WE'RE IN!

There is No ‘Take Down the Whole US Grid’ with Sarah Freeman and Andy Bochman

Episode Summary

In this episode, security experts and authors Sarah Freeman and Andy Bochman of the Idaho National Laboratory discuss today’s cyberthreat to utilities, debunk myths about taking down the grid and explain just how significantly the 2015 Ukraine power grid hack shifted everyone’s thinking when it comes to protecting critical infrastructure.

Episode Transcription

Bella DeShantz: [00:00:00] Hey Jeremiah, how are you doing?

Jeremiah Roe: [00:01:56] Hey, Bella, how's it going? Uh, really looking forward to our [00:02:00] guests. Great time set aside for the weekend to cool down.

Bella DeShantz: [00:02:11] Yeah. So welcome Sarah and Andy, how are you both doing today?

Sarah Freeman: [00:02:46] We're great. Thanks so much for having us. 

So we want to kind of jump in and talk a little bit about your book, which is called Countering Cyber Sabotage, which by the way, is, is kind of an intense title. I like it a lot. Um, so you've gotten really amazing reviews already. Uh, it's been called the seminal and game-changing textbook of our time and a brilliant new methodology for defending critical infrastructure, which those are high, highly, like very wonderful reviews.

Um, so I want to start with sort of why you decided to write a book and what you hope this book achieves, uh, or [00:04:00] like what you hope people get out of this book.

Andy Bochman: [00:04:02] That thing about being the seminal and greatest textbook of all time is that like all textbooks on all topics of all time. I mean, that's a bar so much higher than we were ever aiming for. Anyway, it sounds good though.

It sounds very promising. The a, the reason we wrote a book is because we had something to say. And then the second reason we wrote it is because our boss told us to. In 2018, we covered this topic for the first time in a lighter format with Harvard Business Review. So many people happened upon that article and, uh, the case study on cheese that was inside it, that Sarah [00:05:00] Sarah helped build critical cheese infrastructure, that, um, I thought we were done.

I thought we had gotten the early message out. And, uh, we had said as much as we needed to for a national lab anyway. And then towards the end of that year into 2019, our boss, whose name is Zach Tudor, he runs the National and Homeland Security directorate at Idaho National Lab, he said, that was the book coming along?

So from that moment on this project with Sarah and I gathering up things that we already do already, because we already sort of know a good, good deal about it.

Uh, in a sense enough to write a book on it. That's how it began.

Bella DeShantz: [00:05:52] So it sounds like the first time you published something related to this was in 2018. Obviously that's a little while ago. [00:06:00] I'm wondering, since you've started talking about this topic, you know, cyber attacks on the grid, have utilities and critical infrastructure operators started to adjust based on this information or make changes?

Sarah Freeman: [00:06:11] Yeah, so the earliest documentation, and actually it goes back to 2016, but they tended to be kind of academic white papers and publications that were put out into the public domain. Some of those initial writings are at a very high level. And some of them were written almost as dyed documents as Idaho National Laboratory started to move into the first engagements.

So it was important for us to clarify some of the things to evolve it slightly there's there's lessons we learned throughout the process. And so that, that was what we were really hoping to codify in the book. In terms of how critical infrastructure owner, owners and operators have evolved in terms of their security thinking.

There's actually been a lot of events that have helped shape what we consider the mindset of today. If you go back and you consider [00:07:00] what people were talking about in 2013 and 2014 as the Havex campaign was starting to be discussed in a public space, there was a lot of, not necessarily naysayers, but there was this expectation that the only reason why people would target critical infrastructure would be to steal intellectual property.

That was the turning point, I think. So we had a, there was a major event that happened in 2015 that maybe you've heard of, but when the Ukraine attacks occurred, for a lot of people, that was a, a stark difference. They woke up on the 24th and it was a completely different day. So in some ways, I think that the book is just part of that larger evolution.

I think people are starting to realize that this is unfortunately something that is here to stay and, um, you know, it's so interesting too, because we get a lot of questions now: do you think it's more common? Do you think there's more attacks that are occurring? It's a combination. I think there were always attacks that were occurring.

I think we're more [00:08:00] sensitive to the fact that critical infrastructure is a target and it's targeted every day now. Um, but I think the other, the other unfortunate reality is it's really difficult to be first, but it's not so difficult to be second. So as the threat actors have seen other threat actors pull off these attacks, to be successful, there are definitely more players that are jumping into the pool. Maybe you could provide some clarification for those individuals that may not know the difference between operational technology and how that relates to information technology.

Andy Bochman: [00:08:49] Sure. Sure. Um, we ended up doing that a fair amount when we're on Capitol Hill. One of, uh, Sarah's and my and some of our colleagues' job is to give advice, uh, advisory [00:09:00] services to government leadership in different departments and committees and stuff on the Hill. And so, uh, we usually start with assuming they, too, are not operational technology or industrial control systems cyber experts.

We'll start by talking about things that are more familiar to everyone. You know, I don't mean to oversimplify, but like this is a mouse. And, um, that, that was the sort of thing over here is a phone, a cell phone. And these things are computers that have memory and, uh, applications and they handle data. And now they're all connected to each other.

And so, um, we spend a lot of time trying to protect sensitive data on those IT systems. I'll say to the person in your position, it's perhaps even more important that you become somewhat conversant in, uh, the other side of cyber, instead of information technology. It's OT for operational technology, and these are the computers and the networks and the software that control, let's say in the energy sector, things that make, manage and move electricity.

[00:10:00] Something goes wrong with those computers or that software, some, uh, person comes in and misoperates them. The results can be rather catastrophic economically or to national security or to personal safety. And the government has a major role to play in, uh, overseeing and regulating, trying to coax the best possible behavior out of the companies that play in that market and the companies.

Bella DeShantz: [00:10:33] So, uh, I'm interested that you brought up sort of the government's role, because I was hoping to ask a little bit about that. I think in my role and my experience with the, the IT side of cybersecurity, I've seen a lot of debate about what the government's role is in sort of overseeing things, particularly in like the private sector of IT, of, you know, cyber, everything.

And I'm wondering maybe if you could talk a little bit [00:11:00] on how that's different on the OT side and what the government's role is in kind of forcing regulation or mandating changes, things like that.

Sarah Freeman: [00:11:08] So one of the things that's really interesting about critical infrastructure protection, IT versus OT in that previous conversation, and then if you look at the role of government, is that the United States is different than a lot of countries because of the fact that our critical infrastructure is privately owned and operated in most cases.

So we're already playing a kind of a different game from the government's perspective. And it's kind of interesting because Idaho National Laboratory is in this quasi, neither public sector nor private, but as a federally funded research and development center, we get to play with both parties. And we get to hear a lot of dairy, almost take grievances from both parties, but these are really complex issues.

And a lot of times people will come through and they'll just say things like, well, we're going to regulate cyber security. We're going to make sure that people are secure. [00:12:00] And then we're going to regulate that you have to tell people when you have an attack or you have to share information when there's an event.

And, and these are things that definitely need to be done, but, but it's almost, I don't think anybody disagrees with that. I think part of the problem is having a truly holistic and beneficial feedback for both parties or both organizations. Um, and so there's a whole suite of people on both sides that are trying to make, make this a useful and meaningful relationship for both parties.

But there's this other interesting thing, that's, that a lot of people don't really appreciate, but the role of the government in cybersecurity is a little bit different than the role of the private sector or the asset owner in cybersecurity. So you'll see it most starkly, I think, if you look at cyber forensics. After an attack occurs, usually what happens is there's a bunch of people running around who want to know exactly how the attack happened so they can make sure it never happens again.

They want to make sure that they've mitigated the risks. They've [00:13:00] made, you know, they've patched any holes they have and they can move forward from there. At that point, though, the government is actually most interested in who conducted the attack. And because of that, that that's primarily because that's where they're, they're following actions.

You know, they, they play in that more, in that space. But the fact that there's two parties here and they have differing interests is, is, uh, a core, uh, issue that, that, uh, if you look at why there's disagreements or miscommunications, a lot of things come back to that. So the data that the government thinks is useful, and they're sharing to the private sector, isn't necessarily useful, and vice versa.

Andy Bochman: [00:13:34] In one sector, I'll, I'll try to use that as an example and allow folks to make inferences into other sectors, the ones that they care about the most. It is a special one because it's the only one that really has heavy-duty mandatory security controls. And that's the one that Sarah and I are most closely connected to.

Although there's so much interdependency now between sectors, it's almost absurd to focus on just one and [00:14:00] pretend that that, that's the only thing that matters. But so in the electric sector, the way government plays in the United States and more broadly in North America is, for the higher voltages, that's transmission, things that move hundreds of miles at a time on long, tall lines, large generation and control centers, and some of the big substations that step up or step down the voltages.

That falls under the purview of, and I'm not going to spell acronyms, but I'm going to try to not use too many of them either. But so that falls under FERC and NERC, too, um, both issue and then audit and enforce these mandatory security controls called the NERC Critical Infrastructure Protection standards.

Everybody grumbles about them. Uh, do we have to do that? We could be more secure if we had our own choice. If we had our own freedom to do it, I bet we would do it. But, um, the government was concerned they wouldn't do it. [00:15:00] And this is in the post-9/11, uh, period where we were worried we could get blindsided by other directions, uh, that we hadn't thought of before, the old failure of imagination.

So that eventually began these NERC Critical Infrastructure Protection standards. And the, uh, big utilities and some of the smaller ones have to demonstrate compliance with them. And most people say it has significantly improved the level of cyber hygiene in the, uh, in the sector. Although then other folks will say never confuse compliance with actual security.

And I believe that's true, whether you're in IT, OT or whatever sector you're in.

Sarah Freeman: [00:15:39] Government moves slowly, perhaps you've noticed this. And so by that point, wait time, when you put these regulations into place, they're usually reactive. They're responding to a past event.

That's, I should say at some point, that that's not a useful tool the government [00:16:00] should use. It is, and they do. The problem is we want to be more proactive in how we get ahead of some of these cyber attacks.

Andy Bochman: [00:16:06] The other part of regulation of the electric sector, we left off with NERC. It's part of DOE, DOE, FERC, and NERC is a corporation that's charged with enforcing, crafting, and developing and enforcing these mandatory regulations for the transmission level bulk power system, it's called. But below that, and what's feeding all of us right now in our homes, or if you're in your office and almost wherever you are, is distribution level voltage.

And that's stepped down and it's the things that get you from the long distance transmission to the towns and the cities and the con, the businesses and the houses that we live in. The federal government doesn't have purview over that. So check this out. The people that are supposed to make sure that stuff is also as cyber secure as possible are the state public utility commissions. [00:17:00] All 50 states have a PUC.

Sometimes they call it something different. And, um, they're made out of people who are generalists, uh, in and sometimes expert in other categories like, uh, natural gas and water and communications and finance and stuff. But cyber is a new thing for them. Some of them have no one who's ever said the C word out loud, others have one or two, but they themselves, those are immigrants from something that they were doing just a couple of years ago.

And they are the, they are the oversight for distribution level cybersecurity of electricity, which some will say is the most critical of critical infrastructures. 

Bella DeShantz: [00:18:14] So you've talked a little bit about like different areas of focus, depending on the different entities and different entities with different like regulations and things like that. I guess I'm curious, is there one central thing that you would recommend utilities change or like start or stop doing that could help with security?

Sarah Freeman: [00:18:36] You would be surprised how many organizations do not have dual-factor authentication enabled. It's a lot, and that doesn't [00:19:00] stop every attack from happening, but it definitely cuts out a lot of the less successful, less good attackers, which, you know, is better than nothing.

I think that, if people are already doing that, then, and a lot of organizations are, um, especially in a sector that, that Andy was talking about, it's important that people are aware of what threat activity is present today, like how attackers are using the environment to their advantage. So a lot of times you're talking about Active Directory attacks because we're fundamentally looking at Windows environments, but, but whether it's Active Directory or something else, you have to understand how the attacker is going to not just gain access to your networks, but ultimately gain access to the accounts that are the most valuable.

So where are those crown jewel accounts? And so that is a thing that we, we really try to encourage that people actively watch out for. When we were training people after the attacks in Ukraine, one of the things, and even coming back, trying to take those lessons here to the US, it was interesting how many people weren't, um, empowered to make timely security decisions.

And so we really want people to not just say, okay, these are the phone numbers you call when you get hacked, you know, these are the managers you have to inform, but like really give people the opportunity to respond quickly in those environments, because the organizations that respond within, you know, something like, with the power being cut off, within that 30, 45 minute window, their event is, is much less devastating.

Andy Bochman: [00:21:13] One of the best things you can do to be empowered to make decisions is to have a governance structure that supports this. In the early days of cybersecurity, the most senior person with the word cyber in their name was a former network administrator.

Way, way, way down in the bowels of IT. The person couldn't do a damn thing without begging for permission from junior managers and stuff. At one point, all of the CEOs of the big utilities were gathered [00:22:00] together by DHS, I'll just say a few years ago. And some of them admitted they never even met their, their head security person.

They wouldn't know their name. They wouldn't recognize them if they ran into them in a, in the street. The governance message I've been saying is to create a position in charge of IT and OT, cyber and physical, and, uh, get them up near the CEO and the C-suite, get them out of the CIO world, whose job is to create new projects, because sometimes they could have conflicts.

And so the most senior person with the word cyber in their title, ideally, is at least at the VP level. And we're starting to see more and more of those. And again, caveat, not because I was saying they should. I think it's because the world is making it clear to people, and boards are getting educated, that that person needs to be somewhat approximate to the CEO and the board and have lunch with them and brief them regularly and have a nice two-way flow of information and the rapport that enables that to happen.

That's the governance angle. The other response to the question, [00:23:00] Bella, is what will you do if you decide to do one or two things, or sometimes people say, if you had only, you got a million dollars to spend on cyber, what would you do? Or $1? I liked the, uh, our friends at the SANS global cyber training institute and, uh, and in general, and then particularly their ICS cyber practice.

It's just, uh, they're just amazingly great. And, um, if you look at the SANS Top 20, which also goes by some other names at other organizations, but they all basically start like this: all 20 things, you've got to do all these things perfectly all the time, never make any mistakes and just keep doing them forever.

Um, number one is, uh, inventory, asset management. Another way of saying it is know what you have. I know the way I say that is how can you secure what you don't even know you have? And guess what? In industrial companies, and maybe everyone, but I'm just talking about the ones that I know about, they don't know what they have.

They don't know what they have. Sometimes they'll ask their suppliers. Do you know what we bought from you? And then the suppliers will look around going, [00:24:00] ah, it looks like you bought this. And then there's some kind of dialogue there, but it's definitely imperfect to say the least. So there are tools out there now, and there's new imperatives to find out what you have, what you operate, what you depend on.

There's some other interesting things that, that were, uh, brought up recently, uh, in the conversation. Sarah, you mentioned them as well. You've kind of alluded to multi-factor authentication and Ukraine. There's some interesting things that happened around that.

I know you both sort of have spent a lot of time picking apart the Ukraine, uh, cyber attack on the infrastructure that was over there in the power grid. Maybe you could speak a little bit more in depth about that.

Sarah Freeman: [00:26:45] Sure. In December 2015, there was an event. Um, it, it was an attack against three distribution entities over there, which are in the Ukrainian energy infrastructure referred to as oblenergos, [00:27:00] if anybody needs that for a trivia question at some point in the future. Essentially what happened, though?

They'd been breached previously, uh, and there's some debate about this. There was at least one spear phishing campaign that predated it around the March timeframe, but there was also a spear phishing campaign that went, um, going on the entire year before that. So it's a little unclear when, when the compromise occurred, but for most people, they look at that March date and they say after that point, the actor had free rein to maneuver through the networks over a, you know, depending on who you ask, six, nine, 12 month window.

So during that timeframe, um, they, they prepared an operation, a cyber attack that was frankly grotesque in some aspects. It was completely manual. They essentially accessed through the, the equipment that had already been set up, the networks that had already been in place, the hardware that was already in position, all that stuff that was there for normal operation [00:28:00] of those distribution networks, they, uh, targeted it.

And they accessed it and then they used those connections to open breakers. In most cases, although it looked a little different in every case, but in most cases, just using the engineering workstations that the operators themselves would use. So just that normal GUI, so just that graphical user interface, and just clicked on the boxes and there you go. And they cut power, because again, the whole system is set up to operate in that way. There was one instance, there, there was a situation where the, they were actually VPN'd into certain assets and then controlling the grid. Um, but there was, it was like a, a very, very large number of VPN connections.

So as soon as that operator, that, uh, that oblenergo realized that was what was going on, they, they obviously severed those connections, so they weren't allowing the VPN connections. And, but, uh, you know, it, it was a turning point, not just because it was an attack against critical infrastructure, but it was also a turning point [00:29:00] because I think we, we like to put on our, you know, these, I guess our superhero capes as defenders or something here. And you always want to think that your, your mortal enemy is, is like spectacularly awesome. You know, they have to be your arch nemesis. And this was like, not that, but it was still hyper successful. And so it really, you know, there's a crisis of confidence that occurred.

I mean, even at Idaho National Laboratory after this, because we'd been talking about certain things and what sophisticated looked like, and this was not that. And suddenly we're like, oh shoot. I mean, we may have completely misjudged the attacker, but also how effective the attacker could be with such, such little resources.

And what they were, um, the elegant portion of that attack was actually the coordination among multiple humans. And so to be able to conduct that in near simultaneous fashion, uh, they definitely spent some energy and, and, uh, were in a lot of meetings prepping for that [00:30:00] thing. So however they did that, that, I mean, it's pretty, it's pretty interesting, but yeah, it's, you know, it's a, it's a hard lesson, but it's one that keeps on coming up.

I'm sure you've heard about ransomware lately. If you weren't already familiar, that's a problem. But again, it's this, it's a horrifically, it's like the most basic kind of attack. It's so unfortunate that, I mean, we don't have a great solution there. Everybody wants to know what the, what the fix is. There's not a great fix, and it's so stupid. It's so basic, but it's so effective. And, and yeah, those are, those kinds of attacks tend to be a little bit like sucker punches if you're trying to be the superhero master defender of critical infrastructure.

Andy Bochman: [00:30:48] This is a golden age for cyber attack. And, uh, lest I come across as promoting it, ransomware is just a tremendous business. Don't go, don't do it. Don't encourage other people [00:31:00] to do it, but it's not going to go away. It's just a tremendous model where you can make lots of money with no risk. People are going to keep doing it.

It's going to keep getting more sophisticated. As Sarah was saying, the 2015 attack on Ukraine was a, a lot of heavy lifting, though. It wasn't a lot of sophistication, like a super villain. 2016 in December, they kept doing these pre-Christmas things, not very nice, was much more sophisticated. CrashOverride is the name of an attack you can look up. In the case of the first one that Sarah touched, they both had an impact that was relatively similar in that hundreds of thousands of people lost electricity for several hours. The one in [00:32:00] 2016 touched one transmission substation and, uh, did the same thing. And, uh, it was automated. So you didn't have all these people involved pulling switches. The software did the job once it was crafted.

Jeremiah Roe: [00:32:13] There's some interesting aspects about, about the first one in 2015 that I think were touched on, in a different context, a little bit. Right? So one of them was, was multifactor authentication, because, you know, had they been using multi-factor authentication during that attack, that would have thwarted, you know, a number of their attempts and, and manually navigating the graphical user interface, because that's the, they weren't employing those basic countermeasures.

That we look at today are, are instrumental in any sort of technology-based system. You know, you want to have these basics in order first, before you move forward. And then the next aspect was, I believe during that time, they also had the ability to rewrite [00:33:00] some of the firmware in those substations as well.

Right. Which put them down to a much greater capacity even after they were operational manually, after the fact. Right. And so how does that compare with the US, uh, in some of our power grids and power facilities? Is this something that, that we may or may not be susceptible to? If someone were to go about perpetrating an attack similar to this in the US, how would that affect us in a different capacity?

Andy Bochman: [00:33:31] But basically the first thing I would want to ward off, and this gets spread on TV and social media, the idea of take down the grid. Just as there is no air gap, there is no take down the whole US grid. I mean, unless the sun explodes or that thing under Yellowstone, the caldera, goes off, but that would take down the grid. But through cyber means, um, [00:34:00] there's havoc that could be caused in various pieces and parts of it, but because it's almost like the voting, when you talk about, when you talk about the going after the voting systems, there's, there's enough diversity and different configurations and weirdness that it's extremely inefficient in one way, but that diversity can protect you too. And so I think, uh, that's, that's as far as I'm gonna say. The only other thing I would say was there's no one standard of, uh, maturity or competency in any sector, including the electric sector.

So you'll see some that are really exemplars and you'd be proud to say you were part of that organization from a cyber defense point of view. And there's others. 

Sarah Freeman: [00:34:42] Yeah. Um, I guess the first thing I'll say, just to, to kind of go back slightly to my previous point, you know, the funny thing about that firmware overwrite was it wasn't even tailored, just, it wasn't an elegantly crafted hack. They just like literally overwrote the thing. They didn't make any [00:35:00] changes to change the functionality, but it's fine.

It's fine. It's just the security on the device probably could have been better, but, um, it's it's 

Andy Bochman: [00:35:08] You can't talk about that without breaking into

Sarah Freeman: [00:35:10] Well, because the thing is.

Andy Bochman: [00:35:12] A, it's such a comedic, uh, attempt at, uh, cybersecurity.

Sarah Freeman: [00:35:17] Not the, that's not the thing I'm laughing at. I think it's actually a funny attempt at a cyber attack. It just probably means that I will, you know, maybe regret those words.

Jeremiah Roe: [00:35:28] It was great.

Sarah Freeman: [00:35:29] Yeah. Yeah. It's just, um, I think it's really important that people, I think there's, there's a lot going on right now with the attacks and it's very easy to fall into the dark hole of despair and think that, you know, these are the world's most sophisticated criminals or something. And it's, it's, I think that there are those people out there and we need to be clear about who they are, but we shouldn't be bestowing those titles on people who don't deserve them. Because I think one of the biggest problems we're trying to combat, I mean, there's like, for so many people, [00:36:00] because cyber is such a complex issue and people just don't feel comfortable in that domain at all.

And so, I mean, I don't like taxes or cars. And so if you try and talk to me about my car or taxes, I like get, I break out into hives. So there's, part of what we're trying to do with this book, and part of what Idaho National Laboratory has been doing long before the book, is to try and take out some of that uncertainty.

Um, if you can get rid of that uncertainty, then people aren't as fearful to address some of these things. And it seems like a more manageable problem, but at the same time, a key part of that is recognizing where sophisticated actors are and where they're not. If you just say everybody is the most sophisticated attacker of all time, then the problem is it's almost too big of a problem to start dealing with.

So, um, I'm actually trying to promote these more realistic assessments of capabilities. I'm going to get T-shirts made. It's going to be awesome, but, um, this kind of big game hunting, but I want to hunt the hunter. So w- we'll see if I [00:37:00] am successful in some ways, but yeah, I, it's really easy to read those descriptions and, um, some of them in the press, for example, have been really probably over-exaggerated.

There were lots of amazing things about that attack, but not everything in that attack was amazing. So yeah, I think it's important to have those, those differentiating features, but you know, it's interesting, cause you talk about, this is something that came out of it immediately, in fact, was what can the US, if the United States electric grid was attacked in this way, what would our response and recovery plan look like?

There is actually a set of substations that were not successfully attacked. They weren't successfully attacked because they were not connected. There was no remote connectivity to that substation equipment. So there was no way that they could remotely control it and cut off power. So it is logical to say things like, at some level,

I should qualify everything I'm saying here. The more manual a system is the harder it is to hack. That is a true statement. [00:38:00] The problem with making everything simpler is that you lose some of the engineering efficiencies that have been gained through the technological evolution. You know, there's, there's a reason for everything.

Um, I've learned working with engineers and they've thought about it. I mean, they've spent hours thinking about what I would consider. Very minute and not relevant to my life details, but they've spent a lot of time developing these systems to make them as resilient as possible, um, to make them as efficient as possible to, to ensure that there's a reliable source of power.

And the utility is. Making money and is capable of simultaneous controlling multiple devices. So every single time when there's a reaction that there's a cyber attack, now we have to make things more secure and the reaction is okay, we're going to take away connectivity, or we're going to take away that smart device.

I just caution people to think about what the outcome is of some of those, those changes. 

Andy Bochman: [00:40:47] I just got off a call with a think tank and we were talking about a DOE program, which people can Google, called CyTRICS. C Y T R I C S. And, um, it's, uh, [00:41:00] basically a, uh, program involving multiple labs, the Department of Energy itself, some of the big household names, suppliers of industrial equipment, all of it smart industrial equipment, all of it connected and beautifully testified for remote diagnostics and all that.

And, um, what happens is these, um, these systems are identified sometimes by government, sometimes by asset owners, themselves, large utilities, and then sent to Idaho, or sometimes to one of our sister labs. And, um, they basically are given a biopsy, basically opening it up and going what's in their hardware, software firmware. We also do a provenance check. And where did it come from to the extent that that can be determined, especially tricky with software, but it can be done to a certain extent. And we do it. Then the team looks for something naughty in there, [00:42:00] things that were intentionally or unintentionally, but dangerous to the people that own them, because it could allow someone else to take, take over operation of those things.

And finally, some of that is informed by our connectivity, with the intelligence community, things that they're seeing. Do they play a role in what we're finding in, in that particular box, that information, those learnings, those findings, then go back out to the community, both to the suppliers like, Hey, we found these things in your, in this version of this box, you might want to fix the high severity ones real fast.

You might want to change all of it for your next iteration of this product that does this function. And, um, so they learn, the government learns, what's weak and what's strong about that particular product. And, uh, so do the asset owners. They need to know the thing they bought, what do they need to do to help it become more secure?

Jeremiah Roe: [00:43:12] that's awesome. I personally love that. Um, I know that there's some other initiatives that, you know, the DOE and, and others within the governmental space are doing to, to really. Make steps towards hardening these devices and doing what's right and, and addressing the basics. You know, I believe that there's even, um, an event that Idaho participates in called the cyber fire event and inside of the cyber fire event, one of the big things that they try to push and work on are something that you very much touched on there, Andy, which is, you know, testing out these, these industrial control systems and flushing out any sort of potential vulnerabilities that might be there.

Where did they come from? What ways could an attacker address or target these things from a memory perspective or enumeration perspective. [00:44:00] So I, I love that you addressed that, um, and, and tying that back into sort of the book, right. And, and addressing these methodologies and how these things could be looked at.

I was wondering if you could maybe briefly touch on consequence driven, cyber informed engineering and how that layers into these things.

Andy Bochman: [00:44:18] The primary reason it was created. That is different than why was the book written? We did that. It was, the methodology was created because we saw our colleagues past and present, including the Microsoft who has a big role in the book, noticed that almost no matter what we do using this strategy of hope and hygiene, certain adversaries are going to get in.

And certain adversaries are going to stay in, in a stealthy way and learn about everything and, uh, potentially have their way with us. And we were, we were incrementally improving every year and the adversaries were improving in a non incremental meaning much faster way. The gap between the offense and the defense was [00:45:00] just getting untenable from a national security point of view.

So we look to engineering first principles rather than just throwing more products. More security products at the problem. Those things by the way are necessary. And we try not to come across as don't worry about, you know, proper, uh, cyber posture and hygiene do all the things that you do every year and do them the best you can and add new technology when it seems helpful.

But on the backend of CCE, after we've prioritized by consequence the things that could kill your company or kill your military mission, on the backend are, uh, engineering mitigations and protections. Fail-safes and stopgaps that would keep, that do keep large capital intensive, uh, equipment, on which our civilization depends.

Or at least that company depends. Keep them from killing themselves. The first person to go through a CCE engagement in a pilot form a few years ago was Florida Power and Light. And the CEO came up to [00:46:00] Washington and told a group gathered there. And we say, I think we reprise this in the book. He said, um, I can handle disruption.

We're in Florida. We have hurricanes passing through all the time. We have nothing but disruption. Sometimes what I can't handle is destruction of long lead time to replace capital equipment. If I'm going to lose a bank of large generators or transformers that I'm not going to be able to replace for months on end.

Then that's kind of the end of my company and kind of the end of Florida from an electricity point of view. From a national security, energy security, public health. And just so that, you know, um, zombies don't break out, we have to make sure that those things cannot happen. And CCE is designed to make sure that the absolute worst things cannot happen.

A marketing firm is starting to play around with this and calling it catastrophe prevention as a category. That's what it's for. And one last thing is, you know, our first target. [00:47:00] Is the best, sorry. I keep referring to them, but we'll call them top tier adversaries, the most capable, the best resourced, but as Colonial points out, sadly, and, uh, as the first Ukraine pointed out, sadly, it doesn't take the very, very best to create grievous harm and, and disruption and chaos to us.

Jeremiah Roe: [00:47:19] And when we say Colonial, we're talking Colonial Pipeline, right?

Andy Bochman: [00:47:22] Yeah. Colonial Pipeline. We, we wish that really good cyber hygiene and best practices and conformance to standards would protect against that. Uh, but it's becoming somewhat apparent that you probably want to make sure that you have some engineering processes in place to protect against even a lesser, lesser talented adversary who worked their way into, certainly into IT.

And who are getting precariously close to crossing the DMZ into OT.

I have a question about sort of, um, cybersecurity in general. I think there's been, uh, I see, especially what, all the things that you've talked about with CCE, this need to shift to that, like.

Uh, it, it, it kind of reminds me of threat modeling and other cybersecurity areas. This idea of like, let's enumerate the possible things that could go wrong ahead of time. And I've seen a bit of that shift in other areas of cybersecurity. And I'm wondering if you know, the whole of cybersecurity making that shift.

Is that important for, um, specifically ICS?

Threat modeling, uh, threat enumeration, attack trees, all analysis. That's I mean, there is a huge focus of that. Now in cybersecurity, there has been for a few years, but it was important to try to bridge the gaps perfectly into engineering domains, because believe it or not in a lot of engineering domains, there was cyber, it was tapped on after the fact like they made the.

The purpose. There was a lot of, um, the system was designed and engineered for a specific purpose, but at the end of the day, the cyber portion of it, these were add-ons. And, and there's actually a ton of systems that are still in operation, where there was no, um, the cybersecurity wasn't there when they first started with us.

So there was no cybersecurity because it wasn't, I mean, it wasn't digitized, so it's, it's kind of mind blowing if you look at it, but there's, um, but it's important [00:50:00] that. You know, we talk about the differences between IT and OT, but just like the difference between cybersecurity and threat modeling, all of this stuff really needs to be merged.

Cause what we don't want is people to say, oh, those are just the OT cybersecurity professionals over there. You know, it, the problem is cyber is here to stay and everybody needs to take part in this security process. 

Jeremiah Roe: [00:51:16] so really we want to highlight you your views and some of the things that you all talk about in the book. So if you could just let us know how, um, our listeners. Could learn more about you find more about your book and where we can hear more from you specifically.

Andy Bochman: [00:51:31] the book is a fairly easily, easy to Google. Countering Cyber Sabotage. Should pull, pull you at least into the Amazon site. And the publisher is CRC Press, Routledge. So they have it on their site. Taylor and Francis, I mean, and um, there is a website the Idaho lab maintains for CCE. It has a surprisingly simple URL.

I would expect it to be horrible. It's uh, inl.gov/cce.

Jeremiah Roe: [00:52:40] awesome. And then one last bet, uh, something that we could know about you that we wouldn't necessarily. Find in your LinkedIn profile, something unique, something that that would say this is me.

Sarah Freeman: [00:52:53] So I [00:53:00] actually am really interested in chasing eclipses, solar eclipses, but I'm pretty sure there's a photo on my LinkedIn profile. So people are probably like, wait, why is that there? You know, she doesn't work in space anyway.

Andy Bochman: [00:53:17] I have a business one and a personal one. The business one is I'm starting to merge, uh, cyber defense of critical infrastructure with defensive infrastructure against climate, physical risk and increased symbol.

And increasingly angry mother nature is starting to throw stuff, heavy duty stuff at infrastructure, and I'm interested in keeping it working, uh, long enough so we can solve all the other problems too. The personal thing is that I was wanting to say conga drummer for an African women's dance group in Denver.

And they made me a dashiki. And even that I didn't quite fit in, uh, but I kept, I kept the rhythm reasonably well.

Jeremiah Roe: [00:53:58] that was awesome. Andy, [00:54:00] Sarah, thank you so much for your time and thank you for joining us.

Bella DeShantz: [00:54:03] Yeah, thank you so much. It was great to get to talk to you.