Welcome to today's very special, in-studio presentation of theCUBE. I'm Peter Burris, Chief Research Officer of Wikibon, and we've got a great guest. We're going to talk about critical infrastructure today, which is a topic that deserves a lot of conversation, but sometimes ends up being a lot of talk and not as much action. And we've got Phil Quade, who's the Chief Information Security Officer of Fortinet, to talk about it. Phil, thanks for coming to theCUBE.

Appreciate being here. Thank you.

So Phil, the issue of security is something, as I said, that's frequently discussed, not often understood, and therefore often is not associated with action, or perhaps as much action as it should be. Talk about the conversation that you're having with customers and peers in the boardroom about the role that security is playing in business thinking today.

Sure, thank you. The folks I talk to, they're not dumb people. You don't make it to the C-suite without having some type of intellect and perspective. What I found is that they recognize indeed that we are in the midst of another computing revolution and the roots of that trace back from mobility to the cloud and now the internet of things. What they don't quite recognize, though, is that we're in the midst of a security revolution as well. And I look at that as going from security from being point solutions to being ubiquitous security everywhere, to having that security integrated so it works as a team, to have that team-oriented security simplified so it doesn't overwhelm the operators. And importantly, in the future, much more automation, so far, so highly automated to the degree that it will actually execute the intent of the operator and of the security people.

So, Phil, you made a very interesting point. You said it's security everywhere. We usually think about security as being something that existed as the perimeter.
Almost analogous to walking into a building and securing the outside of the building and once we secured the outside of the building, everything else was fine. But the nature of security everywhere means that the threats seem to be changing. Talk about the evolution of some of the threats and why this notion of security everywhere becomes so important.

You're right. We all know how well relying on boundary security alone works. It doesn't. You have to have boundary security where there is indeed a defined boundary. But increasingly, networks are borderless. You'll work from home. You'll work from your car. You'll work from while you're taking a stroll in the park. But you also need to recognize that you have important assets there in your data centers, there in your clouds. So it's not about having point solutions at the border, but it's about having ubiquitous security that can operate in your pocket, on your laptop, on the edge, in the data center, in the cloud as well. But this is importantly, having all those pieces working together as a team.

We like to talk at Wikibon about the idea where everybody talks about digital transformation. But to us what that means ultimately is that companies are using data as an asset. That's the essence of digital transformation. This notion of border security becomes especially important because our data becomes a representation of us, of our brand. Data is acting on our behalf right now. So what are some of those key kind of new things that we're concerned about in terms of the new viruses? I mean, if we think about a hierarchy of concerns, bullying, all the way down to strategic, where are we in understanding that hierarchy and how we're dedicating the right resources to making sense of it?

Sure, it's tempting to think that WannaCry and NotPetya represent the new normal or the cutting edge of the cybersecurity threats we're seeing today.
But I think we need to take a step back and recognize the intent of such threats. Some threats come at you because someone simply wants to cause mischief. Others because they are trying to bully you into doing certain things. Some of these threats are based on a criminal element where they're trying to get some type of financial gain. But then others are much more, I'll say harmful. Some of them might be due to revenge. So look at the Sony incident. The Sony incident was primarily because a foreign leader was upset about a film company's portrayal of his country or himself. And the two that are especially worrisome to me are threats that are motivated by military tactical advantages, but most importantly, strategic advantages. So for example, there's some countries that would hope to hold our strategic assets at risk. And what I mean is they'd like to be able to impose their national will on the United States or other democracies by holding some of our critical infrastructures at risk as in preventing their reliable and safe operation or causing folks to have a distrust of their financial system. So I'm really worried about the threats that come after us from a strategic perspective. Don't worry, WannaCry and NotPetya are important, but they're very different than being strategic threats.

Now this issue of strategic threats sounds like there's also a continuum of the characteristics of the threat from you totally bring something down to you actually introduce behaviors that are not expected or not wanted. So talk a little bit about this notion of critical infrastructure and how we're getting more both planful and subtle and strategic in our responses to the threats against critical infrastructure.

Well, it's the subtle ones, you're right. It's the subtle ones that worry you, meaning it's really relatively easy to recognize when something bad happens to you because you can immediately try and fix it.
But when something's subtle, oftentimes it passes your prickly sensors to come up and the problem is when all these subtle things build on top of each other so that all of a sudden 10 subtle things turn out to be one very big thing. And there's the type of things we need to worry about with some particular critical infrastructures. So for example, a terrorist, a malicious activity, might simply be looking for one big high visible attack, meaning causing heat and light to happen on a TV screen for an exploding oil field or something like that. But a much more subtle malicious activity would be the gradual degradation of the quality or availability of water or the gradual degradation on the precision of some of our critical manufacturing. So I'm with you that some of the subtle things are what we need to worry about. We call those low and slow attacks. So you need to not only be prepared for the loud and stealthy ones but also the low and slow ones.

Now, we used to think for example of one of the more famous portrayals of security concerns in movies and whatnot is the idea that I take off the last six decimal places of a transaction and I somehow amassed millions of dollars. Is that the kind of thing you mean by low and slow? Those aren't necessarily the kind of threats I know, but that kind of thing, which is subtle and it doesn't have an immediate obvious impact, but over time it can lead to dramatic changes in how a business or an infrastructure national asset works.

That's a great analogy of the old financial attacks where they bleed off 0.01 cent per transaction. That adds up very quickly into a very high volume loss. Well, imagine applying that style of attack on something that could result in not simply a financial loss but it could cause a physical or safety event, whether it be a pressure explosion on a pipeline, a degradation of water, or something of a sort. Those are very, very important and we need to make sure we're looking for those too.
Now, the question might be, well, how do you find such things? And the answer is automation, right? Human cognition is such that they're not going to be capable of tracking these very low and subtle and slow attacks. So you're going to need to use some always-on analytics to find those types of things.

So I want to bring you back to a word that you use in the context of this conversation actually becomes very important. Simple small word, we. In the world of security, when we start thinking about, for example, the internet, which is a network of networks, some of which are owned by that person, some of which are owned by that corporation, some of which may have more public sponsorship, the idea of we becomes crucially important. We all have to play our role, but to secure critical infrastructure is going to be a public-private effort. So talk a bit about how we go about ensuring this degree of control with the public infrastructure.

So bingo, oftentimes when I say we, it's the royal we, because as you know, as I know, critical infrastructure is not owned and operated by any one place. In fact, it's owned and operated by hundreds if not thousands of different entities. Unfortunately, some people think that the government, the US government, is going to swoop in and do something magical and magnificent to secure critical infrastructure. And there's certainly the intent, not intent, there's a will to do such a thing. The government doesn't have the authority nor resources nor expertise to do such a thing. So what it means is we, this is the royal we, the public sector, the private sector, and then there's even the role for individual citizens. We need to come together in new and innovative ways to get the security of critical infrastructure to a much better place.
And that is, and this is part of that conversation, having the conversation about the role critical infrastructure plays in the economy, in social endeavors, in government, in democracy, becomes a crucial element of this whole thing. So when you think about it, what do the rest of us need to know about critical infrastructure to have these conversations, to be active and competent participants in ensuring that we are having, focusing on the right thing, making the right investment, putting our faith in the right people and corporations?

I think the first step is taking a long-term approach. I'm a big believer in the old Chinese proverb of a journey of a thousand miles starts with one small step. The problem with critical infrastructure security is that the problem is so big and it's so important that we're often paralyzed into inaction. And that gets back to the point we were talking about earlier, that no one single person is in charge. But we need to recognize that and get past it. We need to recognize that the solution lies in us, several folks, several communities coming together to try and figure out what we each can bring to this problem. And I believe there's some actionable things we can do. I don't know what those thousand steps look like to get to where we need to be, but I do know what those first five, 10, 15, 25 things are as do other folks in the community. So why don't we start acting on them now? And that has the side benefit of not only making incremental progress towards them, but it develops what I call muscle memory between the public and private sector of how we go about working together on problems where no one entity owns the whole problem or solution.
So one of the things that makes critical infrastructure distinct from, again this goes back to the idea of what do we need to know, is that critical infrastructure is distinct from traditional networking or traditional infrastructure in that critical infrastructure usually has a safety component to it. And you and I were talking beforehand about how IT folks like to talk about security. OT folks, or operational technology people, people who are often responsible for a lot of these critical infrastructure elements, talk about safety. Bring that distinction out a little bit. What does it mean to have a perspective that starts with safety and figures out how security can make that easier versus starts with identity and figures out how to control access to things?

Right, I think that's an important point because too often the folks in the IT, information technology community and folks in the operational technology community, the OT community, too often we're talking past each other. And one of the reasons is just as you said one focuses on the security of bits and bytes and the other focuses on the safety of water and chemical and electrons and things like that.

Well, it's at the end of the day, it's hard to say I'm going to secure water by not letting this group drink.

Right, that's right.

You can do that kind of thing in the IT world.

Right, so very much so the industrial control system folks, the OT folks, number one on our mind is the safety and reliability of their systems and equipment. They're serving their public with reliable transportation, water, electricity and the like. And so one of the first things we need to do is recognize that it's not either or security or safety, it's both, number one. Number two, I think an important solution is an important part of the solution is mutual respect. Meaning that, yes, it's true that the IT folks have some important strategies and technologies to bring into the OT space but the opposite's also true.
The OT folks, some of the smartest folks I know in the business have been doing what people recently breathlessly call the Internet of Things. So in the critical infrastructure world, they have what's called the Industrial Internet of Things. And they've been using these lightweight, distributed appliances for decades successfully. And so I think that we need to take some of the lessons from IT and apply it to the OT space but the same is also true. There's some OT lessons learned that we need to apply the OT space. So the real solution though is now taking both of those and working together to address the increasingly blended critical infrastructures, IT, OT worlds.

So if, Phil, if you were to have a recommendation as someone who works, who has worked in, been familiar with the black security world, the black ops world, the black hat world as well as the white hat world. If you were to have a recommendation as to where people should focus their time and attention now, what would it be? What would kind of be the next thing, the next action that you would recommend that people take?

If I could, I'd like to answer that in two parts. First part is, you know, what are the group of activities where we can actually make some progress? Well, the first one is getting some like-minded thought leaders together in agreeing that this is in fact a 10-year problem, not a one-year problem. And no matter what jobs we're all in, commit ourselves to working together over that period to get to a good spot. So one is a forming of like-minded people to agree on the vision and determination to help us get there. But then there's some practical things we can do like the mundane but important automated information sharing. There's some critical infrastructures that do that very well today. The financial sector is often brought out as one of the best in that field.
But some of the other sectors have a little ways to go when it comes to automated information sharing of the threats and the risks and the situations they're seeing. Another thing that I think we can do is some high-column pilots. Specifically, we need to explore all the dimensions of risk. Right now when we think about mitigating risk, we think about how can I stop a threat or how can I fix a vulnerability. But too often we're not talking about what are the bad consequences I'm trying to avoid in the beginning with. And so the critical infrastructure community, especially, is maturing a discipline called consequence-based engineering. So it's mitigating risk by engineering out the bad consequences from the very beginning and then using your technology to address the threats and the vulnerabilities. So I'd like to see us do some public-private partnership, some pilots, based on consequence-based engineering. And that will not only reduce overall risk, but it will create, as I mentioned earlier, that muscle memory.

Consequence-based engineering.

That's right.

So is there one particular domain where you have, like, when you sit back and say, I want to see these public-private partnerships, is there a place where you'd like to see that start?

Yeah, in fact, the-

Part of the whole critical infrastructure story.

Right. You can't ignore the electric critical infrastructure. And the good news is that they've been practicing this science, this art, consequence-based engineering for some time now. So, for example, in the electric grid, as you certainly know, there are three major interconnects in the United States, the Eastern, Western, and Texas interconnect. So they already create segments or islands so that one failure won't propagate across the whole U.S. So the mythical U.S. wide power grid is, in fact, a myth. But even within those segments, the Eastern, the Western, and the Electric, in the Texas interconnect, there's other further segmentation.
They don't quite call it segmentation. They call it islanding. So when things fail, they fail in a relatively safe way. So islands of power can continue to be generated, transmitted, and distributed. So in a sense, some of the folks in the electric companies, the electric sectors, are already practicing this discipline. We need to, though, pivot that and use it in some of those other disciplines as well. Think oil and gas, transportation, water, critical manufacturing, and possibly a couple others.

So, Phil, I find it fascinating. You were talking about the electric grid as a network and all networks have kind of similar problems and we have to think about them in similar ways. And Fortinet has been at the vanguard of thinking about the relationship between network and security for a long time now. How is your knowledge, how is Fortinet's knowledge of that relationship going to manifest itself when we start thinking about bringing more networking, more network thinking to critical infrastructure overall?

You're right, that the strategy of segmentation is still king in the security business. And that's especially true in the IT space. At Fortinet, we offer a range of security solutions from the IoT to the cloud and can segment within each of those different pieces of the network. But more importantly, what we offer is a security fabric that allows you to integrate the security at the edge, at the cloud, in the data center, and other parts of your network. Integrate that into a fully cooperating team of security appliances. What that allows you to do is to integrate your security, automate it much more so because you don't want to bring a knife to a gunfight meaning the adversaries are coming at us in lots of different ways and you need to be prepared to meet them on their terms, if not better. But it also greatly decreases the complexity in managing a network by leveraging greater automation and greater visibility of your assets. So, you're right.
Segmentation is a strategy that's proven the test of time. It's true of the IT space and it's especially true of the OT space. And at Fortinet, we'd like to see the blending of the planning and implementation of some of these strategies so we can get these critical infrastructures to a better spot.

Well, Phil Quade, thank you very much for coming on theCUBE and talking with us about critical infrastructure and the role the network is going to play in ensuring that we have water to drink and we have electricity to turn on our various devices and watch theCUBE. Phil Quade, CISO, Fortinet, thank you very much.

My pleasure, thank you.

And I'm Peter Burris and again, Chief Research Officer of Wikibon SiliconANGLE. You've been watching theCUBE. Thank you very much for being here as part of this very important discussion and we look forward to seeing you in the future.