CyberWire Daily - CyberWire Live: Hack the Port 2022 Fireside chat. [Special Edition]
Episode Date: April 17, 2022. At the Hack the Port 2022 event, the CyberWire held a CyberWire Live event. CyberWire Daily Podcast host Dave Bittner was joined by Roya Gordon, OT/IoT Security Research Evangelist at Nozomi Networks,... and Christian Lees, CTO at Resecurity. During this fireside chat format session, Dave and our guests discussed ICS, OT cybersecurity, the role of security research and demos, supply chain compromise, and IT/OT security trends among other things. Thanks to the team at MISI/DreamPort for this opportunity.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone. I'm Dave Bittner.
The CyberWire was a media partner for the Hack the Port conference held in Fort Lauderdale, Florida, in March 2022.
Over the course of the week-long event, we enjoyed a variety of speakers, educational and training sessions, academic and professional villages with a number of competitive challenges and boot camps, and a VIP awards dinner honoring excellence in cybersecurity.
The event was produced by Dreamport and MISI and inspired by U.S. Cyber Command. The highlight for me was a session I moderated featuring Roya Gordon,
Security Research Evangelist at Nozomi Networks, and Christian Lees, CTO at Resecurity. Thank you very much.
My name is Dave Bittner, and I am the host of the CyberWire podcast.
Thank you all for joining us here today, and to all of our friends who are out there online, welcome as well.
We're going to have a really interesting conversation today. I'm excited to have our two guests here with us.
So before we dig into our topics, why don't we begin just with some brief introductions. I know some of you were here for Christian's presentation earlier today, but for the purposes of this podcast, I'm going to ask
Christian and Roya to both introduce themselves. Roya, why don't I start with you? Can you give
us just a little brief bit on your background and what you do professionally today?
Yes, of course. Ooh, I like how my voice sounds. So yes, my name is Roya Gordon. I work
for Nozomi Networks. I just started about a month ago, so I'm a brand new Nozomier, super excited
about it. I'm a security research evangelist, so I work with a lot of our technical folks,
and I kind of help broadcast all the work that they're doing to kind of help secure critical infrastructure and OT.
I have a history in, you know, consulting doing OT. I worked at a national lab doing OT.
I did intelligence in the military. But yeah, I'm happy to be here in my role and everything's like
full circle. So yeah, happy to be here. And Christian Lees from, I'm sorry, the company, Resecurity.
No, it's easy to find.
Apologies.
So many security names.
Welcome, and please tell us a little bit about yourself.
My name is Christian Lees.
I'm the CTO of Resecurity, and it's a Los Angeles-based firm.
And we primarily focus on threat intelligence harvesting for major brands.
All right.
Well, let's dig in.
Roya, you mentioned in your introduction that your background, you've done many things in your background.
And I want to start there.
When we're talking about OT, I'm curious what your insights are on the approach that different types of organizations take to that.
So when we talk about the military, when we talk about government, when we talk about private networks,
can you give us some ideas of how each of those has to come at this from a unique perspective?
Yeah, absolutely.
So, yeah, being in the military, doing government contracting, so essentially doing government work, working for the government,
being in consulting and then now at a tech company,
I've noticed that there's been so many different approaches to this thing.
So when I was in the Navy, I did intelligence,
but there was no cyber element to the Navy at the time.
So this was from 2005 to 2011.
So there was no cyber element.
So I just did regular threat intelligence, you
know, foreign threats, terrorism and stuff like that. Now, of course, I still have contacts in
the Navy and they're kind of starting with the basics of like asset discovery, you know. But,
you know, they're moving forward when it comes to cybersecurity for sure. When I got out and I
started at Idaho National Laboratory, you know, pretty much government,
DOE, I was in a lot of DOE projects, and it was straightforward, there was no wooing,
there was no selling, there was no trying to convince, it was more so we're going to come in
and help you all and tell you what you need to do, and kind of incentivize these companies,
so it was pretty straightforward. When I got to consulting, right, I worked at
Accenture, but any consulting firm, whether it's Deloitte or Slalom, they're run essentially the
same. It was a lot about the relationship building. You have to get industry to trust you.
And leveraging partners for sure, but it was all about the relationship with the CISO, with C-suite,
enabling board members, helping them to understand to cut funding.
So it was cyber, but then there was like the business aspect of it. Like you're undergoing
an M&A and what are the implications from a cyber perspective? So that's how I kind of got out of my
cyber bubble. And I started looking at business and I began bridging that gap between technical
and just kind of what the company is doing as a whole from a business standpoint.
And now being in tech, you know, I kind of feel like a little bit of a superhero.
You know, like we're solving real problems with the technology that, you know,
the consulting firms are leveraging, partnering with government.
And it's like there is no security if there's no one developing the technology.
So I don't know if that's your experience,
but that's kind of been my very unique experience across all of these different organizations. Christian? And just out
of curiosity for the listeners, would you define OT for everyone? Because that's a lot of overtime.
Yeah. Operational technology. So, you know, critical infrastructure, pipelines, oil and gas,
they run on a separate network that's not the IT,
where it's moving physical systems to open and close things.
So that's what we refer to as operational technology, or OT for short.
So not over time.
Not over time.
I'd just be curious, in your transition into,
sounds like a lot of security, et cetera, right?
Yeah.
What are the friction points that you run into?
I know I myself, for example, like security theater,
single pane of gas, glass, not gas.
Very difficult to overcome some of these, right? And internally talking about risk and the appetite for risk
or using the right words of risk.
I'd just be curious if you run into that.
Yeah, I guess some of the pain points I've had
was, you know, you think it's going to be obvious
that, you know, hey, we need to invest in security,
but there's a lot more convincing, right?
So obviously we know the industry is like reactionary,
so you have to have Ukraine power grids shutting off or Colonial Pipeline happening for people to take it
seriously. And even then there's still kind of the, the extra convincing that, Hey, you need this,
or this is going to happen. And I still see that being a struggle and a pain point. I mean,
obviously, you know, um, the industry is doing a better job of highlighting, you know, through
these conferences, but I see that, you know, just companies, you just got to do a little bit more convincing.
You do. Yeah, absolutely. And going to a C-suite that would gladly talk to you for eight hours
about, you know, profit forecasting and you got about 30 seconds to say, well, according to the
CVE, you know, you got a buffer, beep, you're done, right? And you're a cost center. And a lot of times you manage up and convince them that it's the best idea
they ever had. I think that's all they want. They want you to tell them what they should do.
You know, I used to go into meetings and it would kind of be like the chicken before the egg thing.
Like, you know, what are you looking for from a cyber perspective?
And they're like, I don't know.
Why don't you tell me?
And, you know, we're going back and forth.
And then it's like, you know what?
We're the experts.
They're looking to us like we're the experts.
We're just going to come in with solutions.
And then it's a good starting point for them to provide their input.
But it's never industry really driving it.
They don't know what they need as far as security.
You know, the experts do.
True.
I agree. Yeah.
To what degree do you find yourself serving as that translation layer for a board? In other words,
it strikes me that they speak in terms of risk, which is different from the technical aspects
that a lot of, certainly the IT people are used to, their discourse circles around that.
So do you end up being the, you know, the Rosetta Stone between those two worlds?
I actually, so my title is an evangelist, but I'm like, if there was another title,
it would be translator for sure. So yeah, so working, you know, with technical teams,
doing threat assessments, you know, they're on the dark web.
You know, presenting that and then just bringing it in front of, you know, a CISO that has to go to the board to justify why they need more funding when there's all these other things they're trying to invest funding in.
It just doesn't translate.
So I kind of take that and then I look at, you know, this is what the, you know, there's an acquisition going on.
So maybe they don't want to hear about building a threat intel program. Let's do cybersecurity around this M&A. Let's
figure out how secure that acquisition will be, assets that they're going to acquire, access
vectors that they're not considering. So I kind of bridge that gap to kind of help them look at,
apply cybersecurity to like the broader aspects of their business. And it is a translation. So
when I go on LinkedIn and I see a lot of evangelist jobs pop up. My mom, she hates the fact that I'm an evangelist. Like, she grew up in
the church and she's just like, there's no way I'm gonna call you an evangelist. But it makes sense.
There needs to be people to bridge that gap and to do this translation, you know, I believe so. Yeah.
and it's interesting that you know in the modern day today if a company is going under an M&A, right,
well, hold on.
You know what you got to do.
Yeah.
Former Accenture, right?
They conduct 60, 90-day cyber study.
Is anyone dwelling?
Are there any threat actors within here?
And I don't know.
I don't think it was like that five, ten years ago. Yeah, I don't think anybody was thinking
about cyber implications for M&A.
Yeah, like, yeah, so it's, but it's good.
And that's kind of why I feel like a strategy is to, you know, not stay, everyone, you know, we're in our cybersecurity bubble.
Even conferences, you know, you just kind of see the same people.
And I'm like, no, I want to go out to where people aren't thinking about security. You know, the conferences that are industry conferences,
that's not a cyber security industry conference, and then be there talking to them and changing their minds
about how they're applying cyber security.
Getting back to the differences between, you know,
military government and private sector, where do you,
what are those differences to you?
Are, is one more nimble than the other?
Is one less resistant to being...
Does one need more convincing that they need to focus on this?
Are there budgetary differences, the cadence of their budgets?
Operational differences.
Can you contrast those between those types of organizations?
Yeah, I can talk to it for a little bit because I
haven't really been involved in budgeting in all of them, you know, but obviously government,
we know that they're just kind of slow to move. So budgeting can hold up some things. But I would
say I see similar pain points in each, you know, I see there and I don't want to give away my talk
on Thursday. But, you know, from a talent perspective,
you know, there just not being enough people.
You still have to do some convincing,
maybe on the government side, not so much,
but definitely in private and consulting or tech,
you know, so, yeah, I would kind of see that
there's similarities, but there's also differences, too,
when dealing with customers, you know,
being a part of those different organizations.
Can we dig some into things like research and demos in OT security?
You know, the place that that plays when it comes to the folks doing OT.
First of all, for folks who might not be familiar with that,
can you give us a little bit of insight as to where that sits in the day-to-day operations
of the folks who are
keeping the OT side of the house running? Yep, absolutely.
No, you're the OT master. I love it. So I've been very involved in, you know, a lot of
demos, mostly in the resources space. You know, that's the background I came from.
And it ended up branching out into broader critical infrastructure. So it wasn't just oil and gas and utilities. It was like,
hey, pharmaceutical manufacturing, auto industry, and things of that medical devices and things of
that nature. So when, you know, talking about demos and research, I think it just kind of glues
everything together. It's one thing to talk to a client about, hey, this is the bad that could
happen. But then when you show them, I kind of feel like it's less convincing you have
to do because they see it. But the other side to it, which is, you know, I work with research teams
to do this, is to build that additional context to drive the message home. So instead of saying,
like, hey, this is what an actor can do, it's like, okay, well, how, why, the intent of these actors,
and then what are the solutions?
There's times that I've given threat assessments to major oil and gas companies, and if you don't leave them with action items, it's like you probably shouldn't have just said anything to them at all.
Because they're going to look at it as like, this is great information, but you're not telling me what to do about it, so it may not be that big of a deal. So I do think demos and research is beneficial in helping us get ahead of the threat
because obviously before you're exploited, you know what the vulnerabilities are, you know what
the weak points are, but you also have to provide that context on the front end and then at the end
tie it together with some action items. And I see that kind of missing in some demos, so I'm hoping
that as an industry we can kind of foster that. Is it a struggle sometimes to get budgeting for
demos, for research, for those sorts of things? As you know, people are just trying to keep things
running on the OT side. And of course, no one ever has enough time or money. To what degree
do you have to convince folks that that's a worthwhile investment? You know what? So when
I was preparing my presentation for Thursday,
I looked at some statistics, right? Statistics are key. And budgeting really isn't an issue when it comes to OT anymore. So Nozomi and SANS did a recent study and they were like, hey, you know,
what are the issues? And, you know, they surveyed X amount of professionals. Like, what are the
issues when it comes to OT security? And a lot of them said personnel. So when you ask people, the issue with OT security is lack of personnel.
That means obviously there's a direct correlation.
But then the other statistics showed that there's an increase in budgeting.
So there's companies want to hire more people and they want to do things in OT.
So, and I think that's changed, and we're still thinking, you know, there's no budget, but there is increased budget.
I mean, there might be a little tug of war between IT and OT budgeting, but I think we are starting to see increased budget for that to where it's not an issue. It's just making sure that we're sending the right message, you know, and hiring the right people.
I could not agree with you more.
I'm non-military, right?
So, I probably don't have all the similar buzzwords,
but I do see similarities, right?
I mean, hiring seasoned veteran security people,
security engineers, right, that have the ability.
In my mind, there are similarities in the private industry
where data flows and just building that out, one of the problems
that I see is the lack of ability to make precise prioritized intelligence requests.
Knowing something about that dark world, even having the ability to go, these are the threat actors that are most likely to hit me
because they specialize in this, right?
And having the ability to understand
your entire environment, the demarcation,
what's your endpoint, what's your API?
And are you able to do these correlations?
I feel like sometimes organizations
are still really struggling to kind of
see the trees through the forest, unfortunately,
which has, in my opinion, been there a long time.
Now, I know there's a lot of organizations that do that really well,
but on my side, just seeing the lack of ability to be able to prioritize intelligence requests
from externally or the untrust side has been a problem.
I want to piggyback on that.
So during my time at consulting, you know, there was a lot of, you know, they don't know
what their intel requirements are. So as in, you know, cyber threat intelligence, you know, we had
intel collection requirements, which is so funny because when I did intelligence in the Navy, when
there was no cyber element, that's what drove intelligence. It was ICRs, intel collection
requirements. So what are you looking for? What industries? Who?
And then having the feedback loop, talking to companies to make sure you're not collecting
on a whole bunch of things that they don't care about, right?
But the step further is companies need to have their own intel collection requirements.
So from a CTI perspective, we know what we're collecting on, but as a company, like, what
regions are you interested in based on where your assets are?
So we were kind of helping them think through that. But you're right, like, they just
have no clue, and they just think they just want to get someone in to do cyber
for them. And we're just like, it's a process. It's a deeper process
than they think. It's a collaboration, right?
Yeah. In order to go into these dark places, something I see a lot, right, we may send out an alert, right? Like, hey,
you see this on this forum. Most people in the enterprise, they do not even have the ability to go onto the dark web, right?
You know, and so they're like, what do I do with this? Yeah. But I love the example of ICR driving
the pivot collection. Yeah. That's fantastic, right? And a lot of times organizations, they just don't
even, they're not sure, what is it that you're protecting? Yeah.
Oh, cardholder data.
Okay, all right.
Well, then what's your infrastructure?
And it's, I also like the example of a roadmap, right?
You're absolutely right.
If you can't milestone it and roadmap it for these people,
it's hard. Yeah.
It's a lot of hand-holding.
Yeah.
But I'm here to hold hands, so.
Can we touch on the threat intelligence element,
though? Because you don't know what you don't know, and it seems to me like a lot of organizations,
when they're engaging with a threat intelligence organization or figuring out how to ingest that
information into their process, sometimes there are surprises, right? Like they didn't know that
such so-and-so were talking about them. Or as you say, it could be a part of the world they've never
even thought about before. And to what degree do you think that the threat intelligence element
is important, is critical to the operations on the OT side?
I mean, it's so funny because I think things are obvious,
but then I have to remember the audience and I have to remember that a lot of people don't realize it.
So if there's geopolitical strategic intelligence
or what incites cyber threat activity,
obviously we're seeing it with what's going on with Russia and Ukraine.
But even prior to that, any kind of regional tension or any kind of political instability
can incite cyber threat activity and dealing with resources,
specifically mining, chemicals, oil and gas.
They're operating in so many parts of the world.
So they don't think like, hey, I probably need to know geopolitical news.
They're thinking it's a waste of time
just telling me the cyber stuff.
But I'm like, yeah, if there's like an election coming up
or if we did a sanction
or if they're kind of dealing with this
from a regional standpoint, there's instability,
then your facilities might get caught in the crossfires.
So it's helping them think through that
because obviously cyber threat intelligence is not just like indicators of compromise. It's the whole
context. It's what's going on on the dark web. So yeah, so that's kind of been something that
I've been trying to help them understand. Now, when it comes to attribution, I have mixed feelings
because we know that threat actors, they steal other threat actors' tools. And you're thinking, oh, it's Russia, and it's not.
And then a lot of nation states, they use threat groups that are independent.
So you kind of don't know that Russia, China, Iran, they're tied to that threat group.
So there's a lot of, if you waste a lot of energy trying to figure out who,
then you could miss actually trying to secure your networks, and we'll figure out the who later, you know. Attribution obviously is important because
there could be different motives, whether it's cyber espionage, you'd want to know, okay,
why is China behind this? But for the most part, you don't want to spend too much time,
secure right away, and then kind of dig into the weeds of who is targeting you and why.
I like that, yeah. I mean, my experience is many times when industries come in,
they just want to fast forward to the ending credits, right?
Like, roll the credits, we're done.
And that's exactly right.
First question, who?
Who's doing it?
Like, okay, everyone, back up, right?
Like, let's start on page one, chapter one, right?
Let's get to know about your environment, right?
Like, where, you know, tell me about it, right?
We need to know something about it, right?
You know, why would I be sending you alerts
if you're a pure Linux shop about RDP, you know?
And why would I correlate any of these threat actors
that pivot off of that?
You know, I like that approach,
is learning something about your environment, right?
Like, let's start with what's your risk?
What are your exposures?
What's the most likely methodology?
What is it you're protecting?
And from that, you build upon pivoting in your collections
or what's most likely.
Yeah, attribution is just hard.
Because even with what happened with Colonial Pipeline,
how everyone just kind of jumped to the conclusion,
like the Russians.
And yeah, there has been a history of that,
a little bit of probing into our grid.
But because I know the dark web, you know the dark web,
we know that there's that whole ecosystem.
So whoever's developing the ransomware,
they're not necessarily the ones launching the attack. They're selling it to the bad people. And then you can, you know, walk in,
and I always say it could be a very inexperienced person who knows nothing about cyber, and you're
like, oh, let me get those credentials there. Like you were saying, let me get network access,
and let me get this ransomware, and now you're a sophisticated threat actor by your capabilities.
So attribution is just hard, and, you know, it came out later on once everyone
dissected all that, who it was, because Russian based and Russian speaking is different from a
nation state threat actor that's, you know, doing it on the behalf of the Russian government. So
it takes time to explain that, but let's figure out what the issue is and secure it first. And
then let's do the background later, you know? Agree, right. Skip attribution, right?
Because most of these threat actors
tend to pivot off of CVE within three months.
Yeah.
Right?
Okay, so you're focusing on who?
No, you should be focusing on now, right?
Yeah.
Like, get patching, get backporting.
Yeah.
There are, I've seen some organizations,
some security organizations,
say that they don't believe attribution matters.
Completely, you know, as a policy, dismiss it.
Is that a bit too far in your mind?
I would say, because you don't want to just not care about who's doing it, you know.
Because I know, you know, depending on, I guess, whatever companies
have different service offerings, sometimes you could just get that API and you just get the data
and that's it. You don't care about the details. You just want to know I need to block this and
that's all I care about. But then you're still missing a good chunk of what threat intel is.
So I think it has to be a good balance. And, you know, again, just a little prioritization. It's
good to have that, but it's also good to kind of know if you're being targeted and why.
So, like, going back to M&As, you might want to know, like, if you're doing a major M&A in a certain market, if there's another country that's interested in that.
You know, sometimes it kind of helps give you a little bit more context.
But I wouldn't say that it's to be depended on.
It's just like you can't do one without the other.
I think both is important to create the bigger picture.
Yeah.
I agree.
Yeah.
I mean, attribution helps paint a better story and further pushes the cause, right?
Might be the convincing factor that sometimes they're like, whoa, we've got to fix this, right? I would just say, if we could replace the word who as our first step with if, you know, and build.
And who could come potentially later?
I don't know.
Yeah.
I mean, you know it's someone bad.
Right.
So it's never good.
Start there.
And narrow it down over time, right?
Yeah.
Can we touch on supply chain issues?
As we sit here today,
we have this breaking, developing story
that it's speculated that Okta may have been compromised,
and certainly they have a lot of big-name clients
around the world.
And I think the past year or so has certainly shown a bright light on this whole notion of supply chain security.
I'm curious on your insights on to specifically how that applies to this space.
Yeah.
Yeah, absolutely. So I think what's really being targeted is that trusted relationship because you know that if there's an update or there's this technology from your vendor, you're automatically going to trust it.
You think that they're doing due diligence and making sure it's secure, but no one's ever asked that. And I think it's a big problem. And obviously, we've seen it within the past year and how it can, you know, kind of affect organizations. However, I think
another part of the supply chain compromise that we need to think about
is hardware supply chain compromise, and I don't want to wait until something
happens like a Log4j or SolarWinds or all of that for it to kind of now be the
thing that we focus on. So I know in Nozomi's threat
intel report, we do it every quarter or every half a year, you know, we get into the details of that
and then, you know, starting to do research around it. So if it's a USB, if it's a mouse, like what
are the different components that could be compromised? And then if it's connected to,
you know, cause everyone's big into air gap, right? So they're like, I have this USB and
it's air gap, but not if it's preloaded with malware, which that was a study. And it showed
that there's also even Stuxnet variants like in a USB. So I think that as everyone kind of shifts
to that concept to make it to, I guess, have a more secure environment, it's like we need to
start digging into hardware supply chain compromise and the cyber implications that that could have.
But yeah, absolutely. I think supply chain is a huge issue right now. And I'm actually happy that it's
the focus. I know a couple years ago before all of this happened, we discovered on the dark web
that there was a small third-party supplier whose network access was for sale. And, you know, then we saw that it was sold. So that small supplier, obviously,
wasn't the main target.
It's, you know, threat actors are going to target
like the smaller companies that are less secure
so they can get to their main target.
So we're able to notify, you know,
a global oil and gas company of this
and they're able to take action and all of that.
But again, supply chain is being highly targeted.
So I'm happy that there's a lot of focus around it now.
Agree.
I mean, history always tends to repeat itself, right?
Like way back when, getting your time machine,
and we saw the compromise of an HVAC lead to Target.
But I guess one thing, and again, allegedly,
this incident we've learned of today,
I find interest in the fact that it's,
if it is the Lapsus$ group,
again, this is an organization
that's moved out of the traditional forum
and they announce it via Telegram, right?
And a very evasive and targeting infrastructure.
I don't know if you noticed this,
but there's a lot of threat actors that are like,
you know, you don't hear from them for a little bit,
they're laying low,
and then all of a sudden there's a new group
that pops back up.
And I'm like, I think they just did a name change.
Like, they're not fooling anybody.
Rebranding?
Yeah.
Under new management.
Yeah, so we think that there's all of these groups,
and I do think that there are,
but then we have to think a lot of times
they're just popping up and changing their name
and making it seem like they're different when they're not.
That would require attribution, though.
Ah, yeah.
Can we dig a little deeper into the hardware side of things?
I mean, when you're thinking of hardware
in the supply chain and the vulnerabilities,
can you give, what's the spectrum of the types of devices we're talking about hardware-wise?
Well, definitely chips, you know? So something like that, like if I purchase a keyboard,
I'm not, I'm trusting the keyboard, right? And then whoever's putting it together,
they have like so many different vendors, different people making all the different pieces.
So within whoever's building the keyboard, no one's checking to see like, is this chip legit?
Is it compromised?
So it's like a long line of no one double checking.
And then when it gets to like an oil and gas company, then all of a sudden they're the ones hit really, really hard by it.
So, you know, we're talking about the different components that make up the hardware.
And it comes from so many different places all over the world. Where do they come from? No one
keeps track of it. And there is something called, you know, the SBOM, the software bill of materials,
but then there's even like inconsistencies with that. It's a good start to know where the many
devices in this device are, but again, I think it's going to take some time for us to really
get a good strategy around understanding the hardware
supply chain. Right, yeah, what's the guarantee
of this Huawei ARM
chipset and built in
some other country? Yeah.
Agreed.
To what degree are you finding organizations
are having a
struggle or just pondering
how deep, how far down
the chain to go?
Because, you know, I have suppliers, they have suppliers, they have suppliers.
You can get down to the component level, but there's a lot of layers there. And so who do you trust? How do you verify,
you know, what is that chain of custody of complex devices?
Valid question. I don't know.
I mean, I'm not going to say I know,
but I have something to say in regards to what you just said.
So I think it makes sense for everybody to have
like some kind of third party agreement
that includes security, right?
So there are times on the dark web,
we've seen companies that have satellites
and geospatial data from all these different companies
and then they get breached
and their data is uploaded on the name and shame sites.
And it's just like, wait a minute,
that's one of our clients.
They're not breached,
but their data is compromised through a third-party breach.
However, the third-party company
isn't going to notify
all of their customers or all of their clients.
So that could be a start to kind of say,
hey, maybe there needs to be an agreement in place.
So if you're the victim of a ransomware attack,
you have to tell me because you have my data
and my sensitive information.
And then from there, I just think,
if everyone just kind of does that down the chain,
then that could hopefully help foster
a more secure supply chain.
But that's a laborious thing to do.
I'm sure we can figure out how to automate that
in the future, but I just think that companies,
larger organizations need to protect themselves
and their data, not just what's housed on their servers
or even cloud service providers,
but all of those third parties that have sensitive data.
And the stuff that was leaked,
it was like geophysical stuff
and drilling areas and coordinates and stuff.
You don't want this getting in the hands
of the wrong people.
I mean, how about Samsung?
Recently, all the handsets compromised by,
again, Lapsus$.
Yeah.
Retooling that is years.
Yeah.
And to pivot on that, I would think, right?
Like, how long did it take to make the Samsung Galaxy?
I don't know.
It's a tough, you ask a tough question, I think.
Well, yeah.
I also think about, you know, it's my understanding,
like particularly on the OT side of the house,
that you have components that could be in a system for decades.
And so if there's a problem discovered down the line,
it's not like these things get swapped out and updated regularly.
Yeah.
Yeah.
I mean, that's the problem that we face,
and here we are at a cybersecurity conference to talk about it and to help, you know, make things better.
Data controls from the 50s, you know, in existence today. Sure. Before we wrap up,
I want to make sure we touch on sort of the cultural side of things. You know, the relationship
between the IT side of the house and the OT side of the house. Do we sense that there's more hand-holding, you know, we're getting together
and we're singing We Are the World together so that there's an understanding that this needs
to happen and we're moving in that direction? Could I ask, in the private world, is it fair to
say the concept of IT and DevOps might be a similar contrast?
Because I was just thinking,
OT and IT, is there a big finger pointing at one another?
Yeah, I tend to see that.
So obviously there's not a lot of skilled people in general
that understand OT.
And then you try to pull from IT because you're like, at least they know technology, but then there's still kind of that
learning curve. So it becomes, you know, difficult for people in OT to have the people that understand
what needs to be done. So everyone understands the IT space, security, what needs to be done.
It's easier for them to kind of fight for that funding. So yeah, there is a little bit of tug of war. There is a little bit of, you know, okay, well now if I'm going to shift to OT, then
screw cyber hygiene. And then it's just like, well, that's not what you do either. It's like,
it's not an either or type of thing. It does have to be like a kumbaya moment between both sides.
So what I do like though, is that now there's technologies that allow you to get
that same visibility into your OT environments like the IT.
So shameless plug here,
that's what Nozomi Networks does.
Well done.
I'm just saying, it ties into the message and you're able to
kind of see not just the components,
not just what's normal behavior and
get alerted on what's anomalous behavior.
You get to see packets.
Before, there was never that kind of visibility into OT.
And now that you have that, it can all kind of be fed into this SIEM.
So when you're in a SOC, you can see everything. I'm like, that's cohesion. We don't have to fight.
Someone just needs to understand what this OT stuff means, but it can all be done together.
Real quick before we wrap up. Can you give us a little teaser, a little preview
of the presentation you're giving later in the week? Absolutely. I'm so passionate about the
topic. So I talk about bridging the gap between universities and the OT industry because I didn't
come into this field in a traditional type of way. Yeah, I had an Intel background. I was on my way
to the NSA. I thought I was just going to be in the Intel community. And then I ended up, you know, getting a job, working at the National Labs, learning OT
security hands-on. And now I've just kind of been head first, feet first, wherever, into this field.
And it's been amazing. So I just, I like to talk about my journey and how to kind of help people
like me that want to get into this field. And there's really no avenue for it. It's on Thursday
at 2:30 p.m.
so hopefully you all will
still be there because there's just so many of you out there
just so interested in what we have to say right now.
Everyone must go.
Alright, well Roya Gordon from
Nozomi Networks, thank you so much
for joining us and of course Christian Lees
from ReSecurity. Thank you for being on
our panel today. Thanks to all of you for being here. Appreciate it. Thank you.
Our thanks to Dreamport and MISI for including the Cyber Wire in the Maritime and Control Systems
Cybersecurity Con, Hack the Port 22. You can learn more about the event at hacktheport.tech.
Thanks to senior producer Jennifer Eiben for coordinating the session.
Our executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.