podcasts – Waterfall Security Solutions
https://waterfall-security.com

Published Wed, 18 Dec 2024
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/insights-into-nation-state-threats-episode-134/



Insights into Nation State Threats – Podcast Episode 134

Nation state threats are often portrayed as the "irresistible forces" of cyber threats, with little qualification. Joseph Price of Deloitte joins us to dig deeper - what are nation states capable of, what are they up to, and how should we interpret the information that is available to the public?


“…We can’t just sit idly by and say…’well, the worst thing we’ve seen is XYZ’…That does not necessarily mean that’s the limit to the imagination and capability of nation states…”

- Joseph Price

About Joseph Price

Joseph Price is a seasoned cybersecurity professional with over 26 years of experience spanning leadership, strategic operations, program management, software and hardware product development, offensive and defensive cyber operations planning and execution, threat hunting, and incident response in both IT and ICS/SCADA environments. He is currently a Senior Manager/Specialist Leader at Deloitte in Idaho Falls, Idaho, where he focuses on delivering value to government and public service customers in ICS/OT cybersecurity to make the world safer and more resilient. He leads a team of professionals in providing products and services to protect and defend ICS/OT/IoT/IIoT systems across various industries, helping organizations manage and mitigate risk.

Prior to joining Deloitte, Joseph held various leadership roles at Idaho National Laboratory, including Manager of Advanced Programs, Deputy Director of the Critical Infrastructure Protection Division, and Program Manager for Cyber Security R&D. He has also served in the U.S. Air Force, notably as Chief of Weapons and Tactics for the 67th Information Operations Wing and Flight Commander of the 33rd Information Operations Squadron.

About Deloitte

Deloitte is one of the “Big Four” accounting firms and a global leader in professional services, offering expertise in audit, consulting, tax, and advisory services. Deloitte Cyber Risk specializes in areas such as cyber strategy, threat intelligence, risk management, incident response, and managed security services. By leveraging advanced technologies like artificial intelligence, machine learning, and cloud security solutions, Deloitte empowers clients to proactively identify vulnerabilities, mitigate threats, and recover swiftly from cyber incidents.

Transcript of Insights into Nation State Threats | Episode 134

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Welcome listeners to the Industrial Security Podcast. My name is Nate Nelson. I’m here with Andrew Ginter, the Vice President of Industrial Security at Waterfall Security Solutions, who’s going to introduce the subject and guest of our show today. Andrew, how are you?

Andrew Ginter
I’m very well. Thank you, Nate. Our guest today is Joseph Price. He is a senior manager and the program lead for the OT cybersecurity program at Deloitte. And our topic is nation states, more or less. The word credibility comes to mind. How worried should we be? I mean, how likely is the average site to be the target of a nation state grade attack? This is the kind of thing that Joseph is an expert on.

Nathaniel Nelson
Then without further ado, here’s your interview with Joseph.

Andrew Ginter
Hello, Joseph, and welcome to the podcast. Before we get started, can I ask you to say a few words of introduction? Please tell us a bit about your background and about the good work that you’re doing at Deloitte.

Joseph Price
Sure. Thank you very much, Andrew, for having me on. I’ve followed you and it’s exciting to be a part of your podcast. So thanks for this opportunity. My name is Joseph Price. I go by Joseph and I’m zeroing in on about 30 years of being in cyber. I started back in the mid 90s with what we called information warfare. We didn’t use the term cyber back then. As an active duty military officer in the Air Force I spent about four years defending networks in various places around the world, and then I switched over into the offensive cyber side of things. I don’t get to talk a lot about that, obviously, because details are not things we can discuss openly. But I will tell you this, the one thing about spending 16 years in that community is I didn’t just learn about how we conduct offensive operations, but how other nations and other groups and organizations can conduct offensive operations and really what they can do, whether we’ve seen it mentioned in the news or not. So I enjoyed about 20 years total working for the Department of Defence in various capacities.

And after that I moved here to Idaho Falls, ID, where I now live. I joined Idaho National Laboratory and was the deputy director for Critical Infrastructure Protection there. And then three years ago, I shifted over to Deloitte and Touche, or just Deloitte if you prefer. And I’m a senior manager there and the program lead for our OT cybersecurity program. So I help develop our capabilities and service offerings and deliver them to our clients who have OT systems, to help them secure and protect and create more resilient architectures supporting their OT systems. So that’s where I focus now and it’s a pleasure to be here.

Andrew Ginter
And the world needs more OT security, so thanks for that. Nation states is our topic and we read about nation state threats in the news. I work for a vendor. I go to a lot of these face to face conferences. I hear a lot of vendor pitches. I’m sorry, a lot of vendors get up there and wave the nation state threat flag: fear, uncertainty and doubt, the sky is falling, the sky is falling, we’re all going to die. And yet, here we are. You being on the inside, without stepping on anything you’re not allowed to tell us: how accurate is the news? Really, what’s going on behind the scenes? How worried should we be?

Joseph Price
That’s a great question. I think in the absence of details and information, a lot of times people just make presumptions about what a nation state might do. In terms of capability, nation states don’t tend to just be opportunistic. There’s a certain amount of opportunistic elements to any campaign, but they’re not just necessarily saying, oh, let’s see what we can find. Often actions are deliberate. Now the problem we have is we don’t necessarily know what they might target. So we might talk about a few examples or ideas around some things we’ve seen recently in the news, but for most processes, it’s a deliberate activity. Nation states have the resources, they have access to talent, they have the patience to do things. So in many ways we might conclude that they’re 10 foot tall and bulletproof. Now, that’s not entirely true, but I think we are fooling ourselves to think that the best capability out there is some closely related version to what we’ve seen in the news when a particular operation was exposed.

I think that capabilities are really only limited by imagination and one’s dedication to a particular operation or operational objective. And so I tell people that yes, nation states are highly capable. They aren’t necessarily... A lot of people say, well, do I have to worry about them targeting me? Well, that depends. But I would say on the whole, operational technology systems are more attractive for targeting for military or diplomatic purposes than IT systems, or I should say they’re attractive for a different reason. And that’s, as we all know, those of us who have tried to defend them, that impacts from the cyber domain can manifest themselves in the physical domain. And so if you think about it, you can achieve military goals, which may be to cause some destruction or to impact the availability of some critical resource, all through the cyber domain. And so I believe there’s a lot of capability and a lot of emphasis and focus out there, and so we can’t just sit idly by and say, oh, well, the worst thing we’ve seen is XYZ, Ukraine, they flipped a few breakers. That does not necessarily mean that’s the limit to the imagination and capability of nation states at this time.

Nathaniel Nelson
Andrew, to get us started here, we’re talking about nation-state APTs. It could sound like it’s all one thing, but in reality, we’re talking about a wide tapestry of different threat actors from different places with different motivations. Which are the ones that we are most interested in in this podcast today?

Andrew Ginter
There’s a lot of different capabilities out there. And this is not comprehensive, but maybe just to give people sort of a taste of what’s possible, let me cover off maybe a half dozen of the threat actors and sort of the different ways they approach nation state-grade attacks. Starting at the low end, Iran is accused of sponsoring hacktivist groups. Most recently they targeted some PLCs that were on the internet that were manufactured by an Israeli manufacturer. They disabled water distribution in a small town in Ireland, and doing this by sort of low tech, low investment targeting of internet exposed assets. North Korea has more sophisticated professionals that are paid every day. The hacktivists aren’t paid, they’re amateurs.

Andrew Ginter
The professionals are paid every day to attack things, and mostly what they do is ransomware, because this is how the sanctioned regime makes a lot of its foreign currency: stealing it in ransomware attacks. So they’ve got some very sophisticated ransomware groups. China sort of is credited with bringing nation-state-grade cyber attacks to the forefront. Back in the day, the DHS at the time, in 2006, 2007, put out alerts about advanced persistent threats. That was code for Chinese intelligence agencies.

And they pioneered sort of the public use of what’s now the classic remote access Trojan or remote access targeted attack, where you get a foothold on a network. You install a RAT, a remote access Trojan, a piece of malware, it calls to a command and control center on the internet and you operate that malware by remote control. You use it to attack other machines on the compromised network. You spread the RAT to other machines. You might spread different versions of the RAT in case your first version is found out, and you establish a persistent presence. The very latest there is Volt Typhoon, which is saying there isn’t even a RAT anymore. They’re using the facilities in the operating system to maintain remote control. Extremely difficult to detect that the remote control is there.

The Russians take a different approach. Historically, they’ve produced malware artifacts for attacks. Think BlackEnergy, which had code in it to manipulate DNP3 devices. DNP3 is a widely used protocol in the electric sector.

The latest out of Russia, or credited to Russia, I mean, none of this is officially confirmed, is Pipedream, which again is a code that has, it’s attack code that has a lot of capability in it for manipulating devices in control systems, presumably maliciously. And we haven’t heard much about them lately, but back in the day, I think 2010,

American and Israeli intelligence was accused, and has never officially accepted responsibility, but is widely thought to have produced Stuxnet, which is a very sophisticated artifact that once you let it loose in a target network, it just does its thing. It’s autonomous. It spreads autonomously. It finds its target. It sabotages the target. It does not need remote control the way the Russian tools do, the way the Chinese prefer to sort of silently, Volt Typhoon living off the land, remote control systems. Stuxnet was autonomous. So this is sort of the spectrum, from low-tech hacktivist attacks to remote control attacks, some of which are very sophisticated, to autonomous attacks, some of which have been historically very sophisticated. And there’s probably more that I’ve missed, but it’s a sobering set of capabilities.

Andrew Ginter
OK. And you know, we read about these nation states in the news. A lot of the nation state grade attacks that make the news are espionage: breaking into governments, breaking into nonprofits, breaking into anybody who dares to voice any opposition to a regime. Breaking into these places and stealing information. You mentioned a couple of instances, Russia breaking into Ukraine twice, causing physical power outages. I guess the question is, we hear a lot comparatively about espionage, not so much about sabotage, you know? Is there sabotage happening that just isn’t being reported? What’s going on there?

Joseph Price
That’s a great question, Andrew. When I mentioned earlier that the activities you see in the news are not the limit of the capabilities of a nation state level actor, it’s important to realize, like, these are not singular transactions, especially when you consider targeting OT systems. This is a campaign, right? So it evolves over time, and sometimes our defences are good. We catch them early on in the campaign. So even the simple acts within Ukraine 2015, there were a number of circuits that were opened as part of that particular action. It started with a lot of information gathering, a lot of reconnaissance. We even saw, right after the 2015 activity, in January of 2016, that Ukrenergo, which is the transmission company that was later the target in December of 2016 of the follow-on attack, was part of a phishing scam. And some of the particular people that they targeted in that scheme were protection engineers.

So you start to put these pieces together and you realize they’re looking at those people who are responsible for the overall protection system of the transmission network. And in December of 2016, rather than throwing several breakers in several different distribution companies, they threw one breaker in a transmission company, and it was something on the order of, like, an order of magnitude more power lost in that one breaker trip than in all the rest during the 2015 attack. And so you realize that there’s deliberate processes going on. And sometimes, like I said, we’re lucky, we interrupt the process early. But the goal, to attack a particular OT system, let’s use the United States as an example, the goal is not to, let’s get in there, gain access, pull all the information we can and then cause sabotage. Because when your sabotage takes place in the physical realm, the chance of reprisal, the chance of anything from a diplomatic to a military response, certainly rises considerably.

But if you had those assets to hold at risk, if you can gain access, secure that access and hold it at risk, you can integrate whatever sabotage or whatever attack scenario into a suite of capabilities that you could have as part of a campaign plan. And it could be very effective too. So the adversary is going to use the most minimal force required to gain access, and if they can use something that, let’s say, is out there in the wild but they can tell you’re not patched against, well, sure, they’re going to use that. They’re going to use that before they go to some zero day that they know and no one else knows. Right. You’re going to be economical in your use of your various offensive crown jewels. Once they’ve gained a foothold, once they’ve secured their position, they’ll need to do additional reconnaissance to figure out, what are our options?

I always felt that Ukraine 2015 was kind of a hastily executed operation, because so many things happened at once, and then they burned all the infrastructure at the end. But if you go back and look at each individual action that was taken at each of the distribution companies, you recognize that in some cases they obviously had people that couldn’t read or understand Ukrainian, because they had messages on the screen that they were remotely operating that said, this is just a test system. And yet they continued to try to do things. They opened a tie breaker, which in general, unless you’re under some maintenance function, tie breakers aren’t going to shut the power down to anything. And so what we saw, as things progress and you get into the December 2016 event, you realize that things are more specific to the equipment that’s in use.

It’s highly targeted. They clearly had someone who knew what was going on in that system, and I think we need to recognize that a nation state adversary will understand your process. They may not understand your systems and exactly your processes for running through things or your contingency measures, etcetera, but they’ll understand the physical process that you’re controlling, so that they can understand the effects they may have. And then they may just sit on that access and monitor it. It may only phone home once in a blue moon, because they don’t need to risk detection by having frequent and regular communications or a massive amount of information flowing back and forth between that target. They have it there, they could hold it and they can use it again for what I would say is potential military or even just diplomatic influence operations, but without having to take any physical action themselves. They can do it remotely. So I think that’s something that is the reason why they’re not necessarily going straight to sabotage. It’s not because, as I’ve seen in an article recently, oh, they wouldn’t mess with us. No, actually, this is the exact way that people would mess with the United States, attacking it asymmetrically, using capabilities to cause damage or to cause service outages or even uncontrolled environmental release, risk or violate a safety basis and cause potential harm to humans. Those are all things that could be done from afar via the cyber domain. That’s a nice capability to have, an arrow in your quiver if you will, that nation states would want to hold on to for some future conflict.

Andrew Ginter
So the example you gave of campaigns developing capabilities, that sort of describes Volt Typhoon to a T. But in the news lately, there’s been a lot of sort of lesser stuff. I mean, state sponsored Russian hacktivists are accused of, I don’t know, overflowing a water tank in Texas. Iran’s nation state sponsored hacktivists are accused of targeting an Israeli made PLC that’s used in a couple of small water systems and turning off the water to 180 people in Ireland for two days. None of this seems terribly consequential. I mean, what really is the goal here? That doesn’t sound like a campaign.

Joseph Price
It’s interesting, and I think this is again that tendency, I think especially within the media, to presume that what we see is the totality of the operation. And I just don’t think that’s the case. So you mentioned a couple of really good examples. In fact, we had a very recent example on Monday: Arkansas City, KS, was also attacked, its water authority was attacked. Very few details have come out. I’m very interested to hear what they find, and we’re trying to get some additional details through some contacts, because on the face of it, it just looks like, well, not only did they not really have much of an effect, the plant in Arkansas City went into manual mode.

Similar situation with some of the examples from Cyber Avengers, the ones you mentioned attacking water authorities and kind of defacing the PLCs. The only place that actually caused an impact was that village in Ireland that you mentioned, and you’re like, well, and now they’re exposed. So like you said, what did they really gain from that? And so my answer to that is, let’s think deeper about the campaign. The campaign ultimately has, let’s say, high value targets at the end of it. And maybe that high value target is a major municipal water system in the US, one that cannot be ignored if you were to have significant impacts, yes. So how do you target that? And everyone might think, OK, well, let’s jump straight to, I’m going to learn about their systems, if I can, who are the key people, I might start phishing, etcetera. But part of you has to ask, wait a minute, if we were to get caught early in the campaign and there were to be any reprisals, would that completely wipe that campaign opportunity off the map? Do we need to use better tools? Do we need to invest more time in a human related operation? There’s a lot of things to consider, and so even starting, you might say, how’s the US going to react when we launch an attack and cause any impact whatsoever to a water system?

Well, we need a lab environment, right? So there’s, I’m sure, plenty of nation states, I’m sure they all have labs where they go test things out. But to really measure our response, they need to do it somewhere. Well, if you consider large metropolitan areas, New York City, Los Angeles, Philadelphia, Baltimore, those are going to get pretty big reactions pretty quickly for sure. Right. A lot of people will know if something’s there. Well, what about Muleshoe, Texas? Probably not a large number of people even are going to know where Muleshoe, Texas is on the map. So we’re going to hit some of these smaller rural areas. Number one, it’s going to be an easier target, right, because these water authorities suffer from what I call STP: same three people. The same three people are responsible for making sure they have all the necessary chemicals for treatment of the water, that the water sourcing and distribution all works. They go and deal with issues. They’ve got to handle and manage the budget. They’ve got to handle the maintenance calls, the late night calls of issues, the water main breaks, all those things. The same three people are responsible for those things, so it’s a pretty good bet they’re not going to have high end cybersecurity capabilities.

So then we’re going to take an action, and that action isn’t going to directly cause loss of life or anything major like that. So they had to go into manual operation mode. Big deal, right? Of all the potential impacts, that’s probably the least, not for those same three people, because now they’re probably a lot busier, even more so than usual. But that’s going to give us a window: does that cross a threshold, how fervent is the US’s response at the executive level, at the DHS CISA level, at the state governors level? How do we respond as a community, as a nation, when we recognize that a foreign actor is taking action against these life critical services that we just take for granted every day? And so I think that again part of the campaign is figuring out where are those limits to government response, what’s going to trip a greater response, what will those responses look like? It’s no different in my mind. Like when you have Russian bombers flying into our air defence identification zone up near Alaska, they’re not crossing into our national airspace, but they are in those areas just outside of it. And they watch with their radars and their surveillance planes how quickly we scramble, how quickly we are able to intercept their aircraft, what tactics we use. I believe that’s also going on here because, in the end, if we believe, I mean, so one of the things I mentioned earlier was, hey, we can’t gauge our greatest adversaries’ capabilities based on what we see in the news.

I was, quite honestly, shocked in 2019 when the Director of National Intelligence published an unclassified threat assessment, and in it identified a couple of interesting facts. Number one, they named Russia and China in there, which, for those of us who have worked with the intelligence community before, wasn’t surprising; those were the potential adversaries they named. What was surprising is that they were saying this at the unclassified level, and it said that Russia could cause an impact to our power, whether it be generation or distribution, that could last from hours to days, and that China could impact our water systems in such a means as to last from days to weeks. Like, those are pretty bold statements coming out in an unclassified Intelligence Report. So I think there’s a recognition at other levels of the government. Nation state adversaries do have a greater capability than what we might presume just by watching the media and the smaller activities.

You know, yes, they could be isolated incidents. In the case of the Cyber Avengers, they were trying to deface the HMI screen on Israeli made equipment. OK, that might have been an isolated campaign, but for the other things I sit there and I think, how could this be used as part of a larger, more diverse campaign, to see how we respond, to see what we put in place as a result of those attacks, and how can we use that as part of our higher value target operations, and in preparing for those to have capabilities there.

Andrew Ginter
If I were to summarize, the one sort of surprising thing that I took from the detail is the concept of a campaign. It’s not just that small water systems are easier targets, and so let’s go after them. I never really thought of these attacks as stepping stones. I really hadn’t thought of these attacks as testing our response capabilities. I mean, the one concrete example that springs to mind is, I forget, it was a few years ago the American administration announced that attacks on critical infrastructure, civilian infrastructure, would be regarded as acts of war. Well, someone just overflowed a water tank in Texas. Did anyone declare war?

No. So, yeah, it almost does feel like people are pushing a little bit, the bad guys are pushing a bit to say, well, really, when would you respond? How would you respond? This makes sense.

Nathaniel Nelson
True, and what I didn’t hear him say, that I believe is also occurring, is when nation-state APTs use one of their targets as a springboard or a relay point to another. So, for example, you are targeting one major utility or telecommunications organization or whatnot; you go after a smaller target, and then you can use that as a relay point to hide your malicious communications, for example, among other things.

Andrew Ginter
Yeah, I mean, where I have heard of that is in supply chain, more than targeting one critical infrastructure to get into another. You tend not to have that kind of connection between a smaller water utility and a larger water utility, in my recollection, at least in North America. You might have stronger connections like that in Europe, where things tend to be sort of closer to each other, more connected. So yeah, that’s a good point.

Andrew Ginter
So work with me. We’ve been talking about the threat and I’m convinced that nation state threats are real. The question becomes, what do we do about them? I mean, the truism, I don’t know if it’s true, but the truism is that a nation state military essentially has unlimited money and talent and time to come after us. And when you have that coming after you, it’s hard to imagine how you could stop an attack like that, given what you’ve said about the threat. You know, we as defenders, from small water systems to large high speed passenger rail switching systems, we as defenders, what should we be doing about the threat?

Joseph Price
The challenge in answering that question is that the problem is multidimensional and multifaceted. But in general, I believe what we should be doing, first and foremost, is recognizing that this is a business risk or an operational risk, not a technical risk. So often, when you bring up the topic of a potential cyber attack, let’s say you’re talking to a CEO or a board: well, go talk to the CISO or go talk to the CSO. Right? That’s their responsibility. But when we consider that impacts can directly impact the business, whether we’re brewing beer or providing clean drinking water to millions of citizens, the ability for cyber to now create business impacts means it should get some degree of attention.

And the consideration for what should be done should not be reserved to, well, I did the minimum, I followed the checklist, I’m compliant with this standard. Because as we all know, in any standard, your interpretation, your finding for how you’ve met that standard, the exceptions that you might apply for and get granted for that standard, all could become your own undoing.

So to start with, how do we talk about security of OT systems for the business risk? When you have attention at that level, then you start to recognize the investment that’s made in any business activity, whether it’s bringing on new equipment, whether we’re upgrading, let’s say we’re a utility, a large provider, and we’re upgrading to a new energy management system. Right, part of that capital expense is the security. And with that, we’re not trying to meet some minimum requirement. Now we’re recognizing that, just as the adversary is dynamic and can be active at different times, we need to make sure that our systems are actively monitored, that there is a responsibility, whether it’s done locally, organically within a given company or provider, or if it’s contracted out, or if there’s some higher level organization that provides that. We talked earlier about rural water systems and the fact that you’ve got maybe the same three people responsible for everything. It’s unreasonable to go tell the community of Muleshoe, Texas, or Dubois, Idaho: hey, you have to come up with and fund your own cybersecurity expert, and oh, by the way, you’ve got to pay him or her a healthy sum, because there’s a lot of demand in the market and they’re going to cost a hefty price.

But what we could look at is to say, OK, the threat to those smaller water systems, not only is it probably lower in terms of somebody trying to cause sabotage, the resulting impact is probably lower also, if that rural community were without water for, let’s say, hours to days. There are means at certain levels of government, state, federal, etc., to help compensate for that temporary outage. It is a lot harder to compensate as the population served by that water system goes up, or the demand on that water system goes up considerably. So there’s still challenges, certainly within agricultural areas and things like that that rely on the water supply for growing crops, etcetera. But if you could, instead of telling every individual function you’re responsible for your own defence, you do give them some minimum amount of requirement, or maybe even assist them in meeting some minimum safe configuration. A firewall that’s properly configured to allow business purposes but not allow unsolicited communications in from the outside. You have some continuous monitor on there, even if it’s not monitored by that particular water authority. But look at, like, the state level; there are emergency response centres popping up in all states.

Joseph Price
And being able to handle different incidents, right? Some sort of incident management or incident response capability at the state level, and maybe you bring it up there. I’ve always said, when I look at the state of Idaho, we have three kinds of population centres: Idaho Falls and Pocatello, where I live, on the southeastern side; the capital city of Boise on the southwest side; and then the town of Coeur d’Alene, not that far from Spokane, WA, up in the northern end of the Panhandle. So you might be able to attract some talent to those population centres and have a regional security operations centre for, let’s say, the water sector. When we pivot over to power, now you’re talking about regulated utilities, you have NERC CIP, certainly a lot more investment in what is being done right now to set the bar to begin with for regulated utilities. You also have private owner-operators, right, you have companies that might have a little more bandwidth, if you will, within the budget to do things, and so you might require more self-sufficiency in that kind of scenario. Because in the end, what you don’t want to do is pass all of these costs on to the consumer. I think we all probably pay for it one way or another, but you don’t want to suddenly triple somebody’s water bill or their power bill to say, oh well, we have to do this particular cyber thing because we have these two requirements.

You want to look at how I can pool resources and use, where it makes sense, other sources of funding and support for those activities where it’s just not feasible to bring the talent or the capability and run it organically within that organization. I think then we start to expand to the federal level and say, what’s the federal government’s responsibility? Now, to be clear, I’m not speaking on behalf of my company or the Department of Defense, my former employer, or anyone like that. But I did notice that recently Jen Easterly, the director of CISA, started talking about pushing responsibility for software vulnerabilities onto the vendors themselves, software or hardware. So that is one tack that can be taken as you start spreading that around to the equipment and software manufacturers, in addition to requiring the owner-operators to provide some level of protection, in addition to looking for communities of interest that might be able to come together and assist in providing active monitoring where

it’s just not feasible to have the organic capabilities. So those are some of the ways, I think, of getting off the dime and the thinking that this is just an issue of checklist security. No, we need to move beyond that, and we need to be actively monitoring our systems, and we need to be able to share that information. We’ve got a great model, we’ve got Information Sharing and Analysis Centers, ISACs, out there. Let’s make sure that they’re properly funded and resourced so that when something does happen in Muleshoe, TX, or in Arkansas City, KS,

that information can be pulled in quickly and shared elsewhere, so that if part of that campaign is hitting multiple small utilities, you can make them aware and quickly disseminate even response measures to help protect against them or to counter anything that’s been done. I think those are some ways we can start getting after this problem, but again, it requires a shift in our thinking that this is just a CISO problem, or this is just the network shop’s problem to solve.

Joseph Price
You know, as I was talking about what we should do, how we should sort of change our approach, I’m reminded of when I attended my first SANS ICS security conference in 2015. I had, just less than a year earlier, moved to Idaho from Germany. I knew Mike Assante, who many in this community, if they’ve been around at all, know. And I was listening to somebody give a talk at that conference. Kim Zetter was in attendance, and she’s the author of the book Countdown to Zero Day. And so almost every speaker up to this, I think we were on day 2, almost every speaker had received some sort of question about Stuxnet, right, based on Zetter’s book. And they want to know, how do I protect against the nation-state-level attack that is Stuxnet? And the speaker, I forget his name, but he said: I find it kind of funny. Everyone’s sitting here, going around, saying how do we solve against Stuxnet? Most of you don’t even know what assets you have on your network. So there’s probably a preparatory comment to be made, which is, if you have no cybersecurity program, or maybe a very nascent one, you can be bombarded with all these different tools that people will bring you, or say, oh, bring us on and we’ll do this for you, we’ll do that for you, and it can become quite noisy and confusing.

What is the best step I should take? What are the first steps I should think about? And so I will caveat my previous response by just saying: consider first and foremost knowing yourself. Knowing what you have on your network, identifying that, and certainly there’s automation and tools that can assist you in doing that, but know what you have. Have some sort of policy for how you’re going to treat these systems, right. And there’s lots of policy examples out there; you can use somebody to assist you in that or, if you’ve got the ability, you can study examples that are out there. But know what you have, have some policies for how you’re going to treat it: whether to onboard, offboard that equipment, dispose of it, how it’s going to be configured, how you’re going to let users access it.

And then put some sort of monitoring capability in place so that you can assess what is going on, and then you can start to graduate to the more complex cases: how do I need to integrate threat intelligence? How do I do attack surface management? What are my exposures to a very highly capable adversary or an advanced persistent threat? It’s important to recognize that you can’t just make all that happen overnight. So I would just say, broadly, we need to think about monitoring, active monitoring, having responses, rehearsing our incident response plans, knowing what assets we have in our systems. If we can get there, then I think as a nation we’ll be better prepared to start dealing with the more nuanced and advanced threats, and being able to respond when we see a noise somewhere in the system and recognize that might be part of a broader campaign: how do I need to respond to whatever happened there to make myself more protected, more resilient?

Andrew Ginter
So Nate, what struck me there, a long discussion of what smaller utilities can do, how important detection is. I’m reminded of the incident in Denmark; the SektorCERT documented the Russians compromising some 22 internet-facing firewalls that they’d been monitoring. What is not widely known about that incident is the funding model for the Danish SektorCERT. The SektorCERT is not publicly funded.

It serves some 200 or 300 utilities, most of which are tiny. It serves three large utilities. I don’t know if they’re power or water, but three large utilities is my recollection from when I was talking to these people. I might have the numbers off by one or two, but it’s a very small number of large utilities. And those large utilities pay for the SektorCERT. And the SektorCERT provides its services to the hundreds of tiny utilities for free.

What’s the benefit? Well, part of it is the larger utilities giving back to society. Part of it is, in my analysis, in Joseph’s analysis here, that the larger utilities benefit from visibility into what’s going on in the smaller utilities. If the smaller utilities are being attacked as part of a larger campaign, the larger society, the larger utilities, want to know what steps the enemy is taking, want to know how much trouble they’re in. So this is an interesting funding model. He’s right. The same three people do not have the skills nor the ability nor the money to set up their own monitoring system, to pay for their own threat intelligence feeds. Whereas a central SektorCERT-style organization that is providing service to the smaller utilities can afford to buy threat intelligence feeds from the commercial providers of these things, can afford to have a relationship with their government and get access to classified information. Having the big fish, be it the government or the larger utilities, pay for these services for smaller utilities seems to me to make a lot of sense in terms of a funding model to bring about the kind of capabilities that Joseph was talking about.

Andrew Ginter
So I’m putting words in your mouth here, but what I kind of heard you say was that the perspective of the government, I mean, in the United States the federal government, in other nations the national government, may be somewhat different from the perspective of the tiny utilities, the same three people. You’ve talked about the need for monitoring. Absolutely, the nation needs to monitor these campaigns and figure out how many doors the enemy is knocking on. But in terms of monitoring, most small utilities, they want the attacks kept out. They don’t want to focus on the Detect part of the NIST Cybersecurity Framework; they want to focus on the Protect part. And, to me, this is them saying, well, if the nation wants insight into my systems, let them pay for the monitoring, because that’s benefiting the nation, not me. I need to put protection in. For those small utilities, when they’re designing their security program, should there be assistance? I mean, again, I guess I don’t want to drift into monetary matters. How much should the small utility be focused on assisting the nation in terms of detecting widespread campaigns, and how much of the nation-state threat should each small or large utility regard as credible threats to their own user base, their own citizens?

Joseph Price
Yeah, those are great questions. Let’s start by recognizing that, as I mentioned earlier, smaller utilities are not going to have the resources or access to the skill sets to take on all the responsibilities on their own, and I agree with you, let’s not drift too much into the policy of who pays, etcetera. But let’s think in terms of where is that expertise, who can assess what is credible and what is not? I pause a little bit at the use of that term because, in engineering, if we talk about design basis threats, we look in terms of, OK, I have two gears made of a certain metal. We put them together, they’re going to turn, we’re going to use some sort of lubrication or something. But I can, with relative accuracy, predict when that’s going to fail or when it needs to be replaced to avoid it failing in operation. Right? Because we know how metals break down over time when exposed to certain elements and temperatures, etcetera, and stresses.

When we look at measuring risk for natural disasters, we look historically; we rely on the fact that, well, there’s a 30% chance that we’re gonna have a hurricane between category 1 and category 2 strike somewhere within this 100 miles of our shoreline in the next three years. We base everything off of the historic occurrences and use that and extend that into a probability statement for it happening again. The challenge we have in cyber is that, in most cases, there’s a human actor involved, and really at some level there’s a human actor deciding to take certain actions. And so when you start talking about, is the threat credible and do I need to be worried, it’s very difficult. I think you’ll get some broad statements made based on how critical that service or that utility or that function is. And then you’ll think in terms of how likely is it that a nation-state-level adversary would want to have that impact on them. And I say, well, again, go back to our earlier conversation: I think holding that infrastructure at risk is a much bigger coin in their pocket than causing some impact.

So for that reason, when I look in terms of prioritizing and looking at credible threats, I think, OK, if you could cause interruption of a critical service like water, power, transportation in a large metropolitan area, there is the potential of bending political will. I’d always tell people, why is the US Navy the most powerful fighting force on the seas anywhere in the world? Well, it’s because they can park a dozen acres of sovereign territory 12 miles off somebody’s shore and give them pause. Give them time to think, and recognize that maybe, whatever action prompted that, there might be a diplomatic solution to it. Well.

If suddenly the populace of the US, or a significant number of the populace of the US, are threatened with the loss of life-critical services, I think we’d be foolish not to believe that that might give us political pause, right? That might cause the executive branch to think carefully: what is the next move? If they could hold that large of a population at risk, what are our options now? It will probably, I’m sure it will, drive multiple different options, political, military, etc.

Andrew Ginter
It occurred to me when you were talking here: is it credible that Volt Typhoon is in the news, living off the land, extremely difficult to detect these adversaries? Is it reasonable to believe that hundreds of other utilities have been compromised in the same way, and the Chinese deliberately leaked the fact that they’ve taken over these 50-odd this way to make the authorities aware that this capability exists? Because it does no good to hold… when the Navy parks off the shore of some other nation and says let’s think twice about this, the capability of the Navy is clear. OK, these ships are sitting there. If nobody knows that the Chinese have the ability to cause widespread physical consequences, is it credible that the Chinese leaked Volt Typhoon, deliberately or really accidentally, but weren’t that dismayed by it because they have these other capabilities, and those other capabilities do no good? It’s a threat if nobody knows they exist.

Joseph Price
So that’s a great question. Volt Typhoon, in my mind, is an example of, or I would say an exposition of, an extended campaign. Right? As you’re well aware, as you mentioned in your question, it uses living-off-the-land techniques, very difficult to detect. And in fact, in the infection details that I reviewed, or, excuse me, in the instances of Volt Typhoon attacks that I reviewed, quite often they say we have no idea how they landed. And so that, to me, reeks of an extended campaign of holding assets at risk. Because once you have them, number one, remove all traces of how you got there, use living-off-the-land techniques to maintain that access. And, like I said, occasionally phone home, and when I say phone home it’s probably to some other listening post, so that you know you have access. But if you’ve done that, and you sit back and say, aha, we have all these infrastructure operations that we hold at risk, do you need to actually cause sabotage or create mayhem to be able to have an effect? The answer is no.

But it might be worth letting them know you have a certain amount of assets held at risk. Now, if you’re smart, and I believe our nation-state-level adversaries are very smart, you’re not going to, let’s say, manage and care for all of the places you hold at risk with the exact same infrastructure, right? You’re going to spread around the technique by which you connect with them and contact them, do any of your maintenance of that connection; if you do collect information, you’ll use different infrastructure to get that information back to you, so you don’t necessarily have to burn the entirety of your targets held at risk.

But you absolutely could take a portion, leak sufficient information. Or maybe it was found because of just great sleuths looking carefully at crash dumps, but the point is, at some point, when your target knows they’ve been owned significantly, you might have leverage to, let’s say, accomplish some diplomatic objective or some other political objective, short of military conflict or things of that nature. That might be very helpful in, let’s say, talks that are upcoming about trade, or about conditions in adjacent territories or other nations that are allies to one of the countries in question and not to the other.

I mean, there’s a lot of ways that that could be useful. And again, it causes a response. You see how willing the target is to negotiate as a result of recognizing you hold some of their key infrastructure at risk. So I think that also would explain, in my mind, why the government has been so united and adamant that we do what is necessary to root out, to identify and cleanse Volt Typhoon from our systems. It’s, to me, a compelling conjecture, and again, this is all conjecture; neither one of us is talking from a position of some greater knowledge of exactly what’s happening or what happened with Volt Typhoon, but it certainly makes sense to me that you would possibly burn some of your infrastructure to show one of your cards, or maybe two of your cards, to give you leveraging power in whatever’s going on globally or between those nations at that time.

Andrew Ginter
Well, Joseph, this has been sobering. Thank you for joining us. Before we let you go, can you sum up for us what are the key things we should take away from this nation-state threat business?

Joseph Price
I would say the first nugget is, let’s keep in mind that the capabilities of any adversary are not merely defined by what we read in the news, what events or activities were essentially caught and then publicized. Computers will do exactly what we tell them to do, right? The computers and digital devices that run our OT systems are not all that different from the ones that are running our IT systems. And if someone with sufficient access and authority tells it to do something, it will absolutely do it, and when those logical actions are tied to physical systems or impacting the physical world… Again, the range of potential effects is limited by our adversaries’ limitations, excuse me, they’re limited by our adversaries’ imagination, and further by what we do to actively defend and protect those systems from mal-operation.

The other point that I would say to keep in mind is that we can’t protect everything against everything. We need to prioritize. But if you consider where OT systems and OT cybersecurity are, I often feel like it’s 20 years or more behind where we are with IT. And yet these are the systems that most affect our day-to-day lives, and an impact to them would be felt much more strongly. I always tell people, somebody hacks my computer and gets my online banking password, it’s a bad day for me. But if someone goes in and hacks a power distribution substation, or if they hack the water treatment facility, it’s a bad day for a whole lot of people. So there’s a certain degree of scale and, again, reliance upon our critical infrastructure, and we should give it due diligence, and that includes resourcing, funding, attention to those systems over and above some of the other areas that we maybe emphasize right now.

And then the last nugget is recognizing that these capabilities are out there. Obviously that doesn’t hit the easy button on solutions. So there’s really no excuse, I would say, for not having basic levels of hygiene. But in order to achieve that and move on to, like you said earlier, protecting, not defending when they’re already there, but protecting against these capabilities, then we really need to take a much more active role, and we need to move the decision from maybe the lower end of the C-suite to the higher end, and certainly for OT systems. Again, whatever it is, whether you’re manufacturing something, manufacturing pharmaceuticals, or treating wastewater in a city, those OT systems control your business, and therefore it is a business risk that takes the attention of not just the CSO or CISO, but the CEO, the COO, the board, even those who recognize that the proper investment needs to be made to protect these systems that are core to whatever service or product they provide.

I’ve really enjoyed getting to be on this podcast, Andrew. This is an area that’s been near and dear to me for quite some time. Like you, I’ve spent a lot of my career focused on cybersecurity in various areas, the last 10 years of it solely focused on OT systems. I work at Deloitte; I have to tell people when I show up, hey, I’m not here to do your taxes, because that’s what Deloitte is often known for, as a tax company, which it is, that’s for sure. But we also have, for 12 years running, the largest cybersecurity consultancy within the United States, and so if anyone wants to learn more about how Deloitte can assist them in tackling some of these challenges, I urge you to go to www.deloitte.com and look at the services there. You can certainly reach out to me on LinkedIn and I can connect you too, if there’s an interest to have the professional discussion.

But in the meantime, Andrew, great podcast again. I really appreciate you inviting me and allowing me to come on here and talk with you about these subjects. You’ve actually encouraged me to think a little bit deeper on some things too, so I’m excited.

Andrew Ginter
I’m delighted to hear it. Thank you so much. The podcast would be nowhere without guests like you, experts coming in and sharing, you know, I call it a piece of the elephant. Show us the face of the elephant, and the nation-state face is something a lot of people, like I said, bandy about. But it’s tremendous to be able to dig into it in some depth. Thank you so much.

Nathaniel Nelson
So I know it’s just one little sentence in a much longer answer there, but Joseph mentioned that in his view, IT was like 20 years ahead of OT security, which struck me as very surprising. In what universe is IT that far ahead, if ahead at all? I mean, based on the conversations we have here, these are much more in-depth, technical, forward-thinking conversations than I tend to have with people in IT.

Andrew Ginter
I fear that your perspective on OT security has been tainted by a hundred episodes of the podcast here. Partly, on the podcast, we interview people who are very active in OT security, and the examples I gave out of my own experience at Waterfall: we work with the most cyber-secure industrial operations on the planet. We’re on the very high end of industrial cybersecurity. So you’ve been seeing that side of the coin. Joseph, in my recollection, worked at Idaho National Laboratory, working with lots of different kinds of stakeholders in the OT security space, large and small, advanced and not. At Deloitte, he’s working with presumably a very wide cross-section of the industry, much more so than we have on the show here, much more so than I have in my practice. The leading edge of industrial cybersecurity is very sophisticated.

The average is probably much closer to what he’s pointing out, saying, no, no, there’s a lot of people out there. We had an episode, I don’t know, a year ago, talking about starting from zero. We interviewed a gentleman who made it his calling to walk into industrial sites who had done absolutely nothing, one after another after another. So there’s a lot of zero out there.

What I took away from the episode was two things. One was sobering: thinking about bigger-picture campaigns. I have been focused on individual breaches, individual sites. What can the small sites do? I wasn’t really thinking about how a multi-site campaign might work and what would be the advantages to a nation state in carrying out such campaigns. So that’s some sobering food for thought.

The other thing I took away, again, I’m reminded of the Danish SektorCERT model, where the largest utilities, or presumably, if you’d rather, the government, but big fish, pay for a facility that, A, protects the little fish because it’s the right thing to do, and B, provides intelligence to the big fish about large-scale campaigns that might be feeling their way through the little fish in the course of eventually targeting the big fish. To me, that’s a nugget of solution here that maybe we should be, as a society, considering applying more widely.

Nathaniel Nelson
All right, well, with that, thank you to Joseph Price for speaking with you, Andrew. And Andrew, as always, thank you for speaking with me.

Andrew Ginter
It’s always a pleasure, Nate, thank you.

Nathaniel Nelson
This has been the Industrial Security Podcast from Waterfall. Thanks to everyone out there listening.

Andrew Ginter’s Top 3 Podcast Episodes of 2024 https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/andrew-ginters-top-3-podcast-episodes-of-2024/ Mon, 16 Dec 2024 15:12:04 +0000 https://waterfall-security.com/?p=29337 Sit back and enjoy Andrew Ginter's top 3 picks from 2024's Industrial Security Podcast series.


Andrew Ginter’s Top 3 Podcast Episodes of 2024

As 2024 winds down, kick back and enjoy some of Andrew Ginter's best podcast picks

Over the past 12 months, it has been a pleasure and a privilege to co-host the Industrial Security Podcast. When I started the podcast 5-ish years ago, bluntly, I did not know if there was enough industrial security content in the world for more than a year or two of episodes. It turns out the OT security space is much broader and deeper than I knew, and I’ve both learned something in every episode and become aware of how much more there is that I don’t know, that every one of my guests does know, and every guest gives us a few insights based on that knowledge.

Choosing three from this year’s episodes was hard, but here are three that stood out for me. If you ask me for a theme for these episodes, I’d have to say all three provide insights into high-consequence attacks, risk blind spots, and of course defenses against these attacks. This is all consistent with the perspective of the Cyber-Informed Engineering initiative and with the themes I explore in my latest book, Engineering-Grade OT Security: A Manager’s Guide.

I hope you enjoy listening to these podcasts as much as I enjoyed the interviews and discussions. And stay tuned, we are working on many more guests and discussions in 2025!

My Top Three Episodes of 2024:

Episode #134: Insights into Nation State Threats with Joseph Price

In this episode, Joseph Price looks at nation-state threats and attacks. Nation states are often held up as “bogeymen,” able to do anything to anyone for reasons that are opaque to mere mortals. Joseph peels back a couple of layers for us, explaining how to interpret the data that is available in the public domain. He walks us through what to expect in terms of attack capabilities, how the world’s superpowers routinely test each other’s defenses, responses and capabilities in both physical and cyber domains, and looks at what this means for both small and large infrastructure sites and defensive programs.

Episode #123: Tractors to Table Industrial Security in the Industry of Human Consumables with Marc Sachs

In this episode, Marc Sachs, Senior Vice President and Chief Engineer at the Center for Internet Security, Chief Security Officer for Pattern Computer, and a former White House National Security Council Presidential Appointee, takes a deep dive into the cybersecurity challenges facing the food production industry.

He examines the industry’s growing reliance on automation, from farmers leveraging GPS, drones and self-driving equipment to large-scale food production facilities dependent on interconnected systems. While these advancements have dramatically improved efficiency and productivity, automation has also created important new vulnerabilities. Marc walks us through real-world examples of cyber threats targeting this critical industry, the potential consequences of future attacks, and practical measures that organizations can take to bolster their defenses.

This episode provides an eye-opening look at how completely automated the high end of agriculture and food production has become, and how this is a problem as more and more operations deploy this kind of automation.

Episode #131: Hitting Tens of Thousands of Vehicles At Once with Matt MacKinnon

In this episode, Matt MacKinnon, Head of Global Strategic Alliances at Upstream Security, looks at a cybersecurity niche in the automotive industry that I did not know existed: protecting the cloud systems that vehicle manufacturers rely on to manage and interact with the vehicles they produce. From passenger cars to 18-wheelers and massive mining equipment, connected vehicles enable everything from diagnostics and updates to real-time remote control.

Matt explains how digital transformation and the pervasive use of cloud systems in the automotive and heavy equipment industries have introduced new attack opportunities, with potential consequences ranging from unauthorized manipulation of vehicle systems and data breaches to threats to safe and reliable operations.

How to manage these risks and protect cloud systems connected to vehicles? Matt walks us through protective technology and how it works – technology I did not know existed.

USB Firmware Attack | Episode 120 https://waterfall-security.com/ot-insights-center/uncategorized/usb-firmware-attack-episode-120/ Tue, 30 Jan 2024 08:10:23 +0000 https://waterfall-security.com/?p=18251 You plug in a USB drive and your laptop starts smoking - nasty. Mario Prieto Sanlés of AuthUSB joins us to look at the nastiest of USB attacks, and what we can do about them.


USB Firmware Attack | Episode 120

Just imagine: You plug in a USB drive and your laptop starts smoking - nasty. Mario Prieto Sanlés of AuthUSB joins us to look at the nastiest of USB-based attacks, and what we can do about them.


Waterfall team


“…killer USB is a commercial name for a device that kills the computer you connect it to. It sends 200 volts through the data lines and that completely burns the computer.”


About Mario Prieto Sanlés and AuthUSB

Mario Prieto Sanlés is a pre-sales engineer at AuthUSB, a Spain-based company that sells hardware and software tools that physically protect computer networks and equipment from USB-based threats. This includes protection against software attacks such as viruses and malware, hardware attacks such as the Rubber Ducky, and electrical surge attacks such as Killer USBs, allowing USB devices to be used securely.


Transcript of this podcast episode #120: USB Firmware Attacks

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Welcome, everyone, to the Industrial Security Podcast. My name is Nate Nelson. I’m here with Andrew Ginter, the Vice President of Industrial Security at Waterfall Security Solutions, who’s going to introduce the subject and guest of our show today. Andrew, how are you?

Andrew Ginter
I’m very well, thank you Nate. Our guest today is Mario Prieto Sanlés. He is a solution architect at AuthUSB, and we’re going to be looking at USB firmware attacks and what we can do about them. These are not just, you know, open the USB drive, click on a malicious file and oops, they got us. These are attacks where the USB device itself is attacking us.

Nathaniel Nelson
Okay, then let’s get into it. Here is your interview with Mario.

Andrew Ginter
Hello Mario, and thank you for joining us. Before we get started, can you tell us a few words about yourself and about the good work that you’re doing at AuthUSB?

Mario Prieto Sanles
Ah, hello Andrew, thank you for inviting me. I’m Mario. I’m a pre-sales engineer. I started as a computer science engineer and also a higher technician in microcomputer systems and networks, where we focused on cybersecurity systems to protect our clients. Here now on our CSV we contact the clients to prevent the company from being attacked with different kinds of malware attacks or also hardware attacks.

Andrew Ginter
Thanks for that. You know, you’ve used the word USB a couple of times, I’ve used it a couple of times. We all vaguely know what a USB is, especially a USB thumb drive. But we’re here talking about attacks. Why is USB a problem? How can you attack anybody across a USB? What is the spectrum, what’s possible, badness-wise, on a USB?

Mario Prieto Sanles
Okay, so for example, the FBI told us not to connect anything to the USB charging ports at the airport, because we can get our phone or our iPad or whatever infected. For example, we can get infected by connecting something to your computer that is apparently a storage device; you connect it to your computer and you get infected. Or, for example, you get your device killed by the device. So there are many, many ways to attack your system. For example, Killer USB is a commercial name for a device that kills the computer you connect it to. It sends 200 volts through the data lines and that completely burns the computer. So there are many, many ways to get infected: the electrical threat, the software threat, or for example the hardware threat that starts injecting code in your machine. So there are several ways to attack your system with USB devices.

Andrew Ginter
That’s interesting. I’ve heard the words Killer USB before. I thought Killer USB was software, some kind of software hack. You’re telling me it’s hardware?

Mario Prieto Sanles
Yeah, yeah, the Killer USB is hardware that has electrical components built inside. It looks like a normal USB, so when you connect it to a computer, the Killer USB charges those electrical components and then sends 220 volts through the data lines, or maybe just 60 volts through the data lines, so it completely burns the computer. It seems like a lightning strike to your computer that burns the power supply, but in reality it is a USB that kills the motherboard, and it is used to break the first layer of security in companies.

Nathaniel Nelson
You know, I had some notion already that USBs could be dangerous. You know, the classic situation: you leave a USB in the parking lot, someone picks it up, brings it into their nuclear facility and it has Stuxnet on it. But this thing where it delivers voltage to kill a computer, I’ve never heard of anything in that ballpark.

Andrew Ginter
Um, yeah, I found this surprising. You know, I thought I understood attack techniques, but this one is new to me, so I did some reading afterwards and yeah, apparently the way it works is the device has capacitors in the USB drive. You plug it in and it starts drawing power. I mean, USB devices can do that; you can draw power from these interfaces. It draws the power, charges the capacitors and then discharges the capacitors at two hundred volts and fries your motherboard. So yeah, and you know, these devices are commercially available. You can buy them. Um, they’re not, apparently, illegal. Using them is illegal, but the devices themselves aren’t illegal. In theory they’re devices that manufacturers can use to test their motherboards and harden their motherboards. In practice I don’t know any pen tester who does this. I mean, why would you go and burn out a dozen of your clients’ computers? How can you do that without consequences? But you know, the reading I’ve done online does include a caveat. It says basically, don’t do this at home, kids.

Nathaniel Nelson
So has this kind of thing ever actually been pulled off by anybody?

Andrew Ginter
Apparently, you know, one student did use a device like this, burned out sixty six zero computers at their school, videoed themselves doing this and went to jail for a year.

Andrew Ginter
Ah, well, that’s nasty. I mean, I really didn’t know that. Thank you. I had heard of the charging port scenario. I dimly understand what’s happening there, but you’re the expert on it. Can you tell us what’s happening under the hood in the airport when one of these charging ports is compromised?

Mario Prieto Sanles
So the FBI told us not to connect anything to those charging ports, because the bad guys can change the firmware of the charging port. The charging port is built with a chipset or a component whose name is a BMS; it is a component that controls the electricity that needs to be sent to the device. So they can change the behavior of that chipset to infect whatever is connected. Or, for example, do you know BadUSB? BadUSB is a commercial name of an apparent storage device, but in reality it is a chipset that sends data to the computer. It acts like a keyboard, but physically it is like a normal USB. So when you connect that BadUSB to your computer, you get infected by some script injected by a cybercriminal.

Andrew Ginter
Yeah, so I’ve heard of BadUSB before. You said you could buy it. I thought BadUSB was open source, was sort of a demonstration for the penetration testers, a demonstration of what’s available, what’s possible attack-wise.

Mario Prieto Sanles
Yeah, BadUSB is open source. You can build your own, but you also can buy something like a starter kit with some threats, some scripts that are already injected on that BadUSB you buy from the network. So there are a lot of scripts already on, for example, GitHub, where you just need to follow a few steps to configure your BadUSB in order to get, for example, passwords, or inject a backdoor into the system, or whatever. They are already published on GitHub, so you just need to download them.

Andrew Ginter
So BadUSB, I mean, can you take us a little bit deeper? What is BadUSB? How does it work?

Mario Prieto Sanles
Okay, so when you get a thumb drive, a normal thumb drive, you see a normal screen with the explorer of what is stored on that thumb drive. But when you connect a BadUSB, you only see, for example in a Windows system, you only see the console, the console of the system, that is injecting something, for just a few seconds, less than one second maybe, and it injects something. And that is living on your system. It’s a backdoor or software, a service that is running on your computer. You only see a black screen for a little second, one second maybe, and then it’s closed and nothing’s happening, nothing’s happening, and you only see a thumb drive connected, but you don’t know what is happening. There are a lot of sophisticated BadUSBs with, for example, an electrical component, where even on the first connection it shows the explorer with the software inside, but when you connect it later, on the second connection, it sends the payload. It sends the script injected onto the computer. So there are sophisticated kinds of BadUSBs.

Nathaniel Nelson
Not sure if I missed some crucial bit of detail there, but it sounds like what Mario’s describing is more along the lines of the kinds of USB attacks that I’m already aware of.

Andrew Ginter
Yeah, I mean, the classic attack is one where there’s a nasty in the data of the USB drive. So I mean, that was Stuxnet: the structure of the file system entries in the USB drive itself confused the Windows Explorer, exploited a vulnerability, and off you went. The more conventional one is, you know, forget that kind of sophistication, just put a nasty, you know, hackers-r-us.exe, on the USB and trick someone into double-clicking it. Yes, I know it says hackers-r-us, but that’s what you have to click. Click it now, click there. You’re done, it’s over. You know, that’s the contents. There’s gigabytes, tens of gigabytes of space on these devices; if you fill it with malware and you trick someone, or trick the computer, into executing it, it’s all over. This is a different attack. This is where, you know, every one of these USBs has a tiny little CPU in it. People imagine it’s a device. It’s not a device, it’s a computer. There’s a CPU in the USB device. It has its own software; that little CPU is executing its own software. That’s called the firmware, and normally the software, you know, you connect to the computer, the computer inside the USB fires up and says, hey, I’m here, I’m a storage device, what do you want me to do? And the computer says, well, show me what files you’ve got, and it goes back and forth that way. There’s a conversation between the computer in the USB and your computer. What’s happening here is you connect it up and it says, hey, I’m a storage device, and that conversation starts, and the USB says, by the way, I’m also a keyboard. And it starts typing as if it were an external keyboard on your computer, and it brings up a command window and starts typing into that window for a second or two. You might catch it, you might be glancing away, you might not. The window closes and it has injected a nasty into your computer.

Nathaniel Nelson
Right.

Andrew Ginter
As if it had typed it from the keyboard.

Nathaniel Nelson
That seems so remarkable to me. Is there no easy way for a computer to catch that kind of attack before it happens?

Andrew Ginter
Well, this is what we’re talking about. We’re describing the problem here. But you know, we’re going to see the solution in a minute. This is what AuthUSB does.

Nathaniel Nelson
Yeah, okay, so basically though, the lesson is that besides the contents, the files on the USB drive, it’s the device itself too that you have to worry about trusting. So maybe you don’t accept a USB, on those grounds, from anyone besides a very trusted source.

Andrew Ginter
Yeah, it’s worse than that actually. Um, you know, there’s stories out there. You know, pen testers have published scenarios saying you’ve got to be aware of this because we just did it to our client. The scenario was, the pen testers were tasked with getting into a heavily defended client, and they looked around and said, you know, we just can’t get in through these people’s network; it’s locked up tight. So what they did was one of these USB things. They went out and purchased a very expensive mouse, a very nice mouse, carefully took the packaging apart, carefully took the mouse apart, inserted a USB drive into the mouse, connected it all up to the mouse’s USB, put it all back together, shrink-wrapped the whole thing and sent it to one of the victims in the company they were testing. Um, because they’d done some social media research, they figured out this person had just come back from an expensive conference and said, thank you for attending the conference, here’s a thank-you gift, you know, complete with the conference logo, very official looking. This person says, lovely, opens it up, oh, this is nice, this is a $200 mouse from my $3000 conference, thank you, plugs it in, starts using it. Twelve hours later, in the dead of night, it says, yes, I’m a mouse, I’m also a USB drive, and you know, a window pops up and the mouse starts moving, double-clicks on the contents, and now the computer is compromised. So it’s not just USB drives that are at issue here. If you’re given a gift of any USB device, be deeply, deeply suspicious of it.

Andrew Ginter
So this is all nasty. Um, but you know, this is the Industrial Security Podcast. Can you talk about the industrial environment? I mean, I see USBs everywhere. What should industrial users be worried about? What should they be thinking about here?

Mario Prieto Sanles
Okay, so the best way to prevent an attack with USB devices is just not using them. Don’t use them. So in OT environments, in industrial environments, they cannot do that. They need to use USB devices because they have legacy devices where they cannot carry out their update or whatever. So they need to use USB devices. They are forced to use USB devices in old environments.

Andrew Ginter
Okay, so that’s all nasty. Um, how do we solve this problem? I mean, I see people using USBs at industrial sites because presumably they have to; they have to load a PLC ladder logic program into the device and the USB is the only way to do it. How do you address this problem?

Mario Prieto Sanles
So the only way you can get protection from these attacks is checking three kinds of threat: the electrical one, the hardware one and the software attack. You need to check the behavior of the thumb drive in order to detect these three kinds of threat. If you can do that, you are protected from every kind of attack with the USB protocol.

Andrew Ginter
Okay, so there’s three things that we have to protect against. We have to protect against the high-voltage electrical nasty. We have to do something about the hardware. Can you tell us what you guys do? When you say the words electrical, hardware and software, what does it mean? What do you guys actually do with your product?

Mario Prieto Sanles
Okay, so we developed a device, a hardware device, a physical device, which detects the behavior of whatever is connected to our device. So if you connect a Killer USB, an electrical threat, when you connect it we check the behavior, and if it breaks the USB protocol for storage devices, we block it. We detect it, we block it, and we also report to the admin that someone is connecting a Killer USB on port number one of the device in the company, or on floor 3 of your company. So the idea is to check the USB protocol, which is very strict. The USB protocol says you need to do this in exactly this time. So if something is connected and doesn’t strictly follow the USB protocol, it means that it’s talking with some other components, or is typing to the computer, or is charging the electrical components to send the voltage through the data lines. So it means it’s doing something else than what it needs to do if it was a storage device.

Andrew Ginter
Okay, so you check the hardware; if there’s over-voltage, you block that. That’s great. Um, you’ve checked the USB protocol: it’s supposed to be a drive, it’s not supposed to be a keyboard. When you say checking the protocol, you’ve said electrical, hardware and software. Is checking the protocol hardware or software?

Mario Prieto Sanles
Okay, so the electrical one is the Killer USB that charges the electrical components and then sends the volts through the data lines. The hardware attack is the Rubber Ducky, the BadUSB, with all that we talked about, and then there is the software, the third kind of threat. The software threat is a completely normal thumb drive, but with some software, with some malware inside. So we check the USB protocol for the electrical attack, and we check the USB protocol for the hardware attack, and we have antivirus built inside our device to check the software attack.

Andrew Ginter
Okay, and can you tell me, what does your device look like physically? I mean, is this something that I plug into the wall to have power, and I put my USB in and it gives me a green light and says your USB is good, go use it wherever you want, and then I go plug the USB into the PLC? Or do I plug your device into the PLC and then plug the USB into your device? Is it between the USB and the PLC, or is it sort of off on the side somewhere?

Mario Prieto Sanles
Okay, okay, so our device is going to be the first layer of security for your company. It is located at the first door of your industrial facilities. So when someone comes to your industrial organization with a thumb drive, they go to the security office. The security guy connects the thumb drive to our solution, and from our solution you can transfer the files through the network to your PLC, or to the shared folder you want, or the SFTP folder you want, in order to get those files directly from our device without connecting that thumb drive to your computer and exposing yourself to a device that changes its behavior, for example, at the second connection. So our device is connected to a power supply and also with an Ethernet cord to your network.

Nathaniel Nelson
Andrew, I’m going to need a little bit of help here. I follow how this device handles typical software threats, right? He mentioned antivirus. But how does it prevent the USB that is going to fry my motherboard?

Andrew Ginter
And that’s just it. This is a separate physical device plugged into the wall. It does not prevent the USB frying your motherboard; it detects. So you stick the USB drive in there and it’s going to give you a red flashing light saying, whatever you do, don’t plug this thing into the PLC, it will fry your PLC. It detects rather than prevents.

Nathaniel Nelson
Okay, but then why doesn’t this USB fry the device itself that’s detecting this?

Andrew Ginter
Well, you know, that’s the thing. The device is designed understanding that nasty stuff, physically, electrically, could be coming at it. So it’s designed to withstand electrical abuse. You know, you can design a circuit board for 200 volts; there’s things you can do, you just have to know what’s coming at you, and they’ve taken this into account. So they do detection. They do antivirus, just like you said. They do the electrical, saying something electrical just happened, and they do the firmware detection as well. Really, what he said was, look, we understand electrically, voltage-wise and signal-wise, what a normal USB drive behaves like: it behaves at five volts. We understand USB protocol-wise what a normal USB drive behaves like: you send it this question, it sends you back that answer; you send it this other thing. You understand the USB protocol for a thumb drive, and so what they’re doing is looking hard at what the USB is doing. Is it deviating from the electrical protocol with high voltage? Is it deviating from the drive protocol by saying, hey, I’m a keyboard? Any deviation gives you a red light saying, whatever you do, do not plug this thing into your industrial network.

Nathaniel Nelson
Yeah, it also occurs to me now that you’re describing all of this that if the USB were to fry this device, which as you mentioned it won’t because they’ve prepared for that, that would be a pretty good detection mechanism in and of itself, because you’d have a broken machine and then you’d probably not want to plug that USB in anywhere. Um, it kind of sounds like an advanced version of something we’ve talked about on a prior episode. It’s the USB sanitation station, where if you bring a device like that into a manufacturing plant or something, you’ve got to plug in your USB there or else you’re not going to be allowed to use it elsewhere. But maybe with one or two extra steps involved.

Andrew Ginter
That’s exactly what it is. I mean, you’ve used the term sanitation station; I’ve heard the term kiosk. This is a physical device that sits at physical security. You know, you come into the secure zone in the plant, you’re asked to empty your pockets. Do you have any USBs? Stick all the USBs in the device. You’re not allowed to carry the USBs into the system anyway. It takes the files off the system, puts the files into the network, the clean ones that antivirus has blessed. So yeah, this is a kiosk. It’s a sanitation station. It lives as part of your physical security system, sort of checking information and people and devices on the way in, physically, into the secure area.

Andrew Ginter
Okay, and so if I have a PLC and the only way to change the ladder logic is with a USB, then what I have to do is take my sort of external USB, my suspect USB, run it through your device, get the files off of it on the other side, and then inside the industrial network I need a bunch of, I don’t know, color-coded USBs that have never touched the outside world. I put the file back on one of those and I carry it over to the PLC. Is that how it works?

Mario Prieto Sanles
Yeah, we have several modes to work with our product. We have an automatic mode for people who are working in the factory, who are only there for working, not for knowing how to use our product or other kinds of products. So we have a mode that automatically transfers everything from the external thumb drive to an internal thumb drive that is protected by you, that is inventoried by you, so it is recognizable for our product as known by our device.

Andrew Ginter
So that all makes sense. Um, can you give us some examples in the industrial space? In your experience, who is using these kinds of products? What are they using them for? Are they finding anything?

Mario Prieto Sanles
Yeah, our main clients are big companies with critical infrastructures, and also in the public infrastructures. They find attacks with USB devices, and something that is important about our device is: when you cannot check something, you know nothing about that threat to your company. For example, if you don’t have something that checks the email, you are not checking if someone is downloading something from the email. So at this time nobody has anything to control what is moving with the thumb drives in your company. So from the first time, the first day you connect our product, you start having everything that is running on the thumb drives in your company reported in real time to a central console. So the admin can check everything that is running on thumb drives, and from there we have clients that detect that someone is trying to inject the company with a BadUSB. So that means that you are under attack, because the BadUSBs are built specifically for you. They are built because of you, they are built specifically for you. It is strange to detect a BadUSB that is not targeted at you. So we detect Killer USB attacks; we have clients that were attacked with a Killer USB and also with a BadUSB attack. The software attack is very, very common; it’s normal to have a thumb drive that has malware inside. So the most important thing to detect, and to block, and also to report, is the electrical and the hardware attacks.

Andrew Ginter
So that was a long answer. Let me summarize. What I heard Mario say was that, yeah, their system is in use and most of their customers are, you know, large critical infrastructure sites. Their systems have detected all three kinds of attacks. The most common attack that they detect is the stuff that the antivirus catches: there’s a nasty in one of the 600 files on the drive, and they quarantine it. So that’s sort of commonplace. Um, he also said that the Killer USB, the high voltage, has been detected in the wild, which surprises me. I would have thought that if that was going on in the wild, you’d hear more about it, and this is the first I’ve heard of it, so that’s a bit of a surprise. He also said that the firmware attacks have been detected in the wild, and these are in a sense particularly alarming, because he says in practice, when they’ve been detected, pretty much always they have identified a targeted attack, meaning someone with a lot of resources put together an attack that is specific to this critical infrastructure site or that very valuable industrial site. You know, who has those kinds of resources for that kind of investment in attack technology? It’s usually a nation state. So that’s disturbing, that these have been discovered in the wild as well.

Nathaniel Nelson
Yeah, it strikes me that these kinds of attacks wouldn’t be cybercriminal in nature, but also that I haven’t really heard about them before. Is there a reason why they wouldn’t make the news?

Andrew Ginter
Well, um, you know, you have to ask who’s detecting these attacks. If it is nation state, it may well be nation state attacks on very sensitive targets. You know, he did not say that they have, I don’t know, military customers. If you’ve got a very sensitive target, let’s say a large government-owned facility, whatever kind of facility it is, they might just not report, hey, we think the Russians or Iran or North Korea has just come after us. They might share that knowledge within their classified circle, within the circle of people that they inform confidentially about these attacks, to say, here’s what’s happening, protect yourself. Um, but you know, if the man on the street is not at risk of a nation state coming after them, maybe they figure they don’t need to know, and the people who do need to know, our allies, have been informed through classified channels. I don’t know. I don’t have a security clearance, I never see any of this, so this is all speculation on my part, but it seems plausible.

Andrew Ginter
So on the industrial side, let’s take a step back. On the industrial side, the USB attack everybody talks about is Stuxnet, a very sophisticated attack, nation-state grade. How confident should we be in the AuthUSB solution? Can you detect that grade of sophisticated attack?

Mario Prieto Sanles
Yeah, we are confident in our solution, because we check the behavior. But the confidence that a client needs to contact us is that we are certified by our Spanish Cryptologic Center. Also we are approved and also certified; there are two options here, certified or approved, and we are both. We are certified and approved to work with our Spanish national cybersecurity scheme, and also we are certified to work with NATO countries. We went through a reverse engineering program in order to 35, and we are 100% made in Spain. We don’t use electrical components from outside of the European Union. That’s the confidence we send to our clients.

Andrew Ginter
So that’s good. Um, you guys have been doing this for a while. Can you give us any view into the future? I mean, where’s this going? What are you guys doing next?

Mario Prieto Sanles
Okay, so the best thing we have today is the third version. We started this company in 2018. This is the third version that we are working on, the new version with more ports. So the model today has 2 ports supporting version 3 of the USB protocol, and we are working on different kinds of devices, everything to tackle USB attacks, but different kinds of devices, with maybe a screen, or with more connectors, a Type-C version to support the USBs with Type-C. We are working on more than one device, more than one model.

Andrew Ginter
Well, this has been great, Mario. Thank you for joining us. Before we let you go, can you tell our listeners, what should they be taking away? What should they be watching in this USB space?

Mario Prieto Sanles
So, the first thing is never trust USB devices. It can look like a thumb drive, like your friend’s thumb drive, but in reality it can be anything. It can be a keyboard, it can be a Bluetooth connection or a Wi-Fi connection. So beware of thumb drives, because it is the first thing the cybercriminal tries to do, because it’s cheap and it is the fastest way to get inside your system. So the second thing you need to know is that our goods from AuthUSB are focused on those environments where they need to use USB devices every day for every action, and we are checking the behavior. We are the only ones that check the behavior of the USB devices; others look at a blacklist or whitelist. We just check the behavior of whatever is connected. And we also report everything in real time, so the admin of your company can see everything in real time. So if you want to know more about our solution, you can just contact us. Our website is AuthUSB.net, and from there you can contact us and learn more about our solutions.

Nathaniel Nelson
All right, that seems to have concluded your interview with Mario. Andrew, do you have a final thought that you can take us out with?

Andrew Ginter
Inside a USBYeah I mean something Mario said in sort of his sum up. Um, reminded me. you know we’ve talked about sort of in a sense the mundane the the normal the the kinds of attacks to expect? in. You know he reminded me that these kinds of attacks can become much more sophisticated imagine something that I mean these USB drives. They’ve got cpu’s inside they can be arbitrarily complicated. They can be arbitrarily powerful because they’re little computers imagine a USB drive that has a cpu inside. Yes. And I don’t know cellular hardware so it can reach out to the cellular network and say here I am what would you do with that. Well it would you know it could say to the the computer hey um, I’m a drive great I’m also a keyboard I’m also a mouse I’m also a screen and. You know what’s the default behavior on most windows computers when when it says hey I’m um, another screen it mirrors the first screen to the second screen and now you’ve got you’re seeing a copy of the screen you can move the mouse you can type in the keyboard this is nasty but you know all over the internet all by remote control. Um. You know the the bottom line here is that you know we need to be deeply suspicious of any USB drive that comes into our industrial network from the outside world. We need to scan it 9 ways to Sunday you know on.

Andrew Ginter
the way into the network, ideally pulling the contents off of it and not allowing the physical device into the network at all. So yeah, it’s a modern threat. Thank you to Mario for reminding us of this nasty attack pathway.

Nathaniel Nelson
Yes, thank you to Mario Sanles for speaking with you, Andrew, and Andrew, thank you as always for speaking with me. This has been the Industrial Security Podcast from Waterfall. Thanks to everyone out there listening.

Andrew Ginter
It’s always a pleasure. Thank you Nate.

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

The post USB Firmware Attack | Episode 120 appeared first on Waterfall Security Solutions.

All Time Favorite Podcast Episodes: Andrew Ginter’s Top Picks
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/andrews-favorite-podcasts/
Tue, 26 Dec 2023 14:13:34 +0000
Andrew Ginter shares with us his top 5 favorite podcast episodes from the Industrial Security Podcast that he co-hosts.

The post All Time Favorite Podcast Episodes: Andrew Ginter’s Top Picks appeared first on Waterfall Security Solutions.


All Time Favorite Podcast Episodes: Andrew Ginter’s Top Picks

Five of Andrew's favorite podcasts to enjoy as 2023 comes to an end, and 2024 begins.

Waterfall team

Top 5 Podcast Episodes - Happy Holidays

I was asked to put a few words together about my favorite Industrial Security Podcast episodes of all time. I scanned the complete list at https://waterfall-security.com/podcast and came up with these five. The first four were episodes that contributed materially to my thinking and to the formation of sections and chapters in my latest “gold” book, Engineering-Grade OT Security: A manager’s guide.

The fifth didn’t really fit the gold book, but I’m mulling the episode over for possible inclusion in my next book, if there is one. The gold book was all about risk in the context of individual organizations. For the future, I’m wondering if the world needs a bigger picture book of where OT cyber risk fits into the context of “all risks” that modern societies face, from nuclear war and EMPs to massive solar storms and global warming. I dunno for sure, please let me know what you think. 

“If you have time over the Christmas break and are looking for a podcast or five to make you think – full of ideas that will challenge your current understanding of the OT/industrial security space – these are the episodes I recommend.”

My top five episodes:

Episode #28: Unhackable Safeguards with James McGlone

James is a co-author of Security PHA Review, a brilliantly written book on using Process Hazard Analysis / HAZOP spreadsheets and concepts to improve cybersecurity with unhackable / engineering-grade mitigations.

Episode #68: Capabilities vs. Probabilities with Mark Fabro
Mark explains capabilities-based risk vs. older and murkier likelihood-based models, and uses capabilities to introduce cyber Design-Basis Threat (cDBT) – a way to eliminate “risk-based” hand waving.

Episode #85: Cyber Insurance is Changing Fast with Georgina Williams

Georgina walks us through changes in the insurance industry triggered by NotPetya and the $1.4 billion USD Merck Pharma payout. For many, OT cyber insurance is not the “one stop” solution it once was.

Episode #100: Engineering-Grade Security in the CIE Strategy with Cheri Caddy
Cheri led the US DOE / INL Cyber-Informed Engineering Strategy. Feedback I’ve heard from practitioners suggests the CIE Strategy might just be the single best thing to happen to OT cybersecurity, ever.

Episode #96: Consequences Matter with Danielle Jablanski
Danielle walks us through the very big picture. It is not just worst-case consequences that determine government policy & regulations, but also society’s ability to respond to different kinds of worst-case attacks.

If you have time over the holidays and are looking for a podcast (or five) to make you think – full of ideas that will challenge your current understanding of the OT/industrial security space – these are the episodes I recommend.
