In this episode of Breach Ready Dialogues, Agnidipta Sarkar sits down with Kevin Kumpf, an experienced OT cybersecurity leader and consultant, to unpack what makes breaches in operational technology environments so different from traditional IT incidents.
From industrial control systems and medical facilities to manufacturing plants and critical infrastructure, Kevin shares real-world lessons on why OT security is not just about data protection – it is about safety, availability, resilience, and keeping operations running.
This is a must-watch conversation for CISOs, OT security leaders and anyone responsible for protecting critical infrastructure and industrial environments.
Listen in to learn how organizations can become truly breach ready in the OT world.
Agnidipta Sarkar: Hi everyone. This is Agni again, and I have a new guest for our Breach Ready Dialogues this week. Meet Kevin, and I’ve known him as a great expert on industrial control systems and OT cybersecurity as well. So I’ll, I’m going to ask Kevin to introduce himself. I’m not gonna steal your thunder, Kevin, hold the, can you?
Agnidipta Sarkar: Why don’t you?
Kevin Kumpf: Yep. Absolutely. Hi, my name is Kevin Kumpf. I’m currently consulting for several organizations out in the industry. Prior to this I was with one of the secure remote access vendors, where I took the platform from an IT-focused realm into the OT realm where the technology really fit. And it’s a pleasure to be here today with you, sir.
Agnidipta Sarkar: Thank you. Yeah, actually the pleasure is mine because OT is an area which the industry doesn’t understand that well. Not especially the specialist vendors who are good in cybersecurity in the IT world. And then there is the whole CISO community that we work with. And then there are people on the OT side.
Agnidipta Sarkar: The general perception is that OT has too much pushback and OT guys feel that IT doesn’t understand OT problems. So I think that’s where your expertise will help our audience today, especially CISOs and OT experts and all those who are listening in, in how it is different. So my first question to you is, how are breaches any different on the OT side, and what has been your experience with breaches?
Kevin Kumpf: I come from a long background in OT: director of OT security for Avangrid for several years. Working with Case New Holland. Working with almost every vendor you can name out in the industrial control system space, and even medical devices that I’ve worked on from a probing perspective.
Kevin Kumpf: So the one thing I have learned is that in IT the mindset is they’re looking for confidentiality, integrity, and availability of the resources. It’s the CIA. The OT side, it’s actually AIC, but there’s a giant S that’s in front of that called safety. And so you have to have the safety, uptime slash availability, the integrity, and then the confidentiality, because they don’t view the data as critical.
Kevin Kumpf: What they view as critical, and rightly so, is the safety of the human beings and the facilities. In fact, we’ve seen, sadly, when a munitions plant went up recently: was this a cyber threat? What happened? When we saw another plant recently here in the US explode, and I believe it was Pennsylvania.
Kevin Kumpf: The first thing was, there’s something cyber related that caused this. So what it’s really about, when you have a breach in OT, people need to understand that human lives and other things can be put on the line.
Agnidipta Sarkar: Sorry, let me stop recording for a moment. I think some, for some reason I went mute.
Kevin Kumpf: Yep. Yep.
Agnidipta Sarkar: You do have substantial experience in OT and especially even breaches in OT. Could you name a few which you believe have been impactful and could have been prevented in some way or the other?
Kevin Kumpf: Yeah. I will start with some that I have been involved with directly where I was working at a facility where we had cutting machines on a facility floor. I won’t get into deep specifics due to confidentiality, but we had cutting machines on a factory floor. The systems actually were impacted with malware that was brought in when a vendor didn’t upgrade from their laptops.
Kevin Kumpf: Now, what was interesting about this was that we had no way to get the malware off of those systems once it was installed, and to replace those cutting systems would’ve cost the company in excess of $500 million. So the only way that we could actually keep them in our facility operating and running
Kevin Kumpf: was microsegmentation, which is an underused and yet misunderstood area of OT cybersecurity. Another one that I was involved with was a major medical center in the region I live in, and sadly, that brought that facility down to its knees for almost a year. In fact, they got to the point where they were having to use
Kevin Kumpf: whiteboards and do paper charting again because those systems were affected. And people look and say, okay, that happened at a hospital. This happens often. That is critical infrastructure in our world, and people need to understand that. If I look at one that goes back even further, there’s a myriad of breaches that people talk about by name out there.
Kevin Kumpf: One that comes to mind for me that is not talked about enough is the Norsk Hydro case, where LockerGoga basically was used to bring the Norwegian aluminum business to its knees.
Agnidipta Sarkar: Oh wow.
Kevin Kumpf: That is a more sophisticated ransomware than NotPetya. It actually was logging users off, changing their passwords, encrypting files on the servers, posting messages on the screens, which, as we’ve seen in IT, has been a common attack because it basically comes in through email. And that is where people say IT and OT, that boundary you talked about, how do they get things in.
Kevin Kumpf: So when you look at breaches that are coming into the OT world, everybody says they start in IT, and for the most part, I’m not gonna sit here and say they’re right or wrong. This is not a place where it’s us versus them. To me, it’s really that point of saying, if this is one of the ingress points into the environment, and this is where the boundary really needs to have a working relationship with IT to prevent these, how do we do that more effectively?
Kevin Kumpf: And what tools do we use?
Agnidipta Sarkar: Absolutely. And I think the one that you talked about illustrates the point that organizations at that point in time did not really focus on what you’re doing today in terms of figuring out where that attack might come from and then what it would lead to, what can be done to understand, at least have visibility of what attack can happen and stuff like that. More importantly, the reaction, the first reaction that I see, and you talked about microsegmentation also, the first reaction that I see from everyone that’s in the news, it says, there has been an unprecedented cyber attack and we have had to shut down our operations, which is really sad because
Agnidipta Sarkar: if you shut down operations, then you are defeating the whole purpose of setting up the digital system. What you really intend to do if you’re using microsegmentation is to limit the damage, which is outside the critical systems. Do you think something like that?
Kevin Kumpf: Yeah, I fully agree. I’ve talked to companies out there and said, what is your first reaction if you find out that there’s something going on in OT from an
Kevin Kumpf: event or incident perspective? And we really have to, even at that level, understand the nomenclature. An event is something that is non-malicious in nature that causes a disruption to business operations, at its simplest form, and an incident is something malicious in nature. And the only way you truly find out what is happening is, in an incident, start to formulate the data, start to formulate what is going on, start to engage and try to mitigate and prevent what is going on. But then there’s the root cause analysis afterwards of what really happened. And as you’re seeing, there’s a lot of things out there that were unintentional. Like, I won’t mention the company’s name, ’cause I’m not here to bash anybody, because I tell every security vendor out there that
Kevin Kumpf: you are one line of code away or one implementation away from being the next name on that list. And going back prior to early 2025, we had a vendor that was doing an auto update, and that auto update caused massive disruptions around the globe. It turns out that if you read some of the groups out there, the Reddit groups or other things where the plant engineers truly talk,
Kevin Kumpf: you’ll find out that update actually caused a plant facility to shut down due to safety concerns, because they lost visibility into critical safety systems. So if we take that approach and say, what are we really trying to prevent here? And you have people out there whose first inclination is to say, I’m going to disconnect IT from OT without understanding the cause.
Kevin Kumpf: A lot of those systems now are monitored by IT. VoIP, phones, cameras, other things that are used in OT many times for security. Door access and things are now run in IT. So to say, we’re going to segment the networks and basically cut each other off, gives you no visibility, gives you no real recourse on how to solve things, and gives you less intel to find that root cause to begin diagnosing and solving.
Agnidipta Sarkar: There’s another concept that I have heard, not heard, I’ve experienced when I talk to OT experts, is that they talk about a mechanism of fails open. Yeah. Which means if systems fail, you basically now allow everyone to come in. How comfortable are you with that?
Kevin Kumpf: That’s, I ask that question often.
Kevin Kumpf: So when something happens, you fail closed or fail open. If you look at the industries that you’re in, the federal space, the government, other areas, many times that enclave will fail closed. They do not want anybody in, and I tell people this is that firewall, that drawbridge at the boundary, or even internally a network access at a switch level where they say we’re gonna cut people off.
Kevin Kumpf: That is a problem because most of the resources for OT when handling an incident are not on site. If I look at the facilities and the companies that I’ve worked with, if you have 10 to 15 plants, let’s say you may have four or five people that can solve problems, and in fact, when I was at one manufacturer, we had a UPS unit go down at one facility.
Kevin Kumpf: The engineer that knew how to reset that was covering at another facility almost five hours away for another engineer that was on vacation. And the plant with the UPS that went down remained offline for three days because nobody else knew how to reset the unit, and he had to be on site, and there was no access to do that remotely.
Kevin Kumpf: So when uptime and availability and basically safety are on the line, if you cut off your access to the outside world, how do you get the resources in to help you? How do you get the boots on the ground there quickly?
Agnidipta Sarkar: Yes. Yes. And that, that’s a matter. So I think what was going on in my mind, and I think that’s what you are alluding to also, is the challenge of fail closed and fail open.
Agnidipta Sarkar: It’s not a simple decision. There are pros and cons on both sides, and most importantly, if you had microsegmentation and if you have done that, that limited the breach. If you reduce the lateral movement, then maybe you could do some fail open. But otherwise it doesn’t make sense, it’s dangerous.
Agnidipta Sarkar: As you said, the plant remained closed for three days. Now the question that remains is how acceptable is it, and what’s the alternative? How does it go around with the leadership who are, let’s say, operational leadership who say, okay, it’s okay, we’ll shut down for three days, versus no, we cannot shut down for three days.
Agnidipta Sarkar: Let’s pay more and get that engineer in.
Kevin Kumpf: Yeah. And that’s where right now, so the reason I’m consulting right now is I’m actually working with a couple firms where we’re designing a platform for this type of situation, where you can get engineers and resources in securely in a small form factor device that I could drop in and spin up in less than 15 minutes.
Kevin Kumpf: And now you can get people in collaborating with OSINT-type tools, with an incident response command center, and having access into the environment over the rudimentary protocols. So to that point, if you need to isolate a segment of a network and you need to do that microsegmentation, being able to drop into that area, because as we’ve talked about here with the aluminum plants organization, their systems were being encrypted, their traffic was being monitored.
Kevin Kumpf: Things in their environment were basically limiting what they could do. The only way to unlimit that and to get people in is to have devices that you can place in your environment on a moment’s notice with the tools you need to make things happen. That way you can start in that cell, if you look at it right now, and they talk about, is that a critical system or not?
Kevin Kumpf: People expect email to go offline for certain periods of time. Even you and I here with the meeting software that we use to have this meeting today, that’s not expected to be there 24 by 7, 365. How many times have you gone into a meeting and said, it won’t start, I can’t get the link to work?
Kevin Kumpf: Things like that. That’s that difference between what is a critical system and what is not. That’s where people in their mind need to think about: if I own a plant and I’m operating the plant, what is critical to me? And many times what an OT operator sitting in the plant, or the plant manager, deems as critical is not critical to the people in IT.
Kevin Kumpf: They look and say that just does this simple, rudimentary task. And if I could close that with one thought. When I worked at another manufacturer out there, every plant had different budgets based on what they produced. And one of the plants was flush with resources to do cybersecurity because they made the big end product; the plant that made the 5 cent widget, that made that big product go, had no budget for that.
Kevin Kumpf: Because it was a plant by plant budget. That plant basically had an attack. That plant was down for four months. The end product could not come off the line, and they couldn’t sell that. And they had to start taking these pieces of equipment and moving them to other locations to store them. So that once that plant came back online,
Kevin Kumpf: they could put that little widget into those machines. The odd thing about that was that was the only plant that made them; that was a specific, basically, method of doing that. And when they came back up with that facility, they actually had to change the method, because by that time, that plant had been down so long.
Kevin Kumpf: Some of the people that knew the process had said, I’m retiring, I’m done. And so when you look at criticality, you have to know your supply chain, and you have to know what is truly critical to your environment to continue processing, running and being efficient, and IT, and OT, and senior leadership need to be on the same page.
Agnidipta Sarkar: So I think you touched upon all those points that we discussed earlier, and all very valid points, and you also touched on decision making and that it’s not easy, because not many people would understand that. But the point, the question that then props up in my mind is a situation like JLR, as you say, you talked about supply chains.
Agnidipta Sarkar: So every manufacturing unit, everyone who has got an OT system has a supply chain that depends on that organization. Almost every, because it’s all connected, right? It could be critical infrastructure. It could be non-critical, or it could be part of a larger organization. It could be pharma, it could be a power plant.
Agnidipta Sarkar: It could be oil and gas. But everything in the world today will be connected sooner or later. Now, how do, what do the operational people in a plant think about the effect of cyber attacks? How serious is it for them? Does it make them, like it gives CISOs sleepless nights. Does the same thing happen on that side?
Agnidipta Sarkar: Does unavailability of a system give them sleepless nights? I’m not even talking about hacking.
Kevin Kumpf: So there’s differences to the lens you’re looking through. From the CISO level, you’re looking at compliance, you’re looking at image, you’re looking at dollars and cents of what the breach is going to cost us, even if it’s not, quote unquote, a breach, it’s just downtime.
Kevin Kumpf: From a plant manager perspective, you’re looking at uptime, availability, and getting things out the door. From the guy that’s working on the plant line at the most functionary level, he understands the stack light or the siren or the buzzer or something in his system that he knows that if that goes off, I have a problem.
Kevin Kumpf: He’s not thinking about, hey, if the malware gets in here, oh my God, what do I do? No, that’s not his job. And when you look at it, the mindset of, you know what? You need to get rid of those Windows XP systems. I even have had people out there still using paper tape. If we got rid of those and we could patch them from IT, we’d be in a better world.
Kevin Kumpf: And we saw that where all of a sudden we had that auto patch a couple months ago, as we’ve referenced earlier, from a vendor, and it took everything down, because they shouldn’t have been patching systems. The reason they shouldn’t have been patching systems: a lot of these systems are stuck in a steady state of, if you change that, if you update that, if you basically do anything to that, even if you try to reboot, that system may not come back up.
Kevin Kumpf: It is not the same world where everybody has a backup, where they say, hey, it’s in the cloud. Just like you’re sitting home and you say, oh, don’t worry, I took a photo, I loaded it to my Google Drive and it’s safe, I have that forever. There’s code that is running in operational facilities that was written 30 plus years ago.
Kevin Kumpf: The person that wrote it is long gone and retired. Now we’re hitting the silver tsunami where people are retiring and nobody knows how to bring that back online. And I had that in a real world example, when I was with Avangrid, which is the current name of the entity, but I was over three different opcos in the utility sector.
Kevin Kumpf: And we were sitting down with New York State to go over a GridEx exercise, which I helped basically write. And one of the things that came up was, in the facilities that we have, who can read the dials and gauges and things like that locally here to keep these systems running and functioning if the critical IT-based system for it goes down? And in the area of one facility I was covering,
Kevin Kumpf: they had 30 or 40 locations. They had one engineer that was trained in how to read the old technology to ensure that things stayed up. So the people that are on the floor, they can tell the sound of their system. They know that if a light goes off, something is happening and what to start looking at to diagnose and to bring that back up. From a plant manager,
Kevin Kumpf: he trusts those people, that they know their systems. He’s in many ways the buffer between the CISO, the C-suite up there that says you need to patch this. And he’s, I have two choices here. My budget this year of X dollars allows me to fix a hole in the roof and a hole in the parking lot so OSHA doesn’t come in here and give me trouble, or I can spend that money on what you’re doing, and now you have some entity in here that’s gonna come in here and slap my wrist.
Kevin Kumpf: Which way do you think he’s gonna go? He’s gonna go to fix the OSHA problems because he knows they have the teeth. The CISO person? Yeah, thanks for stopping by my plant. You haven’t been here, if ever; you’re not the guy walking in from OSHA that says, we have a problem today. That’s the lens you have to look at: what is everybody’s value in the proposition of doing something, in any type of event, patching, microsegmentation, know your assets or anything else we’re throwing at them in OT.
Kevin Kumpf: What is your lens?
Agnidipta Sarkar: I think you made very valid points, and I’m gonna take up a suggestion on that. What if there was an ability, if you’re using microsegmentation for example, what if there was an ability by which you could put the unpatchable, or those systems that you don’t want to really patch, into bubbles, which allow for.
Kevin Kumpf: No, that’s one of the points of why people are pushing microsegmentation and know your assets. Yes, and it’s a hand in hand area where I know many individuals out there that I talk to on a daily basis whose entire job is walking a plant facility after one of these assessment tools, to find assets, finds 10 to 15% of them.
Kevin Kumpf: You go to a plant manager, he says the tool told me I have 200 OT assets here. PLCs, HMIs, RTUs, SCADA devices, you name it, right? And then you start to walk the plant. And I’ve had to walk the plants, and I love walking the plants. You get to meet the people that are there and understand what they’re doing, and you’ll find things the size of a cigarette pack zip tied to a rail in a cabinet.
Kevin Kumpf: You’ll find things hidden underneath basically a wiring rack, literally on the floor underneath it, because that’s where somebody put it, ’cause they didn’t have a long enough cable. And so as you look at these facilities, you’ll find out that if I know 15% of my assets and I think I have 300 assets in the plant, I’ve gone into somewhere,
Kevin Kumpf: they said, I know I have 500 assets in this facility. And by the time we walked out the door, they were at 3,300 and some odd assets.
Agnidipta Sarkar: Oh wow.
Kevin Kumpf: So now you say microsegmentation. Yes, it’s important, but you need to know what is in that bubble. You need to know those assets and what they impact. You need to know what that one component does in that system.
Agnidipta Sarkar: I call that the context of breach readiness. Yes. If you know your assets, if you know what, unless you know what you need to put in what bubble, there’s not going to be any use of microsegmentation at all. You have to know. No. Yes. Yep.
Kevin Kumpf: And it’s funny, because even at home there are tools that you can put on your home network that constantly scan, and I can tell when my son is walking in the door, because all of a sudden it’ll say, new watch alert,
Kevin Kumpf: for the asset that’s on his wrist. I’m not gonna name the vendor, the manufacturer. That’s not what I’m here for. But you know that something’s on your network. In an OT facility, a vendor walks in with a laptop to patch a system. An employee walks in with a USB stick to play music out of a machine.
Kevin Kumpf: And I’ve had this incident, you don’t know. And in fact, I chased the tail of one of these for six plus months. All of a sudden the network would start to go into disruptive states and we couldn’t figure it out. And we started to get contention on the network and things shutting down. It turned out that an employee randomly was bringing in a USB stick of music and plugging it into his system.
Kevin Kumpf: And because he was moving plant to plant, it was hard to find that, chasing the tail.
Agnidipta Sarkar: So what you just said is actually broadly termed under observability and visibility. So once you gain access to that information, and I think there are many tools out there, but most of these that do microsegmentation also do some amount of discovery in terms of what is on.
Agnidipta Sarkar: Like you said, someone comes in and puts on a watch and there is a watch on the network. You can’t do that to OT traditionally, so
Kevin Kumpf: No.
Agnidipta Sarkar: And that brings me to another topic, which is identities. Because when you talk about, even when you see people talking about non-human identities, they’re mostly talking about the cloud.
Agnidipta Sarkar: But in reality, there’s a whole lot of non-human identities that are out there between PLCs, HMIs, and all those machines which talk to each other. And I don’t know if you think that’s an area to be concerned about.
Kevin Kumpf: It is, because one of the things when we talk about CIA versus AIC is confidentiality.
Kevin Kumpf: And I’ll give you a prime example. We have a major manufacturer up here in defense, and they had some data for their new flying systems that was coming out. They had two employees that were getting after hours access. They were higher up in the organization. Everybody just thought that, hey, they’re in here doing things, but nobody ever put a baseline together.
Kevin Kumpf: And a couple months later they resigned. They had taken all the code for the new products out the door with them to a competitor, and there was no baseline. There was no knowing why is this device connecting in at two o’clock in the morning to do this? It’s the same with data in the environment. And why confidentiality now needs to really matter.
Kevin Kumpf: Does this system need to be talking to that system? When you plot out building an infrastructure, no matter what it is, you say, what do I need to have connected? And what is the purpose and the flow of information to that connected system? So even when you’re home and you put in a new internet router, now everybody in the world says, everything in my house can basically reach the internet.
Kevin Kumpf: People need to look and say, in layman’s terms, for people that may be listening to this or watching this that don’t have the deepest OT background: do you really need your thermostat to go out to the internet? If the internet was down, would your thermostat function in your house? Do you really need your fridge to tell you that it is low on milk and that you need to add this to it?
Kevin Kumpf: There’s the critical need and then there’s the nice to have need, and that’s the difference we’re really talking about here. I do not need my fridge to tell me I’m low on milk today. Okay. That’s a nice to have. If you take that to the OT world and you take that mindset into your plants, do I need this packaging system to talk to this production line?
Kevin Kumpf: Do I need this shipping system over here, or this barcode label printer here, to basically talk to my HMI? Should they? Could they? And the answer today is somebody can write an API to make anything talk to anything out there. The question is, what is its intended functional purpose? What does it do to your risk factor of that environment, and is it really a must have or a nice to have?
Kevin Kumpf: And how did it get there in the first place, and who controls it?
Agnidipta Sarkar: I think the last point is the main thing: who controls it? And I was, who was it? I don’t remember who I was talking to, but I talked to someone and he said, in the end, what really matters is who decides that a hacker can come in.
Agnidipta Sarkar: If it is you who’s managing that, if it’s the organization, it’s a different story altogether. But if it is the hacker who decides how to come in, then it’s a different story altogether, because you don’t know, like you said, you started with 200 and then it went to 33,000. Those many assets, it means you did not know what assets are there.
Agnidipta Sarkar: And if you don’t know, then you can’t define what allowable paths someone can take to hack into an OT system, and that could be highly dangerous.
Kevin Kumpf: It is, and this is where I tell people, vendors are the king in OT, and people will tilt their head and go, what do you mean? Why is the vendor the king? Many of these facilities out there, they don’t have the resources, they don’t have the trained staff.
Kevin Kumpf: They don’t have people that are knowledgeable in certain aspects of vendor components or production. So when I go in as an engineering firm and I put in a production line, I have SLAs I have to meet to keep that up. They expect I’m going to do that. So if I’m going to keep that up, I’m going to put in my simple point product tools of saying, if I need access, here’s my access solution.
Kevin Kumpf: If you’re gonna hold me to an SLA, then I’m gonna do what I need to do. If you’re not gonna let me do what I need to do, then I’m not gonna do this service for you. And the penalties there are, at some of the manufacturers I’ve worked with, $60,000, $70,000 per minute. Yes, that’s that uptime and availability.
Kevin Kumpf: And so really what happens now is, the plant operator says, alright, your ball game, your show, you know the penalty if something goes wrong. You get systems that are put in place that nobody asks enough questions about: how do you do this? Who has access to it? It used to be in the old days that, okay, I can actually put it down to two IP addresses from here where I know my vendor’s gonna come in from, because they’re working from an office. Now
Kevin Kumpf: people aren’t working from an office, they’re working from a coffee shop. So how do you turn around and say, I know the identity of that user, based on the resource, based on their location? Then you look at a system and it has a shared credential to it, like so many do, or a hard-coded credential. And now you say, how do I limit that?
Kevin Kumpf: So the only way you can limit that now is to say we build enclaves of where people can go, the quote unquote zero trust concept out there. And then you say, okay, I’m gonna do zero trust. I’m gonna do that wonderful term, secure remote access. That doesn’t stop that when somebody gets down there. And I’ve had this discussion way too many times.
Kevin Kumpf: I’m letting somebody Telnet, and yes, they still do Telnet, or SSH to a host to fix something, and they’re in a Unix box. How do I stop them from doing commands on that box that can escalate privileges and cause lateral movement? And the answer is, you don’t have these tools down below like you have in IT most times, to say, if I see somebody type
Kevin Kumpf: a command for escalation of privileges, changing of mode, even deleting things or extracting things. You have no way to see that data.
Agnidipta Sarkar: Let me change track. I think we’ve talked about this and we can go on talking about this. In recent times, what is the trend that you are noticing from a leadership perspective?
Agnidipta Sarkar: Because I think one of the key factors that OT has always suffered from is lack of credible budgets, where you are trying to balance it off between cybersecurity and availability. What is happening now? Are organizations thinking that, you know what we need? We need to protect our critical infrastructure.
Agnidipta Sarkar: And hence, if there’s a certain amount of budget that they need to do certain activities, let’s think about it and let’s put some dollars in.
Kevin Kumpf: So this is becoming in the the what I call the CYA budgets. I’m sure you can figure what the cover your A is, but this is where cyber insurance has been somewhat of a driver.
Kevin Kumpf: It’s also now been noted that in fact one of the big vendors in the OT space just came out and said that, Hey. 80% of the budgets to cover OT security now are coming from the CISO’s office, and that’s wonderful. But the CISO has to get out on the floor and figure out what these plants do and talk to the people.
Kevin Kumpf: Remember I said the different lenses? I was actually at a meeting a few weeks ago, and I had one of my coworkers with me, and there were two people pictured in the photo on the slide. One was wearing a safety vest and a hard hat, and one was wearing a collared white shirt.
Kevin Kumpf: And I normally wear a hard hat when I do these talks, because it was like, who’s the OT guy? The guy in the hard hat and the safety vest. Who’s the IT guy? The guy in the white shirt that just walked into a plant, who has no idea that he’s gonna get dusty and dirty and that it’s dangerous, and doesn’t have his PPE with him or doesn’t even have a set.
Kevin Kumpf: You have to have that mindset. So it’s great you have the budget, but you can’t just make that decision in a vacuum of, I think we should put in antivirus software, I think we should put in software that basically finds all the assets, ’cause that tool works great in IT, let’s start having it crawl the network in OT.
Agnidipta Sarkar: So what you’re saying is there needs to be effective collaboration between OT leadership and the CISO to really figure out where the dollars should go in.
Kevin Kumpf: Exactly.
Agnidipta Sarkar: And
Kevin Kumpf: the reason. Yeah,
Agnidipta Sarkar: exactly. And it’s not that the dollars are not there, it’s just that the collaboration is missing, and someone needs to build that bridge. The stake in the ground has to be for the OT leadership to understand this is how the CISO can help me, and the CISO needs to understand, if I am able to understand what OT needs, I’ll probably be investing in the right things.
Kevin Kumpf: Absolutely, and I tell people it’s ironic. When I brought it up, the one plant had security and was flush with dollars, the other one didn’t. And yet the plant that had no dollars took out the bigger one. In the IT world, if you have antivirus software, you don’t decide today, the accounting department, those people really save me money by finding the beans and stuff like that,
Kevin Kumpf: I’m gonna give them antivirus software. Shipping department? You know what, they don’t really do much for me, they’re a cost, I’m not gonna give them antivirus software. Everybody in IT gets AV software on their laptop, as an example. Okay. Why should we treat OT facilities any different?
Agnidipta Sarkar: Absolutely.
Kevin Kumpf: You have to look at the budget and say, all of my infrastructure is critical. After I’ve done my assessment and found the key components in each plant, in each area, now I’m gonna protect everything. Exactly. So I really feel that the industry, and that’s what I’m working on now, is pushing towards a service model.
Kevin Kumpf: Because in OT I can go and drop in a system and nobody bats an eye when they say, in order to keep that uptime available and running and operating, like your car warranty today that people are pushing, I’m gonna pay that service fee. I’m gonna pay it because I need that up. They don’t have the dollars to say, I’m gonna go out and buy new hardware, new software, new systems to do this.
Kevin Kumpf: There’s that difference in where they spend the dollars, because that facility has this production line that’s been there 30, 40 years, but they continue to pay the maintenance on it, ’cause they know if that goes down they’re in trouble. That doesn’t mean they’re gonna buy new.
Agnidipta Sarkar: Absolutely.
Kevin Kumpf: So security now is coming more towards a service mindset of:
Kevin Kumpf: can you, as a vendor, own the software, hardware, everything else, and provide this service to all my plants? Can you protect me globally?
Agnidipta Sarkar: Last question.
Kevin Kumpf: Where going,
Agnidipta Sarkar: what are some of the recent breaches that you think people should learn from?
Kevin Kumpf: I think if I was to take one that people don’t really talk about.
Kevin Kumpf: We’ve talked about water treatment plants in Florida. In the past we’ve talked about semiconductor facilities, Colonial Pipeline, that has been out there. Let’s focus on the breaches that have hit the industry. There was a supermarket chain in the United Kingdom that was completely taken offline and had to go out of business.
Kevin Kumpf: Because of ransomware, and it got into systems that basically dealt with their logistics and delivering everything else. A hundred-year-old-plus company out of business. There was a manufacturer I worked with out in Missouri that for years had just systems that sanded parts to a certain finish for a customer that was building tables.
Kevin Kumpf: Their systems were taken down when basically the code was accidentally erased off the system by a vendor. Nobody had a backup. The manufacturer of the tables is now at a nine-month delay, because those legs are matched specifically to these tables here, and the system that ran it, they’ve not been able to get back on because of how it built things.
Kevin Kumpf: And people may say it’s just sanding table legs and stuff. It’s craftsmanship. This is where we’re really hurting: you’re hurting from the mass production to the hand craftsmanship out there. If Rolls Royce or Ferrari had a system that was attacked, and that was now designing their cars and doing certain things for those vehicles, they’re not large-volume production, they’re, I build one.
Kevin Kumpf: It takes me this long to do it, and that’s why some of those systems are insulated, because we’ve always done it by hand. But other ones are like, how would I ever reproduce this part if I don’t have a system that can form this shape for me in 3D and then stamp it out?
Agnidipta Sarkar: I think there are a lot of takeaways in what we just talked about, what you touched upon, and there’s a lot for the audience to learn from.
Agnidipta Sarkar: And I think my takeaways are three. Number one, you talked about the fact that microsegmentation can really help build those bubbles. You also talked about the fact that there needs to be a collaboration between the people who work at a plant and the CISOs who take decisions and fix budgets, where they’re going to put the dollars in.
Agnidipta Sarkar: And the last thing that you talked about was where one should really be focusing if they had to invest and make sure that enterprises are ready for breaches. So I loved it, and I would like to talk to you once again. So for now, thank you for being on my Breach Readiness Dialogues. I really loved talking to you.
Kevin Kumpf: Thank you. It was a pleasure to be here, sir.
Agnidipta Sarkar: Thanks.