
Navigating IT and OT Integration Challenges with Richard Robinson


Podcast

About This Episode

In this episode of the To the Point cybersecurity podcast, hosts Jonathan Knepher and Rachael Lyon dive into the complex world of IT and OT network integration with Richard Robinson, CEO of Cynalytica. Richard shares his expertise on the critical differences between IT and OT networks, highlighting their unique security priorities and life cycles. He provides insights into the challenges organizations face when merging these historically siloed domains, offering strategies to bridge the gaps in culture, communication, and risk tolerance. 

 

The conversation explores the rising threats of ransomware, the importance of holistic monitoring, and the use of innovative technologies to protect critical infrastructure. Tune in as Richard discusses the significance of realistic cyber exercises, the evolution of cyber threats, and his remarkable journey through the cybersecurity industry, from his early days in San Francisco to leading innovations at Cynalytica.


 

Rachael Lyon:
Welcome to To the Point cybersecurity podcast. Each week, join Jonathan Knepher and Rachael Lyon to explore the latest in global cybersecurity news, trending topics, and cyber industry initiatives impacting businesses, governments, and our way of life. Now let's get to the point. Hello, everyone. Welcome to this week's episode of To the Point podcast. I'm Rachael Lyon here with my co-host, Jonathan Knepher. John, welcome, welcome, welcome. I'm excited we're kicking off this fun new series together.

Rachael Lyon:
How you feeling?

Jonathan Knepher:
Absolutely. I'm feeling great, Rachael. Thanks for having me here. I appreciate the opportunity.

Rachael Lyon:
Awesome. Well, we're gonna have an amazing conversation today on such a hot topic. I'm pleased to welcome to the podcast Richard Robinson. He's the CEO of Cynalytica, where he leads an international team of developers and industry experts dedicated to delivering pioneering security machine analytics technologies to protect critical national infrastructure. I can't think of more important work today. Richard, welcome to the podcast.

Richard Robinson:
Thank you very much. That sounded very impressive. So thank

Rachael Lyon:
you. It is. It is.

Richard Robinson:
Thank you, and thank you for the opportunity. I appreciate this.

Rachael Lyon:
Wonderful. Jonathan, you wanna kick this off?

 

[01:18] IT-OT Convergence and Collaboration

Jonathan Knepher:
Yeah. Absolutely. Richard, I was hoping you could start us off with, can you give us a high level overview of the differences between IT and OT networks?

Richard Robinson:
Fantastic. And it's a great starting point. So, for definition and purpose, when we think about information technology, we mostly think about data. And from a cybersecurity perspective, you know, we talk about the CIA, you know, confidentiality, integrity, and availability of systems and data for business applications, databases, and your cloud infrastructures. OT kind of flips that on its head. So instead of thinking of CIA in that order, it's kind of reversed where it's AIC. You know, so IT or OT systems, you know, are focused around industrial control systems, SCADA, you know, supervisory control and data acquisition, embedded sensors for cyber physical processes, for critical infrastructure. So it really becomes the priority is availability, integrity, then confidentiality.

Richard Robinson:
So when you have those two things, you know, you really kinda have priorities at cross purposes between IT and OT. Right. When we look at IT and its primary risks, we're mostly focused around data and data breaches. Mhmm. Whereas in OT systems, it is more about availability and security of those physical systems. Right. Another big difference between IT and OT as they come together is really life cycles and getting those in sync. So when we think of IT systems and life cycles, you know, you're looking at things between three to five years between when you do refreshes.

Richard Robinson:
In OT, that's not the case. You know, you might have systems that, you know, run for decades. Right. You know, that are tens of millions of dollars, especially when we look at critical infrastructure. The other big difference between IT and OT for me is security priorities. Mhmm. So IT focuses and prioritizes kind of vulnerabilities and patching as quickly as you can. Kind of whack-a-mole in the vulnerability and patching space. But in OT, you don't have that luxury because you've got, you know, cyber physical processes that are running, and you really have to understand what that impact to that system is going to be because, you know, it may be life threatening if you make these type of changes.

Richard Robinson:
So that patching is delayed or maybe not even done. So the focus now is really on up time and safety constraints when you have those vulnerabilities.

Rachael Lyon:
Yeah. You know, it's Yeah. It's interesting. Sorry, Jonathan. Did you have a question?

Jonathan Knepher:
No. Go ahead, Rachael.

Rachael Lyon:
No. I was just gonna, you know, because we talk about, like, IT and OT a lot and traditionally operating in silos. Right? And kinda as you describe them, one could understand, you know, how it came to be that way. But obviously, in today's world, this digital world that we live in, you have to have a blurring of the lines of how do they integrate these two domains together. And I would love your perspective on, you know, how are we able to get there when they're really kind of, you know, serving a couple different masters.

Richard Robinson:
Yeah. So, a lot of the organizations really kinda struggle with this IT-OT convergence. And a lot of it has to do with visibility and priorities. So, you know, the challenges to OT visibility for well, actually, I'll take a step back. So what I'm actually seeing is what we saw in the early days of voice over IP. So this confluence of your IT systems with your PBX administrators. And I was working in San Francisco when that was actually starting to take place, and I really saw all of the struggles between two different groups with different priorities kind of being forced together. Now back then the protocols weren't as diverse as they are in the OT space, but we're seeing that same type of paradigm where you've got kind of two, you know, competing interests that are coming together with different priorities.

Richard Robinson:
So how do organizations manage that? How do they get their head wrapped around that stuff is, you know, kind of the priority. So I think what organizations need to do is recognize and address the key barriers to those IT-OT collaborations. And then once they identify those, bridge that gap. So I break it down, you know, going back to the telecom days, is the cultural divide. So understanding that. So in IT, you know, the team's gonna prioritize cybersecurity while OT is gonna prioritize uptime and safety. You know, we talked about that early. That's a pretty entrenched difference between folks.

Richard Robinson:
You know, and that's really religion versus religion in this space. That becomes very complicated. The other one is gaps in communication. So OT engineers, you know, they understand the cyber physical processes. They understand their industrial control protocols, how things work, the ladder logic, all of that stuff, but they're not trained in cybersecurity generally. So you've got another huge gap that you're gonna address.

Richard Robinson:
And then the IT professionals, you know, they lack that OT expertise. Mhmm. And culturally, when you look at your typical OT engineer, it's a specific type of demographic. So, and you have those clashes. And in the OT space, it's not the same subset of IT Ethernet protocols that you have. You know, OT protocols, you know, you've got Modbus, Profibus, hundreds and hundreds of different types of industrial control protocols. And to effectively monitor and manage that stuff, you have to understand that. And that's a whole new world for IT folks.

Richard Robinson:
Then the other one is, you know, risk tolerance differences. You know, IT is kinda rapid response to an incident. OT, it's like, whoa, time out. Let's really understand what's going on. And again, that's one of those cultural barriers. To bridge that, I think, you know, organizations have to embrace cross training and joint exercises. So developing programs to do that, that takes resources, that takes expertise that not a lot of organizations have. So that's a big bridge to build.

Richard Robinson:
The other one is adopting unified risk management frameworks. So in the IT space, you know, we talk about the risk management framework. We talk about NIST 800-53. And then in the OT space, we talk about, you know, like, IEC 62443. You know, those are different. So figuring out how to map those, I'm actually sitting on two of the ISA work groups that are looking at that. So, I do think there are a lot of smart people working on how do we start bridging that. And then, you know, coming up with technology solutions that work for both IT and OT.

Richard Robinson:
And that's one of the areas that we've really spent, you know, the last ten years addressing, coming up with a solution that works for both folks at the same time.

Jonathan Knepher:
I wanna dig in a little bit more. You kind of brought it up as kind of a religious divide, if you will. But, like, the distinction between, like, OT being focused on uptime and availability, and IT focusing on, you know, in modern day around the security elements of it. But you point out, right, the whole life safety element of the OT side of things. And that kind of brings a whole new dimension to the cybersecurity element of it. How do we get that cybersecurity element entrenched in the OT space since it really does affect the life safety components?

Richard Robinson:
Yeah. You know, it's a real challenge. You know, we talked about all of those kind of barriers to doing that. So I think the big one is, you know, from a governance in organizations, really finding a thought leader or a person that can bring those teams together, in environments that are actually indicative of what is actually happening in the real world. So one of the challenges that we see is organizations will build these laboratories, you know, for cyber research in the ICS and the OT space, where folks can bring them together. But those environments aren't really representative of what's happening out in the real industrial control process. And, again, that's one of those areas, you know, we've really focused on, is a significant amount of those communications are non IP based. So if you're bringing everyone together and it's just purely IT Ethernet centric, you're kinda missing the boat, especially on getting those folks together and understanding all of that stuff.

Richard Robinson:
So, I think that's one of the key things that folks can do is create realistic laboratories that are representative of what's out there and then bring those folks together and, you know, do those exercises, do those team building events, do that training and education and awareness.

Rachael Lyon:
That's yeah. I just I love this topic, you guys. I could talk about it all day. You know, one of the more interesting aspects too and, you know, you hear a lot about it today, particularly relative to, you know, protecting data, digital security, is visibility control. Right? And I think historically organizations have struggled a bit with that visibility across OT environments. Right? And I like to joke honestly, Richard, like, maybe we should just unplug everything and just go back to the days where everything was manual, but I realized that that ship has sailed. But, you know, what kind of strategies and technologies could be leveraged to enhance monitoring and threat detection without disrupting, you know, critical operations?

Richard Robinson:
Well, that's an awesome question. And actually your thought of unplugging things isn't something that isn't being talked about. So there are tools and technologies, and that's one of those things that we do that kinda take that philosophy. If you don't need to connect it to a network other than just the monitoring, then don't do it. So we've actually seen these discussions in the oil and gas pipeline industry. You know, saying, hey. We just need to monitor certain controls. I don't necessarily need to have it connected to the Internet to do that.

Richard Robinson:
And so coming up with platforms and technologies that allow operators to collect all of those ICS communications, IP and non IP, in a passive fail safe way to monitor those cyber physical processes and not just looking at the IT data of the, you know, acknowledgment, send, here was the packet, here was the header, is actually understanding in those industrial control protocols what are those telemetry points? What are those cyber physical elements? And they don't have to be connected to the Internet. Right. You know, you can do those via different types of backhaul, be it satellite or cellular. So there are technologies that allow you to do that and not introduce that threat vector. But candidly, it's very hard to like you said, you know, that ship has sailed. And I think there's a lot of marketing that has made sure that that ship has sailed, but, you know, maybe we take a couple of those lifeboats and go see where they take us.

Rachael Lyon:
I love that.

Jonathan Knepher:
Yeah. So I think that I mean, this is a perfect opportunity to kinda maybe dig into the next level. Right? Like, if things are connected today, can you talk about, like, what are some of the things that have happened? Like, what were the bad actors doing behind the Colonial Pipeline and water system attacks? And, you know, how did they take advantage of these vulnerabilities, you know, that, you know, potentially disconnecting would solve for us?

Richard Robinson:
Yeah. So the list is long and infamous, as they say, you know. And Colonial Pipeline introduces kind of a whole different thought process for folks, and I think sometimes it misinforms on the OT side. So the Colonial Pipeline ransomware was an IT infection. You had a compromised VPN that didn't have multifactor authentication, and adversaries were able to, you know, get ransomware into the system, which is, you know, hacker one zero one. You know? But when you have OT systems that are now interconnected to your IT systems and you don't have visibility, you lose confidence. Mhmm. And I'm not speaking for the folks at Colonial, but if I were that IT or OT operator and said, hey, I've got adversaries in my network.

Richard Robinson:
I can't see what's going on. In the abundance of caution, until I can figure this out, I have to shut down.

Rachael Lyon:
Right.

Richard Robinson:
Now conversely, if you're using certain technologies, you are able to monitor those cyber physical processes. Mhmm. And I'll go a little bit off the rails here. And Stuxnet, you know, going back to old school, is a really good example of that type of context. So, Stuxnet had specific payloads that were looking for specific PLCs. If your system didn't have that particular brand of PLC, it moved on. But if you were looking at it just holistically saying, oh, I've got malware or a virus in my system, I don't have the visibility, I gotta shut down, you know, you would have shut down without needing to. But if you would have had that visibility into those cyber physical processes, you can see what's happening and know if it's actually impacting you to make those decisions.

 

[14:30] Cybersecurity Paradigm Shift

Richard Robinson:
So, again, it's kind of a paradigm shift. If you understand your assets and you're monitoring that stuff, and you're in a contested space, you have the ability to do that. You know, we talk about the there's the Oldsmar, Florida water treatment hack, you know, where they had an exposed device, someone on the Internet was able to get onto it, access TeamViewer with a known user ID and password and attempted to modify, you know, the chemical levels in the water. Again, that's one of those things. There are technologies and platforms that avail you to monitor those things, baseline and alert on that. So we have the technological tools to solve this problem. Do we have the resources? Do we have the intellectual capacity? You know, those things to actually do it.

Jonathan Knepher:
Yeah. So as you talk through those, like, what do you think are some of the prime, you know, targets and mechanisms that the bad guys are intending to use that we should kind of focus on for the next level of protection?

Richard Robinson:
Yeah. So the predominant thing right now is ransomware attacks.

Rachael Lyon:
Yep.

Richard Robinson:
You know, they exploit phishing. It's easy to do now with, you know, AI and phishing has gotten a lot more targeted, a lot more sophisticated. So we actually operate under the philosophy of you are compromised regardless. So, you know, bad actors have gotten very, very good at credential harvesting, credential theft. So even if you've got systems in place that are monitoring for that, if you think you have a credentialed user doing things, you're not stopping them. So you're kind of looking at the wrong thing. You need to be looking for those cyber physical telemetry behavioral things that are happening in your industrial control environment. And unless you're looking at all of the communications, you're missing a big piece of this.

Richard Robinson:
Mhmm. So, you know, high level, ransomware attacks seem to be the priority. Remote access exploits, so unsecured VPNs, you know, remote desktop protocols, cloud services where you've lost your credentials or there's unknown credential access. Other things that I think we need to think about more: supply chain access and ICS specific malware exploits. So, you know, recently we saw, you know, in the Israel-Gaza war, you know, the supply chain introduction of the exploding pagers. This isn't new. You know, this wasn't a, you know, revelation for industry. These type of exploits have been going on for decades.

Richard Robinson:
We really will be forced to look at how do we solve that problem in our industrial control space. I mean, a lot of our PLCs and HMIs come from China. You know, even though they're, you know, nationally branded, we know that OEMs don't monitor for those type of things because they don't have that capacity. So that's a future real threat that we need to be able to work on. And really, you know, the only way to help mitigate that is understand what assets you have and monitor their behaviors.

Jonathan Knepher:
Right. Yeah. So, you know, I think, you know, a lot of, like, the early things you talked about there are kind of your traditional IT security. But then, like, what today do we need to, like, actually be doing? Right? Like, you know, the counterfeit chips from China, like, I've seen that in my own hobbies, you know, ordering chips online and getting not the right things, that are clearly fake. You know, and kind of how do we find the cybersecurity things specifically on the OT side since that I mean, it feels like that is a gap.

Richard Robinson:
Yeah. Absolutely. And again, it goes to, you know, holistic monitoring. So, you know, the first thing you need to do is understand your assets and your inventory, on the IP side and on the non IP side. Being able to collect and baseline that data is absolutely critical. Mhmm. You know, one of the things that we do, and it happens 100% of the time, is we'll go out, we'll get a customer collecting data, they'll start to look at their ICS data, and, again, 100% of the time, they'll go, I did not know that that's how it was working. Or I did not know that was talking to that.

Richard Robinson:
Or I did not know it was doing it that way. Because they just see, you know, kind of the meta view of the device working, but not, you know, what's actually happening under the hood. So until you can do that, you really won't be able to address the problem. But once you start collecting all of the data, doing your baselining, you can then start to use machine learning and AI. I know everyone rolls their eyes. I did till, you know, about two years ago when someone would mention AI. But you can use those to actually help you do that. We've currently been working with folks where we've been teaching industrial control environments to learn specific nation state techniques.

 

[19:42] Training ICS Defense with MITRE Techniques

Richard Robinson:
So if you're familiar with the MITRE ATT&CK for ICS framework, so in there MITRE's done an excellent job of taking certain nation state campaigns and attacks on specific industries and walking through kind of the attack kill chain saying, here are the techniques that the adversary used on this industrial control environment. So what we've been able to do is replicate those real cyber physical environments, use a specific technique, a very discrete technique, to train the environment to identify those techniques. So then what you do is kind of the wash, rinse, repeat on all of the different techniques and build these kind of neural networks that now understand, you know, when an attack is happening, with a high degree of fidelity. So again, the tools are there and they're evolving quickly, but we seem to be way behind the adversaries as far as the deployment of what it is that we do.

Rachael Lyon:
Absolutely. You know, it is you kind of said something interesting there, you know, addressing the problem. And like, as we know in security, a lot of times, you know, it's like, well, we've not had any incidents. We must be okay. But as we know, it's not a matter of if, you know, it's when. Right? You know, so I'm curious on kinda how your conversations go with leaders on, you know, trying to address these issues and vulnerabilities, particularly within this space. And how do you kinda get them kind of thinking along the lines of what they need to be accounting for and how to mitigate the challenges?

Richard Robinson:
Yeah. That's an excellent question. And, you know, as I mentioned, I'm on two ISA work groups, if you're familiar with ISA. And one of them is around detection, and the other one is around incident response for industrial control environments. And as part of the white paper that we're working on, I sent out a survey to several of the ISA members that are operators. And it was very specific and very detailed on what are they detecting, how are they detecting it, who's in charge, you know, just get a layout of the environment. And the feedback was very, very interesting because what we were hearing was counterintuitive to what we were seeing. Right.

Richard Robinson:
So most of the operators were saying, hey. We're not being impacted. You know, we'll see some malware, but we're not seeing the nation state stuff. We're not seeing this. We're not seeing that. We're not seeing significant impact. The thing

Jonathan Knepher:
sounds like an invitation.

Richard Robinson:
And it was, you know, I was getting the feedback and I'm all, this is insane, because we know that this isn't the case. Right. So, you know, one of the things that we thought is, well, you know, maybe it's a self selecting problem. You know, most folks that are proactive are gonna be ISA members. You know? So it's probably that subset of non ISA members, which is a much larger community, that's probably the bigger problem. But it was really interesting in understanding not only what do people think is happening in their environments, what do they think it is that they're actually collecting? And that's another area where we saw a huge divergence in understanding of what data they're collecting, what are they doing with it, who's assembling it, who's analyzing it. So it's one of those things. It seemed like a very straightforward easy problem, but when you start breaking it apart, you kind of understand the chains and the complexity of those chains.

Jonathan Knepher:
And in what you know, you started to talk about incident response a little bit in there. And what are the key components of an effective incident response plan, and how does it differ on the OT side instead of the IT side?

Richard Robinson:
Yeah. So key are you know, starting at the high level. When we look at incident response, you you break it down into several areas, you know, preparation, identification, containment, eradication. I don't wanna sound like a NIST book here, and then recovery. And each of those are different. So in an IT environment, to prepare for it, you should have your regularly updated incident response policies, you know, establish a dedicated response team, and conduct routine training, simulations, and education. That's difficult for a lot of organizations because that takes resources. And we always say if you're calling someone for the first time because you have an incident, it's already game over.

Richard Robinson:
You know? So it really gets to that preparation and exercise and knowing if this happens, who am I calling? How quickly can I be there? Do I have to get, you know, a retainer or a contract, those things in place? Because to your point, it will happen one way or another, whether it's outsider or an insider. In OT environments, some of those same principles, but you need to create more tailored, response procedures that take into consideration the safety and reliability of the system. So again, now you've really focused from just getting the system back up because it's data to, hey. I don't wanna blow anything up. I don't wanna kill anybody. I wanna keep, you know, services running. So it's a different mindset. The identification piece, you know, IT uses, you know, your event monitoring tools and IDS, to identify those anomalies.

Richard Robinson:
For OT, again, it's a different set. You need to be able to passively, you know, fail safe, securely get those data out of those systems. So really deploying those passive monitoring solutions to identify irregularities is critical. Containment, you know, IT tends to focus around isolation of the system to prevent lateral movement. In OT, you still, you know, you're really focusing on continuity and safety. And then maybe even having to go to manual intervention. So having that plan of, hey, we've got to disconnect. Can we still keep things up and running is critical.

Richard Robinson:
Entirely different mindset in the IT space. And then recovery, you know, IT, get it back up the line as quickly as possible, get rid of the residual threats. OT, you're gonna bring things up a little bit slower. Especially in the OT space, we've seen a lot of the adversaries, they focus on disabling safety systems. So if you think of this philosophically, what they wanna do is get you to the point where you jump for something, then you go to a safety system that fails. So that is a mindset of a lot of the OT operators, and rightfully so, is, you know, we have to be cautious when we do this.

Rachael Lyon:
So coming back today, I'm always fascinated about these conversations on planning. Right? Because as we know, this is not something you just kinda, hey, we did it. It's set and forget, and we can, you know, move on for the next ten years. You know, and a lot of times, particularly as fast as threats evolve, you know, what you created maybe two years ago, you know, would maybe fail a real world attack today. You know, so really how should organizations be thinking about this? How often should they be re-looking at it, but also pressure testing it and also being cognizant of, yes, this is resource intensive, but it's also critical infrastructure we're trying to protect here.

Richard Robinson:
Yeah. Yeah. Well, I'll go back. You know, a lot of what drives it is awareness and resources.

Rachael Lyon:
Right.

Richard Robinson:
And I will say I was very, very fortunate when I worked in San Francisco under Gavin Newsom. The city was very, very well prepared because they'd gone through a lot of disasters. Right. So it was, you know, do your regular testing because if you don't and don't exercise them regularly, you're gonna be unprepared. Right. The other one was by doing that is, to your point, you make sure you don't have outdated procedures. You know, technology moves really, really fast. You know? So there'd be nothing worse than going out there and grabbing a run book from a system to restore it and seeing that it's ten years old and it's not even close to what you have out there.

Richard Robinson:
The other thing that we see is insufficient communications. Mhmm. So poor coordination amongst teams. Again, if you haven't done that exercise, you haven't worked together, you don't know who to call, you're gonna fail. So establish that stuff upfront. And then make sure that you're not overlooking the OT specific stuff. So, what we have seen historically is all of this is moving into the IT environment, the IT NOC and SOC. So it's the IT CIOs that are starting to inherit this stuff, not really understanding the, you know, kind of the philosophy, the strategy, and the impact of OT systems.

Richard Robinson:
So making sure that you not only initially bifurcate those to look at them individually, but then look at how do you bring those things back together.

Jonathan Knepher:
And you bring up, like, the CIO and stuff. Like, you know, on the IT side, it's real common to use threat intelligence or red teams to kind of prove your incident response capabilities and so on. Is that something that can be effectively integrated into this process on the OT side as well?

Richard Robinson:
Absolutely. You know, it gets back to preparation. You know? So when you're looking at threat intel, it affords you a couple things to get integrated into that response. So you've got proactive threat identification, you know, bringing that intelligence lets you detect things early. Again, being proactive. If you're doing it reactive, you know, you're up a creek a little bit. The threat intelligence also helps you if you're doing these exercises to make sure that you're doing informed decision making. Mhmm.

Richard Robinson:
It's not, you know, personality driven, because that's another thing when you've got this OT-IT convergence. Until the governance in those organizations kind of matures, a lot of this can be personality driven, not function driven. And that becomes a real challenge. And then by integrating it, it gives you kind of enhanced detection and analytics. But again, that goes back to if you haven't prepared for it and you're not monitoring and collecting those things and looking to detect those, you're really, really behind the eight ball.

 

[29:39] Personal Insights and Industry Reflections

Rachael Lyon:
So I wanna kinda segue a little bit kind of to my favorite part of the conversation where we get a little more personal, Richard. I actually have a two part question Oh. Eric. A two parter. First, I'm always fascinated on how people found their way to the cybersecurity industry, right? Because it's not always a linear path as we know. And then the second part of that, I'm really fascinated by the work that you've done, you know, working in San Francisco, right, as CEO and director of enterprise technology, particularly when we know, you know, cities are incredibly vulnerable and a lot of times lack the resources and things, but they're very much targets, particularly looking at California, you know, big cities like that, and kinda what were some of your biggest takeaways of your time there?

Richard Robinson:
Yeah. Perfect. So the first one's interesting. Like you said, best laid plans of mice and men, you know. So when I started right after graduation, my background and my degree was in manufacturing engineering and industrial control systems. And so I got hired by an international research institute that had locations in Western Europe, Eastern Europe, Asia. And when we were doing work, this was pre-Internet. So this was right at the dawn of Internet when, if you remember, BBSs.

Richard Robinson:
And so, you know, being kind of at the time the millennial working with the older research folks, I was really, really frustrated with the only way that we could communicate was setting up a phone call, you know, via international times or faxes. And I'm like, hey, you know, we've got this thing called BBSs. So I just said, you know what? I'm gonna create my own BBS in Central California. So did a mile long trench, worked with AT&T, brought up, put a hundred modems into my garage, and built a BBS with a company out of Florida called Galacticomm. So now we had a dial-up way for all of the folks to get on. They could do chats. They could upload their files and stuff like that. It was, you know, it was very

Rachael Lyon:
Very cool.

Richard Robinson:
Very efficient, until they got the phone bill. Quite literally.

Jonathan Knepher:
A hundred different lines adds up pretty quickly. Yeah.

Richard Robinson:
Well, my phone bill and their phone bill too. So, you know, they were at their businesses, and then, you know, I'm sure they got a call from accounting. What the hell is this called? The Central California type of thing. So we were fortunate with who we worked with, was able to go to the National Science Foundation and actually get a grant to connect that BBS to the Internet. So we were actually the first connections from San Luis Obispo to Santa Barbara and first kind of dial-up provider. So that gave me two options. Do I wanna become an ISP, or do I wanna continue doing what I'm doing? Windows 95 came out, which crushed the idea of becoming an ISP because you were just talking on the phone with everyone trying to understand, you know, what SLIP was, what PPP was, and I'm like, I do not wanna do this ever. And so I got all of this up, and I had to go do a presentation down at UC Irvine.

Richard Robinson:
And the night before I left, I came downstairs to just check on the system, and I literally saw on the screen something that looked like, you know, the opening to The Matrix. And I'm all, this does not look good at all. So long story short, what happened is, there were folks in the area that we live that would do war dialing. And so they found a way to get on via one of the modems into the system and infect it. Very low level stuff, but now I was pulled into the world of cybersecurity. At the time, you know, it's like, well, what do I do? They just hacked a very expensive system that we built. Do I call local police? Do I call, you know, who? What do I do?

Rachael Lyon:
Right.

Richard Robinson:
And so that was a really

Jonathan Knepher:
At that time, none of them cared. Right? Like, there'd be no response.

Richard Robinson:
Yeah. I remember when, so I called the police first because they go, I gotta get this recorded, you know, some way. So someone says, hey. Rich isn't, you know, he's still sane. And I just remember the police officers in my garage looking at, like, what do you want me to do? Exactly. Tell me what you want me to do. So from there, you know, it was like, hey. Okay.

Richard Robinson:
I guess now I'm into, you know, IT and cybersecurity. From there, I ended up going to work for Stanislaus County, as I sold that part of the business. I had my first kid, and, you know, life kinda takes over. So, okay. I gotta get a stable type of job. So I worked in Stanislaus County as the IT director, and while I was there, because we were providing IT support to law enforcement and other folks, really got into the kind of cybersecurity and the high-tech crime, joined the High Tech Crime Investigation Association for several years. Wow. And so I was really kind of focused in that and seeing a lot of things.

Richard Robinson:
Transitioned over to San Francisco. And San Francisco was really unique because they were recovering at the time from the Loma Prieta earthquake. And prior to that, all of the IT for the city and county of San Francisco was aggregated at city hall. So you had an IT department that was really supporting almost a hundred different customers, from, you know, public health, law enforcement, public safety, utilities, transportation for the city. After the earthquake, they had to get rid of all of that and redistribute all of IT. So it went from completely centralized now to completely decentralized. So every department now had their own IT department, was building up their own capabilities, which without a plan was, you know, very hard to bring that back in. And so that's when I came in at that time when it was, hey, we need to do consolidation of all of these departments, as well as there was no such thing as cybersecurity.

Richard Robinson:
There was no budget for cybersecurity. There was no cybersecurity team. To them, cybersecurity was, is the AS/400, you know, password protected? You know, is the IBM mainframe password protected? That was kind of the context of it. And this kind of transitions into the second part of the question. That entire process was going on of recentralizing. At the same time, you know, having a very progressive government there in San Francisco at the time, we really pushed, and I think we're one of the first counties to push for cloud first policies.

Rachael Lyon:
Oh, wow.

Richard Robinson:
So not only as part of the recentralization, it was moving to a data center and having everything be cloud first. And this was the early days when Cisco had Project California. They were saying, hey, you know, everyone's gonna move to a data center. Other companies like Nutanix. So that was really interesting. But it also tripped an event in San Francisco. So we had a network administrator during this process that was not happy with what we were doing on this recentralization. Had a prior criminal background, there was a lot of other stuff that was going on, as far as unions and politics and that stuff.

Richard Robinson:
And we ended up having a very significant event in San Francisco where we were locked out of our entire IT system for a couple days. Wow. Absolutely. Yeah. And it was like, you know, that philosophy, if it can go wrong, it will go wrong. Right. And we went through a series of that. So that was very, it was very enlightening to me.

Richard Robinson:
And so once we recovered from all of that and got everything back up and running and we were confident, we had all of the best, you know, AT&T and Cisco and everyone rebuilding the city and county's network from the ground up. I had a red team come in from overseas to pen test it. And it was one of those moments where I'm, oh, okay. I can sit down. I can take a deep breath, have a cup of tea, and literally got sat down and I heard a knock on the door. And I'm all, what is it? And they're all, you gotta see this. And it was just like, oh my God. And that was kind of the big epiphany of just how large the cyber community, the international cyber community, was and how sophisticated they were.

Richard Robinson:
So it was a real eye opener for me. And so I started looking more and more into this, and I was frustrated too at the time because we would hear a lot from the federal government of, oh, we've got a cyber czar. We're doing all of this stuff. And I'm all, I hear a lot of stuff, but none of it's flowing down Right. At all. And so that was about the time when there was a transition in the San Francisco government. Gavin Newsom went from being the mayor to, I think, the deputy governor. So my boss left and went to the White House.

Richard Robinson:
So I figured, hey, now's a good time to make a transition. So that's when I transitioned to, I was really, really focused on cybersecurity and went to Lawrence Livermore National Laboratories where I became the CIO there. And that was interesting because they were focusing on cybersecurity in their own kind of, I wanna say clandestine ways, but, you know, security ways. Yeah. So I was open, you know, to a whole, you know, slew of tools that actually could be helping folks. And so I was fortunate enough to be able to work with folks from DOD and DHS and DOE to help come up with a program that would help pull some of those technologies that the government had developed into the commercial market to solve some of those problems that we saw firsthand that at Stuxnet wasn't coming down. And then that ultimately, you know, I found a technology that was focused on Stuxnet that DOE and DOD said, hey, we've got a significant problem here. And then ultimately that led to me taking some of those ideas and starting this company to address those industrial control problems.

Rachael Lyon:
Not fun.

Richard Robinson:
I mean, it was bland. It's like, oh, yeah, what's happening today?

Jonathan Knepher:
A very impressive lineage there for your experience. That's excellent.

Rachael Lyon:
So are there, so then in all your time, you know, in doing this, right, being in this world, you know, has there been a moment, like a pivotal moment, and it's probably been several, right, on, you know, kind of a lasting impact on kind of your approach to security. And I almost think about there's probably milestones. No? Chapters perhaps, given how long you've been in the industry and what you've seen.

Richard Robinson:
Yeah. I think, you know, and I talked kind of the three critical ones Yeah. That I brought up was the, you know, the first one when I started, you know, my ISP as part of the manufacturing stuff. And then, you know, you come downstairs and you go, okay, the world has changed whether you realize it or not. In San Francisco, it was that same thing when we had the network administration problem. You're working things, you're working things, and now something comes, you know, it's like that black swan event that just kinda lands on your lap. And again, you go, okay, this is gonna change my trajectory for a while. At the National Labs, there were several.

Richard Robinson:
One is getting a clear understanding or a better understanding of what nation-state capabilities are. Mhmm. And I still think that there is a significant gap in what the public understands, what we talk about, and what's really, really happening out there. And there's a lot of challenges in closing those gaps. So from a government side, you know, it's that big epiphany is they know the problem is there, but how do we resource it? How do we prioritize it? We've got 50 other problems. And, you know, so how do you become the megaphone that people start listening to? And in this day and age with all of the other ginormous megaphones, it makes it very, very challenging.


[42:05] Future Trends and Recommendations

Jonathan Knepher:
On that point, though, are there things that you think the industry should be doing that they may not even know that they should be doing yet?

Rachael Lyon:
Right. Right.

Richard Robinson:
This is where I probably go off the rails a little bit with most folks. And I go back to 2017 where there was a lot of capital that was raised for ICS companies. At crazy valuations. So an insane amount of influx of capital came into the industrial control security market. It was focused on a few vendors that talked about a few things. And I think they did the industry a disservice because, to some extent, I think they misinformed the community and the market as to what the holistic real threats were and really focused on their niche piece. And then from their niche piece, because of the investment pressure, said, oh, well, we do everything. You know, we solve that problem, when they really don't.

Richard Robinson:
And so I've been really fortunate the last two years to work with a lot of startups, very innovative startups. At the beginning of last year, we were able to work in the UK with the NCSC and other tech companies in the UK. And there are some phenomenal technologies that do solve our problems today. But getting those tiny voices, you know, out to the market and educating folks is probably the biggest challenge Right. For folks.

Rachael Lyon:
So how do we do that though, Richard? I mean, it's obviously really critical. Right? And everybody's really stressed out. Right? You know, because we're just that one event. Right? You know, that you keep hearing about and inevitably coming perhaps. You know, we need all the resources we can get, but how do we give them a megaphone or five megaphones Yeah. To find that voice?

Richard Robinson:
Yeah. I will say we've started to get some traction for us. We've just signed some integration partnerships. But it's education awareness. It's things like this, the podcast. Right. You know, and, hopefully, you know, a CIO or a CISO will listen to this, and they'll go back to his team and say, hey. Are we doing this? And does our vendor really solve that problem? How do we know that what they're telling us is true? If we get those conversations going, we'll get some movement.

Jonathan Knepher:
Right.

Richard Robinson:
The other piece is it's been challenging to kind of bring it all together, where people can cognitively see and understand the problem space Mhmm. And the solutions. And in the ICS space, like I said, we really focus on you need to look at everything, IP and non-IP, but there's very few folks that can actually, unless you're actually in that facility, which is problematic, it's hard to bring that together. So we're actually getting ready next week to, with one of the integrators. We'll be in several countries in the Middle East. We'll be in Central Europe, where we're able to train and demonstrate, you know, kind of holistically, you can capture this data. You can use AI and build AI frameworks and baseline and monitor this. And the other thing that we're trying to solve is get out of what I call the cyber tool debate.

Richard Robinson:
So in the industrial control space, we have something very unique. We have telemetry data. We've got cyber physical processes that we can take that data, we can use machine learning and AI to bring a bottom line return on that investment through predictive maintenance, prescriptive maintenance, anomaly detection, and all of those things. So that's one of the areas that we're really, really focusing on is being able to demonstrate, hey, if you spend this money, you're actually gonna see a return on investment in your operations, and better cyber hygiene becomes the derivative benefit, not the cost center.

Rachael Lyon:
Right. Now this is great. I love the work that you're doing because it's just so critical, Richard. I mean, particularly now more than ever. You know, so I do hope that this podcast can help you reach a wider audience because, you know, these discussions need to be happening and happening, you know, on a much broader level.

Richard Robinson:
Fantastic. Well, thank you guys. You know, it's kinda that X-Files, you know, that poster is, you know, the answer is out there.

Rachael Lyon:
Absolutely. Yeah. Thank you. This has been such a great conversation and I know our listeners are gonna really, really appreciate it. You know, so to everyone again, you know, please, please, please listen to this, take it to heart, you know, follow up with Richard at Cynalytica if you have any questions, because they are doing great work. And to all of our listeners out there, again, thanks for joining us for yet another episode with an amazing guest. And as always, I love to say, you know, don't forget to smash the subscription button, because you get a fresh episode every single Tuesday in your inbox. I mean, how convenient is that? So to everyone again, thank you, and until next week, stay safe.

Rachael Lyon:
Thanks for joining us on To the Point cybersecurity podcast brought to you by Forcepoint. For more information and show notes from today's episode, please visit forcepoint.com/podcast. And don't forget to subscribe and leave a review on Apple Podcasts or Google Podcasts.


About Our Guest

Richard Robinson, CEO, Cynalytica

Richard Robinson is the Chief Executive Officer of Cynalytica. With decades of leadership experience in product and technology development, operational management, and large enterprise systems, Richard leads an international team of developers and industry experts dedicated to delivering pioneering cybersecurity and machine analytics technologies that help protect critical national infrastructure. Richard has experience across both the private and public sectors and previously served as Chief Information Officer of Lawrence Livermore National Laboratory as well as the Chief Operations Officer for the City & County of San Francisco's Department of Technology and Information Systems. He also has many years of consulting experience in product development in Industrial Control System (ICS) cybersecurity, focusing on both modern and legacy critical infrastructure. Richard graduated from California Polytechnic in San Luis Obispo, California with a BSc in Engineering, with emphasis on Manufacturing Technologies and Industrial Control Systems. He has earned Executive Management Certificates in Strategy & Innovation and Technology, Operations and Value Chain Management from Massachusetts Institute of Technology and holds several IT and OT security certifications: GICSP, GRID, GCIP, CISSP and CISA.