Podcasts
Special Editions
Ep 43
Special Editions 4.17.22
Ep 43 | 4.17.22

CyberWire Live: Hack the Port 2022 Fireside chat.

Show Notes
Transcript

Dave Bittner: Hello, everyone. I'm Dave Bittner. The CyberWire was a media partner for the Hack the Port conference held in Fort Lauderdale, Fla., in March 2022. Over the course of the weeklong event, we enjoyed a variety of speakers, educational and training sessions, academic and professional villages with a number of competitive challenges and bootcamps and a VIP awards dinner honoring excellence in cybersecurity. The event was produced by DreamPort and MISI and inspired by U.S. Cyber Command. 

Dave Bittner: The highlight for me was a session I moderated featuring Roya Gordon, security research evangelist at Nozomi Networks, and Christian Lees, CTO at Resecurity. As you'll hear, Roya Gordon has deep domain expertise when it comes to OT, ICS and IoT security, and it was a treat for me and Christian to witness her takes on a variety of topics firsthand. 

Dave Bittner: Thank you very much. My name is Dave Bittner, and I am the host of the CyberWire podcast. Thank you all for joining us here today. And to all of our friends who are out there online, welcome as well. We're going to have a really interesting conversation today. I'm excited to have our two guests here with us. So before we dig into our topics, why don't we begin just with some brief introductions? I know some of you were here for Christian's presentation earlier today, but for the purposes of this podcast, I'm going to ask Christian and Roya to both introduce themselves. Roya, why don't I start with you? Can you give us just a little brief bit on your background and what you do professionally today? 

Roya Gordon: Yes, of course. Ooh, I like how my voice sounds. 

(LAUGHTER) 

Roya Gordon: So, yes, my name is Roya Gordon. I work for Nozomi Networks. I just started about a month ago, so I'm a brand-new Nozomier (ph) - super-excited about it. I'm a security research evangelist, so I work with a lot of our technical folks, and I kind of help broadcast all the work that they're doing to kind of help secure critical infrastructure in OT. I have a history in, you know, consulting doing OT. I worked at a national lab doing OT. I did intelligence in the military. But, yeah, I'm happy to be here in my role, and everything's, like, full circle. So yeah - happy to be here. 

Dave Bittner: And Christian Lees from - I'm sorry - the company Resecurity. 

Christian Lees: No, it's easy to... 

Dave Bittner: Apologies. There's so many security names. Welcome. And please tell us a little bit about yourself. 

Christian Lees: My name is Christian Lees. I'm the CTO of Reed Security, and it's a Los Angeles-based firm. And we primarily focus on threat intelligence harvesting for major brands. So... 

Dave Bittner: All right. 

Christian Lees: Have fun. 

Dave Bittner: Well, let's dig in. Roya, you mentioned in your introduction that your background - you've done many things in your background. And I want to start there. When we're talking about OT, I'm curious what your insights are on the approach that different organizations - different types of organizations take to that. So when we talk about the military, when we talk about government, when we talk about private networks, can you give us some ideas of how each of those has to come at this from a unique perspective? 

Roya Gordon: Yeah, absolutely. So yeah. Being in the military, doing government contracting - so essentially doing government work, working for the government - being in consulting and then now at a tech company, I've noticed that there's been so many different approaches to this thing. So when I was in the Navy, I did intelligence, but there was no cyber element to the Navy at the time. So this was from 2005 to 2011. So there was no cyber element. So I just did regular threat intelligence, you know, foreign threats, terrorism and stuff like that. 

Roya Gordon: Now, of course, I still have contacts in the Navy. And they're kind of starting with the basics of, like, asset discovery, you know? But, you know, they're moving forward when it comes to cybersecurity for sure. When I got out and I started at Idaho National Laboratory, you know, pretty much government - DOE - I was in a lot of DOE projects. And it was straightforward. There was no wooing. There was no selling. There was no trying to convince. It was more so, we're going to come in and help you all and tell you what you need to do and kind of incentivize these companies. So it was pretty straightforward. 

Roya Gordon: When I got to consulting - right? - I worked at Accenture, but any consulting firm, whether it's Deloitte or Slalom - they're run essentially the same. It was a lot about the relationship-building. The - you know, you have to get industry to trust you. And, you know, leveraging partners for sure, but it was all about the relationship with the CISO, with C-suite, enabling board members, helping them to understand the cut funding. So it was cyber, but then there was, like, the business aspect of it. Like, you're undergoing an M&A. And what are the implications from a cyber perspective? 

Roya Gordon: So that's how I kind of got out of my cyber bubble. And I started looking at business, and I began bridging that gap between technical and just kind of what the company is doing as a whole from a business standpoint. And now being in tech, you know, I kind of feel like a little bit of a superhero, you know? Like, we're solving real problems with the technology that, you know, the consulting firms are leveraging, partnering with government. And it's like there is no security if there's no one developing the technology. So I don't know if that's your experience, but that's kind of been my very unique experience across all of these different organizations. 

Dave Bittner: Christian. 

Christian Lees: Yeah. And just out of curiosity for the listeners, would you define OT for everyone? - because that's a lot of overtime... 

Roya Gordon: Yeah. 

Christian Lees: ...That you've got. 

Roya Gordon: Yeah. Operational technology - so, you know, critical infrastructure, pipelines, oil and gas - they run on a separate network. That's not the OT, where it's moving physical systems to open and close things. So that's what we refer to as operational technology or OT for short. 

Christian Lees: So not overtime. 

Roya Gordon: Not overtime. 

Christian Lees: I'd just be curious. In your transition into - sounds like a lot of security, etc., right? 

Roya Gordon: Yeah. 

Christian Lees: What are the friction points that you run into? I know I myself, it's - you know, for example, like, security theater, single pane of gas - a glass, not gas - very difficult to overcome some of these - right? - and internally talking about risk and the appetite for risk, using the right words of risk. I'd just be curious if you were into that. 

Roya Gordon: Yeah, I guess some of the pain points I've had was, you know, you think it's going to be obvious that, you know, hey, we need to invest in security, but there's a lot more convincing, right? So obviously we know the industry is, like, reactionary, so you have to have Ukraine power grids shutting off or Colonial Pipeline happening for people to take it seriously. And even then, there's still kind of the extra convincing, that, hey, you need this or this is going to happen. And I still see that being a struggle and a pain point. I mean, obviously, you know, the industry is doing a better job of highlighting, you know, through these conferences. But I see that, you know, just companies, you just got to do a little bit more convincing. 

Christian Lees: You do, yeah. Absolutely. 

Roya Gordon: That's always a pain point. Yeah. 

Christian Lees: And going to a c-suite that would gladly talk to you for 8 hours about, you know, profit forecasting and, you know, about 30 seconds to say, well, according to the CVE (ph), you know, you got to buffer it. Beep - you're done, right? 

Roya Gordon: Yeah. 

Christian Lees: And you're a cost center. 

Roya Gordon: Yeah. 

Christian Lees: And a lot of times, you manage up and convince them that it's the best idea they ever had. 

Roya Gordon: I think that's all they want. They want you to tell them what they should do. You know, I used to go into meetings, and it would kind of be like the chicken before the egg thing. Like, you know, what are you looking for from a cyber perspective? And they're like, I don't know, why don't you tell me? And, you know, we're going back and forth, and then it's like, you know what? We're the experts. They're looking to us like we're the experts. We're just going to come in with solutions. And then it's a good starting point for them to provide their input, but it's never industry really driving it. They don't know what they need as far as security, you know? The experts do. 

Christian Lees: True. I agree. Yeah. 

Dave Bittner: To what degree do you find yourself serving as that translation layer for a board? You know, in other words, it strikes me that they speak in terms of risk, which is different from the technical aspects that a lot of, you know, the I - certainly, the IT people are used to. 

Roya Gordon: Yeah. 

Dave Bittner: Their discourse circles around that. So are - do you end up being the - you know, the Rosetta Stone between those two worlds? 

Roya Gordon: I actually - so my title is an evangelist, but I'm like, if there was another title, it would be translator for sure. So - yeah, so working, you know, with technical teams, doing threat assessments - you know, they're on the dark web, you know, presenting that and then just bringing it in front of, you know, a CISO that has to go to the board to justify why they need more funding when there's all these other things they're trying to invest funding in - it just doesn't translate. So I kind of take that, and then I look at, you know, this is what - you know, there's an acquisition going on, so maybe they don't want to hear about building a threat intel program. Let's do cybersecurity around this M&A. Let's figure out how secure that acquisition will be, assets that they're going to acquire, access vectors that they're not considering. So I kind of bridge that gap to kind of help them look at - apply cybersecurity to, like, the broader aspects of their business. And it is a translation. So when I go on LinkedIn and I see a lot of evangelist jobs pop up - my mom, she hates the fact that I'm an evangelist. Like, she grew up in the church, and she's just like, there's no way I'm going to call you an evangelist. 

Dave Bittner: (Laughter) Right, right. 

Roya Gordon: But it makes sense. There needs to be people to bridge that gap and to do this translation, you know? 

Christian Lees: I believe so. Yeah. 

Dave Bittner: Yeah. 

Christian Lees: And it's interesting that, you know, in the modern day today, if a company is going under an M&A - right? - well, hold on. You know what you got to do. 

Roya Gordon: Yeah. 

Christian Lees: You form a - you know, Accenture (ph) - right? - they conduct 60, 90-day, you know, cyber study. Is anyone dwelling? Are there any threat actors... 

Roya Gordon: Yep. 

Christian Lees: ...Within here and - I don't know. I don't think it was like that five, 10 years ago. 

Roya Gordon: Yeah, I don't think anybody was thinking about cyber implications for M&A. Yeah, like - yeah. So it's - but it's good, and that's kind of why I feel like a strategy is to, you know, not stay - everyone, you know, we're in our cybersecurity bubble. Even conferences, you know, you just kind of see the same people, and I'm like, no, I want to go out to where people aren't thinking about security - You know, the conferences that are industry conferences, that's not a cybersecurity industry conference - and then be there talking to them and changing their minds about how they're applying cybersecurity. 

Dave Bittner: Getting back to the differences between, you know, military, government and private sector, where - what are those differences to you? Are - is one more nimble than the other? Is one less resistant to being - does one need more convincing that they need to focus on this? Are there budgetary differences, the cadence of their budgets, how - you know, operational differences? Can you contrast those between those types of organizations? 

Roya Gordon: Yeah, I can talk to it for a little bit because I haven't really been involved in budgeting in all of them, you know? 

Dave Bittner: Sure. 

Roya Gordon: But obviously government - we know that they're just kind of slow to move, so budgeting can hold up some things. But I would say I see similar pain points in each. You know, I see there - and I don't want to give away my talk on Thursday, but, you know, from a talent perspective, you know, there just not being enough people. You still have to do some convincing - maybe on the government side, not so much, but definitely in private and consulting or tech, you know? So yeah, I would kind of see that there's similarities, but there's also differences too when dealing with customers, you know, being a part of those different organizations. 

Dave Bittner: Can we dig some into things like research and demos in OT security or the place that that plays when it comes to the folks doing OT? First of all, for folks who might not be familiar with that, can you give us a little bit of insight as to where that sits in the day-to-day operations of the folks who are keeping the OT side of the house running? 

Roya Gordon: Yep, absolutely (laughter). 

Christian Lees: No, you had, like... 

Roya Gordon: (Laughter) OK. 

Christian Lees: You're the OT master. I love it. 

Roya Gordon: (Laughter) So I've been very involved in, you know, a lot of demos, mostly in the resources space. You know, that's the background I came from. And it ended up branching out into broader critical infrastructure. So it wasn't just oil and gas and utilities. It was like, hey, pharmaceutical manufacturing, auto industry and things of that - medical devices and things of that nature. So when, you know, talking about demos and research, I think it just kind of glues everything together. It's one thing to talk to a client about, hey, this is the bad that could happen. But then when you show them, I kind of feel like it's less convincing you have to do 'cause they see it. But the other side to it, which is - you know, I work with research teams to do this - is to build that additional context to drive the message home. So instead of saying, like, hey, this is what an actor can do. It's like, OK, well, how, why, the intent of these actors, and then what are the solutions? There's times that I've given threat assessments to major oil and gas companies, and if you don't leave them with action items, it's, like, you probably shouldn't have just said anything to them at all 'cause they're going to look at it as like, this is great information, but you're not telling me what to do about it. So it may not be that big of a deal. So I do think demos and research is beneficial in helping us get ahead of the threat because obviously you're - before you're exploited, you know what the vulnerabilities are. You know what the weak points are. But you also have to provide that context on the front end and then at the end, tie it together with some action items. And I see that kind of missing in some demos. So I'm hoping that, as an industry, we can kind of foster that. 

Dave Bittner: Is it a struggle sometimes to get budgeting for demos, for research, for those sorts of things as, you know, people are just trying to keep things running on the OT side? And of course, no one ever has enough time or money. Is - to what degree do - is - do you have to convince folks that that's a worthwhile investment? 

Roya Gordon: You know what? So when I was preparing my presentation for Thursday, I looked at some statistics, right? Statistics are key. And budgeting really isn't an issue when it comes to OT anymore. So Nozomi and SANS did a recent study, and they were like, hey, you know, what are the issues - and, you know, they surveyed X amount of professionals. Like, what are the issues when it comes to OT security? And a lot of them said personnel. So when you ask people, the issue with OT security is lack of personnel. That means obviously there's a direct correlation. But then the other statistics showed that there's an increase in budgeting. So there's - companies want to hire more people, and they want to do things in OT. So - and I think that's changed, and we're still thinking, you know, there's no budget. But there is increased budget. I mean, there might be a little tug of war between IT and OT budgeting, but I think we are starting to see increased budget for that to where it's not an issue. It's just making sure that we're sending the right message, you know, and hiring the right people. 

Christian Lees: I could not agree with you more. I'm nonmilitary, right? So I probably don't have all the similar buzzwords. But I do see similarities, right? 

Roya Gordon: Yeah. 

Christian Lees: I mean, hiring seasoned veteran security people, security engineers - right? - that have the ability, in my mind, there are similarities in the private industry where, you know, data flows and, you know, just building that out. One of the problems that I see is the lack of ability to make precise, prioritized intelligence requests - right? - knowing something about that dark world, you know, even having the ability to go, these are the threat actors that are most likely to hit me... 

Roya Gordon: Yep. 

Christian Lees: ...Because they specialize in this, right? And having the ability to understand your entire environment, the demarcation, what's your output, what's your API, and are you able to do these correlations? I feel like sometimes organizations are still really struggling to kind of see the trees through the forest, unfortunately, which has, in my opinion, been there a long time. Now, I know there's a lot of organizations that do that really well. But on my side, just seeing the lack of ability to be able to prioritize intelligence requests from externally or the untrust side has been a problem. 

Roya Gordon: I want to piggyback on that. So during my time at consulting, you know, there was a lot of - you know, they don't know what their intel requirements are. So as an, you know, cyberthreat intelligence, you know, we had intel collection requirements, which is so funny because when I did intelligence in the Navy, when there was no cyber element, that's what drove intelligence. It was ICRs, intel collection requirements. So what are you looking for? What industries? Who? And then having the feedback loop, talking to companies to make sure you're not collecting on a whole bunch of things that they don't care about, right? But the step further is companies need to have their own intel collection requirements. So from a CTI perspective, we know what we're collecting on. But as a company, like, what regions are you interested in based on where your assets are? So we were kind of helping them think through that, but you're right. Like, they just have no clue, and they just think - they just want to get someone in to do cyber for them. And we're just like, it's a process. It's a deeper process than they think. 

Christian Lees: It's a collaboration, right? 

Roya Gordon: Yeah. 

Christian Lees: You know, in order to go into these dark places - something I see a lot, right? We may send out an alert, right? Like, hey, do you see this on this forum? Most people in the enterprise, they do not even have the ability to go onto the dark web, right? You know, and so they're like, what do I do with this? 

Roya Gordon: Yeah. 

Christian Lees: But I love the example of OCR driving the pivot collection. 

Roya Gordon: Yeah. 

Christian Lees: That's fantastic, right? And a lot of times, organizations, they just don't even - they're not sure - I mean, what is it that you're protecting? 

Roya Gordon: Yeah. 

Christian Lees: Oh, cardholder data. OK. All right. Well, then, what's your infrastructure? And it's - I like - I also like your - the example of a road map, right? 

Roya Gordon: Yeah. 

Christian Lees: You're absolutely right. If you can't milestone it and road map it for these people, it's hard. 

Roya Gordon: Yeah. It's a lot of hand holding (laughter). 

Christian Lees: Yeah (laughter). 

Roya Gordon: But I'm here to hold hands, so (laughter). 

Dave Bittner: Can we touch on the threat intelligence element, though? Because, you know, you don't know what you don't know. And it seems to me like a lot of organizations, when they're engaging with a threat intelligence organization or figuring out how to ingest that information into their process, sometimes they're surprises, right? Like they didn't know that such so and so were talking about them. Or as you say, it could be a part of the world they've never even thought about before. And to what degree do you think that the threat intelligence element is important, is critical to the operations on the OT side? 

Roya Gordon: I mean, it's so funny because I think things are obvious, but then I have to remember the audience, and I have to remember that a lot of people don't realize it. So if there's geopolitical strategic intelligence or, you know, what incites cyber threat activity, obviously we're seeing it with what's going on with Russia and Ukraine. But even prior to that, any kind of regional tension or any kind of political instability can incite cyber threat activity and dealing with resources - specifically mining, chemicals, oil and gas - they're operating in so many parts of the world. So they don't think like, hey, I probably need to know, you know, geopolitical news. They're thinking it's a waste of time, just tell me the cyber stuff. But I'm like, yeah, there's like an election coming up, or if, you know, we did a sanction or, you know, if they're kind of dealing with this from a regional standpoint, there's instability, then your facilities might get caught in the crossfires, you know? So it's helping them think through that, because obviously cyber threat intelligence is not just like indicators of compromise. It's the whole context. It's what's going on the dark web. So yeah, so that's kind of been something that I've been trying to help them understand. 

Roya Gordon: Now, when it comes to attribution, I have mixed feelings because we know that threat actors, they steal other threat actors' tools and you're thinking, oh, it's Russia and it's not. And then a lot of nation states - they use threat groups that are independent so you kind of don't know that, you know, Russia, China, Iran, they're tied to that threat group. So there's a lot of - if you waste a lot of energy trying to figure out who, then you could miss, you know, actually trying to secure your networks and we'll figure out the who later, you know? Attribution obviously is important because there could be different motives, whether it's cyber espionage, you'd want to know, okay, why is China behind this? But for the most part, you don't want to spend too much time. Secure right away and then kind of dig into the weeds of who is targeting you and why. 

Christian Lees: I like that. Yeah. I mean, my experience is many times when industries come in, they just want to fast forward to the ending credits, right? Like, roll the credits, we're going to - done. And that's exactly right. First question, who? Who's doing it? Like, OK, everyone back up, right? Right? Like, let's start on Page 1, Chapter 1, right? 

Roya Gordon: Yeah. 

Christian Lees: Let's get to know about your environment, right? Like where, you know, tell me about it, right? We need to know something about it, right? You know, why would I be sending you alerts if you're a pure Linux shop about RDP, you know? And why would I correlate any of these threat actors that pivot off of that? You know, I like that approach, is learning something about your environment, right? Like let's start with what's your risk? What are your exposures? What's the most likely methodology? What is it you're protecting? And from that you build upon pivoting in your collections or what's most likely. It's a process. 

Roya Gordon: Attribution is hard. Because even with what happened with Colonial Pipeline, how everyone just kind of jump to the conclusion like the Russians. And yeah, there has been a history of that, a little bit of probing into our grid and - but because, you know, I know the dark web, you know, the dark web, we know that there's that whole ecosystem. So whoever's developing the ransomware, they're not necessarily the ones launching the attack. They're selling it to the bad people. And then you can, you know, walk in. And I always say it could be a very inexperienced person who knows nothing about cyber and you're like, oh, let me get those credentials there. Like you were saying, let me get network access, and let me get this ransomware. And now you're a sophisticated threat actor by your capabilities, so attribution is just hard. And, you know, it came out later on once everyone dissected all that, who it was because Russian based and Russian speaking is different from a nation-state threat actor that's, you know, doing it on the behalf of the Russian government. So it takes time to explain that, but let's figure out what the issue is and secure it first and then let's do the background later, you know. 

Christian Lees: Agreed. Right. Like, skip attribution, right? Because like most of these threat actors tend to pivot off of that CBE within three months, right? 

Roya Gordon: Yeah. 

Christian Lees: And OK, so you're focusing on who? No, you should be focusing on now, right? 

Roya Gordon: Yeah. 

Christian Lees: Like, get patching, get back porting. 

Roya Gordon: Yeah. 

Dave Bittner: And there are - I've seen some organizations, some security organizations say that they don't believe attribution matters - completely, you know, as a policy, dismiss it. Is that a bit too far in your mind? 

Roya Gordon: Yeah, I would say. Because you don't want to just not care about who's doing it, you know. 

Dave Bittner: Right. 

Roya Gordon: Because I know, you know, depending on, I guess, whatever companies have different service offerings, sometimes you could just get that API and you just get the data and that's it. You don't care about the details. You just want to know, I need to block this and that's all I care about. But then you're still missing a good chunk of what threat intel is. So I think it has to be a good balance. And you know, again, just a little prioritization. It's good to have that, but it's also good to kind of know if you're being targeted and why. So, like, going back to M&As, you might want to know, like if you're doing a major M&A in a certain market, if there's another country that's interested in that, you know, sometimes it kind of helps give you a little bit more context. But I wouldn't say that it's to be depended on. It's just like you can't do one without the other. I think both is important to create the bigger picture. 

Christian Lees: Yeah, I agree. I mean, attribution helps paint a better story. 

Roya Gordon: Yeah. 

Christian Lees: And further pushes the costs, right? Might be the convincing factor that, it's sometimes like, woah, we've got to fix this, right? I would just say if we could replace the word who as our first step with... 

Roya Gordon: Yeah. 

Christian Lees: ...If - you know? - and build. And who could come potentially later? I don't know. 

Roya Gordon: Yeah. I mean, you know it's someone bad. 

Dave Bittner: Right. 

Roya Gordon: So it's never good. 

Dave Bittner: Start there and narrow it down over time. 

Christian Lees: Right. 

Roya Gordon: Yeah. 

Dave Bittner: Yeah. Can we touch on supply chain issues? As we sit here today, we have this breaking developing story that it's speculated that Okta may have been compromised. And certainly, they have a lot of big-name clients around the world. And I think the past year or so has certainly shown a bright light on this whole notion of supply chain security. I'm curious on your insights on to specifically how that applies to this space. 

Roya Gordon: Yeah. Yeah. Absolutely. So I think it's, you know, what's really being targeted is that trusted relationship. Because, you know, you know that if there's, like, an update or if there's this technology from your vendor, you're automatically going to trust it. You think that they're doing due diligence and making sure it's secure, but no one's ever asked that. And I think it's a big problem. And obviously we've seen it within the past year and how it can, you know, kind of affect organizations. However, I think another part of the supply chain compromise that we need to think about is hardware supply chain compromise. 

Roya Gordon: And I don't want to wait until something happens like a Log4j or SolarWinds or all of that for it to kind of now be the thing that we focus on. So I know in Nozomi's threat intel report, we do it every quarter or every half a year, you know, we get into the details of that and then, you know, starting to do research around it. So if it's a USB, if it's a mouse, like, what are the different components that could be compromised? And then if it's connected to - you know, because everyone's big into air gapped, right? So they're like, I have this USB and it's air gapped, but not if it's preloaded with malware, which that was a study. And it showed that there's also - even Stuxnet variants, like, in a USB. 

Roya Gordon: So I think that as everyone kind of shifts to that concept to make it, to, I guess, have a more secure environment, it's like we need to start digging into hardware supply chain compromise and the cyber implications that that could have. But yeah, absolutely. I think supply chain is a huge issue right now and I'm actually happy that it's the focus. I know a couple of years ago before all of this happened, I - we discovered on the dark web that, you know, there was a small third-party supplier whose network access was for sale. And, you know, then we saw that it was sold. So that small supplier obviously wasn't the main target. It's, you know, threat actors are going to target, like, the smaller companies that are less secure so they can get to their main target. So we're able to notify, you know, a global oil and gas company of this and they're able to take action and all of that. But, again, supply chain is being highly targeted. So I'm happy that there's a lot of focus around it now. Yeah. 

Christian Lees: Agree. I mean, history always tends to repeat itself, right? Like, way back when, get your time back - you know, time machine and, you know, we saw the compromise of a HVAC lead to Target and - but I guess one thing - and, again, allegedly this incident we've learned of today, I find interest in the fact that it's, you know, if it is the Lapsus$ group, like, again, this is an organization that's moved out of traditional forum and they announce it via Telegram, right? And a very evasive and targeting infrastructure. 

Roya Gordon: I don't know if you noticed this, but there's a lot of threat actors that are like, you know, you don't hear from them for a little bit. They're laying low. And then all of a sudden there's a new group that pops back up and I'm like, I think they just did a name change. Like, they're not fooling anybody, you know. 

Christian Lees: Rebranding? 

Roya Gordon: Yeah. 

Christian Lees: Under new management. 

Dave Bittner: Right. 

Roya Gordon: So we think that there's all of these, you know, groups, and I do think that there are. But then we have to think a lot of times they're just popping up and changing their name and making it seem like they're different when they're not, so... 

Christian Lees: So that would require attribution, though. 

Roya Gordon: Ah. Yeah. 

Dave Bittner: Can we dig a little deeper into the hardware side of things? I mean, what - when you're thinking of hardware in the supply chain and the vulnerabilities, can you give - what is the spectrum of the types of devices we're talking about, hardware wise? 

Roya Gordon: Well, definitely chips, you know? So something like that. Like, if I purchase a keyboard, I'm not - I'm trusting the keyboard, right? And then whoever's putting it together, they have, like, so many different vendors, different people making all the different pieces. So within - whoever's building the keyboard, no one's checking to see, like, is this chip legit and is it compromised? So it's, like, a long line of no one double-checking. And then when it gets to like an oil and gas company, then all of a sudden, they're the ones hit really, really hard by it. So, you know, we're talking about the different components that make up the hardware. And it comes from so many different places all over the world. 

Christian Lees: Where do they come from? 

Roya Gordon: No one keeps track of it. And there is something called, you know, the SBOM, the software bill of materials. But then there's even, like, inconsistencies with that. It's a good start to know where the many devices in this device are. But, again, I think it's going to take some time for us to really get a good strategy around understanding the hardware supply chain. 

Christian Lees: Right. Yeah. What's the guarantee of this Huawei ARM chipset and built in some other country and... 

Roya Gordon: Yeah. 

Dave Bittner: To what degree are you finding organizations are having a struggle or just pondering how deep, how far down the chain to go. You know, because I have suppliers, they have suppliers. They have suppliers. As you say, you can get down to the component level. But there's a lot of layers there. 

Roya Gordon: Yeah. 

Dave Bittner: And so who do you trust? How do you verify? You know, what is that chain of custody of complex devices? 

Christian Lees: Valid question. I don't know. 

Roya Gordon: I mean, I'm not going to say I know, but I have something to say in regards to what you... 

Dave Bittner: Yeah. 

Roya Gordon: ...Just said. So I think it makes sense for everybody to have, like, some kind of third-party agreement that includes security, right? So there are times on the dark web, we've seen companies that, you know, have satellites and, you know, geospatial data from all these different companies. And then they get breached and their data is, you know, uploaded on the name and shame sites. And it's just like, wait a minute. That's one of our clients. They're not breached, but their data is compromised through a third-party breach. However, the third-party company isn't going to notify all of their customers or all of their clients, you know? So that could be a start to kind of say, hey, maybe there needs to be an agreement in place so if you're the victim of a ransomware attack, you have to tell me because you have my data and my sensitive information. 

Roya Gordon: And then from there, I just think if everyone just kind of does that down the chain, then that could hopefully help foster a more secure supply chain. But that's, you know, a laborious thing to do. I'm sure we can figure out how to automate that in the future. But, you know, I just think that companies, larger organizations need to protect themselves and their data, not just what's housed on their servers or even cloud service providers, but all of those third parties that have sensitive data. And the stuff that was leaked, it was, like, geophysical stuff and drilling, like, areas and coordinates and stuff. Like, you don't want this getting in the hands of, you know, the wrong people. 

Christian Lees: I mean, how about Samsung? Like recently, all the handsets, you know, compromised by, again, Lapsus$. You know, it's... 

Roya Gordon: Yeah. 

Christian Lees: ...Retooling that is years. 

Roya Gordon: Yeah. 

Christian Lees: And the pivot on that, I would think, right? Like, how many - how long did it take to make the Samsung Galaxy? I don't know. It's a tough - you ask a tough question, I think. 

Roya Gordon: Yeah. 

Dave Bittner: Well, but - yeah. I also think about, you know, it's my understanding, like, particularly on the OT side of the house, that you have components that could be in a system for decades. And so if something - if there's a problem discovered down the line, it's not like these things get swapped out and updated regularly, right? 

Roya Gordon: Yeah. Yeah. I mean, that's the problem that we face. And here we are at a cybersecurity conference to talk about it and to help, you know, make things better. 

Christian Lees: There's data controls from the '50s, you know... 

Dave Bittner: Yeah. 

Christian Lees: ...In existence today, sure. 

Roya Gordon: Yeah. 

Dave Bittner: Before we wrap up, I want to make sure we touch on sort of the cultural side of things. You know, the relationship between the IT side of the house and the OT side of the house. Do we sense that there's more hand holding? You know, we're getting together and we're singing "We Are The World" together so that there's an understanding that this needs to happen and we're moving in that direction? 

Christian Lees: Could I ask it - in the private world, is it fair to say the concept of IT and DevOps might be a similar contrast there? Because I was just thinking, like, what's - OT and IT, is there a big, you know, finger... 

Roya Gordon: Yeah. 

Christian Lees: ...Pointing at one another? 

Roya Gordon: Yeah. I tend to see that. So obviously, there's not a lot of skilled people in general that understand OT. And then you try to pull from IT because you're like, at least they know technology. But then there's still kind of that learning curve. So it becomes, you know, difficult for people in OT to have the people that understand what needs to be done. So everyone understands the IT space security, what needs to be done. It's easier for them to kind of fight for that funding. So yeah, there is a little bit of tug of war. There is a little bit of, you know, OK, well, now if I'm going to shift to OT, then screw cyber hygiene. And then it's just like, well, that's not what you do, either. It's like, it's not an either-or type of thing. It does have to be like a kumbaya moment between both sides. So what I do like, though, is that now there's technologies that allow you to get that same visibility into your OT environments like the IT. So shameless plug here, that's what Nozomi Networks does. 

Dave Bittner: Well done. 

Roya Gordon: I'm just saying, I mean, it ties... 

Dave Bittner: Yeah. 

Roya Gordon: ...Into the message and you're able to kind of see not just the components, not just what's a normal behavior and get alerted on what's anomalous behavior, you get to see packets. Like before, there was never that kind of visibility into OT and now that you have that and it can all kind of be fed into this sim so when you're in a soc, you can see everything. I'm like, that's cohesion. We don't have to fight. Someone just needs to understand what this OT stuff means, but it can all be done together. 

Dave Bittner: Real quick, before we wrap up. Can you give us a little teaser, a little preview of the presentation you're giving later in the week? 

Roya Gordon: Absolutely. I'm so passionate about the topic. So I talk about bridging the gap between universities and the OT industry because I didn't come into this field in a traditional type of way. Yeah, I had an intel background, I was on my way to the NSA. I thought I was just going to be in the intel community. And then I ended up, you know, getting a job working at the national labs, learning OT security hands-on. And now I've just kind of been head first, feet first, whatever, into this field and it's been amazing. So I just - I like to talk about my journey and how to kind of help people like me that want to get into this field. And there's really no avenue for it, you know? So it's on Thursday at 2:30 p.m. So hopefully you all will still be there because there's just so many of you out there just so interested in what we have to say right now. 

Christian Lees: Everyone must go. 

Dave Bittner: All right. All right. Well, Roya Gordon from Nozomi Networks, thank you so much for joining us. And, of course, Christian Lees from Resecurity. Thank you for being on our panel today. Thanks to all of you... 

Christian Lees: Thank you. 

Dave Bittner: ...For being here. We appreciate it. 

Roya Gordon: Yeah. Thank you. 

(APPLAUSE) 

Christian Lees: Good job. 

Roya Gordon: That was awesome. Oh, I'm still (inaudible).  

Dave Bittner: Our thanks to DreamPort and MISI for including the CyberWire in the Maritime and Control System Cybersecurity Con Hack the Port '22. You can learn more about the event at hacktheport.tech. Thanks to senior producer Jennifer Eiben for coordinating the session. Our executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.

Special Editions
Podcast Info
HOST(S):
Dave Bittner
Dave Bittner is a security podcast host and one of the founders at CyberWire. He's a creator, producer, videographer, actor, experimenter, and entrepreneur. He's had a long career in the worlds of television, journalism and media production, and is one of the pioneers of non-linear editing and digital storytelling.
Creator: CyberWire, Inc.
ADVERTISEMENT
Enveil
Enveil

Enveil protects Data in Use to enable secure search, sharing, and collaboration. Enveil’s privacy-preserving ZeroReveal® solutions enable the secure use of third-party data assets without revealing the contents of the search itself or compromising the security/ownership of the underlying data. Learn more at www.enveil.com.