Manufacturing Hub

Ep. 184 - ICS Cybersecurity Explained Challenges, Best Practices, and Future Trends with Jason Waits



In this in-depth conversation, Jason Waits, Chief Information Security Officer (CISO) at Inductive Automation, provides a comprehensive exploration of Industrial Control System (ICS) cybersecurity. With decades of experience securing critical infrastructure and navigating the complexities of Operational Technology (OT) environments, Jason offers actionable insights into the current state and future of cybersecurity in industrial sectors like manufacturing, energy, and water treatment.

The discussion begins with an overview of what makes ICS cybersecurity distinct from traditional IT security. Jason explains how OT systems prioritize availability and safety, presenting unique challenges compared to the confidentiality-driven focus of IT. The conversation highlights key vulnerabilities in ICS environments, such as legacy systems that lack modern security features, poorly designed protocols without encryption, and the risks posed by IT/OT convergence.

Jason dives into common attack vectors, including social engineering (phishing), lateral movement from IT to OT networks, and physical access breaches. He explores real-world case studies like the Colonial Pipeline ransomware attack, the Oldsmar water treatment plant hack, and the Stuxnet worm, illustrating how these vulnerabilities have been exploited and the lessons they offer for building stronger defenses.

The video also emphasizes the critical role of compliance and standards, such as ISA/IEC 62443, the NIST Cybersecurity Framework, and CIS Controls. Jason underscores the difference between compliance and real security, advocating for a "security first, compliance second" philosophy to ensure that organizations focus on mitigating actual risks rather than merely checking regulatory boxes.

As the conversation unfolds, Jason discusses the role of vendors and OEMs in securing ICS environments, detailing how Inductive Automation uses proactive measures like Pwn2Own competitions, bug bounty programs, and detailed security hardening guides to improve the security of their products. He highlights the importance of collaboration between vendors and customers to address challenges like long equipment lifecycles and the growing adoption of cloud services.

Emerging technologies also take center stage, with Jason exploring how artificial intelligence (AI) is transforming threat detection and response, while also enabling more sophisticated attacks like personalized phishing and adaptive malware. He addresses the implications of IT/OT convergence, emphasizing the need for collaboration between traditionally siloed teams and the importance of building shared security frameworks.

For organizations looking to strengthen their cybersecurity posture, Jason offers practical steps, starting with foundational measures like asset management and configuration baselines. He explains how leveraging free resources, such as CIS Benchmarks, and creating a roadmap for cybersecurity maturity can help organizations of all sizes navigate these challenges, even with limited budgets.


Timestamps
0:00 – Introduction and Overview of ICS Cybersecurity
3:15 – Meet Jason Waits: Background and Journey to CISO
6:45 – What Is ICS Cybersecurity? Key Differences Between IT and OT
10:30 – The Importance of Availability and Safety in OT Systems
13:50 – Challenges of Legacy Systems and Long Equipment Lifecycles
17:20 – Attack Vectors: Social Engineering, Lateral Movement, and Physical Access
20:10 – Case Studies: Colonial Pipeline, Oldsmar Water Treatment Plant, and Stuxnet
25:35 – Compliance vs. Security: Jason’s “Security First, Compliance Second” Philosophy
30:00 – The Role of Vendors and OEMs in Cybersecurity
34:45 – Inductive Automation’s Approach: Pwn2Own, Bug Bounties, and Security Hardening Guides
40:00 – Emerging Technologies: AI in Threat Detection and the Risks of Sophisticated Phishing
45:10 – The Growing Adoption of Cloud in ICS and Its Implications
50:00 – IT/OT Convergence: Opportunities and Challenges
55:15 – Practical Steps for Organizations: Asset Management and Roadmaps
1:00:10 – Building a Security Culture: Collaboration Between IT and OT Teams
1:05:30 – Future Outlook: Increasing Regulations, Ransomware Risks, and Innovation
1:10:00 – Using Cybersecurity as a Competitive Advantage
1:15:00 – Closing Thoughts: The Need for Continuous Learning and Proactive Action

About Manufacturing Hub:
Manufacturing Hub Network is an educational show hosted by two longtime industrial practitioners, Dave Griffith and Vladimir Romanov. Together they try to answer big questions in the industry while having fun conversations with other interesting people. Come join us weekly!

Connect with Us

  • Vlad Romanov
  • Dave Griffith
  • Manufacturing Hub
  • SolisPLC
  • Joltek

Manufacturing Hub, by Vlad Romanov & Dave Griffith