hello everybody and in this video I wanted to talk about the 16 critical infrastructure sectors and why they're important when we talk about industrial control or operational technology security you know a lot of times when when we start talking especially with new folks to to come into cyber security and Industrial controls and OT there's a lot of a lot of confusion around just because of all the different terms and whether we talk about ICS or OT or scada all these different acronyms and then we start talking about critical infrastructure versus well it's not critical you know there can be a lot of confusion so I do like to take you know all of the different look you know look look at you everything from different aspects and one is to kind of take a step back and and look at the the different critical infrastructure sectors or in this case if you want this is housing U.S government and cisa Define essentially critical infrastructure for the United States right the idea is that these different areas you know we can't live without the society can't live without these and and if we had any issues in any of these areas there's significant repercussions that's why when I always think about industrial control security my main focus is is is always this idea that you know what happens if this facility goes down and it's not not a question of if it goes down for a couple of hours if a power plant goes down for a couple hours we can live without electricity for a few hours and that's okay but when hours becomes days and days could potentially become weeks or months or so on and so forth you can just imagine you the the repercussions The Fallout that happens from those extended algae right the longer they go on the the impact only exponentially increases so again I just wanted to take this kind of brief look to look at some of these sectors at a very high level you can see there's there's 16 that that CSA have defined and if you can see that the URL at the bottom is where you can go actually to the cesa page and actually look at additional details on each of these and there's a lot of great information especially like in chemical and energy if you really want to to dig into it uh even further right or you can just Google for uh cisa critical I think infrastructure sectors and and it'll pull up the page for you so there's a lot of great information that that's there and then it'll help let you dive into to those but I wanted to look at you know the first one we talk about chemical and a chemical as a a sector is actually broken down into four different groupings if you will so they have basic chemicals I talk about specialty Agricultural and then and then consumer so everything from from the the sprays and that you can buy at the store to clean your kitchen and bathroom to pesticides right that we we spray in the the fields that we come back and talk about in one of the later sectors when we talk about food and Agriculture and that's one of those themes that you'll see as we go throughout is this idea that so many of the sectors play off of each other and they're dependent in a lot of different ways on each other but but the chemical sector is is made up of they talk about on the site hundreds of thousands of just in the United States I think of of chemical and petrochemical Facilities that are responsible for for creating building and and making all of these different chemicals that we use in in our lives I do think back to you know 2017 where we had the Trident or trisis incident which was where a nation-state adversary had taken troll over the sis systems or the safety instrumented systems at a petrochemical facility in the Middle East and it's it's that one known cyber security incident in control systems where the attackers were taking over that that sis that backup Fail-Safe system right that shuts down the plan in case anything happens so the whole point of that system is to protect life right it's protect physical harm from from coming to the people on the site and that the idea was the attackers had taken control 99.9 of the control they made one little coding error which prevented them from having complete control but it demonstrates that there are attackers out there and they are targeting these environments and in that case you know potentially to create some type of explosion destroy the facility and and have an impact you know killing people so of course we can imagine there's a lot of focus in in industrial control security around the the chemical sector space especially since since tried and the crisis incident now commercial facilities comes up and so there's less of a focus on more industrial controller operational technology Security in this case we're we're typically looking more from a physical security aspect and commercial facilities is pretty much anything where the public can go it's a very general very broad um the only talk about whether it's you can see a sporting event at a stadium whether it's a shopping mall amusement park so I always think of you know I met the gentleman at Disney that's responsible for cyber security for all of the rights right that's a that's a pretty fun uh industrial Control job for sure right but zoos museums even hotels the list goes on and on any place essentially that that the public can go to so again we're typically considering more with s with physical security in those cases but there's also an aspect of of OT or ICS security when we think of things like a building management systems so making sure that elevators are secure air conditioning heating right proper ventilation a lot of those common systems that we see from from building management systems we make sure that if there's a secure badge readers that are used to access sensitive areas in those locations by authorized Personnel like those are those are kept secure uh and so so there's definitely a lot of a lot of security concerns most fallen inside the the Physical Realm but but they're also there's definitely some some operational technology concerns there is uh in addition to right we talk about Communications and and so much of what we do in today's world is based off of communications whether we think of the internet or point-to-point communication or we'll talk about you know a lot of the other different fields especially you know with sectors like emergency services and how critical Communications is to dispatch for fire for for police yeah other First Responders but how much of of the world we we live in base of communications when we think of power transmission and distribution right we're monitoring those lines we're using skate it which is just really a a fancy acronym if you want for industrial control security and management and operations you know going over some type of wide area link and so we're reaching out to the field to pull back information from those remote systems right that's all done over some type of communication link so if we don't have those communication links we lose that ability to monitor those remote systems we lose the ability to control those remote systems and ensure their their security and availability and there's critical manufacturing and critical manufacturing at least to me is more of the focus of any manufacturing facility that produces goods that is used by any of the other critical infrastructure sectors you think so where we talk about metals they you know start to talk about all the different Machinery that are used in all of these other different sectors we want to make sure that um you know we're able to receive those goods and continue operations I need to make sure I'm able to buy parts to be able to maintain my my chemical refinery or petrochemical facility right um so there's this idea of manufacturing manufacturing is one of those areas that probably doesn't get a lot of love in in icsot cyber security a lot of times because I think it's sometimes seen as maybe too simple of an environment for some but it's very important uh nonetheless and it shouldn't be taken any less seriously um than than any of the other environments where we focus on on control system security so look at dams uh and dams are interesting it's another one of those that that doesn't get a a lot of a lot of focus from from an icsot perspective that there's a lot that depends on bands I always you know I'm always worrying about the water shortages and the Western especially the southwestern portion of of the United States and so much of that and irrigation into the Farms supporting agriculture right and and food that is it comes from from the dams within that that system in in the southwest which is really interesting right dams can be used for power generation so when we go back to to talking about energy shipping that's that's done um based off of the the different waterways that become available from from the dams plays into Waste Management you know water management and of course unfortunately we saw you know the recent loss of the dam in in the Ukraine where you you don't have to go far to see the repercussions of what happens when when Dale dams fail right so there's definitely another important sector that doesn't get a lot of attention but but definitely should and there's a lot of you know great you know defenders in in that field so there's a defense industrial base which I always find very fascinating and for the company I worked for in my day job is is part of the defense industrial base right we're a contractor to the United States government that helps support the the government's missions in different places around the world for example we had supported the army bases in Afghanistan and so if you would go into the the mess hall right the kitchen for for dinner at one of those bases it's not a soldier that's that's the Cook or you know the cleaning the dishes or or serving the food it's a floor employee and so that's you know kind of an example of the defense industrial basis the contractors the subcontractors that help support the the government in their different missions around the world it's okay it's another one of those there's not as much of a focus on ICS OT security but more physical security and then probably more of a traditional I.T cyber security perspective but also going back there's some ICS and OT considerations there with things like uh building management systems and anything sports that that would plug into physical security and helping there so uh they talk about Emergency Services another one of those areas that's very critical to the society today and making sure that we can get First Responders there um you know we learned a lot of those lessons ideally during during covet but it's a police the the medical you know First Responders fire you know response um you know that that come out to to save us when when we need them right and going back to communication right being able to dispatch those Services being able to for for somebody to contact 9-1-1 at least in the United States right to contact emergency services is is an essential service right so again it's making sure all of those fundamental services that support the emergency services and the First Responders right are are there and they're always available so and then my favorite and probably the one area that gets the most focused in industrial control security is energy it's my favorite because my first project for industrial control security was was actually a large power plant one of the the larger power plants in the the Western Hemisphere and so it was really exciting to get to go on on site and then be able to see as it's being energized and just the electricity and in the air around you it was pretty pretty phenomenal um but whether we talk about a power plant generating power or you know sending power out over a transmission lines so when I talk about transmission and then distribution right how we take that power and get it to homes and businesses or they can actually take in and use that that energy again that it probably has the the most focus and in a from an ICS OT cyber security perspective to make sure that that plan is always continually generating or that we do have continuous transmission and distribution of power because it is it goes back to the we can live with yeah the power you know goes off for a couple hours not the end of the world but you know once it gets to six hours or 12 hours or a couple days I mean and then okay just the the repercussions just rise exponentially so there's definitely always a large Focus around round energy we talk about financial services so this is one that has probably more of a traditional I.T cyber security Focus uh when we talk about ensuring this ability of financial services uh I think I think of the the not petcha example that Andy Greenberg highlighted in his Sanborn book where where not pecha took out since all Financial Services in the Ukraine and so you had somebody trying to rush into the store to buy food and that they try to use their ATM card or the debit card or credit card and it doesn't go through because all of the systems are down so you know they they try to go to the ATM to get cash and there's all the ATM functionality is down you start to think of all those those repercussions again the the impact so there's more of a again a traditional I.T cyber security Focus there but um doesn't make it any less important just not as much of a strong industrial control or OT perspective you know food and agriculture is is definitely one that probably is another one that's taken taken for granted a lot of times but when you look at you know where our food comes from and making sure our food gets to our table and into our stomachs safely um that it was interesting there was actually just a recent activist attack against farms in the Jordan Valley in Israel where they had knocked off all the systems that that were responsible for watering the fields and the Jordan Valley it wasn't the end of the world the the workers could go and and just switch to manual operations and still water the fields it wasn't the end of the world um but you start thinking if in more sensitive environments like like a nuclear power plant you don't necessarily want your systems to go down and then just say okay oh we'll just send in a worker uh you know an employee to to go ahead and manually operate the the facility right there's definitely a lot of you know security and safety considerations that we have there but but food and agriculture is obviously obviously I don't you know very important to our life and it depends on so many other sectors so we talked to you know right the chemical sector for pesticides which we talked about earlier or obviously the water making sure that we're able to water the fields and grow facility uh growth plants right energy and things like Transportation um it's so much that it depends on and and we all depend on on it as well as all these others they talk about government facilities this is another one that's more probably traditional more I.T cyber security you know and we also look physical security and there's you know a component of OT like when and we talk about things like building management systems and secure badging so making sure only authorized Personnel will enter into certain areas of that that installation and and so government facilities actually covers federal state local tribal buildings so any any government building within the United States and then also because it's interesting so National Labs so so floor actually manages and runs a few of the National Labs um different military installations courthouses and and and so on so a lot of importance there um Healthcare is is one of those another um that doesn't get a lot of attention it got a lot of attention uh especially at the beginning of the pandemic of course and we saw the you know the the impact to doctors and and nurses um but you know we we get sick or you know we need to it's an emergency we want to be able to go to to the hospital I've had a procedure you know so I've been on a a surgery surgery but I've had a procedure so I've been on a on a table right where they they knock you out and and they have instruments inside your body right it's I always yeah what would happen if there was a a attack against the systems what if you know the systems went down right and healthcare for me hospitals are very interesting because there's there's definitely a physical security component there's an I.T cyber security component and then there's a a industrial control or an OT for uh component as well so you look at different systems that are used in the the emergency room the operating room we always joke about the the four million dollar MRI machine that runs on Windows XP but it's true I mean we have to make sure that those all stay secure and available to ensure that that doctors and nurses and other staff can can take care of their patients so and then we talk about it is another one I group into like with Communications it's it's almost it just it's kind of this commodity right that we just assume is there and we have that connectivity and we have the systems I think of all the you know the data centers that support cloud and and how cloud has changed our line especially over the last five ten years and changed business in the world where we live in and what would happen if if we lost those capabilities there's a very you know importance there a lot of course again more of a traditional I.T cyber security Focus but but there's you know some some OT considerations there for sure you know nuclear reactors materials way that's a another big one like like with Just Energy in general right because we think of the most dangerous type of energy generation like what could happen with you know what you think of um you know all the way going back all the way to the Three Mile Island or uh looking at Chernobyl or you know the the fears of having some type of nuclear reactor um issue right so there's there's always a strong focus on on cyber security as well as physical security and nit Security in these environments but as well as those nuclear materials before and after use right how do we properly and safely as possible Right dispose of of that that waste we talk about um let me see water and then uh where we look at you know how it touches so many aspects of all these different sectors as well as of course making sure we have things like clean drinking water or being able to cook or you know being able to go to the hospital where clean water services are essential and and Etc so so it's definitely one of those areas where it's another one that's underserved from an icsot cyber security perspective it doesn't make it any less important than than any of these other uh sectors right and then we talk about Transportation right getting people from point A to point B right safely is really what it comes down to I've got to do a been very fortunate lately especially to do more and more work in transportation and commuter rail so um you know be able to look at the systems they're responsible for moving the train if a train comes up to an intersection you want to make sure that all the the guards that come down in place so that way cars and and people right pedestrians are not moving in front of the train uh where you could have potentially somebody you know seriously hurt or more than likely you know killed unfortunately right so you take that very safe you know the the safety concerns very seriously you know what happens if the the person you know responsible for for driving the the train um but they do have that stereotypical um kind of conversation but what happens if they have a heart attack or they pass out right they have a seizure and they're not able to slow down the train as it comes up to a curve and the Train's going at a high speed right make sure that we're able to slow down the train you know through through automated controls safety controls in that instance so again we're protecting the the safety the lives of the people that are on the The Reel itself so so all very um important aspects but but yeah it's it's yeah I like taking the time to look at you know the different sectors so when we talk about industrial control security as well as we're really talking about in in industrial and Industrial environment and what is that being and from the the U.S government perspective right these are the the critical infrastructure environments and when we hear critical infrastructure right and these industrial type of environments um most of these are I guess industrial we don't necessarily have threw in like things like uh critical or Emergency Services per se but um you know the the importance of when we look at these environments and then looking at each again and what happens when one doesn't you know becomes unavailable for a couple hours versus a couple of days a couple of months what is the impact and that's to me that's what we're protecting in industrial control security right in operational technology cyber security so so I appreciate everybody's time for checking out the video if you have any questions comments you know concerns uh please don't hesitate to to reach out and you can find me on LinkedIn and Mike Holcomb all right thanks again take care