AWS NZ region opens, Operational Tech Security, Microsoft AI model + more

Paul Spain:
Hey folks, greetings and welcome along to the New Zealand Tech Podcast. I’m your host, Paul Spain and great to have Joshua Alcock from Fortinet joining us today. How are you?

Joshua Alcock:
I’m great, thanks. Thanks for having me.

Paul Spain:
Yeah, great to have you on the, on the show. Real privilege. Maybe you can give folks an overview of, you know, where you fit into this big wide world of tech and cyber.

Joshua Alcock:
Yeah, so, so Fortinet is a cyber security vendor, obviously. We’ve been around for, for quite a while, have quite a large footprint specifically within the New Zealand market. But I fit into what we call operational technology, cybersecurity, which is focused on protecting what are effectively critical assets for a wide range of industries such as power generation, water, water treatment, manufacturing and so forth.

Paul Spain:
Pretty critical infrastructure, isn’t it? We kind of need that stuff going on an ongoing basis.

Joshua Alcock:
Yeah, it keeps the world moving. Yeah, yeah, yeah.

Paul Spain:
Oh, well, great to have you here. Before we jump in, of course, a big thank you to our show partners to One NZ, 2degree, Spark, HP, Workday and Gorilla Technology. Really appreciative of their support for the show and of course their broader involvement in New Zealand’s tech and innovation ecosystems. Now today we’ve kind of got, we’ve got some big news. It’s kept me pretty busy talking to different media today as AWS have, well, however you want to put it, finally launched. Anyway, they’ve got their, they’ve got their through availability zones here in New Zealand so they, they’re really, you know, turned on service for, for New Zealand locally and I think I, I can’t remember the exact discussion that we had but when Roger was in here a couple of weeks ago and you know, we were talking a little bit about, yeah, hyperscalers being in New Zealand and possibly this was a chat we had off here, I can’t recall, but anyway, we’re sort of chatting around. Well, some of the hyperscale data centers or projects had sort of been frozen in varying places and I was kind of starting to wonder, is AWS actually going to be launching something here? So, yeah, it was really encouraging to hear that news today. There’s probably a little bit of a mix up if you’re looking around some of the news headlines in the media.

Paul Spain:
I opened up stuff this morning whilst the story was under embargo and there was a headline that really was just a reprint of the headline that we had four years ago in terms of AWS’s original announcement of a seven and a half billion dollar investment and so on and that particular article didn’t actually mention that they were opening today, but I think the Prime Minister had mentioned something about it on a radio interview this morning. So there seemed to be a little bit of a mix up across some of the media trying to understand what had actually been announced and what was going on. But I think, yeah, really pleasing to see that we’ve now got Microsoft and aws a. And, you know, a pretty decent New Zealand capability. I think when you go into some of the, some of the details, it’s, it’s a, it’s a. Probably a little bit harder to unpack. You know, they talk about expecting to create a thousand jobs and look, I, I think there’s definitely a positive flow on for, you know, job creation. They also talk about a $10.8 billion economic impact over.

Paul Spain:
Over a decade and a half. All of those things are positive, but pretty hard to measure. What’s your take? Is this a good thing?

Joshua Alcock:
It’s been a long time coming, I think, and there’s probably one or two others that we’re still waiting on kind of standing up in New Zealand. But it definitely has. I mean, we use AWS quite heavily just within Fortinet, but yeah, from talking to a lot of customers, it is something that they’ve been waiting on, having local presence for. Quite interestingly, within operational technology actually there’s kind of been a cloud is not where we sit kind of thing, but that’s kind of mindset has changed in the last couple of years and we’ve done some work with AWS actually around specifically being able to design cloud first SCADA systems. So, you know, resilience is really important. So looking forward to maybe and, you know, some point in time seeing some of that stuff put into practice here.

Paul Spain:
Yeah, yeah. One of the things that caught my attention is that they’re waving a flag for using 100% renewable technology. And I just. It’s good for us to delve into that a little bit because you do get these sort of bullet point, you know, headlines around these sort of announcements and you do need to recognise that I guess these companies are trying to tell a really good story and I think there is a good story around them investing in renewables now through partnership with Mercury. They’re saying that they’ve effectively supporting more power generation than what they need through wind farm investment. However, I think just drilling in a little bit further, it’s worth being aware they plug into the national grid, so the power from that wind farm doesn’t just go straight to the aws. Data center that goes to whoever else is plugged into the grid. And so there’s a reality that if coal’s needing to be burnt at a particular time or whatever it is, they’re going to have to draw on that.

Paul Spain:
And so. Yep, you know, I guess, yeah, it’s just, I think a little bit of weariness sometimes for understanding that detail. But of course it’s quite commonly. In fact, when I was speaking to one of the journos this morning and I pointed that out to them from one of the media outlets, they were like, oh, I’ve written a whole article all about that. Oh, thank you for telling me. Maybe I now need to write another article to straighten up the record. Cause that was so, so excited about it. So, you know, the details do matter, I think.

Joshua Alcock:
Well, it’s good that there is a push to using, you know, renewable energy. We obviously do a lot with, with a lot of the power companies, but the, the, you know, from a generation perspective and a distribution perspective. But at the end of the day, they need to store that stuff somewhere otherwise it goes to waste. And thankfully they. That’s. It’s something that we’re starting to see get built up around New Zealand is, is the ability to store renewables. So.

Paul Spain:
Yeah, well, you’d be, you’d be seeing that through some of the organisations, you know, you worked with. Before we came on air, you were chatting, you know, around, you know, some of what you’d seen in terms of the battery storage for power. And that seems to really be picking up at quite a pace in New Zealand now.

Joshua Alcock:
Yeah, yeah, no, it’s good because otherwise it all just goes to waste. Right. Which, yeah, which is kind of the last thing that we need, especially when we’re trying to power these hyperscale data centers.

Paul Spain:
Yeah, yeah. Now you live out sort of west direction where a lot of these data centers have been visible. Now there’s one in particular that I think there’s a fair bit of news about in the past. And you know, it was saying, wow, they haven’t, you know, there’s been issues to do with, I think was it to do with water and resource consents and so on? And I think that was, you know, the media reports were sort of saying, oh, well, AWS is stalled because this data center doesn’t seem to be moving forward. But you’ve seen a fair bit of activity in some of those buildings, right?

Joshua Alcock:
Yeah, well, lack of building currently, but there is definitely activity on the site. So it’s definitely something that’s happening.

Paul Spain:
Yeah, yeah. So on that basis, part of the queries to AWS were in relation to who owns the infrastructure, where is it? And so on. And usually they just don’t. They don’t tend to answer those sorts of things. They’re like, oh, you know, for, you know, protecting everybody’s data, we would never tell you, and so on, but usually it’s just a period of time and most of that information does tend to.

Joshua Alcock:
You know, and they kind of become.

Paul Spain:
In the public domain. Right? Yeah.

Joshua Alcock:
And they stick out like a sore thumb as well.

Paul Spain:
Yeah, it’s kind of hard to miss.

Joshua Alcock:
It’s not just like trying really hard not to look like a data center. It’s probably a data center.

Paul Spain:
Yeah, yeah, yeah, yeah. I was at Dawn Aerospace in, in Christchurch yesterday and they’re funny because there’s. There’s no sign on the outside of the building to say that it’s. That it’s Dawn Aerospace, but it’s, it’s pretty easy to find out, you know, where Dawn Aerospace are. And as soon as you, you know, you come up, you know, close enough to sort of see through the windows, you can see big Dawn Aerospace, you know, logo on the, on the reception desk. But yeah, very nice of them to have me and y. I think, yeah, there are reasons why you keep some of this sort of stuff not completely public, but usually you can’t completely hide that information either.

Joshua Alcock:
Yeah, there’s a giveaway with all the generators and the air conditioning units that you see on the side of it. But you’re right, it is just ultimately to protect the data that’s inside.

Paul Spain:
Now, part of that sort of curiosity around the data centers is, you know, who owns them, you know, how much of this stuff is outsourced, has actually been built by, you know, by Amazon and fully owned by them. And yeah, we don’t have that, that full clarity at the moment. But also the, the announcement that they had made going back four years was in relation to, you know, the $7.5 billion investment, the thousand jobs, the 10.8 billion in economic impact over 15 years. Interestingly, when the country manager was questioned around those things and how, you know, what period is that investment and so on, there was an unwillingness to answer that question. So I do wonder whether there have been some changes from what was initially announced since they’re no longer necessarily committing to those same things. Look, it could just be that because the opening was delayed, that therefore some of the investment has been delayed and stretched over a slightly longer period. But it’s probably one of Those things that will remain something of a mystery.

Joshua Alcock:
Yeah, I think, I think so. I don’t think you’ll have a thousand people working in the data center, not at all. But I think regardless, it’s good that we have it here finally.

Paul Spain:
Oh yeah, I mean very pleasing. We haven’t heard much from Google for a while so they’ve made, I think they initially made an announcement 2022. So yeah, pretty quiet on their front but looking at the economy and other factors, look, it’s really pleasing that we now have AWS live here in New Zealand. So yeah, and yeah, each of those availability zones I think can be a minimum of one data center but that is just where it’s at right now. So we’ll have to wait and see how that sort of evolves over, over time. But yeah, I would imagine that there will be ongoing and future investments in these areas. We’d expect it now. Also on a New Zealand front, interesting to hear about field days which we’re used to that happening around Hamilton each year they’re taking it and it’s the largest agricultural event in the city.

Paul Spain:
Southern hemisphere, they’re taking it to Brazil to Sao Paulo in 2027. So yeah, that’s got to be a good thing for our agritech sector to be, you know, taking an event like that to, to Brazil which is a pretty massive market. And you know, I think the, the opportunity for New Zealand in terms of, you know, exporting more and more in the agritech sector is pleasing so it’d be one to follow with interest. But I’m sure there’ll be a bunch of companies in the agritech space that will be signing up to go and present what they’ve got to the Brazilian market.

Joshua Alcock:
Yeah, I think we’ve got a pretty good history in terms of innovating in the kind of agriculture tech side of things or precision agriculture, especially around IoT. But nice segue there with the Amazon to Amazon.

Paul Spain:
Yeah, yeah, funny. And on a global basis, interesting that Microsoft now have their own in house models. So they’re not, I mean they haven’t been fully reliant on, you know, on OpenAI because they’ve become, you know, something of a, you know, a go to with Azure where you could tap in and use whichever, you know, models that you, that you want. And of course they were actually very quick with, with GPT5 and making that available through Copilot. But the fact that they now have their own kind of homegrown in house AI models. Yeah. Mai voice 1 Mai 1 preview. And yeah, I guess this is natural for Microsoft.

Paul Spain:
Yeah, they’ve got the scale, they’ve got the capability to do this stuff. I think they’ve done very well through their partnership with OpenAI and their ownership there. But it’s hard to know how all that stuff plays out. These things can be somewhat volatile. You never know what the next day may bring.

Joshua Alcock:
Yeah, well, yeah, it’ll be interesting to see how this continues to evolve.

Paul Spain:
So, yeah, some of that stuff is available online now for those who want to jump in and, and try it out. Yeah, you can go in and actually try out the voice model, I believe. But yeah, I haven’t had any, any success with that yet. So I’ll, I’ll come back and let’s, let’s, let’s see how that actually plays out. But they’re saying they’ve, they’ve trained it on 15,000 Nvidia H100 GPUs. So, you know, that’s a reasonable investment right there.

Joshua Alcock:
It is. It’ll be interesting to see how, how the, the kind of, the threat actor side of things adopts this as, as well, because it’s always something that is, you know, we use things for the good side and, and the bad guys use this technology for the bad as well, so.

Paul Spain:
Always. Always. Yeah. Yep. And I mean, what do you, what are you noticing on, on that, on that front? You know, how, how much AI leverage are you seeing in the cyber security world from bad actors?

Joshua Alcock:
It’s, I mean, it’s definitely lowered the barrier for entry.

Paul Spain:
Right.

Joshua Alcock:
Like, I think there was an article the other day around sort of guardrails being bypassed in order to, you know, in order to elicit kind of some, some kind of attacks. But like anything, if it can be used for good, it can be used for bad. Synthetic voice obviously, is something that can then be used for, you know, for vishing and things like that. So. Yeah, but it has been just kind of, it’s just made everything easier for both the bad guys and the good guys to stop them.

Paul Spain:
Yeah. Workday have put out a new report research in relation to AI agents. And there were, there were, there’s a, you know, there’s a whole, a whole lot in there. And we’ll, we’ll link to that report from nztechpodcast.com site and the supporting post for the episode. But there were a couple of kind of headline numbers that jumped out at me. One, you know, the majority, 75% of workers are comfortable teaming up with AI agents. But it was the next one that really Caught me. But only 30% say they’re comfortable being managed by one.

Paul Spain:
I mean, I’m surprised anybody wants to be managed by AI agent. Right. That was like, what. So that is, it’s a, it’s an interesting. Yeah. Question actually to be surveying people on and. Yeah, an interesting reflection on where AI is actually able to operate and. Yeah, look, the reality is that for some types of roles and some work and things that you need to deliver across a whole wide range of roles, you could, you know, break elements of management down to a process and hand them over to an AI.

Paul Spain:
But boy, I can’t imagine that goes down very well unless you can, you know, fit that in as supporting real people and real managers. Not an actual complete replacement for, you know, for key management within a business.

Joshua Alcock:
It’s quite dystopian, isn’t it? It’s.

Paul Spain:
Yeah, but is this an inevitability from your perspective?

Joshua Alcock:
I mean, like anything. I’m assuming that we’re kind of seeing the peak hype for a lot of these things and then it’ll eventually kind of plateau once we’ve figured out what the actual, you know, real use cases are in real life. I think we saw that with, with generative AI in the last couple of years. Right. It kind of peaked and then fell into what, the trough of despair and then kind of normalised and people have kind of figured out what it’s good for and what it’s not. So I’m assuming we’ll see something similar too.

Paul Spain:
Yeah, look, I think we’ve got a pretty interesting road ahead and I think there’s certainly a lot that hasn’t been fully figured out and a lot that probably doesn’t make sense to most people at the moment. But yeah, we will keep progressing through those, I think. Yeah, some of the, the predictions around AI are probably well overhyped and you know, we’re now kind of seeing that, you know. Yeah. Multiple, multiple years in as we are. There’s a, there’s a range of issues that yet to be resolved. But there are areas where, you know, AI, whether it’s, you know, Gen AI or, you know, other sort of machine learning type uses. Yeah, there’s good places where they work well and places where they don’t.

Joshua Alcock:
Yeah, like, like any technology. Right. And I mean from a, from a threat detection perspective, it’s something that’s not new, you know, using machine learning for, for looking for anomalies and, and kind of suspic and then also from a reactive perspective as well, making people’s jobs Easier when it comes to security operations, but like anything, we’ll see when it kind of normalizes.

Paul Spain:
And yeah, before we sort of delve in a bit more into what’s happening in the Fortinet world and your recent report, other thing I wanted to tap in was there’s been coverage on Mastodon, you know, who of course got their Twitter competing platform, which is decentralised. And I see that they’ve been pushing back and saying, look, they can’t comply with new age verification laws. Specifically, they’re referencing Mississippi’s age verification law. And that also saw Blue sky pull out of Mississippi as well. It’s kind of interesting to me that we’re seeing these new approaches all over the world in terms of how to try and put some sort of control around social media. It’s been suggested for New Zealand that anyone under 16 should be blocked from access to social media, which of course, potentially can include the likes of YouTube. I’m yet to be convinced that that’s the. That that’s the right answer.

Paul Spain:
Although I understand the. I understand the perspective of we want to protect our children. I’m just not necessarily sure what the. What the best way is to do it. And in some ways, hey, yeah, you have to try something. But it’s, you know, how do you help families, how do you help parents? In good ways. But this type of, I don’t know, it feels like quite a sledgehammer approach is a. Is an interesting one.

Paul Spain:
And then it triggers, you know, potentially a whole, you know, a whole bunch of differing approaches that then have to be. Have to be followed.

Joshua Alcock:
Yeah, it does seem like it’s a bit of a. Throwing. Throwing stuff at the wall and seeing what sticks, but.

Paul Spain:
Yeah. Which is kind of sometimes the way the world works.

Joshua Alcock:
It is, yeah, yeah, yeah.

Paul Spain:
So that’ll be. It’ll be an interesting one to follow, of course. Yeah. Because we’ve got Australia, you know, so close to home with similar type of legislation. I think what we will see is lots of just reality checks of what does and doesn’t work, what are the side effects that maybe haven’t necessarily been fully resolved. So we’ll get some interesting examples, I’m sure, over the next little while.

Joshua Alcock:
Yeah. I think sometimes lagging behind the rest of the world a little bit can. Can be a bit of a benefit for us, you know, in terms of finding out what works and letting them kind of go through the, you know, the hard yards.

Paul Spain:
Yeah, yep. Ultimately, someone, a region, you know, country, whatever, does have to take some leadership in some of these areas, because as you were talking about before, there’s the good sides and the bad sides of how technology gets utilized. And when we do get our heads around, you know, at least to some degree, some of the bad sides, then we have to work on minimising those. All right, so I’m keen to hear a little bit about this new report. What can you tell us about the Fortinet 2025 industrial cybersecurity industry analysis? Who will this be of interest to?

Joshua Alcock:
I guess this will be of interest to anyone who operates anything that falls under that operational technology banner. And that’s kind of something that’s grown, I think, considerably in the past because.

Paul Spain:
We’Re all impacted by it. Right. Even if you don’t operate that, that type of operational technology, you know, if it goes down, if the power grid.

Joshua Alcock:
Goes down, lights stop working, if we can’t get clean drinking water, if we can’t get rid of waste, it’s. Yeah, it is. You know, I think a good example is what happened in Spain and Portugal earlier this year. Right. We saw quite quickly how society hit a little bit of a collapse. And given how everything’s connected now, you know, that wasn’t a cyber related incident, but we’ve seen in other parts of the world what can be done.

Paul Spain:
We have done, yes.

Joshua Alcock:
So we have to kind of anticipate that.

Paul Spain:
Yeah, that’s right. And yeah, sometimes it’s other things that impact. I mean, even here in New Zealand there were issues with, I think it was the pipeline from Northland through to Auckland, you know, a few years ago. And it wasn’t a cyber attack, but it impacted, you know, the availability of or that capability for transporting fuel, you know, between, was it North Port and Auckland. And when those things stop, that has sometimes a reasonably wide impact. So I think it’s important for all of us that these things are looked after. Right. How would you say that our state is from a cyber perspective when we look at, you know, this type of infrastructure and how it’s being protected from a cyber security perspective? You know, I think a lot of people would maybe hope for the best in terms of how things are looked after, but.

Paul Spain:
But it’s probably pretty variable out there, isn’t it?

Joshua Alcock:
It is. And I think because we’re looking at environments that traditionally haven’t been connected to the Internet in the past, things that have been running for sometimes 20 to 30 years. Right. They don’t understand what kind of traditional or what we’re used to. From a networking perspective, I think initially with a lot of and we learn a lot when it comes to sort of attacks on critical infrastructure from what’s happening in conflic. Right. And, and initially a lot of the stuff was, you know, what happens when someone gets in and they don’t know what they’re doing because a lot of the stuff may be exposed to the Internet and, and disruptions are caused there. If you, you know, are familiar with Shodan and you, you search on, on Shodan for, for Internet exposed, um, industrial control systems.

Joshua Alcock:
There is a lot of stuff out there unfortunately. And then we have obviously the kind of the nation state type targeting towards, you know, critical infrastructure. But it is definitely something that is nowhere near as mature as the IT side of, of businesses. But fortunately, you know, in my experience that the people that I deal with here in the industry all have kind of the right idea. They are all trying to do the best they can with what they’ve got. We unfortunately don’t have any kind of compelling event to mandate cyber security for critical infrastructure or operational technology like we do in other parts of the world. Australia is a really good example with the Security of Critical Infrastructure act, but with an industry everyone is doing their best. Which is, which is good.

Paul Spain:
Well, is one of the issues that, because a lot of these environments were not connected to the Internet in the past, that there just wasn’t the attention sort of paid to typical cyber security things. And then for varying reasons we end up connecting what is sometimes, yeah, archaic infrastructure and it gets connected up and actually in many ways it just, it shouldn’t be because it’s not maybe not fit for purpose from a security perspective.

Joshua Alcock:
Yeah, spot on. I mean there’s this kind of, yeah, maybe idea that everything is still air gapped like stuff used to be. I think kind of if we go back to what, 2010 with Stuxnet, that was kind of the first kind of exposure that the world had to kind of cyber attacks on sort of operational technology. But there’s business drivers to, to connect a lot of these things. You know, I think we’re all sick to death of the, the term digital transformation now, but it is. But yeah, we are, we’re kind of lagging behind, but that is often because these environments weren’t built to be connected and we’re trying to, to connect them. We say newer environments that are being built and, and energy, you know, specifically around green energy things being built, securely built with intent to be connected. And you know, we’re looking a lot better in that aspect.

Joshua Alcock:
But unfortunately a lot of the operational technology or critical Infrastructure side of things is still quite legacy.

Paul Spain:
So maybe tell us a little bit about the report. Is this an annual report that forgive.

Joshua Alcock:
Yeah, it’s an annual one that we put out. We’ve done it for the last few years and it’s kind of targeting a range of people across a range of organisations across the world to get a good picture of that. One thing though, I guess that kind of comes out at the end of IT is cybersecurity for operational technology is becoming more visible to the business. We take a very different approach than we do for traditional IT cybersecurity. It’s a safety and availability first approach as opposed to a lock everything down and segment IT and isolate it. Because what we’re used to doing for IT is supporting the business. But what we’re doing with OT is it is the business. If a power company can’t generate and distribute power or a manufacturing plant can’t make what they’re supposed to be making, the business, you know, suffers very quickly.

Joshua Alcock:
Or if, you know, they can’t keep people safe. It’s. Yeah, it’s a lot more than just kind of my emails or something like that, you know. Yeah, yeah.

Paul Spain:
How significant do you think the issues are at the moment? Because we, we’re not often, you know, hearing around, you know, cyber related issues for operational, you know, technology, you know, it’s not often that we hear that there’s been a major infrastructure issue that comes, you know, that that’s tied back to cyber at this point. But of course things can flip and change really quickly. Which is probably not a world that we want to imagine, you know, too much. Unless we’re, you know, reading a science fiction novel or something.

Joshua Alcock:
Yeah, yeah. I think outside of kind of regions of conflict, a lot of it is, you know, maybe attacks on IT infrastructure that then affects the OT side of the business. Colonial Pipeline was a really good example.

Paul Spain:
Yeah, that’s right.

Joshua Alcock:
It was an attack on, on the IT side of the business but just safe, you know, they shut down the, the distribution side. So whereas, you know, and then there’s kind of attacks on, on critical infrastructure from a nation state perspective where depending on who’s doing it and who the target is, it may not necessarily, they might not want to be seen. They might be doing it for espionage purposes or for pre positioning purposes or something like that. Whereas other countries may want to have a destructive impact. But yeah, it’s like anything in cyber security. We’re kind of dealing with people, process and technology. We’re trying to change mindsets. Unfortunately A lot of these mindsets that we’re kind of trying to change have been doing things a particular way for 20 plus years and people are difficult to sway sometimes.

Paul Spain:
Yes, we all like to not have to change. So how are attackers targeting ot different from how IT environments get targeted?

Joshua Alcock:
I mean, I don’t think up until recently it hasn’t really been anything different than, than how they’ve been targeting IT infrastructure. There’s a lot of commonality, there’s obviously a lot of differences between these sorts of environments. A lot of what’s used in OT environments is, you know, PLCs, SCADA systems, that sort of thing, which are unique to that. But then they also rely a lot on Windows systems. There’s, you know, your standard kind of switching and things like that in these environments. So vulnerabilities and those are targeted often a lot of the time it is just things are connected in ways they shouldn’t be and accidentally exposed. But yeah, there’s definitely, I think it was in the last kind of couple of years there’s been more specific attacks targeted towards these sorts of environments. But they have a lot of backing behind them.

Joshua Alcock:
They are generally nation state kind of backed or state adjacent or aligned. Whereas your kind of traditional script kitty is not going to, you know, necessarily have, have access to that tooling. But there is also a big crossover now between kind of cyber crime groups and that, that kind of state aligned side of things. So leveraging shared infrastructure and shared tactics and techniques.

Paul Spain:
Yeah. So are you seeing a lot of these sort of entities with, you know, that are responsible for our infrastructure or have operational technology getting those environments audited, Is that becoming more and more common, that they’re getting somebody to come in and sort of sense check where they’re at and reveal for them, you know, where they need to be investing and paying extra attention?

Joshua Alcock:
Yeah, definitely. It is something in the last couple of years that has become a lot more prevalent. Thankfully. A lot of it I think is looking at what’s happening in the rest of the world. We’ve got, you know, what, what’s happening in Australia with the Security of Critical Infrastructure act, which has been in place for a number of years now through a number of iterations, which means they’ve, they’ve kind of learned a lot of the, the hard lessons. A lot of what’s coming out of Singapore and other countries and the APEC region as well is giving us a good idea of what we should be doing. There’s still no mandate or anything here and hopefully there will be soon which because it would be nice to have kind of a you must be this tall to ride type type thing. Right.

Joshua Alcock:
A kind of a base level of security because at the end of the day this stuff affects everyone. But yeah, it is, there is definitely a focus and thankfully a lot of the organisations are taking notice of what should be or could possibly be coming their way in doing what should be done. None of it is really anything outside of what you should be doing from a good cybersecurity hygiene perspective anyway.

Paul Spain:
But I mean, there are some extras, I guess, I think about this. Our team at Guerrilla Technology often involved in going in and doing these sort of cyber security audits. And I have wondered, and this obviously varies from organisation to organisation, but yeah, how, how far, you know, should you, should you go and, you know, access control systems, I guess, sort of, you know, fit into this sort of world. And yeah, I’ve seen some interesting bits and pieces to do with the way, you know, some of these things are run. And I may have mentioned this previously, but I remember, you know, going into, during the COVID window into, you know, one of New Zealand’s, you know, largest, tallest office blocks. And for some reason the lifts weren’t able to take you up to, you know, the, the floors, so they just hand handed you a swipe card. And the swipe card that we were handed, I decided just to test it, to test it out on some other tenancies and on the tenancy we were visiting because it was really just supposed to get us access to that particular floor. It turned out that was kind of the master key fully enabled to access, you know, any entity within the building.

Paul Spain:
From what we could see, you know, whether that was a big multinational firm, a government agency or what have you. And it seems to be that that’s an area that often, you know, often misses out on attention. That’s sort of more on the physical kind of security side. But all of these things are part of the picture that probably don’t generally get a look in with a traditional cyber security audit. Certainly not for sort of smaller firms anyway.

Joshua Alcock:
Yeah. And kind of going back to what you’re saying about data centers, right, You’ve got all the access control, you’ve got all the power side of things, the cooling. You have, you know, CCTV cameras which are no longer really closed circuit anymore. They’re, you know, everything’s connected. The kind of, the scope of OT has kind of expanded to include a lot of the IoT stuff, the medical IoT devices. And it’s kind of funny you mentioning that story because a lot of these environments that you go into, they are effectively built on trust and they are flat networks. They have no access control between parts of the environment. So if you kind of get in, you kind of have the keys to the kingdom.

Joshua Alcock:
And that’s something that has been kind of pushed I think as a, an approach as Sans Institute have a really good list of five controls that they talk about for securing ot. The first one is. Well, it’s around figuring out what you’ve got, you know, in your environment because obviously you need to, you need to know what you’re protecting. But then you have things around, you know, what are your crown jewels, what actually do you need to protect and how can you project it? And in a lot of these environments you have legacy things that can’t be patched. You will see Windows XP systems, you’ll see things older than that that the vendor might not support if they are patched. So how do you secure those while still allowing a plant to function? It’s an interesting side of the business.

Paul Spain:
Yeah, it’s like what we were doing.

Joshua Alcock:
In it 15 years ago, right.

Paul Spain:
Yeah. I was in a factory, factory, you know, yesterday. And the equipment that they’ve happened to be running on the floor in that case was, was at the more modern end of things. But you know, anyone that has walked the floor and you know, some of these factories, some, some of that tech.

Joshua Alcock:
Is, it’s not bleeding edge.

Paul Spain:
Yeah. Is really old.

Joshua Alcock:
Yeah.

Paul Spain:
And if those things get connected to the Internet, which they can do for varying reasons, then yeah, probably opening up some pretty scary level of threats. Yeah.

Joshua Alcock:
And I think it’s taking a risk based approach to this stuff. You know, kind of do you need to do certain things? If you do, then are you aware of all the risks associated with it? But then it’s also the same thing around protecting them as well. You know, there’s a lot of vulnerabilities out there and software and a lot that are kind of being published around kind of industrial control systems as well. But they don’t necessarily exist in a position where they can be exploited. So you know, they might kind of fall kind of further down on your. On your list of priorities for patching if they ever get patched. So it’s taking some of that mindset that we’ve had in it, cybersecurity and applying it to kind of that safety and availability mindset as well, but in small pieces because it is something that this stuff that we’re talking about is very simple stuff. It’s just not easy to execute at all in these environments.

Paul Spain:
Yeah, that’s great. So folks are interested in having a look at the report. We will link that from NZ Tech podcast website and I think from, from the show notes. I believe so. Yeah. Anything else that you, you’d like to add there, Joshua?

Joshua Alcock:
No, I, I just think it’s, it’s, it’s really good that this is becoming a topic of interest for people because, because it is something that is kind of has a big impact on, on society in general. Right. And, and operational technology and critical infrastructure is becoming more and more of a target. We can’t really rely on being down the, you know, the far end of the world when you’re connected over the Internet. And you know, New Zealand in general I think is a bit of a soft target.

Paul Spain:
So it’s, which is sad, isn’t it? And some, some of this is our sort of size and scale economic capability. We see the Australian government really lent in a lot more in terms of, you know, multiple perspectives, but you know, how much money that they, they put in in these areas. Yeah, and yeah, New Zealand for, for varying reasons we end up in a, in a somewhat different world. And I, and, and you know, I just, I hope that we get on okay. But you know, hope isn’t, isn’t a strategy.

Joshua Alcock:
It’s, it’s not all. I mean there is, you know, we are, we are seeing, you know, a lot of these organisations take it upon themselves though to, to do a lot of stuff around, strengthen, strengthening their resilience even though they aren’t mandated to. So, you know, it’s good to see that and, and hopefully we end up, you know, continue on that, continue on that track where we end up in a position where we are, you know, more cyber resilient for, for our critical infrastructure systems.

Paul Spain:
Yeah. Yeah. Yep, good. And for folks that are listening in and, and they may be keen to, you know, to learn a little bit more. You know, what is it that Fortinet can do in terms of, in this space?

Joshua Alcock:
There’s kind of three key things that we sort of focus on for operational technology from a cybersecurity perspective. The first one’s around helping people get better visibility into their environment. You’ve got to protect stuff that, you know, exists. The second thing is kind of then exactly like you said with being able to walk throughout the building, how do you kind of restrict access within the environment? It’s kind of one of those things where it’s not a, we’re not talking about an if it’ll happen to you. We’re not even really talking about a when it’s now often when you discover that it’s actually been happening to you for quite a while type thing. But yeah, and then the other thing is that we’re focusing on quite a lot is around secure remote access into these environments. Because a lot of these environments are extremely complex, the skill set to manage them doesn’t often exist within the organisation. So third parties are going to be coming in and you know, managing a lot of the stuff and there’s some cowboy stuff that goes on out there.

Joshua Alcock:
So, you know, fortunately. True. Yeah. And we’re all part of a big supply chain, so we’ve got to kind of do our part.

Paul Spain:
Yeah. Oh, good stuff. Well, thanks very much for, for joining me on the show.

Joshua Alcock:
Thanks for having me, Paul.

Paul Spain:
Really good to have you. And of course, big thank you to our show partners to work day one NZ, 2degrees, Spark, HP and Gorilla Technology. Thanks everyone for joining us. Now, if you’ve been listening to the audio, then encourage you to follow us across on the likes of YouTube. You can follow myself on LinkedIn. We often livestream there on a Tuesday afternoon as well. And we’re on X and Facebook as well, from a video perspective. And of course, if you’ve been watching the video, then make sure you’re following us on those audio podcast platforms, the likes of Spotify, Apple Podcasts, your favorite podcast app.

Paul Spain:
And these days, I guess YouTube music as well is becoming an increasingly common platform for podcasts. So, yeah, thanks everyone. We’ll catch you again on the next episode next week. And if you’ve got any comments, feel free to get in touch via the website. All right.