You can’t secure OT environments with checklists alone - you secure them with trust, clarity, and focused action.
In this episode of Protect It All, host Aaron Crow sits down with OT security expert Dean Parsons to unpack what actually improves cybersecurity maturity in manufacturing, water, and wastewater environments. From remote access blind spots to outdated network architecture, they explore the practical gaps many organizations face - and how to fix them without massive budgets.
A central theme? Tabletop exercises. Not as a compliance checkbox - but as a powerful tool to build collaboration between IT and OT teams, clarify roles, and stress-test real incident response plans before a crisis hits.
You’ll learn:
Whether you’re leading OT security, managing critical infrastructure, or trying to bridge IT and engineering teams, this episode delivers practical, experience-backed strategies you can implement immediately.
Tune in to learn how to strengthen OT security through people, process, and purposeful action - only on Protect It All.
Key Moments:
03:57 "Improved IT-OT Collaboration Tabletops"
08:57 "ICS Security Priorities"
12:16 "Accelerating ICS Cybersecurity Programs"
15:07 Trusted Expertise Builds Credibility
17:28 "Engineering Role in Incident Response"
20:53 "Cybersecurity: Tabletops Gain Traction"
26:34 "Control Systems, Protocol Abuse Insights"
27:51 Secure Architecture Enables Network Visibility
33:07 "Targeted Network Monitoring Essentials"
35:23 Prioritize Critical Assets Strategically
37:50 "Bridging IT and OT Expertise"
41:56 Critical Infrastructure Security Risks
44:30 ICS Leadership and Threat Strategy
48:14 "Power Plant Walkthrough Insights"
52:02 Critical Cyber Asset Management
57:29 "SANS Courses: Essential and Valuable"
About the guest :
Dean Parsons is a SANS Principal Instructor and the CEO and Principal Consultant of ICS Defense Force. Over the past two decades, Dean has built and led industrial cyber defense programs, conducted incident response and digital forensics in live plants and partnered with operators and engineers to maintain both safety and uptime across major industrial sectors.
He helps organizations align investment and policy decisions with operational priorities, developing risk metrics and tabletop exercises that unify operations, engineering, and cybersecurity so organizations in any industrial sector can prioritize and measure what matters.
How to connect Dean : https://www.linkedin.com/in/dean-parsons-cybersecurity
Connect With Aaron Crow:
Learn more about PrOTect IT All:
To be a guest or suggest a guest/episode, please email us at [email protected]
Please leave us a review on Apple/Spotify Podcasts:
Apple - https://podcasts.apple.com/us/podcast/protect-it-all/id1727211124
Spotify - https://open.spotify.com/show/1Vvi0euj3rE8xObK0yvYi4
Aaron Crow (0:1.034): Hey everyone. Thank you for joining me on another episode of protected all podcast. everybody probably knows this guy Dean's been on the, on the podcast before, you know, OG in the O T space. if you don't know him, like you must be new to this environment. So Dean, thank you for taking time and joining me again today. Excited to, dig in and have more, more conversation of what goes on in the trenches.
Dean Parsons SANS ICS (0:23.636): Excellent, Aaron. Thanks so much. Glad to be on here. I know this really gets to the community, so I'm all too glad to be here, man. Thanks for having me.
Aaron Crow (0:30.354): Awesome, man. those of you, those that may not know who you are, why don't you give us a very brief who you are, what your background is, history, that kind of thing. Just, and then we'll kind of get rolling.
Dean Parsons SANS ICS (0:41.144): Yeah, for sure. Very, quick. I was that pale pasty guy in my parents' basement hacking systems across state lines for educational purposes back in the day. know, degree in computer science, computer security, 10 years in IT, telecommunications, you know, the last 10 years in ICS and OT in water, wastewater, oil and gas and electric power. So, a principal science instructor, course author as well. I teach ICS 515, so visibility detection response and a two-day
Dean Parsons SANS ICS (1:11.138): leadership level class on control systems as well. And in between those classes, I'm in the field talking with engineers doing assessments and tabletops. That's me.
Aaron Crow (1:20.938): That's awesome. Yeah, so it's amazing that this community is so small that most of us know each other, but it's growing as well, which is awesome to see because the need is there. 15, 20 years ago when I was in this, nobody had heard of OT. There was nobody in this ICS space. There was no conversation and it was all just, well, I'll air gap it or I'll put a firewall in.
Dean Parsons SANS ICS (1:47.041): Yeah.
Aaron Crow (1:47.740): or whatever, right? And I didn't need anything else, right? And now it's really coming around. Unfortunately and fortunately in that, you know, we're seeing more and more things happening in these spaces and everyone knows it's going, it's not a matter of if, it's a matter of when. So I see more and more effort and focus in these spaces from all those spaces like, you know, wastewater.
Aaron Crow (2:11.208): Those are the organizations that five years ago weren't spending a whole bunch of time and effort in that. And now you're starting to see more and more of those types of organizations really focusing on it. So tell it, walk us through what, is some of the stuff you've been working on in those types of places and where are you seeing, you know, kind of the, the, ball moving down, down, down the field.
Dean Parsons SANS ICS (2:29.954): Yeah, for sure. So let's just go back a little bit to come some insight on your point there.
Dean Parsons SANS ICS (2:34.638): Like, you know, 20 years ago and 15 years ago, when I started into ICS specifically and 22 years ago in cyber defense, like it was who's going to target a PLC. Like who can manipulate that? Like they don't even know what a PLC is. Like yeah adversaries know what PLCs are. They have them in their labs and they target them and they're all different kinds of vendors. So what I've seen in the field recently, and just to recap, this is obviously 2026, but some of the things I'm going to draw from is 2025 experiences somewhere kind of early in 2026 is I've
Aaron Crow (2:44.209): right
Dean Parsons SANS ICS (3:4.671): out in manufacturing facilities and out in you mentioned water waste water facilities. And I would agree that the ball is kind of rolling in the area of like, we have to do something about the business, is OT. because there's that need now, because the adversary has been focusing on this and with impacts. So from my perspective, being in the field recently in 2026, early now, just recently out in the field, doing tabletops, sitting with engineers on one side of the table and IT is on the
Aaron Crow (3:17.322): Mm-hmm.
Dean Parsons SANS ICS (3:34.494): other side and there's like a VP of engineering here and there's like, you know, CIO or CSO here. Like the conversations that I'm having now when I facilitate these workshops are far better, far improved and they're needed, I think, because I'm sitting there facilitating a crafted scenario that's realistic from what I've seen in the field. And IT is like, wait a second, PLC can't take antivirus? Like how do you, what adversaries techniques are they using? And so IT is learning, OT is learning. We get that convergence that we hate talking
Dean Parsons SANS ICS (4:4.448): about, but we know we love, right? And so what I'm seeing in the field is more collaboration, but at a tabletop level, rather than just IT talk to OT, it's make it practical through tabletop. so I love been able to do that the last number of months specifically in the field. Now, when I hear the word water or wastewater, we all know that that area needs additional resources, but this is not like, poor them, they need resources. They're like stuck. This is like a call to action. Like they
Dean Parsons SANS ICS (4:34.288): can do something. And a common thing I get Aaron is, well, if we do a security assessment, there's going to be like 150 gaps that we have to, you how do we prioritize? And this is where the sans five critical controls comes in place again. And I've gone out, I've done assessments in water and I say, it's all good. Like, let's hold off on the 150 things you may want to consider. Let's look at the two things, two of the five right now that you can do. And I mean, yeah, if you want me, I'll reveal
Dean Parsons SANS ICS (5:4.297): those two of the critical five controls that I see most impactful to water and generally they're not doing it and that's why we respond. That's why there's incidents, that's why there's issues, you know. So that's a little bit of the thing I've seen in the field the past few months.
Aaron Crow (5:22.344): Yeah, and you know, as a consultant walking into these spaces, it's really easy to go in and I use the analogy of like my, you know, freshman English paper when I get it back from my teacher and it's just red because everything is wrong. Like capitalization and wrong words and no comma or semi-colons or all the things like there's so much on it. It's just like basically just rewrite the paper. And that's what most of these wastewater like you just.
Aaron Crow (5:47.379): talked about like, of course they have everything wrong. They haven't done anything. They're not up to date. So it can be overwhelming as a consultant. I see it as my goal when I walk into these spaces is I don't want to do that. Like, yeah, I'm going to tell you all the things wrong. Sure. But I'm also going to say, okay, now put all that aside. These are the one or two types of things that you should be working on first. If I had one hour to spend, this is where I would spend that hour. So
Aaron Crow (6:12.424): Where are you seeing those focuses in those one or two things that you talked about in those, out of those five critical controls?
Dean Parsons SANS ICS (6:17.070): Yeah. So totally love that. And the thing is, is you're right. I always get the kind of, it's not resistance, but it's like the overwhelming, like, where do we start, dude? Like, and which ones do you think we should do? Because, and why, like justify why this one or that one. And it's like, every time it's like do an assessment, understand meet with the engineers, critical, meet with the engineers, and then walk them through the kind of after action. And when we're walking through, it's like,
Dean Parsons SANS ICS (6:41.132): I just go right to it. Here's the top two, three, four, five, and here's why. And it's never because it's a nice thing to do, or it's like, best practice, which is good things to do, but it's because you're in the water sector. And this is what we've seen in the water sector for the last six years, seven years, eight years, the last two years. And these are the high impacts that are going to hit you. And to counter that there, here's the top two or three. So the top two things that I see in control systems in water and wastewater today.
Dean Parsons SANS ICS (7:11.336): is they do not have general statement, do not have proper architecture or remote access. And I'll extend it to one more control, which is visibility. So let me back up a bit. Generally, when I go into these facilities and do a tabletop for control systems, the men that even have an incident response specific, you know, response plan, which is needed because IT is going to kill stuff. So you like the plan is so they don't have that. And then I start with, well, let's do
Dean Parsons SANS ICS (7:40.978): a tabletop and I'll prove to you with a realistic scenario that makes everything kind of like up on board here realistic. I'll prove to you the gaps that you have based on the threats. So the scenario drives us down through this facilitated workshop and tabletop and out the other end it's, well you're in the water sector. Guess what? Threats usually come from IT into OT. That's architecture. They don't have that. And it's not necessarily a large overhaul to put proper architecture in place or
Dean Parsons SANS ICS (8:10.842): least to have a boundary to protect the OT from IT and the internet specifically as well. And I'll drop some statistics here. It's over 50 % of the time that an ICS gets compromised. It's because the threat is in IT and it's been allowed to transition into OT. So architecture, for sure. Visibility, I would think, I know is a really good next step.
Aaron Crow (8:29.738): Mm-hmm.
Dean Parsons SANS ICS (8:38.338): But I wouldn't do visibility unless you have sort of an extensive architecture, but it's really secure remote access because we do see threats that don't come in through IT, which is still very common. don't, the avatar doesn't have to work through IT. come in from the internet because there's stuff out there that doesn't have multifactor authentication, doesn't have time-based specific remote access with proper authentication, you know. So architecture for sure is a super weak point in the sector. And, and I would say that remote access
Dean Parsons SANS ICS (9:8.362): And I would extend that into once you have those solid visibilities, what you need to kind of maintain an early stage threat detection kind of program. So those three of the top five ICS critical controls is what I see being very weak in the water and wastewater sectors. And this stuff is not rocket science. And it's even this is why I love about this, Aaron. And you're probably going to see this value as well is that those controls actually help the engineering staff as well. It's not just secure to save the day. It's now the engineers.
Aaron Crow (9:35.305): Right.
Dean Parsons SANS ICS (9:38.192): with visibility as an example, they can do root cause analysis. Like they need that, you know? So yeah, it's not just security that the benefits extend into engineering as well.
Aaron Crow (9:49.747): Yeah. And it's so funny you say that, It's most of the problems that we solve in OT are not overly complex. you know, you and I are, I'm going to be at S four, you're probably going to be at S four and RSA and black hat and all these places that there's all these vendors that have really cool, awesome products. And I was a VAR and a vendor, you know, CTO of a product company, like all the things, right? I get it. All these products are valuable. There's needs and in the space. But when you're at one of these places that have nothing,
Aaron Crow (10:19.177): Right. You know, going out and finding, know, it's always and we talk about this a lot, but it's always people process and technology. Right. I can't just go buy a product and have it solve all of my problems. Somebody has to maintain it. Somebody has to install it. I have to understand where my critical things are and my paths, all that kind of stuff. Right. Because if I put if I go buy the best Palo Alto or Claire, you know, whatever the thing is and stick it out there, but then I'm allowing somebody in the back door.
Dean Parsons SANS ICS (10:26.168): Yeah.
Dean Parsons SANS ICS (10:37.442): Yeah.
Aaron Crow (10:46.827): then it's not actually able even to do its job. Like you talk about remote access and I was literally at a manufacturing facility and walking it down and like, we have these firewalls and we have all this and all this stuff and my, how do you do remote access? Well, I take this USB dial-up thing and I plug it directly into the HMI and allow the vendor and just directly the internet. Like, oh yeah, that's a bad idea.
Dean Parsons SANS ICS (10:49.324): Right. Yeah.
Dean Parsons SANS ICS (11:5.911): and leave it there.
Dean Parsons SANS ICS (11:12.194): Yeah, it's a tip that you know you're coming back to do it's response to help them the next week.
Dean Parsons SANS ICS (11:16.942): Yeah, you're right. You're right. It's people process and technology I get the question all the time when I teach or when I'm in the field It's like so we have X number of dollars. What do we do? Do you hire somebody and before the sentence is finished? I'm like hires a person first hire a person and I'll say the word AI, know, it's not abolishing engineering It's not abolishing cyber security. There's ways to adapt that after you do the foundations But it's it's what I try to do is is hire people train people and I've hired people from IT I've hired people from OT and kind of put them into
Aaron Crow (11:17.063): Exactly.
Dean Parsons SANS ICS (11:46.868): these environments and some of them succeed really, really well. So my thought would be to, yeah, you need technology for sure. And even at the ICS summit coming up in June, so I'll be there, I'll be teaching there, doing workshops. We have vendors there as well. And it's great to see the ICS OT specific vendors, but all the time first people. And what I try to do in water, wastewater, oil and gas, whatever is when they're looking to hire someone to do the things they have to do now, because we're forced to do these great things that are beneficial to
Dean Parsons SANS ICS (12:16.782): everyone, it's, I always suggest like, who do you have on the engineering side now that you can have as a champion that knows the control system and safety, you can kind of tweak their job role and, and, and have them do some tasks of cybersecurity as well for OT. And that process is significantly like rocket ships their program to maturity rapidly. Cause the engineers, they know the control system, they know the safety, they know the, the systems work and how the things that are not documented.
Dean Parsons SANS ICS (12:47.072): And those people, when you think about it, even if you're tasked with IT, OT tasks in the ICS, those engineers, they're going to need them in its response and recovery and data collection and data. So hiring people back to your point, critical, and then implementing one or two of those controls over time, not too long. These controls are foundational. Don't take two years to be like, maybe I'll do architecture now because that's
Aaron Crow (12:59.307): Mm-hmm.
Dean Parsons SANS ICS (13:16.602): seems like a nice thing to do. Like a review of your external edge ICS firewall, a must, and a tabletop will expose those potential opportunities. And that's why I love tabletop so much, dude. it's like, I don't want to sound like a broken record here, but the value, like I love seeing light bulbs go off all around the table and IT gets it and OT gets it and safety who's there. They get it. Love it, man. So much value there.
Aaron Crow (13:42.315): Oh yeah, a hundred percent. It's funny you mentioned that, know, hiring the OT folks is, so I built a team. I was an asset owner at a power utility and built a team that we supported 40 something power plants across the state of Texas. And I had, you know, people that I hired off. Again, this was, you know, 15 years ago. So there weren't OT people. There wasn't ICS type conversations. Nobody had that on their resume, right? So I was having to build a team.
Aaron Crow (14:8.083): from, you know, IT people and I hire people from the plants and operators and things like that. The other thing that nobody thinks that we don't talk about is when I walk into these places, I can walk in and I can credentialize myself because I speak the language. I look the part, I have the steel toe boots, I have the hard hat, it's not new, you know, I got it dirty in the parking lot before I went in, right? You know, I looked the part because I've worked in outages, I've worked in these spaces. They know, they can detect
Dean Parsons SANS ICS (14:23.299): Yeah.
Dean Parsons SANS ICS (14:29.474): you
Aaron Crow (14:37.673): that yeah, I'm not just some person that worked in corporate and is coming down here to dictate, you know, cyber controls in their space that won't work. When you hire someone from that type of space, even if they're not a technology person, they're a cybersecurity person, but they've been in those places, you're getting that experience. They know where the bodies are hidden. They know how the processes work. They know how to do a lotto, a lockout tag out, but...
Aaron Crow (15:1.707): The other piece to this, especially in organizations and OT, a lot of the times these people have been working there for 20 years, for 15, 20, 30 years, et cetera. They also have the reputation that they will, people will, the other locations will listen to them just because of who they are. And because they've been in those fields, they have that trust. And then you come along with them and just because they're seated next to you and they're
Aaron Crow (15:26.943): Vowging for you in this conversation the people across the table that normally would have given you the Heisman and not listen to you Well now at least hear you out because that person is sitting next to you and saying hey, just listen to him He has something to say here
Dean Parsons SANS ICS (15:41.262): 100%.
Dean Parsons SANS ICS (15:42.158): Can't agree with you more. I think that in the tabletop, or even going into a facility, when you have that, you gain trust. So we're talking about people, process, technology, like get a new tool, put it in, cool. None of that works if you don't have trust. If you don't have someone that walks in there that says, I know that person, I know they know the language, they know what Modbus is and DMP3 and Profit, and like, if they don't understand how that can be abused today by the attacks that we're seeing, then what would they be doing on an HMI? Like, what would they be doing on a controller? What would they, like from an,
Dean Parsons SANS ICS (16:11.958): a safety, let's go that way. Like from a safety perspective, why would you let anybody touch anything in the OT unless they have that respect? And so a lot of times from IT, it's great because they have passion, but they're like, yeah, man, let's lock this puppy down. And they're like, give me the logs, give me the logs. I'm like, that's great. But what logs do you want? And most of the time, they're not all generalization here, but most of the time it's give me the AD logs and give me the windows logs and we're good. And like, well, so that's about 20 % of the control system. So let's kind of level up. Let's understand how it
Dean Parsons SANS ICS (16:41.872): control systems are actually are attacked for the last 15, dude, 15, 16 years now we're getting wow. Like, wow. And it's like the controllers can be manipulated. We've seen that like the logic needs to like, need logs from the controller that says anytime somebody touches the controller logs into a changes, firmware changes, the logic you need to be aware of it. Like, let's talk about what actually can, you could do tech threats in the control system. Like windows is fine and all that. So engineering workstations, of course, USB insertions, you want USB store, you want mempool.
Aaron Crow (16:45.065): Mm-hmm. I know.
Aaron Crow (16:52.363): Mm-hmm.
Dean Parsons SANS ICS (17:11.792): points to like all those things in the registry on that device, but the engineering devices is what we see more and more being manipulated. So back to practical and back to your point about respect. When we do into response tabletops, like I'm the usual one facilitating this from a company ICS defense force, and I won't run them unless we got engineering representation in the house, because I never want to walk away from a tabletop saying like, well, that sucked. So we always have engineers there and they bring that OT stuff. so the
Dean Parsons SANS ICS (17:41.664): areas that we create, they're all not all, but a lot of them are catered to the OT side based on what the client wants. But we just inject like, here's what the threats are. This is what we recommend, right? In your sector, in your region, your country and all that. And we build in, well, the engineer has to get an inject that says, how do you get logs from a controller or the engineer has to, you have some ability to look at something on the firewall or something similar. So yeah, it can't be understated that or overstated that
Dean Parsons SANS ICS (18:11.588): the engineers play a major role in anything in cyber for OT and, that respect rightfully to them. If they say, dude, I don't trust you and don't sit at my keyboard. Yeah, man. Like you wouldn't want it the other way around where someone like an engineer rolls into it and they're like, can you just kind of scooch over? I'm just going to make some changes on the email security server. Like, so it's the respect piece, right? And then it's the people process that technology and,
Aaron Crow (18:34.448): Yeah.
Dean Parsons SANS ICS (18:37.824): I think you and I both go way back enough to know that building that trust, dare I say again, the coffee and donuts or brisket, bourbon and barbecue was a way to do that. But aside from brisket, bourbon and barbecue in a real life setting,
Dean Parsons SANS ICS (18:53.420): The tabletop is where a lot of that relationship kind of extends and trust builds. and it sounds cheesy and corny and soft skills, but it really starts to blend. And like, I joke, not, what I'm doing tabletops and I see that interaction. like, yeah, I'm at like now that person in the sock from it, I can see it during the break. of the tabletop or whatever they connect. They're like, yeah, yeah, I'll need these logs too. Well, I can get you these logs and here's where they're coming from. And like, where's your sis logs?
Dean Parsons SANS ICS (19:23.445): Like it's, it works dude and love seeing that.
Aaron Crow (19:24.736): Yeah.
Dean Parsons SANS ICS (19:28.630): Yeah. So I think that's how we win. think looking at what we've seen geopolitically, you know, with the other parts of the world currently and all that stuff recently, what happened as well in December reported on in January, all of those things we see the geopolitical tensions, remote access as a problem. Guess where they got remote access to? Terminal units like remote access into the devices that can, if abused and they have the access can cause damage, can cause physical damage to equipment. And so back to a tabletop, it would be shaken out of a tabletop.
Dean Parsons SANS ICS (19:58.596): in a scenario that's realistic in the sector to say you don't have visibility to even detect someone getting remote access into a critical asset that you have at an origin device. So yeah, those controls I mentioned in the water sector that I think are lacking, I see that opportunity in some other smaller utilities as well. And it's not just water that doesn't have proper architecture.
Dean Parsons SANS ICS (20:24.556): Just did a tabletop in a manufacturing facility. did the walk down to the site first, all that stuff made the engineers high fives all around. Awesome. was fantastic. We went in and kind of got an understanding. IT thought, well, there was an air gap, but there's not an air gap. so the learning happens. So it just makes it super practical. And I never think of a tabletop being like one and done. It's like, okay, cool. We did a check. It's okay. Cool. If you me back in six months or 12 months, let's take a look at this and see how we've improved based on the threats, not
Aaron Crow (20:38.719): Mm-hmm.
Dean Parsons SANS ICS (20:54.510): checkbox, it's based on the threats and looking at the data from 2025. So the SANS-ICS cybersecurity survey, I think something like there's large, I don't know the stats exactly, but there's large portions of facilities now doing tabletops and they prefer tabletop exercises. But what I do know from the statistics in that white paper in the survey is that mature facilities are now doing tabletops more than once a year.
Dean Parsons SANS ICS (21:21.524): and they're recognizing the need.
Aaron Crow (21:24.885): Well, I've been touting this for forever as long as I've been talking into this microphone. And before honestly is those tabletops and you hit on so many real nuggets there and I want to call them out to folks that are listening here. Like tabletops, yes, there is a compliance, check the box reason to do a tabletop exercise as part of your incident response plan, blah, blah, blah, Awesome.
Aaron Crow (21:51.939): That's a great thing. Everyone needs to do a tabletop. If you're at least doing one a year, that's better than none a year, right? That said, you talked about a lot of value and a lot of benefits that came out of those tabletops that have nothing to do with cybersecurity. Like when you're having, and you've got all of the team members at the table and everybody understands the perspective. Like my dad used to tell me, I grew up in the South in Texas and my dad used to tell me, there's a reason God gave you two ears and one mouth. You should listen more than you speak.
Dean Parsons SANS ICS (22:20.322): Wise, wise.
Aaron Crow (22:20.445): Right. So when you put people in the room and you're in there, actually, we're all at the same table. all, you know, we've got food and everybody's got coffee and we don't have other distractions and we're not enemies. We're all on the same team and you're building connections. You're building that trust. And if you do it once a year, there's not enough time and opportunity for people to build relationships. Right. So as
Aaron Crow (22:49.929): The more often that you're doing those things, you're putting those people together. You're giving it up. So it's a team building exercise. You're building trust. So when the shit hits the fan, excuse my language, these people know each other, right? They've already went through these scenarios. They know, they know Bob at that location. I'm going to call Bob and it's not just some random person from the sock. Me and Bob had coffee and we sat next to each other during this tabletop exercise. Like
Aaron Crow (23:15.017): So we need to be looking at these tabletops. Yes, there's a cybersecurity perspective. Yes, it's going to help us, you know, have a more thorough incident response plan. And yes, we're going to find some things that are missing from that. We're going to find some gotchas and hey, we thought this was air gapped and it wasn't all those things are true. And also there's so many additional benefits that are not in the, you know, the outcome or the deliverables of the, of the tabletop that are priceless. Like we should be doing these monthly.
Aaron Crow (23:44.723): quarterly, you know, as often as possible for all these other benefits, even if it's not bringing in you and I to do every one of them, like maybe that's too much, maybe it's quarterly, like, but the more that you're doing these things, the more that you're strengthening your teams and you're building this, this culture of, of convergence in that I'm not necessarily converging the technology, but we're one team, one mission.
Dean Parsons SANS ICS (24:9.034): Yep, 100%. So what I've seen recently.
Dean Parsons SANS ICS (24:11.340): Like you mentioned, like it's not even in the after-action report or maybe it is. It's when the team is working together, they actually realize the roles. Like it's a common question to ask, like who actually does its response on a controller? and, and, and there's like people looking around the room and they're like, we'll do it. I'm not sure. And so you're right. So once that's done, that actually speeds up recovery. Once you nail down, this person is going to talk with this person or that group to get the logs required to see if the control has been manipulated. Like it sounds like a basic thing and it's easy to understand.
Dean Parsons SANS ICS (24:41.544): that once that role is defined, the recovery is much quicker. So it's one of the things I learned from 2025 and 2026 so far in doing these tabletops. The common thing is a lot of facilities don't know the roles and responsibilities. They're not defined. And it's largely because there's no ICS serious response plan. So it kind of all rolls into one. The other thing I noticed as well is that when the tabletops happen, you get that kind of definitive who does what, when, how, which is great.
Dean Parsons SANS ICS (25:6.318): But there's also this kind of trust the bills as we talked about before. So you mentioned, I guess, either self-facilitated or external facilitated. Obviously, it be external facilitators to kind of come in. So I recognize that facilities may not be in that position yet. They want to do one internally. So I just released like kind of an artifact, I guess, like a free kind of a guide that says, like, if you don't want to have a saying, cool, here is a free list of things you want to consider to do a self-facilitated instant response plan with the OT staff.
Dean Parsons SANS ICS (25:36.274): website, icsdefenseforce.com. So the point is, that start something. You also mentioned a really good point, Aaron, about, well, one inch response tabletop, one a year is better than none a year. So from the survey details we've seen is that, again, those mature facilities, you know, in maybe more oil and gas and electric and some other maturing facilities in water or whatever, they're really up to par. They're actually doing now tabletops once a quarter.
Dean Parsons SANS ICS (26:3.054): And these tabletops don't have to be two days long. It's like a four hour, you know, like you, like you said, Aaron, like non distracted kind of put the phones outside dedicated with the engineering staff or people four hours, half day, whatever. And it's more consistent building that relationship and it's refining the roles as needed, which was one of the major gaps I've seen in 2025 is there's, there's no roles defined and they don't know who's going to get logs from the controller. And yeah, so much value here. And there's other areas too, like visibility.
Dean Parsons SANS ICS (26:33.018): Visibility is one of the top technical controls. If we shift from our conversation from people and we look at the technology, when they do a tabletop and they recognize architecture, got to have that place, or I can't see what's in the network visibility and deploy that, then the benefits are not only, well, we can see the packets and the Modbus TCP and the function codes being utilized and all of those things, but you can see now the abuse of those protocols getting back to what we see in the field. Adversaries continue to abuse the protocols we already have.
Dean Parsons SANS ICS (27:2.986): And another thing back to the tabletop for one second is that IT is like, wait a second. And they learn from the conversations and from awareness of like, wait, you're telling me that an attack on a control system is not just necessarily malware. can just get access and reprogram the PLC with new logic from the engineering workstation through an allowed port on the firewall. Whoa, whoa. So that discussion comes out too. And then that it's like, then I'm sitting back like light bulbs are going off. And then they realize, well, a technology.
Dean Parsons SANS ICS (27:32.832): What technology can we deploy to detect that kind of thing? Well, visibility is a great way to do it because antivirus is not going to help you there,
Aaron Crow (27:40.756): Right.
Dean Parsons SANS ICS (27:41.742): And then IT also learns that when there's an incident, that quote unquote incident might not be the execution of malware. It's an adversary on a control system, clicking buttons on the HMI or something similar. How do you detect that? Well, antivirus is not going to help you, right? It's going to be in that visibility technology. So earlier in our discussion, water architecture for sure. Remote access needs to be done in a proper way if it's required to secure remote access, time-based, multi-factor authentication, jump hosts, all those things with
Aaron Crow (27:56.490): Nope.
Dean Parsons SANS ICS (28:11.716): ties into architecture. After those two things, you're then in a prime position to actually deploy network visibility because without those two things prior, or at least the architecture piece, your network visibility technology and the person that uses that technology, then it's going to be far less effective. If you have architecture in place,
Dean Parsons SANS ICS (28:32.652): Visibility now is far more return of investment because you can understand where the protocols are, understand the different choke points you have created for containment, but also for collection of data. And that's where I see facilities really excel. When IT comes in and they're like, yeah, we got a great architect to network now. Let's look at the packets from this managed switch and this firewall at level three at level two. Like then I can see, and I've seen this and I've helped organizations just, they leapfrog year over.
Dean Parsons SANS ICS (29:2.586): year and they accelerate and mature. So yeah, back to people for sure. When the people are established the technology it should be ICS specific, right?
Aaron Crow (29:2.889): Mm-hmm.
Aaron Crow (29:15.735): yeah, absolutely. And as you continue down that path, you talked about the critical controls and we talked about people and we talked about tabletops and then we started getting into architecture. Once I've got these basic things done, then I can more mature. And there's also something you said before, maybe way early in the conversation is this doesn't have to be super expensive or complex. Especially to start, some of this is gonna be a manual walk down with a...
Aaron Crow (29:42.207): with a clipboard and hey, where are my assets? Where are my switches? Where are my PLCs? Like all that kind of stuff. I've literally done those with a freaking camera and a spreadsheet printed out so I can hand write everything and it's in this room and this rack and all that kind of stuff because they had nothing.
Dean Parsons SANS ICS (29:52.514): Yeah.
Aaron Crow (30:1.943): And then that's where we start. But then as you start building new stuff and you have tools and you get to a place where I've got secure mode access, I'm recording my sessions, I'm limiting access, there's dual factor authentication in that, right? All of those things. And then you start monitoring things. And that's where, again, as we build on these things, it's why all this people stuff matters so much. You talked about it before.
Aaron Crow (30:25.075): If I just started sending logs, even if I sent every log available from PLCs, everything to an IT sock, they would know what good or bad looks like. Like they don't know what to look for in an OT space. Like you talked about it. Like it's not malware. It's not antivirus. It's more than likely none of those things. It's allowed actions in an unallowed time or way that is not going to be triggered by.
Dean Parsons SANS ICS (30:36.866): percent.
Dean Parsons SANS ICS (30:49.922): Yeah.
Aaron Crow (30:53.139): a virus or other things. So those relationships that we're building there need to continue so that when something comes up, we can tune these things and tell the people what to look for. And these are the types of events. And are we in an outage? Are we not in an outage? What is accepted? What is allowed? What is not allowed? Like those are the things that's how you make this where it's actually valuable. And we're not just sending sending logs to send logs that are
Aaron Crow (31:20.551): adding no value. that's the other piece to this that I see a lot in a lot of these spaces is a CISO comes in, they want tools, they deploy tools, but the endpoint, the users, the plants, the manufacturing facilities, they get no value from it. To them, it's a cost, it's complexity, and they don't see any real value out of it. When you flip the script and you, yeah, 100%.
Dean Parsons SANS ICS (31:41.902): could be a risk. Yeah, could be a risk of taking that internal information and pushing it out to a network you may not trust. That's hostile. That's always targeted. Yeah. So you make another...
Aaron Crow (31:47.307): Correct.
Aaron Crow (31:50.793): What in what when real quick when I when I approach that and from that perspective when you're thinking about it from a hey I can't I can't protect the world but when I'm looking at what is the value that I can bring to the customer.
Aaron Crow (32:5.759): This is going to help them do their job. It's gonna help them bring vendors in securely. I can lock the door. I can monitor the things they're doing, like all those types of things. So when we make sure that whatever we're doing, where we have the intention of adding value to the customer, not just, hey, you don't know what you're doing. I'm just gonna handle this. You go sit over there and I'm gonna protect it for you. Just trust me, I got this. Like, no, that's never gonna help.
Dean Parsons SANS ICS (32:28.438): Right, right. So you're bringing up really good points here.
Dean Parsons SANS ICS (32:30.542): So many good points, Aaron. So number one, you brought up like, you know, don't take on the world. Don't boil the ocean or whatever. So I want to talk about that a little bit. I also want to talk a little bit about if you don't have all the money, what do you do with the money that you have? And like, let's take a look at water, for example, again, they're probably right now going through budget cycles to get money for piping for water, like to push through new piping, maintain like, that's awesome, needs to happen. But none of that is going to be useful if the water you push them through is not at the right pressure or poisoned or et cetera, et cetera.
Aaron Crow (32:35.753): Right. Sure.
Dean Parsons SANS ICS (33:0.496): So there's a cyber security element there. So let's go back to the money aspect and like not boiling the ocean. If I look at network visibility of like packet captures in your network, a lot of people are like, whoa, that's like a lot of data. And I need like to spend money on like a whole like array of disks to like get all that. And I get that, but wait a second. The purpose is not to be like check, put the tool in place. It's, I always take the threat approach. What have we seen the last decade plus?
Dean Parsons SANS ICS (33:24.750): Where do we think the adversary is going based on our research and based on us seeing them in the field recently? And I go back to let's look at network monitoring. Well, what devices are most targeted and simultaneously most critical in a control system, regardless of sector, HMI, engineering workstation, data story. And for various reasons, and obviously the PLC, if you start with network visibility at to and from those assets, which is not going to break the bank and not going to fill up a terabyte hard drive in every two minutes. Like it's super.
Dean Parsons SANS ICS (33:53.972): achievable to do that. And that data then from those critical targeted commonly assets in most ICS facilities and sectors we see, if you have one person looking at that traffic to spot what's normal and what's abnormal, not looking for malware as such, but looking for anomalous activity.
Dean Parsons SANS ICS (34:10.572): Like that's a workable deployment of a solution with one person commonly looking at your top two, three, four, five, 10. Not going to scale to 300 sites, but you get the idea. And if you focus on that limited subset, I'll say, of network visibility, you will win, like without question. And in doing so, to your point, you're going to show the value to engineering staff as well. So like it doesn't have to be, let's boil the ocean. think the misconception is CISO comes in, I have to have X, Y,
Dean Parsons SANS ICS (34:40.796): visibility, go get visibility and so on and get everything. I'll say, challenge I see is someone comes in and they're appointed, now you have to do OTICS security.
Dean Parsons SANS ICS (34:55.374): And they're like, let's go get visibility. And they start with the firewall between IT and OT. And that's cool. There's some use cases there. There's some value. And then they stop. They run out of the budget or check the box. We've got visibility now at the edge of the OT. And that's awesome. can just, you know, determine if malware is coming in or out, like check the, but the value to the engineer is not there. The value to look at the threats that we see today is not there. You have to go down into the control system.
Dean Parsons SANS ICS (35:20.962): Now I don't want to too deep into this, but it's basically called North South versus East West in the control system. So to recap, visibility does not have to be break the bank kind of solution. If you target inside East West traffic in between those devices, we talked about HMI, ensuring workstation data story. And for example, PLCs like that's an excellent place, high value place to start again, not going to break the bank.
Aaron Crow (35:25.482): Mm-hmm.
Aaron Crow (35:45.929): Yeah, and it goes back to all these things build on top of each other. It's a puzzle piece that all these pieces fit together. When you understand the environment, when you talked about having that architecture and understanding where my critical assets are, then to your point, then I can determine which assets should I be monitoring because I, know, the argument that I've always had is like, I've got two PLCs in environment. One of them is in the break room controlling the ice machine and the other one's controlling the turbine.
Aaron Crow (36:14.555): They're the same firmware, they're the same everything, they have the same risk, a CVSS score, but they're not the same risk to my organization. I don't have to monitor the one in the break room for the ice machine. Yeah, the operators get pissed off, it stops working, but I don't have to spend a whole bunch of money, time, and effort protecting it. So it's just different. So if I understand it, then it makes it easier to protect.
Dean Parsons SANS ICS (36:19.234): Yeah. Right.
Dean Parsons SANS ICS (36:31.980): Love that dude, like love that.
Dean Parsons SANS ICS (36:39.608): So what I'm getting, Aaron, is the PLC managing and monitoring and controlling the ice machine. That's dev environment. Yeah? Is that up for devs? Like, can, if you want to do a pen test, like, pen test that thing, not production, right? Like, that's safer. Like, that's awesome.
Aaron Crow (36:50.162): Exactly.
Aaron Crow (36:54.795): Exactly. But it really comes down to it's that simple, right? And it's why it's so powerful and it doesn't have to be super expensive. If you understand your environment and you understand where the critical assets are, how everything connects to each other, and you can't do it in a vacuum. This is why it's so powerful to have IT teams and OT teams be at the same table and be able to communicate and be able to build that level of trust.
Aaron Crow (37:23.529): because you don't want your OT guy to have to do firewalls and patching and all this type of stuff alone. You want him to be able to reach out to the IT team that has a dedicated firewall person. That's all they do. It doesn't mean that you want them controlling your firewall, but you should at least be help. They should be advising you on your policies and making sure that it's done in an effective way and challenging the design. Again, maybe not controlling it, but at least having a dialogue. And if you build that trust,
Aaron Crow (37:52.617): That's the type of thing that you'll benefit from as an organization instead of having this adversarial type relationship like this is mine. Everything from the firewall South. Don't even think about it. Don't look at it. Don't breathe on it. It's none of your business, which is unfortunately where some organizations are. And I think that's the biggest hurdle beyond technical, beyond, you know, cybersecurity, beyond nation state attackers. I think that is the biggest risk in many organizations.
Dean Parsons SANS ICS (38:18.262): Yeah, I think you just nailed it a couple of times there. And I think it goes back to people. And I think if you look for someone to understand the control system, the obvious answer is the engineering staff. So I'll just say it here right now, live on your shows that if someone out there is in IT and they want to do cool things and like for critical infrastructure, like come over to the OT side because we need your knowledge from IT, but we need, must have your like the engineering safety built on top of that. So if you're in IT, you want to go to, to OT, think the biggest
Aaron Crow (38:38.367): Yep. Yep.
Dean Parsons SANS ICS (38:48.176): right now for you as an opportunity. If you're listening to this out there, everybody is get with an engineer, talk with an engineer, take them out to lunch to understand their world because that is the business. Understand how it operates. Understand the control system protocols. Don't be like, yeah, man, have you heard the good news of like, you shouldn't click on bad emails. Like you need to really understand the business, which is the OT side. And I've seen it folks integrate into engineering with that approach that is like, tell me how I can help you. And they're in and they were, and they have that respect versus
Dean Parsons SANS ICS (39:18.196): If they come in guns blazing, you'll never get in there. Rightfully so. and back to the people element again, if you find, if an organization now today, after hearing this podcast, if they're looking for someone in the OT side, that champion, it's going to be an engineer. They already know the engineering side, the safety aspect conversations with the vendors. know where the road access already is that probably didn't go through it because the vendor put it installed and it's all that. And it's even outside the hands of the engineer. So.
Dean Parsons SANS ICS (39:48.086): Engineers are awesome people.
Aaron Crow (39:52.895): And you hit something there as well, right? As many times in these OT spaces, the vendors, third parties are bringing in technology, they're bringing in firewalls, they're bringing in their own systems and configurations. So it does not meet the IT baseline standards. It's probably not the same switches and firewalls and Windows machines, and it's not in the same Active Directory, and it's not patched. Like everything is different, right? And it's not because they...
Dean Parsons SANS ICS (39:59.842): Yes.
Aaron Crow (40:18.887): necessarily want to be different. It's because many times the vendors require them to use their equipment. You only can buy their stuff. You have to use their cybersecurity controls and things like that. So that means that we need to really go. I know we keep harping on this, but that's where this trust keeps coming back to of we need to understand where the risks are, where the concerns are, where what the configuration looks like so that we know, OK, what is good look like?
Aaron Crow (40:46.547): where are these things talking, what is supposed to be going on so that I can help you make sure that this is configured correctly, we're blocking it, we're locking it down, and that east-west, like being able to get into the environment in a good way and see what's going on and understand that is the critical aspect in any of these spaces.
Dean Parsons SANS ICS (41:7.086): For sure. And to bring it back to the five critical controls, the people who implement the monitoring, et cetera, where do those five come from? Well, it's all threat based. It's thread informed. It's because the threats are doing this. These are at least the basic things to prevent them or at least delay them or detect them, et cetera. And so I get that a lot of the times it's well, why the five critical controls? So like what's the sixth control? what's, like what's, what's control zero, right? Like it's, it's those controls exist because of the threats that we've been seeing.
Dean Parsons SANS ICS (41:37.172): year over year over year. And I think that they will evolve over time. I think that once the maturity level comes up in the community, it will mature. Maybe there will be a sixth or add a zero one, like the first found. But I think it's gonna totally depend on the threats. It's gonna depend on the threats and the investments, which can be small.
Dean Parsons SANS ICS (41:57.678): of people and the right technology. And I think to win is looking at the five critical controls first and seeing in water, wastewater, in oil and gas, where we go. And if you have all the five controls done well, then awesome. It's not something I see often. And that's why we still see incidents year over year over year. Going back to 2025, that data indicates to us one in five ICS facilities gets compromised. And that compromise is not, oh, there's ransom
Dean Parsons SANS ICS (42:27.642): where we got it, it's a compromise such that the control system is impacted. So when I talk in Windows boxes, we're talking the control system, the shutdown and impact to a controller, something similar. So one in five is high, man, when we're talking critical infrastructure. Yeah, there's a need for it. Yeah, there's a need for it, man. Like there's a need for the protections that we're talking about.
Aaron Crow (42:41.876): Mm-hmm.
Aaron Crow (42:44.786): It's terrifying to think about, right?
Dean Parsons SANS ICS (42:51.710): And not to sound too kind of like dramatic here, but like when we talk about convergence that happened 20 years ago, what do we do in OT security? Well, what we've converged technology is 20 years ago, which means in OT security today, we're defending the control system against all of the things that IT has been seeing for decades. Plus the stuff. This is a dramatic part. Plus the attacks that can kill people and break gear that you can't replace overnight. Right. And that means downtime. It means brand tarnish. It means injury, possible loss of life.
Dean Parsons SANS ICS (43:21.584): And, but it's only critical infrastructure after all,
Aaron Crow (43:26.537): Well, we're dealing with, you know, we're dealing with, you know, people that, prime example, again, I was an asset owner. had 40 something power plants all across the state, Texas. If you've seen Texas on a map, it's a pretty big place. Plants were as many as, you know, eight to 10 hours apart from each other. My team was based out of Dallas, but I had, you know, plants in Odessa. I had plants in East Texas. I had plants in South Texas. I had them all over the place, right?
Aaron Crow (43:53.627): my team, had six, six employees and, and another six to 10 contractors doing various things. So I had a team of, let's say less than 20 supporting 40 something power plants. Right. and my IT counterparts had, you know, hundreds of people, know, they had a dedicated firewall team, but in my team managed absolutely every bit of technology from the boundary firewall at the site.
Dean Parsons SANS ICS (44:4.568): Yeah.
Dean Parsons SANS ICS (44:12.152): Yeah, yeah.
Aaron Crow (44:18.955): to the control system, including the control system. didn't, obviously the vendors controlled the control systems themselves, but we advised on the networking, the VMware, the patching, the monitoring, the applications, like all that kind of stuff. So we supported, my team had to understand virtualization, VMware, patching, firewalls, networking, routing, like all, the entire tech stack, everything that is supported in IT in an OT space. And I had six guys across 40 something sites.
Dean Parsons SANS ICS (44:45.154): There's an uneven distribution of resources on, again, I'll bring it up, the business. So HR, IT, like finance, those departments are awesome. They're support functions. We need them. That's great.
Dean Parsons SANS ICS (44:56.430): But if the OT part of an OT business didn't exist, HR wouldn't exist, IT wouldn't exist, financial, like, so the OT is the business side. So if there is an uneven distribution of not only resources, but an understanding of risk to the business. And Borger asked the right question. So when I teach ICS 418, when I'm also teaching in June at the ICS Summit coming up in Orlando,
Dean Parsons SANS ICS (45:18.700): teaching ICS 418 there that's a two day leadership class. And in that class, like leaders come there, people at the C-suite come there and they realize, okay, wait a second, like you're telling me, and I'm understanding now that the control system, okay, there's a tax on that. and, okay, so they realign their budgets and I'm not saying take money from IT. I'm saying reallocate or redistribute or create budgets for your business based on the threats we see, not just because it's a nice thing to do. I always go back to the five
Dean Parsons SANS ICS (45:48.596): controls are there based on the threats we see the threat intelligence guides us to what we should do based on what we observe consistently. Now, the other side of that is a leading edge things of like how we're kind of predicting what the adversary is doing next. And we're teaching that in our classes in sans and 515. I'm sharing that in my tabletops, etc. From what I've seen. So it is evolving. These five critical controls need to be in place yesterday, yesterday year. And as we continue to grow and as threats change, there
Dean Parsons SANS ICS (46:18.490): might be additionals to those controls. I can't see them being abolished by any stretch anytime soon, but in the future, I think that like maybe one or two critical controls can be maybe added to that based again on the threats. And I have some scenarios of what controls to add, but I'll keep that for another podcast.
Aaron Crow (46:35.780): Well, I mean, just to be frank, as we know, if you've been in the O.T. space, you know, you and I've probably I know I've walked into places that looks like it's the time, you know, the land that time forgot, right? It's the stuff hasn't been touched in 20 years, 25 years, 30 years. Right. And I'm not talking about nuclear power plants. I'm talking about manufacturing facilities and other places that have literally control systems that were installed 20, 30 years ago and has not been touched since its networked.
Dean Parsons SANS ICS (46:46.926): Yeah.
Dean Parsons SANS ICS (47:0.654): Superlative.
Aaron Crow (47:4.157): It's running and it's very much a, it ain't broke, don't fix it perspective. they just, it's like, the analogy I always give, it's like you bought a new car and you never changed your oil and your engine hasn't exploded yet.
Dean Parsons SANS ICS (47:17.564): Yes.
Dean Parsons SANS ICS (47:20.504): Which tells you something about the reliability of a lot of the industrial control systems that we actually have. They're not built to last two or three years. They're built to last decades. And there will be times when they need to be updated. We see NERC SIP mandating updates and so on and so on for integrity and safety and security. And that's great and awesome. I mean, patching is another kind of topic and issue as well that has to be done. Mature organizations now are patching basically once a year or once a quarter, depending. And it's not patch all the OT at once. It's we do have legacy.
Dean Parsons SANS ICS (47:50.520): systems. Let's test on the ice machine PLC first, right? Like it's through let's let's look at level three responsibly. Let's look at level three or level 3.5 patch there every six months and then let's pass the controllers when we have maintenance window. So I see a lot of the times it's like, we got to patch OT. Yeah, you're right. We got legacy devices, but patching OT doesn't mean just turn everything off, patch everything and bring it back up because bringing it back up could be two or three or four or five or 10 days, right? Depending on if you're oil and gas facility or your refining
Aaron Crow (48:18.088): Mm-hmm.
Dean Parsons SANS ICS (48:21.405): So, yeah, and that goes back again to the engineering staff, because if they're not involved, they're not going to tell you, well, the sequence of events to start this oil and gas facility up is this and this and this, and we need to wait X number of hours or days for this to come back to you. Like, so the engineers back to either a tabletop or even patching or changes in general. If they're not part of the conversations, then why are we having the conversations? they are like, you know what you said in
Dean Parsons SANS ICS (48:50.234): meeting out right it's like well 10 people on the list and if the engineers say like I can't or like you know tentative like just reschedule it till they're available like look without question yeah yeah
Aaron Crow (49:0.229): They're the priority. was literally in a power plant a couple of weeks ago and walking it down and it was a low site that was getting converted to medium and actually getting moved to high because anyways, none of that matters. But we were walking it down and there was this one section. And again, I'm the OT guy and I've got people from the organization that are cyber, they're IT.
Aaron Crow (49:27.423): they don't really have an understanding of power plants and things like that, even though they work at a power company, right? So I'm the outsider coming in, but I understand the environment. So we're walking down this thing and we need to see all the assets. So they're walking us to all the HMIs and all the different spaces. And we walk over to this one section and it's the ox boiler, which if you don't know what that is folks, it's the auxiliary boiler. Many times to start a power plant, you have to have steam getting rolling. you have it.
Aaron Crow (49:53.565): an auxiliary boiler that can start up by like generators or other smaller ways. Cause if I don't have electricity, need electricity to start producing electricity. It's weird, but without going too far down that path, there was, there was an HMI and engineering workstation that's sitting in front of in, the middle of this power plant in the, in the bell, you know, in the basement of this space sitting next to the ox boiler in the dirt, in the, you know, nastiness. And it was sitting there and
Dean Parsons SANS ICS (50:2.786): Black Star tradition, yeah.
Aaron Crow (50:21.213): And I'm having these conversations like, well, we have to protect this. Like we need to put a cage around this. like, no, no, you can't do that. Well, it has to be because of NERC SIP. I get that. Like I understand what you're saying, but there has to be another way because they need this to be able to start that. And if they can't start that, then the whole plant doesn't start up and then NERC SIP doesn't matter. Right. So we have to put, you know, understand that operational. Why is this at? And in that same conversation, there was the, the, the,
Aaron Crow (50:50.621): air compressors. And again, folks, if you don't know at a power plant, you need instrument air. They use air pressure to start tools. It runs process, it open valves, it closes valves, part of the control process. So they had two instrument air compressors. And again, there was a control panel on the side of it. So because this was control,
Aaron Crow (51:10.351): and they needed both of those those compressors to be able to run if one of them went down the site went down. So they needed them both. So it became a critical control component. They're like, well, we'll just build a cage around it. And I'm like, no, you're not going to build a six wall barricade around a compressor. How do you make it? How do you work on it? How do you start it up? Like, again, it's not that the IT people were dumb or they were they just don't know why that's a problem in their world. The easy solution is just build a barricade around.
Aaron Crow (51:40.137): Right. And but in our world, we know that's not an option. So obviously I walk him through like instead, let's take the controller off the side of the compressor. Let's move that someplace else and put it in a box we could control. And then the compressor is still where it is and nobody's going to mess with it.
Dean Parsons SANS ICS (51:51.653): Love it.
Dean Parsons SANS ICS (51:54.882): Yeah, no fence needed on that asset, but that's awesome, man. That's really cool. And that's on the, on the plant floor stuff, you know, boots on the floor.
Dean Parsons SANS ICS (52:3.090): And if I look at that from a NERC SIP perspective, like NERC SIP now going all the way back to our earlier discussions, one of the controls is network visibility. So NERC SIP is coming out and say like they've like INSM, call it. So network internal security monitoring internal to the ICS. So not just like your Neuro South Firewall, East West conversations of the assets. And that's going to be a requirement now for like medium and high best facilities. And so that network visibility, that control is not a nice to have the benefits
Aaron Crow (52:32.811): Mm-mm.
Dean Parsons SANS ICS (52:32.994): are coming to you because you have to have installed. And so that force of NERC SIP to protect our electric power grids is definitely the right thing because the benefits there from a cyber perspective and engineering perspective. So bring on NERC SIP 15, which is INSN, so network visibility. so no fences around, no cages needed for that one. But you will have to understand what your critical assets are, your critical cyber assets to which they deem as a device that goes down.
Dean Parsons SANS ICS (53:2.864): that has a disruptionary impact on the control system within 15 minutes. That's a cyber asset, depending on the criticality of your site, which is medium high or low and so on. if we go back to like kind of looking back a little bit, it's kind of higher level view, there is a mandation now for these kinds of controls for very good reason. And if we look at water, well, that's not there yet. And it kind of sucks because they need it. And so at some point I think they will get that. And I think that there's opportunity for organizations to do that at least
Dean Parsons SANS ICS (53:32.784): in some way before they have to be mandated to do it. And if they do it in some way before they're quote mandated to do it, they will reap the benefits before a checkbox is required. And that's important. I wouldn't wait for mandation because the adversaries are not sleeping, yeah?
Aaron Crow (53:43.198): Mm-hmm.
Aaron Crow (53:51.871): Yeah, 100%. And I think it gets back to what we've said a couple times through this is do something. It doesn't mean it has to be multi-million dollar, super complex, like do a lot of these basics. You can get off the shelf, you can get open source, you can do a lot of this without spending a fortune in technology and all the things. Do as much as you can with what you have.
Aaron Crow (54:17.555): and you'd be surprised how far you can take and protect and lower your risk and improve your perspective in these spaces.
Dean Parsons SANS ICS (54:25.920): Yeah. And I think that how much and what do you do and where do you start? What's the priority as much as you can with the five critical controls. And that's where to start. I think that's, that's the ultimate place to start. And if you need a budget, then if you run a tabletop, it actually tells you what you need because of the outcome of the tabletop and there's your budget. Like you, you know, there's, there's ways to justify that stuff.
Aaron Crow (54:43.435): Correct.
Aaron Crow (54:46.325): So what do you see come up over the horizon? What are some of the things that, know, maybe one thing, at least one thing that's concerning and one thing that you see as promising in this space?
Dean Parsons SANS ICS (54:56.342): Yeah, for sure. So I think that concerns for me is really around how the adversaries continue to manipulate the control system devices using.
Dean Parsons SANS ICS (55:3.822): of the control system against itself. So we call that living off the land. So we see more and more of that. And the concern is, that that stuff's hard to detect if you don't have network visibility. With it, you can baseline understand where there's anomalous activity with engineering focus. Without it, it's like, well, the controller did something and now we have production down. That already happened, period, full stop. It's proactive versus reactive. So my concern is not knowing what's happening inside the internal network of the control system down at East-West. From a positive point
Dean Parsons SANS ICS (55:33.728): perspective, have seen organizations, so like 57 % of organizations surveyed right now have an ICS instant response plan. However, not sure that's a plan that's actually been executed and exercised with threat in the forum scenario, sector specific, at least annually, right? So the positive is that we are seeing organizations say, you know what, an IT instant response plan will only help us out 20 % of the time in ICS and OT. So we've got to have a dedicated plan. And just again, that's positive.
Dean Parsons SANS ICS (56:3.652): that they're now having that plan, 57 plus percent. But my question then is, tinfoil hat on, is are they executing it? Are they exercising that ICSOT plan in a tabletop?
Aaron Crow (56:17.033): Or did they create it once and it gets stuck on the shelf and collects dust and nobody reads it and nobody, people forget it's even there.
Dean Parsons SANS ICS (56:21.100): Right. Or bit, yeah.
Dean Parsons SANS ICS (56:24.492): Yeah. Or did they let AI create it then they're screwed anyway. Like you have to have that engineering knowledge. Yeah. We have to have that in there. AI will help later on at some point. And there's even cases where I got to say it. There's even cases where AI can help engineering as well, troubleshooting, et cetera, but making it do things today, action things inside the ICS, I would be very hesitant to have that happen today in many critical. There's so many other things we can do that has so much higher value now.
Dean Parsons SANS ICS (56:52.155): Yeah, I can, we can do that when we get, you know, the basics done. The foundational five controls first.
Aaron Crow (56:57.853): Yeah. AI is not going to be, it's not going to solve world hunger yet. so exactly, exactly. We should all have the ice machine PLC. So, so, what's called action? How do people find more, take your class, where are you going to be speaking? All the good, all the good stuff.
Dean Parsons SANS ICS (57:1.516): We can try AI on the ice machine PLC. Yeah, put it in the ice machine PLC. That's a great story, Yeah. Love your ice machine. It's great.
Dean Parsons SANS ICS (57:19.896): For sure. So LinkedIn, as I continue to post things on LinkedIn right now, which is like ICS related, OT related, like free things, like kind of things to help people build tabletops, all those kinds of things. I do tabletops, I do assessments.
Dean Parsons SANS ICS (57:32.270): Uh, in June, I'm really looking forward to June, putting a lot of effort into a, uh, hands-on workshop I'm doing in June at the ICS summit, sans ICS summit Orlando. And I'm going to be teaching there as well. ICS 14. So for leaders, a two day class packed class, like there's two days of content, but it's really three years of content in two days. Like it's going to be an awesome ride. So that's the kind of leadership level class, but I also teach ICS five 15 and I teach that at least kind of like once a month and it is global. And in Orlando in March, I'm in like across the
Dean Parsons SANS ICS (58:2.274): see like you know after that I just came back from London like all over and 515 is a 6-day class and that goes into network visibility it goes into incident response where we look at living off the land capabilities of the adversary and how to detect that stuff. Nation states and all and yes we talk about AI and ransomware as well we focus on the engineering side and that's exactly what I think we continue to need.
Aaron Crow (58:26.933): That's awesome. Yeah, guys, if you haven't been to a SANS course, if you haven't checked those things out, you absolutely need to. It's a great time. Great. There's so much value there. I would send, when I was at another consulting firm, even when I was at the S, you know, when I was an asset owner, I sent folks to those classes, especially if you have IT people that are getting into OT, they don't really understand it. Or even those OT people that have great knowledge in the control system and the operational side, but they don't necessarily understand. It's that great.
Aaron Crow (58:57.007): It's really a great convergence place to be and really understanding the wise around these things beyond just it's there's a lot of how in it as well, but there's a lot of why. Why are we doing these things? Why do we care about this stuff? And why is it important to really focus in these areas and those five critical controls like you talked about? That's awesome, man. Well, thanks. Thanks for the time today. I'm excited to see, see that and be part of that. I'm actually trying to get to Orlando this year. it's been a minute since I've been back. So.
Aaron Crow (59:26.325): Hopefully we'll see you there and thanks again for your time today and keep fighting the fight, man.
Dean Parsons SANS ICS (59:31.758): Awesome Aaron, thank you so much man, I appreciate it, all the best.
Aaron Crow (59:34.941): Absolutely.
Transcript lightly edited for readability.
Subscribe to PrOTect IT All and stay ahead of the threats targeting critical infrastructure.