“Within the [cybersecurity] community, that's why it's so small. We establish that trust. Okay, I know you've always provided this information to us, what can we do to help you? Things like that is the human factor that cannot be eliminated.” - Dd Budiharto
Bryson Bort is joined by Dd Budiharto, Microsoft’s Customer Security Officer for the Oil, Gas, and Energy sectors, to share her experience bridging the IT/OT divide in the energy sector. Drawing on her background as a former CISO and industry veteran with decades of experience starting security programs at giants like Halliburton and Marathon Oil, Dd breaks down IT vs OT auditing, the cultural divide in oil and gas, and what cybersecurity looks like in the energy sector.
How did an early mistake involving a patch reboot change Dd's career forever? What is preventing private companies and the FBI from working together? Why is basic hygiene—like disabling terminated accounts—still the biggest "unsolved" problem in billion-dollar industries?
“If you want to upgrade your home, to modernize it, the foundation still needs to be fixed first,” Dd said.
Join us for this and more on this episode of Hack the Plan[e]t.
The views and opinions expressed in this podcast represent those of the speaker, and do not necessarily represent the views and opinions of their employers.
Hack the Plant is brought to you by ICS Village and the Institute for Security and Technology.
Bryson: I’m Bryson Bort, and this is Hack the Plant, season 5, brought to you by ICS Village and the Institute for Security and Technology. Electricity. Healthcare. The food we eat. Our water supply. We take these critical infrastructure systems for granted, but they're all becoming increasingly dependent on computers to function.
In Season 5, it’s more important than ever to ensure that our essential services are resilient to disruptions. This season, we’ll bring you insights on four of our most vital lifeline sectors - electricity, healthcare, food, and water. We know that our interconnectivity makes us vulnerable to our enemies – but what can we do about it?
We walk you through the world of hackers working on the front lines of cybersecurity and public safety to protect the systems you rely upon every day. From the threat posed by Volt Typhoon to the aftershocks of the Change Healthcare data breach, it is clear: the time for action is now.
In my day job, I'm the CEO and founder of Scythe, a start-up building a next-generation threat emulation platform, and GRIMM, a cybersecurity consultancy and co-founder with Tom Van Norman of ICS Village, a non-profit advancing awareness of industrial control system security.
I'm also an adjunct Senior Advisor at the Institute for Security and Technology, a 501c3 Think Tank dedicated to tackling technology-driven emerging security threats.
Subscribe wherever you find podcasts to get each episode when it drops.
Happy 2026 everyone! In today's episode, I’m joined by Dd Budiharto, Microsoft’s Customer Security Officer for the Oil, Gas, and Energy sectors. With her background as a former fractional CISO and industry veteran with decades of experience starting security programs at giants like Halliburton and Marathon Oil, Dd walks us through the evolution of IT/OT auditing, the cultural divide in oil and gas, and why the government and private sector still struggle to trust one another.
“And that's the thing, cybersecurity professionals, especially, I'm only talking about the energy sector. It's trust. Trust in the person, because we are not gonna share information if you have not been contributing to the pot.”
We discuss how the failure to master "basic hygiene"—from credential management to network segmentation—remains the primary vector for lateral movement and the biggest hurdle in securing the energy sector.
How did an early mistake involving a patch reboot, stop a live drilling operation, and change Dd's career forever? Why is basic hygiene—like disabling terminated accounts—still the biggest "unsolved" problem in billion-dollar industries? And what does it actually take for the FBI and private companies to move from one-way communication to a real partnership?
Join us for this and more on this episode of Hack the Plant.
Bryson: What mistakes in life led you to this moment, Dd?
Dd: What mistakes in life? I think for that one is, I majored in accounting and I didn't like it. So when the big eight accounting firms were recruiting me, I was like, hey, I don't like accounting. I like computers, but I don’t know anything about computers.
This was in 1992. So yeah, leaving the accounting behind and they trained me to be an ADP auditor, which is the precursor of IT, electronic data processing.
Bryson: And how did that lead to today? Sounds like there's about two decades in between there.
Dd: Right. Yeah. I know the memory lapse there, the minor details sometimes I left out.
Yeah, the evolution of the EDP auditing, I guess I learned what security controls were then. I had no idea what the word ‘control’ meant in the auditing world. That was still in the mainframe, IBM, the big machines and everything. The evolution of that, I moved on from being an EDP auditor into – how detailed do you want it to be, Bryson? I don't wanna go – I don't, I don't like talking about myself.
Bryson: I know it is a common problem in this industry where we are a little introverted and we don't like to talk about ourselves. And yet, I hate to tell you, a lot of people would find what you do very interesting. And so if you can just put that headset on, that there is a crowd of thousands who are out there and they're going. Who is this person? She seems interesting. Just go with that mindset.
Dd: The evolution of EDP auditing. So when I started learning controls and working for a public accounting firm, back then, it was always on the recommendation, and I was always wondering what's on the other side? How do they implement these controls?
Then after working in the public accounting space, I moved into industry, being the internal auditor for IT audit. And normally being so bossy, I complain about things that are not going efficiently, and so they always tasked me to say, hey, why don't you start this? Why don't you start that? So many times I was hired to start the program from the ground up.
So my first experience as an internal IT auditor, usually as the first IT audit department that they created, and I led the establishment of the department. Again, that role, I was always giving advice, recommendation, everything else. I was interested in, how do these people implement this correctly or efficiently and everything else.
So when there was an opening at Halliburton, the first oil and gas company I worked for to become an information security analyst, I was recruited, I said, sure, I'm gonna do that because I knew how to audit. Now I need to know how to implement it. So that started my journey in the InfoSec world, and – another interesting, funny story on that one is, so that was the first IT security department that Halliburton created, first CISO was hired. And then he hired two people, Paul Dial, he's a CISO at AECOM and me, coming from public accounting firm. And the complaint from the employees then was like, oh my gosh, before you guys came on board, we never had any problem. We've never had any computer virus. Now that you showed up, we had all kinds of problems. I guess we shone the flashlight to show all this.
Bryson: Wait, wait, wait. Hold on. So they're basically like you showed up and brought the bad stuff with you, or you showed up and you uncovered the bad stuff that was already there.
Dd: In their mind, ignorance is bliss, right? They never knew that they had problems. They knew that they had issues, but they didn't know it was related to computer virus issues.
A lot of machines were infected. The local admin access and everything, and machines that go to the field, who knows how behind they are with patches and everything. And again, this was pre-Patch Tuesday World.
So from there on, I realized I said, okay, there's a lot of education that we need to do, and I was also involved in the American Petroleum Institute, the API IT Security subcommittee, because Halliburton was one of the members of the API org.
So I started going to meetings, and back to always picking up, sharing information, sharing issues, how we work together collaboratively, addressing those different things. And having that big mouth also led me to being elected to be the Chair for the API IT Security Committee. That gave me exposure to the leadership of these big oil and gas companies, because our subcommittee reported to the committee that was pretty much led by CIOs of the super majors, and that exposure got me into being hired by these different leaders interested for me to start the information security program, or transforming the existing IT security organization. After Halliburton, I got hired by a different company, Marathon Oil. It's no longer existing, now it's part of Conoco Phillips.
And in that capacity I was hired to transform their existing IT security and I worked a lot with the lobbyist and I worked a lot through API with the White House. And President Obama then was publishing the executive order to protect the critical infrastructure. So it got me to connect our Marathon Oil CEO with the White House, so when the president invited the top 10 companies to talk about critical infrastructure, two oil and gas companies were selected. One was ExxonMobil, the other one was Marathon Oil. So I got to work with the White House staff, preparing my CEO how to speak with the president on these issues and everything else.
So I get excited over that because I'm thinking now, now I am influencing, not just implementing, how we as an industry work collaboratively and with the government to address all these different issues because we were targeted by state actors then in the oil and gas, and there were only, at that time, the Ugly Gorilla picked a few oil and gas companies and we were one of them.
So trying to work with the government on how to address those issues. Of course, the government, at least from the FBI perspective, by the time I was notified that we were being attacked, it was six-month-old data and they didn't want us to shut down the bleeding. And we wanted to stop the bleeding, because they wanted to keep the attacks going so they could collect more information.
From there on, I was involved in the different legislation. We didn't want to be regulated, but we were also wanting to get some support in terms of, we need to share information immediately and actionably. We did not have an ISAC then, and that led into the formation of the ONE-ISAC. It's called ONE-ISAC now, but as of last year, it was ONG-ISAC.
It was the first ISAC in the oil and gas and energy sector. From that circulation, I mean, oil and gas is a big world, but it's also a small world, especially when you narrow it down to the cybersecurity perspective. I am pretty much well known from that perspective, so that I kept getting hired by different companies to start doing all that.
So from Marathon Oil, I went to Chicago Bridge & Iron, Enable Midstream, Baker Hughes, Phillips 66, and after Phillips 66, I realized I was in my fifties. I realized that, oh my gosh. What I've been doing is pretty much consulting, advising. You know, hey, this is how you build your program. This is your roadmap from one to three years, three to five years, and so forth.
And I said, I'm gonna start my own fractional CISO firm and go from there. Because I also wanted to focus on getting more of the small business part of the supply chain to be more included in the conversation. Being a CISO for these big oil and gas companies, really I didn't have any bandwidth and space to do anything like that.
So when I started my own firm, I was able to establish more of a foothold that I could talk more with small to medium sized businesses who are part of the supply chains of oil and gas. And I also created the Cybersecurity Circle, which is inclusive. Any cybersecurity enthusiasts who want to learn about cybersecurity or how to get [into] the profession, how to transition from whatever they're doing now, whether they're in technology or education, whatever, and they want to be part of the cybersecurity professional world.
And I saw that big gap, so I created that. At the same time, the ConocoPhillips CISO pinged me and said, hey, we need a lot of help with your expertise and everything. So I became a consultant for them as well, and I was doing well, having fun, running my own business, running a not-for-profit, educating people and everything else.
Microsoft probably took notice and they said, hey, in July they created this role, Customer Security Officer for the Oil and Gas and Energy sector. I wasn't sure if I wanted to join Microsoft then because I was one of their big critics, like I was telling you about the TSA as well, I'm always speaking up to say, hey, you guys are pushing all these technology solutions and everything, but they don't really meet the oil and gas and energy requirements. You know, the OT world and ICS world is so different from typical IT.
And they said yeah, that's why we need your expertise and experience to become both the customer advocate and to talk to be the liaison to the product and the sales team internally. And I talked to Annessa, the CISO at ConocoPhillips. She said, hey, yes, take that role, be our advocate, and this is a recommendation letter to hire me. So here I am, Bryson, two months later.
Bryson: So you've solved everything in two months. Is that my takeaway? I mean, what, what are you doing on this podcast? Get back to work.
Dd: I know, right? Oh yeah. I know everything. I solve all the world's problems. And Satya wanted to have a one-on-one with me, so. No, I'm kidding.
Bryson: So let's start with the corollary between where you were working in finance, and where you mentioned controls.
So I'm presuming you're talking about the financial controls that are typically in place in an organization to ensure that GAAP and all of the requirements for systems of record are maintained. Then you cross over into the cyber world and we have a different set of controls.
I summarize that we effectively have two technical control classes. We have preventative controls and we have detective controls.
What did you learn on the differences between the way another discipline executes controls for their processes and systems to what we're doing over here in cybersecurity?
Dd: Actually, it was not really a financial control. It was the general, IT general control, because for example, the segregation of duties, right?
The accounts payable person shouldn't have access to the account receivable, things like that, that we needed to review and uncover. Now, on the cyber side it’s the same thing, the segregation of duties. When you are developing a product, for example, right? In the QA dev environment, you shouldn't have access to the product.
And also I learned in the ITGC world to have that principle of least privilege. You don't want to have elevated access if you are only doing basic data entry, for example. So the parallels are there. So the principles – what I appreciated most learning as an ADP auditor is that basic hygiene that we still, in the cyber world, as advanced as we are, we still have not mastered basic hygienes, such as, don't share your password. You can't patch your critical systems. Don't wait until something breaks or, you know, especially in the ICS world, if you can't fix – if the system is obsolete, micro segmented, things like that. The basic hygienes that we still have not mastered.
Bryson: So why is it in oil and natural gas that we haven't mastered those?
Dd: I mean, that's the world that I'm familiar with. I worked for seven oil and gas companies, upstream, downstream, midstream, all field services. Same problems across.
Bryson: But why?
Dd: I think culture is another thing. In the IT and OT world, it's so different. Also in the oil and gas energy sector, we are talking about generational people working for the company. They move through the ranks, right? This is not against them, but again, this is back to the culture we are talking about.
I worked with someone pretty high up in the leadership in cybersecurity, and he was a third generation working for the company. And it just shows that there's no cross pollination in learning from one industry to another.
What's in the financial sector, for example, is very regulated and it's highly controlled. Things like that. They're audited regularly. In the oil and gas, TSA was the first regulation for the pipeline after the Colonial [Pipeline]. And that was just recently within five years ago, right? Four or five years ago.
Bryson: 2021.
Dd: So we internally audited.
It's still, hey, management internally you know, you make the decisions that, hey, we are willing to take this risk because this is not part of our strategy, as an example. So I think, like I said, that lack of cross pollination, training in cross sector industries kind of isolated us from implementing what's the basic hygiene for a more regulated industry, versus the wild, wild west.
Bryson: That's a good pivot. Colonial Pipeline was the shot across the bow. I think to me, that was the incident that defined operational technology. Target in 2013 defined it for IT, and is what unlocked the budget explosion. We saw – 2021 with Colonial Pipeline is when the meaning of cybersecurity to the average citizen was felt. When I can't get gas, in an economy, in a world that runs entirely on gas, and that's how I run my life, I'm gonna notice that. And people did and panicked.
So you worked with oil and natural gas for a long time. What do you think happened in the Colonial Pipeline? What do you think about the security directives that came out from TSA after that? Recognizing there was work being done before that, even if it wasn't public and the lessons learned.
Dd: I've been an incident commander with so many different events as well and incidents. What we publish publicly versus what actually happens sometimes is different. I'm not saying that there's a difference there, but having seen and having done a lot of penetration testing assessment, security assessment within the environment, if we say that OT is not supposed to be exposed to the Internet, I do believe that it came from the IT side, because the basic hygiene was not there, such as either an unpatched system or the credentials were shared or compromised through that phishing exercise. Because once they're in, once they gain that credentials, they'll move laterally looking for holes, unpatched systems, and they elevate their privilege.
Again, back to the basic hygiene. Those are the types of things that, in our industry, in the energy industry in that sense, that we don't think that could happen. So what happened with the TSA, I think, is also reactionary. It's, oh my gosh. We didn't think that it could happen. Now it happened. Let's put the basic hygiene in the OT side.
I love the password requirement from SD 1 [Security Directive 1 on Enhancing Pipeline Cybersecurity]. You know, minimum what? Eight to fourteen characters. You have to change it every 90 days. In the ICS environment, we were laughing because, clearly you don't know OT and IT environments.
Bryson: So you know, my favorite thing that has happened in the last few years is whoever the guy is that apparently claims credit for having created the user ID password for computer systems implementation, apologized and was just like, you know what? Passwords were a mistake. It was the wrong way to do it. But I love the insight 'cause that's a very operational technology insight you just made Dd, right?
Anybody who's in there would know. That doesn't work carte blanche. There are devices that don't have passwords. There are devices that can't have even, that have character limits. They can't even hold passwords that long, and it doesn't match a threat model where in these environments we have other compensating controls to passwords.
One of the things I tell a lot of folks, because a lot of the work I do in OT is mostly helping the IT people figure out how to work with OT and how to get what they need with OT and how to bring in the cybersecurity component of the convergence without stepping on OT’s shoes and getting in their way.
And they cringe when they like, walk through an environment and they're like, the passwords are taped to the thing. And I was like, yes, but there's physical security. Not anybody can just get here. Everybody is tribal and knows who everybody is in this space. That's not your primary concern. I understand you have that, like, IT cringe when you see it. Put that aside. Let it go. You got bigger fish to fry.
Dd: That's why the OT folks don't trust the IT side, because of that sometimes. Not willing to meet in the middle to understand that IT and OT are two different worlds, you know, they don't talk in the TCP/IP language.
I do have an experience here in the OT world where again, Patch Tuesday, when I was at Halliburton had not even existed yet, it had not been born yet.
So Microsoft sent notifications of critical verbiage that you have to apply patches immediately. Of course, you know, I was young and gung ho. I said, okay, we have to do this. You have to deploy patches. And of course, you know, this is the typical, “IT person didn't understand the OT side, and it requires a reboot for the patch to be effective.”
Boy, I stopped a drilling process. In the middle of a drilling, the machine stopped because it was rebooting. Oops. In a way, I was so glad I was a junior, and then my boss got chewed so badly, you know, how much money do we lose, blah, blah, blah.
So I got coached really, really well. So that was a good lesson learned for me.
Bryson: I like the way you phrased that. I got coached really, really, really well.
Dd: I mean, since then I said, okay, I wanna go to the field. I wanna visit the field. I need to understand how it works because from the office, I just know that, hey, if you don't patch, you're gonna be vulnerable.
But like you said, there are some compensating controls and everything else. So, yes. Since then I was sent to multiple countries visiting different sites, both the field and the IT offices and everything, so that I could understand how the operation, how the field works, and meeting the people on the ground who have to be, sometimes they have to be offsite for, you know, a full month before they get to go home. And understand the mentality, the culture, how they work in the background. And that really, really helped me understand OT, and that's why I wanted to bridge that gap. It's not about you are better than the other, it's about that communication and understanding what the other is trying to do.
Bryson: Let's continue that one before I switch threads. So how can it work better with OT? And I don't mean the, just like the soft scale stuff. Like let's, let's assume that right, they're going to grow up and actually learn how to have real conversations with their peers and with functional leaders and other parts of the organization and they're gonna do all that, right?
Let's assume that part, and that's a big ask. Because half of what I do is executive coaching. But let's get now into, they've solved that, they're in the OT space. What's your recommendation?
Dd: I believe in cross training. The cross pollination part of it. But it's so challenging to do that when they are seasoned and they're responsible for certain things.
So if they've been trained in IT, they've been in IT infrastructure for so long, and then they are to be trained on the other side, it's kind of challenging because they're part of the cop that maintains, keep the lights on all of it. All of a sudden they had to leave the post to be trained on the OT side.
So I understand that, but I'm seeing a lot more on the junior level coming up that they have to learn from the IT to OT and the same way OT to IT. So I'm starting to see those movements, especially during the internship. The interns are being rotated on both sides, so that's promising.
And leadership also has to start that change. The CISO has to be able to connect both the IT and OT world. I know that a lot of the OT usually reports to the business, which is not a bad thing. But at the same time, both leaders from the business and the CISO and CIO, they should be able to collaborate and put the edict from the top, talking about the risk and what could happen if we did not cross train, if we did not really learn about each other's system.
Bryson: You mentioned your first incident where the FBI got involved a number of years ago. One of the things that I did when I was the first senior advisor at CISA for critical infrastructure was, note we have a trust problem between government and industry. That's part of why we did the – I call it the mea culpa panel with TSA, API and the Washington Post at RSA in 2022 to give an opportunity to explore how that could have gone better.
Because it isn't about government being right, it's about government being a good partner. And sometimes government, just like anyone else, needs to say, hey, we could have done this better. And by acknowledging that helps rebuild it. But what was that experience? Why did you not trust the FBI? And do you think those relationships have improved?
Dd: Two different objectives. FBI wants to continue the bleeding, company wants to stop the bleeding, and it's a one way street. They knock on the door, give you a hard copy, one pager of what IP addresses that they feel have been compromised. What they think's been compromised, because they're seeing data exfiltrating from our environment.
And my gosh. No matter how hard I try to communicate back to have a conversation, it was silent. I kept leaving voicemail. They would not call me back.
Bryson: What year is this?
Dd: 2011.
Bryson: Okay. So about 15 years ago.
Dd: You know, I had to report to my management. My management said, I don't care. We’re going to shut down, stop the bleeding, and that's it.
Whatever it is that we need to do. The forensic, everything. So we hired someone to do it, the third party, to do the forensic and find out what's going on.
But I think the relationship has gotten much better, especially now that ISAC is established, or the ONE-ISAC has been established. So you have that hybrid and you have that middle ground. And InfraGard, especially in Houston. I wanna give a shout out to Angela Hahn. She is a retired FBI agent and she is now the executive director for the ONE-ISAC and she's the one – when she came, she took over InfraGard, she wanted to make sure that the conversation happened between the private and public sector and that information sharing and everything else.
So that has improved significantly. Also, I forgot to mention that the Secret Service, CIA came, wanted to talk to us too, but it's the same thing. They want information from us, and they couldn't promise what they could give us back. And the fact that I said, what's the difference between reporting this to the Secret Service, CIA, and FBI?
No one could answer that. And they were not talking to each other. So that's another additional layer why we don't trust the government. So later on when I became a CISO for a different company, I wanted to revisit, rekindle the relationship. So I said, okay, let's do this. Let's do the prep. Let's get to know each other and so if we get attacked, we know whom to call and everything else.
And they wanted us to sign a paper, pretty much giving up control, full control to the FBI. Of course, our counsel said there's no way we're gonna do that. So we never moved forward with that partnership, because they couldn't guarantee anything.
They just said, well, before we can even start the conversation of this bidirectional communication, you have to sign this release – you know, pretty much a waiver – saying that they could have access to all of our systems. It was not approved, so we never moved forward. Another factor of the distrust is the one way communication versus bilateral.
Bryson: Beyond hygiene, is there anything you would recommend for ONG? And how does that tie to your role at Microsoft and what you're advocating and helping your customers with?
Dd: If you want to fix – I'm gonna, using the analogy of the house. If you want to upgrade your home, to modernize it, the foundation still needs to be fixed first.
So after you get that fixed, which is the basic hygiene, this is both strategically and tactically, right? Strategically, what I've also noticed is that the relationship within the private sector, the owner's, operators, the government, and the OEMs [original equipment manufacturers], is so dysfunctional. None of us talking to each other, we talk over each other. OEMs, before CISA, publish the guidelines of secure by design guidelines, right?
Remember, OEMs, when they ship the equipment to the owners, operators, everything, most of these are hard coded. It's not designed to be secured, but it is designed to be functional and operational. So a lot of the patches that were sent for the equipment, it was to address functional and operational issues. Never security issues. Yet, after Colonial, TSA finally got it together. If we did not meet that TSA compliance, guess who gets penalized. The owners, operators, not the OEMs.
So with that in mind, in addition to the basic hygiene, the conversation at the high level, and then my role at Microsoft is to really talk about secure by design, secure by default. Actually a Microsoft Secure Future Initiative by Satya last year that he published, that Microsoft is moving towards when they design the software, it's secured by default. Not just by design, but by default. By the time the consumer receives it, they don't have to worry about changing all the different settings and everything else, but to enhance it. And information sharing is so critical. We can no longer work in our own world and say, I have so much to do, I can't even go to the InfraGard meetings or any of the ISAC, because, true.
You have so much to do.
Bryson: Hey folks! For our listeners who aren’t familiar, InfraGard is a partnership between the FBI and members of the private sector dedicated to the protection of U.S. critical infrastructure.
Dd: But without that information sharing, you don't see what's happening on the other side. Because as you know, Bryson, attackers are lazy. They're gonna use the same method from one company to another. Again, I worked for seven different companies.
Bryson: I say that so often and people always seem surprised where I'm like, hackers are lazy. I'm like, no, you don't understand. They will do the bare minimum they need to do, because it works. Until you take that away, they'll keep doing it, and they keep doing it. Back to your hygiene comment.
Dd: Exactly, and the information sharing is key.
So before ISAC was developed, or established for ONG, I used to have an account that I actually – what do you call it, hushmail? Do you remember hushmail? I think it's still around. So that's how we shared our IOCs [Indicators of Compromise] underground, because if we used the proper method of going through legal counsel and everything, we would have never been approved, right? Because a lot of our companies were competitors. So I remember, one guy from a different company said, “Dd, we found these IOCs. Dd, I want to send it to you.” And of course, you know, it wouldn't have been allowed by his company, his legal counsel. So yeah, we would exchange everything through hushmail. And that's the thing, cybersecurity professionals, especially, I'm only talking about the energy sector. It's trust. Trust in the person, because we are not gonna share information if you have not been contributing to the pot. What I mean by the pot is anything that you're seeing that say, hey, we are seeing this, check it out. Versus just take, take, take. So even within the community, that's why it's so small. We establish that trust. Okay, I know you've always provided this information to us. What can we do to help you? Things like that is the human factor cannot be eliminated from that. AI cannot replace that at all.
Bryson: That's as much as we're touching on AI in this episode. You're welcome.
Dd: That's good.
Bryson: This is not gonna be another podcast that's like, you know, everyone is interested in AI. Let's try to navigate. Until it's relevant in our space, we ain't touching it.
Dd: Well, I mean, the bad actors are using AI to do the attacks, right? So we do have to learn and embrace and, and up our game as well.
Bryson: Are you referring to the Anthropic report that was self-serving on the topic?
Dd: Not necessarily. I'm just saying you can't necessarily shield yourself. I want to know what the bad guy's doing.
Bryson: I know what they're doing. I am the bad guy.
Dd: You are one of them, Bryson?
Bryson: I am one of them.
Dd: There are many of you!
Bryson: There are not a lot of us actually.
Dd: You are not a bad guy. You are not a bad guy.
Bryson: No, I just play one really well. That's my favorite part about doing any of these: bringing realistic threat modeling, where I scale the imagination of my threat modeling accurately based on the maturity of the client. So if they're strong, I get creative and they're like, that's a thing? I'm like, lemme show you how that's a thing.
And they're like, oh my gosh. I'm like, yes. But the other side is this still sticks in my craw. And it led to an article which got a lot of questions from the industry, where I was like, I was criticizing how essentially the government had spun up the fear around what was being done in our critical infrastructure.
And what had triggered it is, I talked to a municipal in the Midwest and they were like, the Chinese are coming, the Chinese are coming. And they were, like, freaking out and they'd already built this whole plan and were spending all this money. And it's a municipal, that money comes from a very limited tax base.
And I backed up and I was like, well, hold on. You've given me this whole plan. Let's walk through the threat model. This is the threat model. This is how it would happen. This is what they would do. And it isn't until item number five on your very expensive list that you've already been working on, that you even address what the actual threat model is that you're doing this about.
And they were like, uh, and that's my problem is we're getting people spun up. But if they're spun up with no direction, that costs more than lost time or resources; it also means lost trust. Because when you build something that doesn't solve what you thought it was going to solve, how are you gonna believe me the next time? Why would you believe me the next time?
That's my problem and that's what I continue to see, mostly at the have-nots level. Because the haves – there is definitely a correlation between making money and being able to pay for cybersecurity, and so they can afford mistakes. Everyone else, which is what most of it is made of, cannot.
Dd: One more: municipalities. This is an attack on the ICS 25 years ago in Australia: the disgruntled ex-employee of the wastewater management system, he got mad and he was terminated. And then he released untreated sewage water to the public spaces. So back to basic hygiene, I forgot to mention, disabling accounts for terminated people. We don't do that either in the real world, especially in the OT side.
Bryson: Are you ready for the lightning rounds?
Dd: Sure.
Bryson: If you could wave a magic, air-gapped wand, what would you change?
Dd: Not sharing my infrastructure with IT.
Bryson: I cannot tell you how many folks I’ve had to…
Dd: I don't want the same router, I don't want the same switches.
Bryson: I hear you. But this is the most common mistake I see: IT has a shared Active Directory domain with OT, and they're, again, it's the same thing. They're doing all this work and I'm like, you're building castles on sand.
You do realize that you now have a common vulnerability. That obviates every control you put in place, and they all kind of look at me and blink. I'm like, how do you not see that? Like, do you not understand?
All right, Dd, you've waved your magic wand. Now, looking into your crystal ball, which looks suspiciously like an HMI: one good and one bad thing you think will happen in the next five years.
Dd: Good thing is we'll have more cybersecurity conscious people as part of our workforce. I don't know about within five years, but let's hope so. The bad thing that's gonna happen within five years is that we are not changing our behavior either with the basic hygiene.