Episode Transcript
[00:00:00] Speaker A: But what if they call you and it sounds like you and it sounds like that person and, and they know what to say and then you believe like it sounds like again, you know, I've got hundreds of hours of, of my voice on the Internet from all of my podcast. So someone could very easily make a deep fake of me and my voice and call my wife and say, hey, send me 50 bucks because I lost my card. I need to get whatever you're listening to.
[00:00:26] Speaker B: Protect It All, where Aaron Crow expands the conversation beyond just OT, delving into the interconnected worlds of IT and OT cybersecurity.
Get ready for essential strategies and insights.
Here's your host, Aaron Crow.
[00:00:44] Speaker A: Hey. So today is another solo episode.
I've got some great recordings coming up with some amazing guests that are coming. Super excited about that. Seems like summer. Everybody's schedules are tough.
So loving doing, doing these, able to dive into this, a lot of the things that are going on in real time. So let's dive right in.
This week is, it's very, you know, it's, it's very much a high level tactical brief.
You know, there's there everything from critical zero days to, you know, AI threats and defenses, policy moves, shit that are, you know, shifting, you know, national security and what you could do to stay hit.
You know, if you're in cyber tech, energy, critical infrastructure or you just want to stay, step ahead. Definitely this episode's for you. So let's get into it.
Let's talk active zero day exploits. This month has been pretty freaking brutal.
Microsoft SharePoint, there's been a CVE that came out and it was used to breach over 75 global organizations. Obviously everybody seems to have Microsoft. You use SharePoint, it's, it's kind of part of the system.
Not always really been a fan of, of, of SharePoint. I see the value in it. I use it all the time. Whether it be, you know, storing files or you know, obviously all the use cases that you can do with it. But you know, attackers chained, chained it with a remote access tool and you know, big players got hit. There's a lot of those that are still unpatched.
There's big deals. We even saw a, a hit from Ring Ring, the Ring camera got hit not by this thing, not by SharePoint, but was also impacted this week. So that's one to definitely check out. CrushFTP is another vulnerability that came out. The exploit gives full admin access to attackers.
So if you're running CrushFTP and you haven't patched, you need to get on top of that. You know, Ivanti, there's two more zero days used to drop Cobalt Strike.
It's, it's really, really impacting a lot of folks. You know, what, what's the takeaway of these? I don't normally dive into all the vulnerabilities and all the attacks necessarily, but really it's more of a bigger picture of what's the, what's the point? The point is, is that we have, especially in ot, have really had an intention of, you know, we don't patch all the time. We don't patch as frequently some, some of these things. Obviously SharePoint, you're probably not using ShareP, you're not probably using it in, in a lot of your critical systems. But you know, can they get in and then pivot from there? Right.
It's really around. You know, we're, we're seeing more and more weaponized exploits. They're happening faster. So these, once these things come out, they're weaponizing them so quickly. I'm sure a lot of that has to do with AI. AI is going to make it faster to respond from a, from a bad actor to take advantage of those vulnerabilities and do something with them. So we've really got to start looking at, you know, patch management like incident response like we are the incident has happened. We have to stop before we have to start closing the holes before the bad actors get in and not waiting and, and pushing it off, you know, weekends. You know, if, if you get outside the patch cycle and you have an outage, you know, on the weekend, then it may not be good to wait that long. Not everybody does it that's that quickly or, or, you know, it all depends on the criticality and the impact and all those things. Right. So.
All right, so next is let's dive into AI.
AI is always going to be, I think every episode I seem to talk about AI in some form or fashion.
Cyber security and AI are definitely intertwined from, you know, how can you protect and tools that have, are using AI to help see things, pattern recognition, you know, respond quicker, you know, get better data, all the things. But it's also can be used to attack us.
So Google's Big Sleep was an AI agent that identified a critical exploit before, before attackers could use it.
They detected the vulnerability and flagged it for immediate patching.
And you know, it, it's showing that AI can use, be used to predict and prevent an imminent cyber attack and could could be the future of defense. And this is where I'm really excited about the opportunity to use AI and even in critical infrastructure in ot, I definitely believe we should be looking at how can we use AI to stay ahead. Right. We shouldn't be waiting until someone finds a vulnerability and releases a CVE or a patch.
If these AI tools can start finding these vulnerabilities in our systems, that's the way we need to do. Especially when you think about how big and complex these systems are.
You have all these intricacies and you don't necessarily know, yes, they're patching the system, they're patching SharePoint, they're patching your server, they're patching your firewall, but there's no way they can replicate your entire environment.
So it's no way to really understand what the true vulnerabilities are out there, because nobody has that exact setup. So imagine a place that you could have a digital twin of your environment and you were able to run a red team. You can run having AI sitting there and looking at all of the software and all the things, and finding vulnerabilities in code, finding vulnerabilities in your setup and your configuration, your firewall and your network architecture in any of those types of things, and just continually sit there and run it. Like I've built labs and had amazing value out of them with a human doing things, but it's limited in how, how many scenarios a human can do just from a timing perspective, not to mention cost of all the things. So AI can really be great in that way.
But there's also a dark side to AI.
Researchers also trained an AI to bypass Microsoft Defender.
They used it, they used reinforced learning. It cost them, I think they said $1600 and they had a success rate of about 8% evasion.
So obviously that's not a super high percentage, but it's still taught an AI to bypass a security tool to get around it. It knows that, hey, this environment has Microsoft Defender, this environment has, you know, XYZ firewall, whatever those things are. You can start training AI specifically on this patch, this version, this PLC, etc. Kind of the inverse of what we were just talking about. And using AI to help find those vulnerabilities. We can also use AI to find them from a, from a bad perspective and start to attack them. Hey, I know this, this, this place that I want to get into, this environment that I want to get into has these things. How can I bypass those things?
The other is, is not exactly cyber, but it can, obviously it can, it can be used. It's a lot broader but it's, it's deep fakes. AI is obviously exponentially blowing up deep fakes from celebrities, any celebrity. You see, they have thousands of, of, you know, vulnerable deepfakes out there that are copying their songs, they're copying their movies, they're, they're using them in advertisements, they're, you know, people.
You, you really need to think about your incident response plan. Do you have a plan? Is, is part of your tabletop as part of your incident response plan. What if the CEO calls you? You know, we, we've all gotten the text messages from the CEO from the wrong phone number and we know it's not them or that, or your boss or your mom or whatever, but what if they call you and it sounds like you and it sounds like that person and, and they know what to say and then you believe like it sounds like again, you know, I've got hundreds of hours of, of my voice on the Internet from all of my podcast. So someone could very easily make a deep fake of me and my voice and call my wife and say, hey, send me 50 bucks because I lost my card, I need to get whatever. And she could very easily be tricked. So think about that and how are you protecting that social engineering, that phishing by using deep fakes AI is going to be able to be more successful in those things. That a few years ago was pretty easy to detect.
India launched Vastav AI, a real time deep fake detection tool.
It's been, it's been rolled out into law enforcement and enterprise.
But the takeaway there again this entire conversation is AI in and of itself is becoming a battlefield.
It can be your shield, it can be the sword, it can be the gun, it can be, you know, the, the fortress.
You know, it can be, you know, the good guy or the bad, and it's going to be both. Both sides are going to use it. They're going to use their own models, they're going to use their own tools.
It is a tool. You know, just like a brick in and of itself can build a house or you can throw it through a window. The brick in and of itself is not bad.
It is, it is what you wield with it, it's what you do with it.
So that kind of moves into the next. And that's some, some moves happening in policy.
The FCC is proposing a ban on Chinese technology in undersea Internet cables. And this impacts, you know, 99% of global traffic.
But the concern is that they will be able to do surveillance and sabotage on, on that and obviously that's, that's a huge concern.
The Internet, everything goes across it, even if it's VPN'd. With quantum computing coming with them, expecting to be able to in the future break encryption.
What if they just stored all of that data until they had an opportunity in the future to use a quantum computer to just break everything?
Those are big rules and big, big scary things.
US Coast Guard made a cyber rule.
The new requirements for maritime and infrastructure to report incidents. Cyber. Excuse me, report cyber incidents.
Annual training and then having formal plans by 2027, which, you know, it's midway through 2025, so that's not too far away. They're, they're pretty basic, but still, these are good. Moving in the right direction of, you know, having formal plans, having training, you know, you should be doing tabletops. I know I've talked about it many times, but, you know, the auto tabletop that we use is, is so, in my opinion, revolutionary in that it's not the traditional physical, old school tabletops. It's really the ability to run that through AI, right? You'll be able to pivot and do this, you know, almost like a Dungeons and Dragons or a choose your own adventure. But you can use it as training. Like you can really get everybody in the game, as they say, to actually understand. Just like we do in a fire drill. I know I say this all the time, but, you know, we do fire drills in buildings. And the reason is because we want you to know how to respond in a safe environment so that if that bad thing does happen, you already know, hey, I know I take the elevator. I know I take the stairs. The muster point is in this corner of the building or this corner of the parking lot. Everybody meets out there. You don't leave until like all of these things we know because we've gone through it so many times.
Even if it's just once or twice, like you still remember a lot of those things.
And then it's easier to be triggered, to remember when somebody said, oh yeah, remember the muster point, don't take the elevator. Like, oh yeah, that's right.
So that's really what our training should be. It should be so that it's not the first time somebody's experiencing it. It's not the first time that they're thinking about, hey, this thing is happening. How am I supposed to respond? Who am I? Who should I call? Who's the right person to bring in? Do I have authority to, you know, shut down the network? Or what is the step that I should take in Scenario A, B and C.
So finally the State Department, I'm sure everybody has seen many changes in the last six months with, with firings and DOGE and all the things, but the State Department just cut cyber and AI staff.
We're talking dozens of roles eliminated the exact moment global cyber diplomacy is, is actually needed.
So the takeaway is government's trying to tighten screws, you know, cut costs, all the things. But you know, our infrastructure is, is important and we, we need to be protecting it. And, and we need bodies that are looking at cyber, they're looking at AI and how's that going to impact infrastructure? How's it going to impact the grid? How's that going to impact our train and our transportation systems and, and our water? All, all of those types of things. Right?
So resilience is kind of the next piece. So we've, we've already talked about quite a bit in, in the, you know, from, from incidents, from vulnerabilities to, to policy, even you know, we're, we're about a year out from the CrowdStrike outage.
Everybody remembers the CrowdStrike outage. Where were you when that happened?
You know, a new study shows that 700 and more than 750 hospital U.S.-based hospitals experience downtime, patients diverted, delayed care.
It's really, it's the next WannaCry moment. You know, it's unfortunately we're, we're still vulnerable, right? We're vulnerable beyond.
And it's not just a CrowdStrike issue, it's a, it's a policy. And, and going back to the training like we, we've got to understand how these systems and how the, the tools that we're adding and the configurations going back to the, the, the lab and, and the testing I was talking about earlier. We really need to understand at a very, very finite level how all these things tie together. It's one of the reasons why we don't change things in OT so often because we don't want a whole bunch of software and adding new tools and installations and clients and all the things because it just makes it that much harder to install. When I worked in a nuclear facility, nuclear power plant in Texas, we were installing weather stations and satellite, emergency satellite communications at all of the plants and the buildings and all the things. And I installed it across our fleet.
I think I had like a month and a half because a whole bunch of things happen, but I needed to do it very quickly.
So I was able to install again satellite communications in the control rooms on, you know, in Downtown Dallas on top of a, you know, 50 story skyscraper and get those into the boardroom and get those into the, you know, emergency response rooms, all that. It took me a year and a half to get something into the nuclear control room at the nuclear facility.
Why is that? Well, because to do a penetration into a control room at a nuclear facility takes a lot of paperwork and you've got to do a lot of studies and you got to make sure that, you know, by doing this you're not impacting the ability for, you know, it for that room to withstand the, you know, nuclear reactions going on outside, all those types of things. Right. And it, for good reason.
They understand absolutely everything that goes into that space.
Just putting a Cat 5 cable into that room takes a lot of tests, a lot of understanding. They don't change things like the architecture, the design, the, the, the tools that the gear has to stand up the test of time and they have to know everything about it from you know, the time the material was, was, was picked up out of the dirt.
Until that bolt shows up at the, at the facility, they have to really be able to understand it. So I'm not saying that we, obviously we can't afford to necessarily go to that level of detail and everything, but we really need to be deeper, diving into, you know, cyber informed engineering and really understanding what we're, what our systems do and, and where the, the, the, the impacts can be. They're not always going to be cyber impacts of course, but they're going to be impacts to our system. Like if I, if this thing goes down, this may shut this down and then what is the impact of that?
The risk to the business.
Cloudflare and Palo Alto Networks are going all in on AI driven security.
Everything from anomaly detection to, you know, SASE integration.
And it's really where the, the next war is going to be fought. CISOs are ranking AI enabled threats as like top three global risk factors. And they're not wrong. So you know, the takeaway is, is backup train detect automate resilience.
We, we focus on it so much in OT from operational we're you know, triple redundant systems and safety systems and backup systems and we do safety training and you know, we do pre job briefs and we talk about things before they implement. You know, what's the potential impact? What's our, what's our backout plan?
Are we doing that everywhere?
Should we.
Right. Resilience isn't a buzzword. It's, it's making sure these systems are functional, making sure that the critical environments, whether, whether it's not, you know, it may not be a critical infrastructure. So your business may not be run power plant, but you know, your system is, that system is critical to your business and having it up and running, incapable. Maybe you're a small business in your website, you're selling things on your website. If that thing goes down, you don't make money.
If your store can't, you know, if, if you run a liquor store or a gas station and you can't pump gas, you can't, you can't make money. Right? Those are all impacts, right? And understanding what those, what the risks are from the systems and how they all tie together and how everything works is super important, right? So making sure that we're patching, you know, run at, run AI threat simulations, look at digital twins. Can your, can your team spot a deep fake? Again, are you telling your team a safe word or, or what is your policy on, you know, if the, the CEO, the CFO, the engineering manager, the plant manager, whatever those things are, if they call and say to do something out of the ordinary, how do you, how can you train your team to spot that and what procedure process can you implement? That doesn't make it too difficult, but still there's some kind of check safe, you know, that, that enables this to not spin out of control.
You know, update your incident response plans, you know, include AI and voice cloning scenarios, review the dependencies for your vendors.
You know, it's super easy to deep fake credentials badges.
You know, it's very easy to grab a hard hat, put the right sticker on it, show up with a badge that looks right. It's got the contractor badge, I take a picture of it, I recreate it myself. Like there's all these things that are super easy. So think about that process. The good thing is a lot of, you know, power plants, et cetera, they're small enough, they have few people on them. So if I showed up in that space and somebody doesn't know me, they may not let me in. But if I'm good enough at what I do, or they're busy or whatever that can, I can get through.
So that's the whole social engineering side. But I think the bigger piece is just to be proactive, right? Don't wait for a breach to tighten your defenses. And unfortunately some of the things that, that we see in the industry is, is that we don't really see a big change many times until something bad happens. Maybe it doesn't happen to you, maybe it happens to your neighbor, it happens to your, your competitor, whatever, and we use those to benefit, to justify the budget, the cost, the, the overhead, the implementation. But don't give up. Like, keep, keep fighting, right? AI is rising. Zero days are accelerating. You know, all these things are not going to change.
But yeah, that, that's it, guys. Thank you for listening.
You know, the, the AI thing is here to stay. It's going, it's really exciting. I love that, you know, a lot of the things that we talk about and that we're digging into are AI focused. But even beyond that, it's really just like, it's also scary at the same time, a lot of the guests, if you've listened the podcast, always have that, that final question at the end where it's, you know, in the next five to 10 years, what's one thing that's exciting come up over the horizon? And one thing that's scary, many times AI is both of those answers and it's both sides of the goal.
[00:21:31] Speaker B: So till next week, thanks for joining us on Protect It All, where we explore the crossroads of IT and OT cybersecurity.
Remember to subscribe wherever you get your podcasts to stay ahead in this ever evolving field. Until next time.