Episode Transcript
[00:00:00] Speaker A: You're listening to Protect It All, where Aaron Crow expands the conversation beyond just OT, delving into the interconnected worlds of IT and OT cybersecurity.
Get ready for essential strategies and insights.
Here's your host, Aaron Crow.
Hey, Kylie. Welcome to the show. I appreciate you taking the time. I'm glad that you were able to carve out this time, and I'm excited to talk about the topic. So why don't you introduce the listeners to you and the company and kind of what you guys do.
[00:00:33] Speaker B: Yeah, absolutely. Happy to be here.
My name is Kylie McClanahan. I'm the CTO of a company called Bastazo.
We do vulnerability and patch management, primarily for electric utilities, looking at the NERC CIP requirements to help with that compliance piece.
[00:00:54] Speaker A: Yeah, I've got a lot of experience in that space, in vulnerabilities and NERC and all those different things. So we were just at a conference. Well, we've been at a lot of conferences together over the last while, but the most recent one was in Chicago. It was a smaller space, and I like those. I saw somebody else posting about that, right? Yes, S4 is great, and all the big conferences are wonderful. I'm going to them all. I love them all. But sometimes those small conferences are really intimate, and you get more conversation. I'm able to really understand the talks and be there and have more dialogue, whereas at some of the big ones, man, there's so many great things going on that you just can't catch them all. Same thing, right?
[00:01:34] Speaker B: Yeah. Yeah. And, like, you know what I really like about the smaller ones? You get a lot closer to the end users or the end consumers. It's really easy to get kind of caught up in the buzzwords and miss what the experience is like for the person actually doing it.
[00:01:52] Speaker A: Yeah, absolutely. Well, so let's dive in, man. Let's go. So vulnerabilities are a huge topic that everybody's concerned about, especially in OT, because we have all this aging architecture and we don't have staff to patch like we do in IT. And we're getting these passive sensors that are telling us about vulnerabilities. They're telling us all these things, but then what do we do about it, right? It's such a big problem across so many verticals that have OT, which is just about everything nowadays. So how are you guys approaching it, and what are you guys doing to help in that vast space where we need vulnerability management in OT?
[00:02:29] Speaker B: Yeah, you know, I think actually, first I'll go on a little bit of a tangent. I was at VulnCon recently. It's the first year they've done it. It was a phenomenal event. Going to VulnCon after primarily going to these OT conferences,
One of the things that I noticed very quickly was that there's a totally different vocabulary.
There's a lot of focus, for example, on CWEs, the Common Weakness Enumeration, and associating that with CVEs, which is great, right, to be able to look historically and say, like, you know, memory safety is a huge problem. What can we do about memory safety, or whatever class of vulnerability? But your, I'll say, end user, the person charged with remediating these vulnerabilities, that doesn't matter to them.
[00:03:29] Speaker A: Sure.
[00:03:30] Speaker B: Because that doesn't help them at all with fixing it. And I think, honestly, even more so in OT, where the person tasked with that, or with cybersecurity in general, is less likely to have any formal training or education in cybersecurity, because they were brought on for their engineering expertise in many cases.
And so I actually had a lot of really good conversations there with people asking, like, how do we make CVSS better? How do we make the NVD better? How do we make these classifications?
You know, one of the conversations I had was with someone on the CVSS working group, which was, how can we get better real-world examples of, like, the difference between network and adjacent network? Like, I get it conceptually, but I did computer science. If you've never taken a networking class or even, like, professional education, what are ways that we can better communicate to you what the difference between those is?
[00:04:31] Speaker A: Right. Yeah, I mean, language is so important. And to your point, a lot of the people that are at the front lines, that are defending and protecting these environments or remediating these environments, they don't come from a background of technology. Not that they're not capable. That's just not what they do.
[00:04:48] Speaker B: Yeah. And I spend most of my time in the electric sector, and you see so much of that there. Now, of course, CIP is not new at this point, but, you know, around 2015, 2016, when version five was becoming mandatory and enforceable, you saw a lot of people who were told all of a sudden they were now the cybersecurity head at their plant or in their department. And I think, to go with the funding and staffing issues that everyone has, a lot of places are still trying to play catch-up with that.
[00:05:34] Speaker A: Yeah, absolutely. I mean, there were a number of folks that, you know, they'd been at the plant for 40 years and they're the most capable and understanding of the environment, but they're not technology people. Right. They don't think in networking and vulnerabilities and IP and routing and firewalls and all that kind of stuff. It's not that they don't understand it, it's just that's not their primary job. So we're constantly fighting this uphill battle of trying to make it where it makes sense to them. Again, not because they're stupid or anything like that. It's just, you know, French and English. Right. It's just different languages. Right, exactly. If you teach it to them, then they'll get it, but they're not going to just get it out of the box. It's not so simple that just anybody can pick it up and go, oh, yeah, well, obviously that makes sense, because it's very complex.
[00:06:18] Speaker B: Absolutely. And that's something, honestly, that I've really tried to make important to Bastazo as we're kind of getting started. We're still very, very new. When you go into these environments, you find out that the newbie on the team has been there for 15 years, right?
One of the greatest assets there becomes the intuition.
The intuition that something is wrong. And what I've seen a lot of is teams or plants, whatever, with incredible amounts of this learned experience, who spend their time doing, and I want to be clear, I'm not saying useless, but somewhat dull or repetitive compliance evidence, whether it's taking screenshots to prove that you've checked a vulnerability source or trying to pull documentation together in audit prep. And one of the things that's been really important to me is, how can we help to automate some of these things?
Keep them in a database instead of a network of folders, for example, so that the intuition and the experience that they have can be better used and they're not just spending time doing these very menial tasks.
[00:07:39] Speaker A: Yeah, I've been around NERC CIP a long time, all the way back to version three and implementing five and six and all the different things. I grew up in power utility and generation and transmission. So I've seen that firsthand, how difficult it is and how the language is, and I've seen it across multiple organizations, very large organizations. It's kind of like religion. You read the same line in the Bible, and two different people take two completely different things from the same words that are on the page. Right.
The way that they interpret it and the way they implement it are vastly different. And that's where the language, the NERC CIP language, is meant to be, you know, fairly vague so that you can implement it for your organization. But, you know, you can also misunderstand. It's not black and white; it's very, very complex. And again, I've seen vastly different implementations of the same exact thing. And they're both compliant. Right. So they're both checking the box for compliance, but they're not doing the same thing.
[00:08:40] Speaker B: From a cyber perspective, it comes down to doing what you've said and set out that you're going to do.
[00:08:48] Speaker A: Right? Yeah. But sometimes I think it's a double-edged sword, because I don't like compliance in that I think many people do just the bare minimum to check a box for compliance instead of using that opportunity to do the right thing. Or "right" is not necessarily the correct word, but the most beneficial thing to the organization, not just trying to not get fined. It's kind of like, you know, I'm going to go this speed because I don't want to get a ticket, instead of, I want to go this speed because it's safe and all the other factors say it's the right thing to do. My kids are in the car and, you know, there's a dog on the street and the stoplight's not working. All those other factors get to the same answer sometimes, but other times it's vastly different. Sometimes it's like, hey, I'm just going to take a different road because that road is a problem. I'm going to go the back way because it's safer, and that's probably the better way. I'm not going to drive the fast car; I'm going to drive the other car. So my analogy is breaking down a little bit, but you get what I'm trying to say.
[00:09:52] Speaker B: No, absolutely. Absolutely. And sometimes, I mean, not even just sometimes, it becomes a question of funding, requisitioning funding. You know, if you can say, I have to be able to demonstrate this, here is a tool that will do this, it costs this amount of money, that's something that may be achievable, versus, I need a tool to protect my network. Okay, well, what does that mean, and how far, and how many people do we need? Right.
I think especially talking with, like, cooperatives and municipalities, where you're not just trying to get money from shareholders. You're going back to ratepayers, you're going back to, like, a city board.
It can be difficult.
[00:10:35] Speaker A: Well, and those are even beyond just funding. So funding is a hard thing. But even beyond that, like, you know, I worked for a power utility, and again, I've worked across very large power utilities and even smaller ones, too, but they have teams. Like, maybe it's a small team, but they still have somebody that has that job. When I go to municipalities and water districts, they probably don't have anybody. It's like, well, Todd knows the most about it, but that's not his job, and he's not a cyber person, and he doesn't even have OT in his title, and he doesn't even really do it, but he can speak that language better than anybody else, which is still probably at an eighth-grade level compared to the multiple PhDs that you need to have an expert-level understanding of these environments.
[00:11:17] Speaker B: Right, right. Well, and I think, to kind of go back to the beginning and the difference in language, I think this is where vendors' security advisories start to become really important. And I think it's why a lot of NERC CIP, at least in practice, CIP-007, has leaned towards the patch side. You've got to keep track of patches, and vulnerabilities are kind of more of an "if you have time." Right. And I think part of that is this language: the advisories from vendors, or at least the notifications of patches, are something that you can act on without requiring your end user, analyst, operator, whatever the term is, to have an understanding of the vulnerability and its capabilities. Whereas if you have somebody just scroll through the NVD, you have to figure out if it applies to you, and then also if you can even do anything about it. That's not easy to determine.
[00:12:16] Speaker A: Well, again, going back to what you're saying, applying a patch is black and white. It's binary. Did you apply it or not, period? I did or I didn't. Or if I can't, then here's my reason why. It's a justification, because I don't have that version of software, or it doesn't work with this other thing that I have, and the vendor gave me an exception because if I install it, it breaks something, whatever that case may be. But to your point, when you're looking at vulnerabilities, there's a lot of ways to mitigate. You can put in a firewall rule, you can uninstall or disable RDP or whatever the thing is for the attack vector. There's a lot of different ways that you can do that. And it becomes a lot muddier to be able to prove, especially from a compliance perspective, because that's a lot of what we're talking about here: how do I prove that I've remediated it? How do I prove that I've mitigated this vulnerability without just being able to say, is this patch number installed on this machine? Because that's a very yes or no. It either is or it isn't. And if it's not, then here's my exception. Right. But when you start looking at SBOMs and all these underlying vulnerabilities that we have, how do you know that you've remediated those things? And the answer is you can't know. Which means it's hard to regulate. It's hard to have a compliance program around that, because compliance is always looking for this checkbox. It either is yes or no. It can't be anything else. There's no gray area, there's no purple, there's none of that. It's yes or no.
[00:13:41] Speaker B: Exactly. Exactly. To that point, I was finishing up grad school at the same time as doing stuff with Bastazo, and I was part of a grant called VENT, for vulnerability intelligence. It's what I spoke about at S4 this year. We had finished a big piece of it. It was the University of Arkansas and the University of Arkansas at Little Rock, and then Bastazo and Network Perception. So Network Perception, for any listeners who don't know, they can take in firewall configs and give you kind of a graph model of your network. They've been around for a while, particularly in the electric sector. And so the goal of the grant being, if we have this network model and we have vulnerabilities that we know apply to your devices, we know that it's this vendor, this product, this version, can we place an attacker? Completely theoretically. We're not doing pen testing in any sense. Can we place an attacker and then see how far an attacker could get with available exploits? What if they had a high level of credentials? What if they had Active Directory? What and how far could they get? With the goal being to get kind of a binary, safe or unsafe, and to be able to give you reasons for that: it's safe because this vulnerability requires RDP and you've blocked RDP in the path to that device. You still can't know for sure.
There's still the chance that a malicious insider is going to come wreck your system. But to say, in the simulation, you've blocked network traffic, and then when you look at it from the graph view of the network, hopefully spur other mitigation actions. You mentioned firewall rules. If we have a set of assets across the network that may be vulnerable, and maybe they are unsafe vulnerabilities, is the best remediation to go patch each one of those, or could we do something broader? Is this a time to start putting in better network segmentation? Would that help us? Could we patch an upstream node, just one, and then prevent exploitation of these further on, to help get closer to the question, am I at risk? I know my device is theoretically susceptible, but is my system at risk?
[00:16:27] Speaker A: And being able to calculate that, like, to a number, or be able to understand, yes, I'm at risk. Risk is never zero, or rarely ever zero, unless I just don't do anything and I unplug everything, turn everything off and go home. Right? Then my risk is zero.
[00:16:41] Speaker B: Right?
[00:16:41] Speaker A: But that's all we're talking about here. Your risk is never zero. You can never fully secure your network. You can improve your security, you can expand your security, but we all know, given enough time and opportunity, somebody can get in. It's just like the lock on my front door. I can buy the most expensive lock in the world, but I'm never going to just depend on a lock. I'm going to have a lock and a security system and cameras and a dog and a gun and all the different layers of security, because I know if somebody wants in, they're going to get in. Given enough time and opportunity, they're going to get in. They're going to drive a car through my front door. It doesn't matter how great of a lock I have if they drive a pickup truck through it.
[00:17:18] Speaker B: Exactly. Exactly.
[00:17:20] Speaker A: So that really under, given those tools, that's a better way to understand.
That's really a lot of the struggle that we have today is a communicating the struggle that we have and what risks we have. Right. Cause, again, board level conversations, they wanna understand what is my risk. Right. But they don't, they're not cybersecurity professionals. They're not necessarily technologists, cetera. They're, they're, they're really looking to be able to put it into business terms and financial terms. What is the risk? Like, if, here's my risk and I were going to lower it, you know, is it, is it a $10,000 cost? Is it $100,000 cost? What is my risk? How much it cost me if I don't do it? Like, and a bad guy takes action, how much is it going to cost me if I, if I try to remediate so that the bad guy can't get in? What's the delta? Um, and ultimately, that's what we're talking about here is we're, we're, we're always weighing the pros and cons, the risk and reward of every, every conversation of how do I get funding? And where, if I have a dollar, where am I going to spend that dollar? Is it better to patch all the systems? No, t usually not. So what about these systems? Are these more critical if I do that one up there, does it, does it lower my risk enough that I'm comfortable with the risk? Because they, we've gone all the, and that's the conversation that today is difficult. Difficult to understand, especially if you have multiple sites and multiple types of sites. I've got power generation, I've got manufacturing. I've got gas pipeline, I've got warehouses. I've got buildings with elevators and H Vac. It's this vast problem that nobody can grasp their hands around to really understand the true business risk, because ultimately, that's really what we're talking about.
[00:19:00] Speaker B: Right. Right. And I think we have to factor in the IT risk as well, to be able to say, is that going to be the point of first compromise, or is that going to trigger us to take steps in our OT network, even if the attackers don't ever get there?
[00:19:20] Speaker A: Right.
[00:19:21] Speaker B: And I think everyone wants a lovely equation that we plug in the eight variables and we get a number. And I think people are starting to realize that it takes an incredible amount of expertise, and you're not going to end up really with a percentage. You know, if you are being given a percentage, please ask them exactly where that's coming from.
[00:19:45] Speaker A: 42.
[00:19:46] Speaker B: Yeah. Right, right. It's the answer to everything.
[00:19:49] Speaker A: That's right.
Well, yeah, you know, it's so complex. Even, again, going back to your municipalities and your wastewater and small organizations. Even for a small organization, it's a complex problem. But you get into large organizations with multiple sites and multiple types of verticals inside of a business unit, and all of that, the IT side and OT side and supply chain. I mean, there's just so many factors that ultimately, I know personally, a lot of folks are just throwing their hands up. They're just like, it's so complex. I don't know where to start. Like, I've got a firewall. I don't know what else to do.
[00:20:26] Speaker B: Right, right.
You know, and honestly, honestly, I think it feels that way for the vendors, too. Yeah.
I was talking at VulnCon with someone from Siemens, and I'll say first, this is not me hating on Siemens. They do incredible work.
We were talking for a bit about software identification, which is, of course, one of the big problems. How do you associate that?
He was talking about, internally, between the product development teams, the sales teams, and the security teams, trying to agree on consistent naming. He'll say customers will come to the security team and say, am I vulnerable? I have a green box in a gray cabinet. And that could have been called eight different things.
Not to hate on sales teams either. That's not my point. But in different markets, in different areas, at different times, that same box running essentially the same software could have been called many separate things. And so, you know, I could talk for a long time about CPEs, because there's all kinds of stuff there. But it's not even just a question of it getting in correctly from the vendor, because within vendors, it becomes really difficult to determine consistent naming.
[00:21:47] Speaker A: Well, and you hit something right there, especially in these OT spaces, right. People look to their vendors like they're deities, and everything they say is truth from God's mouth. Right. And as we know, it's not always that way. They're doing their best, and again, not to hate on them. I have a lot of great relationships with a lot of these vendors, but there's no way they can know everything. So they do their best, they test, they do a good job of those things, but it's not always the right answer, and it's not always 100% true. It's true to the best of their knowledge. I'm not recommending or suggesting that any of them are lying or doing anything malicious.
[00:22:27] Speaker B: No.
[00:22:28] Speaker A: It's just they're not. They don't know everything.
[00:22:31] Speaker B: Exactly. Exactly. And, you know, when you talk about, especially, the big international OEMs, there may be information in one area that doesn't fully get communicated to another area. You're trying to break up the silos, as the buzzword goes, and it becomes really, really difficult. And so I think, really, everyone is kind of in a lurch, hoping someone else has the answer, and we're all in this together.
[00:23:08] Speaker A: That's right. So one of the things you talked about at that conference in Chicago was this integration with network visibility, being able to get those firewall rules and the routing tables and all that kind of stuff and integrate that with vulnerability data, and really being able to understand perspective. How have you seen that help conversations, even just being able to associate and really understand where my network is, how it really lays out and where my vulnerabilities are, versus just looking at a CVSS score, right, of an asset? PLC number one has this many vulnerabilities, and what does that mean to me? I don't know what to do with that. Right.
[00:23:53] Speaker B: Yeah, no, yeah, yeah. Okay. So I think here's where it really starts to help.
It can be very easy to get into a whack-a-mole mindset with patching.
The mole pops up, you whack it with the hammer, you patch that one. Congrats.
And so it becomes really easy to lose track of the bigger picture, because you're handling what's right in front of you. You're trying to meet the deadline, you're trying to get the audit evidence, et cetera, especially if you are the one in charge of doing that analysis, finding the patches, getting people together to do what you need to do to actually install it. It is very, very difficult, just because of the grind that you're in, to take a step back and look at the big picture. What is helpful in this grant, in this collaboration, is to have the visualization, to say, we can show you the network model of your system and the assets. Now, we still have little pop-ups that tell you the vulnerabilities that are there, but it helps, even just visually, to have the piece of, this is what my network looks like. I can see here, looking at the picture, that there's a connection.
These four devices have a vulnerability. Here's the RTU.
I'd better protect the RTU so they can't get down to the sensors, or I'd better do whatever it is. It's a lot easier to see the connections between devices that are networked, obviously, and look for bigger remediations.
[00:25:39] Speaker A: Yeah. And what's that saying? A picture's worth a thousand words. Right. So being able.
[00:25:43] Speaker B: Yeah, it makes a big difference. If you go to NVD's website, and this is not me hating on the NVD, I'll put that disclaimer out there, but you go to the page that's just the most recently published vulnerabilities, for a living, it is an overwhelming experience.
Right.
They get published in blocks, and so you're trying to click through a few, and they all basically look the exact same because they're just slightly different. They were all published at once.
It's very overwhelming. And you end up with essentially an Excel spreadsheet with a ton of numbers that have limited connection to your actual network. And you're expected to make sense of that in a system that is dynamic.
[00:26:30] Speaker A: Right.
[00:26:31] Speaker B: And really, I think visualizations, not just a dashboard, not just a graph that says, here's the CVSS scores. Those have their place, but something to say, like, you know your network intuitively. Let me show you what it looks like from a cybersecurity perspective, and let you superimpose those in your brain, superimpose your knowledge of how the system works with kind of a top-level view of your vulnerability exposure, and start to see where things may be vulnerable.
[00:27:09] Speaker A: Even taking it a step back from that. I know, again, I've been doing this a long time, both as an asset owner and as a consultant, and as a CTO of a software company in the product space. So I've seen it from a lot of different angles and perspectives. One of the most common things I see is, I walk into a place and they don't truly understand their network. They don't truly understand where their assets are, which ones are critical. If I had a list of 100 assets in their environment and even correlated the CVSS score to say, hey, these are the ones that are the most risky from a CVSS perspective, they don't know which ones are the most important to their business. So, yeah, they could sort it by CVSS score, but that's not necessarily the right place to focus their effort, because the one that's at the top, maybe. This is the analogy I give. You can have the same PLC. One's controlling a turbine and one's controlling the ice machine in the break room. Right?
[00:28:05] Speaker B: Exactly.
[00:28:05] Speaker A: Which one should I work on? Right. Obviously, I'm going to work on the turbine before I work on the ice machine. I may have some upset people, but it's not going to shut down my plant. But if you don't have that correlation and understand not just what your asset list is and what the vulnerabilities are and all that kind of stuff. All those things are, I believe, needs, not wants. They're absolute needs, to be able to understand and protect your environment. But you also have to have some kind of translation into what those things do and what the risk and priority are in your organization. Because I can't just understand, because it's a Rockwell PLC, what it does. There's no way I can know, because I can make a Rockwell PLC do anything I want it to do, right? So I can't know by the make and model what the thing does.
[00:28:47] Speaker B: Right. You know, and I think there's a lot of almost castle-in-the-air answers. I would love to be handed an asset inventory. I think I would weep. I would weep tears of joy. Truly.
[00:29:03] Speaker A: Most people don't have it.
[00:29:05] Speaker B: Yeah. Right. Right.
You know, CISA has the SSVC, the Stakeholder-Specific Vulnerability Categorization. I think that's right. And they have a calculator on their website.
One of the things I really, really like about the SSVC is there's two questions to start off with about the vulnerability itself. What's the exploit level? Is it automatable? And then you get to mission and well-being, to say, how critical is this to your mission? And we're going to give you high, medium, low. Well, the equivalent. The actual values are a little different, but you end up with high, medium, low. And we're going to give you some examples.
And then, how does this affect, when you're considering critical infrastructure, the public well-being? If this were compromised, how much would it affect that? And then you get to a decision of track, attend, or act.
[00:30:13] Speaker A: Right.
[00:30:15] Speaker B: And what I really like about the mission and well-being piece is that you don't have to be a technical person or have all of the specs to be able to answer that question.
Now, it's not gonna get you a complete asset inventory, but without knowing details about uptime or rate of response, you can answer that question of how critical is it to keeping what we're doing here up and running? And if it failed, how big would the impact be to the public?
I think that's a really good step towards a workforce that is not trained in cybersecurity, but is expected to perform it.
[00:31:03] Speaker A: Yeah. And it's sad that so few organizations have an asset inventory. Right. I did an assessment on a power plant earlier this year, and they had an asset list. They gave me one. Hey, here's what we have. And I walk in, and I think there were ten assets on the list. All ten were wrong, and there were a hundred assets that I found. So they were vastly off. And it was obvious it hadn't been updated in forever, but that was the best information that the local people had. So I'm looking at this list, and I'm sitting with the person in the room. He's not the OT guy, but he is the most knowledgeable person about the control system. He is the guy, guy or gal, whatever the situation is, wherever it is, but that is the person that is responsible for it. So I'm asking him questions like, what is this? I don't know. Where is this? I don't know. Is there a router here? Yeah, it's over there. I'm like, okay, but the one you showed me is not this one. Is there a different one? He's like, no, that's the only one we have. Okay, so is this list up to date? I don't know.
Because it's worthless.
[00:32:13] Speaker B: Well, yeah, exactly. And it almost comes back to change management.
If you don't have a system to track change management, how are you going to keep an updated asset inventory, to know if something's replaced, if something dies and you have to go get a new one, if a vendor comes in to do maintenance? That's actually one piece that I've heard can be really difficult. Even for organizations that really try to track some sort of change management or work tickets, whatever you want to call it, it can actually be difficult to always grab hold of the tech who comes on site to do updates and say, hey, I need you to tell us, what version are we on now? What did you update it to? Can we get the information that we want to store for audit purposes?
It's hard to get that.
[00:33:08] Speaker A: Yeah, it's a hard conversation. Obviously there are products and tools. I used to work for one that did some of that stuff, but again, a tool is only as good. I've said this a thousand times, too, but a tool is only as good as you use it. Right. I can have the best woodworking tools in my garage, but having the tools alone are not going to build me a shelf or they're not going to build me furniture. Right. I have to actually get out there and use them, learn how to be good with them, and then I have to get the materials, but I have to spend time. It's really it, you know, that's why it really comes down to OT is in with anything. It's people, process and technology. It's not just buying a tech. Right. I can buy the best tech in the world, but it's not going to do it for me. I have to put people and resources and time and effort into these things to maintain them because, you know, every control system that was ever installed had an asset list. When they installed it, they got as built documentation with gorgeous engineering diagrams, but that probably hasn't been updated. Some of these plants are 40 plus years old and that was the last time they were touched. Maybe there's red lines for some period of time. They may have done red lines, but at some point, every time it seems like they just stopped doing it. Like it's not enforced. Yeah, they're ten years old at best. The last time they did a major upgrade.
[00:34:18] Speaker B: Yeah, yeah. No, no.
Absolutely. Spartan. We're going to help with that. We're going to help with the kind of intermediary step of even once you have a somewhat complete asset listing, we're going to help you map that to CPEs because that's how you're going to match against the NVD.
And that's a complete other can of worms.
Because I don't want to sell Spartan to you if it's not going to be useful to you. Sure, if it's not going to be helpful, but I want to have something that's useful that you don't need a whole team to manage that tracks changes as you use the tool. And if part of that is that we come on site for a week and help you set up, I'm more than happy to do that.
[00:35:13] Speaker A: Yeah, absolutely. And it comes down to that, right, is the greatest tool in the world. Doesn't matter unless you're using it. Right. So, like we just said, so that. That's awesome. So why don't you tell what is Spartan and what, how specifically does it work and how does it help folks map their vulnerabilities and their assets and all the things?
[00:35:29] Speaker B: Yeah, yeah. So it works without, you know, we don't, we don't have a sensor, we don't have a box that plugs in, but we take an asset inventory and map that to the NVD to be able to pull vulnerabilities. And then the second step, to be able to associate those vulnerabilities with patches. A lot of that comes down to vendor security advisories that say, here's our product, here's the vulnerability, here's the patch. The CSAF standard, the Common Security Advisory Framework standard, is a machine-readable way for vendors to publish these advisories. I know that BSI, the German cybersecurity department, has been huge in kind of publishing that.
That becomes a really great resource to be able to associate these.
And then based on features of the asset and of the vulnerabilities, we can say, you know, we have a decision tree. That's what we use to say, you know, I said, do you do it now? You know, for CIP within your 35 calendar days, do you do it at the next maintenance cycle when you have an outage? Or do you apply a mitigation and then organize those into plans based on the due date to say, these are the ones that you have to address within 35 days. These are the ones that you need to go send, you know, here's your mitigation plans. Go send them to your CIP senior manager. Here's the mitigations that you have. With that comes a way to manage baseline configurations for CIP-010. You're looking at patches, ports, system services, and software assets. So to track those, track any changes and then keep that updated.
We do this so we don't do any active scanning. Spartan does not do any scanning with our customers so far. We'll essentially take any scan that you want us to take. We'll work with you on that. So we'll take in, one of our customers uses WinAudit. We'll take in WinAudit files, Nmap, netstat, Nessus. Right. Any of these, of these file types that we can pull data from, I'm more than happy to write a parser and use that data. Getting the work plans out into change management. You know, if you have an external change management tool, happy to make tickets in that just to be a way to manage a lot of the, I'll say, banalities of this patch management piece. We'll give you the evidence to say, here's when we checked these vulnerability sources or these patch sources.
You can print out this report when audit time comes and it's going to have everything. When you, you know, we have one of the reports is designed, what was designed specifically for that level two evidence request. Once they've done the statistical sampling and they come back, say, okay, here's the assets. Here is everything we have for the audit period for CIP-007. And so really the idea is what, what of the, you know, what of the. That admin we'll say, can be handled automatically. There's a lot. And also, how can we enrich the data that you have?
How can we give you a view for this partnership with Network Perception? How can we give you a view of the network? How can we give you a better understanding of how this vulnerability would affect you and then make it available for download. Make that data available.
[00:39:28] Speaker A: Yeah. That's so huge. It sounds like a simple, not simple thing, but that's the pieces.
There is no silver bullet. There is no. There's a lot of tools out there that do great things. Again, I used to work for one, and I've implemented hundreds of others, and they're all great tools, but they solve their own problem. And if I looked at a Venn diagram, there's all these different areas. So what I see, the vision of the future, if I were God and could just make this perfect thing, there would be this ecosystem of all these tools giving their data to something that can extrapolate and take, hey, I need that information and I could use that information. I could use that information, and I build this into a system, single picture, and I do something with it, right? So taking the network map and taking the asset list and the firmware levels that are on my system, connecting that with the NVD, and, you know, when's the last time I checked on these things? And last time, all those things together, and then I can print a report that says, hey, these are the things that matter, right? So when I have that and I have something I can look at, visualize, whether it's in a picture or even just in a spreadsheet that I can export, and say, hey, these are the things that we have in our environment, not because it's ten years old and that's the last time we updated it, but because somebody scanned it, whether it's a tool or whatever it is, that becomes a more dynamic and real thing that we can actually do something with. Right? And then I know, hey, go do it over there. Like fix that thing first, like fix the firewall rule or this asset over here that's controlling the turbine. Let's go fix that thing because it's a really known good vulnerability. Let's go fix that first.
[00:41:09] Speaker B: Right, right. Well, I think pulling in resources like CISA's KEV, you know, to be able to say there's, you know, there's, there's places where we can get, we can get good, good data. I don't, I, I don't need to hire ten people.
[00:41:29] Speaker A: Sure.
[00:41:29] Speaker B: Just to do, you know, generation of this, this kind of data. There's a lot of very good and well maintained data sources. You know, CISA, it's, the KEV is great. And this is very, very upfront about the fact that there are things that may have active exploitation that aren't on the KEV because they don't have a remediation.
There's other lists that will maintain things that are actively exploited regardless of remediation status. I think the more we can honestly communicate, not even shortcomings, but the things that we do well and the things that we don't do as, as well, the better the situation for the end, the end user. You know, I have no, if someone wants an intrusion detection tool, Spartan is not for them. And I'll be upfront about that. I don't feel the need to move into intrusion and detection. But if it's something that would work in your. If Spartan, something that would work in your environment, absolutely. Let's figure things out.
[00:42:43] Speaker A: Well, and I think more and more folks are going to start because again, I've been, I've been at this long enough that, you know, it started out with, oh, I've got a firewall, I'm done, right? Or I've segmented my network, I'm done, right. Or I've disconnected, I've air gapped, or I've got a data diode or whatever the thing is. And I think we see now, I think we've always known, but I think the end or, or business sees now there is no silver bullet. There is no, I can implement this thing and I'm good, I'm done. I never have to approach this thing again.
It's not that. Right. It's always, it's always changing. My vulnerabilities are constantly changing. I'm always having to adapt. I'm always having to adjust. And honestly, a lot of this is coming from the vendors themselves because the vendors have changed. You know, 20 years ago, the control systems didn't have these problems. A, they weren't connected to the network, and B, even if they were, everything was proprietary. Like, you know, you couldn't talk to it unless you had one of their boxes. Like, now we're using IP and normal commercially off the shelf available equipment and software and everything else. So we've brought all these problems into OT, and it's going to get, it's not going away because it's just, it's so much more efficient than it is building a custom operating system and protocol. And, like, why would you do that? Like, let's just fix what we have. And I can fix. I can mitigate those problems other ways. And honestly, as we know, security by obscurity is not a good thing either. Right. You don't know about the problems. It doesn't mean they're not there.
[00:44:07] Speaker B: Right. Well, and, you know, I think some of that, we can look at it from a threat perspective with an analogy to physical security.
There's a lot of backup data centers that are off in the middle of the woods. I'll joke with people that I was born into the industry, and it's a little bit true. My dad was at an electric utility for 40 years, and so I grew up. You know, he'd have to, he'd have to drive out, I'm in from Arkansas, drive out to the middle of nowhere, Arkansas, to check on a, you know, disaster recovery center. And I'd be like, eight. Be like, can I come? That sounds fun.
Yeah. And in that, you know, physical security, if nobody knows your data center's there. Right.
[00:44:57] Speaker A: Right.
[00:44:57] Speaker B: It's a little, it's, well, it's not a little different. It's very different with cybersecurity.
You don't, you know, as opposed to casing a joint where you're going to do a ton of research about a site, you don't have to do that with a cyber attack. Now. You can and some do, but you can also just throw a bunch of darts and hope something sticks and things will. And so, you know, I think, I think they're, we're looking at a very different landscape of threats when you don't have to have intricate knowledge of one system to be able to try and compromise it.
[00:45:35] Speaker A: Yeah, absolutely. Yeah. That's funny. Obviously, we have very similar background. My dad also was 40 plus years in power utility, so it's also how I got my start.
[00:45:45] Speaker B: Yeah. Well, and actually, so I know that you also know Philip Huff, and I don't remember if I told this story at the cyber, cybersecurity forum in Chicago, but one of my first internships was the summer before CIP v5 became mandatory and enforceable, and I was actually working for Philip Huff. Of course, now we work together, but at the time, I was interning, and it was at the point where we weren't entirely sure if blocking ports meant physically or logically. There was still some wiggle room. And so I spent part of that summer in a data center with a bag of plastic port lockers and an Excel spreadsheet putting in the serial number of the port locker and the serial number of the device. I also give him a hard time about that, like, you know, because he was in the industry for a long time, incredibly capable, and so he'll, you know, kind of talk about his qualifications, and I'll be like, yeah, yeah, actually, Philip, do you remember that time during that summer that I put port lockers in.
[00:46:50] Speaker A: Them?
[00:46:50] Speaker B: Exactly. Yeah.
Yep.
[00:46:53] Speaker A: We've. Yeah, it's. It's. It's been.
I've done those same things, and I've had teams doing stuff that, you know, five years later, you're like, man, that was a waste of time and energy, but again, at the time, you're doing the best that you can with the knowledge you have. Right, so.
[00:47:05] Speaker B: Exactly.
[00:47:05] Speaker A: Yeah, that's funny. So. So next five to ten years, I asked everybody this question, but, you know, what is something that maybe you see that you're excited about coming in the next five to ten years on the horizon in this space, and maybe something that's concerning?
[00:47:18] Speaker B: Yeah, so I. This is going to be a little bit out of left field. So. So I do a lot of machine learning research, particularly in my graduate work. There's some very interesting research on state estimation. State estimation of the grid using graph neural networks.
So, graph neural networks being a graph structure to do processing a little bit different, even more than typical neural networks. And there's been some research about how to get a better and faster, a more correct, maybe we'll say sort of better estimation of the state of the grid, because a lot of these equations have been around and in use for a long time. I'm not saying that they're not useful. They absolutely are. And I'm not here to say that AI is going to take your jobs. Please don't take that away from this. But I do think that's a really interesting point, to allow a machine learning model to look for optimizations, perhaps that we don't necessarily have the time to have someone sit down and try by hand to look for that.
I'll stay on the same track for the other half of the question, which is that I'm gonna, you know, be a cautionary voice about large language models.
Now, again, I'm not on the doomsday train. It's not gonna be Skynet. However, you know, I think there's a risk in these large language models of, it's called hallucination. And so it's the, it's easy to say the model makes something up. I don't love that terminology because that's putting too much agency on the machine learning model. It has no idea what it's doing. It's giving it text.
And right now, particularly, it's difficult to find a model that will give you any indication of the authenticity or the truthfulness, maybe we'll say, of what it's telling you. I see a lot of, of places, I mean, they're not putting it in control system, so like, that's. But having some sort of employee chat bot or having, you know, kind of a knowledge portal. And I still, I have a lot of hesitation towards that because how are you knowing that it's keeping its answers to what you have told it to now? There's ways that there's a lot of research about how can you, you know, how can you get things to be more. More truth, truthful?
A lot of that's very, very fascinating, but I'm hesitant about.
This is an easy way to replace HR. No, it's not. It's really not.
[00:50:32] Speaker A: It's not. No, it's not. Yeah, I play a lot with, with, you know, ChatGPT and the local models and things like that too. And. Yeah, it doesn't know. Like, it's. And I, it never says I don't know. Right. Not never, exactly. It's going to give you an answer and it may not be an accurate answer, but it sounds, and especially if you're not knowledgeable enough in the first place. So, like, I use it and I'll have it reword things for me and I'll just do a data flow of what I want to say. And instead of worrying about syntax and formatting and all that kind of stuff, then I can dump it in ChatGPT and it'll give me out a thing and then I can modify it. Oh, I don't like that. I don't like that.
[00:51:11] Speaker B: Right.
[00:51:12] Speaker A: But it makes me be creative. But you've got to be careful because when it dumps it out, I know I'm the one that gave it the content, so I know, hey, this is supposed to say red, not blue. Right, exactly. I told it what it's supposed to say as opposed to what color should it be? And it says green, like, well, I don't know any different. So green's a good color.
[00:51:30] Speaker B: Yeah. Yeah, right. It is. It's a great tool for those things. Like, you want to edit a draft, not stare at a blank page. That's like, I am all on board for that. That's so, that's so helpful. But I think, I think you hit the nail on the head. If you're asking about, if you're asking it about things that you are unsure of, that's where I would say, let's hands off. Let's go ask Google or, you know, let's, let's go do some research. Let's go look at manuals or like, whatever, whatever. The, the question is, it is not looking up in Wikipedia for you. It's making statistical correlations and it's guessing.
[00:52:06] Speaker A: And it's not citing its sources.
[00:52:07] Speaker B: Yeah, exactly. Or it is, but they're, it's making them up.
[00:52:11] Speaker A: Right. It cited a source that doesn't exist.
[00:52:13] Speaker B: Did you hear about. There was a legal case.
[00:52:16] Speaker A: Yes.
[00:52:16] Speaker B: Okay. Yeah. It had made up a citation.
[00:52:19] Speaker A: Go ahead and say it.
[00:52:20] Speaker B: Yeah, no, there was a case where a lawyer had cited a particular case in a briefing, and the judge came back and said, we can't find this anywhere. And he said, oh, yeah. Oh, ChatGPT told me about that one, actually, so I wouldn't want that on the court record. But congrats, my dude.
[00:52:41] Speaker A: Yeah.
It's inevitable to happen. And I think, I'm very excited to your point. I'm very excited about the opportunity that AI and machine learning and large language models, et cetera, are going to bring to us. But we also have to be very careful. Like, there's a reason why the OT world is ten years plus behind the IT world. On the technology side, I drive a Toyota or a Lexus or, you know, there's a reason why their, their technology, if you, if you look at a brand new Toyota versus a brand new Chevy or Mercedes or whatever, it's not the same tech level. And the reason behind that, if you look at it, because they never put anything into their car that they haven't tested for ten years.
[00:53:20] Speaker B: Yeah.
[00:53:21] Speaker A: Yeah. So, but that's also why you look at the most reliable vehicles on the road and they're always Lexus and Toyota. Like, those are the two, and they're the same company. Right. So there, there's a reason why, you know, you can drive, you see a 15 year old. I had a 2008 Toyota 4Runner, and it had 300,000 miles on it, and it was like a perfect vehicle. Yeah. Nothing wrong with it. I could. You rarely get a. Another manufacturer, not to beat up on any of them individually, but you rarely are going to get a Hyundai or a BMW that has 300,000 miles unless you put a ton of maintenance into that thing and rebuilt motors and replaced, car, you know, all sorts of stuff. Whereas my Toyota, you just put oil in it, and it basically just runs forever.
[00:54:04] Speaker B: Yeah, exactly.
[00:54:06] Speaker A: So we need the Toyota implementation of AI and use cases for OT.
[00:54:13] Speaker B: Exactly. The move fast and break things approach to tech isn't really working in OT.
[00:54:19] Speaker A: It doesn't work here. It doesn't work here.
Well, awesome. So, hey, anything kind of closing out, any places you want to point anybody, as far as the audience, how do they get ahold of you or if they want more information about Spartan or anything that you guys are doing?
[00:54:37] Speaker B: Yeah. Well, I'll be sure there'll be links in the show notes to Bestazzo's website.
You can find me on LinkedIn. Just my first and last name has.
There's not a lot of people with the name Kylie McClanahan, which is really, really kind of nice.
I end up at conferences a lot, and you can always grab me and say hi. Always. Like, I'm always happy to meet. Meet new people in. In the field. Well, whether you're new in the field or you're just new to me, either one. And, yeah, if, you know, if you. If Spartan sounds like something that could work for you. Sorry, I'm not a salesperson, but, like, absolutely feel like, please, please get in touch. I'd be more than happy to talk with you.
[00:55:22] Speaker A: Awesome. Well, yeah, definitely. We'll have all those in the. In the show notes and definitely check it out. Check out Kylie and Spartan. And. And thank you for your time today. I appreciate it. Like I said, I know we can talk for hours on vulnerability and OT.
We'll leave it at this, and I'm sure we'll probably do it again. So thank you very much for coming and spending your time with me today.
[00:55:41] Speaker B: Thanks for having me.
[00:55:43] Speaker A: Thanks for joining us on Protect It All, where we explore the crossroads of IT and OT cybersecurity.
Remember to subscribe wherever you get your podcasts to stay ahead in this ever-evolving field. Until next time.