If you were to attend a cybersecurity gathering 20 years ago, there were probably only a few people who were even aware of operational technology (OT) systems, much less saw them as a possible attack vector. These days, there are entire conferences dedicated to OT/industrial control system (ICS) cybersecurity, and attackers definitely have these systems in the crosshairs.
In the seventh episode of our Cybersecurity Awareness Month podcast series, we were joined by Eric Byres, CTO of aDolus Technology and leading authority on software supply chain security. He talked about the improvement in regulatory frameworks, how Stuxnet changed the game and why OT/ICS systems have become a juicy target for attackers. Listen to the full podcast here.
The following has been edited for clarity.
Gary Cohen: Every October, we highlight some key behaviors — what should be basic cybersecurity functions — like multifactor authentication, strong passwords, recognizing phishing. What do you think people should be focusing on this month?
Eric Byres: Overall, I think those are pretty good things to start focusing on. Hopefully, all of our people in the ICS space have already done two-factor authentication, password management. If they haven’t, they should probably just get off, stop watching this podcast, and go do it.
If you don’t have two-factor authentication and password management and you’re still expecting your staff to remember passwords, you are just asking for trouble. So those basic things, and I think that’s really key because password management, two-factor authentication, tools like that — even better, single sign-on systems — are taking the human element out of the risk and out of the security risk equation. I think that’s really important because no matter how much we can harp at the users to pick strong passwords, it’s not human nature. Human nature is to do something you can remember. For years, we’ve told people to do better, and, quite frankly, it’s not working. We’ve got to use the tools available and make it easy for people to do the right thing.
Tyler Wall: As we’re heading toward 2024, what trends or developments in cybersecurity are you particularly excited about?
Byres: There are a few things I’m very, very excited about. First of all, on sort of the regulatory environment: In previous years, we had a mixture of some pretty good regulations and frameworks coming out, some things that were supportive to the market. We also had some real train wrecks, occasionally. I won’t call out any government agency in particular today, but you know my opinion on a few of those. We’re starting to see much more of a move toward risk-based compliance, risk-based security planning that I think is terrific. For example, in Europe, we’re seeing the Security Resiliency Act coming out. It’s still in draft form, but we’re starting to see a move there. We’re seeing something similar in the U.S. We’re seeing companies start to adopt these. I think that’s really exciting to see this move away from box checking to security by design, security by risk analysis. That’s a good overall trend.
Cohen: You’ve been doing this in the OT/ICS space for a while. Can you share an experience or a case from your career that for you really highlighted the importance of cybersecurity?
Byres: Wow, it’s hard to say where to start there. Certainly, for me, Stuxnet was an eye-opener because it switched the game. I remember it was a sunny August weekend, and I’m sitting on the beach near my home and looking at this — and this is before it got widely announced. Actually, I have to hand it to Joel Langill for pointing it out to me and saying, “Eric, you’ve got to start watching this.” And I’m going, “Uh-oh, there goes all my weekends for the next year.” And it was a pretty good description of what happened because that security incident really drove awareness into the industry that we were not immune to the things that were going on in the IT (information technology) world. Suddenly, we were starting to get invitations to speak to the boards at major oil companies, things like that. It just pushed it up.
Then, we did the same thing a few years ago. It just got pushed up another notch when two incidents occurred. One was the whole SolarWinds incident, which was a supply chain attack, and then the Colonial Pipeline. It’s just made OT security, ICS security, whatever you want to call it, something that became important to the board, important to the senior management. It stopped being sort of a side conversation. As a result, I think that’s really good. I gave some legislative examples and regulatory examples, but I see it in the companies today. There’s just a different attitude. Companies are no longer saying, “Oh, yeah, Joe, the PLC (programmable logic controller) expert looks after all OT security in this company.” No, there’s a program now. So we’re really making some moves forward. Personally, I think probably some of the most interesting cybersecurity events are ones that are more accidental.
One that I remember that really, really struck me was a security event that came about at one of the large chemical companies. It was because the operators decided they wanted to be able to play games on the internet during the night shift on the control system HMIs (human-machine interfaces). So they started changing IP addresses so they could get out onto the internet. Nobody was meaning to be malicious, but the results were really ugly. Often, the way things go bad is because people don’t understand the impact of their decisions. They don’t understand what they’re doing, and that’s due to a lack of training and a lack of awareness.
Wall: In recent years, there have been plenty of cyberattacks. What have we learned from those recent major attacks?
Byres: Well, the first thing we’ve learned is that OT is an interesting target to the bad guys. I think there are way more attacks because, simply, just like the defenders didn’t know, the executive management didn’t know they had an OT system, the bad guys didn’t know there was a juicy OT system to go after. I remember early S4 conferences, or even the early conference that we ran at the British Columbia Institute of Technology back in 2003, two decades ago, and there were only a couple of hundred people in the world that were vaguely interested. We didn’t call it OT security then. We called it SCADA security of all things. And very few people, unless you worked on a plant floor, even knew that SCADA, OT, ICS, whatever you want to call it, actually existed. So the bad guys are aware of us, and they realized it’s a good juicy target.
There’s money to be made, particularly if you’re running a ransomware operation. But also if your job is to steal intellectual property secrets for your nation, or the national companies in your nation, hacking control systems is very lucrative and profitable, and can also achieve some military objectives. So there are more attacks. There’s no question.
Cohen: You mentioned Stuxnet earlier. It’s not that we didn’t know it was possible to have physical consequences from a cyberattack, but I imagine that opened a lot of people’s eyes on boards and in C-level jobs.
Byres: Yeah, it did. It opened eyes. People who made a living on control systems generally knew that there were some issues there, but anybody sort of one level away had no idea that the control system even existed, never mind attack. That was one of the things that I found very quickly after Stuxnet. My first job was to explain to people what control systems were — and it was often the senior executives in the company. Control systems were in such a bubble two decades ago. It was such a little private place. We’re no longer private. Everybody in the world is watching us.
Cohen: What emerging technologies do you see impacting the field of cybersecurity in the near future?
Byres: No question, artificial intelligence is going to impact us, first of all, in a bad way. The bad guys are already realizing that they can use AI to identify their victims and to use them as a form of optimizing their attacks. For example, in the supply chain area, we’ve seen a number of attacks where the bad guys are using something like ChatGPT to fool, basically to trick, developers into making bad decisions. So we’re already seeing AI being used in an evil way. We’ve got to start using AI to get more efficient. We don’t have time to manually do a lot of the things that we used to do.
Response time has to be quick when you’re dealing with a cyberattack or protecting yourself against a new attack. Right now, every day going and looking up hundreds and hundreds of vulnerabilities and trying to figure out if they apply to your plant is something that AI could do quickly. As a security analyst, you should not be doing that. It’s a waste of your time. You should be looking at the results of the AI. So AI is going to have a huge impact over the next few years on optimizing the decision making on defending our systems. I think that’s probably the very first technology I see.
Wall: What is your favorite movie or TV show that has something to do with cybersecurity?
Byres: Wow. It’s not my favorite movie; it’s my most memorable movie that drove me nuts. It was “Independence Day,” and you guys probably remember where the guys were hacking into the alien spaceships. Now, that was a long time ago when there was a lot of incompatibility between control systems. I remember looking at that and saying, “Oh, come off it guys. I can’t get two control systems to work and to talk together. I can’t get that ABB system over there to talk to my Allen-Bradley, never mind an alien system that I don’t have a user’s manual for. Go move 30 years ahead.”
Actually, it’s interesting that hacking control systems actually is something that is possible now, partly because of the way that, in a good way, we’ve made it possible to standardize the way we communicate. It’s no longer little islands of communications, little islands of automation. We’ve actually made some progress, and that’s made automation so much more efficient. But that movie also, when I thought it was absolutely ridiculous 30 years ago, unfortunately, I think probably it might actually be somewhat predictive of what’s happening today.