
Roman Arutyunov is the Co-founder and SVP of Products at Xage Security, a Series B startup focused on protecting critical infrastructure—including energy systems—from cyber threats. Xage is backed by investors like Chevron Technology Ventures, Aramco, Piva Capital, Valor Equity Partners, and Overture. Cybersecurity is a growing concern as our energy systems become more distributed, electrified, and digitally connected. We spoke with Roman about the vulnerabilities in today’s infrastructure, the motivations behind cyberattacks, and how the rise of AI is changing the cybersecurity landscape.
A
Today on Inevitable, our guest is Roman Arutyunov, co-founder and SVP of Products at Xage Security, and our topic is the intersection of cybersecurity and our energy systems. Xage Security is a Series B stage startup that seeks to protect energy and other critical infrastructure from cyber threats. They've raised money from major energy companies including Chevron Technology Ventures and Aramco, as well as venture investors including Piva Capital, Valor Equity Partners and Overture. I don't know much about cybersecurity and I was interested to learn from Roman about where the threats in our infrastructure are and what motivations bad actors might have in exploiting them. I was also interested to hear about how these threat vectors are changing as our energy systems increasingly become distributed and electrified and as AI grows up around us. But before we dive in, from MCJ, I'm Cody Sims and this is Inevitable. Climate change is inevitable. It's already here, but so are the solutions shaping our future. Join us every week to learn from experts and entrepreneurs about the transition of energy and industry. Roman, welcome to the show.
B
Thank you, Cody. Thanks for having me.
A
Well, this is a topic we really haven't covered on this show very much at all, but it's so important, which is cybersecurity and our energy systems. I know energy isn't your whole focus at Xage Security, but it's certainly an area that you do have a significant business in. So excited to have you on. You were referred to us by multiple people, including our friend Shomik Dutta at Overture, who said, yeah, if you want to talk about this topic, you got to talk to Roman. That's a ringing endorsement. Welcome to the conversation.
B
Thank you, Cody. It's exciting times for the intersection of energy and cyber for sure.
A
Why don't we start with a very high level description of what Xage Security is, and then we're going to spend some time unpacking cybersecurity at the highest of levels and then take it from there. So what is Xage Security really?
B
We founded Xage Security to help organizations protect their critical infrastructure. This is the hardest type of asset to protect. Organizations today are struggling with enabling access so that work can be performed both by people as well as applications and systems, but at the same time are worried about their core assets, the assets that run the critical infrastructure, and they need to protect them. So Xage really was founded to solve some of these hardest problems, which is critical infrastructure access and protection. What we do uniquely is we really focus on critical infrastructure sectors like energy, utilities, manufacturing, and defense as well.
A
You've got a ton of logos all over your website of players in the energy space, from the US DOE and NREL to large energy producers like Saudi Aramco and Petronas, and pipeline companies like Kinder Morgan. You're clearly working at this nexus of energy and infrastructure companies. Let's start with a little bit of Cybersecurity 101. What are some of the key terms that I and we should know about when it comes to protecting critical assets, and what are the things that these companies are feeling most vulnerable about when they reach out to you?
B
I've been in this space for quite some time now, and I would say about 10, 15 years ago, the mentality in the energy companies was no one's really going to want to hack a utility. What are they going to get from it? That was a false sense of security that radically changed over the years, especially in the last five years. There is an increasing number of attacks and actors, you know, 60-plus attacks per day on energy infrastructure alone. There are a couple of motivations here. One primary motivation is ransomware, where malicious actors are going after the energy infrastructure to extract essentially financial gain for themselves, and that's dramatically on the rise. The other big aspect, though, is attacks from nation states, and those are very hard to protect against and they are very sophisticated, launched by nation states. They may be in the environment for a very long time, and organizations are obviously on the hook to protect against those as well.
A
Ransomware is obviously companies getting into a system, taking it over and basically saying you can have it back for some amount of reward for financial gain. For the nation state attacks, does it tend to be looking for IP theft? Does it tend to be focused on sabotage? Is it purely espionage and leverage? Do you have a sense of the rationale or reasons why these might be occurring?
B
Yeah, it depends on the nation, but it's all of the above. The big component there is just to extend the control, make sure that you have the controls. The nation states have controls in the critical infrastructure of other nations and US critical infrastructure. So then when they need it, they can be leveraged.
A
Now, one of the most infamous versions of that that I think has come to light in the last year or so, actually it's not in the energy sector per se, but is in the telecom sector. The whole Salt Typhoon hack that I believe was Chinese actors coming into the US telecom system that people have said is the single largest cyber attack known in the history of the world, or something crazy like that. Can you share a little bit about that and the parallels that it might have to the types of attacks that our energy infrastructure is trying to prevent?
B
We seem to be setting records with every new major attack or every major new discovery of an attack. There have been attacks of similar scope in the energy sector as well. There are nation states that have penetrated our energy sector through supply chains, through various third party connections, and have been living off the land essentially within the energy networks. With the Salt Typhoon attack, you had the discovery of the Chinese state actors being in our telecom infrastructure. The infrastructure is pretty old. It's come to light similarly in the energy space, though: we have infrastructure that's decades old and very hard to protect and easy for nation states to penetrate and get in there, live off the land and spread as needed. That becomes very hard to detect as well.
A
I've read a bit on your website and some of the writing you've done about the intersection of operational technology, or OT, and information technology, or IT. And in particular these nexus points where these two meet are often where you have extreme vulnerabilities, because you have technologies of very different ages and vintages trying to interface with one another. Particularly with this Salt Typhoon attack that we referenced, it was in that nexus as well, where some of the vulnerabilities look like they may have come in. Can you talk about these two terms and what we should know about them? Again, just sort of a little bit of Cybersecurity 101 for all of us.
B
When you think of IT, it is really the traditional enterprise infrastructure, information technology infrastructure. The goals in securing that infrastructure really tend to center around protecting the information, the databases, the data that's being generated, securing and protecting access to it. And that data, at the end of the day, is driving business decisions. It is core intellectual property of companies and rightly needs to be protected.
A
So this would be your modern enterprise SaaS level software layers that users of these systems are logging into and interacting with. Would that be right?
B
That's right. When it comes to that, think of things like software as a service applications. Think about your enterprise resource management systems, your HR systems, even your employee endpoints, laptops and workstations and the software that gets installed on those. It could be intellectual property that's on that as well, or data that needs to be secured.
A
And then what is OT, operational technology?
B
When it comes to OT, it's quite different. OT is driven by assets like sensors, meters, control systems. These assets are now digital, and they are essentially also gathering data about the state of the energy system and processing that data, making decisions and taking action in a highly automated fashion.
A
These have often been running for 20 years, 30 years. These are Windows NT systems, or even older in many cases, that are just cranking.
B
Yeah, they're just cranking, the automated systems. A portion of them are the operating systems we're familiar with, like Windows NT at least, or XP, or Windows in general. But the majority of them are embedded systems. They are controllers. Their software is proprietary, lives inside and accessible, and many times very hard to patch or update. These are the machines that are driving the industry. They are balancing the grid, they are helping to deliver power, they're keeping the lights on, the factories running. With these types of machines, there's oftentimes some human interaction with them, but they're oftentimes just very highly automated. They've been there for a very long time, and their goal is to make sure that their specific operation keeps running. If it doesn't, oftentimes the issue is not so much proprietary data loss, but more about bigger issues like environmental damage, fires, blackouts throughout the whole territory, and life and safety issues as well that arise from that. So the stakes are a lot higher.
A
If your sensors that are detecting some kind of heat or thermal anomaly are hacked and rendered inoperable, then obviously the safety of your plant becomes hugely at risk.
B
That's right. And unfortunately, these systems are pretty easy to take advantage of and to hack. Essentially, if you're able to overwrite or reconfigure a controller that's sitting out there for a critical process, it will not take a safety action when it's needed, and instead you've configured a higher threshold for it. So you may have a widespread damage or a fire before it even takes action.
A
Now, I'm guessing a lot of these systems were not originally built with Internet connectivity in mind. They were built as local on-prem software that runs there. You need to walk into the plant or the factory or whatever and be on site to pull the data off of them. But today we're retrofitting a lot of them with remote access control and things like that. Is that where this intersection of OT and IT comes together and creates issues?
B
Absolutely. So that's exactly what's going on. And there's digital transformation that's taken effect in our energy sector, where we want to drive business optimization in the way that we deliver energy, the way that we balance energy consumption and supply. For that, you need to connect them to business systems, business applications, as well as people accessing these assets remotely. We're also working in a much bigger scope with our partner companies and service providers. Any company may be working with hundreds of partners in the supply chain to deliver that energy or deliver that resource that they're producing. And they all need access as well. And their systems also do need access to this data. So now we have this intersection between enterprise systems and IT and OT. People use this word convergence. In a sense, it is convergence, because they're collaborating to deliver the ultimate goal. But security practices are quite different in IT vs. OT: it's protecting operational systems. The techniques are very different compared to protecting enterprise systems like SaaS applications.
A
Where does Xage come in? I see on your website you use this phrase, zero trust security. What does that mean?
B
What Xage has really created is a way to use zero trust principles, which means that there is no implicit trust. Any type of an asset or interaction with an asset needs to be explicitly authenticated and authorized before it can take place. Traditionally, the types of architectures that have been in place assume trust. If you're inside of the operations network, if you're on site, if you walked into a substation or you accessed a substation remotely, you're trusted. You can access everything.
A
If someone looked at your ID and said you're the right person, then you have access to do anything. Whereas going forward, you can't necessarily assume that because you're not being physically validated with your face on prem, you're logging in through some remote IT application.
B
Yes, exactly. And people used to say that if you walked into a power station or power plant, if you accessed the power plant, it's too late. You automatically have access to really everything. And today those architectures are falling short in a big way. With us, everything needs to be verified, everything needs to be authorized. For every single interaction, whether it's from a human or from another application or machine, we control those very tightly, including...
A
I'm guessing, resetting all the passwords from a username of admin and a password of password.
B
Absolutely. It's still not uncommon to find that, though there is a big initiative for energy companies to get rid of shared credentials or default credentials on these types of assets. But they have a real challenge. And that challenge is that, unlike IT systems, operational systems are highly distributed, and they're becoming even more distributed in the energy space. With renewable energy coming in, you have renewable assets really all over the place, and tying them back to some sort of a central control is just not an option. So you need a really highly distributed approach to be able to manage those credentials and manage that access, where the access is and where the assets are.
A
Let's break down some of the major customer types within energy that you work with, and how their challenges differ. As we contemplate a world that is today still primarily powered by oil and gas and is in the process of transitioning to one that's powered by renewables, how does the attack surface change as that transition happens? I know you do support a number of companies in oil and gas managing their pipelines, managing their refinery assets. How does that change in a world of solar farms and a world of distributed wind energy and battery storage resources over the next decade or two, just in terms of the different types of cybersecurity challenges that those two customer types deal with?
B
The similarities are that the oil and gas infrastructure, as well as the utility energy infrastructure, are both very highly distributed, both are now highly connected and driven by business applications, and now starting to be driven by AI enabled applications. The other similarity is they all have a mixture of assets. Some of them are new, some of them are quite legacy. They've been there for a while. An approach to cybersecurity is that you got to protect them all. You got to find a way to protect assets across highly distributed spaces, no matter how old they are, because attackers will find the weakest link and go from there. The differences are, interestingly enough, and specifically in the energy space, that with the introduction of renewable energy resources, the dynamics are quite different. Because all of a sudden a utility may not actually own those resources. They may be owned by somebody else. In fact, there's a different owner, there's a different operator, there's a different service company.
C
Hey everyone, I'm Yin, a partner at MCJ, here to take a quick minute to tell you about the MCJ Collective membership. Globally, startups are rewriting industries to be cleaner, more profitable and more secure. And at MCJ, we recognize that a rapidly changing business landscape requires a workforce that can adapt. MCJ Collective is a vetted member network for tech and industry leaders who are building, working for or advising on solutions that can address the transition of energy and industry. MCJ Collective connects members with one another, with MCJ's portfolio and our broader network. We do this through a powerful member hub, timely introductions, curated events and a unique talent matchmaking system, and opportunities to learn from peers and podcast guests. We started in 2019 and have grown to thousands of members globally. If you want to learn more, head over to MCJ VC and click the membership tab at the top. Thanks and enjoy the rest of the show.
A
The whole evolution of the Power Purchase Agreement and Virtual Power Purchase Agreement means you're accessing electrons that you don't control and frankly, you may not even know exactly where they're being produced necessarily at any given moment.
B
That problem is scaling fast. We're not talking about just one site or one wind turbine. We're talking about thousands and thousands of them spread across large territories, hundreds of various companies that are responsible for them. The goal of the utility company is to deliver reliable service. So they need to be integrating these renewable resources in a way that they can rely upon. That means that they have to rely on the capacity that will be there when asked for from these renewable sources to balance out the grid. Cybersecurity plays a critical role in that, you know, being able to make sure these resources conform to the right levels of cyber controls and are available when they need it, are not taken down by malicious actors, and, even though they don't directly control them, they need these requirements to be met nonetheless.
A
Is there a regulatory regime that is creating standards that are required of on-grid energy assets, regardless of whether they are renewable or not?
B
There's work to be done there. I mean, the energy sector in itself is highly regulated, as we all know, and has taken cybersecurity seriously for the last couple of decades with NERC CIP and various iterations of that. There's a new iteration of that that's putting in even stricter controls. It is reclassifying some of the assets that previously did not have to go through these stringent security regulations. They're reclassifying these assets to be required to be secured as well. That now includes renewable energy assets.
A
One of the things we hear with renewable energy is that the regulatory and permitting requirements are causing everything to be deployed much more slowly than we would all like. And yet I'm also hearing from you the criticality of some of these requirements if we want to ensure that what we're deploying is safe and secure.
B
Exactly. It's a balance. It's sort of a pendulum swing. We swung it the other way for a while. We're building a lot of assets, a lot of distributed resources, without strict regulation. And now we're starting to swing the other way, where there's lots of good regulation that's coming in. I'm sure it'll balance itself out and start swinging back to building large capacity again. The other big part of that is, you know, as I mentioned, the new iteration of NERC CIP has a focus on supply chain security. It's not just supply chain in terms of the actual vendors' requirements to meet certain vulnerability disclosures and patching updates, but it's also how you enforce your security requirements onto third parties that are accessing your systems by requiring them to use secure remote access solutions, multifactor authentication, by needing to segment out and provide zero trust access to individual assets. That's all great stuff. That's exactly what we want.
A
You said earlier, as more and more distributed energy resources come on the grid, the utilities have less and less end to end control over them. Whereas they may operate their own gas peaker plants, they're not operating the wind farms or solar farms that are ultimately supplying power to their grid. But I would also think that the distributed nature of these assets makes them more redundant in a good way. Meaning if one goes down, your whole system doesn't go down, as opposed to a coal plant or a large centralized power plant that's providing a huge chunk of power to the grid. To what extent are the utilities throwing up their hands and saying, hey, we have built-in security in distribution?
B
Some of that is true in the sense that you have more optionality and more granularity and more things to fail over to. But when it comes to attacks, specifically when it comes to cybersecurity, there's wide recognition that attackers will exploit the weakest point and spread from there. So that means that even though you thought that it's okay for them to hack a single wind turbine or wind farm, there were ways to spread from there. Now you have a chain reaction of events, and there's a big recognition in the new NERC CIP requirements around that as well.
A
You talked a bit about AI coming into these systems. How does that adoption both help and hurt security? I'll take a crack at my own hypothesis right now, particularly for our operational technology that is old and in many cases not Internet connected. I would think that these systems to some extent are insulated from attacks. And the more they start getting web based hooks into them and automation working together with them, it creates openings. I recorded a podcast recently that we just published with the CEO of a company called LineVision that is doing basically sensing and detection on our transmission lines. He had a quote that his doorbell at home is smarter than the average transmission line, because they are just quite literally electrical wires connected and weren't ever built with any kind of monitoring in place, and they're now going and retrofitting those. As they do that, it starts to open up vulnerabilities that these quote unquote dumb systems maybe didn't have before. That's, I guess, the bear case for AI coming into the workplace in these areas. The bull case is, I guess, it also can increase your ability to detect bad actors and issues.
B
It's definitely getting a lot easier for attackers, especially with AI, leveraging AI tools, and the fact that our energy systems are highly connected. The whole connectivity in the energy sector started 20-plus years ago. The energy sector today is one of the most widely internetworked and connected systems in the industrial space, period. Specifically focusing on AI: how easy it is today to just use gen AI tools that exist and launch a phishing attack. It's extremely easy to do so. In fact, AI generated content oftentimes looks even better than the company's own marketing content. Companies are leveraging gen AI for their marketing purposes. It's very hard for any normal employee or user to detect a phishing attack versus the AI generated phishing attack versus a legitimate company email. That's a real problem. And yet at the same time most attacks are happening because of stolen credentials or stolen accounts. Attackers utilize the VPN connections that exist everywhere to get into the network, find an asset, enumerate, find other assets, and then spread laterally and start encrypting data and holding companies to ransom. That's the cookie cutter recipe for 80-plus percent of the attacks out there. And now with AI making it a lot easier to launch these, it's a real challenge for the industry.
A
The current, like, major threat of AI is just the increase in phishing you would expect to see as a result of AI just being better at targeting the right people and writing the right content to get you to reveal some credential or log into some fake website that gives a bad actor access to the system, through which they can then tunnel into other things.
B
Attackers can launch these types of attacks within a couple of hours today. As simple as that. Now, this is why there's also an acceptance that in order to protect against these types of attacks, the training of employees is one thing, but it's also becoming very difficult to even train employees on detecting phishing attacks because they're so real. Now organizations need to really take proactive protection measures, assuming that these phishing attacks will happen. The proactive measures are what good security hygiene is: change those credentials often, restrict access with zero trust to only the assets that are required for any one user, just-in-time access, adaptive MFA and segmentation. Those are the proactive techniques to protect from these phishing attacks in general.
A
I read an article recently about IT departments that are increasingly getting clever at sending fake phishing attacks to their employee base to, like, help employees understand how they can get trapped in these attacks.
B
They run tests, periodic tests, on how well their organizations are doing in terms of that. It's really hard to keep up. It's very easy to stand up. And these emails and these phishing attacks look very real. There was a recent attack also with MFA fatigue, for example, where essentially if you bombard a technician, or even let's say a manager, in the middle of the night with an MFA request, they're likely to wake up and just click Accept on their phone. Hey, I just want to go back to sleep, I'm going to hit Accept. And all of a sudden malicious actors leverage the fact that you're so tired and fatigued from using MFA to get into the systems. That kind of stuff can be very highly automated with AI as well. Those phone calls, especially the AI voices that are being generated, sound very, very real. There are a number of AI tools out there that will take, for example, your website and create a podcast around it, just like we're doing today, but in a very realistic sounding voice. You won't be able to tell that it's actually AI in the backend.
A
What percentage, roughly, of successful attacks are socially engineered in some way, like hitting a vulnerable human, versus technology cracking your way into a system?
B
Most of them aren't. I'm not sure exactly what's the number for social engineering, but I do know that 80-plus percent of it is through techniques like stolen credentials that have been exposed on the web. Social engineering phishing attacks, whether it's done by individual actors or automated software, the majority, like 86% of them, is through this type of attack vector. A very low percentage is through actual exploits of a vulnerability on a system. Where organizations really need to focus more is on protecting those credentials and that access in the first place, versus overly rotating on things like patching vulnerabilities.
A
So really focused on employee training and testing employee setups for password management and how they react to adverse threats coming their way that they may be unsuspecting about.
B
Like phishing today, training is one component, but the majority of the focus should be on proactive protection measures to actually ensure that MFA is required to access any type of an asset. It's still, very surprisingly, even in the enterprise, MFA is only at low 70% penetration. In the operational space it's 10-20% penetration.
A
MFA, for folks who aren't familiar, multi-factor authentication.
B
Multi-factor authentication, that's right.
A
A text message or a Google Authenticator-like number that you have to enter in after you enter your password.
B
That's right. You would think that it's used everywhere, it's ubiquitous today. But it's not. So requiring that, zero trust security, meaning control access. Do not trust anyone, even your own employees, to give them access to the entire factory or entire power plant. Only the assets they actually need to do their job. That should be the policy. And then just limiting the attack surface, meaning that most assets don't need to interact with each other. We don't actually need a network for every device to talk to each other in the operational space, because you only need certain devices to talk to each other to perform that process. But not everything. So limit that and control that access.
A
Could you maybe elaborate on a few specific real world examples of known attacks that have been publicly disclosed at this point, as a way to help us understand how these various factors come together and provide us with some tangible examples of worst case scenarios coming to life?
B
A good example that I like to give is there was an attack I think about five years ago, I think it was publicized by the Washington Post or the New York Times, where we detected that Russian state actors had actually infiltrated the energy grid. It went into great detail describing how they did it. The learning there was that even though the utility had pretty good controls for access with their own employees, the issue was that the state actors leveraged remote access through a contractor or contracting firm. So basically a partner company that this energy grid operator was working with, and they didn't have as good of controls in place. Their employees were able to access the energy systems. So that's a big concern.
A
Was that the SolarWinds attack?
B
I don't believe it was SolarWinds. It was another attack. I don't recall the name anymore, but it was highly publicized. But SolarWinds is another great example. Once they're in and the energy operator is not prepared, they will be in there for quite some time and they will be able to spread across the whole entire infrastructure. The techniques that are used, they're called RATs, Remote Access Trojans, RAT for short. And that RAT may be sitting in there for some time until the state actors need to exert control. They will be looking for commands essentially at the right time. Once that command is given, it will carry out the action, which may be to shut down power for some time. Today these types of attacks are often used and very easy to set up as well.
A
Helpful to hear the context of how it comes together. I'd love to just hear a little bit more on Xage. I think you guys are, what, a Series B stage startup right now, and you've raised a few rounds of capital, including some strategic energy players involved on the investment side. Maybe share a little bit about how you've capitalized the business and what's next for the company.
B
We are a Series B company and we're growing quite fast. The funding for Xage is a combination of traditional venture capital as well as strategic investors from the industrial space as well as from defense. We have investments from Saudi Aramco. We have investments from SAIC, which is a big federal contractor. We had early investments from General Electric as well. These companies are all users of Xage products as well as strategic investors in the company. It's exciting times, I think, in operational cybersecurity in general, but especially in energy. Energy is going through a big transformation with renewables as well as, like I mentioned, infrastructure, networking and the critical nature of the energy infrastructure, period. We're seeing strong growth in the sector become even stronger as they adopt more and more AI technologies themselves to drive their operations. It's good times. The company itself, we're a little over a hundred people now, a long way from just the two of us when we started. So it's been an interesting journey for myself personally in this space, and I've spent the last 20 years, I would say, in cybersecurity and industrial infrastructure myself. So protecting industrial infrastructure is sort of my passion.
A
It's certainly a fascinating time. And one of the trends we didn't even talk about was how, with distributed energy resources, more and more companies are bringing power management under their own umbrella as well. And so you're seeing a lot more behind the meter power, off grid power, where companies are doing on site power production in a greater and greater way. We're seeing this in spades with the data center boom right now, and I expect we'll continue to see it with other forms of industry too, which I think speaks even more to just how important managing end to end security operations of these assets will become in the world ahead of us.
B
That's very true. I mean, you sparked a thought for me. If you actually think back just maybe 15 years ago, utilities didn't even know that power was out in your house. Your meters weren't connected and there was really no way for them to tell. There was no network infrastructure in place. So you actually had to call them to let them know about that. Today we all have smart meters. We have resources behind the meters. Not just that, we have thermostats, we have power generation and storage facilities. They have very good understanding of what's going on in your house at any given time. That creates also challenges for them because now all of a sudden they went from really no connected devices in the last 15 years to billions of connected devices that they have to now manage and secure as well.
A
My home with rooftop solar is a power generator and with an EV charger is a gas station. It's all my own home. It wasn't that way five years ago.
B
There's more to come so definitely exciting space.
A
Roman, thank you so much for your time. Really appreciated learning from you. Good luck as you continue to build Xage, and thanks for helping to keep our assets as secure as possible.
B
Thank you Cody and thanks for having me. Good talking to you.
A
Inevitable is an MCJ Podcast. At MCJ we back founders driving the transition of energy and industry and solving the inevitable impacts of climate change. If you'd like to learn more about MCJ, visit us at MCJ VC and subscribe to our weekly newsletter at Newsletter MCJ vc. Thanks and see you next episode.
Host: Cody Simms
Guest: Roman Arutyunov, Co-founder & SVP of Products, Xage Security
Date: March 27, 2025
This episode delves into the pressing issue of cybersecurity in energy systems, exploring how evolving threats—from ransomware to nation-state attacks—are escalating with the increased digitization and distribution of the energy sector. Cody Simms speaks with Roman Arutyunov of Xage Security, a company specializing in protecting critical infrastructure, about how utilities and energy producers can defend the grid and what "zero trust" security really means in this high-stakes context. The conversation addresses how the transition to renewables, distributed energy resources, and the adoption of AI both transforms and complicates cybersecurity challenges in the sector.
Changing Attitudes: 10-15 years ago, energy companies underestimated cyber threats; now, there are over 60 attacks per day on energy infrastructure ([03:47]).
“About 10, 15 years ago... no one's really going to want to hack a utility. That was a false sense of security that radically changed.” — Roman ([03:47])
Main Threat Vectors:
“The big component there is just to extend the control, ... so then when they need it, they can be leveraged.” — Roman ([05:21])
Real-World Cases:
“There have been similar scope attacks in the energy sector... they have been living off the land... within the energy networks.” — Roman ([06:12])
Definitions:
“OT is driven by assets like sensors, meters, control systems. These assets are now digital... processing data, making decisions, and taking action in a highly automated fashion.” — Roman ([08:56])
Risks at the IT/OT Intersection:
Old, unpatched systems get connected for digital transformation and business optimization, creating vulnerabilities. Systems not designed for remote access now require it for efficiency, broadening risk ([12:00]).
"Any company may be working with hundreds of partners... and they all need access as well." — Roman ([12:00])
High Stakes:
Compromised OT can lead to environmental damage, blackouts, fires, even physical safety crises—not just loss of proprietary data ([09:32]).
Zero Trust Principle:
No implicit trust is given based on network location or prior authentication; every access must be explicitly authenticated and authorized ([13:26]).
“Zero trust... there is no implicit trust. Any type of an asset or interaction with an asset needs to be explicitly authenticated and authorized before it can take place.” — Roman ([13:26])
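To make the zero trust principle above, and the partner-access problem raised in the IT/OT section, concrete: the following is an added example, not code from the episode or from Xage. It contrasts a perimeter rule (trust anything that reaches the plant network) with a per-request decision that authenticates an identity assertion and then checks an explicit allowlist, never consulting the source address. All identities, asset names, policy rows, IP ranges and the signing key are constructed for the demo; a real deployment would verify tokens issued by an identity provider rather than a shared HMAC key.

```python
"""Added example (not from the episode or Xage): per-request zero trust
authorization for OT assets, contrasted with perimeter-style implicit trust.

Every request carries an identity assertion that is verified
(authenticated) and then checked against an explicit allowlist
(authorized). The source network is deliberately not an input to the
zero trust decision. All identities, asset names, policy rows and the
signing key are constructed for the demo.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed signing key for identity assertions (hypothetical; in practice
# this would be an IdP-issued token verified with the IdP's public key).
SIGNING_KEY = b"demo-signing-key-not-for-production"

# Explicit policy: (subject, asset, action) triples that are allowed.
# Anything not listed is denied; there is no default-allow path.
POLICY = {
    ("tech-alice", "substation-rtu-7", "read"),
    ("tech-alice", "substation-rtu-7", "write"),
    ("vendor-bob", "inverter-fleet-3", "read"),
}

PLANT_NETWORK = ipaddress.ip_network("10.0.0.0/8")  # constructed "inside" range


@dataclass(frozen=True)
class Request:
    subject: str
    asset: str
    action: str
    source_ip: str
    token: str  # HMAC-SHA256 over "subject|asset|action"


def mint_token(subject: str, asset: str, action: str, key: bytes = SIGNING_KEY) -> str:
    """Issue an assertion binding an identity to one asset and one action."""
    msg = f"{subject}|{asset}|{action}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def authenticate(req: Request) -> bool:
    """Step 1: is the assertion genuine? Constant-time compare avoids leaking
    how many characters of a forged token were correct."""
    expected = mint_token(req.subject, req.asset, req.action)
    return hmac.compare_digest(expected, req.token)


def authorize(req: Request) -> bool:
    """Step 2: is this identity explicitly allowed this action on this asset?"""
    return (req.subject, req.asset, req.action) in POLICY


def perimeter_allow(req: Request) -> bool:
    """The implicit-trust model the episode warns against: anything that
    reaches the plant network is trusted, whoever or whatever it is."""
    return ipaddress.ip_address(req.source_ip) in PLANT_NETWORK


def zero_trust_allow(req: Request) -> bool:
    """No implicit trust: authenticate, then authorize, for every request.
    Network location is never consulted."""
    return authenticate(req) and authorize(req)


def run_demo() -> dict:
    """Three constructed requests showing where the two models diverge."""
    good = mint_token("tech-alice", "substation-rtu-7", "write")
    cases = {
        # Contractor connecting from outside with a valid, authorized assertion.
        "contractor_outside_valid": Request(
            "tech-alice", "substation-rtu-7", "write", "203.0.113.5", good),
        # Something inside the plant network presenting a forged assertion.
        "inside_forged_token": Request(
            "tech-alice", "substation-rtu-7", "write", "10.20.30.40", "0" * 64),
        # Authenticated vendor asking for an action the policy never granted.
        "vendor_out_of_scope": Request(
            "vendor-bob", "inverter-fleet-3", "write", "10.20.30.41",
            mint_token("vendor-bob", "inverter-fleet-3", "write")),
    }
    return {name: {"perimeter": perimeter_allow(r), "zero_trust": zero_trust_allow(r)}
            for name, r in cases.items()}


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:26s} perimeter={decision['perimeter']!s:5s} "
              f"zero_trust={decision['zero_trust']}")
```

The two cases where the models disagree are the interesting ones: the forged token from inside the plant range and the vendor asking for an unlisted action both pass the perimeter check and fail the zero trust check, while the legitimate contractor outside the perimeter is the only one zero trust admits. Binding the token to a single asset and action is what keeps a stolen contractor credential from becoming a key to the whole plant.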
Industry Struggle:
Legacy systems and distributed assets make it nearly impossible to rely solely on traditional credentials (like "admin/password") and centralized controls. Renewables add further distribution and ownership complexities ([14:55] – [15:42]).
“Unlike IT systems, operational systems are highly distributed and they're becoming even more distributed in the energy space.” — Roman ([14:55])
Commonalities:
Both are now highly connected, increasingly AI-driven, and still rely on a mix of legacy and new assets ([16:32]).
"An approach to cybersecurity is that you got to protect them all... attackers will find the weakest link and go from there." — Roman ([16:32])
Distinct Issues with Renewables:
Regulation Is Catching Up:
The sector is highly regulated (NERC CIP and successors), but new standards are being created to cover more assets—including renewables—and to address supply chain security ([20:06]).
“There's a new iteration of [NERC CIP] that’s putting in even stricter controls... that now includes renewable energy assets.” — Roman ([20:06])
Trade-Off:
Regulation and permitting can slow deployment but are critical for system security ([20:45] – [21:05]).
“Attackers will exploit the weakest point and spread from there... there were ways to spread from there. Now you have a chain reaction of events.” — Roman ([23:00])
Risks:
AI massively lowers the barrier for launching sophisticated phishing and social engineering attacks. AI-generated content is often indistinguishable from legitimate communication ([24:57]).
“AI generated content oftentimes looks even better than the company's own marketing content.” — Roman ([24:57])
Examples:
“If you bombard a technician with an MFA request... likely... just click Accept... malicious actors leverage the fact that you're so tired.” — Roman ([28:09])
Defensive Use:
Adopting proactive security hygiene (frequent credential changes, zero trust access, adaptive MFA, network segmentation) is essential as AI accelerates attack sophistication ([27:00]).
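The MFA-fatigue scenario Roman describes above (bombarding a technician with push requests until one is accepted) and the "adaptive MFA" control he lists among the defenses both come down to the same signal: a burst of push prompts for one account, often followed by a single approval. The following is an added example, not code from the episode or from Xage, that parses constructed authentication log lines and flags that pattern so it can feed an alert or an adaptive step-up (number matching, temporary push lockout). The log format, user names, timestamps and the five-in-ten-minutes threshold are all assumptions made for the demo.

```python
"""Added example (not from the episode or Xage): detect MFA push bombing
(fatigue attacks) in authentication logs.

An attacker holding a stolen password can trigger push prompts until the
user taps Accept. The detector keeps a sliding window of push events per
user and raises an alert when the count reaches a threshold, recording
whether an approval landed after the burst began. Log format and
sample lines are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format: ISO timestamp, then key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push result=(?P<result>\S+)$")

# Constructed sample log: tech-alice receives six prompts in six minutes at
# 02:14 UTC and finally approves; ops-carol has a normal two-prompt login.
SAMPLE_LOG = """\
2025-03-27T02:14:03Z user=tech-alice event=mfa_push result=denied
2025-03-27T02:14:41Z user=tech-alice event=mfa_push result=denied
2025-03-27T02:15:22Z user=tech-alice event=mfa_push result=timeout
2025-03-27T02:16:05Z user=tech-alice event=mfa_push result=denied
2025-03-27T02:17:30Z user=tech-alice event=mfa_push result=denied
2025-03-27T02:19:58Z user=tech-alice event=mfa_push result=approved
2025-03-27T09:00:12Z user=ops-carol event=mfa_push result=timeout
2025-03-27T09:01:40Z user=ops-carol event=mfa_push result=approved
"""


def parse_events(lines):
    """Yield (timestamp, user, result) for each mfa_push line; skip others."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other event types or malformed lines are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["result"]))
    return events


def detect_push_bombing(lines, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per user whose push count within `window` reached
    `threshold`. `approved_after_burst` is True when the user accepted a
    prompt once the burst was already under way, the fatigue signature."""
    by_user = defaultdict(list)
    for ts, user, result in parse_events(lines):
        by_user[user].append((ts, result))

    alerts = []
    for user, evs in by_user.items():
        evs.sort()
        burst = approved_after_burst = False
        peak = 0
        j = 0  # left edge of the sliding window
        for i, (ts, result) in enumerate(evs):
            while ts - evs[j][0] > window:
                j += 1
            count = i - j + 1
            peak = max(peak, count)
            if count >= threshold:
                burst = True
            if burst and result == "approved":
                approved_after_burst = True
        if burst:
            alerts.append({
                "user": user,
                "pushes": peak,
                "approved_after_burst": approved_after_burst,
                "first": evs[0][0].isoformat(),
                "last": evs[-1][0].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG.splitlines()):
        print(alert)
```

An `approved_after_burst` alert is the one to treat as a likely compromise: the password is known to the attacker and the second factor has just been defeated, so the session should be revoked and the credential rotated. A burst with no approval is still worth a prompt to the user and a temporary switch from plain push to number matching, which is the adaptive behaviour the episode recommends.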
People as Primary Target:
Over 80% of attacks stem from stolen credentials—often via phishing and social engineering—rather than technical system exploits ([29:30]).
“Majority, like 86% of them, is through this type of attack vector. Very low percentage is through actual exploits of a vulnerability on a system...” — Roman ([29:30])
Mitigation Focus:
Proactive technical controls (MFA, zero trust, segmentation) now prioritized over pure user training, especially in operational environments where MFA adoption is still low (10–20%) compared to enterprise IT (70%) ([30:30]).
State-Sponsored Grid Infiltration:
Russian state actors penetrated a U.S. energy grid via a contractor’s less-secure remote access. Classic “supply chain” vulnerability; attackers install Remote Access Trojans (RATs) and "live off the land" until commanded to act ([32:19]).
“State actors leveraged remote access through a contractor... their employees were able to access the energy systems. So that’s a big concern.” — Roman ([32:19])
SolarWinds:
Similar concept—once an attacker is inside, lateral movement and undetected persistence are the next risks ([33:13]).
Growth Story:
Xage has raised from both VCs and strategic industry investors (Aramco, GE, SAIC); now ~100 employees and experiencing swift expansion as energy and defense sectors prioritize operational cybersecurity ([34:31]).
“These companies are all users of Xage products... strong growth in the sector become even stronger as they adopt more AI technologies.” — Roman ([34:31])
Trend: Behind the Meter & Onsite Power Growth:
More companies (esp. data centers) are generating or managing their own power; the proliferation of “smart” devices, meters, and renewable assets creates billions of new endpoints to secure ([35:57] – [36:40]).
“... in the last 15 years, [utilities] went from really no connected devices... to billions of connected devices that they have to now manage and secure.” — Roman ([36:40])
On Old Versus New Threats:
“Unfortunately, these systems are pretty easy to take advantage of and to hack... you may have widespread damage or a fire before it even takes action.” — Roman ([10:57])
On Zero Trust:
“Everything needs to be verified, everything needs to be authorized. For every single interaction, whether it’s from human or from another application or machine, we control those very tightly...” — Roman ([14:20])
AI and the Human Element:
“It’s very hard for any normal employee or user to detect a phishing attack versus the AI generated phishing attack versus a legitimate company email. That’s a real problem.” — Roman ([24:57])
The Scope of the Challenge:
“My home with rooftop solar is a power generator and with an EV charger is a gas station. It’s all my own home. It wasn’t that way five years ago.” — Cody ([37:29])
This episode makes clear that as the energy sector modernizes—ushering in renewables, distributed resources, and AI—the complexity and urgency of defending critical infrastructure mount dramatically. Roman Arutyunov’s expertise and Xage’s zero trust approach highlight the need to rethink old paradigms, prioritize proactive defense, and stay ahead of attackers who now wield both technological and psychological tools. The grid of the future, with billions of connected devices and ever more porous boundaries, will demand vigilance, innovation, and a shared culture of security.
Listen to the full episode for deep dives on zero trust, AI threats, and Xage Security's mission to keep the future grid secure.