Richard Ku and Ryan Flores with TXOne Networks talk about Industrial Cyber Security Threats, Challenges and Risks
In this week's Industrial Talk Podcast we're talking to Richard Ku and Ryan Flores with TXOne Networks and Trend Micro about “Cyber Security Threats, Challenges and Risks in the Industrial Control Environment”. Get the answers to your “Industrial Cyber Security” questions along with TXOne's unique insight on the “How” in this Industrial Talk interview!
RICHARD KU'S CONTACT INFORMATION:
Personal LinkedIn: https://www.linkedin.com/in/richardku1/
Company LinkedIn: https://www.linkedin.com/company/trend-micro/
TXOne Networks Company Website: https://www.txone-networks.com/en-global
Trend Micro Company Website: https://www.trendmicro.com/en_us/business.html
RYAN FLORES' CONTACT INFORMATION:
Personal LinkedIn: https://www.linkedin.com/in/ryan-flores-4800b8a/
Other Powerful Cyber Security Resources:
https://iiot-world.com/industrial-iot-cybersecurity-from-the-shop-floor-to-the-board-room/
https://iiot-world.com/ics-security/cybersecurity/9-best-cybersecurity-practices-itot-environment/
PODCAST TRANSCRIPT:
SUMMARY KEYWORDS
cybersecurity, trend micro, industrial, people, industry, organizations, network, business, ryan, attackers, cyber, important, pay, attacks, Iot, ransomware, richard, colonial, challenges, gain
Welcome to the industrial talk podcast with Scott MacKenzie. Scott is a passionate industry professional dedicated to transferring cutting edge industry focused innovations and trends while highlighting the men and women who keep the world moving. So put on your hard hat, grab your work boots, and let's get
All right. Welcome to the Industrial Talk podcast, the number one location for all things industrial. Yep, Industrial Talk, go figure. We talked industrial. We've got a five part series, a five part series that focuses in on industrial cybersecurity, we're going to be featuring some incredible at trailblazers, let's put it that way in the world of cybersecurity, and I believe, and I think you believe if you're going down this world of digital transformation, and you want to take advantage of Industry 4.0, you need at the forefront of this particular decision, this strategic decision to help create greater resiliency in your business. Cybersecurity, let's get cracking. So, yeah, I, I've been very fortunate. And of course, you know, as well as I do, that there's a lot of conversation out there about cyber security, you have the Colonial Pipeline. And so Industrial Talk as a whole wants to be this just a central location for industrial related information. So you don't have to go around. We want to promote events, we want to promote individuals that are speaking at these events, we want to facilitate this knowledge, because we believe that education is it, education, collaboration, and innovation is where success will be in the future. And that's just a reality of it. So I mentioned briefly about this particular five part series, this is the first of five, this is cybersecurity threats, challenges, risks in industrial control environments, and this just came out after the Colonial Pipeline, which on the Industrial Talk website, we will have a white paper that was produced by incredible people at Trend Micro and Trend Micro sponsoring this particular series, they are fabulous to work with a. I mean, when you think about cybersecurity, when you think about all the stuff that has to be thought of and, and how they facilitate this digital transformation. They're not meant to get in your way.
They're, they're meant to make sure that that your life is not interrupted by unfortunate situations within cybersecurity. That's what Trend Micro is all about. Now, number two in this particular series will be industrial business and tech, not technical challenges facing industry. Number three cybersecurity best practices, number four, industrial cyber solutions, which is pretty cool. And then finally, CEO, CEO talk. So we're gonna have a conversation on I mean, we've just got to recognize that this is important now, because I'm all about getting that information out there is an event. This is an event that is featuring and Trend Micro, it is a live event, it is June 16. This is for the Americas June 16. It is from 11am to 4pm. Eastern Time, and they're going to be talking all things cyber, because it's important. It's like the the the topic is ready for a new perspective, don't miss this exclusive one day virtual event. And it's going to be featuring the CEO of Trend Micro and then a gentleman by the name of Neil McDonald, VP and distinguished analyst at Gartner. How about that. And if you're not if you're in Europe, they have one for you, too. It's on June 16. But it's 10am to 3pm. And then if you're in the Middle East Africa and Mediterranean, same thing, June 15 11am, to 4pm. And then finally an Asia Pacific 10am to 3pm. A go out and I'll have the link. Don't worry about it. I'll have the link out there. But I think that this is an important conversation to have. I think you need to be a part of it. I think you need to hear from leaders within this space because well,
if you want that digital transformation journey, if you want to embrace that, if you want to reap the benefits associated with all of that, you need to have a sound and strong cybersecurity strategy, Trend Micro reach out to them. Alright, this particular podcast which we're going to convert into the Industrial Academy, because I think it's a it's a series that warrants an Industrial Academy type of approach. So this particular podcast we're going to be talking about cybersecurity threats, challenges and risks to industrial control environment, it features a gentleman by the name of Ryan Flores as well as Richard Ku, both with Trend Micro. Enjoy. Ryan and Richard, thank you very much for joining the Industrial Talk podcast listeners, what we're going to be talking about is cyber security threats, challenges and risks in the industrial control environment. I don't know where you set on that, and then anything cybersecurity, but that for that particular topic is dead sexy. I am excited about having this conversation. For the listeners and Ryan, give us a little background on who you are level set, figure out who you are. And then then we're gonna go to Richard, do the same thing. And then we're gonna go into that topic.
All right. Hi, everyone. I'm Ryan Flores. I'm happy to be here. I've been working in the cybersecurity space for more than a decade now. Investigating attacks and incidents. So you know, the recent attacks that have been happening, it's some quite close to my passion. And in my field.
It's interesting. I, I'm looking at your stat card out on LinkedIn, you've been with Trend Micro for 18 years. Oh, yeah. Oh, yeah. Why don't you just start at age one?
No, no. Um, yeah. Right on it right out of college? Oh, yeah. So if I just one of those young guys that are doing reverse engineering, you know, solutions for viruses and malware that are coming around, and then, you know, progressed to, to looking at cyber criminals and the other technologies and infrastructure that, you know, that is being used, and that is emerging. So I'm excited, we are excited to be in the space.
I'm telling you, you have a tiger and you got to hold on to that tail, because it's they're very creative people out there very nefarious individuals that never stop thinking about how to, unfortunately, gain access to where they're not supposed to gain access. All right, Richard, give us a little background on who you are, and why you're such an incredible cyber guy.
Thank you, Scott. Yeah, so I've been around in the cyber security space for a little bit over 30 years. And, you know, over the last, I will say, five years or so I've been very focused on, you know, I just had no development and understanding of, you know, cybersecurity in the industrial space. But I am, you know, in the cybersecurity for more than 30 years, with the company. Previously, I involved in a lot of product development, a lot of research. So, yeah, I've been very passionate about, you know, cyber security, specifically on the industrial area, right, because I think over the last, you know, couple years, we have been having a lot of challenge, you know, especially in some of the critical infrastructure. And so we're going to talk about that a little bit more, but I'm excited to be here.
Yeah, here's the interesting part. You know, there's that the good side, bad side, double edged sword type of thing with this digital transformation journey, right? It just is. Yeah, you leverage the the available. innovation that exists out there that give you greater insights into what your business is doing. But then again, again, you're opening up areas of weakness, potentially, if you're not a business, if you're not an industrial business, not thinking about, Hey, this is great IoT stuff. What's that cyber side? Ryan, let's talk a little bit about, from my perspective, just lay the foundation of what I say, what's a cyber one, what is a cybersecurity threat? What does that mean? And why are people interested in trying to gain access to the industrial, you know, infrastructure?
Yeah. So, um, basically, a cyber threat is something that can, uh, adversely affect your network or your digital assets, right. So it can be something in a more traditional IT network, it can be like the server, it can be a user account that has access to certain information. And in other networks, like in an OT network, that can be an ICS endpoint that is responsible for controlling a certain process or monitoring certain conditions, right. But the thing that we've learned in, you know, in studying these kind of attacks, is that a lot of times the attackers don't don't really target or maybe they don't have an initial idea who they were able to compromise or gain access to, is just that, they learn about it when they are able to gain access, and then Okay, this looks like an important company. This looks like an important server in the network, I'm going to attack it, ransom, ransom it. So, and then I think like, for example, in colonial attack, right, the attackers even admitted that they were not aware of the impact of of that back that they have done.
So, again, let's get into the psychology of it. Why Why? Why is that appealing? To some? It's like, I know, I don't outside the fact that I'm, I might be considered lazy, but I don't sit around saying how do I, you know, penetrate get into? for no reason. It's like, Oh, yeah, I don't understand what's the psychology behind that.
It's it's just the money. Um, it's, it's a business out there. Um, so a lot of the attacks that are happening right now is its monetary driven, they plan to gain profit from the attacks on either via extorting for, for the files that that has been, or the network that has been held ransom, or by by by blackmailing that, hey, if you don't pay me up, I would I would reveal this information, this, this data that I have on you that I have stolen from your network, or are building up a supply value chain in the cybercrime underground network, meaning, if I, for example, have stolen several credentials, and it's quite important, I can then resell this to somebody else who might be interested in this credentials for later use. So it's really an economy out there and everything is doing with money. So
we can add it right. Because I think if you look at the history of cyberthreat, right, yeah, back in the 90s, right, most of these cyber incident or threat is really coming from I think, you know, kids or college students, and, you know, laboratory, right, that's kind of early 80s and 90s. Right, and it's proving they can do it, but then as over time, right, and you start to see these, all these digital transformation, and people are starting to see that there's a, you know, economically gain from it, right. And so, all these you know, you know, attack, or these hackers now try to basically transform their business model right, from not just, you know, I tried to prove they can do it, but now they are, you know, really focused on monetary gains and gaining access to, you know, confidential information. So all those underground, right, and that whole underground market. Oh, it is the economy, actually is quite big. I mean, it's probably a couple of trillion dollars in terms of the whole economy underground. Right. And so, well, then it's easy for them to make money, right. I mean, you know, we work. Yeah, it's easy for them. So,
the T word, oh, my jaw just dropped. I said, I can't you dropped a trillion on that
hole, maybe 100 billion, you know, I can't remember the exact number. But the last look, it was something like, I can't remember Ryan. But what something two or $300 billion, or something economy or something. Right. So it's more on the B, not on the T? Yeah.
Holy cow. Yeah. I better get I better sharpen up my skills. If that's the case. No, no, don't even don't even contact me and say that. Okay. So, me, business owner, I'm still very confused. And the reason I'm confused is, is where are the laws that in this case, let's let's let's use the the elephant in the room. Let's just take a take that, for example, you got this ransomware situation on colonial pipeline, it is impacting me, and it's impacting a lot of people around the United States. And they I guess, they tracked it back to Russia and all of this good stuff. What What do we do we we pay for that extortion? What What do we do?
What are the laws? Unfortunately, a lot of victims actually opt to pay or not a lot. You know, a significant number of victims pay because it's it's also difficult for them to to recover. Once, for example, your network is hacked. They also they also play the economic game, right? So it takes us one month to recover and pay this amount of money to contractors to software licenses and everything like that instead of just paying it so they have you know, they did have to juggle that with the time constraints that they also have.
Yes. Now I understand it's like, boom, incident happens ransomware bring where we've got a problem. Now the decision on the business side is like, okay, we can pay it. Okay, I see it, or I haven't got to find somebody or some company or some entity to remove it has a price. This has a price. And you got to look at it. from that. That point of view. Yes. Oh, that's ugly. I'm sorry.
Oh, yeah. And that's really difficult, especially in in industrial environments, because you also need to factor in, you know, last time. Yes, right.
Yes. So let's, let's, let's sort of pull on that string a little bit with the colonial pipeline ransomware. Do you by chance, Ryan have any insights into what what took place with that event?
Alright, so I'm not going to speak about anything that I don't factually know. But for example, it's been known that these ransomware groups don't operate by themselves, they have other affiliates or partners that would do the actual hacking for them. And they just, you know, it's like, commission based, you install a ransomware into a compromised network, we don't do the compromise ourselves. We don't do the hacking ourselves. But if you've managed to hack the network, contact us, and you'll get a cut of whatever profit we make from that. So there's also like a, you know, tiered model there. And then it's also depends on whom they're able to, to hack or compromise. If it's a bigger company, they would ask for a bigger ransom. If it's a smaller company, you know, they actually judge the cup the capability to pay of the victim. So and how would the initial compromise or hack happen? Several things. There are there might be unpatched systems that are exposed to the internet, there might be, you know, phished user accounts, user credentials, that attackers were initially able to gain access to, or there might just be some security misconfigurations that are made available, or, you know, the hacker was able to, by happenstance, able to access and these things happen, and we've seen, you know, all of these things played out in previous incidents.
So this is it. This is unnerving. Right? You and others with Trend Micro, this never stops, right? No, they don't just say, Hey, guys, Trend Micro there, they've, they've pretty much should protect everything. And so we might as well just shut it down. That's not the case. They're gonna continue to try to figure out ways of penetrating these because the financial rewards are too great.
Oh, yes, definitely. That's why for example, you know, one of the push is not just for, for having security products, but also having people in, in the industry advocate for more cybersecurity, or tailored cybersecurity for this particular niche, right. Industry niche. Yeah, and also having people in the industry, talk to each other share information, share best practices, in order to have a higher raise the bar for the attackers, you know, to overcome.
So I hear what you're saying, I'm uncomfortable, I'm getting. Now if they hack me, I've got $20 out there, I'll pay for it. But that's about it, that I don't have anything beyond that. But let me ask you this. What are the actionable items that we could do today? If I was a business? Give us a little, you know, 123 do these things today?
All right. Um, yeah. So so one of the things that we've seen is that, um, basic security, hygiene or cybersecurity hygiene is not, or, you know, it's not as widespread as we would have hoped. There's a lot of small companies out there that that have what one IT administrator guy who's managing the whole network, both IT and OT network side, and that is not enough. One of the things that, that contribute to that is, is that there's the awareness of the business owner of the magic Assuming that security is important, cybersecurity is important. So I think if we have to start somewhere, we have to put out the word out there that, first and foremost, cybersecurity is important, especially, if you have critical infrastructure and critical equipment process for that you maintain and run, right. And the next step of that would be make the investment, the investment in hiring the right people, and implementing the right technology in order to properly protect all of these assets and processes. And third, would be having good knowledge on what is in your network. A lot of times, what we've seen is that the reason why an attacker is able to enter the network is because there is one computer out there, that has been forgotten that it's not part of the audit, that was just lying there connected to the network, and everybody has forgotten about it. And that was the what the attacker was able to gain access to. So having complete visibility and audit on what assets you have, and what were those where those assets are connected to, and what these assets mean to the network would be, you know, a good step to be able to know, your network and to be able to properly protect the network.
Yeah, a couple of things as well. I think in addition to you know, Ryan's point, when I speak to many of my customers appointment, there are kind of four key pillars that I typically recommend them, right. And those are, you know, people process technology and culture within an organization, right. And so, I think people play a very important role in cyber security or your cyber strategy, right? If you have a good train, security awareness organization, that can reduce your cybersecurity risk, as well as having the competence peoples and risk to deal with such instances, the employer was I think the people pieces are also very important. And then you know, followed by that process, right, you know, to get a good cybersecurity strategy, you need to have some type of process in place, right, so that you can some kind of governance or some type of auditing, to make sure that you as you implement your cyber strategy, you continue to evolve, you continue to basically make sure that you get improved over time, right, and so a good process in place, and that they're also very good in the technology itself, specifically on the industrial control side, right, in industrial control, because some of these systems have been around for decades, right, and many of this system have, or operating system, you know, it was never designed to have security. So you wanted to build the right security solution implement right solution, is to make sure that the solution, you actually mean to that environment can be adapt, right and work in that environment. Because my experience, we have many customers, where they try to take an IT product and try to deploy it on an OT environment, and does not always solve the problem, because they actually create more problems than, you know, solving it. So understanding technology, right, you know, validate, verify, and make sure the technology can be worked on that environment. And then of course, last but not least, is that culture thing, right? 
You know, it's, you have to create some kind of like culture, cybersecurity culture within the organization. And, you know, and that will really going to help people to kind of, you know, evolve around and make sure that can be done. Otherwise, you know, people just don't care too much and put us in cybersecurity very low. So, at least those are the on a very big picture with a fundamental thing I think organizations need to consider, and then you talk about what are my cyber security cyber framework need to look at? Right, so
those are the things very good on both both accounts, very interesting. Now. It makes sense. What are the roadblocks what what are preventing people to do the what is right for their organizations in the world of cybersecurity? What what are they not getting?
Me? Wrong, you can add? Right, as you know, I think that especially in the industrial sector, there are some definitely business challenges. Right. And, and we can talk about a little bit and also there's some technical challenges, you know, and those are the roadblocks. I think in in especially on the OT world, right, you have kind of four areas that I see it a big challenge. One is that lack of domain knowledge and expertise right especially on you know, in cybersecurity for OT or industrial control side. There's a lack of skill set lack of expertise in that area. So that's one big, I think, kind of issue on that. And then, you know, traditionally you have this convergence between IT and OT. Yeah, you don't have that before I before, which is IT, and then OT they are completely separate. But now you have this convergence. And that roles and responsibilities become very unclear as to who need to manage or need to make decision on soon, let's say a cyber incident. Right. And that is also a big, big challenge for many, many organization. And then another piece, is that legacy liability, right? You know, you have all these all environment going around for that? And how do you make sure that you can implement the right technology, the right solution into those environments? So that's a big challenge for them, because maybe this environment being worked and, you know, will continue to work, you know, for the next five or 10 years. Right. And I want to touch it. Right. And, you know, in always a day, it will work in you know, why? Why bought it right? So I think that's a big, you know, obstacle for folks. And I think last but not least, and it is from my perspective is that, you know, organization tend to kind of put ha, I will say priority on the economic side, versus cybersecurity, right, cybersecurity is always going to kind of draw or color the secondary, you know, I think priority.
And so, I think that had to change giving someone a very current incident, like from the Colonial Pipeline, or the SolarWinds attacks, or even some of the, you know, Microsoft, you know, vulnerability, right. These are, it should be, you know, upfront and impiety for many organizations. So it is those are some of the challenges in know, people maybe last thing is, is that all I write people don't see your return on investment, as you will come to investing in cybersecurity. Right. And so, they want to see the economic and sometimes, you know, you don't see that. So it's those are some of the I think, potential challenges for many organizations. Well,
I guarantee a colonial knows about the ROI understands the economic impact. That's for doggone sure you have anything to add to that, right.
Oh, yeah, I think the one thing that I would like to add is that I think there's still big discrepancy you between what the IT people think, and OT people think. And I think it's just a matter of them. Getting into a room together, understanding each other's priorities and what we are they're trying to achieve, such so that the digitization that is happening right now proceeds with security in mind, and also supports both the IT objective and the OT objective.
And that's cultural. None. And, yes, Richard brought that up. And that's a cultural thing. And we've all been in organizations where that, that they don't talk. They they just don't.
Yeah, unfortunately, you know, in this industry, especially for the industrial control side, right, these people haven't been talking to each other for so so many decades, right. And now, you know, because this convergence is forcing people to have that conversation and talking, and I think it's very difficult, right?
So I've got a couple of other sort of insights here that I want to ask you guys. First off, let's say I'm a I'm a business. And, and I think Ryan and Richard, you painted a picture that it's a dynamic environment out there, and you got to keep current and you got to constantly consume this information in some way, shape or form. You got to find the organizations to be able to share their story, which is pretty hard when it comes to cybersecurity people are not really sharing information from a business, what's going on? Now? I've got limited, let's say limited resources, fine. Is there a value proposition for what I would call a fractional cybersecurity expert? Like, I can't have a guy on on board? I can't pay that. But I can try to fractionalize and say, I've got I've got somebody over here that keeps current with all the information that's out there. I can draw upon that. There's a it makes sense for my financials, but I'm in the I'm moving forward in a secure or a secure strategy. Is there is there any value proposition there?
I think I'm within the industry. There are industry specific CERTs, computer emergency response teams. I believe there's ICS-CERT that exists, and they are the they would have, they would send regular notices on certain incidents that are happening that are affecting the industry. So there are organizations out there that do this kind of things that help distill, you know, that stream of information and turn it to the right industry and to the right people. I think also, there's some ISAC type of organizations that is also for for ICS, and to. So I think, you know, if you're a business, and you're, you know, you want to have industry relevant information regarding cybersecurity, it would be best to subscribe into these types of organizations and mailing lists, because, you know, the information that that arrives to us already filtered out, and it would be relevant to your industry.
We talk about and I think, I think, Richard, you brought it up, which is very important. In in the world of utilities, when we start talking about legacy liability, there are assets out there that are 5060. And beyond years of age, and it still works still current churning along, I see a real challenge to say, how do we create a secure environment for those, and that's also in the water, right? You don't you don't want compromises in the water world, you just don't? And, and given the realities that have taken place recently, with colonial and others? I don't, I want to compress my time. So how do I get ahold of somebody at Trend Micro to help me with my learning curve to get up to a speed where I feel comfortable. And then I can start deploying the things that I need to do to process or begin to think through it. Because I just, if you want this digital transformation, world we want to live in, you cannot ignore the cyber side, cybersecurity side, is there a way of being able to contact Trend Micro?
Yeah, so, you know, as you know, Trend Micro has been around for over 30 years, right. And we have many partners, as well, as you know, you know, reseller across in the US or across multiple regions are, and, you know, and each of these partners, and, you know, partner, we actually do a lot of training for them, right? available need to buy used to be, you know, person to person in the past, but now we have not online materials, that, you know, anyone can actually come into our website and get that training, and you get that education. And that's available today through our partners or through some our retailers. Right. And, of course, you know, there are tons of information that we are making available for anyone that who are interested in learning more of this, you know, at our website, where you just contact Trend Micro directly, and we'd be happy to send you all the necessary information needed.
Yeah, out on the trendmicro.com website. And I'm looking at everything you've got, it's, it's easily navigate, I can navigate around it, I can see every thing that exists out there, I see partners to see support. I think it's an easy, easy peasy way of being able to sort of begin that education and cybersecurity just because, I mean, let's just let's just lay it on the table. You have to you can't ignore it, right. You're just Yeah, sorry. You might want to, and, but you're gonna have to do it.
So to add, if you know, our viewers or listeners can just google Trend Micro IoT security, we actually have a dedicated page for IoT security related news and research straight from the research team, such as from my team and other teams inside Trend Micro, and that's, you know, condensed, organized into that single page for the relevant information.
All right, listeners, we're gonna have all these links, including some of the other resources that they were talking about. So fear not, you'll be able to find everything you possibly can. There it is. I just, I've been on the the Trend Micro site. I just popped into the Trend Micro IoT security site. Excellent. Yep. Resource rich. No complaining, baby. Not. You're not gonna listen to it. If I did complain, I'm already nervous. Yeah. All right. We're gonna have to wrap it up. This and I want to make sure everybody notes this. This is a real important conversation. We're going to continue to expand upon it because we have more in the area of cybersecurity. So, don't, don't just say this is one and done, we've got more that are is very important. This is a very important topic that is meaningful to your business. This was on cybersecurity threats, challenges and risks. Big, big, we're going to give you some links out there definitely. This is going to be an A video, it's going to be often. So learn your cybersecurity. Ryan, absolute wonderful meeting you. Thank you, Scott, for having us. Always enjoyed your conversation. Richard, you're all great. Thanks, guys. Awesome job. Yep, thank you. And once again, listeners, we're gonna wrap it up on the other side, we're gonna once again figure out how to can contact with his Jensen and everything that's associated with cybersecurity. You're listening to the Industrial Talk Podcast Network.
All right, once again, this is number one in a series of five regarding cybersecurity, and digital transformation and why it's important for you, as a manufacturer, as anybody within industry, to reach out to Trend Micro find out more, it'll all be out there on industrialtalk.com. And remember, we're going to have this as a featured Industrial Academy, learning management opportunity, as well with all of the links, all of the contact, all of the information that you could possibly need to gear up and make sure that you are truly ready to go in your cyber world. Once again, let's talk a little bit about that event that we're talking about. June 16. Put that on your calendar 11am 4pm. I have the links out there. Just go out to Industrial Talk, find the right time zone. But remember, you need to have this conversation. You need to be able to do this. It is exceptionally important. Now, before I go, second podcast, industry, business and technology trends, stay tuned. We're gonna have another great conversation.
Transcript
Welcome to the industrial talk podcast with Scott MacKenzie. Scott is a passionate industry professional dedicated to transferring cutting edge industry focused innovations and trends while highlighting the men and women who keep the world moving. So put on your hard hat, grab your work boots, and let's get
All right. Welcome to the Industrial Talk podcast, the number one location for all things industrial. Yep, Industrial Talk, go figure. We talk industrial. We've got a five part series, a five part series that focuses in on industrial cybersecurity, we're going to be featuring some incredible trailblazers, let's put it that way, in the world of cybersecurity, and I believe, and I think you believe, if you're going down this world of digital transformation, and you want to take advantage of Industry 4.0, you need, at the forefront of this particular decision, this strategic decision to help create greater resiliency in your business, cybersecurity. Let's get cracking. So, yeah, I, I've been very fortunate. And of course, you know, as well as I do, that there's a lot of conversation out there about cyber security, you have the Colonial Pipeline. And so Industrial Talk as a whole wants to be this just a central location for industrial related information. So you don't have to go around. We want to promote events, we want to promote individuals that are speaking at these events, we want to facilitate this knowledge, because we believe that education is it, education, collaboration, and innovation is where success will be in the future. And that's just a reality of it. So I mentioned briefly about this particular five part series, this is the first of five, this is cybersecurity threats, challenges, risks in industrial control environments, and this just came out after the Colonial Pipeline, which on the Industrial Talk website, we will have a white paper that was produced by incredible people at Trend Micro, and Trend Micro sponsoring this particular series, they are fabulous to work with. I mean, when you think about cybersecurity, when you think about all the stuff that has to be thought of and, and how they facilitate this digital transformation. They're not meant to get in your way.
They're, they're meant to make sure that your life is not interrupted by unfortunate situations within cybersecurity. That's what Trend Micro is all about. Now, number two in this particular series will be industrial business and tech, not technical challenges facing industry. Number three, cybersecurity best practices, number four, industrial cyber solutions, which is pretty cool. And then finally, CEO, CEO talk. So we're gonna have a conversation on I mean, we've just got to recognize that this is important now, because I'm all about getting that information out there is an event. This is an event that is featuring and Trend Micro, it is a live event, it is June 16. This is for the Americas, June 16. It is from 11am to 4pm Eastern Time, and they're going to be talking all things cyber, because it's important. It's like the topic is ready for a new perspective, don't miss this exclusive one day virtual event. And it's going to be featuring the CEO of Trend Micro and then a gentleman by the name of Neil MacDonald, VP and distinguished analyst at Gartner. How about that. And if you're not, if you're in Europe, they have one for you, too. It's on June 16. But it's 10am to 3pm. And then if you're in the Middle East, Africa and Mediterranean, same thing, June 15, 11am to 4pm. And then finally in Asia Pacific, 10am to 3pm. Go out and I'll have the link. Don't worry about it. I'll have the link out there. But I think that this is an important conversation to have. I think you need to be a part of it. I think you need to hear from leaders within this space because well,
if you want that digital transformation journey, if you want to embrace that, if you want to reap the benefits associated with all of that, you need to have a sound and strong cybersecurity strategy, Trend Micro, reach out to them. Alright, this particular podcast which we're going to convert into the Industrial Academy, because I think it's a, it's a series that warrants an Industrial Academy type of approach. So this particular podcast we're going to be talking about cybersecurity threats, challenges and risks to the industrial control environment, it features a gentleman by the name of Ryan Flores as well as Richard Ku, both with Trend Micro. Enjoy. Ryan and Richard, thank you very much for joining the Industrial Talk podcast. Listeners, what we're going to be talking about is cyber security threats, challenges and risks in the industrial control environment. I don't know where you sit on that, and then anything cybersecurity, but that for that particular topic is dead sexy. I am excited about having this conversation. For the listeners and Ryan, give us a little background on who you are, level set, figure out who you are. And then we're gonna go to Richard, do the same thing. And then we're gonna go into that topic.
All right. Hi, everyone. I'm Ryan Flores. I'm happy to be here. I've been working in the cybersecurity space for more than a decade now, investigating attacks and incidents. So you know, the recent attacks that have been happening, it's, um, quite close to my passion and my field.
It's interesting. I, I'm looking at your stat card out on LinkedIn, you've been with Trend Micro for 18 years. Oh, yeah. Oh, yeah. Why don't you just start at age one?
No, no. Um, yeah. Right out of college. Oh, yeah. So I was just one of those young guys that are doing reverse engineering, you know, solutions for viruses and malware that are coming around, and then, you know, progressed to looking at cyber criminals and the other technologies and infrastructure that, you know, are being used, and that are emerging. So I'm excited, we are excited to be in the space.
I'm telling you, you have a tiger and you got to hold on to that tail, because it's they're very creative people out there very nefarious individuals that never stop thinking about how to, unfortunately, gain access to where they're not supposed to gain access. All right, Richard, give us a little background on who you are, and why you're such an incredible cyber guy.
Thank you, Scott. Yeah, so I've been around in the cyber security space for a little bit over 30 years. And, you know, over the last, I will say, five years or so I've been very focused on, you know, I just had no development and understanding of, you know, cybersecurity in the industrial space. But I am, you know, in the cybersecurity for more than 30 years, with the company. Previously, I involved in a lot of product development, a lot of research. So, yeah, I've been very passionate about, you know, cyber security, specifically on the industrial area, right, because I think over the last, you know, couple years, we have been having a lot of challenge, you know, especially in some of the critical infrastructure. And so we're going to talk about that a little bit more, but I'm excited to be here.
Yeah, here's the interesting part. You know, there's that the good side, bad side, double edged sword type of thing with this digital transformation journey, right? It just is. Yeah, you leverage the available innovation that exists out there that gives you greater insights into what your business is doing. But then again, you're opening up areas of weakness, potentially, if you're not a business, if you're not an industrial business, not thinking about, Hey, this is great IoT stuff. What's that cyber side? Ryan, let's talk a little bit about, from my perspective, just lay the foundation of what I say, what's a cyber one, what is a cybersecurity threat? What does that mean? And why are people interested in trying to gain access to the industrial, you know, infrastructure?
Yeah. So, um, basically, a cyber threat is something that can, uh, adversely affect your network or your digital assets, right. So it can be something in a more traditional IT network, it can be like the server, it can be a user account that has access to certain information. And in other networks, like in an OT network, that can be an ICS endpoint that is responsible for controlling a certain process or monitoring certain conditions, right. But the thing that we've learned in, you know, in studying these kinds of attacks, is that a lot of times the attackers don't really target, or maybe they don't have an initial idea who they were able to compromise or gain access to, it's just that they learn about it when they are able to gain access, and then, Okay, this looks like an important company. This looks like an important server in the network, I'm going to attack it, ransom, ransom it. So, and then I think like, for example, in the Colonial attack, right, the attackers even admitted that they were not aware of the impact of that back that they have done.
So, again, let's get into the psychology of it. Why Why? Why is that appealing? To some? It's like, I know, I don't outside the fact that I'm, I might be considered lazy, but I don't sit around saying how do I, you know, penetrate get into? for no reason. It's like, Oh, yeah, I don't understand what's the psychology behind that.
It's, it's just the money. Um, it's, it's a business out there. Um, so a lot of the attacks that are happening right now are monetarily driven, they plan to gain profit from the attacks, either via extorting for, for the files that have been, or the network that has been held ransom, or by blackmailing that, hey, if you don't pay me up, I would, I would reveal this information, this, this data that I have on you that I have stolen from your network, or are building up a supply value chain in the cybercrime underground network, meaning, if I, for example, have stolen several credentials, and it's quite important, I can then resell this to somebody else who might be interested in these credentials for later use. So it's really an economy out there and everything is doing with money. So
we can add it right. Because I think if you look at the history of cyberthreat, right, yeah, back in the 90s, right, most of these cyber incident or threat is really coming from I think, you know, kids or college students, and, you know, laboratory, right, that's kind of early 80s and 90s. Right, and it's proving they can do it, but then as over time, right, and you start to see these, all these digital transformation, and people are starting to see that there's a, you know, economically gain from it, right. And so, all these you know, you know, attack, or these hackers now try to basically transform their business model right, from not just, you know, I tried to prove they can do it, but now they are, you know, really focused on monetary gains and gaining access to, you know, confidential information. So all those underground, right, and that whole underground market. Oh, it is the economy, actually is quite big. I mean, it's probably a couple of trillion dollars in terms of the whole economy underground. Right. And so, well, then it's easy for them to make money, right. I mean, you know, we work. Yeah, it's easy for them. So,
the T word, oh, my jaw just dropped. I said, I can't you dropped a trillion on that
hole, maybe 100 billion, you know, I can't remember the exact number. But the last look, it was something like, I can't remember, Ryan. But what, something two or $300 billion, or something economy or something. Right. So it's more on the B, not on the T? Yeah.
Holy cow. Yeah. I better get I better sharpen up my skills. If that's the case. No, no, don't even don't even contact me and say that. Okay. So, me, business owner, I'm still very confused. And the reason I'm confused is, is where are the laws that in this case, let's let's let's use the the elephant in the room. Let's just take a take that, for example, you got this ransomware situation on colonial pipeline, it is impacting me, and it's impacting a lot of people around the United States. And they I guess, they tracked it back to Russia and all of this good stuff. What What do we do we we pay for that extortion? What What do we do?
What are the laws? Unfortunately, a lot of victims actually opt to pay or not a lot. You know, a significant number of victims pay because it's it's also difficult for them to to recover. Once, for example, your network is hacked. They also they also play the economic game, right? So it takes us one month to recover and pay this amount of money to contractors to software licenses and everything like that instead of just paying it so they have you know, they did have to juggle that with the time constraints that they also have.
Yes. Now I understand it's like, boom, incident happens ransomware bring where we've got a problem. Now the decision on the business side is like, okay, we can pay it. Okay, I see it, or I haven't got to find somebody or some company or some entity to remove it has a price. This has a price. And you got to look at it. from that. That point of view. Yes. Oh, that's ugly. I'm sorry.
Oh, yeah. And that's really difficult, especially in in industrial environments, because you also need to factor in, you know, last time. Yes, right.
Yes. So let's, let's, let's sort of pull on that string a little bit with the Colonial Pipeline ransomware. Do you by chance, Ryan, have any insights into what, what took place with that event?
Alright, so I'm not going to speak about anything that I don't factually know. But for example, it's been known that these ransomware groups don't operate by themselves, they have other affiliates or partners that would do the actual hacking for them. And they just, you know, it's like, commission based, you install a ransomware into a compromised network, we don't do the compromise ourselves. We don't do the hacking ourselves. But if you've managed to hack the network, contact us, and you'll get a cut of whatever profit we make from that. So there's also like a, you know, tiered model there. And then it also depends on whom they're able to, to hack or compromise. If it's a bigger company, they would ask for a bigger ransom. If it's a smaller company, you know, they actually judge the capability to pay of the victim. So and how would the initial compromise or hack happen? Several things. There might be unpatched systems that are exposed to the internet, there might be, you know, phished user accounts, user credentials, that attackers were initially able to gain access to, or there might just be some security misconfigurations that are made available, or, you know, the hacker was able to, by happenstance, able to access and these things happen, and we've seen, you know, all of these things played out in previous incidents.
So this is it. This is unnerving. Right? You and others with Trend Micro, this never stops, right? No, they don't just say, Hey, guys, Trend Micro there, they've, they've pretty much protected everything. And so we might as well just shut it down. That's not the case. They're gonna continue to try to figure out ways of penetrating these because the financial rewards are too great.
Oh, yes, definitely. That's why for example, you know, one of the push is not just for, for having security products, but also having people in, in the industry advocate for more cybersecurity, or tailored cybersecurity for this particular niche, right. Industry niche. Yeah, and also having people in the industry, talk to each other share information, share best practices, in order to have a higher raise the bar for the attackers, you know, to overcome.
So I hear what you're saying, I'm uncomfortable, I'm getting. Now if they hack me, I've got $20 out there, I'll pay for it. But that's about it, that I don't have anything beyond that. But let me ask you this. What are the actionable items that we could do today? If I was a business? Give us a little, you know, 123 do these things today?
All right. Um, yeah. So, so one of the things that we've seen is that, um, basic security hygiene or cybersecurity hygiene is not, or, you know, it's not as widespread as we would have hoped. There's a lot of small companies out there that, that have one IT administrator guy who's managing the whole network, both IT and OT network side, and that is not enough. One of the things that, that contribute to that is, is that there's the awareness of the business owner of the magic Assuming that security is important, cybersecurity is important. So I think if we have to start somewhere, we have to put the word out there that, first and foremost, cybersecurity is important, especially if you have critical infrastructure and critical equipment process for that you maintain and run, right. And the next step of that would be make the investment, the investment in hiring the right people, and implementing the right technology in order to properly protect all of these assets and processes. And third would be having good knowledge on what is in your network. A lot of times, what we've seen is that the reason why an attacker is able to enter the network is because there is one computer out there that has been forgotten, that is not part of the audit, that was just lying there connected to the network, and everybody has forgotten about it. And that was what the attacker was able to gain access to. So having complete visibility and audit on what assets you have, and where those assets are connected to, and what these assets mean to the network would be, you know, a good step to be able to know your network and to be able to properly protect the network.
Yeah, a couple of things as well. I think in addition to you know, Ryan's point, when I speak to many of my customers appointment, there are kind of four key pillars that I typically recommend them, right. And those are, you know, people process technology and culture within an organization, right. And so, I think people play a very important role in cyber security or your cyber strategy, right? If you have a good train, security awareness organization, that can reduce your cybersecurity risk, as well as having the competence peoples and risk to deal with such instances, the employer was I think the people pieces are also very important. And then you know, followed by that process, right, you know, to get a good cybersecurity strategy, you need to have some type of process in place, right, so that you can some kind of governance or some type of auditing, to make sure that you as you implement your cyber strategy, you continue to evolve, you continue to basically make sure that you get improved over time, right, and so a good process in place, and that they're also very good in the technology itself, specifically on the industrial control side, right, in industrial control, because some of these systems have been around for decades, right, and many of this system have, or operating system, you know, it was never designed to have security. So you wanted to build the right security solution implement right solution, is to make sure that the solution, you actually mean to that environment can be adapt, right and work in that environment. Because my experience, we have many customers, where they try to take an IT product and try to deploy it on an OT environment, and does not always solve the problem, because they actually create more problems than, you know, solving it. So understanding technology, right, you know, validate, verify, and make sure the technology can be worked on that environment. And then of course, last but not least, is that culture thing, right? 
You know, it's, you have to create some kind of like culture, cybersecurity culture within the organization. And, you know, and that will really going to help people to kind of, you know, evolve around and make sure that can be done. Otherwise, you know, people just don't care too much and put us in cybersecurity very low. So, at least those are the on a very big picture with a fundamental thing I think organizations need to consider, and then you talk about what are my cyber security cyber framework need to look at? Right, so
those are the things very good on both both accounts, very interesting. Now. It makes sense. What are the roadblocks what what are preventing people to do the what is right for their organizations in the world of cybersecurity? What what are they not getting?
Me? Wrong, you can add? Right, as you know, I think that especially in the industrial sector, there are some definitely business challenges. Right. And, and we can talk about a little bit and also there's some technical challenges, you know, and those are the roadblocks. I think in, in especially on the OT world, right, you have kind of four areas that I see as a big challenge. One is that lack of domain knowledge and expertise, right, especially on, you know, in cybersecurity for OT or industrial control side. There's a lack of skill set, lack of expertise in that area. So that's one big, I think, kind of issue on that. And then, you know, traditionally you have this convergence between IT and OT. Yeah, you don't have that before, which is IT, and then OT, they are completely separate. But now you have this convergence. And that roles and responsibilities become very unclear as to who need to manage or need to make decision on soon, let's say a cyber incident. Right. And that is also a big, big challenge for many, many organization. And then another piece is that legacy liability, right? You know, you have all these all environment going around for that? And how do you make sure that you can implement the right technology, the right solution into those environments? So that's a big challenge for them, because maybe this environment being worked and, you know, will continue to work, you know, for the next five or 10 years. Right. And I want to touch it. Right. And, you know, in always a day, it will work in you know, why? Why bought it right? So I think that's a big, you know, obstacle for folks. And I think last but not least, and it is from my perspective, is that, you know, organization tend to kind of put ha, I will say priority on the economic side, versus cybersecurity, right, cybersecurity is always going to kind of draw or color the secondary, you know, I think priority.
And so, I think that had to change giving someone a very current incident, like from the Colonial Pipeline, or the SolarWinds attacks, or even some of the, you know, Microsoft, you know, vulnerability, right. These are, it should be, you know, upfront and impiety for many organizations. So it is those are some of the challenges in know, people maybe last thing is, is that all I write people don't see your return on investment, as you will come to investing in cybersecurity. Right. And so, they want to see the economic and sometimes, you know, you don't see that. So it's those are some of the I think, potential challenges for many organizations. Well,
I guarantee Colonial knows about the ROI, understands the economic impact. That's for doggone sure. You have anything to add to that, right.
Oh, yeah, I think the one thing that I would like to add is that I think there's still a big discrepancy between what the IT people think and OT people think. And I think it's just a matter of them getting into a room together, understanding each other's priorities and what they're trying to achieve, so that the digitization that is happening right now proceeds with security in mind, and also supports both the IT objective and the OT objective.
And that's cultural. None. And, yes, Richard brought that up. And that's a cultural thing. And we've all been in organizations where that, that they don't talk. They they just don't.
Yeah, unfortunately, you know, in this industry, especially for the industrial control side, right, these people haven't been talking to each other for so so many decades, right. And now, you know, because this convergence is forcing people to have that conversation and talking, and I think it's very difficult, right?
So I've got a couple of other sort of insights here that I want to ask you guys. First off, let's say I'm a I'm a business. And, and I think Ryan and Richard, you painted a picture that it's a dynamic environment out there, and you got to keep current and you got to constantly consume this information in some way, shape or form. You got to find the organizations to be able to share their story, which is pretty hard when it comes to cybersecurity people are not really sharing information from a business, what's going on? Now? I've got limited, let's say limited resources, fine. Is there a value proposition for what I would call a fractional cybersecurity expert? Like, I can't have a guy on on board? I can't pay that. But I can try to fractionalize and say, I've got I've got somebody over here that keeps current with all the information that's out there. I can draw upon that. There's a it makes sense for my financials, but I'm in the I'm moving forward in a secure or a secure strategy. Is there is there any value proposition there?
I think, um, within the industry, there are industry-specific CERTs, computer emergency response teams. I believe there's ICS-CERT that exists, and they are the, they would have, they would send regular notices on certain incidents that are happening that are affecting the industry. So there are organizations out there that do this kind of things that help distill, you know, that stream of information and turn it to the right industry and to the right people. I think also, there's some ISAC-type of organizations that is also for, for ICS and OT. So I think, you know, if you're a business, and you're, you know, you want to have industry relevant information regarding cybersecurity, it would be best to subscribe into these types of organizations and mailing lists, because, you know, the information that, that arrives to us already filtered out, and it would be relevant to your industry.
are assets out there that are: Yeah, so, you know, as you know, Trend Micro has been around for over 30 years, right. And we have many partners, as well, as you know, you know, reseller across in the US or across multiple regions are, and, you know, and each of these partners, and, you know, partner, we actually do a lot of training for them, right? available need to buy used to be, you know, person to person in the past, but now we have not online materials, that, you know, anyone can actually come into our website and get that training, and you get that education. And that's available today through our partners or through some our retailers. Right. And, of course, you know, there are tons of information that we are making available for anyone that who are interested in learning more of this, you know, at our website, where you just contact Trend Micro directly, and we'd be happy to send you all the necessary information needed.
Yeah, out on the trendmicro.com website. And I'm looking at everything you've got, it's, it's easily navigate, I can navigate around it, I can see everything that exists out there, I see partners, I see support. I think it's an easy, easy peasy way of being able to sort of begin that education and cybersecurity just because, I mean, let's just, let's just lay it on the table. You have to, you can't ignore it, right. You're just, Yeah, sorry. You might want to, and, but you're gonna have to do it.
So to add, if you know, our viewers or listeners can just google Trend Micro IoT security, we actually have a dedicated page for IoT security related news and research straight from the research team, such as from my team and other teams inside Trend Micro, and that's, you know, condensed, organized into that single page for the relevant information.
All right, listeners, we're gonna have all these links, including some of the other resources that they were talking about. So fear not, you'll be able to find everything you possibly can. There it is. I just, I've been on the Trend Micro site. I just popped into the Trend Micro IoT security site. Excellent. Yep. Resource rich. No complaining, baby. Not. You're not gonna listen to it. If I did complain, I'm already nervous. Yeah. All right. We're gonna have to wrap it up. This and I want to make sure everybody notes this. This is a real important conversation. We're going to continue to expand upon it because we have more in the area of cybersecurity. So, don't, don't just say this is one and done, we've got more that are is very important. This is a very important topic that is meaningful to your business. This was on cybersecurity threats, challenges and risks. Big, big, we're going to give you some links out there definitely. This is going to be an A video, it's going to be often. So learn your cybersecurity. Ryan, absolute wonderful meeting you. Thank you, Scott, for having us. Always enjoyed your conversation. Richard, you're all great. Thanks, guys. Awesome job. Yep, thank you. And once again, listeners, we're gonna wrap it up on the other side, we're gonna once again figure out how to get in contact with these gentlemen and everything that's associated with cybersecurity. You're listening to the Industrial Talk Podcast Network.
All right, once again, this is number one in a series of five regarding cybersecurity, and digital transformation and why it's important for you, as a manufacturer, as anybody within industry, to reach out to Trend Micro, find out more, it'll all be out there on industrialtalk.com. And remember, we're going to have this as a featured Industrial Academy learning management opportunity, as well with all of the links, all of the contact, all of the information that you could possibly need to gear up and make sure that you are truly ready to go in your cyber world. Once again, let's talk a little bit about that event that we're talking about. June 16. Put that on your calendar, 11am to 4pm. I have the links out there. Just, just go out to Industrial Talk, find the right time zone. But remember, you need to have this conversation. You need to be able to do this. It is exceptionally important. Now, before I go, second podcast, industry, business and technology trends, stay tuned. We're gonna have another great conversation.