Managing vulnerabilities and weaponizing OT: ICS Pulse Podcast, Eric Byres, aDolus Technology

S4 2023 in Miami
Courtesy: CFE Media and Technology

In February 2023, Industrial Cybersecurity Pulse traveled to the S4 show in Miami to learn about the major trends in our field. While there, we sat down with Eric Byres, CTO and board member of aDolus Technology, to discuss the show’s themes, managing vulnerabilities and the difference between cyber criminals and nation-state actors. Listen to the full podcast here.

The following was edited for clarity.

ICS Pulse: So what have you seen at S4 so far? It seems like it’s been a busy show. You guys are in the software bill of materials (SBOM) room.

Eric Byres: I’m sure it’s no surprise to anybody who’s here, but this show has really exploded. I remember 17 years ago coming to it, and it was 40 people in a tiny room. Now, we’ve got a show that’s sold out. It’s packed. It’s probably well over 1,000 people. So what’s interesting about that is that the whole market has grown up. It’s no longer having to convince people there’s an issue. The talks are much less about fear, doubt and uncertainty, and trying to get interest, and much more about, “Here’s how you deal with stuff. Here’s the technology. Here’s the capabilities.”

So there have been really good talks on the use of, say, machine learning for all sorts of different topics including software bill of materials and supply chain. But just the show is much more focused now on solutions and processes to make things work and to get security into industrial control systems.

ICSP: What are some of the trends you’ve seen people talking about? What are some of the big recurring themes that keep coming up?

Byres: Certainly machine learning, AI (artificial intelligence), trying to take [care of] some of the workload problems. Over the last 20 years, we’ve used people to do some pretty mundane tasks that are a really, really poor use of human resources. So we’re starting to see more and more, everybody is talking about AI.

Of course, ChatGPT has really caught the world with enhanced machine learning. That particular program really illustrates what can be done in an automated fashion, in a very efficient fashion. And that’s what I’m seeing here. One of the things is that use of enhanced machine learning. It’s something we use all over the place. For example, there are 900 vulnerabilities a day coming in or new — what we call CVEs. Who’s going to dig through 900 vulnerabilities and see if one of them is their problem? Every single day? No way. If some poor guy has to do that, I feel sorry for him. So that’s one of the things we see.

Then, the second thing — of course, I am biased — but the whole interest and understanding that we’ve got to deal with the software supply chain is really taking off. Two years ago, it was people like myself and Alan Friedman just saying, “Hey, this is a problem.” Now, there’s a whole section dedicated to dealing with the threat to our software supply chain. So those are the two things that I’m seeing that really have changed.

ICSP: Let’s talk about managing vulnerabilities first. Especially in the operational technology (OT) space, I remember talking to you a year ago, and you used the phrase “an avalanche of vulnerabilities.” That has always stuck with me. But likely only a few of those vulnerabilities have been proven to impact OT. Or, if you take a risk-based approach, only a few of those are going to actually impact your systems. How much can AI and machine learning help with managing vulnerabilities so you aren’t chasing your tail and trying to find all of those 900 vulnerabilities that are coming up every day?

Byres: I think that’s absolutely critical that we make that an automated process because you’re absolutely right. We see hundreds of new vulnerabilities coming in, and we are constantly optimizing that so that we can say, “This is the vulnerability we care about, and you can ignore the rest.” We’re starting to see some really good standards coming out to be able to report that to people. It really shouldn’t be the end user having to worry about what’s exploitable and what isn’t. It really should be the security analysts and, ideally, the companies producing the software for them to be able to say, “Hey, you know that problem in, say, OpenSSL? It affects these products. It doesn’t affect these products even though the actual software is everywhere.”

What’s really good news, and particularly through CISA and also the German government, [is that they’re] really promoting standards like VEX, Vulnerability Exploitability eXchange. Here’s a fast, easy way for a company that provides software to communicate to its customers and share that information so they can say, “That’s exploitable.” Then, there’s a second part of that: Who’s actually exploiting it? When you have an exploitable vulnerability that some foreign nation-state is actually having a campaign to use, well, now that’s on the top of your list.

It’s really that triage system. Go from, “There’s a component that’s got a vulnerability; it’s buried deep in your software,” to, “There’s a component that has a vulnerability that’s exploitable,” to, “There’s a nation-state that is exploiting that exploitable vulnerability buried in your software.” It’s that last one, and you need to be able to triage that. It’s really a filtering problem.

ICSP: You and I have talked about this before, that idea of a nation-state attacker. People are obviously worried about cyber criminals, people who are out for a quick buck. But the nature of a cybercriminal and a nation-state actor is very different and needs to be treated that way.

Byres: The question is, “What is the motivation of the attacker and the resources?” Those are the two things. So cyber criminals, I don’t discount them. I mean, I’m sure the guys at Colonial Pipeline do not like cyber criminals a lot. They can have major impacts, particularly the move over the last two years where they realize that they can monetize large-scale ransomware attacks. That’s a real risk.

But like you said, their interest is finding the low-hanging fruit, the easy victims, and their patience and their capabilities are usually somewhat limited. But their objective is just to get cash. So if you can be either not the easiest target or not particularly a cash-rich target — or a target that is really mission-critical, and if they interrupt you, you’ll cause a lot of trouble — if you can avoid being what we call an attractive target, you’re probably less likely to get impacted.

Nation-states, on the other hand, are much, much more interested in a long-play game. And it is a long-play game. You can’t attack a control system in a sophisticated manner without putting a lot of resources into it. It’s not just a matter of hacking in and throwing a few switches or starting a few motors. So there’s not that much capability, but there is capability. Every year, we’re seeing new actors from new nation-states with that capability. They may focus on a particular industry. They may focus on the grid. They may focus on the water industry. They may focus on natural gas. But they’ll be focused, and they’ll start to understand the processes. Those guys are the really scary guys because they’re there usually not for money. They’re usually there to use it as a weapon, and they’re effectively weaponizing OT.
