
Podcast: Episode #31 - Matthew Scott: Protecting Legacy OT in Mass Transit

September 7, 2023

About Matthew Scott: Matthew Scott is a technical leader with over three decades of experience in industrial automation, specializing in the design, deployment, and maintenance of cutting-edge SCADA systems across critical infrastructure sectors such as transit, oil & gas, energy, and water/wastewater. His expertise spans a wide range of hardware and software platforms. A trailblazer in cybersecurity, Matthew's contributions extend beyond his role as an OT security professional, as he has authored peer-reviewed publications and presented at technical conferences. With a commitment to fostering innovation and promoting a "Fail Fast, Fail Forward" ethos, he leads cross-functional teams in the development of secure and resilient industrial control solutions that ensure the reliable delivery of essential services.

In this episode, Aaron and Matthew Scott discuss:

  • Implementing security by design in legacy industrial control systems
  • Enhancing OT cybersecurity through code quality and dynamic rule sets
  • A step-by-step approach to improve cybersecurity and system resilience
  • Balancing regulations and technological advancements in OT cybersecurity

Key Takeaways:

  • Securing OT takes a holistic approach that goes beyond patching or hardware replacement: identify exploits, create rules, and build defensive programming into the system design to counter malicious actions and keep the process reliable and secure.
  • Well-disciplined code and comprehensive input validation are resurfacing as a potent strategy in OT cybersecurity, letting organizations proactively mitigate a substantial portion of vulnerabilities and exploits, with the potential for machine learning to adapt and reinforce security measures dynamically over time.
  • System security has recently shifted from insecure designs to security-focused thinking, which hardens code against vulnerabilities in complex environments; the remaining challenge is safeguarding legacy systems and maintaining uniform standards.
  • Amid the focus on looming threats, the priority is addressing foundational cybersecurity concerns, which upcoming regulations for industrial control systems highlight; advanced technology should not take precedence over resolving core technical issues.

"I don't necessarily see that AI is gonna make malicious actors more prevalent and more powerful. But I think we're gonna see the emphasis move to that. So until we have a regulation that forces us to clean up our code and be disciplined, we're gonna see organizations go out and spend money." — Matthew Scott
 

Triton Malware Exploited Zero-Day in Schneider Electric Devices: https://www.securityweek.com/triton-malware-exploited-zero-day-schneider-electric-devices/


Connect with Matthew Scott:  

Learn how to protect your ICS with PLC defensive programming techniques! Join Matthew and his colleague Tyler Lentz at the INCOSE Western States Regional Conference: https://www.pnnl.gov/events/incose-western-states-regional-conference

Website: https://plc-security.com/

Email: mjs672@nau.edu

LinkedIn: https://www.linkedin.com/in/matthew-j-scott-mcit/


Connect with Aaron:

LinkedIn: https://www.linkedin.com/in/aaronccrow

Learn more about Industrial Defender:

Website: https://www.industrialdefender.com/podcast 

LinkedIn: https://www.linkedin.com/company/industrial-defender-inc/

Twitter: https://twitter.com/iDefend_ICS

YouTube: https://www.youtube.com/@industrialdefender7120