Pipeline Podcast Network

The Source of Shared Knowledge for Pipeline Professionals

Episode 6: Risk Based Cybersecurity with Clint Bodungen

WIN A PRIZE PACK FROM PIPELINERS PODCAST  

Pipeliners Podcast

Our Host and Guest

Description

Do you want to feel instantly smarter? Listen to ICS cybersecurity guru, author, hacker, and educator Clint Bodungen talk about the latest cybersecurity issues and threats affecting the pipeline industry.

Learn about the history of cybersecurity, threats that involve national security, and the rapidly-changing technology that helps assess new and unique threats to know how to react in each situation.

Risk Based Cybersecurity Show Notes, Links, and Insider Terms:

  • Clint Bodungen is an ICS cybersecurity guru who teaches at the Gas Certification Institute. Find and Connect with Clint on LinkedIn.
  • ICS (Industrial Control Systems) captures the control systems and instrumentation used for industrial process control. These systems are used in oil & gas and other key industries.
  • HAZOPs (Hazard and Operability Study) is a structured and systematic examination of a complex planned or existing process or operation in order to identify and evaluate problems that may represent risks to personnel or equipment.
  • ISO 27005 refers to a published set of standards for information security risk management that includes security techniques.
  • NIST SP 800-30 is a government paper that serves as a Risk Management Guide for information technology systems.
  • CISSP (Certified Information Systems Security Professional) refers to the independent information security certification granted by the ISC. CISSP is a globally recognized certification in the field of IT security.
  • IDS (Intrusion Detection System) refers to a device or software application that monitors a network to find malicious activity or policy violations.
  • Situational awareness refers to how a person perceives environmental elements and events, comprehends their meaning, and projects their status after a variable has changed.
  • Anomaly detection is the identification of items, events or observations that do not conform to an expected pattern or other items in a dataset.
  • Dale Peterson of Digital Bond wrote this article on the “Insanely Crowded ICS Anomaly Detection Market.”
  • S4x18 is an ICS cybersecurity conference scheduled for January 2018 in Florida. The conference brings together industry leaders, guest speakers, and the overall cybersecurity community to learn about the latest trends and information.
  • GRASSMARLIN provides IP network situational awareness of ICS and SCADA networks to support network security.
  • Idaho National Laboratories is the leading U.S. nuclear science and technology lab. INL leads research, development, and demonstration projects to help the nation maintain and expand its use of nuclear energy.
  • NexDefense supplies ICS operators with the real-time knowledge needed to improve system and process integrity, and ensure cyber resilience.
  • NetFlow is a network protocol developed by Cisco for collecting IP traffic information and monitoring network traffic. By analyzing flow data, a picture of network traffic flow and volume can be built.
  • NetMiner is a software tool that allows users to visualize a significant amount of data over a large network. It is branded as social network analysis software.
  • High performance HMI is an advanced level Human-Machine Interface system that feeds data from a computer to the operator to make informed decisions.
  • Stuxnet is a type of virus known as a computer worm that targets SCADA systems. It is commonly referred to as the first cyber weapon.
  • Joel Scambray is the author of the “Hacking Exposed” book series that covers various cybersecurity threats and the latest topical issues.
  • Red Team vs. Blue Team draws from the military simulation strategy of the red team representing threats or opponents and the blue team representing defenses against these threats.
  • Pascal Ackerman is the author of “Industrial Cybersecurity,” released by Packt Publishing.
  • Capture the Flag (CTF) at the S4 conference is a virtual game and contest that simulates activity during a cybersecurity attack. Players are tasked with achieving various tasks during the event and the best score wins.
  • Dale Peterson of Digital Bond is an ICS leader who helps companies effectively and efficiently manage risk to their critical assets. Dale has pioneered numerous ICS security tools and techniques, such as the first intrusion detection signatures for ICS that are now in every commercial product.
  • PLC (Programmable Logic Controller) is a computerized system in operations that automates processes that require reliability within a given time period. PLCs are especially useful for pipeliners to automate difficult tasks in the field.
  • Grand Theft Auto is a popular action-adventure video game that tasks users with completing various missions in famous international cities.
  • Unity 3D is a video game engine that allows users to create three-dimensional simulations of different environments to test activity and responsiveness.
  • DCS (Distributed Control Systems) refers to a method of controlling processes within the operating location, utilizing a central operator for supervisory control. This increases reliability and security by keeping the central control functions at the operating plant.
  • Oculus Rift is a virtual reality system that allows users to virtually visit another environment through a headset.
  • PHMSA (Pipeline and Hazardous Materials Safety Administration) issued a new requirement for control room team training and exercises that include controllers and other individuals who would be expected to collaborate during normal, abnormal, or emergency situations.

Risk Based Cybersecurity Full Episode Transcript

Russel Treat:  This is Russel Treat. Welcome to the “Pipeliners Podcast,” episode number six.

[background music]

Announcer:  The Pipeliners Podcast, where professionals, bubba geeks and industry insiders share their knowledge and experience about technology, projects and pipeline operations. Now your host, Russel Treat.

Russel:  Thanks for listening to the Pipeliners Podcast. We appreciate you for taking the time to listen to this episode. To show our appreciation, we want to let you know about a signature prize pack. We are offering a free customized YETI tumbler for one listener each episode.

How do you register to win? Simply visit pipelinepodcastnetwork.com/win. That’s pipelinepodcastnetwork.com slash W-I-N to enter yourself in the drawing. This is our way of saying thank you for being part of the audience.

Today, we’re very fortunate. We’ve got with us Clint Bodungen. Clint is a cybersecurity ICS guru. You may have heard his name in an earlier episode with Will Gage, because he came up in the conversation.

Clint is the author of a book on ICS cybersecurity. He’s a hacker. He’s a teacher, an educator. He teaches with Gas Certification Institute and the cybersecurity part of our SCADA fundamentals. Really a fascinating guy to talk to. Without further adieu, let me welcome Clint Bodungen.

Clint Bodungen:  Thanks. Hi, Russel.

Russel:  Hey, Clint. How are things? How are things going for you?

Clint:  Busy, busy, and I think that’s a good thing. By the way, I just want to say I think, in the 10 years or so that I’ve known you, that’s the first time you actually got my name right.

[laughter]

Clint:  I’ve got a complex last name, so it’s okay.

Russel:  It’s pronounced exactly the way it’s spelled, but for some reason, you don’t want to do that. There you go.

Clint:  If you go to Germany and then tell them that, they’ll say I’m pronouncing it wrong, so it’s fair game.

Russel:  Several things I wanted to visit with you about. We’ve had the opportunity to work together on a few projects and do some interesting stuff. I think one of the things that I’m always fascinated about, Clint, working with you is how you approach this whole idea of ICS cybersecurity.

Maybe we’ll start by talking about the risk-based approach that you advocate to cybersecurity. Can you tell us what that is, what it’s about?

Clint:  Having been involved with the ICS industry, I think it’s funny that ICS is actually an acronym that just recently came about. Back then, it was just control systems, and I think, for a long time, this SCADA was the acronym. You’ve got all these different acronyms out there to describe control systems.

Throughout the years, there have been a lot of concepts about security that have come and gone. The convergence of control systems with traditional corporate systems brought the need for a lot of security.

It’s an old story by now, but there’s a lot of disagreeance in the industry about whether or not there’s a need for cybersecurity in ICS, how much. There’s a huge dichotomy about the philosophy of ICS cybersecurity.

One of the aspects that I think has gotten lost over the years is the risk-based approach. When we say a risk-based approach, we’re not doing cybersecurity for the sake of cybersecurity. We’re not trying to impose cybersecurity into control systems, but we’re focused on risk. It just so happens that’s a cyber element to risk.

For example, when we think of control systems, there’s been hazards analysis and HAZOPs done in control systems for decades. That is essentially the risk analysis or the risk assessment for control systems. Now with the convergence of cyber into that, you’re just adding a new element, so there has to be this cyber piece to that.

All too often, we see people trying to impose cybersecurity into ICS as a separate element. It really needs to be part of something that looks similar to the HAZOPs. I think, in the control systems, we’re really primarily concerned about reliability, efficiency, production and safety, and those things that are native to industrial control system.

Anything that threatens that is where our risk is. Ultimately, we want to identify, what are the things we really want to know? We want to know, where is our risk, or what is our risk? We want to know, what’s the likelihood that risk can be realized?

We want to know, what is the potential impact of that risk? Ultimately, we want to know, how do we manage that risk — reduce it or eliminate it if we can — with the resources that we have available to us? That’s really it.

It’s not so much that we want to do cybersecurity for the sake of cybersecurity. We want to protect the things that are dear to us in control systems. That’s reliable, efficient, production systems, and safe system.

Russel:  I think that’s right on target. In fact, I think that’s one of the things I like about the way you approach it. To me, in the pipeline world, it’s all about risk. We as pipeliners, we only get our name called, we only make it into the media, if we have a mistake or an error. Our job is to reliably and accurately move product and to do that without impact to the environment or the community.

Pipeliners, by their nature, are really familiar with the idea of risk management. You need to have the same approach being applied in leak detection. There’s actually some new API standards that are out that are addressing a risk management approach to pipeline safety.

To me, the idea of taking risk management and applying it to cybersecurity for the pipeliner is just another aspect of something that might be a threat, that might cause an issue or a problem, where we’re not able to operate reliably.

What I see, though, in a lot of risk management functions in organizations is the thing that, once a year or once a quarter, we go around, we look at the risk, and we write that down in a book, but it doesn’t necessarily change the way we operate or change what we’re doing.

I’m wondering, could you comment about that? One of the things I know about cybersecurity is the risk changes quickly.

Clint: There are two or three fundamental mistakes that people do when they’re looking at risk. This is not only just on the ICS side, but also from the cybersecurity side, the corporate business side. I think we really need to look at it from an ICS perspective if we’re going to do risk assessment or risk analysis properly.

The first is the data that we’re coming up with. For example, one of the problems I see is the typical risk assessment frameworks from ISO 27005, and then the NIST standards — NIST SP 800 30, 37, 39 — they all seem to have the same concept.

On one side of this heat map, you have a number that represents likelihood and another that represents impact. Even if you look at the CISSP model, where you’re looking at the annual rate of occurrence as a likelihood thing, it doesn’t matter if you’re talking about the CISSP model, the NIST model, or the ISO model. They’re all coming up with these speculative numbers.

We have no way of really knowing the likelihood of this impact happening, this attack happening, or this incident happening as a one, a two, a three, or a four, because it’s not attached to any real data. That’s one mistake.

When you’re doing your risk assessment, you have to attach actual data to give real value and numbers to your attributes like likelihood so that there’s something real and something that you can actually use to discern the likelihood of one threat over another.

We can talk about what that looks like in a bit, if you want, but that’s one mistake, is that you’re using speculative numbers. If you’re using speculative numbers in a risk assessment, then it’s pretty much useless.

Going back to what you said about the timing, and that’s the other mistake that I see, is people tend to treat risk assessments as this one off thing. Like you said, we’re going to evaluate our risk, and then see what we need to do about it, and then put it down.

Risk assessment needs to be a constant procedure, a constant behavior. It needs to be always on. A lot of people do this. You have these little mini risk assessments. Anytime something in your environment changes, you should be doing some risk evaluation or risk assessment or analysis on that change.

There’s lots of different ways to do it, which probably go way outside the scope of this podcast due to time. Again, even those little risk assessments, they still have that mistake of having speculative numbers.

Again, we can get into that if you want to, but those are the two areas of mistakes that I see. You need to have real data that can give you real results, and it needs to be an always on type of thing.

Russel:  What that brings up for me, and we’ve talked about this before, it’s the idea of a risk dashboard, like, “What is my risk at this moment in time, given data that I’m looking at and analyzing?”

One of the things I think that’s unique about cybersecurity, and particularly ICS cybersecurity, is achieving something like that would seem to be possible.

When you’re talking about integrity management in pipeline systems, where I might run a tool through a pipeline segment once every six months or once every several years, that’s not real time. What we’re talking about with cybersecurity is I might actually be able to do risk in real time. That makes sense. Do you see it that way and do you think we’re headed that way?

Clint:  Absolutely. In fact, one of the reasons why risk assessment and a risk-based approach has been left in the dust to much trendier and sexier buzzwords is that everybody uses risk assessment as a thing that you do initially and upfront and then you help figure out your gaps and you close your gaps, but then you get into things like threat monitoring, and IDS, an intrusion detection system. People view these as inherently two separate concepts when in fact, done properly, you should be using the same data points in your risk assessment to perform an element of threat modeling.

By the way, threat modeling and building these threat models and risk modeling is how you add real data to those likelihood attributes to your risk model so that you’re using something discernible.

You’re using threat intelligence and threat modeling to enhance your risk assessment but at the same time, if you want it to be always on, the data points that you use in terms of your monitoring and your threat detection and intrusion detection system, those data points are the exact same data points that you would use in threat modeling.

Thus, you should use those same data points in your risk assessment. It’s not different. You should actually use them the same.

Given the same data points you use in a threat monitoring system or an intrusion detection system, and threat hunting, and threat intelligence to input into a risk assessment so that you have threat modeling and real-time threat modeling and monitoring data into your risk assessment is how you give your risk assessment real usable data and how you make it always on.

You’re right, Russel. That’s something that you would correlate into a dashboard or a SIM or something like that, and we are starting to see certain technology out in the industry start to do that as companies are realizing that they can use threat monitoring and intrusion monitoring type data to be this always on risk assessment.

I’ve seen the buzzword out there, some people are starting to call it risk intelligence.

Russel:  [laughs] It amazes me, Clint. Every time we talk, you drop something on me that’s brand new that I haven’t heard yet. It’s one of the reasons I like visiting with you. I always feel behind when I’m talking to you. It’s just the situation.

Clint:  To be fair, I think I make some of this up.

Russel:  [laughs] Well, if you make it up and then everybody else is talking about it later, that’s called inventing, right?

Clint:  At least trendsetting.

Russel:  There you go. We were talking, as we were getting ready a little earlier, about one of these topics that you see is really hot right now, which I think ties to what we’re talking about, which is this idea of situational awareness and anomaly detection. What do you see going on there, and why is that a hot topic?

Clint:  This is a good segue from where we were talking because I mentioned this earlier in that the things that we refer to as basic blocking at tackling, your proactive defense, it’s lost its luster. People don’t focus on that so much anymore because it’s not sexy, it’s not cool, it’s not trendy, and they’re moving on to the shinier buzzwords.

For a while there, it was asset identification, which is still a thing, but then that’s moved into, you take asset identification, and you combine it with threat monitoring, and you get situational awareness.

That buzzword came out about a year or two ago and then now all of a sudden, you’re going to take that situational awareness and you’re going to add some AI, artificial intelligence, and now you’re going to use it to detect anomalies and now you’re going to have anomaly detection. Everybody is trying to find the next biggest, better mousetrap.

To me, this is the equivalent. Granted, there is a time and a place for threat monitoring, active monitoring, and the jury is still out on anomaly detection, I’ll talk about that in a minute.

But, by chasing this and focusing so much on this, it seems like the industry has basically done the equivalent of saying, “Well, I got this brand new house, or an old house. You know, it’s too hard to build a fence, and it’s too much trouble to remember to lock the doors and every single window, so I’m really just not going to worry about my fence, or locking my doors or my windows, and I’m going to rely on my burglar alarm to tell me when there is an intruder instead. Instead of trying to prevent the intruder from coming in, I’m just going to let my burglar alarm tell me when there’s an intruder and then I’m going to make a quick rational decision on how to respond to that.” That is what I feel like everybody is doing with anomaly detection. “There is this new burglar alarm out that’s really hot and sexy, so I always forget to lock the doors.” The problem with the anomaly detection is that, like I said earlier, it really is an unproven industry.

We’ve got more than 20 startup companies that have entered the market under situational awareness and anomaly detection in the ICS industry, and Dale Peterson put out an article, I think it was on his blog or maybe on LinkedIn, talking about all these different anomaly detection companies.

In fact, at S4x18 in January, he’s having a “bake-off” and he’s basically told these companies to put their money where their mouth is and said, “Look, prove that you can do it.”

The reason why is because there are a lot of people out there that just don’t see anomaly detection as a real viable solution at this point because it’s unproven even though there have been millions of dollars invested in it.

Ultimately, and I’m going to get into trouble for saying this, I probably shouldn’t say this on a podcast but I was going to write a white paper on this anyway, so I’ll give you the exclusivity here, Russel.

Russel:  Okay. You heard it here first as the first exclusive drop on the Pipeliners Podcast.

Clint:  I’m releasing a white paper soon, and my next book is actually on this subject. What really happened when this market dropped into the situational awareness topic, the NSA released GRASSMARLIN, and GRASSMARLIN is a java based but yet open source tool to help asset owners identify their IP based assets, and it does it passively.

Originally, the first passive asset identification tool and anomaly detection tool originally came out, I forgot what the date was, but it was released by Idaho National Laboratories or ICS CERT under the name of Sophia, and then Mike Assante carried that concept onto NexDefense when he left INL and founded NexDefense.

That was really the first concept of passive asset identification from an ICS perspective and then years later, that’s when the NSA released GRASSMARLIN. GRASSMARLIN is a little bit different look and feel but under the hood, it still has the same concept.

It has the capability of parsing certain industrial protocols and identifying ICS assets and a certain level of NetFlow or directionality and give you a little bit of situational awareness. That’s all open source, and all of a sudden, you start having all of these situational awareness companies popping up.

If you really look under the hood, for the most part, all these companies, situational awareness, at a basic concept, does the same thing. If you look closely, all of the source code from GRASSMARLIN and what GRASSMARLIN does is exactly what all of these other tools do.

Their differentiator is a little bit of secret sauce and a little bit of their, guess what, Russel? Their dashboard. The differentiator is how they do their visuals, and their dashboard, and a little bit of secret sauce, and their correlations, and the way that their correlations and how they do “anomaly detection.” 75 to 80 percent of what they do is no different than what GRASSMARLIN can do or what NetMiner can do.

One thing that we’re working on is why shouldn’t there be an open source solution or a cheaper solution to achieve 90 percent of the same thing for the industry? That’s one thing we’re working on right now to give back to the community is that we’re checking these open source tools like GRASSMARLIN and NetworkMiner and some of these industrial protocol dissectors.

We’re going to create — we’ll be releasing it early in 2018 — an open source tool and release it to the industry that will pretty much give asset owners, operators, a very cheap solution to get about 90 percent of where these commercials would get them anyway.

What it hopefully is going to do is spawn the industry to do what Dale wants them to do, to step up. Hopefully, these asset owners will give consumers more than just about 10 percent extra secret sauce and giving them what an open source tool could really give them in the first place.

Russel:  Again, it’s always interesting to me about what some of the themes are around technology. This theme about dashboards and open source tools and creating data and, as you say, the secret sauce being how you present that data, that’s very thematic.

You’ve got the same thing going on in the pipeline control room about what’s called the high performance HMI because everybody’s trying to come up with the best way to get graphics and animations and symbology that simplifies decision making and puts context around data and makes it meaningful.

I actually think that the technology’s getting easier. The understanding how human beings interact effectively with technology’s getting tougher at a broad level.

Clint:  You’re right. I think technology’s getting easier. I think that we as humans inherently try to find a way to complicate it because we think it should just be more complicated.

Russel:  [laughs] Oh my gosh, there’s lots of truth in that. Look, I want to segue. I want to talk about a couple other things while we got you here. One of the things I want to do is talk about your book. Why don’t you tell us about the book you wrote?

I know it’s been out for about a year. I know the story from way back when you first put out the idea of writing a book called “Hacking SCADA.” You got some visits that maybe you didn’t anticipate or didn’t want. That book actually made it to market. Tell us a little bit about the book that you have out currently.

Clint:  I’ll just say I can’t say too much about the old version. Back in 2007, this was BS — Before Stuxnet — back then, me and a couple colleagues decided to write a book called Hacking SCADA. We published the table of contents. Word got out. Let’s just say there are certain entities in the industry that was not ready for it yet and convinced me that I should wait.

Lo and behold, several years later, I was interviewing with Joel Scambray, didn’t even realize who he was at the time. The book series “Hacking Exposed” had been out since the ’90s. It was iconic. It was the original hacking textbook officially released. I was interviewing with Joel. Halfway through the interview, it hit me. I was like, “Oh wait, this is the guy from Hacking Exposed.” I felt like a dummy.

I actually didn’t get the job. He gave me a book deal instead. The job wasn’t quite right. He thought that the time was right to write an exposé on ICS from a red team perspective. There have been some really quality books already written from the blue team perspective or the defensive side.

Russel:  Would you define for the listeners, what’s a blue team? What’s a red team? What does that mean?

Clint:  Blue team typically refers to the defense, the network or the computer defense. Red team refers to the offense. That goes back to military terminology, red team, blue team. I don’t know. Maybe it goes back to video games, “Halo,” red team, blue team. Either way, blue team is typically referring to the defensive side. The red team is the offensive side or pretending to be the bad guys.

I assembled a team of great co-authors to help out. We wrote “Hacking Exposed, Industrial Control Systems.” It was the only red team perspective ICS cybersecurity book.

A colleague of mine has since written another industrial cybersecurity book that was just released in 2017, available through Packt Publishing, my friend Pascal. I like that he wrote it because it’s the second edition that I haven’t written yet. He saved me the trouble. That book’s been out for about a year.

There is talk of writing a second edition to that one simply because, as you mentioned earlier in this podcast, security and risk moves so fast that as soon as you publish it, it’s already outdated.

Russel:  I know when we first started working together, which was about 2007, 2008 when we were putting together the SCADA Fundamentals class, this whole domain of cybersecurity, much less industrial cybersecurity, wasn’t really even on my radar at that time.

Man, I have learned so much by listening to you teach the classes. I do the first couple of days of that class or have historically. My content hasn’t changed a whole lot. Man, yours changes every time we put the class on.

I really admire how you’re able to stay current on all this stuff because I know it’s not easy to do. I think your book Hacking Exposed for the Industrial Control System, it’s really interesting to put yourself in the mindset of the attacker because I think a lot of times, we don’t do that. It’s really clarifying. It certainly helps to better understand the risk when you’re able to do that.

Clint:  That was the whole point, was that there is a way and a time and a place to safely perform “penetration testing” in industrial environments. I think ultimately the whole theme of the book really is to put yourself in the mindset of the attacker to learn how to better defend against them. A lot of people would insert Sun Tzu quotes here. They’re overdone, so I won’t do it.

You really do need to know your adversary.

Russel:  Man, you are throwing in some pretty deep geeky references here which is perfect for this group of people. I love that stuff.

Clint:  I are one.

Russel:  Me too. Bubba geeks unite.

One other thing I wanted to ask you about, I had a really cool opportunity. Clint shared some stuff that he’s working on that is taking the software development tools that are used to create games and using it to create an experiential training tool for those trying to protect critical infrastructure.

Clint, tell us about what you’ve got going on in that domain. I don’t know if you’re ready to share everything. Man, that is some really cool and very compelling stuff.

Clint:  We are actually about ready to come out from underneath the radar probably this week or next week, so another exclusive for you, when we’ll be sponsoring the CTF, the Capture the Flag, at S4 with this technology.

Russel:  I need to ask you so the listeners know, what is S4?

Clint:  S4 is one of the more technical ICS cybersecurity conferences. I like to think of it as the technical, the hacker conference of industrial control systems. Don’t worry. It’s not scary or anything like that. It’s just a very technical…

Russel:  Is it like industrial cybersecurity geek week?

Clint:  Absolutely. Out of all the conferences, it’s definitely one of my favorites. Dale Peterson at Digital Bond is the founder of that conference. It’s an industry favorite. It’s in Miami, Florida at the Fillmore Jackie Gleason Theater. It’s a great time. Everybody learns a lot. Welcome for the plug, Dale.

[laughter]

Clint:  What you’re referring to is we have started in about 2013, 2014. We were trying to find ways to give better visual feedback during Capture the Flag contest or just even training.

It’s nice to be able to look at a computer readout and see, “Okay, I’ve changed the coils and the registers on that PLC,” or even, “Oh, look, I’m looking at this HMI, and I’m seeing the water in the tank go down. That’s nice.”

Looking at a HMI isn’t the same thing as looking at a real environment. A lot of people are providing physical demos by getting a tabletop full of clear tanks and tubes and hooking up the PLCs. Basically, you have a tabletop full of toys. I’m not trying to demean that. People put a lot of hard work in that. It works great. It doesn’t scale. It’s not a real environment.

We started thinking of ways that we can do this. I had the bright idea one day while I was playing another game called “Grand Theft Auto.” My character was running around shooting up this power plant.

My friend looks over at me. He says, “Man, that would be cool if we could just, if we could do this and make it all industrial and shoot up power plants and duh, duh, duh.” It was a, here, hold my beer moment. I said, “You know, why can’t we?”

I embarked on a journey to start learning how to program video games. I found out that wasn’t that difficult. There’s a lot of tools that help you do this. There’s some video game engines that help you. I discovered Unity 3D. We started using Unity 3D to replicate entire industrial environment.

Using Unity 3D, we have two offshore platforms, two oil refineries or chemical plants. We have an electric transmission yard, distribution substations, a neighborhood, a city. All of this stuff can replicate industrial processes. Anything that a plant or a process would do in real life, we can make it do in the virtual world.

Using gaming engine physics, we can get pretty realistic with it. In fact, we’re also augmenting the physics so we can produce a higher level fidelity of those physics so it’s even more lifelike.

We derived a way that we can hook up real-world control systems to that. We’re essentially taking all of the digital equipment, SCADA systems, DCS, the PLCs. We can hook that up to our virtual environment essentially just replacing all of the physical, non-digital equipment. All the SCADA equipment can control our virtual environment just as it would control a real plant or real process environment.

We can start to do things like getting real visual feedback for a process. Like if we hack this PLC, does it really cause a critical failure in the process or do we have to do more? We can start to do things like introducing even more variables into the equation. What if this pipe is corroded? What if some guy’s standing there with a cigarette or whatever?

We can start to do not only training but a little bit of cause and effect or a little bit of impact analysis simulations for these industrial environments.

To make it even more fun, just because obviously that wasn’t enough just to have a first person shooter like environment, we went and hooked Oculus Rift up to it, which is a virtual reality system. Now you have real-world control systems hooked up to a virtual environment that you can completely fully immerse yourself into and run around a plant.

Russel:  As a guy who has spent time building pipeline simulators and pipeline trainers, the idea, the what you’re doing here, it’s pretty dead gum cool. It’s a lot of work to work with one of these math models, one of these hydraulic simulators, and build a pipeline model and put a SCADA system on top of it.

The idea of creating a 3D virtual environment and then putting a SCADA system on top of that, what that opens up in terms of training…

There’s a brand new PHMSA requirement that came out middle of 2017 related to what they call team training. The idea of being able to get all of the people in the same room, your IT guys, your SCADA guys, your pipeline controllers, your field technicians, your measurement guys, and put them all into that environment.

What that could mean for the industry in terms of what we could do with training, it could materially change really the quality of what we do because the biggest challenge in pipeline operations is training in adverse or emergency operations.

A lot of that’s done even today is tabletop exercises. Tabletop exercises are great, but they’re limited in terms of what they can do in terms of physically creating the experience of the problem.

Clint:  That’s one of the used cases that we’re actually even focusing on, is enhancing tabletop exercises. We’re working on building that where not only, like we have CAT drawings, we can replicate customer processes in entire plants, but we’re also having a “level builder” so basically customers can drag and drop and build their own processes themselves.

Anyway, sorry, not trying to plug the product there, and we’ve got a lot of ways to go, before we have a viable product, but hopefully what started out as hobby is able to do something to help change and enhance the industry.

Russel:  All of technology, it starts with somebody having an idea, so I really appreciate your sharing the background of how you got the idea and how far you’ve come. I know you have spent a lot of effort and a lot of time getting as far as you have come and I’m really looking forward to see the product get to the market and you have a great deal of success with it.

Clint:  I appreciate it.

Russel:  Look, we’re running a little longer than our typical episode but man, it’s great stuff. I sure appreciate you joining us and…

Clint:  Good to be here.

Russel:  If somebody had questions about cybersecurity and some of the things you’re doing, what would be the best way for them to get in touch with you?

Clint:  I will do two things. I will provide my email address as well as my cell phone number because if I’m available to help someone, or I can help someone, then I’m here.

My cell phone number is U.S. country code 1+ 281-832-3129 and my email address is clint.bodungen@leocybersecurity.com.

Russel:  I know like with a lot of the episodes for the listeners, there’s a lot of buzzwords and jargon. If you’re not familiar with cybersecurity, you may not know a lot of what [laughs] Clint was talking about. I know I have some homework to look some of that stuff up, but all of that will get captured on the podcast site for the episode.

There will be show notes, there will be a whole library of links there for if you want to take some time and explore some of these ideas and learn more about some of the things that have been talked about.

Also on the website, we’ll have Clint’s LinkedIn profile linked up so you can find him that way, as well. Thank you for listening, and look forward to having you back next time.

Clint:  Thanks for the opportunity. It was fun being here.

Russel:  One of the key things I like to do is try to summarize the whole conversation down to some simple takeaways that any of us could use to be better at doing our job as pipeliners. I take away several. One is the idea of a risk-based approach to cybersecurity.

That, simply stated, as I understand what Clint was talking to us about, is to look at the real risk related to cybersecurity and build your program related to that real risk.

Number two, when looking at how you’re going to do that, when you do your risk assessment and you do your threat analysis, look at the data that you’re going to monitor and make sure that that data is tied to what you’re doing after the fact so that your ongoing risk assessment can be done in real time.

Lastly, I think probably my biggest takeaway in this is that, this issue of cybersecurity, there’s a lot here, it’s complex, like a lot of other kinds of technology, but probably more than anything else, it’s fast moving and to do a good job of managing the risk, you need resources that live and breathe every day this content.

That’s our three takeaways for this episode. I hope you enjoyed this week’s episode of the Pipeliners Podcast. I really enjoyed the conversation with Clint Bodungen, our guest, and I’m hoping he’s going to come back as he releases his new books and finishes some of these cool tools he’s working on.

Just a reminder before you go, you should register to win our customized Pipeliners Podcast YETI tumbler. Simply visit pipelinepodcastnetwork.com/win. That’s pipelinepodcastnetwork.com slash W-I-N to enter yourself in the drawing.

[background music]

Russel:  Thanks again for listening. I’ll talk to you next week.

Announcer:  Share your questions and comments with us at pipelinepodcastnetwork.com. You can support the show by liking and following us on SoundCloud, or by rating and reviewing the show on iTunes, Google Play, or Stitcher. Thanks for listening to the Pipeliners Podcast.

Transcription by CastingWords

Categories: Cybersecurity, Pipeliners Podcast

More Episodes