
Mike Holcomb unravels Breach Readiness Challenges in OT.

In this episode of Breach Ready Dialogues, Agnidipta Sarkar sits down with Mike Holcomb, founder of Utilsec and a leading voice in OT cybersecurity, to unpack why industrial environments must move beyond “prevent the breach” thinking.

From IT/OT interconnectedness and lateral movement to AI adoption, cloud exposure, and the limits of the Purdue model, Mike explains why breach readiness is now a business resilience issue – not just a security problem. The conversation explores how leaders can better align budgets, teams, and decisions to protect critical operations when incidents hit.

Watch this episode to learn how OT teams, CISOs, and business leaders can collaborate, simplify cybersecurity, and build environments that withstand the next breach.

Agnidipta Sarkar: Hi, welcome to Breach Ready Dialogues, the show where we assume the bad day is coming, and we focus on whether we’ll survive with dignity or we will be we’ll collapse in this array because we were not ready. So if you’re a CISO or a cyber leader who’s who’s or a board member. You already know that the rules of the game have changed.

Agnidipta Sarkar: It is no longer about whether we’ll be breached or not. It’s about when it happens, how fast can we react to contain it, withstand its effects, and keep the critical business unaffected. So we are talking about that shift today as well. And we are moving away from traditional perimeter-based defenses to.

Agnidipta Sarkar: To focusing on how we can withstand the next breach. And if you’re ready for that, it’s just not about tools. It’s also about decisions. It’s about what we do when crisis hits and how do we handle all that. Today my guest is Mike Holcomb, who to me is an enigma in evangelizing about OT cybersecurity.

Agnidipta Sarkar: And yes. Our discussion today will focus on OT and the connection between OT, IT, the incidents that are happening around the world, and what are some best practices that people can do? And in our conversation we will dig into his rich experience. And he does a lot of courses that are widely available for free.

Agnidipta Sarkar: And to me he’s an evangelist who I live up to. Without taking much from him, let me ask Mike. Why don’t you introduce yourself and probably start off with how do you react when you hear leaders talking about that they need to, double down on the material impact of a breach or the risks thereof.

Mike Holcomb: Sure. Yeah, I can do that. Thanks for having me on the show, Agni. I really appreciate it. Yeah, and my name’s Mike Holcomb. I run a small boutique shop called Utilsec, so I really focus on helping environments understand how to secure better from, against OT and ICS related attacks, right?

Mike Holcomb: How do we make our environments stronger? And besides that, I post on LinkedIn and YouTube and just started Instagram for helping others understand OT ICS cybersecurity. It doesn’t matter if you’re an owner, an operator. If you’re looking at transitioning into OT cybersecurity from either IT security or maybe you’re an engineer or an operator.

Mike Holcomb: That’s at the high level, a little bit of what I currently do prior to my. Current role going out on my own. I worked for 15 years for one of the world’s largest engineering and construction companies for about 10, 10 companies the size of where we’re at. So if you were building one of the world’s largest control system or ICS or OT environments, then.

Mike Holcomb: You would call one of these 10 companies. And so I worked with them and actually built the OT or ICS cybersecurity program and worked with some of the largest companies and environments in the world like Shell and Saudi Aramco. And so I was very fortunate not only to work with those types of clients and those environments, but also with some of the best engineering minds in the world.

Mike Holcomb: So I’m, really fortunate. Not only have that experience, but some are, they’re friends that I still talk to. To today. Which again, I was very fortunate enough but a lot of, what I do today is yeah, taking that information, that experience and that knowledge and share it with others and put it out on LinkedIn and put it out on YouTube.

Mike Holcomb: I have over 50 hours of courses that, that people can take for free. And a lot of those are used by universities around the world or large companies. You’re looking at one of them. What’s that?

Agnidipta Sarkar: I said you’re looking at one of them, the guys who took your course,

Mike Holcomb: so Oh, on YouTube. Oh, I’m glad you Hey thanks for watching.

Mike Holcomb: Yeah, no, I appreciate that. Yeah, I think the, my very first getting started course is like at a hundred and I think 10,000 views which is, really exciting to see, and I’m just about to release a new version of that course, so I’m really excited for that. Yeah so that’s a little bit about me and then what was your earlier question?

Agnidipta Sarkar: Yeah, the question was so when you come across leaders in in the OT world and boards and maybe CISOs who say, you know what, let’s understand a little bit more about. The material impact of breaches in OT and how do we look at risks? What’s your take on that?

Mike Holcomb: Sure. Yeah, it’s a good question and it’s still a challenge today because you have to think that OT cybersecurity is pretty much where IT cybersecurity was 15, 20 years ago.

Mike Holcomb: So you still have a lot of leaders that don’t even realize that they. Need to do anything about OT cybersecurity or they’re just starting on that journey, right? They’re just realizing, oh, we need to be doing something about this. Or also see, unfortunately, a lot of leaders make a lot of assumptions and they’re.

Mike Holcomb: I’m trying to figure the right way to put this, at the end of the day, they’re being told by their OT teams that, Hey, yeah we’re good, right? We’re protected and we’re secure against, some type of cyber attack that it could bring down the plant. And at the end of the day, I think what is being shown is that maybe those OT teams really think they are secure but they’re not.

Mike Holcomb: And then you start having the attacks and then the plant goes down for days, if not weeks or potentially months, where we saw, like even with Jaguar Land Rover. And so you have these extended impacts and not just, on a single site, but a lot of large companies with multiple sites that are getting hit.

Mike Holcomb: And so we’re seeing these. It’s almost like this exponentially increasing, almost compounding interest on the, not only the risk, but the damage to the organization today. And don’t think executives and leadership understand that. And once they start to understand that, then they realize, yes, we do need to do more for OT cyber.

Mike Holcomb: Because right now 95% of cybersecurity budgets go to IT. It goes to the IT side of the house and only 5%, if you’re lucky, goes to the OT cybersecurity house. But at the same time, when you think of where the company makes its money, right? If I’m a manufacturing company I make my money because of the manufacturing plants, right?

Mike Holcomb: And I think you see executives, leaders that are now in a position where they are starting to realize that we do need to be concerned with cybersecurity in, in the plant. We need to take those steps and we need to look at the risks, right? And understand the company’s risk tolerance and at the end of the day let.

Mike Holcomb: Them make the decision. What and how they’re going to invest those resources into protecting the company, right? That’s their job. That’s their role. So like when I go in, or other OT cybersecurity defenders and consultants out there, right? We’re always trying to do our best to work with leadership to help them understand the risk and then work with them, understand the company’s risk tolerance and the company’s goals.

Mike Holcomb: And not just for cybersecurity, but the overall company goals so we can make sure that the cybersecurity goals align with the mission of the organization. I think once we can all get on the same page, right? Then we can have kind of the, like those adult decisions on, okay, this is what we’re going to do next.

Agnidipta Sarkar: Yes. And that’s exactly what I have experienced too. In fact, one of the key differentiators, which I believe I have learned in my life, is the definition of how, or not definition, how risk is perceived at higher leadership levels versus how risk is perceived below. So when you look at it from bottom up, everyone’s trying to treat, transfer, tolerate and do all those things about risks, which are written in the books.

Agnidipta Sarkar: But when you go up, it’s not about all that. It’s about cybersecurity or someone who’s knowledgeable enough can tell them there are risks. Which risks should the leader take? And why? Because not because it is riskier than others. But because it brings in more business benefits. So that differentiation is what I learned much later as I grew up in the organization.

Agnidipta Sarkar: And that to me is a big thing. So I have another question for you about one of the things that I think most leaders in cybersecurity or in OT need to understand are, what are those? Three things probably. There are many, of course. I’m just saying top of your mind. Three things that should serve as indicators for investing in OT cybersecurity.

Mike Holcomb: As far as indicators, I know when I work with leadership, probably the biggest thing that I get the most support from is we go in and talk about the current threat landscape. And we look at what’s happening in OT across the board from a cybersecurity perspective. And so we can look at the number of attacks that are impacting OT environments doubling every year since 2021, since we had Colonial Pipeline.

Mike Holcomb: Yeah.

Agnidipta Sarkar: Yeah.

Mike Holcomb: And so you can look at not only the increasing attacks, but the number of attack groups, right? Attackers going after, right before Colonial Pipeline, we used to, you just worry about nation or I should say state adversaries. And now it’s not just state adversaries, but it’s. Activists, right?

Mike Holcomb: It’s ransomware operators. Everybody’s coming either after your OT environment or they’re coming after the IT environment that OT is connected to. And like we saw with Jaguar Land Rover, they, the entire IT network burned down to the ground. And if you have systems on the IT network that the OT side relies on to operate, then.

Mike Holcomb: You’re down, whether the attacker gets into the OT network or not. So I spent a lot of time in that awareness

Agnidipta Sarkar: so what you’re saying is something that I’m hearing a lot and I think interconnectedness is probably, which was something that we were driving for in the past 10 years, is probably something that we need to be careful of as we head into the future because.

Agnidipta Sarkar: That’s what is primarily being leveraged by people who are trying to attack OT, either through IT or otherwise, but they’re trying to leverage the fact that there is interconnectedness, there’s interdependencies between IT and OT. The traditional method used to be that somebody has a 3.5 DMZ and you have got firewalls and stuff in there, but.

Agnidipta Sarkar: Do you think it, it still is interconnectedness something that we need to now, go to the leaders and say, if we are getting so interconnected, let’s have a budget. Let’s look at what could be that could breach and hence let’s focus on how we can put a budget around it so that whatever digital initiative or AI that we bring in.

Agnidipta Sarkar: Right now there’s AI, digital twins that we bring in, are secure from, or we are going to be breach ready from the day we invest into something which is really innovative and AI built or whatever. Do you think?

Mike Holcomb: Yeah, it. It goes back to, I remember the best lesson I ever learned was, and I worked for this guy named Dan Crow.

Mike Holcomb: He used to be an army officer. He was actually in Delta Force. Which doesn’t technically exist, but it exists. And he actually went from jumping out of airplanes and probably shooting at people. And it went to become a software pen tester. So quite a shift. And I remember when wifi first came out.

Mike Holcomb: And I was telling the business, no, you can’t have wifi ’cause it’s not secure. And it wasn’t. And Dan pulled me aside and he said that, he’s you’re right, it’s not secure, but you know what? They’re going to do it anyways, whether you tell them they can’t or not. And so the best approach right, is we’re not gonna tell them no.

Mike Holcomb: We’re gonna tell them that, okay, we’re going to do this, but we’re going to do it as securely as possible. And that’s the same whether you talk about connecting IT and OT, right? Yeah. 20 years ago, very few IT and OT environments were connected together. Now in 2026, almost all of them are connected together.

Mike Holcomb: Unless it’s a nuclear and rapidly increasing. Pretty much. Yeah. It’s everybody is and they’re only adding more connections. And of course then, probably four or five years ago, we started seeing the push to connect OT to the cloud, right? So then there was the big rush to the cloud, and now of course there’s the huge rush for AI.

Mike Holcomb: And it’s, and I’ve never seen, in the OT world, something just really catch fire and it’s coming super fast and a lot of people aren’t prepared. But again, at the end of the day, it comes down to, okay, you want to do this? Okay, let’s do this. But we have to do it as securely as possible.

Mike Holcomb: But yeah, especially when you introduce things like cloud or AI, right? Every cloud environment managed by every large company with the best security teams in the world, like Microsoft, and they’ve all been compromised. So when we talk about going to the cloud or we talk about doing AI or we talk about integrating with IT, right?

Mike Holcomb: Where we always say it’s not a question of if, it’s only a question of when you’re compromised, right? The, we have to not only make sure we do it as securely as possible, we make sure that we’re prepared for when the breach happens because. It’s going to happen. It’s just a matter of time.

Mike Holcomb: Might not be today or tomorrow. Might not be next year. It could be the year after that, or 10 years down the road, or maybe it is tomorrow. We just don’t know, because it just depends on, which attacker is looking at us and any particular time.

Agnidipta Sarkar: I’m just going back to what we were discussing again and the first thing you talked about was interconnectedness.

Agnidipta Sarkar: Would you think the second point that leaders should consider is to make sure that all digital innovation must be accompanied by breach readiness?

Mike Holcomb: It should absolutely. Hundred percent shift. Now that shifts the onus of getting the budget from the CISO or the OT leader to the business leader in saying that, okay, you want to do this new business. You want to invest in connecting OT to IT, to cloud, to AI, whatever that you want to do. Do you have a budget for defending the OT?

Mike Holcomb: Yeah. I think in a perfect world that makes absolute sense. I think in the reality though, is it is one of those conversations where if you’re gonna go to them and talk about security is going to either slow them down or it’s gonna cost a certain amount, which they’re not gonna have in the budget because they’re still going to do it.

Mike Holcomb: So it is trying to work with them. Within the confines and the constraints of the company to make it as secure as possible. But I don’t it’s, and I’ve seen this too many times, especially in the last couple of years where we do go, it’s okay, let’s do this and let’s do it as securely as possible.

Mike Holcomb: And if you. We’re gonna need, let’s say, a budget of a million dollars to make it a nice round number. And this is for, let’s say, a medium sized to large sized organization. And they might come back and say, maybe we’ll give you half of that or a quarter of that.

Mike Holcomb: And you don’t have six months to implement this. You have six weeks. And that’s just the reality of the situation.

Agnidipta Sarkar: Yes.

Mike Holcomb: I’ve seen, a lot of good folks decide, under those certain circumstances they go find a role somewhere else. And that’s really concerning, right?

Mike Holcomb: Because they left and then there’s no one to replace them immediately, and then the company’s still putting in this new solution and introducing the risk and no security or risk mitigation whatsoever. So yeah, it’s really, it’s a harsh reality that. I think in OT especially, most teams are asked to do more with a lot less, and I realize there’s a lot of IT teams out there as well that are doing that in IT cybersecurity teams.

Mike Holcomb: But remember, like I mentioned in the beginning, 95% of security budgets go to IT. 5% go to OT. So OT is already so stretched, so thin, and when they’re asked to do these new initiatives, that of course is great. But it is rare to have leaders that understand that and that want to make sure that they’re investing and supporting cybersecurity in the environment.

Mike Holcomb: Not that anybody, supporting having a breach, right? But the leaders have so many other things that they’re concerned with and they’re looking at, and I think OT has a really hard time being able to communicate those needs and those risks to leadership. That’s a big part of what’s missing in OT today, right?

Mike Holcomb: IT cybersecurity folks have had decades of practice now in getting budget and resources and support from leadership, and in OT it really just wasn’t something you really had to do. You just kept the plant up and running, and that’s very different in today’s landscape. What defines what it means to keep the plant up and running.

Mike Holcomb: Yeah. It does include cybersecurity now. And again, that’s something that many are still trying to. Wrap their heads around, right? They’re just still starting to learn. And that’s all parts of the organization.

Agnidipta Sarkar: That actually brings me to lateral movement because, from what I have gathered, all the breaches that you talked about, Colonial Pipeline, the JLR one and the recent happening in Poland and Romania, the energy systems, there’s one thing that’s common.

Agnidipta Sarkar: It doesn’t matter where that attack got in from. The reason that they were able to move and move laterally is what eventually gave them the authority to stand up and say you’re attacked. And to me that’s one of the biggest factors. So we talked, so this probably could be the third thing that we could talk about in terms of, if, and you touched upon another very important topic and that is about people.

Agnidipta Sarkar: If there’s somebody who’s moved a proposal, so there are actually too many things in my mind right now. You gave too many important points to discuss. I know. I always

Mike Holcomb: need take notes. Sorry.

Agnidipta Sarkar: Yes. And so one of them was the fact that you need to control lateral movement. The second point you mentioned was about people.

Agnidipta Sarkar: And if people move there becomes a void, do you think it makes sense that OT cybersecurity teams work very closely with IT, and then take a judgmental decision and go to the leadership and say, we’ve invested so much in IT cybersecurity so far. This is 2026 and you’ve been giving us 5%, to quote your number.

Agnidipta Sarkar: You’ve been giving us 5% at this time. We moved it up. We don’t want you to reduce, give us something substantially larger. But we want you to move up that percentage and make it like 30% so that we could get things done in a more granular manner, and then make it more, more useful to the business.

Mike Holcomb: Sure. Yeah. It depends. It depends on the environment. For sure. But I would say yeah, in general the more OT cybersecurity works with IT cybersecurity and IT leadership just in general, so much the better, and the more those teams work together, the more secure the environment is. Absolutely.

Mike Holcomb: I’ve seen, where IT and OT work really well together and it’s a beautiful thing and then I’ve seen where they absolutely hate each other. To where I’ve seen entire, and massive plants being pulled, like I should say, ripped off the rest of the corporate network because they absolutely can’t work together.

Mike Holcomb: And at that point you’re just letting the attackers win. So teams need to work together and I think the more OT cybersecurity can come to the plate. Come to the table, get on the same page as IT, work with them, and right. And doesn’t happen overnight, but work with them and ask for their help and, okay.

Mike Holcomb: You’ve been really successful in getting support from corporate leadership. How do we do that? Yeah. I think that would actually, I think, solve a large amount of issues that we see in OT cybersecurity, but it’s, it is still fairly rare where you have OT and IT working together where you would have somebody from the OT side come to somebody in IT and ask for help, right?

Mike Holcomb: Or have somebody in IT reach out to OT and offer help. That’s a very rare that needs to happen, is what you’re saying. Absolutely, yes. Absolutely. I always say the biggest problem we have from an OT cybersecurity perspective, it’s just a lack of empathy and compassion. It’s if, why don’t we put ourselves in the other person’s shoes, right?

Mike Holcomb: And realize what they’re up against and maybe, start to look at, Hey, how can we help them? I think if we did that right, OT environments would be so much better off. But again it’s either a lot of, apathy or just, infighting and it’s, it that’s the attackers are going, they win.

Mike Holcomb: If we just can’t, be decent human beings to one another and help, help help the other out.

Agnidipta Sarkar: In fact, that reminds me of. Something that I experienced myself. I used to work in a pharma company and we had water is one of the most important factors for pharma, for making medicines.

Agnidipta Sarkar: Yeah. And we had this small little I wouldn’t even call it an office and outpost where there was water pumping. There were some sensors there, which we needed to monitor and they needed to be connected to the for effluent management. And because the environmental authority said that we need video feeds on whatever is going on.

Agnidipta Sarkar: We want to make sure that your effluent movement is monitored. When I went and met those guys, I was a CSO at that point in time, in saying that, no, the traditional MET thing used to be that you IT guys don’t understand our issues. And I said, okay, I’m here. Tell me how do you want me to help you?

Agnidipta Sarkar: Because people need to put in video cameras there. The environmental authority wants a live feed, which means you need to connect it to the internet, otherwise you can’t give them a live feed. And if you have to give them internet, then that needs to get connected. And that means we need to have some cybersecurity in place.

Agnidipta Sarkar: And I was so happy that I did that because that person literally opened. Saying that the guy before you never asked me these questions, he didn’t ask me how he could help me, and that made such a big difference. But that brings me to another point. A lot of OT are remote, so there could be, let’s say the power the water supply treatment, the water supply systems.

Agnidipta Sarkar: They could be a field situation where they don’t have. Any big IT installation, there’s a small unit, so you need a rugged system in place. You need to make sure that’s protected from tampering. It’s tamper proof, and yet it is managed centrally. In your experience how complicated or how difficult is it when you think about OT Cybersecurity?

Agnidipta Sarkar: Because putting in, let’s say a device which monitors that. Electrically or transducer wise, not very difficult. But when you put in digital systems, it’s complicated, isn’t it? And imagine a water supply system across a large country or a large state. Then you have many of these. So when you think about cybersecurity, how are you thinking?

Agnidipta Sarkar: How do you think that works? Does that make sense?

Mike Holcomb: It does. Yeah. I think I get in trouble sometimes for saying this. I don’t think it’s that hard. I think people over complicate or they think OT cybersecurity is complicated, but it is much more easy to do than people let on. I think it’s, yeah, and maybe it’s just a lack of awareness and education, which is a big part of why I post on LinkedIn and YouTube to help people understand.

Mike Holcomb: It’s not that it’s not that hard. A lot of engineers want to tell you it is right? Because I think in part they still, they want the mystery and oh, hey, only we can do this. It’s no, that’s not actually necessarily the case. And so there’s. When you look at as you’re talking, I was thinking about like with Poland, you just mentioned the Poland, the coordinated attack against Poland.

Mike Holcomb: And the main thing that really came outta that was, the coordinated attack against 30 substations that each connected wind farms and solar farms to the Polish grid. And they were all. Taken out from a, attackers got in and they wiped out all the equipment. At the end of the day, the attackers were able to get in and wipe out all the equipment because they were using either easy to guess credentials or default passwords, right?

Mike Holcomb: Or no passwords or no passwords. I think these were all easy to guess and default credentials in this case. And so it’s, we’re not talking about. Was it a state adversary? Yes. But did it take a state adversary to do that? No. No, it didn’t. And so when you look at all of these incidents that at least we know about and that come to light, which is just a small percentage of what actually happens out there, but when you look at what’s going on in each of these attacks, again, these almost never require a rocket scientist.

Mike Holcomb: That was back in 2010 when we had Stuxnet, right? That was a technological marvel and the situation at the time required that level of expertise to do what it did. But you can actually pull off a lot of those attacks days very easily because of things like that interconnectedness now that we have between IT and OT.

Mike Holcomb: And the commoditization of OT systems where, go into OT networks. I think a lot of people don’t realize there’s Windows everywhere, so we used to have Windows everywhere. So you bring in all of those vulnerabilities that attackers can use. Plus, when we talk about PLCs, programmable logic controllers, the human machine interfaces, which are GUIs that, you know, allow us to see what’s going on in the environment and make changes if we need to.

Mike Holcomb: And how vulnerable the these are. But it’s not hard to secure these environments. And on top of that, it’s not hard to be able to monitor and look for changes that would indicate that something suspicious or malicious is happening in the environment. The problem is, and this goes back to earlier conversation about lack of resources that are being focused on OT cybersecurity.

Mike Holcomb: Because you have probably, and this is according to Rob Lee at Dragos, that only about 5% of global OT environments are actually performing network security monitoring. And I would even say out of the 5%, half of them are doing it, are actually doing a really poor job. It’s, OT environments, again it’s, it is very much like it was 15, 20 years ago, and they’re just starting to crawl before we get to walk and run. No, very few are running. That’s the Shells and the Aramcos of the world, right? Almost everybody is still in the crawl phase.

Mike Holcomb: And it’s also partly because there is a lack of resources, right? And most. The sad thing is right. Unfortunately, the majority of OT environments, they’re never gonna have resources to do anything for OT cybersecurity because they’re, that, they’re just that small. They’re not gonna have somebody for OT cybersecurity.

Mike Holcomb: They’re not gonna have somebody for IT cybersecurity, right? Because they’re that small if you look at, but with so much innovation happening, for example one of my favorite topics is describing the fact that remember, I talked breach readiness, right? So what I’m trying to say is if you know how your enterprise is connected, you definitely know how an attacker can come in, whether that attacker is coming from outside or inside, it doesn’t matter.

Agnidipta Sarkar: But I’m talking about when you’re sitting on. Okay, let me give you a corollary to that. So I think attackers are like Tom in the Tom and Jerry cartoon and defenders are like, sorry, the attackers are Jerry, defenders are Tom. We keep chasing them all over, but we never actually end up catching them properly.

Agnidipta Sarkar: And there’s another character called Brutus, and I think that’s the most important one, because he sits on the top of the refrigerator, the cheese is in the refrigerator, that’s where Jerry needs to go. And he is sitting there with a baseball bat and he just whacks Jerry the moment it goes there. And I think if you sit on, if you understand.

Agnidipta Sarkar: How attackable your PLCs are, or your DCS machines are, and you are able to determine that because, the route, the inverse route that someone can take from the DCS machine to all the edges, all the places that someone can come in and from the internal side. So whether the attacker is using an exploit in getting in or is using a valid user, no.

Agnidipta Sarkar: Putting to be a normal user.

Mike Holcomb: If we understand

Agnidipta Sarkar: what attack path that hacker can come in, then we control the attack path and then we can decide, yeah, without a lot of investment that Let’s stop. That brings me, goes back to the whole zoning and conduiting that’s there in IEC 62443. So instead of just saying that, look at it from a Purdue model perspective, look at what’s happening within the Purdue model because as you said earlier, we defeated the Purdue model long back because we brought in cloud to connect into level two probably.

Mike Holcomb: Yeah, yeah, does it make sense a lot there? It does, Purdue Yeah. Was not a security architecture, right? Yes. It was just mostly to show how automation systems are connected within each other and how, as you go down the different levels, the more deterministic that traffic is, which may, it has to get to a very specific point at a very specific point of time. And sometimes you’re talking like milliseconds or less, yeah. And so we have this idea of an expanded Purdue model and 62443 with zones and conduits, which we always talk about, which I think is what everybody needs to leverage.

Mike Holcomb: At the end of the day, it’s the problem is that a lot of these environments aren’t configured that way because people don’t know. They just don’t, they don’t know, they don’t have that awareness. They don’t have that level of

Agnidipta Sarkar: and they don’t have the technology that can tell them what that attack path is.

Mike Holcomb: Yeah. There are some, yeah, some providers out there that are working on different solutions to help with that so that, if you don’t have a knowledgeable resource, this is, but so much of OT cybersecurity, unfortunately is up against, because again, there’s. 70% of environments, unless the solution is free, they’re not gonna ever be doing anything with it.

Mike Holcomb: And that’s probably true. Actually, about 80, 85% of environments are there, right? They’re never gonna have the resources. Dragos, which has their community defense program, which is awesome, they give away. Their products, they give away their services. If you are a utility provider in the US and Canada for, under a hundred million in revenue annually, and you’re like, wow, that’s awesome.

Mike Holcomb: But the problem is you still have to purchase the hardware to run the platform. You still have to have the people to run it: install, configure, manage, maintain, monitor it. They actually have very few takers, because OT organizations don’t have those resources. They don’t have the money.

Mike Holcomb: They’re too small.

Agnidipta Sarkar: Yes.

Mike Holcomb: In the US they,

Agnidipta Sarkar: They are. I don’t know, I don’t think there’s a magic bullet there. But the fact is, with newer innovations that are happening, if you were not to spend a lot of money or a lot of resources, I think the future of technology is how we can make things simpler to manage or operate and faster to deploy.

Agnidipta Sarkar: You said people will give you, what, four weeks to get things done, and if it also aligns and does not put a strain on your existing investments. So if you had to, let’s say, bring in a mechanism to stop lateral movement, agentless, by just connecting off a network switch, that’d be a lot faster than thinking about doing a heavy shift of putting a whole system in place.

Mike Holcomb: It can be, right, but yeah, there are always the questions you’re going to get around how are you going to impact safety, how are you going to impact availability? And that’s like anything in security.

Agnidipta Sarkar: The whole purpose, Mike, would be to enable safety and to enable, oh.

Mike Holcomb: For sure.

Agnidipta Sarkar: Availability

Mike Holcomb: For sure. That’s any solution, right? We could even say that’s why we want to install a patch on a system. But in OT, right, they’re going to come to you and say, how does this impact safety? How does this impact availability? And I think for the business it’s,

Agnidipta Sarkar: I went off, sorry.

Agnidipta Sarkar: Okay. I think I asked a lot of questions. I don’t know how the time passed, and I’m so happy we are having this conversation, but let me ask you one last one.

Mike Holcomb: Okay.

Agnidipta Sarkar: As we go ahead in the future and look at, AI adoption and all these fancy new things.

Mike Holcomb: Sure.

Agnidipta Sarkar: There’s no magic bullet, as we discussed, but how is it possible for OT leaders to think that their adoption of modern cybersecurity mechanisms can be more adaptive, given all the constraints that they have?

Agnidipta Sarkar: Is there something that you want people to take away? Like you said earlier, why don’t we have collaboration within the organization, talk to the CISOs, talk among themselves. That could be one aspect, but there could be others as well. For example, we discussed lateral movement as well.

Agnidipta Sarkar: Because from what I know, there will always be resistance to patching. So if you’re able to create islands of excellence, as I call them, which are interconnected but not connected to everywhere, do you think that makes sense?

Mike Holcomb: It does. Yeah, it helps, right? I think it helps when you’re looking at being able to do appropriate segmentation, right?

Mike Holcomb: Especially when we’re looking at micro-segmentation, or at reducing the ability for attackers to move from one part of the network to another. Absolutely. People also need to be aware, though, that they need to be monitoring the network in the first place, and watching to see what’s happening. Because if you’re not watching and you’re not monitoring, you’ll never know what’s going on in the environment. Yeah. So I think there are definitely a lot of tools and solutions out there that can help, for those organizations that can afford them.

Mike Holcomb: Absolutely. In my old job it was nice, because I did get to work with some of the largest companies, right? And they had the budgets and the resources and all the support that they could want for cybersecurity. And no one would have ever given any pushback.

Mike Holcomb: Amazing. But I did realize that those environments are very few and far between, and it really comes down to a lack of awareness and education. We need more people in these environments who understand what we’re actually up against, and who also understand how to secure these environments.

Mike Holcomb: And it doesn’t have to be complicated. It doesn’t have to be difficult. These environments are very complex, absolutely, I’m not trying to say they aren’t, but securing them from a cybersecurity perspective is not complex. It doesn’t have to be complicated, but people need the awareness, they need the education, they need the time, they need the support, and that is a struggle in a lot of environments today.

Mike Holcomb: The majority of them, unfortunately.

Agnidipta Sarkar: Thank you, Mike. A lot of learning. I didn’t realize, but I just kept talking and asking questions and you kept on answering. So thank you for being on Breach Ready Dialogues, and I love your wallpaper, as if you are practically guarding the gears.

Mike Holcomb: That’s the idea.

Mike Holcomb: Yes. Yes. And I think the first thing I ever used ChatGPT for, two and a half years ago, was: I want to write a newsletter, what should I call it? And it spit out like a hundred names, and the only one that I actually liked was Guarding the Gears. So that’s where I got Guarding the Gears from.

Mike Holcomb: And that’s actually, yeah, why I made the wallpaper.

Agnidipta Sarkar: So thank you again.

Mike Holcomb: Yeah, thanks.

Agnidipta Sarkar: And to me he’s an evangelist who I look up to. Without taking much from him, let me ask Mike. Why don’t you introduce yourself, and probably start off with how you react when you hear leaders talking about how they need to double down on the material impact of a breach, or the risks thereof.

Mike Holcomb: Sure. Yeah, I can do that. Thanks for having me on the show, Agni. I really appreciate it. My name’s Mike Holcomb. I run a small boutique shop called Utilsec, so I really focus on helping environments understand how to secure themselves better against OT and ICS related attacks, right?

Mike Holcomb: How do we make our environments stronger? Besides that, I post on LinkedIn and YouTube, and just started Instagram, to help others understand OT and ICS cybersecurity. It doesn’t matter if you’re an owner or an operator, if you’re looking at transitioning into OT cybersecurity from IT security, or maybe you’re an engineer or an operator.

Mike Holcomb: That’s, at a high level, a little bit of what I currently do. Prior to my current role, going out on my own, I worked for 15 years for one of the world’s largest engineering and construction companies; there are about 10 companies of that size. So if you were building one of the world’s largest control system, ICS or OT environments, then

Mike Holcomb: you would call one of these 10 companies. And so I worked there and actually built the OT or ICS cybersecurity program, and worked with some of the largest companies and environments in the world, like Shell and Saudi Aramco. And so I was very fortunate not only to work with those types of clients and those environments, but also with some of the best engineering minds in the world.

Mike Holcomb: So I’m really fortunate, not only to have that experience, but some of them are friends that I still talk to today. Which again, I was very fortunate about. But a lot of what I do today is taking that information, that experience and that knowledge, and sharing it with others, putting it out on LinkedIn and on YouTube.

Mike Holcomb: I have over 50 hours of courses that people can take for free. And a lot of those are used by universities around the world or large companies.

Agnidipta Sarkar: You’re looking at one of them.

Mike Holcomb: What’s that?

Agnidipta Sarkar: I said you’re looking at one of them, one of the guys who took your course.

Mike Holcomb: Oh, on YouTube. Oh, I’m glad. Hey, thanks for watching.

Mike Holcomb: Yeah, no, I appreciate that. I think my very first getting started course is at about a hundred and ten thousand views, I think, which is really exciting to see, and I’m just about to release a new version of that course, so I’m really excited for that. So that’s a little bit about me. And then what was your earlier question?

Agnidipta Sarkar: Yeah, the question was, when you come across leaders in the OT world, and boards, and maybe CISOs, who say, you know what, let’s understand a little bit more about the material impact of breaches in OT and how we look at risks, what’s your take on that?

Mike Holcomb: Sure. Yeah, it’s a good question, and it’s still a challenge today, because you have to think that OT cybersecurity is pretty much where IT cybersecurity was 15, 20 years ago.

Mike Holcomb: So you still have a lot of leaders that don’t even realize that they need to do anything about OT cybersecurity, or they’re just starting on that journey, right? They’re just realizing, oh, we need to be doing something about this. I also see, unfortunately, a lot of leaders make a lot of assumptions, and they’re,

Mike Holcomb: I’m trying to figure out the right way to put this. At the end of the day, they’re being told by their OT teams, hey, yeah, we’re good, right? We’re protected and we’re secure against some type of cyber attack that could bring down the plant. And at the end of the day, I think what is being shown is that maybe those OT teams really think they are secure, but they’re not.

Mike Holcomb: And then you start having the attacks, and then the plant goes down for days, if not weeks or potentially months, like we saw even with Jaguar Land Rover. And so you have these extended impacts, and not just on a single site, but a lot of large companies with multiple sites are getting hit.

Mike Holcomb: And so we’re seeing this almost exponentially increasing, almost compounding interest on not only the risk, but the damage to the organization today. And I don’t think executives and leadership understand that. And once they start to understand that, then they realize, yes, we do need to do more for OT cyber.

Mike Holcomb: Because right now 95% of cybersecurity budgets go to the IT side of the house, and only 5%, if you’re lucky, goes to the OT cybersecurity side. But at the same time, think of where the company makes its money, right? If I’m a manufacturing company, I make my money because of the manufacturing plants, right?

Mike Holcomb: And I think you see executives and leaders that are now in a position where they are starting to realize that we do need to be concerned with cybersecurity in the plant. We need to take those steps, and we need to look at the risks, right? And understand the company’s risk tolerance, and at the end of the day let

Mike Holcomb: them make the decision on what and how they’re going to invest those resources into protecting the company, right? That’s their job. That’s their role. So when I go in, or other OT cybersecurity defenders and consultants out there, right, we’re always trying to do our best to work with leadership to help them understand the risk, and then work with them to understand the company’s risk tolerance and the company’s goals.

Mike Holcomb: And not just the cybersecurity goals, but the overall company goals, so we can make sure that the cybersecurity goals align with the mission of the organization. I think once we can all get on the same page, right, then we can have those adult decisions on, okay, this is what we’re going to do next.

Agnidipta Sarkar: Yes. And that’s exactly what I have experienced too. In fact, one of the key differentiators which I believe I have learned in my life is how risk is perceived at higher leadership levels versus how risk is perceived below. So when you look at it bottom up, everyone’s trying to treat, transfer, tolerate and do all those things about risks which are written in the books.

Agnidipta Sarkar: But when you go up, it’s not about all that. It’s about cybersecurity, or someone who’s knowledgeable enough, telling them there are risks. Which risks should the leader take, and why? Not because one is riskier than the others, but because it brings in more business benefits. That differentiation is what I learned much later as I grew up in the organization.

Agnidipta Sarkar: And that to me is a big thing. So I have another question for you. One of the things that I think most leaders in cybersecurity or in OT need to understand are, what are those three things, probably? There are many, of course. I’m just asking for the top of your mind. Three things that should serve as indicators for investing in OT cybersecurity.

Mike Holcomb: As far as indicators, I know when I work with leadership, probably the biggest thing that gets me the most support is we go in and talk about the current threat landscape. We look at what’s happening in OT across the board from a cybersecurity perspective. And so we can look at the number of attacks that are impacting OT environments doubling every year since 2021, since we had Colonial Pipeline.

Mike Holcomb: Yeah.

Agnidipta Sarkar: Yeah.

Mike Holcomb: And so you can look at not only the increasing attacks, but the number of attack groups, right? Attackers going after OT. Before Colonial Pipeline, you just worried about nation, or I should say state, adversaries. And now it’s not just state adversaries, but it’s activists, right?

Mike Holcomb: It’s ransomware operators. Everybody’s coming either after your OT environment, or they’re coming after the IT environment that OT is connected to. And like we saw with Jaguar Land Rover, the entire IT network burned down to the ground. And if you have systems on the IT network that the OT side relies on to operate, then

Mike Holcomb: you’re down, whether the attacker gets into the OT network or not. So I spend a lot of time on that awareness.

Agnidipta Sarkar: So what you’re saying is something that I’m hearing a lot, and I think interconnectedness, which was something that we were driving for in the past 10 years, is probably something that we need to be careful of as we head into the future, because

Agnidipta Sarkar: that’s what is primarily being leveraged by people who are trying to attack OT, either through IT or otherwise. They’re trying to leverage the fact that there is interconnectedness, there are interdependencies between IT and OT. The traditional method used to be that somebody has a level 3.5 DMZ and you’ve got firewalls and stuff in there, but

Agnidipta Sarkar: do you think interconnectedness is still something that we need to now go to the leaders with and say, if we are getting so interconnected, let’s have a budget. Let’s look at what could breach, and hence let’s focus on how we can put a budget around it, so that whatever digital initiative or AI that we bring in,

Agnidipta Sarkar: right now there’s AI, there are digital twins that we bring in, are secure, or we are going to be breach ready from the day we invest into something which is really innovative and AI built or whatever. Do you think?

Mike Holcomb: Yeah, it goes back to, I remember the best lesson I ever learned. I worked for this guy named Dan Crow.

Mike Holcomb: He used to be an army officer. He was actually in Delta Force, which doesn’t technically exist, but it exists. And he actually went from jumping out of airplanes and probably shooting at people to becoming a software pentester. So quite a shift. And I remember when Wi-Fi first came out.

Mike Holcomb: And I was telling the business, no, you can’t have Wi-Fi, because it’s not secure. And it wasn’t. And Dan pulled me aside and he said, you’re right, it’s not secure, but you know what? They’re going to do it anyway, whether you tell them they can’t or not. And so the best approach, right, is we’re not going to tell them no.

Mike Holcomb: We’re going to tell them, okay, we’re going to do this, but we’re going to do it as securely as possible. And that’s the same whether you talk about connecting IT and OT, right? Yeah. 20 years ago, very few IT and OT environments were connected together. Now, in 2026, almost all of them are connected together.

Mike Holcomb: Unless it’s nuclear. And rapidly increasing, pretty much. Yeah, everybody is, and they’re only adding more connections. And of course then, probably four or five years ago, we started seeing the push to connect OT to the cloud, right? So there was the big rush to the cloud, and now of course there’s the huge rush for AI.

Mike Holcomb: And I’ve never seen, in the OT world, something just really catch fire like this. It’s coming super fast and a lot of people aren’t prepared. But again, at the end of the day, it comes down to, okay, you want to do this? Okay, let’s do this. But we have to do it as securely as possible.

Mike Holcomb: But yeah, especially when you introduce things like cloud or AI, right? Every cloud environment, managed by every large company with the best security teams in the world, like Microsoft, has been compromised. So when we talk about going to the cloud, or we talk about doing AI, or we talk about integrating with IT, right?

Mike Holcomb: We always say it’s not a question of if, it’s only a question of when you’re compromised, right? We have to not only make sure we do it as securely as possible, we have to make sure that we’re prepared for when the breach happens, because it’s going to happen. It’s just a matter of time.

Mike Holcomb: Might not be today or tomorrow. Might not be next year. It could be the year after that, or 10 years down the road, or maybe it is tomorrow. We just don’t know, because it just depends on which attacker is looking at us at any particular time.

Agnidipta Sarkar: I’m just going back to what we were discussing again and the first thing you talked about was interconnectedness.

Agnidipta Sarkar: Would you think the second point that leaders should consider is to make sure that all digital innovation must be accompanied by breach readiness?

Mike Holcomb: It should, absolutely. Hundred percent. Now that shifts the onus of getting the budget from the CISO or the OT leader to the business leader, in saying, okay, you want to do this new business. You want to invest in connecting OT to IT, to cloud, to AI, whatever you want to do. Do you have a budget for defending the OT?

Mike Holcomb: Yeah. I think in a perfect world that makes absolute sense. I think the reality, though, is it’s one of those conversations where, if you’re going to go to them and talk about security, it’s going to either slow them down or it’s going to cost a certain amount which they don’t have in the budget, because they’re still going to do it.

Mike Holcomb: So it is trying to work with them, within the confines and the constraints of the company, to make it as secure as possible. But I’ve seen this too many times, especially in the last couple of years, where we do go, okay, let’s do this and let’s do it as securely as possible.

Mike Holcomb: And we’re going to need, let’s say, a budget of a million dollars, to make it a nice round number. And this is for, let’s say, a medium sized to large sized organization. And they might come back and say, maybe we’ll give you half of that, or a quarter of that.

Mike Holcomb: And you don’t have six months to implement this. You have six weeks. And that’s just the reality of the situation.

Agnidipta Sarkar: Yes.

Mike Holcomb: I’ve seen a lot of good folks decide, under those circumstances, to go find a role somewhere else. And that’s really concerning, right?

Mike Holcomb: Because they left, and then there’s no one to replace them immediately, and the company’s still putting in this new solution and introducing the risk, with no security or risk mitigation whatsoever. So yeah, it’s a harsh reality. I think in OT especially, most teams are asked to do more with a lot less, and I realize there are a lot of IT teams and IT cybersecurity teams out there that are doing that as well.

Mike Holcomb: But remember, like I mentioned in the beginning, 95% of security budgets go to IT, 5% go to OT. So OT is already stretched so thin, and when they’re asked to do these new initiatives, that’s of course great. But it is rare to have leaders that understand that, and that want to make sure they’re investing in and supporting cybersecurity in the environment.

Mike Holcomb: Not that anybody supports having a breach, right? But the leaders have so many other things that they’re concerned with and looking at, and I think OT has a really hard time being able to communicate those needs and those risks to leadership. That’s a big part of what’s missing in OT today, right?

Mike Holcomb: IT cybersecurity folks have had decades of practice now in getting budget, resources and support from leadership, and in OT it really just wasn’t something you had to do. You just kept the plant up and running, and that’s very different in today’s landscape, what defines what it means to keep the plant up and running.

Mike Holcomb: Yeah. It does include cybersecurity now. And again, that’s something that many are still trying to wrap their heads around, right? They’re just starting to learn. And that’s all parts of the organization.

Agnidipta Sarkar: That actually brings me to lateral movement, because from what I have gathered, all the breaches that you talked about, Colonial Pipeline, the JLR one, and the recent happenings in Poland and Romania in the energy systems, there’s one thing that’s common.

Agnidipta Sarkar: It doesn’t matter where that attack got in from. The reason they were able to move, and move laterally, is what eventually gave them the authority to stand up and say, you’re attacked. And to me that’s one of the biggest factors. So this probably could be the third thing that we could talk about. And you touched upon another very important topic, and that is people.

Agnidipta Sarkar: If there’s somebody who’s moved a proposal, so there are actually too many things in my mind right now. You gave too many important points to discuss. I know, I always

Mike Holcomb: need to take notes. Sorry.

Agnidipta Sarkar: Yes. And so one of them was the fact that you need to control lateral movement. The second point you mentioned was about people.

Agnidipta Sarkar: And if people move, there becomes a void. Do you think it makes sense that OT cybersecurity teams work very closely with IT, and then take a judgment call and go to the leadership and say, we’ve invested so much in IT cybersecurity so far. This is 2026, and you’ve been giving us 5%, to quote your number.

Agnidipta Sarkar: You’ve been giving us 5% up to this time. We don’t want you to reduce IT, we don’t want you to give us something substantially larger, but we want you to move up that percentage and make it like 30%, so that we could get things done in a more granular manner, and then make it more useful to the business.

Mike Holcomb: Sure. Yeah. It depends. It depends on the environment, for sure. But I would say, in general, the more OT cybersecurity works with IT cybersecurity and IT leadership in general, so much the better, and the more those teams work together, the more secure the environment is. Absolutely.

Mike Holcomb: I’ve seen where IT and OT work really well together, and it’s a beautiful thing, and then I’ve seen where they absolutely hate each other. To where I’ve seen entire, massive plants being pulled, I should say ripped, off the rest of the corporate network because they absolutely can’t work together.

Mike Holcomb: And at that point you’re just letting the attackers win. So teams need to work together, and I think the more OT cybersecurity can come to the table, get on the same page as IT, work with them, right, and it doesn’t happen overnight, but work with them and ask for their help, and say, okay,

Mike Holcomb: you’ve been really successful in getting support from corporate leadership. How do we do that? Yeah. I think that would actually solve a large amount of the issues that we see in OT cybersecurity, but it is still fairly rare to have OT and IT working together, where you would have somebody from the OT side come to somebody in IT and ask for help, right?

Mike Holcomb: Or have somebody in IT reach out to OT and offer help. That’s very rare.

Agnidipta Sarkar: That needs to happen, is what you’re saying.

Mike Holcomb: Absolutely, yes. Absolutely. I always say the biggest problem we have from an OT cybersecurity perspective is just a lack of empathy and compassion. Why don’t we put ourselves in the other person’s shoes, right?

Mike Holcomb: And realize what they’re up against, and maybe start to look at, hey, how can we help them? I think if we did that, OT environments would be so much better off. But again, it’s either a lot of apathy or just infighting, and that’s how the attackers win.

Mike Holcomb: If we just can’t be decent human beings to one another and help the other out.

Agnidipta Sarkar: In fact, that reminds me of something that I experienced myself. I used to work in a pharma company, and water is one of the most important factors for pharma, for making medicines.

Agnidipta Sarkar: Yeah. And we had this small little, I wouldn’t even call it an office, an outpost where there was water pumping. There were some sensors there which we needed to monitor, and they needed to be connected for effluent management, because the environmental authority said that we need video feeds on whatever is going on.

Agnidipta Sarkar: We want to make sure that your effluent movement is monitored. When I went and met those guys, I was a CSO at that point in time, the traditional thing used to be that, you IT guys don’t understand our issues. And I said, okay, I’m here. Tell me, how do you want me to help you?

Agnidipta Sarkar: Because people need to put in video cameras there. The environmental authority wants a live feed, which means you need to connect it to the internet, otherwise you can’t give them a live feed. And if you have to give them internet, then that needs to get connected, and that means we need to have some cybersecurity in place.

Agnidipta Sarkar: And I was so happy that I did that, because that person literally opened up, saying that the guy before you never asked me these questions, he didn’t ask me how he could help me, and that made such a big difference. But that brings me to another point. A lot of OT is remote, so there could be, let’s say, the power or the water treatment and water supply systems.

Agnidipta Sarkar: They could be in a field situation where they don’t have any big IT installation, there’s a small unit, so you need a rugged system in place. You need to make sure it’s protected from tampering, it’s tamper proof, and yet it is managed centrally. In your experience, how complicated or how difficult is it when you think about OT cybersecurity?

Agnidipta Sarkar: Because putting in, let’s say, a device which monitors that, electrically or transducer wise, is not very difficult. But when you put in digital systems, it’s complicated, isn’t it? And imagine a water supply system across a large country or a large state. Then you have many of these. So when you think about cybersecurity, how are you thinking?

Agnidipta Sarkar: How do you think that works? Does that make sense?

Mike Holcomb: It does. Yeah. I think I get in trouble sometimes for saying this. I don’t think it’s that hard. I think people overcomplicate it, or they think OT cybersecurity is complicated, but it is much easier to do than people let on. And maybe it’s just a lack of awareness and education, which is a big part of why I post on LinkedIn and YouTube, to help people understand.

Mike Holcomb: It’s not that hard. A lot of engineers want to tell you it is, right? Because I think in part they still want the mystery of, oh hey, only we can do this. It’s no, that’s not actually necessarily the case. And so, as you were talking, I was thinking about Poland. You just mentioned the coordinated attack against Poland.

Mike Holcomb: And the main thing that really came out of that was the coordinated attack against 30 substations that each connected wind farms and solar farms to the Polish grid. And they were all taken out: the attackers got in and they wiped out all the equipment. At the end of the day, the attackers were able to get in and wipe out all the equipment because they were using either easy to guess credentials or default passwords, right?

Mike Holcomb: Or no passwords. I think these were all easy to guess and default credentials in this case. And so we’re not talking about, was it a state adversary? Yes. But did it take a state adversary to do that? No, it didn’t. And so when you look at all of these incidents, at least the ones we know about and that come to light, which is just a small percentage of what actually happens out there, when you look at what’s going on in each of these attacks, again, they almost never require a rocket scientist.

Mike Holcomb: Back in 2010, when we had Stuxnet, right, that was a technological marvel, and the situation at the time required that level of expertise to do what it did. But you can actually pull off a lot of those attacks these days very easily, because of things like the interconnectedness that we now have between IT and OT.

Mike Holcomb: And the commoditization of OT systems where, go into OT networks, I think a lot of people don’t realize there’s Windows everywhere. So we used to have Windows everywhere. So you bring in all of those vulnerabilities that attackers can use. Plus, when we talk about PLCs, programmable logic controllers, the human machine interfaces, which are GUIs that, you know, allow us to see what’s going on in the environment and make changes if we need to.

Mike Holcomb: And how vulnerable these are. But it’s not hard to secure these environments. And on top of that, it’s not hard to be able to monitor and look for changes that would indicate that something suspicious or malicious is happening in the environment. The problem is, and this goes back to the earlier conversation about the lack of resources that are being focused on OT cybersecurity.

Mike Holcomb: Because you have probably, and this is according to Rob Lee at Dragos, that only about 5% of global OT environments are actually performing network security monitoring. And I would even say out of the 5%, half of them are actually doing a really poor job. OT environments, again, it is very much like IT was 15, 20 years ago, and they’re just starting to crawl before we get to walk and run. No, very few are running. That’s the Shells and the Aramcos of the world, right? Almost everybody is still in the crawl phase.

Mike Holcomb: And it’s also partly because there is a lack of resources, right? And most... The sad thing is, right, unfortunately, the majority of OT environments, they’re never gonna have resources to do anything for OT cybersecurity because they’re just that small. They’re not gonna have somebody for OT cybersecurity.

Mike Holcomb: They’re not gonna have somebody for IT cybersecurity, right? Because they’re that small, if you look at... but with so much innovation happening, for example, one of my favorite topics is describing the fact that, remember, I talked breach readiness, right? So what I’m trying to say is if you know how your enterprise is connected, you definitely know how an attacker can come in, whether that attacker is coming from outside or inside, it doesn’t matter.

Agnidipta Sarkar: But I’m talking about when you’re sitting on... Okay, let me give you a corollary to that. So I think attackers are like Tom in the Tom and Jerry cartoon and defenders are like, sorry, the attackers are Jerry, defenders are Tom. We keep chasing them all over, but we never actually end up catching them properly.

Agnidipta Sarkar: And there’s another character called Brutus, and I think that’s the most important one, because he sits on the top of the refrigerator, the cheese is in the refrigerator, that’s where Jerry needs to go. And he is sitting there with a baseball bat and he just whacks Jerry the moment it goes there. And I think if you sit on, if you understand

Agnidipta Sarkar: how attackable your PLCs are, or your DCS machines are, and you are able to determine that because of the route, the inverse route that someone can take from the DCS machine to all the edges, all the places that someone can come in, and from the internal side. So whether the attacker is using an exploit in getting in or is using a valid user, no,

Agnidipta Sarkar: pretending to be a normal user.

Mike Holcomb: If we understand

Agnidipta Sarkar: what attack path that hacker can come in, then we control the attack path and then we can decide, yeah, without a lot of investment, that. Let’s stop. That brings me, goes back to the whole zoning and conduiting that’s there in IEC 62443. So instead of just saying that, look at it from a Purdue model perspective, look at what’s happening within the Purdue model because, as you said earlier, we defeated the Purdue model long back because we brought in cloud to connect into level two, probably.

Mike Holcomb: Yeah, yeah, does it make sense? A lot there. It does. Purdue, yeah, was not a security architecture, right? Yes. It was just mostly to show how automation systems are connected with each other and how, as you go down the different levels, the more deterministic that traffic is, which may, it has to get to a very specific point at a very specific point of time. And sometimes you’re talking, like, milliseconds or less, yeah. And so we have this idea of an expanded Purdue model and 62443 with zones and conduits, which we always talk about, which I think is what everybody needs to leverage.

Mike Holcomb: At the end of the day, the problem is that a lot of these environments aren’t configured that way because people don’t know. They just don’t, they don’t know, they don’t have that awareness. They don’t have that level of

Agnidipta Sarkar: and they don’t have the technology that can tell them what that attack path is.

Mike Holcomb: Yeah. There are some, yeah, some providers out there that are working on different solutions to help with that so that, if you don’t have a knowledgeable resource... This is what so much of OT cybersecurity, unfortunately, is up against, because again, there’s 70% of environments, unless the solution is free, they’re not gonna ever be doing anything with it.

Mike Holcomb: And that’s probably true. Actually, about 80, 85% of environments are there, right? They’re never gonna have the resources. Dragos, which has their community defense program, which is awesome, they give away their products, they give away their services, if you are a utility provider in the US and Canada, under a hundred million in revenue annually. And you’re like, wow, that’s awesome.

Mike Holcomb: But the problem is you still have to purchase the hardware to run the platform. You still have to have the people to run it: install, configure, manage, maintain, monitor it. They actually have very few takers, because OT organizations don’t have those resources. They don’t have the money.

Mike Holcomb: They’re too small.

Agnidipta Sarkar: Yes.

Mike Holcomb: In the US they,

Agnidipta Sarkar: they are, I don’t know. I don’t think there’s a magic bullet there. But the fact is, with newer innovations that are happening, if you were not to spend a lot of money, a lot of resources, I think the future of technology is how can we make things simpler to manage or operate, faster to deploy.

Agnidipta Sarkar: You said people will give you, what, four weeks to get things done, and if it also aligns and does not put a strain on your existing investments. So if you had to, let’s say, bring in a mechanism to stop lateral movement, agentless, by just connecting off a network switch, that’d be a lot faster than thinking about doing a heavy shift of putting a whole system in place.

Mike Holcomb: It can be, right, but yeah, there’s always the questions you’re gonna get around how are you gonna impact safety, how are you gonna impact availability? And that’s, it’s like anything in security.

Agnidipta Sarkar: The whole purpose, Mike, would be to enable safety and to enable, oh.

Mike Holcomb: For sure.

Agnidipta Sarkar: Availability

Mike Holcomb: for sure. That’s any, right? Any solution or even, we could even say, that’s why we wanna install a patch on a system. But in OT, right, they’re gonna come to you and say, how does this impact safety? How does this impact availability? And I think for the business it’s,

Agnidipta Sarkar: I went off, sorry.

Mike Holcomb: Okay. I think I asked a lot of questions. Let me... I don’t know how time passed and I’m so happy we are having this conversation, but let me ask you one last one.

Mike Holcomb: okay.

Agnidipta Sarkar: As we go ahead in the future and look at, AI adoption and all these fancy new things.

Mike Holcomb: Sure.

Agnidipta Sarkar: How does, there’s no magic bullet as we discussed, but how is it possible for OT leaders to think that their adoption of modern cybersecurity mechanisms can be more adaptive, given all the constraints that they have?

Agnidipta Sarkar: Is there something that you want people to take away and see that, like you said earlier, why don’t we have collaboration within the organization, talk to the CISOs, talk within them. And that could be one aspect, but there could be others as well. For example, we discussed lateral movement as well.

Agnidipta Sarkar: How much, because from what I know, there will always be the resistance to patching. So if you’re able to create islands of excellence, as I call it, which are interconnected but not connected to everywhere. Do you think that makes sense?

Mike Holcomb: It does. Yeah. It helps, right? I think it helps when you’re looking at being able to do appropriate segmentation, right?

Mike Holcomb: When we’re looking at, especially, micro-segmentation or looking at reducing the ability for attackers to move from one part of the network to another. Absolutely. I think people also need to be aware, though, they need to be monitoring the network in the first place and watching to see what’s happening. ‘Cause if you’re not watching and you’re not monitoring, you’ll never know what’s going on in the environment. Yeah. So I think there’s definitely a lot of tools out there and solutions that can help for those organizations that can afford them.

Mike Holcomb: Absolutely. I just, I typically, in my old job, it was nice ’cause I did get to work with, from a perspective of, I did get to work with some of the largest companies, right? And they had the budgets and the resources and all the support that they could want for cybersecurity. And no one would’ve ever given any pushback.

Mike Holcomb: Amazing. But I did realize that those environments are very few and far between, and it really comes down to a lack of awareness and education. And we need more people in these environments that understand, right, what we’re actually up against. And also understand, yeah, how to secure these environments.

Mike Holcomb: And it doesn’t have to be complicated. It doesn’t have to be difficult. These environments are very complex. Absolutely. I’m not trying to say they aren’t, but securing them from a cybersecurity perspective is not complex. And it doesn’t have to be complicated, but people need the awareness, they need the education, they need the time, they need the support and that is a struggle in a lot of environments today.

Mike Holcomb: The majority of them, unfortunately.

Agnidipta Sarkar: Thank you, Mike. A lot of learning. I didn’t realize, but I just kept talking and asking questions and you kept on answering. So thank you for being on Breach Ready Dialogues, and I love your wallpaper, as if you are practically guarding the gears.

Mike Holcomb: That’s the idea.

Mike Holcomb: Yes. Yes. And I think that was the first thing I ever used ChatGPT for, two and a half years ago. It was, I wanna write a newsletter, what should I call it? And it spit out, like, a hundred. And the only one that I actually liked was Guarding the Gears. So that’s where I got Guarding the Gears from.

Mike Holcomb: And that’s actually, yeah, why I made the wallpaper. So thank

Agnidipta Sarkar: you again.

Mike Holcomb: Yeah, thanks.
