Podcast

The Next Wave: AI, Infrastructure, and IoT with Mark Weatherford

In this episode, John and Brian talk with Mark Weatherford, a skilled cybersecurity veteran with a diverse background in both government and private sectors. Having held positions such as CISO for California and Colorado and serving in the Obama administration as the Deputy Under Secretary for Cybersecurity, Mark has a unique perspective on IoT security and critical infrastructure protection challenges. In addition to his government roles, Mark has ventured into the private sector, working with startups and as the Chief Security Officer at NERC. His expertise in IoT security is incredibly valuable for cybersecurity professionals looking to stay informed in this rapidly evolving field.

Listen in for a conversation on:
  • Navigating the complicated obstacles involved in securing IoT devices and defending crucial infrastructure
  • Identifying the underestimated hazards linked to the perception that air-gapped networks are entirely protected from breaches
  • Acknowledging the powerful impact of education and awareness in tackling IoT security challenges
  • Recognizing the importance of implementing more regulatory measures and policies for bolstering IoT device security
  • Investigating the escalating threats of IoT attacks and the need for integrating security solutions within IoT devices
As a cybersecurity professional, staying up-to-date on IoT security challenges is crucial to protecting critical infrastructure. Don’t fall for the common misconceptions – Mark Weatherford will share the truth with John and Brian about the complex challenges of securing IoT devices and infrastructure. Stay informed and stay protected.

John Vecchi:

Well, hello everybody. You’re listening to the IoT Security Podcast live on Phosphorus Radio. I’m John Vecchi.

Brian Contos:

And I’m Brian Contos. And we’ve got a really special guest today joining us. Welcome to the show, Mark Weatherford.

Mark Weatherford:

Hello Brian and John, I am happy to be here with you guys today.

Brian Contos:

Welcome. We’re thrilled to have you. I’ve been looking forward to this interview for a while because you’ve got one of the greatest backgrounds, I think in cyber. We were talking before the show how somehow you’ve crammed like three or four careers into one, but you’ve done so much. Maybe you could share with our audience members your journey and what you’ve done and how you’ve gotten into cyber and all that good stuff.

Mark Weatherford:

Oh my gosh, you give me the opportunity to go over my resume here. Well, I’ve told this story a lot of times. I joined the Navy and I thought I was going to be a Seabee and drive tractors, and the Navy had different ideas for me, and they sent me through this program, electronics and computers, and set the course of my career. And then I actually went to grad school in the early 90s, and when it came time to write my thesis, literally somebody said, “Hey, what about this information assurance, information security stuff?”

So I wrote my thesis in the early 90s on information security, and as you might imagine, there weren’t too many people talking about information security back in the 90s. So that set my career. And I got out of the Navy, and I’ve been in and out of the public sector and the private sector a couple of times. I worked in state government. I was the CISO for the state of Colorado, and in the Schwarzenegger administration in California. I worked in the Obama administration as the deputy under secretary for cybersecurity. I was the chief security officer at the North American Electric Reliability Corporation where we worked with all electric utilities in North America. And then I’ve done a few startups and yeah. So I’ve been in this business for like… I don’t know, it’s like my whole life.

Brian Contos:

Yeah. Well, I always wondered, Mark, because not very many people have done state and federal like you have. Did you notice a big difference, I guess, California, obviously the biggest state, but working as the CISO for California juxtaposed to working for the federal government, were there big differences in process and policy or approach, or was it pretty much the same, but just at a different scale?

Mark Weatherford:

Yeah, I think… Good question. It really is just a scaling issue. So first off, like Colorado, we had 24 state agencies. California, we had over 160 different agencies, boards, councils, commissions, departments. And then I get to DHS and all of a sudden I have… The scope was unbelievable. I had two jobs. One of them was working with all of the civilian federal agencies. That basically means everybody outside of DOD in the intelligence community. But probably the bigger and more important in my mind job was working with all of the critical infrastructures in the nation. And it was an interesting time to be doing that in the 2011, 12, 13 timeframe.

John Vecchi:

Wow. And what’s interesting, Mark, is you’ve got both sides, right? You’ve spent a lot of time on the state, federal government side, but you’ve also been in the industry side. Tell us a little bit about the difference between those two. I mean, did one help with the other? Were they complementary in many ways? And in what ways were they really, really different?

Mark Weatherford:

It’s funny, and I haven’t ever thought of this. The thought just now occurred to me, John, but I said… I think the one thing going back into private sector after being… And working with the White House and at the top levels of… I don’t get intimidated by CEOs anymore. I mean, when you’re sitting in a room with the president and the cabinet having a meeting, that’s pretty damn intimidating. But going back and sitting with a board and a CEO, eh, it’s not so intimidating anymore.

Brian Contos:

Well, plus you got to sit in the office with Arnold Schwarzenegger. Did you not?

John Vecchi:

Yeah, really.

Brian Contos:

They’re in that timeframe.

Mark Weatherford:

Well, so while I worked for Schwarzenegger, several levels down, I probably saw him maybe a half dozen times in the two years. He was still a celebrity governor. And I mean, I loved the guy. I think the world of him. I think he’s an amazing person and an amazing life story. But yeah, I didn’t get to spend as much time with him. I mean, the one thing I wanted to do, he had in the interior of the capitol in Sacramento, it’s just a big, like, garden area, and he had a tent set up out there so he could go out and smoke cigars. And my one life goal was to smoke a cigar with Schwarzenegger, but it never happened.

Brian Contos:

That would’ve been the best. Well, Mark, one of the things that I think is really interesting about your background as well is the time you spent with NERC, and of course working on that side of critical infrastructure obviously gave you perspectives into things that not all of us are aware of. But how have you seen the cybersecurity landscape change specifically as it’s related to that OT SCADA Critical Infrastructure side of the house? You’ve been exposed to this now for decades. Is it getting better? Is it getting worse? Are we actually making improvements? What’s the state of the state there?

Mark Weatherford:

Great, great question. So just for perspective, I was in my job for seven days at NERC when Stuxnet happened.

Brian Contos:

Oh, geez. I didn’t even know that.

John Vecchi:

Wow.

Mark Weatherford:

Stuxnet consumed my life for the next year. But I think, from an “is it getting better or is it getting worse” perspective, I think some things are getting better. There’s certainly more awareness now of it. And one of the biggest challenges that I had when I was there, I mean, I would go to some of these big OT vendors and I’d say, “Hey, you guys, you’ve got to up your game. You’ve got to be building more security into your technologies.” And almost a hundred percent of the time they would say, “Hey, customers aren’t willing to pay for it, so we’re not going to do it.” So I think that has changed. Now customers are beginning to get more demanding about it, about wanting to know and making sure that the vendors have actually considered security, that they have actually built certain controls into their security. I think that the whole SBOM initiative is really having a huge impact on the industrial control sector of vendors because now vendors want to know where did this… Who wrote this code and where did it come from?

So we’re getting a… There’s a lot more activity, a lot more involvement there than we’ve ever seen before. But I think from a trend perspective, and I don’t know if you’re familiar with it, but Momentum Cyber is a venture, a VC firm in the Bay Area, and they put out this, they call it their momentum cyber graphic, I think every quarter or so. And this graphic, it started out five years ago, it was, I don’t know, probably 10 different categories of security products and tools.

And today there’s probably 20 or 30 different categories, and in each one of these categories there’s dozens and dozens of different tools, and it’s so complicated. So the aggregation of all these technologies, it makes it difficult for a CISO or anybody, any security professional today, to actually be able to evaluate all the potential technologies that are out there. And I don’t think that’s a good thing, by the way. I mean, I’m all for diversity of security and diversity of security tools, but there’s just so much out there that it’s impossible to… I say it today, 20 years ago, I think I could reasonably call myself a cybersecurity expert. Today I don’t even go down that road because it’s just there’s so… I don’t even know all the technologies that are out there today.

John Vecchi:

Yeah, wow. And Mark, we talk about these kind of connected devices, these smart devices, we refer to them as xIoT, simply because there are so many and they’re very diverse. And when we talk about xIoT, it’s all the enterprise IoT. It’s all the network devices that people forget about: switches and load balancers and wireless routers and all that. And of course, it’s all the OT ICS, PLC, SCADA stuff. But specifically as you talked about the OT side, the utilities, the critical infrastructure, right? Let’s talk a little bit about the difficulty of that because they’re in the OT bucket and in many cases it means they haven’t historically been in the IT bucket, right?

What we’ve seen is they’ve somehow avoided the typical scrutiny of cybersecurity, but like a PLC is an ICS, is an OT, it’s an xIoT and, you know, you mentioned Stuxnet. I mean, oftentimes we bury our heads in the sand and say, “Oh, well just put them on an isolated network and we’re good.” Well, Stuxnet was on an isolated network. Can you talk a little bit about the challenges with the OT side and even maybe a little bit about why did you spend so much time on Stuxnet? Was it the fact that that did get attacked and we thought that’s not going to get attacked? I mean, can you talk a little bit about that and some of the challenges there?

Mark Weatherford:

Yeah, I mean if you think about Stuxnet, oh, certainly it was a very complex attack. I mean, for sure the most complex of all. But if you think about how they actually did it, they were on an air-gapped network. They compromised a person to get the malware installed in there. And I think we have… This is again, this is one of the core tenets of security that we’ve been, we’ve talked about and worried about for years is the insider threat. And it doesn’t have to be malicious. And that’s what I always tell people. It’s like, don’t think you’re going to see a guy wearing a black hat walking down the halls. Oftentimes it’s a naive person or someone who isn’t paying attention and they’re the ones, they’re the vector into your organization. And I think going back to this xIoT, we’re really bad about creating terms in the security community.

We created IoT, and I can remember giving talks 10 years ago saying, “Hey, we have an opportunity here to actually get it right. Let’s start working on embedding security technologies into IoT, into the frameworks of IoT that are coming out.” Of course, we didn’t do that, but xIoT, it’s difficult because it’s a term that includes, as you said, IT, OT, and even physical devices connected to the internet. So Wendy Nather, she’s at Cisco now, she was at Duo, with Duo when they acquired her, but Wendy said a couple of years ago, the greatest quote I’ve ever heard, and I use it all the time, it’s like she said that the perimeter is anywhere you make an access control decision. I mean, oh my gosh, we talk about the perimeter going away, and it’s exactly for that reason. Anywhere you make an access control decision today, that is your perimeter.

So this digital transformation that’s occurring across the globe, and in every company, has made these network boundaries almost impossible to define. And when we think about COVID, what has COVID done to us? I mean, we went from organizations including the government by the way, and including some very sensitive places in the government. We went from working in an office one day to working from home the next day. So we created this environment where people are accessing data and systems from places we never even dreamed of three years ago. So it’s a complicated issue, and I think we’re getting better at it. And some of those technologies that I talk about that are exploding are helping us to understand how to get better at some of these things.

John Vecchi:

Mm-hmm.

Brian Contos:

Yeah, I think you hit the nail on the head in terms of we had the opportunity to really do this right, based on lessons learned from IT security. Hard lesson learned. And we missed the pow and John and I are always talking about some of the stats around this, there’s about 50 billion, depending on whose stats you look at, plus or minus. There’s a lot of xIoT devices, far more than there are servers in the cloud, far more than there are traditional endpoints, which are decreasing every quarter actually now. Traditional laptops and workstations, things with keyboards. So we know the attack surface is massive and growing, touches every vertical throughout the enterprise or personal use or home or healthcare, whatever, it’s everywhere. But when you start looking into the security of it, half the time, 50% of the time, the passwords on these devices are just default passwords that you can do a quick Google query or it’s hard coded and they’re so easy to find.

And when you tell somebody, “Hey, you probably have about three to five devices per employee in your company.” So if I’ve got 10,000 people, I’ve got 50,000 devices, 25,000 of those devices have some hard coded or default password. Most of them are just Linux servers. It’s not some obscure system. On the OT side it’s real-time operating systems like VxWorks; on the network side, it’s like BSD, but it’s usually a Linux derivative. It’s Ubuntu or it’s BusyBox or something like that. They’re loaded with vulnerabilities. And the reason they’re loaded with vulnerabilities is two reasons. One, they never upgrade the firmware. A lot of the firmware is end of life or it’s just old. And then the other side of it, there’s a lot of shared libraries and white labeling that’s done. So the vulnerability on a voice-over-IP phone exists on a printer, exists on audio video equipment, exists on a security camera.

It’s just all over the place. So we know this and we know the bad guys know this, nation state actors, cyber criminals. Looking into your crystal ball, and I know cybersecurity predictions are worth what you’re paying for, but looking into your crystal ball, do you think this is going to be the new new, as it relates to either monetized attacks by cyber criminals or truly destructive attacks or attacks focused on spying and things like that from nation states? Is xIoT the new new in terms of how they’re getting in juxtaposed to banging their head against all the IT security controls that are already out there?

Mark Weatherford:

Yeah, I do. Unfortunately, I always mock people who make predictions because in this business I can say, “Hey, attacks are going to go up next year,” and guess what, I’m going to be a hundred percent right.

Brian Contos:

Yeah.

Mark Weatherford:

But yeah, I agree. I do think… Again, I’m going to go back to this technology complexity. Our environments are getting more complex. We’re adding, and I can remember two or three years ago we talked about artificial intelligence was the next wave. And I actually think artificial intelligence is the next wave. I think AI is going to create both value and challenges for us. I do think in the short term, I think that it’s going to get worse. And the longer term, I think it’s going to get better. And in the longer term, I have a vision where my job goes away. You don’t need a CISO anymore because our technology’s going to be self-healing, it’s going to be self detecting, self monitoring. And I don’t know, maybe not, but I think that it is going to get worse before it gets better. There’s some amazing technologies out there right now, they’re just mind-blowing. They’re so good. But weeding through the wheat from the chaff to find the good stuff can be pretty damn hard.

John Vecchi:

Yeah, and only because we can’t resist. We often talk, Mark, about the fact that looking at xIoT security is going back to the 90s in IT security. You wrote your thesis on that. So do you see the parallels with… You think about in the 90s when we were trying to deal with even endpoint security, we were trying to figure out who the heck is using a password and how to rotate those and get anything intelligent in there. We were trying to figure out where they are and what they were and what firmware version they’re on and all these things. And you think back to… You look at where we are with xIoT and it seems, wow, we’ve just been transported back to the 90s. Do you see that similarity when you think about it?

Mark Weatherford:

It really is. I mean, you hit it on the head. But I’ll tell you, when I first got in this business, my biggest… You’re going to laugh at this. My biggest concern was website defacements. That was the daily thing. I’m like, whose website got defaced today? But yeah, no. You’re absolutely right. And again, I add in the physical security piece of this, when you think of gates, guards, and guns, that piece, I mean, it’s still there. It’s back to the future. We’ve just automated it and we’ve digitized it and we’ve added layers of technology on top of old technology, which is by the way, what we’ve done with OT in many cases too. So yeah, it is. And somebody wrote a paper, I think it was Andy Bochman wrote a paper a couple of years ago. Andy Bochman and Tim Roxey I think wrote a paper, they’re both power guys, electrical guys.

And they wrote a paper and said, “Hey, we need to have backup capabilities that we can go to manual operations so that we can manually pull switches, that we can manually do things that we have automated just to keep the grid alive in the case of an emergency.” And believe it or not, a lot of companies have actually… I mean, I wouldn’t say they’re investing a lot of money on doing that, but they’re making investments that allow them to retain some of that old functionality while they’re layering this new technology in. I mean, you think about it, a relay at a substation, somebody can trip that remotely. Wouldn’t you like to be able to go in there and grab a lever and go [inaudible 00:20:09], and go, “Okay, this relay is back on live now.” So it’s back to the future for sure.

Brian Contos:

Yeah. I’m wondering, and again, pulling maybe from your exposure in the federal government, I mean this security has always moved fast and it’s always… Or generally moved faster than most policies and policy makers can keep up with. xIoT is that on steroids. It’s just a completely amplified version of what we’ve already seen. And we go into some organizations and we ask them, what are you doing for xIoT security? A lot of them are in the very early stages. Again, like you and John said, back to the early 90s where I’m just trying to discover what I got. I don’t even know what I have on my network. And I’m always like, “Yeah, discovery is really important,” but discovery is not the thing. Discovery is the thing that gets you to the thing. And that’s preventative controls and do I have good credentials?

Do I have updated firmware, my start strong? Are my devices hardened in all these other steps that we take? But given that, the industry, and I’ve… With Phosphorus, I’ve been all over the world, I’ve been meeting with different organizations in different verticals. So this isn’t specific to any vertical or any geography. A lot of folks are still in that very, very early, well, I’m just trying to find out what I’ve got stage. If they’re there, what hope do we have for the policy makers to help the… Make sure that these vendors that are building these xIoT devices are embedding security, are making sure that they’re more secure in terms of following best practices and things of this nature, don’t have these default embedded passwords worked into the code. Is the federal government going to be able to keep up with this in any way, shape, or form, or are we doing better than we used to? Or maybe I’m just being too cynical thinking that their ability to keep up with the rate of this space is just not going to happen?

Mark Weatherford:

Well, I can’t even believe I’m going to say this, but I can remember laughing at the policy people thinking they don’t really understand security. I’m down here skimming my knuckles, I’m in the trenches every day doing security stuff. But I almost think that I’ve changed, and when I was at DHS, it’s actually this metamorphosis of my brain began because I started seeing actually policy can drive technology. Now, I am not a huge fan of regulation, but I think we’re at a point in our society now where technology can actually impact the safety and security of citizens, can impact our economic stature in the world. So I think there’s a place now, and it’s been proven over and over again that security companies are not going to invest money just because it’s the right thing to do. There has to be some enforcing factor, some incentive to get them to do it.

So I think that policy is… Policy almost needs to lead technology. Now that can’t happen because you have to have the technology that says, “Oh wait, we need policy to drive this.” But I think we’re going to get… I don’t know if you’ve seen it, but the National Cybersecurity Director, the office of the National Cybersecurity Director has been working on this new national cybersecurity policy. It hasn’t been released yet, but there’s been some leaks of it that have been out. And what I’ve seen is there’s a huge focus on more regulation for critical infrastructures. Now, five years ago I would’ve said that’s overreach by the government, but today we cannot ignore that. We need, instead of this, I call it the whack-a-mole, the legislative whack-a-mole. You have a Colonial Pipeline event and some legislator says, “We need to regulate the pipelines.” And then you have an FAA event like last week, and then a legislator says, “We need to regulate the FBI or the FAA.”

And this is the entirely wrong way of doing this because you’re going out and you’re cherry-picking different slices of critical… I’m sorry. Not even the, NOTAM is just one little itty bitty piece of the aviation community, but now we have a legislator who wants to regulate this. My position today is that we need to take more of a holistic approach to critical infrastructure. We’ve said for a long time, Brian, you know this and the NERC Critical Infrastructure Protection, CIP standards, the electricity industry, even today is the only critical infrastructure sector in the nation that has mandatory and enforceable standards for cybersecurity. Well, the nuclear power industry also. But why don’t we have this for some of the other critical infrastructure sectors that our society depends on? So I think we need, and that’s where this, at least the leaked versions of what I’m seeing of the National Cybersecurity Strategy is going to call for more of that holistic regulation instead of the whack-a-mole approach to regulation.

John Vecchi:

Yeah, I was going to say, Mark, it’s interesting, and I wonder, you almost think recently the FCC actually banned. They moved from just a requirement that a lot of this equipment not be deployed on, say, government networks, but they recently leveraged the Secure Equipment Act and actually banned devices made by certain Chinese manufacturers because they pose a threat to national security and to the persons of the United States, which was a pretty big step from an FCC perspective. I almost wonder, based on what you said, which is very interesting that you see them leveraging that even up to a level of the FCC, even something that touches the public.

And one of the things we actually did from a Phosphorus perspective is to be able to identify these devices for organizations. Specifically after that ban, a lot of organizations said, “Geez, I mean, I don’t even know how many of these things I have,” and they wanted to actually find them and do a soft brick to put them out of commission. But back to the point, do you see that move from an FCC almost really validating the point you made from a critical infrastructure perspective, actually moving to things like cameras, which you wouldn’t think is a cyber physical system, but kind of is in some ways, right?

Mark Weatherford:

Well, absolutely. We’re going to see more of this, I think. And cameras are one of those things that Brian was talking about a minute ago. Half of them have default passwords embedded in them, half of them have, or the other half of them have hard coded passwords in them. I mean who would’ve ever… And by the way, some of these IoT devices are things that they never… There’s no life cycle on them. There’s no end of life for them. You put a camera on the wall outside of a building and you expect it to be there for 20 years. So not only is security not embedded in them, but whatever vulnerabilities exist with them are going to be there forever. Yeah, we’re going to see. I mean, it’s going to be called a lot of things. It’s going to be called government overreach, it’s going to be called Big Brother. It’s going to be called a lot of things.

But you know what, I think again, we’re at a point in our nation’s history… And no, in the global history where when a guy with a laptop in Moldova can take down a network and turn off the lights for a city, we need more regulation. We need more oversight to say, “No, we know that you haven’t done this on your own because it was the right thing to do. So now we’re going to provide some incentives for you to do that.” And by the way, there’s a lot of ways you can incentivize good behavior. It doesn’t always have to be the stick. There are some carrots that can incentivize good behavior as well.

Brian Contos:

Yeah, that’s a great point. The camera is… What’s really interesting about cameras, and we’ll just keep on double clicking on this for a bit, is we’ve yet to go into an organization that has hundreds of cameras. Every organization that we go into has thousands, if not tens of thousands, if not more.

Mark Weatherford:

Yes.

Brian Contos:

And they’re installed by some engineer that shows up in a van with a box and a drill. He or she’s not thinking about security development lifecycle. They’re thinking about bolting into the wall and connecting the cable and getting out of there. And John mentioned some of these that are… Yeah-

Mark Weatherford:

Brian, just a funny diversion. So I told you I just moved into my new house. I had the alarm guys come in, and so I am grilling these guys like, “Where did that come from? What kind of certifications do you have?” They’re looking at me like, “Hey, we do this a thousand times a day.” I’m like, “Not in my house you don’t.”

John Vecchi:

Yeah.

Brian Contos:

Well, yeah. And now you take that and you multiply it by a hundred thousand in a business. We’ve been in organizations where, for the life of me, I think they have some cameras that just watch other cameras. And like John said, some of these now, they’re illegal to import, right? They’re illegal to sell. A couple years ago it was just said, “Hey, don’t use these in government organizations. Don’t use these with any government contractors. We know they’re bad. We know if you say stop recording, they turn the green light to red but they still record audio, they still record video, and they still stream it to some foreign location.” And they’re saying, “Okay, now we’re going to step up.”

So in November of 2022, they actually pulled the trigger. I’m actually proud. And they said, “Look, we’re going to stop the importation or sale, period.” Well, that’s great. That’s in the United States. I was at a conference in Dubai where one of these cameras in particular was the primary sponsor of this conference that had 150,000 people on with a big booth. And so it’s not like they’re done, it’s not like they’re over, it’s just that they’re not used on US soil. But it was really nice, I think, to see that. I thought that the government stepped up in a pretty quick way to say, “That’s it. We know this poses a significant threat,” and stops it.

Mark Weatherford:

I agree, though, but that’s cameras. Okay. What about medical devices? I mean, you look in some of these other sectors and we’ve got a lot of devices that are made… Who knows where they’re made? Or even if the devices are put together here in the US, where was the code developed? And we still don’t have a good grasp of that, I don’t think. I agree. Again, I can’t even believe I’m saying this, but I think we need to have more oversight right now. I won’t call it regulation, but we need to have more guidance right now.

Brian Contos:

Yeah. Yep. No, no, that makes perfect sense. Like what you just said there about the medical devices and things like that. If we think about one of the first well known attacks on xIoT, it was the Mirai botnet, right? It was an opportunistic attack. Basically some people went out on Shodan, show me where all the cameras are that are also running Telnet, port 23. I can access it from the internet and it’s got a default password or one of about a dozen passwords. Based on that they amassed a very large botnet. However, what they found out was, there’s a lot of other devices that are also running Telnet with the same default password. There were printers, there were voice-over-IP phones, there were UPS systems. And the reason was they were all using the same shared libraries and they had white labeling with the same code, so the same vulnerability on that camera was on that printer, was on that other device.

So now, instead of just a botnet of a whole bunch of cameras, they had a botnet of a whole bunch of other xIoT devices. The sad part of that story is we go into organizations today, and not only do we still find devices that are vulnerable to Mirai. Again, this came out, this was back in 2016, because no one’s ever upgraded their firmware, but there’s devices that are actually running Mirai, it still has the malware on those devices because as long as the printer’s still printing, or the camera’s still filming, or the TV’s still working, no one’s paying attention to anything else that’s happening around it.

So yeah, there definitely is a little bit of education and awareness that’s happening in xIoT. It did, I think, focus on the SCADA, OT world over the last decade or so. It’s picking up at a pretty increased rate though, because now people can’t ignore it because the bad guys aren’t ignoring it and they’re using this as a stepping stone. So to your point, I think regulatory mandates and policy and vendors, and like you said about the OT stuff earlier, the vendors aren’t going to make stuff more secure unless people are going to pay to have more secure devices. And if people aren’t asking for it, they’re not going to build it. So it’s almost the tail wagging the dog, right? And maybe that’s happening now.

Mark Weatherford:

It is. It has become… And again, we've been saying this for several years now, but it's become a board-level issue now. Boards are saying, "Wait a minute, you told me this; now I want to validate this. Show me some evidence of what you just said." I mean, you mentioned Shodan, and Shodan is one of those technologies I wish didn't exist, because it can be used for good and evil. You may have heard me tell this story before, Brian. I think I was at NERC, so this was 12 years ago. I was giving a talk and I had taken a screenshot and put it on my slide.

It was a screenshot of a company; I had just looked at Cisco routers, I think it was, and it showed this company had all these. The CISO for the company was in the audience, and he was so pissed at me. He came up afterwards shaking his finger, really mad at me. But Shodan is one of those tools, like you said, where I can just pick any device or any company and I can go look, and then I say, "Oh, wait a minute, this device has open passwords," or "I know what vulnerabilities exist with this device." So I mean, it is a roadmap to being evil.

Brian Contos:

Yeah, it’s ChatGPT before ChatGPT.

Mark Weatherford:

Yeah. Oh my gosh. Wait till D4 comes out. Oh my goodness.

Brian Contos:

Oh boy. Well, Mark, we could talk about this for hours. Your insights are always so amazing and we love hearing from you. As we wrap up here, any closing thoughts, words of wisdom for any of our listeners out there that are… They're fighting the good fight every day out there in cyber and dealing with IT and xIoT issues?

Mark Weatherford:

Yeah, I collect great quotes from people, and Dan Geer, Dan is a luminary. Dan said a few years ago that joining the security community is not a career, it's a crusade. And I couldn't agree more. Again, we talk about how technology changes so fast that we need to recognize, I think, when we get in this business, that what we worried about 12 months ago is probably not what we're worried about today. The technology that we were experts on 12 months ago is probably obsolete today, or on its way to being obsolete. And I think words of wisdom: pay attention to the regulatory environment, because we're going to see a change today, and not just in the critical of critical infrastructures, not just in telecom and manufacturing and oil and gas and electricity, but everything, every critical infrastructure. And xIoT is right at the center of that, because there's just so much of it out there that we don't really know about and that we have embedded in our companies and our organizations. Yeah, we're going to see a lot more regulation, and I don't think it's a bad thing.

John Vecchi:

Yeah. Well, fantastic advice and predictions and fantastic discussion from a real crusader. So thanks so much, Mark, for joining us today.

Mark Weatherford:

Thanks, John. Thanks, Brian.

Brian Contos:

Absolutely. Thanks Mark. Thanks for coming on.

John Vecchi:

Yeah, thanks so much. And thanks to my co-host Brian and our very special guest today, Mark Weatherford. Thanks so much for joining, and remember everybody, the IoT Security Podcast is brought to you by Phosphorus, the leading provider of proactive full-scope security for the extended Internet of Things. And until we meet again, I'm John Vecchi.

Brian Contos:

And I’m Brian Contos.

John Vecchi:

We’ll see you all next time on Phosphorus Radio.

Author

Phosphorus Cybersecurity

Phosphorus Cybersecurity® is the leading xTended Security of Things™ platform designed to find, fix, and monitor the rapidly growing and often unmonitored Things of the enterprise xIoT landscape.