A

So not all cybersecurity attacks on critical infrastructure are these well thought planned out attacks. Some of them are opportunistic. So what can you do to stop it? We'll talk about it on this episode of Safe Mode. Welcome to Safe Mode. I'm Greg Otto, editor in chief at cyberscoop. Every week we break down the most pressing security issues in technology, providing you the knowledge and the tools to stay ahead of the latest threats while also taking you behind the scenes of the biggest stories in cy Cybersecurity. An attack is coming. It's about keeping us safe. He's just a disgruntled hacker.

B

She's a super hacker. Stay alert. Stay safe.

A

Stay safe. This is Safe Mode. Welcome to this week's episode of Safe Mode. I am your host, Greg Otto. In our interview segment, we are going to be talking to Chris Grove, the director of cybersecurity strategy for Nozomi Networks. But first talking with Tim Stark, senior reporter for cyberscoop. We had some interesting news this week. In the realm of federal cybersecurity policy, OMB issued a memorandum that rolled back some previous memorandums from previous administrations. Dive into what I believe it was OMB memo 2218, which just the most exciting title on the face of the planet. But despite the title, there are some really big implications for federal agencies when it comes to their cybersecurity. So tell us what happened.

B

Yeah, this is one of those things that can sound kind of minor at first, but then you look at it more closely and you're like, hmm. So the OMB rolled back a memo from the Biden administration that was, stemmed from the, the big executive order that the administration put out in its first year. So we're going back many years now for this. But what this memo did was create a, I hate this term, but I'm going to use it just so people understand what it is. A, a self estimation attestation method that led to a common form that would be used across government that essentially is saying I'm, I'm a vendor who wants to sell software to you, the federal government. I, I am vouching that I meet these standards that are security standards for being a part of this process of being a vendor for the United States government. And um, this was something that maybe didn't seem like that big a deal at the time. Maybe at, at first glance, again doesn't sound that huge. But essentially what the administration said was this is too, this was very, this is a burdensome thing. It was, it was creating a one size fits all for agencies that need to be doing their own assessments. What I heard from someone who was in the Biden administration was that this is actually one of the first, the first major big policy rollback on cybersecurity. This administration, the Trump administration, has done

A

so with regards to that. What did the critics really say from the sources that you talk to? What is the biggest fear with the rollback? Is it weaker security, less accountability, just more inconsistencies across the board? What did your sources tell you?

B

It was a little bit of all of that. One of the things that stood out is that, you know, certainly this was something that was put in place that was meant to be like a marketplace like response to cybersecurity. It was less to be. It was meant. It was not meant to be burdensome. It was actually meant to be a streamlining, if you will. And the 2021 executive order was a response to SolarWinds. It was response to some other major events that happened around the time. And this was meant to make it so that the software could be developed securely. And it might actually lead to not just vendors who work for the federal government doing a good job, but vendors who want to work for the federal government and anyone else would certainly start coming up with processes for making sure that their software was secure. So in the sense that that is going away and not leaving anything explicitly in its place. Nick Leeserson, who was in the Biden administration, is now with the. The Institute of Standards and Technology. I believe I might be. I might be saying the nist.

A

It's Institute for Security and Technology. Nick, we apologize if we're butchering the name.

B

Sorry, sorry. Both to IST and. And nist. So the other thing that was, I think, stood out about what he had said about this was critical, is that the administration has been saying, you know, we want to harmonize all these conflicting regulations across agencies. This says, no, that's going to be a bunch of different ways potentially. Now, now, the memo doesn't say, you can't use that form that was created. It ended up being created a couple years later by cisa. You can't. It didn't say you can't use that form. But it does open up the possibility that we're going to be seeing a proliferation of different kinds of rules.

A

I say that if this is no longer required, do you expect agencies to create their own versions? And as someone that has followed the way that the policy has been rolled out over the past couple years, what does that do to vendors that are trying to sell to Multiple agencies.

B

Yeah, I think time will tell on how agencies respond to this. I think it's possible that agencies will keep using the form that exists because that's easy. Obviously there are a lot of personnel and manpower issues that agencies are going through right now. So maybe they don't want to create their own common form. So it might not make, make a big, big difference, but it certainly has the potential to make a big difference.

A

So in that vein, because OMB is saying that this form can be voluntarily used or in concert they can request an SBoM in order to sort of maintain inventories and figure out what they want to do. Based on your reporting, do you think that agencies are now looking at them as like nice to haves or do you think that even with this rollback it's rolled back, but does it realistically preserve the core intent of the original policy? Like, well, there's just this stick around and it's just not on a piece of paper anymore.

B

Yeah, I think that's up in the air. You know, this memo came out on January 25th, I believe.

A

Okay, so.

B

So we're only a few days into this and we haven't heard much from agencies on what they're actually going to do with it. You know, there was, there were some other parts of this memo that, that, that the, this current administration basically said we're going to leave this in place. Like there was a part of that memo that said you've got to maintain a complete inventory of software and hardware that, that kind of match their risk determination. Basically. There were, there were some things that they're keeping, including that SBOM thing that you mentioned. So I think, I think that there, it didn't roll back the entirety of the memo, but it rolled back one of the key parts of the memo and a major part to hear the criticism of it.

A

So speaking of that, what comes next from the conversations that you've been having? Are you hearing any signals that the administration may roll back other Biden cybersecurity directives too and if ones which ones are most likely to be targeted and I would posit further in that or will that net. It won't necessarily be a one to one recension like we've seen now. It'll just be different because the cybersecurity strategy will be released, will sort of set the rules of the road for the next few years.

B

Yeah, that's what's interesting about this is this kind of came out of nowhere. There was, there's always this process by which the administration will signal what regulatory plans it has for the coming year. This wasn't in it. This wasn't anything that seemed to be on anybody's agenda. It caught people by surprise that they were doing this. Certainly they had a unified response, revision, rollback of the Biden executive order that happened in 2025, like basically the days of the final, final days of the Biden administration as they were getting ready to leave. I think nobody was surprised that they changed some of those things because it happened right before Trump is about to take over. I think people were immediately questioning whether that was something that was going to stand the test of time. This was something that I don't think anybody expected to be like a. I mean, if you're looking at what the administration says they want to accomplish, this could be viewed as a contradiction of that. So, you know, we keep seeing with this administration a number of surprising oh, they got rid of that. This is another one of those. So I can't say that we've seen the end of it, especially because this is one that seemed to be dormant and settled policy for many, many years. So I guess I wouldn't be surprised to be surprised.

A

All right. Well, no matter if we're surprised or not, I'm sure you will keep our readers and audience up to date on all of it. So, Tim, really appreciate you hopping aboard. Happy to be here for our interview segment this week. You know, one of the easiest mistakes to make in critical infrastructure security is to over attribute. We see it all the time to assume every incident reflects a tightly scoped, bespoke operation. But a lot of what hits OT in practice starts the opposite way. Opportunistic actors, a dog looking for a bone, if you will. Someone finds an exploited edge device, a misconfigured remote access path, a flat trust relationship between environments, or an engineering workflow that was never really designed with the adversary in mind. And then they see how far it goes. So in our interview segment this week, to talk through what opportunistic OT attacks look like today and how teams can stop small issues from turning into real operational problems, I'm joined by Chris Grove, director of cybersecurity strategy for Nozomi Networks. Check it out.

C

All right.

A

And joining us on this week's interview segment, I'm joined by Chris Grove, the director of cybersecurity strategy at Nozomi Networks. An interesting conversation here because back in December, the Justice Department charged a Ukrainian national for alleged involvement with two pro Russia groups that were linked to attacks on critical infrastructure. And what stood out about the alleged progression of these attacks was that it went from a DDoS style disruption into more intrusive activity that touched industrial control systems, that had some real world impacts on water and food processing plants. And it really served as a reminder that look, a lot of this activity can be opportunistic and that reducing Internet exposed OT remains a very high leverage defense. So, Chris, really glad that you could come on and unpack this with us. We'll jump right into this. You know, when a campaign starts as noise like DDoS and then moves toward OT, what usually makes that escalation possible?

C

Well, that's a very complex question. So there's a lot of different moving parts to what could make that possible. First, we have a more and more of a reliance on the technologies to keep our civilization moving forward from our power, our water, all of our transportation systems, things that used to be manual operations are almost completely automated or have some reliance on cyber. Even if you tried to coordinate manual operations, you still have cyber usually to do that coordination. So we are so dependent on, in all regards, on these complex parts that all move together to create our critical infrastructure. Without the water, we don't have power. Without the power, we don't have water, without the fuel, et cetera. So it's a very complex bulb of spaghetti to untangle. Just from a broad perspective, when you start getting into the actual technologies that they're trying to protect, the digitization of all of these industries has really created a more complex landscape for the defenders to have to protect. They have these IoT devices, things that are monitoring and reporting directly up to clouds, for example. We have a different type of connectivity that we never really thought about. The early days when many of these infrastructures were being designed. The life cycles on the operational technologies that make up our critical infrastructure aren't measured in like one to three years. Like an IT asset is. These are 10, 20, 30 year pieces of, of infrastructure out there that we have to protect against these new modern threats that are appearing. And then at the same time, we not only have more and more people that rely on these things, we have more demand on it. New AI is requiring power and water and so on. So the demands are going up, our reliance on these systems are going up at the same time that we are expanding this landscape that enables the attackers to come in and take advantage of these weaknesses that we, that we have in these.

A

So I know that OT is wildly different from it, but the way that you're describing things there about how more and more is moving into the technology Space. It reminds me of the conversation that we have had over the 10 or 15 years prior about cloud and moving to the cloud and cloud security. So I'm wondering, where is OT most like cloud security today, specifically in terms of, like, the control planes that attackers can abuse? Because you talked about all the different technologies there, that that's just an attack surface. Like you said. You had a good metaphor there. Just a bowl of spaghetti. So is there any real comparison between where OT is and the way people are talking about, like cloud security, for instance?

C

Yeah. And even another example to back that one up is the Internet itself. There was once a time when organizations were challenged with, why would I even connect the Internet to my business? And today it's like, how could you run a business without an Internet connection? And with cloud, at first it was, why would I put myself in someone else's computer? Now almost every app we use is built and backed by cloud technologies. And cloud has become. It initially was a little bit of a hot topic when it came to OT because it was. You really didn't want to put control of the power grid in the cloud, or, you know, you want to move control up there. But there are a lot of technologies leveraging the cloud that can bring benefits to these operational technologies. So there was a lot of. There is a lot of valid reasons why these things would be connected up. I mean, when you're trying to run a very large enterprise of water systems across a very large geographical space, you really need to network these devices so that you can run them efficiently and safely and up to par with what modern standards really require. And if you rely on completely manual operations to do all that stuff, it's not really the way that a lot of these facilities and these pieces of infrastructure are being run. The more we can control it manually, sorry, automatically, the more resilient it becomes. Like the power grid, for example, the lights. If there's a problem, it should just flicker. You shouldn't have to wait an hour or two for someone to come and flip switch to fix the grid for you. And that's kind of what we expect in society. And the only way to build it is through this automation. So it's a struggle to build automation in a way that is secure and can be done without risking too much. So the cloud was definitely a topic that when it came to ot, the adoption initially was like, no way. And it's become, hey, here's the benefits. And now we're in a place where it's hard to acquire products that don't Use the cloud of some sort as a backend for a lot of things. There's historians. That's a way to record all of the operational things and messages that are moving. There's vast amounts of data that are stored in them. That's a great candidate for the cloud. Being able to scale the storage and have it safely off site and it checks a lot of boxes. So small benefit, things like that really helped break the dam between cloud and OT years ago. Now all the greatest technologies that are available are using the cloud of some in some way.

A

So you talked a lot there about like automation and how it goes into the different parts of the OT landscape. I'm wondering what is the most common way that automation or any sort of engineering intent when it comes to OT technologies, does that become an attack surface? Like, is it within the way that companies are handling project files or like logic templates for PLCs, golden images for HMIs, is it backups? Is it everything? Like I'm, I'm, I'm wondering there what you see across the landscape, especially like the common issues.

C

Oh yeah, for sure. I mean any, any technology is going to have a weakness of some sort. So anything can be exploited when the attackers are looking for a weakness. But the more you get into ot, the more the bar is raised on the skill set required by the attacker. So it's not like it's commonly found someone who can manipulate a plant. In most attacker circles, they're going to be more geared towards websites and email Systems, DNS attacks, DDoS attacks, things like that, rather than being able to manipulate an industrial protocol. So it depends what they're after and what they're trying to do. In many cases what they could do is interrupt things on the IT side in a way to influence the OT side, the operational side, without actually hitting IT itself. So there's ways of affecting what they want to, without actually having to touch the exact systems that they wanted that they are targeting.

A

Okay, so pivoting a little bit, what is the most dangerous but well intentioned modernization move that you're seeing? Is it the convergence between IT and OT or managed services? Like I'm wondering what is besides all of this other technology that is being put into the OT side, I'm wondering what else can expand the attack surface or the blast radius that gives you pause as you talk to your customers?

C

Not including cybersecurity in the design from the beginning and a lot of times what we have to deal with is bolting on security as an afterthought and a Lot of times it's not funded, it's more expensive to, to get done. And in the industrial control system world, you have a lot more of that because the systems are older and have been around longer. So the rush to come in and bolt on something to patch up a problem is sometimes not the best route. It's looking. We're not. The risks out there are always going to look for the weakness. And if that is a water system in our town that can influence another part of it, which is usually going to be a water system, that's where they're going to go. So if the one thing that would like, make me pause the most during one of these attacks would be something like my organization has a reliance on power and water and labor, etc. And any one of those that are impacted because that's my weakness is what I should be worried about. And not accounting for these things or not planning for these things is sometimes worrisome.

A

So one of the ways that I think, at least in my opinion, better accounting or making sure that cybersecurity is baked in could be like a standardization process when it comes to critical infrastructure. So I'm wondering, should, in your opinion, should there be more of a push towards standardization when it comes to integrating cybersecurity or should it be more of a. Well, let's, let's make this. Yeah, we should be able to secure it, but we want to make sure that stuff is hardened to the point where there isn't like a mass compromise. So I'm wondering where you fall on that spectrum.

C

Yeah, there is some of that happening. We have different sectors of our critical infrastructure that CISA has issued guidance on and they're not standards, but they sort of steer everybody towards standards. We do have some that are very effective when well implemented, like ISA 62443 and there's depending on what sector you're in, you'll have some sector specific ones as well. But they're not for everyone all the time. They can be challenging for some organizations to get off the ground. They could require rebuilds of networks and restructures of organizations and they can be very difficult to get. So without having something like, you know, board level authorization and executives and leadership pushing this, it can be very difficult. So sometimes being more tactical and taking small steps that might be able to help the system be better defended might also be the right approach. It really is going to depend on what they're defending and what level they're at and what type of organization that we're talking About. Yep.

A

So let's talk about the actual attempted attacks or like tradecraft that we see from attackers. I'm wondering, in your experience, what tradecraft failure are you seeing that is repeated in OT focused attacks that defenders could exploit? Something we see attackers failing to do or stopping to do because they go, well, OT is not like going after a server or a cloud instance or something like that. And what defenders are doing to sort of leverage that into their own defenses,

C

hard to say a failure of the attacker. Can I. I think it's better to probably look at where we might not be able to protect against certain things, such as. Okay, yeah, so it's not really the failure of the attacker. And I don't really want to frame this in a way that would allow them to exploit it or something.

A

Yes, of course.

C

So it sounds like we're giving advice to the attackers. But one of the things that has been successful on their front, I think, and that fortunately they're not exploiting more, is being able to impact operational technology sides by shutting down the IT side and. Or creating the impression that they can impact that. We've seen that with like Colonial Pipeline. We saw that with some others where there's bad things that could happen if the operational technologies are impacted. Like a chemical plant could blow up, it could influence a train, it could influence a lot of things. And just the fact that they are near it on some networks or that they were able to pierce it or have credentials to it or can like give the impression that they have access to those networks is something that is a lot more than sometimes even having the access. If they can give the impression that they do, that could be enough for a lot of systems to have to shut down for safety reasons. If you have the impression that the attacker has control of the train, the best thing to do is to stop it and unload the passengers, basically. So if we have factories with people involved in moving around with the robots, or we have water safety systems, monitoring things, H Vac, et cetera, we need to make sure that we have the integrity of those systems, that we trust them. And if an attacker could potentially influence those operations, and human safety is our first and foremost, most tenet, that's going to drive us to stop the operation, basically. And that's sometimes what their goal is to stop the operation, hold the organization for ransom or extract what they want out of that organization.

A

Okay, so then going back to really the more cybersecurity focused side of it, if you could instrument only one thing for detection, whether it's the network endpoint, engineering tools, remote sessions. What do you think is the best thing to defend against and what is the best thing to defend? To provide early warning that a nation state level attacker, or any attacker that is skillful is actually trying to cause some harm?

C

Yeah. So if you start with what the operation is going to start with, which is looking for that weak link in the infrastructure, it's going to be making sure that the visibility goes across all of the things that you just mentioned. If you pick one or pick two or pick three, whichever one you didn't pick is the one that they're going to probably enter through. So ensuring that from the process itself all the way out to everything, you have as much visibility and you can work with that information. Creating data isn't necessarily the answer. A lot of products can create a lot of noise and a lot of false positives and alerts and traffic, et cetera, but it's how can you analyze that information, extract intelligence that actually matters from it? And this is where now we get into the AI and more mature products versus things that just do a point solution rather than being part of like this platform. You need to be able to see across all these things, not just the IT side, but all the way to the process. Because a lot, sometimes it's various little clues along the way that make up the head and the tail of that whole attack. And you need to be able to put the whole scenario together in order for it to make sense. You need to see the entry points where they went. A lot of times the final question is, hey, is my factory safe for the employees to go back inside or not? And that's going to boil down to being able to trace all the footsteps and know whether or not and they actually got into the industrial control systems and had some kind of an impact on the industrial controllers or anything to do with the process. If they just went in, like for Triton for example, and were able to tamper with the safety system and make it dangerous where the operators would not be able to go in because we don't trust our safety system anymore. That is a very expensive outage for any kind of an organization to go through. Just the thought of that is enough for some of these organizations to, you know, pay ransomware or shut down or just, you know. So it's not always the exact tactical like vulnerability that we could patch to fix things. It's being resilient, understanding that the day is coming, it's going to happen to everyone at some point. And being able to get out of those tricky situations because you've done like tabletop exercises and you've worked through communications plans and you kind of walk through the activities of a recovery that let sometimes some organizations realize, wow, back to your question now is that we didn't have visibility in this entire area and we needed it for this scenario so they can identify where they should apply more security. And a lot of times it'll land in the bucket of we need something that is holistic and can see across all these different types of technologies.

A

So speaking of having the visibility and also previously you talked about the intent is to stop whatever is what's going on. And I know that critical infrastructure is really going to be under a microscope during the year. Like, and it's not just in the us it's all over the world, especially around big time events. We have the Winter Olympics coming up, the World cup is coming up in the summer in the U.S. in North America and there's going to be a ton of different big events during the country's 250th birthday. So I'm wondering, you know, as critical infrastructure, sort of plans for these events, what do you freeze or like, what do you deliberately increase when watching OT systems for this? And I mean it's just beyond, you know, just going, oh, let's just go buy software or whatever. Is it, you know, is it more people, is it more staffing, is it better monitoring? Like what in your eyes are you talking about with your customers as they, you know, have this in the forefront of their planning for the year?

C

Yeah, so the it ranges from some of these facilities are being built for the event and they're being run for the event and then afterwards are left behind for the cities to manage afterwards. Some of the events are happening in cities that are already built out for large groups of people to come through and the crowds they're expecting aren't beyond their existing capabilities. So they have already things in place for that. So it varies and it depends on what part of the infrastructure we're talking about. But some of the events I've worked with, we've done lockdowns before where we have basically said, okay, we're going to freeze all of our changes right now. We're not going to do any like strange out of process maintenance or not. We're going to limit who can come through the gates, we're going to limit who can plug in and every single solitary action or anomaly or anything that smells strange is going to be tracked and a ticket created. And if anybody violates this, they have to have a good reason. I've seen cities locked down like that with all the layers in the industrial control systems to keep the waters going and other stuff. So some organizations are able to get very entrenched and invested in their security. Other ones lack the capability. Other water providers don't have the staff or the technology and tools to be able to do that. So they might be getting some help from partners and the, the event coordinators and sometimes CISA especially will come in and help fill some of those gaps and beef up and work with the security operations centers and the coordinators of all the federal agencies to make sure that, you know, even the Secret Service will be involved a lot of times with the cyber defense of the critical infrastructure for that event. Sometimes the knowledge and the tools are left behind. That's great. But other times they, they don't necessarily have the people to continue to monitor them or to keep that level of security up. So it's going to. There are some weak targets in that list of events and cities that you mentioned that do have the potential. There's some other ones that are used to these types of events and they're going to be. They're going to have more of a mature cybersecurity program that is going to be integrated with the federal government and they're going to have quick active defense capabilities and they'll be able to make the necessary changes with their partners and work with. The infrastructure sometimes needs to be modified, for example, and that's not easy to do. Sometimes that could take years. So they'll be more agile if they're more mature and ready for these types of things. But some cities do struggle with being able to. To do this. So they'll need some help where. Yep, where they can get it.

A

So finally, Chris, what is one thing that OT defenders should be willing to do now that they weren't willing to do five years ago?

C

Probably be more open to cloud computing. The benefits are here, and there's a lot of benefit, not just from the products that are using them, but also organizations that are using them. And now it's a competitive advantage. And it's not a matter of moving the control system to the cloud. It's a matter of using the cloud for what it does, which is compute technology and being able to store large amounts of information and be the backbone for artificial intelligence. Because with AI, we can do a lot more than we could do before. We can work with this large amount of data that we're trying to store. We can prioritize better. We can calculate better, summarize, look for trends, identify anomalies. We can just generally ingest and summarize and report back much better than we ever could before. All of those layers require the cloud. And I think today the cloud is no longer a bad word that it used to be 10 years ago and even just a few years ago. But AI is definitely something that is helping the defenders as well as the engineering side. And we need to make sure that we adopt that technology in a safe way. The safest way to do it is to make sure that everyone's on board with how we do it as an organization. And we're not. You know, we don't have shadow it starting up or shadow cloud or anything dangerous like that.

A

Now we started off talking about how the similarities between OT and cloud security are, and we're bringing it all together to wrap it up. So, Chris, really appreciate you hopping aboard. Fascinating conversation. We'll have to talk to you again soon.

C

Thank you very much for having us. Appreciate it.

A

Thank you. Thanks for listening to Safe Mode, a weekly podcast on cybersecurity and digital privacy, brought to you by cyberscoop. If you enjoyed this episode, please leave a rating and a review and share it with your friends, your co workers, your CISOs, your sysadmins, your mom, your dad, anybody that wants to know more about cyber security. To find out more information or to contact me, please look for all of our social media handles or visit cyberscoop.com thanks for listening. Check us out next week.