Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Sarah Freeman (00:00):
More and more of the actors target those companies, individuals, organizations, kind of deliberately.
Rachael Tyrell (00:06):
Hello and welcome to Episode 20, Season 1, of your Cyber Threat Intelligence podcast. Whether you're a seasoned CTI expert, a cybersecurity professional or simply curious about the digital battlefield, our expert guests and hosts will break down complex topics into actionable insights.

On this episode of Season 1, our host, Pedro Kertzman, will chat with Sarah Freeman, Chief Engineer for Intelligence Modeling and Simulation within MITRE's Cyber Infrastructure Protection Innovation Center. Sarah provides government sponsors and private sector partners with actionable cyber threat intelligence and innovative security solutions to protect critical infrastructure. She has more than a decade's experience in industrial security and formerly served as an industrial control systems analyst at Idaho National Laboratory before joining MITRE in 2022. This year, Industrial Cyber named her to its Hall of Fame. Over to you, Pedro.
Pedro Kertzman (00:57):
Sarah, thank you so much for coming to the show. Thanks for having me. Happy to join you. Would you mind telling us a little bit about you and how your journey within MITRE started and where you are today?
Sarah Freeman (01:09):
Sure, happy to start there. You know, I think we're going to immediately jump into a little bit of my career, but I think the two are kind of linked, because I've actually been at MITRE since July of 2022. But I met many people and started working with MITRE long before I joined it, so probably started working with MITRE directly around 2020. And then I had had exposure, of course, to MITRE in the past, being in the space for cybersecurity and critical infrastructure protection, so knew of them. I also had the opportunity when I joined in 2022 to join a team that was already in progress, already being developed, and work directly with a lot of people that I knew from my former life. So I came from Idaho National Laboratory, which is a DOE research lab, and in that capacity I actually worked directly with a number of the people that I work with now. So everyone, to include probably most importantly, my current director, Mark Bristow.

So having kind of that exposure and experience just is probably a good metaphor for what it is like to have a career in ICS and industrial control systems. It is an extremely small community. Yeah, I imagine. Sometimes painfully small. So the industrial security space is one where people change jobs. People, you know, kind of go into the outskirts. Maybe they go to the government, maybe they go to the private sector, work for a utility, maybe they do the research route, but people almost always end up crossing each other's paths again.
Pedro Kertzman (02:48):
Thank you. And within this journey, would you say you saw any differences in the way people used to think or used to do security for ICS and how it looks today? Any insights around that?
Sarah Freeman (03:02):
I mean, things have changed drastically. So when I started at Idaho National Laboratory, they hired me in 2013. Before that, I had had a little bit of exposure to the space and the challenges of critical infrastructure protection, primarily because I was working in a role doing cyber threat intelligence. So I would occasionally have various customers come up and ask kind of pointed questions about, whether or not, at the time I was working, Russian criminal underground stuff. So they'd ask very pointed questions about whether or not any Russian criminal elements were talking about SCADA or ICS, and I'd be like, I don't know, I'll check for you. But the interesting thing about it is, at that time, the only people who really worried about non-state actors, the only people that were really hiring my company at that time, were all in the financial sector.

And I think it's a really interesting place to start, because when that whole thing, when cybercrime became a problem within the financial sector, it was originally a financial decision. The original plan was basically to cover the cost of fraud through a series of fees and things, and so it was written into the books as, we anticipate that these companies, these credit card companies, these banks will experience X amount of damages based on cybercrime activity per year, and so because of that, they kind of ignored it, beyond putting that line item on the books to be prepared to basically pay out of pocket. Over time, I think because they watched the growth, the exponential growth in costs to these companies, they really started in the 2005, 2010 timeframe to be the forefront of organizations that were trying to do something a little bit more proactive than just waiting until after they had a problem and then paying for it. But at that time they were the only sector that was really doing this.

When I joined Idaho National Laboratory, which again is Department of Energy focused, the group I joined at the time, the Mission Support Center, was very much of the opinion that, well, certain cyber attacks had not happened against the critical infrastructure sectors, but they were very possible, they were very feasible, and that was actually a really uncommon position to hold. In fact, the common statement when you brought up things like attacks on the US electric grid was, why would anybody do that? There's no money in it, which, you can see both sides of that. At the time there wasn't much money in it. But I find that usually market forces are huge things, and if there is an opportunity, there will eventually be somebody who's asking to pay for it. So the thing that has really changed over the years is having to constantly beat that drum to put that message out there that critical infrastructure is at risk. And we're now finally entering a phase, sadly because of some cyber attacks, but we're finally entering that phase where we no longer have to push as heavily on that message that says that this is at risk, but rather we can start to talk about who needs to address this risk and how to best address it.

And so it's really shifted from kind of a conversation among governments, like government organizations, to one that is really grassroots. Now, very, very many companies, utilities, asset owners I talk to not only are aware of this risk, but they're actively pushing forward. They're at the forefront of trying to address it, which is completely different from where I started.
Pedro Kertzman (06:44):
That's great to hear. I feel like in general, as an industry, we shifted from having to justify the importance. You know, everybody knows it, and we're just kind of going to work now; we don't need to justify why we are here anymore. That's awesome, and a broad topic all over the place, but have you seen AI also coming into the ICS conversations? How is it? How's the current state of AI at MITRE?
Sarah Freeman (07:14):
So AI is 100% a nearly daily topic of conversation, even within the critical infrastructure space. There's kind of a running joke and series of memes. You only need to know it's been kind of true for a couple of years. But you go to some of these conferences, like RSA, for example, and the number of people on the vendor floor that are pushing AI-based solutions has just gone through the roof. It is a difficult thing to avoid right now. Actually, it'd be impressive if you could. That being said, it's become popularized in the last couple of years, but it's not a new phenomenon. So, if you go back to even, what does it mean to talk about adversaries leveraging AI? And what does it mean to manipulate data flows and things like that? Machine learning and how that data is being integrated has been a topic of conversation within the security and the hacking community for a long time. So, even going back to DEF CON circa 2017, 2018, there were actual presentations about manipulating data flows to these kinds of systems so that they don't perform the same way.

So part of this is, I think, you know, my colleagues in the AI Innovation Center would want me to highlight some of this has been going on for a really long time and, depending on where you are as a historian of all things computer, you may mark the dawn of AI in 2010. You may mark it all the way back before, you know, 1980. But the reality is it has gone from a thing that was, I don't want to say notional, but it was not something that most people dealt with every day, and now suddenly it has become this thing that people are just being inundated with. But there was a very similar arc that happened within the cybersecurity space for critical infrastructure that was particularly popularized in the nuclear community. Again, a little bit of a nod to INL here again. But there was a period of time where there were not digital control systems, and most people have never seen a pneumatic control for a nuclear reactor in their entire life. But you can see pictures of it online. It's kind of impressive. But this was the state of the industry not that long ago, in my lifetime. That was the state of the industry.

And when there was this big push to move from analog controls to digital control systems, a lot of people hesitated, the same way that when you adopt any technology, it comes with, one, change and, two, potential risk. But the reality was the market forces were going that way regardless of what we thought about it, and the whole point of this really is, similarly, we're on the top, the crest of a wave right now that is very AI-centric, and so much of MITRE's work related to artificial intelligence is focused on ensuring transparency and safety and trustworthiness of these systems, as well as being very strategic in how we want to leverage that technology. You've probably heard the stories of people's jobs being replaced entirely with AI. Again, looking back at history, we know that that kind of transition is not fast, but when it does occur, there is a strategic and intelligent way to go about doing it. We want to gain all of the efficiencies possible from the new technology, but do it in a safe, secure, appropriate way. So we're actually, in my research with some of my AI co-workers and research partners, we're very much focused actually on what does it mean to bring this technology to help individual humans do their job better and faster and cheaper?
Pedro Kertzman (11:10):
Absolutely! That's the main thing. I think the AI conversation got so popular in our days because of LLMs, so it just brought to the forefront that people can interact with it. Back in the day, it used to be, like you mentioned, more like a numeric engineering type of a back end. One of the things specifically for AI, at least in my limited view, is that to me it is always, or for the most part, something that will be requiring like a cloud, the AI living on somebody else's data center and all that. On the other hand, ICS systems, for the most part, would be on isolated air-gapped networks and all that. How do you kind of combine those two different universes, or connect them?
Sarah Freeman (11:59):
Yes, the cloud, the evil cloud. Of course, before AI we had clouds, so there's a couple of parts and pieces here. You know, it's always the devil's in the details. Cloud-based infrastructure introduces, first, a number of advantages in terms of resiliency, in terms of the types of analytics that can be performed, in terms of the quantity of data you can store. However, cloud-based infrastructure is not obligated to be on a third-party infrastructure, so I, as a utility, can run a cloud-based setup and not ever have any data leave my environment. I can also allow certain data streams to leave my environment, and so there's this weird thing that happens where, in general, it sounds bad, but you start to look at the details and you're like, okay, not all bad, and there's more than one way to implement it.

So it's kind of similar pushes for, essentially, AI LLMs as a service. What does it mean to do that, which is just a natural extension, honestly, of data, big data, analytics, big data. Before there was cloud, there was big data, this idea that somebody else who's an expert is helping you do these things, and very much, you know, going back to even the dawn of time, almost, when we talk about initial industrialization in the US. What does it mean to be Henry Ford and produce Model Ts, this idea that people have a certain degree of specialization, they are experts in this one thing and we serialize the process so that we can gain efficiency. So there's part of this that makes a lot of sense, and then there's less of this that makes sense from a security standpoint.

So, as industrial security personnel, with critical infrastructure protection being my focus, I have to be cognizant of working with utilities that want the AI advantages but maybe want to do it in a safe and secure way. And what does that mean? I think similarly, again, you know, working with some of my colleagues at MITRE who are primarily focused on the construction and design of some of these unique solutions, it's not a given that those things have to be so large that they have to be run on third-party infrastructure, or that they live in the cloud or they're sold as a service. That is just the easiest way today for individual companies to experience the wonder of the AI revolution.

I think what you will see is a grassroots effort of a number of different organizations. I mean, even now, if you were interested in it, you could buy yourself, you know, a new Mac laptop and be able to run a number of the open source LLM models on that device. The internal computational resources on that unit are good enough for most applications. The question really becomes one of data resourcing and computational power, and that has a lot more to do with how companies or organizations want to use the technology and how much data they need for that use case, and less about where it lives. Again, pluses and minuses. Not every critical infrastructure sector, utility or organization has the same budget. Not every organization has the same number of staff. In some places they have a separate OT, operational technology, security team. Other places it's one guy. He also runs IT security, physical security, and has an HR gig on the side. It's a huge variation here.

And so it's not, I learned that it is not good. The best approach is not necessarily to highlight all of the weaknesses and the bad parts of what people are trying to do, but help them do what they need to do better and safer. Absolutely. So it'll be interesting, for sure, because those are definitely two camps. There will definitely be, because there's a market there now, so there will be people that are pushing to sell big AI in the cloud, probably as a service. I mean, you can already see that now. But the question really is, is that what an organization needs, and is that the most secure thing for them to be doing?
Pedro Kertzman (16:26):
No, I love that approach. Yeah, I'm looking forward to seeing the next chapters, for sure. And, you know, talking about industrial control systems and OT systems, any best practices around understanding the design of those systems, and nowadays is it like hardware, virtual ones that are the recommended ones, or digital twins? Any thoughts around that?
Sarah Freeman (16:47):
There is a debate that won't die, that periodically pops up at every conference, and it goes something like: if you have to start from zero, what's most important, that you have a good asset inventory or that you know what your critical functions are? And by critical functions I mean what are the things that you need to do in your company to survive to the next day, the next week, the next month. So we think critical infrastructure space. If we talk about an electric utility, it becomes really obvious for some parts of this, at least at the top level: in order to survive as a utility, you have to produce, transport and deliver power to your customers. Like that is your reason for being and, yeah, there's some variation about where you are in that ecosystem, but that's your role. Now, in order to protect those assets, the things, the technology systems, data that help you do that, deliver electricity, like what are the most critical things there?

And so most people start with a basic asset inventory that may be somewhere between 40 and 60% accurate. It may be missing a vast majority of equipment, but they start somewhere. Then I'd say they kind of understand a little bit about what they need to do on a daily basis to be effective. So that first step is actually really easy. It's what happens next that is kind of complicated, which is that companies start to then look at what happens when either those technologies or those data flows or those processes no longer work as a result of a cyber attack. Now, you could say, as a result. In fact, I was just reading a paper just now. It's grounded in probabilistic risk assessments and whether or not hazard analysis is sufficient to meet the needs of cyber attacks. It's a little bit dry, frankly, if I'm going to be honest. But that aside, this idea that you can then start to say, hey, what are all the disruptions I anticipate seeing? And have I properly considered a malicious and deliberate cyber actor? Because cybersecurity, particularly within an operational technology space, is almost entirely grounded in this concept of resiliency. So what things can I cut? What is my minimally viable process that I need to survive as a company, and how do I ensure that that continues? And so, again, start by asking yourself what do you have, what do you need to do and how can I anticipate these things would break in the future? There's more nuance to it than that, but that is definitely the starting foundation for, I would say, most successful security organizations within the critical infrastructure space.
Pedro Kertzman (19:41):
That's great, and so you mentioned those critical assets, depending on the specific end goal of those companies. Do you see any differences, maybe in the past or nowadays, now that everybody knows critical infrastructure, even though they won't necessarily pay ransom, but that's not the end goal of the threat actors on the other end, but do you see any differences in how people are trying to reach those infrastructures from an attack standpoint, maybe linking to the ICS matrix? Is this through the SCADA systems or the ICS systems, or will they be now like the crown jewels, they are the end goal kind of thing and not like the entry points anymore?
Sarah Freeman (20:33):
Sure. So kind of highlighting what I was just talking about, one of the reasons why step three is understanding how the threat actors can attack or disable your systems, part of the reason why people focus there is because there were certain trends in the attack space and the attacker space that we've observed over time. So if we talk about MITRE's ATT&CK for ICS framework or some of the other frameworks, ATT&CK for Enterprise, ATT&CK for Mobile, the point of that historical review is to understand the trend analysis about what actors are doing, what threat actors are doing, what capabilities they have, what their interests are. The interesting thing that has happened since, comparing basically where I started in 2010 to where we are today, is that there was a lot more fear at the time, because we had a smaller subset of attacks, that we were going to see a run on attacks against the core crown jewels of the SCADA system. That the systems that were supposed to be isolated, not internet connected, have multiple security protection layers, that they would be the target of cyber attacks. Now what has happened between when I started at Idaho National Laboratory and today, as I find myself at MITRE, is we've seen, as always, the market forces come into play, and so we started to see things like ransomware as a service pop up.

Now, ransomware as a service is one of those things that was kind of unfortunate if you were a cyber threat intelligence analyst such as myself, responsible for providing weekly updates to some of my sponsors about what was going on in the world, because the weekly updates got more and more boring the more weeks, months, years we got into this process. About 2017, an enterprising individual released SamSam and, as ransomware as a service really took off, suddenly something that was being done in onesies and twosies as an unfortunate day, but not necessarily targeting critical infrastructure asset owner operators, just blossomed, just turned into this whole market space, and suddenly, as an asset owner, somebody who's working with asset owners to protect this infrastructure, I now have to include basic questions like, where is your data backup storage? Do you have instructions about how to respond to cyber incidents on paper? Like, do you have gold copies of your SCADA system? And it's certainly less exciting or interesting than some of the other cyber attacks we've seen that are purely in the realm of operational technology, but I think it very much highlights the reality of the environment we see today, which is still the majority of attacks are on information technology infrastructure, data and resources, and most attacks are enabled via internet connected systems.

That being said, there is a small subset that, if, again, if you're interested in tracking these actors and, frankly, you don't want to be bored by just repeating every ransomware attack, by the way, there is a ransomware database where you can get them all now. At the time we didn't have one of those, but if you're curious I can share those resources. But now we have this subset of trend activity of kind of the upper echelon in terms of skill set of attackers, where they're actually targeting third party providers, suppliers, integrators. These are companies that historically, when we look at a security profile, were kind of left off the discussion because it was a different company. But we're seeing more and more of the actors target those companies, individuals, organizations kind of deliberately. It makes a lot of sense from a cyber attack operations standpoint, because a lot of these companies are providing services, technology, engineering, design, you know, assistance to multiple companies, and so by compromising this one entity, they have theoretically access to all of these customers, all of these end users. So it's a lot of hacking smarter, not harder, going on.

That is interesting because it challenged for many years a lot of how we thought about security, including things like regulations. So everything was: as an electric utility, I am responsible under NERC CIP to make sure that electricity is being delivered in a safe and secure way. But the onus fell on the utility, and now we're starting to say there's more parties that are responsible within this ecosystem for ensuring the technology is secure. And how do we bring people together in a way that, again, is effective and efficient to make sure that we're making the best technology and we're deploying it in the best way?
Pedro Kertzman (25:22):
That's perfect, thank you, and you touched a little bit on programs and maturity as well. Overall, how do you see the ICS programs maturing over time since you started working with companies to help them on that journey as well?
Sarah Freeman (25:39):
Well, as I mentioned before, one of the first kind of big shifts in how companies were addressing this was recognizing that there was a bad guy on the other end. A lot of people when I first started just didn't want to believe that they were actively being targeted by anyone. They really struggled with that concept. Good or bad, all of the cyber attacks since then have made that argument much easier for me to make. I no longer have to. Sometimes I have to put together a slide deck that just highlights the sheer quantity of attacks that have happened, because I think it's hard to keep them all in your head. But the good news is people have moved beyond that hurdle. So then it kind of becomes this question of what does it mean to do proactive security? Because you can do things around resiliency planning. So there was a large swath of time where that was the primary focus, and we've kind of evolved a lot of that thinking. But now we're at the stage where all of the proactive security and resiliency planning is resource intensive. For many companies it was untenable anyway. But we've kind of gone into this space where there is so much security nobody can do it well, and that's regardless of whether or not it's regulatory or some of these proactive measures. If you were to say, consider the number of vulnerabilities that have been disclosed. There's been a massive increase, just even in the last three or four years, to the point where I think there was something like a 40% increase from last year of vulnerabilities identified. These are vulnerabilities that are given CVEs, which, side note, there's actually a lot of things that are exploited that technically aren't CVEs, but we'll just count the CVEs for the purposes of this conversation. It is more difficult every day for organizations to maintain even a basic patching schedule, let alone the fact that some of these are critical infrastructure systems, cyber physical systems that are not typically taken offline, so they actually don't have patching windows unless they're scheduled.

So the plan now and the push is really to do something that's a little bit more targeted. So if we can get ahead of the threat actor, instead of waiting until after the threat actor has manifested themselves in a certain way and attacked these systems, maybe then we can be a little bit more strategic about what systems we patch and in what order. Or maybe we can identify security controls that are not manipulatable by a cyber adversary, a way to understand what the future adversary capabilities will be, as a kind of cyber forecast within infrastructure susceptibility analysis, so that we can prioritize mitigations or potential weaknesses for organizations, so that they can come in and really just focus on those areas where they're likely to see the greatest risk from adversary attacks. So I think that whole shift between, let's identify all the vulnerabilities; first of all, there was no bad guy, there were no attackers, and then, oh no, the attacker is attacking everything, let's find all the vulnerabilities, to, oh no, we found all the vulnerabilities, there's too many to address, to now circling back and let's ground what needs to be done. Let's triage, based on what the actor is actually interested in doing and capable of doing, which is really helping to reduce the burden on security teams.
Pedro Kertzman (29:12):
No, I love that and, honestly, the idea about cyber forecast for sure. If you can anticipate what your opponents will be doing in one month or year, and so on and so forth, especially as the technology evolves as well, it would be absolutely important. I agree, and I love the way you frame it. We cannot handle everything, so let's focus on the things that, sometimes things are vulnerable but not really exploitable, so let's focus on the ones that pose a greater risk for the overall company. No, I love that approach, thank you. And for the CTI folks, any preferred learning sources when it comes to the ICS space for the CTI audience?
Sarah Freeman (30:05):
Sure, I guess I would recommend first that, because of the nature of cyber physical systems, big moving objects, large safety-centric designs, things are designed a little bit differently over there in operational technology land. Because of that it's kind of important that people interested in being cyber threat intelligence analysts in that space really embrace the differences between IT and OT. There are a lot of similarities, and every day the two fields are looking more alike than they are different, particularly with the adoption of AI, big data, all those cloud services, all those things you mentioned. But the core of operational technology comes down to this concept of a cyber physical system where there is a digital system that's controlling a large, usually large, but frequently a physical object. So disruptions of that technology result in physical manifestations. Again, electric grid outage, you know, disruption in a substation means that you don't have power. So recognizing that reality is kind of core, because if you show up and then try and kind of extrapolate what a cyber threat actor is doing without any knowledge of those systems, you can oftentimes misunderstand the potential risk, because thankfully there is still, frequently it occurs that a threat actor who also doesn't understand the underpinning cyber physical systems will come into a space and try and manipulate these systems ineffectively. And, as a cyber threat intelligence analyst, it's critical that you not be in the business, in my mind anyway, of propagating fear, uncertainty and doubt, and so recognizing what is actually possible based on the technology or the typical processes within these spaces is paramount. A lot of times we have people transition from traditional threat intelligence spaces into the ICS land and they don't recognize that difference. They also will sometimes go too far over, so they will immediately jump to the sky is falling mentality because somebody manipulated a thing in a certain way. And it's important that you be really careful when making those pronouncements, because, again, there's a safety implication for many of these systems that is not present when we're talking about a data center.

So the other part of this is, okay, great. So it's challenging, it's different. How do I learn more about it? The good news is there is, I would say, a fairly robust, small but robust industrial security community that really goes out of their way to help people understand the differences between these technologies and the mechanics of how these cyber attacks can occur. So conference resources, and, secret secret here, you don't actually have to attend the conferences. You can actually watch most of the conference material on YouTube after it's been presented, if you are in a position where you can't afford some of these conferences, because they can be very expensive. But things like S4 is one that always comes up. Traditionally held in Miami. I think they may be moving it in the future. The SANS Industrial Control System Security Summit, traditionally held in Orlando, again, a lot of resources online there. Also, SANS does a lot of free webinars and things all the time. The RSA committee does have a cyber physical systems committee. So if you're interested in, you know, kind of an alternative perspective, there's a lot of good material in that subset there. BSides, which is a distributed security conference, but they will frequently have ICS specific or industrial security specific speakers. Again, you have to kind of look on a case by case basis. But we're coming up against, you know, DEF CON, BSides Las Vegas, as far as I know, they still have free admittance. It's been a while since I've been down there, but a lot of people will go down there and then go to DEF CON, even if they don't go to Black Hat, because Black Hat can be on the little bit expensive side. DEF CON is very accessible and it's not nearly as scary as you may have been led to believe. So all of those resources and, frankly, the artifacts that those conference organizations have put out there are, you know, they're all kind of very accessible for people getting into the field.

There are also new ones that are either returning to their ICS roots or industrial security roots, or have touched on the topic in the past, or are new and emerging. So there's a new conference called Level Zero, very accessible. There's QSecCon, very accessible. There's REcon, which, granted, is a little bit more technical, that's a reverse engineering conference that's based out of Montreal, but again, many, many resources available on YouTube and elsewhere. For people who, that may have been a really long list and somewhat intimidating, the other piece of advice I would provide is that if you find a speaker who you like, they will often have presented at multiple conferences. So even if you're not familiar with all the conferences, you can look based on those individuals and find their research for many, many years. So that's another way to go about doing it as well.
Pedro Kertzman (35:45):
No, I love it. Like follow the trail, right. You go through a speaker, kind of all the posts and all that, you might find the resources that you want. No, that's perfect. And Sarah, any closing thoughts for the listeners?
Sarah Freeman (36:01):
I guess I would only add one thing, that the industrial security community is really accessible and there's many, many friendly, very friendly people in there. So if people are interested in learning more, they can certainly reach out. They can reach out to me. They can also reach out to the community of people who kind of accepted me and brought me into the fold all those years back when I came from financial threat intelligence land. I'm also a big proponent of what is the sometimes unfortunately named Beer Information Sharing and Analysis Center, which is an informal group of industrial security community members that's very open and welcoming to anyone who would like to learn more.
Pedro Kertzman (36:41):
That's amazing, Sarah, thank you so very much for so many insights. Really appreciate you coming to the show and I hope I'll see you around. Thank you.
Sarah Freeman (36:49):
Thank you, it was fun talking to you.
Rachael Tyrell (36:54):
And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise that would like to be interviewed on the show, just let us know. Until next time, stay sharp and stay secure.
(37:14):
We'll be right back.