Subscribe
Share
Share
Embed
Bernard Montel, Tenable, talks to Elizabeth Corner about how AI, cloud complexity, identity sprawl, and IT/OT convergence are creating a completely new attack surface for critical infrastructure.
Bernard offers a clear-eyed look at why detection-only security models are failing, why exposure management is the new frontline, and what pipeline leaders must prioritise to stay resilient in a post-AI threat landscape.
We cover:
- How AI is reshaping the cyber threat landscape.
- Why cloud and hybrid environments introduce major blind spots.
- The limits of detection-only security.
- The growing skills and awareness gap.
- The role of business-critical risk prioritisation.
Creators and Guests
What is World Pipelines Podcast?
The World Pipelines podcast, with Elizabeth Corner, is a podcast that connects and unites pipeline professionals to learn about issues affecting the midstream oil and gas industry.
Hello, and welcome back to the World Pipelines Podcast, a podcast for pipeliners featuring some of the most forward thinking minds in the oil and gas industry. I'm Elizabeth Corner, and I'm pleased to bring you a series of conversations with experts from across the sector. The goal for each episode is simple, to give you real life perspectives on the topics shaping our industry. For this episode, I am pleased to welcome Bernard Montel, who is field CTO for EMEA at Tenable. Bernard's role at Tenable is to guide organizations through the fast evolving landscape of identity, AI, and cyber defense.
Elizabeth Corner:With more than two decades of experience in cybersecurity, he helps customers understand Tenable's strategy and vision and provides expert insight on things like emerging threats, technology trends, and exposure management. Tenable has become one of the most influential names in modern cybersecurity, grounded in its long history with vulnerability scanning, yet now recognized for a much broader and more strategic view of organizational risk. In September 2025, Tenable issued a major report on the new risks that companies are facing in a post AI business landscape, and we'll talk about what that means in a moment. The new report highlights how listed companies are losing the battle against cyber attacks. Before we get started on this episode, I wanted to tell you that I will be hosting the World Pipelines CCS Forum on the 03/18/2026 in London, and I'm so excited about it.
Elizabeth Corner:It's a full day dedicated to The UK's CCS pipeline build out. We'll get updates on High Net Northwest, the East Coast cluster, and more from expert speakers with lots of time to meet and greet and eat. If you've ever thought someone should put all The UK CCS pipeline people in one room, well, we're doing exactly that next March. There's even a special joint session with our friends at World Cement, where we can all learn about the pioneering Peak Cluster Project together and what it means for pipeliners and the cement industry. If you want to stay ahead of where the CCS industry is heading in The UK, or if you just want to spend a day with some very clever people who know a lot about CO2 pipelines, visit worldpipelines.com/ccsforum2026 or search worldpipelinesccsforum.
Elizabeth Corner:Okay. Back to the episode. So hello, and welcome to the World Pipelines podcast, Bernard.
Bernard Montel:Hello, and I'm very pleased to be here today.
Elizabeth Corner:Now defining post AI cyber threats is exactly where I want to start. The new report looks at how AI, cloud and hybrid environments are reshaping what we have come to need in terms of cybersecurity. Perhaps you can outline what you're seeing in terms of new risks.
Bernard Montel:I think we are already in the post AI cyber attacks. We can see that attackers are starting to use AI performing their attacks and Defender as well. We see AI as a new part of the attack surface. This is a new attack surface. I think, yes, we can look after attackers and defenders and everyone started to use AI.
Bernard Montel:That is just a fact. Defining the fact that we have a new attack surface, which is AI, everyone is using AI today. I mean, I don't know anyone daily not using AI. So the first part is really AI use and usage within an organization. And that is very important that we need to handle that part.
Bernard Montel:And the second part is how AI are building their own AI project because everyone want to go to AI, they want to have their own AI service to their customers or they want to use AI for performing better existing services. So this is a very brand new blind spot and this is a new attack surface that organisations need to handle immediately.
Elizabeth Corner:It's so brand new and so current, I'm really pleased that we're talking about it today. Now the report finds that AI driven workloads and data flows add complexity and increase attack surfaces, which sounds like bad news all around. How does that complexity create those new blind spots for pipelines?
Bernard Montel:If you look back, well, years ago, even fifteen years ago, had classical infrastructures service with having a server, having classical remote access to them. And then we moved to the cloud and everyone moved to the cloud. Moving to the cloud has multiplied by 10 the complexity of an infrastructure, because we have much more services, they are all connected together, and the cloud itself is much more complex. And that was a move we've done roughly ten years ago and has accelerated during COVID period of time. Adding AI on top of that, can you imagine the complexity that we have on top of it?
Bernard Montel:The more we go ahead, the more the infrastructure that organisations are using is much more complex than it was before. That is creating a challenge for security practitioners and the people which are in charge of security for organisations because that expansion of the attack surface and the complexity attached to it is creating clearly a blind spot. They cannot handle it, you know, into one place that they were before, they need to be able to have the capacity to understand everything and that is the blind spot that they have.
Elizabeth Corner:And what would you say is the biggest misconception misconception about about AI and security right now? That it's the cure or that it's the threat to energy security?
Bernard Montel:I think first of all AI is an opportunity for organisations. We don't have to look after AI only at the bad part of it. For the energy sector, for example, it's an opportunity because for energy, we need more and more energy in the world. And so we need to optimize, we need to be able to predict and project how much energy we would need going ahead with electric vehicles, with more the need of power, AI itself needs a lot of power. We are circling back to the same subject.
Bernard Montel:So energy sector and energy providers will need to be able to predict and project more and more to optimize their energy, the fact that they want to provide energy. The AI will help them on that space specifically. So AI is first of all an opportunity, but in the meantime, that need that they need to go quick and they need to deploy it and then, and no one want to be the last organization having AI capacity for their own business. But the problem we have is that everyone is going very fast in deploying, testing, trying AI okay and that is creating what we call the threat and you know we have a knife with two sides one is really you know an opportunity another one is if we don't protect it properly that would be a threat for organisation instead of a benefit.
Elizabeth Corner:Tenable works with thousands of enterprises. I wonder if you can tell me how many of them are really investing in cyber security as a priority? And perhaps how many are still, I don't know, treating it as a line item cost to be minimised, to be down prioritised until something goes wrong?
Bernard Montel:We're dealing, as you said, with a lot of organisations, with a lot of size of organisations, and I think it's not the smallest organisations which are less mature compared to the biggest one. I think it depends on the sector and depends on the activity they are running. I think the energy sector and the pipeline sector are very conscious of the threat they could have, so from a maturity standpoint, we are here into a set of organisations which are a very good maturity level. I think what we can see here in and I think your questions are very important the key element is being able to handle the new threats which are around us today, being able to understand that and having a risk based approach and not just checking the boxes of the compliance within security. One other element which is very important is organizations have invested in detection and response for the past fifteen years, tried to detect and detect attacks.
Bernard Montel:I think they need to change their mindset and go to a preventive and prevention is better than cure and then this is where I think organizations need to think about it differently. Having an alarm system is great but if you don't close the door when you leave your house then you do not prevent attackers or in this case bad guys who enter into your house. So that is exactly the mindset I think organizations, whatever the size, need to detect today.
Elizabeth Corner:That's a really nice analogy. I'm going to remember that one. The research that I referred to earlier calls identity management one of the biggest weaknesses in modern cloud security. Tell me, how does poor identity governance show up in industrial environments and why is it so difficult to tackle?
Bernard Montel:When I started my career, I started twenty five years ago in a space called identity and access management, okay, and at that period of time I think we only had one account just to open a desk desktop, not even a laptop, a desktop you know if you remember that we only had only one user and password only one. Since how many passwords do we have in our own life? Our daily life we have 100 sometimes close to 500 accounts everywhere. That is the same challenge within organizations. When we go back to what I said previously about the attack surface, it's growing, you know, we moved from a single laptop to multiple applications, and we only had access to those applications which were deployed in this machine.
Bernard Montel:And then we moved to the cloud and having 100 applications. Okay. And then today, we're going to use a lot of identities in the cloud. I said, you know, going to the cloud is 10 times more complex. So we have 10 times more complexity as well within identities.
Bernard Montel:We are counting one user identity for 10 non user identity. Applications as well have identities. Again, 10 times more complex. The cloud is also giving opportunities, but also this complexity and at the end of the day the identity is the last control to access to some services okay. We need to go back to what we call least privileges.
Bernard Montel:We need to have an approach where we do not give access to applications and services that users or applications shouldn't have, we have to reduce the bare minimum and that's the approach we need to take but for that we need to have the visibility we need on the identity management and the identity usage within the cloud environment as well.
Elizabeth Corner:Are we then seeing a bit of a skills gap open up in cybersecurity teams within energy infrastructure. I'm wondering how much responsibility needs to fall to vendors like cloud providers versus the operators themselves.
Bernard Montel:I think we see skill gaps everywhere, not only in that specific sector, because everything is going so fast and the threats are really growing as well and security practitioners and security specialists and experts need to learn more and more every single day. And AI clearly has accelerated that. And again, it's a very good question. I think we have the IT and OT, cloud and IoT convergence awareness and this is one of the key elements regarding the skills. People need to be aware about the fact that those legacy systems they were using a long time ago are highly connected.
Bernard Montel:Example is if you go to an OT system in the energy sector on the pipeline sector, twenty five years ago, no connection at all. Today they are highly connected with sensors, with webcams, and those are connected to the cloud. So first of all, I think the skills are here to be aware about the risk. And that is something which is a first element of hope. If people are aware about the risk, they are acting accordingly and that is a very key element.
Bernard Montel:The second part is supply chain. We've seen recently more and more attacks not only coming from third party, which are providing those services to critical infrastructure organizations. And this is also something that people need to take care about from a risk perspective. So going back to your question, the skills are very important but awareness and being aware about the threat and any kind of threat that you have around us is one of the more important skills that we need to have today.
Elizabeth Corner:Very important. Tenable describes itself as an exposure management company rather than a traditional cyber security firm, I believe. Can you explain what that means in practice and how that model applies to something like pipeline monitoring?
Bernard Montel:I mean, organizations are running today a cyber security in silo. So we have different teams in charge of identity, in charge of OT, in charge of cloud, and that doesn't work anymore. And as I said to you before, most of organizations have invested in detection and response, only alarm system. And again, that is not enough anymore. So they have what we call an alert fatigue.
Bernard Montel:We have too much alerts and then most of them are false positive. We need to take the attacker view, we need to change the angle. When I say we need to change the mindset is, hey, how an attacker is trying to compromise a system. They're trying to look after any kind of vulnerability, misconfigurations, or identity misconfiguration of privilege they can get, and they are crossing over what we call an attack pass. Exposure management is trying to bring all of those weaknesses with a unified approach.
Bernard Montel:You cannot go after each and single tool already deployed in those different areas and then having a sort of partial view, otherwise you will have some blind spot. Our approach is to have a proactive approach of cyber security assessing and remediating the cyber risk around the attack surface but only looking after what matters for the business and what have an impact for the business. That is exposure management. If you compare that to traditional vulnerability management, this is an evolution, but having a holistic view and unified view of weaknesses and obviously within the attack surface.
Elizabeth Corner:Bernard, if we're talking again in five years' time, what do you think will be keeping security leaders busy? Will it still be AI and the cloud or do you see something else, another wave of talent is forming already?
Bernard Montel:Again, excellent question and because the world that we are living today is super fast, five years looks like it's science fiction, would say, or it's very far from us, but I think we can try to project. Let's go back to one element which is AI. I think we are really at the very early stages of the use of AI by attackers and by defenders as well. If we project us five years from now, I think we will see certainly more orchestrated attacks by AI because that started already but I think that will clearly accelerate in five years definitely orchestrated AI and automated attacks will pop up much more and will be certainly the standard in five years from now. Another part is the cyber world and the physical world, and specifically around the energy sector and the pipeline sector, having a direct impact to people is something that we see more and more.
Bernard Montel:To take another example, there has been an outage and a very big disruptive attack against airports that had a direct impact to people. Going back to the energy sector, you know that the main risk is blackout and shut down. If you go back a couple of years ago, Colonial Pipeline, you know the people shut it down the pipeline, because they were afraid about attackers going to the OT system. With AI popping up, certainly those shutdown and blackout could be something that we will see more and more.
Elizabeth Corner:Okay. And I want to finish on something that our listeners have been asking about. Pipeline operators will want to avoid outages, as you say, that they're inconvenient, but they also have serious physical and safety and environmental consequences. So how best can organisations strengthen their resilience when they have lots of different digital dependencies sitting across different cloud and AI environments that they don't fully control?
Bernard Montel:I think what they need to do is having first of all a risk based approach, you know, focusing what matter the most for their organizations, what kind of business critical applications or infrastructure, if those are attacked, that could really put their organization in a very bad shape, okay? We cannot fix everything, okay? We cannot detect everything, but we need to matter on what is the more important for the business. I think that is one of the key elements, having a business approach and a business risk based approach. The second part is obviously being more proactive than reactive.
Bernard Montel:Having that holistic view and unified view of all of those exposures will be able to help you know decision makers and not just security practitioners, we're talking about people that every single day opening the newspaper and say, hey we have, there is an attack against our sector, we are potentially at risk. Are we exposed? Is the main question they should be able to answer each and single day. So having an exposure management and a risk based approach together is a key element going ahead to be more proactive and instead of just you know running after alerts and running after incident and then it's too late, know. When we have solutions detecting the ransomware, great, it's important to detect it, but when you are already attacked, it's too late.
Bernard Montel:The more you are proactive, the more we are reducing the risk of an exposure within the attack surface. And that is something I think we should have as a mantra or mindset today.
Elizabeth Corner:Wonderful. Thank you so much Bernard.
Bernard Montel:Thank you very much. You as well.
Elizabeth Corner:That was Bernard Montell at Tenable on taking a holistic approach to exposure management to equip modern pipeline organizations with the power to tackle security challenges in a unified manner. Thanks for listening to the World Pipelines podcast. Subscribe for free wherever you get your podcasts. If you have enjoyed this episode, please rate and review and forward to a colleague or friend. I wanted to tell you that I will be hosting the World Pipelines CCS Forum on the 03/18/2026 in London, and I'm so excited about it.
Elizabeth Corner:It's a full day dedicated to The UK's CCS pipeline build out. We'll get updates on High Net Northwest, the East Coast cluster, and more from expert speakers with lots of time to meet and greet and eat. If you've ever thought someone should put all The UK CCS pipeline people in one room, well, we're doing exactly that next March. There's even a special joint session with our friends at World Cement, where we can all learn about the pioneering peak cluster project together and what it means for pipeliners and the cement industry. If you want to stay ahead of where the CCS industry is heading in The UK, or if you just want to spend a day with some very clever people who know a lot about CO2 pipelines, visit worldpipelines.com slash ccsforum twenty twenty six or search World Pipelines CCS Forum.