Vulnerability Management: ICS Pulse Podcast, Thomas Pace, Netrise Inc.

Courtesy: Brett Sayles

For those who are managing them properly, vulnerabilities can come in faster than a flood. It’s essential to have comprehensive insight into the risks present in your industrial environment so you can understand which of them need to be remediated quickly and which can wait. The Industrial Cybersecurity Pulse Podcast recently sat down with Thomas Pace, CEO and co-founder at Netrise Inc., to discuss his background, what the U.S. government does well versus private industry and managing vulnerabilities intelligently.

Listen to the full podcast here. The following was edited for clarity.

ICS Pulse: Let’s talk a little bit about your background and how you got to where you are. I know you have a military background. A lot of the people we talk to seem to have military backgrounds. Is that a common breeding ground for cybersecurity practitioners?

Tom Pace: I don’t know. It seems to be that way now. But my military background, I think it’s pretty reasonable for me to say, is not the most common military background to end up in cybersecurity. I dropped out of college in 2004. I mean, I was a computer science major. It’s always what I wanted to do, but I dropped out and enlisted in the Marine Corps infantry. I don’t know how many former enlisted Marine Corps infantrymen are running cybersecurity companies, but I’d love to meet them if there are. I was actually a double major when I went to undergrad the first time, before I went back and finished. There was no cybersecurity program, so I double majored in computer science and criminology. That was the closest I could get.

Then, when I got out in 2008, which was only four years later obviously, everything had changed. I started school at the University of Pittsburgh in 2009. It was an NSA Center of Excellence. They had this whole cybersecurity program. It was awesome. So I think that things have changed, and then you had U.S. Cyber Command come to be in 2010, which obviously gave a military occupational specialty for cyber people. My co-founder, in fact, was in Cyber Command in the Marine Corps, as well. I think there’s a much higher probability of a lot of military people ending up in cybersecurity these days. I took an uncommon path, but the only thing that seems to be common about cybersecurity paths is that they are uncommon.

ICSP: That does seem to be the case. What was it that made you want to go into this profession?

Pace: I consider myself very lucky that I just always knew what I wanted to do. When I got my first computer — maybe seventh or eighth grade, so that was ’97, ’98, something like that — I started doing things that you’re not supposed to do on computers. Figuring out that, “Oh, I can access this thing that I’m pretty sure I’m not supposed to be able to access,” was just a really fascinating thing for me. I just fell in love with that dynamic. I was always very interested in solving crime and detective stuff. It was really just applying that same curiosity to the cyber realm. I’ve never been an offensive guy. I’ve always been on the defensive side, like incident response and things like that.

ICSP: Looking at your background, you’ve worked for the police in criminal cybersecurity, you’ve worked for the Department of Energy, you’ve been in the private sector, you’ve been in the government. You’ve been on all sides of this. What does the government do well that private industry doesn’t and vice versa?

Pace: That’s a great question. When I was at the Department of Energy, that was the best place I’ve worked, in my opinion, from what our capabilities were and our ability to implement and operate things in a super effective manner. I worked at a facility known as the Strategic Petroleum Reserve, and we just had a big stick that we could hit people with. When it came to end-of-life operating systems and just doing things the right way, we were able to really fall back on NIST frameworks and a number of other things. It just let us say, like, “This is what it says we need to do, and we need to do this to maintain our authority to operate.”

I worked for a big bank for a while, and the model is just totally inverted. Making money is that organization’s No. 1 goal. The Department of Energy doesn’t make money. That’s not their goal. Their goal is to generate energy, protect energy, capacity and generation and all these other things. However, where the private sector does do some interesting things is, their goal is to make money, so they will spend an inordinate amount of money to protect their ability to make money. It’s just a different incentive structure, more than a different capability structure.

ICSP: One of the things we track at ICSP is vulnerabilities. Is there a certain place people should look for vulnerabilities? Is there a one go-to place or multiple places we should be looking?

Pace: Obviously, you have the national vulnerability databases. And I say databases, because even in the U.S., there are at least two: one from MITRE, one from NIST. I think that’s right. Might even be three. But then you also have national vulnerability databases in China, in Russia, in Korea, in Europe. None of them are the same. The reason I mentioned all of that is, the way we have approached this problem is by aggregating all of those different vulnerability databases and repositories. There’s a misconception that all of the vulnerabilities that are in existence are documented in these databases, which is 100% not true. It’s pretty well established at this point that a whole lot of software vendors, device manufacturers, whoever, know about a lot of vulnerabilities that they do not publish, and they patch them silently.

I think there are pros and cons to that, frankly. I’m not saying these companies are terrible people for doing that. I don’t think that’s true. There are good reasons to do that, and probably some self-serving reasons to do that at the same time. I don’t know that there is a singular source for vulnerability information that really makes a lot of sense. To me, it has to be aggregated. If you have to pick a starting point — if you only get one — I guess I would pick the U.S. National Vulnerability Database, but there are just too many issues with any of them to say that is the source of truth, because it just isn’t.

ICSP: It can also be tricky. A company may know about a vulnerability for years before it actually gets published anywhere. That thing may be sitting there and be exploitable for a long time before everybody knows that it’s there.

Pace: That’s exactly right. I think it was the Siemens vulnerability that came out recently for the S7 devices that they have. It was, like, “Hey, there’s this vulnerability in these devices,” and Siemens is like, “Yep. Not fixing it.” When people get up in arms about all of that, I just say, listen, guys, this is a private enterprise. Everybody has decisions to make in life. Also, it’s a PLC (programmable logic controller). If you have the ability to compromise that device from that vulnerability, that’s probably not the thing you would do. You would probably do something else, quite frankly.

People try to view things in a vacuum a lot of times, and context is just hyper-required as it comes to specific instances and things. Yes, you’re 100% right. There are numerous cases where vulnerabilities are responsibly disclosed to whomever, and it takes quite some time for those to be released. Once again, I think there could be some very, very good reasons for that, especially when you’re talking about a safety-critical system, where significant regression testing is required. Whereas if you’re talking about something that’s in a very common component in an operating system, waiting two years probably is not a good thing.