I think people are very optimistic about an economic recovery. It's possible. But in no way what I'm seeing in my convos. I'd give the advice to startup/tech founder/CEOs to really only invest in what adds revenue in the short term. Don't make bets right now that lead to layoffs I am fortunate to get into some good conversations these days with the heads of investment banks, late stage funds, etc. not small amounts but those managing ~1T type amounts. Yes things could be ok. But a very big blood bath could be coming too.

Supply chain woes are real folks. I cannot imagine the complexity this is going to cause for folks over the next two years. An example of what happened to us today: We work with $WellKnownAndRespected hardware provider and have for years

We placed another order of their bread and butter equipment.

Told it’ll be available in 3-4 months at $X price

My best NSA Story isn’t some classified or crazy experience. It’s the time I screwed with my future brother in law from Holland. Y’all can say what you want it was hilarious. A small thread: I had met my future wife (Dutch girl I met when stationed in Germany), early dating. She and her family didn’t know what the NSA was. I wasn’t public about my affiliation. But then the Snowden leaks happened and it was obvious.

Unpopular thought: the jobs gap is largely inflated/a lie. Your entry level jobs aren’t entry level and your principal level jobs are paying people at entry level rates. “Why can’t we find someone with five years of experience in this technology that’s three years old?!?”

“Why can’t we find a principal incident responder with 15 years of experience for $60k USD?!”

Today the US Government announced a new ICS malware that has been designed to disrupt industrial operations. CISA/FBI/NSA put out a great advisory; also I appreciate the callout/thanks to @DragosInc in the advisory - we call the malware PIPEDREAM cisa.gov/uscert/ncas/al… Dragos has been analyzing this since early 2022 and working with our partners the best we can to make sure the community is aware. We also appreciate the other partners around the table that have been working hard on this.

I’m glad CISA is providing a companion document w/ the DOJ indictment of the Russian govt operators who targeted ICS. Lots of great info but please don’t follow their mitigation advice for ICS. It’s not practical & in some cases dangerous. A quick thread: us-cert.cisa.gov/ncas/alerts/aa… Under network segmentation they push for data diodes “wherever possible.” There are some good use cases for diodes, but they are really not something you’d want wherever possible and are very impractical in modern ICS environments in most cases.

No the White House notice isn’t really actionable for cybersecurity professionals and yes many are already tired, but it’s still significant and cybersecurity personnel are not necessarily the core audience. I’m not sure they had many better options than to publish what they did. Speculation: White House likely has detailed insights into Russian intent but without the technical details using a variety of sources and methods. Just sitting on that because they don’t have the technical details isn’t really an option.

Cyber attacks on industrial infrastructure (such as utilities, mfg, and pipelines) are a powerful tool in and preceding conflict. But denying the full effects of misinformation after the attack is a powerful defense. A thread: One of the reasons such attacks can be powerful is the shaping of behavior. I.e. perform attacks to make the public or policy makers hesitant to continue. Russia could attack US infrastructure in smaller ways to try to keep US out of a conflict or impose less sanctions.

Internet accessible ICS is not good - but just for the record it’s VERY unlikely screwing around on an HMI causes any sort of explosion. It’s a lot harder to cause physical destruction than people realize. It’s possible. Disruptions are possible. But be careful of the hype. If you’re interested in how these things look I’d review the ICS Cyber Kill Chain paper Mike Assante and I wrote here: sans.org/white-papers/3…

And the Dragos whitepaper by @jfslowik on the 2016 Ukraine cyber attack dragos.com/wp-content/upl…

When people talk about IT it’s not about the technology but about the function supporting the business. Same thing in OT. Sure there’s some specialized systems like PLCs but there’s also Windows systems. It’s about the systems that support operations. IoT is a class of technology. Same thing with IIoT.

IT = defined by its mission function
OT = defined by its mission function
IoT = defined by the technology
IIoT = defined by the technology

One of the most frustrating things I see at organizations is when the security teams themselves try to accept significant risk on behalf of the business instead of surfacing the risk to the Exec Mgmt team with advise and recommendations. As an example - we often undersize or underestimate the risk as individuals. “This plant is important. That plant isn’t as important” instead of having a discussion with the Exec Mgmt that would pull in insights like revenue, health and safety, environment, etc. to decide

If you are a critical infrastructure company that experiences a cyber attack and you do not have an actual CISO your Congressional hearing is going to suck. If your CISO reports to the CIO it’s likely to signal that cyber isn’t an important topic to the executive team. At a minimum make your the CISO has regular time with the CEO monthly or very minimum quarterly.

I’ve seen a number of press releases/conferences the last two years on ransomware cases only impacting the IT and not OT of companies. In many (not all) how they defined IT was anything Windows (even HMIs/EWSs) or they had 0 insight into OT to know anything. I don’t think it’s generally malicious but there’s a perceived cost and public fear/severity in acknowledging control system environments were impacted. I’d like to see us move away from the hype and fear in 2022. Control systems have been and will be hit more often. That’s ok.

The folks surprised that certain applications like SolarWinds and Kaseya tell users to exclude their folders from antivirus scans are going to be floored about what happens in ICS. It’s standard practice to see ICS vendors asking for almost everything being excluded. However, it’s not as simple as just blaming the OEMs. Modern anti-virus is built/trained/tested on enterprise IT systems. That leaves a lot of gaps on ICS/OT applications/systems.

The debates around working from home from employers is fairly odd. You want to recruit and retain productive and happy teammates. The responsibility is on the employer to provide that environment. Employees should have choices of in person, remote, or hybrid whenever possible. It feels some of this stems from measuring employees by hours instead of productivity. It’s certainly not always easy but hours as a crutch is misleading. It’s important to drive accountability between individual contributors and supervisors and trust their choices.

I’m scheduled to join @jimsciutto on @CNN at 10am Eastern to talk about ransomware and intrusions into our industrial infrastructure in context of the Colonial Pipeline incident. Join me if you can and thanks for tuning in. In my opinion there’s some bad takes out there but overall it’s completely reasonable that folks are paying attention. This is the most disruptive incident we’ve seen on US energy infrastructure from cyber intrusions. Colonial Pipeline is the victim and has done a lot right.

To the security professionals facing difficulties getting an entry level job, being properly resourced, facing internal policy issues, being beaten down by competing frameworks/guidance/advice even from USG...the “if NSA could monitor your networks we’d fix it” is insulting. I really do like the NSA; having served there I know the amazing work they do. I’m also a privacy advocate as many there are. There’s real roles and responsibilities for government to help private sector. More surveillance isn’t the answer. Actually there is no one answer.

There’s a new @nytimes article out on a @RecordedFuture report coming out tomorrow ok potential Chinese activity targeting Indian electric sites. I’ll hold broad thoughts for the report to drop where I can dig in but a few initial thoughts: nytimes.com/2021/02/28/us/… First, it’d be no surprise to find that between two states that have conflict (and with some skirmishes bordering on going larger) that there would be targeting of critical national infrastructure such as the electric system (power grid). So the claim seems very reasonable

A quick thread on intelligence analysis in the context of cyber threat intelligence. I see a number of CTI analysts get into near analysis paralysis phases for over thinking their assessments or over obsessing about if they might be wrong. (1/x) Consider this scenario. A CTI analyst identifies new intrusions and based on the collection available and their expertise note that the victims are all banks. Their consumer wants to know when threats specifically target banks (not just that banks are victims).

Yesterday in the Congressional hearing on homeland cybersecurity @C_C_Krebs and @DAlperovitch very kindly called out @DragosInc as a good example/company to work with in ICS/OT. Not “buy Dragos stuff” but “here’s a good example of an approach” and I just want to say thanks We’ve been afforded a really cool place in the community to be allowed to focus on ICS/OT and have a ton of support from around the community.

What mostly stood out to me on this topic is that both recognized the unique approach required for ICS (Dragos or not)

The fact that so many are focusing on the water plant using Windows 7, which had nothing to do with how the attack was done, is interesting. Folks have an obsession with vulnerabilities and while they can matter a lot it is a fundamentally different value prop in ICS. The attack took advantage of TeamViewer. In this instance the OS didn’t matter. The TeamViewer application was Internet facing and available. The attack took advantage of the HMI, that’s not a software vuln issue, they just did what operators could do on the system natively