The GIST of Govt IT

Iran Came for US Dams and We Got Lucky: Frontline Insights from the OT Fight

Season 1 Episode 7


When Iranian-linked cyber actors hit U.S. water, energy, and government facilities through internet-exposed Rockwell Allen-Bradley PLCs during the sixth week of the U.S.–Iran military campaign, attack volume ran eightfold above baseline and, by some accounts, they got within 30 to 40 minutes of opening dam gates. In Episode 7 of The GIST of Govt IT, Brian and Sean sit down with Matthew Shallbetter, Director of Strategy for Civilian Agencies at Armis Federal and a 16-year HHS veteran, to unpack what's really happening at the convergence of IT and OT. Matthew breaks down why cyber has become the great equalizer for nation-state actors and the difference between Iranian "disrupt and distract" tactics and Chinese prepositioning ahead of a potential Taiwan invasion. The conversation digs into the cultural chasm between IT and OT teams, what the Ukrainians taught a roomful of Western OT practitioners at RSA about why red teaming beats paperwork, the basics that still aren't done, Trump's seven-page cyber strategy, and what ServiceNow's $7.75B acquisition of Armis, closed April 20, means for federal customers. Plus: Matthew's hacker name, DirtTrack.


RESOURCES MENTIONED IN THIS EPISODE

Featured Guest

- Matthew Shallbetter, Director of Strategy for Civilian Agencies, Armis Federal
- Armis Federal

The Iranian PLC Attacks

- CISA Joint Advisory AA26-097A — Iranian-Affiliated Cyber Actors Exploit PLCs Across US Critical Infrastructure
- Rockwell Automation security advisories
- CyberAv3ngers / IRGC threat actor background

OT Discovery & Exposure Research
- Shodan — internet-exposed device search engine
- Censys — internet asset discovery
- Armis State of Cyberwarfare Report

OT/ICS Frameworks & Government Guidance

- NIST SP 800-82 — Guide to Operational Technology Security
- CISA Cross-Sector Cybersecurity Performance Goals (CPGs)
- DoD Zero Trust Overlays (including OT guidance)
- NERC CIP Standards (electric sector OT)

Federal Cyber Policy

- White House National Cyber Strategy (the seven-page version)
- CDM Program (Continuous Diagnostics and Mitigation)
- CISA Industrial Control Systems resources

The ServiceNow + Armis Deal
- ServiceNow completes Armis acquisition (April 20, 2026)

Threat Actor Tracking Partners Referenced
- Armis Centrix Threat Intelligence
- Dragos

Related Episodes
- Episode 5: "Vibe Hacking" and Nation State Cyber Threats
- Episode 6: Cupcakes & OODA Loops: Inside(r) Insights Into The New Federal AI Cyber Playbook

Upcoming Event
- GIST 360 Breakfast Briefing at the National Press Club, July 14: When the Perimeter Disappears, Securing the Converged Federal Enterprise Across IT, OT and IoT Environments

The Hosts & Show
- Swish
- GIST 360

CONNECT WITH US

Got an idea for a future episode? Want to be a guest? Let us know.

Brian Lake - blake@swishdata.com

Sean Applegate - sapplegate@swishdata.com

Subscribe wherever you get your podcasts: Apple Podcasts, Spotify, or gist360.com.


Iran-Linked Threat Hits OT

Brian Lake

A water plant in Pennsylvania, a substation in the Midwest, a chemical dosing controller somewhere you've never heard of. On April 7th, six federal agencies, the FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command, issued a joint advisory warning that Iranian-linked hackers were inside American critical infrastructure systems. We're talking about the machines and systems that treat your water and light your homes. But here's the rub: they may have been built decades ago and be running software older than the people operating them. So how are these cyber criminals doing it? They're not using zero-days, they're not using malware. They're simply logging in through PLCs exposed to the open internet and protected by default passwords. And in today's world of shifting geopolitical events and AI, the threat may be even more severe. So to dig into these OT threats, you know what we have to do.

Matthew Shallbetter

Let's get down to the gist of it.

Meet Matthew Shallbetter aka “Dirt Track”

Brian Lake

Welcome to the Gist of Government IT, your weekly insights from the intersection of technology and the mission. I'm your host, Brian Lake, and as always, I'm joined by my co-host, my compadre, the CTO extraordinaire and the old Marine himself, Mr. Sean Applegate. But today, we're excited to have a guest joining us in the studio, Mr. Matthew Shallbetter. He's the Director of Strategy for Civilian Agencies at Armis Federal, where he works with his customers on mitigating cybersecurity risks in real time. He's spent his entire career working inside and outside of government buildings, securing their mission-critical IT infrastructures. Prior to joining Armis, he was at HHS for over 16 years and held a number of leadership positions in both operations and policy components within the Office of the Chief Information Officer. As Director of Strategic Technology in the Communications Division, he was responsible for identifying technology trends within HHS and the federal government, facilitating departmental relationships with HHS operating divisions, and providing leadership and subject matter expertise on emerging technology and cybersecurity. Welcome to the show, Matthew. Glad to have you here.

Matthew Shallbetter

Appreciate it, Brian.

Brian Lake

Well, listen, we were talking a little bit before the show started. When we talk about these nation-state cyber hackers, we always like to ask our guests, or Sean himself, what would your hacker name be? And I heard you telling us the story that you've actually got a little experience bringing down some critical infrastructure, back at a hospital in Tennessee in the early days of your career. So I don't know if you want to tell the story in detail or in full, but what would that hacker name be, Matthew?

Matthew Shallbetter

So when I would fly back into Tennessee, there were two things you'd always see landing at McGhee Tyson. The first one was all the bright lights for the fireworks on the highway, and then the dirt track. So I gotta go with Dirt Track.

Brian Lake

Dirt Track. I like it. That's a good one.

From Defacement To Real Disruption

Brian Lake

So what we're here to talk about today is a couple of things. I'm really glad to have you, and we're really excited about your OT expertise and the things you've been doing at Armis and at HHS. I really want to start by talking about this Iranian-backed hack back in March '26 with these internet-facing Rockwell Allen-Bradley PLCs. The advisory that came out said the confirmed sectors were water, wastewater, energy, government services, and facilities. I mean, we're talking serious operational disruption, using legitimate software to manipulate HMI and SCADA displays. These are real problems and real issues for organizations that are responsible for critical infrastructure. The thing that is starting to get concerning for me when I think about this is the timing: it's around the sixth week of the U.S.-Iran military campaign. So what are we really dealing with here? Talk to us a little bit about this hack and what it means from a larger OT standpoint. It feels retaliatory, and it feels like it's been escalating over the years and we're moving from defacement to disruption.

Matthew Shallbetter

Oh, I think I understand it. Particularly when you look at the goals of the different international actors, right? China's doing something different than Iran, than Russia, than North Korea. They all have different goals and different capabilities. And certainly you saw Iran looking to disrupt and distract and attack in any way or shape they can. And I think that's where cyber is the great equalizer, right? It's not expensive, but you can make a serious impact. And I think we've gained visibility into just how much impact and how dangerous cyber attacks are with all the Typhoons, right? Everybody's watching all of China's impacts, and Iran is learning the same skills. So during this war, you only have so many bombs; they're expensive to build. That's why they like drones: they're inexpensive, they're cheap, and they're effective. Same thing with cyber. It's cheap, it has global reach, and it's effective.

Brian Lake

There's so much focus on the Strait of Hormuz, but you don't even need that. You're taking the attack to your enemy's shores without even being local.

Matthew Shallbetter

And you don't even have to execute the attack. You just have to threaten the attack, when it comes to Hormuz. And I think a lot of that is similar in cyber, where we've spent years and years trying to protect and plan: what do we do in 2027? If they take these things down, how do we prepare? And the answer is pretty complicated, and we don't have a comprehensive solution. I think we talk a lot of policy, we talk a lot of strategy around how to get there. But for the folks who are actually defending, it's a totally different experience. And I think at some point we'll have a big event, and the discussion will change. We're not there. We got close, I think, with Iran. Some of those PLC controllers, they connect to water systems. Most of them connect to water systems, they connect to power systems. They're used in the places where, if it has a knob, dial, or switch, there are OT controls behind it and there are PLCs or SCADA systems running it. And that's stuff we all take for granted. And so the discussion has 100% changed.

Brian Lake

And it's happening more, right? I mean, this is something that Armis looks at pretty closely. Do you have any statistics on the amount of attacks that are occurring, the depth and the breadth of it?

Matthew Shallbetter

Well, I think in terms of, you know, March to April, just this sort of wartime window, we saw an 800% increase, an eightfold increase in these attacks, right? They knew they were there, they knew they were available, they knew they could disrupt and distract, and at some level try to bring the fight to us instead of leaving it in Iran. That was the goal. And I think you saw it multi-pronged, because even outside of the IT side, there were protests and disruptions and various things in Europe; they were sort of releasing supportive parties, again, just to distract. But their focus was on the PLC controllers and the U.S. We've heard some stories that they were 30, 40 minutes away from opening dam gates. They were pretty close to making some really serious impacts, but thankfully we averted it this time. But I think the problem is widespread, and it's a very difficult problem to solve when you're talking about every power plant, every water station, every wastewater station, right?

The Basics Small Utilities Miss

Brian Lake

You know, the variety of hundreds of thousands of organizations across the country.

Sean Applegate

Yeah, and imagine these sit at your small towns, rural facilities; they're not robustly staffed. And so in a lot of cases, they really do just need to step back and work through the first principles, the basics, at these small places, because they don't have a ton of resources. But do the basics. For example, let's get the PLCs off the internet. That's a great place to start. Put them back in your private network, make sure that not just anybody can get to them. That's a big first step. So segment the network, right? Change those default passwords. That's another really easy one that a lot of organizations in OT still forget to do. And in many cases, the person implementing this technology isn't your standard IT sysadmin. They may be just, you know, the guy working the power plant or the water facility who is going to rack and stack, follow the install card, do his job, and then walk away. And that default password is in there. And those are things we changed.

Brian Lake

I mean, we were talking about literally the word "password" for the password. That's how basic the challenge is right now.

Sean Applegate

It's literally just a lot of the secure-by-design stuff that we care about, right? Like, hey, maybe force people to change the password on first install. Unfortunately, a lot of this stuff is really old, so that wasn't an option back then. But let's go in and take that account out and replace it with either a different account or a different password. And then on top of that, the other things to think about are: if you can do MFA, or if we can do basic monitoring to make sure that if bad guys get in there you get alerted, that is a great next step. And we'll talk more about that later, I'm sure. But again, do the basics across all of these different facilities spanning the U.S. A lot of this is really a wake-up call for the OT people to go, hey, we need to shore things up, because we really are pretty vulnerable in a lot of these environments. And this is where folks like CISA and the NSA or Cyber Command or the FBI and others are definitely trying to make people aware of these things at scale, but we still have to go take action ourselves to fix those things in many cases.

AI Hype Versus Prepositioned Access

Brian Lake

Well, you know, Sean and I, and Matthew, we were talking a bit beforehand about Mythos, this AI-driven cyber offense. But Iran's not using Mythos. They're using a playbook that's pretty well established. When we think about this concept of AI cyber criminals versus people just simply following this playbook, what really scares you more? What keeps you up at night when you think about this stuff?

Matthew Shallbetter

I mean, the thing I worry about primarily is prepositioning, right? So maybe not Iran, but China makes me more nervous, that they have code and activity prepositioned, ready for, presumably, an invasion of Taiwan, right? If that ever happens, then presumably, if you've spent years and years and years prepositioning yourselves in power and water systems, you're not going to burn that for something small. That is a lot of work and a lot of effort. You're going to burn that when it's really important. So that's the state of nation-state cyber now. It used to be, when I was at HHS, I remember, it must have been, I don't know, '92 or something, FDA was in negotiation with China, and we had a huge incursion of Chinese attacks on our networks. And you could set your clock by when talks stopped in China and then activity would pick up on our network, just trying to see what was going on, trying to capture information and back-end information to help talks over there. And then you could set your clock again for when the A team left and the B team came on, because their tools, their techniques were completely different. You could see the A team would not leave any trails behind. The B team were following the script but weren't quite as good, right? That's the other side of Mythos and AI tools and packaging and the professionalization of all this: there's not a whole lot of difference between A team and B team in terms of what they leave behind. It may drive their behaviors, right? You may see one team suddenly do something they've never done before because AI is saying, hey, here's a good idea, and it's repeating the same thing. So you may see a change in tactics, but everybody's going to be just as clean because they're using the same tools.

So the process is going to be different, and we'll have to catch up again. But I think the prepositioning and the impact on people, not just dollars, that's the part that worries me, where cyber is a big threat. And when you look at some of the stats we have, where we've got over 5,000 internet-exposed OT devices that are easily discoverable on censys.io or shodan.io. You just go and ask, where are these things? That is information that you can feed into Mythos and say, make me a plan. I'm going to Rome, what should I go visit? I want to take down a bunch of water sites, what should I do? Here's some information. Same sort of process, right? That's nerve-wracking to me.

Brian Lake

Yeah, I mean, China, when I think about that too, when you talk about prepositioning, and you think about when China may at some point strike Taiwan, what better way to keep the U.S. or allies out of the fight than by creating havoc in their countries at the same time? You have to keep them occupied.

Sean Applegate

And let's be honest, if things are broken in America or not working and citizens are up in arms, the focus is going to be on fixing stuff here. Certainly we can balance and juggle lots of balls, but that'd probably be a pretty serious concern, I would imagine. We take a lot of that stuff for granted. Again, I think generally having good relations, or at least reasonable relations, at a geopolitical level is really important. And with what's going on with the CyberAv3ngers, with the IRGC attacking these environments, I think it is definitely a wake-up call for a lot of people to go, oh, this is real. We do need to shore up, or put some moats up, if you want to call it that, around some of these things that are not just, you know, defacing a website. It could impact somebody, like opening a dam and having a lot of water flow downrange causing flooding conditions. It could do really bad things. Those are just things to be aware of. And obviously there are priorities as far as risk when we think of different OT or SCADA systems. So I think a lot of the operators we've talked to take those things very seriously. And it's probably not the really large organizations we have to worry the most about. It's typically the really small ones, the small rural utilities. Those are the ones that probably need the most help and are probably not in the greatest situation.

Matthew Shallbetter

Yeah, I think even when you look at it, I spent the week on the Hill talking about these issues with the OTCC and folks, and it was just eye-opening. I think the same story we keep sharing, we keep hearing in the language of the bills: they're very focused on cyber, everybody knows it's very important, but all of that language is IT. It's not IT and OT. And so even when we go in and we talk about force projection and how we support our military, we know about weapon systems and the supply chain, but a big base in a rural environment is dependent on a power source and a water supply. And those things need to be part of that discussion, because nobody's asking, when they want continuity of operations, nobody's asking, what if you're out of water for two weeks? What if your power is gone for 10 days? Do you have enough fuel? Do you have your own water supply? How do you survive those things? Those are really critical questions. And of course we focus on the military bases, but then there's also, we talked about Dominion Power supplying energy to the Pentagon. There are other supplies to others, and you've got to prioritize these things out. And of course, who gets lost in that? Rural people and other small providers. I think there's a stat: there are like 20 to 30 large regional water providers, there are 150 smalls, and like 40 to 50 percent of those serve less than 3,000 people each. It's just widely separated. And so, to circle it all back, you've got people talking about IT cyber risk, but the people who run those things, they're not concerned about cyber risk. They're concerned about delivering water, they're concerned about delivering power, they're concerned about life safety stuff, and it's a completely different mindset. They don't think the same way.

Brian Lake

Yeah, that's a great point.

IT And OT Speak Different Languages

Brian Lake

And it really kind of leads me into my next question for you about this convergence of the IT/OT environment, even the IoT, right? What does it look like from a leadership level? How do they communicate? How do they need to be communicating, talking, sharing information? Do they at least talk a similar language, so they know what they're talking about? Or is it Klingon talking to French? What's the ground truth here when it comes to this convergence of all these different environments?

Matthew Shallbetter

Another HHS story. We'd found a server on the NIH network that was, I don't know, serving up movies or something at the time and just sending terabytes of nonsense out the network. And when we reached out to talk to the director, they were like, we are in the job of giving away data. That is what NIH does. This is not a priority for us. We have a lot of bandwidth, we give it away, we do this all the time. So it just wasn't a priority. And that was even within the IT space. So the concept of I'm a research organization, versus FDA, which has to protect industry information and IP, right? Completely different mindsets. And I think that's true in OT. I think it's coming together, but, back to some of the language on the Hill, there are all these requirements about doing exercises and tests and pen tests and tabletops, and they're all focused on the IT. And if you just brought the OT people into the discussion and they could say to the IT people, I don't know where you guys are coming from, here's my issue, and then the IT people could say, well, that's all well and good, but your PLCs are out on the internet, right? You could have that discussion and they could find the place where they need to be: okay, we can actually reduce the risk without compromising life safety.

Brian Lake

Right.

Matthew Shallbetter

But you can't do that until that discussion happens within the organization. And you can't do that until you ask the right questions, like those questions around what would you do if you're without X for two weeks, three weeks. It changes your perception: oh, I've got to think about this differently. And I think people who run cities, people who run big events, they think like this. They think about all risks, but IT people don't. They don't think that same way. And I think the OT people are closer to that sort of all-risk view. We need to get those cultures together, I think.

Sean Applegate

Yeah, they're very different. I think coming together is the important part to take away. That's the thread: if you're the CISO or you're the CIO, reaching out to your OT partners. In some of these organizations there are hundreds of OT teams, because they support all different types of businesses and functions. To maybe tell a quick story about how different this is: we worked with a maritime commercial customer years ago, and we were basically brought in by the IT department to do, I'll say, a security assessment of a maritime ship. IT obviously did not have a good working relationship with the OT part of the organization. We brought them together, we had conversations, but at the end of the day, OT overruled what IT was allowed to do, because it was their operational environment and their systems could be impacted. In that case, we were simply going to map the network and understand what ports were open and what devices existed, because they didn't know what was actually there. And we were basically told by the OT team, you will not scan our network. And we said, well, look, it's like one packet. It's not going to put a load on it. It's literally one packet. We don't care. You cannot run an nmap scan of the hosts. Not allowed. So we physically had to go walk the environment, inspect it with the OT people, ask questions, inventory it. Those are just different aspects. I think OT has come around a little bit since then; this was maybe nine or ten years ago. But even in our work with some of our Army customers around the organic industrial base, we see similar cultural differences, although I think, since it's a DoD org, there's a bit more follow-the-chain-of-command: this is a big mission we're working on, let's all work on it together.

So I think we're seeing some of those organizations, especially in DoD, come together, because they're being required to come together and collaborate. It doesn't decrease the concern from the OT team that our systems have to run and operate, and that's priority one. They understand they need to be secure, but in their case, a lot of them are like, hey, it's offline maybe, or it's not connected to anything on the network, so that's secure enough for me, because we have physical security. And as you modernize systems, typically there's value in connecting those newer, more modern OT systems for monitoring at a facility level, or looking at the level of ink in a printer or the temperature of a lathe running, right? There's a lot of analytics around these new smarter devices, or 3D printing, additive manufacturing. And just getting them together to open up the data as they do connect it, they can do their mission better. There's value for the OT teams there, especially in large organizations, but they do have to secure those things. The other thing we've often found too is, if they don't coordinate with IT when they go to bring all that stuff together to build, for example, a manufacturing-type operation, the data required to feed the analytics can be pretty extreme, because we're talking about things like video sometimes, or they want to be able to build a digital twin of the OT environment to monitor, test, run, and do preventive maintenance. And guess what? That's a lot of data. So not just securing the environment and connecting it; making sure you can actually feed that data back into your localized manufacturing facility with the appropriate network capacity is also important. We've talked to a few manufacturing facilities where they were doing so much data they upgraded their networks three times in about four years. They were effectively so congested they couldn't operate at scale.

On an OT network, not an IT network. Yeah, this was an OT environment, a manufacturing facility where they kept adding more and more manufacturing capabilities that required more and more data export. And the data was very powerful; what they found was interesting, and they could make faster, better decisions, make better digital-twin assumptions, test those out, and then modify the real world. But again, if that environment's not secure and isolated and well segmented, that data in the wrong hands is extremely risky. Or the person getting into that environment has a lot more ability to control and impact things, because it's just so much more robust now.

Matthew Shallbetter

I think this is the same old problem in any sector, right? The financial sector is so well resourced in terms of cyber capabilities, but even within that sector there are the small local banks that can't do the same thing. Healthcare sector, same thing. Manufacturing, again, if there are dollars on the line, it makes sense to invest in these things. If you are a municipal water system, if you are a power generation system that has a bunch of rules above you, there's only so much you can do. You can only charge so much money to recoup. And so some of these technologies are just beyond their ability to afford, certainly. But I think when you look at what CISA put out in terms of how to apply a ZT approach, which is a very IT-centric concept, to OT, it's pretty straightforward, back to fundamentals, right?

Sean Applegate

Yeah, and then you've got to get back to validating, and that probably speaks to things like red teaming the environment. Let's go, okay, you've shored things up. You've said you did these things. Let's go validate whether they actually prevent our red teams from getting in, so we think we're better prepared for the bad guys. So what do you see, Matthew, around red teaming approaches in OT?

Red Teaming Lessons From Ukraine

Sean Applegate

Yeah, I mean, that's a great story.

Matthew Shallbetter

Back to talking internationally: I had an opportunity in San Francisco at RSA to sit down with a bunch of international practitioners and talk about how to protect OT. What do we do, how do we move this forward at the state level? We had Canada and Germany and the UK, and they were talking a lot about their minimum viable Canada, the Canadian delegation was, and talking about identifying those parts of the infrastructure that absolutely, positively had to stay up, and investing in that. And I think we're taking the same approach; Australia is doing the same thing, the U.S. is doing the same thing, and there's a lot of good work there. We must have spent 30, 40 minutes talking about that, very energized. And the Ukrainian delegation had come in soon after, and they were polite, but at some point they chimed in and kind of said, this all sounds great, but it's just a lot of paperwork. And they said, we run on infrastructure that our enemy built. And the one thing that has been most successful for us is red teaming. And we do it regularly. We don't do it ourselves, we get our European partners to do it, and they find vulnerabilities and break us, and we fix it, and we do it over and over again. And that's how we are resilient in wartime, that's how we're resilient against Russian attacks. Now, we are not on a wartime footing.

Brian Lake

Yeah. I mean, can we do this?

Matthew Shallbetter

Nobody would ever let you do that in the States, but the idea is still there: you have to have good visibility, you have to have that kind of IT mindset, but you have to be able to do it in a way that doesn't affect the life-saving operations of the environment. Will we get there? I don't know, maybe. We'll probably have to have a big event.

Brian Lake

Um We're gonna have to like take a black eye for us to actually get there almost, right?

SPEAKER_02

Yeah, yeah. Or I think what's gonna happen is when we decide certain certain providers are really, really critical. I'm sure there's plenty in the DC area that that take this more seriously, understand the impacts, understand the risks, do a much more comprehensive and um uh collaborative approach to it.

Brian Lake

Is industry gonna lead this conversation or is government gonna lead this conversation? I I hope it's both.

SPEAKER_02

I mean honestly, it's gotta be both. Honestly, I think it's that same sort of story. Um because there's different levels to pull. Right. Um I know even on the Armis side, when we we go in, I I have I take an IT approach, but when we go in and discover everything and and collect both IT and OT and IoT, um you know, people begin to see themselves in the information and people begin to ask questions because they don't know what these devices are and they've gotta go hunt down. So literally just bringing out the visibility of what's actually on the network is a huge um way to get those communities together. Oh yeah. Like, oh, I I don't even know what that is. I gotta go figure that out. Um when I was at H when I was back at Fort Sanders Hospital, I had I was managing the the UPS devices. And for some reason, every day around I was why I was managing HP OpenView, and every day like 10 minutes to 11 o'clock, all the UPSs would alarm and kick off and and start powering the this the closets, and then they'd be okay. And I was like, what is going on? I could not figure it out. I finally went to uh bumped into one of the building guys. I'm like, hey, I I got this problem. My UPSs keep flipping off. And he's like, Oh, that's when we reset the clocks. I was like, what? Yeah, yeah. All the clocks that are on the wire. We we communicate to the clocks over the power lines. And we reset the clocks so they're all the same time, so the entire hospital is on the same time. And that's when we do it. I'm like, oh, yeah, if you just tweak your UPSs a little bit, you'll you'll get over that little bump. You'll be fine. Crank it up and we're good. We never would have known. Right. That that we were all using the same network and that they were communicating on the power lines. But I think that's, you know, that's the kind of stuff that's got to come together.

Brian Lake

I mean, when I think about this, I mean, if we're thinking about all these OT systems across the United States, and it's great to hear these international partners are are doing this.

Funding Limits And National Resilience

Brian Lake

Yeah. What you did with the the country you didn't mention in that in that breath was the United States in that conversation outside of you guys, right? Yeah. But I mean, uh it what do at what point should I need to be really worried stocking up on water and living off the grid and with some solar panels here? I mean, is is I mean to your point, uh, do we have to take the black eye? Do is some of that really gonna happen, or is there anything in our system that's gonna help us or make us unique or make it make this harder than it is?

SPEAKER_02

Uh well, I mean, it's a haves and have-nots thing, right? So I think the energy and the waters water folks are all are concerned about it. They're concerned about the Typhoons, um they're concerned about the PLCs and the Iranian attacks. They're they're concerned about this. Um they're concerned about Mythos uh uh as a risk, um, all of these things they are watching. And you know, as organizations, they are looking at these same problems. They've developed great standards that that follow zero trust um concepts. Um but the biggest challenge is do they have funding? Um and can they re-architect in a way that follows some of the basic recommendations? Like it's one thing to say I've got to encapsulate and take my PLCs off the network, I've got to separate those networks so that if something happens here, it's not gonna affect over here. Um but you know, technology has to be in place to do that, funding has to be in place to do that. You know, one of the outcomes of um of Glasswing is that there's gonna be a huge number of vulnerabilities to fix. And yes, it's gonna be a huge backlog, and probably we all create our own um solution will be created with generative AI to fix those problems. But somebody's still got to deploy them, right? Somebody's still got to put them in place. Yeah. And that's hard.

Sean Applegate

Just hit them up.

SPEAKER_02

Yeah, just a patch.

Sean Applegate

Just a patch, you've got to do a lot of work. Like again, imagine these PLCs or a lot of the OT systems, if they're not on the network, you're not, you're not just automating a patch. You're rolling a truck with a guy and a and a USB or a disk and a or a laptop, and he's gonna physically connect and go update a few systems, and then he might have to go do that another hundred times. Right. It's not as easy in the IT environment where you just go, oh, we're just gonna automate updates and it'll be done on patch Tuesday. Don't worry about it.

SPEAKER_02

And it's it's a funny, it's a f it, you know, and of course the solution in the internet side or the IT side is uh it's always modernize, go to the cloud, um new software, mm make it um more mobile, more agile. And there's a lot of value there, right? But the question needs to be asked, is that the right answer every time? Sometimes it's not, right? Sometimes it might be, especially it might be just pulling things off um the wire. And maybe you have to be able to practice both. Maybe your normal operations is connected, IT, let people be at home, they can manage everything wherever they have a better quality of life. But at some point you have to practice. All that goes away. Does the plant still run? How do I do that? Do I have enough people? Do I have enough resources?

Sean Applegate

That's they've got to be able to do that. Yeah. And I think stepping back and being able to do that planning is important. Yeah. You know, I was a you know as an old Marine. We did this thing called intel preparation for the battle space, and it was really about identifying all the key targets. Yeah. We were more mapping out the the you know, adversaries environment. And uh we were ship, I was sitting on ship years ago, and uh we worked with some Navy SEALs that pop into the joint intel center, and one of the SEALs one day was just bored, and he goes, Yeah, yeah, we have to do this operation. We uh we we kind of talk through like if we had a six-person SEAL team or a small SEAL team and we had to take out the United States, like how would we do that? And it's scary talking to very effective operators where they go, look, if I don't need 2,000 people or 5,000 people, if I have the six people that know the right things to hit, the right things to take out, because they've done the thought process of planning out the most critical points to target that have the desired impact. Yeah. And they're determined and uh and well resourced, it's it's it's scary what is capable.

Brian Lake

And neither one of you are making me feel a lot better thinking starting to circle some areas on the map where I want to buy a cabin here.

Sean Applegate

So it's but it you know, at the end of the day, I think again, most most people aren't like that. And uh in and I think in general, we're if they if something like that does happen, right? It may be a little more isolated, but it'll be it could be very visible for sure. Um but anyways, yeah. AI's here to save the day, probably. So we'll see.

Brian Lake

Is there I mean, is there anything about our uh the OT systems in this country that makes them at least somewhat resilient in some ways, besides the fact that there's one guy probably undertrained, underpaid, and none of them look the same. Okay.

SPEAKER_02

Which is great. It's this is the same way our voting systems are resilient, right? They're locally run. Um they they don't look the same. It's very, very difficult to say that looks like that, looks like that. Sure. Unless it's you know a manufacturing facility or postal service where they want to make sure that this factory and this factory and this factory have the exact same plan because that's how it it makes it easy to manage. That just isn't true for power or water. Right. They are all different. Sure. So that kind of variety is huge for national resilience. Right. Right. Maybe not locally, but let nationally, it it'll it's a big help. We're highly diversified. We're highly diversified. Yes. That's good. Yeah, it's a it's just it's a serious it's it's a key concept. Okay. That makes you feel a little bit better.

Sean Applegate

Yeah, and a good example, right? In this the most recent announcement we're talking about from CISA and and the partners, they really only targeted two types of devices. So it wasn't like they targeted hundreds of things. They targeted two specific manufacturers with specific devices that were connected to the internet that they knew how to get access to. And and again, right, two simple things. If you're an OT implementer, don't connect things to the internet directly and change your default passwords. It's great. Those are two great first steps. Yep.

SPEAKER_02

So I that's probably that's probably the best. Yeah, all the recommendations um that I see coming out on OT from an IT perspective seem like palm slap, no duh. But but it means they're simple. Sure. Easy to implement. Right. You know, they're doable. Right. Um and and the next steps are are technologies coming out to help you segment those networks, help you separate them, keep them, keep them um hidden. Sure. So I I think those are all those are great um capabilities. I also think the the the threat community is um very aware. Uh you know, looking at these actors is is part of the data stream now. Um you know, Armis is is tracking them, Dragos is tracking them, CIA, NSA, everybody is tracking these activities and they are being fed into the processes. And so the awareness of the risk is there. And and that is, you know, again, first step. I got a problem.

Sean Applegate

Right. Yeah. Yeah. And I think one of the things we often take for granted is we we have amazing resources at a national level. Yeah. Getting those down to the local level to to leverage and engage with is tricky. And that's that's where I think you know, folks like CISA or the FBI are great resources because they have regional liaisons that could help go do that work. Getting that out to the local community level, you know, that small rural town with 800 citizens and not even one IT guy. It might be the guy that mows the lawn, also happens to take care of the local routers connecting to his local cable company. And there's some OT stuff floating around that he doesn't have a lot of help with. Those are the folks that I think need the most help in in a lot of cases.

Brian Lake

And um,

What Armis Shares With The Public

Brian Lake

what do you guys do at Armis kind of in that in that line of thinking to work with local communities or try to educate more about in this area? I mean, what do you are do you guys have any programs or um do you put out regular reports? I know you do some reporting, right?

SPEAKER_02

Yeah, I mean, we do we do the regular threat reporting. We we we have our whole threat research arm. We have um in terms of the community, we have become our own authority to um name vulnerabilities. We've um published our um uh collective intelligence engine data out publicly to sort of support um the gaps in the NVD. So you know, we we have a resource out there now publicly that you can go and and uh research any any company, any sector, look at get some stats on um what kind of vulnerabilities are out there, um, whether or not they are um in our early warning database. So we we have uh another process that um uses AI and ML to interact with um threat actors on the dark web, understand what they're looking at, not those kind of vulnerabilities they're looking at, and then we will um create and pre-position honeypot devices that entice them to test their um new code against those things and hopefully burn some of their early work. So we get an ins before they're actually got code that they can deploy, we begin to see what vulnerabilities they're looking at. So sometimes there's our CVEs that are four or five years old, ten years old, and they're trying to chain together. Sometimes, you know, they're sometimes they're zero days that we find and we we get to name them. Um, but essentially trying to add time to uh and space to um folks who um need to take action to protect those things, give them more time. So I I think those reports on what we're finding, we did one for Iran, the database to support the NVD. Um who knows what's gonna happen with that? Like I if that whole process is gonna change, um we'll have to see. Um but uh as that has that has lost funding and MITRE has lost funding on those things, the industry's had to step up to maintain that discussion around vulnerabilities, whether they're IT or OT. And that's that's part of what Armis is trying to do.

Policy Whiplash And What Still Works

Brian Lake

Let's let's shift the conversation for you both here a little bit to policy and kind of the reality of the new administration. So Trump's Trump's cyber strategy. Seven pages long. Like I think the previous administration, it was 600 pages, right? So seven pages, six pillars, much very much like a boardroom presentation. You know, pillar three, modernize federal networks, pillar four, secure critical infrastructure, pillar one, shape adversary behavior. Um there's a lot of executive orders, some new NIST guidance uh for digital twins and IoT. I mean, there's a lot going on. There's a lot of guidance being put out there. Um but really, if you're a federal leader, what do you with the conversations you're having with your customers, what do these federal leaders need to focus on when it comes to this, this, this new guidance and all of this new policy that's coming out?

SPEAKER_02

I'm a little more cynical here. Um having having been in it, um uh you know, there's that that old the old adage about walking your dog and the dog. Dog's path is weather and and your your uh your path is sort of is the environment, right? So um I always felt like the the best leaders I saw had a goal for their program that followed the fundamentals of visibility, telemetry, response, right, and and risk assessment. Sure. And they could always work the policy into that. Okay. So no matter what the dog policy was doing, walking around, walking around, you could stay on your path. I think the best leaders do that. Challenge, of course, we've gone through DOGE, and and a lot of the that leadership is gone. And so we we are now in this time where we've got new leadership, a new changeover, and and lots of new policies. Um and I think um, you know, there's a struggle there to follow on that. I think when it comes to OT, it's back to do they have the right people and the right discussions to know what they are. I think that's where um doubling down on um the baseline visibility helps you get into that discussion. So not treating, not looking at things as compliance. CISA is doing a great job delivering technology into the agency. They've been doing it for 12 years on the CDM program. Um a lot of federal agencies um sort of left that over as a sidecar. You can't do that now. If if you've got resources coming in, you need to figure out how to turn it, put it into your program. You need to know how to make it your own and and make it valuable. That's that's that's the way it's gonna work. Um so if you don't have visibility in OT, leverage that CDM program to get there. Right. If you you know if you if you if you're getting the thumbnail, yes, we're okay, figure out how to audit that and make sure they really are. Um red team it. Or red team it. Yeah, red team it. 100%. Um now that's um I I think there's a step before that, right?
You need to know enough about your network and and you need to understand what you really need to red team, right? Yeah.

Sean Applegate

You have to do it thoughtfully.

SPEAKER_02

You gotta do it thoughtfully. Um but I I think the basics are still still a challenge.

Sean Applegate

So yeah, and getting back to maybe policy basics, right? If you're a federal client, a great place to start is your your NIST Special Publication 800-82. It's it's kind of your your OT industrial control system SCADA basics for security. And that's something you can provide to your OT teams and have a liaison in the CISO office to kind of help them so you can kind of work together on it. Um but back to the visibility piece. I mean, logging is great, but the having the real-time views into like indicators of compromise with good network monitoring and sensors is is a great step to be proactive at looking for bad guys in your environment that that often we find the OT teams aren't even aware you can do that. And you can do it in a way that's extremely safe when you think of just a simple tap or SPAN port, a sensor off of it. And the the amount of stuff you're gonna learn from that's amazing. The other thing we found with a lot of folks, and Armis is one of those, is often you can provide value through that sensor because it can also collect OT environmental specifics, not just things for cyber, but value for the OT teams themselves as well. And so then there's a bit more of a carrot versus a stick approach when you think about that for your OT partners in the system.

SPEAKER_02

And that can be done passively, right? So you can say, I I'm I am not going to impact your operations, I'm not impacting life safety. That kind of that kind of recognition of their concerns and bringing value back to them.

Sean Applegate

It's a great step. And then the other thing often too, when you think of NERC CIP requirements in the energy industry, you'll see similar things in zero trust policies and federal now, whether it's from from DOD's OT zero trust recommendations or CISA. And so things like now that you get everything mapped out, you know where it's at. Maybe we need to shore up things like remote access, for example, make sure that's especially secure for OT and you have specific ways to log and record and audit the OT access, because it's going to be a little bit different than IT. And again, that gives value to the OT teams because they feel like, hey, it's it's specialized for me, it's unique, it's secure, it's not going to break my system, it's built for my environment. And I can maybe do some stuff where I don't have to roll a truck all the time. So again, there's value that the CIO or the CISO can bring to the OT partners that is really good for the business, it's good for operations, it's good for keeping things up and available and working, um, but does allow them to do that in a way that's secure and keeps adversaries out, which is important.

SPEAKER_02

Back to the you know, Ukrainian eye roll at the policy discussion. I think um the the CISO Council, uh the CIO Council in past administrations um did a great job of simplifying um all everything that a CIO was responsible for, right, when it came to risk. The government's great at making lists, the special publications are great, but they're there are a long list of things to do. And uh, you know, not everybody needs to do all of them. Right? You you just don't have to. To protect what's really important, you don't actually have to do everything. So what is it that's really, really important?

Brian Lake

Right, it's like prioritization.

SPEAKER_02

You've got to prioritize and and and and if you're gonna you know if you have PLC controllers that are unencrypted on the internet, you're not gonna go spend money on Mythos. It's not gonna get you anything, right? Go take those things off. But and that's that's the kind of um work that they did in discussion. What do we really need to do? And and so then it was always multifactor authentication, controlling our our admin password again. It's the same sort of thing IT went through that OT needs to go through. And and you don't do the high impact, low-cost things first. Right. Done. And then you work up the chain. And that's that's the approach we need to take with with OT.

Sean Applegate

Yeah. And uh you when you look at look at things like ViPR Pro from Armis, for example, the ability to do exploit management, not just vulnerability management, is very powerful when you think of scoring the exploitability of a vulnerability. So what are the right things to focus your time on? What are those priorities? What gives us the best bang for the buck are create super important with if you're an IT shop and an OT shop because it's it gives you basically your prioritized list with that and put a lot of thought behind it. So you don't need to spend three days thinking about it. It it tells you every day what it is. You just got to go knock those things out in the morning. And that's an ex great example we do in our IT department, right? Is hey, go in the morning, when you log in, you know, junior IT admin guy that patches my systems, right? Look at my report, look at the most critical vulnerabilities to patch and go patch them as quick as possible. Okay. So we reduce that time of of vulnerability and try to do that on a quick OODA loop as uh as possible. As fast as you can.

SPEAKER_02

Yeah. No, I 100% agree. And and where you can say, hey, I've got one action that can fit clean 500 vulnerabilities. Right. And I talk to four people to get that done. Like that kind of decision making on the backside is really where the rubber really meets the road. Like, okay, I'm gonna do this one first, then this one, then this one, and they get more and more complicated. And because you can't just look at criticals and highs, because that's not what's being attacked anymore. You have to know what it's a part of, what the risk is, and whether it's whether it's vulnerability. All of those bits, the threat and your usage and your services all need to come into that discussion.

Sean Applegate

Yeah. And the good thing too is if you do that exercise with those key people, eventually you build muscle memory with them. The team knows how to run the playbook, they're used to it, they don't push back, they know why they're doing it as well, which is important, and then they'll go get it done because they know it's important. Right. And that's I do think that's where, from a leadership perspective, you have to have leaders align. If you have an OT couple key OT leaders, a couple key folks in IT and the CISO, um, and they come together and they say the right message, they work on it together jointly, everybody's aligned. It makes it a lot easier for the frontline people to go execute that to collectively as a team.

SPEAKER_02

And I I think this is this is where we'll begin to see the AI and ML really show impact. Like uh Armis has done a great job of implementing the AI and ML to identify devices, make the prioritization, begin to make the recommendations, but um we're gonna start at adding that same capability to the action to fix. And we'll you'll begin to have AI and ML be tell you, you did it this way last time, maybe this is the way you should do it this time, right? You will you will use those processes not just to automate the action, but to do the after-action report and the analysis to show you how you behaved and suggest ways to streamline it. And and and that's where it'll start to really escalate and and make things um make things uh m much more secure, even to the point of um you know, attack back mapping, attack path map mapping, back to digital twins, like that kind of analysis will um AI and ML will will help and escalate the the speed to um security.

ServiceNow Deal And Closing Actions

Brian Lake

So uh on that note, I mean I think we would be remiss and we could probably put we'll close it on this on this these couple last thoughts, but um April 21st, ServiceNow closed the acquisition of Armis, largest uh acquisition deal for ServiceNow ever. That's amazing. 7.75 billion. Congratulations. Thank you. What does this mean for federal customers? What does this this joining of these two these two companies and mean for the federal government as a whole?

SPEAKER_02

I I I think um you know, ServiceNow is uh is a huge platform, has lots of pieces. I I think the ability to combine um trusted, comprehensive asset visibility into your organizational control and the ability to take action. I I think we've extended the reach and extended the ability of the CIO and the CISO to really manage and reach out to different parts of the organization and bring them together in a way that is more efficient and drives better security and hopefully drives better business outcomes, mission outcomes. Um as you begin to consolidate this information and as different people see themselves in it and have a way to expedite what they want out of it, you get that muscle memory and it just improves over time, improves over time. So I'm I'm really bullish on on this joining. I think it's gonna be great.

Sean Applegate

It's exciting to see how it's gonna play out. Yeah. Absolutely. Well, I think it's back to whoever knows the most about their environment can can make better decisions. Yeah, probably you and not the bad guy. Yeah, exactly. So that is critical. Absolutely. So yeah, if you're not monitoring your OT environment today, give us some serious thought. I think that's important. And then you know, do the basics. Uh you the your environment changes all the time. So again, don't just do them once, do them regularly, monitor the environment, monitor the configs, and look, just put one foot in front of the other and continue sling proof. Yeah. Um, put priorities in place. That's okay.

Brian Lake

I I love the the prioritization conversation. Really, it's uh you go if you have to eat the elephant, you got to take a bite, but make sure it's a make sure it's a really good bite, right?

SPEAKER_02

You know, we've been trying to do these basics for decades, but I think Armis has got a great solution for it. And when combined with ServiceNow, like it's a it's a great opportunity.

Brian Lake

Well, we're we're excited for you guys, excited for the federal government, hopefully that it will force more of these leaders to come together. So, Matthew, thanks for joining us. We hope we have you back. Uh and for those listening, everything's in the show notes, everything we missed, let us know, hit us up what you want to hear more of when it comes to OT. We're gonna be talking about OT security probably a lot on the show. Uh, but if you're in the DC region on July 14th, uh Armis, Sean, my uh Matthew, Sean, myself, Armis and Swish, we're having a breakfast briefing at the National Press Club where we're gonna be talking about these issues even further by diving into some really great use cases. We're gonna have some government speakers there as well. More details to come. If you want to learn more, go to gist360.com to register for the event if you're gonna be in the region. Uh, if you haven't, subscribe, like, follow us, tell us what we missed. And uh we'll thanks for listening. We'll see you next time. Thanks, Matthew. Thank you. All right, Sean. See you later, man. Good to see you. Let's hit it.