Cloud Security in $25 Billion dollar Company

View Show Notes and Transcript

Episode Description

What We Discuss with Kurt John:

  • Cloud Security in a Large Organisation and the challenges that come with it.
  • Cloud and Cloud Security in the Operation Technology World
  • How Product Security and Enterprise Security is approached?
  • The impact of Covid-19 on cloud transformation.
  • Impact of Edge Technology and 5G.
  • How beginners can expose themselves to OT security?
  • What happens in the world of OT and SCADA to help businesses with cyber readiness?
  • Should security be turn on by default?
  • Charter of Trust
  • Whats next for SCADA (Supervisory Control and Data Acquisition)?
  • And much more…

THANKS, Kurt John!

If you enjoyed this session with Kurt John, let him know by clicking on the link below and sending her a quick shout out at Linkedin:

Click here to thank Kurt John at Linkedin!

Click here to let Ashish know about your number one takeaway from this episode!

And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.

Resources from This Episode:

Ashish Rajan: Hello, and welcome to another episode of cloud security podcast with Virtual Coffee with Ashish. Today’s topic is interesting because you’re talking about what does cloud security look like for a large company? I just say on a really large company, but number I’m just not going to talk about the number over there, but it’s a really large company.

Everyone knew about it, and I’ve used their mobile phones when they used to be a thing as well. I’m going to continue suspense for a bit before I do that. All these episodes get available in audio format on the website below, and you would be able to hear them from tomorrow onwards, but otherwise, feel free to follow our YouTube.

We are on Twitch as well, seems to be on Periscope, but I know LVR. So my name is Ashish. And before we get into this episode, I do want to have a word from a lovely sponsors

Hello, my name is Anthony Young with Bytechek. Thanks for watching. Thanks for listening to the cloud security podcasts with the one and only Ashish You’ll experience knowledge and stories from the world’s leading cloud security folks, subscribe, [00:01:00] Apple podcast, Stitcher, Spotify, Google podcasts, overcast, Amazon music box and YouTube weekly live interviews from cloud security leaders and practitioners from around the globe available on all your favorite platforms. Listen on cloud security podcast.tv.

This episode is sponsored by Bytechek. The days of manual audit requests. Over buried in compliance emails over build, manage, and assess your cyber security program as well as complete your SOC two audit faster all from a single platform. www.bytechek.com. Let’s make compliance. Suck less now. That’s a bytechek

yeah.

So thank you Bytechek for the sponsorship and I’m going to bring my guests over Hey Kurt, How are

Kurt John: you?

I’m doing really good. Ashish how you doing, man?

Ashish Rajan: Good man. Thanks for coming in, man. I’m so glad you could make it. And I’ve got all these questions in my mind about how do the big [00:02:00] guys do this?

We’ve got a few people coming in already. So I’m looking forward to this conversation, man. And it’s a tradition over here in virtual coffee of the sheet. I’ve got my coffee here.

What have you got?

Kurt John: Macallan 12.

Ashish Rajan: Oh, I’ll tell you, man, like the modern times I’ve heard about Macallan 12. I just want someone to just give me a bottle. A great bottle.

Everyone has told me, I just cannot wait to try it when I come to America, man. Thank you for coming for coming in. Cheers, by the way. Cheers.

Kurt John: Cheers.

Ashish Rajan: All right, so first question So what, how did you get here? How did you get what’s your cyber security journey?

Kurt John: Yeah. Thank you guys. I’m sure. How did I get started in cybersecurity? You know, it’s interesting. I’ve always had an interest. I remember the very first time that a thought occurred to me is when I had a couple of friends of mine who came over and brought a whole list of dial up numbers. And I asked myself, why is it that we can dial up to the ISP free of charge and just get on the internet?

But fast forward to about [00:03:00] 2010 after my undergrad in computer science. And I got started in the consulting industry. My boss at the time came to me and say, Hey, cybersecurity is going to be a real thing. Are you interested in doing a couple of certifications? And so I did so a couple of audits certifications as well as certified ethical hacker certified penetration tester.

And so I had a very, somewhat technical start to cyber.

Ashish Rajan: Interesting. So, and you were back in the phone generation as well, that wasn’t really called phone hacking. Wasn’t it? It was more like by number freaking that’s the word I was trying to see.

So. You’ve landed on cybersecurity. And now you kind of like, you obviously, you’ve seen a few variations of it. You’ve seen freaking you’ve seen on-premise and now you’re looking at cloud security. So now Siemens is like the number one industrial software company.

I use their mobile phones when I was a kid. So they’ve the big guns have been there for a while. So now it’s the cloud security. Well, so what does cloud security mean for you?

Kurt John: Oh, that’s a really good question. As you [00:04:00] mentioned. So over the past 10 years, Siemens has done roughly about $10 billion in software acquisition.

We did our, obviously our own home grown development as well, which is what propelled us to, to the number one software industrial software company Siemens itself has a pretty significant cloud offering as well as a product we call MindSphere. And so the way we view cloud is sort of

two different ways. The first is internally. And how can we leverage it in order to be more efficient, effective, and get to market faster. And the second obviously is with our customers, right? Because you got to think through those very differently. Both the emphasis is on security, but one is how can we streamline and ensure that we’re leveraging it as best as possible to make sure that our operations are efficient.

And the other is how can we leverage cloud to co-create collaborate with our customers in order to provide them what they need to succeed. And so those are the two approaches. And you know, on the one hand we have a very [00:05:00] strong internal team, right? About 1300 professionals globally who look into cybersecurity and cloud being a part of that.

And then on the other hand, we have what we call product and solutions security professionals. And these are the people who are focused intently on our products and ensuring that they’re ready for prime time.

Ashish Rajan: That’s very interesting. Sounds like you have a lot of varied spaces as well.

I guess a lot of organizations I speak to you on the podcast have cloud security, but they’re more, they have one product or one stream that goes, you guys have IT and OT, I so I guess I’m curious to hear what are some of the challenges you face, I guess.

Kurt John: It’s massive. So if you think of Siemens that say in the U S specifically, you have what we call mobility. So those are our trains or train sets, including software, such as positive train control or track controls. When people say we have our digital industries, which are factory automation just software.

To help with digital twins and then you have our [00:06:00] smart infrastructure. And this is the folks that do smart buildings as well as energy as a service, basically the grid edge. and each one, so Siemens in the U S for example, is $25 billion. And each one of these verticals is a behemoth onto itself.

And their go to market strategies are going to be different, whatever they need to do in order to succeed is. Is what they need to do. And so it’s not uncommon for a particular vertical to leverage a particular configuration or cloud provider in order to support their go to market strategy.

So what you want to do is try to abstract as much as possible because individual cloud providers might be different maybe in. What they call a configuration setting or the way they allow you to access, right. A certain cloud environments, but the broader strokes are, tend to be somewhat similar to concepts, tend to be somewhat similar, right?

Controlling access. And showing your configurations, correct. So you want to abstract from a cybersecurity perspective, you want to [00:07:00] abstract as much as possible. Those rules, configuration settings, expectations, policies and provide that to the, you know, the business so that they have sort of a roadmap of how they need to interact with the cloud environment, regardless of what its particular policy or rule is called.

And that’s, that is. The biggest most critical way to ensure that the business has a good approach in terms of security.

Ashish Rajan: That’s pretty interesting. I didn’t realize you guys were in the smart cities as well. I mean, yes. Each one of them, each one, even trains, like, I can’t even imagine like the technology, like, this is what people say as operation technology.

Right? So it’s kind of where we kind of creeping into that world where the scar of the world and all that, but yeah. What role do you see cloud and maybe even cloud security play in this operation technology world?

Kurt John: You know, man, that’s a really good question. Not what maybe 10 years ago, the predominantly most effective way.

For people to leverage [00:08:00] operational technology was like you said, a scary environment that was an Island onto itself, not connected to anything else. You know, black screen green text valves opening, and closing. Now you have a situation where you could remotely operate critical infrastructure. So from the power facilities to water treatment plants, and What cloud is going to allow us to do so let’s use COVID-19 as an example.

So we know for the white collar workers the majority of them got to stay home and work from home. A lot of blue collar workers still had to go in and a lot of our even Siemens employees are critical infrastructure folks who helps support the U S infrastructure and keep the lights on and fun fact, by the way, about 30% of the power generated in the us comes from Siemens equipment.

So 30%, 30%. Yeah. So, so a lot of our folks were deemed and you know, critical personnel because we had to keep [00:09:00] this stuff moving what you’re going to see. And I think what’s going to get accelerated when it comes to OT and cloud is to be able to do some of the same things that white collar workers were able to do.

In other words, pivot to home, right. And be able to remotely control, assess, monitor, analyze and you know, flip virtual switches in order to ensure that, these critical infrastructures are working correctly. So I think you’re going to see a lot of utilities. Pulling the trigger on virtualizing, digitizing, digitalizing, their infrastructure in order to support that type of environment.

And not just in anticipation of the next pandemic, but it’s cost effective. It’s fast it reduces costs. It allows more responsiveness, faster response times. It’s just all around, just a better way to go.

Ashish Rajan: That’s interesting. So would you say, and I guess to your point, because the virtualisation of operation technology is really interesting from a [00:10:00] perspective that yeah, traditionally these, I guess scada systems kept offline for a reason, I guess, but so it’s really interesting to see that world change and adopt while being on the internet, for lack of a better word, because coming from a scada world and coming from a freaking well as well let’s just say, scada were never known for being the highest security standard.

That’s why they were kept isolated. Yeah. That’s right. So does that mean the challenges? To what we were saying earlier, we’ll also include things like, Oh, how do i securely virtualize, these I guess these internet operating technology machines, if that’s what the right word would be, where do you see that as a challenge yourself as well?

Like, or is that quite mature in a space?

Kurt John: Unfortunately it’s not very mature and this is the same and IT has a different problem. I think it, the increasing complexity, the speed at which technology changes it gets aged out. You got to bring new technology in and just these microservices that gets spin up and [00:11:00] then spun down just to do two or three transactions.

It’s. Difficult to undo from the cybersecurity perspective, to try to monitor that tons of great startups, as well as some interesting concepts that are coming out to help us to better govern that OT has a different issue. I’ll give you an example. I remember when I first joined Siemens I was talking to someone out of the UK and he was telling me a few different stories, some interesting stories.

For example, he was explaining how our equipment was used to get you know, to process energy that we get from the ground. And so. One of the things that he was telling me is that Siemens in the 1950s sold a turbine to somewhere in the middle East and this turbine was so fantastic. It drove a lot of the energy production for this middle Eastern country.

And they fell in love with it. I think they nicknamed it like the beast or something like that. And so they call us up in like 2006, right. When it [00:12:00] starts to have some issues. And they’re like, yeah, we need you to fix the beast. And so someone hops in a plane flies out there, they’re like, Oh wow. This thing is like over 50 years old, here’s a list.

Here’s a list of some new turbines that are more efficient, more and so on and so forth. And the customer at the time was like, ah, no, we’re good. We have very deep affection for the beast. And all we need you to do is to keep the beast running. So whatever you need to do to do that, you do that. And so. That story to me is indicative of the challenge for cybersecurity and OT, which is in the it space is three to five, maybe max seven years, right?

In the OT space, you’re talking equipment that’s decades old. And so, you know, we’re going to find a very interesting transition period, moving from the old way of doing things to a more digitized and digitalized way of doing things. Where are you going to have [00:13:00] those equipment that are like decades old?

And that requires a particularly creative approach to how to secure or maybe protective perimeter of equipment. That’s that old nevertheless. It’s possible. And so I think what you need to see and what you will see is equipment providers such as Siemens who take cyber security, seriously building security into their products.

By default and turning it on by default so that when it’s shipped, the customer actually has to turn it off, but more importantly, developing and making available equipment, which can help protect that older equipment as well. And so that’s the challenge, and I think it’s incumbent upon all of the various providers of these types of technologies to one, right.

Take cyber security seriously, to ensure that The enabled security by default three ensure that they have an incredibly robust supply chain, right? Because that’s super critical. None of us are an Island in the [00:14:00] U S Siemens’s has 15,000 suppliers globally. I think we have like 250,000 suppliers.

So we’re only as strong as the weakest link in this case. , depends on the criticality of the part. So all that I think the providers such as Siemens and Siemens does take seriously in order to, to provide this stuff.

Ashish Rajan: That’s awesome, man. I think I, and you’ve explained it so well

you know how we talk about patching insecurity? Like, Oh yeah, we should do a windows patching patch Tuesday, like, like a thing, like there’s no patch Tuesday in operation technology out there. I’ll tell you this, right? My parents were old school as well.

And. Or we had this television thing that my dad loved, like current television, but with the ginormous back, you had that for years, he would not move to one of those OLEDs or whatever. Like now why do I need to change that to like, I mean, it’s not like still works. But so that just remind me one of those ones when the beast story, but it, like, he loved that television.

He did not get rid of it until that [00:15:00] television died basically. And he could, there was no one to repair it. So it reminds me one of those ones where. You grow so much affection to it, but I’ve got a question here. I think it’s kind of ties in really well into our conversation right now as well.

So Houston is a previous guest has as a great friend as well. massively into Skateboarding outside context Does Siemens separate product security from enterprise security.

Kurt John: Yes and no. So that’s a really good question. And allow me to ramble for a bit, conceptually when it comes to cybersecurity, we try to take a holistic approach because one affects the other, as you can imagine.

Let’s say we develop a product which allows an organization or a manufacturing facility to create a digital twin. Right. And that’s digital twins are really, really cool for those that don’t know. In essence, if you need to build up a new manufacturing facility, instead of moving stuff around and trying to figure out how it’s going to fit you open up a computer program, you create a digital twin

you can actually model your floor plan. Simulate your [00:16:00] production and you can get very, very close to what your manufacturing facility needs to look like. Which means you save time, costs, resources, et cetera. But in order for us to develop that software, you got to imagine that there’s an R and D let’s call it enclave within Siemens.

Where the coding is done, testing is done, et cetera. And that is, what we would consider from more or less enterprise security and that R and D space after it’s gotten sufficiently mature, then translates to a product which a customer would buy and leverage in order to create their digital twin.

So conceptually at the highest level, We don’t, we call it cybersecurity. That’s why I’m called the chief cybersecurity officer. I’m not necessarily a chief information security officer, which tends to be it. And that’s because conceptually I’m responsible for both the product as well as our enterprise.

But because they required different [00:17:00] skillsets and expertise what we have is we have people who specialize in enterprise security, and then we have people who specialize in product security for example, my team, as the cybersecurity team were able to ensure that we’re talking with each other, we’re speaking to each other , and the whole value chain gets protected.

But it’s more of a collaborative effort because of the individual expertise that are needed for both.

Ashish Rajan: Wow that and adding on to the risk and compliance and governance has filled that I’d probably add another adds another layer because you had that, I think the supply chain that you mentioned, like enormous month’s supply chain.

So the risk as well, hopefully that answers your question, Houston. So feel free of us to follow up question. If you have one

Kurt John: I think you’re going to see because of how prolific cloud is going to get, I think IT departments are going to have to start to transition from an infrastructure environment, so to speak strictly speaking to more of digitalization and [00:18:00] operations.

Environment. In other words ,IT is going to need to become more like advisors. Okay. This is what you want to do. This is the speed to market you want to do. This is the costs you need to manage in order to get this margin that you’re looking for. Okay. This particular cloud provider, along with these two other suppliers is going to be your best bet.

So it’s going to be fascinating to see how IT environments handle this. Because they’re going to need to become expert advisors. Be part of the businesses, go to market strategy very early on and supporting that entire value chain and helping the business to create a really vast dynamic, flexible technology ecosystem that allows them to go from concept to market in half the time that it does now

Ashish Rajan: interesting. We spoke about pandemic and COVID a bit earlier, has that accelerated all this? Like, do you feel like the adoption it’s like, Whoa, how do you see that [00:19:00] change? How has the COVID thing affected this kind of transformation?

Kurt John: Huge. look in my opinion. I think the companies that are out there fall into two buckets, either they have put a complete, full stop on their digitalization journey, or they have leaned all the way in on they’ve pulled the trigger in everything that they had on the books for digitalization, obviously pending.

Their budget or availability of funds. They’ll pull the trigger on that. And I really think the people who don’t pull the triggers because they might have a funding issue because companies, when COVID happened, either you were able to pivot to work from home and leverage technology in order to remain efficient and effective.

In which case you see the value and you’re going to lean all the way in or you weren’t. And you miss out on either the efficiency and there’s the continuity of operations or another example would be companies who weren’t able [00:20:00] to modify their operations in order to pivot, let’s say, for example, a manufacturer masks when they used to manufacture beer, right.

Or scotch, I dunno. And so I think when COVID happened, Everyone sees the value of having a very robust digitalized infrastructure that allows flexibility and speed. And I believe for the vast majority of people who don’t pull that trigger, it’s probably a funding issue.

Ashish Rajan: That’s even more interesting because that kind of ties in really well into the virtualization conversation we had about OT environment as well.

I wonder how many OT environments accelerated their digitization product I kind of have to ask about 5g because it’s been on my mind for some time. We kind of spoke about COVID and just before the whole COVID thing started, everyone’s talking about 5g and I’m not going to go into conspiracy theories.

I’m sure to this, like a government agenda somewhere. But how do you see the impact of edge computing or 5g? What would that be on this? Like IT and OT will be kind of moving into, especially for [00:21:00] critical infrastructure.

Kurt John: Transformational, I’ll tell you that. I mean, 5g is going to be having an impact across the board from education to to medical too.

But let’s talk about OT. When you combine 5g with edge computing, with industrial IOT the only way to really take advantage. Of those technologies and including artificial intelligence, machine learning and so on is through cloud computing. Yeah. Cloud computing is the shortest path for the vast amongst of data that 5g and that connectivity would produce is the shortest path in order to analyze correlate, and then come up with responses for what that data presents to you.

And so. 5g imagine this, for example, I think this is a good example. Imagine right now their manufacturing facilities, it’s in their best interest to reconfigure their floor plan because of new technologies, because of some inefficiencies of how it was first laid [00:22:00] out in order to let’s say, even with a digital twin, for example, in order to move that around.

It’ll take, let’s say anywhere between four and six weeks when you have a manufacturing facility whose revenue daily revenue is, let’s say two, $3 million. Even if you’re to try to shut that down in portions, in order to minimize the impact, you’re still talking significant value over the course of four to six weeks, even if it’s a week.

That’s still a lot. Imagine then you have your own private 5g network that spans your manufacturing facility. And instead of having to rerun cables and reconnect and so on, you’re able to do everything in two hours versus two weeks. Right. That’s one example of how valuable a 5g network can be, but even beyond that 5g increases the size of the pipe that data can flow through.

And it also increases the speed is like going from a two lane road to like a 15 lane highway in both directions. It’s interesting stuff. [00:23:00] And so. When you have that large degree of data flowing between devices and available what you’re going to see is there’s going to be a big drive for artificial intelligence, machine learning, data analytics.

For another example, Siemens has a service where after we’ve sold you a turbine. And this is probably another good story. Typically when turbines are sold, there’s a maintenance schedule. And if you can think of, for example, a few turbines out on an oil rig, trying to pump oil out of the ground, for example, this is like years and years and years ago.

Shut it down in order to do planned maintenance, typically that plan maintenance will take about a day, right? And if you have a particularly large oil field, and the reason I’m using this is because it was from many, many years ago, right? We’re still Siemens as a company is transitioning to focus on renewable energy.

If you’re doing like a million barrels a day, that can be a lot of revenue. So then one of the things that we did is when we ship our turbines, we have this service, [00:24:00] which monitors the turbines and. Based on the data we get from the turbines, we can, with a reasonable amount of certainty predict when a turbine might fail.

So instead of now having to shut down once a quarter, four times a year for one day, right? Which is millions, if not hundreds of millions, of dollars of revenue loss, We can say, just keep running, we’ll give you a call and it might be once a year, it might be zero a year. And so that’s an example of sort of the analytics that comes with data.

So to picture the size of the pipeline, the amount of data that you’re getting through 5g, just growing exponentially. So long story short is this I do believe that 5g is going to have a major impact on the manufacturing, OT space. Cloud computing is going to be the primary method for taking advantage of these new technologies.

And it’s going to introduce a never before seen flexibility, speed and just efficiency of how OT [00:25:00] manufacturing spaces work.

Ashish Rajan: That is, that’s a great answer,

Kurt John: I felt like I talked for a long time there.

Ashish Rajan: That was good, man. You a great story. It’s interesting for me, especially coming from primarily an IT world because the OT world seems like, I think we had a guest in the past Parul and she was from a Canadian company which worked in the operational technology space as well.

And we were kind of mentioned to the whole nuclear plant conversation as well. Like, you know, cause that’s a real thing. When you write a software and do some programming and you put out facebook.com, I feel like there’s not nothing touch and feel at that point. Right. But these are like, imagine a turbine.

Like you can’t avoid it though, by when you walk past it, you’re like, you’re not going to be like, I’m going to ignore this website. There’s no way you can do that. So to hear stories about how they do update is just fascinating, especially because. To do what you said, a lot of us in security may go down the path like, Oh, we should patch every time.

But imagine the impact on the business. When you switch off [00:26:00] a turbine for one day is millions of dollars. How do you justify that? Oh, you should patch. But why, and it does, and it doesn’t

Kurt John: even have to be a turbine. So for example, there are some printers by the way, Oh, they’re labeled printers that cost 50, $60,000.

And they they’re run constantly, especially for factories that have 24 hour schedules. And so just, you can’t even take it offline for five minutes because five minutes equals $200,000. So how do you patch that what’s the process for that? So it’s a very interesting space.

OT is that requires very creative solutions to solve these things.

Ashish Rajan: You have definitely gotten some people curious. Cause I’ve got a question from Hardik here is can you give us some recommendations for beginnnerrs to it now he’s clearly interested in this. I don’t know if do you wanna how do you wanna tackle this?

But I think they’re going to appreciate that some insight into this OT world.

Kurt John: That’s a good question. First, I mean, the most obvious route is obviously you, I want to try to, depending on [00:27:00] experienced backgrounds, certifications, and so on, try to get hired by a company like Siemens. That’s the first thing.

The second is you want to. Expand your network. I think people are more open to mentoring now than they ever have been. So that’s a very valuable way to go about sort of pivoting on your skillset. The next is there are some classes out there that you can take. And you’ll want to look into those.

Another example perhaps is there’s some companies out there that offer what we call cyber ranges. Siemens has one as well. Why did you write no use predominantly by educational facilities as well as our customers? You know, we’ll see in the future, how we pivot on that to make it available, for example, to the public, not it isn’t right now, but that’s another thing.

Siemens isnt the only company with one, you want to look into those companies because what that’ll do is. Especially if you’re a fairly technical person, is it would expose you to sort of the inner workings of a power [00:28:00] utility company or a water treatment facility. So you can see how it’s configured what the pieces are working together, play around with it.

So there are a few paths that you can take the start to get

Ashish Rajan: Interesting. That’s a great answer, man. And I just want to quickly add something because we did an episode on this as well. There were a couple of interesting points mentioned similar points, but exactly what you said, the commonality was this where try and get started in a company which already has.

The OT environment that you mentioned a couple of examples it could be a power grid. It could be a water plant, or there’s a lot of options. You see them all around. It’s just that a lot of people don’t really consider that there’s an OT part to it as well. They just think it’s IT so I think that that could be a great start to go into it.

So I’ll definitely recommend that. I think that answered Hardik’s question sweet and a hundred percent of mentorship. I think I’ve been mentoring people. I am sure Kurt would be open as well. There’s a lot of people, I wish they have a lot more mentoring when I guess we were coming up up, back in the day, I guess there was LinkedIn and other things to kind of get mentorship, but [00:29:00] nowadays everyone wants to help other people.

I’ve got another comment here considering 5g and renewable energies. Is there a big mindset change or prep work? Or R and D starting in cloud security area from Siemens. Cause that’s something you can answer.

Kurt John: Yeah, it is. We have a huge R and D department. and perhaps I should qualify what I mean by R and D.

We have development in networks where there’s something, there’s a product we’re trying to build over shore. We understand what it is and we’re building it, that sort of like a development environment that is working expressly to develop a product. We have R and D, which is a global research and development organization that spends, and we spend roughly $2 billion a year on that across a variety of topics, including cybersecurity.

So yes, we do do research such as digital twin. Cloud computing the impact on various businesses, including renewable energy. And so we do that and I do think for the broader community, or list of businesses that are involved in this space, [00:30:00] there is a mindset change that’s needed.

And I see it happening if the federal government is working on making 5g more equitable and more accessible. And once that starts to happen, I think you’re going to see that’s when you’re going to start to see sort of the snowball effect first in the consumer space. But then also in the OT space and in the manufacturing space.

So I think there’s a little bit of time for that mindset to take hold, but yes, there is a mindset change that’s needed. I think. The biggest difference now than before is if you look at how OT and the way it was done, it was very geometrical. In in how it was done. And now with the advent of industrial T with 5g and so on is very exponential.

That graph is just going almost at a 90 degree angle, the speed of change, and just the way you can combine technologies in order to, to be super effective. It’s just fascinating. And so we have [00:31:00] a little bit of time now, I think in the next. Let’s say five to seven years maybe is my prediction. And if that prediction is right, I’m going to quit my job and play the stockmarket because I’m really good at guessing.

But I think in the next five to seven years, that’s the horizon we have for all of us to collectively. understand the way that we’re going to engage with technology and so on is going to change dramatically.

Ashish Rajan: Its very interesting with the IOT pieces as well, because I guess if you do require IOT sensors and hardware, which traditionally have never had internet, how do you connect them and put them , on a computer somewhere as well?

A quick question from Sunil another great friend as well. In the IT security world, we carry out a lot of red team and tabletop exercise to train the company.

What happens in the world of OT and SCADA to help businesses with cyber readiness.

Kurt John: Really good question. That’s a really good question. And so what you have is a mix. Let me put it this way. I’ll have two answers for you. They’re sort of the Siemens environment [00:32:00] answer. And then there’s the broader you know, answer for the rest of the industry.

You know, so Siemens has a thing called the charter of trust is basically a collection of companies where we have come together and agreed on 10 principles, what we call cyber norms. And that’s because in the absence of a very strong international. Regulation or guidance on cybersecurity. We, the companies who have that touch point with the consumers, it’s our responsibility to take it seriously.

So that’s a big driver for what Siemens does in the cybersecurity space when it comes to OT. So whether it’s penetration testing of our training or penetration testing of our smart building technology. We do that. However, if I switched to like the broader answer for the industry, remember what I mentioned about.

Technology or equipment being decades old. So there’s some that were, let’s say commissioned two years ago that have adequate cybersecurity, but then there’s some that are still in existence that are like, you know, [00:33:00] 16 years old that may not. And so You’re going to see a variety of approaches to that.

Nevertheless, regardless of what let’s say technologies are used to try to help you prep or make sure you’re a cyber ready. Conceptually. It’s the same. You want to try to understand what your risk profile is across your equipment, and then try to reduce that risk as much as possible in some cases for the more modern equipment it’ll be.

Patching and so on. And then for older equipment, it’ll probably be the addition of a process or the disconnection of some equipment or in, you know, some type of integrated firewall to try to manage communications. But whatever the answer is, you’re asking the right question. And the question is how do I gain transparency of my risk profile?

And then what measures can I put in place to try to reduce that risk?

Ashish Rajan: That’s a great nil answer and I think Sunil agrees with you as well, but also gave you that share. You’re already good restaurant communicator of [00:34:00] experience. Thank you for sharing your experience. So thank you for that. It’s really interesting mix as well.

We kind of dabbled into 5g. We spoke about that as well and how that’s kind of moving forward. And you’ve touched on something really interesting. Initially when we started this conversation, you were talking about how siemens is providing security defaults to begin with and going forward with that, do you feel like in the cloud security or I guess cloud service provider space rather.

Is it a more, these guys could be doing like, you know, sounds like you guys are going down the right path. I mean, this is obviously an outsider’s view from the OT world. Sounds like by making cybersecurity defaults already in the product is a great way to go forward. But out of the cloud service providers not do this.

At least I haven’t seen this. So I’m curious, where does that responsibility lie? And. what are your thoughts on that?

Kurt John: My thoughts in that is , first of all, take cyber security. Seriously. That’s the first factor. The second is as long as you’re in a position to aggregate a large amount of data and correlate that data and analyze that data, you have some level of responsibility to try to leverage that, to [00:35:00] create better cyber security.

And what I mean by that is this Cloud providers, Siemens included are in a very unique position where we can sort of take a step back and see how various customers are using our products. and. No two customers are the same. So they’re obviously going to be very nuanced ways they’re using a product, but I believe the broadest strokes of how customers engage with your product.

There will be some similarities and it would be in everyone’s best interest. If you could gather, analyze, correlate that data and then provide some. At the very least insights on how users are using this for transparency, so that people who do use it or will be signing up, can think about, Oh, really?

That’s interesting. How should I be using this code environment all the way to. Possibly providing templates, approaches turning on stuff by default so that, yes, it’s a pain in the butt, but [00:36:00] customers actually have to go into the, the environment and flip switches off. I’m a big fan of like templates and so on that are modifiable.

So in other words, I have 2000 customers that are using my environment. These are the insights I’ve gained here to four templates that are most common to how customers use this. Feel free to modify it, but pick one, or we’re going to assign you one when you sign up so long answer short. I do believe everyone who provides any type of service environment, infrastructure as a service cloud, you name it.

We do have some responsibility to ensure that security is on by default and that we take it seriously because not all customers are created equal and everyone doesn’t understand how to deploy their environment in a secure way.

Ashish Rajan: Yeah. I love the answer also because I see. One on AWS example where it took them.

I think they have this thing called the S3 bucket retrieval storage, and everyone would [00:37:00] talk about breach, S3 breach. And a lot of people also spoke about the fact that there was an encryption by default. You almost would think that that should have been there by default. Why are we expecting someone else to make an informed decision that if I have storage, I should encrypt it.

Like, why is that a two-step process? It’s just like you have storage, it’s pre encrypted. I think Azure does this really well. That is pretty incredible. I don’t favor any cloud service provider, but it is definitely a mix is what I see . Somebody will take responses, ability in certain areas, which are probably because they’re in the news, but in the other areas, they’re like, it’s no, it’s just like, ah, let’s not worry about that one so far. So it’s really interesting that you gave that example.

So security by default in a way should be kind of. There should be some responsibility on the providers. That’s how, what I’m taking away from

Kurt John: Sure. I mean, call me a little bit of I would actually take some pleasure in knowing that customers are inconvenienced because they have to turn off security features.

I’d be like, great. That means we shipped a product that was fantastically [00:38:00] secure. And they just need you to take an extra 30 seconds to flip a switch off. I think that’s wonderful because the challenge that we’re facing now as a community, and maybe not even community, cause I’m not talking about cyber specifically, but as a group of individuals who are engaging with technology across, a variety of different verticals is that we have varying levels of maturity.

And in the absence of that maturity, it’s incumbent upon the people who have the resources and the knowledge to deploy that security systematically pragmatically and have. Folks who might not be at that level, take the extra step to try to turn it off. I can perceive how someone might see it as an inconvenience, but then the flip side is that you end up in situations where either your IP, or if you’re leveraging a cloud provider, your customer’s IP might be exposed and we don’t want to do

Ashish Rajan: that.

No a hundred percent. I want to change gears a bit as well and talk about [00:39:00] something that I would like your insight on and probably.

I guess my audience to hear about as well, charter of trust, what is it to begin with? Let’s start with that. I mentioned that

Kurt John: before. So Siemens is one of many founding members who came together and said, you know what? There is no international guidance and or regulation when it comes to cybersecurity, we are all, integral to how consumers or people, our society interacts with technology.

If we’re to take that role seriously, we have to take cybersecurity seriously. And in order to do that, let’s think through what’s the best way for us to leverage our Influence the products we have in order to make that happen. And so we came together, we had three objectives and 10 principles.

And some of my favorite principles for example, is security by default, right. Supply chain, right. We’re only as strong as our weakest link. Right. Education is huge for me. Because I think [00:40:00] that is, I always say education is the best way to unlock someone’s future. It’s the best way to connect people with opportunities.

And it’s the best way to make sure that as a world we flourish. And then there are a few other principals as well, 10 total. And so the charter of trust right now, I think we’re at 18 members and it is a connection of companies who just take these principles seriously and are integrating them into their very culture into their products.

Yes, of course. And services, but more importantly into the culture of the company so that when we continue to interact with society we have products that are secure, but our general approach for how we view that interaction with society is built upon. What, you know, I like to say is trust. I have a colleague of mine, Kai Hermanson, who says trust is the new gold.

And so that’s true.

Ashish Rajan: Yeah, I was going to actually bring that up. So I’m glad you brought up the [00:41:00] trust is a new gold. It is so true. And I think it’s the nuance of it. I was going to say to your point about the charter of trust. So anyone who’s listening and probably is part of an OT environment. Okay.

Can anyone be part of this or is this specifically for say, I don’t know if this is a region base. I imagine it’s only US.

Kurt John: No, it’s international. It’s international. And so we have IBM is a member, you know, we have, I think there’s a bank. That’s a member. Forgive me. I can’t remember all

Ashish Rajan: , I’m just trying to thinking for the people who are hearing the audience. They, some of them actually have operation technology, I guess, water treatment, plants, and other. So can they like, because they might feel inspired yet there needs to be a standard and can they just like join in?

I guess that’s kind of where I was coming from.

Kurt John: There’s two answers to that in order to actually become a member all members have to approve, so you’re free to apply. All members have to approve of you joining. But I [00:42:00] think the second answer is what’s is where the rubber meets the road.

As part of these 10 principles. We don’t just list the principles. For example, in principle number two, which are three, which is supply chain we actually came up with 17 requirements, right. And as an example, because all the members that we had on these 17 requirements, you could have been assessed.

By one member in those 17 areas. And then we in Siemens would, value that and take that as part of our own assessment of a supplier before we onboard them. So, We’re making publicly available the work and the effort that we’re putting into each of these principles. So that even if you’re not a member of charter of trust, you can actually go to charter of trust.com and download any number of the principles and underlying documentation that would help support how you approach in your own organization.

Each of these principles.

Ashish Rajan: That’s awesome especially because all the wealth of knowledge from global companies being shared on one [00:43:00] forum, especially in an operation technology space where some of the devices could be 20, 30, maybe 50 plus years old, having a standard there are, or even the.

The other half of the lack of standard, there is scary. So I’m glad that it’s at least a forum or for lack of a better word. This is a focus group that then goes and talks about they want to do the right way, I guess. How do you see this evolve then? Like, I think it sounds like there’s a lot of maturity coming into this space as well.

Yeah. I remember when I started in the whole cybersecurity space, SCADA was like super hot back then because they used to be these like elite people who can only pen test and you get the pen testing trains. Right. So I mean, for me in my head was SCADA devices were like, all these industry devices, imagine like a driver with like an IOT device or whatever, or someone just goes in and hooks into this line correctly is this world changing is this world evolving? whats that next maturity for SCADA, where are they going with this?

Kurt John: You know, you mentioned that it brought back memories when many years ago, when I was still doing pen testing, I actually [00:44:00] pen tested two major airports on the East coast.

And that was a little scary but fun, nonetheless. And that just popped in my head.

Ashish Rajan: Sorry, just to quickly, is there a Dev environment for them to test in?, like testing, like real. The production.

Kurt John: So you know that in and of itself, I mean, this was back in like 2012 13, but that in of itself is I guess a little bit scary too, that it was just production, but we were very careful. But still the results were still scary. I mean, but everyone, everyone sort of understands that. Yeah,

Ashish Rajan: I think there’s been some improvement,

Kurt John: major improvement in those, in those areas in general.

To answer your question, which is what’s next for SCADA? I think right now, SCADA is used as a catch all bucket. It was initially as, you know, a very specific system, right? Command and control system. I think now it’s used more like a [00:45:00] concept, which is to cover OT in general. I think you’re going to see in the next one to three years, a lot of companies in that space reaching out and trying to figure out how do they digitalize this environment.

They’re going to be coming up with, you know, five to seven years strategic plans. They’re going to be spending money on how do I bring in. Industrial IOT not so much 5g yet. How do I use edge computing? How do I modernize? How do I create a digital twin? How do I prepare myself? So that as 5g comes into focus as artificial intelligence, make some progress as machine learning continues to evolve, I can take advantage of it.

So that’s a one to three year timeframe, sort of like a setup for leveraging future technology. And then from anywhere from the five to seven to 10 year timeframe is where you’re going to see a huge shift across the board in the OT space. [00:46:00] And it’s going to be less about SCADA more about.

Cloud computing, for example, did you know there were digital circuit breakers? So in other words if someone is at home the maintenance guy and, some type of power shortage has happened. Yeah. Do they need to go in there and physically move these gigantic industrial circuit breakers in order to flip the power back on?

No, they’re at home on their iPad and they hit us. They hit a button and then, the circuit breaker can flip on and back off a Mac on, so that. Which is it’s done today by a very specific set of companies who decided to embrace that is going to be the status quo in about seven to 10 years. And so what people should be thinking about now, if you’re in that space is what’s my strategic plan for the next.

Five to seven to 10 years. What do I need to do now in order to position myself, to take advantage of these technologies? What do I [00:47:00] need to map out in terms of technologies? Now that will give me the flexibility and the speed to leverage those upcoming technologies. Those are the types of things that people should be thinking about now.

And that’s where SCADA in general is transitioning

Ashish Rajan: to. That is awesome, man. I think, it’s so positive here, cause it’s really interesting how we’re looking at this and going, Hey, it’s not all gloom in this world. There are actually things that are happening in a betterment.

And there are technologies that are evolving as well, because I think one of the things that people should talk about was that, Oh, that’s just how SCADA systems are. I remember hearing that so often, like, and that’s why they’re never connected to the internet, but. It’s almost like you would be left behind if you don’t adopt these things.

So I’m glad that you’re seeing this trend. I just had a question about a public link, which I’ve shared, which was www.charteroftrust.com. Yeah. So that’s the answer for that? I’ve got one [00:48:00] final question, in your opinion, what are people not talking enough about in the whole OT space, cloud, security spacee or maybe even about Siemens it’s like, what are people not talking enough about? Like, I think we hear a lot about cloud security, cybersecurity and all that. And from where you’re sitting, what are not people talking enough about in this space?

Kurt John: I would say people are concerned about cybersecurity and they should be. However, what I think people aren’t spending enough time on, cause I’m a glass half full kind of guy is the market opportunities are just the benefits that comes from a strong cybersecurity approach. I remember reading somewhere and I can’t remember the source where it says 70% of organizations will use cybersecurity as a service.

And so. For those who are part of companies out there don’t view cybersecurity as just, how do I protect my enterprise? That is critical because without it, your company fails and then whatever you want to do else, do you want to do doesn’t matter? [00:49:00] So that’s the fundamental, however, People need to spend more time understanding the value chain of the business in terms of rule or principle Pareto principle, you know, 80% of something comes from 20% of something.

So in other words, for an organization, 80% of the revenue will typically come from 20% of the products, general rule, 80%, 80% of the mass. In the solar system comes from 20% of the planetary bodies, including the sun. So it’s just a general rule, Pareto principle. And so what you want to try to understand is what is that 80% of in your organization?

What’s their go to market strategy? What are the market conditions in which you’re operating? What are some of the challenges they’re facing? What does your budget look like? Okay. How can you pivot? And you cyber security, not just as a, the sky is falling, but it also. Here’s how we can provide additional value, not just to the business in terms of an additional revenue stream, but in terms of, to our customers.

So think [00:50:00] glass half full think Value chain think opportunity when it comes to cybersecurity. And I think that’s something. If people spent more time on the only can we cover the fundamentals, but we can really promote cyber security because it’s now a value driver in the business.

Ashish Rajan: That’s awesome.

And I think sounds like a lot of people already doing this fit the adoption of, I think people trying to go into a cloud and adopting it. Oh, yes. They teach discipline. Well, personally, I’m more tired than a boxing person, so yeah, I do appreciate the discipline. What’s your favorite cuisine or restaurant that you can?

It just really been an honor to have you here. man Has been really good. Where can people get in touch with you? If they have follow up questions on operation technology and all this.

Kurt John: On LinkedIn, right? linkedin.com/kirk M John, you can reach me on Twitter at the real Kurt, John. And those are the two primary places. I had tons of fun. Yeah. This is a fantastic way to spend a Saturday afternoon. Great questions. A great audience and scotch is yes. [00:51:00]

Ashish Rajan: Perfect, dude. I can’t wait to bring you back on again Kurt.

So I’m looking forward to this. Thank you so much for coming.

Kurt John: Thank you so much for having me now,