CLOUD SECURITY IN OPERATIONAL TECHNOLOGY VS INFORMATION TECHNOLOGY


Episode Description

What We Discuss with Parul Kharub:

  • Operational Technology vs Information Technology, what’s the difference?
  • Example of industries that use Operational Technology
  • How is the public cloud space affecting OT environments?
  • What is Industry 4.0?
  • What is IoT?
  • Why would someone move OT environment (physical assets) to Cloud?
  • And much more…

THANKS, Parul Kharub!


And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.


Ashish Rajan: [00:00:00] Welcome.

Welcome to the show.

Finally made it happen, by the way. Here she is.

Parul Kharub: [00:00:06] Yes, I do have my coffee mug, and actually I always pick my mugs according to how I’m feeling that day. So I’m feeling pretty nice. It’s Saturday here, I’m in Calgary, and I can’t be thankful enough that it’s a weekend. So cheers.

Ashish Rajan: [00:00:21] Cheers to that. You have to do a Saturday as well.

But first, for people who don’t know you: who is Parul, and what is she doing in this world of OT?

Parul Kharub: [00:00:34] Thank you very much. Hello everyone. My name is . You can already tell. I’m originally from India. That’s where I actually completed my bachelor’s in computer science and engineering, with a focus on computers, but also artificial intelligence towards the end.

And that’s where I completed my research work in expert systems as well. Right after that, I got into my first job [00:01:00] and that’s where I started my career as a software developer, where I was literally hands-on and coding in C# and Microsoft SQL, and websites and other cool stuff. But very soon I realized that my attention was actually getting driven to the other side, or the underworld, of software.

That’s what I call cyber. Yeah. At that point, so I’m talking about the early 21st century, validations and verifications used to be done only from a functionality standpoint, but not really security. And I’m just talking about Fortune 500 here. And that’s when I started to research in this field.

And soon after I got myself involved in configuration management, that’s where, you know, things start to get away from us and can actually cause big cybersecurity gaps on the software side of the world. So following that, I shifted gears, and in the very [00:02:00] initial stages of my career,

I quit my job. I moved to New York. That’s where I pursued my master’s in information systems management with a concentration in cybersecurity. Oh, nice. Yes. So that was kind of my, well, just taking a little step back: back in my first job, I actually identified a kind of access-related issue, and you know how the turnstiles work in offices.

So my badge wouldn’t read on those turnstiles and, according to the system, I was actually absconding. That’s exactly what my status was showing. I was absconding for two and a half months straight, where people were literally searching for me. And I was right there, working with everyone else, even talking to some of the HRs in the meanwhile.

And that’s where I actually went into the office one day and said, Hey, there could be something wrong with those things. And that’s exactly where it just hit my mind, and it was actually right [00:03:00] in the beginning of the job itself. So, like, two and a half months.

Ashish Rajan: [00:03:05] Wow. You’re pretty brave as well, by the way, I just want to give you a heads up.

I’ve got a doctor watching this as well. He’s got his own PhD and he’s a fan of the OT network as well. So,

Parul Kharub: [00:03:16] so I’m basically going to be grilled today. No,

Ashish Rajan: [00:03:22] he’s a good guy. He’s a good guy. So you’ll be safe.

Parul Kharub: [00:03:26] I appreciate your time today. And you know, it’s not just me sharing those things; I would love to hear some from you and the rest of the audience as well.

Ashish Rajan: [00:03:35] Awesome. Awesome. Yeah, we definitely want to make it more of a two way conversation as well.

The first question I normally go for, obviously since it’s a cloud security podcast as well: what does cloud security mean for you?

Parul Kharub: [00:03:48] So I think cloud security is something that, I always say to people, is like the next era of security, or of technology itself, where not only [00:04:00] is it going to bring the amount of human involvement down, but it’s also going to create challenges in terms of security: if humans are not truly involved to that level,

how are we going to control it? So as cloud has gotten its way into technology and gotten into all the automation and, you know, the automatic scaling and all that fancy stuff going on, I think it’s very important to realize the fact that now we are talking about velocity as well, and not just security.

So we also need to think, in terms of security, about not slowing down the velocity at which things might be running on cloud. And now is the time we should be thinking about those automatic controls versus having to go back and fix code ourselves.

So that’s where I really, personally, [00:05:00] connect those two together, and I see that as an opportunity for getting that innovation done in security as well. Oh,

Ashish Rajan: [00:05:07] and do you work in a particular public cloud, or is it just multi-cloud?

Parul Kharub: [00:05:12] I do. I actually work on the three major ones: AWS, Google as well as Azure.

Ashish Rajan: [00:05:18] Awesome. And an obvious question for people, because I guess we have an audience who may not be aware. I think I was not aware of how complex OT environments are before this conversation. So for people who don’t know, what’s an OT environment, and how’s it different from an IT environment?

Parul Kharub: [00:05:36] Yes, absolutely.

So I think it would be nice if I just quickly glance over IT itself, which is all about computing technology, starting from the back end, the front end and all sorts of different web technologies, including day-to-day use or business transactions. And the best examples are like customer relationship management software, enterprise resource planning, or human [00:06:00] capital management, or anything that could be run on those software or

website-based technologies. Whereas operational technology is actually a very fine conglomeration of computing, which is IT, and communication systems on top of it, which actually monitor and manage industrial process assets, in terms of both processes as well as those manufacturing slash industrial physical devices or equipment per se.

And I’m more than happy to go over those. I have a very nice example in my mind that I would like to share, just to understand devices or equipment.

Ashish Rajan: [00:06:40] Yeah. Yeah. Cause I’m thinking more like nuclear devices, energy devices, but you can give me a better example, I guess.

Parul Kharub: [00:06:48] I would say that’s definitely part of it, because wherever, so, okay.

Let’s think about OT in terms of wherever machines are involved. I would call that OT, you know, [00:07:00] where physical devices are present that would constitute that operational technology environment. So, the examples that, you know, so we definitely use this term industrial control systems, versus information technology, for the operational side of things.

Under which there could be different physical devices, like SCADA systems, which is supervisory control and data acquisition systems, distributed control systems, or HMI, which is just human-machine interface, or PLCs, or process control networks, and so on and so forth. But just to describe one of them, which is SCADA systems.

That’s actually one of the industrial control systems, which is a communication-network-based controller that controls the coupling between the software components, like actuators, sensors, physical processes, and it is, excuse me, used to control infrastructure processes and [00:08:00] human management of essential commodities versus services.

For example, consumable products like electricity or gas that come from a power plant, or it could be as simple as a water treatment plant, or it could also control facility processes at airports, space stations, ships. That’s exactly where I said that you’re right in mentioning the nuclear power stations.

Okay. So, you know, it’s something very simple, very complex that, when I actually turned my attention to operational technology a couple of years back, it was a pretty big eye-opener. A few of my very initial clients were actually ranging from a cereal company to a pharmaceutical company, or even automobile, where manufacturing plays such a big role,

that it was really a surprise, like, Oh, okay. This term OT is [00:09:00] actually pretty real. So that’s how I would probably define the difference. And actually, something just kicked into my mind: think in terms of connecting ourselves to the outside world, I call that IT, but something that’s more focused in a given range, or a particular industry or field, would be OT.

Ashish Rajan: [00:09:22] Oh. And I think there’s one thing more that I would like to get into, which is the difference when it comes to IoT devices as well, but we’ll probably get to that towards the end. How is the public cloud space affecting OT and IT environments?

Parul Kharub: [00:09:39] So cloud, to me, always struck me as thinking in terms of OPEX and CAPEX, which is operational expense and capital expense, where both of these things became a very important part when

it came to moving IT to the cloud. So it has definitely been turning tables in terms of transitioning or migrating to cloud to minimize on-premise [00:10:00] assets. However, in OT things are a bit different, especially because of its nature of having to do so much with physical devices, that taking them all together to cloud is still kind of a concept.

However, the underlying technologies, like software applications or data on which those machines I mentioned, or the sensors, are actually running, can definitely now be tackled or managed from a cloud. That’s actually where the concept of Industry 4.0 comes into play. So if you allow me to quickly share one of my studies, or work that I did a couple of years back with a consulting firm: they actually prepared a study, and it was purely based on how these industries have evolved.

So the first generation of this was when all natural resources were used to generate those essential commodities, or electricity or power, like steam engines or any natural resources per se. The second [00:11:00] generation, I actually got, you know, it was the evolution from natural resource usage into the assembly line or production system, supply chain per se.

Then the third generation was all about the computing era, or automation, where we started talking about all the fancy words, artificial intelligence and everything, all the things like that. But right now we are in the fourth generation, which we define as cyber-physical systems, or another fancy term here, IoT, which is the internet of things, which to me, if we think about it, is where physical systems are connected to digital systems to take in the data and

provide it to the physical systems that are a big part of the OT environment, and then get the data back from them, which again is converting that to digital information to actually do some processing, probably on a cloud or anywhere else too. Yeah. For operators to [00:12:00] actually make those machines move. That’s where, yeah,

we are today. And that’s right, you know, you might hear people talking about Industry 4.0.

Ashish Rajan: [00:12:10] Oh, so I think it’s actually a great example, because Industry 4.0 is not about the fact that you can move an entire nuclear plant onto the cloud, but it’s more the processing of data, or I guess, to your point, if something was done on paper, now it can be done online.

That’s it? Out of curiosity, why would someone move that to the cloud? Like, why move it to the cloud?

Parul Kharub: [00:12:37] Well, again, like I said, I don’t see it happening, like this year or next year, to move all the physical assets to cloud. But actually we can definitely think in terms of 5G long-term evolution, which is 5G LTE, that is still being talked about a lot these days and is still in its infancy,

infant stages, [00:13:00] but how we as an OT practice, or cyber practitioners, see it happening is, you know, so right now, how an OT environment is segregated is based on a model called the Purdue model, which actually helps define different segments of its network. It starts from level zero, which actually consists of all the processes.

Then level one for the controls, and level two, three and four, and the topmost layer is level six, which is the cloud layer. Between the control zone of operational technology and the cloud zone there are still two more zones to overcome, or to actually cut down on those zones.

I think how 5G LTE is going to make a difference is in a manner that not only is it going to bring that layer down, but it’s also going to bring a challenge about how we make sure that our security [00:14:00] controls are strong enough that it gets hard to break into that one layer. So how I see it happening, when they are now talking about reducing those layers in the Purdue model, is I see more security layers getting added within that one zone.

And that’s how I see security becoming possible, or even getting to that level where it doesn’t cause harm to the OT environment. Because, another thing that I would mention here, there is actually a lot of impact that a failure in an OT environment can cause, in comparison to the impact that an IT failure may cause.

And why do I say it? I say it because people are still so heavily involved in all those fields and around all that machinery. If something were to go wrong in a field or in an OT setup, it’s [00:15:00] not only going to cause business disruption, but it may also cause people to lose their lives, which is invaluable.

Right? So the impact that comes from cyber attacks in an OT environment is altogether a different level. It’s something like, I don’t want to compare it with what happened in the, which one was that, the nuclear failure that happened. So it’s something similar to Stuxnet.

It was, not commit to, it was one of them, but Stuxnet is a good example as well.

Ashish Rajan: [00:15:39] Well, I think that’s a good segue into the question from Dr. . I told you he’d ask a question. He has a screen as well. So his question is more around the fact that, interesting topic, what are some scenarios of cyber attacks in the industrial network?

How does malware get into such secure industrial networks? I think it’s related to [00:16:00] the one that you were talking about earlier.

Parul Kharub: [00:16:01] Yeah, I think there’s not just one way of getting in. The simplest one I can tell is, in my experience, a couple of years back, I did see some companies or industries still using unencrypted USB devices, or even allowing people to use their own USB devices and plug them directly into the control network.

So those USB devices could just cause havoc there. And there were some attacks or intrusions that happened because of a USB device itself. I don’t know how public that information is, so I’m not going to take any names here, but that could be one of those things where the malware can be brought in on the USB devices and it could take access of the whole control network.

And then things can go south in just a couple of seconds. And just adding a few to that, it could simply be social engineering as well. So people at the [00:17:00] field site are not really cyber-oriented or cyber-aware per se. And that’s exactly where training and education also play a very big role.

I am a big fan of mentioning that security is not just the security team’s responsibility, it’s everyone’s responsibility. To make it everyone’s responsibility, there has to be enough awareness created amongst people of the simplest things, like social engineering.

I work on a field site and someone comes walking in some day and, just chit-chatting, says, Hey, so what’s your pet’s name? And, you know, how do you keep your password safe, what is your password? And there have been some cases where people were so gullible that they did share their passwords.

Right. The adversaries literally got their way into the control network and operational environment. [00:18:00] And they literally brought in malware, or various kinds of viruses, and they just planted those things into those plants, and things just went crazy after that. So it’s the simplest to the craziest things that you can think of that could really lead to those cyber attacks.

But hopefully I answered your question. Yeah.

Ashish Rajan: [00:18:24] Yeah. And I think it’s an interesting point as well, because of the impact of this. I guess a follow-up question around that, about social engineering. In a regular technology world, you and I have it all, well, maybe not you, because you’re working with OT, and I work in the IT space. But in IT environments it’s common for people to walk around and talk about phishing,

gift card scams. But OT environments may not even be getting an email. You could just have regular folks walking about in a factory, and they just have access to control systems. [00:19:00] And you can just get the information, just walk into the place, or maybe meet them outside the place or something. I mean, I’m just thinking from a social engineering angle.

Parul Kharub: [00:19:08] This is actually good. And it actually got me thinking of another good example. So it’s not that OT is totally separated from IT. There is like a gateway through which we, or not we, but the adversaries, could still get their way into the OT environment. There have been some cases that actually kicked off from phishing emails.

People were able to steal credentials because users would click on the links and provide their credentials, and that’s all the adversaries would need to get into their respective sites, or to steal some more data. And, you know, just look at the most recent ransomware attacks that actually, well, it was probably in 2018, caused a company a billion-dollar loss just by clicking on those emails, and like, Oh my gosh, my assets are locked, and what not [00:20:00] all.

And people, even people at those high levels, like C-suite people, right? The CEOs or chief technology officers, they’re, I mean, to me, the most educated people, but again, from a cyber standpoint, anyone could fall prey to those very tricky emails, or any of those tricks and plots by our adversaries.

So I think a refresher of knowledge and education is always a good thing to do for all different levels of people, from the C-suite level to the employee level and to the admins.

Ashish Rajan: [00:20:41] Interesting. And I think, to your point, there’s an obvious connection between IT and OT environments, and obviously every control system, or I guess every industry like this, obviously has corporate security as well.

You almost have three versions of it. I guess one would [00:21:00] be as simple as, okay, I need security for the people who are staff. And then another is, I need software security for the applications that my staff is using. That’s another version of it, but then there’s a whole other space. So I feel like almost any energy sector company, or I guess any control system environment, has almost three networks, three environments.

Right? Physical security, IT security, and then there is, I guess, OT security. How do they manage all that, and the complexity, and how do they connect together? Usually, from the common patterns you may have seen.

Parul Kharub: [00:21:37] Great. So I think I have done many security strategies, from purely IT-oriented, to OT, to also a convergence of IT and OT, where they were made a part of the strategy, the major corporate strategy itself.

Again, like I said in the beginning, OT was introduced into my purview of the cyber world a couple of years back, where there were some major national organizations [00:22:00] whose involved stakeholders weren’t even fully versed with the terminology OT, and I’m not lying about it. It’s really serious.

Cause we have had conversations with CEOs and CEOs in the room, just having that socialization and making them realize the fact that there is this thing, OT, that also needs regular attention. And that’s exactly where a lot of people and change management was also required. But going back to your previous question, I think to me it all ties back to the security triad,

which is the CIA security triad, right? Confidentiality, integrity, availability. But I would add another factor to it, which is safety of the people working in the OT environment. Right. So when it comes to OT, I think safety plays a lot bigger role. So just thinking about those four factors, I’m talking from a strategy standpoint: corporate strategy sits on top, where cloud strategy, OT strategy or IT [00:23:00] strategy become like components of it.

So we have to work from a top-down approach to start thinking about what the major components are that are the driving factors of an organization’s business, or how it is going to make a difference to divide IT versus OT, and define your strategy, your next steps for a couple of years down the lane, in those terms, and what kind of controls should be included.

So the best example that I can think of, where IT, OT and cloud are all involved, is DevSecOps.

Ashish Rajan: [00:23:34] Alright. So how,

Parul Kharub: [00:23:35] Yeah. So in cloud, when applications are migrated, or people now have started developing their applications right on the cloud, they keep talking about those fancy words like CI/CD pipeline, which is continuous integration and continuous deployment.

Sorry. Yeah. So that’s exactly where we need to think of how to shift security left, [00:24:00] which is simply introducing security at each and every early stage of developing that software. So the overall software development life cycle is like the requirements phase, the design phase, the testing phase.

I see security getting involved in the very early stages, where, when we are talking about requirements, we also need to ensure that we are talking about security requirements as well, versus having to let them develop the software and deploy it on the

Ashish Rajan: [00:24:32] hundreds. Just to be clear, we’re talking about software for control systems or software in general.

Parul Kharub: [00:24:37] So, no, I’m just giving you an example of DevOps and how security can be involved, and how it can impact an OT environment.

Ashish Rajan: [00:24:47] What was happening in the OT environment as well?

Parul Kharub: [00:24:49] So, okay. So, DevOps. So an OT environment, like I said, is a conglomeration of software and physical devices. So the software side of it,

yeah, it is actually [00:25:00] responsible for driving those physical devices. Right. There are underlying applications that are running the HMIs, the human-machine interfaces, and all the other machines there. There is heavy data involved in driving those machines and performing their jobs or their tasks.

Right? So those applications become the driving factor to actually run those devices as well. Right. So if those applications are not set up for success in terms of security, it’s going to cause harm to those devices as well. Right.

Ashish Rajan: [00:25:33] Interesting. And I think, on causing harm, Dr. Abelow also has another question.

So what are the solutions and products currently being applied for industrial networks? What are these existing products actually doing? Are they effective at preventing such ICS cyber attacks?

Parul Kharub: [00:25:50] So, yes. So before I jump into naming those few products, I would really like to mention that,

you know, it’s always a single vulnerability [00:26:00] that is the way an attack can be initiated. So I think we always need to be on top of an organization’s detection capabilities, attack-containment capabilities, response and remediation. And when I say those things, it’s literally

thinking about having the right processes in place. Naming a few: one is vulnerability management. So before even thinking about a product or a tool, we should have processes in place so that if there is a zero-day vulnerability, which, for those who do not know about it, is something that needs to be fixed ASAP, it could harm you in a second.

So, if you do not have those vulnerability identification mechanisms, or vulnerability remediation mechanisms, in place, no technology or product will be a huge help. So having the [00:27:00] right set of processes in place is the first key to success in warding off those attacks. The next one that I wanted to bring up, in terms of these processes itself, is having a capability around behavior and malware detection, or real-time monitoring, where it all comes back to

collecting logs from all the machines, from all the software that they’re running, and inputting them into your security incident and event management or monitoring system, so that your incident response team can be watching your environment to see if something anomalous or malicious is going on in your environment, before it could even go to those products or tools.

So I think having the right processes, and having the right detection versus response versus remediation mechanisms, is the first step. Now, when we start thinking about, okay, what kind of tools can we use [00:28:00] to collect those logs, there are a lot of tools out there in the market. Naming a few, there is Splunk, or even looking at

services from companies like Dragos, having these monitoring capabilities, or BAD, which is behavioral anomaly detection, could be possible from tools like CyberLens. Or there are two other vendors that I’m really a huge fan of: Claroty and Armis.

And I can chat, I don’t know if you can see my pane here, I can actually just put them all in here.

Ashish Rajan: [00:28:36] You can just send me the links once we’re done, I guess. I can always put the links in the show notes, so people should be able to see them later on as well.

Parul Kharub: [00:28:42] So I think tools like that will give you the capability to not only see what IPs are actually

exposed in the OT environment, but will also give you the capability to keep an eye on the malicious activity that might be going on in your network. Or having those [00:29:00] logs coming in from the firewalls would actually let you see if there is something that you didn’t want to welcome into your environment that is still coming in, having not set up the right rules in the firewalls.

So I think it’s being more proactive than reactive that I have seen becoming successful in operational environments, rather than having tons of technologies but losing on, okay, what do we do with these?

Ashish Rajan: [00:29:27] Oh, I love the way you answered this question. You took a step back and went with almost the data points that they should already be collecting before you even go down the path of, what product or solution

should I be looking for? And I think just the last part of the doctor’s question, how effective these are, might just add another lens to this, because in IT environments, incident response is like, Oh yeah, there’s an incident plan. Everyone’s got a DR exercise that happens once a year.

So, well, I guess hopefully once a year, and people kind of know what’s going to [00:30:00] happen. Yeah. I imagine, in an OT environment, are those things still applicable? Like, do people actually make someone in, I guess, the energy sector, someone who works on, say, the energy or the electric current that comes into our houses, get involved in security awareness? Because I think, for me, the effectiveness of these tools can only go to some point. Like, if an attack has happened, yeah,

and you’ve been collecting all these logs and everything, right, are there people doing some kind of training, like for cyber safety as well, to make these effective?

Parul Kharub: [00:30:42] Absolutely. So I think there are teams that are always developed in the background to not only see what’s going on in the environment, but also what the requirements are that an incident response team may have to make those logs more meaningful, or to [00:31:00] tune those logs based on some intelligence that could be added on top of the logs, and then making them more useful so that we can get alerted in a much more proactive manner.

So, just talking from the incident response team standpoint, I think the most valuable thing that it could get out of the logs is, firstly, like I mentioned, how well tuned are those? Secondly, how timely can they generate those alerts to actually alert the incident response team?

Okay, there is an active intrusion going on in your environment, and it could again be a very simple phishing campaign, or phishing attack, that could be going on in an environment, because everything just starts with the candy. And when you get into being a sugar patient, you do not know, because it’s something that’s going on a lot in the body.

And I use this analogy a lot because it’s so simple to understand how, [00:32:00] or how fast, things can spread depending upon how strong your environment is. It’s actually going to drive all those processes, or tools, or products that you may have to ensure security in your environment.

Ashish Rajan: [00:32:14] All right.

So I guess your point, it’s a combination of, so for, for these solutions and products to be effective, it’s a combination of having the right processes, right data points, and even, I guess, the right education and cyber safety as well so that everyone can work in harmony, for lack of a better word, I guess.

Parul Kharub: [00:32:31] And sorry, I think I missed one part of your question, which is, having the field people aware of the cyber things as well. Just, yeah. Sorry about that. Yeah. So I think, we cannot expect them to be coming to us and say, Hey, I just interrupted this mechanism over here just to make it secure. No. I think the expectations are different from them in terms of, okay.

we need to be smart enough to understand if people are trying to social engineer us, we need to be smart enough to [00:33:00] understand if somebody on the phone, in the field is actually bringing a laptop from outside. Either there is, something that, you know, either there is a completely unintentional, thing that’s going on in the person’s mind, or there is something hundred percent malicious, but duty of care of security would actually go and ask that person, Hey, why are you bringing that laptop?

And you know, it’s not allowed. So I think just training them or making them aware of from a standpoint of, okay. What is allowed versus not allowed to bring into the field or into the process control, sorry, the control room, where, you know, from where all the devices that have control to drive the operation environment, or even like the smallest example I told USB device, right.

Or even if, if on a, on a, in a computer sitting in a control room device, if the computer is actually giving you notification that your anti-malware is getting [00:34:00] expired, you’d better act on it.

Ashish Rajan: [00:34:02] Oh, I see the funny thing. Yeah, you’re right. Because thinking from a, I just put myself in the mind of a worker in one of those industries and I’m like, That doesn’t affect my job day to day.

Why would I care about updating malware?

Parul Kharub: [00:34:15] Yeah. Basic things. And I think it wouldn’t hurt to actually have somebody to, you know, give them a refresher kind of course, every, probably three months, or it depends like what kind of an environment that. Industry may be in like, it differs from industry to industry as well.

But I think having those refresher courses, just from a basic level, like I said, the social engineering aspects to it, or people bringing in devices from outside, or even keeping their machines up to date with antivirus or anti-malware, right, are the right, right things to do. And they all become part of that

duty of care for security.

Ashish Rajan: [00:34:52] That is awesome. And I think, it’s, it’s a great answer because I feel like it’s. There’s so much similarity at the same time, the subtle differences [00:35:00] between the way a regular IT environment works. Whereas, an OT environment is almost like a sibling of IT, but with its own nuances, I guess they’re its own character.

Parul Kharub: [00:35:12] I think like, I, you know, let me please, reiterate my like really important point. The impact is huge, human life. You’re talking about right now, right? It’s the, it’s the environment, the nature that might get disturbed, like if a gas pipeline were to burst because of a cyber attack, there’s nothing worse than that, right.

Because it’s not going to impact a loss in terms of. The cost or money, but it’s, it’s going to disrupt our whole environment. Right. It’s going to make our air poisonous. That’s just put it that way.

Ashish Rajan: [00:35:46] Yeah. And I think the worst case scenario and how real these things could be, is that an energy example that you would like the nuclear example that we were talking about earlier, where I think the, it was just a.

I think the [00:36:00] specifics of it were around how the machine was working on the calculation of how quickly a fusion or a fission, although the reaction was happening between nuclear or that chemical body. And it could just explode the whole plant. And then there was this whole concept around the fact that.

something as small as I could lose power to my house or not just my house, but my entire suburb or my entire state. Like, it’s like, it’s something that affects every day to day person. Whereas an IT environment usually like, Oh, I kind of log into Facebook. Big deal.

Parul Kharub: [00:36:36] And I think the nuclear, I totally agree.

The nuclear example that I was trying to recall was the Chernobyl. Refreshed my memory just this year’s beginning with my friends in Toronto. We watched the series on Netflix and I was like, Whoa, okay. To me, it was like, literally not being compliant.

Ashish Rajan: [00:36:56] Interesting.

Parul Kharub: [00:36:57] And

Ashish Rajan: [00:36:57] it just caused

Parul Kharub: [00:37:00] the huge catastrophe.

That’s still not fully recovered.

Ashish Rajan: [00:37:06] Oh, wow. Yeah. I think we’re still suffering from it. It’s been, I think it’s, it’s probably a good segue into this as well, because almost like, even though we’re talking about the existing challenges, there are some new things coming up in this space as well. We spoke about, we touched on IoT just before as well.

I would love to hear a bit more about the relevance of IoT or. How important is IoT getting in this space?

Parul Kharub: [00:37:27] Yep. So I think it has great relevance with IoT and the industries, a future where we can see smart industries or smart factories developing, per se, where things that are so device or machinery oriented these days could be made smart or smarter.

And the sense of, again, coming back to my previous point, introducing 5G, Long-Term Evolution or LTE, in, in our common usage of language, and other edge technologies to get data faster in and out to those machines. And that’s exactly where artificial [00:38:00] intelligence is actually going to play a very, very big role.

In, doing advanced analytics in the background so that the response time of that data coming in and going out of those machines on cloud, or, you know, just in that IoT environment now can go faster back to those machines and create more productivity out of it. So that’s the best example, from a manufacturing point of view that I could provide.

Ashish Rajan: [00:38:26] Yeah, no, that’s a, that’s a great example. I think it’s, yeah. We’ve spoken about a few different topics around OT and IT. And I’ve got a few folks in this audience who are cybersecurity students as well, and or people who are looking into moving into cybersecurity. What kind of skill set?

Would you recommend for them? Cause obviously we don’t talk much about SCADA networks and OT networks in uni. So what kind of skill sets should they be? Like someone who’s interested in this field would love to work for a nuclear plant. [00:39:00] Uh huh. I’m lucky. I keep thinking of nuclear plants, but maybe did you watch

Parul Kharub: [00:39:06] something on there

Ashish Rajan: [00:39:07] last night?

No, I feel like I probably should think of a better example, but I keep thinking of a nuclear plant.

Parul Kharub: [00:39:12] What’s the worst

Ashish Rajan: [00:39:13] case scenario, nuclear plant.

Parul Kharub: [00:39:15] I know. And the easiest one is a cereal making company. A cereal making company, Kellogg’s. You eat Kellogg’s

Ashish Rajan: [00:39:22] every day. Good one. Yeah. What if I want to work for Kellogg’s cyber security?

What kind of skillset? obviously outside of the uni, the basics, not your point about triad, the basic information security triad, CIA. I mean, what else am I looking for? Are there certifications or things that people can learn

Parul Kharub: [00:39:41] in this space? So I think, first things first. You know, always whenever you are trying to make decisions in your career, always meet with people.

You know, let’s say you’re trying to be, you’re trying to get into cybersecurity in for OT or you’re trying to get into cybersecurity, let’s say for Tesla. So I [00:40:00] think the best way of going forward is to actually meet with some, People from that, from those industries who could actually like, you know, maybe just go through their LinkedIn profiles or just research a little bit of what they’re doing in terms of, clearing up your expectations coming out of the job, because do not let.

You wait for those surprises to happen when you would have completed your four years of, or howsoever long years of education and then getting into it, knowing something. The thing that I, made a wrong choice or anything, but it’s funny how, so I belong to a very middle class family from India and.

I was just told to do great things in life, but nobody defined that great for me. So always be on top of defining that great for yourself by doing a little bit of research and meeting common people about that. So moving on to the actual question here, certification. So I think, first things first, I think we should always [00:41:00] start from understanding the industry itself for which, I think for freshmen, I would suggest taking up some courses around, in like core engineering or manufacturing or, if, you know, some people are really, really into it and they have figured out that great for themselves.

I think, going for industrial engineering as their, concentration would be a good idea. So just probably starting with that, to understand the industry and then connecting it to the cybersecurity where I think, when I completed my CISSP, it was one of the greatest things to do. Cause not only, it’s so much connected to each and every industry, but it actually gives you a very basic and ground level introduction of security to an extent that it could be connected to, anything.

coming back to just, OT, specific certifications. Yes, there are a couple. so the, the global industrial accreditation certification actually [00:42:00] provides GICSP, which is global industrial certification for security professionals. Yeah. So I think that could be a great thing to, to start with really understanding some underlying standards of frameworks, NIST, actually the National Institute of Standards and Technology.

It actually covers all various aspects of the right controls for OT environment and probably having a nice understanding of that also would not hurt in addition to. Like very laser focused industrial and automation controls, which is ISA or IEC 62443. It’s like one of the very great standards that I have seen getting used in, in industries like these to define their control systems and.

I think last but not least, Center for Internet Security, the CIS Top 20 controls. And also now when cloud is so hot and live, I [00:43:00] think the Cloud Security Alliance Cloud Controls Matrix also would be a good thing. The idea to understand and tie those controls back to OT.

Ashish Rajan: [00:43:10] Awesome. And I think that’s a great answer.

I’ll put the certificates and the references into the show notes, so it’s also people can follow up and come back and it’s always good to get into technical questions and get into the greater things, but it’s always good to have some fun questions in the episode as well.

Parul Kharub: [00:43:33] I

Ashish Rajan: [00:43:33] know. You should have started with Dave, but yeah, just come back down and relax a bit more. I’ve only got three questions, so, ah, yeah, so I could go the whole day, but I thought, why don’t I start with three and I’ll let everyone else connect with you to get to know you a bit more. The first one is where do you spend most time on when you’re not working on cloud or technology or in your case?

OT networks, I guess.

Parul Kharub: [00:43:58] I think I would say three things. [00:44:00] I love, cooking and I bake a lot, like a lot. So I’m into French and English bakes mostly. And I also have started doing this, you know? So you order stuff from. That these various vendors like Chef’s Plate and stuff like that. And they will give you like all the grocery to your doorstep.

And all you need to do is the follow the recipe and try those things. So what I’m doing these days, I’m literally trying international foods every day. This I had like a Korean Jacka Shui noodles for my brunch today.

Ashish Rajan: [00:44:35] It’s like a black noodle. If that’s what that is,

Parul Kharub: [00:44:38] it’s not it’s like a Korean spice noodle.

It’s amazing. I actually put it on my Instagram as well. So

Ashish Rajan: [00:44:44] there you go. People should follow you on Instagram just to find out.

Parul Kharub: [00:44:48] I don’t really mind. Yeah. But I like the funny fact is me and my husband and so much into food. We. Make so much and we end up eating it [00:45:00] all by ourselves.

Ashish Rajan: [00:45:01] Fair enough. It’s not a bad thing.

It’s actually not a bad thing to be able to do that, you know? And I think

Parul Kharub: [00:45:06] it’s a great, sweet can be a bad thing too, right? Like,

Ashish Rajan: [00:45:10] wow. Well, you know, it’s Saturday at your, at your end, Sunday at mine, and why not? Right. The next question is kind of a little Patriot as well. What is something that you’re proud of?

Parul Kharub: [00:45:19] Sorry, sorry, sorry. I also love sleeping and playing with my daughter. Those are the three things.

Ashish Rajan: [00:45:24] Fair enough. That’s a great way to find it. Spend time to switch off from technology and OT networks in general. the next question that I have is what is something that you’re proud of, but is not on your social media.

Parul Kharub: [00:45:37] Oh, okay. Not on my social media and I’m proud of it.

Ashish Rajan: [00:45:42] Wait, I think you found these already in social media.

Parul Kharub: [00:45:45] Probably my, yes they are, but I think I actually am chairing, a community group. Like, they just made me a chairman for a community group. And probably this is the first ever time I’m ever talking about this other than my [00:46:00] husband.

It’s just that I never got a chance. So probably that. And, something

Ashish Rajan: [00:46:05] probably. Can you talk about it? What are you, what is it now? I’m curious. What is this?

Parul Kharub: [00:46:09] Well,

Ashish Rajan: [00:46:10] yeah,

Parul Kharub: [00:46:12] I don’t think I can take the name of the company, but I can definitely talk about, so they recently made me a chairperson of, driving their operational technology.

environment and the underlying security controls specific. Yes. It actually came to a big surprise to me as well, one fine morning. And they’re like, Hey, you know what? We are actually making you a chairperson, like, Oh, okay. That’s nice. I know. Right. So I don’t think I ever. Got a chance to share this with my family.

And I’m just realizing it

Ashish Rajan: [00:46:46] exclusive. Now this is the exclusive. If your family want to find out, you can come and check out the show.

Parul Kharub: [00:46:51] Yes, they would probably see it tomorrow morning of the day. Okay. Why don’t you tell us I it’s. Okay. I forgot.

Ashish Rajan: [00:46:57] Fair enough. and I think the last question over here [00:47:00] is right up your alley.

What’s your favorite cuisine or restaurant that you

Parul Kharub: [00:47:03] can share? Oh, okay. So I think my favorite cuisine is definitely Indian and restaurant. Okay. You’re going to laugh about it, but it’s my own kitchen. Cause I really find it’s so hard to find good Indian food in restaurants because they, just, to me, it just sounds like they just put all the spices into everything and everything tastes similar to me, but I don’t like my food that way.

I like different flavors in it. If I have like five things in front of me, I really want to make sure that all five things are exclusively differently flavored. So I would say it’s my own kitchen or my mama’s kitchen. So that would be my most honest answer.

Ashish Rajan: [00:47:43] Wow. And it’s like, it’s like having food with you would be like having a master chef experience with everything like a different place, have different flavors going on by the way.

Congratulations as well, by the way.

Parul Kharub: [00:47:55] Very much, Dr. And thank you again for your time today, too. Hear my blabbering,

Ashish Rajan: [00:48:01] it was really helpful. And I think it’s a great introduction for OT and IT, and how even that industry is being affected by. And I think, I think that the biggest takeaway for me is honestly the IoT and 5G part, Dr.

Loves Indian food as well. Great.

Parul Kharub: [00:48:20] I know. Right. And you know, Most welcome anytime to visit Calgary. And my house is definitely an open cottage.

Ashish Rajan: [00:48:28] Oh, there you go. There’s like Oprah open restaurant for Moffitt chef critique going on, but

Parul Kharub: [00:48:34] hosting parties, Ashish, I’m

Ashish Rajan: [00:48:36] not like, Oh, there you go. I just wanted to say thank you so much for taking the time out.

I really appreciate it. It was, It’s been very informative for me personally, and I’m sure for other people as well. And where can they reach you for the question? Like

Parul Kharub: [00:48:48] what’s so funny cause, I’m yes, I’m active on Instagram, but not to an extent that I would read messages there, but LinkedIn is something that I would definitely respond to, [00:49:00] to, you know, any

Ashish Rajan: [00:49:00] perfect.

Yeah. That’s awesome. I think I’ll leave the gone.

Parul Kharub: [00:49:04] So I, sorry, I was just saying that I, you know, that this is also something that I do aside, my job is actually mentoring students and people to find their career paths and make the right decision. So I’ll be more than glad to help anyone or each one of you who are listening to this podcast today.

Ashish Rajan: [00:49:25] Yeah, that’d be, that’d be pretty cool. Cause I’m getting mentorship for a hard to get into the OT space. It’s something really interesting. Cause yeah. People kind of forget that it’s such an equally big three hour. I mean our fight or just the regular IT or Facebook, LinkedIn and things like that. There’s so much more like, I think we have everything around us.

Even if you look at our, in your own house, there’s so much coming from that industry, like your power, your gas.

Parul Kharub: [00:49:51] Another thing that I keep telling people that, Hey, you will never be mad when your internet will be gone, but you will be like on your toes if your electricity is not in the house. [00:50:00] Yup. I think not only OT I have, I have my hands and toes into everything, but digital forensics,

in security. So, I mean, I can definitely talk about more things with whosoever is interested in the background. Cause that’s what my experience has given me. Like, you know,

Ashish Rajan: [00:50:21] you can expect a flood storm of people coming up to you for mentors. So that’s awesome. Yeah. Thank you so much for your time. Let

Parul Kharub: [00:50:27] me take this opportunity to thank you as well.

One of the very biggest fans of your podcast, like I know, I haven’t gone through the last one, like the last 30 minutes and I’m still trying to get to it. It’s just like, I, sometimes I find it hard to find time from my sleeping time, playing with my baby and baking. Fair enough for sure. So please

Ashish Rajan: [00:50:48] keep up

Parul Kharub: [00:50:49] awesome podcasts and, you know, keep making difference in people’s lives this week.

Ashish Rajan: [00:50:54] Thank you. Thank you so much. It means the world. Thank you so much for this. And again, thank you so much for your time as I think [00:51:00] the audience will appreciate it. I love the fact that you love the podcast as well. So thank you. Thank you for appreciating this, a good plug for the podcast as well, but it also, I get to learn quite a bit from people like yourself.

So, it’s, it’s actually, it’s still a two way street, but thank you so much for your time and for anyone who’s. Yeah, I’ll see everyone else in the next episode.
