Roark Pollock: Hey, I'm Roark Pollock, and this is the second season of the Secure Tracks podcast, where we host rail industry leaders to talk about operational rail technologies and cybersecurity. In this episode, we're talking with Doctor Greg Adamson from the Department of Transport and Planning in the state of Victoria, Australia. One quick disclaimer: Greg's views and opinions expressed in this podcast are his own and do not represent the views and opinions of the Department of Transport and Planning. Greg is the Chief Information Security Officer at the Department of Transport and Planning in Victoria, and he's been in this role for just under 18 months. Previously, Greg held roles in both the healthcare and banking industries. Greg is also a 15 year Fellow and Visiting Professor at the University of Melbourne and has been an active IEEE member and committee chair for over 9 years. Greg, welcome to the show and thank you for joining us today.

‍

Greg Adamson: Thanks. Great to be here.

‍

Roark Pollock: Awesome. Well, Greg, one of the things we like to do here is start off with something a little personal. So maybe you can tell us a little bit about how you got into cybersecurity to begin with and then more recently how you got into the rail industry.

‍

Greg Adamson: Yeah. So it was a while ago. I was working in federal government, the Australian Federal government in the quarantine department in the early 90s and in 93, I was managing the comms area there. And the question of cybersecurity first emerged. At that point, someone said we've got to manage cybersecurity. Well, I didn't use the term cybersecurity at that stage. This is before the World Wide Web. This is a long, long time ago. And and I, you know, I always put up my hand always grab any opportunity. So I so in early 93 I did a training course on introduction to cybersecurity, and 31 years later I’m a CISO.

‍

Roark Pollock: Alright.

‍

Greg Adamson: So that was and through that through that path I so initially in federal government I did I was with the Air Services Australia for a while. So that was my first taste of transport, then Medibank Private, then in banking and then in then a few other roles, and now in Victorian Government in transport.

‍

Roark Pollock: Awesome. All right. Well, Greg, I know a lot of our listeners are familiar with Australia. They may be a little bit less familiar with Victoria specifically. Maybe you can tell us a bit about the Department of Transport and Planning and a bit more about your scope or the scope of your role at the organization.

‍

Greg Adamson: Victoria is one of the major states. It's the main industrial state In Australia, people know it for Melbourne, they know it for tennis. If you're a tennis fan, you've probably been looking at Melbourne the the last week and the Department of Transport and Planning has responsibility for all, all transport and all planning. It's it covers roads, rail, light rail, the IT covers all of the planning functions the all the all the land titles work. It includes the digital, the Victorian digital Twin and so it's a very and ports as well. So it's it's an enormous, it's one of the three main state government departments. My role here is my responsibility and the responsibility of my team is the security of all of the technology across all of those environments. So it's a fair, it's a very, very large portfolio and that includes both operational technology security and information technology security. So it's sort of pretty big.

‍

Roark Pollock: Yeah, sounds very big, Greg. Does that include freight railroad in addition to metro and light rail?

‍

Greg Adamson: Yeah. So we have a V line. The which is the major freight provider is a separate agency to the department. But that agency and several other agencies including the major projects offers for the state government, the a very, very large rail, suburban rail loop and various other agencies all still fall within the portfolio. So we have the department and then we have the wider portfolio and my responsibility extends across from a governance point of view, extends across the whole environment.

‍

Roark Pollock: OK. OK. That makes sense. Well, Greg, now that you're you're relatively new, I'll say to rail, it's been about 18 months. Maybe tell us what did you find? It perhaps surprised you the most or was perhaps different than you expected, especially about the rail environments, the the operational rail environments within Victoria?

‍

Greg Adamson: Yeah. So rail has obviously rail has been around since the 1820s. It's a very important technology and the security of rail has been an issue. Well safety of rail has been an issue all that time. So there's it's just in our culture we have we have a culture where we know train crashes are about and they're dangerous. So when I came into the department the there was nothing surprising about the length of the, the length of time of investment in rail, about the very traditional areas of rail control, about the various areas that were being modernized. I think what surprised me what was most different was that as we start to look at critical infrastructure rail is a very important part of that. And so while I've worked on critical infrastructure projects before, this was the first opportunity I had to really think how do we embed safety in critical, how do we embed cyber safety in critical infrastructure. So that's been, I wasn't really thinking about that when I started and that's been and the combination there of different legislation and new players and new threats and all that sort of stuff, that's been a great new challenging area.

‍

Roark Pollock: OK, OK, great. Well, Greg, You're now in your second year of your journey as the CISO they're covering rails specifically and the cyber risk within the the where we focus which is the operational part of the rail environment. Maybe you can tell us how you got how you started thinking about the cyber risk within the operational rail tech environments as you came into the Department of Transport and Planning.

‍

Greg Adamson: Yeah. So for me, I start thinking about something when there's an issue that I have to address up until that point, you I might philosophically think, oh, you know, that'd be interesting to think about. But it when somebody asks you a specific question and you're unprepared for the question, that's like a yeah, you got to start thinking about that. You deeply deeply need to start thinking about that. For me the that moment was about 3 months into my previous assignment. So it was about six months before I started the site the CISO role and that was and and I was asked a question about how do we secure communication-based train control CBTC and I thought well that's a really good question And as I and then I, I looked around the world and I found and this is not meant to be an offensive statement. I found that in general the train standards were not aware of the cyber threats. Even the train cyber standards weren't weren't really aware of cyber threats. And so that's and so that's what got me in. And then I started and the the first people I went to were the engineering area and they tend to be civil or yeah, they they tend to be civil or mechanical engineering people. And I'm an electrical engineer so it's you know not a big jump.

‍

Roark Pollock: I'm a mechanical, so we've got both sides covered.

‍

Greg Adamson: Yeah. And then, but I found the the challenge there was that I wanted to talk to them and they wanted to talk to me. But it was unclear what the, what was the point of the discussion? OK, we want to keep the train safe. But beyond that, you know what? What do we have to change? What do we have to emphasize? What do we have to stop? What do we have to start? And for me, that's that's what's really exciting about the current OT Cyber journey because there is no best practice in the world today that I've been able to find.

‍

Roark Pollock: Well, it's, even though I guess the OT cybersecurity world's been kind of popularized now, let's say for the last half a dozen or more years, it's still very much early days. I think we can agree. So where did you start? You know what were, what were your early priorities, what you tackle first, you know, as you started digging into it.

‍

Greg Adamson: Yeah. So my main focus and once again, this is more a cultural thing than a this is certainly not a criticism within the within. In my experience over the last couple of years, within rail safety, speed is not the most important issue. The most important thing is getting things right and and that relates to a conversation about cybersecurity as well as establishing standard appropriate standards, making sure the procurement processes a right, aligning the requirements of the planners with the requirements of the operators. All of those things they all, they all take time. So I kicked off the engineering discussion, but it really it's taken me over 18 months to for that discussion to really come to fruition to to build that to find the right people to identify, to identify the right, the right pieces. So for the first, for the first year in my role the focus wasn't on addressing OT and rail. The focus was on making sure that a major project we had we have a major uplift program that that major program was on track and that we had the right, the right, the right processes, the right vendors that we brought everybody else to say the technology operations people along that we had that we built the right team. So those were the those were the things. I mean, there are lots of specific pieces, but in general that was my priority.

‍

Roark Pollock: Yeah, I think that's been a running theme with a lot of the Cesos on this show is the the issue of just making sure the right people are involved and have a seat at the table as we do a lot of this. Greg you just mentioned a minute ago about the standards and the frameworks and you felt like you they maybe they have a ways to go and we said it's early days in this industry certainly. Where do you feel like there are some gaps and maybe you can give us some examples?

‍

Greg Adamson: Yeah, yeah. So Australia is a federation. We have several different States and when we reach agreement on like we don't have a common track with what we never had and we still don't have. And so the question of track gauge is sort of like a metaphor for a federation. And so they those group to bring a a group of those people together and reach consensus on a standard which is very important for standards building it is very easy for a topic that they're not super aware of. It is very easy to accidentally go back to a common, say, a common benchmark. If you're if you're developing a standard in 2020, it's very easy for that common benchmark to be technology in 2010, very, very easy. And if you if you use a 2010 benchmark to describe how to protect cybersecurity, you miss ransomware. For example, ransomware wasn't a thing before 2015. So you can develop a very good standard that everybody agrees on that relates to technology 10 years ago. And in cyber, in a lot of areas, all that means is that you have an opportunity loss. You don't, you can't benefit from the latest discoveries. But in cyber it means you have enormous vulnerabilities because you're not addressing the latest or even attacks that would have developed in the last five years. So to give you, to give you an attack, to give you an example, if I look at one major European rail safety standard, they talk about, they talk about the advantage of automation in addressing something like driver death. And they, they say this will enable you to be more aware of if a driver has died or had a heart attack or something like that. Within this discussion, there's no mention that by automating these activities, you're significantly expanding the attack surface of your train. So the more technology that is there is on the train, the larger the attack surface of the train. And that from a cybersecurity point of view that's dead obvious, relates 101. From a standards development point of view, unfortunately, it was obviously that they weren't guided by a cybersecurity mentality I think in when they were thinking about that particular area. It's not a I'm not criticizing rather standards developers. I think standards are extremely important. You see the same problem with public quite often with public policy and legislation. They don't actually have anybody working on the legislation who has a fundamental understanding of the topic they're trying to address.

‍

Roark Pollock: What do you think? You mentioned one major European standard. I would guess you're talking about 27 O or 5701, but in general of the different standards that govern rail, whether they're government standards or industry standards, what do you think can be done to improve on them?

‍

Greg Adamson: So one thing I love about 6443 which is 5701 sort of sits under is the concept of zones and conduits. So the the idea that you don't group, you know you, you don't group all your tech from a security point of view. You don't group all your tech by railway station, you group it by by importance and vulnerability. So you have a, you have a zone which is highly protected which would include you know which would stop someone hacking the train braking system. Whereas maybe you you have something else you have you have your advertising network that sticks the advertisements up on the on the displays and you don't have that connected anywhere near the train breaking system. And so that concept of zones and contravit for me is key to moving forward in in relation to threats that are. But to make to make an obvious statement where I mentioned, I mentioned ransomware that's less than 10 years old. The trains that we're currently designing or the trains that we're putting together the nonfunctional requirements for today will be approved in five years, built in 10 years and run for the next for the following 30 years. So the idea that you know I we know that something like ransomware some basically new fundamentally new threat will emerge every five years. I'm not talking about minor ones, they emerge every month but minor significant ones but major ones. And so we need to, we need to think at a very high level. We need to in in terms of the principles that we follow, we need to use some very high-level, very foundational. I'm sorry, mixing my metaphors there.

‍

Roark Pollock: No worries.

‍

Greg Adamson: Concepts that that will that won't be superseded in by the next technology advance.

‍

Roark Pollock: Yeah, that makes, that makes a lot of good sense, Greg. Greg,, one of the things we like to do or at least I like to tease out sometimes is sometimes. You know the mistakes we make are our best teachers. You've got 18 months now under your belt at the Department of Transport and Planning. Any embarrassing moments or lessons that you've had to learn the hard way in your first 18 months?

‍

Greg Adamson: Yeah. So we have we have a very large and and diverse ecosystem of vendors because because we cover so much territory like we you know we're an enormous GIS environment we're an we're an enormous signal in the environment. We're the largest video CCTV environment in the state and so on. So we have a we're a big player in a whole lot of places and we depend heavily on vendors for that. The I say that the lesson I've the lesson I've learned is that if I have to establish a strong relationship with a vendor from day one, if I've got significant concerns about a vendor from day one, then I have to address them on day one. They're not gonna get better as I go along and so that's and this isn't about any particular vendor. This is just I have learned the I have learned the complexity of trying to make a put lipstick on a pig. I think it's an Australian phrase.

‍

Roark Pollock: No, that's a worldwide phrase. We use it too. Yeah, say no more. We understand what you mean. So you're you're kind of into year two. Have your priorities started to change in the Department of Transport and Planning and what are you thinking about for the next 18 to 24 months as far as priorities and things you're going to be working on?

‍

Greg Adamson: Yeah, Yeah. So specifically in the OT space, A significant there has been a significant change and that is that if we look at, if we look at malicious actors focusing on OT in the past, it was just too hard. You know you could figure out a way, you could figure out a way of hacking a Windows. You know someone smart figured out a way of hacking an old Windows operating system and you know then somebody productised it and then somebody made it simple and then somebody made it trivially simple and then the script kiddie could use it. So that's sort of like my experience of how of how threats evolve. The one of the benefits of OT was that, you know, nobody paid any attention to it. They couldn't understand it. They was too complicated. It wasn't digital, you know, and and so on and and and that meant that we were sort of it wasn't security through obscurity, but it was a little bit related to that. It was security through attacker ignorance and and then quite a long time ago we started to see enormous promises from vendors claiming the by eliminating OT environments and making everything digital you could actually save yourself a heap of money. That was usually the argument without understanding what they were actually doing to the safety and the security of the of the environment. Then in 2021-22, we saw a fundamental shift. So I think I think it was early 22 there was a conference where they offered rewards for people who hacked hackers to identify flaws fundamental flaws and I think there were 56 fundamental flaws that they paid out for at that conference and I thought 56 floors one conference it was sort of like for me it was a light it was a light bulb moment And and then I thought OK if this is happening in early 22 how long is it going to take for that to turn into script giddy stuff And there's you've got to go through the steps that I talked about firstly there'll be an APT who has the unlimited resources to exploit things and then you'll get the attack as a service people who take what the APTs have done and produce and offer it as a service. And then you'll get the people who productize it and sell it as a as kit. And then you'll get the people who take that kit and dumb it down for naive very very ignorant attackers and then it'll be with the script kitties and my I haven't looked at that. I haven't done a study of this. I want to do a study at some stage, But in my experience, that's like a two to three-year journey from vulnerability to trivial attack. Now if I'm looking at early 20, or early 2022 for those vulnerabilities, I reckon the first half of 25 we're going to face an A trivially easy bunch of attacks. That'll and at that stage we'll need to worry about our hygiene. We won't be worrying. And you know, AP TS are a different ball game. You know, if somebody, you know, if if if a president somewhere announces that he's put vulnerabilities into the power system of someone somewhere else, then so be it. You can't do anything about that. But you know and if somebody really, really, really wanted to damage you know our network our highway control system or our or something like that, you know, we'd be we'd struggle to defend but we don't want to make it easy for simple attacks to occur and so what I'd say in the next couple of years what we're going to see is the need for hygiene, basic cyber hygiene across the whole surface, the whole, across the whole OT environment. It it'll be like patching is today.

‍

Roark Pollock: You you you paint a pretty you you paint a pretty frightening picture and I've seen it happen in the IT world in the last 15 years or so. So let's hope we're ahead of it. And kind of Speaking of being ahead or behind, Greg, read I Triple E white paper that you authored here recently in preparation for this show. In the paper, you asked this question about can't I think I quote this correctly? Quote: You asked if the I Triple E can play a significant role in reversing the deteriorating state of cybersecurity UN quote. And you go on to further say that cybersecurity is getting less effective annually. And personally I feel like, you know, a lot of us feel like the cybersecurity industry is making progress annually because we work in the industry. So do you, I guess the first question is do you generally believe we're falling behind every year and if so, maybe give us some examples and say something about you know, how do we change the dynamic?

‍

Greg Adamson: Yeah, yeah. So when I when I was a kid I had an Introduction to physics book for kids and it had a picture of a guy had a a picture of a stick figure trying to lift up a chair and the chair was nailed to the floor. Obviously with these huge tacks, cartoon tacks and the and the and the wording said this man is not doing any work because you take the physics definition of work, which is.

‍

Roark Pollock: He's not moving anything.

‍

Greg Adamson: He's not moving anything and for me the fact that he felt he was you know I mean this cartoon figure was meant to feel they were doing a lot of work didn't it was irrelevant if you don't see get the results this is not a this is not for a moment to doubt the value of the three million cybersecurity professionals in the world today. Three and a half million this is to say and the the evidence that I'd give you is can you provide us this is a negative evidence. Can you provide me any report from any security organization or any security reviewer that says annual annual attacks for 2023 were less than successful, attacks for 2023 were less than 2022, the cost of the average cost of attack went down from 2023 to 2022 and so forth. If you just sort of stand back and look at all of these reports, they all say things are getting worse and this one's going to get worse, worse. So that's the I I don't want to set myself up as a professional doubter of the of the importance of of cyber. What I what I'm trying to do is to say we need to think differently and just I'll give you a couple of examples. We have in Australia we have a there's a there's a group of cybersecurity practices called the central 8. I was. I facilitated a discussion with Bruce Schneider a couple of years ago where he said any any system like that is simply telling the hackers what not to bother with. So they'll know OK, we don't we don't bother. We assume they've done their daily backups. We assume they've got their white list. We assume they've got this and that. We'll go off and this. We'll we'll attack them in other ways which are usually social engineering. Which are the ones they're the ones that have the have the best benefit anyone. And if we unless, unless we think differently, just to throw out a couple of challenges, most awareness campaigns fail because people don't learn the way cyber professionals think they learn. So if I tell you not to open the door because there's a bad guy on the other side of the door, people still open the door. And you have to understand, I'm talking about Nigerian scams here. People still open the door, you know. ״But he loves me״ and if we don't under, if we don't listen to psychologists who tell us that's not how people learn. People do not learn because you tell them that's not how human the human mind functions or things like up until very recently there was no cost for a company of producing insecure product. Now in a speciality area like rail or medical, there is because, you know, there are lots and lots of rules. But in general and when we think about the threats to the, it's a rail, we're thinking, we're thinking about the threats to all the devices sitting out there. We're not thinking about the threats to the rail safety devices. We're thinking about the whole environment that makes it easy for attackers to attack. So that's. Yeah.

‍

Roark Pollock: Yeah, and and Lord knows it's a it's a very wide, diverse environment. I've I've heard several quotes recently saying that you know it takes on the order of 40 or 50 different systems to operate the the rail environment on the whole, which is, which is a a a large environment to get your hands around certainly.

‍

Greg Adamson: Yeah. If you look at, say the, if you look at the, the attack on on the Danish rail operator in late 22. What happened there was the rail system was fully secure, except one part of the rail system was sitting on the business system, the emergency manual. Now, I mean, OK, I'll say it, how stupid is that? They they got it almost completely right. But they didn't have that zones and conduits mentality. They didn't have the idea that everything required to operate at train safely needs to be protected from, you know, the the the system that allows you to submit your overtime.

‍

Roark Pollock 

Well, as as you said, it's quite often the weakest link. And regardless if if we don't bring all the systems up to par, then then we're open. Opening a can of worms that could buy this eventually. Greg, let's get back there. Kind of specifically addressing the operational rail tech, I heard you mentioned previously and this is a problem, I don't know that all the rail seesaws have, but you mentioned that you had tripled the size of your cybersecurity team at the Department of Transport and Planning in the last 18 months?

‍

Greg Adamson: Right. We needed the people and the organization is on board with. I'll give you an example. We have a in Australia we have a a rail safety standard called AS 777 and and this while it's a little bit, it's a little bit long on the tooth but it's sort of nice, it's sort of lots of nice helpful points. One of the one of they have a set of principles and their number one principle is if it's not secure it's not safe. Right now the the Department of Transport and Planning has a history going back a long long long time about the importance of rail safety and road safety and and other transport safety. So they've been and we've been very fortunate that as each of the as each of the threats comes along and we're able to respond to that appropriately that the the work we're doing is respected and the resources were given. And the area of responsibility partly the reason for the growth is because that area of responsibility has has expanded. So we've picked up, say, the risk, risk functions that we didn't previously have. But but at the end of the day, yes, people are people, understand, You can't, you cannot undertake protection without people.

‍

Roark Pollock: Right, right. Well, it's great to hear quite frankly in other places you hear how people are having a difficult time bringing people on. So it sounds like some of it's just adding capacity and some of it you're bringing you're you're bringing on new functions and and new roles and and widening the area of responsibility overall?

‍

Greg Adamson: Yeah, So one area we're very focused on is the responsibility across our portfolio. So the way it's struck in Victoria the way it's structured is that we will we will have a a whole lot of different say the the freight, the freight network. We'll have a whole lot of different organisations which may or may not be part of the department but if they if something goes wrong it will the the the buck will stop with either the secretary of the department or with the minister the state minister responsible for the for the the particular area. And so while you know while we could say well you know they're you know they're not part of us we don't need to worry about them. The truth is if we worry about them that helps us do our job much better And so that idea and and the the other side to that is I don't when I approach that I don't say give me resources and I'll do a new job.

‍

Greg Adamson: I'll I say I'll start to do a new job and if you see that I'm doing, if you say that this is working, then it's appropriate that you give me more resources for.

‍

Roark Pollock: That’s certainly a better approach. Prove yourself and then the team and then get more resources for it. So I know some of the folks have had a hard time either recruiting, training, maintaining their existing staff of experts. Maybe you've got some tricks of the trade. Have you? Have you gone about recruiting expertise, developing your expertise? Especially getting people that are knowledgeable both on the cybersecurity side and have enough understanding of the operational rail tech environment to be effective. What's your, What's your? What's your trick there?

‍

Greg Adamson: Yeah, so the what we've been able to do there fortunately is find great underappreciated people. I'd say that's the the single most important thing is you got to find people who are great and underappreciated.

‍

Roark Pollock: OK.

‍

Greg Adamson: Because, and we're we're a government organization, so we don't pay top dollar. We you know, we can't compete with a vendor. We can't compete with a large corporate, but we can provide a way more interesting job than a large corporate. You know, 'cause I tell you, I, I tell you rail, rail, cyber today is about, that's pretty exciting. If anyone who's into into cyber rail, cyber is pretty exciting.

‍

Roark Pollock: There's a lot going on and that's why we like this podcast.

‍

Greg Adamson: Yeah, yeah. And and so that means. So the people that I'm recruiting, they may be, say, from a criminology background and you sort of think of that and you think, oh, OK, criminals, hackers are criminals. And maybe that helps. But the the truth is people from a criminology background have a really good understanding, a really good appreciation of what makes things go wrong in a criminal sense. And they've just got a terrific mindset but their pay scales are way way lower than than cyber pay scales. So you I can I can offer someone a significant promotion and still afford it within the within a public service salary. If I find the these right people then then you have to build it and you can sort of tell here I'm not building a team of stars so so that the problem of outstanding stars who want to be the ones who discover the the solve the problem and make everyone look bad. We don't that's that's not a problem we have so it's very cooperative. The other another thing we have a very important sorry, we have a major, not very important. We have a very large cyber conference here in in Victoria every year it's about 5 1/2 thousand people which by Australian standards it's very big. And last and last year I just bought 20 tickets and took the whole team along and that was and people really appreciated that. You know they people were saying I haven't received any. I've never been to a conference before. I haven't received any training for five years, that sort of those sort of things. And you can do stuff like do stuff like that that you know makes people happy, makes people think, helps them, you know, better than sending off 20 people to a paintball competition.

‍

Roark Pollock: OK. I guess I will agree with that one. I I like that idea. All right. That may be the quote of the day, by the way. So so Greg, be on staffing. I know there's a lot of things you deal with. One of them is obviously peering into the future. You know, what do you expect rail operators are going to do to kind of continue to up their cybersecurity game going forward? What's and and kind of what's next for you and how do you think about improving your game as you go forward into the future?

‍

Greg Adamson: Yeah. So what I'm looking, what I'm looking closely at at the moment, I've been looking at this for a while, but it's starting to get to the pointy end and that is the the intersection between digital and OT technologies. And for me, when I, when I think about, people talk about I think dismissively. I've already mentioned this dismissively. They talk about security through obscurity when what they're actually talking about is the separation of environments. And what I what I think we've seen over the last 30 years is we've gone from an approach of separation to an approach of segregation. So you have connections, say the the Purdue model, you have connections but they're they're tightly policed and there's a very small number of connections and and things are pretty isolated but you still, you know, you you your control system, you can still monitor your control system from a central location or something like that and and then they've gone. So you have separation then then segregation and then they go to segmentation. And with segmentation, I don't know a software defined Wan or whatever it is you've got, you stick everything on the same in the same environment and you use rules to keep them separated and by the time you get to that stage you're really only one rule failure away from losing your losing that separation altogether and threatening your OT environment. So and that you know what I've just said, you know I've, I've, I've used those terms, which is a little bit different but the ideas been around for a while. But what the thing I think is going to come next is we have to have a way to think about what should stay separate, what should say separate regardless of how we describe it. We've got to say you've got to keep these things separate and we've got to think of it as separate. And if they're physically connected on the same wire or through the same router or something like that, we've got to think, OK, we need like 5 controls to make sure, you know, we need, we need security and depth on anything, anything like that and that. But that, that methodology, A methodology to think about what should be separated and what doesn't need to be separated. I don't see that again. And I think that's that's something that you know in a few years time Gartner will or something like that.

‍

Roark Pollock: I like the analogy we talk about understanding your assets. Which assets are most critical kind of defining them as your crown jewels if you will as an analogy and and working from there out right, making sure that you're isolating those those crown jewels effectively. But yeah, completely understand and agree with that direction. So lastly, if you think into the future about the threat landscape, I'm sure that's a big part of your job and understanding and being able to articulate as to see. So where you think the threat landscape's going? What's your biggest concern and and and what do you worry about the most that might threaten rail operations?

‍

Greg Adamson: OK. So AI is right at the beginning of its take off. You know I sort of think it's going to be it's going to be like that and we're you know we're still you know we're still at that point. Generative AI has made it easy for millions of people to use AI and that that's the main thing Gen. AI did. So Gen. AI doesn't actually do something that you couldn't do before Gen AI, that just means you you had to have a a computer science doctorate and a test lab to do it. Whereas whereas now you log on to a site and you you stick in some words and you get some better, some better syntax coming back, they there is a very, very strong push from from some quarters to apply AI to absolutely everything. And if I said OK let's let's let's have AI do our train movement planning yeah surely you know it could surely do that and then a couple of trains crash or something like that. We we don't want to go down that path. We don't we don't want to learn we want to learn lessons in a nice friendly supportive non damaging way And but some of the voices the some of the voices I'm hearing out there are you know if the technology exists let's try it out. This this is. Culturally this is some summed up in the difference between traditional OT and IT skills. So OT will talk about 5 nines of reliability and that sort of stuff. IT will talk about releasing beta and by releasing beta that's about a a .8. It's not 5 nines, it's about a .8. So we need to make sure that as we that we address the demands, the financial demands that the financial pressures we push back against the financial pressures that would cause us to lose the skills, the skills of rail engineering that have been developed through experiences over more than 100 years. We need we need to keep those and those they're partly mechanic, largely mechanical, partly electrical, partly civil. We need we need to make sure that those don't get lost in some tsunami of enthusiasm for for Gen AI and.

‍

Roark Pollock: Yeah, yeah. OK. Well, that's a that's a different take on the on the threats to the environment. So Greg, let's wrap things up a little bit. You're at Ceso, you're kind of in the early days still the first couple of years of building your cyber and risk program, risk management program for Victoria's rail systems.

‍

Roark Pollock: What bit of advice would you want to leave with other rail operator Cesos that are perhaps pursuing a similar journey?

‍

Greg Adamson: Yeah. So I'd say be aware of the realistic threat landscape. So you've got to, you've got to follow that. That changes every month. Be be aware of the threat landscape, but address the threats that are realistic to you. Don't get caught up in someone spinning a fancy story about an APT attacking you. Because if you do that, you don't have enough. You're not a Department of Defence, you don't have enough funds to protect yourself from an APT. So focus on protecting yourself from the far more likely, far simpler attacks and a lot of that is about hygiene. Having said that, as I say the threats are called the threat landscape is changing. So what was hygiene six months ago is no longer adequate hygiene today. Well that's that's where I'd. That's where I'd.

‍

Roark Pollock: Love. Awesome. I love it. All right. Well, Greg, lastly, if somebody wanted to reach out, have a conversation, talk about some of today's show or some of your thoughts on things, what's the easiest way to get a hold of you?

‍

Greg Adamson: So I've got my personal e-mail on LinkedIn. If you go to my LinkedIn profile, I've got my phone number there as well. If Although it's sort of hard to get me on the phone because all the phone calls are from vendors. So yeah, but yeah that that e-mail is best if you and if if you want to have a discussion sort of royal organization to royal organization, I'll give you my work e-mail through through my personal e-mail.

‍

Roark Pollock: Awesome. All right. So LinkedIn is kind of the best place to start. All right. Well, Greg, thank you so much for joining us today. It's been a pleasure having you on the show and talking to you on the Secure Tracks podcast and we'd welcome you back anytime, quite frankly.

‍

Greg Adamson: Thanks for all really be really great to be here and this is a like I say, this is a really exciting time to be doing this work.

‍

Roark Pollock: Yeah, I agree. It's a it's a fun, fun industry to be and quite frankly, I've been in it. I've been in cyber for a long time, but in OT for a while, but in rail about the same amount of time you have. So, and for our Secure Tracks audience, thank you for listening today. That's the end of our show. Until next time, keep those tracks secure.

‍