Podcast

The “Original Cyber-Physical System”: Legacy Devices and Key Trends in OT Cybersecurity

She’s no slacker. Danielle Jablanski has been an “expert” — she hates that word — in nuclear policy analysis (the “original Cyber-Physical System”), energy research, and now Nozomi Networks, where she plays the crucial OT cybersecurity strategist role. 

John Vecchi and Brian Contos pick Danielle’s brain on the ever- and never-changing trends and challenges, digging into the need for consequence-based security and collaboration between security professionals and OT engineers. The discussion also covers the growing concern about the security of IoT devices in OT environments, the importance of centralizing and managing security, addressing the issues surrounding legacy devices, and the evolving landscape of liability and insurance in cybersecurity.

Key Topics Covered:
1. Trends in cybersecurity and the importance of consequence-based security
2. Concerns about the security of IoT devices in OT environments and the role of centralization and management
3. Challenges with legacy devices in ICS and healthcare and the need for building controls and defense-in-depth
4. Evolving conversations about liability and insurance in cybersecurity

After tuning in to this episode, subscribe to the IoT Security Podcast, powered by Phosphorus, to stay informed about the latest trends and insights in IoT security.

Transcript

John Vecchi (00:25):

Well, hello, everybody. You’re listening to the IoT Security Podcast live on Phosphorus Radio. I’m John Vecchi.

Brian Contos (00:31):

And I’m Brian Contos. And we’ve got a really special guest today. Joining us is Danielle Jablanski. Welcome to the show, Danielle.

Danielle Jablanski (00:39):

Hi. I was expecting some moves, you know?

John Vecchi (00:42):

Yeah, with that… It’s kind of British, right? We were moving. We were jamming.

Brian Contos (00:46):

For those of you listening, we like to dance a little bit during that introduction number. It’s snappy. It’s snappy. But it’s mostly-

John Vecchi (00:51):

That’s right.

Brian Contos (00:52):

… below the waist, so people just can’t see what we’re doing. It’s crazy.

John Vecchi (00:54):

They can’t. No, they can’t. But welcome, Danielle. It’s awesome to have you finally. We’ve been trying to get you on here for a little bit, and it’s great to have you.

Danielle Jablanski (01:03):

Thanks, guys. Good to be here.

Brian Contos (01:05):

So Danielle, as we get started, maybe you could give our listeners a bit of background about how you came up in this space and what it is that you do now.

Danielle Jablanski (01:12):

Sure. So I’ll start with the last question first. And I hope not to take too much time, but I’ve had a really interesting roller coaster of a career so far. But at Nozomi Networks, I serve as an OT cybersecurity strategist. What that really means is a lot of horizontal collaboration, a lot of translating. I do SME research and public awareness, but I also do product, partner, and go-to-market strategy as well as government relations. And I lead the ETHOS group, if anyone’s heard of that nonprofit that was started by a number of competitors in this space in conjunction with the OT Cybersecurity Coalition in DC, which is again an awareness group of subject matter experts in the industry.

(01:47):

My background, very multidisciplinary. Early in my career, I worked for a nonprofit doing policy analysis on nuclear weapons development. And I particularly enjoyed looking at cybersecurity implications and impacts to nuclear weapons command and control. I joke with folks that that is the original cyber-physical system. That led me down a policy bent and then back to industrial control systems via the electric sector and energy research before I came to Nozomi. So they actually poached me from a market position where I was a quote, unquote, “expert,” I hate that term, on intrusion detection systems for industrial control systems, which is obviously where this market started 10, 15 years ago.

Brian Contos (02:26):

Mm-hmm. So you could’ve just said slacker. I mean, that’s all you had to say. Yeah.

Danielle Jablanski (02:32):

Yeah. I have a fellowship at the Atlantic Council and I teach at Dallas College.

Brian Contos (02:36):

Oh, wow. Wow.

John Vecchi (02:37):

Wow.

Brian Contos (02:37):

And the list goes on.

Danielle Jablanski (02:38):

Yeah.

Brian Contos (02:38):

Well, awesome. Well, what an incredible background. And every time we have somebody on the show, which isn’t that often with somebody with as broad and deep of a background as you in this space, I like to ask this question. You’ve seen this from all angles now. Public sector, private sector. You’ve been on multiple sides of the equation. What are some of the trends that you’re seeing in terms of where we were and where we are and where you think we’re going as it relates to just cybersecurity in general?

Danielle Jablanski (03:08):

I love talking about trends because in some sense, they haven’t changed in 10 years and in some sense, we see something new every year. There’s a lot of capacity building, a lot of bridges between customers and sales teams, industries and government partnerships, policy wonks and practitioners, network admin experts and these industrial engineering geeks. One I like to pick on is the word visibility. Everyone loves it, but it’s meaningless because it has a different definition to everyone that uses it. People say you can’t protect what you can’t see. You also can’t do any root cause analysis. And a lot of the times, we see misconfigurations, poor firewall rules, right, things that matter more internally, but we use visibility to really think about external threats and vulnerabilities. It all matters, but it’s more than being able to see. You want to cover your assets and devices and network traffic, but you need more than a flashlight, I like to tell people. So that’s one trend.

(03:56):

Another really cool one that I’ve witnessed recently is this reflection on manipulation versus loss of view and control. This is actually old in terms of the literature, but nobody reads books anymore. So I cited it in my research, but it’s coming back. I didn’t create it myself, but it’s coming back. It hearkens back to nuclear weapons. It hearkens back to weapons systems, but it’s also now appeared in the NIST 800-82 guide to OT security that was recently revised. It’s also in the SANS survey this year. And the reason I like it isn’t because it’s catchy. Manipulation of control, manipulation of view, loss of control, loss of view. It’s because those conditions and impacts are explainable regardless of the scenario. So it really focuses on, “Hey, I don’t care who the threat actor is. I don’t care what vulnerability is being exploited. I don’t care what the lateral movement looks like. This is the condition you want to avoid because this is the impact it’s going to have.” And I’ve been talking for years about effects-based rather than means-based security, and I’m starting to see us as a group turn that corner.

(04:53):

But again, it’s historical. It’s not a new corner. It’s a corner we’ve explored before. We just have better tools and capabilities to do it. So that’s a cool trend that I think we’re seeing a lot today.

John Vecchi (05:01):

Hmm. That’s really cool. And it’s almost… I just got back from a war gaming summit in Vegas this week, and they talked a lot about this consequence-based, cyber-informed engineering. It’s very similar to what you were just laying out. It’s really thinking through what has to happen to actually make that consequence occur, and then what is the impact of that consequence.

(05:26):

And this was really talking about how could a hacker, which is… I’m going to talk a little bit about the OT/ICS side. I know that’s seriously a big focus of yours, Danielle. And though this summit was specifically talking about on the OT side, you’re going to have the Formula 1 in Vegas. You’re not going to have the Super Bowl. What could happen bad if someone really wanted to stop those events? And looking specifically at cyber-physical systems… And it’s pretty incredible the options an attacker could have. But a lot of that was this consequence-based, this informed thinking through that. Does that match, would you think, with that trend you were talking about? Does that seem to make sense?

Danielle Jablanski (06:11):

Absolutely. Yeah. So consequences matter. You hear a lot of people in security say, “There’s no one size fits all,” or “It depends,” and that’s so true.

John Vecchi (06:16):

Mm-hmm.

Danielle Jablanski (06:17):

So you start to see people think of what I call Hollywood scenarios. And there’s good intentions. They want to avoid the worst-case scenario, but they get Hollywood really quick.

(06:26):

I think consequence-informed engineering, it underscores the fact that contingencies matter. And we constantly tell people in OT that security folks have to talk to engineers, and engineers have to talk to security folks. It’s not so that security folks can create PID loops in their sleep. It’s not so that engineering folks go home and explain to their spouses identity access space roles and responsibilities. It’s so that we prepare for the right contingency. So the Oldsmar example, regardless of whether or not that was a hack, there was actually another stop gap that was introduced into the engineering that would’ve prevented somebody poisoning a large swath of people based on the engineering in that world, right?

John Vecchi (07:02):

Yeah.

Danielle Jablanski (07:03):

So we do this defense in depth strategy for security, but there’s defense in depth in engineering, which is really what that program is all about. For cities, I did a tabletop a long time ago and they wanted to basically map out what if somebody turned all of the lights green in both directions all at once. Across the city, you’d have these cascading crashes, and you’d overwhelm 911 and the phones and communications. And I was like, “Oh, the logic in most of these systems actually doesn’t allow for that.” And what do you mean? What’s the logic? And I’m like, “Well, everything is programmed, right? It’s digital. It’s based on programming logic.” And so just having that understanding, they were able to consider a different contingency and scenario, and that was something that looked at meters, which were much more open and available in public and accessible and had other third-party concerns and were an easier target.

(07:48):

So with those scenarios that you mentioned of high-profile events happening in one location, having the right experts to talk about planning for the right contingencies instead of “And then little green men also fall out of the sky” and you prepare for the wrong scenario, I think is really important. And I love to see it, and we’ve got some folks on our team that do a lot of that. I wish I could do more of it now, but it’s the best type of interaction I think, is planning for those scenarios and doing your best to avoid them.

Brian Contos (08:15):

It’s so great to hear that people are at least thinking along those lines and vetting these scenarios out to see which ones are actually applicable and which ones are a little bit more farfetched. Are there any segments, if you look at manufacturing versus power generation versus transportation, et cetera, that you feel are… They just get it, right? They’re making the right moves. They’re hiring the right people. They’re doing the right things, investing in the right tech. Is anybody leading the charge on the critical infrastructure side of things?

Danielle Jablanski (08:47):

Again, it depends of course. Oil and gas is all about monitoring. Electricity has their own compliance mitigation for bulk impact, so they’re really focused on prioritizing what impacts the most amount of people. To me, it actually is more about locations. I think some locations are really getting this right rather than sectors. The city of New York is doing a lot. Other cities are similarly ahead of the curve. Singapore, right? We have some really great examples of getting this holistic cyber picture better than others. But I actually think what is interesting across the sectors is that not only are there really specific OT incidents that aren’t the same across the sectors regardless of similar technologies and equipment, but the supply chain issues that are increasing across those that SBOMs are wrapping their arms around, but some of their forms are difficult for people to use, end users that don’t have asset inventory or not readily adopting SBOMs, but I think it’s interesting because across the sectors, the supply chain issues are threefold.

(09:51):

Either it’s ubiquitous, right, so it’s a software program that’s used throughout many sectors, many pieces of equipment, many OEMs. It’s a critical interdependence, it matters the most, or it’s a just-in-time production. So it actually doesn’t have to be that important. As long as I have to have X amount to do my job regardless, it becomes a critical interdependence. Even if it’s not my crown jewel system, it’s the chemicals that I need to purify the water. It’s the component in the vehicle that I get shipped in every Friday for my processes to complete. This is uptime that I’m beholden to for my shareholders. Those supply chain incidents that we used to think of as very tech focused in cyber-physical systems are very outcome focused. And so I think that that’s, across the board, what I see sectors now struggling with more so actually than understanding OT networks and visibility and continuous monitoring. People get what that means and they understand if they can afford it or not, to be quite honest. This supply chain risk, I think, is really starting to unsettle a lot of sectors.

John Vecchi (10:53):

Mm-hmm.

Danielle Jablanski (10:54):

Yeah.

John Vecchi (10:55):

Yeah, I can see that. And especially when you’re thinking about cyber-physical systems and all the complexities, and you just think of all the different organizations who are in that supply chain, whether they’re providing part of the network in the environment or they’re, like you said, providing a substance or something that’s critical to deliver whatever it is they’re doing, it’s incredible when you think of all of the various supply chain third parties, right?

Danielle Jablanski (11:22):

Yes.

John Vecchi (11:23):

That can be in the scope of things and completely overlooked, right?

Danielle Jablanski (11:27):

It’s very transactional and there’s not a lot of redundancy built in. And that doesn’t matter what sector. Those are typically true for any sector.

John Vecchi (11:34):

Yeah, yeah. Well, and again, with Nozomi, obviously you’re focused a lot on the OT side, right, the industrial control systems. And you were mentioning before some things don’t change in a decade in cyber, and I was thinking. Brian and I always talk about the fact that working in this xIoT security feels like we’re back in the ’90s. When you think in terms of the actual cyber-physical systems, I mean we’re still talking about the most basic, fundamental things that we were trying to do to laptops in 1994, right?

Danielle Jablanski (12:06):

Definitely.

John Vecchi (12:09):

Update the software. Rotate your credentials. Shut off things. All these different things. And so when you-

Brian Contos (12:16):

Just enable authentication. Just turn it on.

John Vecchi (12:18):

Yeah, enable authentication. Yeah, just simple stuff like that.

Brian Contos (12:22):

Give the user the opportunity to have a password.

John Vecchi (12:23):

Yeah.

Danielle Jablanski (12:24):

But then they’ll just share it with everyone else on that shift.

John Vecchi (12:26):

Yeah.

Brian Contos (12:27):

And then write it down on a card and tape it.

John Vecchi (12:30):

Yes, exactly. Well, which is a lot of reasons why a lot of times they want to keep one password, so it’s easy for everybody to know. But-

Danielle Jablanski (12:36):

Yeah, but then they want to take their engineering laptop home. So it…

John Vecchi (12:40):

Yeah, it’s so true. When you look at the time you’ve spent in this particular space, you think in terms of the IoT, OT, industrial, ICS security, how have you seen it maturing in the years that you’ve been working in it that would be interesting? At a high level, 30,000 feet, how would you sum that up?

Danielle Jablanski (13:02):

I’m glad you said high level because the equipment hasn’t changed.

John Vecchi (13:04):

Exactly. Yeah.

Danielle Jablanski (13:05):

So yeah, the protocols are the same. It’s interesting. When I first started looking into this space a couple of years ago, I kept referring to this 2005 testimony actually in Congress here in the US, and it listed the top five ICS security concerns. They’re the exact same five concerns today.

John Vecchi (13:19):

Today.

Danielle Jablanski (13:20):

Exact same five. It’s legacy systems. It’s remote access. It’s connectivity to the internet. It’s known information about systems on the internet. Off the top of my head, I got four out of five. So you can go find that testimony, but it’s not rocket science.

(13:31):

What I have seen more recently is there’s less reluctance to put hands on keyboards for the systems that do run the intermediary systems, that do run and operate process control systems. There’s less of an initial focus on the field devices. We really don’t want to tamper or tinker with those. We don’t want to override the warranties from OEMs, and we don’t want to really get into a battle about what OEMs can and can’t do to their own equipment. But the intermediary systems, the Linux and Windows-based agents that we typically put in the demilitarized zone, right, those kinds of things that operate that level three of the technology, we’re seeing more hands on keyboard, more script running, more “Hey, I told the OEM not to run PowerShell on this agent. Are they doing that?” And beforehand, it was set it and forget it. We trust the vendor. We’ve integrated the vendor. We have the SIs that have plugged everything in. We did our testing phase. It’s acceptable. We’re ready to go. We’re off to the races. And from then on, it wasn’t really reviewed, right?

John Vecchi (14:27):

Mm-hmm.

Danielle Jablanski (14:27):

So we’re seeing more review, but that review isn’t just checking spreadsheets and contracts. It’s actually checking scripts and logs. Is the hardening done? Are ports closed? Are services that we don’t need disabled? In the past, that was a quote, unquote, “best practice,” but it wasn’t happening, right?

John Vecchi (14:42):

Mm-hmm.

Danielle Jablanski (14:42):

They didn’t have the people to do it. They had IT folks focusing a little bit on security, and they had a lot of directions to be pulled in. And I think what’s really interesting now is we’re seeing more adversary emulation and pen testing in the ICS space. Not a ton, but more. And I think that the more knowledge we share about what that looks like and what it means to actually interrogate a system because you know how to interrogate it rather than flooding your network with scanning tools that aren’t built for OT and don’t know what protocols look for and can mess things up, that level of specificity and expertise we have today we can do it. We can do it well.

(15:15):

That’s not even what Nozomi specializes in, but that’s something that’s out there that’s definitely new. Whereas before, you’d have an incident, you’d call in an IR person or a team, they would parachute in, and the first thing they would want to do is run some scripts. And they would say, “No, you can’t touch that. You can’t do that. You can’t query this system.” So I think that’s really interesting.

(15:35):

And then the last thing… I’m rambling here, but a lot of people harp on metrics. They want to see better security outcomes. Anytime CISA does something, Dale Peterson [inaudible 00:15:43], “Show me the metrics. Show me the metrics. Show the metrics.” But the SANS report this year, 2023, said that there were three things that were really important for this space. It was ICS threat detection, forensic data sources, and response techniques. And to me, that sounds like three categories of metrics that are extremely meaningful. They don’t necessarily… I mean detection otherwise, but detection doesn’t necessarily point towards one particular category of tool or capability. You can do detection without automated tools if you can manage and handle that. But those three things seem like metrics. So I think we’re getting somewhere, right?

Brian Contos (16:17):

Mm-hmm. Yeah, no, that makes a lot of sense. You know what I always find interesting in this space? I think for a while now, decades even, people have been talking about make sure the PLCs are secure, your Historian. Make sure you’ve got a unidirectional diode or some level of segmentation between the various levels of the network. But then in these OT environments on the operational side, you’re seeing a lot of IoT solutions being introduced, which could be security cameras, digital door locks, printers, and about a million other things that are basically little Linux servers, most of them. Android, Ubuntu, some flavor of Linux. As you know, they haven’t been updated or patched since somebody bolted them into a wall probably 10 years ago. There’s no passwords, or it’s a default password. And usually, they’re running level eight, nine and 10 vulnerabilities, so they’re really easy to compromise.

(17:10):

Do you feel that within these environments that we’re just now slowly starting to really embrace a security structure around as it relates to OT, are they starting to think about the IoT that lives within these environments as well? Because on the other side of the house in the offices, it’s pretty slow in the coming. There has to be a lot of evangelism to get them up to speed about what the risks are. I’m just wondering, are the OT folks perhaps a little bit more savvy when it comes to this space because they’ve been living in the OT world much longer?

Danielle Jablanski (17:44):

Yes and no. Back to what I said about bridge building and capacity building, and I mentioned sales, there’s this trifecta that has taken hold of budgets, and that is centralization, interoperability, and analytics. We see it everywhere, not just in ICS. We see that across many industries that are changing, keeping up at scale. They want more data. But I didn’t mention security in that trifecta, unfortunately.

(18:09):

And so now, you’re seeing folks say, “Wait a minute. I’ve adopted this model where I want to utilize and profit from centralization, interoperability, and analytics, but now I have this gaping security hole. I have these multiple devices that are insecure by design or their encryption is too short that their passwords can’t even be updated in the future to be quantum secure.” Some of these sensors and things are buried underground with hard-coded passwords in them, so this problem became larger than life really quickly.

(18:39):

And really, the difference between regular IoT or commercial IoT and industrial IoT is just scale. But that centralization, interoperability, and analytics is still the premise of that. So even massive lighting that goes into a warehouse or an airport or something, that’s still just a giant version of commercial sources.

(18:55):

So the issues that really arise from that is number one, you can’t do one-on-one device security. You’re not going to send somebody out to do this manual field-level updating a firmware as you guys know. This is your bread and butter. But the other issue we see for the ICS folks is that it’s a third-party ownership.

(19:13):

So it’s not technically rented, but it could be paid for… The hardware’s installed and paid for over time as a subscription model. And so how that blends with the ownership and roles and responsibilities of security and even the security controls that can be extended to that third-party network that is now interoperable with your own whatever it is for centralization, analytics, and tool sets, that’s the big question, is well, if it’s not mine but I let it touch mine, do I own the risk? Can I absolve myself from the risk? Am I liable for issues?

(19:43):

We see this in smart cities, airports like I mentioned, healthcare facilities. Like I said, you guys know this better than anybody, but the device conversation is out there. The third-party risk conversation is less out there, but that’s what I hear from folks.

John Vecchi (19:58):

Yeah, that makes total sense.

Danielle Jablanski (20:00):

People ask Nozomi if we do device central security like patching and updates at scale, right?

John Vecchi (20:06):

Mm-hmm.

Danielle Jablanski (20:06):

And that’s something that we partner, of course, to do and showcase. It’s not our main thing. We still focus on network security, but I know people are looking for it because those centralized benefits of data, now we’ve realized that that was optimization for business, but it wasn’t optimization for security. So now, you need another tool to centralize the security management. It’s ironic, right, what we think of. Especially in building management, right, you’ll see building management bring the HVAC and the elevators and everything together. That Facebook incident a couple of years ago where they were locked out of their own doors, right?

John Vecchi (20:37):

Yeah.

Danielle Jablanski (20:38):

That was a contingency that they didn’t consider because they hadn’t actually brought in those building controls to their security frameworks. They hadn’t thought of that contingency. So it’s definitely out there. And then there was a really great report from a German researcher on some of the hard-coded password issues with building management systems that was showcased at S4 last year. So I know it’s out there as a big topic of focus.

Brian Contos (21:00):

Yeah.

John Vecchi (21:01):

Yeah.

Brian Contos (21:02):

Well, I’m glad you brought up healthcare because that’s what… Healthcare providers specifically, although sciences and payers get involved to some extent. But you’ll walk into these organizations that will have… or these hospitals that have a million-dollar MRI machine and they’re paying $30,000 a year for some contract through some vendor to maintain it, maintain everything, the software, the hardware, and any type of repair issues they have. And then you look back at what they’re actually doing, some of these devices, they’re running Windows NT 4.0 which has been end of life for, what, 15 years, 20 years? And it’s amazing to see where they stand.

(21:38):

So you’re pouring about liability. How much are legal teams actually getting brought into this and basically telling the vendors, “Look, we’ll abide by your OEM rules. And we don’t want to break our warranty, but you’re operating a system in our environment that is so insecure. You’re putting all of our other systems at risk. What are we going to do from a legal perspective?” Is legal starting to take, I guess, a more prominent role in these decisions now?

Danielle Jablanski (22:04):

Yeah, so legacy devices in ICS, not in healthcare, are ubiquitous. They’re widespread end of life. And instead of going to legal immediately, we say, “Okay, if you can’t rip and replace that system or the vendor doesn’t have a more secure by design system and it’s still running on some of the old Windows XP or older intermediary stuff, then we can build controls around that.” Right?

John Vecchi (22:26):

Mm. Mm-hmm.

Danielle Jablanski (22:26):

So just understand that that’s a reality, understand what’s critical in that setup and build controls around that, build defense in depth and segmentation and all of the architecture principles that we talk about. In healthcare, I think it’s really interesting because when NotPetya happened years ago, in Europe there were definitely some cascading impacts from that. And a lot of these hospitals and medical environments got scolded, but it wasn’t that they couldn’t update that system. It was that there were so many other systems that relied on that system running on that software or that update. And if you change that, you then had to update or purchase all of these new pieces of equipment that interoperate with that equipment. So it’s this wholesale idea that patching isn’t the most perfect solution to everything. So I felt that was a little unfair for them.

(23:14):

So for ICS, typically we can build some other controls around that. Sometimes that control, that redundancy, is not islanding. Sometimes it is have a backup HMI on hand. Now, that’s not perfect for everybody, but that type of contingency planning is really important.

(23:28):

I’ve seen that in West Texas, for instance, big oil and gas, that you would never have NIST come out and say, “A good practice for redundancy for everyone is to have a backup piece of million-dollar equipment sitting around.” But in this case, it was remote enough and critical enough, and they knew what the threat landscape looked like. They knew what outdated, legacy, end-of-life software they were running and they said, “This is our best security practice.” And it worked. And they needed it, and it was a great thing to have. So again, this “not one size fits all” matters.

(24:00):

For legal, I think it’s more of an insurance conversation, and you’re starting to see… I think it was a couple of years ago I did some deep research on insurance. And the average number of pages for a cyber policy application grew from a handful of pages to 12-plus pages. And this was just a couple of years ago. Today, I bet it’s probably 15. And you’re seeing these boutique firms understand cyber risk and doing the assessments, doing the external access point searches.

(24:28):

So before, you would just tell a giant insurance company, “Yeah, we do cyber. We do security. Check, check, check, check, check.” And they were never verifying that you were actually doing what you said you were doing. Now, anyone who’s really focused on cyber insurance or providing that policy is saying, “Show us those receipts. Verify that you can do the thing you said you were doing so that when it comes down to it, I will actually pay out your policy because you confirmed to me that you had these controls in place and you were safeguarding the criticality of the business that I’m insuring, right, or the process.” Depends.

John Vecchi (24:59):

Yeah. And, I mean, around cyber insurance, what are you seeing when you think of cyber insurance when it comes to all of this, we call it xIoT, but the IoT, the OT, the ICS, the industrial IoT, the industrial medical? All these things that are in the equation, but oftentimes when you hear discussions about cyber insurance, those aren’t even in the picture. Should they be? Are they getting to be in the picture, or what are you seeing there?

Danielle Jablanski (25:27):

So yes and no. For a number of years, the insurance market had quote, unquote, “hardened,” which just meant there were fewer providers offering coverage, which meant that they could charge a higher premium or basically any premium they wanted because the market was in their favor and hardened. The big shift I think we’ve just seen is the national cybersecurity strategy that the ONCD came out with from the White House, saying that liability for companies is a real thing now and it’s not going to be shifted.

(25:54):

Now, we’re not seeing the ramifications of that yet and that’s not a piece of ironclad legislation, but it is a huge shift in the way we talk about liability for technology providers, for any company really, saying that you bear the responsibility, you bear the burden, and you bear the liability for what you create, what you bring to market, what you sell, and what you service over its lifetime. Period. So I think all of the cyber insurance real experts out there took that and said, “This means that the market’s going to be less hard, but it also means we need to verify every piece of security control a company says that they have purchased. And not just purchased, plugged in and integrated.”

(26:36):

So when I was an analyst, I talked to other analysts and a lot of them were auditors. So I was in the research wing, but we had a lot of auditors, and we talked to a lot of auditors at other companies. And they would go in hypothetically to an electric utility and say, “Hey, you purchased this cybersecurity tool. Where is it?” And they’d be like, “Oh, we bought this subscription, the service, but we haven’t integrated it yet. We’re going to do it in six months.” Six months later, “Hey, where’s this tool you bought?” And they would kick a box and say, “We’re going to integrate it.” But really, they were just paying the license fee.

John Vecchi (27:08):

So they said [inaudible 00:27:09].

Danielle Jablanski (27:08):

Because that made them compliant, and technically they were compliant. That’s not going to work anymore. You see what I’m saying?

John Vecchi (27:14):

Yeah. Yeah, yeah. That’s so true.

Brian Contos (27:19):

So this is the part of the conversation where I like to get to the tea. So any cool use cases, stories from the trenches that you could anonymize and share with us about some crazy incidences that you’ve been exposed to or things that you’ve seen in the field?

Danielle Jablanski (27:34):

I can’t get really specific about our customers, but I will say there was a major OT incident that was close and near and dear to Nozomi’s heart. And they called us and said, “Do you guys do IT too?” That was one of my favorites.

(27:48):

And then when the Ukraine invasion happened, I had actually just started at Nozomi, and we were able to work with some countries in the region that we were already close to. We have a huge presence in Europe. Of course, we were founded originally in Italy. And then again, in San Francisco, we have dual headquarters. I say Italy. Our headquarters is Mendrisio, Switzerland, just over the border. But when the Ukraine invasion happened, we had such close ties with some of those organizations. We were able to work with other CERT teams, other governments to provide visibility and telemetry data for that ongoing conflict. That was really cool with my background in international security. We’re seeing similar things come out of the JCDC arrangement for other conflicts around the world, but that was one.

(28:30):

And there’s another one I want to tell you, but I can’t be opaque enough that you wouldn’t be able to guess. But when we’re off air, I’ll tell you.

Brian Contos (28:39):

All right.

John Vecchi (28:40):

Yeah, it’s [inaudible 00:28:41].

Brian Contos (28:40):

No, fair enough. We know it’s a sensitive area, so thank you for that.

(28:45):

As we wrap up here… And this could go on for hours. I just love your perspectives on everything. What are some closing thoughts that you can share for some of our listeners as it just relates to the broad spectrum of OT security and where we’re going from here and what the future is holding?

Danielle Jablanski (29:03):

Yeah. I think on a technical basis, I would say trust and verification go hand in hand. And what I mean by that is develop relationships with your vendors. Ask more of your vendors.

(29:12):

When I did a cloud presentation, I talked about the shared risk responsibility model that the cloud providers have. A lot of people haven’t really delved into what that looks like. Back to liability. What are you responsible for? What am I responsible for? What does that, as a service model, look like for cloud adoption? Do that with every vendor. Ask for the documentation. Ask for the updates. Ask for the disclosure process if there’s a vulnerability in that. Develop those relationships before you decide to outsource things because again, trust and verification go hand in hand. So in order to verify something, you have to trust that somebody’s going to do something that you ask them to do. And then you’re going to demonstrate that. So stop outsourcing. If you’re going to outsource, build those relationships with trusted vendors.

(29:49):

And then build up your own advisors. I’ve said this before. I think people hate it, but there is no agnostic advisor out there. Everyone, even if they don’t come from a vendor, everyone comes with a school of thought. And that’s the way I’ve been putting it to folks. They have a school of thought for the best way to do security. They may be right, but the best way to build an advisor is to build internal leaders, internal subject matter experts, and those trusted advisors that you can count on within your team. It’s never too late to stop learning, and your team can do it or learn it if given the opportunity.

(30:19):

There are a lot of hungry and eager career people out there. And they see companies buying new tools and not plugging them in and saying, “Wait, I want to take a SANS course. I want to do this. I want to learn. I’m willing to learn. I’m in community college. I came from a network security background, and now I want to do cyber. I have a CSS degree and I want to do security.” And we say, “That’s nice.” And we invite them to happy hour, but we don’t actually say, “How can I invest in that for you? How can I be a part of your professional development instead of outsourcing our best talent and then having our internal folks look for better jobs elsewhere?” Right?

John Vecchi (30:52):

Yeah, that’s-

Brian Contos (30:52):

Good advice.

John Vecchi (30:53):

That’s great advice. And, I mean, certainly in this space, when you think in terms of OT/ICS and the whole industrial side, that’s really, really important. So that’s fantastic advice.

Danielle Jablanski (31:05):

A lot of retirees out there. So.

John Vecchi (31:07):

Yes. And so Danielle, where can our listeners find you? Do you have channels on social you can tell them about? Are you going to be anywhere where they might meet you? Anything you can tell our listeners?

Danielle Jablanski (31:20):

Sure. Yeah, so I’ll be in the Copenhagen ICS event next month if you’ve got any folks over in Europe listening to this before then. I think that’s November 13th. I’m on main stage at S4 next year with my Atlantic Council research. I actually was able to… I published a methodology, and then I was invited to run that methodology with the WaterISAC for prioritizing scenarios for tabletop exercises. So I’ll be at S4 on that.

(31:43):

And then I’m active on LinkedIn. I think I’m the only Danielle Jablanski. Not totally sure. With an A. There are some Os out there. And then on X, formerly known as Twitter, I’m still CyberSnark. And I just can’t give up that handle, so I’m still pretty active on there as well.

John Vecchi (31:56):

That’s awesome.

Brian Contos (31:56):

[inaudible 00:31:57].

John Vecchi (31:57):

Yeah, never give that up.

Danielle Jablanski (31:58):

No.

John Vecchi (31:59):

That’s amazing. It’s a fantastic discussion. Danielle, thank you so much for joining us today. And so listeners, you know where to get ahold of Danielle. You know where to see you. We’ll see you at S4, Danielle. We look forward to that.

Danielle Jablanski (32:10):

[inaudible 00:32:12].

John Vecchi (32:12):

Remember, everybody, the IoT Security Podcast is brought to you by Phosphorus, the leading provider of proactive, full-scope security management and breach prevention for the extended internet of things. Thanks again to our guest, Danielle. And until we meet again, I’m John Vecchi.

Brian Contos (32:28):

And I’m Brian Contos.

John Vecchi (32:29):

We’ll see you next time on Phosphorus Radio.

Author

Phosphorus Cybersecurity

Phosphorus Cybersecurity® is the leading xTended Security of Things™ platform designed to find, fix, and monitor the rapidly growing and often unmonitored Things of the enterprise xIoT landscape.