25Minutes: Insights. Expertise. Impact.

1 - John Kingsley: Acknowledging the threat is the first step to defending your business

Eliel Mulumba

In this episode we discuss with John, a cybersecurity expert with over 20 years of experience, his unexpected career path that led him to Operational Technology (OT) security. John shares his motivations, challenges faced during his transition and key incidents that shaped his career, including Stuxnet and other significant OT security breaches in the past. The conversation delves into the differences between IT and OT security, the importance of frameworks like IEC 62443 and the need for better communication between IT and OT teams. John also shares his passion for board games, highlighting their mental health benefits and their role in stress relief and socialization.

Our Guest: 

LinkedIn: https://www.linkedin.com/in/sjkingsley/

https://industrialcyber.co/features/industrial-cybersecurity-coalitions-rise-to-meet-growing-ot-ics-cyber-threats-build-awareness-take-action/

https://www.youtube.com/watch?v=kp6F90MH48U

https://www.linkedin.com/pulse/ot-cybersecurity-resources-kickstart-your-learning-today-kingsley/

25 Minutes Podcast

Hosted by: Eliel Mulumba

Audio editing & mastering: Michael Lauderez

Join conversation on LinkedIn: www.linkedin.com/in/eliel-mulumba-133919147


Hello, John. Welcome to 25 Minutes. I'm so thrilled to have you as a guest on the show. John, you have more than 20 years of experience in cyber security, 10 years in OT security, with an automation background focusing on design and documentation, have worked across 20 different industries, mainly oil and gas and manufacturing, and have served large enterprises in Europe, but also in America. And I'm very happy to have you here as a guest on the show and to talk about your entire journey. I'd like to start with a deep personal career question. John, if you look 20 years back, are you today where you expected to be 20 years ago?

Well, Eliel. I'm really glad to be here. And, uh, thank you for inviting me to your podcast. Yeah, coming to your question I definitely did not expect that I would land here. Yeah, and I always wanted to be probably working in an oil and gas uh, refinery or so as an instrumentation and control engineer.

And that was probably my dream job. But here I am, you know, having done a multitude of roles and finally ended up becoming an OT cybersecurity engineer and architect.

Wow. I mean, John, that's amazing. You're saying that you didn't expect to be here, but you made your way through your career, through the different employers that you have been working for. Tell us a bit more about the motivation behind your career decision to enter the field of OT and especially ICS, because I believe there have been many more options that you have been exploring or that you could have followed.

Yes, very well. That's something that probably didn't cross my mind during my mid career when I hit a decade of work experience, but that's something that we have already been doing, um, in a way, since when we talk about engineering design of control systems, control and automation systems, security has always been a part of the documentation deliverables.

Of course it wasn't called the cybersecurity deliverable back then, but as a part of the documents that you submit to the client we have something called a factory acceptance test. And we also capture various details regarding the configuration, the settings, uh, the different applications, and the various usernames and passwords that we have used and how to go about maintaining them as per the best practices then. And of course, OT cybersecurity wasn't as popular back then as it is now, but this is something that was ingrained in me. And as I was progressing in my career I worked in a company called iFluids Engineering, which did a lot of projects for the oil and gas majors, both in the Middle East and India.

And they were primarily functional safety consultants. And when I was working on those projects with all these Fortune 500 companies, I kind of realized that the cybersecurity life cycle and the functional safety life cycle go hand in hand. They kind of complement each other. That's when I had this light bulb go off in me and, uh, okay, and the advantage that I had was I am from the OT side, I have a background in engineering and electronics and instrumentation, and having worked in steel manufacturing, marine, oil and gas and petrochemical,

Mm hmm.

worked in various sites, hands on, I realized this is something that I could specialize myself in and, uh, that's when it started, and 2011, 2012 was the time when, uh, there was a lot of interest based on Stuxnet and other incidents that happened.

Mm hmm.

In 2015, we had a major incident in one of the refineries in Saudi, probably that was something like a catalyst, right?

Mm hmm.

That's when the shift in me happened. And I consciously decided in my roles and responsibilities in the organization that I was working in that I should start working on more and more cybersecurity related projects.

And that's how, uh, my transition into cybersecurity started. But, of course, there were some challenges, right? Uh, because cybersecurity has always been predominantly in the domain of IT: IT security, information security, data security. Of course, they had first-hand experience with respect to the security implementations and so on, anything related to security.

Mm hmm.

But coming from an automation background and not knowing about the security fundamentals was a bit challenging. So, there was a lot of push and pull. Uh, probably looking back, I could have done things differently in my learning journey. But I do not complain. Um, I am still in a good state.

So, but yes, that's something that motivated me to kind of try to help others, mentor, coach and participate in various other professional bodies, right, to educate and empower people who want to transition, whether they are already on the OT side or IT side, it doesn't matter, but they might need a direction and a push in the right way.

Mm hmm. I mean, thank you very much for what you have been sharing so far, John. And I just recalled you also mentioned best practices in the area of OT security, something that we will definitely touch on, especially when it comes to certain frameworks. You're heavily engaged and involved within IEC 62443, also focusing on threat modeling aspects.

So this is something that we're really curious to explore, but something that actually caught my attention while you were speaking are those big OT security incidents in history that, uh, kind of caught your attention and gave you the feeling that it's the right way to follow when it comes to your personal growth. You were just talking about Stuxnet. I mean, Stuxnet, around 2010, a highly sophisticated cyber weapon, infected industrial control systems in Iran. I think we also had in 2021 the Colonial Pipeline ransomware attack that disrupted fuel supplies across the U.S. But given also the current geopolitical tensions that we have, I think in 2015 and 16 we also had the Ukraine power grid attacks, which was malware, and which actually shows that this industry is vulnerable, manufacturing is vulnerable, oil and gas is vulnerable, uh, when it comes to OT security. So something that I would like to learn a bit about based on your entire history, and maybe we need to take it a level deeper before going into practices and recommendations.

When it comes to engineering and automation in the OT context, can you elaborate a bit more, what is automation in this field? What is engineering in this field? What are the different control systems we're talking about?

Right. So, yes. So this is something that people, irrespective of whichever background and work experience they come in with, need to understand: what OT is all about, and especially the various OT processes, which are industry specific, they need to understand that as well. That will kind of give everyone the big picture.

And when we say OT or, uh, in other words, it's also called industrial control systems or industrial automation and control systems, which again comprise various hardware. This is loosely defined, but you might hear a lot of terms: DCS, SCADA, ICS, PLC, RTU, and so on. So, when we talk about automation, it's basically an integration of multiple hardware and software applications that also use commercial off-the-shelf IT hardware, as well as Windows, right?

So, it could be a multiple set of hardware, depending upon the industry sector you are in. The energy industry uses DCS, a lot of oil and gas and manufacturing uses PLC, geographically widely dispersed facilities use a lot of RTU and so on. And when we talk about engineering and design, it's about selecting the right hardware or the controller and programming it with a programming language. Nowadays, of course, using code, a lot more has been possible. But earlier it was based on PLC programming, ladder logic or function block descriptions and so on, and these things had to be hardwired or connected by a fiber optic cable or an ethernet cable, which also used proprietary protocols or open protocols like Modbus and so on, Modbus TCP and so on. And of course, when we speak about the security aspect of the protocols, again there are secure protocols, and there are these protocols that are used because they have been in use for a long time, since when we had the legacy systems, because at that time they were all designed for trouble-free communication.

Security was probably the last thing in mind, but nowadays, uh, trust, it's a trust deficit world. And, uh, we have all sorts of problems because of that. And the good thing is, uh, a lot has been changing. There have been various standards coming in, various best practices, and various regulations and compliance requirements across different nations.

All this tries to kind of help to develop a secure engineered system.

Thank you very much, John, for that. And I mean, what I understand is that operational technology really refers to hardware and software that monitors, detects and controls physical devices and processes in an industrial environment. Unlike information technology, which focuses mainly on communication and data management, OT is also responsible for managing industrial operations. In this aspect, we also often have this discussion about what the differences between IT and OT are. You were just discussing protocols, legacy systems. And I think that you're already touching the area and angle that is quite interesting. So maybe from your perspective, what are the key differences that you would explain to an executive who is just embarking on the OT cybersecurity journey?

All right. So, of course this is something that a lot has been spoken about, but still, it will continue. People will be speaking about this again and again, um, and there's a reason, good reason for that. It's not because not much has been said or not much has been written. It's simply because a lot of people from other backgrounds, especially from non OT backgrounds, are coming in and it's very important that they understand what the priorities are.

A very, very oversimplified answer would be that an IT system can be shut down and restarted if something goes wrong, and it still wouldn't make a big impact as such. But we can't say the same thing for OT systems, 'cause people work on the factory floor or on the, on the occupants, right?

And such kind of unauthorized shutdowns, without taking prior proper actions, can lead to a catastrophe, right?

Mm hmm.

And this is something, this three-letter term people continuously say, CIA, AIC, etc. Of course, we all know that it's confidentiality, integrity, and availability, which applies for IT, but when we speak about OT, it is always about safety, productivity, and reliability, right?

And so, like, the primary concern is availability, then integrity, then only confidentiality, uh, comes in. Yeah.

Mm hmm.

Yes, that's right. That's right. And one other important aspect is that IT systems probably have a very short shelf life, like three years to five years, with continuous patches, firmware updates and so on.

When we speak about OT, the design life itself is probably around a decade or 15 years or 20 years. There are various key systems, uh, legacy systems that have been operating for 30, 35 years and they still work well. There are a lot of Windows, uh, Vista computers still out there right now. Uh, it might come as a surprise and a hard awakening, a shock to people from a non-OT background, but that's a sad reality anyway.

Mm hmm. Absolutely. I mean, you were just mentioning some of the aspects around OT security that are a key challenge for organizations today. One of them for sure is legacy systems. So many OT systems run outdated software that cannot be easily patched. I think it also starts with visibility. Yeah, do we actually know where those systems actually are within our environment? Going a bit into that direction around challenges, based on your experiences of more than 10 years in the field with clients that are among the Fortune 500: what are the challenges that you still do see, apart from legacy systems, when it comes to implementing the right security measures around OT?

Right. So yeah, we need to take an honest look at the way things are, right? When we accept that there is a problem, then only we'll try to start thinking about a solution. And this is very relevant to the OT security scheme of things, uh, because people have a belief that things are working well, so why should they be disturbed?

That's good to an extent, but if something happens, it's all good until it goes wrong, right? And we speak about legacy. You have aging infrastructure, the possibility of, or the inability to do, some updates and patches, and compatibility with all the modern security tools. That's a major challenge, right? And we have limited visibility.

We can't detect or respond and we don't know what is there and so on. So those are some of the major aspects. If you ask me from my personal experience, the drawings probably wouldn't have been updated. The projects have been executed a while back. It could be years since a lot of upgrade projects happened, but for some reasons, the person on the ground or sitting in the control room may not have the updated drawings.

This has happened multiple times, and as a third party consultant reviewing and doing the various hazard analyses, uh, and so on, when we need to do a thorough activity, right, like we need to do the documentation review, then we need to go on site and see if it is as per what is designed, and we see either the drawing is unavailable or, if it is available, it may not be updated to reflect what is on site. So this is one of the major challenges. And the second one that I keep seeing recurrently is not having visibility in terms of what your asset inventory is or knowing which connection goes where. And that would be a major problem when we want to either limit an attack or try to understand where the connections are going in or coming out, right, without knowing.

We do not have a clear view, so these are major challenges, and having some shiny hardware or software on top of that is not going to solve all those problems. So, yes, it is a bit of a challenge, especially when it is a bit resource intensive. People think that, no, without boots on the ground, we can do it just using solutions, uh,

Mm-hmm.

like plug and play.

No, it doesn't work that way. There needs to be someone on the ground reviewing the design, reviewing the site to understand where goes what and how it is connected, and they need to validate and verify with the drawings that they have, and based on that they need to update their network architectures and, uh, develop their asset inventory.

Of course, to do those activities, there are various solutions that kind of passively or actively try to figure out all that. But of course any active methodology is not acceptable in a live environment that is under production. So, there are some constraints and challenges always when we're working at a facility, but safety is the first priority, right?

And we need to know what we are going to do before we actually do it, and not regret it later.

I think this would be the right approach. Definitely. And I think one of the topics we also touched on at the beginning is frameworks and standards that can help organizations tackle OT security in the right way. And I would like to call out the framework IEC 62443. Tell us a bit more about that from a product security angle, where you do believe that this is the vehicle or the right framework that helps organizations in boosting their OT security posture.

Right. So there are two aspects to it. One is if you're an asset owner. As an asset owner, we already discussed that we need to understand what our risk is,

Mm hmm.

what our exposure is. So for that, we do a site survey. We use some solutions to understand our asset inventory. We do a risk assessment based on that.

We review our main network topology and revise our architecture in terms of the network segmentation, adopting relevant methodologies like zero trust architecture, which again in OT has various challenges. It's not like how we do it in IT. So, but of course, network segmentation and zoning into different zones is the best way to go.

And very importantly, we need to have some monitoring and detection, a properly running patch management. And very importantly, incident response and planning. This is something that I keep seeing missing, uh, on the asset owner side or the facilities, right? Because you have all the other aspects, but you do not have a proper backup, recovery and business continuity plan, or how to manage your crises. I think it could be a disaster. All right, so that is one aspect related to the asset owner. So when we come to the product development part of security, especially as a product supplier like an original equipment manufacturer, uh, there are plenty of them who supply to all the critical infrastructure

Mm hmm.

of the industry, it could be any industry sector.

Because all this hardware, either for power distribution or for machinery, is used somewhere to control, automate and so on. So we have these standards which we can use to follow a secure development life cycle, which again borrows a lot from the various ISO standards that came in earlier, and the Microsoft secure development lifecycle practices.

So, implementing the security measures throughout the lifecycle, from design through deployment and maintenance, is the way to go. So, what happens is, there are various methods to use multiple layers of security controls to protect against various types of attack. And how do we find that? We do a threat model of the systems that we are designing or the products that we are designing, then we understand: how is the data flow? How is the architecture? Where is the possible infiltration and exfiltration? What is the attack surface? And what are the different protocols that we use? Are we using a protocol that is not secure?

So threat modeling gives a lot of information in terms of how we can improve the security posture of the product and how we can ensure that all the discovered vulnerabilities do not exist in the product. So this is very important. And once we do a successful threat model and we know that, we can try to avoid all the known vulnerabilities as much as possible, right?

And again, finally, the most important aspect, irrespective of whether you're an asset owner or a product supplier or a service provider. One thing that I have seen time and again is a very important aspect that is somehow not very efficient or is always missing. I always try to encourage cooperation between the various IT and OT teams, right?

And this is a major challenge because they might be separate teams. They might come under the same manager or a CISO, having different roles and responsibilities, but they don't end up, uh, speaking. So the collaboration is so important and that's probably the way to go. We need to bridge the IT OT gap, right?

Like improving the communication and collaboration between IT and operations. And yeah, because the priorities and goals are completely poles apart. And importantly, the levels of technical knowledge and expertise also differ highly, right? Like each has a very limited understanding of the other, to be honest.

And this is where... Yeah.

No, I can definitely confirm this, also based on the experience that I have had, that communication is a key part between IT people, OT people, but also people actually involved in site operations. We are also approaching the end of our show. And if I'm remembering well, you have a passion for board games. So tell us, how does this work together? Such a highly skilled OT security architect, with a strong automation background, has an addiction to board games. Tell us a bit more about your private story around that.

All right. So, of course, we have all played board games in some way or other, but the board games that I am very much interested in are called modern board games, the board games of today, where there is little or no luck, there is no player elimination, there is the possibility of a lot of strategy and planning far ahead. I probably rediscovered board games around five years back, and one of the reasons that I really got into them is that when we play at our table with our friends or family, maybe even after a hard day of work, it helps to relax, de-stress, and very importantly, it helps the brain to focus.

It's something like a mental exercise for the brain, right? Like, and, uh, I can't stress enough the health benefits in terms of, we do physical activity to keep us healthy, but of course we are also getting old and we need some kind of exercise for the brain. I felt that the games also helped in that.

And not only that, but it helps to socialize and have a good time with our loved ones. And of course, there are various categories of board games for all people; whatever they want, probably there's a board game for what they like. So that's one of the primary reasons, and I avidly try to promote and play as much as possible.
