Control Loop: The OT Cybersecurity Podcast 1.11.23
Ep 16 | 1.11.23

Shifting into the OT space.


Dave Bittner: It's January 11, 2023, and you are listening to "Control Loop." In today's OT cybersecurity briefing, a Canadian mining company shuts down its mill following a ransomware attack. The Port of Lisbon has sustained a cyberattack with a LockBit ransomware gang claiming credit. Rail company Wabtec begins notifying victims of data breach following a ransomware attack. And New York's governor signs legislation seeking to secure power grids. Also, an upcoming NATO study will analyze hybrid warfare. The Learning Lab is taking a break and will return in our next episode. Our guest is Kaleb Flem, senior cyberthreat intel analyst at Southern California Edison. Kaleb returns for the second part of his interview on the transition from the military and intelligence community to the OT space.

Dave Bittner: The Copper Mountain Mining Corporation was hit by a ransomware attack on December 27, The Record reports. The Vancouver-based mining company said in a statement that the attack impacted its IT systems, forcing it to switch to manual processes. Copper Mountain has also shut down its mill to investigate any possible effects on its control systems. The company stated that there have been no safety or environmental incidents as a result of the attack. 

Dave Bittner: Portugal's Port of Lisbon on Christmas Day sustained a cyberattack that took its website offline, Cybernews reports. The extent of the attack is unclear, though port officials stated that operational activity was not compromised. The LockBit gang has claimed responsibility and also claims to have stolen financial reports, cargo and crew information, customer data, mail correspondence and contracts. The gang is threatening to publish the stolen data if the ransom isn't paid by January 18. 

Dave Bittner: International rail and locomotive giant Wabtec has suffered a data breach following a ransomware attack that hit the company in July. The Pittsburgh headquartered company began notifying affected individuals on December 30, explaining that the stolen data contained a variety of personal information depending on the individual's roles and nationalities. The Record notes that Wabtec's data was posted to a leak site by the LockBit ransomware gang in August. 

Dave Bittner: New York Governor Kathy Hochul, on December 23, signed legislation designed to improve cybersecurity for the state's electric grids. The governor's office said in a statement that the law will require utilities to prepare for cyberattacks in their annual emergency response plans, similar to what utilities do to prepare for storms. The legislation will also provide the Public Service Commission enhanced auditing powers to ensure that critical infrastructure and customer data is secured. Governor Hochul stated, we understand that as the financial capital of the world and a leader in clean energy, New York is a target for hackers. This critical legislation will help protect millions of New Yorkers who depend on reliable electric service and ensure a smooth transition to clean energy. 

Dave Bittner: The Atlantic Council's Arnold C. Dupuy has published an article describing efforts to defend against hybrid warfare, particularly as it relates to Russia's war against Ukraine. Dupuy will serve as chair of NATO's Systems Analysis and Studies, which was formed in October 2022. Dupuy said of the new study, attention will be particularly devoted to the Black Sea, which is at the center of the current military conflict between Russia and Ukraine and which deserves priority focus. Another area of concentration in SAS-183 is advanced early warning cyberdefense, whereby the study's cyber team will create a prototype to improve maritime security by protecting critical energy infrastructure from cyberattacks. 

Dave Bittner: Kaleb Flem is senior cyberthreat intel analyst at Southern California Edison. He returns for the second part of his interview to discuss his transition from the military and intelligence community to the OT space. 

Kaleb Flem: What's true with many in the cybersecurity realm is it is a fairly nontraditional path, which I believe brings the great diversity of experience we have in this field. I began my intelligence career in intelligence about 10 years ago, first learning Arabic and working in signals intelligence, later going back to learn Russian, spent about eight years in military intelligence, worked my way into the intelligence community and then, a few years ago, switched out to the private sector in order to protect critical infrastructure. And so taking all of that cybersecurity experience and then turning it into OT experience has been the big journey but been the most rewarding part thus far. 

Dave Bittner: Well, give us some insights as to what that was like. I mean, obviously, you know, there are some things you had to get up to speed on technically, but I would imagine there's also quite a bit of a culture shift as well. 

Kaleb Flem: Absolutely on both accounts. So initially, the skills transfer is - it's twofold. First, you know more than you think you know. But then there's also an incredible amount to still learn. And a lot of military intelligence and intelligence community style of intelligence - it's hard to articulate that to the private sector. And so making that jump is difficult at first. But once you make it, it's much easier to understand, OK, here's how that experience relates to what I do now. And the biggest lessons learned are that a lot more was relevant than I realized before I made the jump. 

Kaleb Flem: On the other side of it is that skills gap. There's always going to be a skills gap. In cybersecurity in general, in the OT space, you are never going to know everything. If you ever think you know everything, then you're losing the battle. So having humility and going to somebody every day and say, hey; I don't know that; I don't understand that; please help me out - once again, never had a single individual in 10 years of professional experience that turned me down because people want to help you grow - and so having that humility to say, hey; can you please teach me, help me, make me better incrementally, a little bit every day. 

Kaleb Flem: On the OT side, it's trickier because there's less resources. The cybersecurity side has done a really good job of developing free resources, setting up better pathways for helping people get into the space. OT's a little trickier. It's a little less mature on the education side. And so it's a lot more of just finding individuals who've been around for longer and asking them questions. It's especially true when you start looking at from company to company because every company's environment is going to look very different. So there's no textbook on what your company's environment looks like. So it's especially imperative to go find out the individuals who have the experience and understand what your assets look like and to have them take you under their wing as much as possible just to learn your environment. 

Dave Bittner: You know, you mentioned your experience with foreign languages. And I suspect, I mean, that experience must serve you well because probably a lot of what you're dealing with these days is, in a way, translation. 

Kaleb Flem: So that has been an interesting aspect. It comes up especially because at utilities, you look at who are the primary threats facing utilities. It is a lot of the major nations that are coming after the very sophisticated threats. And sometimes with that, you see raw intelligence, obviously on the open source side, coming from different channels that may not be translated. And so there have been instances where we've been able to utilize those skills. Then again, we also have other vendors who are providing finished intelligence products about some of those very sophisticated threats. They've already done some of it as well. So it's kind of hit or miss, but it's definitely nice to have in the back pocket. And realistically, having the cultural experience helps a lot because it helps you see the world from a different perspective. In intelligence, understanding your biases and understanding different world perspectives is paramount to being a successful analyst. 

Dave Bittner: I suspect, too, that you provide a translation layer, you know, between the OT side and the IT side or between the technical folks and management to be able to crossover between those groups, the ways that they communicate, the ways that they think. Do you find yourself doing that as well? 

Kaleb Flem: Absolutely. And that's one of the key assets of threat intelligence programs - is that the individuals that are typically attracted to and are pulled into threat intelligence programs tend to be your communicators. And like you said, we have to be able to tailor our products to showing what's important to our customers because an executive is going to care about a different level of the view than what our threat hunters are going to care about and, even more so, looking at your IT to your OT side. So when I'm talking to an engineer at a substation, they're going to have a very different set of priorities. And their mitigations are going to look very different than if I'm talking to somebody in an IT business unit. And so being able to do that type of translation is very important because that way, you are speaking the language of your customer to meet their needs. 

Dave Bittner: What is your advice for folks who are on the government side, maybe in the military, who are looking at making that jump to the private sector? Do you have any words of wisdom based on your own experience? 

Kaleb Flem: So first of all, I'd say you have to understand the pros and cons of both. There are amazing opportunities, and I absolutely credit my success thus far to my strong foundation in the military and the intelligence community. And there are some of the most amazing analysts that I have ever run into on that side of the house. But then there's also some greater degree of flexibility on the outside and the ability to choose your focus a little more that you don't always get on that side. And so making that transition is very scary because there are so many unknown unknowns. 

Kaleb Flem: So doing your homework is key. Finding others who have made the transition to help mentor you is really helpful in that process. That is what made my transition infinitely easier. It was because I had contacts who were already doing the job, who were - I mean, you never know who's going to be possibly working on the team that you want to go to in the future. So not only do you get that better understanding of the job that you're walking into, but you're also able to better prepare yourself for those opportunities. 

Kaleb Flem: And the other thing is take the most advantage of the training and learning opportunities that you have in the military and in the government because a lot of the - those opportunities are unique, and you're not going to find them outside. And at some point, whether you stay in the military for a career and retire or you transition out earlier, you're going to have to leave at some point. So setting yourself up for success while you're in is key. And trying to build those skill sets helps you succeed in the military and in the government and succeed when you come out. You're going to be an asset no matter where you go. 

Dave Bittner: I guess that's a tricky thing for a lot of folks - is the timing of it all, you know, knowing when is the right time to pull that ripcord or stay in there. Right? It's a tough decision for people. 

Kaleb Flem: Exactly. And the timing is honestly the scary part because on the civilian side, it's very easy to say, hey; I found a better opportunity. Here's my two weeks notice. In the military, you may be planning your transition for multiple years. So the downside is if you find a great opportunity that needs you in two weeks, you can't take it. But the upside is that it gives you plenty of time to prepare and to make contacts so that way, when you do get closer to that transition, that you are maximally prepared. 

Dave Bittner: What are some of the things that go into being a good analyst, a good threat intel analyst? Are there particular personality traits that you find suit you well? 

Kaleb Flem: I'd say first and foremost the having a curiosity about the world around you because if you get tired of reading and doing research, then you're probably going to get a little mentally exhausted because a good portion of the day is constantly viewing the threat landscape from various angles and doing research, finding out what are the latest trends, what are the latest vulnerabilities and being able to keep that all focused. So if - you have to keep that curiosity going day after day. And if you are curious, it's the best job in the world because you get to research and learn about all these very interesting things. 

Kaleb Flem: Secondly, you need to be a good communicator. If you're not able to communicate this amazing intelligence that you've put so much work into, then it's worthless. You're not able to get your point across, and it's not going to accomplish the end goal of mitigating the risks and protecting your - the cyber environment of your organization. And also, you need to have the - a good ability to have humility, to constantly be learning and to know that, hey; I don't know everything, but I can find who does because opening those communication channels with other units will help you, help those around you and will help you provide better intelligence - so not being too nervous to pick up the phone and call somebody to say, hey; here's the issue I'm running into. How can I better accomplish this task? Or if it's a customer, how can I better provide this intelligence to you? And take that feedback, and apply it. And so that way, your intel is just a little bit better, and your reporting is a little bit better next time. So that way, you're constantly improving and providing better actionable intelligence for your customers. 

Dave Bittner: That's Kaleb Flem from Southern California Edison. And that's "Control Loop," brought to you by the CyberWire and powered by Dragos. For links to all of today's stories, check out our show notes at Sound design for this show by Elliott Peltzman with mixing by Tre Hester. Our senior producer is Jennifer Eiben. Our Dragos producers are Joanne Rasch and Mark Urban. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.