Proactive Defense for Critical Infrastructure | What's the Problem

Transcript

Opening

Mike Krass: Hello, everybody, and welcome to What's the problem the podcast where we dive deep into the most pressing issues facing cyber and data security later leaders today. And each episode, we're joined by expert guests who are going to share their insights with you and their experiences on some of the things that they're seeing in the world of security. So whether you are a seasoned veteran or a new leader in the field, this show provides valuable info and some strategies to get your organization moving up into the right to the next level. So join us today as we explore the ever evolving landscape of security and discover a few things that you can take away from the episode and immediately incorporate into your your business. This is what's the problem. I am your host, Mike Krass today. Let's get started. We're joined by YiYi Miao. He's from OPSWAT. Say hello to our listeners and our viewers.

YiYi Miao: Hello , everyone. It's nice to meet everyone here. Thank you for having me. Thank you, Mike.

Mike Krass: Absolutely. So he tell our viewers, you know, what's your background? Why you qualified to talk about security? Sure.

YiYi Miao: So I actually currently work for a critical infrastructure protection cybersecurity company named opswat. The reason I think I'm qualified for this conversation is because I have served as the company over 14 years, and over the time that we have worked with multinational companies, all in critical infrastructure, international governments, domestic companies, which are all critical for our way of life. And we have dealt with a lot of solutions, technologies that help the customer solving real challenges in their current or future planning and strategies for to cybersecurity, and how to protected their infrastructure, which provides the infrastructure for for our day to day lives.

Mike Krass: Are you one of the original opswat team members? You said 14 years you've been there for a while?

YiYi Miao: That's exactly right. When I joined the company was only about 20 something people and today the company has grown over 600.

Mike Krass: Wow. That's pretty impressive. Thank you. Well, today, besides gushing over the impressive growth of OPSWAT. Really what we wanted to explore the listeners and the viewers today is ways to proactively strategize your defense against potential critical infrastructure incidents. And I think we're going to take a specific vertical to start with right, ie, we're going to talk about energy first. So yes, could you just start by telling our viewers a little bit about, you know, building that strategy for that defense for that, that energy infrastructure?

YiYi Miao: Great. I think this is a great starting point. So the reason I think picking energy is important is, first of all, let's talk a little bit about how to define a critical infrastructure. Now, of course, every country or region have their own definition. But all in all, it looks very similar. We use the definition from Homeland Security, which defines pretty much 16 sectors. But everybody should realize that there is one vertical, which is the energy the accident provides the core demand for every other critical infrastructure to even function, right. Energy is the core for our life for everything. And the rain, the main reason to strategize the protection for the critical infrastructure in energy sector, is pretty much the same principle and how you will protect the other verticals, whether it's a bank or the government or it's a critical manufacturing facilities. Because the overall architecture and the infrastructure, the network structure, everything is very complicated in those states, and typically, in the last, I would say, during the pandemic. And in the last couple years, the trend hasn't stopped in terms of in nation state sponsored attacks, and a lot of additional incidents and breaches that has happened to these critical infrastructures. And anytime these things happen, it it causes real pain and very destructive outcomes for people's life, such as the pipeline disruption, the mail service stopping, you know, the hospital shutdown, think about what can happen if some of these infrastructure got sabotaged because of there is not enough defense strategies being deployed. lined and actually being pushed all the way from the it all the way to the OT side. And that's what we think we should focus on today as a topic. 

Mike Krass: Yeah. So let's I see two, two discussion points here, there's, there's probably the viewers who have some sort of strategy already in place. And then there's probably others who are just starting to think about this. Or they're in the initial stages, maybe, because their business is kind of up and coming, they haven't had to think about this just yet. Right. So they're now they're facing that growing pain of like, congrats, we're getting big enough to have to have a plan about this kind of stuff. So let's take, let's take that audience first, if you don't have a plan, or a strategy for defense, what are some of the tenants especially, you know, specific to the energy space and critical infrastructure or some of the tenants of building that plan that you would recommend?

YiYi Miao: That's great starting point, in fact that we actually helped new facilities or organizations that are planning for their expansion of a footprint, or building additional infrastructure on top of their current ones, or even renovating the existing ones architecting and designing how to protect and block the loopholes and attack vectors while they're designing the infrastructure, because it is very important to do that from the beginning. Instead of you designed infrastructure, and then you try to back patch, a where are the gaps and the lupins. That's very important. And also, as the recent years, we start hearing a lot of these, I would say terminologies such as zero trust concept, you know, there's particularly for the energy sector, there are lots of regulations, there are a lot of regulations that already kind of mandates, certain security practices, or even a particular business processes, they have to be secured. And there are lots of penalties for not fulfilling that. So we could do

Mike Krass: Maybe one of those regulations or mandates just to throw an example into the chat. 

YiYi Miao: Absolutely. For example, just state wise, for energy sectors. NERC CIP is actually one of the very famous one. And, you know, during those analysis for all of these compliance mandates, and the guidelines, organizations are required to either transform, or re implement a lot of security control processes to make sure that they are auditing, they are preventing threats, and any particular loopholes that couldn't be ignored in the past, because people would not think about how to block those loopholes in the early days, and now the mandates almost like, drop on top of them, right, it's not like the mandates are newly developed, those things could already be existed for decades, it's just a matter of priority for the organization to start thinking about. So when you start new start fresh, it's always to, to the best practice to start planning that together, without trying to back patch it after, after you have already done your initial scoping.

Mike Krass: That's a perfect segue. Here, you're, you're not starting fresh, and we are happy to back patch, you know, any recommendations for for that approach? Because I'm sure that you run into clients all the time that are in that situation is probably not antologia time.

YiYi Miao: Exactly. So that's actually today, there are so many cybersecurity companies in the world. And I have to say that and there are lots of solid solutions, a great leaders in the space. A lot of customers we met, you know, there is concepts of I want to buy the best of breed solutions for every single category of solutions that I know of, and there's I won't say there's anything wrong about that thought. However, the overarching problem is that when you start accumulating a long list of vendors and solutions and a way of trying to put them together when you try to integrate them together because critical infrastructure is not like a business office or you know, enterprise offices. It's not simple, you know, there is not a single networks or something that you can just provide a whole protection layers and you can see everything through there are so many things that will remain undiscovered or because of you know, the whole distributed fashion thinking about power generation stations, which sometimes is completely in the places where there is no human access to those stations, what are you going to do with those stations? How do you really transfer the data in and out of those stations? How do you identify problems? How do you patch the systems? Right? Thinking about how do you move the data from the operational side, back into your IT infrastructure for security analysts to to do anything about it. And a lot of security solutions today is very good at identifying the existing infrastructure, maybe in one of the isolated space. But it's very difficult to integrate. So for that, you kind of need a platform that is able to see the data flowing between these different domains. And you will be able to kind of build these passages so that you can kind of look through who brought the data, when to where and is this person per village to do some, and just this example, questions, if you ask to a lot of organizations, they may not actually have a simple answer for you. Because it wasn't that visible.

Mike Krass: Is opswat, that platform is this an opportunity to plug opswat here. 

YiYi Miao: So not to make it overly marketing ish. But our approach is less of, hey, you know, we're, we're big platform so that you get everything off the platform, I think the main thing we're trying to focus on is helping customers solving the real problems. And really the angle is, when we talk about zero trust, it is not just about the definition of what zero trust is, it's, it's almost like, do you really know can you really identify what you're missing out there already know what you have? And how to establish that zero trust concept to provide the right access to the right people to the right. Access Point. Right? And also, how do you audit this entire trail? And how do you build a process, because a lot of organizations, they have business processes, but they don't have business processes that kind of fused with security practices. So when security mandates start coming on top of it, the business process got disrupted, or people will be like, that's how I used to do things. Because that's what we have been documented for decades, right. And when you trying to reinvent a whole process, that's expensive, that's sometimes completely infeasible. So the way for security to be laying over on top of existing business process, it's very critical is how do you help them define it, and most importantly, is integrated into their business process. So they are transferring data. So you help them to securely transferred the data. They're monitoring their assets, you help them to widen the visibility's and to be able to automate a lot of visibility's. And that's, I think, is the new approach. And I think that's what a lot of the buyers or the leaders are currently looking for, is for solutions that is effective. And another important part is human. Because one of the things I found during conversations with customers is there are lots of great solutions out there. But the customers simply do not have the human resource to operate. They don't have their well training resources, the place where they want them to be at. And that's the challenge is you can probably sit on a very expensive investment from a solution perspective. But the people sitting on top of that solution, they don't really know how to use it the best way or they don't have, they don't know how to implement it the best way.

Mike Krass: Which I can imagine that leads to, I guess the word I would use is maybe friction within the organization using the example you started our session with today. These organizations want the best in breed of every category, and that's great. But if you're sitting on the best resource for every category, and every need that you have, but you don't have actually the the human resources to use them and, and not just use them, to your point, grow with them, right, because as new mandates come on top, it's not like they could just buy at once and use it the same way forever. Right? It's going to change over time. So it seems like that's a big barrier as well that goes beyond just being a technology product in and in addressing the critical infrastructure defenses, whether you're starting from scratch or whether you're back patching, it seems like the human the human resources component is, is the big wildcard, they're the big question mark of how much do you have? And and are you able to leverage your investments? Or are they not going to be leveraged to the best of their ability, because you don't have the resources to do so.

YiYi Miao: Yeah, and typically, when any organization decided to invest, and they already felt that they have invested in the things aren't working, they will most likely keep things going on. Because the concept is a if it's a working while we break it. But typically, what happens is that, you know, sometimes they will not be very well prepared to explore, you know, additional replacement, or any newer technologies that could possibly, you know, change in the save a lot of redundant processes already in place, even though things are already working, but it's not efficient. Or just, it could be way too expensive until they realized. So our recommendation typically is to really trying to look for the use cases and the technologies that you have chosen, and put the operational cost on top of that, and do a analysis of the overall our eyes and also kind of like the really the operational maintenance overhead, that you need to operate these solutions, integrating the solutions together to get where you want it. And maybe by looking at that, and also look at where is your weak link, because typically, the malicious actors they like to explore the easy paths in and of those easy paths may not be actually protected in any ways by those very heavy investment, they may find a complete different looping, that is super easy to catch, but it's not being covered. And how do you identify that and redirect some of your existing investments to block those attack vectors? Would it be very much important, and I would say is the economical way to really do that in a strategize your future investment, and choose the right technologies in the implementations to kind of block those and reduce your attack surface. Of course,

Mike Krass: As we come to the end of our session today, a couple rapid fire questions. So you mentioned and keep me honest here. Homeland Security to find 16 different types of critical infrastructure? I got that number, correct. Right. 16?

YiYi Miao: Correct. Yes.

Mike Krass: Just in your experience, since you, you've been at opswat for almost a decade and a half. And you've got experience before that. What? What are some of the easiest, easiest paths within those 16 sectors? And which ones do you see that are more four to five? Essentially, which ones do the bad actors look at and go, Oh, this is, this is going to be a whole lot of work to try and get an air versus Ooh, like, this is easy money over here, we should focus this direction, do you have any experience to share there.

YiYi Miao: I don't want to throw any panic here. But in fact that almost all the critical infrastructures are struggled in some ways, whether they are heavily invested, or they're just getting started. Because the because the impact to bring down some of those critical infrastructure can have real, real heavy consequences on people's live beings. And nowadays, everything can be explained whether it's from communication or government, banking, financial services, energy sectors, water, wastewater, critical manufacturing, you name it. But of course, I think regardless of how prepared versus not prepared, these verticals are the mandates, also, they have, I would say a different timeline, because for example, energy sectors, they actually had more, I wouldn't say mandates in the regulations compared to some other verticals who just get started. But that doesn't mean that those mandates will not start spreading over and it's just a matter of time that the government may start requiring a similar standard across all of those critical infrastructure. And the not only its domestic governments also expanded all the way to the international governments who actually learned from each other and trying to protect their critical infrastructure, particularly during the current times. It's very, very important to strategize. is almost every vertical possible, no matter which industries you're in.

Mike Krass: Well, I appreciate you I put you on the spot there that question. So II, I appreciate you kind of sharing that last bit of knowledge with our listeners and our viewers, and to our listeners and viewers. Today that is a wrap for this episode of What's the problem. We hope you found our conversation with email. To be informative to be insightful, I hope that you walked away with a few things that you can immediately take away and implement. And remember to tune in next time for more discussions on similar topics. Also want to give a quick shout out to MKG marketing. MKG is focused on helping cyber businesses get found to get leads and close deals. So if your security business is struggling to do any of those things, let us help you to learn more you can visit the website mkgmarketinginc.com. Thank you again for listening. Don't forget to subscribe leave a rating. He has told me he only likes six star ratings out of five star scales so please don't let our guests down six stars. Until next time, my friends he say goodbye to the viewers. 

YiYi Miao: Thank you. Goodbye everyone.