and control it carefully.

Can some of these systems just be air gapped? And say, “Well, we're just not going to connect it to other networks. We're going to just kind of keep it on its own little thing.”

No, the train has left the station. The freight train is gone and you and I are not getting out there and going air gap. There's too much value in connecting these systems to business and to critical infrastructure agencies. Everything from real-time telemetry, like historian data, like how well is the system functioning down to the millisecond, nanosecond data they want in real time.

It's used for billing. It's used for things like smart meters, like remote detection sensors, things like that. Things are feeding data in, things are feeding data out. People want remote access to everything today. That's the culture we live in. Yeah, there's return to office and things feel like office workers. But like, no, your power company doesn't want to have the same number of remote technicians that they use, or onsite technicians that they used to.

They want centralized remote technicians who can do most of the work. It's just way more affordable to be able to do things remotely. For their cost savings perspective, remote access is like a must for most industrial organizations. You see, I see maybe like two, three air gap environments a year now. They are very, very old or they're like government or nuclear. That's it.

They're air gapped because they pre-existed computers in that sense. And there was nothing that would be connected in that way.

Or there's such extreme regulation on them.

Are those, like, really very rare? If you're watching TV shows and things like that, you kind of get the impression, “Oh, gosh, half the industrial equipment out there, it's either air gapped or it's plugged into fiber and every port is left open.”

It's somewhere in between really. Everything we see on TV related to having a computer is goofy, but I love that too. Another hobby of mine is catching that stuff. It's really somewhere in between. People are trying really hard. The people who are owners, operators of industrial equipment are generally very aware that there's major cyber threats against their stuff these days.

And things like ransomware have made that very visible. You can't hide from that. You can't stick your fingers in your ears over things like that. People are aware, but these are challenging problems. You can't just upgrade everything. You can't take things down more than once a year.

It's incredibly expensive. Systems are certified by the vendor to only work safely in one condition that they come out of the factory.

It's a challenging process to staff for. The expertise is rare. Then actually doing the things is expensive and complicated. It takes a long time. People are usually in the lower to mid stages of maturity right now in their OT environments. They’re, like, starting to implement programs and they're starting to build better architectures and defensive controls, but everyone globally has a long way to go.

Yeah, I assume it's not just US infrastructure that has risks, it's everybody's infrastructure has inherent risks to them.

Oh, yeah. I live in Australia. Just for clarification for your listeners, I live in Australia in Melbourne. I serve a lot of customers around the region. It's really funny. Every time I go to a new national cybersecurity body, somebody pulls me aside and they're like, “Hey, are we the worst ones?” I'm like, “No.” Everybody's facing the same problems right now.

They're all grappling with how fast these systems have relatively gotten connected to traditional IT networks and then started to use traditional IT technologies like Windows computers and then how fast they've been connected to other networks. It's challenging. It's really, really hard and it's something we're all tackling together.

I don't know if you necessarily know from your experience, the lifetimes of, OK, clearly it's pretty long. If it was initially working with a Windows 95 machine, the newest thing that can run off of. Let's say water treatment systems. Was there ever a design of like, “Well, we know we're going to replace this in this control system, but we're going to replace it every 50 years”?

Yeah, it's less than that. Chris, you'll get my reference here just explaining this. I don't know how many of your listeners will, but it's like thinking about buying an IBM system in the 70s, 80s. Like, you bought a system and it was like everything. It was the screens, it was the terminals, it was the mainframes, everything came in the package and it was all certified at the factory to work together.

And it's like that when you buy a power plant, everything from the PLCs to the computer systems like the HMIs and the engineering workstations and the network infrastructure, everything comes from the vendor and it's all certified and tested for months to work together safely. It's a big deal when you're going to do those upgrades. You have to have a major downtime outage. It's a major expensive update from the vendor.

There's minor updates and major updates. It depends, but either way, you maybe have one or two downtime windows a year to do whatever you're going to do. The lifetimes, it depends on the vertical. There's verticals that have a lot more money, like oil and gas. They can upgrade more frequently and then there's things like municipal water that has no money and they can plan to upgrade like every 20 years maybe. Or when things break catastrophically and they can't be fixed anymore.

The window’s usually like five, 10 years at least between major updates, even if you're well resourced. Because again, you're only bringing systems down like once a year, twice a year and it's a big, expensive deal.

Yeah, it's not like you can go to, if you're in municipal water, you can go to your customers and say, “Hey, we're turning off the water for the next two weeks while we upgrade our computers.” People are not going to be–

No, and you can't do that in cybersecurity as an auditor. You can't do that. Yeah, you just can't do that. You usually have to create, like, some failover plan with peers, partners, all in support from other municipal utilities, things like that. It's very complicated, and it's very expensive, and it's a big deal. The systems have to get old for a reason.

Since you work on the forensic side as well, are the threat actors the same in people that are trying to get into my computer and the listener's computer versus the ones that are trying to get into industrial systems? Or are you looking more nation state-y sort of thing? Or is that just a bit of a myth?

It's very interesting. Let me go through the case types that I get. The first one’s, like, criminal stuff like ransomware, and they're attacking everybody. They like industrial targets because when they explode, it's very visible to the public and they're less defended, they're more vulnerable. They are tending to target them more often. And ransomware has a big impact on those environments because they use Windows computers to see what's going on and if it's running safely.

When you lose those, it's like, “Well, things will probably keep running for a while but we don't know.” Sometimes you have to shut down your operations because we just don't know if things are running safely, especially chemical, hot metal, things like that. Ransomware are hugely impactful, not necessarily targeted criminal organizations, but they like industrial spaces and they're targeting them more and more because they know they're super vulnerable.

And the second set of cases is like insiders and they're usually mad, intentional insiders. There's exceptions. Those engineers who work there, if they get fired, they sure know how to break things really badly. They are the experts on all the mitigations in the system, but most of the time it's just like somebody being bored or doing shadow IT and trying to do their job or just wanting to watch movies in the middle of the night.

That could cause big problems, obviously. The third type is what you were asking about, which is state stuff, state terrorist stuff and also big cartels and stuff. That's like geopolitical and there's nothing new under the sun there. It's like sabotage or industrial espionage and industrial espionage, of course, these environments may have proprietary data, manufacturing procedures, configurations, things like that.

That's mostly just stealing stuff from the environment, but they can accidentally break things. The more concerning thing is of course the sabotage and sabotage has been a part of warfare, conventional warfare and politics, geopolitics for as long as there's been human civilization, but now people can do that via computers and, in some cases, that's cheaper and more efficient. What we see is every country that has the capability to do cyber stuff is building footholds and doing reconnaissance on everybody who they might want to target in the future.

That's a lot of what we're finding and sometimes honestly it's getting lucky because the maturity level is pretty low in a lot of environments. We go into an environment, and we do a hunt, and we find a state actor, and they're doing a bunch of things. They're just building quiet back doors so they can get in later. They're doing a lot of understanding the environment because those systems of systems are unique and complicated.

That if they want to do something, if there's a war, something like that in the future, they have that capability. They can quickly bring down the power, poison the water, bring down sewage systems—that’s a nasty one that keeps me up at night—stop trains, whatever. They want to be able to do that. They don't want to do it right now. It doesn't get any budgets and it doesn't get much attention.

But we've seen that at least the stuff happening to the US telecommunications infrastructure made the news. But yeah, everybody wants footholds and reconnaissance on everybody else so that if they want to use it in the future, they have full capability to do that. And they're also building toolkits and testing them. We've caught a couple of toolkits being developed before they were actually used. They'll usually go to places where there is little-to-no cybersecurity and the infrastructure fails more frequently that nobody notices their testing, their attacks.

What kind of industries are there where the equipment fails, let's say on a regular basis, but more frequently or maybe is it industries where failures of equipment are less, “OK, yeah, we have downtime, but we can manage downtime sort of thing as opposed to water and electricity”?

No, they'll find the utilities that they want to attack. They'll find the system and the vendor they want to attack, but they'll find it in an underprivileged nation or a part of the world where there's no cybersecurity agencies, programs, funding. They still have power plants there, but the power plants go down on a routine basis because of maintenance problems and lack of funding.

Same with water, same with things like that. There's places in the world where there's no safe drinking water. You can mess with the drinking water systems more liberally. One of the interesting attacks that we did analysis on was TRISIS, which was an attack against Triconex safety controllers. That was caught through a series of fortunate events, that somebody was learning how to tamper with the safety systems that are used in these, the digital safety systems that are used in these process environments.

And again, like they thought they were testing, probably testing their attacks somewhere where they wouldn't get noticed. And fortunately through a series of fortunate events, we actually were able to detect them and catch that in process. But we know people are interested in doing that stuff.

How do they know that someone's in their system? Let's pretend that it's a nation state or someone waiting for an opportune moment to shut down the system. If they're in and they're waiting, or what is the circumstance under which the vendor realizes, “Hey, the system has been compromised,” if the actor is not doing anything?

Oh yeah, and they're living off the land, they're using PowerShell, they're using admins' full-on credentials. It's real hard to detect. They're not using, like, Stuxnet, you know, they're not doing that stuff. Living off the land is just really hard to detect. And it's 10 times harder to detect in these legacy systems where there's no, like, EDR and there's not even, like, PowerShell logging necessarily on the systems, things like that.

It's much harder to detect there. There's two factors. One is just luck. Like the company gets acquired and the new company has a cybersecurity team or, like, they bring in a consultant or something. The second one is maturity is improving. Companies are starting to build detection. They're starting to put monitoring appliances in and they're starting to look at what's there and they're finding really old compromises. I get called in on a lot of incidents that are six months to six years old or older.

They finally put in detection, and this is a state of things—come help figure it out. It could be commodity malware, and it could be state adversaries. It's just like untangling it all at that point. And yeah, everybody's kind of getting to that state or a little bit beyond it, just like starting to see how bad things are.

What is the process that you would go through? If a company calls you, “Hey, we just bought this critical infrastructure. We put in sort of surveillance and monitoring and we realized there's stuff going on that shouldn't be going on. We think stuff's been compromised. We don't know what's been compromised, who's compromised it.” What's the process? Like you said, it's not like you can say, “Well, let's just turn it all off. We'll replace all the hardware and then turn it all back on.” You can't do that. So is it a little bit of playing kind of cat and mouse in systems as you're patching and putting in protections?

Yeah, it's tough. Like I said, this is a very different space to work in. First of all, you need an incident response plan just for OT. Who are you going to call? How are you going to make those decisions? What actually matters? Like that's all different. How you do containment is different in those environments. How you do recovery is different. That's all completely different. I will plug a white paper. The SANS Institute has a white paper out there called the Five Critical Controls for Industrial Cybersecurity, and I highly recommend that.

It's got five simple things that you can start on. They get very complex as you get more mature in them, but they're things like secure architecture and remote access control and having an incident response plan and doing some basic vulnerability management and all of those things together, plus, like, detection, actual detection on the network, give you a place to start, like, to tackle this problem. But it's not easy. Like, it's a long-term thing.

For people that have old systems and maybe you're not a, you don't run a municipal water plant, but you know you have old systems and they may not be critical to the local population, but they're critical to their business. And if this 40-year-old piece of machinery goes down, the production line goes down and now I've got 40 or 50 employees that aren't working.

I've got to lay people off, and where do they start? Like, “OK, we want to make sure our systems are safe. What's the process? If there's only a hundred of you in the world doing this, like, what are the steps that they should be taking to try to get ahead of the game?

I mean, those five things, you really start in those five things. I'm not marketing this. I understand that's like a paid educational institution and things, but I really agree with everything in that paper. It's just like these basic things. Start with the basics, start with the fundamentals. You really have to treat this like you're back 20 years ago, you've gotten in your time machine, you're in the TARDIS, you're going back to, like, 2005.

You've got to go back to, like, what is our network map? What assets do we have? You have to start there and then you have to start with those basic security controls. It's not jumping to, like, EDR solutions or anything, AI, anything. It's like, “Hey, what computers do we have?” That's where we're at. Just start at the beginning and just do a little bit. It's layers of deterrence to keep these adversaries out and detect them before they do something purposely malicious.

They might stay in an environment for 20 years before there's a geopolitical reason to make something right. You might have quite a bit of time to detect them. Just start with somewhere, start with the basics and don't get overwhelmed by trying to jump into everything at once. There's another good framework I can plug. The Department of Energy has a framework called C2M2 and it's cybersecurity maturity modeling. What they have you do is rate where you're at.

If you're wondering, “Where do we stand compared to everybody else,” that's how you figure that out. It's a self-assessment. It's like an Excel spreadsheet and you go through and you check, like, you rate yourself in a bunch of different OT cybersecurity capacities. Here's where you are, like maturity level, compared to other organizations in general. And then this is what you're jumping ahead on and these are the foundations you haven't done yet. That's another really good one to start out with.

Gotcha. For people that are kind of interested in this field, like it's not going to be your traditional, “Hey, go to college and get your cybersecurity degree and all the modern techniques of things that are happening on all the modern systems since this stuff is 20, 30, 40 years old.” What's the training in this industry like to train for working with these systems that don't do the things that modern systems do?

I do a lot of mentorship and boy, the market's really bad right now and something I do tell young people who are thinking about getting into cybersecurity is first of all, be aware of how bad the market is. It's a real bad time to be getting into cybersecurity. But on top of that, legacy and OT are good spaces to get into because nobody's getting trained to do them in their colleges or universities because even computer science degrees today don't have time to cover, like, legacy computing.

Everything from mainframes in banking to OT systems in industrial environments, there's a lot of need for stuff there. A lot of people are retiring or other things. They're not there anymore. I would like to retire someday. It's challenging for us to hire people. It's really hard. We need people, we aren't asking for them to come in with a suite of industrial knowledge. We're asking for juniors. We would like to have them have some exposure to being in a process environment. It doesn't need to be as an IT or a cybersecurity person. Just like, hey, did you spend some time working in a shipping facility? Did you have a summer job working on a farm with agriculture technology? Do you understand what's important?

That sets priorities of what actually matters in the world and thinking about how stuff works, like how systems of systems work together and not just hyper focusing on an exploit or a domain controller, things like that. A little exposure to industrial stuff. If you can job shadow one, if you have family who work in an industrial facility of some sort, like try to get some time understanding what they do.

If you can't do that, find one process that really interests you and spend like a month hyper focusing on that and learning all about it from top down, what happens, what can go wrong, what's involved, what devices are there, what vendors, et cetera. That's one thing. And then the other thing is just, like, learning how to use old computers. Unfortunately, the last generations, the newest generations, sorry, they don't necessarily have to build their own computers.

They don't necessarily have to code a website or set up a network. Everything just kind of works out of the box. And that's not your fault. This isn't, like, generation bashing, but, like, you need to be able to do that stuff to do the job that I do. You need to do hands-on legacy computer builds and network setups. I need to understand all that old-school computer, 20, 25-year-old computer stuff to do my job. If you want to do this stuff, you're just going to have to get exposure.

You can download this stuff. You can find it on the internet. It's not hard to get a hold of old computers, or old-computer virtual machines, networking equipment, things like that. But that is something you'll have to focus on heavily, because you're not going to learn it in school.

Find some token ring network hardware.

Sure, get that running. Boy, that will teach you command line. That will teach you frustration, rage, networking, like, whatever. But you need to really think about, like, I've run into people who have come out of a cybersecurity degree program and don't understand how a file system works or how a packet works. Really concerning. I cannot use them to do this job. So be cautious, do self-study, understand what you're missing on foundations.

OK, and so is there a particular interesting story—that’s fun and scary, should be used in the same sentence—but an interesting—any interesting incident responses that you've done that you can talk about?

Yeah, so that's the hard part, yeah. The scariest ones are ones you'll never hear about in the news, and I respond to a lot of those. Obviously, there's a lot of reasons why critical infrastructure providers don't want to talk about incidents when nothing has physically happened to them. But, like, things I found: adversary groups in water treatment, traffic, like, control systems, smelters that do, like, hot metal, chemical plants, biopharma that I found long-term adversary persistence in.

People thinking about doing something in the future and building the capability to do that. A lot of scary stuff. The funniest story I have that I tell a lot of people because I'm allowed to tell it is the time I got called in because somebody thought that there was a state adversary in their power plant because it turned on in the middle of the night by itself. And after a day of frantic forensics and everybody freaking out, it ended up being there was an extra computer out in a shed in the wintertime next to the end.

It was a touchscreen wrapping out a computer. I had to leave Paint up overnight on the screen to find out that bugs were landing on it all night. Eventually, after years, they finally hit the right sequence of buttons to turn the power plant on. But yeah, it's just, like, a bizarre space. But yeah, I mean, like, 99.9% of things that fail in society and industrial contexts are still, like, maintenance or humid or things like that. It's just a growing small percentage of purposeful attacks and preparing for future attacks. It's really concerning.

Are the vast majority of the issues human error?

Usually it's equipment failing. That stuff is expected to happen in industrial environments: wells break and sensors die over time, and pieces of even industrial computing equipment will start failing in weird ways because they're very simple computers.

They start throwing out more ones than zeros when they're supposed to alternate between zeros and ones. They don't just stop working.

And it's very exciting because, again, a thing you will appreciate, and I hope other listeners appreciate, is, like, the network module is still separate on the PLC. It's a separate device; you've had to tack on a serial converter to network it, so that can fail in all kinds of interesting ways. That can go down with a PLC still. The network module can stay up while the PLC's down. Like, it's very exciting.

I suspect you've run across lots of rodents-ate-a-wire sort of situations. Or, you know, like something rusted and it failed because something rusted as opposed to–

Sure, I mean, they're incredibly inhospitable environments. I work in mines and in deserts and things like that, in frozen wastelands in the Arctic north and south. There's a lot of reasons why things fail, and not just degradation, but also theft of things like copper, cutting of fiber, like, all those things play a factor too. You really have to think about things. It's the overarching system of systems and what could be. You'd have to hypothesize about what could actually be happening.

What are all the weird reasons that this might fail?

Yeah, and what's likely. And then once you eliminate everything likely, whatever's left, no matter how unlikely, is the reason.

Exactly. I'll ask the question, and if you don't want to answer it, don't answer it. When industrial systems are taken over with ransomware, are the ransoms more frequently paid out than in other situations because it is critical infrastructure?

I don't think anybody's got, like, a really solid number on that. There's a couple numbers you could ask me, like how many ransomware attacks happen a year and, like, how many organizations pay and how many of them are detected where nobody really has a full picture because so much stuff goes unreported and undisclosed and, like, different vendors.

I work at a company that just does OT, industrial cybersecurity. Other people work at MSSPs that just do IT cybersecurity. We don't see the same customers, and we don't see the same adversaries. Nobody has a full picture. Like, the Verizon DBIR tries to do it. They really do a good job. They do their best. But there's so much data out there nobody has. There's certainly more motivation, psychological motivation, to pay. Yes, I see a lot of organizations pay.

To me it's things like hospitals and critical infrastructure, municipal water, power, sewage, all of those things. “We can't have this go down.” I can see that they really would be a particular target for…

They can't go down. It's visible when they go down. Incredibly visible, impactful to the population psychologically. And they're less defended. They're more exposed, less defended, older technology, less security tooling. Yeah, of course they're a desirable target and the adversary groups know that.

Yeah. So as we start to wrap up here, if people want to get a hold of you, if they want to learn more about this industry, if they're like, “I love taking things apart and figuring out how systems work, and I've taken apart heavy industrial equipment and rewired it and…”

Good on you. That's expensive and takes up a lot of space in your bedroom, but good on you.

If they want to learn more about the field, if they want to connect with you, how can they find out more about the field, and how can they connect with you?

I am terminally online on most social platforms. You can most easily find all of them on my blog. It's https://tisiphone.net/. I think that will be linked with the blog, but that's my blog. I do a lot of educational content. There's also free mentorship if you want to sign up on my calendar. If there's a bit of a wait for it, I apologize, but I do that. And all my social links are on there. I'm active on Reddit and Bluesky and Mastodon and Instagram, et cetera. Happy to help if I can.

You mentioned you do free mentorship. Why do you do that?

Because nobody helped me. Well, originally it was because it was a cool industry to get into and nobody helped me get in. And I had a hard time finding help breaking into cybersecurity. And then recently it's become, oh, my God, the market is horrible. I feel so bad for these young people who are graduating and can't find a job. Now, it's mostly putting out fires and trying to desperately keep people in the field. So yeah, a little bit of both.

I'm glad you do that. Lots of people are like, “I worked hard to get where I want and I don't have time for this.” I appreciate that. That is something that you have chosen to do voluntarily.

I try. I try to make things a little better. The world's pretty dark out there and we also do what we can to improve things a little bit.

Yep. Lesley, thank you so much for coming on the podcast today. I really appreciate your time.

Thank you so much for having me.

About Your Host

Chris Parker

Chris Parker is the founder of WhatIsMyIPAddress.com, a tech-friendly website attracting a remarkable 13,000,000 visitors a month. In 2000, Chris created WhatIsMyIPAddress.com as a solution to finding his employer’s office IP address. Today, WhatIsMyIPAddress.com is among the top 3,000 websites in the U.S. 