Okay, I'm Jack Odin. I'm with Parsons Government Systems, and I'm a member of an IT/OT team. And I am not a ringer for Grim, even though I answered a lot of the questions. It's because I've been doing this for about eight years. I'm an IT guy. And so for those of you in the audience that might be engineers, please forgive me. My compatriot here, Dave, forgives me every day for my flubs. So just to show hands, how many IT people we got in the audience? Okay, thank you. And now hands down, how many OT people? Oh good, we got a nice representation. So again, if I flub up on anything OT related, please forgive me, but point it out. I don't mind at all.

Okay, so the whole thing that I want to talk about today is very non-technical. It's more of how we bring stuff together. And so the question that I'm asking is, are we there yet with IT and OT convergence? And it's a road to travel. That's why I put this slide up, because we're gonna have to follow the road signs. We're gonna have to take some actions along the way, make some turns. So we're going to go through this: definitions, background, etc. You can read that.

So let's talk about definitions for a minute. When I'm talking about industry, because the work that I do tends to be in building management systems, power, HVAC, a little bit of chemical, some other things, elevators, escalators, things like that. But when I'm talking about industry, I'm talking about it very broadly. So literally, when we're talking about IT/OT convergence, we really should be able to talk about it in every environment. ICS, industrial control systems, again, this is a broad term. And I come from the compliance side of things. And I tend to use NIST Special Publication 800-53, which uses the term industrial control systems. People hear industrial, and they think, oh, my gosh, he's talking about manufacturing. And I'm not interested in that. But ICS has been used very broadly.
It includes SCADA, it includes energy management systems, it includes building management systems, all of that. So if you have a problem with it, please, for the time being, accept that this is ICS. IT, hey, IT is IT, everybody knows IT, right? Anybody that doesn't know IT? OT, some people might not be aware of it, is the physical side of this environment that I'm talking about, of the ICS network. And there's an argument, I've had the argument on and off for about eight years, about where that starts. But for the purpose of our discussion, I'm going to say that OT begins at the controller. So I've got a whole bunch of computers. I've got a whole bunch of Cat 5e or Cat 6 cabling, maybe some fiber optics. I got switches and routers all over the place. And in an OT environment, they plug into controllers. At the point where it plugs into a controller that is attached to a generator or HVAC machine, I call that the beginning of the OT environment. Again, we can have the discussion offline, but that's what I'm talking about.

IoT, I'm not going to really talk about too much, but it's a huge thing. This is taking the OT environment and putting it in everybody's house, and putting it in manufacturing environments where we never saw this kind of stuff before. So that's that plethora. And the convergence that I'm talking about, when I talk about convergence, I'm talking about bringing together not just the electrons, not just plugging these devices into the network, but I'm talking about everybody from the CEO on down becoming aware and working together to make this stuff happen.

Background. I don't know how many people know where the OT came from, but back in the day, and Dave is going to correct me if I get this wrong, but back in the day, it was very, very physical. You had valves, you had levers, you had switches, and it was all right there with whatever device you were controlling. Very much physical.
And then later on, they implemented a little bit more remote control. They put mechanical or electromechanical devices on to flip the switches or turn the valves, but they connected those to a control room using serial connections. And so what you see there in the upper right corner is a facility control center, not unlike today, but very serial oriented. Then IT developed separately. With the advent of the computer systems, they were starting to be connected together. We got TCP/IP, and the folks that were doing the OT said, I need to do communications faster, better, and cheaper, and more remote, so how can I do that? So they just loved the whole idea of the TCP/IP stack and making that happen, so they implemented that. And then in 1991, something happened, and I was around then. I was in the middle of all this. I was working on a major project for the U.S. Army, and suddenly the internet happened. And so all this communication that we were starting to have between computers got connected to the world. And in the case of OT, those got connected to the world as well, because they started using it. But OT still uses other pre-internet systems and/or post-internet networks.

Okay, so the truth is that the internet, and if anybody disagrees with any of this I'm about to say, please raise your hand, but I think this is all true. The internet, most WANs, MANs, LANs, PANs, and other xANs are not secure. They're absolutely not. We have to do something to make them secure. And there are signposts of activities, tools such as GoBrute, and I'm not going to pronounce these right, Glupteba, PandaBanker, and ransomware attacks like Jokeroo, GandCrab, et cetera. These are all things that are out there. These are signposts against our security. And we've had some milestones. We've had some successes over the years. We've had firewalls developed. We've had detection systems developed, et cetera. But there's a lot of long road to travel to get there for this.
And this is a pretty old quote from Gartner, but it still applies today. And frankly, I'd be surprised if it doesn't get worse. But by 2020, 50 percent of OT service providers will create key partnerships with IT-centric providers for OT offerings. Okay, so it's going to get worse.

So the obstacles we have in our way, in an organization, in our own minds, whoever we happen to be, IT or OT: there's resistance. There's also denial. People are going to look at their networks and say, I don't have a problem. I have disconnected myself from the internet. I don't have any other problem. I don't have any connection to any other network. Anybody believe that? I don't believe it. Nobody believes that. There's also misunderstandings. When we first got started, Dave and I spoke a different language. I was talking IT stuff. He was talking OT stuff. We had to get together. And there are delays to upgrades. In the IT world, if a patch is identified as something I got to have, I got to have that patch now. In the OT world, I can't patch a controller sometimes for months, because I have to plan a system outage in order to take down that PLC and apply the patch. So lots of delays.

So I'm going to go over the main differences. In the case of education, experience, and certification, I summarized this on the IT side. We've got computer science degrees. We've got mathematics degrees. Others that are pretty common. Plus, there's an interest. I mean, I got my degree in business. But I loved IT, so I got into the IT world. And in order to do that, I got certification. So I've got certifications that allow me to do that. And we show some of the certifications in there: CCNA, CompTIA, and the CISSP is the one that I have on the IT side. The OT side of education, we have electrical, mechanical, and control system engineering. Very, very hard.
You're not going to find an OT person getting into the business unless they have that hard degree, or they work themselves up from the ground turning a wrench, twisting wires, et cetera. Civil engineering, industrial technology, others that are not so common. Plus, hands-on experience, and that's from the ground up. And here's the certifications. Dave and the other folks on the engineering side, they're all professional engineers. Anybody that's a professional engineer knows how hard that is. And we on the IT side, well, ours are hard too. Well, yeah, they're all hard. But there's a couple of others. And I included the GICSP, because Dave and I both have the GIAC GICSP certification, which helps bring us together. It's still pretty heavy on the IT side, but it gives us enough information about the OT side that we know what it is that we're protecting, what's the terminology, et cetera.

Okay. In the case of OT, they have specifications, absolute specifications. You have to have a very detailed description of what it is that you want the system to do and how you want to build it. In the case of the IT side, we don't necessarily have specifications so much as we have requirements. I got a requirement for a firewall. I got a requirement for a router. I got a requirement for a server. What are my servers going to do, et cetera. And the differences between those impact how configuration management is done. Configuration management is very important for both sides.

And then there's the difference between analog and digital. Now, this was one of our early discussions, because digital is used differently in both environments. Okay. You'd think it would be the same, but it's not. Because on the OT side, they think of things as being digital. Analog is very much in the physical layer, physical level of things. Okay. It becomes digital as soon as there's a twisted pair connecting that physical device to a controller.
So they've got digital, but we don't think of that as digital. We don't think of it as digital until it hits a Cat 5 cable. Okay. So very different. Other concepts: IP addressable devices. So I talked a little bit about that earlier. A controller is plugged into the internet, I mean, into the network. It has an IP address. Is that an IT device or an OT device? And that depends on what your organization wants to view it as. In my case, I like to call the controllers OT. And there are also non-IP Ethernet networks and other networks that are not Ethernet based. So we've got lots of protocols in the OT space that the IT folks don't have any clue about. BACnet, DNP3, and there's a whole plethora of others. We have a historian in the OT environment. A historian is a big server that collects information from the OT environment and makes it available for the folks that are running the network. It's a server. Is that OT or is it IT? Well, from the conversation we had with Grim, and from my perspective, I would call that an IT device. But the impact of change on that device definitely affects the OT. So you have to be careful with that. And then I mentioned earlier about SCADA, EMCS, BMCS, and ICS. So that's okay.

And the main differences in equipment we can see here. In the IT world, we've got workstations, we've got servers and storage. We've got firewalls and other security devices, routers and switches. In the OT world, we've got, this is a PLC, a programmable logic controller. There's other kinds of controllers. There are sensors and actuators. A sensor is something that brings information from the physical world, converts it to a digital signal, and sends it up into the controller. So it could be a temperature sensor, it could be a motion sensor, etc. An actuator is where a signal is sent down into the device and it does something. It flips the switch, it turns the valve, etc. And then they have industrial firewalls.
This one happens to be, and it just went right out of my head what the manufacturer is. I apologize if the representative is in the audience. But that's one of the leading industrial firewalls, and they have to be special out there because we're in a non-air-conditioned environment. So if I took a typical Cisco firewall and plugged it into an ICS environment, chances are the heat would get to it or the humidity would get to it. So this is a hardened device.

Operating systems: the IT folks very well know the group that are on the IT side. On the OT side, we have QNX, we have VxWorks. By the way, how many people read recently about some problems with VxWorks? Yeah. Oh my gosh, that's a bad thing. It's huge. Windows 10, why is Windows 10 down under OT? Because there is an embedded version of Windows 10 operating in the OT environment. Yeah, troublesome, maybe. It depends. Programming languages on the IT side, you know those: C++, we got PowerShell, Java, Perl, etc. Those of us in the IT world, we look at the stuff on the right-hand side of the screen and we go, what the heck is that? Ladder logic, function logic, etc. This is the programming language that the OT folks use. So the thing you need to understand from these last two slides is they have the same thing. They have operating systems. They have software. They're working with data, very similar to us, but different terminology.

Here's the next major difference. Safety in the IT world usually means safe surfing of the web, something you teach your kids. You know, don't click on this. Don't go to that website, etc. In the OT world, safety means something very, very specific: life or death or serious injury. And I put the chart down below of the levels of catastrophic activity that could occur. I mean, literally, you're getting to the point where you could have a nuclear explosion because of something happening in the OT world. Okay, so our challenges.
We have the typical vulnerabilities on both sides. You need to know what makes up your network. You need to know what your attack surface is. I saw somebody wearing a t-shirt today. I love that t-shirt. It says, know your attack surface. Love it. That's right. Everybody needs to know what that is. And in the OT world, your attack surface goes right down into the physical world. What applications and services are available but not needed? We talked during the Grim session about somebody's workstation that had a game on there. Why are games in an OT environment? They shouldn't be there. Are there connections between IT and OT, and also the business network and the internet? From our perspective, we want to have layering that goes beyond anything that the IT environment provides layers for. We want to have network segmentation that goes beyond what the IT world is involved with, because we got stuff that's really, really sensitive. Do you have dial-in lines, wireless connections, and portable devices? I was at a customer site one time and I opened up a cabinet and there was an antenna in the cabinet. Why is that antenna in the cabinet? Okay, things like that, you need to be aware of that.

Okay, so this is where I'm going to get to the convergence. Who's in charge? During the Grim session, we were talking about all these people who would be most interested, but I'm here to say that you need to think about what you've got in your network. So in the case of IT, do you have power? Do you have air conditioning? And how are the controllers that are associated with those plugged into your network? If they are, you're interested in OT. And if you're in the OT world, if you're in a manufacturing world or if you're running a big power distribution center or whatever, how is that being controlled? You need to be aware of both sides of that. And so if your mission is combined, you need to assess that combined mission. How does that work?
And if it's separate missions, you need to assess the effectiveness of each. I don't have but just a few minutes; I want to allow some questions. So the CIA triad, the confidentiality, integrity, and availability triad, is a little different between the IT side and the OT side. On the IT side, we put confidentiality generally high, but in the case of the OT world, we tend to put availability high, but actually we put safety above that. And so you can see the factors that affect that. There are five stages associated with convergence, and you can see the five stages down at the bottom. I believe that we're currently at the end of awareness. We're getting there. People are talking about it. I've been talking about it for years. I'd love to talk about it some more and get this thing straightened out. And I'd love to help out any company that has a problem with that, you know, come to grips with who should be responsible for that.

So do I have any questions? Yes, sir. Okay. Very good question. And for those of you who couldn't hear: all those protocols that we have out there on the OT side, they're unsecure. Why haven't they been secured? Why haven't they been replaced? And there's a very good answer to your question. The fact of the matter is, the physical systems that all of these things are controlling are extremely expensive. We're talking millions, if not tens of millions of dollars to replace them. And often the replacement of a controller will require the changing of the physical system, if not a major change, a complete change. Okay. And then I'm backing out into your question. So the operating system that's running on that and the protocols that it's using are inherent in that box. And so now you could say, why aren't we fixing the protocol on the outside and then loading it in? We still have that same problem, because it affects the operation of the physical system.
So there are vendors out there that are changing; they're either applying security devices on the controllers that help, or they're making changes to the operating system or the software to help with that. I know there's a lot of folks that don't care for Windows 10, but Windows 10 embedded does bring with it a little bit of security. Okay, so that helps a little bit. But then you can't replace it all. Thank you for your question.

Yes, sir. So what's the name or the role of the person to manage all this? Okay. And thank you for your question. I probably owe you something for that, because I needed to get to that. So the question is, who's responsible? And that very much depends on your organization. Okay. Ultimately, obviously, the CEO is responsible. But the real person on the ground that's responsible depends upon what's the mission of the organization. And so if you have a heavy OT environment, you might have a chief of operations who would have more power in that than the CIO would. On the other hand, if you have a heavy IT environment, then the CIO would have more authority. Personally, and I think I speak for Dave too, what I think we would like to see is a blending of that, with a heavier or lighter depending upon what the mission is. Does that answer your question? Okay. Anybody else? One more.

Yes, sir. Okay. I'll modify the first part of what you said and I'll say that's it. What we need to do is teach IT and OT people the other side. We absolutely need to be understanding. I mean, all the training that I got, even though I was a management major, the fact of the matter is, when I went through my training for IT, I didn't learn about all that stuff on the OT side. I had no clue about it until, arguably, about 10 years ago, I started getting into it and becoming aware of it. I learned a lot from Dave and his team. Absolutely. On a weekly basis, we talk about something new. That's where it needs to be.
I would hope that Dave could say the same thing, that they learned from us, because they grew up in a control system environment. It's very much important for us all to learn both sides. You could say at a junior level, if you're a programmer, you're probably not going to get involved in the OT side. If you're a control systems specialist who's installing, tweaking, whatever, the control systems, you may not get involved so much in the IT side, but it's not going to take much in your career to start getting into the crossover. I'm afraid that's all the time I have. Thank you very much.