A logo with accompanying text "Listen on Spotify"A logo with accompanying text "Listen on Apple Podcasts"
You Can’t Spell Zero Trust Without OT
Season Two
· Episode

You Can’t Spell Zero Trust Without OT

In this episode, host Raghu Nandakumara sits down with Carlos Buenano, CTO, OT at Armis, to discuss his path to OT security, the importance of Zero Trust in industrial environments, and how to make progress in security while not compromising productivity.


00:02 Carlos Buenano

They are now in charge of security. Until now, they haven't been accountable to basically provide security. Okay. Of course, they are concerned about the operations being disrupted.

00:14 Raghu Nandakumara

Welcome to The Segment: A Zero Trust Leadership Podcast. I'm your host, Raghu Nandakumara, Head of Industry Solutions at Illumio, the Zero Trust Segmentation company. Today, I'm joined by Carlos Buenano, CTO of OT at Armis, a leader in asset intelligence cybersecurity. Carlos brings over 30 years of experience in the control systems and telecommunication fields. He's worked for organizations across the globe, holding roles ranging from solutions architect to principal engineer to ICS cybersecurity consultant. For the past five years, he's focused specifically on operationalizing cybersecurity solutions within industrial networks. In this episode, Carlos joins us to discuss the path to OT security, the importance of Zero Trust in industrial environments, and how to make progress in security while not compromising productivity. So, it gives me great pleasure to welcome onto this episode of The Segment Carlos Buenano, CTO for OT at Armis, the leader in OT security. Carlos, Welcome to The Segment.

01:24 Carlos Buenano

Thank you So, much. Thanks for having me. It's a pleasure, real pleasure to be here.

01:28 Raghu Nandakumara

Oh, I think the pleasure is all mine. Because we're into Season Two of the podcast and if my recollection is correct. I think this is the first episode where we've had someone who is an expert in OT security, which is So, top of mind these days. So, I think the path into OT security is not a natural one when people think about careers in information security. So, tell us a bit about your background.

01:51 Carlos Buenano

Yeah, So, I'm an electronic engineer, I specialize in control systems. I remember going to university and having that one subject: control systems. And I got hooked. So, programming, my PLC, configuring SQL Server, and pulling information connecting to sensors and actuators and making the automation happen, it got me hooked from the very beginning. Throughout my career I developed basically the skills to be a control systems engineer. I remember the time when networking was actually part of the transition between zero networks and Ethernet networks. And I [was] very curious about it. And I wanted to be part of it, but part of that transition, and then the mixing the whole networking and control systems into one. And then, I started designing control networks, which was actually quite interesting. And there's a lot. It was actually going more into configuring PLCs. SCADA said it was DCS; it was going into networking, programming, and defining control networks that come across with IEC 62443 and how it defines network segmentation from a Green Seal point of view. And slowly, slowly started getting involved with systems, access directories, EDRs, and integrating all these different systems joining all these systems into the domain. And protecting these devices and backing them up and making sure to have the procedures in place. Following ASC 62443 at the time, it is almost like I just fell into it, and in the last 10 years, I've been focusing only on cybersecurity for OT environments. You know, my understanding of the environment, the OT environment, as such in communicating with the OT personnel, the engineering teams, the plant managers, and giving them the information that they need to hear, because it can actually be very, very complex conversations with the plant managers because they want to protect the production. And then we need to start introducing security topics; it’s actually one of our pleasures.

04:18 Raghu Nandakumara

I love that, thank you. Thank you because I think it's fascinating that you're someone whose background is an expertise in control systems which means that when you have these conversations with sort of plant managers, etc. Today, you're able to have those conversations with a very informed perspective.

04:38 Carlos Buenano

I was the one person behind the laptop programming, the PLCs, plugging the cable. So, I understand exactly what the plant managers have to go for to maintain production, to maintain safety of the people while doing so.

04:53 Raghu Nandakumara

So, I just want to go back to sort of your time studying engineering when you're studying control systems. At that point, do you think about security?

05:01 Carlos Buenano

No, never. All my focus was actually always automation. You know, how to automate. And of course, we were used to getting involved with the vendors, Rockwell, Siemens, for instance, Schneider, and learn their tools, learn the way the most efficient way to perform the automation. And when you come to OT systems, there is also, a hierarchy internally; you have the process engineers that define what the clients need to do, how they need to behave, what is expected, from an automation point of view. But then, you have the control systems near; they need to be structured to understanding all the narratives produced by the process engineers and then put that in place. And then design and implement. Then you look at and think about other things. You think about standards, you think about ways to program templates to program the systems, So, that the next person that comes from maintenance need to do what they need to do to maintain it, understand it, [and have it] very well documented. So, you’re actually focusing more on the implementation of these control systems, and you use what is available. You use the network, you plug the network, you're given an IP address. If you have a network, or you're given an ID number, if you have a serial network, and they have the gateways and how they communicate, and you configure the SCADA server with different tags to pull information. So, it's a big world of knowledge that you have to implement during implementation of these systems. So, there's no, there's almost no space to think about security, really; the whole thing is about making it work. It's like any other projects, you have a project manager, and it's all about time, an asset dedicated to deliver that specific project. And when you are in operations, is all about meeting the requirements from production perspective and ensuring that the device is actually working as it's supposed to be working, when you don't think about the communication because one of the main requirements in OT networks is to communicate the devices that need to be communicated to. You don't think about an application when I want to add more options when it comes to a new tool So, that you can actually use it. And no, no, no, this is actually you have a PLC, you have an HMI, and you have a SCADA server, you have a network that connects three, and once they're connected, don't touch it. Let's see. It's working. You need to actually go through a very strict management of change, just to make sure that whatever changes are made, validated, are actually approved by the plant managers, and they're not going to affect negatively in the performance of the network. So, that's why it's like, okay, once it's designed, you have a person that designed that control network or that later on was that person. And then was designed to be able to change it, you have a really specific reason to change it.

08:38 Raghu Nandakumara

Thank you for that very detailed explanation. I'm going to paraphrase, So, I apologize for sort of trivializing it a lot. But I think to summarize, it's like the priority in those control systems is keeping the plant operational, keeping it efficient, keeping it safe. Right? Kind of, though, if I think about those are the priorities. So, if I bury this to, say, a, like an application development environment, it's like the application team cares about availability reliability of their application. And it's almost if those are compromised, the security, they're like, "Well, if the application doesn't work, who cares about security?" So, now, kind of bringing it to your role today? How do you have that conversation with the plant managers or whoever you engage with that sort of in your engagements to walk them through how you can introduce security that they need in the right way that doesn't compromise the things that they most care about?

09:31 Carlos Buenano

Yeah, So, that's a very tough conversation. You know, plant managers and engineering teams are very protective of the networks. However, there is a concern around basically validating the performance then the design of the networks. The communications that these networks are actually exposed to. So, there are two basically two methods, I guess, two strategies. The first one is what is it for me? What is it for me as a plant manager? How can I actually or why would I want starting with visibility? I already have my inventories; I already have, I understand what the device is supposed to be doing. And then you start with that, you start like, okay, So, I do inventories up to date, do you understand what devices you have running that end of life that can potentially affect your production? Are you really, can you really be sure that these devices are, in fact, doing what they what they're supposed to do? They don't have any misconfigurations, who is actually making changes of your system or your PLCs? Are you aware of when they actually, in fact, are making the changes. So, the approach is actually more about, Hey, these are the benefits that introducing a security system is going to bring you and is going to basically facilitate some of the processes that you have to work on. And then perhaps and roadmap the most efficient and they understand the pain points. And it gives you a very, very specific example one of our customers in the team. They asked me, "Okay, well, I've got a problem with an IP address. You know, I'm trying to deploy this device on the network. And he says it's going to clash up the IP address, and I can't find it." And then it turns out that someone else came to me and introduced another device, used an IP address that was free in their spreadsheet, and then update the spreadsheet. And then the other person is, like, came in, it's like, well, I wanted to use that. And then they came and used the visibility, the visibility platform, and then tap the IP address and find it two devices. And then the plant manager is like, "Is that simple?" Now, that used to take me weeks to figure out how. And then once you actually expose that benefit. We said, "Okay, tell me more. What else can I do?" So, that's how I can't actually tell you straight answer things in terms of what the recipe is, but I can tell you the ideas. Get them involved, help them understand the security platform that you use also, is going to, it's going to bring some benefits, and then highlight the benefits on their side. Because the security part has to meet, they're not going to be interested in because then are going to provide benefit. It's going to provide some benefit to the whole organization as such, but not specifically to the team.

12:50 Raghu Nandakumara

That's fantastic. The IP address tracking via a spreadsheet story is funny because it does take me back to my days on the on the customer side. And those spreadsheets or whoever holds the keys to the spreadsheet is king or queen. I love how you describe that it's really bringing; it's not forcing the agenda about "oh, you need to secure," but it's about showing them baby things that they know, they're not seeing, or they don't know. Right? And that, as you said, that aha moments like, "Oh my god, is it that easy?" And I've been like struggling with this for ages. But I can only, like I think, one of the things you touched on very lightly was around sort of the amount of legacy infrastructure in OT environments. And we hear this a lot about how much sort of very old versions of Windows continue to run, because they're So, critical. Like, going back to what we were saying earlier about how important they are to running that safely. How do you resolve that?

13:45 Carlos Buenano

Yeah. So, let's just tell the story first. So, why do we have So, many legacy systems in OT environments? Right. So, when you are actually involved in a project, agreeing on the project, the first requirement is, the lifespan of this, whatever we're building this plant, this production line or whatever it is, is 30 years. That's the first requirement. Because this is a multi-billion dollar investment, they need to make sure that they have to expand as long as possible. Okay. So, when we actually entered the moment into an environment, we can actually see that there is a lot of legacy systems. So, that's the first challenge. So, that we have devices that are running Windows 10, Windows NT. Some systems are actually running serial interfaces. Some devices, at the end of life, are actually not years, in that imposed at risk. It has happened to me, where I was actually part of the engineering team and one production line failed. And we went and tried to resolve the issue and figured out that the card failed, it was the end of life. And it has been end of life for ten years. Because they are designed So, well, So, robust they can actually last for years and years and years until they fail. The problem is that we went to the stores, and we couldn't find spare parts because the last of the spare parts were used. And then, of course, we went to the vendor, "Hey, we need an emergency delivery of this specific card," and guess what? "We don't have it; we stopped producing it ages ago." So, what do you do? Right? Because to replace the equipment itself, it takes a coordinated project, okay, because you need to understand what you need to change it to and So, forth. And we ended up delivering all go onto eBay and finding the card, buying it, but that triggered a project to replace equipment, because it is a system that it costs $100,000 an hour, if it's actually not running. So, there are the challenges with the legacy systems is a very, very common to see it's the environment. And the other thing is that they are designed to run all the time. And for us to be able to remediate, execute, make any changes is not as simple as, "Okay, that's it, we're just going to replace it and replace it with the next." No, no, you have to create a specific project; in some cases, that is a Windows, or we call a shutdown window, where you have a very limited amount of time to make those changes. Okay, because that's actually how it is they're designed to run for 30 years, and then you can make changes. They have to be small changes that can fit in that window, that actually shut down process. It's actually also, driven by a project. So, you have a specific task, and then they will be controlled by saying, "Hey, I need to install a new firmware version for this specific card or replace this card." But then if the process the asset that they need to change, this is part of the testing of some of the other tasks within the item with the author of the of the shutdown process is like, they're going to tell you, "Unfortunately, you have to wait another year for the next shutdown window to replace it. Because we can't afford to risk the testing of this change that we're making that is more beneficial for the business or is driven by protecting people because it's actually adding more safety." So, you can imagine that all the design, longevity design, they all these different challenges when it comes to modifying and updating systems. It just keeps dragging, dragging, dragging, and that's why we see now, So, many legacy systems. 

18:17 Raghu Nandakumara

I love the story. I mean, I used to get frustrated when I thought I had long change windows in finance, but it doesn't even compare to what you're talking about. So, I just have a question before we go into the next part. I have a question about this. So, as you gave an example, these plans are designed with very long lifespans, which you mentioned are 30 years, right? So, I see the kind of both there's two challenges here you have securing the legacy environment that's kind of been running for up to 30 years. But then also, when you're securing the new plant you're building, you almost need to look 30 years in advance and plan for that from a security perspective. If I got that right,

18:57 Carlos Buenano

Yeah, no, that's about it. And some of the systems that you're going to find to achieve that, they are behind when it comes to the implementation of standard for Ethernet, for instance. So, I can tell you that when I was actually implementing ISO, 62443 network segmentation, I was actually creating the zones and the conduit just to make sure that had a whitelisting policy in the communications between devices. And it just gives you an example of how critical or how challenging necessary is to implement security in legacy system. So, this is a specific vibration controller, one of the most important parts of business critical because it measures the duration of the operations, and if something goes wrong, then it trips the system because you want to protect people. So, they didn't implement gateways. So, you have an IP address and mask, you didn't have a gateway. So, you can't, you couldn't even direct the traffic across to the firewall, let alone how do you block it? How do you implement the policy if you can't let it communicate through the gateway? Then you can imagine, okay, well, what do we do? I mean, that's we're going to have to risk assess. You create the risk assessment and try to figure out what you do. And then you have a really nice whitelisting policy, every segment segmented, and that one villain that goes across. Can you imagine some of the complexity that comes when it when it's trying to implement? And go back to your question. So, you try to actually design around the security net needed in the long term. But you have to create risk assessments that let you basically interact with what you have, work with what you have, create and minimize the risks, and implementing the solution accordingly with what you have. So, sometimes you don't have an option. And then you have to then basically isolated in a way, but the communication needs to flow because needed in the process.

21:23 Raghu Nandakumara

Yeah, if you've got something on the network, and you can't define the gateway, it might as well not be on the network, right? Can't talk to anything.

21:29 Carlos Buenano

But you need it because you just got to service to this. Yes, everything in the HMI they need to retrieve information, sometimes the actual, the logic, the strategy that is around the safety system needs to communicate. In a normal situation, it's hard; why they communicate, how, why, when, and your safety. When it comes to knowing the status, it needs to be on the network So, that the SCADA system or DCS needs to pull information to understand what that is. And you know, it's a requirement; you have to have it regardless.

22:07 Raghu Nandakumara

Yep. So, before we get on to talking about Zero Trust, I wanted to go back to something that you said about how, again, the plant manager what they care about, right, but when like sort of when I'm reading, like the security news, we see a lot of coverage about attacks on manufacturing plants, energy and utilities organizations, and this kind of real concern that attackers are now targeting sort of critical national infrastructure. Right? And not necessarily the data site to steal data, but actually to disrupt services or disrupt production. Does that not resonate with the sort of plant managers, and like is that not something that's their concern? 

22:48 Carlos Buenano

It is definitely a concern, but it's not their concern, because they're not security people, they're not in charge of security. Until now, they haven't been accountable to basically provide security. Of course, they are concerned about the operations being disrupted. But they rely on the design of the network. And the vendor saying this actually was designed with security in mind. But the reality is that they are not really concerned because it's not their scope. Nowadays, with Industry 4.0, for instance, that's actually changing because CISOs are becoming accountable. And because of that, they are becoming more stakeholders from a northeast perspective. And then that trickles down into the plant managers and engineering team to say, "Well it's not an option anymore." You need to help me help you in a way. And that concept is starting to resonate a lot more. I mean, because we can, we can see the effects the CISOs are actually making sure that that communication is passed on to the team, and they start helping towards the security and the processes need to follow. There's still different processes, I can still listen yeah, I understand. But safety and production is first, and then I get to security later. 

24:19 Raghu Nandakumara

Yep. Yep. No, I completely understand and that resonates. So, with this sort of move towards industry 4.0, for more integration between sort of the IT and the OT sides of organizations, and we're seeing a lot of real adoption of Zero Trust strategies right across verticals globally. Firstly, what does Zero Trust mean to you as a practitioner? And then secondly, what does it mean in that space that you operate in?

24:47 Carlos Buenano

Look, it is very important and relevant, and I think one of the, one of the motivators from an OT perspective, especially when it comes to engineering team and plant managers. There is a very, very well-known benefit when it comes to Zero Trust having a platform that allows you to provide policies that then allow you to validate the communications that allow you to securely manage devices with the OT, it resonates right very well. In fact, I, myself have deployed several Zero Trust strategies into environments. And the benefit is that the plant managers, they, well, first of all, they want to give the way for systems managed by vendors to be able to come in and then provide maintenance that diagnostics, calibrations to their systems. They want to do it securely, they want to understand when it happens, and who is doing it how long is happening, So, that it's actually very appealing to them? Because well, first of all they get a notification, somebody wants to connect, he decides how long they want to connect to, to that specific device, most likely to be an engineer or station, or a draw, or anything that is actually within the OT network that it needs maintenance. So, that allows in third-party vendors to come securely into the OT network and then being monitored, being recorded, being validated. So, that resonates really well because it's all part of the of the management of change processes becoming part of that of that process. And they can actually be basically tracked very well. 

26:41 Raghu Nandakumara

And how are you seeing adoption? Because I think that's a great, like, that's a great example of a perfect use case for Zero Trust. What are you seeing in the OT space? What are you seeing as sort of the rate of adoption of Zero Trust for use cases? Is it a real, sort of organization that are sort of having real programs? Or is it still fairly immature compared to other verticals?

27:07 Carlos Buenano

I was actually surprised that it depends on the industry. When you talk about oil and gas, for instance, it's a must, okay, there is no question. So, the adoption rate is very, very high. Mining is following behind transport and energy still trying to mature. Manufacturing is trying to mature on that as well. But you can actually see, that is a push, and that is a really good adoption from a Zero Trust methodology to protect the networks. Okay.

27:39 Raghu Nandakumara

And those are verticals where, like, for example, you mentioned energy, utilities, and mining; what is driving the accelerated adoption there? Is it like regulatory requirements? Or is it just the fact that their concern of the threats?

27:55 Carlos Buenano

It's a bit of both. So, it's a bit of both. It's also, I will also add in the operational benefits. So, we have then threats, and they want to make sure that they have, internally, they all systems that they are maintaining those have the security policies, and they are only the ones that are accessing all the devices within the OT network. And then that name, of course, then protects from a third party having an unknown device, asset, laptop connected to the network, that they're not that. So, that, then removes that concern, then then you have compliance as well. So, just to make sure that they comply. I mean, depends on the country that you're in. So, you have NIS2 in Europe, and then you have others here in the US. But that's actually also become more important because it's actually that regulation is becoming sixth kicking in, and then they need to actually have those processes in place. But then operations, as I mentioned before, operations, because again, the IT and OT convergence is actually amongst us, and is important because they use issue at the moment is, you know IT and OT needs to compare merch because there's a lot of systems in the IT network that are nowadays used to provide reports or scheduling, monitor production and all these things that they need, basically to connect in towards the environment to pull that information. So, that's actually becoming inevitable. And then when that merging of the two networks becomes more obvious, and we are talking about legacy systems, the attack surface increases too greatly. And then having the Zero Trust platform or framework will actually minimize the risks across all the different scenarios that we can think of. You know, like you were saying, stealing data, ransomware you know, any other attack vector that can be exploited.

30:06 Raghu Nandakumara

So, before we talk about the challenges with applying zero across the legacy infrastructure, let's just, because you touched on that need for the IT and OT to increasingly converge; what are the cybersecurity challenges, threats risk, whatever, however you want to phrase it, that organizations are concerned about as that integration accelerates?

30:23 Carlos Buenano

Well, first of all, it's the know-how, So, when it comes to IT/OT networks, very differentiated before, OT networks are executing that specific task only. IT is completely the opposite. IT will actually provide tools and systems and processes that are designed to increase the efficiency of people, okay, as such, and then the essentially, the philosophy between the two networks are completely opposite. So, the biggest concern is that you know, that philosophy clashes as soon as we start opening the OT networks into IT networks, and that's a big challenge. Helping IT people understand the requirements of OT, because again, they're not familiar with it, also, understanding the dynamics of the devices within our OT network, and how they need to behave what systems need to communicate to each other. How can we achieve that segmentation? And it's a very difficult and a very steep learning curve to basically implement that information or those mechanisms into the OT environment. And of course, getting the buy-in from that, from a manufacturing point of view, from an OT process point of view to implement these processes, right? So, that's why there are So, many challenges here because of the nature of the networks. 

32:03 Raghu Nandakumara

And just to inquire about this challenge is just a bit further. Obviously, in other verticals, the whole sort of cloud transformation, digital transformation, is a huge driver, right? And massive concerns about how do we secure applications workloads as they move into the cloud? Is this a real concern in the OT sector as well? Or is the focus much more on that OT/IT convergence at this stage?

32:27 Carlos Buenano

Look, to be honest; we are driven when it comes to new technologies and pushing technologies into IoT environments; we are driven by this pen that the vendors. And if the vendors don't support it, we simply won't go. We will take that path when it comes to digital transformation, depending on the industry, depending on the manufacturer, that actually developing these systems you might or might not have the possibility to install a SCADA server into hypervisor, or hosting that into the cloud, because the technology is not there yet, or the vendor doesn't offer it. So, because of that, then I don't think that's a driver. The driver is really financial the driver will be reducing the footprint. They're using the managing costs, the production costs, but not So, much about security.

33:28 Raghu Nandakumara

Understood. Let's go back to Zero Trust. What are the challenges with adopting a Zero Trust strategy when you have So, much legacy infrastructure? 

33:39 Carlos Buenano

So, the challenge is, basically how you implemented, how are you basically are able to put those policies in place when you have to make So, many changes. As I mentioned before, some of the legacy systems do not support the requirements or the technology that is needed to implement Zero Trust. That's one. Number two, legacy systems might not have the performance; they definitely don't have the capability to authenticate or validate what policies have been put in place. And of course, how we have time to implement it. So, finding that window, to make the changes to restructure or redefine a redesign, and then network So, that we can implement the network changes that are required to make Zero Trust work. So, that's basically the challenges that we face.

34:42 Raghu Nandakumara

So, when organizations ask you for your advice and say, "Okay, I want to adopt a Zero Trust strategy to secure my IT/OT environment," how do you guide them on where to start and how to start?

34:53 Carlos Buenano

So, obviously this communication, these you know, you need to be very honest. But there is always there is always the boundary. You start with a boundary, and they start going deeper into the systems. So, basically, you can establish a new DMZ, for instance, without having to make too many changes of your OT network. And then from there, then try to find the path into the different systems to start achieving that Zero Trust method. So, securing the network. You have to be very creative; you have to sort of understand the network, gain the visibility, understand how they can communicate with each other, and then start making decisions. You know, risk assessments. Again, communication is always important. Express the benefits from an operations perspective, as I mentioned before. And try to get the buy-in from an operations perspective because they know the processes and what  the capability is from a process point of view to start implementing these systems. It's not an easy task. You just have to break it down to care less, let's just create the visibility first, they understand what devices we need to protect, they understand the business-critical devices, and then isolate those business-critical devices, and then implement Zero Trust, and then start expanding across as a programmatic process, until you get to the end. It's not going to be a very small journey or short journey; it's going to be a long journey. But if we do it, step by step at least we can gain the first goal, which is securing the network. And then the second, then continue on until we're finished protecting our network.

36:58 Raghu Nandakumara

I love how you express that. And the way you summarize that, because I think that is the real path towards actually seeing measurable improvements in security, right? And as you said, for all the challenges that exist in those environments, trying to do anything on a massive scale is pretty much impossible. 

37:16 Carlos Buenano

Unless you have greenfield projects or brownfield projects, it's impossible. 

37:20 Raghu Nandakumara

Yeah. Because it just kind of getting done as you kind of go from like that real macro view. Right? And you kind of continue to refine, refine, refine. Do you see an opportunity to leverage, like, apply Zero Trust security principles to things like control messages So, that when an attacker couldn't, say, hijack a controller and essentially put in sort of illegal messages? And apologies, I have the terms all wrong.

37:52 Carlos Buenano

It's okay. It's okay. But I look at the answer is yes. Okay. The answer is definitely yes. I think as vendors mature into the cybersecurity reality, and the requirements what we haven't seen before is, vendors are starting to design around security.  So, they're starting to look at ways to authenticate changes, controller changes making sure that they cannot sense, okay, they start looking at encrypting the protocols that are in charge to make those changes. But right now, there are systems that are becoming available that they can actually put in line, where you have the device that you put in line, and then that device in connects to the PLC network. And then any configuration that needs to be done through the network from an engineer with a session to the PLCs, that communication needs to be authenticated. And they use Zero Trust to authenticate, to provide access control, to understand, to think and the policies of who can make the changes, what changes this person can make and so forth, that can actually be very, very good in terms of gaining access to continue with the systems. 

39:16 Raghu Nandakumara

So, almost like a, the equivalent of like a WAF? 

39:18 Carlos Buenano

Correct, right. 

39:20 Raghu Nandakumara

So, just kind of as we as we move forward, we talked a bit about sort of the adoption of Zero Trust strategies in a number of industries. And we kind of see like the different approaches by which, in various regions, this this step forward is taking place, you've got obviously the direction from, in the case of the US, you have that that direction to go and adopt a Zero Trust strategy. Whereas let's say the EU we're taking much more of a compliance-based approach. What are your thoughts on the pros and cons of those approaches and what we need to accelerate this?

39:52 Carlos Buenano

Yeah, so, it all depends on basically the governments and the countries and the regulations they feel comfortable with. Okay, So, you can actually see in some countries, like you said we have better resources were understanding of, of the requirements. And we see, for instance, that the US adopting Zero Trust, have been more like you said, and then Europe compliance a bit more. But the reality is that the more we can do to secure systems, the better. Compliance in my opinion, compliance framework is a great way to start for those because it's when you look at the frameworks, some of the frameworks are designed to take you by the hand to actually start putting processes in place to start securing your systems. Okay. So, and that's great, that's a great start. But you need to actually be a bit more thorough when it comes to then controlling. And I will say that we can really separate one of each other, okay, because some of these frameworks, they requirement is authentication, but zero trans goes above and beyond that. So, there is a lot more than authentication is. Authentication and validation, but Zero Trust goes beyond that of what basically who is actually accessing, not only from a user perspective but from a device perspective. And that's basically a step forward. And it requires more maturity. But in my opinion, they're both required to have better chances to be protected. But from an operational point of view, to be honest, I like the fact that you can have management of change processes that can actually link to Zero Trust to basically monitor and validate changes that are being made on the network, or the devices or the process, to have more control to be more thorough. And when it comes to productivity and process and integrity.

41:55 Raghu Nandakumara

That's a really interesting take. I've never heard anyone say that about applying Zero Trust to the actual the process itself and using that as a driver to kind of drive better practice. Right. So, it's almost you're not necessarily driving a new technology, adoption, etc. But you're just saying, "I'm not going to allow things to creep in as part of the change process at this stage."

42:17 Carlos Buenano

Correct. Correct. And that's the pattern I like the most. 

42:21 Raghu Nandakumara

So, as we get close to wrapping up, if you're able to provide this perspective, how do you think the critical national infrastructure space today is geared up to survive a large-scale cyberattack? What is your confidence in that?

42:38 Carlos Buenano

So, it's a very difficult question as well. But look, they have the resources they have the frameworks, they have the good ideas, okay to basically protect systems. But the reality is that, when it comes to having people resources that need to implement these people that need to respond from a specific incident was still developing that, it's still early stages for them to be in a great position to survive, I guess, I don't know if that's a good word, but to be able to respond and remediate, and a large scale incidents. You can actually see that they there is a lot of work in place. That is a lot of real procedures, there is a lot of mechanisms and frameworks. But if there's a large scale you will be very, very difficult. Just to give an example of Log4j, we all work towards that as a community. But we were, in a way, very isolated from each other. Everyone was actually doing their own thing and trying to survive in the independently. And some organizations were more ready, but still have a lot of work to do. And some of them still trying to recover. So, it is just an example of do we have what we need? Yes, but can we actually implement what we said we need to do? I don't think we're ready yet.

44:09 Raghu Nandakumara

I like the way you phrased that because I think you're, you're presenting a glass-half-full picture. You're optimistic that we have almost like the tools in place and that we now need to sort of drive adoption, and you spoke about really working as a community rather than in isolation, which is, I think, So, important to better security. So, looking into the future, Carlos, right? If we don't talk about AI in any conversation, then, like, no one, no one will the SEO, the SEO will be trashed, right? So, how do you see the relevance of AI in the OT space, not just from a cybersecurity perspective, but in terms of what, like its benefits towards operations, and then, of course, right, its use in securing that? 

44:56 Carlos Buenano

So, look, AI is a very, very powerful tool, right? So, and you know, as long as you have the data you can actually take advantage of the results that gave you the automation the reporting. So, there's a lot of benefits when it comes to AI, we basically use it in our production system to correlate information to create reports to be more in tune of efficiency, And create the basically manage the data in such a way that no other results while being positive. But unfortunately, that is always the other side of the coin, right? So, there needs to be actually used for a good use, it needs to be used to benefit we already started to see AI, in OT environment, specifically, use to take advantage of vulnerabilities to take advantage, and this is actually we have already seen some attacks, cyberattacks, and using AI, and exploiting, unfortunately, vulnerabilities from these legacy systems, they don't even have to log in to the machines they use AI to understand how to basically exploit that vulnerability. But at the same time, then we can actually use some of the tools using AI to fight against that. So, I guess my position is it is great, So, long we use it good in the way design, if like everything, right? It's like, yeah, we can use it to improve production. We can use it to improve security. But at the same time, we need to be very careful because if it's not implemented properly, and it actually gets in the wrong hands, it can basically work against us.

46:56 Raghu Nandakumara

Yeah, absolutely. Right. And I think you touched on that in the AI, in the hands of an attacker, gives them the ability to sort of have a far more detailed visibility and analysis that would sort of, they'd have to spend a lot of cycles on doing today. So, I think if I think about this from a Zero Trust perspective, it's then how do we ensure that their view in the environment is as limited as possible So, that they can hoover up as little information as possible to drive that analysis?

47:25 Carlos Buenano

We segment basically, segmenting every possibility from an authentication point of view, and they have to be authenticated So, the vulnerabilities cannot be exploited because you need to get in. From a business-critical point of view, you can't get to the place that you need to get to actually affect production because you have Zero Trust methods to avoid this spread. Okay, then you have that network segment. And it's like, whoa, you get there. But you can go forward. If you get there. That is, yeah,

48:01 Raghu Nandakumara

Absolutely. So, let's wrap up with something fun. Carlos, what is your favorite Zero Trust analogy? So, if Carlos was describing Zero Trust to a five-year-old, how would you describe it?

48:12 Carlos Buenano

It's like the security part, right? So, you can design, and I'm going to just change my analogy for a minute So, you can design a house. And this is actually how I explain security to my sons: you can design a house, and the house has windows and doors. Are you secure? And they say, "Yeah," okay, what if I break the window? Ah. What if I pick the lock? So, what else can you do? Okay, well, you can pull bars and your windows. Okay, what if I can bring an end angle grinder and then angle around the device and break the window? Well, you can actually put a roller door, that's actually how I see Zero Trust. You know, it is a full set of methodologies to ensure that your house is secure by segmented to maintain the security processes, right? So, you actually have to define, and again, risk, assess, and then understand how you secure and put the controls in place. And one of those controls is video cameras, for instance to understand who is accessing. And then the other control is just to have a very secure authentication system that allows you to get into the house, and they once you in the house and you have the cameras to actually see you what you're doing. But then you get into a room, and then you only have access to that room. That's your room; you sit down, lay down, and sleep in there. But you try to go to your brother's room, and you can't because you're not allowed. You know, that's actually fun.

49:51 Raghu Nandakumara

I love it. It feels like you actually have Zero Trust conversations with your sons, which I really like. So, Carlos, it's been such a pleasure to speak to you today. Thank you for such an enlightening overview of security in the OT environment, the challenges the future, the relevance of Zero Trust, it's been eye opening for me who actually has no understanding of that environment. So, I really appreciate that. And for the listeners, if you haven't already had the chance, Armis recently published a fantastic research report the anatomy of cybersecurity, a dissection of the attack landscape. I highly encourage you all to go and check that out. Carlos, thank you so much.

50:32 Carlos Buenano

Thank you so much for having me. It was fun.

50:35 Raghu Nandakumara

Thanks for tuning in to this week's episode of The Segment. We'll be back with our next episode in two weeks. In the meantime, for more Zero Trust resources, be sure to visit our website, www.illumio.com, and find us on LinkedIn and X using the links in our show notes. That's all for today. I'm your host Raghu Nandakumara, and we'll be back with more soon.