Every year, a new cybersecurity trend grips the industry, whether that’s MITRE ATT&CK, SBOMs or ransomware. At the 2023 RSA Conference, one of the hot topics was ChatGPT. Artificial intelligence (AI) and machine learning (ML) tools will unquestionably have a major impact on cybersecurity, from both an offensive and defensive standpoint, but how worried do we really need to be? And will ChatGPT really have an impact on industrial systems?
ICS Pulse recently talked to Lesley Carhart, director of industrial control system security incident response at Dragos, about how they got into industrial cybersecurity, why concerns about ChatGPT might be overblown and how cybersecurity needs to be more inclusive.
The following has been edited for clarity.
ICS Pulse: You have one of those wonderful cybersecurity backgrounds that is really eclectic. So let’s start with your military background and how you found your way into industrial cybersecurity.
Lesley Carhart: I have such a prototypical background in cybersecurity that sometimes I don’t like talking about it because most people don’t do the goofy, hackery things that I did to get into cybersecurity, but you see it in every movie. I started out as a kid. I grew up on a farm in Illinois, and there were two things to do. There was farm or learn how to use the computer we used for inventory. So me being slightly allergic to the sun, I learned how to use the 286 at the time and learned how to program when I was 7 or 8. I got hired for my first programming job when I was 15 years old because it was a different era during the dot-com boom, and you could do something like that. I was kind of involved in that hackery space even as a kid. But, of course, the bubble burst, and I had to get back to reality.
And so me being a very spontaneous decision maker, I decided I’d go join the military because that sounded exciting. I enlisted, and they asked me what job I wanted to do. I wanted something with computers, and they were very confused at the time. This was early on, long before cyber was a thing in the military. So they were like, “Well, do you want to fix airplane computers?” And I was like, “Yeah, sure, that sounds fun. Let’s do that.” So they sent me to nine months of school to learn how to solder circuit boards and control systems for broken airplane parts. I actually stayed in the military and then into the reserves for 21 years. I retired last year.
ICSP: What was the biggest thing you took apart in your parents’ house that made them the angriest? Because we just talked, full disclosure, before the podcast. I asked if you were one of those kids that took everything in your home apart, and the answer was yes.
Carhart: I don’t know if my dad is going to listen to this, so I don’t know if I’ve admitted to everything yet that I took apart that I put back together. But I do know at one point, I was learning how to connect to remote computer systems via modem, and he got so frustrated with me using the modem at all hours and using up the phone line that he installed a switch on the ceiling that was just too high for me to reach as a kid so he could flip off the phone line. So I’d be using the modem to connect to stuff, and he’d just walk into the basement. He was a lot taller than me, so he’d reach up there and he’d flip the switch, and he’d kill the line to the modem. I do recall that not so fondly. It was a constant war between us.
ICSP: Let’s talk a little bit about RSA since we’re here at the RSA conference. What have you been seeing here? What kind of trends, and has there been anything that has surprised you about the conference and about the conversations that are going on so far?
Carhart: This year, it’s been interesting to see some of the things that were really trendy last year kind of go away, and then there’s new trends. The objectives of these businesses, you do have to keep in mind as an attendee that they’re always trying to sell their products. They’re going to shape the narrative of whatever’s going on in the world and whatever’s the hot topic in cybersecurity around whatever it is that they sell. What I find intriguing just from an intellectual perspective is how do they sell their data diode or their SIEM or their XDR around what’s going on in the world this month? They always have to shape their story around how it’s going to solve the problem du jour, so that’s been interesting this year. I mean, of course, there’s a lot of talk about ransomware. There’s also a lot more talk about SBOM (software bill of materials), which is really interesting, which is a real legitimate thing. That’s a real interesting problem to tackle. A lot of discussion about supply chain, of course.
As you walk around the floor in RSA, if you watch it all with a skeptical eye, what you’re doing is you’re walking around to see how people are taking these popular narratives. For a couple of years, it was MITRE ATT&CK, which is also a really important thing. But that was the flavor of the year, and everybody was shaping their product around MITRE ATT&CK. Then this year, they’re all shaping it around SBOM and around supply chain compromise — so real problems. It’s just interesting to see which one people have picked to talk about that year.
ICSP: It was interesting for me yesterday going to the keynotes just to see how many people were talking about ChatGPT. It makes sense that it’s happening, but obviously that’s a story. When we were registering for sessions to go to, every one of the GPT sessions was full. So I guess that is going to be one of the big stories animating the future.
Carhart: I am doing my best to try to tune it out as best as I can. See, you go into industrial cybersecurity because you want to go back in the time machine. You just don’t want to go into the future because there are things like ChatGPT there. So you want to go back to like 2002 and work with Windows NT some more, and things are OK.
No, we all have to deal with things like machine learning and ChatGPT. We have to be cognizant of them as security professionals. There are real implications of ChatGPT in all kinds of different defensive and offensive cybersecurity practices as well as cyber crime, absolutely. We have to be aware of how it can be misused and how it can be used as a tool. Are a lot of them overblown? I certainly personally think that a lot of the speculation about the wonders of ChatGPT is somewhat overblown, but it’s a tool like everything else, so we have to be aware of it existing in the toolkit.
ICSP: This is more of a personal question for you than about RSA, but I know you do a lot of teaching. Why has that become such a big part of what you do outside of Dragos?
Carhart: I enjoy teaching, selfishly. I think it’s a lot of fun to reach people and impart information on them, but also because when I was a kid and I wanted to get into cybersecurity, nobody helped me. It was extremely male dominated at the time. It was extremely exclusionary. There was a lot of gatekeeping in the ’90s. If you didn’t look a certain way, if you weren’t from a certain background, if you didn’t know the right people, you just could not break into the field unless you were just very, very lucky.
I had to go it alone for the most part in the beginning of my career, and I don’t want other people to have to do that. That’s ridiculous. It’s stupid. We need a lot of people. So, of course, I’m trying to do a lot of mentorship, and I’m trying to do a lot of outreach and teaching and things so that other people don’t have to do that because, gosh darn it, we really need the people.
ICSP: At this point, why would you want to do that gatekeeping? Everybody’s talking about the cybersecurity skills shortage. We sort of need anybody who is competent and wants to be in the field. It should be a pretty open door.
Carhart: It should be, but you still see it. I think some of that is just human nature. People see people like them more as human than people who look different or practice a different religion or come from a different background. They see them as the other. That happens in all kinds of fields, but we see that in cybersecurity, too. If you’re not the prototypical nerd, if you don’t quote “Star Wars” or “Star Trek” by heart, if you don’t look a certain way, if you aren’t from a certain background, people are going to be suspicious of your ability to do cybersecurity well in some cases, and we really have to fight that as an industry. We have to put people in less of a box to take advantage of these wonderful people who could be incredible cybersecurity professionals.