In this Spotlight Podcast, In this Spotlight episode of the Security Ledger podcast, I interview Chris Walcutt of DirectDefense about the rising cyber threats facing operational technology (OT). Chris and I talk about how organizations that manage OT – including critical infrastructure owners – are being targeted by sophisticated cyber actors and the strategies best suited to manage increased cyber risks to OT environments. [Video Podcast] | [MP3] | [Transcript] Cyber attacks on critical infrastructure have gone, in the past two decades from the hypothetical, to the actual, to the epidemic. Today, malicious actors from cybercriminal ransomware gangs to nation-state affiliated hacking groups are teeing up vulnerable operational technology (OT) environments. As CISA noted in a February Advisory about Chinese infiltration of critical infrastructure providers, the goal of many of these groups is long term persistence and – eventually – disruption of critical functions such as power distribution at a time of their choosing. Christopher Walcutt is the CSO at DirectDefense How should companies respond to the increasing risks to OT systems and environments? In our latest Spotlight episode of the Security Ledger podcast, I sat down with Christopher Walcutt, Chief Security Officer at DirectDefense, to talk about the changing cybersecurity landscape for critical infrastructure and the challenges (as well as the solutions) that organizations face today. Chris’s Cybersecurity Journey Starting his career on a help desk for a Fortune 200 energy firm, Christopher’s path to infosec is a testament to the many unexpected routes leading to cybersecurity expertise. Starting out on a help desk, Chris worked his way up to roles as a system administrator and network engineer, eventually taking the IT helm at a power provider with a portfolio of over 30 North American plants, including three nuclear facilities. Chris’s time in the industry saw the inception of NERC CIP regulations – the first cybersecurity rules directed at critical infrastructure (with the exception of nuclear facilities). Since then, the dialogue about cybersecurity has evolved from a focus on checking compliance checkboxes to addressing cybersecurity as an existential organizational risk amid mounting threats and attacks. Chris and I dig deep on this paradigm shift, and the growing focus within critical infrastructure sectors on resilience vs. simple compliance. Addressing the Human Factor in OT Cybersecurity While OT environments present a number of challenges, many of the most significant risks facing OT environments stem from “layer 8” in other words: “the human factor.” As Chris and I discuss, social engineering attacks are the first step in many sophisticated attacks. Accordingly, Chris stresses the importance of security training for employees that is focused on creating memorable learning experiences. For example: by sharing real-world examples as a part of awareness education, organizations can discuss practical measures they use to bolster defenses against sophisticated cyberattacks, underscoring the nuanced nature of cybersecurity threats which defy mere technical solutions.