You Gotta Hack That

In this episode of You Gotta Hack That, Felix sits down with Emily, a principal industrial cyber security consultant and former national utility cyber lead, to demystify ISA/IEC 62443. Why do so many teams treat it like a silver bullet and why does that backfire fast? Emily breaks down what 62443 actually is (spoiler: it’s a family of standards), why “be compliant” isn’t a requirement, and why maintenance matters as much as deployment. If you’re trying to secure OT environments, this one will help you focus on what to do first.

And don't forget to check out our training courses to get hands-on and nerdy.

What is You Gotta Hack That?

Felix explores Internet of Things (IoT) and Operational Technology cyber security. Perfect for project managers, developers, and those learning about penetration testing in this niche area.

Email Felix using helpme@yg.ht
Get more information at the website: yougottahackthat.com
Find You Gotta Hack That on LinkedIn and X @gotta_hack

Felix (00:09)
Hello and welcome to the You Gotta Hack That podcast. Today I am going to welcome Emily here to say hello and talk to us about some of your experiences. So Emily, do you want to tell us a little bit about you?

Emily (00:24)
So I'm Emily, I'm a principal industrial consultant. I do industrial security consultancy stuff and get to see a lot of very interesting industrial places and help people figure out, you know, what's wrong and where they need to focus. But my experience is that I also spent 12 years at a national utility company.

in various roles, but starting in the field, starting very much on the tools and kind of then holding all kinds of different roles until I became technical lead for IT cybersecurity. So quite a journey.

Felix (00:56)
For anybody who's wondering, Emily and I had the fortune in my case, or maybe misfortune in your case, Emily, of meeting at a conference recently. And we got chatting and I really enjoyed one of the conversations in particular. And so I thought maybe actually it would be a really good idea to share some of that and dig into it a bit more. So that conversation, it was surrounding something called ISA 62443. And I'm pretty sure some people...

say I've said the name wrong, but I was fascinated by the kind of, I suppose, almost like war stories, you know, the kind of what it actually is like to live that experience.

Felix (01:38)
For 2026, the You Gotta Hack That team has two training courses. On March the 2nd, we start this year's PCB and Electronics Reverse Engineering course. We get hands-on with an embedded device and expose all of its hardware secrets. Topics like defeating defensive PCB design, chip-to-chip communications, chip-off attacks, and the reverse engineering process. On June the 8th, we launch the unusual Radio Frequency Penetration Testing course.

We dig into practical RF skills so that you can take a target signal and perform attacks against it in a safe and useful way. Both courses are a week long. They are a deep dive, they're nerdy, and everything you need other than your enthusiasm. As the unusual RF penetration testing course is brand new, you can be one of our beta testers and get £1,000 off.

There's more information available on our website at yougottahackthat.com/courses. And we recommend booking straight away as we have to limit the spaces to ensure the learning experience. But for now, let's get back to today's topic.

Felix (02:34)
I don't know where to start with this really, because it's such a big topic. What sort of stuff were you playing with that meant that you had this exposure?

Emily (02:44)
In terms of the standard, it was back when I was working for that utility company. You're trying to get to grips with this really oddly shaped abstract thing, which is OT cyber. You do a search on Google, you're like, OK, well, I need some sort of stat, something to help me know where I'm at. You want to maybe have a standard that you can look at, get some baselines and go, right, this is where we're at, and these are the things we need to improve on.

62443 is one of those that is mentioned all over the place. There's also ANSI, there's IEC, there's ISA, so all the various different international bodies. The idea is it's by consensus, so it's a complicated standard, but the whole point is it's consensus based. There's a whole group of working groups that build individual parts of the standard. I was going out and trying to

understand this, and then, you know, we keep saying 62443, but actually it's not one thing. It's like, I think, 14, 15 different things. It's growing, there's more and more things coming out, so it's a massive thing. So my journey with 62443 started, you know, probably nine years ago, probably.

Felix (04:04)
Or maybe a bit long in the tooth on this, then. Interesting.

Emily (04:06)
But that's okay, because the standard is also looking at the, you know, let's be honest, the standard has been around for a number of decades now and it's taken quite a long time for various modules to be updated. You know, the one that comes to mind is 2.1, which is just one part of it. And, you know, that took nearly a decade to be updated. And if we think how much has changed in a decade, right, it's...

Felix (04:32)
Yeah, okay, that's fair. The roots of it all are in... Am I right in thinking ISA 99? Have I got that right?

Emily (04:38)
Yeah, so there's this really interesting podcast from, I totally forget the person's name, I should have thought about it. But they're one of the original founders who kind of, you know, identified there was some good work from various vendors and organizations, but they wanted to formalize it, make it more international. So it's ISA 99, and it was a group that was set up to focus on

producing these standards, which then moved into the 62443 group of standards. But it was all about, like, it makes sense. It covers the whole aspect of OT cyber from governance, risk and compliance type subjects, through to sort of low-level technical controls. So it tried to cover every single possible base associated with OT security.

Felix (05:30)
I don't know, in my own journey, I'm not as far along in terms of kind of the quite the level of depth of experience, certainly not the implementation side and kind of the running of it. But my own experience of OT cyber is that there's kind of, I don't know, there's quite a lot of good intent out there. But the reality is there's kind of nothing that really fits the bill in my opinion, particularly when you start looking at the more nerdy technical bits of it all. Like I was looking at some work for

UK airports recently and essentially you need to have completed two of the ISA 62443 exams to be able to do any work as a cyber security person for UK airports, officially at least. I was like, well, okay, but these exams are all well and good, but my job isn't anything to do with upholding the standard. It's about testing.

that the standard is, well, it's not even about testing the standard, it's testing the technical controls, you're simulating the threat. And therefore, what does this mean to me at all? Why would I bother? And so I've found, anyway, the point is, I've kind of found this has been quite frustrating in that a lot of people turn around and say, well, what are we supposed to do? And I was like, well, you can go down this route. And it isn't a bad thing, necessarily, but it's not necessarily exactly what you're expecting or hoping for.


Emily (06:55)
Basically the situation I was in, and, you know, it's really common. Like when you ask people, you know, how did you, what made you go down the route of trying to adopt 62443, and they're like, you know, they were trying to get to grips with this thing. And, you know, once you kind of open the lid of 62443 you realize how big it is, and it's like when someone says, oh yeah, we're gonna do 62443.

And that's the end of that conversation. I go, okay, you haven't quite opened that lid yet because as soon as you do, you'll go, what part of 62443 do you intend to adopt and focus on? So like 2.1 is the bit about like the security program for the industrial control system. And it's about understanding, you know, what kind of controls, what kind of level of controls you're going to have to apply to your industrial control system.

Then you've got things like 3.3, which is about security requirements. That starts talking to the technical controls you're going to apply. Then there's the bits for developers of hardware and software. There's people who actually implement the equipment. If that isn't yourselves, then you can be an operator, you can be an integrator, you can be an OEM. There's all different bits of the standard that you have to know about

if you want to do it.

Felix (08:20)
I can see that being problematic quite quickly.

Emily (08:23)
Absolutely. Well, so like CAF, you know, Cyber Assessment Framework, in its third iteration, it's produced by NCSC, National Cyber Security Centre. It tries to do its best to summarize a lot of kind of complex things into just like, you know, minimum viable product type stuff. But even that covers, you know, everything from board level engagement down to, you know, how you do backups.

That's still very, very complex, but it's nowhere near as complex as something like 62443 if you look at it as a broad standard. Yeah, there's a lot of changes.

Felix (09:04)
So if you were to find this perfect environment where 62443 in its entirety, or at least in terms of the relevant parts have been applied to the system and it's perfect as it were, do you think that that gives a really good strong cybersecurity defensive stance or any other sort of buzzwords you want to put in there?

Emily (09:29)
To have got to that level, like right from the start of talking to your suppliers of equipment, you're building a new, basically you'd have to do it at a new plant. It'd be quite hard to, I mean, you could, retrospectively, though it'd be incredibly challenging. You know, via the selection of suppliers, you'd have to have a very competent team specifying, you know, what's what, what's the crowd from the supplier. You know, we've seen like RF, RFIs, RFPs that say, you know, you must comply with 62443 and...

What does that mean? It doesn't mean anything. You need to go into that detail. Let's say you do all of that. You also have all of the governance controls. So you have a CSMS, cyber security management system, that covers your OT. You've done your risk assessments. You've decided on a security level. You do all of these things. What I've seen at some companies that were doing a lot of this stuff

about a decade ago is, through time, mergers and acquisitions, staff changes, you could see in a lot of policies and standards where it was rooted from. It was all based on 62443 because one of the people involved was heavily involved in 62443. And basically over time the controls just got reduced because they weren't maintained,

which is kind of sad to see, because you go, wow, you were at this, like, cutting edge level. But it's because the amount of, you know, every element of it requires maintenance. I should also say that, and so that's why a company essentially has to commit, you know, for the life of the asset, the system, however you want to break it up. It is a massive, massive commitment. If you want to

Felix (11:16)
commitment.

Emily (11:22)
sort of broadly adopt that. But that's true for any standard, if I'm honest. I don't think we've quite realized that security is like safety. It's not something you just do once and go, should be right. You constantly have to reevaluate. Unfortunately, some people, you see amazing controls put in, firewalls and network segmentation and all sorts of stuff. But over time, that just diminishes if you don't maintain it.

Felix (11:49)
You know what, I can even reflect on this as an individual, as a nerd who has, you know, at some point in my career, decided it's a really good idea to have, you know, VLANs at home, and my wife can have her own, like, separate bit where she can do whatever she wants on whatever apps or weird IoT or whatever. And then ultimately I get to the point where I have to be the tech support person as well as continue to be the nerd doing the interesting things. And because something goes wrong or, you know, something breaks or whatever, you go, hmm, can I be bothered?

And the answer is usually no, because...

Emily (12:20)
It always happens when you're away from home as well. I had the same. I did exactly the same, right? And then something went wrong. You're just like, okay, just unplug this. You just plug straight into the free... God, what am I going to do? Yeah.

Felix (12:35)
Yeah, okay. I'm glad to know I'm not alone on that one as well, Emily. It's good to know. I think the bit that I sort of, I miss with all of this is, irrespective of what standard we are talking about, is people kind of see them as these silver bullets. And if only I can get compliant to insert standard here, no hackers can do me over. Nobody can destroy my system. Nobody can cause me any problems. And it's not true. Fundamentally, I don't think that's true. There's so many times where...

particularly around the slightly more managerial standards, you know, so the ISO 27001 sort of thing. So, you know, it's about managing risk. It's not about eliminating. And whilst I think, please correct me, but I think, you know, 62443 is a little more about trying to eliminate some of the more obvious risks and trying to kind of narrow the field of variance, and therefore only being able to manage risk rather than eliminate it. But even then,

I don't see this as the silver bullet everyone seems to think it is. And like you've pointed out, the kind of the overwhelming nature of maintaining something that vast and complex means that most of the time it's not actually in play anyway. Even if you did have those brilliant commitments and lofty aspirations, it's not likely that you'll actually manage to achieve it or maintain it for very long.

Emily (13:56)
I would say, you know, it may surprise you to say that I am kind of a fan of 62443, in that because it's so synonymous and it's so out there. So when you think of OT security, you know, most people think of 62443, you know, the world over, which is quite an impressive feat. And the irony is, and people kind of forget this, is that, you know, virtually all standards, especially things like 62443, it's all about

managing risk. It's not about, you know, you can't stop, you know, a cyber attack happening. There's no level of controls, if you're against a skilled adversary, that can prevent them, you know. There will always be some way in. It's about, you know, understanding your risk appetite. What risk are you willing to take? And then also the other things like making sure you've got good recovery and, you know, you've considered how you might detect them and these kind of things.

So I am actually, you know, I am a fan of 62443 from that point of view. And I think it can be helpful to articulate kind of where you want to go. You know, security levels are a good example. Essentially, they define the type of threat you're trying to defend against. So everything from essentially someone with minimal skills, motivation, interest, money, up to sort of highly sophisticated actors. And it's like SL1 to SL4.

Now, and again, you know, it's really interesting listening to the person who was right there on ISA 99, and they were saying that people kind of misuse SL levels these days, because they were meant to just be a kind of notional idea of, like, this is the kind of thing you're trying to do. But people really, like, fixate on the wording, and things that people say, oh, SL4 is completely impossible. And they weren't meant to be kind of like that. So I guess there's other things to help people, like,

They just released an updated version of 2.1, security program requirements for IACS asset owners. Beautiful. But the new kid on the block in that is security profiles. This will be really interesting, because this starts to say all of this stuff you could do, actually for your energy, for, like, water, for these different things, actually how,

what might good look like, because you can't do everything.

Felix (16:26)
That's interesting, that it's being formally recognised that you can't do everything and you should probably concentrate on your areas that are most useful.

Emily (16:35)
Forget standards for a second. Let's just take a step back and look at what the actual situation is in front of us. And if you still haven't got basic network segmentation and, you know, everything is, you don't really know what assets you have. You don't have any network visibility. You know, you've notionally got some level of control on a boundary, you know, somewhere in your enterprise. You are not even close to being ready

for 62443. Your focus should be on getting some basics. Cyber Essentials. Yeah. Yeah. So I mean, I love the SANS five critical controls for ICS, because it really, really, really tries to just go, okay, out of everything we could do, what are the five minimum things, focus areas. It's stuff like incident response plans, visibility, defensible architecture, vulnerability management.

Very specific vulnerability management. You know, thinking of your boundary, you know, firewalls and network switches, for example, and not just go, oh, that PLC's out of date, I need to patch it. Well, probably not. If you haven't got basic network segmentation, probably go after that first. Sorry, I could rant about this. I feel really strongly about that sometimes. And I see it, you know, in my day to day, is that for the best will in the world, people are trying to do the right thing. But, you know, they've struggled to take that step back and just go, right, you know, we've got

no network segmentation, that means we're open to all kinds of very bad scenarios.

Felix (18:09)
Yeah, yeah, exactly. Are there any other, like, exciting bits or difficult bits or, you know, areas that you're kind of particularly passionate about?

Emily (18:17)
I would just say that 62443 has a lot of value. There's a number of updates that have happened or are coming. So by all means, catch up with some of the updates in 2.1, especially the whole thing about security profiles. Well worth a look. Unless you feel you have achieved the basics, so I will point out the five critical controls for ICS published on the SANS website. Unless you feel you're doing those five things pretty well,

then you're probably not ready to go down your journey on 62443. Or certainly maybe you can go down certain elements of it, but you've got some other things you need to look at first. And just take the step back here.

Felix (18:59)
It's really interesting, isn't it? Because I guess one of your observations earlier was that if you are trying to retrofit 62443 into an existing environment, then the odds are against you. But equally, if you're building a new environment, well, do you go down the, you know, the SANS 5 controls? Do you go down the 62443 from the get go? Or do you try and do both? You know, that kind of, that could be quite a complicated thing for people to navigate there. Especially when

you've got these kind of startup companies that are doing something in this space that want to try and do good security, because it's more, it matters more to those companies because they're a bit smaller and they need those differentiators from a market point of view, all that kind of stuff. So having security in their favour is a good thing, not just because it's intrinsically good. And they're faced with this mammoth task of trying to implement 62443.

Or they do something like the SANS 5 controls and instead end up in a position where they are probably not going to ever be able to implement 62443 in its entirety, because by the time they get to the point where they're actually competent enough in all the other ways, not just in terms of, like, skill level, technical knowledge and so on, but in terms of, like, I don't know, the business operational requirements to actually then go do it, well...

chances are it's probably too late and they've already got quite a lot of problems that are going to be massive hurdles to get over from 62443. Or is that not maybe your experience?

Emily (20:30)
I've been there on a very large project where we were deploying a very large complex control system, and you're sitting there as the OT technical cyber lead going, how do I get some security into this? And my natural go-to was 62443.

Then you're thinking, okay, well, which elements of it am I going to go down? And trying to specify all of that in an RFP document, a call for the vendors to, or an RFI document, a call to the vendors to say, these are the kind of things we're looking at, these are the requirements. Actually, the problem is it requires a lot of discussion. And I would say that the reality of those discussions is you basically need to, on the operator side,

the person specifying what you need, you need a team of people, either that's through consultancy, either that's through you've got a seasoned team employed, whatever, you would need a team of people to work together to then specify your requirements, then present them to the supplier. The supplier would equally need a team of people who are highly skilled.

So for us, it's not uncommon just to have it in an RFI or RFP, just saying 62443 compliant. You just know exactly that it's going to be quite a long journey to explain.

Felix (22:09)
Well, I don't have any other thoughts or questions for you about 62443 today. I am entirely up for having another discussion about a slightly different topic in the future if you are, but... I hope that if anybody is listening to this today with questions, that they are able to get out and say hello. Do you frequent social media at all, Emily? This is a perfect opportunity for some people to go, yes, come find me on, or alternatively say...

Emily (22:21)
Fun, yeah.

Felix (22:37)
I hate social media, I don't want to be on it.

Emily (22:39)
I have a love hate relationship with social media because it will occupy my ADHD brain for the rest of my life. I limit it. But I have LinkedIn. I'm EmilyH on LinkedIn. And by all means come find me there. I mean, I love talking to people. So by all means message me. But yeah, it's a murky world of this. I haven't got my Insta. I need Insta clearly. I'm missing things. Apparently there's all kinds of good stuff on there.

No, okay, maybe not.

Felix (23:10)
Well, no, I'm told the same, but I don't know. I'd rather be doing something that doesn't involve a social media platform.

Emily (23:19)
Love it.

Felix (23:21)
Yes. Okay. Well, in that case, thank you very much for your time. And yeah, if there are any questions and you don't want to just speak to Emily, which, feel free to go and do so, you can also get a hold of myself or anybody here at You Gotta Hack That. You can find us on Twitter at gotta underscore hack and you can find us on LinkedIn. And hopefully you'll be able to get in contact and say hello and maybe even come on some training courses and other stuff that

You Gotta Hack That provides. I'm not going to let you have an opportunity to sell your wares, but...

Emily (23:55)
Wait, so I want to go on one of your training courses. I'm really interested, to be honest. I mean, that's how we got chatting, right? As I came over going, oh, this is an interesting thing to do, and I can't wear reverse engineering. Yeah.

Awesome!

Thank you. See you soon. Cheers. Bye everyone.
