andrew ginter – Waterfall Security Solutions

Andrew Ginter’s Top 3 Webinars of 2024

Andrew Ginter — Tue, 17 Dec 2024 11:38:14 +0000

OT Insights Center OT security standardsAndrew Ginter’s Top 3 Webinars of 2024

Andrew Ginter’s Top 3 Webinars of 2024

Discover Andrew Ginter’s top picks for the most insightful and engaging webinars of 2024, covering key trends and strategies in industrial security.

Andrew Ginter

December 17, 2024

As 2024 comes to a close, it’s traditional to reflect on the and maybe catch up on bits of reading and events that we missed throughout the year because of our busy schedules. To this end, I recommend to you three of this year’s Waterfall webinars, each an overview of Waterfall or other authors’ reports that read faster when we’ve seen an overview, so each of us can skip faster to the material we find most potentially useful.

My Top Three Webinars of 2024:

1) Cyber Attacks with Physical Consequences – 2024 Threat Report

By the numbers –Waterfall & ICS Strive produce the world’s most conservative and most credible OT / industrial security threat report. In this webinar the authors review the numbers – public disclosures of attacks with physical consequences. And we look at what the numbers mean for the practice and future of industrial cybersecurity.

To read further, the threat report is available here.

2) IEC 62443 for Power Generation

The IEC 62443 standards are cross industry, somewhat out of date, and deliberately vague in many areas – and so need to be interpreted to apply them successfully. In this webinar, Dr. Jesus Molina provides an overview of his report that shows how to interpret and apply the standards to conventional electric power plants.

To read further, the IEC 62443 for Power Generation report is available here.

3) Evolving Global OT Cyber Guidelines

This webinar is a favorite of mine because of big turnout and the thoughtful questions and comments from the audience. In this webinar, we explore the latest developments in OT cybersecurity regulations, standards and guidance worldwide and what these developments mean for industries navigating this complex landscape.

If you would like to read more, I recommend the brand new, multi-national Principles of OT Security – it’s good, and with only 9 pages of payload, it’s an easy read over the holidays.

These are my top 3. If you would like to see even more of our videos, I encourage you to subscribe to the Waterfall Youtube channel where we upload new videos regularly.

I don’t sign s**t – Episode 143

September 10, 2025

Secure Industrial Remote Access Solutions

August 28, 2025

Remoting Into Renewables – the latest guidelines for secure remote access applied to renewables generation

August 28, 2025

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

The post Andrew Ginter’s Top 3 Webinars of 2024 appeared first on Waterfall Security Solutions.

Andrew Ginter’s Top 3 Podcast Episodes of 2024

Andrew Ginter — Mon, 16 Dec 2024 15:12:04 +0000

OT Insights Center OT security standardsAndrew Ginter’s Top 3 Podcast Episodes of 2024

Andrew Ginter’s Top 3 Podcast Episodes of 2024

As 2024 winds down, kick back and enjoy some of Andrew Ginter's best podcast picks

Over the past 12 months, it has been a pleasure and a privilege to co-host the Industrial Security Podcast. When I started the podcast 5-ish years ago, bluntly, I did not know if there was enough industrial security content in the world for more than a year or two of episodes. It turns out the OT security space is much broader and deeper than I knew, and I’ve both learned something in every episode and become aware of how much more that I don’t know that every one of my guests do know and give us a few insights based on that knowledge in every episode.

Choosing three from this year’s episodes was hard, but here are three that stood out for me. If you ask me for a theme for these episodes, I’d have to say all three provide insights into high-consequence attacks, risk blind spots, and of course defenses against these attacks. This is all consistent with the perspective of the Cyber-Informed Engineering initiative and with the themes I explore in my latest book, Engineering-Grade OT Security: A Manager’s Guide.

I hope you enjoy listening to these podcasts as much as I enjoyed the interviews and discussions. And stay tuned, we are working on many more guests and discussions in 2025!

My Top Three Episodes of 2024:

Episode #134: Insights into Nation State Threats with Joseph Price

In this episode, Joseph Price nation-state threats and attacks. Nation states are often held up as “bogeymen,” able to do anything to anyone for reasons that are opaque to mere mortals. Joseph peels back a couple layers for us, explaining how to interpret the data is available in the public domain. He walks us through what to expect in terms of attack capabilities, how the world’s superpowers routinely test each other’s defenses, responses and capabilities in both physical and cyber domains, and looks at what this means for both small and large infrastructure sites and defensive programs.

Episode #123: Tractors to Table Industrial Security in the Industry of Human Consumables with Marc Sachs

In this episode, Marc Sachs, Senior Vice President and Chief Engineer at the Center for internet Security, Chief Security Officer for Pattern Computer, and a former White House National Security Council Presidential Appointee, takes a deep dive into the cybersecurity challenges facing the food production industry.

He examines the industry’s growing reliance on automation, from farmers leveraging GPS, drones and self-driving equipment to large-scale food production facilities dependent on interconnected systems. While these advancements have dramatically improved efficiency and productivity, automation has also created important new vulnerabilities. Marc walks us through real-world examples of cyber threats targeting this critical industry, the potential consequences of a future attacks, and practical measures that organizations can take to bolster their defenses.

This episode provides an eye-opening look at how completely automated the high end of agriculture and food production has become, and how this is a problem as more and more operations deploy this kind of automation.

Episode #131: Hitting Tens of Thousands of Vehicles At Once with Matt MacKinnon

In this episode, Matt MacKinnon, Head of Global Strategic Alliances at Upstream Security, looks at a cybersecurity niche in the automotive industry that I did not know existed: protecting the cloud systems that vehicle manufacturers rely on to manage and interact with the vehicles they produce. From passenger cars to 18-wheelers and massive mining equipment, connected vehicles enable everything from diagnostics and updates to real-time remote control.

Matt explains how digital transformation and the pervasive use of cloud systems in automotive and heavy equipment industries has introduced new attack opportunities, with potential consequences ranging from unauthorized manipulation of vehicular systems, data breaches, and potential threats to safe and reliable operations.

How to manage these risks and protect cloud systems connected to vehicles? Matt walks us through protective technology and how it works – technology I did not know existed.

NIS2 and the Cyber Resilience Act (CRA) – Episode 142

August 18, 2025

SCADA Security Fundamentals

August 14, 2025

What is OT Network Monitoring?

August 14, 2025

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

The post Andrew Ginter’s Top 3 Podcast Episodes of 2024 appeared first on Waterfall Security Solutions.

TSA NOPR for Pipelines, Rail & Bussing – Enhancing Surface Cyber Risk Management

Andrew Ginter — Tue, 26 Nov 2024 13:07:01 +0000

OT Insights Center TransportationTSA NOPR for Pipelines, Rail & Bussing – Enhancing Surface Cyber Risk Management

TSA NOPR for Pipelines, Rail & Bussing – Enhancing Surface Cyber Risk Management

The TSA Notice of Proposed Rulemaking for Enhancing Surface Cyber Risk Management is out. This is the long-awaited regulation that replaces the temporary security directives issued after the Colonial Pipeline incident.

Andrew Ginter

November 26, 2024

“This…replaces the temporary security directives issued after the Colonial Pipeline incident…[which] had to be re-issued annually. The new regulation will be permanent – at least until it’s changed or revoked.

The TSA Notice of Proposed Rulemaking for Enhancing Surface Cyber Risk Management is out. This is the long-awaited regulation that replaces the temporary security directives issued after the Colonial Pipeline incident. Those directives had to be re-issued annually. The new regulation will be permanent – at least until it’s changed or revoked.

So I’m trying to read through the proposed rule, and the document is daunting – 105 pages of technical language intermixed with very legal language, riddled with cross-references, only some of which I understand. That said, at a high level, the new rule, if passed as-is, looks to apply to some:

73 of 620 freight railroads in the USA,
34 of 92 public transportation & passenger railroads,
115 of 2,105 of the nation’s pipelines, and
71 bus owner/operators,

though the bussing rules seem focused on incident reporting rather than full-blown cybersecurity programs.

Some of the most confusing legal language seems focused on rationalizing how the TSA issues security directives, since before this it seems there were different procedures for security directives applicable to different forms of transportation. Another bunch of confusing language seems to be rationalizing physical security requirements and separating them from cybersecurity requirements. And then it gets a little bit more readable:

49 CFR Part 1580 – Freight Rail Transportation Security – starts on pp 71
49 CFR Part 1582 – Public Transportation and Passenger Rail Security – starts on pp 82
49 CFR Part 1584 – Highway and Motor Carrier Cybersecurity – starts on pp 92, and
49 CFR Part 1586 – Pipeline Facilities and Systems Security – starts on pp 96

The freight rail, passenger rail & pipeline sections have a lot of familiar language. I haven’t gone through them line by line comparing them to the previous security directives – eg: TSA SD 2021-02E the current directive that applies to pipelines – but just reading through the requirements rings a lot of bells in terms of language I’ve read before.

At a high level, in-scope owners and operators will need to:

Carry out annual enterprise-wide evaluations documenting the current state of cybersecurity and comparing that state to a ‘target profile,’
Document a ‘target profile’ that includes at least the measures and outcomes described in the new law / rule, and ideally includes all of the applicable parts of the NIST Cybersecurity Framework (NIST CSF),
Develop an implementation plan and identify people responsible for carrying out the plan, and

Identify critical cyber systems and detailed measures to protect those systems, as well as detailed measures to detect cyber incidents, respond to them and recover from them.

At a higher level, as you’ve probably guessed by now, I’m struggling to understand the legalese. I would welcome a call from someone who can explain how to make sense of the complicated cross-references. I promise to take detailed notes on the process and publish them as an article so other interested people can figure out how to do the same – with copious thanks to my generous instructor.

BTW – one of the reasons I’m trying to understand this new rule is because I’m hoping to include insights into the rule in a webinar that’s coming up: Evolving Global OT Cyber Guidelines, Recent Developments and What is Driving Them.

If you’re interested in seeing what’s common, what’s different, and what’s changing in this space, please do join us on Wednesday Nov 27.

I also invite you to get a complimentary copy of my latest book, Engineering-grade OT Security: A Manager’s Guide.

About the author

Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.

What Is ICS (Industrial Control System) Security?

August 14, 2025

Network Duct Tape – Episode 141

August 13, 2025

Credibility, not Likelihood – Episode 140

August 6, 2025

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

The post TSA NOPR for Pipelines, Rail & Bussing – Enhancing Surface Cyber Risk Management appeared first on Waterfall Security Solutions.

Driving Change – Cloud Systems and Japanese CCE | Episode 132

Waterfall team — Tue, 19 Nov 2024 11:30:34 +0000

OT Insights Center OT security standardsDriving Change – Cloud Systems and Japanese CCE | Episode 132

Driving Change – Cloud Systems and Japanese CCE | Episode 132

Tomomi Aoyama translated the book Countering Cyber Sabotage - Consequence-Driven, Cyber-Informed Engineering - to Japanese. Tomomi recalls the effort of translating CCE to Japanese and looks forward to applying CCE and OT security principles to industrial cloud systems at Cognite.

Waterfall team

November 19, 2024

“…security was mostly discussed as technical topic. And there was not enough frameworks or ways of conveying important security and security risk in the way that the stakeholders can easily engage with. And CCE for me enabled that…”

Available on:

https://api.spreaker.com/v2/episodes/62429253/download.mp3

About Tomomi Aoyama and Cognite

Dr. Tomomi Aoyama is a distinguished figure in the field of industrial cybersecurity, currently serving as Private SaaS Operations Lead at Cognite (Website). With a robust academic background, Dr. Aoyama has dedicated her career to advancing cybersecurity practices, particularly in the realm of industrial control systems (ICS).

Her expertise spans several critical areas, including the application of Process Hazard Analysis (PHA) to cyber risk assessment, lifecycle security management, and the role of human factors in cyber incident response. Dr. Aoyama’s work is globally recognized, and she actively contributes to both public and private sectors. She serves as an expert advisor to Japan’s National Centre of Incident Readiness & Strategy for Cyber Security (NISC) and the Industrial Cyber Security Center of Excellence (ICSCoE) in Japan

In addition to her advisory roles, Dr. Aoyama is committed to knowledge sharing and education. She has translated essential ICS security literature into Japanese, including NIST SP 800-82 Rev.2 and the book “Countering Cyber Sabotage” by A. Bochman and S. Freeman. Her contributions have significantly enhanced the understanding and implementation of cybersecurity measures in Japan and beyond.

Dr. Aoyama’s career is a testament to her dedication to improving cybersecurity frameworks and her influence continues to shape the future of industrial cybersecurity on a global scale.

Cognite (LinkedIn) was founded in 2016 and has over 700 employees including top-notch software developers, data scientists, designers, and 3d specialists. Over the years, Cognite has positioned themselves as global industrial Software-as-a-Service (SaaS) leader, with an eye on the future and a drive to digitalize the industrial world. Cognite has created a new class of industrial software which allows asset-intensive industries to operate more sustainably, securely, and efficiently. Their core software product is Cognite Data Fusion (CDF), designed to quickly contextualize OT/IT data to develop and scale company solutions, using technology like hybrid AI, big data, machine learning, and 3D modelling to get there. Cognite’s clients include oil & gas, power utilities, renewable energy, manufacturing, and other heavy-asset industries. Cognite helps them operate through transitions, sustainably and to scale -without sacrificing bottom lines, paving the way for a full-scale digital transformation of heavy industry.

Transcript of this podcast episode #132:

Driving Change – Cloud Systems and Japanese CCE | Episode 132

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Welcome listeners to the Industrial Security Podcast. My name is Nate Nelson. I’m here with Andrew Ginter, the Vice President of Industrial Security at Waterfall Security Solutions, who’s going to introduce the subject and guest of our show today. Andrew, how are you?

Andrew Ginter
I’m very well, thank you Nate. Our guest today is Tomomi Aoyama. She is the principal development lead for Private SAS, that’s Software as a Service, at Cognite, which produces industrial control system software. And we’re going to talk a little bit about what she’s doing, but mostly of we’re going to talk about her translation of the consequence-driven cyber-informed engineering textbook, um Countering Cyber Sabotage, her translation of the book to Japanese.

Nathaniel Nelson
Then without further ado, your conversation with Tomomi.

Andrew Ginter
Hello, Tomomi, and welcome to the podcast. Before we get started, can I ask you to say a few words about yourself for our listeners and about the good work that you’re doing at Cognite?

Tomomi Aoyama
Thank you very much for having me, Andrew, by the way. I’m Tomomi, and I’ve been in the ICS security domain over a decade, and I started as an academic researcher. And my fascination for this domain was always about how can we enable this collaboration. um I started with and from understand trying to understand how safety and security risk assessment can be combined, how security risk specialists can communicate with safety risk specialists and share the metrics, share the value. That was the first research topic that I was working on. And then I ah gradually shifted more towards, okay, how cyber risk or auto security risk can be expressed to the business continuity risk or business risk.

And through the academic position I had in Japan and while while I was doing the PhD and doing doing the um assistant professor and teaching, I was lucky enough to be able to join some government project where I was so able to support a asset owners ah design and evaluate the cyber table topic exercises, um business content exercise ah drills ah for earthquake drills also, and also and develop help of government ah to develop this large auto security capability building center called ICCOE, where I supported building up the training curriculum and international engagement. And now I’m in Cognite and still I’m fascinated again, I’m still fascinated by this collaboration piece in OT security area. Cognite is a company that builds the OT data platform software in oil and gas, chemical, energy, and manufacturing and so on. so And the Cognite operation is based on software as a service on a cloud data platform.

And When we talk about the cloud security, and there is a shared responsibility model that the shared the security operation and responsibility together with the cloud service providers and asset owners. But they the usual model that they have is two-colored – very simplified to colored model, and there is no space for the SaaS company like Clonite. And especially when you consider about the most of the organization, most critical infrared operators would select a hybrid model where they have the public cloud, private cloud, on-prem system all together.

And asset owner wants to have the total visibility and data governance over all the platforms and all the um systems. um There’s no really guideline for that. There is no established model for that. So I cognize what I’m doing as using my background in research and also also in all the security domain trying to understand and navigate the conversation with customers, trying to navigate the Cognite towards how can we support this and new era for the asset owners where they want to have the data control and strong data ownership. So that’s where I am today.

Andrew Ginter
Cool. So you know the industrial cloud is coming. You know it’s great that you’re contributing to that at Cognite. Our topic is a little different today. Our topic today is Consequence-Driven Cyber Informed Engineering. And a couple of years ago, you translated the the book on the topic, Countering Cyber Sabotage, Consequence-Driven Cyber Informed Engineering, the book that Andrew Bachman and Sarah Friedman wrote, you translated the book into Japanese. So I wanted to ask you about that, but before I do, can I ask you maybe introduce the book to our listeners? What is ah you know CCE? What is consequence-driven cyber-informed engineering?

Tomomi Aoyama
Sure. CCE is quite mouthful, Consequence-Driven Cyber-Informed Engineering. It was originally part of the Cyber-Informed Engineering. It’s one of the pillars of the Cyber-Informed Engineering, which is the framework for combining cyber and engineering side and how we can enable security more by the design, security built into the engineering courses.

And INL, IDEC National DAB, especially focus on this consequence driven w risk analysis part. And they developed this CCE method. It comes with the four phases, starting from phase one, consequence prioritization, which is quite important one one for me. And phase two is system and system ah system analysis, meaning ah how systems or dependencies between the systems, resources, information, data, people, are contributing to the consequence, the worst, worst, worst case that you want to avoid to happen.

And phase three is the consequence-based targeting. This is where you bring in a little bit attacker’s perspective and margin in security perspective. how those dependency between the systems or the path to the consequence can be compromised, how can how attackers can take advantage of this dependency to make the consequences happen. And then phase four is all about mitigation and production. Okay, how can we a how can we cut those the dominant effect for attackers to enable the consequence to happen in the most efficient way. And preferably, how can we do that by combining the engineering method and traditional cybersecurity tools and solutions.

Nathaniel Nelson
Andrew, these are concepts that we’ve talked about in a number of episodes before, but for anybody who hasn’t listened to those, could you just do a quick review of CCE?

Andrew Ginter
Sure, CIE is the big tent, Cyber Informed Engineering. It’s all about engineering and cybersecurity together. You know, the engineering part has been neglected historically, overpressure relief valves, manual operations as a fallback. These techniques that are are used to manage physical risk can also be used to manage cyber risk.

CCE fits within the big tent. I mean all of you know a great A great deal of engineering is under the big tent, all of cybersecurity. CCE is a bunch of techniques, and it’s it’s more than what’s in the book, but the book itself has really three big chunks.

One is consequence evaluation, and they recommend don’t start with your simplest attacks. They recommend start with your biggest fish and and do something about them first so consequence analysis.

And then some a few chapters on you know engineering mitigations. But the bulk of the book is about system of systems analysis to understand your defenses, to look for choke points in your defenses where you can choke off attacks most efficiently with you know minimal investment, maximum return in terms of security for minimal investment. So that’s that’s the big picture. CIE is the big umbrella. CCE is actually a formal training program. It’s a piece of CIE.

But CIE is big enough that just about anything fits under it that that has to do with industrial security. And and CCE is a chunk of that.

Andrew Ginter
All right, so so that’s CCE. let’s Let’s come to the translation. Translating a book is a big job. the the The CCE book is hundreds of pages. And you’ve got to you’ve got to be sure that that the translation is right. you it’s It’s a huge investment. why Why would you undertake that big a job with this book?

Tomomi Aoyama
Right so When I first met the idea of CCE, I was a researcher at a university in Japan. and My research area was trying to understand how we can communicate and engage with stakeholders about OT security in an efficient way and how we can do the risk assessment that both understand security risk and also safety risk and also their implication to the business impact. And we struggle to find the way that how this can be achieved in one way or a simple way. And my running hypothesis back then, and also now, this is my belief is that the OT security is a communication problem. That they there are a lot of, it’s a team effort. OT security is definitely a team effort. You cannot just have very experienced or the expert Bob to save the world.

Every time, we need to engage the stakeholders in internal stakeholders, different teams to understand the security and in the same way as you do in their own job language. If it’s an operator, they need to understand what security means for their operation. If it’s a business leader, they need to understand cyber security or the security implication in terms of how it impacts their initiatives and their investment.

And it is, I found it very difficult because security at least back then when I was doing the research, academic research, security was mostly discussed as technical topic. And there was not enough frameworks or ways of conveying important security and security risk in the way that the stakeholders can easily engage with. And CCE for me enabled that, especially this first part of CCE in the consequence prioritization. You don’t talk about threat, you don’t talk about threat actors, you don’t talk about security solutions, you talk about what but what matters most for your business and business continuity. That makes it very simple but easy to align any stakeholder in the organization.

So that’s why I thought that this idea I really want to convey to my community in Japan in my mother language and I want to be that catalyst to deliver the message. That’s why.

Andrew Ginter
Okay so that’s why you felt it was important to to translate CCE into Japanese. Can I ask you how it came about? It’s one thing to read a book and say, hey, this is good stuff. It’s another thing to reach out to the authors and and actually make it happen. How did this happen?

When I first met the idea of CCE, it didn’t encourage me immediately about translating the book. I think back then there was no book yet published either. and I got to meet Andrew at S4 and he was presenting about idea of CCE. That’s when the idea of CC very much clicked with so that my academic interest.

And I want to talk to Andrew at the beer bash and say, hey, I really like your idea. I really want to and really promote this method in the community in Japan. and That’s the kind of beginning of my engagement with CCE teams.

And one of the big turnpoints was the Japanese government, in collaboration with the US government, we organized a capacity building training for Indo-Pacific countries. And ICCoE, the Industrial Security Center for Excellence, and which is the OT security training organization, that I support in Japan was the and the one that provided training together with US training trainer teams, which was INL. And we ended up providing the CCE training for the Indo-Pacific countries a and together with Andrew and CCE team in INL and trainers in ICCOE.

And it was very fun engagement and it was and interesting how CCE was received from the participants also. And after Andy and I were celebrating the successful delivery of that training, it really came to my mind immediately and said to Andrew that, can I translate this book? I really think I can translate this in a meaningful way. And and can you support this? And that’s the kind of beginning. And it took another two years or so to actually translate the book.

Andrew Ginter
Okay, so you ran into Andrew at S4, one of the authors of the book S4, sort of where the world of industrial cybersecurity today comes together. You also mentioned the Industrial Cybersecurity Center of Excellence in Japan, a government agency. How were you connected with them? How did you connect those dots?

So I was fortunate enough to be involved in, the from the very early stage of ICCOE, from the establishment phase of ICCOE at 2017. And they, my university, well, the university I used to belong as the the assistant professor and now still support as visiting researcher, they take care of one-third to one-fourth of the curriculum at ICCoE. So that is my connection to the organization and currently I also support the international engagement that ICCoE does. So when they want to do the international engagement such as the training, overseas training, or inviting the and international speakers to the ICCoE curriculum, I tend to support it. So the joint training we provided between Japan and the US, that’s also the some project that I supported.

And that’s why I was be involved in suggesting that CCE could be the good topic to introduce to Japanese and also in the Pacific audience.

Andrew Ginter
Cool, so you were at the university, you you had an opportunity to connect the dots and you did, good job. Let’s talk about the translation. I mean, today you can take a Word document and pump it through, I don’t know, Google Translate or something. There’s other translators on the market as well. And say here, try translate this into Japanese. When I’ve done this with my documents for a German market in particular, um I speak a little German. I looked at the result and it was full of mistakes and I had to correct it.

So what was involved in the translation? Did you press a button and it worked? Did you have to review it at in detail? Did you have other people reviewing it? How did how did the actual mechanics of the translation come about?

Tomomi Aoyama
Andrew, it was all me. It was one person operation and it was painfully long. and especially I haven’t I have done translation of, for example, NIST 800 series, some documents I have translated in Japanese.

So I have done many projects, but not the book. So it was really different level of beast. I definitely used the help of machine translation sentence by sentence just to create the baseline, but most of the time it was more confusing than helpful. So most important thing that that I needed to create was the dictionary. The translation dictionary to be consistent throughout the book on how we translate.

For example, well, as you can see in the title of the book, the consequence, this word appears unlocked in the book. And I was very intentional and also a little bit cheeky when I translated this in Japanese. I intentionally translated as business consequence because I didn’t want the readers to mistake in consequence as information breach or some technical consequences or piece of the consequences. But I want this to tar this book to be the starter of the conversation with different aspects and seeing the security from the different perspective, more from the business perspective, business risk perspective. So I and intentionally changed the translation from consequence in Japanese, business consequence.

And so this process of creating dictionary and be happy with this dictionary, and that was a very challenging part. There are a lot of terms in CC books that are very common for probably military domain or government people.

But it’s not so much a resonating word when it’s directly translated. So I also needed to understand each concept concept very deeply. And Andrew Bohman, one of the authors, was kind and generous enough to have multiple sessions for walking through those terms, what they mean, what’s the backstory of these terms one by one. So that really helped me a lot.

Andrew Ginter
So Nate, I’ve written a couple of books. I’ve translated some material, especially into German. and In my experience, exactly what Tomomi talks about, terminology is important, especially when you’re translating a technical document. In a lot of the world’s languages, a lot of computer concepts are showing up in those languages as English words sort of transplanted or adopted into the language.

This despite the language often having its own words for those concepts. In German in particular, sort of fairly words that in English have comparatively, short, simple words for a certain technical concept might have a, in English, they’d like to jam a a few adjectives and nouns together into a single, very long, very complicated word.

And what I observe in the the German community that I interact with is they’ve adopted a lot of the short English words rather than using the the long formal German words. And when you’re putting together a translation, you’ve got to figure this out. If you use the native language words and the community that you’re addressing isn’t using those words, they’re going to look at your stuff And it’s going to be a harder read. it’s It’s not the terminology they expect. And vice versa. If you use a bunch of English, transplant a bunch of English words into the the the translation. And this is not what the community is used to. They’re going to look at this and say, this doesn’t it it it again, it it impairs comprehension. And this is, this is not the only challenge with translation. What I found with German in particular, I don’t know Japanese, but I know that in German there are linguistic concepts, gender in particular, everything is gendered. When you’re when you’re doing a little bit of dialogue, A said this and B said that, and you use the word you, you’ve got to select the word very carefully. There’s the familiar you, there’s the formal you,

And in English, you don’t have all this stuff. And when you translate material from English to German, I used a machine translator. The machine translator just gets it wrong. The machine translator says, well, I need this concept in the German translation, and it doesn’t exist in English. So I’ll just make it up. And they pick the wrong one pretty consistently. So there’s there’s a lot of repair that Choose the terminology carefully and then you’ve got to go through it and and and just repair what the what the machine translator does.

Nathaniel Nelson
And I’m wondering how you felt about the particular point of translation she highlighted in her answer, how she translated consequences to business consequences, because, you and I talk about these concepts a lot. We don’t really focus on them through the business lens. Usually it’s like physical consequences, for example.

Andrew Ginter
I was thinking about that myself after the the interview here and, reflecting on it a little bit, I wonder if it’s because it sort of reflects Tomomi’s focus on risk assessment. She was doing a lot of risk assessment work in her research and, who consumes the results of a risk assessment?

It’s generally the business decision makers who have to decide, am I going to provide funding to my engineering team, to my IT t teams to fix this problem? Explain to me in one syllable words, how much trouble we’re in, and they want to understand the impact on the business. My own focus, I tend to work more with the engineering teams who are tasked with, okay, you have a budget, solve this problem and they change the design of the systems in order to prevent physical consequences, in order to keep things from blowing up, in order to keep trains from colliding. and so I might if If I were doing this, I might have been tempted to use to substitute business na sorryria physical consequence rather than business consequence.

But thinking about it, that might just be because of who I communicate with. And to what we said at the beginning, it’s all about communication. You’ve got to get these concepts across these sort of chasms of understanding.

Andrew Ginter
And if I may, I mean, I’m an an author myself. i’d I pushed my third book out just under a year ago. I’m curious about intellectual property. I mean, I see the Idaho National Laboratory logo on the the CCE book I know that Sarah Friedman and Andrew Bachman were employees, I think, of Idaho National Laboratory at the time they wrote the book. I’m assuming that INL owns the copyright on the book. But you did the translation. Can you talk about intellectual property? Do you own the Japanese translation? How how does that work?

Tomomi Aoyama
At least I know I don’t own the copyright. So it was primarily work for hire. It’s kind of twofold contract. So one sign is my contract with INL as the so service provider, meaning that the I will provide the this translation service for them so that they can have the Japanese version of manuscript in their organization. And on behalf of INL, I was sending the manuscript to the publisher. And ICCOE in Japan, they funded to publish this book in Japanese. So I was just bridging it in between.

Andrew Ginter
Okay, so, a lot of work doing the translation. How’s it been received?

Tomomi Aoyama
I got the very kind words from people in Japan that they enjoyed the book and some people mentioned about a specific part of the job that especially part of the book that touched they resonated with them very well, which is super rewarding to me. But the first review I got on a public platform on Amazon, was very funny to me. it was it was It said that the four stars, great book, great content, minus one star for the bad translation. So that really made me laugh.

Yes, it’s it’s I know I’m not the professional translator. I cannot translate the in the same level as how people would translate and yeah great novels into Japanese. I can’t yet. But at least I made them read. So that’s a win for me.

Andrew Ginter
Indeed. it’s It’s disappointing when you get stuff like that. I remember when I published my books, you get I get positive, I get negative. You you got to shrug it off. I think the the lesson is that the material is now available to a Japanese audience that doesn’t speak English. So Have you got any sort of reaction from even verbal or face-to-face from the industrial security in Japan. How useful has CCE been in Japan?

Tomomi Aoyama
Most of the people, majority of people reach out to me saying that the CCE is a very inspiring method and inspiring approach. But I’m reading between the lines and most of the times CCE is a little bit too big of the project and it’s not something bite-sized for most of the people to easily adapt to tomorrow.

So that is one challenge that I found during and duringing and then after this translation project. The great feedback I got, not necessarily negative, but I think it really, really represents what Japanese community’s character is, is that one person told me, he’s a risk assessment, OT risk assessment specialist. He supported many, many organizations. and He said that the Tomomi, CCE needs to be dumbed down. It needs to be easy and easy to do for anyone. Right now, CCE is only useful for the people who understand OT security at the deepest level. That’s not enough. It needs to be easy for any person possible.

And that’s something I’m thinking about a lot these days. I’m thinking about all the security solutions and a lot of all the security project, it’s naturally targeting towards the critical asset operators, critical infrastructure companies, and middle organizations, and government funded organizations. So the project fund in the side is huge.

But there is a concept of the cyber poverty line where organization, even they even if they know about cyber security and know about the risk, they just simply can’t afford it. They just don’t have the resource available and and any solution at their hand to mitigate the risk.

And CCE is elegant concept and right now I’m thinking how we can make CCE and any other OT security or cyber security concepts framework solutions to be affordable and easy as possible to implement fast. Because so especially when we talk women think about so supply chain security and security as a whole.

Andrew Ginter
Another, I don’t know, legal nit, maybe. In my understanding, CCE is trademarked. Idaho National Laboratory certifies training providers. You can only call yourself a certified CCE training provider if you’ve been certified by INL. I’m curious, is the Industrial Control system Center, Cybersecurity Center of Excellence, is it certified?

Tomomi Aoyama
No, I say theory is not certified to provide CCE or accessibility training, at least on my knowledge. and But I can talk a little bit about how we introduce CCE as a concept.

Tomomi Aoyama
So ICCoE runs a one year curriculum for industry professionals and they they basically leave the work for one year to um focus on the OT security training from basically nine to five plus their own research project hours. And in there we teach many principles from traditional IT security, network security aspect to and OT or engineering discipline and risk management business disciplines. And recently we also add cloud digital transformation, those domain too. And CCE fit into the category of security leadership.

And one of the trainer, Hiroshi Sasaki, a dear colleague of mine, he introduces CCE as part of the method that that they can use when they are building the security strategy for their own organization, where they go back to the company. So some of the framework they also introduced is NIST-CSF. They also mentioned about using the 62443 and other twenty ISO 27K also. and And as one of the other tools that they can use to frame their own security strategy, they introduced CCE.

So we don’t go into detail in the same way that the INL folks provide CCE training, but we we we explain the CCE concept and the trainees engage, trainee at ICCoE engage in CC and how they can use CCE concept and the framework to present their security strategy to the executives.

Andrew Ginter
So that makes sense. I’m curious, in the course of translating the book, you presumably developed a deep understanding of the material. You have to understand the material in order to to translate it correctly. How’s that served you? I mean Personally, you’ve developed a deep understanding of CCE translating the book. Your your name is on the book. Can you talk about, has has the experience of of doing this translation changed your career at all?

Tomomi Aoyama
The book was published last year, 2023 in June in Japanese, and we haven’t done any book tour or anything. And I’m also based in UK now. I’m not based in Japan. So I don’t really have day to day, way to engage with people actually and get the book in their hand. So I’m not really feeling any burning a change or anything, but internally. It was such a privilege to be able to dissect the word by word and really, really print the book in my brain by translating the work and to feel Andy and Sarah’s work so close. And also the the book has the part that written by Mike Asante, and I have never met him in person, but I can’t really express how I felt about translating his part of the book, because his word, the opening section that he wrote It was so powerful and it was such an honor to translate that in Japanese. so And when I hear the good word and good feedback from people in Japan, I always think about the part that Mike wrote in English and how I also tried to match his energy to put in the translation.

And yeah, so externally and career trajectory wise, I didn’t see a lot of changes, but internally it was a big change for me.

Andrew Ginter
And if I may come back to the present day, I mean, you’re working at Cognite. You’re doing some sort of cloud stuff on the industrial side. the industrial cloud is coming for everyone sooner or later in some capacity or another. is your sort of deep background in cybersecurity? Is that part of your role at Cognite today?

Tomomi Aoyama
Yes, and I have to say, when I first learned about what is Cognite’s mission and what they are trying to achieve, it it made me really anxious because I was very much focused, I was and I am also very much focused on and security and reliability and operation and I was more worried about how these new technologies disrupt the reliable operation. and So that that was in the beginning. But right now, as the in the project, what what we are trying to achieve is how can we make sure that the when we provide software as a service, a it doesn’t disrupt the security or reliability of the operation, the physical operation itself, especially the digital transformation transformation. It started in the enterprise area and then it’s getting closer and closer to the critical operations. And when I look into the most of the documents on how to deploy cloud technology in a secure way, a lot of government guidance and and best practice was and treating public cloud as the starting point. And there was not enough information about how do you manage the security and governance of a hybrid setup or the private cloud setup. And especially how do you continue providing a service

When the stakeholder between the SaaS providers like Cognite and Asset Owner and Cloud Service Provider, this and how how can you manage these three parties or more potentially more parties involved? How do you make this tight connection while giving the Data Owner, Asset Owners, therefore, visibility and full control on security?

Given this is largely driven by security requirements, my background gives a little bit of perspective and to balance out the need for digital digital transformation and need for pushing through the boundary and understanding and accommodating the asset owner’s needs and IT and security team’s concern. So that is where I am. And then I also see quite the connection between the CCE Again, and I’m seeing CCE as the tool to help the communication and understanding what is a consequence and especially in terms of what we do at Cognite, understanding the dependency between systems, dependency between the data and systems and people and critical process. That’s really important. Having a CCE framework in the back of my head it really helps me to have a dialogue with customers, industry and stakeholders internally and externally.

Andrew Ginter
Well, Tomomi, thank you for joining us. It’s been a real pleasure talking to you. Before I let you go, can I ask you to sum up for us? What are the the the the key messages we should take away here? We’ve been talking about CCE. We’ve been talking about translating a book. We’ve been talking about the importance of the cloud. What should we take away from this episode and from your experience in these arenas?

Tomomi Aoyama
Oh, it was really great fun and doing this interview with you, Andrew. Thank you for having me. My takeaway is that the communication and collaboration, that’s really key to enable all the security, especially at the same speed as digital transformation. CCE is a useful tool to enable that communication and collaboration. You get to examine your security strategies program from different perspectives.

And now the CCE book is available both in English and Japanese. So if you have Japanese colleagues, if you have somebody if somebody in Japan, reach out. They may know about CCE. And now you can talk about CCE together, which is awesome.

And right now, I’m in Cognite, i’m looking forward to adapt the CCE principle into industrial cloud systems and try to, again, enable that collaboration between the cloud service providers, asset owners, and sales providers like Cognite. And learning about how we can bring the data governance back to asset owners.

Again, the book is available, the CCE book is available in Amazon. And if you are coming to Japan, let me know or let ICSEoE know. We’ll be always happy happy to talk with you. And if you have experience with industrial cloud, public cloud, private cloud, hybrid, if you decide not to use a cloud in industrial space and why, let me know. I’m on LinkedIn. I’m happy to talk with you about your challenges and your experience and learn from you. Thank you.

Nathaniel Nelson
Andrew, that just about concludes your interview. Do you have any final word to take us out with today?

Andrew Ginter
Yeah, I mean, I’m looking at, a lot of the the the topics we talked about are very timely. i’m I’m a big fan of CCE and CIE. it’s all about consequences. Consequences drive the strength of of required security programs. And but, I’m looking at, I’m on the end of my career and I started in technology and sort of worked into cybersecurity and risk assessments. my My most recent book, The Topic is Risk. It’s not in the title, but it’s it’s all about how do you use an understanding of risk to decide how much cybersecurity, do how much engineering to do.

I see Tomomi working the other way. She started with risk and with sort of communicating with business decision makers and is now tackling what I believe is the future of industrial automation. And of course, industrial cybersecurity goes with industrial automation. She’s tackling the future, which is the cloud. And the vision for the cloud is very compelling. its The cloud can save enormous amounts of money. It can add flexibility. its it’s a tremendous vision. The question is how much of the vision can we realize safely? And I think the answer is almost all of it. We just don’t know how yet.

So I look forward to keeping track of of what Tomomi is doing at Cognite. I look forward to an opportunity to invite her back in a year when she’s sort of figured out a bunch of this stuff, because the world needs to understand how to reap the benefits of the industrial cloud without incurring unacceptable physical risk. So to me, it’s it’s huge that that she’s taking this deep understanding of risk and risk assessments and now diving into the technology and hopefully leading the way for us in in terms of the industrial cloud.

Nathaniel Nelson
Thank you to Tumomi Ayayama for speaking with you, Andrew. And Andrew, as always, thank you for speaking with me.

Andrew Ginter
It’s always a pleasure. Thank you, Nate.

Nathaniel Nelson
This has been the Industrial Security Podcast from Waterfall. Thanks to everyone out there listening.

Rethinking Secure Remote Access for Industrial and OT Networks

August 6, 2025

Unidirectional vs Bidirectional: Complete Integration Guide

July 30, 2025

The Top 10 OT-Capable Malware: What We’ve Learned and What Comes Next

July 20, 2025

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

The post Driving Change – Cloud Systems and Japanese CCE | Episode 132 appeared first on Waterfall Security Solutions.

Webinar: Evolving Global OT Cyber Guidelines, Recent Developments and What is Driving it

Andrew Ginter — Wed, 06 Nov 2024 08:20:41 +0000

OT Insights Center OT security standardsWebinar: Evolving Global OT Cyber Guidelines, Recent Developments and What is Driving it

Webinar: Evolving Global OT Cyber Guidelines, Recent Developments and What is Driving it

Watch the webinar for a look into the recent evolution of OT security standards.

Watch the webinar for a look into the recent evolution of OT security standards. There are some common themes in the OT cyber security guidance published in recent years around the world. Governments and standards bodies are feeling the pressure to increase the level of protective measures and methodologies when it comes to highly consequential systems and infrastructure.

In this webinar, Andrew Ginter takes us through:

Who are the countries and standards bodies leading the way?

How Engineering and Security principles are influencing the approach to OT cyber?

What are consequence boundaries and how do they inform an OT security strategy?

Our prediction on the future of OT cyber best practices.

Meet Your Expert Guide:

Andrew Ginter

13 Ways to Break a Firewall

July 16, 2025

What Is Industrial Control System Software?

July 16, 2025

Cross-Domain Solutions: What They Are, How They Work, and Where You Use Them

July 14, 2025

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

The post Webinar: Evolving Global OT Cyber Guidelines, Recent Developments and What is Driving it appeared first on Waterfall Security Solutions.

How Likely Is That To Kill Anyone?

Andrew Ginter — Thu, 26 Sep 2024 11:40:51 +0000

OT Insights Center OT security standardsHow Likely Is That To Kill Anyone?

How Likely Is That To Kill Anyone?

IT teams newly responsible for OT security are often appalled with the results of an initial vulnerability assessment. “Patch everything! Patch it now!” is often the directive issued to engineering teams. The correct response to such a directive is “How likely is that to kill anyone?” Engineering teams cannot proceed with any change to a system until they have a clear understanding of the answer. And the answer is almost never “zero likelihood.”

Andrew Ginter

September 26, 2024

Patching or applying security updates to some industrial networks is very hard. Why? Consider a typical refinery. The entire site goes down once every three years for a retrofit where every piece of physical equipment, large and small is inspected. What is worn out is replaced, and what is old may be upgraded. Necessary new systems and upgrades are installed. Control system computers and devices are similarly examined and replaced or upgraded. The entire process incurs enormous change. Engineering teams plan for, study, prototype, analyze and test every change for safety and reliability, sometimes for up to six years prior to the three-year outages. There are frequently two engineering upgrade teams working in parallel, staggering their results into three-year production outages, because there is that much work and analysis involved in these outages.

Every Change Is a Risk

But when everything is re-assembled, do we simply turn everything back on? Well no. Despite up to six years of analysis, we may have missed something. Every change is a risk, and we’ve changed everything. So, what do we do? Typically, all vacations are cancelled. All vendor representatives and services contractors are summoned to the site. Everyone starts putting in 12-hour days, and the plant is started and is brought up to 5% of capacity. Every technician, vendor and engineer is walking around the site, looking at things, listening to them, feeling them if it’s safe to touch them, and sometimes even sniffing at them. The plant operators, their supervisors and the engineers are clicking through the HMI screens, looking at every bit of each screen to see if both the plant and the screens are working as expected. The cyber people are looking at memory usage, network communications, and logs.

Nobody and nothing is perfect. We find problems, and we fix them. We bring the plant up to 25% of capacity. To 50%. And eventually to 100% of capacity. It’s been two weeks. Everyone is exhausted. Most of us haven’t seen our families in all that time, and still, we look for problems. We find fewer and fewer new problems. Each problem is triaged. Low-priority problems are documented and handed off to the team preparing for the next outage, three years from now. We start to stand down. At three weeks, the plant is at full capacity, the vendors have all gone home and we are back to a normal staff. Success!

“Every technician, vendor and engineer is walking around the site, looking at things, listening to them, feeling them if it’s safe to touch them, and sometimes even sniffing at them. “

Patching the System

But wait – on the Tuesday following, Microsoft issues a Windows security update with 17 fixes in it. Do we apply that update? If we do, will we introduce new problems that impact safe operations? Will we introduce a problem that trips the plant? How can we know? We do not have the source code for the changes, and even if we did, we most likely cannot find people who can analyze that much code with the degree of engineering confidence that we need. If we cannot analyze the code, must we shut down again, apply the patches, bring everyone back and start the commissioning process all over again?

Many industrial sites delay security updates. They delay installing updates until they are confident that the update will not impair operations unacceptably. Sometimes it takes months of testing on a test bed to prove that the update is safe. Sometimes the patch is simply delayed until the next outage in three years.

Engineering Change Control vs. Constant, Aggressive Change

Every change is a risk and engineering change control (ECC) is the discipline that engineering teams use to control that risk. Equipment that a vendor has certified for safety at a cost of up to a half million dollars cannot be used with security updates until the vendor re-certifies the equipment using the changed operating system. Other equipment is not updated until the engineering team is satisfied with the risk, and even then, the teams tend to apply the update to the least vital equipment first to see if the patch causes problems. Then they apply it to the machines that serve as backups for vital redundant equipment. Then they switch over to the updated backups. If there are any problems, they switch back to the unpatched primaries, and so on.

This is in sharp contrast with some aspects of enterprise cybersecurity programs that in some domains apply constant, aggressive change to stay ahead of the adversary: the latest security updates, as quickly as practical, the latest anti-virus signatures, and the latest software versions and keys and cryptosystems. These “constant change” practices fly in the face of the ECC discipline. There is simply no way to keep industrial equipment patched as aggressively as we patch enterprise networks. One consequence of this limitation is that most industrial equipment is vulnerable to known exploits for much longer periods of time than is typical of enterprise equipment.

Not All Systems Are Special

While ECC is misunderstood by many IT practitioners, ECC is misapplied by many engineers. Some patches – for example to remote access systems – may be very unlikely to impair safety, or even to impair reliability. Remote access is a convenience at most sites, not an essential element of safe or reliable operations. Worse, remote access systems tend to be among the systems at a site that are the most thoroughly exposed to external cyber attacks. These are the very systems that need to be patched the most aggressively – the IT approach of constant, aggressive change is precisely what we need for these systems.

In short, a truism of OT security is that (a) most IT teams need to learn that many OT systems are special, and (b) most engineering teams need to learn that not all of their systems are special. Yes, we need ECC to manage our most consequential systems, but we need the IT discipline to manage the most exposed systems. And if we discover in our design that any of our most consequential systems are also our most exposed systems, well then we have a very bad design, and we urgently need to change the design.

To dig deeper, click here to request a copy of this author’s latest book, Engineering-Grade OT Security: A manager’s guide.

Want to learn more about Waterfall’s hardware-enforced OT security?
Talk to an expert>>

About the author

Andrew Ginter

Lessons Learned From Incident Response – Episode 139

July 9, 2025

What is OT Cybersecurity?

July 6, 2025

How Industrial Cybersecurity Works in 2025

June 29, 2025

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

The post How Likely Is That To Kill Anyone? appeared first on Waterfall Security Solutions.

Hitting Tens of Thousands of Vehicles At Once | Episode 131

Waterfall team — Thu, 26 Sep 2024 08:44:39 +0000

OT Insights Center TransportationHitting Tens of Thousands of Vehicles At Once | Episode 131

Hitting Tens of Thousands of Vehicles At Once | Episode 131

Compromise a cloud service, and tens thousands of vehicles can be affected at once. Matt MacKinnon of Upstream Security walks us through the world of cloud security for connected vehicles, transport trucks, tractors, and other "stuff that moves."

Waterfall team

September 26, 2024

“…the idea that someone might impact a bunch of vehicles to cause accidents is real. That absolutely could happen.”

Available on

https://api.spreaker.com/v2/episodes/62075286/download.mp3

About Matt MacKinnon and Upstream Security

Matt’s experience prior to his role at Upstream Security includes working at JupiterOne, Shift5 and Armis Security.

Upstream Security (LinkedIn Page) provides a cloud-based data management platform specifically designed for connected vehicles. This platform specializes in automotive cybersecurity detection and response (V-XDR) and data-driven applications. Essentially, it transforms highly distributed vehicle data into a centralized and structured data lake, allowing customers to build connected vehicle applications. A key component of this platform is AutoThreat® Intelligence, an automotive cybersecurity threat intelligence solution that provides cyber threat protection and actionable insights. Upstream integrates seamlessly into the customer’s existing environment and vehicle security operations centers (VSOC). Upstream’s clientele includes major automotive OEMs, suppliers, and other stakeholders, and they protect millions of vehicles.

Transcript of this podcast episode #131:
Hitting Tens of Thousands of Vehicles At Once | Episode 131

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Welcome, everyone, to the Industrial Security Podcast. My name is Nate Nelson. I’m here with Andrew Ginter, the Vice President of Industrial Security at Waterfall Security Solutions, who’s going to introduce the subject and guest of our show today. Andrew, how’s it going?

Andrew Ginter
I’m very well. Thank you, Nate. Our guest today is Matt McKinnon, the Director of Global Strategic Alliances at Upstream Security. And I don’t know if you remember a number of episodes ago, we had a gentleman on talking about the CAN bus in automobiles, the hundreds of CPUs in in a modern automobile and how that CAN bus, that that network of of automation reached out to the cloud, to the vendor cloud, whoever built the automobile.

Matt and upstream secure that cloud. So we’re going to be talking about the security of of cloud systems connected to automobiles.

Nathaniel Nelson
Then without further ado, here’s your conversation with Matt.

Andrew Ginter
Hello, Matt, and welcome to the show. Before we get started, can I ask you to introduce yourself, to say a few words about your background and about the good work that you’re doing at Upstream Security?

Matt MacKinnon
Andrew, thanks for having me today. Yeah, I’ve been working in network security or cybersecurity in general for the better part of the last 25 years. Got started in network security, endpoint security, IoT security, did even some DOD work and some cloud security. So kind of been around the cybersecurity market in a lot of different ways. Most recently, I’ve been working in automotive or mobility IoT security.

This is in particular where I am today is upstream security where we protect cars and trucks and tractors and pretty much anything that moves around and is connected via cellular network. I was really drawn to this company because of the connection between mobility and things that physical things that move around in cybersecurity and it really is easy to relate to everyday life and very rewarding to be able to work on something that we can sort of see and feel and observe in our everyday life.

Andrew Ginter
And our topic today is automobiles. I mean, we had a guest on a little while ago talking about the CAN bus in automobiles, in trucks, in you know things that move. You’re not talking about the CAN bus. You’re still talking about things that move, but you’re up in the cloud. Can you explain to us what is that? What’s happening out there? How how does it work and and why should we be worried?

Matt MacKinnon
It’s a great question. And it’s really important to think about what’s happening with with cars and with trucks and how they operate today and and what’s how we think they’re going to change in the future as well. So if we think about your modern car, it has really got a lot of computers in it. Everything from the infotainment system to the the most modern things have autonomous driving. So in those cars, the car itself can be can be compromised.

Those cars communicate with the cloud. They send a lot of telematic data about where they are and what they’re doing into the cloud. This is very useful for a lot of different purposes. We also have app on our phones. We can schedule a remote start or we can schedule service of the dealer and things like that on our phones.

When we get into electronic vehicles, we have to charge them. And so we connect them to charging stations and we have to authenticate and pay for electricity. And so what Upstream has realized and recognized many years ago was that no longer can you worry about just securing the car itself. The car is part of this connected ecosystem. And if you’re not looking at that entire ecosystem at once, you’re really not looking at the full spectrum of what can be compromised. The other thing that’s interesting to look at from the last five or 10 years is Upstream does an annual report about the state of automotive cybersecurity. And we’ve been doing it since about 2019. There’s really been a pretty dramatic shift in in the cybersecurity or automotive cybersecurity over that time. If you look back 2014, 2015, people were trying to compromise or hack or steal one car at a time. But if you look at the data today, that’s not the case at all.

Over 95% of the attacks that happened last year didn’t even require physical access to the vehicle at all. Over 50% of the attacks that happened at last year were attacks against thousands, if not millions of vehicles at one time. So we’re no longer talking about bad actors just trying to steal your car or my car. We’re talking about bad actors who are really going after these connected systems that we just talked about and and how can they compromise that entire system, not just one guard car at a time.

Nathaniel Nelson
Andrew, before we get into all of the detail of what he said there, can you just give me a brief overview? We’ve talked about it in a couple of episodes before, but what does the threat attack surface of my car look like? Because I have some notion that my center console is a computer and maybe some other parts of the car, but it sounds like it’s more than that.

Andrew Ginter
Yeah, we had Ken Tyndall on and he was one of the designers of the CAN bus, which is the the dominant communication system that’s used in modern vehicles. I recall that he said, look, Andrew, at the rate at which we’re adding features to the vehicle. For example, if you have a feature that says you can only start the car if your foot’s on the brake. He says for each feature we used to run and a wire, a small wire with an analog signal from let’s say the brake sensor directly to the logic that that controlled the the key and the ignition.

And there was a lot of features being added. And so for every feature when one part of the car was relevant to another part of the car, you had to run a new wire. He said they did a projection at the rate at which new features were being added, they figured that new cars by the year 2050 would be solid copper, which is, of course, nonsense. And so they invented the CAN bus. And so now most devices in in vehicles that are relevant to a feature like the brakes when you’re starting a car or something like that, they have a little CPU.

And they get power on one wire, they get the the network communications on another little wire, and now every piece of the car has one, two wires, or maybe one if you can run both power and and signal over the same wire, has one or two wires running in with not a gazillion, one for each sort of feature that is affecting another part of the car, which means a modern car has two or three hundred CPUs in it with, each CPU has a little wire or two running to it. This is this is the modern vehicle. There’s a lot of software in the vehicle.

Nathaniel Nelson
And then how does that connect to Matt’s domain, the cloud?

Andrew Ginter
Yeah, so many vehicles are connected through the cellular network or by other means, satellite, whatever, but most often I think it’s cellular, to the vendor. Whoever made the car or Matt’s business upstream is upstream security is interested in the big 18 wheelers and tractors in anything that moves. But let’s stay with cars for now. You buy a car from whoever, Chrysler, Ford, whatever. A lot of the cars are connected cellularly into the cloud so that, you can on your cell phone start them remotely. You can affect charging for electric vehicles. There’s these networks of two and 300 CPUs in the vehicle now connected through the internet into cloud systems. And of course, anything connected through the internet can be attacked through the internet. The cloud systems can be attacked through the internet. And this is the focus of of today’s conversation is what’s happening in these cloud systems and how are they being protected?

Nathaniel Nelson
Great. Understood. And maybe you get to this later in the interview. I don’t know. But the statement that stood out most to me already from Matt was this notion that over 50 percent of attacks that happened in the last year were against like thousands or millions of vehicles at one time.

Now I personally, I don’t know if I’m just not up on the news, have never heard of a cyber attack against a vehicle that wasn’t conducted in a laboratory setting or in an experiment of some kind. So what exactly was Matt referring to there?

Andrew Ginter
Well, that’s a good question. And that in fact is kind of the next question I asked our guests. So why don’t we get back to Matt and have him give us the answer first?

Andrew Ginter
So that’s a lot, hundreds, thousands, millions of vehicles at once. Can you give us an example? What has happened? What are we worried is going to happen?

Matt MacKinnon
Yeah, there’s there’s a variety of things that are happening. And I can give you a couple of real world examples of things that we’ve seen in our in our and our company’s interaction. So a couple of things. One is what what we like to call sort of a VIN-spray attack. And this is kind of interesting. So imagine a bad actor using the their app on their phone to actually try to authenticate to many vehicles at one time. So not just connecting to their car, but connecting to many vehicles at one time.

If you can trick a user into accepting, sure you can connect, now you’ve basically given control over of your vehicle and can remote start or modify your car, steal data off your car. Your attacker doesn’t have to be anywhere near you. It could be the other side of the world, but using the APIs that are connecting your phone like you are supposed to, but using it in a malicious way.

Matt MacKinnon
Similar kinds of examples with using enterprise IT and API security type of techniques to generate tokens to connect to many vehicles at one time, execute remote commands, but also cases that aren’t directly stealing data, things like odometer fraud, to roll back odometers so that your mileage on your car isn’t as high as you think or it really is to be able to get a warranty claim.

Matt MacKinnon
Or stealing stealing power from an EV charging station. So these are all variations on real things that are happening right now today. Some are very bad with people trying to take over. Other things are people trying to steal data, and then other times just people trying to sort of steal service or steal some money.

Andrew Ginter
So can we talk a little bit about who’s doing this? I mean, rolling back the odometer, anybody who wants to cheat someone does this for their vehicle, for one vehicle. There’s little benefit to be had in rolling back the odometer for a million vehicles. So people might want to tamper with their own vehicle. Who’s tampering with other vehicles? Why why would people do this? What’s what’s in it for them?

Matt MacKinnon
Like a lot of things, at the end of the day, a lot of times it just comes down to money. A lot of these attacks are based around stealing data. And that and stealing data can be done by anybody. A lot of people all over the world, bad bad organizations that are, it’s ransomware effectively. It’s just a specific variety of ransomware, people trying to steal data, sell data, collect data from a variety of things. There’s another aspect which we’re not seeing a whole lot of, but it’s definitely a concern, which would be sort of the brand damage kind of thing. Imagine if someone were able to take control over an entire fleet of vehicles, some brand, some might make and model the the impact of the fear that would that would arise if that certain variety, I don’t want to name a specific one, obviously, but would just stop working tomorrow morning, right? That would be a tremendously upsetting to many, many people. So there’s a variety of things there, but at the end of the day, the vast majority of it is really about about stealing data that they can sell and other variations on ransomware trying to get data from these automotive manufacturers.

Andrew Ginter
OK. Now, we’re on the industrial security podcast. I worry about heavy industry. Now, what I don’t know is, how diverse the North American fleet of 18 wheelers, the big heavy trucks are. But I’m wondering, is it credible that let’s say a nation state, Russia or China, someone who is involved in a physical conflict and wants to impair the delivery of goods in either the country they’re fighting with or an allies like us of, let’s say, the Ukraine. Is it credible that that the Russians could break into one or two or three vendors, the people who build the big 18-wheelers and, I don’t know, remotely turn them all off? Like cripple a third of the nation’s 18-wheeler fleet by by GPS coordinate? Is that a credible scenario?

Matt MacKinnon
it is, and there’s there’s sort of two different dimensions that are worth talking about there. One is, as you’re describing, trucking is a huge part of our critical infrastructure and the, the CSIS definition of what is critical infrastructure. And it it ranges from manufacturing, emergency services and food and agriculture and healthcare and public safety. And it’s true that if you’re able to impact transportation, you can impact massively important components of the of the economy and our our defense systems.

So to your specific question, can you can you go after trucks and and and disable a fleet? in When we’re talking about cybersecurity, the big trucks are no different than cars. And frankly, heavy machinery for manufacturing or mining or agriculture, is they’re really all connected in very similar kind of ways.

And we have actually seen real attacks like that. Last year, there was an attack against something that’s called an electronic logging device. It’s not actually the truck itself. It’s actually an IoT device that gets installed in a truck. And that that device is used primarily for logging things like hours of service, speed and location, and used for expense management, fuel and tax records, and things like that.

But they’re also connected directly to the trucks and to the CAN bus of the trucks. So they become an attack factor. And if you can compromise this device, you now have access to the actual operating system of the truck. And this did happen last year. It was pretty pretty massive. There’s over 14 million trucks in the United States that use these things. I don’t know how many of them were actually impacted, but these devices were out for better part of a month. Drivers had to resort to paper and pencil to be able to track and log their hours. And to my knowledge, it didn’t actually impact the safety of those vehicles. Like your worst case scenario that you described again didn’t actually happen. But it gave it gave us a real sort of eye opener of how close you could get if you if you really wanted to.

Nathaniel Nelson
I was waiting for Matt to give some real life examples there and it sounds interesting although despite the severity of the case, I mean, he only mentioned it in one or two sentences. Andrew, I’m wondering if you have any more detail about that story he just referenced or any other similar ones like it.

Andrew Ginter
Well, I mean, waterfall does a threat report. And I remember considering that incident for the threat report. Our criteria are different, though. We count events that had physical consequences. And I remember looking at this event and saying, the logging was impaired, but the physical process, the trucks kept moving. They still delivered goods all over the nation. They weren’t delayed at all. some of the electronics, the the logging mechanism was impaired and the the operators, the drivers of the trucks had to fall back to manual operations, but the trucks kept going.

Andrew Ginter
In the report, what I recall, that transportation is the second biggest industry hit by cyber attacks where there were physical consequences. And most of those incidents were where IT systems were impaired that were essential to, let’s say, dispatching the trucks. So you had to stop the movement of the trucks because you couldn’t figure out where stuff had to go anymore. Shipments were delayed. This is the most common sort of physical consequence of of attacks where there were physical consequences in transportation. But this, the scenario here where the cloud’s involved, this is sort of more reminiscent of a story we talked about a few episodes ago. In the Ukraine, the the battlefront with the Russian invasion moved back and forth. And at one point, the Russian army stole a bunch of John Deere farm equipment, $5 million dollars worth of it from a a small town that they’d taken over, from a John Deere dealership. John Deere was unhappy with this, having their stolen equipment driven 700 kilometers into Russia. And so they reached through the cloud because they have cloud connections to all these vehicles and turned off all of the stolen equipment. So that’s an example, not of a cyber attack, but of a capability that, you know, that a lot of people looked at that incident and said, yay, stick it to the invaders. And then they said, just a minute. What just happened here? What if John Deere gets it into their head to turn off all of the vehicles, all of the tractors in Europe at planting at planting time? What if the Russians get it into their head to break into the John Deere cloud and do that? So this is kind of the scenario that we worry about. But in the the upstream threat report, most of the incidents I saw had to do with affecting thousands or millions of vehicles, had to do with theft of information from those vehicles and holding it for ransom.

Andrew Ginter
So that all makes sense. Now, one of the reasons I asked you on as a guest is because you folks in upstream have stuff that I’ve never heard of to address this problem. So, having defined the problem as, cloud systems can reach into cars and, there on the Internet, they can be compromised. Can you talk about your solution? What do you guys do and and how does that work?

Matt MacKinnon
Yeah. so if i were to to make For those of your listeners that are at enterprise IT or you’re familiar with enterprise security, maybe I’ll make an analogy and then I can dive into the details. The analogy if you understand sort of endpoint security or those kind of network security, you’re familiar with the term of an XDR platform, then you also need a Security Operations Center to manage that and you probably want some threat intelligence to support that. That’s effectively what we’ve developed for mobile devices, cars and trucks and tractors and other ones.

The three components there really are that XDR platform. And what does that mean? That means we collect data from the vehicle itself, from the telematics cloud, from the APIs that are calling in and out of it. And we stitch that all together in the cloud in what amounts to a digital twin of a vehicle. So for every vehicle we monitor, and we monitor over 25 million vehicles today, we’ve got a digital twin of exactly what it is, where it’s going, what it’s doing, how fast it’s going, everything from oil pressure to geolocation to what was the last remote command that came to it from some some API and in in the in the cloud. That gives us the ability to look for anomalies, look for patterns of bad behavior, to identify something like, hey, why did a remote start of that vehicle come from a country that the vehicle isn’t in?

Or little things like that, that seem very simple on the surface, but are very complex to see unless you have the breadth of data that we do. So that’s one piece. That’s the technology piece. But yeah you then need someone to actually operate this thing, right? So a Security Operation Center, or we’ve coined the term the Vehicle SOC or the V-SOC.

Matt MacKinnon
A lot of operators don’t really have this capability or the skill set themselves. So we offer that as a service on top of our platform. If you want, sometimes people would do it themselves. Sometimes people bring in an MSSP to do it. The last component of the solution, though, of course, is threat intelligence. And there’s lots of vendors out there, lots of providers that will do threat intelligence for classic enterprise things and some OT things. But what we do there is very, very specific to the automotive industry of every engine control unit and software version and hardware version and yeah there’s a cars are aggregations of many, many components. So we take that whole software bill of materials, hardware bill of materials, and we actually have a team that goes and does research and on the deep web, the dark web, interacts with the bad guys and figures out what they’re up to. And so when you put that all together, the XDR like monitoring the SOC service to actually operate the platform and then the threat intelligence of what are the bad guys really doing and what are they working on, you end up with this really complete end-to-end solution for being able to determine and monitor and make sure that vehicles and these devices are are actually secure.

Andrew Ginter
So you just described a detective capability, detection, threat intel, sort of deep knowledge or deep understanding of stuff. When there’s an incident, do you also respond and recover? And to prevent incidents, do you have anything that you embed in the vehicles or in the cloud of your protected customers?

Matt MacKinnon
Yeah, so you’re right. Our primary focus is on detection. But all those other sort of respond and recover and protection are equally as important. So you’re right, we are not in-line. We don’t have a way ourselves to natively block something that’s happening. But we do that via integration in the partner ecosystem around us. So it may be that if it is a sort of more modern vehicle that is a software-defined vehicle, then there are ways that we can actually send commands or updates back to a vehicle to tell it to stop a behavior or to integrate with the network itself. So if a device is cellular connected, can we talk to the cellular provider to drop that connection to to do that? So we can’t do it directly, but we can integrate to do it. From a protection, like in the design time phase, we do work with the automotive manufacturers directly themselves, the chip makers, as well as the software providers and everybody from Red Hat to Amazon and Google to Qualcomm and others where we’re involved and can be influential in the way that those systems are designed, using our threat intelligence, using our knowledge of what bad actors are doing to help make sure that there is a secure development process and that these these devices have the right level of onboard protection in place.

Andrew Ginter
And you folks have been doing this for a while. You have customers, the big automobile makers all over the world. Can you talk about your customers experience using this technology? What have you been finding? What’s of value to them?

Matt MacKinnon
It’s very interesting to see what people can use the platform for. We do see a lot of cyber attacks, and we talked about the VIN-spray and some of the API examples before. But the the platform we have, the visibility and vulnerability that we provide definitely lends itself to a bunch of other things. We’re seeing customers use the platform for identifying theft, stolen vehicles, and seeing vehicles being in places they shouldn’t be.

We’re seeing fleet operators use the data that we have to be able to monitor where fleets are or the vehicles being used appropriately. Everything from fast accelerations and breaking hard to other types of usage and mileage for fleet management. The other use case that’s emerging to be more common is related to electronic vehicles and the use of their batteries.

And there’s a lot of new behaviors people need to learn about properly but managing a battery. How do you charge it? When do you charge it? Things like that. And we can provide some really interesting insights to those kind of use cases. So customer satisfaction kind of things as well there. So it is one of the sort of fascinating and fun things about the the company and the product and the technology is the useages uses of the technology beyond just traditional cybersecurity.

Andrew Ginter
Nate, let me jump in here. The reason I asked that that question of Matt is that he’s got basically a detective, intrusion detection, attack detection technology here. And what I’ve observed is that almost whenever we deploy a detective technology into an OT system, we get operational insights as well as security insights. so I remember 20 years ago when I was deploying intrusion detection systems, the the first intrusion detection systems that went into industrial networks, the engineers at the site would be looking over our people’s shoulders while we were tuning the system, tuning out false alarms and figuring out the the the right way to to report on these systems. And they’d look over our shoulders and say, what’s that? That’s a lot of traffic between a a the engineering workstation and a particular PLC sucking up 80% of the bandwidth of the the network going to that you family of PLCs. What is that? And we dig into it. And well, a test had left had been left running on the on the engineering workstation that should have been turned off. This is why the whole system was a little bit sluggish, not slow enough that anyone raised an alarm about it, but once you lift the lid on these OT systems and you see what’s inside, often there’s operational benefits.

I mean, Matt talked about electric vehicles. Batteries are a huge part of electric vehicles. And these batteries, they’re chemical systems. If you deep discharge them or don’t deep discharge them enough or charge them sub-optimally, battery life is reduced. The lifetime of the battery, years of battery life, the range you get on the battery. And so, the sense I had is that before, the upstream security technology went in, fleet vehicle owners and electric vehicle vendors might not have had the data. They didn’t have the instrumentation to figure out, to gather all this data. well Upstream gathered all the data to figure out if there was an attack in progress, looked at the data and said, nope, there’s no attack in progress, and then go back to the vendors and say, by the way, we have all this data. Would you like to use it to change the design or improve the design or optimize the design of your electric vehicles so your batteries last longer? Yes, please.

So A lesson here is that there’s often secondary benefits to deploying detective security measures. You get insights by looking at data that you just didn’t have before.

Andrew Ginter
So this is all good. What I worry about as someone involved in industrial cybersecurity, heavy industry, mines, high speed passenger trains, I always worry about safety.

We’ve talked about sort of credible threats to safety sort of as as future concerns. Can you talk about what’s happening there? How how worried should I be about the the safety of my cloud connected vehicle?

Matt MacKinnon
It’s a really important topic. I think the good news is from your as an individual consumer, should you be worried about your connected vehicle from a safety perspective? Probably not. I certainly don’t worry about know driving my car every day. But I think and on a grander scale, safety really is important. Right. The fact that we’re talking about these software in vehicles, the connection between software and the physical world, you’ve got vehicles, cars, trucks, tractors, these things are thousands of pounds, they move at very high speeds. The implication of a cyber incident to safety is pretty dramatic. And fortunately, we’re not seeing that a whole lot, but it is possible and certainly could happen.

And so the idea that someone might impact a bunch of vehicles to cause accidents real. That absolutely could happen. We have seen, not quite safety, but we’ve seen attacks that were designed to cause congestion and gridlock by sort of car services all being called into one location and causing gridlock and that causes a lot of people start to panic when there’s gridlock. And so there’s variations on safety. But the other related concept that I think is also really important is actually I sort of borrow it from the military world. And that is the concept of readiness. And it applies to almost any industry, really. And that is your vehicle ready. And today a lot of people think about vehicles and readiness. They think about, is there gas in the tank? Did you change the oil? And is there air in the tires?

Well now that these vehicles are also software defined or have software connectivity, readiness includes is it cyber secure? And has someone impacted it from a cybersecurity perspective? And so it’s not a concept that I hear a lot of talk about today, but I do think it’s something we’re going to see more and more, especially in industries that rely on the vehicles for their business, like delivery and trucking and things like that.

Andrew Ginter
So that makes sense. You are deep into automotive cybersecurity. We’ve covered in this podcast a bit of what’s happening in the vehicle with you folks, a bit of what’s happening in the cloud. What’s the future hold? What is the future of of automation in vehicles large and small?

Matt MacKinnon
Yeah, what we’re seeing for sure is what is known in the industry as the software-defined vehicle, where really the cars and trucks and tractors and all these devices become computers first and vehicles second, almost. And so that increases the attack surface. I mean, the the power of these vehicles is pretty amazing in what they can do. And we’ve all been watching the future of autonomous driving. But that also applies to connected agriculture, autonomous agriculture, robotics in all sorts of ways. Right, so we’re seeing more and more of these vehicles or or mobile devices become connected and become software defined.

And that has amazing business benefits and and productivity benefits that we’re all going to benefit from. But it does increase the attack surface and just make these things much more complicated and much more targeted and secure. So it is an area that is rapidly evolving. we’d We’d be remiss to talk about this without throwing in the implications of Gen AI and how then the data that these things are going to generate and how that’s going to both make the bad guys better and make us better at protecting. But yeah, the the software-defined vehicle, the increased volume of software in vehicles is really the future of the industry, but then the impacts to cybersecurity are clear.

Andrew Ginter
Software-defined vehicles. That’s a scary thought for someone like me who’s focused on the worst that can possibly happen. But if we have people working on the problem, I’m confident we can work something out that’s going to keep us all safe. Thank you for bringing these insights and these worries to the podcast. Before I let you go, can I ask you, can you sum up for our listeners, what are what are the key takeaways here?

Matt MacKinnon
Yeah, thanks, Andrew. I would start by reiterating what you just said, which is, the good news is for the average consumer, the average driver, it’s just not something you have to spend that much time worried about. The manufacturers are taking it seriously. There’s, software vendors like upstream that are taking it seriously. We’re working on it. It does happen, but it’s not something everybody needs to – it’s like don’t stop driving. The next thing though is to also be aware that this isn’t just about cars, right? There are cars and trucks. I have alluded to agriculture and tractors but this is continuing to get bigger and bigger the the notion of software-defined anything and software to-defined vehicles of all varieties is is growing, not not slowing down.

As we get into autonomous vehicles, that’s going to make it even more and more complex. Don’t worry about it too much, but it is getting bigger at the same time. The last thing is, this is what we do at Upstream. The company was formed for this. It’s what we do. We take it seriously. We also care very much about sort of giving back and contributing. And that’s why we do the annual report and the research that we do that we publish, host webinars, most of which is information sharing and thought leadership and not trying to sell stuff. So please check us out and take a look at that report. It is free and anybody can take a look at it and we’re already starting to work on next year’s now.

Nathaniel Nelson
So, Andrew, cars are a microcosm for cybersecurity at large.

Andrew Ginter
Indeed, and the cloud is coming. The cloud is coming, and it’s coming to many industries. In my experience, manufacturing, all kinds of manufacturing, is using cloud systems quite intensively. More sort of conventional, critical infrastructure, water systems, power plants are using cloud systems somewhat and increasingly, and it looks like the cloud has arrived for automobiles and other kinds of moving equipment and is is being used fairly intensively. And all of those uses, I think, are going to increase. This is the future. And of course, what we have then is, lots more software involved, lots of opportunity to attack that software.

Attacks are targeting cloud systems and there can be physical consequences. So I think it’s a big new field. It’s just going to become more important as the years go by and is, I guess, something more, something new to worry about in, in the field of industrial cybersecurity.

Nathaniel Nelson
Well with that, thank you to Matt McKinnon for his interview with you. And Andrew, as always, thank you for speaking with me.

Andrew Ginter
It’s always a pleasure Nate, thank you.

Nathaniel Nelson
This has been the Industrial Security Podcast from Waterfall. Thanks to everyone out there listening.

13 Ways to Break a Firewall (and alternatives for OT security)

June 25, 2025

Secure Remote Access: Everything You Need to Know in 2025

June 16, 2025

Cross Domain Solutions Explained

June 12, 2025

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

The post Hitting Tens of Thousands of Vehicles At Once | Episode 131 appeared first on Waterfall Security Solutions.

AI Takes on Polymorphic Malware | Episode 130

Waterfall team — Tue, 10 Sep 2024 07:47:42 +0000

OT Insights Center OT security standardsAI Takes on Polymorphic Malware | Episode 130

AI Takes on Polymorphic Malware | Episode 130

The bad guys keep getting better at what they do, and so must we, the defenders. Gary Southwell of Aria Cyber joins us to look at using AI to get ahead of constantly-changing malware.

Waterfall team

September 10, 2024

Available on

“We use a reactive AI in our methodology to actually pick the right counter measure which blocks the technique that the attacker is using that in that moment in time.”

https://api.spreaker.com/v2/episodes/60917498/download.mp3

About Gary Southwell and ARIA Cybersecurity Solutions

Gary Southwell is a cybersecurity veteran who worked on deploying some of the first Checkpoint firewalls back in the late 90’s. He has worked at Juniper Networks as an IDS Product director before going on to co-found Seceon, an early leader in the use of AI to find and stop cyberattacks. Today, he is the executive officer responsible for running ARIA Cybersecurity Solutions. Besides managing existing lines of business, his focus has been on leveraging his AI experience to develop simple to deploy and operate solutions which help manufacturers secure both their IT and their OT environments. His vision is to make it easy to automatically stop today’s most devastating cyberattacks before they can do harm.

ARIA Cybersecurity Solutions (LinkedIn Company Page) provides new ways for monitoring internal traffic, while capturing the right mix of analytics to security tools like SIEMs, or their ARIA ADR application, to substantially improve threat detection and surgically disrupt cyberattacks and data exfiltrations. Customers in a range of industries rely on ARIA’s solutions to improve their security posture—no matter their environment. ARIA Cybersecurity Solutions is a business of CSPi and includes ARIA Software-Defined Security (SDS), Myricom network adapters, and nVoy Security appliances. ARIA has a proven track record in supporting the Department of Defense and many intelligence agencies in their war on terror, and an award-winning portfolio of security solutions,

Transcript of podcast episode #130
AI Takes on Polymorphic Malware | Episode 130

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Andrew Ginter
I’m very well. Thank you, Nate. Our guest today is Gary Southwell. He is the General Manager and Vice President at ARIA Cybersecurity Solutions. And we’re going to be talking about AI, a new use for AI in protecting critical infrastructure.

Nathaniel Nelson
Then without further ado, here’s your conversation with Gary Southwell.

Andrew Ginter
Hello Gary and thank you for joining us before we get started can I ask you to you know say a few words about yourself for our listeners and say a few words about the good work that you’re doing at Aria CyberSecurity.

Gary Southwell
Well thank you? Yeah, a little bit about me so my background I’ve been in cybersecurity really since the early days I was a system engineer in the 90’s working on some of the initial checkpoint deployments as firewalls. Spent a lot of time at Juniper Networks trying to improve the way we did network security with more of intrusion detection prevention systems moved on into a company called Seceon where we worked on adding artificial intelligence to a SIEM product so that we could do more advanced managed detection response solutions for MSSP’s and really over the last seven years I’ve been here at Aria CyberSecurity and we’ve really looked at how do we actually stop the attacks that we’re seeing in the news and if you date back. The attacks we’re talking about are the ones that are really going after the critical assets that are out there. Everything from the Colonial Pipeline on, we want to make sure that we’ve got a better way to actually go in utilize our artificial intelligence properly to find and stop these types of attacks.

Andrew Ginter
Thanks for that and our topic today is using AI to protect critical infrastructure and my understanding of the way that you folks use AI. Outfits like Juniper and others have used AI in their firewalls for a long time to look at the messages coming through and try and figure out do these things – are these things attacks? You’re doing something different is my understanding. You’re not focused on the firewalls. You’re focused on the hosts. So we already have in a sense antivirus on the hosts we have white listing on the hosts. What is the problem you guys are trying to solve? And why isn’t it already solved with with antivirus and whitelisting?

Gary Southwell
All great questions here. So we believe you want to actually stop the attacks at the point where they’re actually attacking their critical applications which is what drives your critical infrastructure. So the challenge with solutions. We call these active solutions that they’re going on the host. Is that if you look at traditional antivirus that’s been around with us for 20 years is that they are looking for files typically that land on the device and they have a known bad signature that’s calculated off of looking at the file you can calculate a hash and it comes up with a value – matches something bad that I’ve been told about I can block it from running. It’s a great concept. The problem is malware of all kinds including ranomware. The signatures are now polymorphic really over the last five years so you get a different value every time it lands on a different device so that type of. Antivirus really is not got an excuse me that approach really isn’t effective anymore as we’ve entered this decade the other approach as you mentioned is whitelisting it kind of got a bad name because it’s been difficult to use but whitelisting just means or we call it access control these days is it says I can delineate which application should be running on this device I can check their certs and then make sure that it is that application and then allow it to run.

And by default I’ll block everything else. So these are good approaches if we can make them work in today’s environments so we start there, we’re saying we need to make sure that the applications. The critical applications can run and anything else that would land. Like a file-based malware ransomware would not run. That’s just your very basics the challenges with these zero day attacks as I said before is that the can’t detect them with signatures so the industry kind of evolved over the last five years to looking at patterns. Ah, behavior or what we really call as industry indicators of compromise when something bad lands on a device. It does this and then this and then this through the killchain we can identify the pattern once we know the pattern if we have a way to then block one of those steps we can disable the attack. Call that next generation antivirus so vendors like Crowdstrike sentinel one do a really good job. With those types of of of approaches. However, when we get into what are the rest of the attacks. These are more sophisticated level attacks like the ones we’ve seen in the industry starting with.

Solarwinds where you’ve actually got humans behind the attacks they may use some form of credential use or deposit software through a legit channel like they did with SolarWinds. And then they progress and attack once they get in get a foothold and they begin to take additional steps so we’ve got a myriad of attacks so bringing this back to how do we use AI we want an approach that can actually detect the various attack techniques that are happening. And if they are somehow adulterating an application trying to to deposit a new one on the device or they’re coming in and using existing processes against themselves. We used to call those advanced persistent threats. They’re more generic. Very specific ones are like living off the land where they’re using the actual os processes against the actual device we need to be able to detect that and apply the right measure to stop that type of attack and this is what we believe is the role of AI on the device. It’s not your generative AI just make sure you understand that the technically massive horsepower. This is the opposite. We use a reactive AI in our methodology to actually pick the right counter measure which blocks the technique that the attacker is using that in that moment in time.

Nathaniel Nelson
Andrew, I would just like to second a lot of the points that Gary has made here. It feels like we might have crossed some sort of vague threshold in recent years where traditional detection antivirus has started to work a little bit less. I mean, as he mentioned, the number of variants and samples out there of your typical malware can get really crazy. I mean, only in recent months I recall a report about mobile malware. I think this was published by, I forget the vendor.

Where you you wouldn’t think of mobile malware as necessarily quite as subject to security analysis as traditional PC malware and yet so many malware families that target mobile devices these days have hundreds or thousands of samples out there. There’s a malware called Godfather with well over 1,000, Nexus, Sederit, Pix Pirate. So those kinds of solutions that would have picked up based on traditional fingerprints may not suffice anymore, even in the mobile realm, let alone PCs where we would expect it. And there’s also the fact he highlighted briefly their behavioral indicators of compromise. This to me seems like where cybersecurity across IT and OT has been going lately. Traditional indicators of compromise can help, but I recently came across a report from Mandiant about Chinese ORB, they call them, networks, ORB being short for operational relay box networks. It’s not an entirely new concept, but basically, in China, there is an entire economy of folks who provide infrastructure to threat actors across the Chinese spectrum.

And so where once we might have been able to say, look out for these servers, they’ve been used by this group. Well, now those same servers are being used by all kinds of groups. And so it’s less helpful now. So the way that we are adapting is by tracking behaviors of threat actors rather than static indicators like that. So this is a very long way to say that I agree with all of the points that Gary has made.

Andrew Ginter
Yeah, and you’re talking about polymorphic. These are are viruses that change frequently. Either the bad guys change them frequently, so there’s thousands of variants out there, or they change themselves. They self-evolve. So again, there’s thousands of variants out there, so that signature-based solutions have a hard time keeping track, publishing enough signatures fast enough to to track things as they change. The traditional sort of alternative to signature-based antivirus in the industrial space has been whitelisting or application control, some people call it, or allow listing. What it is is a list of programs that’s allowed to run on your industrial computer and blocks everything else. So it doesn’t matter what the latest signature of the virus is, if it isn’t allowed, if it’s not on the list of a allowed, then it’s blocked.

But that class of solution, allow listing, is itself limited. So for example, when you install software updates, you have to update the list of allowed applications because you’ve just changed a whole bunch of your applications. You’ve changed their signatures, you’ve changed their their sizes and their So having changed all that, that’s a vulnerability. If the bad guys can get in there and hack the update process, they can get their nasty listed as an allowed executable and they’re off to the races. Other ways that allow listing is is limited, everything is limited. I’m not knocking a allow listing. It’s a useful solution.

But be bear in mind that it tends to focus entirely on executable code. So, .dll’s, .exe’s, .com’s are coming off the hard drive into memory and that’s when they apply their checks. If your malware is scripted, well, I’m sorry, the Perl.exe is allowed because the operating system needs it or the the control system needs it. Python.exe might be allowed and now you’re loading a nasty as text off the drive and allow listing is kind of blind to that. They don’t really check text files. And, another class of application that that are of bad stuff that, allow listing is blind to is in memory attacks. So if you can compromise something and start executing with a buffer overflow or something and start executing your own code and inject, insert the malware into memory, again, allow us to look at things coming off the disk. It doesn’t look at what’s happening in memory. so yeah we need As malware becomes more sophisticated. We need more sophisticated tools to diagnose it and deal with it. And here’s a new kind of tool. And And these are some examples of why we are always looking for sort of the next step in these tools.

– OT Security Commercial Break –

This portion of this episode of the Industrial Security Podcast has an inserted audio commercial on the topic of OT Security that may vary from region to region, or may be omitted completely. If you’d like to find out how Waterfall might help you with your OT security needs, please set up a call with one of our OT Security Architects at a time that works best for you.

– OT Security Commercial Break ends and the industrial security podcast continues… –

Andrew Ginter
So that makes sense and I followed some of it. I know what a polymorphic virus is but and you talked about sort of attacks that that can defeat the the access control as well. Can you go into a little more detail. we’re we’re going to talk about AI in a second but can we nail down what is sort of a a modern advanced piece of malware. What’s it look like and and can you sort of not comprehens it not every kind of malware that come after us can you give us sort of one example of the kind of thing that existing antivirus and access control might struggle with.

Gary Southwell
Yeah I could probably pick one example that’ll let you read the audience get really significant. Let me pick one example to let the audience get their heads around the use of advanced malware and what do I mean by a sophisticated level of attack. So one comes to mind I mentioned it a minute ago. and this was the type of attack that really set the industry kind of on its ear. So I’ll date myself back to January 2021. This is when the discovery of the solar winds attack was happening. This was a nation state backed attack and if I step into it a minute. It was very very clever. The way they they did it. It was called a sunburst attack it used malware. But the way they decided to get in was to actually go into SolarWinds infrastructure and as they were packaging their Orion software for an update. They actually put in what we call a shim form of malware inside that update very very small so that would go through and. Not be easily detected. You didn’t want to like be doubling the size of the update that might get picked off so it’s very very thin and its so objective was to get in and as they Orion software update was initiated. It would be ready to do its one task.

And that’s one task was to call back out of the location back to a command and control location where the rest of the attack had happened. Okay, so this is very very small piece of malware. Actually being embedded is one of the tool sets inside of the Orion update was clever, but they also made it what we call polymorphic. So as it deposited inside there it slightly modified itself. So that. If you were to calculate a signature, it would be slightly different for each form of deposit this makes it a lot harder for us to go and say we can pick it off and because it’s now embedded in a toolset that makes it very difficult because most of today’s more sophisticated solutions weren’t looking at that level, trying to figure out what was happening and only really exhibited one behavior. It did a callback what happened next though was after the callback the attack actually had 12 more steps and the callback brought in another form of malware and that was more what I would call the business end of the attack so that had more capabilities inside of it to launch and step up the attack to allow it to figure out what was on and then its other role was then to attempt to spread inside the environment if it could and then pull back information. And that’s when humans would get involved and then would begin to take additional steps so that’s an example of polymorphic malware enabling the beginning of a sophisticated attack that would get by most of the protections we have today as an industry so the next part of the attack as it began to evolve had multiple steps and one of the steps that was in the attack and this was brought up in the senate hearings where they brought in some of the industry’s leaders Palo Alto and Crowdstrike of course Microsoft and SolarWinds were in the panel and they said to them and they all agreed it’s like.

And some of the situations you were present on these devices when this attack was occurring. I’m trying to quote Marco Rubio asked the question it was reported that you were bypassed and everyone in the panel said yes, that was in fact, the case. So bypass just means that in effect they either couldn’t see the attack or more likely, the attackers are actually able to have control of the system and basically disable them at the task master location at least temporarily they probably come back right? Up and boot up. But it then lets them get by if they’re doing something else that they might might see an attack so these were fundamentally new sets of challenges that the industry now had to face that you could use basic tools like malware but in the hands of sophisticated actors.

It could do an awful lot of harm and as we saw with SolarWinds it went on for almost a year without actually being detected. It was it was fortunate enough that firear actually saw some of their tools actually leaving their environment and that was the first time that was ever picked up since then we’ve had a series of similar. Think the industry the OT industry itself from last count had about 700 of these types of attacks actually happening not all from the same actor by the way but other actors because once the formula was figured out sophisticated attackers could then utilize some of these same techniques. So this has been so the the ones right after it were the Colonial Pipeline that was a simplified variant of what we just heard about but there’s other types of attacks that have gone over the years are you picking up that dog in the background.

Andrew Ginter
So thanks for that that that makes sense. Can we talk about AI where this is the the topic here if we had a magic AI sitting in our our industrial control system hosts. What would that AI do how would it detect attacks like this?

Gary Southwell
That’s the part. That’s the most challenging and that’s why you need some form of AI. There are very different techniques that are being applied. By the attack type some cases. It’s just recognizing that. There’s foreign code that’s appeared here in other cases. It’s like I’ve got to understand that there’s an abnormal operation happening in conjunction with this legitimate application. There’s some form I will call adulteration going on here. And other cases. It’s the application is running fine, but for some reason it’s going from a user level trying to escalate itself to a system level that allows them to get control of the application or. It’s trying to use processes inside the os that are not affiliated with an application or it’s a spoofed application variant. That’s actually trying to initiate the processes on the OS some of these I’ll bring that up is that came out in the pool party attacks at the last black hat and. The Uk they showed 8 different forms of thread processes that are available from the os for the applications to use that attackers could easily take advantage of so I’ve really described three different types of techniques.

And inside there’s a variety of combinations. So this makes it very difficult to figure out how to stop all forms of attack if I want to make sure that we’re doing the best job we can at the host to stop. Whatever may be happening whether it’s a zero day form of. Malware or ransomware that we haven’t seen before we haven’t seen the IOC patterns and it’s trying to just do its thing or it’s one of these variations of attacks that these sophisticated typically nation state back. But now it’s cyber crime backed attacks that are out there that. These kits are out there and they can vary their attacks. So the AI really needs to make sure it’s saying I can pick off what’s happening and then what do I do about it just like a human would I’ve identified. It’s a sophisticated attack. Someone’s using a privilege escalation I’m going to apply this countermeasure to block it I’ve discovered this is an interesting piece of code that’s arrived here and I need to block it I recognize that this application is no longer working the way it should. It’s actually. Copying things off into buffer spaces that it normally doesn’t do I need to stop that from happening and block that operation or I’ve got unattached processes from the os that and should not be running I need to make sure I can block them at this moment in time.

This is where the the AI comes into play from our experience here in industry.

Andrew Ginter
Okay, so let’s get specific here. We’ve been talking about the problem sort of in the abstract and we’re drifting into you folks have this stuff can you give us just a quick rundown. What do you have? How does it work? why do people deploy it? what are we talking about here?

Gary Southwell
Right? So in our particular application of this technology is we built a very lightweight agent and it’s different from your typical agents. We are going in at if you understand kernels especially in the Windows environment. Or Linux environment where we play is we attach at ring 0 right? at the kernel level. The reason we do that is we want to see everything that’s going on as far as processes from applications that are leveraging what’s happening into the kernel and vice versa. The other thing that we do that makes us fairly unique. We actually have some patents on this so we’re hoping it’ll stay unique is that we actually watch device memory continuously this is the way that we can actually pick off some of these techniques. When you’ve got abnormable use of buffer memory or you’re actually seeing some process kicking off where something’s being written over here into Notepad and that’s now being imported into the application because it’s probably giving them access to some form of change to the application that they want to to leverage. We do that inside our our our agent the markets we’ve chosen to go after though have a variety of requirements. We’re typically talking about operational technology environments.

And there’s many of them. If you think about manufacturing we’re talking about manufacturing floors. We think about utilities. We’re in the process devices out there that have an OS on them that are helping them run and control electrical generation and distribution. You’re talking about oil and gas same way, you’re dealing with the processes. So these are environments. We chose to go after because they are high value targets as we saw what the Colonial Pipeline is a good example when we get into these environments. We also find that you have got other constraints. Typically there’s not continuous internet connectivity. In fact, they purposely tried to limit that as one of the protections they often have limited processing power available left to anything else that’s going to run besides the production applications in some cases some of these devices that are old. or they’re running what I would call old versions of the OS because they’ve been trying to sweat that asset for many many years you know? For example, we’re deployed in a large pharmaceutical around the world in different locations. We’ll have devices. That are in these various lines and you’ll see oh I see Windows Server 2008 over here in some locations. We actually see Windows XP typically Service Pack 2 which is nice because it’s got nice controls and they’re still using that asset because they built their applications on top of that.

And everything just runs and in typical OT fashion if it works don’t change it and then their hope was let’s wall off the environment using passive protections from the networks if we can. And yet what they found is supply chain attacks get around the network protections. So what we did is made sure that our application could run on these older operating systems. It could run with very very limited amounts of cpu. And limited amounts of memory so that we could perform and not impact the performance of the production applications.

So the benefit of this approach is that we can go on to a myriad of these devices with many many different forms of applications and I’ll go one step further here is when we’re deploying in these environments. We expect to see tens of applications. In fact, in some cases we actually see upwards of 1000 of these applications. So our approach as we deploy is to prevent the adulteration of applications. 1 of the side benefits is in these environments is that. When you have this many applications you’re going to have known vulnerabilities inside those applications is by published by cbes and the chance of ever forever having in them all continuously patched even in IT environment is almost no and when you only have a chance to patch. Maybe once a quarter at the fastest and more likely in this pharmaceutical company. It’s once a year you’re never going to be patched. So one of the side benefits was because we go in and protect these applications from adulteration the ability to exploit these vulnerabilities. Become significantly less I won’t say zero but we can go down to a 99 % chance that we are going to block the exploit of these applications and this then becomes a real benefit because now you’ve dramatically improve the likelihood.

Gary Southwell
That we can keep these operations operational even during an attack because we will continuously block those attackers. That’s that’s the benefit when people went through the risk analysis they’re saying okay I can look at it. The cost of my line if it goes down for x number of hours is thousands of dollars and if it goes down for a month. It’s millions of dollars and if you’ve taken down my risk by a factor of 99% I can actually calculate a value to that. So these are the benefits that we’re offering now the challenge really that is you’ve got all these applications. How do we actually make it. Easy for these operators to use this technology. Do you want me to go into this or should I hold off on that is my question to you.

Andrew Ginter
So there was a lot of stuff there, Nate. Let me come back to the SolarWinds example. The Gary said the malware came in as part of the SolarWinds security update. So that would have defeated the the whitelisting, the the application control I was talking about, because it would have come in saying, hey, here’s a new authorized executable. And the malware would have been flagged as as authorized.

And then What the malware was, was something that phoned home. They called out to the Internet and said, hey, boss, I got a live one here, and did not much else. It was very thin. It was small. It was benign looking. A lot of malware phones home to the vendor, not not just malware, a lot of legit software phones home to the vendor and says, here’s what’s going on because the vendor is helping manage the software. So it’s not that suspicious, that the malware is phoning out to the Internet.

The alarming thing is that what it got on the internet was here’s another whole bunch of code and it copied the code that it got from the internet into memory and started executing it and at that point it became dangerous it really started doing nasty stuff and so again whitelisting would have missed it as part of the software update would have missed it as in memory pulling stuff off the internet or often after the the the the socket, the connection out to the internet and inserting it into memory and starting to execute it.

This is where we need sort of a deeper insight into execution. so I think that that one example sort of hit all the marks there.

Andrew Ginter
Okay, so so you’re doing things that that antivirus and access control don’t can I ask just a clarifying question when. When your stuff is deployed. Do you tend to see it deployed in addition to Antivirus or whitelisting access control or are you deployed sort of instead of that.

Gary Southwell
We’ve seen it both ways we designed it so it would run in parallel with some of these AV solutions that are out there because again we’re trying to go in there and say we’re not disrupting your existing infrastructure if you have a reason to keep running that great. We’ll just come in and and run alongside. we’ve never gone in and they’ve kept an application whitelisting solution. There. They’ve typically just moved to us so in many cases they’ll be running things like windows defender and we’re running in addition to that.

Andrew Ginter
Digging deeper – your stuff is installed in the kernel. In my experience, there’s long-standing reluctance to deploy any kind of security technology on existing hosts in existing OT networks existing Systems. The vendors sometimes push back and say no, no, no, you’ve installed somebody else’s software on my system I don’t support this anymore. You’re on your own there’s vendor support agreements. There’s legal agreements. It gets complicated. can you talk about that? How how has this technology been received in an environment that just doesn’t want to change anything.

Gary Southwell
Well, that’s an excellent point that you’re making and it is one of the inhibitors we we see but it is changing the the industrial automation vendors that typically which you speak are recognizing that there’s problems here and they can either be. Yeah, part of a solution or they can be held liable. It’s part of the problem and you’re seeing a movement there you know. For instance, we’ve just gone public with a relationship with Rockwell and they’re bringing us now in as part of their solution to solve these types of problems where appropriate. Um. We’re having these discussions with these other other vendors in some cases. They are very very regimented and others are much more open to provide more modern approaches if you will to stopping these threats because they are happening and they’re starting to happen in increasing fashion. So they can’t just. Tell the customer my leave agreement with you says you can’t run protection that I haven’t approved on your system and then find out that their system was compromised because their applications had vulnerabilities in them that were exploited so you can see the challenge is there. So these vendors are now starting to move and it is something that really has just really happened over the last couple of years.

Andrew Ginter
Another clarifying question comes to mind. You were talking about bad stuff shims that download other bad stuff. The shim looks benign but it winds up downloading code and and actually executing code. That’s not so benign just thinking about it. This is what happens in browsers. Browsers download javascript routinely they execute the code routinely. If your AI forbids downloaded code, does it break the browser? How do you work with browsers.

Gary Southwell
Yeah, so that’s that’s interesting point. So when we get into OT environments. You don’t typically see these types of behaviors happening so they’re not downloading apps through browsers and dynamically executing code. So that’s not your typical. Behavior that you’re going to see. We do have certain countermeasures though to all always to deal with things like malicious Javascripts running and picking off those those types of techniques because that may be running independent of your typical browser download. So we do stop that.

Andrew Ginter
And sort of another another thing that occurs to me. There’s a lot of applications in an IT environment and a lot of people surprised there’s a lot of applications in OT and industrial control system environment as Well. You might imagine that there’s fewer control systems in the world than it networks. but there’s still a huge diversity of applications of software of even hardware out there. Is it possible for you guys to learn all of those applications and keep track of them as vendors release new security updates? Do you do this sort of centrally? How do you manage that diversity?

Gary Southwell
There are multiple ways to do this and and we do try to work with the large and industrial automation vendors in advance to get as many of these as we can but we realized early on that we couldn’t depend on that. So we built our product so that once our agent became active on the device it would quickly inventory everything it found running on the host and they would slowly also look at everything that was over on the the disk again. The word slowly is there because we’re trying to make sure we stay within operational parameters. We don’t slow down the device at all. So when we do that we can inventory everything in some cases will let’s say we find a hundred applications. we’ll build that that list on the device. And each of our individual agents on all devices will build a list now to make it easy on the operator we can come up in a mode. We call prevent mode where we say okay, we’re going to assume that all the applications we just built.

Are good right? Chances are that probably the the situation and then we have these additional countermeasures that are going to watch and see if anything else happens which is not good. One of these attempt techniques and then those will then trigger us. To stop those techniques and zero it in on the application. So that that can be explored so this allows the vendors to deploy our agents out on the devices and just say okay, you come up and prevent you allow everything that’s running to run you turn on your countermeasures to look for bad techniques. And then what they do is they communicate to a centralized application that’s running inside this customer site typically and it could be right down on these manufacturing lands in some cases we’ve actually running an air-gapped environment factory floors as we speak. So they don’t have normal connectivity to the outside world but the hundred devices in a manufacturing floor communicate everything that they’ve learned on their devices and it builds the central manifest and then now you’ve got in a depopulate stuff you like. But now you’ve actually got an inventory of every single application. On which devices or which lines because it’ll actually give you that capability to name the lines and we found that’s of extreme use to a lot of these manufacturers because a lot of things they don’t know all the applications or the application variances that are running there on each of their OS platforms. So it gives them visibility of that.

And then they can say okay, this is a great I can now have an approved level of manifest and if something goes wrong I can look through that and take out those those bad applications or I can say what I’m looking through this list and I really don’t like that notepad is running on these applications because that’s something that could be used by an attacker. So I’m going to say I want to block that to the centralized control system or we call our trust center can then send an update out and and say block the use of those notepad so it’s a way for you to control the policies in which you allow certain applications to run. So. This was well received because I said we have this large global manufacturer and they were like this is good because the people on the sites trying to run these things don’t have time to go figure everything out they need something. That’s simple. But then when we’re looking and doing some periodic reviews. We can sit there and say okay we can examine what we have here we can decide what we don’t like running and we also can get an an indication of all the different variants of these various applications so that we can do better planning going forward. In the meantime they’re fully protected from these types of attacks that they’re most concerned with everything from the zero day ransomware malware all way up to these very sophisticated nation state back attacks. They’re typically coming in through their supply chain by the way.

Andrew Ginter
That struck me as as interesting, Nate. A lot of people have been on the show talking about asset inventory. You can only protect what you have. But asset inventory in most implementations, in my understanding, tends to focus on what kind of devices are there. There’s PLCs, there’s RTUs, there’s protective relays, there’s Windows machines, there’s Linux machines. What version what OS are they running? What patch level are they running? What software has been installed? Has the software been patched? What these folks are doing is sort of coming at it, I assume all of that and they’re going through and making a long list of all of the executables that are installed on the machine, which is sort of the next level of detail. I mean, he mentioned the example of Notepad. Therthere’s nothing in the the list of installed software that says Notepad’s installed. It installs when you install the OS. It’s not a separate install. so Having that sort of more detailed asset inventory is to me is interesting. It strikes me as potentially useful in terms of of additional hardening that you can apply to these machines.

Nathaniel Nelson
I’m not sure that this was the point of what you just said there, but you mentioned Notepad and he mentioned Notepad. I’m wondering, why is Notepad coming into any of this? That’s just the application that I never use on my computer.

Andrew Ginter
Yeah, it’s an application I never use either. It’s an application that lets you edit text files. And if you have a README file, nobody wants to edit it. They want to read it. You can read it in lots of things. The browser will let you read it. Notepad lets you create text files as well. And it’s one of the tools that attackers tend to use more than regular users because the attackers always need to put some script file down so you can execute it or put a stolen license key into a text file so it can be imported and so on. So I guess this is, again, one of the tools that that owners and operators might look at and say, I never use that. We don’t need that.

The only people that are going to use that are the bad guys. Take it off the machine. We had an episode, I think, recently talking about living off the land when touched on it briefly, the using tools that are part of the operating system to to launch attacks. This sounds like one of those tools that never really occurred to me. But yeah, when you say it, I never use Notepad either. So if if it’s only the bad guys doing it, that’s a a candidate to to take off the machine.

Andrew Ginter
Something you said triggered me a second ago. What about what you you were talking about the ability to run in sort of an advisory mode versus an enforcing mode. Um. Is this relevant to let’s call it upset conditions I mean how often do you start the plant from scratch. Maybe once a year and everything behaves a little bit differently during startup how often do you do an emergency shutdown hopefully no more than every few years. And in an emergency shutdown. Everything is different. Everything is changing. do you do you make make sort of provision make make exceptions in those cases?

Gary Southwell
Yeah, absolutely So. We’ll run in a mode where we’ve got prevent mode is our normal mode. But when we go into these. Let’s call them updates. Usually it’s maintenance windows emergency Shutdowns. We Just ask that the operators turn us into detect mode. that way the product keeps running but as they make these changes. We’re not going to try to get in the way of things happening especially like you see when there’s an emergency going on or you’re just getting a ah. Batch of updates coming in. Yeah from patches to new revisions of of applications coming in across the board then once things settle down you can look at what we detected as showing alerts or not it depends on what they want to do it depends on the situation. Of course. And then if you see everything is fine from what we reported you just accept all those changes you can say these are okay to run as is I basically start fresh and move back into prevent Mode. So All the changes have been accepted. And we run from there So That’s the way that we we deal with that and we find it works out pretty well because it’s just simple toggling of a switch and then toggling it back on once everything is stabilized and you still have an ability to track everything that happened during that mode where you were doing all those changes so we have all these wonderful operational logs that tell you about exactly what happened so in a lot of these environments that are definitely under a lot of scrutiny compliance reasons Now you now have a complete history of what’s happened. And we provide that for.

Andrew Ginter
Well, this has been great Gary. Thank you for joining us. before I let you go can I ask you to sum up for us. What should you know? what should we be be thinking about when we’re thinking about this space.

Gary Southwell
Well as I started off, you’ve got to make sure you’ve got a solution that has an ability to stop all these different variations of attack. It doesn’t help if you’re only covering 20% of the attacks out there. You’ve got to cover the full level of attacks in order to have a solution with efficacy.

The other point I think we want to briefly touch on is that you can have the best solutions out there. But if they’re not easy to actually implement and deploy and update. Then the solution will not be successful. It’s got to be that simple that operators with minimal training can figure out how to deploy it they can come up and then deal with this as they go through their normal operations as they run it. Or are going through a period when they’ve got a maintenance window running and they’re making updates to all their applications in their environment I would say there’s a call to action going on right here because for so long the industry has tried to stick with the old ways. In the old ways in the OT world where we’re trying to use passive defenses as much as possible air gap which means there’s no internet connectivity as much as possible and yet the attacks keep coming the problem is there’s the human element. The. Industrial automation vendors I don’t want to pick on them but they have to update their applications at some point.

So either they’re bringing in people or they’ve got third parties that are coming in or the customer has third parties coming in and that’s when we have people walking past the network and then plugging into these devices often with USB sticks or maintenance laptops and the updates happen and so do the problems so you can’t be myopic and think we can get away with approaches that worked in the last decade when there’s actually ways that defeat them every day in our environments. So. I would say the takeaway is you’re going to look at a solution. You’ve got to find one that that will work will drastically reduce your risk. That’s easy to deploy and then can deal with these situations where traditional defenses just don’t cover the problem.

Nathaniel Nelson
So Andrew, to close out here, Gary’s talking a lot about choosing the right solutions, which solution is a tricky word, right? Are we really solving something here or are we iterating on a long history of what we’ve been doing prior?

Andrew Ginter
That’s a good question. I would use the word innovating rather than iterating. The bad guys keep getting better at what they’re doing. They keep inventing new and different and subtler ways of of attacking us. And so our defenses need to become more capable as time goes by as well as the threat environment changes. And here’s an innovation, here’s a way to address a kind of attack that is becoming more widely used by the the sophisticated, the high end of the of the attack spectrum. putting something benign looking into a software update, putting something benign looking on a machine, and then loading the nasty in memory into that benign looking thing. This is this is the the world we live in. This is starting to happen reasonably regularly. We need technology that’s going to address this threat. the The bad guys innovate. We need to as well.

Nathaniel Nelson
Well, thank you to Gary Southwell for speaking with you, Andrew. And Andrew, as always, thank you for speaking with me.

Andrew Ginter
It’s always a pleasure. Thank you, Nate.

Nathaniel Nelson
This has been the Industrial Security Podcast from Waterfall. Thank you to everybody out there listening.

Risks, Rules & Gaps: The Latest on NIS2 and CRA

June 3, 2025

Experience & Challenges Using Asset Inventory Tools – Episode 138

May 27, 2025

Safety-Critical Clouds in Power Generation – 7 Designs Using Cyber-Informed Engineering

April 27, 2025

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

The post AI Takes on Polymorphic Malware | Episode 130 appeared first on Waterfall Security Solutions.

Webinar: Industry-Specific 62443 Insights for Power Generation

Waterfall team — Thu, 29 Aug 2024 08:04:22 +0000

OT Insights Center PowerWebinar: Industry-Specific 62443 Insights for Power Generation

Webinar: Industry-Specific 62443 Insights for Power Generation

Watch the webinar for an in-depth session that goes beyond the buzzwords and provides practical, industry-specific guidance on applying the ISA/IEC 62443 standards to safeguard critical power infrastructure

The ISA/IEC 62443 standards provide a robust framework for enhancing cybersecurity across various industries, yet interpreting the standards in power generation presents unique challenges and opportunities.

Whether you’re a cybersecurity professional, OT engineer, or industry leader, watch the webinar recording for an in-depth webinar that goes beyond the buzzwords and provides practical, industry-specific guidance on applying the ISA/IEC 62443 standards to safeguard critical power infrastructure.

In this webinar, Dr. Jesus Molina takes us through:

Decoding the complexities of 62443: Gain a clear understanding of the standards, their structure, and how they apply to power generation

Navigating the implementation challenges: Learn how to address the unique needs of safety-critical and equipment protection sub-networks.

Adopting a consequence-driven approach: Discover how to conduct effective risk assessments that account for high-impact, low-probability scenarios.

Architect secure networks: Implement zoning and interconnected structures that enhance OT resilience.

Strengthen defenses beyond SL4: Explore engineering-grade controls to complement cybersecurity measures and reduce reliance on expensive SL4 classifications.

About the Speaker

Dr. Jesus Molina

Jesus Molina is Waterfall’s Director of Industrial Security. He is a security expert in both OT and IT security. A former hacker, his research on offensive security in industrial systems has been echoed by many publications and media, including Wired and NPR. Mr. Molina has acted as chair of several security organizations, including the Trusted Computing Group and the IoT Internet Consortium. He is the co-writer of the Industrial Internet Security Framework and the author of several security-related patents and academic research papers. Mr. Molina holds a M.S. and a Ph.D from the University of Maryland.

Data Diodes vs. Unidirectional Gateways

April 14, 2025

Selecting OT “Secure” Remote Access Solutions – Options, Criteria & Examples

April 14, 2025

Building a Game Plan for OT Remote Access

March 17, 2025

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

The post Webinar: Industry-Specific 62443 Insights for Power Generation appeared first on Waterfall Security Solutions.

New Resource: Adapting IT Advice for OT | Episode 129

Waterfall team — Sun, 25 Aug 2024 12:25:53 +0000

OT Insights Center OT security standardsNew Resource: Adapting IT Advice for OT | Episode 129

New Resource: Adapting IT Advice for OT | Episode 129

The CIS Top 18 is widely used in IT, and Jack Bliss of 1898 & Co. has adapted that list for OT/industrial, adding a lot of industrial context and lists of related OT-centric tools and technology.

Waterfall team

August 25, 2024

“…Cyber Tool Framework is the OT/ICS version of CIS TOP-18.”

Available on

https://api.spreaker.com/v2/episodes/60759066/download.mp3

About Jack Bliss and 1898 & Co.

Jack Bliss is a motivated cybersecurity consultant that enjoys working with others to achieve common goals. Experience with secure network architecture, risk mitigation, network/system hardening, cybersecurity assessments, and network configuration. Emphasis on the NIST cybersecurity framework, the ISA 62443 standards, and other best practices. Constantly embracing new challenges, and ways to make clients more successful.

1898 & Co. is a global business, technology and security consultancy serving critical infrastructure industries. We partner with clients to plan, secure and optimize their business. As part of Burns & McDonnell and our 120 years of industry experience, we understand the complexity of your asset-intensive business model, the trends impacting your industry, and the need to ground big ideas in operational realities.

Transcript of this podcast episode #129:
New Resource: Adapting IT Advice for OT

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Welcome everyone to the Industrial Security Podcast. My name is Nate Nelson. I’m here with Andrew Ginter, the Vice President of Industrial Security at Waterfall Security Solutions, who’s going to introduce the subject and guest of our show today. Andrew, how are you?

Andrew Ginter
I’m very well, thank you Nate. Our guest today is Jack Bliss. He is an industrial cybersecurity consultant at 1898 and co. And he’s just published a cyber tool framework. This is an adaptation of the the CIS, the Center for and Internet Securities. They have a well-known top 18 critical security control. So he’s adapted the CIS top 18 to the needs of OT and industrial sites based on his field notes of of working in the space for a number of years, capturing his best practices. So this is what we’re going to be discussing, his his contribution to the field here.

Nathaniel Nelson
All right, then let’s get into it.

Andrew Ginter
Hello Jack and welcome to the podcast. Before we get started, can I ask you to say a few words about yourself and about your background and about the good work that you’re doing at 1898 & Co.?

Jack Bliss
Yeah, thanks for having me, Andrew. My name is Jack Bliss, and I’m an industrial cybersecurity consultant with AT&T8 Co. My cybersecurity career started in 2016, junior year of high school, when I joined a competition called CyberPatriots, which is a nationwide computer networking and system hardening competition. In that year, we actually won nationals, making us the first team in Missouri to do so. In college, I worked as a computer networking consultant for IT organizations. And finally, for the past five years, I’ve been at 1898 & Co. Working as an industrial cybersecurity consultant which has been and an interesting journey i think my mom had a certain sense of security that i would be typing away in in a cubicle but after just a couple years in the job i was off to get underwater helicopter safety training which is required to go out to to oil rigs but but yeah it’s when i started we were a team of eight And now we’re a team of 80, so growing like crazy. And I couldn’t be more grateful to work for such an amazing organization and such an impactful role. The The experience I’ve gained during this time, learning from some really great mentors and colleagues has been invaluable.

Andrew Ginter
Nate, we don’t usually comment this early in the episode, but Jack mentioned the the offshore training and sort of the difference between a desktop and what you do on the OT side. I’ve never done the training, but I’ve heard about it. And it’s something else. If you physically want to travel out to a an offshore platform in, let’s say, the Gulf of Mexico or or the North Sea, I’ve never done it. But I’m told that, yeah, there’s a bunch of classroom training. And then the test is they put you in your your life jacket and your whatever into a dummy helicopter, a helicopter cabin. And They put physically a dummy beside you, set up the same way you are. And they have a crane drop you into a swimming pool full of ice cold water.

Your job is to get out of the helicopter and get back to the surface with your partner, dummy, who has been rendered unconscious by the fall. If you do it, you pass and you can go out to the platform. If they have to send the divers after you to save your life, you fail. Go do the training again. So, yeah, it you know, people imagine cybersecurity is a desk job. Sometimes it’s not.

Andrew Ginter
And our topic today is the Cybertool framework. This is something that you put together. It’s available at cybertoolframework.com. Can you tell us what is it? Where did it come from? Sort of what’s what’s the genesis of this thing?

Jack Bliss
Yeah, so in one sentence, cyber tool framework is the OT or ICS version of CIS top 18. So it takes the CIS top 18, which is an IT focus framework, but is easily digestible compared to other frameworks and standards, such as NIST, ISO, or 62443, and aligns those 18 controls or really requirements to OT cyber tools and practical insights. Being more digestible, this better speaks to small or medium-sized critical infrastructure organizations.

Jack Bliss
So the structure is as follows. With with the top 18 requirements in column 1, matched to cybersecurity tools in column 2, including OT-specific options where applicable, and complemented by field notes and best practices in column 3.

Throughout, I emphasize meeting these controls across three levels, people, processes, and technology, while reflecting real world scenarios. There is maturity referenced in some of the recommended controls. So if you’re a small organization, start with X. If you’re a more mature organization, you should aim to hit this threshold, et cetera. Free tools are also provided for each requirement, catering to organizations, looking to bootstrap their cybersecurity efforts.

the The idea for Cybertool Framework came from the fulfillment in consulting. In consulting, we get to work with a broad range of clients in different maturity stages and help them be successful. And so Cybertool Framework is really an extension of that. It’s a resource that can reach a bigger audience and make a bigger impact then than myself individually. So Cybertool framework helps to address the growing need for OT cybersecurity education and enablement, particularly among among organizations in the early stages of developing their cybersecurity programs. It aims to empower these organizations and practitioners to make informed decisions and cut through the noise of shiny marketing white papers.

I strongly believe that education and enablement outside of furthering regulation or mandating secure cyber design, education and enablement is one of the big pushes that can improve our overall cyber resilience across critical infrastructure, helping organizations and people make the right decisions at the right time, and utilizing what they already have, i.e. Working smarter, not harder. And at the core of this is knowing what you have, knowing how it functions or communicates, understanding what systems or risks cause the worst case scenario, and then going through a risk reduction process like 62443, 3-2, PHA or CCE that reduces risk to an acceptable level.

As you select these mitigated controls to get to an acceptable level, Cybertool Framework could be one of these many resources to help organizations or practitioners navigate that landscape.

Andrew Ginter
Okay. But let me ask you to to to back up a bit. You’ve used a lot a lot of terminology here. A I don’t have outstanding statistics on who listens to this podcast other than we get about 3000 downloads per episode. But anecdotally, just talking to people at events and and whatnot, The sense I get is that maybe one third, give or take, of our our audience here is engineers who are coming into cybersecurity responsibilities and have to come up to speed on cybersecurity issues and and approaches. And roughly one third, give or take, is IT people who have become responsible or are are becoming or are interested in becoming responsible for OT security and have to come up to speed on OT issues and OT mitigations, and one third is other. But to those two audiences, someone coming from IT, someone coming from engineering, let me ask you, can you explain For the people coming from the engineering side of things who may not have heard of the CIS top 18, what is the CIS top 18? Before we talk about how you adapted it, what is it? And for the other sort of third who are coming from IT who might know the CIS top 18 cold, first tell us what is the CIS top 18 and then can I ask you, why does it need to be adapted for OT?

Jack Bliss
Yeah, that’s that’s an amazing question. In security, there are different types of security frameworks.

Jack Bliss
There are control-based frameworks such as COVID, ISO 27002, CIS. There are risk-based frameworks. Like NIST, CSF, or standards such as 62443, 3-2. There are threat intelligence-based frameworks like MITRE, etc. Cis Top 18 is a control-based framework created by the Center for Internet Security, the same organization that maintains the CIS benchmarks which are very popular for system hardening.

Jack Bliss
Control-based frameworks give it to you straight. There’s no high-level process flowchart or models or hundreds of pages of reading material to follow. They are fairly prescriptive, requirement-based frameworks that list out the what and roughly the how, and in the case of CIS top 18, it lists out the top 18 things organizations should accomplish from a cybersecurity perspective. Again, straight to the point, it’s it’s one PDF that’s 54 pages, so it’s really digestible. Now, as as I mentioned, and as as you’ve sort of alluded to there, it’s tailored to IT t environments. So OT specific controls and guidance are missed, but the CIS topic team creates a great foundation for OT cybersecurity and tools, as well as guidance to be aligned to.

Andrew Ginter
so So that makes sense sort of from the engineering perspective. What is the CIS18? Why is it important? How does it differ from from other documents in the space? can you Can you address the engine or sorry the the the IT audience? IT t people coming into the OT space, in my experience, often the first question they ask is is why not just use everything I know already I already know the CIS top eighteen apply it why do they need in a sense application notes for OT why not just apply it.

Jack Bliss
Yeah, so there’s there’s a different methodology in how the CIS top 18 or cyber tool framework in this example would be applied. And in In IT, t it may be reasonably feasible to to blanketly apply these 18 controls. And you would do so in a risk-based approach. However, in in OT, there are different tools that IT doesn’t have. There are many different IDS solutions such such as Clarity and Dragos, but there’s also a different risk-based approach in OT that doesn’t exist in IT. T We’re talking about systems that have different security capabilities, and we’re talking about systems and environments that have different goals, and those goals are safety and availability first and security second. So you can’t just take the top 18 and start to address them sequentially one through 18. You have to go first through a thorough risk-based process and address them and in that sort of methodology. And so all those lessons learned All those lessons learned, the risk-based methodology, as well as how you can apply these 18 controls in an OT environment and for OT organizations are outlined on the Cybertool Framework website.

Nathaniel Nelson
Andrew, everything that Jack is talking about thus far makes perfect sense to me. But it strikes me that this top 18 and his specific cyber tool framework is yet another framework in years of doing this podcast. We’ve discussed so many. He mentioned a few of them in his answer there. I need a framework for frameworks here. When should I be focusing on what and how did these all fit in together?

Andrew Ginter
Good question. So let’s let’s pick it apart. What is a framework? A framework is a fancy word for a checklist. Ok, a framework is not a standard that says you must do X, you must do Y, you can do Z.

Andrew Ginter
A framework is not a regulation that says you must do X, Y and Z or you’ll be fined. A framework is a checklist saying, have you thought about your wireless? Have you thought about antivirus? have you And so when you look at the frameworks out there, the checklists out there, which of them should you use? well You’re going to use most of them eventually. The question in my mind is, where do you start? Do you start with the NIST cybersecurity framework? Well, you read the framework, and what I got the first time I read NIST cybersecurity framework was the five pillars, now six pillars, six sort of things, big picture things you have to think about. And then when you get into the individual specifics, they refer you to other standards. Oh, so

Andrew Ginter
It really is very high level, very abstract, and it’s it’s a bit hard to use because you have to keep flipping to these other standards. the the the beauty of and so let me let me say as well IEC 62443 is a standard, not a framework. You can think You can use it as a framework if you want. You can go through every security control that 62443 recommends in, let’s say, the 3-3 standard. You can go through every one of them and say, should I use this? Where would I use this? But it’s a lot to go through. The value that the CIS top 18 brings is they give you what the expert who who developed the framework, they give you the 18 security controls to consider. They don’t say you have to use them. They say you should think about them. That’s why it’s a framework, not a standard. And they say these are the ones that in our experience tend to be the most valuable.

If you’re just getting started, what’s the first thing you should do once you start thinking about security controls? Hit the top 18. Go through them. And once you kind of wrapped your head around them and sort of the the high value stuff you’ve got to do, you can take the next step and become more comprehensive. So this is this is it. Framework’s a checklist. And here’s a checklist to get you started. You’ll keep it in your pocket as you become more experienced, as your your system becomes more mature. But if if you’re a consultant going into one side after another starting from zero, you might wind up using it more often than not.

Commercial Break with OT Security Message

This portion of the podcast episode has a musical segway that breaks off to discuss a common OT security conundrum in which IT style solutions such as making an impossibly long password in order to avoid having a pressure boiler be compromised, when a engineering solution would make more sense such has having that boiler sport a pressure release valve that releases excess pressure if it ever gets hacked, instead of relying on the password strength in such a life-threatening vulnerability, not to mention threat to the industrial operation.

**We now get back to the Industrial Security Podcast**

Andrew Ginter
Okay, so you’ve taken this sort of very popular, almost standard document in the IT t space. You’ve applied it to the OT space. One of the things you did was you added a whole column on tools. And i’m not I’ve looked through the document. for For anyone who hasn’t looked at it yet, each row, each column of tools is not one or two tools. You’ve got dozens listed for each of these security controls in in some of these these rows. On the other hand, if I look at the next column over sort of the industry application, you almost don’t mention the tools in the industry applications. That seems to be a different topic. The title of the document is cybersecurity tools. Can you talk about tools? What’s what’s important about tools? How do we use that that column of tools there?

Jack Bliss
Yeah, so the tools in in version one or the the the MVP minimal viable product stage of cyber tool framework just has the tools listed in alphabetical order and that’s to get rid of any any any bias. And so later and in in a version two, we could potentially start to organize those tools based on certain common criteria.

But you’ll notice there’s paid tools as well as free tools for each of the controls. And so the difference looking at OT versus IT t tools you can really be seen looking at something like network monitoring and defense. And network monitoring and defense Data diodes are are really yeah prevalent and and a a strong remediation, mitigating control for on the network side. You also have, of course, just like IT, t you have next gen firewalls like Cisco Firepower, FortiGate, Palo Alto, but in the the third column there, the field notes and best practices considerations, I referenced that Fortigate is oftentimes a really popular firewall in the OT space because of the number of OT protocols that it understands in its and its IPS. And so that’s there’s there’s nuance to some of these controls and tools that are referenced that are specific to OT And not to it t continuous vulnerability management is another one and that sort of synergistic to asset inventory where tools like clarity dragos industrial defender for scout. These are tools that help with asset management, vulnerability management and also act as an IDS in these critical infrastructure organizations. Again, tools entirely unique to the OT space and and their implementation is is unique as well. So there’s there’s some examples there of the different tooling that that exists in the platform and how that differs from IT to OT.

Andrew Ginter
OK, thank you. And again, having having looked through the document, the the tools column, I was struck by what you added there. I was also struck by what you did not add. I mean, you mentioned in your introduction, you mentioned safety and protecting equipment and environmental safety as as priorities for physical processes that are are being automated but automated by control systems. But you did not mention that in the the in the document. I don’t see ah row a section on safety in the document. On the other hand, in the CIS18, there’s a whole section on protecting web browsers and protecting email systems and teaching people not to click on links, which seems irrelevant to the OT space because in OT networks, nobody can route packets to their email server. So i’m It seems to me that there’s still something missing here.

Jack Bliss
Right, agreed. So version one was strictly tied to the CIS top 18 to make it recognizable. As you mentioned, there’s certainly room to add requirements to make it more OT centric. Safety would certainly be something added to a version two, supply chain security, even secure control network and system design, legacy system security, which is a huge pain point comes up in almost every assessment. All of these organizations due to the system lifecycle time, and the cost to replace a system under OEM support contract is insanely expensive. So replacing legacy systems aren’t always an option. How do we live with these legacy systems? Maybe even assessment methodology. Some of the assessment methodology is described under Control 18, which is penetration testing, where I describe how in OT the approach is different than a penetration test in IT. T But it’s really important that organizations looking to hire third parties know what criteria to look for so that they get their expectations met. And And even other controls like physical security could be one that’s added. So there’s certainly room to grow these out. And you I’m sure you’re well aware that there’s a a top 20 secure PLC coding practices resource or standard out there. We actually have consultants on our team that contributed to that. So maybe down the road, cyber tool framework morphs into something similar, its own standalone resource or standard.

Andrew Ginter
Okay. That makes sense. So let’s let’s come back to the the the existing document. Can you give us a couple of examples? In a sense, what are sort of the the the most striking examples yeah in your mind of of sort of IT t versus OT differences in applying the CIS18? What are some of the the the the the key takeaways for one or two of your rows? Can you give us some examples as to as to the value people get from looking up the document and reading through it?

Jack Bliss
Absolutely. Yeah. So taking vulnerability management as an example, there seems to be a big push or emphasis on CVE-based vulnerability management in OT without any additional context. This is evident in the branding of tools that are sold, the marketing white papers you see floating around on LinkedIn and and as we go about our day-to-day consulting, buy our tool and go chase your tail trying to remediate these CVEs.

The CVE sentiment is that we mirror the approach we loosely mirror the approach of IT. However, an IT Everything is tied to tenable. Everything is kept up to date using WSUS and system refreshes that occur every three to five years. That’s a different landscape in OT, and that approach just won’t work. This is due to several reasons. The extended life cycle, 15, 20 year life cycle, means that many OT environments operate with outdated hardware and software that can’t easily be patched or upgraded. So naturally, version-based CVE’s can’t be widely addressed and security measures must therefore be tailored to these constraints. You’d probably be better off focusing on other mitigating controls such as network segmentation or allow listing as an example. However, getting back to CVEs, Even running agent-based scans like Tenable in combination with other solutions like AD and WSUS could, in some cases, introduce additional cyber fragility into the environment that could affect the overall availability of the process. So there’s a balance to this. The systems may not be able to support Tenable, AD or WSUS. Think obsolete operating systems, Windows CE, or industrial control systems. And And finally, frequently, our security teams double as engineers. Take a small utility. We’ve worked with plenty where network or system admins who are wearing the cybersecurity hat, they have limited time, knowledge, and resource. And so all of these real world reality scenarios shapes why our approach to CVEs has to be different.

To fix version-based CVEs, patching will help in some cases, but in others, a system refresh is required as a system itself is too old. And so both both of which patching or replacing the system could require OEM approval. And when approved by the OEM, upgrades can be prohibitively expensive. Many OT organizations upon analyzing their cyber ALE, which is Annualized Lost Expectancy, i.e. How much cyber risk they’re exposed to on an annual basis, this cost isn’t justified.

You wouldn’t want to spend more than your ALE on cyber to address that risk. And so you could spend several hundreds of thousands, if not millions of dollars conducting widespread patching and system refreshes. Just one of your many system vendors alone could charge a couple hundred thousand dollars to upgrade a few of their systems when your organizational see cyber ALE could be less than that as a whole. Therefore, the cost just doesn’t make sense a lot of the time. You’re spending more than your cyber risk warrants. So you could see the vast difference between IT t and OT. What’s one approach to effective vulnerability management in OT? First, we focus on security measures that reduces our risk. And these oftentimes may not be related to CVEs, but they’re important to point out. These are related to reducing catastrophic risk scenarios, safety system segmentation, secure network design, application whitelisting, et cetera.

But getting back to CVEs, we can prioritize high- riskk high risk systems where we may get a great ROI for replacing these legacy systems. Because sometimes replacing these legacy systems isn’t just about security, it’s the added benefit of increased availability. And so naturally by doing this, we will then greatly improve our CVE ticker, so to speak. And then next, organizations need to prioritize CVEs that are being exploited in the wild, starting with high-risk systems working their way down.

These could be version-based or configuration-based CVEs, but now we’ve sort of narrowed down the CVEs to a number that is more approachable by the organization and remeing remediating CVEs that will address real risk, hopefully without spending more than the organization’s ALE. So, vulnerability tools, vendors, they won’t provide this context. It’s about addressing CVEs within the the organizational constraints and within our OT restraints that exist in the real world. But all of that type of context or guidance is offered by Cybertool framework.

Andrew Ginter
So let me add something here, Nate. As someone who’s worked in the field for, god, it’s 40 years now, and pretty much all of my career representing vendors, you know, let me let me speak up sort of in def defense of vendors. Jack has indicated that, yes, and he’s right, patching, sort of what he calls the the common vulnerability exposure, the CBE approach. Patching security updates can be very expensive. Having, you know, industrial vendors approve these updates or even test and deploy these updates is very expensive. In my experience, it’s not because the vendors are gouging the owners and operators, it’s because of the different way that you evaluate risk in industrial networks. And and Jack mentioned this, the The buzzword he did not mention is engineering change control. Here’s the thing. Every change to a safety critical system, every change to a critical infrastructure risks messing something up. You risk making a mistake. If you make a mistake in a safety system, it’s possible that people die.

Andrew Ginter
If you make a mistake in a reliability critical system, it’s possible that you have unplanned shutdowns of your critical infrastructure. And so before engineers and we’ve We’ve discussed this many times. Before engineers patch anything, before they make any change in a system, they study the change. They test the change. This engineering study and this this engineering testing is a very expensive process. It doesn’t matter if the people at site do it or the vendors do it and you buy the tested components from the vendors. Someone has to do it. It’s a very expensive process because the consequences of making a mistake are unacceptable. And so this is why patching is expensive. This is why you have to do it differently. This is why all these compensating measures are so much more important in the OT space than the IT t space. His framework got it right. He’s got the the compensating measures in there that you have to evaluate. He maybe was a little bit soft on the why, but that’s feedback for for Jack that we can provide for for future versions.

Andrew Ginter
So thanks for that. Can we talk as well? you you talked about about consequences and brownfield systems, legacy devices. Can we talk about, I don’t know, call it applicability. A small shoe factory is a very different animal to secure than a high speed passenger rail switching system. Do you mention this in this version of the document? Is sort of the the the difference between the different sort of consequentiality, if that’s a word, yeah is that sort of taken into account?

Jack Bliss
Yeah, great question. The and and This really ties back to AOE, which we we just discussed. These these organizations, depending on their sector or or their size, they have different annualized lost expectancy. And so you you don’t want to spend more on cybersecurity to remediate risk that that would cost more than your ALE. And in in a version two, I think it would be interesting to sort of create a baseline of of controls for different sizes of organizations.

If you’re a small organization, you should aim to do these three things. If you’re a medium-sized organization, you should aim to do these five things. I think something like that would make CyberTool Framework that much more actionable. But no matter what size of organization that you are or what sector that you’re in, when you’re using a tool like CyberTool Framework, the first step should be conducting a thorough risk assessment to identify the most effective mitigating controls. So let’s suppose this risk assessment determines network monitoring and defense as a priority. The organization already knows what they have. They documented data flows. They determined that there’s too much bleed over from IT t to OT. Maybe a DMZ makes sense. The network infrastructure itself isn’t hardened. We aren’t using centralized authentication like RADIUS. We’re missing where you were using SNMP version one, et cetera. So the organization within a reference cyber tool framework to understand how to implement this requirement comprehensively, addressing this requirement from a people, processes, and technology standpoint. The governance driven by the people defines the organization’s risk appetite, standards, and budget, which and then which then in turn influences the the selection of technology And then these processes then guide how the chosen technology is implemented and maintained. So this integrated approach is how cyber tool framework is used effectively, not a rigid checklist, but a flexible resource reference to help organizations identify specific risks.

The cyber tool framework preface emphasizes that the 18 requirements aren’t meant to be addressed sequentially from 118. Instead, it should be based on risk. So risk really answers how these controls are are ranked or applied. However, risk aside, yes, there is a sort of natural ranking. In my opinion, I would follow the NIST, CSF, identify, protect, detect, respond, recover functions in order. Requirements like inventory and control of hardware and software assets would likely be first. Knowing what you have is a good foundation for you to now address other requirements like secure configuration of enterprise assets and software, which would fall under the protect function. And then of course, under each of the under each of these requirements, I do discuss maturity loosely. But again, I think this could be further built out. For example, looking at network monitoring and defense, a small organization may aim to establish IT t and OT segmentation best practices, like a DMZ. Vlan segmentation, have their configurations and rules audited by a third party or SAS, where medium to large organizations that may have a higher risk profile should aim a little bit higher, such as sending firewall logs to a SIEM or using something like a data diode. Having analysts or an MSS analyze these logs continually, deploying an IDS in the DMZ and then subsequently other network zones.

And then using things like active defense measures, like honeypots, maybe something like Finkist Canary. So future enhancements to Cybertool framework will include, like i like I mentioned, more detailed baselines that tie to organizational size size to these reference controls, but this is still a work in progress.

Andrew Ginter
Okay, so that makes sense. If I might switch gears, let me ask you a hard marketing question. it’s It’s great, it’s tremendous that you’re out there creating this knowledge, but bluntly, those of us who write things down, create knowledge, that’s of limited use if nobody ever reads it. How do you get the word out? How do you tell how you how do you may let people know that this resource exists?

Jack Bliss
Another great point, right now we we have analytics on Cybertool framework. So last month around 100 people were were using the the platform. So there’s a natural natural progression and and growth there. But down the road, Cybertool framework, the aim is is to have it be integrated with other solutions that I believe could add a lot of value to the community. Again, particularly in the education enablement of OT security. This will enhance the overall impact of these resources being unified and give it more weight, if you will. But, you know, 1898 keeps me pretty pretty busy, so I don’t plan to to embark on a major marketing tour for for for the time being. However, there isn’t there is that old marketing saying that a great product is free marketing, and so as I enjoy putting these resources together, I truly hope that they they help other people and organizations navigate the OT security landscape. And, you know, right now, I’m i’m content with that.

Andrew Ginter
Cool. So can I ask you, looking forward, you’ve talked about a version two a couple of times and and what might be in there. You know, we’ve talked about about getting the word out. I mean, there’s other I don’t know if there’s other podcasts you could consider. I would i would recommend you and any any of the listeners go on your cell phone to the Beer ISAC podcast. It’s not really a podcast, it’s a list of other podcasts. Every industrial security podcast that I’ve produced is in that list, but it’s a list of of other useful content out there in the in the podcast space and and who puts it out. So can you talk about the future? what What is the gleam in your eye for version two and and how are you going to get the word out for it?

Jack Bliss
Right. I I definitely feel Cybertool framework deserves a version two where we first introduce ICS specific controls, as you mentioned, safety, safety system segmentation, secure control network and system design, legacy system security assessment methodology, et cetera. Second, we could loosely rank the requirements on a maturity scale And then when within each requirement, we could create baseline or sub-requirements that align to organizational size. And we discussed this earlier, but I think this would make a make this resource more actionable and tailored. So if you’re a small organization, you should be able to meet this threshold. If you’re a medium-sized organization, there’s a higher threshold for you and so on and so forth. Finally, maybe there’s a methodology for ranking the cyber tools themselves.

Right now, all the tools are alphabetical to keep any bias out. But down the road, it would be interesting to rank them based upon some sort of common criteria. But before or maybe after version two, as I mentioned, I want to look to implement other resource ideas and and sort of combine them and and do a rebranding to Control Shield, which I think is a a sexier name than Cybertool framework. But for now, I’m just having fun. I’m I’m learning and organizing my thoughts as I put these resources together, growing as a consultant, and hopefully giving back.

Nathaniel Nelson
Andrew, I think I know even less about marketing than about industrial cybersecurity. So where do you start when you’re thinking about how to get the word out?

Andrew Ginter
You know I get questions like this on a regular basis. We we do a lot of face-to-face events. People come up. I’m very active in this space. I write a lot of articles. I’ve written three books. I didn’t start by writing a book. I started by writing a blog. I started by writing little articles. Today, what I recommend is put the articles on LinkedIn. Do an article on OT security every couple of weeks. Get your buddies to comment on the article. That raises the profile of the article. Develop a following. Use that following when you produce your first big piece, like a 50-page framework, and post it somewhere. Get your buddies to diligently amplify the the the comment on and like your your big announcements. That’s sort of if you’re if you’re on your own. If you’re working for somebody, do a couple of articles and show them to your marketing team. It’s their job to do marketing. You know, more than half the time they’re likely to come back to you and say, this is this is good stuff. Oh We want to promote this stuff and they will work with you to put it on the corporate blog or amplify it on LinkedIn or or whatnot. More fundamentally, the question is, what do you write about? Jack here is someone who came from IT, t so had some background, and has spent five years in the OT space, and what’s he writing about?

Well, he doesn’t have 30 years in the OT space like I do and is writing textbooks. He’s writing about what he’s learning. He’s he’s developed a checklist of knowledge and tips and tools that he uses in his everyday work. This is information he’s assembled because he needed it. Well, frankly, if he needed it, other people are going to need it too, especially other people coming through the same sort of learning chain is as he did coming from IT into OT. And so whatever learning chain you’re coming from, you’re learning stuff. As you learn stuff, whatever you find interesting, in stuff that you learned that week or two weeks, that’s worth writing about because if it if it was useful to you, it’s going to be useful to someone else. That’s how you get started. And then once you’ve got sort of a history of writing and a theme that you’ve developed, you can think about next steps and and yeah larger assets. But by all means, do get started.

Andrew Ginter
Well, this has been great. Thank you, Jack, for joining us. Before we let you go, can you sum up from us, you know, what are the main points that we should take away from your cyber tool framework?

Jack Bliss
Yeah, in relation to Cybertool framework, it’s really in its MVP or minimal viable product stage. It’s currently about 40 pages of total content and there’s certainly more detail to add. I have some of this documented for 2024 edits. And other Version 2 edits that we talked about, Andrew, in this episode. I hope that in its current form, it helps those trying to navigate this nuanced space that is OT security. Those IT t folks that are familiar with CIS Top 18 will be very familiar, and there’ll be OT-centric guidance for how you adopt says CIS Top 18 for OT. And for OT engineers or practitioners that are aiming to digest more of the IT t-centric information, CAS type 18 is a very digestible framework. So, again, I hope that that a resource like this helps to navigate the the OT security landscape. If I may, I’ll give a quick overall elevator pitch to organizations out there. Keep it simple, document your assets in parallel, and more importantly, document the connectivity, both physical and logical. You can manually cable trace, you can use protocols like CDP, LDP, SNMP, even even MAC address tables to help run packet captures at various segments of your network to start to develop this high-level diagram. It doesn’t have to show every device in a color-coordinated Visio, but get a good understanding of your environment. If you can achieve these things, you’re ahead of 75% of organizations at your level. Now, look at this documented environment and break it down into zones. One for IT, one for IT, OT, DMZ. If you have one, one for the OT or process network, one for each Wi-Fi zone and each system zone. Start there and now begin a risk assessment approach to identify what can cause a catastrophe in each of these zones.

Focus on those risks and finally break down your mitigating controls into two categories, cyber-based and non-cyber-based. What barriers can you put in place to prevent this catastrophe from both pools? Now, if you get to this level, you deserve you deserve a trophy. But finally, a shameless plug for 1898 and Co. At 1898 & Co., we help organizations throughout the security lifecycle from governance to technology. We assist clients in starting and improving their cybersecurity programs from the inception of materializing funding, writing policies and procedures, implementing technology, and conducting continuous assessments, vulnerability, risk, and pen testing.

We also, of course, do advising and recently finished our MSS or SOC based in Houston. So if you’d like to learn more or have feedback from me on Cybertool Framework, that’s cybertoolframework.com. You can leave feedback directly on the site or you can find me on LinkedIn at Jack Bliss.

Nathaniel Nelson
So that just about does it Andrew for your interview with Jack Bliss. Do you have any final thoughts that you might want to take us out with today?

Andrew Ginter
The resource here is is a great resource. If you want to find it, it is on the web, Cybertool Framework, no spaces, no dashes, cybertoolframework.com. The framework, it’s it’s short, it’s sweet, it’s usable, it connects the worlds of IT and OT. It’s a great place to get started with concepts that that lead into more advanced risk management and other advanced OT topics. And I think it’s great that Jack is doing this. I wish more people would write down what they’re learning, write down the knowledge that they use every day for other people to come up to speed and and take advantage of it.

Nathaniel Nelson
Well, thanks to Jack for sharing his knowledge with us. And Andrew, thank you as always for speaking with me.

Andrew Ginter
It’s always a pleasure. Thank you, Nate.

Nathaniel Nelson
This has been the Industrial Security Podcast from Waterfall. Thank you to everybody out there listening.

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

The post New Resource: Adapting IT Advice for OT | Episode 129 appeared first on Waterfall Security Solutions.

andrew ginter – Waterfall Security Solutions

Andrew Ginter’s Top 3 Webinars of 2024

Andrew Ginter’s Top 3 Webinars of 2024

Discover Andrew Ginter’s top picks for the most insightful and engaging webinars of 2024, covering key trends and strategies in industrial security.

Andrew Ginter

My Top Three Webinars of 2024:

1) Cyber Attacks with Physical Consequences – 2024 Threat Report

2) IEC 62443 for Power Generation

3) Evolving Global OT Cyber Guidelines

Share

Trending posts

Stay up to date

Tags

Andrew Ginter’s Top 3 Podcast Episodes of 2024

Andrew Ginter’s Top 3 Podcast Episodes of 2024

As 2024 winds down, kick back and enjoy some of Andrew Ginter's best podcast picks

My Top Three Episodes of 2024:

Share

Trending posts

Stay up to date

Tags

TSA NOPR for Pipelines, Rail & Bussing – Enhancing Surface Cyber Risk Management

TSA NOPR for Pipelines, Rail & Bussing – Enhancing Surface Cyber Risk Management

The TSA Notice of Proposed Rulemaking for Enhancing Surface Cyber Risk Management is out. This is the long-awaited regulation that replaces the temporary security directives issued after the Colonial Pipeline incident.

Andrew Ginter

About the author

Andrew Ginter

Share

Trending posts

Stay up to date

Tags

Driving Change – Cloud Systems and Japanese CCE | Episode 132

Driving Change – Cloud Systems and Japanese CCE | Episode 132

Tomomi Aoyama translated the book Countering Cyber Sabotage - Consequence-Driven, Cyber-Informed Engineering - to Japanese. Tomomi recalls the effort of translating CCE to Japanese and looks forward to applying CCE and OT security principles to industrial cloud systems at Cognite.

Waterfall team

Available on:

About Tomomi Aoyama and Cognite

Share

Transcript of this podcast episode #132:

Driving Change – Cloud Systems and Japanese CCE | Episode 132

Trending posts

Stay up to date

Tags

Webinar: Evolving Global OT Cyber Guidelines, Recent Developments and What is Driving it

Webinar: Evolving Global OT Cyber Guidelines, Recent Developments and What is Driving it

Watch the webinar for a look into the recent evolution of OT security standards.

In this webinar, Andrew Ginter takes us through:

Meet Your Expert Guide:

Andrew Ginter

Share

Trending posts

Stay up to date

Tags

How Likely Is That To Kill Anyone?

How Likely Is That To Kill Anyone?

Andrew Ginter

Every Change Is a Risk

Patching the System

Engineering Change Control vs. Constant, Aggressive Change

Not All Systems Are Special

About the author

Andrew Ginter

Share

Trending posts

Stay up to date

Tags

Hitting Tens of Thousands of Vehicles At Once | Episode 131

Hitting Tens of Thousands of Vehicles At Once | Episode 131

Compromise a cloud service, and tens thousands of vehicles can be affected at once. Matt MacKinnon of Upstream Security walks us through the world of cloud security for connected vehicles, transport trucks, tractors, and other "stuff that moves."

Waterfall team

Available on

About Matt MacKinnon and Upstream Security

Share

Transcript of this podcast episode #131: Hitting Tens of Thousands of Vehicles At Once | Episode 131

Trending posts

Stay up to date

Tags

AI Takes on Polymorphic Malware | Episode 130

AI Takes on Polymorphic Malware | Episode 130

The bad guys keep getting better at what they do, and so must we, the defenders. Gary Southwell of Aria Cyber joins us to look at using AI to get ahead of constantly-changing malware.

Transcript of this podcast episode #131:
Hitting Tens of Thousands of Vehicles At Once | Episode 131

Transcript of podcast episode #130
AI Takes on Polymorphic Malware | Episode 130

About Jack Bliss and 1898 & Co.

Transcript of this podcast episode #129:
New Resource: Adapting IT Advice for OT

Commercial Break with OT Security Message