The Security Ledger Podcasts
The Security Ledger
9 episodes
8 months ago
In this, our 70th episode of The Security Ledger podcast, we speak with Xu Zou of the Internet of Things security startup Zingbox about the challenges of securing medical devices and clinical networks from cyber attack. Also: we take a look at the turmoil that has erupted around the OWASP Top 10, a list of common application security foibles. And finally: open source management vendor Black Duck Software announced that it was being acquired for more than half a billion dollars. We sit down with Black Duck CEO Lou Shipley to talk about the software supply chain and to hear what's next for his company.
Technology
Society & Culture,
News,
Tech News
All content for The Security Ledger Podcasts is the property of The Security Ledger and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
Spotlight Podcast: CSO Chris Walcutt on Managing 3rd Party OT Risk
The Security Ledger Podcasts
35 minutes 42 seconds
1 year ago



In this Spotlight episode of the Security Ledger podcast, I interview Chris Walcutt of DirectDefense about the rising cyber threats facing operational technology (OT). Chris and I talk about how organizations that manage OT – including critical infrastructure owners – are being targeted by sophisticated cyber actors and the strategies best suited to manage increased cyber risks to OT environments.










Cyber attacks on critical infrastructure have gone, in the past two decades, from the hypothetical, to the actual, to the epidemic. Today, malicious actors from cybercriminal ransomware gangs to nation-state affiliated hacking groups are teeing up vulnerable operational technology (OT) environments. As CISA noted in a February Advisory about Chinese infiltration of critical infrastructure providers, the goal of many of these groups is long-term persistence and – eventually – disruption of critical functions such as power distribution at a time of their choosing.



Christopher Walcutt is the CSO at DirectDefense


How should companies respond to the increasing risks to OT systems and environments? In our latest Spotlight episode of the Security Ledger podcast, I sat down with Christopher Walcutt, Chief Security Officer at DirectDefense, to talk about the changing cybersecurity landscape for critical infrastructure and the challenges (as well as the solutions) that organizations face today.



Chris’s Cybersecurity Journey



Christopher began his career on a help desk for a Fortune 200 energy firm, and his path to infosec is a testament to the many unexpected routes leading to cybersecurity expertise. From the help desk, Chris worked his way up to roles as a system administrator and network engineer, eventually taking the IT helm at a power provider with a portfolio of over 30 North American plants, including three nuclear facilities.



Chris’s time in the industry saw the inception of NERC CIP regulations – the first cybersecurity rules directed at critical infrastructure (with the exception of nuclear facilities). Since then, the dialogue about cybersecurity has evolved from a focus on checking compliance checkboxes to addressing cybersecurity as an existential organizational risk amid mounting threats and attacks. Chris and I dig deep on this paradigm shift, and the growing focus within critical infrastructure sectors on resilience vs. simple compliance.



Addressing the Human Factor in OT Cybersecurity



While OT environments present a number of challenges, many of the most significant risks facing OT environments stem from “layer 8,” in other words, “the human factor.” As Chris and I discuss, social engineering attacks are the first step in many sophisticated attacks. Accordingly, Chris stresses the importance of security training for employees that is focused on creating memorable learning experiences. For example, by sharing real-world examples as part of awareness education, organizations can discuss practical measures they use to bolster defenses against sophisticated cyberattacks, underscoring the nuanced nature of cybersecurity threats, which defy mere technical solutions.


