
September 28, 2024 • 20 mins

A chemical manufacturing company grinds to a halt when a cyberattack locks up their entire assembly line. Kurtis Minder, a renowned ransomware negotiator, answers their call for help and explains why manufacturing companies are uniquely vulnerable to these kinds of disruptive attacks. Then David Adrian from Chrome chats with Kate about how a web-focused strategy can help manufacturers transform what are commonly thought of as massive vulnerabilities into secured points of access and visibility.

This episode is sponsored by Chrome Enterprise.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.

Speaker 1 (00:02):
The bad guys like to attack over holidays, so it's
really not fun for me.

Speaker 2 (00:06):
That's Kurtis Minder, a renowned ransomware negotiator, telling me about
a time when he picked up an emergency call on
a major holiday.

Speaker 1 (00:13):
The initial call is always very emotional, as you can imagine,
even in the large companies, you know, you may have
a boardroom of people, and it's very emotional.

Speaker 2 (00:22):
On the other end of the call was a chemical
manufacturing company who'd been locked out of their own assembly line.

Speaker 1 (00:29):
They had a complete operational interruption, so they couldn't manufacture
their product.

Speaker 2 (00:33):
Costs can add up quickly when a cyber attack delays
a game studio's next release or leads to a data
breach at a bank. But when attackers shut down a
manufacturing line that's part of a global supply chain, you
can almost see the money circling the drain.

Speaker 1 (00:46):
They were losing millions of dollars a day in revenue.

Speaker 2 (00:49):
And for this chemical manufacturer, like with any business shut
down by ransomware, the losses went way beyond a few
days of missing shipments.

Speaker 1 (00:56):
I call it the ransomware blast radius. It's like we
know the base impact. It's operational interruption, But what about
these other things? And so that's cost of goods going bad,
supplier confidence, that's hey, wait, you didn't make payroll for
two weeks, the attrition that just occurred, wouldn't that cost you?

Speaker 3 (01:11):
Those are all part.

Speaker 1 (01:12):
Of the fairly complex equation on total cost of impact.
That formula, if you will, kind of helps us decide
on whether to pay a bad guy or not, or
to engage a bad guy or not.

Speaker 2 (01:24):
In this case, after finishing this exhausting analysis with Kurtis,
the company decided to pay the ransom.

Speaker 1 (01:30):
And my job as a negotiator is to make sure we
don't pay the price on the window.

Speaker 3 (01:35):
On the sticker.

Speaker 2 (01:37):
Before long, the systems were back online, products were going
out the door again, and Kurtis was helping the company recover.
But when he sat down with the company's CISO,
he heard something that changed how he thought about the industry.

Speaker 1 (01:49):
He said, Kurtis, here's my biggest concern. We have been
the manufacturer of this particular product for almost one hundred years,
and the way that we manufacture this product and the
materials we use to manufacture this product are our trade secret.
I am concerned that that information has left the building,
and I won't know about that risk for some time

(02:10):
until a competitor of mine makes the exact same product
in five years from now and puts me out of business.

Speaker 2 (02:20):
From Bloomberg Media Studios and Chrome Enterprise, this is Security Bookmarked.
I'm your host, Kate Fazzini. I've been a cybersecurity professional
and journalist for over twenty years, and on this podcast,
I'm talking with leaders in gaming, finance, and manufacturing about
what security looks like in a workplace that's moved to

(02:41):
the cloud. In twenty twenty three, ransomware attacks against manufacturers
and other industrial companies increased by fifty percent, and since
twenty nineteen, cybersecurity incidents targeting operational technology have risen exponentially.
So today I'm speaking with Kurtis about why manufacturers are
facing more ransomware attacks than ever and how AI is

(03:04):
amplifying threats and offering new defenses for cybersecurity leaders.

Speaker 1 (03:08):
I'm the founder of Group Sense, which is a digital
risk protection company. I'm also the lead ransomware negotiator at
Group Sense, and I have about thirty years in what's
now just called cyber.

Speaker 2 (03:18):
Then I'll chat with David Adrian, security product manager for
Chrome about how a web focused strategy can help manufacturers
secure the connection between their IT and their OT. The
job title of ransomware negotiator is still fairly new, but
Kurtis has been dealing with cyber attackers since the early

(03:40):
nineties when he worked on systems for an Internet service provider.
He's seen pretty much every kind of ransomware scenario you
could imagine.

Speaker 1 (03:47):
Incidents where the victim has started the negotiation before we
showed up and has made some very very novice mistakes.

Speaker 3 (03:56):
We've also had incidents.

Speaker 1 (03:57):
Where we're in the middle of the negotiation and the
threat actors get back in and do more damage, where
there's some confidence from the victim that hey, we've got
the doors locked, they can't get back in, and they
were wrong about that, and that causes issues.

Speaker 2 (04:12):
Going back to his ransomware story, Kurtis couldn't reveal exactly
how the attacker got in, but he told me they
didn't have to be very creative.

Speaker 1 (04:19):
One of the things that is frustrating for us is
that at the end of this we're taking stock on
how the threat actors gained access, and it can be
distilled down into like seven to eight sort of preventable things.

Speaker 2 (04:33):
Strong passwords, multi factor authentication, staying on top of your
updates and patches, securing remote access. These are just a
few of the things Kurtis considers low hanging fruit for
any company.

Speaker 1 (04:45):
They're trying to gain access to your systems as cheaply
and as efficiently as possible, and so they're not buying
zero days on the dark web to break into your
network because they don't have to.
They can use some very simple mistakes in cyber
hygiene or processes to gain access, and often that is
the case. It is something fairly simple to gain the

(05:05):
initial access, and then once they're in, they're very good
at expanding their access and pivoting.

Speaker 2 (05:11):
Later in the episode, I'll chat with David Adrian at
Chrome about how a web focused strategy can secure that
point of access.

Speaker 3 (05:17):
But first I'll hear.

Speaker 2 (05:18):
More from Kurtis about his experiences helping manufacturers recover from
ransomware attacks and what he sees in the near future
for enterprise cybersecurity.

Speaker 1 (05:29):
You know, when you talk about partners or constituents who
lose confidence in the manufacturing and supply chain space, a
lot of these companies have a fairly robust supply chain
resiliency strategy, right, and if one of your manufacturers in
your supply chain stops producing, you've got a backup or

(05:50):
two or three, and you might never ever go
back to that manufacturer. When I'm talking to companies about
how to prepare and respond to this in advance of
an attack, I tell them that when the dust settles
on an attack, you're going to need a tremendous amount
of goodwill from your community, and the quickest way to

(06:11):
make that go away is to lie to them or
make them think you're lying to them or withholding information.
And so their ability to address this quickly and also
communicate transparently is so important.

Speaker 2 (06:25):
Yes, I'm so glad you're saying that. I've seen
the communication piece go so wrong, both as a practitioner
and then as a reporter, even though that doesn't have
to be the case. So thank you for emphasizing that. Now,
going back to the start of your ransomware story, I
want to ask something more simple. Why are manufacturers and
in particular, operating technology itself a target? To begin with?

Speaker 1 (06:48):
Yeah, I think increasingly, like everywhere else in the world,
the devices and manufacturing are connected, and the reason why
we're connecting them is data. We want to manage them,
we want to optimize them, we want to look for
errors and mistakes and things like that. And so as
we've implemented technology to manage those manufacturing devices and connected

(07:08):
those systems to the network, we've introduced a new attack
vector for the bad guys.

Speaker 2 (07:14):
And it's not just one attack vector, right, there's this
whole Internet of things now, lots of new devices attached
to the network.

Speaker 3 (07:20):
They're all targets. Yeah.

Speaker 1 (07:22):
So in a manufacturing environment that is dealing with something
that is sensitive to temperature control, the HVAC system is
very important. So the threat actors obviously have gotten better
at this. They know that impacting those devices and those
systems makes a bigger impact operationally. And so HVAC systems
and IP phone systems and product life cycle devices.

Speaker 3 (07:43):
You lock one of those up.

Speaker 1 (07:44):
And manufacturing stops, things stop getting built.

Speaker 2 (07:49):
It's just devastating. And when you think about the kind
of leverage that an attacker can get when they deploy
ransomware on these operational devices, it's astonishing.

Speaker 1 (08:00):
Yeah, I mean, the threat actors have gotten better at
learning how to disrupt our businesses, and OT or ICS
devices, industrial control devices. They are computers, they are running
an operating system. It is typically not a normal operating system,
and so one of the challenges for organizations is how

(08:22):
do you secure those And on top of that, those
devices are often not managed by the IT staff or
even the organization itself. Sometimes whoever's making these devices have
a maintenance contract to manage those devices inside the network.
So you've got a third party who's responsible for keeping
that device up to date and secure, et cetera. And

(08:44):
then you've got an IT staff who's responsible for the
overall organization. And it makes for an interesting dynamic that
creates a sort of a paradox for the IT security
folks in those organizations as far as protecting those devices,
and they are connected, so that connectivity needs to
be closely monitored and managed and also be minimalistic, so

(09:04):
only the things that need to talk need to talk,
and that is it right, and keep it very very tight.

Speaker 2 (09:10):
That's great advice, Thank you so much, Kurtis. Now you're
constantly reminding business leaders that they don't want to have
low hanging fruit, that attackers have plenty of old tricks
that still work so, and I know you also do
reconnaissance on threat actors. So looking to the future, do
you see a change happening in the way cyber attackers
are approaching their attacks?

Speaker 1 (09:29):
You know, I think having done quite a bit of analysis
on this, and my core company does a lot of
work around intelligence, I think right now our biggest concern
is synthetic content. So the phishing campaigns are more effective,
the landing pages that they send you to to capture
credentials are more real. I'll just give you a quick
example of one of those. The threat actors will go

(09:51):
to your management page of your company and they'll pick
out all the names of your board members, and then
they will have AI generate a fake email thread between
those people on a particular topic, and it looks very
very real.

Speaker 2 (10:05):
Okay, that's a new one. That's new. I haven't heard
that before.

Speaker 1 (10:07):
Yeah, you're a mid level finance person and then suddenly
you're looped in on this email thread by a board
member and they say, hey, we need you to do this,
and you scroll back and you look at Oh my gosh,
it's the board they need you know, I feel important.
I'm going to do this thing right away. I'm not
going to ask any questions. We've seen evidence of that,

(10:27):
and the AI makes that very easy for the bad
guys to do, to create the sort of synthetic content
that looks very very real to the average person and
create sort of a social pressure in the email chains
and things like that. And I say that in lieu
of are the bad guys using AI to write custom malware?
Not yet, we haven't seen any in the wild yet,
but it is plausible that AI can write, you know,

(10:48):
polymorphic malware for bad guys. But primarily they're not doing
that because they don't have.

Speaker 2 (10:52):
To exactly, it's just totally unnecessary.

Speaker 1 (10:55):
Yeah, they're running a business, and this is it's just
easier to trick you into giving your credentials or wiring money.

Speaker 3 (11:00):
That's easier and cheaper for them.

Speaker 1 (11:02):
Where I do think AI will play a risk, if
it hasn't already, is the volumes and volumes and volumes
of data that have been collected, you know, prior to
generative AI, finding the needle in the proverbial haystack in
that data was difficult and time consuming. So in some
ways we were sort of protected by the fact that

(11:22):
they have too much data right, But now AI, they
can train a model in AI and say this is
the kind of information that I'm looking for in this haystack,
and it will go find it for them in seconds.

Speaker 3 (11:33):
And that is dangerous. Now on the.

Speaker 1 (11:36):
Flip side, you could say the same On the defense,
one of the biggest challenges the security teams have is
log data.

Speaker 3 (11:43):
It's just huge. They can find they're finding a needle
in a haystack too.

Speaker 1 (11:47):
AI can also help with that, right, AI can help
them find the bad guys quicker.

Speaker 2 (11:52):
So I'm just thinking that what we know about technology
and how it's always part of this race between attackers
and their targets, what do you say to CISOs who
maybe feel like they're losing this race, especially when it
comes to AI, or maybe to put this another way,
we often know the first steps in attacker will take
to compromise your business. What's the first step a cybersecurity

(12:14):
leader needs to take so their operation can stand up
to that risk.

Speaker 1 (12:18):
Yeah, So cyber risk, in mitigating cyber risk is a
top down thing for organizations. I think that it does
start with culture and education for the greater staff. That
is step one is understanding that you know cybersecurity is
not an overhead. It is a fundamental operational part of

(12:39):
the business. When we start talking about how to mitigate
these risks, there's this very well known set of cyber
risk practices that all companies should use. That said, you
should also assume that that's not always going to work.
What organizations can do, and manufacturers specifically can do, is
put in place a response in mitigations strategy that contains

(13:01):
these things quickly.

Speaker 2 (13:07):
The AI assisted phishing emails that Kurtis told me about,
the warning that attackers will eventually breach your perimeter, these
reminded me that the first step of so many cyber
attacks is using your own accounts against you.

Speaker 4 (13:20):
Step one is like, if an employee doesn't have access
to something, they can't leak it right, whether intentionally or
because their account was taken over by an attacker or otherwise,
so strong access control sort of limits the problem down.

Speaker 2 (13:33):
That's David Adrian, the security product manager for Chrome.
When I brought up the equipment that attackers can target
after they gain account access, David took a step back
and looked at the overall posture. He explained how the
network connections that make them vulnerable could be transformed into
points of defense.

Speaker 4 (13:50):
I saw some research recently about we'll call it industrial
control systems or ICS systems, these sort of factory floor
management systems, and it was saying that the core sort
of ICS protocols, you weren't really seeing them online as
much anymore, which is good because these protocols don't really
have any security in them, but they do expose a

(14:12):
web interface HTTP configuration pages for this equipment for managing
factories or other industrial control systems or other manufacturing processes.
It's bad if these administration pages are accessible, but it's
good because it kind of shapes the problem from how
do I secure this old protocol that wasn't built for security,

(14:34):
that's confusing, that's used for somewhat niche applications for like
managing centrifuges or whatever it is that you're using in
your manufacturing process, And instead it just boils down to
limiting access to websites on the front end and then
sort of strong network segmentation on the backside. And then
you can build access controls on top of a system

(14:56):
that was never built for this in the first place,
right by just routing all of the traffic and all
of that access through an enterprise browser.

Speaker 2 (15:03):
I think if you were talking ten years ago, you
might say you wanted the OT and IT systems to
be not connected at all, or that you would want
an OT system never to connect to the Internet. Talk
to me a little bit about why, with the way
that we work today, that's not as realistic.

Speaker 4 (15:20):
Yeah, air gapping sounds nice in practice, but in reality,
systems end up needing to be connected directly to the
Internet or to some other network that is then connected
to the Internet, and so it makes way more sense
to adopt these sort of zero trust approaches where each
device is behind its own sort of authentication proxy, and
then you access the configuration pages through the web browser,

(15:42):
through the enterprise browser, and you leverage everything that's built
into the enterprise browser, and then you can do that
without any of these devices actually needing to be updated
to understand all of these sort of modern authentication and
device authentication protocols.

Speaker 2 (15:56):
That's the point that I think is really important because
it's many conversations about OT developments while you can't keep
updating all of these different operating systems all of the time,
and you know it's just never going to get better.
But then another layer of security on top is what's helpful.

Speaker 4 (16:11):
Absolutely or alternatively, if you somehow made a mistake and
there is a way to access sort of the configuration
or the management of some OT device that doesn't go
through the browser, then hopefully that's a lot more obvious
than the sign of like immediate concern because commands are
getting sent or configuration is being pushed to some device
on the manufacturing floor and isn't corresponding with some sort

(16:33):
of known employee login, like this is a red flag, and.

Speaker 2 (16:36):
It's an instantaneous red flag too.

Speaker 4 (16:38):
Absolutely, So one thing you get from Chrome Enterprise is
sort of real time reporting and analytics of what all
of your users are doing. And if you have strong
authentication of all of your users, you know they're your employees.
Then if you have you know, corresponding visibility on the
say factory floor manufacturing floor that isn't aligned with what
you're seeing out of the Chrome browser, then you know, well,

(17:00):
something is wrong. Something is accessing something on the manufacturing
floor and is not going through one of my managed browsers,
and that's an immediate red flag.

Speaker 2 (17:08):
So David, just looking forward as technology improves, we've seen
a lot of new approaches by attackers using that technology
and making it more sophisticated, so particularly attackers using AI
to their advantage. One example, which I had never heard
before was an attacker using generative AI to create a
very realistic email chain that included basically spoofs of the

(17:31):
target's bosses and even board members, and then after that
they looped the target into the email.

Speaker 4 (17:37):
In this type of situation, with this sort of AI
phishing email, it sounds more like they're trying to trick
the user to go to a legitimate site and do
the wrong thing. And I think the best way to
defend against that is to make sure that your organization
has processes in place for doing things that are sensitive.
And then once you have those sort of processes in place,
these sort of steps in your workflow that get pushed

(18:01):
to some sort of application in the browser is then
another opportunity to have someone else verify that yes, this
is actually the business process we expected. And so as
you start to route these business processes through web apps
through the browser, then every single step in the process
where you do that is a step where you can
secure it in the sense that you can make sure

(18:22):
that the people participating in it are actually your employees
and give more people an opportunity to identify when something
is going wrong.

Speaker 2 (18:30):
This is a really cool way of looking at it too,
I think from a security person's point of view, where
you have this visibility now that we didn't have before.
You can see each step of a compromise or each
step of an attempted breach. Now you can also see
each step of the pre breach, the pre boom scenario
in a way that's really systematic. That's actually really exciting.

Speaker 4 (18:52):
Yeah, in the modern web based workplace that we've all
become accustomed to, there's a ton of opportunities to solve
enterprise security problems that have plagued companies for years. Using
a managed browser like Chrome Enterprise can be a critical
component of these solutions. But I think we're really understanding
that there's a leadership aspect to cybersecurity that's absolutely critical
as well. So I hope that we've been able to

(19:15):
help leaders understand the direction that cybersecurity is headed in
and demonstrate how much companies can benefit from setting up
their teams with protections that take into account the way
that we all work on the web.

Speaker 2 (19:28):
To learn more about how the most trusted enterprise browser
can help protect your organization, visit Chrome Enterprise dot Google.

Speaker 3 (19:36):
Security.

Speaker 2 (19:37):
Bookmarked is a podcast from Bloomberg Media Studios and Chrome Enterprise.
Check out our other episodes about cybersecurity and finance and
gaming in your podcast app. I'm Kate Fazzini. Thanks for listening.