Data Security Decoded 1.6.26
Ep 42 | 1.6.26

Ransomware, Remote Access, and the OT Reality Check

Transcript

>> Dawn Cappelli: In 2022, in February, when the Russia-Ukraine war broke out, everything kind of changed as far as cyber threats against critical infrastructure. Before that, for the most part, state actors didn't want to attack critical infrastructure in another country. Next thing you know, there are cyber attacks against NATO critical infrastructure. So first of all, the gloves are off, and so the threat environment has escalated.

[ Music ]

>> Caleb Tolin: Hello, and welcome to another episode of Data Security Decoded. I'm your host, Caleb Tolin. And if this is your first time joining us, welcome to the show. Make sure you smash that subscribe button so you're notified when new episodes go live. And if you're already a subscriber, thank you for coming back. We encourage you to give us a rating, drop a comment below, let us know what you think about the show. Now, in this episode, I have the pleasure of sitting down with Dawn Cappelli, director of OT-CERT at Dragos. Dawn has over two decades of experience in cybersecurity with a particular focus on operational technology, or OT, and insider threats. Prior to joining Dragos, she served as CISO at Rockwell Automation, where she founded the CERT Insider Threat Center at Carnegie Mellon. Dawn is incredibly passionate about improving the cybersecurity posture of industrial organizations, and her extensive experience in both the private and public sectors has given her a unique experience on the intersection of security, technology, and human behavior. I really enjoyed our conversation, and I'm sure you will too. Let's get into it.

[ Music ]

Well, thank you, Dawn, for joining us. I'm really excited to have this conversation with you on Data Security Decoded. Before we dive into the meat of the conversation, what is something that's not related to cybersecurity that you're obsessed with lately? I'll go first. My thing is I've been making these homemade pizza pockets. They're kind of like if you take an Uncrustable meets Totino's pizza roll, but make it an actual meal. And they're like high protein with, you know, Greek yogurt and all this stuff in it. So it's kind of a healthy version of it. But I've been eating them so often. They're a great quick dinner to have and I can prep them every week. So that's something I'm obsessed with lately, but what is your obsession lately?

>> Dawn Cappelli: You totally hooked me off guard with that question, but I am always obsessed with my grandchildren. I retired so that I had more time with my grandchildren, but then cybersecurity drew me back in. So now I'm kind of splitting my time between the grandkids and trying to save the world.

>> Caleb Tolin: Wonderful, wonderful. Well, congratulations on being a grandparent and for coming out of retirement to kind of help save the world. So I would love to kind of start at more of the beginning of your career, where you started as a software engineer programming nuclear power plants for Westinghouse. What led you to pivot from cybersecurity specifically into OT? And for those of our listeners who may not be familiar with OT, could you briefly define it and explain how it differs from IT?

>> Dawn Cappelli: Yes, let's start there. So OT is operational technology. So IT is the laptop or your phone or whatever you're using right now to listen to this podcast. OT, think of factories, electric, water, manufacturing, where the electronic meets the physical. So the programming actually makes something happen, that's OT. Critical infrastructure depends on OT, because critical infrastructure produces physical results. So I started out programming nuclear power plants, as you said, which is OT, by the way. But really, I was just doing software engineering. I wasn't doing Ladder Logic. I wasn't doing PLC programming. I wasn't programming the OT devices. From there, I went to Carnegie Mellon University, and just was still doing software engineering, but they drew me into this project for the Center for Disease Control, and it was to create a bioterrorism portal. So if there was a bioterrorism attack, we'd have to bring together the CDC, state departments of health, FBI, National Guard, you name it, pharmaceutical companies. And so we created this portal for them, and it was a prototype. But I realized, hmm, we didn't even talk about security. And it seems to me that if we had a bioterrorism attack, security would be important. And I knew nothing about cybersecurity. This was in around 2000, so I am old. So, CERT, the CERT Coordination Center, the very first cybersecurity organization in the world, is at Carnegie Mellon University. So I thought, oh, I think I'll try to get a job there. And I did, and this was August of 2001. And my first job was to work with the Secret Service to protect the Olympics from potential cyber attacks. And I was the project manager. I knew nothing about security. And I thought, this is the coolest job in the world. I get to work with the Secret Service protecting the Olympics.

>> Caleb Tolin: Yeah, that is a pretty cool job. That's a really cool job.

>> Dawn Cappelli: Yeah, yeah. I thought, how did I manage to get this job? I can't believe I'm getting paid for this.

>> Caleb Tolin: Absolutely.

>> Dawn Cappelli: But then a month later, 9/11 happened. And the intelligence community really thought the Olympics would be the next target, because they were in February of '22. And so suddenly that cool, fun job was not cool and fun, it was very real. And that awakened this passion in me to protect, protect everyone. So from there, I ended up -- long story short, insider threat was seen to be an issue with the Olympics. And so we started an insider threat study with the Secret Service, and that grew into the CERT Insider Threat Center. So over 13 years, we created this insider threat center. I was the founder and the director. And then Rockwell Automation came along and they said, we'd like you to come here and create an insider risk program. And Rockwell Automation makes OT devices. They make industrial control system devices. And when I was at CERT working on insider threat, the thing that I felt like we had not figured out was how to stop insider cyber sabotage. And when Rockwell came to me about creating this program, I realized, what if someone, an insider at Rockwell, deliberately planted a backdoor into their products? So if they did that, any terrorist, any malicious threat actor out there, could use that backdoor to get into any Rockwell customer in the world. And so that awakened that passion in me, and that's why I went to Rockwell. Went there and built the Insider Risk program. And then in 2016 became the CISO. And that's when I realized, oh, I'm responsible for the security of all of our manufacturing plants. And I knew nothing about how to do that. And in fact, nobody really did back then. There were no, no real standards out there for security, except for IEC 62443, which is very, very complicated.

>> Caleb Tolin: So now you've made your way over to Dragos, where you're director of OT-CERT, and you're tackling things like insider risk and mitigating a lot for the OT community. And you provide a lot of critical resources for that group. What are some of the emerging threats that are facing OT environments that your team is observing? And how do you think the free community-driven programs like OT-CERT that you're running are helping mitigate these threats?

>> Dawn Cappelli: So in 2022, in February, when the Russia-Ukraine war broke out, everything kind of changed as far as cyber threats against critical infrastructure. Before that, for the most part, state actors didn't want to attack critical infrastructure in another country. Because it was kind of like, if you think back to the Cold War, nuclear war, Russia wouldn't drop a nuclear bomb on the US because the US might then drop one on them and then you have a full blown nuclear war and civilization is destroyed. And it was kind of the same way with cyber. For years, we talked about what would happen if a state actor attacked US critical infrastructure? What would the US do? And there was never really a good answer put on the table, at least not that we know of. And so, you know, there was this kind of hands-off, Cold War kind of mentality. But then when the Russia-Ukraine war broke out, Russia attacked Ukraine's critical infrastructure. Ukraine attacked Russia's critical infrastructure using cyber. NATO countries started getting involved and controversy surrounding NATO. Next thing you know, there are cyber attacks against NATO critical infrastructure. The Israel-Hamas war started, and they attacked each other's critical infrastructure using cyber attacks. We have the US and Iran that are now involved. And of course, we have the China and Taiwan situation. And we know the FBI director has said China has compromised US critical infrastructure. So first of all, the gloves are off, and so the threat environment has escalated. But the other thing that we've seen is hacktivists becoming involved. So hacktivists traditionally have conducted DDoS attacks, website defacements, very unsophisticated cyber attacks. And they didn't really have much disruption, and certainly not in OT. But in the past, like, two and a half years, we have seen hacktivists aligning with state actors. And that's according to the US government. Dragos does not do attribution. 
But the US government has said that we have the CyberAv3ngers aligned with the government of Iran. We have the Cyber Army of Russia Reborn aligned with the Kremlin. And these hacktivist groups are using more sophisticated methods to actually disrupt our critical infrastructure. And that's because these state actors can give them the tools, the tactics, the techniques, that they can use to perform that disruption. And yet the state actors still have plausible deniability. I had nothing to do with that, that was those hacktivists, that wasn't us. And so that has dramatically increased the risk to critical infrastructure around the world. Because now we have these hacktivist groups that are ideologically motivated. And with the geopolitical climate what it is, they have the motivation, and now they have the ability, and they have been carrying out cyber attacks, disrupting water, power, manufacturing, transportation. So it is happening. And it worries me that organizations still just are going too slow.

>> Caleb Tolin: Right. And these organizations are the ones that are obviously caught in the crossfire of this giant geopolitical all-out war that we're seeing. And so how do the threats that are facing these kind of critical infrastructure organizations, other ones like manufacturing, logistics, things like that that you mentioned, how do the cyber threats facing those organizations differ from what we're seeing more in the commercial space? And how do the threats that we're seeing or the attacks we're seeing from these hacktivists, from these state-backed groups, how do they operate? Like what is that entry point and what does the life cycle of that attack look like?

>> Dawn Cappelli: So I'm going to kind of answer your question in a roundabout way, which is by talking about the SANS 5 Critical Controls for ICS security. The reason that I'm going to talk about those to answer your question is because Tim Conway from SANS and the CEO of Dragos, Rob Lee, they sat down and they looked at all of the different attacks that have happened in OT environments. And they looked at what controls would have been effective in preventing those attacks or leading to quicker detection and response. And that's where those five critical controls came from. So I think by talking about those, we talk about what are the threat actors doing? So for instance, having an ICS incident response plan. If you have a plan and you do tabletop exercises, and because you have that plan, you realize, oh, we don't have the logs that we need, you can prepare better for an attack and hopefully prevent it. Secure remote access, that's being exploited by a lot of adversaries right now. And that's one that organizations really need to think about. During COVID, we all opened up remote access, we had to. And most of it was not secure. We just, boom, had to do it one week. I remember, I was CISO at Rockwell at the time. But a lot of CISOs went back and made sure that that access was secure. But in OT, we find a lot of either insecure remote access, or we see third parties that come in, systems integrators and engineering firms, service providers, that come into your plant and they think, well, I'm just going to put this remote access in so that I can get in easier next time to fix things, and I don't have to travel to the plant. Third is a defensible architecture, and that includes securing your OT from IT. Because a lot of ransomware attacks that we see, as well as hacktivists and state actors, they get in through IT. They use phishing, they use unpatched vulnerabilities, they get into IT, and then they're able to move into OT. 
So a defensible architecture is very important. Risk-based vulnerability management. Vulnerability management is very different in OT than in IT, but there are vulnerabilities that come up in OT environments that are actively being exploited by threat actors, and they have the ability to disrupt your plants. And so those have to be addressed right away. So, you know, in OT, organizations tend to say, oh, we can't patch like you can in IT. We just patch when we have some downtime. Sometimes you can't wait. Usually you can, but sometimes you can't. And then finally, there's visibility and monitoring. They get into OT and you don't even know they're there. And so imagine running an IT environment without any monitoring capability, any network monitoring and visibility. None of us do that. But in OT, it's very common. You just have no idea what's in your network. So those five controls were developed based on what is being done. And so I think I'd rather answer the question with what to do about it than what are they doing.

>> Caleb Tolin: I want to talk a little bit about ransomware as well. We haven't really touched on that as much. What do ransomware attacks look like for OT operators and how are they impacting their environments and what trends are you noticing as you're doing your research?

>> Dawn Cappelli: So we have someone at Dragos that does nothing but track ransomware attacks impacting OT environments every day. And it is escalating dramatically. It doubled from '23 to '24, and right now we're compiling all of our statistics from 2025 to do that comparison. But we do quarterly ransomware reports, and I can tell you it's probably way more than doubled this year. And they primarily, the ransomware groups, they want to make money. So they're solely in it for money. It's not ideology, it's just money. And they go where the money is and where they think they can collect. And they've realized, years ago they realized, if we hit manufacturing companies, chances are they're going to pay, because they don't want us to bring them down. And to try and recover a manufacturing plant is much more complicated than recovering in an IT environment. So they're going after manufacturing. They're also going after any critical infrastructure that they can. So it's important for organizations to realize, if you think, oh, this won't happen to me, we just manufacture food, crackers, cookies, no, they will go after you, because they know that you will pay if they attack you. So it's a very important third threat group that organizations definitely need to be aware of. How do you combat it? Those SANS 5 Critical Controls that I talked about earlier.

>> Caleb Tolin: Right, absolutely. Now I want to talk a little bit about everybody's favorite two-letter word, and that is AI, and specifically agentic AI. We've heard a lot from guests on the show about how AI agents can help with specific things like SOC analysts who are evaluating, managing, and prioritizing alerts and risk management. How is AI, and more specifically the idea of agentic AI, augmenting the approach organizations take to securing their OT?

>> Dawn Cappelli: Well, you know, I just talked about lack of visibility and monitoring in OT, and you need data to create these AI models. And so without the data, it's very dangerous to just have things happening in OT. But at Dragos, we do have a lot of data. We have a lot of data from years that we have had our platform. And so we are looking at how can we help those SOC analysts. There's such a shortage of OT security experts. And so how can we take that data and help the analysts that are looking at our platform, looking at the dashboards, figure out what does this mean and what actions might I consider taking? But I think we have to be really careful in OT, because we're just -- OT security in general is behind IT security by decades.

>> Caleb Tolin: Right. And the idea of autonomous AI agents kind of running amok in your OT environment is something that can strike fear into the hearts of many people, I believe.

>> Dawn Cappelli: Very scary. I heard a vendor once say, and then the AI will take over and just take care, protect your plants. And I just cringed. I thought, oh, please don't let the AI take over in the plant. OT is not like IT. If you do one thing wrong, you could have safety issues, you could shut down the plant, you could have quality issues.

>> Caleb Tolin: Well, Dawn, thank you so much for the conversation. Where can folks learn more about the incredible work that you're doing and all of these free resources that OT-CERT is providing at Dragos?

>> Dawn Cappelli: Just go to Google, Google Dragos OT-C-E-R-T. We have free resources, 75 at the moment, but it's always growing. Any organization with an OT environment anywhere in the world is welcome to join. And our big push is the ecosystem. So it's not just about you. I like to say, if you're -- let's say you're a manufacturing plant. Where are your plants? They're probably not in the middle of a city. They're probably out in the middle of nowhere. And so where do you get your power and your water? Probably from some small rural or municipal water or electric utility. And they, chances are, have no OT cybersecurity. In fact, you're lucky if they have IT cybersecurity. And if they get hacked, they get brought down, you can't run your plant without water or electricity. Same with any office building. You can't run your organization without water and power. So it's imperative that we all look out for each other. Right now, I talked about what the threats are like, and they're not just going after big organizations. They're really going after the small organizations, the small critical infrastructure organizations. So urge your supply chain, urge your critical infrastructure providers, to also join OT-CERT. It's totally free. We provide practical resources for creating an OT cybersecurity program. So while, you know, other organizations say, here's what you need to do, and they give you the list. And you sit there and say, well, fine, but how do I do that? We give you the how. We give you demonstration videos, guides, templates, a free tabletop exercise. So come to OT-CERT, please join, and encourage your systems integrators, your engineering firms. Because they're the ones that are working in your plants and they don't probably understand cybersecurity. And so we need -- that's another part of that ecosystem. In addition, Dragos has the Community Defense Program. 
For utilities, water, electric, and natural gas in the US and Canada with under $100 million in annual revenue, they can get our platform totally free. Threat hunting, enrollment in our collective defense system, Neighborhood Keeper, OT-CERT, education, they get it totally free. And we meet with all of these organizations on a monthly basis. Our Community Defense Program, we meet with them separately, because they're all small utilities, and so we work with them in one way. And then OT-CERT, we meet monthly with those members, and it's my favorite day of the month. You have large, medium, small organizations, US, Europe, Latin America, Canada, all in there working together and helping each other, sharing lessons learned. It's a great community, so please, please, join us.

>> Caleb Tolin: That is wonderful. Thank you so much, Dawn. We'll link to all of those free resources in the Show Notes as well. Thank you for joining us for this conversation. I learned a lot about OT environments and how they operate and the unique risks facing these environments. Dawn, thank you again for joining, and until next time.

>> Dawn Cappelli: Thank you so much for the opportunity.

[ Music ]

>> Caleb Tolin: That's a wrap on today's episode of Data Security Decoded. If you like what you heard today, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Your feedback really helps us understand what you want to hear more about. And if you want to reach out directly about the show, email me at data-security-decoded@n2k.com. That is N2K.com. Thank you to Rubrik for sponsoring this podcast. The team at N2K includes senior producer Alice Carruth and executive producer Jennifer Eiben, content strategy by Ma'ayan Plaut. Sound design by Elliott Peltzman. Audio mixing by Elliott Peltzman and Tre Hester. Video production support by Brigitte Criqui Wild and Sarelle Joppy. See you next time.

[ Music ]