Podcast

It Only Takes One: Navigating Vulnerabilities with Dark Reading’s EIC

Over the past 17 years, Kelly Jackson Higgins, editor-in-chief at Dark Reading, has watched the cybersecurity industry explode. She brings a unique perspective to the podcast in discussion with Brian and John as they pick apart everything from the challenges faced in industrial environments to the vulnerabilities in healthcare organizations.

Just as the world of technology journalism has changed, so has Dark Reading and the way they approach the industry, the major players, and evolving conversations in the space. Kelly’s unique position allows her to triage the firehose of information for us, focusing on ransomware and “the whole AI thing,” and more. 

Throughout the conversation, we will explore the importance of visibility and monitoring of connected devices, the persistent issue of devices being connected to the public internet when they shouldn’t be, and the need for collaboration between IT and OT teams. We will also delve into recent cyber threats, such as ransomware attacks and the concerning trend of ransomware as a service, shedding light on the advancement of technology and its impact on cybersecurity.

Join us as we explore these critical topics with our expert guest, Kelly Jackson Higgins, and uncover the challenges, advancements, and solutions in the realm of IoT security.

Transcript

John Vecchi:

Well, hello everyone. You’re listening to the IoT Security Podcast live on Phosphorous Radio. I’m John Vecchi.

Brian Contos:

And I’m Brian Contos. And we have a really special guest today. Welcome to the show, Kelly Jackson Higgins.

Kelly Jackson Higgins:

Hi, thanks for having me here, Brian and John.

John Vecchi:

Welcome Kelly.

Brian Contos:

Kelly, it’s great to have you on again and speak to you. It’s been a few years. You’re one of the podcasts that I always love to have on board because your visibility into what’s happening in the industry is quite different than bringing on a CISO or a technology vendor; it has a completely different flavor. So I’m really excited for this. As we get started Kelly, perhaps you could give some of our listeners a little background about you and how you got into the industry and what exactly it is you do.

Kelly Jackson Higgins:

Certainly, so I am the editor-in-chief at Dark Reading. Dark Reading is a cybersecurity news site. We celebrated our 17th birthday this year, so we’ve been around for almost 20 years.

Brian Contos:

Oh wow.

Kelly Jackson Higgins:

Yes. And I was employee number three or four in June of 2006. So I’ve been with it since the beginning. I came on one month after they launched, and I’ve been doing cybersecurity, well, technology journalism for probably 30 years, going to say it out loud, and it kind of naturally flowed into security because it was an area that was really of interest to me. So I started covering that. Originally I was going to be a sports writer, but based on the news I’ve seen the last week, that was a really good decision that didn’t work out. Because that’s not a very long and, sadly, not a great career right now for most journalists.

So I think that all worked out for the best. But yeah, I started as a tech writer. There were a lot of publications out there looking for journalists to write about technology. So that’s kind of how I got in there with my sports writing career. But over the years, obviously when you report on these things, you sort of become, not an expert, but a person who can really understand what’s going on, know the right questions to ask, and you have to portray it and communicate it to your reader, so you have to understand what you’re talking about. So I’d say over the years I’ve amassed a lot of knowledge. I started out really covering the networking space. So I followed sort of the internet evolution, TCP/IP protocol stack evolution, all that. So I watched that grow, wrote about that, and then have watched the cybersecurity industry explode the last 17 years basically into this massive thing. So that’s kind of how I got there.

Brian Contos:

That’s incredible. And you know, Dark Reading, I think pretty much everybody in the security industry is familiar with it. It’s one of those just go-to sites with so much great content. Was it always online or was Dark Reading at one point a physical magazine? Or how did that…

Kelly Jackson Higgins:

Yeah, so we were always online. So we started out as a website, and of course I’d come from the print side of things. That evolved into print, and “threw things up on the web” was the terminology that was used when you had your online version of your publication. And that evolved quickly, obviously very rapidly as journalism changed. But yeah, we were always online, always a virtual site.

Brian Contos:

You were ahead of the curve, for sure.

Kelly Jackson Higgins:

Yes.

Brian Contos:

Because I remember at a time, well, maybe all of us remember, used to get those weekly magazines sent to your office or home. And some of them were huge. I don’t know why, but they were these really big form factors and you’d get like 10 of them a week and maybe you’d read like two of them. And I’m like, oh man, this is such a waste. Why aren’t these just online? And then of course, Dark Reading always being online I think really gave you an edge. So no, that’s awesome.

Kelly Jackson Higgins:

Yeah.

John Vecchi:

So Kelly, how has it grown? I mean, I’m just interested, but how big is Dark Reading now? You were like, like you said number six, or what did you say back in…

Kelly Jackson Higgins:

Yeah, so in 2006, we were actually like three people. And then we were down to two people for a while, Tim Wilson and myself, who was one of the co-founders. So he and I worked together on pretty much the whole site for a while by ourselves with a couple freelancers helping. And then we started adding on. And then, in the past year, we’re now up to the biggest staff we’ve ever had. We have eight people counting me, which is amazing.

So we have a huge staff. Huge, that sounds not huge, but for us it is. We still have a large contingent of freelancers who work with us on a regular basis and some on a project-by-project basis. We kind of look bigger than we are in terms of staff. But the site has grown dramatically. So we had pretty much, we were a news site for a long time and then we added something called The Edge, which is a feature section. So we added that a few years ago. And then two years ago we had a site called DR Technology that really gives us a place to, we found it was getting harder as more vendors were around than there were back in 2006.

There are many thousands. And we realized we didn’t have a great place to put the new product news, the technology news, to let it stand out. Because there’s so much other news happening around the threatscape and attack space. So we decided to put together this section called DR Technology, aka DR Tech, that’s really dedicated to that. So it gives us sort of a place to do deep dives on technology trends and then of course some product news, and we can’t cover it all. There’s so much of it. And then we also have a news section we just rolled out.

It’s been a month now, DR Global, which is kind of exciting because this is our first official foray into covering more globally the cybersecurity space. And we decided to pick one region right now since we’re not that big. So our new editor is focusing mainly on the Middle East and Africa, which we see as a really majorly growing area in cyber. And we want to talk to the cybersecurity professionals in those regions. So he’s sort of starting to dig into that. So we have a new section called DR Global. So three sort of sections within the site, which is kind of cool in addition to our topical section. So we have grown a lot.

Brian Contos:

Well you said eight people, you could have told me you had 80 people [inaudible 00:06:18], oh my god, eight people. Yeah, we got eight people. Oh my gosh, that’s amazing.

Kelly Jackson Higgins:

We’re lean and mean as we like to say, and very efficient. That’s the other thing, we are very efficient.

Brian Contos:

Well, and I think it’s such a smart idea focusing on the Middle East as well. I was just out in Dubai maybe about a year ago now, and I was at a couple cybersecurity conferences and some of those were five, six times the size of RSA. I mean they’re huge. There’s a huge market there, especially in the OT side of the house, right? Because there’s a lot of oil and gas and things like that. So let’s kind of jump in because you’ve been doing this for so long and you see, you have so many different kind of angles on this. What are some of the hot cybersecurity threats or trends or priorities that you’re seeing right now?

Kelly Jackson Higgins:

As per usual? There’s more coming at us than we could even write about, that’s our daily. We call it the firehose triage that we go through. There’s just so much. So every morning we literally have these quick morning briefing debriefs of what we’re going to take on that day and also what we’re going to put into the feature section or long-term coverage section. I think obviously the stuff that’s in the headlines is obviously the obvious stuff. Like ransomware has evolved into more of an extortion, actually kind of went full circle. It started out as just pure extortion and it’s kind of come back to that, I guess. So that’s one thing we talk a lot about, and the whole AI thing was a bit of a, as everyone knows, an overnight issue in security. We’ve been sort of talking about AI for decades as coming along and being a coming thing. But when ChatGPT dropped, I think everybody just sort of had a wake-up call like wow, this is something we have to look at.

Brian Contos:

We thought we still had 20 years.

Kelly Jackson Higgins:

Exactly. I feel like we’re definitely digging into that more. There was a lot of hype at the beginning. We’ve done some myth dispelling kind of pieces on that. I think we still don’t really know what the impact’s going to be. I think one thing that we’ve been really interested is watching security vendors kind of adopting the technology very quickly now too. Incorporating it into their platforms, their services, using it for good. So I like to think that the good guys are a little ahead of the bad guys in that space right now, but I’m sure that’s not going to last for very long. But I think that’s really interesting to see how we can, as industry have a little bit of a leg up for once. I don’t know what you all think of that, but that seems like a pretty interesting theme to me.

John Vecchi:

Yeah, there’s no question, no question. And like said, you’re starting to report on some of the big companies coming and talking about their plans for AI and they’re starting to develop and their vision for how they’re going to incorporate it and the benefits of it. I mean, it’s incredible, like you said, it happened virtually overnight. I think most in security probably weren’t having those discussions before ChatGPT right and then suddenly it’s, we better have a roadmap and a vision for how we’re going to incorporate AI. I think every security company is looking at that right now, I would say. Do you think so, Brian?

Brian Contos:

Yeah, I think you said it the most honest way you possibly could, Kelly. We don’t know. We don’t know what’s going to happen. This is all net new and it’s the nefarious actors versus those folks that are trying to develop tools to protect us. And both sides are going to leverage AI. There’s no question about it. I like to judge things by walking through big security conferences like RSA and there’s always something that’s the thing each year, like a few years ago it was cloud, and I remember way back when it was like PKI. Certainly, it’s AI now and I think it’s going to be AI for a while. I’m wondering, in all the things that you’ve covered, have you started to see any kind of ransomware or attacks that are actually using some type of AI component? Or is that still, at least from what you’ve been exposed to, is that still a ways out?

Kelly Jackson Higgins:

Just full disclosure, I don’t get to do as much reporting as I used to, not as editor-in-chief, but from what we’ve written so far, there has been no big AI-based attack yet. And that’s been the worry, right? There’s some folks out there saying that that’s just not going to happen right away. And that’s nothing. It’s kind of a thing that’s kind of a scare thing right now and not a real risk yet, but they wouldn’t put it past a nation state if they wanted to play with it that way, right? That’s another possibility. But I still don’t think anything that’s ever happened in this industry that I’ve been covering has happened as quickly as that whole thing dropped. That was to me just, I’ve never seen anything happen so quickly and shift so quickly when that dropped, when ChatGPT dropped.

Brian Contos:

Yeah, well you made a great point. You mentioned nation states, which of course have in many cases seemingly limitless resources to put into these types of things. And Russia, just maybe a couple years ago, had a tool called Fronton, which was designed for the FSB by actually a firm of contractors to be an xIoT discovery, compromise and control tool to find these printers and these cameras and these digital door locks and these OT devices that might be accessible and taking those devices over for any number of things. One, maybe just to add them to a bot, two, to use them to pivot to sort of IT-centric assets and perhaps exfiltrate data or maybe maintain persistence and evade detection, all these things. And that tool got stolen by the Digital Revolution Hacking Group and released to the wild on various websites and locations you can download.

And if you speak Russian, or if you can use Google’s Russian-to-English translate, you too can have a nation state designed xIoT hacking tool. So to me, it’s only going to take one of those types of things, one of those AI-centric types of attacks or some malware where the code’s released, that will just start a snowball going where everyone’s going to jump on it, both other nation states as well as cyber criminals. Now who’s going to get there first, and how’s that going to evolve? I don’t know. But once that Pandora’s box is open though, I think we’re just going to see it everywhere. And I just don’t know what the timeframe for that is.

Kelly Jackson Higgins:

That is a little bit scary. But you’re right. That’s a good point. Historically this industry, there’s always been a watershed breach that changes things. I can think of five that I’ve covered over the decades, and that would be one of them if that happens. That one you just mentioned so yeah.

John Vecchi:

Yeah. And then the interesting thing, right, Brian, about Fronton is it also has an element to it that can quickly spawn hundreds of social media accounts. And so if you think in terms of why they would’ve done something like that and you kind of combine something like AI and think, well, what if they captured, what if they compromised a camera and captured an image. And as we know, most people sometimes don’t understand the cameras are capturing audio as well as the video, and they could perhaps put disinformation up on social media and use AI to maybe alter the image or alter the sound. So I think when I look at some of these nation state threats and the way that they’re built and some of the capabilities they have, you almost wonder if they’re already a few steps ahead thinking about how they might be able to use something like AI to…

Brian Contos:

Real-time deepfake kind of crazy, oh geez.

John Vecchi:

Right. From a camera that’s compromised, which again leads us back to why we have this podcast. We call it xIoT, which is all these devices, there’s billions of them, right, Kelly. And that’s, we focus a lot obviously on the full threat landscape, but obviously we focus a lot on those, which is the IoT stuff, the OT, the ICS, the industrial IoT, the internet of medical things and all those devices. And you just think of that kind of threat playing out, and that attack surface is just massive. Is that something you guys, Kelly, as you look upon some of the trends that you’re looking at, is that popping up a bit more?

Kelly Jackson Higgins:

Oh, absolutely. Absolutely. So probably about 10 years ago or so around [inaudible 00:14:40] in that timeframe, whatever it was, I started covering IoT stuff, or excuse me, OT stuff, and nobody was really excited about it. I remember, uh-oh, wasn’t a lot, didn’t get a lot of readers on our stories. I’m like, this stuff’s really important. And so about a year ago we added a new section on our site called ICS/OT security because now everybody knows what it is. We had IoT. We kind of broke it into two parts. We kept IoT work for consumer, with the time, small devices, smaller devices. But we kind of were wondering how to, we’re kind of rearranging a little bit how we do that now because xIoT I think is probably a good way to look at it, kind of bringing all those different sectors together.

They’re all very different markets, but it’s the same concept. These are devices that people don’t think of as computers sometimes, and they are right, and they have connectivity and a lot of the manufacturers aren’t thinking about security when they’re building them. I feel like that whole OT space though, to me, what’s really interesting is after Stuxnet, for example, you saw Siemens suddenly just go all in with building out security team doing a patching program. Now they have security services. I’m in awe sometimes when I think about how much that part of the industry has changed. And then looking at, now they’re trying to build security into PLCs, they’re doing that, obviously not trying to, they’re doing it. All the other vendors too in that space. So I feel like it’s come a long way yet still a long way to go. I go to the S4 Conference every year and one of the comments, you might know Dale Peterson, who runs that conference, he’s super smart guy.

In his keynote, he was talking about how there’s still a visibility problem. Of course, this is a problem in IT for generations. It’s not a new problem right? And so he was talking about just the lack of OT that a lot, most OT sites don’t really have visibility obviously in their systems, and also they don’t have a lot of metrics to really track things. So there’s a lot of missing management of all this stuff. And then some of the research we saw recently was things like cellular routers on the plant floor, having vulnerabilities as a way to get in, and then management interfaces, web-based management interfaces, some of these little level one pieces of equipment that nobody cared about that you think, oh, they’re just on the plant floor.

I know we could get to those, but it’s just really interesting because we worried a lot about some of the PLC stuff, but then the stuff on the floor, that’s the little devices you don’t think about, have just as many vulnerabilities and can be another way for an attacker to get in. So I think there’s more, not just lore about attacks there, but I think there’s more serious work going into there in interest. I honestly look back to not really Stuxnet, but probably Colonial Pipeline that I think shook everybody up because that was the first time we saw a big huge disruption in the US that really was something people could understand even though it wasn’t their OT environment. But the company getting attacked like that, I think really was a wake-up call for that sector of the industry.

Brian Contos:

Yeah, and for me, I think one of the big wake-up calls when I started researching this space was just the sheer volume of devices. What we find now is there’s about three to five xIoT devices per employee in a company. So 10,000 people, you have somewhere between 30 to 50,000, which is usually about twice as many as most people would just naturally think. And they go, oh, I forgot about the voice-over-IP phones. Oh, all the digital door locks, all the printers or the lights-out management or HVAC or, there’s all these things now that are smart. And the other component of that, most of them are just Linux servers. They’re Android, they’re BusyBox, they’re Ubuntu, on the OT side, it’s real-time operating systems like VxWorks. But these are smart systems. I mean, we’ve come across security cameras that are actually more powerful in terms of storage, processing, memory than a typical laptop.

So if you compromise one of those, you have a pretty beefy Linux server then that you can go ahead and use to attack other IT assets or cloud assets, exfiltrate sensitive data. And the thing about it is they’re not being managed, most organizations aren’t tracking it and they don’t know where they are. They have some default password that was put in when someone showed up in a van with a box and a drill and stuck these things on a wall 15 years ago. So they’re old firmware, they’re full of vulnerabilities, and there’s just this massive attack surface, which I think back to, we were talking about Fronton, why nation states have taken interest, why cyber criminals have figured out how to monetize these types of attacks. And I think to the old xIoT attacks where I’m going to add your device to a botnet and do bad things, or I’m going to use it for crypto jacking and I’m going to mine cryptocurrency on all your cameras, and you won’t know it until your power bill goes through the roof.

But now we’re seeing a lot more of these attacking IT assets. I’m wondering, I know this, you’re coming at this from a different perspective, but do you think the industry is ready for this or is this another one of those AI things where that event, that thing that watershed kind of happening is going to have to occur on the xIoT side or reoccur if we want to count Stuxnet for people to take interest? Or do you think we’ve learned that we’ve matured and people are starting to get ahead of this?

Kelly Jackson Higgins:

I think it’s both things. I’m a firm believer that unfortunately in our industry, it often takes a really bad experience or breach to really make change. I mean, you think about the retail breaches, you think about Stuxnet, you think about Colonial Pipeline, SolarWinds, I mean all of those themes. Then you see real work getting done, things people start getting on track with trying to address it. I think we did have a little bit of a taste of some of that. I was thinking about when you made me think, Brian, when you mentioned the Russian tool, do you remember, was it the riot attacks that went after the, which were the ones that were after the IoT home routers? There was an attack a few years ago where it was a Russian threat actor, reportedly that, because I don’t remember, I wrote, but I can’t remember if it was confirmed, but basically compromised a bunch of home routers and it could have gotten much worse.

It got caught early on, but it was affecting so many of them. The question was why would they be going after consumer routers? What was the point of that, for spying? So those kind of things make you wonder. We’ve had brushes with it, but not a big enough widespread attack that probably people could feel it. One thing I think about too that you touch on this too is now you’ve got a bunch of companies with workers who are at home working from home on home networks that have IoT consumer devices that may not be secure also, and not all organizations are on top of their remote workforce security.

So you have that element of not particular, it wouldn’t be like your stove would cause a DDoS attack on the company, but there are some vulnerable devices on your home network if they’re not on top of that that could bleed into your corporate network if you weren’t on top of that with your strategy of identity, security, zero trust or whatever. But I think both, I think we’ve had some experiences to, we have examples now of what could happen. I think about Triton Two, that was another one that didn’t hit the US, but that was a pretty serious attack that could have been a lot worse. So I think unfortunately, I hope it doesn’t take a big event to make change, but that unfortunately has been a pattern in our industry for a long time, I think for more interest work understanding of what it means.

Brian Contos:

And John, I know you’ve been talking to a lot of healthcare providers lately as well. That seems to be a particular vertical, not even healthcare payers or sciences, so insurance or pharma, but actual hospitals and labs and clinics. This seems to be an awfully big topic for them, isn’t it?

John Vecchi:

It is. And Kelly, you talked a lot about the OT/ICS side and Dale and they asked for it and that whole area, you’ve got these, what I call mission-critical operational technology devices that are running critical infrastructure, utilities, gas, it could be a manufacturer making medicines. So they’re very, very critical devices that no one wants to touch. In many cases they’re very old or they’re very sensitive and you just want, it’s very delicate, it’s very difficult to deal with. Then you look on the healthcare side, and it’s very similar. It just happens to be an infusion pump or a critical, what the healthcare organizations call a life-critical device. This is literally a device that’s by the bedside monitoring medicines or things like this. A very, very critical device. And in some cases, hospitals will even consider a camera that’s watching say, an ICU unit, which will recognize in combination with the badge, the nurses that are able to go into that facility.

So they’ll even consider some devices you might think of as just typical IoT devices as very life-critical devices. And they’re facing the same thing. Don’t touch them, right? My God, they’re life-critical. We can’t see them. We don’t know how to find them. We don’t know what’s wrong with them. We don’t know how to fix them. All we know is they’re being highly targeted. And of course things like infusion pumps and IoMT devices right now, they’re targeted for ransomware a lot of times, but you could do a lot of damage to a person if you wanted to with those. And it’s a really difficult situation for a lot of these organizations, I think.

Kelly Jackson Higgins:

Yeah, safety’s definitely become more a part of the issue just as much as security because I think that’s where it gets real for people thinking about what could have happened or what could happen. So I think that does kind of play in it. Well, interestingly, those industrial environments, and of course the hospital safety is one of their number one things that they do. It’s a priority in the OT space, it’s been traditionally a priority over cybersecurity and safety is always first, physical safety for obvious reasons. So bringing those two things together is not so simple though, as we know.

Brian Contos:

Yeah, I was talking to a CISO for a pretty large regional healthcare provider, and they spelled it out pretty simply. They said every dollar we spend that’s not dedicated to patient care, for example, on security, security teams, assessments, what have you, that’s a dollar that’s not going to a doctor, a nurse, a PA, an MRI machine, something like that to keep patient care up there. Well, while safety and security certainly and privacy as well are certainly big components of that, that’s kind of how it’s looked at. And their margins are pretty thin as well. Probably not quite like retail, but they start at a deficit because they can’t refuse care of course. If somebody comes in off the street, they have to be able to treat them. That’s the right thing to do. So they kind of start from a negative spot and then work their way up. And their measurements are generally based on bed utilization, and I didn’t know this, but a lot of these healthcare providers, how big are you?

It’s based on how many beds. We have a thousand beds. Oh, we have 2000 beds. That’s kind of the number they do. So that’s how they put their calculus together. So it really just becomes a dollar here, isn’t a dollar there. And the result of that is just like in retail, I see a lot of similarities there. They run with razor thin teams. So somebody that might be responsible for enterprise security and identity, and maybe PII is also the person that when they do have a spare minute, Hey, track down all these printers and track down all these insulin pumps and track, they don’t have the cycles for doing this.

So if we look at verticals like healthcare providers, is it similar to retail where they’re just constantly trying to play catch up and hire enough people and get enough resources and get enough budget? Or have we gotten to the point now where we understand that, hey, patient safety and security is just as critical from a cyber side as it is for making sure they’re getting the right treatments and we have to make sure we’re protecting these people from all directions. I’d like to think it’s that way, but I don’t know if that’s really where things are going.

Kelly Jackson Higgins:

Yeah, just from what I’ve seen in our reporting, the larger healthcare organizations are moving in that ideal direction, right, but I think it’s still a struggle for some of the smaller ones. And they had some horrible experiences with ransomware the last few years that shut down ERs, and that’s just not okay. And that did give some visibility to the threat. And sadly, I think that’s probably the one good thing, if there is anything good about ransomware, is it actually is so visible. And so it affects things that you can’t hide anymore. It shuts down an operation. And so I think that probably was a wake-up call, obviously for the healthcare field, but I think there’s still a ways to go. Like you said, you mentioned Brian, there’s a ton of, and John, you were talking about all the different devices out there. I mean every time I go to a hospital visit or a doctor’s visit, I look at all those things and you look at it from the cybersecurity perspective, you’re like, what’s that thing connected to?

Does it have an IP address? Of course it does. And you think about all that and you know that the person working in, a lot of people in there don’t know that, that are working with those systems. And a lot of them come with default connectivity or they’re beaconing out and they don’t know it. And that can be really, I don’t know how you get on top of that if you’re a small or mid-sized healthcare organization. I think I said, I think it’s really the funding point you made, Brian, is really good because I think that’s a lot of it. If there’s money for it, it’s going to happen. I don’t know if it’s a comparison with the retail industry, I can’t really say that, but obviously the financial field has been way ahead of everybody else in this, all the sectors, and they’ve always been ahead of the game in that and cybersecurity. But I’m hopeful that more healthcare organizations can catch up because it is very scary when you think about what could happen.

John Vecchi:

And on the other side of it, Kelly, I know you not only talk to different types of industries and experts, but you also talk to those vendors of course that are bringing technologies into market and God help you because they’re, like you said, thousands and thousands. And if you just even think of the sectors of security that have exploded since you first founded Dark Reading, but when you think in terms of OT, ICS, anything, what we would think of, xIoT, is there anything you’ve seen from a vendor perspective that’s interesting that you see even thinking of S4 and kind of what’s kind of hot, what’s happening. Is there any, is there something significant you’re seeing from a vendor perspective that matters in all the things we’re talking about to help companies, help with this and help secure these things?

Kelly Jackson Higgins:

I think overall, I remember when I first went to S4, they would have a little vendor demo and it was just a handful of vendors. There were just three or four that made factory firewalls very specific. And what I’ve seen over the last few years is how those functionalities have gotten folded into more comprehensive security views on those plant floors. So services based things for example, or platforms that have multiple, kind of like an IT, multiple functionality. I think probably the most important thing, and I think we touched on this earlier in this space, is just being able to see what you have out there and what it’s doing. Is it connected to something that’s not supposed to be connected to? I mean, there are veneers of all these internet, public internet scanning projects have been going on. And unfortunately when there’s one that happens now, we still find factory and industrial systems talking to the public internet that aren’t supposed to be.

So there’s still that problem of locking down those ports, knowing that particular system should not be, have a public internet, public internet connection. So I think the visibility thing is huge. I think the fact that these systems are getting a little more advanced, and of course they’re going into environments where the OT teams are more about the, what’s happening in their production and their manufacturing and their processes, they don’t have time to sit there and figure out zero trust right? So I think this idea of bringing more services based stuff and also stuff that combines with the IT side requirements is important. There’s still I think a bit of a gap sometimes for IT and OT just because they’re different worlds. But I think what I’ve seen is of the ICS spaces, that the OT spaces that the security vendors are moving more towards, giving them the tools they need that they don’t have time to figure out on their own to run those systems or to protect those systems. Excuse me.

Brian Contos:

Yeah, so you were mentioning some of the factory devices. I remember, boy, this might have been about 20 years ago, I was part of a project called Project Logic, which was linking oil and gas. It was a department of defense project and they were talking about ruggedized firewalls. And I had never heard that term before and they were showing them to me, these appliances at the time, essentially it was a regular appliance, like a [inaudible 00:31:03] appliance that they sprayed with something that I’m pretty sure was Line-X, the stuff that you actually spray in the back of a pickup truck. So if you throw rocks and wood back there, it doesn’t scratch it.

And they had these screens everywhere around it. And I was asking the folks there, what’s this screen for? And they said, well that’s so the spiders don’t crawl in and lay eggs. I’m like, so, that shows you some of the things that they have to consider. And they’re like, yeah, this thing is going to be sitting in a shack in the middle of nowhere next to a dam and it protects this one PLC that all it does is something like open dam, close dam. It does two things, probably does more than that, but just for the sake of argument. And that’s all it did. I was like, all right, yeah, it’s black widow proof. That’s awesome.

Kelly Jackson Higgins:

Well, a lot of those plants are not there, people don’t work there. They’re quote unquote unmanned plants where you can’t live there. They’re on some oil rig out in the middle of the ocean. And that’s why these cellular devices that were, they’re routers, if those are compromised, who’s going to be there to notice that or to take care of the system. They thought they were secure and they weren’t. So it’s just interesting.

Brian Contos:

I’m wondering, has Dark Reading covered in the past or are you covering this more frequently? This whole idea about biohacking and we’re seeing a lot of cases where like a heart monitor device or something that somebody might have is connected to Bluetooth to their phone and then can speak out to the doctor and the doctor can track heart rhythms and things like that. But there’s also things that people are just implanting so they can open their doors or start their car and doing all sorts of very interesting things. And I’m just wondering where that’s going to go. You’re not hacking someone’s home, you’re hacking someone. Is that something that’s showing up more and more in Dark Reading?

Kelly Jackson Higgins:

Yeah, we did cover a lot of those early days medical device breaches that were shown at Black Hat and DEFCON. I think DEFCON was always ahead of the game with the biohacking village. I’ve gone to that a few times. Similar, they show, I think that’s, we’ve covered it more from that perspective, not so much on a bigger scale. I’m sure there’ll be more of that there this year at DEFCON too. But I think people are still not as aware. I have a friend who has an implant in his hands. They can open his garage or used to be able to do that. I wouldn’t do it [inaudible 00:33:19] did it. But yeah, that’s another area that’s interesting. I don’t think it’s hugely big on our radar screen right now, but we do cover the quirky stuff like that too when it’s out there.

John Vecchi:

Yeah. One of the things lastly, wondering your thoughts on whether you’re seeing this. One of the things we’re seeing Kelly is just a movement toward actually trying to fix these things. The state of them, as we’ve talked about it here today, they’re a mess. And I always talk about what a mess they are. Credentials are almost all default. If they’ve ever been changed, they were changed weekly when they were provisioned and that’s it. But most default, the firmware’s six, seven, on some of these PLCs, it might be a decade or old, right? Ports and protocols open just wide open. You mentioned that. Just no ability to do anything. And we see yet almost every day we see CISO and more advisors say, here’s another critical CVE on another PLC in one of these devices. And I think what we are seeing, curious if you’re seeing the same thing, is some exhaustion on the side of CISOs that say, I have plenty of technologies that try to tell me how sick these devices are, but I don’t really, I need to actually make them better.

I need to be able to fix them like an IT asset. These are table stakes. Let’s rotate the credentials. Let’s upgrade, let’s patch the firmware. Let’s shut off extraneous insecure ports and protocols. Let’s do some configuration management. Let’s get full visibility. How about maybe actually monitor these things, maintain state on these devices because they drift. Or as you mentioned, some of these things just pop up. I mean, they’re just there. They shouldn’t even be there. And they move and they change. So that’s something we are seeing, do you see that as this emerging kind of desire and anything you’re following there as that evolves these days?

Kelly Jackson Higgins:

Kind of depends on the industry sector. But you did touch on something I think is interesting. The weakness, as you mentioned, those were cited what, 10 years ago in Project Sonar that HD Moore did on his own when he was scanning the internet for stuff. So some of those things have been out there. We’ve seen that for 10 or 15 years. And here we are still talking about them. We still see research, same problems, same insecure by design issues. I feel like it depends on the industry. So for example, and you probably know this John, if you’re talking to folks in the industrial sector, they can’t patch everything. Some things you just can’t patch. I mean, if you have operational requirements that this, your manufacturing process or oil refinery process, whatever, that cannot be stopped for patching or that’s too dangerous to patch it, too risky, they’re not going to patch it.

So sometimes you’re seeing these like, oh, Siemens has a new patch or Schneider, a lot of companies aren’t even going to use it. So I always wonder what happens then? They’re not actually necessarily patching. I can’t remember what the data I saw was and how many of these industrial patches are actually applied. It’s not a high percentage. So, you touched on the other thing that I was thinking about too, and a lot of it is just monitoring these systems, staying, not just doing all the security best practices, hygiene, et cetera, but also just monitoring what’s going on, making sure you have access controls, identity manage security, all those things. Everything you can do to minimize your risk. But they can’t necessarily update some of these products anyway, right? So that’s a, plus they’ll be, some are 20 years old, you can spend so much X dollars on, you’re going to swap that thing out, right?

To me, that’s always the big question. How in the world do we get on top of something like that? I think that’s the million dollar question. I do feel like there is, with the bigger vendors, we are seeing them obviously addressing this step-by-step, right? But then there’s a configuration piece. If you get one of these devices, you don’t configure properly, you’re leaving yourself open. So how do you get on top of that? That’s not always the vendor’s responsibility. I mean, sometimes there’s things come with default settings and maybe that gets ignored or whatever, but that can be devastating. We probably, almost all the cloud misconfiguration stuff we have seen the past couple years has been obvious that people need the configuration’s really important how you configure something. So I don’t really know the answer to that. ’Cause I don’t think there is one answer.

It really depends. I think, like I said, the bigger companies, I think the small consumer IoT companies, I got some new appliances, they have wifi capability, I don’t want it, I can’t shut it off. They’re not connected, but they have, they’re beaconing to my phone. I’m like, stop. I don’t want you. And I did all the things that the vendor told me to shut it down and it’s not doing it. Do I have to go in there and take something out of my stove? I don’t know. You know, I think about a lot of people who don’t know that half their house is wired, is smart, they don’t know. But that’s a consumer issue obviously too. But yeah, I don’t think there’s, I don’t really have an answer for that one. It’s complicated.

John Vecchi:

No, it’s great. I mean, you nailed, I mean, I think you said it very clear, that’s really kind of the state, right? It’s very difficult and in cases when, I think like you said, in cases when you can’t patch it or it’s very difficult to patch or there’s other things to do, as Brian and I say a lot, it doesn’t really, you shouldn’t spend a ton of time worrying that you have six critical CVEs if your credentials are default. And I can look them up on Google and just log right into the device. Probably should focus on maybe that first. So there are some things we can do aside from just focusing on the patching, right, Brian? To kind of…

Brian Contos:

Yeah. John and I have said this before as well. I often think of xIoT security today as IT security was in the late 1990s. Rotate your passwords, patch your devices, shut off stuff you don’t need. Enforce complex credentials, these kind of duh things we think about in IT because they’re easy to automate. Well, they’re not necessarily easy to automate with xIoT. And to your point, Kelly, sometimes you can’t. Sometimes the fix requires a desoldering iron and a wire cutter. So it’s not that simple. But I do think you made an excellent point, which was visibility. A lot of this comes down to simply knowing what you’ve got. We talk about asset intelligence. We often think, well, laptops and applications and users’ identities, cloud, SaaS, things like that. But often what’s overlooked is the xIoT stuff. And like we said before, there could be thousands or tens of thousands of IoT and OT devices in your environment, depending on your business vertical.

And again, they’re all little Linux servers running around probably with default passwords and 50 high level, level 10, 9, 8 CVEs. So I guess with that, as we wrap up, because I think we could probably keep this discussion going on for hours and hours, as you look into your crystal ball and kind of take a look at maybe some of the things Dark Reading will be covering over the coming quarters, you know, you mentioned ransomware before, but are there some other leading things that just seem to be hitting the wire just again and again that are going to be hot and things that maybe some of our listeners should be paying attention to?

Kelly Jackson Higgins:

I think, I mean this is not a surprising theme. We all kind of know this, but what still is kind of interesting to me and just we see it every day is how easy it is now to be a cyber criminal. You literally don’t need to know anything about malware, coding, nothing. You just have to have a foray into the dark web and sign up for a service or buy a credential and you can do something. So the whole ransomware as a service thing is terrifying to me. And just the fact that it’s not, it’s just so simple to go that direction and that just, that’s just mind boggling to me. And that feels like this is just going to keep going on and on and on because they don’t have to spend a lot of money to be a cyber criminal. And you’re not going to make the millions that a big gang would make, but you could actually make money that way.

It’s frightening. And I feel like that’s always going to be something that we’re going to be battling here. And as the technology gets stronger, both in things like 5G and quantum and AI, those are things that are going to make it easier and more painful. So it’s always kind of staying on top of the curve on the security side of things. But what I always think about is we always come back to the same, every time we interview somebody in a security story or talk to someone, it always comes back to, if you do these things, you can mitigate your risk. You know what those are right? We can name them all. We know those simple things you can do, but not everybody’s still doing them. A lot of organizations still aren’t. Or because of what you’re saying, they don’t see those devices are out there, they don’t know those devices are out there.

They can’t do it. I still think visibility is one of the main things that causes all the problems, but also just being, once you had the visibility, really getting solid, strong, whatever, I don’t want to use the word zero trust too much, but that kind of thing. You’ve got the, don’t trust anything, verify everything, approach to something getting on your network and doubling down on multifactor, all those things. Patching yes when you can, but as we know, you can’t always patch. And that’s true. A lot of, even just IT organizations, you can’t just put the patch out that day. You have to test some things. So I feel like it’s just, there’s always going to be more of the same in some ways. But I also think the easier way out is what the cyber criminal is always going to do. So that’s always going to be their, that’s always been their jam right is going for the easy way in.

So that’ll continue to be the case. But I feel like our industry’s gotten more, and even the business world has gotten more educated on cybersecurity. I mean, probably six years ago, if you told somebody what we did for a living, they would be like, what is that exactly? Now you can talk about it like, oh, cyber, somebody knows what it is. So even your family knows what you do now. So I feel like there’s more education, and I guess I always come back to, if I was going to preach I think to the industry, I always say, I think it’s important for users to kind of be part of the equation.

Don’t make them feel like they’re the bad guy or the bad gal or person. They should feel like they have a stake in this too. They’re part of keeping the organization healthy moving forward. Just making, think of it as part of your job is to make sure that you secure all your stuff. I don’t know how you embed that in a culture, but I think that’s really important. There’s a lot of approaches to that out there I know in the industry, but I still feel like if people really understand that as a user, then they’ll be on board to kind of be vigilant and do the right thing.

John Vecchi:

Yeah, and that’s a great summary, and you think all of the things you just said are hard enough on kind of traditional IT, and you think, what about doing all of that on xIoT? It’s even harder. That’s a wonderful way to kind of summarize it and wow. Well, it was just a fantastic discussion, Kelly. It’s wonderful having you on. And thank you again so much for joining us today. And again, Kelly, can our listeners find you somewhere on social or anywhere that you want to tell them they can find you in case they want to go?

Kelly Jackson Higgins:

Yeah, I’ve not been kicked off Twitter yet, so I’m still, I haven’t said anything to kick me off. I’m @KJHiggins, also on LinkedIn under Kelly Jackson Higgins, and yeah, I’m pretty active on both those social platforms, so you can find me there. And also darkreading.com. I don’t get to write as much, but I live in that site.

John Vecchi:

Awesome. Well, it’s wonderful having you, and thank you so much again for joining us, Kelly.

Kelly Jackson Higgins:

Thank you so much for having me. It was a lot of fun. I enjoyed talking to both of you.

John Vecchi:

Awesome. And remember, everybody, the IoT Security Podcast is brought to you by Phosphorous, the leading provider of proactive, full scope security for the extended internet of things. And until we meet again, I’m John Vecchi.

Brian Contos:

And I’m Brian Contos.

John Vecchi:

And we’ll see you next time on Phosphorous Radio.

Author

Phosphorus Cybersecurity

Phosphorus Cybersecurity® is the leading xTended Security of Things™ platform designed to find, fix, and monitor the rapidly growing and often unmonitored Things of the enterprise xIoT landscape.