BLOG
Meet our OT team: Rhiana Cooke
We’re the OT security specialists, and we want you to get to know our team better. We sat down with Rhiana Cooke, OT Security Architect, to find out more about her OT journey, OT cyber security concerns, and core advice for those interested in getting into the industry.
How long you have been working in or with OT for?
I started by studying mechatronics engineering, which is essentially robotics, or specialises in different levels of control systems. The first internship I had through my degree was with a manufacturing machining company working mainly with CNC (Computer Numerical Control) machines. I was working with Ladder Logic printed on A3 sheets of paper, trying to understand how the machines worked from that. It was rudimentary but very cool. That was back in 2018 and I then moved into mining in 2019.
I started out working on site, then after I graduated, moved to the technology teams based in Brisbane. Here, I worked with engineering teams and then moved into operations, both specialising in mobile machinery. Pretty much anything on a mine site that rolls or moves around, that was within my domain. I did that for a year before doing a full 180-switch into cyber around 2022 where I was instantly drawn into the cyber security space and everything it had to offer. So, overall, I’ve been working in or with OT for around six to seven years.
So, what made you so interested in OT cyber security and made you want to pursue that more?
Initially I was extremely interested in penetration testing and ethical hacking. I started in that area, trained up those skills, and then realised I preferred incident response after I enjoyed my incident response experiences both in mobile mining and in cyber.
I didn’t actually know cyber was an option for me, as a mechatronics engineer – I thought I was going to have to stick with project management, but then somebody mentioned shifting into cyber to just try it. Especially as I was in my graduate program where you can try out different roles, I saw it as my only opportunity to delve into that area. So, I did it more with the mindset of: “I’m never going to be able to do this again, so I’ll just branch out and give it a go,” and just loved it. I was only meant to be there for six months, but it turned into “I’m actually really passionate about this. I really enjoy this,” and it stuck!
What are you most concerned about when it comes to cyber security risks, specifically OT cyber security risks?
In the last couple years, we’ve seen a lot of sophistication develop in attacks, both in OT and in IT. It’s becoming easier and easier to fall victim to things like social engineering. Malicious actors are getting increasingly good at those guilt-trip, panic-ridden emails that just get you to click things. I remember there was that “Hey Mum” text chain that came out which was quite effective – “Hey mum, I really need money, send it to XYZ,” – and I think seeing how many people fell victim to that scam shows how hard it is to tell scammers apart.
With generative AI and the development of deepfakes, you can pretty much pretend to be anyone on the internet. We’ve seen those videos of people pretending to be political figureheads playing video games, but it’s just AI-generated content. So, it’s becoming really easy to convince people to click links or divulge their personal information. It’s getting harder and harder to make sure that people aren’t falling victim to that.
Preventing that initial step of access and protecting people from falling victim to social engineering is probably something that I’m really worried about, especially because it’s affecting both OT and IT. Except with OT, you can have the biggest impacts on the physical world. So, getting that initial access and then being able to potentially hurt someone or shut down an entire plant – that can be extremely dangerous.
Are you able tell us a funny story that has happened to you in the field?
I have both a cyber security story and one that’s very OT specific. There was a funny one with an endpoint monitoring tool, it had detected a user on a corporate network who was googling some malware. They didn’t click anything, they didn’t download anything, nothing had happened. But it was very confusing… “Why? Why is this user searching for malware?” The user was asked, “Hey, like, what are you doing?” Well, it turns out there was a hairdresser in their town with the same name as a very specific piece of malware, and they were just looking to get a haircut. A simple enough solution but also a good reminder of what corporate devices shouldn’t be used for.
The other story I have is from a couple years back. There was this really cool photo that was circling around of an autonomous truck, which had detected a potential collision event and stopped on a mine. However, in this photo, there was this cute, light brown, same-colour-as-the-road dog from a neighbouring farm that had managed to sneak onto the mine. It was actually a great example of how sophisticated those machines can be, because they picked up on the dog and completely stopped. The dog was completely fine – the workers gave him some treats and the farmer came to pick him up. But it was a really cool image that has stuck with me of this almost camouflaged dog in front of this huge mine truck – just sitting there, not a worry in the world.
What advice would you give someone looking to work in OT or OT cyber security?
The biggest one is the importance of having a good mentor. You want somebody that understands both the technical and the people sides, especially in OT, and someone who is going to love watching you succeed. I’m lucky enough to have had amazing mentors throughout my career who have been super supportive of where I’ve gone and what I’ve done but have also just been an absolute wealth of knowledge. I genuinely don’t think I would be where I am now if it weren’t for them.
Another piece of advice, and this was something that I learned from my journey, is to try to get experience both along the engineering and design side, as well as the operations day-to-day/BAU side. It’s so important to understand not just how a system is designed and installed, but also how it’s maintained, how it’s used, and how it’s useful. Understand whether teams genuinely benefit from a new system. It was awesome that I was able to experience moving from an engineering team into an operations team that were both working in the same space, and I learnt a lot from first implementing new systems and then trying to make sure that they kept working and making sure that they added value.
What’s something (surprising) about the roles that you’ve had in OT that people might not know about?
The sustainable engineering side of OT was something that I found, not necessarily surprising, but super interesting. I started on the OT side and then moved into cyber, so I knew a lot about the site technology than I did about the cyber stuff. I went about it differently than I think most people do. A lot of people, especially in OT cyber security, start in cyber and then learn OT.
I think it can be concerning for people on the cyber-to-OT journey that come in and realise there’s a lot about these systems that are potentially vulnerable but because availability and reliability is such a huge requirement, you may not be able to fix it all, at least not right away. Basically, the systems that you’re engineering (or architecting) need to be sustained. We can’t just install whatever we want on them. There are so many fancy tools and different things that you can just plug in, and they might fix the immediate problem, but that doesn’t mean that they are designed for longevity and they could also cause other issues in the long term.
Many sites that we work in, as OT or industrial control systems engineers, are rural or remote. A lot of them are industrial – they’re dirty. It’s not a super clean environment. You can’t fit all this fancy technology out there and expect it to keep working. You need to consider that these systems may not be maintained, they may not be able to be patched and upgraded, and you’re not always going to be able to get rid of legacy systems. There are a lot of old-school systems in industrial control. You have to make sure that you’re installing and/or upgrading systems that aren’t going to break or cause more frustration to workers, but that are also improving their safety. If the fancy tool is a burden on the system or causes delays, it’s just going to get yanked out.
So, I think that sustainable engineering side is what I always try to keep in mind. Have conversations with the people that are working directly with the machinery, understand what’s going to cause them issues, understand what they actually want, and making sure that’s what you’re implementing. Not the fancy new technology with all the bells and whistles, because at the end of the day, those are probably not going to be long term.