A
You're listening to Cyber Leaders. I'm James Lyne and I've spent more years than I care to admit buried in malware samples and hunting down the bad guys online; one might say proudly a nerd.
B
And I'm Ciaran Martin. My world's been more the policy and operations side of cyber security, including building the UK's National Cyber Security Centre from the ground up. Definitely not a nerd, but between the two of us, James and I cover the technical and the strategic. That's kind of the point. Cybersecurity is too important and too complex for just one perspective.
A
That's right, Ciaran. This show is brought to you by SANS, where we both work. And it's made for the people carrying the weight out there in the community: CISOs, security directors, and frankly, anyone else in a leadership role trying to defend their organization. We're here to cut through the noise, share what actually works, challenge what doesn't, and help you move a little bit faster and smarter on the things that matter.
B
And it's a first today, James, a new introduction, that. It's quite a serious backdrop to this episode.
A
Yeah, a double first in a way. Although with the introduction, probably a triple first. But one first we're very happy about; the other, well, maybe less happy in an ideal world.
B
No, I think we'd better explain what we're on about here, James. We're being as cryptic as an Enigma machine powered by Claude Mythos.
A
I like that reference. That's superb. I do think the Claude Mythos discussion is one for another day, though, Ciaran.
C
It is.
B
Yes.
A
We'd better get to that soon. But look, here are the two new things we're doing today.
C
First.
A
First, the good news. It is an absolute pleasure to bring back one of the absolute stars of a previous episode of the show. That's the legendary Tim Conway, the Technical Director of Industrial Control System Security at SANS, who has more experience of protecting critical infrastructure than basically anyone else alive and has worked on cybersecurity in the context of war in Ukraine to tremendous positive effect. And who it is a pleasure to have back on the Cyber Leaders podcast.
B
Yep, absolute pleasure to have you back, Tim. I recall fondly our debate about the relative aesthetic beauty of nuclear power stations or the wilderness. And I remember which side of the discussion you were on. Welcome back, Tim.
C
Thank you again for having me. I cannot believe you brought me back, but here I am, and I'm pleased to be here. And James, the "worked in this space more than anyone alive" makes me feel extraordinarily old, and I'm 50 in about a month, so I'm already feeling pretty old.
B
Well, you're our first guest to appear for a second time. But I'm afraid it's extraordinary reasons that bring you back, isn't it, James?
A
It is indeed, Ciaran. I should say up front, we promised Tim last time we'd bring him back for something fun.
B
Yeah.
A
So in advance, sorry, Tim. But that brings us to the second reason. This is a special episode to discuss the role of cyber in some extraordinary events. So that's the other first we're talking about. When Tim, Ciaran and I were talking about the beauty of critical infrastructure and hard plant and all that, we were talking about how to protect essential public services and such infrastructure from, well, the face of a tumultuous geopolitical world. And so now we're talking about it again in this special episode, but not hypothetically anymore.
B
Indeed, James, as everyone knows, at the end of February, war broke out with the bombings of Iran by the United States and Israel, and then the subsequent missile attacks by Iran on, well, a range of regional neighbors. Now, I guess we should be clear when we're talking. It's early to mid April, and we're in the early part of the fragile ceasefire announced by President Trump and Pakistani intermediaries and the Iranians themselves. So this episode will bring it to you as quickly as possible, but by the time it comes out, who knows what the next few days, weeks and months will bring? But given how important geopolitics and the associated risks are for cyber defenders across this wonderful network of listeners and contributors, we wanted to bring Tim back, not on a happy occasion, but on this much more serious one, to discuss what we're learning so far, as three of the world's most potent cyber actors clash militarily, and one of them, the Iranians, of course, lashes out directly against Western digital targets.
A
That's true, Ciaran. We might produce this episode and find that we have to reproduce it several times with changing events. Now, look, no one is saying this conflict is or was (I guess we don't yet know) primarily a cyber war. But this network and this podcast is about learning. And there are cyber dimensions to this conflict, which understandably haven't been given as much of an airing as other topics. I also think there are some more world firsts layered in here, and much of the world's military powers have watched as some of those firsts have played out.
B
Absolutely, James. And while it should be time to bring Tim in, we obviously on this podcast have a tradition of very long introductions. So I'm going to lengthen it further, but not for the typical reasons of just us being a little bit on the long-winded side. I think it's important to set out the facts, insofar as we can tell what they are, about cyber in this conflict. And I think there are three points. First, in Iran we're dealing with an established, capable set of actors who really specialize in disruption. We'll come to it later, but since 2012, if not before, they've had a history of wreaking havoc on Wall Street, in US critical infrastructure, in Gulf critical infrastructure, in mainstream US businesses, even in Europe. They have a long history of doing disruptive cyber attacks outside of wartime. They know how to prey on the weak points. They know those vulnerabilities between enterprise and operational technology systems that can stop them from working. So that's the first point. Second, while this isn't a cyber war, cyber is part of it. The United States have been more than usually open about their own cyber operations this year, both in Iran and Venezuela. But if we focus on the threat from the Iranian side, they have capabilities. Now, those capabilities are probably degraded. This is, after all, a war. Some of the infrastructure of the state-based hackers, the best of the bunch if you like, the most threatening, some of their infrastructure will be destroyed. Some of the non-state hackers will be in hiding. Some of them will be suffering from the Internet blackouts that the regime have imposed on the rest of the country. But that being said, however degraded they may be, the Iranian hackers are still active. Yeah, they're doing some intimidating type stuff, propaganda stuff like hacking the FBI Director's old Gmail to embarrass the US Government.
They're sending horribly unpleasant and intimidating messages to Iranian dissidents based in the US, but fundamentally they're about wrecking things. And they still have enough capability to, for example, cause a shortage of medical equipment not just in the United States, but beyond in the wider Western world by hacking Stryker, the well-known medical services company, a critically important company for global medicine and global surgery. And they're offline in one of those classic political, geopolitical attacks that looks like ransomware without a ransom. So the second point is there are operations here, there is a threat. And the third is the long-term uncertainty which may lead to a heightened threat. Look at what Iran can do when it's been degraded. Now, no one knows. As you've said, James, we may have to update this podcast because we're here at a moment in time, but there doesn't appear at this point in time to be any version of the final outcome of this war that's going to be anything other than highly tense in the long term. So we're not in the gray zone now. This is a war. But even if we get back to a gray zone, the capabilities of Iran will probably recover. So more of that Stryker type of event will happen. There will almost be a prize, for example, from the Iranian perspective, for causing this sort of chaos, chaos that criminal hackers caused in the United States with the Colonial Pipeline hack in 2021. Because what is the ultimate economic weapon right now? It's fuel shortages. So even if the cyber war hasn't cut through that much so far, we are probably in this for the long term. Tim, would you agree with that?
C
It was a wonderful summary and I would agree 100% that when Colonial happened, we treated it like any of this is: criminal ransomware groups. They didn't understand that the response from a safety perspective was going to impact liquid natural gas delivery. They were going after data. There was that assumption, but there were other groups that looked at this as, yeah, but kind of fog of war. Those adversary groups work with nation state groups and exchange information. So any information collected in a ransomware campaign is passed for future targeting, access, all of the above. And after the Ukraine war started, those conversations were immediately front and center. How would we respond differently if the Colonial Pipeline event happened again? Before, it was kind of a shoulder shrug. Ah, those Russian ransomware, extortion, criminals going
A
after money, naughty Russians.
C
If it happened post invasion of Ukraine, it would have been viewed very, very differently. And right now, at the peak of this conflict with Iran, if that same attack happened now, 100% it would be treated as a declaration of war. Same events, same cyber capabilities, same targets, same adversary groups, treated completely differently because of the geopolitical situation.
B
Well, thank you, Tim, for agreeing with me after that lengthy monologue you had to endure. I have to say, given your expertise, I'm rather relieved you agreed with me. But let's get started with you. You're the guest, you're the expert. Now, some of these questions may overlap with that monologue, but I wanted our listeners, and perhaps people who may be listening who follow this less obsessively than the likes of you, me and James, I wanted them to have a clear picture of what's been happening so far. But at the risk of repetition, why don't you set out in your own words what's been happening?
C
Yeah, I would say difficult questions get difficult answers, complex. But I think for both of you, from the perspective of this audience and leaders around the world working in governments, working in critical infrastructure, I think it's important to kind of divide this up and not look at it from one perspective. To your statements earlier on, hey, is this specifically a cyber war and are there cyber attacks as a retaliatory or a commensurate response? I think we are now in a state where kind of cyber, digital, is embedded in all elements of military conflict and any expanding geopolitical conflict. So everything is on the table from the perspective of independent commercial entities, government sites, anything that can be targeted to sort of cause some level of societal chaos or act as a deterrent. As you kind of look at the targets going against oil and the impacts on gas prices here in the US on a daily basis, that is what is being talked about: the price at the pump, constantly, from a perspective of impacting those types of critical infrastructure and those types of feeders into that market. That is what is getting the attention. Even less so than sites that are being targeted or military objectives or impacting nuclear weapons development, the news is being led by the price at the pump. So from an Iranian perspective, if you can impact that by targeting different sites, impact that by targeting critical infrastructure, that is absolutely fair game, and it will start to add deterrence and sway public opinion. Long, long ago, and both of you have been working in this space for a very long time, I imagine a lot of CISOs who are members of this network have been working in this space for a long time, and going way back, there were very, very kind of established statements on, hey, an attack on critical infrastructure is a declaration of war.
B
Yeah.
C
And in the US from the Clinton era, there were statements from the White House: attacks on critical infrastructure will not be tolerated, and they are a declaration of war. Discussions across NATO, from early attacks in Estonia in 2007, in Georgia in 2008, that involved some telecommunications impacts, involved some electric, involved some oil. There were discussions immediately of, if this occurred in NATO countries, would this be an Article 5? All of those things were happening and it was a very, very defined kind of line in the sand. And even, I'll say it now once, but I'm certain it's going to come up again just because of where we are, the Stuxnet events and kind of the discussion of, how do we start to determine whether that was a military target or whether that was sort of commercial power and energy targets that are critical infrastructure? Where do those two things overlap? And is it an attack on critical infrastructure, or was, back then, the Natanz facility a military strategic target? So the definitions have been blurring of what is an attack, what was the intent, who was the attacker? Were they state sponsored? Was it criminal kind of pulling in? What happened in Colonial Pipeline? Was that state sponsored? Was it just criminal financial gain? And how do we respond? Those things have shifted and I think in recent times, cyber attacks, critical infrastructure, they are just part of the target list. And this long list of this conflict that has begun between the US, Israel and Iran has now spread across the UAE, Bahrain, Kuwait, Qatar, Jordan, Oman, Saudi and Iraq. And then as you look across, I've been running this list of my own of different critical infrastructure sites that have been impacted, and it's grown to the point of telecommunications, petrochemical sites in the dozens, oil refineries in the dozens, oil fields, water desalinization plants, like absolutely impacting human health, pharmaceutical plants, steel facilities, data centers, LNG.
The list is massive and kind of in the 20, 30, 40 different sites and locations, even in areas outside of the conflict zone, from a pipeline in Azerbaijan to sites in Norway. Anything that has to do with kind of these critical sectors that can sway public opinion. And if it's in the immediate zone, you can assume physical and cyber will be jointly used, coordinated. If it's beyond where missiles and rocket capability can strike, it's going to be pure cyber to achieve the same goal.
A
Yeah, Tim, it's fascinating, isn't it? I mean, we've spent years on this podcast talking about what might happen when a major cyber power goes to war. And you know, everything you're describing now, we don't really have to hypothesize anymore, but it's a pretty fascinating laundry list of different happenings and not just the kind of early hours of the conflict where, you know, there were prayer apps being hijacked for kind of psyops operations and hijacking of traffic cameras. I mean, the Supreme Leader being tracked by his own city's traffic cameras. It sounds like a spy novel and yet it's something that's actually played out here. Also interesting that Iran made some pretty interesting mistakes here, but they've been in the cyber game since 2010, 2011, longer than most CISOs have been in their current jobs. No snide remarks intended there on CISO longevity. But Tim, given that we've now had several major wars recently, most obviously the long-running horrors of Ukraine, are we learning anything comprehensively about all of this? Are there marked similarities or differences between the cyber dimension of Iran and Ukraine? Has it moved on in some ways we should pay attention to?
C
Yeah. So definitely both events have highlighted absolute focus on critical infrastructure targets and kind of the overlap of when conflict begins. Critical infrastructure targets are absolutely in scope through physical, through cyber, through coordinated, as they impact a nation's capability, their communications, their power to feed critical sites. So they're 100% targeted. I can remember even as long ago as the Iraq war, some of the teams that went in, when they saw sites and they needed to sort of occupy, they just took the approach of taking them out through physical kinetic methods, and then the amount of time, effort and energy that was spent in rebuilding and reconstructing, and the amount of American lives that were lost in that effort, and allied lives, because they're less defended, less protected while they're out reconstructing transmission lines and power plants. So ideally, the ability to sort of disable through a cyber means and then turn back on without the long kind of restoration and rebuild efforts and all of those things. Cyber has long been a desired capability for any nation to develop for a conflict. And time has passed and now we've seen that across the Russia-Ukraine war. We've seen it here, we've seen it in a number of different places, with Venezuela and the impacts to kind of the power system there, joint with the operation that occurred in that country. Just looking across many, many locations and seeing this kind of nexus of cyber and physical operating together. The one thing that I will say, looking across, there are some parts of this that you sort of go, yep, this is exactly what we would have predicted in this type of thing, with a response from Iran on the cyber side with DDoS attacks, wipers.
But there are some unique things that are starting to occur, like we've seen with Stryker, and where we've seen progressions from some of the cyber attacks that occurred on critical infrastructure that tied back to the October 7th events. When that occurred, some of these Iranian groups went after water treatment facilities and water pumping stations in many nations, going after anybody who was using Israeli hardware or Israeli devices, and what the scope and the intent of those attacks were has now progressed into a broader campaign that's kind of being talked about across all the US now, with specific control system devices and control system targets, where it's not just making those devices unavailable; they've matured in attacks to misusing those devices and potentially causing misoperation and damage. The difference, what I would say we can learn, meaning US, UK people joining this call, is the variations in the retaliation and aggression and commensurate impacts. So early days in 2022, 2023, out of the attacks in Ukraine, they were much in a defensible position and looking for allies and ally support and continuing to provide and sort of sustain capabilities across the country. And it wasn't until late that retaliatory actions started to begin in that conflict. Here, retaliation was instantaneous. And you're seeing multiple impacts across the region. Cyber, physical, all of the above. I think, in both areas, what you're seeing from lessons learned in drone capability and communication attacks, GPS, SATCOM, mobile device, intel, sort of disinformation campaigns, this is definitely at a more elevated level than what we saw in the early stages of the Ukraine-Russia conflict as well.
B
Wow.
C
So things are absolutely progressing.
B
Okay. There's so much to pick up on there, Tim, particularly on the defensive side, and I'm sure we'll spend most of our time on that. Fascinated by your reference to the implications of rising gas prices in the US, the price at the pumps, the reference to Colonial Pipeline. I sometimes wonder what would happen, what the political implications would be, if there was a Colonial Pipeline type operation against the U.S. right now that actually led to shortages. But we'll come back to that. I want to spend a little bit of time just asking you about, from the US perspective, and obviously you're in the US, the offensive side. So to frame this, let's start with your reference to Stuxnet. Fascinating observations on to what extent that was regarded as a military target. But the other thing about Stuxnet was that the essence of Stuxnet was to prevent the need to go to war. It was to say, look, we don't have to bomb the nuclear facilities because we can degrade it using cyber. But in this operation, James has already mentioned the apparent Israeli hacking of traffic cameras to prepare the attack on the late Ayatollah Khamenei. You've referenced Venezuela. The president, in his own inimitable communication style, referred to what he called the discombobulator, which had unknown but apparently helpful effects in helping to land US forces in the dark of night in Caracas. So it seems that there is, on the face of it, a more aggressive use of offensive cyber in the context and the support of military operations by the US. I guess my question is, is that your impression? If so, did it surprise you? And are there any implications of a more militarily aggressive posture in offensive cyber from the United States?
A
Before you answer that, Tim, I do just have to note, Ciaran, I think on the discombobulator, murky discombobulator is another potential candidate for a threat name we need to get into our show notes.
B
Well, absolutely. And maybe Tim will tell us what the discombobulator was. But yeah, what are the implications and were you surprised?
C
I will speak nothing of that device. I would suggest that again, it's an interesting discussion where you kind of look to your audience, and the people that I see on my screen are the two of you. So as I think of you as my audience, I don't think anything about this is surprising at all. Meaning when Stuxnet occurred, and the ongoing concerns of a nuclear program in Iran for over two decades, and you sort of looked at if something were going to impact that in any way. Even now with the conflict that's occurring, being able to completely take that down and take that risk off the table, that is almost impossible to do simply from air and simply from cyber. There needs to be some level of boots on ground, people working with them, kind of doing the right thing and going in and obtaining it; it's very, very well protected and defended. Back during the Stuxnet era, that was a pure play cyber-physical kinetic impact that I think was new and novel and sort of an exquisite attack that most were not aware of from a capability perspective, or they certainly weren't thinking that way. Once that was sort of publicly understood and known, I think a number of people, like those of us on this call and CISOs that are joining, have now put that in the realm of capability understanding in their mind. But then since then, we've seen significantly less complex attacks having impacts on companies around the globe. So there's this realization that in the realm of possible, there are some very, very advanced things that we became aware of during the Stuxnet days. We've sort of worked on them at national labs and demonstrated them in conferences and seen them at proof of concept research events.
And then we've seen them in the real world, where kind of understanding this nexus of intel capabilities and where that integrates with cyber, and you see long campaigns like the pager and radio attacks. That was something that, for even those of us who've been working in this area for nearly three decades, when that happened, we started stepping back and looking at it: the complexity of doing that across supply chains and tracking and communicating, and knowing that once that capability was burned and you used it once, it's gone. And now so kind of your catalog or your library of capabilities, just like Stuxnet, once it's used, it's gone. So from a nation state perspective, you're not going to want to burn those over and over and over again, if you don't need to, of course. And with so much critical infrastructure and so many of the organizations that are listening to this call, they don't need to be that complex, they don't need to be that exquisite kind of from a capability perspective to achieve a result from a cyber, and certainly not from a physical, perspective, with low price point entry drones that can have a significant package carry weight and some physical impact in the region. There are a lot of things that can be done at a very, very basic level. And then the corollary to that from a cyber perspective as well, where some of the attacks that we're seeing, they're using cybersecurity tools against organizations.
B
Yeah.
C
So the people who are doing all the right things and going out and investing and building maturity into their environments now, they've added tools not just for themselves, but also for the adversaries.
B
So Tim, that brings us nicely to the issue of Iran's attack capability in cyberspace. This isn't their first cyber war rodeo. They have not been in a full-scale war with the US until, you can argue, last year, certainly this year. But they were hacking Wall Street back in 2012, they were hacking Saudi Aramco, causing devastation to that strategically crucial company in 2013. When the late American billionaire Sheldon Adelson made a very belligerent speech advocating strikes in Iran in 2014, he found his casinos wiped out. And you mentioned NATO and Article 5 and declarations and thresholds of war. As recently as 2022, the Government of Albania was brought to its knees because it was hosting an anti-Iran dissident group at the request of the US, and cyber attackers affiliated with Iran destroyed lots of government networks, and the Albanian government was so badly damaged they considered going to the rest of NATO and saying that they'd suffered an act of war. So given all of that, and given what we've known about the Iranian threat actors, how would you assess their capability going into the war? Who are they and what sort of things do they do that we should have been worrying about already?
C
Yeah. I think from that perspective, and I'd be interested to hear both of your comments on this, especially on the IT side, where a tremendous amount of activity that Iranian groups have been focused on has been loss of availability. So impacting from DDoS attacks, impacting data, impacting systems and access from wiper campaigns; that has been going on for a very, very long time. So that means from a capability perspective they're doing things that are relatively predictable for initial access. So large use of spear phishing campaigns for initial access, eventually progression into targeting perimeter devices and known vulnerabilities where they could sort of start using a perimeter device as a pivot point. And some interesting things where, not necessarily going direct after the target, but going after second order effects. So going to a third party and hopping through a third party, doing some research, going to a third party that has connections into a target, so contractors and construction companies and vendors or providers, so they could get to their actual target and simply pivot. So those initial access campaigns, those have been things that we've been seeing for over a decade from groups in this space, not necessarily to the level of the Typhoons, Salt Typhoon, Volt Typhoon, Linen Typhoon, from a complexity and maturity in infrastructure, not to the complexity and maturity of what we've been seeing from bespoke packages being created by Russian adversary groups and shared across attacker campaigns. Definitely more in line with sort of who I would compare, say, to North Korea from that perspective on the IT side. On the OT side, and the intent to sort of, in the early Shamoon campaigns, moving from, hey, can we live in this IT space and remain undetected so that we could then use it to pivot into the OT space, which is our actual target.
So going after, again, from an oil, from an industry perspective, those were viable targets, and getting into their operations networks so they could cause longer-term outages there. Not just in their IT networks where it's impacting data, but instead using that environment to live in, to pivot down and go after specific operational areas to cause kinetic effect. That is a unique area that we've started to see them move into, in some cases earlier than others like North Korea and other adversary groups. So on the IT side, I don't think it's anything surprising. I think it's fairly well understood over the last decade, where we've been seeing them move on more industrial targets and having impacts, kind of leading the way from other adversary groups. I wouldn't say leading the way from Russia or from China, but definitely from North Korea and other kind of activist groups around the globe.
A
They're in the club.
C
Stay with us. We'll be right back.
A
Hi everyone, James Lyne here, the CEO of the SANS Institute. A quick thought for you. Cybercriminals have networks, dark web forums where they share what works, what doesn't, and where they're constantly sharpening their playbooks against us, so why shouldn't we do the same? That's exactly what the SANS Cyber Leaders Network is about. It's a place where CISOs and security leaders share what's actually working inside their organizations and what isn't, while getting access to world-class experts sharing insights into the latest threats and trends. You'll find me in there surfing around, sharing what works. So come join us at go.sans.org CLS, that's Charlie Lima November. And if you're enjoying the show, one teeny tiny small favor: hit subscribe. That's genuinely all we'll ever ask of you. And in return we'll keep fighting to bring you the guests and conversations that you want to hear. Appreciate it all. Now let's get on with the show.
Aren't they, Tim? They may not be the most bleeding edge, but they're in the club in terms of efficacy and engagement and thoughtfulness of some sorts. Right?
C
Yes, of course. Again, you can almost still see them learning. Whereas some of the OT systems that they've impacted, like let's talk about the October 7th stuff, the things that were happening to the water treatment sites, the devices that they were going after, the level of access that they had in those devices and what they did: they impacted sort of the operator screen. So they caused a loss of view and a loss of availability because the operators couldn't directly operate. But on that same device where they basically just did a website defacement from the 90s, where they changed the operating screen so there was nothing that the operator could see or use, they could have just as easily changed all the logic and changed what was happening within that process to cause manipulation, cause misuse. They were on the same device. They had admin level access. They could have done a lot of things, but they didn't. And so you question, did they understand where they were and what they could do? And now you've seen them progress to that level in the warnings that are coming out across the US for electric, for water, for a number of critical infrastructure here, in that they have made that progression of, if we're here we can go change what this environment is doing and manipulate it to achieve an effect. So you see them sort of developing on target and progressing over time. Whereas, for example, Russia, by the time we were aware of capabilities to impact safety systems, they were already out in the wild and occurring. And we weren't even talking about that at proof of concept events at Black Hats, DEF CONs, teaching it in courseware; it was already being used and exploited in the wild on specific targets that could have impacted just about any process environment in the world.
A
Yeah, a quick little underline in here and then I've got a follow-on question for you. I think for those listening, when you think about nation states and you listen to how you described their focusing, their evolution of tactics on what they're doing, it's very tempting, I find myself doing it sometimes, to quickly frame them into this incredibly capable high-tech persona. But I think what's interesting in what you're describing is it's a lot of description of effectiveness and how they think about their targets. It doesn't necessarily come with high tech or high capability in terms of execution. I know we'll get to this a little bit later, Tim, and you can correct my messy description of this, but handler who, you know, associated with a number of attacks, including the attack on Stryker, they took responsibility for it. You know, the Department of Justice formally attributed them to Iran's military and intelligence and security division. But you know, they didn't need a zero day in that particular very sizable attack. They needed a password. So, you know, I'd love every CISO listening to kind of let that sink in and make sure, as we think about this stuff, that it doesn't necessarily, you know, have to be the case. We conflate high-end capability and targeting of these more complex environments with geopolitical goals with high-end capability. In this instance, they didn't even deploy any malware. They logged into Microsoft Intune. Tim, this might actually be the ultimate living on the land attack of all time. But we'll come back to that in a moment because I'd love to get you to walk us through what CISOs could learn from it.
B
And isn't it living off the land? Have I caught you out in something technical, James?
A
Did I say living on?
B
I'm afraid you did. That will not be edited out.
A
It's my desire to pivot into farming.
B
I just don't want our CISO listeners, at a time of crisis, thinking that there's some crazy new technique that they didn't know anything about that sounds the exact opposite, sort of, of what they need to worry about.
A
When you live off the land and you combine it with AI, then you get living on the land. It's a T-shirt waiting to happen.
B
Okay, Just for the avoidance of doubt, listeners, that's not true. Anyway, back to the somber war.
A
Back to the somber war. How's the war affected these capabilities that, you know, you're describing here? I mean, have these folks working directly for the state or through these kind of franchise connections been affected? Presumably have been affected by the bombings of key state offices. Are those with a kind of looser connection to the state affected in the same way, are they affected by this massive Internet blackout where it's very hard to get connectivity at all? Have we seen any major shift in tactics as the conflict has evolved?
C
Yeah, I think it would be silly to assume that from a cyber capability they haven't been affected, meaning loss of communications, loss of access, just daily life. Even if you are kind of going in nine to five and this is your day job, facilities that you'd be going into in some cases have been disrupted, power has been impacted. Certainly your communications are limited. If you're a hacktivist group loosely affiliated with government, loosely affiliated with the IRGC, again, you're living a life, you might have a family. Of course you're impacted by what's happening in country, and that's going to limit time and focus to go retaliate and do a number of things. I think the things that are absolutely capable, that don't require that, are some of the physical attacks and some of the physical elements. And that's where you haven't seen a slowdown. That's where you've seen a retaliatory, commensurate response happening across the entire region, targeting critical infrastructure, targeting impacts, impacting power and water. Sort of at that similar level of, if this happens to us, this is what we're going to do globally to impact the world. The more this sort of calms down from a physical kinetic impact, you're going to see a rise in cyber being reintroduced. And I don't think that's going to end even after a regime change, even after kind of conflict ends. We're creating sort of a generation-long level of retaliation and sort of impact, especially from a cyber perspective. I believe that is going to go on for some time. Just in a similar aspect to what's going to happen if we ever get to a build back better and war is over in Ukraine and Russia. What this has done across those two countries and other countries and the surrounding areas, to families and to people, this is going to be a long, ongoing, maybe non-state-sponsored, but retaliatory sort of strikes.
And to the degree that it can be done with little cost and it can be repeatable and target multiple areas, that's where cyber is a perfect fit. So I think as we start to draw down on the kinetic and physical impacts, you'll start to see a continued rise in cyber. And of course that will sort of correlate to increases in Internet and communication restoration and power stability. And then we'll get back to sort of where we were with Russia. And China for years of attacks that are coming from those nations, to what degree are they complicit as a country in allowing that from happening? And then to what degree does that start to spark additional geopolitical conflict? Because they're allowing those types of criminal groups or hacktivist groups to operate within their nation and not bringing them to
A
justice, let alone with any gentle encouragement they might offer. Just the space to operate is dangerous enough, of course. And Tim, it's interesting. I'd not really thought as clearly about it till you were describing it there, but the demarcation between kinetic and cyber, the kind of moment a ceasefire is struck, is much more clear in kinetic than with cyber. And I think you're warning that this will, you know, continue in retaliation and may even result in a higher run rate of attack in business as usual in years to come? I think it's quite likely. But to add an example there, Tim, tell us a little bit about Stryker and, you know, CISA's general kind of warning of targeting of water and energy in the US. Firstly, what happened, and is this the type of thing we might expect to see more of?
C
Absolutely. So if you think about any classroom you've ever found yourself in, James, and people that you've talked to from a CISO perspective, and you think of all the great things we've done in sort of trying to add controls and build frameworks and strengthen companies and, and really try to balance that, where are you going to spend the $1 you have and the CIS critical controls and the top five ICS controls and all the things where we're trying to help companies shape programs and where they're just asking, just tell me what to do. And you think about every one of those steps of, hey, you gotta make sure you're doing backups. And then you pause for a second and say, well, wait. So if we're doing that across a thousand substations, we certainly don't have backup systems and servers at every one. That means we are opening up firewall rules, we are allowing systems to go talk to central locations to perform backups. So we're opening paths, trusted paths, then we're installing agents, and then we're doing the same thing for monitoring and for alerting and for change management and for asset management and for asset health. All the things that we will tell CISOs and everyone listening, go do this to improve your cybersecurity. We're building all of those paths.
B
Paths.
C
And now we get to a point where if an adversary can get initial access into that space, they can ride over all those same paths. And it's not necessarily that they're targeting SolarWinds, it's not necessarily that they're targeting Microsoft or Intune. It's that they're targeting a tool that you've connected to everything that you care about. So they care about that tool. And what we have now, kind of, if you're a large multinational company, the tool sprawl that you're facing is absolutely massive. And the sort of siloed people who, I work on this tool or I work in this space and that's what I do, without understanding sort of what that means organizationally or operationally or how that could be misused, it has become very, very complex, where it may not even be truly understood what could happen. And if you look to Stryker and you see, well, sure, we've integrated and we have a federated user model and we have Active Directory spread across and we're using it at plant floor and we're using it across corporate, so we can have authentication and accountability even down to the plant floor. Look at all the great things we've done. Awesome. And then when that's misused and devices are wiped, you're not operating anymore. But if you step back from that and say, okay, now, CISO, how would you prevent this from happening to you? Well, sure, you're going to have a different Active Directory for this line at this facility and a different one for this line at this facility. And you're going to have directory segmentation and you're not going to allow them to talk. And then they look at that and say, across all the countries we operate, that's going to cost us 30 to 60 million dollars to go deploy and support and do. And now we have this even more complex environment. So it's this discussion of, after the event happened for Stryker, for example, what do we go do? How do we rate limit device wipes? From a utility perspective, we looked at the same thing.
Hey, we're going to go deploy 4 million smart meters. Awesome. All of our customers got it. Now what if an adversary gets in and, through our meter data management system, pushes a corrupt firmware and that firmware forces all the meters to open the latch and everybody's power goes off. That creates a frequency issue, causes power generation to trip offline, cascading event. And it can happen from a very simple system that we put in place. So how do we limit that from happening? Well, if we limit it, that's a software control, meaning an adversary can overcome it. So how do we have to limit it from an architecture perspective? Multiple compacts, well, that's going to cost a ton of money across every service territory. If you're a company that's water, gas and electric, that's three different meters. So the overall interconnectivity and interdependency that we've driven to has created very complex environments. The biggest thing that you would ask kind of this audience is, do you understand those interdependencies and interconnectedness, and what are your greatest high consequence events that you cannot live with? And if you can answer those questions, then you can start to work with your engineering and operations teams to design around it and operate through an attack.
A
Yeah, Tim, I think that makes a massive amount of sense. And of course what is really interesting here is that some of the seemingly most mundane attack tactics, and in some ways mundane targets, can then lead to kind of outlandishly sized and quite scary ramifications for kind of life and limb and everyday life. But I will point out for those listening again, not to be a kind of drumbeat on this, the CISA advisory around Stryker and the kind of various issues and how you'd avoid it. I mean, it reads like the greatest hits of things we've been telling people to fix for a decade. Patch systems, use multi-factor authentication. Don't leave industrial controllers on the open Internet. Personal favorite of mine. I mean, the advice hasn't much changed, but the reality seems to be that it is then hard to actually get that done and get it done comprehensively enough on scale to not present these attackers with significant opportunity. But I think from what you're describing here, the advice hasn't changed. The urgency of applying it meaningfully has.
C
The piece that I would highlight from the CISA report is how those are written. So number one, when you see something that's coming out from multiple agencies, badged as multiple agencies, that should immediately drive a little bit more attention. When you see it from multiple countries, even more so. But in this case, looking at it, I would say it's abstracted from the nuances and context of all the different targets. So in some cases we're going to sound like we're talking out of one side of our mouth and in other cases from another. Meaning it almost comes off as schizophrenic, like, hey, get the PLCs off the Internet. Well, of course, and there are absolutely some small municipalities, some cooperatives, some manufacturing sites where that is a legitimate problem, where what they're doing for port forwarding, what they're doing for the perimeter firewalls, is very, very weak. It's not great. And some devices are directly accessible and can be modified and impacted, of course. But that same kind of a scope of, could an adversary get into the IT networks, pivot down, find a data historian, pivot down, pivot down, get to an engineering set of tools and modify, and their source is coming across the Internet. Sure. So is that "get your devices off the Internet" statement still accurate? It absolutely is, but it's to a completely different degree. And what you're looking at then is segmentation and detection and various controls, different remote access and MFA. But it's still that statement in that report is sort of asking the asset owners and the operators to understand their environments, how they're supported, how they're accessed remotely, and looking at areas where they can get to those engineering tools to modify operations.
B
So, Tim, that's an excellent answer. Some really practical and specific tips on the sort of tools that people need to be thinking about to counter this threat. But because we're running out of time, sadly, we could talk about this all day, I have the unenviable task, or maybe the easy task, as it's just teeing up James, to try to take us back to the big picture, but to get us to a point where we have actionable takeaways for our listeners. Now, thankfully, we reached the stage early in this podcast, and they always tell you to get to this stage in government, particularly in a crisis, of getting an agreed analysis of the problem and the threat and the prognosis going forward. And we did that early on. Then we've got into some of the details, what's happening on the offensive side, what threats people need to be aware of. You've given some very specific tips and examples, but James will want to ask the big question. So over to you, James, for the so what in all this.
A
So, Tim, I think we're going to break show protocol here. You know, normally we have this wonderful smooth transition to my favorite bit of the show, but I think Kieran's question is much to the point and it probably fits my very favorite 30 second takeaway. Although, again, to break the rules, given that we're, you know, merging your last question with the 30 second takeaway, I'm going to allow you 42 seconds. It is, after all, the answer. So, Tim, what I'd love you to talk to, if you wouldn't mind, what are the takeaways here for cyber defenders, for operators, for businesses? I mean, there's all this going on. You've predicted that the next few years are likely to see a greater volume of retaliation attacks, more of what we've seen here, even if the war ends tomorrow. So I'd love you to take 42ish seconds and give some advice to those who may be subject to these types of attacks, and frankly for those who aren't, to be able to learn from these relatively high priority events in how they might better prioritize their security controls.
C
I'll go very tactical first and I'll just talk fast to get tactical and strategic. But the tactical side, the CISA alerts, the events that happened to Stryker, don't look at those as company specific, don't look at those as kind of a Rockwell PLC specific issue or even a US specific. This is an opportunity for everyone to learn the types of devices that do cyber physical impact. Any controller, any system, not just Rockwell, not just Rockwell protocols. The targeting of those in the US and beyond in critical infrastructure, that is something everyone needs to stand up and pay attention to. So looking at that alert and not just shrugging a shoulder like, oh well, this is the US, we're safe over here in the UK, or hey, this is Rockwell, we're doing real good here because we're on a Siemens system. I would very much read into that as, these are tactics that are easily modified regardless of location and controller or device. The other piece that I would say that is more kind of strategic, forward looking, is with what's happening in Iran and what we expect to continue to happen from a cyber perspective. Don't lose sight of the Salt Typhoons and the Volt Typhoons of the world and the things we've been worrying about for the last three years. Those haven't gone away, those haven't stopped. This is just in addition to that. So all of that sounds bad and scary. On the good side, look towards the human capability development, how you can pre-position systems before an attack happens against your environment. Look to detect and threat hunt, understand your conservative and emergency operations and how you can sort of restore system integrity. The main thing from a good news perspective, enable and equip, kind of encounter the dedicated men and women who defend critical infrastructure every day for lightning strikes, tornadoes, squirrels, rodents, cyber attacks, drones, all of the above. They are focused on delivering reliable operations. It's what they do for their careers.
We are all blessed to have them in those roles. They need assistance, they need resources and that's where CISOs and leaders come in.
A
I agree wholeheartedly, Tim, and I think, related to the theme of our episode, Kieran and I will now promptly put you in for the Nobel Prize for brevity. I assume there's one of those, and Kieran and I are never going to win it. I would note on the end here as well, we mentioned at the top of our show today the Enigma machine. Obviously some incredible mathematics and technology involved in breaking that. But for the record, it was partly cracked because the operators got lazy with their key settings. Some things in cyber security never change. So I do like your closing advice there, that we pay attention to the basics and who's doing the work and don't assume all of this is necessarily high tech. It just requires day to day focus and kind of hygiene work. Kieran, over to you.
B
And against a difficult backdrop and a lot of challenges for cyber leaders, and obviously a very concerning time for everybody trying to make ends meet as prices go up and worrying about contagion and spread of conflict and so forth, I did like the way that for cyber leaders you finished on a number of upbeat notes. One is relying on human capital, and the other is, even though there are lots of other threats out there, you mentioned the Chinese state sponsored Typhoon operations and so forth, so much of what you're recommending, if done in organizations, can mitigate all of those threats and not just this specific one. So, Tim, you did an impossible task condensing advice for cyber leaders in this extraordinary situation into such concise and actionable words. So thank you so much for coming back on the show, and do come back again. We promise you a happy episode at some point.
A
Next time. Next time.
C
If you've ever seen Saturday Night Live, when they have repeat visitors, they get to a point, I think after your third episode or your fourth, you get a jacket. So you guys are going to come up with a members only jacket from the 80s with some patch or a symbol with the number of attendances.
B
Well, you're on the top of the leaderboard right now and not only have we seen Saturday Night Live, they've just launched a British version. I don't think the Prime Minister likes it very much, but I guess that's kind of the point. Well, we have to leave it there. That's it.
A
Okay. And can I just suggest that the jacket is branded with "living on the land". Okay. Anyway, go back to your point.
B
We'll get back to the point, and we hope that there has been some levity amidst this somber backdrop. But that's it for this special episode. You can leave us feedback at the podcast site, you can email us at cyberleaderspodcast@sans.org, and if you're on the podcast site or any of the other sites, leave us a rating. Apparently it really helps.
A
And with that, thank you very much for listening.
B
Yes, thank you for listening. And keep cybering. For me, Kieran Martin,
A
and me, James Lyne, it's goodbye. And please try and keep your industrial controllers disconnected from the Internet if you can.
Date: April 22, 2026
Host: SANS Institute
Guests: James Lyne (A), Kieran Martin (B), Tim Conway (C)
This special episode of Cyber Leaders, hosted by James Lyne and Kieran Martin, features Tim Conway, Technical Director of ICS Security at SANS, and delves into the rapidly evolving cyber threat landscape during the newly erupted military conflict between the United States/Israel and Iran. With critical infrastructure under both physical and digital attack, the conversation centers on what cyber defenders and leaders are learning in real time from a war zone dominated by some of the world’s most capable cyber actors. The episode delivers actionable insights for CISOs and security professionals on how to protect essential services in high-stakes, high-impact environments.
Quotes:
"So the second point is there are operations here, there is a threat. And the third is the long term uncertainty which may lead to a heightened threat. ...even if the cyber war hasn't cut through that much so far, we are probably in this for the long term."
— Kieran Martin (06:37)
“Same events, same cyber capabilities, same targets, same adversary groups, treated completely different because of the geopolitical situation.”
— Tim Conway (08:52)
“Critical infrastructure targets are absolutely in scope through physical, through cyber, through coordinated as they impact a nation's capability... The news is being led by the price at the pump.”
— Tim Conway (10:25)
“Some of the attacks that we're seeing, they're using cybersecurity tools against organizations. So the people who are doing all the right things... they've added tools not just for themselves, but also for the adversaries.”
— Tim Conway (22:54)
“They didn’t even deploy any malware. They logged into Microsoft Intune. Tim, this might actually be the ultimate living on the land attack of all time.”
— James Lyne (31:31)
“The overall interconnectivity and interdependency that we've driven to has created very complex environments.”
— Tim Conway (38:44)
“The advice hasn’t much changed, but the reality seems to be that it is then hard to actually get that done and get it done comprehensively enough on scale to not present these attackers with significant opportunity. But... the urgency of applying it meaningfully has.”
— James Lyne (40:45)
“Don’t look at [CISA alerts] as company specific... This is an opportunity for everyone to learn the types of devices that do cyber physical impact... not just Rockwell, not just Rockwell protocols.”
— Tim Conway (44:32)
| Segment | Start | End |
|----------------------------------------|---------|---------|
| Context & Introduction | 00:02 | 04:04 |
| Geopolitics and Cyber Threat Framing | 04:04 | 07:47 |
| Rules of Cyber War & Critical Sectors | 07:47 | 14:54 |
| Iran vs. Ukraine Cyber Lessons | 14:54 | 18:20 |
| Offensive Cyber by US & Allies | 18:20 | 23:25 |
| Iranian Capabilities & Behaviors | 24:34 | 32:11 |
| Evolving Adversary Environment | 32:11 | 35:55 |
| Stryker Attack & ICS Exposure | 35:55 | 42:33 |
| Practical Advice for Leaders | 42:33 | 46:29 |
| Takeaways and Closing | 46:29 | 48:56 |
| Recommendation | Details/Further Considerations |
|-------------------------------|-----------------------------------------------------------|
| Read all advisories carefully | Assume global applicability, not just local relevance |
| Map interdependencies | Analyze how connected tools/services can be leveraged |
| Invest in ops & people | Training, processes, recovery planning, cross-team drills |
| Fundamentals matter most | MFA, asset management, patching, segmentation |
| Don't conflate sophistication with risk | Even basic attacks (e.g. stolen credentials) can be devastating |
| Prepare for protracted threat | Build resilience for "business as usual" attack volume |
The episode blends pragmatic, often sobering analysis with dry humor and a strong call for smart prioritization in times of crisis. The overwhelming message: the best defense is a well-led, well-trained human team, rigorous (but realistic) security basics, and a sharp understanding of your own environment’s weakest links. As attackers evolve and conflicts spill into cyberspace, learning quickly—and acting on those lessons—is imperative for cyber leaders everywhere.
“Some things in cybersecurity never change. ... pay attention to the basics and who's doing the work and don't assume all of this is necessarily high tech. It just requires day to day focus and kind of hygiene work.”
— James Lyne (46:56)