Ready for Goodbyes? : Critical System Obsolescence

Ben Miller

In the analysis, several speakers provided insights on various aspects of cybersecurity in relation to industrial control systems (ICS) and digital transformation. Dragos, represented by Ben Miller, is a notable company dedicated to protecting and securing ICS. Miller leads Dragos’ services team, which includes instant response and preparedness checks, demonstrating the proactive approach of the company.

The analysis highlights a shift in companies’ cybersecurity approach from solely relying on protection-based measures, like segmentation, to more proactive measures that involve creating visibility for threat detection. This change is needed as companies integrate more similar systems, increasing the attack surface. Outdated infrastructures, running on systems that reached end of life several years ago, are particularly vulnerable and require enhanced visibility.

The analysis emphasizes the need to combat obsolescence and vulnerabilities through implementing appropriate technology. Recent incidents, such as a case where ransomware affected an undetected traffic control system for months, highlight the urgent need for improved defensive measures. Prevention alone is not enough, and visibility is crucial to understand the environments.

Additionally, the analysis acknowledges that prevention in terms of security measures can eventually fail. It is crucial to create a defensible architecture with active system monitoring and capable personnel to respond to threats or incidents. Staff members should understand how to operate in an environment where they may be provided with incorrect information.

The analysis suggests that achieving a completely secure system is not a realistic goal due to the constant introduction of new technologies and capabilities by adversaries. Cybersecurity is an ongoing journey that requires continuous adaptation and improvement.

Collaboration between IT and OT is crucial in the context of cybersecurity. It is acknowledged that the life cycle and pace of change in IT and OT are significantly different. Conversations between the domains should focus on understanding the facility’s mission and working within constraints to avoid disruptions. IT disruptions to OT systems can cause downtime in revenue-generating assets, leading to tension between the two domains.

In conclusion, the analysis provides a comprehensive overview of cybersecurity in relation to industrial control systems and digital transformation. It highlights the proactive approach of companies like Dragos in protecting and securing ICS. The shift towards creating visibility for threat detection, combating obsolescence, and the importance of a defensible architecture with active system monitoring are emphasized. The analysis recognizes that achieving absolute security is not feasible and that cybersecurity is an ongoing journey. Collaboration between IT and OT is seen as crucial, focusing on understanding the facility’s mission and constraints to prevent disruptions.

Joshua Kennedy-White

The rapid pace of technological change leads to obsolescence as new technologies continuously replace older ones. Telecommunications, for instance, have moved from 3G to 4G and now to the latest 5G network, rendering previous generations obsolete. This highlights the constant need for adaptation to keep up with the ever-evolving landscape of technology.

Adaptability emerges as the best approach to embrace these changes. Being flexible and adaptive is crucial in navigating technological advancements. Surara, for instance, actively cultivates a culture of adaptability through research and development, training, and promoting workforce diversity. This helps prepare their employees to anticipate and embrace obsolescence.

Technology itself is a major driver of obsolescence. The introduction of new technologies like artificial intelligence (AI), 5G networks, quantum computing, and space technologies fuels rapid change. For example, the development of a new navigation system for airlines can make an entire fleet of aircraft obsolete. Similarly, the potential rise of driverless cars could make drivers themselves obsolete.

However, the biggest challenge in transitioning from legacy to modern technologies lies in people. Individuals are often resistant to change and may struggle to adapt to new technologies and ways of doing things. Despite being the largest asset of a company, human resources can be the pain point in the transition process. Overcoming this challenge requires effective training and change management strategies to facilitate successful adoption of new technologies.

The concept of absolute security is explored, suggesting that it is impossible to achieve complete security. The security vendor community’s obsession with achieving absolute security is questioned, as it is proposed that resilience and good enough security should be prioritised instead. This highlights the importance of finding a balance between security and usability in technology.

The expectations of consumers and the government also need to be recalibrated in response to technological changes. It is argued that the government does not always hold the responsibility to address every issue, and consumers should have a concept of resilience. Furthermore, the sudden criticality of modern services necessitates a revised understanding of their importance as critical infrastructure.

Strategic planning emerges as a crucial factor in successfully transitioning from legacy to next-generation technologies. Without a well-thought-out plan, organisations risk accumulating a plethora of technologies without a sense of security. To mitigate this, it is recommended to establish a shelf life for technology, adopt a modular architecture, and involve vendors in the upgrade processes. These strategic considerations can help facilitate a smooth and successful transition.

In conclusion, the constant change in technology drives obsolescence, necessitating adaptability to embrace these changes. Technology itself is the leading cause of obsolescence, and the transition from legacy to modern technologies can present challenges, particularly related to human resources. Achieving absolute security is deemed impossible, and instead, the focus should be on resilience and good enough security. The expectations of consumers and the government need to be adjusted, and strategic planning is crucial for a successful transition.

Major General Manjeet Singh

Obsolescence, the concept of something becoming outdated or no longer useful, has long been practised in military inventories, with certain percentages of outdated equipment maintained. However, the pace of technological advancements, user expectations, market forces, and security requirements have significantly accelerated obsolescence.

In response to this accelerated obsolescence, it is crucial to establish a cycle to effectively manage it while ensuring functionality and security. This means finding ways to address the challenges posed by rapidly changing technologies, evolving user needs, and the market-driven demand for up-to-date equipment.

One notable effort in mitigating the impact of obsolescence is being undertaken by Major General Manjeet Singh in India. India boasts a large population of approximately 800 million internet users and 1.3 billion phone users, resulting in a significant number of transactions, around 10 billion per month. Recognising the importance of minimising obsolescence in such an advanced and connected society, Major General Manjeet Singh is working towards finding effective strategies to manage and reduce the impact of obsolescence in India.

Furthermore, India is also making commendable strides in securing its cyberspace. They are actively addressing governance issues related to cyberspace, developing comprehensive crisis management plans, and creating resilient infrastructure. Additionally, India is taking measures to ensure disaster recovery and backup plans for data, emphasising the importance of network resilience.

The analysis reveals that obsolescence is not a new concept for militaries, with certain strategies like maintaining specific percentages of outdated equipment being employed. However, the increasing speed of technological progress, evolving user expectations, market dynamics, and security considerations present challenges that require proactive management of obsolescence. The case of India highlights how the country recognises the significance of addressing obsolescence in its technologically advanced society and is taking measures to both minimise its impact and secure its cyberspace.

Overall, the detailed summary highlights the various factors accelerating obsolescence and the importance of managing it effectively. It also underscores the efforts made by Major General Manjeet Singh in India, along with the country’s commitment to securing its cyberspace.

Dr. Yacine Djemaiel

The obsolescence of software and hardware components in critical infrastructure can pose significant threats to the services they provide. There is a strong dependency between the software and hardware for each component in most cases. When the hardware fails to respond after software updates, the process to replace such hardware is initiated. However, this process can be time-consuming and may lead to potential threats regarding critical infrastructure if not addressed promptly. This raises concerns about the need for up-to-date regulations and strategies for critical infrastructure.

From the Tunisian experience, it has been observed that targeting regulation is essential in addressing this issue. In 2023, Tunisia defined a new law for cybersecurity, updating a previous law from 2004. Critical infrastructure had a dedicated chapter and a set of laws that major companies must respect. This demonstrates the significance of up-to-date regulations and highlights the importance of having specific laws that govern critical infrastructure.

Regulatory guidelines for critical infrastructure are also crucial. Dr. Yacine Djemaiel emphasises the need for such guidelines to ensure that these infrastructures are maintained and updated in a timely manner. Including criteria against which the components of the infrastructure should be certified in the regulations can further enhance their effectiveness.

However, upgrading hardware or software for critical infrastructure can be challenging for government companies. It requires detailed planning and budgeting. The process of acquiring the necessary budget and carrying out the changes in compliance with regulations may be lengthy, causing delays in maintaining and improving the infrastructure. This issue underscores the need for more efficient solutions to reduce the time required for infrastructure replacement and upgrades.

Dr. Yacine Djemaiel advocates for reducing the time needed for updates, as it would make compliance with regulations more efficient. Faster replacement and upgrades can mitigate the risks posed by outdated infrastructure. By streamlining the process and making it more time-efficient, the potential threats to critical infrastructure can be reduced.

In conclusion, the obsolescence of software and hardware components in critical infrastructure poses significant threats to the services they provide. It is crucial to have up-to-date regulations and strategies to mitigate these risks. Regulatory guidelines, along with efficient infrastructure replacement and upgrade solutions, can help maintain and update critical infrastructures more effectively. By addressing these issues, the potential threats to critical infrastructure can be mitigated, ensuring the smooth and secure provision of essential services.

Rebecca McLaughlin-Eastham

This comprehensive analysis examines the level of preparedness and protection of companies and entities against obsolescence and vulnerabilities. It sheds light on the budget companies allocate for upgrades and resilience measures, questioning whether it is adequate. The analysis also explores the broader perspective of how well-protected or exposed entities are in the face of obsolescence.

One of the key points raised is the budget companies allocate for upgrades and resilience measures. This raises concerns about whether companies are sufficiently prepared for potential obsolescence and vulnerabilities. The analysis emphasizes the importance of investing in upgrades and resilient infrastructure to mitigate the risks associated with technological advancements and changing market dynamics.

Another significant point is the overall preparedness of entities when it comes to obsolescence. The analysis urges us to take a broader view and consider the extent to which entities have considered the implications of obsolescence and taken proactive measures to protect themselves. By doing so, entities can ensure their sustained viability and competitiveness in the face of rapidly evolving technologies and changing industry landscapes.

The analysis also notes the neutral sentiment surrounding this topic. While it does not provide a clear indication of stakeholders’ views, it signifies the importance of a balanced perspective when examining the level of preparedness and protection against obsolescence and vulnerabilities. It suggests that a well-rounded assessment is essential in identifying areas of improvement and developing strategies to address any gaps.

In conclusion, this analysis highlights the significance of preparedness and protection when it comes to obsolescence and vulnerabilities. It underscores the need for companies to allocate sufficient budget for upgrades and resilience measures, as well as the importance of taking a comprehensive approach to ensure entities are adequately protected against obsolescence. By addressing these issues, companies and entities can enhance their ability to adapt, thrive, and remain competitive in an ever-evolving business landscape.

Rebecca McLaughlin-Eastham:
Good afternoon, everybody. Nice to see you all again. I hope you are continuing to enjoy a fantastic first day of GCF 2023. It’s wonderful to be back on this hallowed stage with another fantastic panel. Our topic is obsolescence, the long or maybe the short goodbye we shall have to debate and see. In today’s world, with such rapidly advancing technology, the life cycle of critical systems is becoming ever shorter. So what exposure, what challenges, what threats does that pose to organizations around the world today? And what can we do to traverse these waters to mitigate those dangerous times? So I have all the answers in my learned friends to my left. You’ve had them introduced, but let me come to you each individually first just to set the scene. Tell me a bit about your role and your remit and what you bring to this conversation today. Major General Majid Singh, it’s wonderful to see you. Thank you for being here. How are you? Thank you.

Major General Manjeet Singh:
Thank you, everyone. At the very outset, let me thank the global cybersecurity team for having invited us to speak on an important issue such as obsolescence. I also thank the moderator who has introduced us and to my fellow panelists to be all here. Let’s hope we have a great discussion on the topic. Obsolescence, in my initial thoughts, is something I would like to say that it’s not a new concept. It’s been practiced all over. It’s been practiced by the militaries. They do lay down certain percentages of what do they really maintain in their inventories. Say, 30% of the equipment which is obsolete or in the obsolescence phase. About 40% is current. And there is 30% wherein the induction of the modern technology or the modern equipment happens. So 30, 40, 30 concepts. Some people may practice 20, 60, 20 concepts depending upon various factors of technology regulation, the budgets, the HR, all those concerns. However, in light of the technological advancements, the going analog to digital, the user aspirations, the market-driven forces, our aspirations, our security requirements, all that has really speeded up the way the obsolescence is happening. So, therefore, it’s really become a challenge to take care of that cycle of obsolescence. And, however, the bottom line is that we should be able to maintain the functionality as also maintain the security. So we have to maintain a very fine balance between the two and ensure that we have a cycle wherein we are able to manage obsolescence.

Rebecca McLaughlin-Eastham:
Thank you so much. Ben, nice to see you again. Familiar face in Saudi Arabia. Hope you’re enjoying GCF 2023. Tell us a little bit more about what you do for those who might be unfamiliar.

Ben Miller:
Yeah, absolutely. It’s great to be back here, two years running. I work at Dragos. So Dragos is focused on obsolescence systems at the end of the day. We focus on defending and securing industrial control systems, sometimes called operational technology. And in my role at Dragos, I lead the services team. So our instant response team, our assessments team, the teams that do preparedness and checks against the defenses. And so, in many ways, what I’m representing today is not so much Dragos but our customers at large and what we see from that ground level.

Rebecca McLaughlin-Eastham:
Thank you. Thank you. Dr. Yassine, nice to see you. How are you today? Thank you. Talk to me a little bit about, from your point of view, when it comes to Tunisia and the importance of not only core systems but obsolescence.

Dr. Yacine Djemaiel:
Yeah. This is a great issue that we should discuss carefully when we deal with critical infrastructure because there are many factors that should be considered when we look carefully to the component of critical infrastructure. So we will find that there is a dependency between the software and the hardware for each component in the most cases. We are updating. We will update the software the first time, the second time. But at the moment, there is a limit. There is a point where we stop because the hardware does not respond. And this will initiate for us the process to replace such hardware in order to be able to continue providing the needed service by this critical infrastructure. This is an important point. Now, this time out between the instant where the system does not provide the needed hardware properties may lead to a set of threats regarding our critical infrastructure. And this is most dangerous because we are providing critical services. And at this time, we are not able to provide this service in an efficient manner. It means that there is something that is missing. There is some vulnerabilities related to this system that may be exploited by attacker to engender damage to this infrastructure. In this way, from the Tunisian experience, we have tried to focus on a major component that is the regulation. And we have defined since 2023 a new law for cybersecurity since we have a law that is dated from 2004. And in this year, we have elaborated a new law text for cybersecurity. And we have dedicated for critical infrastructure a chapter and a set of laws that should be respected by major companies. So, this is very important. And this is the first step if we need to help company to be compliant with the requirement of critical infrastructure. So, this is the first point that should be discussed here regarding the regulation that should be up to date. Followed by the strategy that should be also up to date in a country regarding critical infrastructure.

Rebecca McLaughlin-Eastham:
Thank you very much. Policy and regulation will definitely be discussed. Absolutely so important to our conversation. Joshua, let me come to you from the standpoint of Surara by STC. How are we currently positioned when it comes to obsolescence?

Joshua Kennedy-White:
Yeah, thank you very much and thank you for having me. It’s my second time here. And I’ve been coming to the Kingdom since about 2005, which I think is a nice backdrop to think about how much has changed. Just when we talk about obsolescence, we normally think of legacy technology and how we adapt and change. It’s interesting that we’re having that conversation here at the Global Cyber Security Forum in a quite new and modern country that doesn’t have a lot of existing legacy, perhaps less than others. I’m privileged to be an executive board member on Surara, which is a young company that we spun out of STC, the Telco, with a young team that is addressing a lot of the problems that are emerging now in the Kingdom or the opportunities, if you like. When I think of the obsolescence question, I’d like to just take a step back. If we were having this conversation 200 years ago and we were talking about critical infrastructure, probably the two things that would stand out would be a lighthouse and telegraph lines, two things that don’t really exist anymore, or maybe they do as a tourist attraction. They existed for a long time. Technology didn’t have much of an effect on them. Lighthouses went from using wood to oil to electricity. Telegraph had morse code and other things, but they generally didn’t change. Now we’re in an environment where the thing that fundamentally changes the obsolescence of critical infrastructure is technology. It’s just compressed in such a short space of time. If you were to think of just three things in business, telecommunications, we now have 5G, that’s made 4G obsolete, that’s made 3G obsolete. We have multi-core processes. We’ve got the cloud. There’s so many things there. What does that mean? When I look at that from a Sarah perspective, the ultimate question is, we know that things that we’re dealing with today are going to be obsolete tomorrow, so how do we plan around that? I think back to the best trait in evolution is to be adaptive, to be adaptable, to accept those things that are coming. From our perspective, it’s not to be too fixed in our ideas, to be able to have flexibility to say we need to adapt, we need to change. That has to be pervasive throughout the organisation as a culture, as an approach to R&D, as an approach to training, as a diversity of the workforce. When I look at what we’re trying to achieve with Sarah, I think that sits behind that. When I look at the numbers that we have in terms of what we’re doing, the people, the projects they’re working on, I think in the background, we’re preparing ourselves for a constantly changing world and how we can help our business and government clients adapt to that. What are the leading causes of obsolescence? Let’s take it back to basics. How do we make sure that they’re on our radar, that we’re aware of what we need to be fixing? Let me come to you, Joshua, first. I think the biggest one is technology. We’re now living in, I don’t know, is it the fourth or is it the fifth industrial revolution? The rate of change of chat GPT and large language models, it’s happening right now. When we look at the first industrial revolution with steam and others with electrification and automation and mechanisation, those things took decades to happen. We’re looking at things that are happening now in literally months. I think that the technological change, which poses so many challenges, the things we define as critical infrastructure, there are many, many more of those. The regulations around them, I mean, look at AI. We haven’t even begun to get our heads around that. I used to work in government. With all due respect to government, we’re not normally on the cusp of technology and the ability to regulate it. We tend to go through a cycle of making something illegal, compulsory, obsolete. These cycles happen. I think the big one for me is technology, the pace of the change, the depth of the change, whether it’s space, quantum, AI, 5G. There are other things that sit behind that. We might bring in a new navigation system for airlines, which makes a whole fleet of aircraft obsolete. Or we might driverless cars. It’s probably going to make me, as a driver, obsolete. There’s a range of those things. Or traffic signals might be obsolete or railway signals. I think that as we devolve to harness all of the benefits of this next digital transformation, enabled by this amazing new technology that’s out there, it will create a wave of obsolescence. I don’t think that’s necessarily a bad thing, but it does pose many, many questions to how we’re going to secure it, how we’re going to regulate it, etc., which we’re only just thinking about.

Rebecca McLaughlin-Eastham:
Let’s talk about security and regulation, not least for a variety of sectors, because the impact is different, of course, across many different industries. In Tunisia, Dr. Yassine, what regulation do you want to see? What is it critical to put in place to make sure that there is a more manageable, seamless transition?

Dr. Yacine Djemaiel:
We deal with this regulation. When we focus on the content of this regulation regarding critical infrastructure, we will find that there is some restrictions that should be applied for this infrastructure regarding if the components are certified against a set of criteria. We should keep these constraints available. to implement the needed replacement updates in time in order to comply with this law. This is the first point that should be mentioned regarding these obsolescence. Now another problem that should be also presented is related to the act of replacement. When we make the upgrade, the needed upgrade for the hardware or the software, especially for the government companies, when we need to plan to get the budget. And this time to plan the needed budget and to get the needed amount in order to be able to make this change in order to be compliant with the law may be for a long period. And this period will be also another issue for our infrastructure. So this is among the aspects that should be also discussed, and we should find a solution for that in order to reduce this time and to be able to make the needed change in an efficient time. So this is another issue that should be also discussed.

Rebecca McLaughlin-Eastham:
Ben, when it comes to budgeting, when it comes to spending, protecting ourselves, making ourselves more resilient, sometimes the CAPEX is not there or even the OPEX as we were discussing backstage. So what level of preparedness and protection do companies and entities tend to have today? If you were to give us the broad view, how protected or how exposed are we when it comes to obsolescence and the vulnerabilities that causes?

Ben Miller:
Sure, yeah. Sure. I think the challenge within many of the critical infrastructure environments is around the idea of first 10 years ago, it was we were segmented, we’re okay. Or actually, no, it was air gaffed. We’re air gaffed, we’re not touching any other systems, we’re fine. And then it moved to what we’re segmented, so we’re protected. Now with the age of digital transformation and we’re adding more systems that are talking to each other and they’re more homogeneous, so they’re very similar from an attack service perspective. We have this challenge now where we can’t just rely on prevention, it’s getting in front of that. So when prevention fails, what’s next? And the old proverb, chance favors the prepared. How are we getting in front of an attack so we have the right visibility to detect them when they’re in their environment? Backstage we were talking about a recent case my team supported, ransomware related, that affected a traffic control system. They were within that environment in an order of months, and it wasn’t until they deployed the ransomware that they were detected, pretty obvious at that point. But there’s an opportunity there if you’re deploying the right technology to create that visibility. I think that’s the, when you’re dealing with old technology, and by old technology I mean systems that went end of life seven, eight years ago, the mitigations there are creating visibility and understanding what’s happening within those environments.

Rebecca McLaughlin-Eastham:
It may be basic to observe, but the actors are moving faster than we are. The technology is moving faster than companies and even governments are. So how do we bridge that gap? How do we step one step ahead, given some solutions, but what would your key advice to entities, to governments, to companies in the room be?

Ben Miller:
It really does come back to the idea of prevention does eventually fail. And so not just creating a strong architecture, but a defensible architecture. So that means people that are actively monitoring the systems and able to respond, and creating the expectation that the operators and the engineers know what to do if they think that if it were to go into a dangerous state, it’s actually a human safety issue. It’s not my database is corrupt. There’s a degree of impact there that’s really important to understand. And those staff members that are in that facility need to understand how to operate in an environment where they might be given the wrong information and make the wrong choices because of that. That’s the leading edge in training and where we need to build towards.

Rebecca McLaughlin-Eastham:
Thank you. Major General, how are you minimizing the impact of obsolescence in India? What examples can you point to?

Major General Manjeet Singh:
India is a huge country, has got a huge cyberspace. If we look at the numbers, we have about 800 million internet users. We have 1.3 billion people using these phones, but in the large quantity of them is smartphones. So the interconnectedness is very heavy. If you look at the overall payment landscape, it’s 10 billion transactions happening every month and they run into billions of rupees. So it’s a huge landscape. If I look at the resilience aspects at the strategic level, we are addressing it at the policy and the strategy level. Then we have the governance. Governance of cyberspace is being addressed through suitable governance structures. We have a huge amount of infrastructure development, capacity building programs. That’s at the strategic level. And if we come to the technical level, we are putting in place all issues which contribute to the resilience, whether it is the crisis management plan, or whether it is putting in place resilient infrastructure, having disaster recovery, backup plans for the data, the network resilience, the network time protocol, the DNS systems, the safety and security of our submarine cables, all that is being put in place. So it’s something a work in progress. We are doing fairly well to secure our cyberspace. It’s a work in progress.

Rebecca McLaughlin-Eastham:
Joshua, talk to me about the biggest pain point, transitioning from legacy to modern technologies and infrastructures and reinforcing those core infrastructure systems. Where is the weakness or what’s the biggest headache, if we can call it that?

Joshua Kennedy-White:
So I think in a word, it’s people. You always hear people are our greatest asset. They’re also incredibly hard to change, they’re hard to train, they’re hard to find, they’re hard to keep. I used to have a very large team with a lot of people. I’m sure I miss them individually, but in aggregate, less so. So I think the people piece is hard. But I just want to pick up on a theme that was talked about there, and Rebecca, you mentioned it with minimize. This seems to be sometimes, maybe often in the security vendor community, this obsession with making something absolutely safe. I can tell you, absolute security is absolutely impossible. And so if you think of that in the context of critical infrastructure, I think historically, the government had more of the ownership of those assets, power stations and the like. And today, if I was to define critical infrastructure in my house, it’s probably Netflix and it’s probably the Uber deliveries and Grab and all these other things. So I think that poses a couple of questions. The first of it is, let’s not always assume that it’s the government’s fault and the government has to fix things. But that the other side of it is, as a consumer of that service, whether it is provided by the government or not, maybe we do have to have an idea around resilience and good enough to be able to get there. We manage perfectly well without these things that suddenly is embedded. It owes us a favor. Why can’t I have Wi-Fi streaming on the airplane? So I think we have to recalibrate that discussion. And that’s a subtle political piece as well of what we expect of our political leaders. Maybe I’m being kind because I used to be in that frame. But the key thing, I suppose, when I look at moving from legacy through to the next generation is, in the absence of a really good strategic plan, you end up doing these tactical things and you amass a whole bunch of stuff. You feel secure because you’ve got one of everything and that doesn’t really happen. So I think a better approach is to be able to say, this has a shelf life. It’s an interim solution. We’re planning to do something else. We’re going to have a modular style architecture. We’re going to have a relationship with our vendors, that they’re going to be part of the upgrade process, that it’s not… There’s a lot of people involved in legacy infrastructure to get from where you are to where you need to be. And I think there’s interesting contracts that you can write with your technology providers. You can kick the question to them. I’ve been to multiple conferences where you walk in and if you’re someone trying to buy a solution, you’d be baffled. There’s 4,000 things all with a variation of shadow this, carbon that, trace this. And it’s quite baffling. I think the other part of it is we always think that it’s some super sophisticated hacker, probably criminal gang backed by a state. I can tell you, in a lion’s share, a lot of these things are kind of mistakes that people make. It goes back to the people thing because they’re not trained. They don’t understand it. They don’t know what they’re doing. So it’s a complex problem. I don’t think it’s going to be easily solved by perfect technology solutions. I think it’s about redundancy, resiliency, a discussion with people. I would say that because as a service provider.

Rebecca McLaughlin-Eastham:
Of course, he would never say that as a service provider. I’ve got to bring in Ben here. It takes many people. It takes a village. Absolutely safe is absolutely impossible. Do you agree?

Ben Miller:
That it takes a village? That it’s possible. Oh, that it’s possible. I think it depends on what your end goal is. I think if you’re focused on creating a robust, resilient, defensible system, absolutely. If it’s about preventing all attacks or that we’re 100% bulletproof, secure, I don’t think that’s a reality that we live in. And even if it were, it would be very transitory of, hey, we reached this state. There’s a new technology. There’s a new capability that the adversary is deploying that pushes everything to this side. I think a lot of our customers, as an example, focus on secure remote access. I’ve seen adversaries take advantage of secure remote access and use those appliances and that equipment to actually gain access, unauthorized access. So it’s always a cat and mouse game and it’s a journey, not a destination.

Rebecca McLaughlin-Eastham:
Speaking of cat and mouse or perhaps friction of a different kind, IT and OT. What’s the future? Never the twain shall meet. One will always outpace the other or have a disagreement, shall we say.

Ben Miller:
Yeah. In your last question, you had a great phrase that stuck out, actually, a legacy. I think perhaps in many environments, the IT teams see all the what they would call legacy equipment and software that’s deployed at pick your type of infrastructure, refinery, generation plant, green energy, they see that as legacy. That that plant was built maybe ten years ago. It’s not legacy. It’s that the pace of change is way different than IT. It’s not a phone. And so that the life cycle there is entirely different and it’s not, again, on we need to patch all your systems all the time, because that would put that facility in outage. And so that’s that friction, right? Actually, we’re generating the revenue for the business. Why are you creating downtime when we’re actually operating and building the capacity that’s needed for the business? So there’s that tension that exists. And I think as we understand the mission, as IT staff understands the mission of the facility and the constraints of the facility and works within those constraints rather than trying to constrain that revenue generating asset, I think that’s where the conversation needs to go.

Rebecca McLaughlin-Eastham:
I wish we had more time. We need to talk about collaboration as well, but sadly the clock has beaten us. But ladies and gentlemen, please join me in thanking my fantastic guests for their contribution today.