What is BSides ICS?

Summary:

Timothy De Block sits down with Mike Holcomb, founder of UtilSec, to discuss the critical and often misunderstood world of Operational Technology (OT) and Industrial Control Systems (ICS) security. Mike shares the origin story of BSides ICS, a global community-driven event designed to bridge the gap between IT security, engineering, and plant operations. The conversation dives into the "myth" of the air gap, the physical security risks in manufacturing, and why small utilities are the next major front in the cyber arms race.

The Reality of OT Security

  • The Vanishing Air Gap: While many believe OT systems are isolated, true air gaps are rare. Connectivity is driven by contractors dropping 5G hotspots for remote troubleshooting or employees charging phones on engineering workstations, inadvertently bridging OT networks to the internet.

  • Physical Security is Cyber Security: If an attacker can physically touch a device, they can own it. Mike shares a story of a VPN concentrator being stolen from a data center because there were no cameras and physical access was loosely controlled.

  • IT/OT Convergence: OT security is now "cyber security" because it involves TCP/IP packets, Windows machines in production environments, and networked PLCs (Programmable Logic Controllers) and HMIs (Human-Machine Interfaces).

BSides ICS: A Practical Community

  • Origin Story: BSides ICS was born out of a desire for a practical, down-to-earth alternative to highly academic or expensive "bleeding edge" conferences.

  • Global Expansion: Following a successful flagship event in Miami, BSides ICS is expanding globally in 2026 with events planned for Australia, Singapore, Argentina, Mexico City, and Bristol (UK).

  • Miami Flagship Details:

    • Date: February 23, 2026 (Monday before the S4 conference).

    • Location: Miami Dade College, Wolfson Campus.

    • Keynotes: Bryson Bort and Dr. Emma Stewart.

    • Features: Lockpick Village, ICS Village CTF (Capture the Flag), and a focus on diversity (achieving 50% women speakers last year).

The Threat Landscape: State Actors vs. Activists

  • The Hybrid Threat: Mike discusses his research on the alignment of state adversaries (low frequency, high impact) and activists (high frequency, low impact). The concern is a move toward a high-frequency, high-impact threat environment.

  • The "Long Tail" of Utilities: There are 50,000 water utilities in the U.S., and 35,000 of them serve fewer than 500 clients. These "mom and pop" utilities lack the budget for basic IT security, let alone advanced OT monitoring, making them highly vulnerable targets.

  • Lessons from Colonial Pipeline & Jaguar Land Rover: Major incidents have shifted executive mindsets. Jaguar Land Rover's plants were down for five weeks due to fundamental failures in backup and recovery, highlighting that even large companies struggle with security basics.

How to Get Started in OT/ICS

  • Empathy is a Tool: The biggest problem in the field is a lack of empathy between IT and OT teams. Successful security requires understanding the engineer's goal (keeping the plant running) before enforcing security controls.

  • Free Resources: Mike provides over 40 hours of free course content on YouTube, covering OT essentials, OSINT, and pen testing for OT.

Resources Mentioned

  • Mike Holcomb’s Website: mikeholcomb.com (Training, consulting, and course links).

  • BSides ICS Website: bsidesics.org.

  • Standards: IEC 62443 (The global framework for securing OT/ICS).

Support the Podcast:

Enjoyed this episode? Leave us a review and share it with your network! Subscribe for more insightful discussions on information security and privacy.

Contact Information:

Leave a comment below or reach out via the contact form on the site, email timothy.deblock[@]exploresec[.]com, or reach out on LinkedIn.

Check out our services page and reach out if you see any services that fit your needs.

Social Media Links:

[RSS Feed] [iTunes] [LinkedIn] [YouTube]


How to Get Into Control Systems Security

Summary:

In this episode, Mike Holcomb discusses the intricacies of Industrial Control Systems (ICS) and Operational Technology (OT) security. Michael provides a comprehensive overview of the challenges and strategies associated with securing ICS and OT environments.

Episode Highlights:

  • Michael discusses the evolution of the BSides Greenville event, emphasizing the incorporation of OT topics and the balance the organizers aim to maintain between IT and OT content.

  • Michael shares insights into the unique cybersecurity challenges faced by different sectors, including manufacturing and power plants.

  • A deep dive into network architecture in ICS environments reveals the importance of segmentation and controlled access between IT and OT networks.

  • Michael emphasizes the critical nature of asset management and network monitoring in maintaining security in ICS environments.

  • The conversation also covers the increasing convergence of IT and OT systems and the implications for security.

  • Michael touches on the impact of ransomware on ICS environments and the need for robust incident response plans.

Guest Biography: Mike Holcomb is a seasoned expert in ICS and OT security, with extensive experience in developing and implementing security strategies in some of the world's largest industrial environments. He has contributed significantly to the field through education and practical solutions to enhance infrastructure resilience.

Resources Mentioned:

  • Mike Holcomb’s website

    • Free eBooks - Mike mentions that he has written free eBooks on getting started in ICS and OT cybersecurity, tailored for those coming from IT backgrounds and those from engineering or automation backgrounds.

  • YouTube Course - A free 25-hour course available on YouTube, designed to help beginners in ICS and OT cybersecurity.



The Crucial Gap in Control Systems Security: A Deep Dive with Joe Weiss

Summary:

In this compelling episode of the Exploring Information Security podcast, we sit down with Joe Weiss, a seasoned expert in control systems security, to unravel the complexities and challenges facing the security of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems today.

Key Topics Discussed:

  • Understanding SCADA/ICS: Joe Weiss provides an in-depth explanation of what SCADA and ICS are, emphasizing their critical role in monitoring and controlling physical processes across various industries, from utilities to manufacturing.

  • The Security Gap: Weiss outlines the fundamental security gap existing between traditional IT cybersecurity measures and the unique needs of control systems. He highlights the dire consequences of neglecting the security of these systems, including potential physical damage and disruptions to critical infrastructure.

  • Bridging the Divide: The conversation delves into the challenges of bridging the knowledge and communication gap between IT professionals and engineers. Weiss stresses the importance of integrating engineering insights with cybersecurity practices to protect control systems effectively.

  • Historical Oversights and Current Challenges: Reflecting on over two decades of experience, Weiss discusses how historical oversights and the prioritization of IT security have led to vulnerabilities in control systems. He calls for a paradigm shift in how organizations and governments approach the cybersecurity of physical infrastructure.

  • Future Outlook and Solutions: Looking ahead, Weiss offers insights into the future of control systems security, advocating for education, awareness among senior management, and the need for a holistic approach that encompasses both the digital and physical aspects of security.

Episode Highlights:

  • A Call to Action for Senior Management: Weiss underscores the critical need for senior management in both the private and public sectors to recognize the existential threat posed by inadequate control systems security.

  • The Importance of Engineering Knowledge: The discussion emphasizes the need for cybersecurity professionals to possess a foundational understanding of engineering principles to secure control systems effectively.

  • Practical Steps Forward: Weiss suggests practical steps for improving the security posture of control systems, including enhancing cross-disciplinary education, fostering collaboration between IT and engineering teams, and adopting security measures tailored to the unique characteristics of control systems.

Resources:
Blog: Control Global - Unfettered

Applied Control Systems
