The Colonial Pipeline Attack Underscored the Timeliness of Our OT Roundtable

I hosted a roundtable recently with two experts on operational technology (OT), which we published in the form of an edited transcript. It was called “Enough About Data Breaches. Let’s Talk About OT Security.” Almost immediately after, a ransomware attack on Colonial Pipeline spurred great interest in the nation’s critical infrastructure, which was a big part of our conversation. Then on May 12, President Biden released Executive Order on Improving the Nation’s Cybersecurity.

I asked my roundtable guests what they thought of the executive order in light of our talk. Joe Weiss, an expert on instrumentation, controls, and control system security, and author of the book “Protecting Industrial Control Systems from Electronic Threats,” was not impressed. An executive order covering this area was “desperately needed,” he noted, but this one failed to address “the unique issues associated with control systems.” It was clear to him that either no control system cyber security experts contributed to the EO, or that their input was ignored.

Mark Weatherford, who has held a variety of executive-level positions in the public and private sectors, was a bit more upbeat. Weatherford is currently chief strategy officer at the National Cybersecurity Center. He was previously chief security officer at the North American Electric Reliability Corporation, known as NERC, and served stints as chief information security officer for the state of California and the state of Colorado. He called the document “the federal government’s most ambitious and comprehensive attempt ever to address a long list of cyber security issues.” He pronounced himself “happy with the overall tone” even though “it doesn't provide any great detail about operational technology.”

If you’re wondering what makes OT a big deal—even though it’s barely mentioned in the executive order—I invite you to click on the short (most three minutes) video highlights of my conversation with Weiss and Weatherford, which veered from finger wagging to fist bumps. Or, if you have time, watch the longer (36 minutes) video that puts the pieces together. A link to the edited transcript, which is the most comprehensive version of the event, is also provided.

Short Video Highlights

#1: What’s the Problem? (3:15)

#2: Who Can Unite Operations and Networks? (3:59)

#3: Do You Send Someone with a Laptop or a Gun? (3:26)

#4: What an OT Attack Looks Like (5:17)

#5: Out of 16 Critical Infrastructures, One Has Federal Security Standards (3:47)

#6: Do Chinese-Made Transformers Have Hidden Backdoors? (6:50)

#7: Should Reporting OT Cyber Events Be Mandatory? (4:07)

#8: One Suggestion to Improve the Situation (3:21)

Long Video

Enough About Data Breaches. Let’s Talk About OT Security (36.35)

Edited Print Transcript of Complete Roundtable

Enough About Data Breaches. Let’s Talk About OT Security