1
00:00:00,080 --> 00:00:02,359
Speaker 1: We can't just sit idly by and say oh, well,

2
00:00:02,600 --> 00:00:05,440
the worst thing we've seen is XYZ. That

3
00:00:05,480 --> 00:00:08,839
does not necessarily mean that's the limit to the imagination

4
00:00:08,919 --> 00:00:11,240
and capability of Nation States.

5
00:00:13,720 --> 00:00:17,320
Speaker 2: Welcome listeners to the Industrial Security Podcast. My name is

6
00:00:17,399 --> 00:00:20,640
Nate Nelson. I'm here with Andrew Ginter, the vice president

7
00:00:20,719 --> 00:00:24,800
of Industrial Security at Waterfall Security Solutions, who's going to

8
00:00:24,839 --> 00:00:27,800
introduce the subject and guests of our show today. Andrew,

9
00:00:28,000 --> 00:00:28,399
how are you?

10
00:00:29,559 --> 00:00:31,960
Speaker 3: I'm very well, thank you, Nate. Our guest today is

11
00:00:32,079 --> 00:00:35,520
Joseph Price. He is a senior manager and the program

12
00:00:35,640 --> 00:00:40,240
lead for the OT Cybersecurity program at Deloitte. And our

13
00:00:40,280 --> 00:00:45,280
topic is Nation States more or less you know the word,

14
00:00:45,399 --> 00:00:48,840
you know, credibility comes to mind. How worried should we be?

15
00:00:49,000 --> 00:00:51,479
I mean, how likely are is the is the average

16
00:00:51,520 --> 00:00:55,200
site to be the target of a nation state grade attack?

17
00:00:55,320 --> 00:00:58,439
This is, you know, the kind of thing that Joseph

18
00:00:58,520 --> 00:00:59,159
is an expert on.

19
00:01:00,119 --> 00:01:05,319
Speaker 2: Without further ado, here's your interview with Joseph.

20
00:01:05,879 --> 00:01:09,280
Speaker 3: Hello Joseph, and welcome to the podcast. Before we get started,

21
00:01:09,280 --> 00:01:11,439
can I ask you to say a few words of introduction?

22
00:01:11,560 --> 00:01:14,120
Please tell us a bit about your background and about

23
00:01:14,159 --> 00:01:16,159
the good work that you're doing at Deloitte.

24
00:01:17,280 --> 00:01:19,319
Speaker 1: Sure, thank you very much Andrew for having me on.

25
00:01:19,400 --> 00:01:23,719
I've followed you and it's exciting to be a part

26
00:01:23,760 --> 00:01:26,959
of your podcast, so thanks for this opportunity. My name

27
00:01:27,000 --> 00:01:30,719
is Joseph Price, I go by Joseph, and I'm zeroing

28
00:01:30,760 --> 00:01:34,280
in on about thirty years of being in cyber I

29
00:01:34,319 --> 00:01:38,519
started back in the mid nineties with what we called

30
00:01:38,599 --> 00:01:41,200
information warfare. We didn't use the term cyber back then.

31
00:01:41,680 --> 00:01:45,280
As an active duty military officer in the Air Force, I

32
00:01:45,319 --> 00:01:48,840
spent about four years defending networks in various places around the world,

33
00:01:49,200 --> 00:01:52,560
and then I switched over into the offensive cyber side

34
00:01:52,560 --> 00:01:55,879
of things. I don't get to talk a lot about that, obviously,

35
00:01:55,959 --> 00:02:00,239
because details are not things we can discuss openly. But

36
00:02:00,280 --> 00:02:02,640
I will tell you this, the one thing of spending

37
00:02:02,680 --> 00:02:05,840
sixteen years in that community is I didn't just learn

38
00:02:05,879 --> 00:02:10,919
about how we conduct offensive operations, but how other nations

39
00:02:11,000 --> 00:02:15,840
and other groups and organizations can conduct offensive operations and

40
00:02:15,879 --> 00:02:20,000
really what they can do, whether we've seen it mentioned

41
00:02:20,000 --> 00:02:22,319
in the news or not. So I enjoyed about twenty

42
00:02:22,360 --> 00:02:25,159
years total working for the Department of Defense in various capacities,

43
00:02:25,800 --> 00:02:29,080
and after that I moved here to Idaho Falls, Idaho,

44
00:02:29,080 --> 00:02:33,520
where I now live. I joined Idaho National Laboratory and

45
00:02:33,800 --> 00:02:38,400
was a deputy director for Critical Infrastructure Protection there, and

46
00:02:38,439 --> 00:02:42,039
then three years ago I shifted over to Deloitte and

47
00:02:42,080 --> 00:02:45,360
Touche or just Deloitte if you prefer, and I'm a

48
00:02:45,400 --> 00:02:48,479
senior manager there and the program lead for our OT

49
00:02:48,680 --> 00:02:54,039
cybersecurity program. So I help develop our capabilities and service

50
00:02:54,080 --> 00:02:57,280
offerings and deliver them to our clients who have OT

51
00:02:57,439 --> 00:03:00,919
systems to help them secure and protect and create more

52
00:03:00,960 --> 00:03:05,560
resilient architectures that are supporting their OT systems. So that's

53
00:03:05,599 --> 00:03:08,199
where I focus now, and it's a pleasure to be here.

54
00:03:09,520 --> 00:03:12,639
Speaker 3: And the world needs more OT security, so thanks for that.

55
00:03:14,400 --> 00:03:19,400
Nation states is our topic, and you know, we read

56
00:03:19,520 --> 00:03:24,240
about nation state threats in the news. You know, I'm

57
00:03:25,080 --> 00:03:27,039
I work for a vendor. I go to a lot

58
00:03:27,039 --> 00:03:29,280
of these, you know, face to face conferences. I hear

59
00:03:29,360 --> 00:03:32,159
a lot of vendor pitches. I'm sorry, a lot of

60
00:03:32,240 --> 00:03:35,000
vendors get up there and wave the nation state threat flag.

61
00:03:35,159 --> 00:03:38,039
And you know, fear, uncertainty and doubt. You know, the

62
00:03:38,280 --> 00:03:40,039
sky is falling, the sky is falling, We're all going

63
00:03:40,120 --> 00:03:46,280
to die. And yet here we are, you know, you've

64
00:03:46,319 --> 00:03:49,680
been on the inside without stepping on on you know

65
00:03:49,719 --> 00:03:53,120
anything you're not allowed to tell us. How accurate is

66
00:03:53,960 --> 00:03:56,840
the the news, How you know really what's going on

67
00:03:56,879 --> 00:03:58,879
behind the scenes. How how worried should we be?

68
00:04:00,280 --> 00:04:03,840
Speaker 1: That's a great question. I think in the absence of

69
00:04:03,919 --> 00:04:07,479
details and information, a lot of times people just make

70
00:04:07,560 --> 00:04:12,039
presumptions about what a nation state might do. In terms

71
00:04:12,080 --> 00:04:17,560
of capability, nation states don't tend to just be opportunistic.

72
00:04:17,560 --> 00:04:21,959
There's certain amount of opportunistic elements to any campaign, but

73
00:04:22,360 --> 00:04:24,639
they're not just necessarily saying, oh, let's see what we

74
00:04:24,680 --> 00:04:28,720
can find. Often actions are deliberate. Now, the problem we

75
00:04:28,759 --> 00:04:32,360
have is we don't necessarily know what they might target.

76
00:04:33,040 --> 00:04:35,319
So we might talk about a few examples or ideas

77
00:04:35,360 --> 00:04:37,959
around some things we've seen recently in the news. But

78
00:04:38,000 --> 00:04:42,480
for most processes, it's a deliberate it's a deliberate activity.

79
00:04:43,680 --> 00:04:47,040
Nation states have the resources, they have access to talent,

80
00:04:47,600 --> 00:04:50,959
they have the patience to do things. So in many

81
00:04:50,959 --> 00:04:54,040
ways we might conclude that, you know, they're ten foot

82
00:04:54,079 --> 00:04:58,079
tall and bulletproof. Now that's not entirely true, but I

83
00:04:58,120 --> 00:05:01,839
think we were, we are fooling ourselves to think

84
00:05:01,920 --> 00:05:07,439
that the best capability out there is some closely related

85
00:05:07,560 --> 00:05:11,319
version to what we've seen in the news when a

86
00:05:11,360 --> 00:05:17,120
particular operation was exposed. I think that capabilities are really

87
00:05:17,160 --> 00:05:23,759
only limited by imagination and one's dedication to a particular

88
00:05:23,800 --> 00:05:28,879
operation or operational objective. And so I tell people that, yes,

89
00:05:29,439 --> 00:05:34,759
the Nation States are highly capable, they aren't necessary. You know,

90
00:05:34,759 --> 00:05:35,879
a lot of people say, well, do I have to

91
00:05:35,879 --> 00:05:38,199
worry about them targeting me? Well, that depends, But I

92
00:05:38,240 --> 00:05:43,480
would say on the whole, operational technology systems are more

93
00:05:43,519 --> 00:05:50,759
attractive for targeting for military or diplomatic purposes than IT systems,

94
00:05:51,360 --> 00:05:53,720
or I should say they're attractive for a different reason,

95
00:05:54,600 --> 00:05:57,319
and that's as we all know, those of us who

96
00:05:57,360 --> 00:05:59,680
tried to defend them, is that impacts from the cyber

97
00:05:59,680 --> 00:06:05,839
domain can manifest themselves in the physical domain. And so

98
00:06:05,879 --> 00:06:09,319
if you think about it, you can achieve military goals

99
00:06:09,319 --> 00:06:14,040
which may be to cause some destruction or to impact

100
00:06:14,079 --> 00:06:18,680
the availability of some critical resource, all through the cyber domain.

101
00:06:19,439 --> 00:06:23,879
And so I believe there's a lot of capability and

102
00:06:23,920 --> 00:06:26,800
a lot of emphasis and focus out there, and so

103
00:06:26,879 --> 00:06:29,480
we can't just sit idly by and say, oh, well,

104
00:06:29,720 --> 00:06:33,160
the worst thing we've seen is xyz. You know Ukraine

105
00:06:33,199 --> 00:06:36,839
they flipped a few breakers. That does not necessarily mean

106
00:06:36,879 --> 00:06:40,160
that's the limit to the imagination and capability of nation

107
00:06:40,279 --> 00:06:41,360
states at this time.

108
00:06:44,920 --> 00:06:47,240
Speaker 2: Andrew to get us started here, we're talking about nations

109
00:06:47,240 --> 00:06:50,160
state APTs. It could sound like it's all one thing,

110
00:06:50,279 --> 00:06:53,439
but in reality, we're talking about a wide tapestry of

111
00:06:53,480 --> 00:06:57,879
different threat actors from different places with different motivations. Which

112
00:06:57,879 --> 00:07:00,480
are the ones that we are most interested in in

113
00:07:00,519 --> 00:07:02,439
this podcast today.

114
00:07:03,240 --> 00:07:06,519
Speaker 3: There's a lot of different capabilities out there, and you know,

115
00:07:06,959 --> 00:07:09,360
this is not comprehensive, but maybe just to give people

116
00:07:09,399 --> 00:07:13,920
sort of a taste of what's possible, let me cover

117
00:07:14,000 --> 00:07:16,839
off maybe a half dozen of the threat actors and

118
00:07:16,959 --> 00:07:19,399
sort of the different ways they approach the you know,

119
00:07:19,519 --> 00:07:22,759
nation state grade attacks. Starting at the low end, Iran is

120
00:07:22,800 --> 00:07:28,680
accused of sponsoring activist groups. You know, most recently, they

121
00:07:28,759 --> 00:07:31,639
targeted some PLCs that were on the Internet that were

122
00:07:31,680 --> 00:07:36,720
manufactured by an Israeli manufacturer. They you know, disabled water

123
00:07:36,800 --> 00:07:41,800
distribution in a small town in Ireland, and you know,

124
00:07:42,000 --> 00:07:47,800
doing this by sort of low tech, low investment targeting

125
00:07:47,800 --> 00:07:54,560
of Internet exposed assets. North Korea has more sophisticated professionals

126
00:07:54,600 --> 00:07:57,519
that are paid every day the ransom Sorry, the activists

127
00:07:57,519 --> 00:08:02,279
aren't paid. They're amateurs. Professionals are paid every day to

128
00:08:02,560 --> 00:08:05,959
attack things, and mostly what they do is ransomware, because

129
00:08:06,000 --> 00:08:08,360
this is how the sanctioned regime makes a lot of

130
00:08:08,360 --> 00:08:12,639
its foreign currency, is stealing it in ransomware attacks. So

131
00:08:12,680 --> 00:08:17,240
they've got some very sophisticated ransomware groups. China sort of

132
00:08:17,759 --> 00:08:23,759
is credited with bringing nation state grade cyber attacks to

133
00:08:23,879 --> 00:08:28,839
the forefront back in the day. The DHS at the time,

134
00:08:28,920 --> 00:08:30,839
in like two thousand and six two thousand and seven

135
00:08:30,839 --> 00:08:34,440
put out alerts about advanced persistent threats that was code

136
00:08:34,480 --> 00:08:39,039
for Chinese intelligence agencies, and they pioneered sort of the

137
00:08:39,039 --> 00:08:43,399
public use of what's now the classic remote access trojan

138
00:08:43,679 --> 00:08:48,519
or remote access targeted attack, where you get a foothold

139
00:08:48,600 --> 00:08:54,440
on a network, you install a RAT, a remote access trojan,

140
00:08:54,480 --> 00:08:57,480
a piece of malware. It calls to a command and

141
00:08:57,480 --> 00:08:59,960
control center on the Internet, and you operate that malware

142
00:09:00,039 --> 00:09:02,799
by remote control. You use it to attack other machines

143
00:09:02,840 --> 00:09:05,480
on the compromise network. You spread the RAT to other machines.

144
00:09:05,799 --> 00:09:07,919
You might spread different versions of the RAT in case

145
00:09:07,960 --> 00:09:10,759
your first version is found out and you establish a

146
00:09:10,799 --> 00:09:15,080
persistent presence. The very latest there is Volt Typhoon, which

147
00:09:15,120 --> 00:09:17,759
is saying there isn't even a RAT anymore. They're using

148
00:09:17,799 --> 00:09:21,600
the facilities in the operating system to maintain remote control.

149
00:09:21,840 --> 00:09:26,320
Extremely difficult to detect that the remote control is there.

150
00:09:27,320 --> 00:09:31,600
The Russians take a different approach. Historically, they've produced malware

151
00:09:31,759 --> 00:09:36,600
artifacts for attacks. Think BlackEnergy had code in it

152
00:09:36,679 --> 00:09:41,759
to manipulate DNP3 devices. DNP3 is a widely

153
00:09:41,799 --> 00:09:45,840
used protocol in the electric sector. The latest out of

154
00:09:45,919 --> 00:09:48,720
Russia or credited to Russia, I mean, none of this

155
00:09:48,799 --> 00:09:53,799
is officially confirmed, is Pipedream, which again is a

156
00:09:53,840 --> 00:09:56,519
code that it's attack code that has a lot of

157
00:09:56,600 --> 00:10:03,840
capability in it for manipulating devices in control systems, presumably maliciously.

158
00:10:05,000 --> 00:10:08,919
And you know, we haven't heard much about them lately,

159
00:10:09,000 --> 00:10:11,720
but back in the day, I think twenty ten, you know,

160
00:10:11,759 --> 00:10:16,240
American and Israeli intelligence was accused and has never officially

161
00:10:16,279 --> 00:10:19,720
accepted responsibility. But you know, is widely thought to have

162
00:10:19,759 --> 00:10:23,360
produced Stuxnet, which is a very sophisticated artifact that

163
00:10:23,600 --> 00:10:26,519
once you let it loose in a target network, it

164
00:10:26,639 --> 00:10:29,639
just does its thing. It's autonomous, It spreads autonomously, it

165
00:10:29,720 --> 00:10:32,440
finds its target its sabotage is the target. It does

166
00:10:32,480 --> 00:10:36,000
not need remote control the way the Russian tools do,

167
00:10:36,159 --> 00:10:41,320
the way the Chinese prefer to sort of silently Volt

168
00:10:41,399 --> 00:10:45,720
Typhoon living off the land remote control systems. Stuxnet

169
00:10:45,759 --> 00:10:49,799
was autonomous. So this is sort of the spectrum

170
00:10:49,360 --> 00:10:54,200
from low tech activist attacks to remote control attacks, some

171
00:10:54,240 --> 00:10:58,519
of which are very sophisticated, to autonomous attacks, some of

172
00:10:58,559 --> 00:11:03,320
which you know, have been historically very sophisticated. And there's

173
00:11:03,360 --> 00:11:06,360
probably more that I've missed, but it's you know, it's

174
00:11:06,440 --> 00:11:14,519
a it's a sobering set of capabilities. We read about

175
00:11:14,799 --> 00:11:18,200
these nation states in the news. A lot of the

176
00:11:18,320 --> 00:11:23,480
nation state grade attacks that make the news are espionage,

177
00:11:23,639 --> 00:11:27,840
breaking into governments, breaking into nonprofits, breaking into you know,

178
00:11:27,919 --> 00:11:32,000
anybody who who dares to voice any opposition to

179
00:11:32,080 --> 00:11:37,159
a regime, breaking into these places and stealing information. You know,

180
00:11:37,200 --> 00:11:40,279
you mentioned a couple of instances, uh, you know, the

181
00:11:40,399 --> 00:11:43,960
Russia breaking into the Ukraine twice, uh, causing you know,

182
00:11:44,080 --> 00:11:49,320
physical power outages. You know. The the I guess that

183
00:11:50,240 --> 00:11:56,399
the question is we hear a lot comparatively about espionage,

184
00:11:56,480 --> 00:11:59,639
not so much about sabotage. You know, is there sabotage

185
00:11:59,639 --> 00:12:02,759
happening that just isn't being reported. What's going on there.

186
00:12:05,159 --> 00:12:08,559
Speaker 1: That's a great question, Andrew. And you know when I

187
00:12:08,639 --> 00:12:15,759
mentioned earlier that that the activities you see in the

188
00:12:15,799 --> 00:12:18,320
news are not the limit of the capabilities of a

189
00:12:18,399 --> 00:12:22,919
nation state level actor. It's important to realize like these

190
00:12:22,960 --> 00:12:28,279
are not singular transactions, especially when you consider targeting

191
00:12:28,399 --> 00:12:32,159
OT systems. This is a campaign, right, so it involves

192
00:12:32,159 --> 00:12:35,279
over time, and sometimes our defenses are good, we catch

193
00:12:35,360 --> 00:12:39,120
them early on in the campaign. So even the simple

194
00:12:39,159 --> 00:12:41,399
acts within Ukraine twenty fifteen, were there are a number

195
00:12:41,399 --> 00:12:46,200
of were there a number of circuits that were that

196
00:12:46,240 --> 00:12:51,039
were opened as part of that particular action. It started

197
00:12:51,080 --> 00:12:54,320
with a lot of information gathering, a lot of reconnaissance.

198
00:12:55,080 --> 00:12:58,960
We even saw right after the twenty fifteen activity in

199
00:12:59,120 --> 00:13:03,519
January of twenty six that Ukrenergo, which is the transmission

200
00:13:03,559 --> 00:13:06,480
company that was later the target in December of twenty

201
00:13:06,519 --> 00:13:11,159
sixteen of the follow on attack was part of a

202
00:13:11,200 --> 00:13:15,039
phishing scheme and some of the particular people that they

203
00:13:15,080 --> 00:13:20,919
targeted in that scheme were protection engineers. So you start

204
00:13:20,960 --> 00:13:24,200
to put these pieces together and you realize they're looking

205
00:13:24,240 --> 00:13:26,799
at those people who are responsible for the overall protection

206
00:13:26,960 --> 00:13:32,279
system of the transmission network. And in December of twenty sixteen,

207
00:13:33,000 --> 00:13:36,519
rather than throwing several breakers and several different distribution companies,

208
00:13:36,519 --> 00:13:40,039
they threw one breaker in a transmission company and it

209
00:13:40,120 --> 00:13:42,159
was something on the order like an order of magnitude

210
00:13:42,200 --> 00:13:46,799
more power loss in that one breaker trip than in

211
00:13:47,080 --> 00:13:50,320
all the rest of the twenty fifteen during the twenty

212
00:13:50,320 --> 00:13:54,960
fifteen attack. And so you realize that there's deliberate processes

213
00:13:55,039 --> 00:13:58,799
going on, and sometimes, like I said, we're lucky and

214
00:13:58,879 --> 00:14:07,200
we interrupt the process early. But the goal for to

215
00:14:07,879 --> 00:14:11,360
attack a particular ot system, let's use the United States

216
00:14:11,399 --> 00:14:15,960
as an example target. The goal is not to let's

217
00:14:15,960 --> 00:14:19,559
get in there, gain access, you know, pull all the

218
00:14:19,559 --> 00:14:23,960
information we can, and then cause sabotage. Because when your

219
00:14:24,000 --> 00:14:28,960
sabotage takes place in the physical realm, the chance of reprisal,

220
00:14:29,000 --> 00:14:31,919
the chance of every anything from a diplomatic to a

221
00:14:31,919 --> 00:14:38,720
military response, certainly it raise it or excuse me, rises considerably.

222
00:14:39,879 --> 00:14:43,039
But if you have those assets to hold at risk,

223
00:14:43,679 --> 00:14:46,639
if you can gain access, secure that access, and hold

224
00:14:46,639 --> 00:14:49,919
it at risk, you can integrate that the you know,

225
00:14:49,960 --> 00:14:56,240
the whatever sabotage or whatever attack scenario into a suite

226
00:14:56,279 --> 00:14:58,639
of capabilities that you could have as part of a

227
00:14:58,679 --> 00:15:03,240
campaign plan, and it could be very effective too. So

228
00:15:04,519 --> 00:15:10,919
the adversary is going to use the most minimal force

229
00:15:11,039 --> 00:15:15,679
required to gain access. And if they can use something that,

230
00:15:15,799 --> 00:15:19,679
let's say is out there in the wild, but you

231
00:15:19,720 --> 00:15:21,720
know they can tell you're not patched against, well sure

232
00:15:21,759 --> 00:15:23,840
they're going to use that. They're going to use that

233
00:15:23,879 --> 00:15:25,840
before they go to some zero day that they know

234
00:15:25,919 --> 00:15:28,039
and no one else knows. Right, you're going to be

235
00:15:28,360 --> 00:15:33,799
economical in your use of your various offensive crown jewels.

236
00:15:34,480 --> 00:15:37,919
Once they've gained a foothold, once they've secured their position,

237
00:15:38,960 --> 00:15:41,960
they may do the need to do additional reconnaissance to

238
00:15:41,960 --> 00:15:46,480
figure out what are our options. I always felt that

239
00:15:46,559 --> 00:15:50,200
Ukraine twenty fifteen was kind of a hastily, hastily executed

240
00:15:50,240 --> 00:15:55,600
operation because so many things happened at once, and then

241
00:15:55,600 --> 00:15:58,600
they burned all the infrastructure at the end. But if

242
00:15:58,639 --> 00:16:01,000
you go back and look at each individual action that

243
00:16:01,080 --> 00:16:04,759
was taken at each of the distribution companies, you recognize

244
00:16:04,759 --> 00:16:09,320
that in some cases they obviously had people that couldn't

245
00:16:09,320 --> 00:16:13,600
read or understand Ukrainian because they had messages on the

246
00:16:13,639 --> 00:16:16,600
screen that they were remotely operating that said, this is

247
00:16:16,679 --> 00:16:19,399
just a test system, and they continue to try to

248
00:16:19,440 --> 00:16:24,200
do things. They opened a tiebreaker, which in general, unless

249
00:16:24,240 --> 00:16:28,080
you're under some maintenance function, tiebreakers aren't going to shut

250
00:16:28,120 --> 00:16:33,399
the power down anything. And so what we saw as

251
00:16:33,480 --> 00:16:36,840
things progress and you get into the December twenty sixteen event,

252
00:16:37,440 --> 00:16:42,759
you realize that things are more specific to the equipment

253
00:16:42,799 --> 00:16:47,039
that's in use. It's highly targeted. There clearly had someone

254
00:16:47,080 --> 00:16:49,000
who knew what was going on in that system. And

255
00:16:49,039 --> 00:16:52,120
I think we need to recognize that a nation state

256
00:16:52,159 --> 00:16:56,240
adversary will understand your process. They may not understand your

257
00:16:56,279 --> 00:17:00,600
systems and exactly your processes for running through things or

258
00:17:00,600 --> 00:17:04,119
your contingency measures, et cetera, but they'll understand the physical

259
00:17:04,160 --> 00:17:08,000
process that you're controlling so that they can understand the

260
00:17:08,000 --> 00:17:10,839
effects they may have. And then they may just sit

261
00:17:10,880 --> 00:17:15,920
on that access, monitor it, it may only phone home once

262
00:17:15,960 --> 00:17:21,119
in a blue moon, because they don't need to risk

263
00:17:21,599 --> 00:17:25,680
detection by having frequent and regular communications or a massive

264
00:17:25,680 --> 00:17:29,640
amount of information flowing back and forth between that target.

265
00:17:30,039 --> 00:17:32,400
They have it there, they can hold it and they

266
00:17:32,400 --> 00:17:35,319
can use it again for what I would say is

267
00:17:35,400 --> 00:17:41,799
you know potential military or even just diplomatic influence operations.

268
00:17:42,519 --> 00:17:47,119
But without having to you know, take any physical action themselves.

269
00:17:47,160 --> 00:17:50,440
They can do it remotely. So I think that's that's

270
00:17:50,440 --> 00:17:53,759
something that is the reasons why they're not necessarily going

271
00:17:53,799 --> 00:17:55,920
straight to sabotage. It's not because as I've seen in

272
00:17:55,920 --> 00:17:58,920
an article recently, Oh, they wouldn't mess with us. No, Actually,

273
00:17:58,960 --> 00:18:00,960
this is the exact way that people would put in

274
00:18:00,960 --> 00:18:04,559
mess with the United States, you know, attacking it asymmetrically,

275
00:18:05,359 --> 00:18:11,599
using capabilities to cause damage, or to cause service outages

276
00:18:11,799 --> 00:18:17,079
or even uncontrolled environmental release risk safety of risk a

277
00:18:17,119 --> 00:18:21,799
safety basis or violated safety basis, and cause potential harm

278
00:18:21,839 --> 00:18:24,519
to humans. Those are all things that could be done

279
00:18:24,519 --> 00:18:28,519
from afar via the cyber domain. That's that's a nice

280
00:18:29,160 --> 00:18:31,640
capability to have, you know, an arrow in your quiver

281
00:18:31,720 --> 00:18:34,559
if you will, that Nation States would want to hold

282
00:18:34,559 --> 00:18:36,480
on to for some future conflict.

283
00:18:37,880 --> 00:18:42,160
Speaker 3: The example you gave of, you know, campaigns developing capabilities

284
00:18:42,200 --> 00:18:46,000
that sort of describes Volt Typhoon to a T. But

285
00:18:46,480 --> 00:18:49,200
in the news lately there's been a lot of sort

286
00:18:49,200 --> 00:18:54,400
of lesser stuff. I mean Russian uh, you know, state

287
00:18:54,440 --> 00:18:57,880
sponsored Russian activists are are accused of I don't know,

288
00:18:57,960 --> 00:19:04,799
overflowing a water tank in Texas. The uh you know,

289
00:19:05,440 --> 00:19:09,960
Iran's nation state sponsored activists are accused of targeting an

290
00:19:10,000 --> 00:19:12,920
Israeli made PLC that's used in a couple of

291
00:19:12,960 --> 00:19:15,039
small water systems, and turning off the water to one

292
00:19:15,079 --> 00:19:18,240
hundred and eighty people in Ireland for two days. None

293
00:19:18,279 --> 00:19:23,160
of this seems terribly consequential. I mean, what really is

294
00:19:23,200 --> 00:19:25,559
the goal here? That doesn't sound like a campaign.

295
00:19:28,000 --> 00:19:32,519
Speaker 1: Yeah, that's a great question, a great observation, Andrew. It's

296
00:19:32,559 --> 00:19:34,319
interesting when you and I think this is again, this

297
00:19:34,440 --> 00:19:38,319
is a that tendency I think, especially within the media,

298
00:19:38,880 --> 00:19:43,319
to presume that what we see is the totality of

299
00:19:43,359 --> 00:19:46,440
the operation. And I just don't think that's the case.

300
00:19:46,680 --> 00:19:48,920
So you mentioned a couple of really good examples. In fact,

301
00:19:49,200 --> 00:19:52,680
we had a very recent example on Monday, there was

302
00:19:52,720 --> 00:19:58,640
a the Arkansas City Kansas was also attacked. Its water

303
00:19:58,680 --> 00:20:01,720
authority was attacked. Very little details have come out. I'm

304
00:20:01,839 --> 00:20:05,119
very interested to hear what they find, and we're trying

305
00:20:05,119 --> 00:20:07,759
to get some additional details through some contacts.

306
00:20:07,799 --> 00:20:13,279
Speaker 4: But because it on the face, it just looks like, well,

307
00:20:13,480 --> 00:20:15,880
not only did they not really have much of an

308
00:20:15,880 --> 00:20:20,160
effect the plant in Arkansas City went into manual mode

309
00:20:21,000 --> 00:20:24,599
a similar situation with some of the examples from CyberAv3ngers,

310
00:20:24,599 --> 00:20:27,599
the ones you mentioned attacking water authorities and kind of

311
00:20:27,599 --> 00:20:28,799
defacing the PLCs.

312
00:20:29,039 --> 00:20:31,720
Speaker 1: The only place that actually caused an impact was that

313
00:20:32,160 --> 00:20:34,799
village in Ireland that you mentioned. And you're like, well,

314
00:20:34,839 --> 00:20:37,640
and now they're exposed. So, like you said, what did

315
00:20:37,640 --> 00:20:41,960
they what did they really gain from that? And so

316
00:20:42,079 --> 00:20:45,799
my answer to that is, let's think deeper about the campaign.

317
00:20:46,200 --> 00:20:51,720
The campaign ultimately has let's say, high value targets at

318
00:20:51,759 --> 00:20:53,599
the end of it, and maybe that high value target

319
00:20:53,680 --> 00:20:58,000
is a major municipal water system in the US, one

320
00:20:58,039 --> 00:21:01,240
that cannot be ignored if you were to have significant

321
00:21:01,279 --> 00:21:05,200
impacts against. So how do you how do you target that?

322
00:21:05,839 --> 00:21:08,240
And everyone might think, okay, well, let's jump straight to

323
00:21:08,279 --> 00:21:11,200
I'm gonna learn about their systems. If I can, who

324
00:21:11,200 --> 00:21:13,720
are the key people, I might start phishing, et cetera.

325
00:21:14,559 --> 00:21:16,440
But part of you has to ask, wait a minute,

326
00:21:17,519 --> 00:21:20,839
if we were to get caught early in the campaign

327
00:21:23,160 --> 00:21:27,160
and there were to be any reprisals, like would would

328
00:21:27,200 --> 00:21:31,440
that completely wipe that campaign opportunity off the map? Do

329
00:21:31,519 --> 00:21:33,640
we need to use better tools? Do we need to

330
00:21:33,680 --> 00:21:37,079
invest more time in a human related a human related operation.

331
00:21:37,680 --> 00:21:39,440
You know, there's a lot of things to consider, and

332
00:21:39,480 --> 00:21:43,160
so even starting, you might say, how's the US going

333
00:21:43,200 --> 00:21:50,640
to react when we cause when we launch an attack

334
00:21:50,720 --> 00:21:57,200
and cause any impact whatsoever to a water system. Well,

335
00:21:57,240 --> 00:21:59,319
we need a we need a lab environment. Right, So

336
00:21:59,359 --> 00:22:02,000
there's I'm sure funny in Nation States. I'm sure they

337
00:22:02,039 --> 00:22:04,480
all have labs where they go test things out. But

338
00:22:04,599 --> 00:22:07,920
to really get ours to measure our response, they need

339
00:22:07,960 --> 00:22:12,359
to do it somewhere. Well, what is you know, if

340
00:22:12,880 --> 00:22:19,319
you consider large metropolitan areas New York City, Los Angeles, Philadelphia, Baltimore,

341
00:22:19,920 --> 00:22:22,759
you know those you're gonna get. Those are gonna get

342
00:22:22,759 --> 00:22:25,200
pretty big reactions pretty quickly, for sure, Right, a lot

343
00:22:25,200 --> 00:22:27,599
of people will know if something happens there. Well, what

344
00:22:27,680 --> 00:22:33,759
about Muleshoe, Texas. Probably not a large number of people

345
00:22:33,839 --> 00:22:36,440
even are gonna know where Muleshoe, Texas is on the map.

346
00:22:37,519 --> 00:22:41,519
So we're going to hit some of these smaller rural areas.

347
00:22:41,960 --> 00:22:45,000
Number one, It's gonna be easier target, right, because these

348
00:22:45,200 --> 00:22:49,240
water authorities suffer from what I call STP, same three people,

349
00:22:49,640 --> 00:22:53,119
the same three people are responsible for making sure they

350
00:22:53,119 --> 00:22:55,880
have all the necessary chemicals for treatment of the water

351
00:22:56,279 --> 00:23:00,400
that the water distribute sourcing and distribution, all works. You know,

352
00:23:00,519 --> 00:23:04,440
they go and deal with issues. They've got to handle

353
00:23:05,039 --> 00:23:07,799
and manage the budget. They've got to handle the maintenance calls,

354
00:23:07,880 --> 00:23:10,240
the late night calls of issues, the water main breaks,

355
00:23:10,279 --> 00:23:13,079
all those things. Same three people are responsible for everything.

356
00:23:13,160 --> 00:23:16,039
So it's a pretty good bet they're not going to

357
00:23:16,119 --> 00:23:21,599
have high end cybersecurity capabilities. So and then we're gonna

358
00:23:21,599 --> 00:23:23,759
do someth We're gonna take an action, and that action

359
00:23:23,880 --> 00:23:26,480
isn't going to directly cause loss of life or anything

360
00:23:26,519 --> 00:23:30,559
major like that. So they had to go into manual

361
00:23:30,759 --> 00:23:36,000
operation mode. Big deal, right that of all the potential impacts,

362
00:23:36,039 --> 00:23:38,960
that's probably the least not for those same three people

363
00:23:39,000 --> 00:23:41,119
because now they're probably a lot busier, even more so

364
00:23:41,160 --> 00:23:44,720
than usual. But you know, that's going to give us

365
00:23:44,759 --> 00:23:48,680
a window to does that cross a threshold? How fervent

366
00:23:49,359 --> 00:23:53,680
is the US's response at the executive level at the DHS,

367
00:23:53,839 --> 00:23:57,039
the CISA level, at the state governor's level, what are

368
00:23:57,640 --> 00:24:01,079
how do we respond as a community as a nation

369
00:24:02,160 --> 00:24:06,440
when we recognize that a foreign actor is taking action

370
00:24:06,559 --> 00:24:13,920
against these life critical you know, services that we just

371
00:24:14,119 --> 00:24:17,720
take for granted every day, and so I think that

372
00:24:17,799 --> 00:24:20,640
again part of this camp, part of the campaign is

373
00:24:21,200 --> 00:24:24,559
figuring out where are those limits to government response, what's

374
00:24:24,599 --> 00:24:27,839
going to what's going to you know, trip a greater

375
00:24:27,960 --> 00:24:30,240
response or something, and what will those responses look like.

376
00:24:30,480 --> 00:24:32,839
It's no different in my mind, like when you have

377
00:24:33,319 --> 00:24:36,480
Russian bombers flying into our air defense identification zone up

378
00:24:36,519 --> 00:24:40,480
near Alaska. They're not crossing into our national airspace, but

379
00:24:40,559 --> 00:24:43,759
they're in those areas just outside of it, and they

380
00:24:43,880 --> 00:24:47,599
watch with their radars and their surveillance planes, how quickly

381
00:24:47,640 --> 00:24:52,359
we scramble, how quickly we are able to intercept the aircraft,

382
00:24:52,519 --> 00:24:56,240
you know, what tactics we use. I believe that's also

383
00:24:56,319 --> 00:25:00,759
going here, going on here, because in the end, if

384
00:25:00,799 --> 00:25:03,119
we believe, I mean so, one of the things I

385
00:25:03,160 --> 00:25:07,319
mentioned earlier was, hey, we can't guide our greatest adversaries

386
00:25:07,359 --> 00:25:10,160
capabilities based on what we see in the news. I

387
00:25:10,319 --> 00:25:15,359
was quite honestly shocked in twenty nineteen when the Director

388
00:25:15,359 --> 00:25:21,640
of National Intelligence published an unclassified threat assessment and in

389
00:25:21,720 --> 00:25:28,960
it identified a couple of interesting facts. Number One, they

390
00:25:29,039 --> 00:25:33,240
named Russia and China in there, which you know, for

391
00:25:33,279 --> 00:25:36,400
those of us who have worked with the intelligence community

392
00:25:36,440 --> 00:25:40,680
before that wasn't it wasn't surprising that those were the

393
00:25:41,039 --> 00:25:43,799
potential adversaries they named. What was surprising is that they

394
00:25:43,799 --> 00:25:46,480
were saying this at the unclassified level, and it said

395
00:25:46,480 --> 00:25:49,960
that Russia could cause a power impact, an impact to

396
00:25:49,960 --> 00:25:53,640
our power, whether it be generation or distribution, that could last

397
00:25:53,680 --> 00:25:57,680
from hours to days, That China could impact our water

398
00:25:57,759 --> 00:26:02,200
systems in you know, in such a means to last

399
00:26:02,200 --> 00:26:05,839
from days to weeks. Like those are pretty bold statements

400
00:26:05,839 --> 00:26:10,200
coming out in an unclassified intelligence report. So I think

401
00:26:10,240 --> 00:26:13,680
there's a recognition at other levels of the government that

402
00:26:14,960 --> 00:26:18,920
nation state adversaries do have a greater capability than what

403
00:26:19,000 --> 00:26:22,160
we might presume just by watching the media and the

404
00:26:22,279 --> 00:26:27,160
smaller activities. You know, Yes, they could be isolated incidents.

405
00:26:27,160 --> 00:26:29,440
In the case of the CyberAv3ngers, you know, they

406
00:26:29,440 --> 00:26:36,759
were trying to deface the the HMI screen on Israeli

407
00:26:36,799 --> 00:26:41,640
made equipment. Okay, that might have been an isolated campaign.

408
00:26:41,720 --> 00:26:44,559
Speaker 5: But for the other things, I sit there and I think, hmm,

409
00:26:44,759 --> 00:26:48,319
how could this be used as part of a larger,

410
00:26:48,559 --> 00:26:52,240
more diverse campaign to see how we respond, to see

411
00:26:52,279 --> 00:26:56,319
what we put in place as a result of those attacks,

412
00:26:56,599 --> 00:26:59,839
and how can we can you use that as part

413
00:26:59,839 --> 00:27:04,599
of of our higher value target, higher value target operations

414
00:27:04,599 --> 00:27:08,279
and preparing for those you know to have capabilities there.

415
00:27:08,359 --> 00:27:14,119
Speaker 3: So, if I were to summarize the one sort of

416
00:27:14,440 --> 00:27:18,240
surprising thing that I took from from you know, the

417
00:27:18,279 --> 00:27:23,079
detail is the concept of a campaign. You know, it's

418
00:27:23,079 --> 00:27:27,759
not just that small water systems are easier targets and

419
00:27:27,839 --> 00:27:31,000
so let's go after them. It's you know, I've never

420
00:27:31,039 --> 00:27:34,599
really thought of these attacks as stepping stones. I really

421
00:27:34,640 --> 00:27:38,920
hadn't thought of these attacks as testing our response capabilities.

422
00:27:38,960 --> 00:27:41,559
I mean, the one concrete example that springs to mind

423
00:27:41,599 --> 00:27:43,759
is I forget It was a few years ago the

424
00:27:44,079 --> 00:27:49,799
American administration announced that, you know, attacks on critical infrastructure,

425
00:27:50,519 --> 00:27:55,119
civilian infrastructure would be regarded as acts of war. Well,

426
00:27:55,640 --> 00:27:59,079
someone just overflowed a water tank in Texas. Did anyone

427
00:27:59,119 --> 00:27:59,720
declare war?

428
00:28:00,519 --> 00:28:00,680
Speaker 1: No?

429
00:28:01,079 --> 00:28:05,039
Speaker 3: So yeah, it does. You know, it almost does feel like,

430
00:28:05,160 --> 00:28:07,200
you know, people are pushing a little bit, you know,

431
00:28:07,240 --> 00:28:09,720
the bad guys are pushing a bit to say, well, really,

432
00:28:09,920 --> 00:28:13,079
when would you when would you respond? How would you respond?

433
00:28:14,640 --> 00:28:14,920
Speaker 2: This?

434
00:28:14,920 --> 00:28:15,680
Speaker 1: This makes sense?

435
00:28:16,640 --> 00:28:20,039
Speaker 2: True? And what I didn't hear him say that I

436
00:28:20,039 --> 00:28:24,720
believe is also occurring is when nation state APTs use

437
00:28:25,119 --> 00:28:28,400
one of their targets as a springboard or a relay

438
00:28:28,440 --> 00:28:34,240
point to another. So, for example, you're targeting one major

439
00:28:34,359 --> 00:28:39,440
utility or telecommunications organization or whatnot, you go after a

440
00:28:39,480 --> 00:28:42,559
smaller target and then you can use that as a

441
00:28:42,599 --> 00:28:47,519
relay point to hide your malicious communications. For example, among other.

442
00:28:47,359 --> 00:28:52,480
Speaker 3: Things where I have heard of that is in supply chain.

443
00:28:52,759 --> 00:28:56,880
More than you know, targeting one critical infrastructure to get

444
00:28:56,880 --> 00:29:00,079
into another. You tend not to have that kind of

445
00:29:00,480 --> 00:29:03,200
connection between a smaller water utility and a larger water

446
00:29:03,279 --> 00:29:07,039
utility in my recollection, at least in North America. You

447
00:29:07,119 --> 00:29:09,799
might have stronger connections like that in Europe where things

448
00:29:09,839 --> 00:29:12,519
tend to be sort of closer to each other, more connected.

449
00:29:12,880 --> 00:29:17,559
So yeah, that's that's a good point. So work with me.

450
00:29:17,920 --> 00:29:20,440
You know, we've been talking about the threat, and you know,

451
00:29:21,319 --> 00:29:25,720
I'm convinced that the nation state threats are real. The

452
00:29:25,839 --> 00:29:29,000
question becomes what do we do about them? You know,

453
00:29:29,119 --> 00:29:32,759
if I mean the the the truism, I don't know

454
00:29:32,759 --> 00:29:35,200
if it's true, but the truism is that a nation

455
00:29:35,319 --> 00:29:39,519
state military essentially has unlimited money and talent and time

456
00:29:39,680 --> 00:29:42,039
to come after us. And when you have that coming

457
00:29:42,079 --> 00:29:44,319
after you. You know, it's hard to imagine how you

458
00:29:44,359 --> 00:29:48,480
could stop an attack like that. You know, given what

459
00:29:48,559 --> 00:29:53,279
you've said about the threat. You know, we as defenders,

460
00:29:53,359 --> 00:29:56,799
from small water systems to large high speed passenger rail

461
00:29:56,839 --> 00:29:59,920
switching systems. We as defenders, what should we be doing

462
00:30:00,119 --> 00:30:01,440
about the threat?

463
00:30:01,960 --> 00:30:04,519
Speaker 1: The challenge in answering that question is that the problem

464
00:30:04,559 --> 00:30:08,599
is multidimensional and multifaceted. But in general, I believe

465
00:30:08,640 --> 00:30:12,359
what we should be doing first and foremost is recognizing

466
00:30:12,400 --> 00:30:16,359
that this is a business risk or an operational risk,

467
00:30:16,720 --> 00:30:23,599
not a technical risk. So often when you bring up

468
00:30:23,640 --> 00:30:27,920
the topic of a potential cyber attack, let's say you're

469
00:30:27,920 --> 00:30:31,359
talking to a CEO or a board, Well, go talk

470
00:30:31,400 --> 00:30:34,440
to the CISO or go talk to the CSO, Right,

471
00:30:34,480 --> 00:30:42,160
that's their responsibility. But when we consider that impacts can

472
00:30:42,200 --> 00:30:46,920
directly impact the business, whether we're brewing beer or providing

473
00:30:47,039 --> 00:30:51,720
clean drinking water to millions of citizens, the ability for

474
00:30:51,839 --> 00:30:54,680
cyber to now create business impacts means it should get

475
00:30:54,720 --> 00:30:59,640
some degree of attention, and the consideration for what should

476
00:30:59,680 --> 00:31:03,480
be done should not be reserved to While I did

477
00:31:03,480 --> 00:31:07,720
the minimum, I followed the checklist. I'm compliant with this

478
00:31:07,839 --> 00:31:14,519
standard because, as we all know, in any standard, your interpretation,

479
00:31:14,920 --> 00:31:22,000
your finding for how you've met that standard, the exceptions

480
00:31:22,039 --> 00:31:26,480
that you might apply for and get granted for that standard,

481
00:31:27,039 --> 00:31:32,279
all could become your own undoing. So to start with,

482
00:31:32,839 --> 00:31:37,400
how do we talk about security of security of OT

483
00:31:37,559 --> 00:31:42,160
systems to thwart the business risk. When you have attention

484
00:31:42,240 --> 00:31:49,039
to that level, then you start to recognize the investment

485
00:31:49,640 --> 00:31:54,079
that's made in any business activity, whether it's bringing on

486
00:31:54,119 --> 00:31:57,799
new equipment, whether we're upgrading. Let's say we're a utility

487
00:31:57,839 --> 00:32:00,599
and we're upgrading to it. You know, we're large provider

488
00:32:00,640 --> 00:32:04,200
and upgrading to a new energy management system. Right, part

489
00:32:04,240 --> 00:32:12,480
of that capital expense is the security, and with that

490
00:32:13,200 --> 00:32:16,680
we're not trying to meet some minimum required. Now we're

491
00:32:16,759 --> 00:32:22,559
recognizing that just as the adversary is dynamic and can

492
00:32:22,599 --> 00:32:25,359
be active at different times, we need to make sure

493
00:32:25,400 --> 00:32:32,480
that our systems are actively monitored. That there is a responsibility,

494
00:32:32,480 --> 00:32:38,279
whether it's done locally by organically within a given company

495
00:32:38,359 --> 00:32:42,000
or provider, or if it's contracted out, or if there's

496
00:32:42,039 --> 00:32:47,400
some higher level organization that provides that. We talked earlier

497
00:32:47,400 --> 00:32:51,160
about rural water systems and the fact that you've got

498
00:32:51,240 --> 00:32:53,920
maybe the same three people are responsible for everything. It's

499
00:32:54,039 --> 00:33:00,279
unreasonable to go tell the community of Muleshoe, Texas or

500
00:33:00,359 --> 00:33:03,079
Dubois, Idaho, Hey, you have to come up with

501
00:33:03,200 --> 00:33:07,599
and fund your own cybersecurity expert. And oh, by the way,

502
00:33:07,640 --> 00:33:09,759
you've got to pay him or her a healthy sum

503
00:33:09,799 --> 00:33:11,920
because there's a lot of demand in the market and

504
00:33:11,960 --> 00:33:14,680
they're gonna cost a hefty price.

505
00:33:15,680 --> 00:33:18,400
But what we could look at is to say, okay,

506
00:33:19,559 --> 00:33:25,480
the threat to those smaller water systems is not only

507
00:33:25,599 --> 00:33:29,079
is it probably lower in terms of somebody trying to

508
00:33:29,119 --> 00:33:37,359
cause sabotage, that is probably lower, also the resulting impact

509
00:33:37,440 --> 00:33:42,279
if that rural community were without water or let's say

510
00:33:42,599 --> 00:33:48,200
hours to days. There are means at certain levels of government, state, federal,

511
00:33:48,240 --> 00:33:54,400
et cetera, to help compensate for that temporary outage. It

512
00:33:54,480 --> 00:33:57,680
is a lot harder to compensate as the population served

513
00:33:57,720 --> 00:33:59,640
by that water system goes up or the demand on

514
00:33:59,640 --> 00:34:02,559
that water system goes up considerably. So there's still challenges

515
00:34:02,599 --> 00:34:06,319
within certainly agricultural areas and things like that that rely

516
00:34:06,400 --> 00:34:10,800
on the water supply for growing crops, et cetera. But

517
00:34:11,000 --> 00:34:15,400
if you could instead of telling every individual function you're

518
00:34:15,440 --> 00:34:18,960
responsible for your own defense, you do give them some

519
00:34:19,320 --> 00:34:22,920
minimum amount of requirement or maybe even assist them in

520
00:34:23,079 --> 00:34:30,039
meeting some minimal safe configuration. A firewall that's properly configured

521
00:34:30,920 --> 00:34:33,360
to serve business, you know, to allow business purposes but

522
00:34:34,559 --> 00:34:41,119
not allow unsolicited communications in from the outside. You have

523
00:34:41,559 --> 00:34:44,320
some continuous monitor on there, even if it's not monitored

524
00:34:44,320 --> 00:34:47,559
by those individual by that particular water authority. But look

525
00:34:47,599 --> 00:34:50,760
at like the state level, and look at you know,

526
00:34:50,840 --> 00:34:56,760
there are emergency response centers popping up in all states,

527
00:34:59,559 --> 00:35:01,280
and you know, being able to be able to handle

528
00:35:01,800 --> 00:35:04,719
different incidents, right some sort of incident management or incident

529
00:35:04,760 --> 00:35:07,719
response capability at the state level, and maybe you bring

530
00:35:07,760 --> 00:35:10,159
it up there. I've always said, you know, when I

531
00:35:10,159 --> 00:35:12,440
look at the state of Idaho, we have three kind

532
00:35:12,480 --> 00:35:17,079
of population centers in Idaho Falls Pocatello where I live

533
00:35:17,119 --> 00:35:19,960
on the southeastern side, the capital city of Boise in

534
00:35:20,000 --> 00:35:22,599
the southwest side, and then the town of Coeur d'Alene not

535
00:35:22,639 --> 00:35:25,599
that far from Spokane, Washington up in the northern end

536
00:35:25,639 --> 00:35:29,000
of the Panhandle. So you might be able to attract

537
00:35:29,039 --> 00:35:32,559
some talent to those population centers and have a regional

538
00:35:33,039 --> 00:35:37,920
secure operation center for let's say the water sector. When

539
00:35:37,920 --> 00:35:41,480
we pivot over to power now you're talking about, well,

540
00:35:41,760 --> 00:35:45,119
you have regulated utilities, you have NERC CIP certainly a

541
00:35:45,199 --> 00:35:48,880
lot more investment in what you know, what is being

542
00:35:48,960 --> 00:35:51,119
done right now to set the bar to begin with

543
00:35:51,599 --> 00:35:58,119
for regulated utilities. You also have private owner operators, right,

544
00:35:58,719 --> 00:36:03,639
you have companies that might have a little more bandwidth

545
00:36:03,679 --> 00:36:06,159
if you will, within the budget to bill do things,

546
00:36:06,159 --> 00:36:11,000
and so you might require more self sufficiency in that

547
00:36:11,079 --> 00:36:15,000
kind of scenario because in the end, what you don't

548
00:36:15,039 --> 00:36:17,440
want to do is pass all of these you know,

549
00:36:17,559 --> 00:36:19,840
costs onto the consumer. I think we all probably pay

550
00:36:19,920 --> 00:36:21,760
for it one way or another, but you don't want

551
00:36:21,800 --> 00:36:25,119
to suddenly triple somebody's water bill or their power bill

552
00:36:25,440 --> 00:36:28,280
to say, oh, well, we have to do this, you know,

553
00:36:29,360 --> 00:36:33,000
this particular cyber thing. Because we have these to your requirements,

554
00:36:33,079 --> 00:36:35,800
you want to look at how can I pool resources

555
00:36:35,840 --> 00:36:39,679
and use where it makes sense other sources of funding

556
00:36:40,360 --> 00:36:44,280
and support for those activities where it's just not feasible

557
00:36:45,039 --> 00:36:48,079
to bring the talent or the capability and run it

558
00:36:48,199 --> 00:36:52,519
organically within that organization. I think if we you know,

559
00:36:52,639 --> 00:36:54,719
then we start to expand to the federal level and

560
00:36:54,760 --> 00:36:58,519
say what's the federal government's responsibility? Now? To be clear,

561
00:36:58,559 --> 00:37:01,480
I'm not speaking on behalf of my company or the

562
00:37:01,480 --> 00:37:06,280
Department of Defense, my former employer, anyone like that, but

563
00:37:06,599 --> 00:37:11,280
I did notice that recently Jen Easterly, the director of CISA,

564
00:37:11,880 --> 00:37:18,480
started talking about pushing responsibility for software vulnerabilities onto

565
00:37:18,519 --> 00:37:22,119
the vendors themselves or software hardware. So that is one

566
00:37:22,280 --> 00:37:25,559
tact that can be taken is you start spreading that

567
00:37:26,119 --> 00:37:30,519
around the equipment and you know, and software manufacturers in

568
00:37:30,559 --> 00:37:34,880
addition to requiring the owners operators to provide some level

569
00:37:34,920 --> 00:37:39,480
of protection. In addition to looking for communities of interest

570
00:37:39,559 --> 00:37:42,480
that might be able to come together and assist in

571
00:37:42,599 --> 00:37:47,199
providing active monitoring where it's just not feasible to have

572
00:37:47,280 --> 00:37:50,800
the organic capabilities. So those are some of the ways

573
00:37:50,800 --> 00:37:54,320
that I think, you know, getting off the dime and

574
00:37:54,760 --> 00:37:57,960
thinking that this is just an issue like for checklist security,

575
00:37:58,880 --> 00:38:00,800
that no, we need to move on that, and we

576
00:38:00,840 --> 00:38:05,400
need to be actively monitoring our systems someone and we

577
00:38:05,440 --> 00:38:07,000
need to be able to share that information. We've got

578
00:38:07,000 --> 00:38:09,920
a great model. We've got Information Sharing and Analysis Centers, ISACs,

579
00:38:10,000 --> 00:38:13,960
out there. Let's make sure that they're properly funded

580
00:38:14,000 --> 00:38:18,000
and resourced so that when something does happen in Muleshoe,

581
00:38:18,039 --> 00:38:23,840
Texas or in Arkansas City, Kansas. That information can be

582
00:38:24,159 --> 00:38:28,880
pulled in quickly and shared elsewhere, so that if part

583
00:38:28,880 --> 00:38:33,920
of that campaign is hitting multiple small utilities, you can

584
00:38:33,960 --> 00:38:37,960
make them aware and quickly disseminate even you know, response

585
00:38:38,079 --> 00:38:41,920
measures to help protect against them or to counter anything

586
00:38:41,960 --> 00:38:44,280
that's been done. I think those are some ways we

587
00:38:44,280 --> 00:38:47,840
can start getting after this problem. But it again, it

588
00:38:48,199 --> 00:38:50,400
requires a shift in our thinking that this is just

589
00:38:51,159 --> 00:38:53,639
this is a CISO problem, or this is just

590
00:38:54,360 --> 00:38:57,880
you know, the network shops problem to solve. You know,

591
00:38:58,000 --> 00:39:01,559
As I was talking about what we should do, how

592
00:39:01,599 --> 00:39:06,280
we should sort of change our approach, I'm reminded of

593
00:39:06,320 --> 00:39:09,679
when I attended my first SANS ICS security conference in

594
00:39:09,679 --> 00:39:13,599
twenty fifteen. I had just less than a year ago

595
00:39:13,679 --> 00:39:17,559
moved to Idaho from Germany. I knew Mike Assante, who

596
00:39:17,559 --> 00:39:20,400
many in this community, if they've been around at all,

597
00:39:20,800 --> 00:39:25,480
know who Mike Assante is. And I was listening to

598
00:39:25,519 --> 00:39:29,000
somebody give a talk at that conference. Kim Zetter was

599
00:39:29,000 --> 00:39:31,840
in attendance, and she's the author of the book Countdown

600
00:39:31,840 --> 00:39:37,039
to Zero Day, and so almost every speaker up to

601
00:39:37,079 --> 00:39:38,719
this I think we were on day two almost every

602
00:39:38,760 --> 00:39:41,239
speaker received some sort of question about Stuxnet,

603
00:39:42,079 --> 00:39:46,679
right, and based on Zetter's book, and they wanted to

604
00:39:46,719 --> 00:39:49,360
know how do I protect against, you know, the nation

605
00:39:49,519 --> 00:39:52,960
state level attack that is Stuxnet. And the speaker,

606
00:39:54,360 --> 00:39:57,239
I forget his name, but he said, you know, he said,

607
00:39:57,239 --> 00:39:59,800
I find it kind of funny, said everyone's sitting here,

608
00:40:00,000 --> 00:40:02,800
one are out saying how do we solve against Stuxnet.

609
00:40:02,880 --> 00:40:05,400
He's like, most of you don't even know what assets

610
00:40:05,400 --> 00:40:10,400
you have on your network, So there's probably there's probably

611
00:40:10,400 --> 00:40:14,920
a preparatory comment to be made, which is, if you

612
00:40:15,079 --> 00:40:19,599
have no cybersecurity program, or maybe a very nascent one,

613
00:40:20,719 --> 00:40:24,679
you can be bombarded with all these different tools that

614
00:40:24,719 --> 00:40:26,960
people will bring you or say, oh, bring us on

615
00:40:27,079 --> 00:40:28,840
and we'll do this for you, we'll do that for you,

616
00:40:29,320 --> 00:40:34,639
and it can become quite noisy and confusing. What is

617
00:40:34,679 --> 00:40:38,400
the best step I should take? What are the first

618
00:40:38,440 --> 00:40:42,559
steps I should take? And so I will caveat my

619
00:40:42,639 --> 00:40:48,920
previous response by just saying, consider first and foremost knowing yourself,

620
00:40:49,119 --> 00:40:52,199
knowing what you have on your network, identifying that, and

621
00:40:52,280 --> 00:40:54,840
certainly there's automation and tools that can assist you in

622
00:40:54,880 --> 00:40:59,599
doing that, but know what you have, have some sort

623
00:40:59,599 --> 00:41:02,679
of policy so that you know how you're going to

624
00:41:02,760 --> 00:41:06,280
treat these systems right, And there's lots of policy examples

625
00:41:06,280 --> 00:41:10,639
out there. You can you can use somebody to assist

626
00:41:10,719 --> 00:41:12,280
you in that, or you can you know, if you've

627
00:41:12,280 --> 00:41:16,559
got the ability, you can study examples that are out there.

628
00:41:17,280 --> 00:41:20,840
But know what you have, have some policies. Is how

629
00:41:20,880 --> 00:41:24,639
you're going to treat whether you're onboard, off board that equipment,

630
00:41:24,679 --> 00:41:27,239
dispose of it, how it's going to be configured, how

631
00:41:27,239 --> 00:41:30,519
you're going to let users access and then put some

632
00:41:30,559 --> 00:41:37,079
sort of monitoring capability in place so that you can

633
00:41:37,159 --> 00:41:41,880
assess what is going on and you know, and then

634
00:41:41,960 --> 00:41:46,159
you can start to graduate to the more complex cases.

635
00:41:46,199 --> 00:41:48,719
How do I need to integrate threat intelligence? How do

636
00:41:48,800 --> 00:41:54,639
I do attack surface management? What are my exposures to

637
00:41:55,039 --> 00:41:58,960
a very highly capable adversary or an advanced persistent threat.

638
00:42:00,039 --> 00:42:04,199
It's important to recognize that you can't just make all

639
00:42:04,239 --> 00:42:09,400
that happen overnight. So I would just say, you know, broadly,

640
00:42:09,440 --> 00:42:15,079
we need to think about monitoring, active monitoring, having responses,

641
00:42:15,719 --> 00:42:18,679
rehearsing our incident response plans, knowing what assets we have

642
00:42:19,400 --> 00:42:22,239
in our systems, if we can get there, then I

643
00:42:22,280 --> 00:42:26,199
think as a nation we'll be better prepared to start

644
00:42:26,199 --> 00:42:28,920
dealing with the more nuanced in advanced threats and being

645
00:42:28,920 --> 00:42:32,440
able to respond when we see a noise somewhere in

646
00:42:32,480 --> 00:42:36,519
the system and recognize that might be part of a

647
00:42:36,519 --> 00:42:40,000
broader campaign. How do I need to respond to whatever

648
00:42:40,159 --> 00:42:44,760
happened there to make myself or protected more resilient?

649
00:42:48,480 --> 00:42:51,639
Speaker 3: So Nate, what struck me there? You know, long discussion

650
00:42:51,760 --> 00:42:56,000
of what smaller utilities can do. How important you know

651
00:42:56,159 --> 00:43:01,280
detection is. I'm reminded of the incident in Denmark. The

652
00:43:01,320 --> 00:43:06,320
SektorCERT documented the Russians compromising some twenty two Internet

653
00:43:06,320 --> 00:43:10,679
facing firewalls that they've been monitoring. What is not widely

654
00:43:10,760 --> 00:43:14,960
known about that incident is the funding model for the

655
00:43:15,000 --> 00:43:19,679
Denmark SektorCERT. The SektorCERT is not publicly funded.

656
00:43:21,400 --> 00:43:25,039
It serves some two or three hundred utilities, most of

657
00:43:25,039 --> 00:43:30,519
which are tiny. It serves three large utilities. I don't

658
00:43:30,519 --> 00:43:33,400
know if they're power or water, but three large utilities

659
00:43:33,639 --> 00:43:35,840
is my recollection when I was talking to these people.

660
00:43:35,920 --> 00:43:37,840
I might have the numbers off by one or two,

661
00:43:38,239 --> 00:43:41,400
but it's a very small number of large utilities, and

662
00:43:41,559 --> 00:43:44,800
those large utilities pay for the SektorCERT and the

663
00:43:44,840 --> 00:43:47,800
SektorCERT provides its services to the tiny hundreds of

664
00:43:47,840 --> 00:43:52,639
tiny utilities for free. You know what's the benefit. Well,

665
00:43:52,679 --> 00:43:54,840
part of it is, you know, the larger utilities giving

666
00:43:54,840 --> 00:43:58,079
back to society. Part of it is in my in

667
00:43:58,239 --> 00:44:01,280
sort of the analysis, you know analysis here. Part of

668
00:44:01,320 --> 00:44:06,679
it is the larger utilities benefit from visibility into what's

669
00:44:06,760 --> 00:44:09,920
going on in the smaller utilities. If the smaller utilities

670
00:44:09,920 --> 00:44:12,239
are being attacked as part of a larger campaign the

671
00:44:12,320 --> 00:44:16,920
larger society, the larger utilities want to know what steps

672
00:44:16,960 --> 00:44:18,920
the enemy is taking, want to know how.

673
00:44:18,880 --> 00:44:19,840
Speaker 1: Much trouble they're in.

674
00:44:20,679 --> 00:44:23,360
Speaker 3: So this is an interesting funding model. You know, he's right,

675
00:44:23,519 --> 00:44:26,400
the same three people do not have the skills, nor

676
00:44:26,480 --> 00:44:30,679
the ability, nor the money to set up their own

677
00:44:30,800 --> 00:44:34,480
monitoring system to pay for their own threat intelligence feeds,

678
00:44:34,639 --> 00:44:38,599
whereas a central SektorCERT-style organization that is sort

679
00:44:38,639 --> 00:44:42,719
of providing service to the smaller utilities can afford to

680
00:44:42,880 --> 00:44:46,920
buy threat intelligence feeds from the commercial providers of these

681
00:44:46,960 --> 00:44:50,320
things can't afford to have a relationship with their government

682
00:44:50,400 --> 00:44:55,639
and get access to classified information, you know, having sort

683
00:44:55,679 --> 00:44:58,480
of the big fish, be it the government or the

684
00:44:58,519 --> 00:45:02,840
larger utilities, pay for for these services for smaller utilities

685
00:45:02,880 --> 00:45:04,880
seems to me to make a lot of sense in

686
00:45:04,920 --> 00:45:08,599
terms of a funding model to bring about the kind

687
00:45:08,639 --> 00:45:14,800
of capabilities that Joseph was talking about. What I kind

688
00:45:14,840 --> 00:45:19,199
of heard you say was the perspective of the government.

689
00:45:19,280 --> 00:45:21,159
I mean, in the United States, the federal government. In

690
00:45:21,199 --> 00:45:26,039
other nations, you know, the national government may be somewhat

691
00:45:26,039 --> 00:45:28,559
different from the perspective of the tiny utilities. With the

692
00:45:28,559 --> 00:45:32,599
same three people. You know, you've talked about the need

693
00:45:32,679 --> 00:45:37,119
for monitoring. Absolutely, the nation needs to monitor these campaigns

694
00:45:37,199 --> 00:45:40,559
and figure out, you know, how many doors is the

695
00:45:40,679 --> 00:45:45,519
enemy knocking on. But in terms of monitoring, you know,

696
00:45:45,760 --> 00:45:53,119
most small utilities they want you know, the attacks kept out.

697
00:45:53,280 --> 00:45:55,079
They you know, they don't want to focus on the

698
00:45:55,119 --> 00:45:58,280
detect part of the cybersecurity framework. They want to focus

699
00:45:58,280 --> 00:46:01,280
on the protect part. And you know, to me, this

700
00:46:01,360 --> 00:46:03,400
is them saying, well, you know, we can if the

701
00:46:03,480 --> 00:46:06,840
nation wants uh, you know, insight into my systems, let

702
00:46:06,840 --> 00:46:09,199
them pay for the monitoring. Because I'm you know, that's

703
00:46:09,239 --> 00:46:12,840
benefiting the nation, not me. I need to put protection

704
00:46:13,000 --> 00:46:18,239
in for those small utilities. When they're designing their security program,

705
00:46:18,360 --> 00:46:22,440
you know, should there be assistance. I mean I don't

706
00:46:22,440 --> 00:46:24,800
want to you know, again, I guess I don't want

707
00:46:24,800 --> 00:46:29,199
to drift into into monetary How much should the small

708
00:46:29,280 --> 00:46:33,280
utility be focused on sort of assisting the nation in

709
00:46:33,360 --> 00:46:38,679
terms of detecting widespread campaigns and you know, how much

710
00:46:39,000 --> 00:46:42,159
should the how much of the nation state threats should

711
00:46:42,239 --> 00:46:47,639
each small or large utility regard as credible that credible

712
00:46:47,679 --> 00:46:52,320
threats to their own their own user base, their own citizens.

713
00:46:53,679 --> 00:47:00,280
Speaker 1: Yeah, those are great questions. Let's start by recognizing that,

714
00:47:01,559 --> 00:47:06,800
as we discussed earlier, as I mentioned earlier, smaller utilities

715
00:47:06,800 --> 00:47:09,719
are not going to have the resources or access to

716
00:47:09,760 --> 00:47:14,599
the skill sets to take to take on all the

717
00:47:14,639 --> 00:47:16,960
responsibilities on their own. And I agree with you, let's

718
00:47:17,000 --> 00:47:19,159
not drift too much into you know, the policy of

719
00:47:19,639 --> 00:47:21,679
who pays, et cetera. But let's think in terms of

720
00:47:21,719 --> 00:47:28,039
where is that expertise who can assess what is credible

721
00:47:28,639 --> 00:47:32,800
and what is not. You know, I pause a little

722
00:47:32,800 --> 00:47:37,199
bit at the use of that term, because if we

723
00:47:37,239 --> 00:47:41,840
talk about in engineering, if we talk about design basis threats,

724
00:47:42,000 --> 00:47:44,199
I mean we look in terms of Okay, I have

725
00:47:44,239 --> 00:47:46,440
two gears are made of a certain metal, we put

726
00:47:46,440 --> 00:47:49,239
them together, they're gonna turn. We're gonna use some sort

727
00:47:49,239 --> 00:47:54,280
of lubrication or something. But I can relative with relative accuracy,

728
00:47:54,880 --> 00:47:56,840
predict when that's gonna fail or when it needs to

729
00:47:56,840 --> 00:48:01,199
be replaced to avoid it failing in operation, right, because

730
00:48:01,239 --> 00:48:03,400
we know how metals break down over time and expose

731
00:48:03,440 --> 00:48:08,440
to certain elements and temperatures and stresses. When we look

732
00:48:08,480 --> 00:48:13,920
at measuring risk for natural disasters, we look historically, we

733
00:48:13,960 --> 00:48:17,280
rely on the fact that, well, there's a you know,

734
00:48:17,360 --> 00:48:20,760
thirty percent chance that we're gonna have, you know, a

735
00:48:20,840 --> 00:48:27,000
hurricane between categories one and categories two strike somewhere within

736
00:48:27,039 --> 00:48:30,239
this one hundred miles of our shoreline, you know, in

737
00:48:30,320 --> 00:48:36,280
the next three years. We base everything off of the

738
00:48:36,320 --> 00:48:40,519
you know, the historic occurrences and use that and extend

739
00:48:40,519 --> 00:48:46,079
that into a you know, probability statement for it happening again.

740
00:48:47,559 --> 00:48:51,760
The challenge we have in cyber is there's a in

741
00:48:51,880 --> 00:48:56,840
most cases, there's a human actor involved, and really at

742
00:48:56,880 --> 00:49:00,159
some level there's a human actor deciding to do to

743
00:49:00,159 --> 00:49:06,079
take certain actions. And so when you talk start talking about,

744
00:49:06,880 --> 00:49:09,159
you know, is the threat credible? Do I need to

745
00:49:09,199 --> 00:49:12,880
be worried? It's very difficult. I think you'll you'll get

746
00:49:12,920 --> 00:49:17,239
some broad statements made based on how critical that service

747
00:49:17,320 --> 00:49:22,000
or that utility or that function is. And then you'll

748
00:49:22,000 --> 00:49:23,960
think in terms of how likely is it that a

749
00:49:24,400 --> 00:49:27,960
nation state level adversary would want to have that impact

750
00:49:28,000 --> 00:49:30,719
on them? And I say, well, again, go back to

751
00:49:30,840 --> 00:49:36,599
our earlier conversation. I think holding that infrastructure at risk

752
00:49:36,880 --> 00:49:42,000
is a much bigger coin in their pocket than causing

753
00:49:42,079 --> 00:49:48,840
some impact. So for that reason, I look at in

754
00:49:48,960 --> 00:49:55,239
terms of prioritizing and look at credible threats. I think, okay,

755
00:49:55,320 --> 00:50:02,480
if if you could either cause interruption of a critical

756
00:50:02,559 --> 00:50:11,639
service like water power transportation in a large metropolitan area,

757
00:50:11,840 --> 00:50:16,760
there is there is the potential of bending political will. Right.

758
00:50:16,800 --> 00:50:19,000
Always tell people, you know, why is why is the

759
00:50:19,119 --> 00:50:21,840
US Navy such a you know, the most powerful fighting

760
00:50:21,840 --> 00:50:25,559
force you know on the on the seas anywhere in

761
00:50:25,559 --> 00:50:28,280
the world. Well, it's because they can park you know,

762
00:50:28,360 --> 00:50:31,559
a dozen acres of sovereign territory twelve miles off

763
00:50:31,840 --> 00:50:34,559
somebody's shore and give them pause, give them time to

764
00:50:34,639 --> 00:50:39,119
think and recognize that, you know, maybe whatever action that

765
00:50:39,159 --> 00:50:42,000
prompted that, there might be a you know, a diplomatic

766
00:50:42,079 --> 00:50:47,440
solution to well, if the suddenly the populace of the

767
00:50:47,559 --> 00:50:50,360
US or a significant number of the populace of the

768
00:50:50,440 --> 00:50:55,880
US are threatened with the loss of life critical services.

769
00:50:58,039 --> 00:51:01,119
I think we'd be foolish not to believe that that

770
00:51:01,360 --> 00:51:07,480
might give us political pause, right, that might cause you know,

771
00:51:07,519 --> 00:51:13,000
the executive branch to think carefully, what is the next

772
00:51:13,039 --> 00:51:17,159
move if they can hold that large of a population

773
00:51:17,239 --> 00:51:20,920
at risk, what are our options now? It will probably,

774
00:51:21,000 --> 00:51:24,800
I'm sure it will drive multiple different options, political, military,

775
00:51:24,800 --> 00:51:25,280
et cetera.

776
00:51:26,000 --> 00:51:28,840
Speaker 3: It occurred to me when you're talking here, is it

777
00:51:29,239 --> 00:51:33,159
credible that you know, Volt Typhoon is in the news,

778
00:51:34,039 --> 00:51:36,960
living off the land, extremely difficult to attect and to

779
00:51:37,400 --> 00:51:41,719
detect these adversaries. Is it is it reasonable to believe

780
00:51:41,760 --> 00:51:46,000
that hundreds of other utilities have been compromised in the

781
00:51:46,039 --> 00:51:52,039
same way, and the Chinese deliberately leaked the fact that

782
00:51:52,039 --> 00:51:56,320
they've taken over these fifty odds this way to make

783
00:51:57,280 --> 00:52:03,559
you know, the the authorities aware that this capability exists,

784
00:52:03,880 --> 00:52:06,360
because it does no good to hold you know, when

785
00:52:06,400 --> 00:52:08,760
when the when the Navy parks, uh, you know, off

786
00:52:08,800 --> 00:52:11,239
the shore of some other nation and says, you know,

787
00:52:11,519 --> 00:52:15,360
let's think twice about this. The the the sort of

788
00:52:15,400 --> 00:52:19,199
the response capability, the capability of the navy is clear Okay,

789
00:52:19,239 --> 00:52:22,920
these ships are sitting there. If nobody knows that the

790
00:52:23,000 --> 00:52:27,559
Chinese have the ability to cause you know, widespread physical consequences.

791
00:52:27,800 --> 00:52:30,639
You know, is it credible that the Chinese leaked Volt Typhoon,

792
00:52:30,760 --> 00:52:34,199
you know, deliberately or or or you know, really accidentally.

793
00:52:34,239 --> 00:52:37,599
But weren't that dismayed by it? Because they have these

794
00:52:37,639 --> 00:52:40,519
other capabilities and it does you know, those other capabilities

795
00:52:40,639 --> 00:52:43,000
do no good as a threat if nobody knows to exist.

796
00:52:44,000 --> 00:52:48,320
Speaker 1: So that's a great question. Volt Typhoon, in my mind,

797
00:52:48,400 --> 00:52:52,480
is an example of or I would say, it's an

798
00:52:52,559 --> 00:52:58,760
exposition of an extended campaign, right as as you're well aware,

799
00:52:58,760 --> 00:53:02,360
as you mentioned your question, it uses living off the

800
00:53:02,440 --> 00:53:08,920
land techniques very difficult to detect, and in fact, in

801
00:53:09,000 --> 00:53:14,199
the in the infection details that I reviewed, or the

802
00:53:14,320 --> 00:53:18,360
excuse me, in the instances of Volt Typhoon attacks that

803
00:53:18,400 --> 00:53:21,840
I reviewed, quite often they say we have no idea

804
00:53:22,679 --> 00:53:28,599
how they landed. And so that to me reeks of

805
00:53:28,719 --> 00:53:34,719
an extended campaign of holding assets at risk, because once

806
00:53:34,800 --> 00:53:37,599
you have them, number one, remove all traces of how

807
00:53:37,639 --> 00:53:40,760
you got there. To use living off the land techniques

808
00:53:41,239 --> 00:53:46,360
to maintain that access, and like I said, occasionally you

809
00:53:46,559 --> 00:53:49,159
phone home and I say phone home, it's probably to

810
00:53:49,199 --> 00:53:52,800
some other listening post, so that you know you have access.

811
00:53:53,760 --> 00:53:57,800
But if you've done that and you sit back and say, haha,

812
00:53:57,800 --> 00:54:02,239
we have all these infrastructure operations that we hold

813
00:54:02,239 --> 00:54:07,639
at risk. Do you need to actually create cause sabotage

814
00:54:07,719 --> 00:54:13,199
or create mayhem to be able to have an have

815
00:54:13,280 --> 00:54:17,280
an effect? The answers no, but it might be worth

816
00:54:19,360 --> 00:54:26,199
letting them know you have a certain amount of assets

817
00:54:26,199 --> 00:54:31,480
held at risk. Now, if you're smart, and I believe

818
00:54:32,719 --> 00:54:37,880
our nation state level adversaries are very smart, you're not

819
00:54:38,039 --> 00:54:42,079
going to, let's say, manage and care for all of

820
00:54:42,119 --> 00:54:45,559
the places you hold at risk with the exact same infrastructure, right,

821
00:54:45,639 --> 00:54:49,440
You're going to spread it around the technique by which

822
00:54:49,440 --> 00:54:52,480
you by which you connect with them and contact them,

823
00:54:52,920 --> 00:54:55,559
do any of your you know, your your maintenance of

824
00:54:55,599 --> 00:54:59,880
that connection. If you do collect information, you'll use different

825
00:55:00,400 --> 00:55:05,760
infrastructure to get that back that information back to you,

826
00:55:06,360 --> 00:55:09,039
So you don't necessarily have to burn the entire the

827
00:55:09,199 --> 00:55:15,840
entirety of your targets held at risk, but you absolutely

828
00:55:16,960 --> 00:55:23,360
could take a portion leak sufficient information or maybe it

829
00:55:23,400 --> 00:55:26,519
was found because of just you know, great sleuths looking

830
00:55:26,519 --> 00:55:29,079
carefully at crash dumps. But the point is, at some point,

831
00:55:31,360 --> 00:55:38,079
when your target knows they've been owned significantly, you might

832
00:55:38,119 --> 00:55:43,320
have leverage to, let's say, accomplish some diplomatic objective or

833
00:55:43,360 --> 00:55:48,280
some other political objective short of military conflict or things

834
00:55:48,280 --> 00:55:51,960
of that nature. That might be very helpful. And let's

835
00:55:51,960 --> 00:55:57,480
say talks that are upcoming about you know, trade, or

836
00:55:58,000 --> 00:56:07,840
about conditions in adjacent territories or other other nations that

837
00:56:08,000 --> 00:56:12,760
you know that are that are allies to one of

838
00:56:12,760 --> 00:56:15,480
the countries in question, and and and not to the other.

839
00:56:15,519 --> 00:56:18,159
I mean, there's a lot of ways that that could

840
00:56:18,159 --> 00:56:24,039
be useful. And and again it causes a response. You see,

841
00:56:24,719 --> 00:56:30,480
how willing is the target to negotiate as a result

842
00:56:30,480 --> 00:56:34,760
of recognizing you hold some of their key infrastructure at risk.

843
00:56:35,280 --> 00:56:39,000
So I think that also would explain in my mind

844
00:56:39,119 --> 00:56:47,440
why the government has been so united and adamant that

845
00:56:47,480 --> 00:56:52,360
we do what is necessary to root out and you know,

846
00:56:52,360 --> 00:56:57,920
to identify and cleanse Volt Typhoon from our systems. It's

847
00:56:57,960 --> 00:57:02,719
a it's in me, it's it's a compelling conjecture. And

848
00:57:02,760 --> 00:57:05,400
again this is all conjecture. Not neither one of us

849
00:57:05,480 --> 00:57:08,199
is talking from a position of some greater knowledge of

850
00:57:08,239 --> 00:57:11,840
exactly what's happening or what happened with Volt Typhoon, but

851
00:57:11,920 --> 00:57:17,079
it certainly makes sense to me that you would possibly

852
00:57:17,119 --> 00:57:21,719
burn some of your infrastructure to sort of, you know,

853
00:57:21,880 --> 00:57:23,679
or show one of your cards or maybe two of

854
00:57:23,679 --> 00:57:29,320
your cards, to give you leveraging power in whatever is

855
00:57:29,360 --> 00:57:33,119
going on globally or between the between those nations.

856
00:57:32,880 --> 00:57:38,559
Speaker 3: At that time. Well, Joseph, this has been sobering, you know,

857
00:57:38,679 --> 00:57:40,960
thank you for joining us. Before we let you go,

858
00:57:41,360 --> 00:57:43,000
can you sum up for us what are sort of

859
00:57:43,000 --> 00:57:46,199
the key things we should take away from this nation

860
00:57:46,320 --> 00:57:47,960
state threat business.

861
00:57:48,360 --> 00:57:51,360
Speaker 1: I would say the first nugget is, let's keep in

862
00:57:51,440 --> 00:57:56,039
mind that the capabilities of any adversary are not merely

863
00:57:56,079 --> 00:58:00,920
defined by what we read in the news. Events or

864
00:58:00,960 --> 00:58:07,960
activities were essentially caught and then publicized. Computers will do

865
00:58:08,039 --> 00:58:10,199
exactly what we tell them to do. Right, The computers

866
00:58:10,199 --> 00:58:12,920
and digital devices that run our OT systems are not

867
00:58:13,000 --> 00:58:14,880
all that different from the run the ones that are

868
00:58:14,960 --> 00:58:18,960
running our IT systems. And if someone with sufficient access

869
00:58:19,119 --> 00:58:23,320
and authority tells it to do something, it will absolutely

870
00:58:23,400 --> 00:58:26,880
do it. And when those logical actions are tied to

871
00:58:27,639 --> 00:58:34,039
physical systems, are impacting the physical world again the range

872
00:58:34,039 --> 00:58:40,800
of potential effects are limited by our adversaries limitations, excuse me,

873
00:58:40,840 --> 00:58:45,920
They're limited by our adversaries imagination, and further by what

874
00:58:46,039 --> 00:58:50,880
we do to actively defend and protect those systems from maloperation.

875
00:58:54,119 --> 00:58:57,079
The other point that I would say to keep in

876
00:58:57,119 --> 00:59:03,159
mind is that we can't protect everything against everything. We

877
00:59:03,239 --> 00:59:08,800
need to prioritize. But if you consider where OT systems

878
00:59:08,840 --> 00:59:14,480
and OT cybersecurity is, I often feel like for twenty

879
00:59:14,599 --> 00:59:16,559
years or more behind where we are with IT,

880
00:59:18,239 --> 00:59:24,480
and so and yet these are the systems that most

881
00:59:24,559 --> 00:59:27,800
affect our day to day lives, and an impact of

882
00:59:27,840 --> 00:59:31,599
them would be felt much stronger. I always tell people

883
00:59:32,039 --> 00:59:35,000
somebody hacks my computer and gets my online banking password,

884
00:59:35,039 --> 00:59:37,599
it's a bad day for me. But if someone goes

885
00:59:37,639 --> 00:59:42,280
in and hacks a power distribution substation, or if they

886
00:59:42,760 --> 00:59:45,639
hack the water treatment facility, it's a bad day for

887
00:59:45,679 --> 00:59:48,840
a whole lot of people. So there's a certain degree

888
00:59:48,880 --> 00:59:55,639
of scale and again reliance upon our critical infrastructure, and

889
00:59:55,679 --> 01:00:03,119
we should we should give it due diligence, and that

890
01:00:03,159 --> 01:00:10,760
includes resourcing, funding, attention to those systems over and above

891
01:00:11,239 --> 01:00:14,000
some of the other areas that we maybe emphasize. Right

892
01:00:14,039 --> 01:00:23,360
now and then the last nugget is recognizing that these

893
01:00:23,400 --> 01:00:28,679
capabilities are out there. Obviously doesn't hit the easy button,

894
01:00:28,880 --> 01:00:35,920
easy button on solutions, so there's really no excuse to

895
01:00:36,039 --> 01:00:40,239
I would say, basic levels of having basic levels of hygiene.

896
01:00:40,440 --> 01:00:43,960
But in order to achieve that and move on to,

897
01:00:44,960 --> 01:00:49,760
like you said earlier, right, protecting, not defending when they're

898
01:00:49,800 --> 01:00:55,119
already there, but protecting against these capabilities, then we really

899
01:00:55,159 --> 01:00:58,320
need to take a much more active role, and we

900
01:00:58,400 --> 01:01:02,239
need to move the decision from maybe the lower end

901
01:01:02,320 --> 01:01:05,559
of the C suite to the higher end, and certainly

902
01:01:05,559 --> 01:01:10,079
for OT systems. Again, whatever it is, whether you're whether

903
01:01:10,079 --> 01:01:18,159
you're manufacturing something, manufacturing pharmaceuticals, or treating wastewater in a city,

904
01:01:18,920 --> 01:01:23,159
those OT systems control your business and therefore it is

905
01:01:23,199 --> 01:01:26,559
a business risk that takes the attention of not just

906
01:01:27,400 --> 01:01:31,400
a CSO or a CISO, but the CEO, the COO,

907
01:01:32,079 --> 01:01:37,400
the board, even those who recognize that the proper investment

908
01:01:37,440 --> 01:01:40,800
needs to be made to protect these systems that are

909
01:01:40,840 --> 01:01:47,360
core to whatever service or product they provide. I've really

910
01:01:47,480 --> 01:01:50,199
enjoyed getting to be on this podcast, Andrew. This is

911
01:01:50,280 --> 01:01:52,760
an area that's been near and dear to me for

912
01:01:52,880 --> 01:01:55,519
quite some time. Like you, I've spent a lot of

913
01:01:55,559 --> 01:02:01,800
my career focused on cybersecurity and various areas. The last

914
01:02:01,800 --> 01:02:07,440
ten of it's solely focused on OT systems. If you know,

915
01:02:07,639 --> 01:02:09,880
and I work at Deloitte, I have to tell people

916
01:02:10,320 --> 01:02:12,079
when I show up, hey, I'm not here to do

917
01:02:12,119 --> 01:02:15,119
your taxes, because that's what Deloitte is often known for

918
01:02:15,440 --> 01:02:18,840
as a tax and audit company, which it is that for sure,

919
01:02:19,199 --> 01:02:22,079
But we also have for twelve years running the largest

920
01:02:22,079 --> 01:02:25,920
cybersecurity consultancy within the United States.

921
01:02:26,119 --> 01:02:26,559
Speaker 3: And so.

922
01:02:28,280 --> 01:02:31,079
Speaker 1: If anyone wants to learn more about how Deloitte can

923
01:02:31,119 --> 01:02:34,599
assist them in tackling some of these challenges, I urge

924
01:02:34,599 --> 01:02:38,920
you to go to www dot Deloitte dot com and

925
01:02:39,400 --> 01:02:42,760
look at the services there. You can certainly reach out

926
01:02:42,760 --> 01:02:45,280
to me on LinkedIn and I can connect you to

927
01:02:45,960 --> 01:02:49,239
if there's an interest to have a professional discussion. But

928
01:02:49,559 --> 01:02:54,719
in the meantime, Andrew great podcast Again, I really appreciate

929
01:02:54,880 --> 01:02:56,760
you inviting me and allow me to come on here

930
01:02:57,079 --> 01:02:59,119
and talk with you about these subjects. With you, you've

931
01:02:59,119 --> 01:03:01,760
actually encouraged me to think a little bit deeper on

932
01:03:01,840 --> 01:03:03,199
some things too, So I'm excited.

933
01:03:04,760 --> 01:03:07,880
Speaker 3: I'm delighted to hear it. Thank you so much. You know,

934
01:03:08,079 --> 01:03:11,599
the podcast would be nowhere without guests like you, experts

935
01:03:11,599 --> 01:03:16,440
coming in and sharing. You know, I call it a

936
01:03:16,440 --> 01:03:18,400
piece of the elephant, show us a face of the elephant.

937
01:03:18,440 --> 01:03:21,400
And you know, the Nation State face is something a

938
01:03:21,440 --> 01:03:25,239
lot of people, like I said, bandy about, but you know,

939
01:03:25,320 --> 01:03:27,320
it's tremendous to be able to dig into it in

940
01:03:27,360 --> 01:03:28,639
some depth. Thank you so much.

941
01:03:32,039 --> 01:03:34,280
Speaker 2: So I know it's just one little sentence and a

942
01:03:34,360 --> 01:03:40,039
much longer answer there. But Joseph mentioned that in his

943
01:03:40,159 --> 01:03:45,360
view IT was like twenty years ahead of OT security,

944
01:03:46,719 --> 01:03:49,840
which struck me as very surprising. In what universe is

945
01:03:49,880 --> 01:03:52,639
it that far ahead? If ahead at all? I mean,

946
01:03:52,679 --> 01:03:56,039
based on the conversations we have here. These are much

947
01:03:56,079 --> 01:04:00,440
more in-depth, technical, forward-thinking conversations than I tend to

948
01:04:00,440 --> 01:04:01,320
have with people in IT.

949
01:04:02,639 --> 01:04:07,239
Speaker 3: I fear that, you know, your perspective on OT security

950
01:04:07,280 --> 01:04:09,480
has has been tainted by one hundred episodes of the

951
01:04:09,800 --> 01:04:14,119
of the podcast here, you know, partly, you know, on

952
01:04:14,159 --> 01:04:17,880
the podcast we interview people who are very active in

953
01:04:18,320 --> 01:04:21,159
OT security, you know, and sort of the examples I

954
01:04:21,199 --> 01:04:23,800
give out of my own experience at Waterfall, we work

955
01:04:23,880 --> 01:04:30,159
with the most cybersecure, you know, industrial operations on the planet.

956
01:04:30,840 --> 01:04:33,599
We're on the on the very high end of industrial cybersecurity,

957
01:04:33,760 --> 01:04:36,599
so you know, you've been sort of seeing that side

958
01:04:36,599 --> 01:04:40,639
of the coin Joseph in my recollection, you know, he

959
01:04:40,679 --> 01:04:44,639
worked at Idaho National Laboratory, working with lots of different

960
01:04:44,719 --> 01:04:47,960
kinds of stakeholders in the in the OT security space,

961
01:04:48,239 --> 01:04:51,840
you know, large and small, advanced and not. At Deloitte,

962
01:04:51,960 --> 01:04:56,480
he's working with presumably a very wide cross section of

963
01:04:56,519 --> 01:04:59,280
the industry, much more so than you know we have

964
01:04:59,400 --> 01:05:01,159
on the show here, much more so than I have

965
01:05:01,280 --> 01:05:05,960
in my practice. You know, the sort of the leading

966
01:05:06,039 --> 01:05:12,599
edge of industrial cybersecurity is very sophisticated. The average is

967
01:05:12,639 --> 01:05:16,440
probably much closer to what he's pointing out saying, No, no,

968
01:05:16,480 --> 01:05:17,960
there's a lot of people out there.

969
01:05:18,199 --> 01:05:18,400
Speaker 1: You know.

970
01:05:18,440 --> 01:05:20,480
Speaker 3: We had an episode I don't know a year ago

971
01:05:20,519 --> 01:05:23,519
talking about starting from Zero, which interviewed a gentleman who

972
01:05:23,519 --> 01:05:26,880
made it sort of his calling to walk into industrial

973
01:05:26,880 --> 01:05:30,679
sites who had done absolutely nothing one after another after another.

974
01:05:30,719 --> 01:05:34,400
So there's a lot of zero out there. What I

975
01:05:34,440 --> 01:05:36,280
took away from the episode, you know, was sort of

976
01:05:36,480 --> 01:05:41,360
two things. One is it was sobering thinking about sort

977
01:05:41,360 --> 01:05:45,320
of bigger picture campaigns I have been focused on sort

978
01:05:45,360 --> 01:05:48,679
of individual breaches, individual sites. What can the small sites do?

979
01:05:49,039 --> 01:05:52,840
I wasn't really thinking about how a multi site campaign

980
01:05:53,199 --> 01:05:58,239
might work and what would be the advantages to a

981
01:05:58,360 --> 01:06:01,480
nation state in carrying out such campaigns. So that's that's

982
01:06:01,480 --> 01:06:05,000
sort of some sobering food for thought. The other thing

983
01:06:05,239 --> 01:06:08,280
I took away again, I'm reminded of the Denmark sector

984
01:06:08,320 --> 01:06:12,880
cert model where the largest utilities, or presumably if you'd rather,

985
01:06:12,960 --> 01:06:16,599
the government, but you know, big fish pay for a

986
01:06:16,639 --> 01:06:19,760
facility that a protects the little fish because it's the

987
01:06:19,840 --> 01:06:23,679
right thing to do, and b provides intelligence to the

988
01:06:23,719 --> 01:06:29,360
big fish about large scale campaigns that might be feeling

989
01:06:29,440 --> 01:06:32,599
their way through the little fish in the course of

990
01:06:32,800 --> 01:06:36,519
you know, eventually targeting the big fish. That you know,

991
01:06:36,639 --> 01:06:40,880
to me, that's that's a nuggative solution here that you know,

992
01:06:41,239 --> 01:06:45,920
maybe we should be as a society considering applying more widely.

993
01:06:46,960 --> 01:06:49,440
Speaker 2: All right, Well, with that, thank you to Joseph Price

994
01:06:49,519 --> 01:06:52,199
for speaking with you, Andrew, and Andrew, as always, thank

995
01:06:52,239 --> 01:06:53,440
you for speaking with me.

996
01:06:53,920 --> 01:06:55,320
Speaker 3: It's always a pleasure, Nate, thank you.

997
01:06:55,960 --> 01:06:59,599
Speaker 2: This has been the Industrial Security Podcast from Waterfall. Thanks

998
01:06:59,639 --> 01:07:01,360
to everyone out there listening.

