
The Cybersecurity Path Less Traveled

Patrick Miller · Founder & CEO · Ampyx Cyber

Show notes

In this episode, I'm joined by Patrick Miller, Founder & CEO of Ampyx Cyber. We talk about his unique journey from the analog days of the 1980s to leading a dual consulting firm in North America and Europe. Patrick shares why he's drawn to the challenging OT cybersecurity space, the nuances of working with critical infrastructure, and how trust plays a pivotal role in long sales cycles. He also discusses the evolving threat landscape and the role AI will play in OT security.

Full transcript

Welcome back to the podcast, guys. Today we're joined by Patrick Miller. Patrick, welcome to the podcast.

Thank you so much. I'm glad to be here.

Do you mind sharing with the viewers what you are currently building?

Yes, I'm building two consulting firms under one brand. I've got one in the US that handles all the North American business, and one in the EU, based out of Hamburg, Germany, to handle the European side, fully understanding that the European operation needs European sovereign technology; pretty much everything that goes with the firm is all European. I was born in Augsburg in Germany as well. But we are an operational technology, or industrial control systems, cybersecurity consulting firm, and we do a lot of work with critical infrastructure. So think, you know, power, water, gas, transportation, those kinds of things.

Nice. And before Ampyx Cyber existed, what were you doing, like in the day to day? How did you end up in the OT and ICS world?

Yeah, I started doing this a long time ago, back in the 1980s, believe it or not. Things were analog back then. There weren't a lot of computers; there were some, but there weren't many, and they were expensive and hard to get. As the world digitized over time, I had been in the telecom space and then joined an electric utility right around the Y2K era, and... then with industrial control systems ever since. As the world and all of the technologies in the industrial spaces went digital, I just became part of that and was part of the cybersecurity scene through the whole thing. I helped write some of the electric sector cybersecurity regulations in the US, the NERC standards. I helped write those and get those off the ground. And I was a principal investigator at the Department of Energy for a few years, and various other roles, including nonprofit CEO. And then I've been consulting. This is my fourth consulting firm that I've started.

And a lot of people in cybersecurity stay on the IT side because it's more familiar and there's actually more budget. What made you commit to the OT space when that was the harder path?

Yeah, because it was the harder path. I like the challenge. I like to find myself outside my comfort zone on a regular basis. But more so, it was needed and there weren't a lot of people that were doing it at the time. So at least I understood it. I was apparently good at it. So I just stayed with it. The sense of purpose and sense of mission is different than if email goes down and the shareholders get upset on the IT side, versus the OT side where people die. That's a serious risk in a lot of ways. So there can be far more loss, far more expense, all the way up to and including not just the loss of one human, but the loss of multiple humans depending upon how things go. So that was a driver. The sense of purpose and sense of mission is very different.

And going back to the early days when you were actually getting Ampyx off the ground, who were you trying to convince first, and how hard was it to actually get that first real client to trust you?

Luckily, when I started this last firm, I had been in the business for a little while. When I was starting my first consulting firm, it was challenging because I had basically just left the regulatory space. I was a federal regulator in the US. So some people knew who I was. A lot of people were afraid of me because I was an ex-federal regulator. So getting them to trust that, you know, I wasn't going to report them, for example, or that I didn't still have ties to the regulator. But it was useful that I came out of the industry, because I worked at a utility before I was a regulator. So I had trust on both sides, which was extremely useful to help get the first business off the ground. Then I've gone through various forms of consulting firms and sold my stake in all of them. This last one I started bootstrapped with my own funds. And by then it was more, you know, just getting people to know the new business and the new firm. By then it was really just getting some brand recognition out there.

And what did the first version of the firm look like compared to what it is today? What has changed in the...

It was kind of, you know, three ex-regulators trying to start a consulting firm. So it was much more challenging, much smaller, no budget. We tried to bootstrap it, which we did a fair job of, and we actually were profitable. I mean, I've never sold for a loss, which is fantastic. I feel very lucky, but yeah, it was very difficult. You know, we did everything ourselves. We built the website. We built all the marketing while you're trying to build the plane while flying it. And that's incredibly challenging.

And the OT clients tend to move slowly, right? Has there been some kind of moment where you could see the real risk exposure at the client side and still couldn't actually get them to move fast enough?

Yeah, and there are two components to that. Just getting them to sign a contract: the sales cycle for most OT companies is 18 to 36 months. That's just a reality. I think a lot of organizations come into this thinking they're gonna start making profit or start getting clients within a year or six months, and that is completely unrealistic. It would be very rare for that to happen. Sometimes it happens when they're under some sort of pressure, whether it's an acquisition, whether it's a regulation, whether it's a security threat or a technology transition. That happens, but it doesn't happen regularly. So just getting the client first is hard, and then getting them to change their environment takes a long time, as you mentioned. You can't change these environments quickly; things are very deterministic, they're very purpose-built. So if I've got a machine that costs me, I don't know, $40 million, and if I change one component in that machine and something breaks and it costs me $2 million because something broke, that's a pretty significant cost. An example of something breaking would be if I somehow caused the aluminum smelter to stop at the wrong time and the aluminum solidifies in the track and I've got to pull out a section of the machine and replace it. These can be extremely expensive problems. So you move very carefully, very cautiously. And when you make recommendations, you just make these knowing that this is going to take a while. So you can't say, buy this latest technology. That's just not usually the case. You've got to just say, take these steps over these years to get where you want to be. So it's a very different style of thinking.

Interesting. And what actually makes the sales cycle so long?

They don't trust many people. They want to make sure you know their world because, like I said, those mistakes can be extremely costly. I've seen some organizations that will do just a standard vulnerability assessment, and they will do something like launch an Nmap scanner on an industrial environment, and something as simple as a ping to the wrong device can cause the device to hang, and it just will stop responding on the network. So there's a lot of subtlety in what we do. Everything is manual, no or low touch, no changes to the environment. You don't add anything to the environment. So it's a much different style of approach, and they want to make sure you understand their world before they let you in the door.

What has been the biggest challenge for you in terms of growing Ampyx Cyber, if there is a challenge?

There is. I do my business a bit differently. I don't have a sales team. I do my best to try to create a center of gravity so that people come to us. So I generate a lot of good content. Myself and my staff, we speak at conferences and hopefully say smart things, and people see us and our brand and they trust us, and then they'll ask us to come in. So far that's worked out quite well. So that part was a challenge to get in motion, but once it's in motion it begins to feed on itself and the center of gravity grows even more. I would say the hardest part is trying to balance the consulting load versus the consultants. I can't go out and get new consultants until I have the job, and I can't get the job without the consultants. So that cycle is a bit challenging, and I'm trying to make sure that work lines up so that if one project is rolling off, another project comes on, so that the consultants aren't sitting there, you know, on the bench, so to speak.

And in terms of what nobody actually sees, what does a typical OT security engagement actually look like in practice? Is there something that people often don't realize or wouldn't expect?

You know, I'm constantly faced with the Hollywood or movie version of hacking in these industrial environments. For example, they click some, you know, really nice looking 3D graphic and then, you know, all the power goes out across the country. It's remarkably mundane. It doesn't look like that at all. It's very simple, you know, command line interfaces, systems that just don't have graphic interfaces at all. There are purpose-built things that literally just move the box from this belt to that belt, and that's all the digital thing does. So it's not a fancy environment. It doesn't often look like a data center. It's a dusty closet, you know, sometimes with raccoons or rats or snakes. So it's not the very Hollywood sexy hacker world. It's actually much more physical and real. But honestly, my favorite days are the days in a hard hat and a pair of boots and a safety briefing, and you get to go check out some really amazing giant machine that's making something, or some other really amazing industrial operation. Those are the best days, for me at least.

And as of today, I feel like the threat environment around critical infrastructure keeps getting noisier and noisier. Where do you think the OT security space is actually headed in the next few years?

Yeah. I mean, AI will infiltrate everything. AI will be everywhere, whether we like it or not. So we're not putting a lot of AI in actual operations. So we're not seeing it on a plant floor, like in a power plant or in a water facility or a refinery, for example. Where we're seeing it is we're taking the data out of those environments, feeding that into AI and getting a lot of efficiencies. And whether it's machine operations or human operations or data quality or product quality, we're getting those components out of AI and then it's feeding back into the loop. So we will see AI, but I think there's an attack surface there where you could poison the AI and cause problems downstream in the product operations, for example. But as I like to say, every industrial company, every OT company, every critical infrastructure company, they're now a data company with a product problem. They cannot operate without their technology anymore. You just can't do this manually. So I think the attackers know this, and they're going after... You know, traditionally they were going after the operation to cause a problem. And this was everything from industrial espionage to, you know, criminal hacking organizations to nation states. Now they're looking for intersections where you're part of a bigger chain of events, or there are dependencies upon you, and they can cause a cascading problem based on that. Think of, like, supply chain components or dependent infrastructures: you can't get, you know, gas pumping without electricity, but you can't get electricity without gas feeding the generators, those kinds of things. So most of the attackers now are trying to find these, I guess, compounding effects based on the dependencies between infrastructures. So I think that's where a lot of the OT attacks are going, other than your standard run-of-the-mill ransomware, you know, data theft kind of things.

Patrick, wrapping this up, if someone is running a mid-sized industrial operation and is actually listening to this, and they've been putting off a serious look at their OT security posture, what would you want them to walk away thinking, and where can they find you?

Fantastic. Well, first I'd want them to walk away thinking that it's possible. You can do this. You don't have to secure every single thing in the plant. There are ways to do this that don't break operations. They don't interrupt operations. It's just got to be done carefully by the right people. So you can do this, and it doesn't even have to cost a lot. So there are ways to get this done. There are some standard blocking and tackling, 80% things you can do to minimize the risk. So just know that it can be done. The first step is get everything off the internet. If you have OT touching the internet, that's a very big problem. So do something about that first. And then how to reach us would be ampyxcyber, A-M-P-Y-X-C-Y-B-E-R.com. And again, we have operations in the US and Europe, so we can do both sides effectively. But we're pretty easy to find. Then hopefully they can find us and get in touch and find our content useful too.

Great. Patrick, thank you for joining the podcast today and answering my questions. And thank you guys for watching. We'll see you in the next one.

Awesome, thanks so much for having me.