C (13:02)

Now, it's not like it which you know, I decide the brand of the laptop of the CEO as well as the brand of the laptop of the plan manager. It's more in partnership because it is still the plan manager or the operations people or the production people that decide, you know, what kind of whether it's Rockwell or Siemens or Schneider or GE or Mitsubishi, what combination of vendors they're going to have, sometimes it's not a decision, sometimes they come via an acquisition. And as we discussed, the life of this asset is longer. So you can't just say, okay, I bought this plant and I decided that I don't like the vendor that they use. I'm just going to go change it. That is not in the cost structure of the plant.

D (13:43)

And we are here at RSAC 2026 right on the show floor. And joining me is Edgar Capdeviel. He is the CEO of Nozomi Networks. Edgar, thank you so much for joining us.

C (13:54)

Thanks for having me.

D (13:56)

We find ourselves in a very interesting moment in history with the activities going on in Iran, the conflict there. What does that mean for the world of industrial control, critical infrastructure, all those things.

C (14:12)

As you might expect, Iran and that region relies heavily on critical infrastructure, both on the defensive and the offensive side. Iran has been a long time active threat actor in terms of various apts and in particular addressing critical infrastructure and industrial control networks. Now that the conflict is very, very active and very, very kinetic, the threat landscape has been, you know, Heitland really very much. We have a ton of customers in the region and we have been able to get a lot of threat intelligence around what Iran is doing and there's been very significant Activity both in transportation, manufacturing and energy.

D (15:04)

Can you give us some insights of the types of things that you're tracking? What sort of activity are we talking about?

C (15:10)

We're tracking various groups that have been known for, for a long time. Yeah, Apt 33, 34 in the 40s as well. And these groups are like I said, very active. We are able to do a lot of visibility. I'm going to actually turn it back to maybe a different conflict.

B (15:29)

Yeah.

C (15:29)

When the Russian Ukrainian conflict was starting, we saw also a lot of Russian activity and we were able to see the peak and the low of those attacks in the rise you see kind of the early MITRE activities like these credentials identity in the beginnings maybe of lateral movement. And we're starting to see that now. We're in the early chapters of this Iranian. So we've seen a lot of early attacks, a lot of reconnaissance work, a lot of credentials acquisition and even some lateral movements.

D (16:04)

That's interesting. So you really see echoes of previously tracked trade craft. History does sort of repeat itself.

C (16:12)

Absolutely. In the world of it, you're able to move much faster. In the world of OT and critical infrastructure, these attacks take longer. They're the discovery phase or the early phases of those APT attacks are longer. There's a lot more discovery required.

D (16:26)

We've seen reports that Internet has basically been shut down in Iran. How does that affect everything? Does that, does that get in the way of the threat actors themselves being.

C (16:37)

I mean some communications have been affected, but these are very organized groups that work in tandem with the government. Their Internet is not shut down. They're very, very active. I see, yes.

D (16:48)

What about the other threat actors around the world? Are they taking advantage of this as a misdirection so they can do their own things?

C (16:57)

I think the level of attacks around the world is so far relatively unchanged. This Iranian set of activity has gone up significantly in volume.

D (17:08)

Can we take a step back and maybe looking down from a higher altitude, how would you describe the state of things globally when it comes to protecting critical infrastructure?

C (17:19)

Yeah, of course. Critical infrastructure security has gone through a journey. Right. Nozomi is now celebrating, celebrating its 12 years. 1112 years in business. Congratulations. Thank you, thank you. And we've seen all the different journeys. We went through the very nascent journey where only innovators adopted the technology. Then we went through the growth journey which is like people are aware of the threat, but it's a new investment. And therefore since budgets are not infinite, you need to work through the trade offs. And how do you you digest this New investment through the business model of the company. You can't just invest in something new very much like a household budget. If you have all of a sudden a new kid, you can't just all of a sudden say, okay, calibrate, my salary should go up. That doesn't happen, right? So you need to work this new item through the business model of the companies. And now we have entered the mainstream part of the market where everybody is aware we have been investing in this technology for a while. So the budget that we're working on this year is slightly bigger than the budget that existed last year, but we're not working from zero, right? So most companies have budget allocated for industrial, OT or IoT cybersecurity. And we're just getting better and better with the adoption of AI. The evildoers, the hackers, are always ahead of us. They're not burdened by regulation, they're not burdened by decision around technologies. They just adopt it and use it right away. So one of the new effects is that a mediocre hacker with AI becomes a sophisticated hacker. And in the world of critical infrastructure, you can have an IT hacker become an OT hacker fairly quickly. They don't have to learn the intricacies of industrial control systems or how each plant basically is a snowflake, right? Each plant is very unique, even though if you're copying them, the industrial controls, internals are very, very unique. So navigating through that uniqueness is something that people can do easier and easier with AI.

D (19:34)

It strikes me that over the past few years, well, the past few years that I've been keeping track of the type of work that you and your colleagues do, it felt like we were for a while in kind of a reactive stage. You know, the conversations were about, particularly on the OT side, the update cycles of these pieces of equipment are measured in decades, not digital machine speed. Do you feel as though we're in a place where we're more proactive now, that there's more recognition that we have to get ahead of these things, that the velocity is different than it was?

C (20:13)

So I think the proactiveness is not going to be measured by how the cycle of the equipment changes, because the cycle of the equipment and the deployment of technology is not going to change. When you look at a substation, that substation is supposed to live for 20 to 30 years. Sometimes your laptop is so only supposed to live three to five years. And those two things are not going to change. What is going to change is the disposition of the different partnerships, the vendors the users, the operators, in terms of how frequent and how flexible we're going to be in terms of patching equipment, incorporating security if it wasn't there in the first place. So I think the days of number one, I believe the huge myth that my facilities are air gapped, that's no longer the case. That's a myth. That's a lie. Everybody knows that. The fact that you still have very outdated versions of software, Windows XP running the thing, which is an infestation, it's basically a honeypot, if you will. And the fact that you decide that, hey, I'm just going to spend a lot of time or I'm going to let a long time pass without patching and I'm going to wait, maybe not this maintenance cycle or maybe the other one, but the other one that those that is also changing. So keeping up with the versions, keeping up with the patching, because security now is as important as consistency when it comes to optimum availability.

D (21:42)

Do you feel like there's been a cultural maturation? We used to talk about the IT folks and the OT folks and they didn't always see eye to eye. Have we. Is there been improvement there?

C (21:57)

I think we have evolved quite a bit. At the very, very beginning, the OT folks were in charge of availability and production. And don't bother me, I need to keep up with my production schedule.

B (22:08)

Right.

C (22:08)

And the IT folks were in charge of their kind of IT systems. And in the past, you know, if a vendor sold you the interconnect of your industrial automation, that was part of that vendor's footprint, whether or not it was an ethernet cable connecting everything together. Right. Okay. Nowadays, it would be a fireable offense if a CISO were to believe that TCP IP connection is not under his or her responsibility, whether or not that's connecting a printer or connecting a plc. I see. So now the CISO has centralized authority, centralized responsibility, and centralized budgeting. Now, it's not like it, which, you know, I decide the brand of the laptop of the CEO as well as the brand of the laptop of the plan manager. It's more in partnership because it is still the plan manager or the operations people or the production people that decide, you know, what kind of. Whether it's Rockwell or Siemens or Schneider or GE or Mitsubishi, what combination of vendors they're going to have. Sometimes it's not a decision, sometimes they come via an acquisition. And as we discussed, the life of this asset is longer. So you can't just say, okay, I bought this plant and I decided that I don't like the vendor that they use. I'm just going to go change it. That is not in the cost structure of the plant.

D (23:27)

Well, Edgar Captiviel is CEO of Nozomi Networks. Thank you so much for joining us.

C (23:32)

Thank you for having me.

B (23:38)

There's a lot more to this conversation than we have time to share here, so please check out the full unedited interview. You can find a link to that in our show. Show Notes.

A (23:59)

K Pop Demon Hunters, Haja Boy's Breakfast Meal and Hunt Tricks Meal have just dropped at McDonald's. They're calling this a battle for the fans. What do you say to that, Rumi? It's not a battle. So glad the Saja boys could take breakfast and give our meal the rest of the day.

B (24:13)

It is an honor to share.

A (24:15)

No, it's our honor.

C (24:17)

It is our larger honor.

A (24:19)

No, really, stop. You can really feel the respect in this battle. Pick a meal to pick a side

B (24:27)

and participate in McDonald's while supplies last. And finally Once upon a time, classic Pre OS X Max had a reputation for freezing if you merely looked at them wrong. Modern macOS, by contrast, feels rock solid right up until day 49.7 of continuous uptime. Researchers at Photon discovered that after exactly 49 days, 17 hours, 2 minutes and 47 seconds, a 32 bit counter in the XNU kernel quietly overflows and freezes the system's internal TCP clock. When that happens, closed connections in the time wait state never expire, ephemeral ports accumulate, new TCP sessions fail, and services slowly lose the ability to talk to anything at all. Ping still works, which deepens the mystery. The issue surfaced in long running imessage monitoring systems and was reproduced experimentally, then traced to a single comparison guarding the kernel's TCP timestamp counterpart. The result is a silent countdown Timer built into macOS networking. The only reliable fix today is a reboot before the clock runs out. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwiren2k.com N2K's lead producers, Liz Stokes, were mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Vermazes. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher. I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Sam.