I had the pleasure of speaking with Lucian Niemeyer on this week's episode of the PrOTect OT podcast. We discussed a wide range of topics related to national security and safety as it relates to OT security, connected technologies, and cyber physical concerns. Lucian is the CEO of the non-profit Building Cyber Security, which aims to address these issues by creating performance frameworks for designing, installing, integrating, and operating connected operational technologies. I highly recommend listening to the full episode for more insights. Here's a preview of the beginning of our discussion.
Aaron: Lucian, I appreciate you taking the time. Tell us a little bit about yourself, where you came from and what you're doing now.
Lucian: I've been in mostly federal government. I'm an Air Force vet, and then spent 11 years on the United States Senate Committee and Armed Services professional staff where a small group of us made recommendations and proposed legislation for the Senators to act upon. So, 11 years on the committee gave me a pretty good background on national security for doing some consulting. I was asked to come back into government 2017, and ultimately appointed to be the Assistant Secretary of Defense for the largest real estate portfolio in the world, and all the energy and environmental programs that goes along with that.
If you go back and look at the 2018 National Defense Strategy, its specifically written in there that our national security strategy needs to realize that the homeland is no longer a sanctuary. That any adversary whether it be a terrorist or a nation state, has the ability to ultimately impact our way of life here in the United States, right? By a cyberattack or a connected technology. And that's more real than it's ever been, and it's something that we need to address as a nation.
I took guidance from the Secretary of Defense very seriously, spent some time with the National Security Agency and CYBERCOM. On a snowy Friday afternoon we called in some of the leading manufacturers of control systems: Johnson Controls, Schneider Electric, Rockwell, Honeywell, and a few others. And we started asking ourselves, okay, how collectively do we address this issue of a growing insecurity and growing threat to safety posed by smart control systems?
And you know, that group of OEMs has had a tendency to not want to cooperate because they're the ones producing it. But on other hand, I really give them credit. They say, yes, let's dig in and solve this problem. Ultimately we formed a working group that became eventually a nonprofit in 2020 called Building Cyber Security. I am now the CEO of Building Cyber Security (BCS), which is a nonprofit entity that was created specifically to establish performance frameworks for how we design, install, integrate and ultimately operate connected operational technologies and to mitigate the cyber risk that is so openly inherent in them.
Aaron: How do you approach something so vast from architectures that's dying 40 years ago to new things that are being put in tomorrow? How do you bridge that gap? Because you can't just go replace it all.
Lucian: Yeah, cybersecurity is a huge issue. The protection of technologies is even a bigger issue. And one of the first things we did, we realized this is not necessarily a cybersecurity issue, this is a human safety issue.
You know, a car these days has anywhere from 1500 to 2000 microchips in it. This includes some chips and processors that manage critical systems in a car. And we're living with this threat. Any 17-year-old kid with a laptop can do some terrible things to a car. And yet we don't have a dashboard light that says, “Hey, someone's messing with your data, you need to pull over.” So really it starts with convincing a lot of people that we need to design cyber safety. In a car, your home, a building, a water treatment plant, a rail line. We have to start asking ourselves what are we deliberately doing to reduce cyber risk? And that's really what our nonprofit is working on.
What can we do that’s not just an assessment and a certification? But ultimately, how do we drive better design requirements in anything: your smart TV, your smart coffee maker, what can we do to ensure that that device that's in your home does not ultimately pose a risk to you? We see in our organization a compelling concern to get in front of it before we start seeing property damage and casualties and folks actually getting hurt. That for us is a very compelling statement that drives a lot of interest when you start talking safety. Particularly now if you're looking at an incentive that insurance companies can bring in that are also concerned about rising claims, not just in cyber insurance, but what could ultimately happen in properly casualty claims as a result of an OT cyber attack.
Aaron: Yeah, OT is really bridging that gap of I'm not just worried about a light turning on and off. I can hurt people, I can spin things up, I can explode things. I can crash a car. I can do a lot of things that are different. In IT, I lose my email or my web server goes down…
Lucian: Or the FAA can go down, or the Colonial Pipeline can go down. I would never call the Colonial Pipeline an OT attack. I want to be true to my profession. That definitely was an IT ransomware attack. There was a decision by the CEO to shut down a pipeline, partially because he was moving product for free, but more importantly, they did not know how far into the OT from the billing system to the meters to the valves, how far they'd gone in. That creates now a huge environmental threat or human safety threat. So when we start talking about ransomware attacks to your IT, there's going to be a physical impact. We are starting to see even IT attacks have a physical impact. That's really what we're trying to address within our nonprofit.
Aaron: What response are you getting from the marketplace?
Lucian: We've got CISOs that are losing their hair right now, who are jumping and down saying, “Hey, we need to spend money on this.” It's really difficult for a CFO or CISO to justify it unless they can't get insurance. They can no longer get insurance. Which we're starting to see in the cyber insurance world a little bit, that some of the traditional players are saying, “Hey, we're not gonna touch this market anymore. Because the risk is just too high.” For us, and we're seeing this crest right about the time where ransomware attacks are going through the roof, we're starting to see a greater concern about where's their client risk.
We're starting to see insurers proactively say, “Hey in order for us to give you insurance policy, you have to do the following things. Number one, multifactor authentication. And if you don't do that, we will not honor your claims.” That's pretty good. We're starting to see some progress there. Now, what we've done with the BCS is turned it into a performance framework where it's not an audit coming in once a year; It's real-time data that's being accumulated by a company that ultimately can be fed to an insurance company if they want it. To assure that the programs are in place and operating effectively.
Our nonprofit is built for multiple sectors. And we've built a framework around a global standard called ISA 62443. We are partnered with the International Society of Automation on taking that framework and wrapping a performance framework around that. It's a pretty complicated framework, and it's mainly built for oil and gas, so what we've done is we've built a series of vertical sectors (water, healthcare, robotics, industrial controls). But our first sector is commercial real estate. And there are three reasons for that: First of all, it’s the easiest set of controls to map. It's basic building systems. So we start with the easy and then move to the hard. But more importantly, you're dealing with an industry that is relatively immature on their cybersecurity protections. They don't know that all this smart technology they're putting in their buildings potentially could create a risk. And there are about 37 trillion of assets around the world with a significant property and casualty exposure, and insurance exposure.
And as I raise awareness on the cybersecurity threat, the first thing we get from building owners or operators is, “I wish you wouldn't have told me that, because now I've got to act on it.”
Really what we're saying is, yes, the threat's real, but here's a framework that's easy to use. All you have to do is this if you want to be cyber bronze, cyber silver, cyber gold - based on what you’re willing to invest and what your risk is, and we'll take care of the rest.
This has been an excerpt of a PrOTect OT Cybersecurity Podcast episode (edited for clarity). For the full conversation, listen and subscribe here: https://podcasts.apple.com/us/podcast/the-protect-ot-cybersecurity-podcast/id1662081824