Nozomi Networks' Edgard Capdevielle Discusses IoT Security

By Carl Ford May 15, 2025

I had the opportunity to interview Edgard Capdevielle, the CEO of Nozomi Networks regarding security issues. His answers underscore the experience shown in his bio.


Edgard Capdevielle has over a decade of leadership experience in IT, cybersecurity, cloud computing, and data storage. He brings an extensive background in successfully managing and expanding markets for both start-ups and established technology companies to his role as CEO. Previously, he was Vice President of Product Management and Marketing for Imperva, where he led product management of the company’s web and data security products and revamped the PR, AR, and social media strategies. Prior to that, he was a key executive at the storage companies Data Domain and EMC. At Nozomi, he has focused his efforts on developing and expanding the company's role as a global business leader. Edgard has an MBA from the University of California at Berkeley and a Bachelor’s degree in Computer Science and Electrical Engineering from Vanderbilt University.

Carl Ford: Nozomi Networks is known for its security detection, particularly focused on OT. Does this mean that OT traffic is different in its ingress and egress, or do you monitor based on traffic segmentation and/or packet inspection?

Edgard Capdevielle: It can be different or the same, but we monitor in all directions, whether or not packets are in/out, networks are isolated (offshore oil rigs) or segmented (a drug factory), like they should be in certain cases, or whether they are flat networks, like they tend to be in other (IoT) cases. Whether it's power generation and distribution, water production, transportation systems, robots in a factory, or heating, air conditioning and ventilation in a skyscraper, the proprietary nature of the hardware and protocols combined with the network designs can pose challenges and also prevent catastrophes. Some industrial networks are so isolated they are surrounded by guards and wireless jammers, while others are wide open for threat actors to just plug in, invisibly.

For example, if you could bypass the guards at the front gate, get into the locked building, navigate to the correct part of the facility, and open a locked cabinet, you could possibly plug in malicious hardware, such as a laptop, and take over the industrial control assets, such as an industrial controller (PLC), by using the manufacturer’s proprietary engineering workstation software that’s designed for exactly that. In 99% of isolated cases, there’s no authentication or password needed to overwrite the programming of the device. It’s just sitting there waiting for someone to push new code. In some cases of PLCs, there’s a special physical key that can turn a switch from ‘Run’ to ‘Program’ to prevent some threats. In most of those cases, the key is located within eyesight of the PLC. OT/ICS infrastructure was typically designed with isolation and hardened perimeters, but a high degree of efficient usability within the boundaries.

When designing these types of systems, human safety supersedes all else. Making it more difficult or impossible to interact with the devices (by adding good security) makes industrial process management more difficult, which comes at a cost. As an example, imagine an operator having to use 2-factor authentication before hitting the emergency stop button to save the city.

OT is similar to IT, but the approach to solving problems is different.
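The answer above describes a PLC accepting a new program with no authentication, with a physical Run/Program key switch as the only guard. One defensive control a monitoring team can layer on top is to alert whenever programming activity is seen from a host that is not an approved engineering workstation, or outside a planned maintenance window. The script below is an added example and not code from the interview or from Nozomi Networks; the event format, host addresses, asset names and the maintenance window are all constructed for illustration.

```python
"""Added example: flag PLC programming activity that does not come from an
approved engineering workstation or that happens outside a maintenance
window.  All hosts, asset names and log lines are constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Iterable

# Constructed allow-list: which engineering workstations (EWS) may push
# logic to which PLC.  In practice this comes from the asset inventory.
APPROVED_EWS = {
    "plc-line1": {"10.10.5.20"},
    "plc-line2": {"10.10.5.20", "10.10.5.21"},
}

# Constructed maintenance window (local time) in which programming is expected.
MAINTENANCE_WINDOW = (time(1, 0), time(4, 0))

# Constructed sample of normalised OT monitor events:
# <timestamp> <source ip> <target asset> <operation>
SAMPLE_EVENTS = [
    "2025-05-10T02:15:00 10.10.5.20 plc-line1 PROGRAM_DOWNLOAD",
    "2025-05-10T14:02:11 10.10.5.20 plc-line1 PROGRAM_DOWNLOAD",
    "2025-05-10T14:05:43 10.10.9.77 plc-line2 MODE_CHANGE RUN->PROGRAM",
    "2025-05-10T14:06:01 10.10.9.77 plc-line2 PROGRAM_DOWNLOAD",
    "2025-05-10T15:00:00 10.10.5.21 plc-line2 READ_STATUS",
]


@dataclass
class Alert:
    ts: datetime
    src: str
    asset: str
    op: str
    reason: str


def parse_event(line: str):
    """Split one constructed event line into its fields."""
    ts, src, asset, *rest = line.split()
    return datetime.fromisoformat(ts), src, asset, " ".join(rest)


def in_window(ts: datetime, window=MAINTENANCE_WINDOW) -> bool:
    start, end = window
    return start <= ts.time() <= end


def detect(lines: Iterable[str]) -> list:
    """Return an Alert for every programming-related event that is either
    from an unapproved source or outside the maintenance window."""
    alerts = []
    for line in lines:
        ts, src, asset, op = parse_event(line)
        # Reads and status polls are normal; only programming matters here.
        if not (op.startswith("PROGRAM_DOWNLOAD") or op.startswith("MODE_CHANGE")):
            continue
        reasons = []
        if src not in APPROVED_EWS.get(asset, set()):
            reasons.append("source is not an approved engineering workstation")
        if not in_window(ts):
            reasons.append("outside maintenance window")
        if reasons:
            alerts.append(Alert(ts, src, asset, op, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.ts.isoformat()} {a.src} -> {a.asset} {a.op}: {a.reason}")
```

On the constructed sample this raises three alerts: one approved workstation programming a PLC in the middle of the day, and two events from an unknown host that both switched a PLC into Program mode and pushed logic. The design point is that, because the PLC itself cannot enforce who may program it, the network monitor has to carry the policy (approved sources, expected windows) that the device lacks.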

CF: Your report makes it clear that cyber threats are on the rise and you mention nation states attacking. Are these attacks aimed at industrial espionage, stealing information to gain competitive advantage, or as a weapon for future conflicts?

EC: Only a few industrial sectors tend to be targeted by nation-state espionage, and they are usually centered around the Defense Industrial Base due to the sensitive nature of the intellectual property they have access to, like top secret space sciences, munitions details, or design weaknesses within battle tanks. But a municipal water facility, a regional power grid operator, or a city port would have very little intelligence located on their industrial control systems. A crane or giant steel press doesn’t need a credit card, my personal information, or any sensitive data to operate safely. Nation-state attackers infiltrating civilian critical infrastructure where no espionage-relevant data resides leave their motives ‘open to interpretation’.

CF: I am constantly amazed at the lack of regard for privacy by people. That makes me think that employee security breaches are far more frequent than IoT. Am I wrong, and if so why?

EC: In any large organization, the security operations center (SOC) is always in the midst of an incident, ranging from lost/stolen laptops, password breaches, attacks on websites, ransomware in the factory, odd network outages, and unexplained glitches anywhere at all, to compliance with regulations, best practices, standards, etc. Large, global enterprises are in a constant state of recovery; there’s always a breach, leak, active threat… open incident. In our space of OT, some incidents can be traced to human negligence but, in most cases, it’s either compromised or malicious insiders or external threats that have the highest impact or pose the biggest risk to OT, particularly critical infrastructure.

CF: Around the world, it seems that little regard is paid to where hardware comes from. Should there be a list of vulnerable equipment manufacturers?

EC: Indeed. In our product, we currently track countries that are banned from commerce and, within the asset inventory we develop, we have a preset list, but that can be added to or changed depending on the customer. It’s important to start tracking not only the source of the product, but its lifecycle, maintenance, and support status; whether it has vulnerabilities; whether they’ve been exploited in the wild, or on this exact device; whether it is reachable; etc. These are among the risk management capabilities we deliver to our customers.
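The answer above lists the attributes a risk-managed asset inventory should track: vendor origin against a banned-country list, lifecycle and support status, known vulnerabilities, whether those have been exploited in the wild or on this exact device, and whether the device is reachable. The script below is an added example of turning those attributes into a ranking, not Nozomi Networks' code or scoring model; the weights, the banned-country placeholder, the vulnerability identifiers and the sample assets are all constructed.

```python
"""Added example: rank OT assets by a simple risk score built from the
attributes discussed in the interview.  Weights and sample data are
constructed; the country code and vulnerability ids are placeholders."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Placeholder entry; a real deployment would load the customer's own list.
BANNED_COUNTRIES = {"XX"}


@dataclass
class Vuln:
    vuln_id: str                      # placeholder id, not a real CVE
    exploited_in_wild: bool
    exploited_on_this_device: bool = False


@dataclass
class Asset:
    name: str
    vendor_country: str
    end_of_support: bool              # lifecycle / support status
    reachable_from_it: bool           # can IT-side hosts talk to it at all?
    vulns: List[Vuln] = field(default_factory=list)


def risk_score(asset: Asset) -> Tuple[int, List[str]]:
    """Return (score, reasons).  Constructed weights: exploitation evidence on
    the device itself dominates, and reachability doubles whatever is there,
    since an unreachable device gives an attacker nothing to act on."""
    score, reasons = 0, []
    if asset.vendor_country in BANNED_COUNTRIES:
        score += 2
        reasons.append("vendor country on banned list")
    if asset.end_of_support:
        score += 3
        reasons.append("end of vendor support, no patches expected")
    for v in asset.vulns:
        if v.exploited_on_this_device:
            score += 10
            reasons.append(f"{v.vuln_id} exploited on this device")
        elif v.exploited_in_wild:
            score += 5
            reasons.append(f"{v.vuln_id} exploited in the wild")
        else:
            score += 1
            reasons.append(f"{v.vuln_id} known, no exploitation seen")
    if asset.reachable_from_it:
        score *= 2
        reasons.append("reachable from IT network (risk doubled)")
    return score, reasons


def prioritise(assets: List[Asset]) -> List[Tuple[str, int]]:
    """Highest-risk assets first, as (name, score) pairs."""
    scored = [(a.name, risk_score(a)[0]) for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample inventory.
SAMPLE_ASSETS = [
    Asset("hmi-01", "US", end_of_support=True, reachable_from_it=True,
          vulns=[Vuln("VULN-0001", exploited_in_wild=True)]),
    Asset("plc-line1", "XX", end_of_support=False, reachable_from_it=False,
          vulns=[Vuln("VULN-0002", exploited_in_wild=False)]),
    Asset("rtu-substation", "US", end_of_support=False, reachable_from_it=True,
          vulns=[Vuln("VULN-0003", exploited_in_wild=True,
                      exploited_on_this_device=True)]),
    Asset("switch-core", "US", end_of_support=True, reachable_from_it=True),
]

if __name__ == "__main__":
    for name, score in prioritise(SAMPLE_ASSETS):
        print(f"{score:3d}  {name}")
```

On the constructed inventory the RTU with exploitation evidence on the device itself ranks first, ahead of an end-of-support HMI with a vulnerability exploited elsewhere, while the isolated PLC from a banned-country vendor lands last because nothing can reach it. That ordering is the point of the interview's remark: origin alone is a weak signal compared with support status, exploitation evidence and reachability taken together.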

CF: I worry about our critical infrastructure, like reservoirs and the electric grid. Are some verticals targets more than others? Who is the most likely to be attacked?

EC: Different threat actors target different sectors, depending on their goals. Ransomware operators will tend to go for the low-hanging fruit: easy-to-penetrate systems that can pay a ransom. The less money they have to spend on obtaining access, maintaining control, and extracting ransom, the more profit is left for them. Water and wastewater facilities tend to be caught in the middle between budgets that may be controlled by the public and threat actors looking for easy targets. The nation's power grid system was partially designed from the beginning to account for certain risks and threats. However, cyber is a new frontier to consider when it comes to water and wastewater management. In many cases, taxpayers have not kept up with threats by allocating sufficient budget and manpower to enhance their cyber resiliency. That makes the water and wastewater sector particularly vulnerable to attack from ransomware operators.

What’s become more worrying is the recent intrusions into civilian infrastructure by nation-state actors, such as the Chinese Volt Typhoon, where the only motivator is crippling our infrastructure, not espionage or ransom. On the bright side, there is a lot of news, movies, webcasts, education, certifications, Netflix series, books, and other types of publications discussing this risk that weren’t present a decade or two ago. An entire new generation of defenders and engineers is becoming interested in ICS cybersecurity because they understand the stakes are larger than just protecting corporate websites or personal laptops.

CF: I want to thank Edgard and his staff for their time and insightful answers.
Edited by Erik Linask