
The Grid, a Digital Frontier: E-ISAC on Securing the Power Grid
Sherrod DeGrippo: Welcome to the "Microsoft Threat Intelligence" podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries and shape the future of cybersecurity. It might get a little weird. But don't worry, I'm your guide to the back alleys of the threat landscape. [ Music ] Welcome back to the "Microsoft Threat Intelligence" podcast. I am Sherrod DeGrippo, director of Threat Intelligence Strategy here at Microsoft. And, today, we're getting into the invisible backbone of everyone's modern life, the North American power grid. It's a system so sprawling and so interconnected that it tends to really only get our attention when something goes wrong. And, lately, as you may know, threat actors are trying very hard to make things potentially go wrong. So operational technology, quietly aging in substations, threat actors experimenting with new techniques, the stakes have never been higher. So how do we actually protect something this big, this fragile and this essential? Well, we're going to find out. Joining me today is Matt Duncan, the vice president of Security Operations and Intelligence at the North American Electric Reliability Corporation's E-ISAC. What does that mean? He's one of the few people who sees both the day-to-day threats against the grid and understands the big picture patterns shaping its resilience. Matt, thank you so much for joining me.
Matt Duncan: My pleasure. Good to be here.
Sherrod DeGrippo: So let's talk a little bit about critical infrastructure. This is something that my listeners are constantly worried about. We see threats against critical infrastructure from a variety of nation-sponsored countries, whether that means for espionage value, for criminal value, for disruptive value. What are some of the things that you're seeing play out on the grid? What are the threats that are happening out there right now?
Matt Duncan: Well, it's usually bad form to begin a podcast by correcting the host. But --
Sherrod DeGrippo: Oh, no!
Matt Duncan: -- I do want to say despite it being the world's largest machine, the North American power grid is actually quite resilient and not fragile. But I do agree with you that people do tend to notice when the lights go out. And that's why folks like me and my team at the E-ISAC and folks at the utility industry all have a job to do and that's essentially to be guardians of the grid. And, as you mentioned, you know, the threats, whether they're geopolitical, criminal, hacktivists, it attracts all types because it is so pervasive and such an important engine and symbol of our economy and our nation. So it keeps us busy, certainly.
Sherrod DeGrippo: So do you think -- from what you see, do you think that threats really are getting more advanced or we're just getting better at catching them?
Matt Duncan: Yes and yes. So the unfortunate challenge of being a guardian of the grid is as you get better and block the latest tradecraft or IOC, the adversaries come up with something else to do. It's the classic build a fence and someone gets a slightly taller ladder. And, today, I think there's a lot of different things going on. Certainly, AI is making hacking easier. You mentioned OT in the opening. OT attacks are increasing largely because the barrier for entry, the technical skill to go after OT systems has gone down because you can use AI toolkits to look for these things. The second, everything's interconnected. Just like the power grid itself, in order to run your switches, your substations, your turbines, your wind farms, your solar panels, even your thermostat at your house, all of it has to be connected and there's great efficiency and amazing abilities having all these devices connected. But it also increases the attack surface. And our adversaries are very clever. They are finding new and novel ways to get in. It's not just phishing emails anymore. And they're using multi stages of the kill chain and various techniques to access critical infrastructure and it may not even be through that power plant's network. So it is certainly an interesting time.
Sherrod DeGrippo: When you talk to your policymakers, your regulators, the private utilities, the big ones, the little ones, when you talk to those constituents, what kinds of things are they worrying about? What are they asking you for?
Matt Duncan: They don't know what they don't know. They know that when they flip the switch, the lights come on. They know bad guys are targeting the grid. And their first question is always, "Are we safe?" "Well, yes, but" is the unfortunate answer. And we're to a point culturally from a defender's perspective that we can no longer say "if," but we need to say "when something bad happens." And taking that mindset is really important when you're designing your defenses, when you're talking to policymakers, regulators, et cetera, because true resilience, true security is having the ability to accept, "Okay, an adversary got in through the supply chain, stolen credential, internet-facing device that shouldn't have been. What do we do about it?" And, you know, this type of response and recovery mindset is a hallmark in the electricity industry because you can't prevent hurricanes, you can't prevent tornadoes or earthquakes and so the industry has it in its DNA to respond to these types of incidents and get the lights on as quickly as possible. So too with cybersecurity.
Sherrod DeGrippo: You know, you just said you can't prevent tornadoes and earthquakes, but I kind of wonder if there's going to be an AI startup in the next year or two that's like, "We're going to use AI and control the weather." You never know. Maybe they'll get into that. We'll see. The AI companies can be wild. So I know you're collaborating with industry, government, all of these different stakeholders. Do you feel like they're on the right track? Do you feel like there is kind of hope on the horizon? If you were to take the temperature of these really important critical systems, where would you say we are?
Matt Duncan: I think hope is good to have, but I think there is clarity at how important these systems are and that investment is needed to defend it, to support this vital critical infrastructure. And, when you talk to policymakers, one of the first things you need to reassure them is that there's a lot of really talented people working on this and they share information so that when one utility or one other piece of critical infrastructure gets attacked through an ISAC, through the government, through vendors, people are able to learn from those attacks and improve so that when it becomes their turn, they're able to respond a lot faster. And while that may not give you the warm comfort of "Oh, you can prevent this from happening," I think people need to take comfort in these folks know how to respond, they share information and they're always going to keep an eye on for what might be coming next. And that's really the bread and butter of what we do at the Electricity ISAC.
Sherrod DeGrippo: Can you kind of give me a success story of where that collaboration has been successful and you've felt like really good about it?
Matt Duncan: Yeah, certainly. So one of the services that we provide at the E-ISAC is we proactively go out and look up our members' infrastructure using search engines, Censys, Shodan are some of the more popular ones, because if we can find your systems open on the internet, the bad guys can, too. And so we actually worked with our partners at the Cybersecurity Infrastructure Agency, CISA, to get some heads up on some hacktivist activity that was going to be targeting the electricity sector in North America. And we were able to get some indicators ahead of time before it became public and we were able to spot a couple score worth of utilities that had some internet-facing devices that needed to either have a port closed or be patched. And when the actual CISA bulletin came out a few days later, the adversaries tried to attack those particular utilities and they were blocked. That was a really great moment and talked about the partnership, the information sharing that we all do. It felt really good to keep the lights on that day.
Sherrod DeGrippo: I love that. I love a shoutout for Censys and Shodan, first of all. I think that's fantastic. I think that the practitioners that are listening now love those tools. They're very popular. And I think that, you know, talking about what we're actually using to do these things to complete security projects to get the intelligence we need, I think that's really important. I want to talk about hacktivists. So, in my world, it's particularly at customer briefings and talking with our, you know, constituents and what are we thinking about when it comes to threat, talking about defenders. I am spending 90%, 95% of my time on crime and nation-sponsored. Talk to me about hacktivists. Tell me about that threat landscape, those threat actors. What are you seeing there? What is the urgency around that? I have ideas, but I want to hear from you who's actually really working in an organization that has that kind of threat profile and working with all of these partners that hacktivism is a real genuine concern there. What are you seeing there?
Matt Duncan: Well, first of all, you know, I think the term "hacktivists," it gives hacktivists a bad name. These threat hacktivists, whether they are truly ideologically or politically motivated or they are kind of shadow teams on behalf of criminal groups or nation-states, but, regardless, over the last couple of years we have seen a significant increase in hacktivist activity. And it's usually low-level stuff like defacing websites, conducting distributed denial-of-service, DDoS, attacks. But it is also they have shown interest in OT, in operational technology, and trying to mess with HMIs, human machine interfaces, where they can. And what I think is driving this is the geopolitical threat landscape. Pick your conflict zone, pick your cause and chances are there's a threat hacktivist somewhere that wants to use that to make a name for themselves, that they want to boast on Telegram or an image board. And they may not have tremendous success, but, you know, you take a major organization's website down for a couple of hours and you can put the Check-Host proof on Telegram, you feel pretty good about yourself. Secondarily, there is always a question of whether or not they are true hacktivists or are they working on behalf of somebody else and so some societal chaos in the environment given what's in the news that day. So it is something that we've worked hard to educate the industry and all of critical infrastructure about. You know, I am sure your practitioners are like, "Oh, man, DDoS, that's no big deal. Website defacements, this isn't, you know, 1999."
Sherrod DeGrippo: For critical infrastructure it's a huge deal.
Matt Duncan: But for critical infrastructure, sure. Yeah. But, for critical infrastructure, that's a bad day. If you take a utility's website down, customers can't pay their bills. If you DDoS a call center, you may not be able to get, you know, crews out to your house to fix a down line. And that's actually a real life and safety --
Sherrod DeGrippo: Huge.
Matt Duncan: -- issue.
Sherrod DeGrippo: Huge.
Matt Duncan: So hacktivists --
Sherrod DeGrippo: Especially when you combine it with, you know, whatever's receiving the electrical. Sure, your house, but also a hospital, a school, an assisted living facility, a grocery store, you know, any of those things that get caught up in that chain can be -- have really bad effects.
Matt Duncan: And that's what I think the guardians of the grid that worked in our industry in cybersecurity, there's so much more at stake because safety, lives are in the balance. And I think that sense of mission is what draws a lot of people to work in the electricity industry, that to work in cybersecurity. And you can feel good at the end of the day 'cuz you helped keep the power flowing. And it's something that, you know, you may not make as much money as if you go to a large tech company, but you have a solid job, you have an important job and you have a lot of really interesting things to look at it every day for sure.
Sherrod DeGrippo: I think another thing, like just relating it to my own reality, I live in Atlanta, Georgia, I am a native, I have lived here almost my entire life and we are an ice storm just like capital. Like it's going to happen. Power's going out. Trees are coming down, the power is definitely going out. And it's a big reason I love having a gas stove and gas water heater because I can take a hot shower with a flashlight and it's lovely. It's kind of nice. But it's a scary time for me. You know, like, in the winter, trees coming down, everyone's texting like, "Hey, if your power goes out, come over here," et cetera. And so I guess my question is, do you feel whether it's socially motivated or a hacktivist, whether it's financially motivated crimeware, whether it's espionage and disruption motivated, nation-sponsored, et cetera, do you feel that there is a heightened preparedness at those times for a cyber threat as well? How does that work? What does that look like?
Matt Duncan: Absolutely. After the weather report comes in and the projections for outages are made, the next question is, "What are the cyber threats that are going to take advantage of what's going on?" And -- 'cuz we have seen this. If you go back to Winter Storm Uri in Texas a few years ago, just as electricity and gas, mind you, sorry, your --
Sherrod DeGrippo: No.
Matt Duncan: -- stove wouldn't have worked --
Sherrod DeGrippo: No.
Matt Duncan: -- in Texas during Uri because everything had frozen up. Weatherization is a different topic we can get into another time. So you go back to Winter Storm Uri, there were ransomware criminals that were looking to place malware inside wind turbines because those were absolutely critical to get started to generate electricity and they saw it as a great opportunity to get paid, for the financially motivated type. Now, thankfully, that didn't happen. It got stopped. But this is why I think whether you're a hacktivist, a nation-state or a ransomware gang, OT is really interesting to you because that's got to be on, that's got to get restored quickly and maybe the owner of that infrastructure is more likely to pay you. So that I think is one of the other reasons OT has become a more attractive financial target for a lot of these adversaries.
Sherrod DeGrippo: Let's talk about OT a little bit. That's something that I don't know a ton about. So help me understand. Are threat actors getting better at understanding operational technology in the grid? Like are you seeing from a threat actor activity perspective, do they seem more educated today than they were let's say five or 10 years ago?
Matt Duncan: Unfortunately, yes. The one thing you have to say about the cybersecurity community is they love to read and they love to find new and interesting things to break or fix. And this awareness has actually made it more dangerous for operational technology 'cuz, as you alluded to earlier, there's a lot of end-of-life equipment there. A lot of Windows 7 that is still operating and nobody wants to touch it --
Sherrod DeGrippo: You've got to upgrade that Windows 7. Coming from Microsoft right here, go ahead and upgrade that.
Matt Duncan: Yeah, you're required to say that, I know. But the mentality is, "Hey, this has been running for 20-30 years. I'm not -- why would I mess with that? The lights might go out." And because of that technology baseline perhaps being so old and not supported, it's a really interesting target. The challenge, of course, is finding that initial access to get to the OT. And, in probably the lower-level cases, unfortunately, people connect things they shouldn't to the internet. And I referenced the hack in this case where we've made some shares earlier. It's those internet-connected devices that have open ports, unpatched vulnerabilities that, you know, enable an engineer to work from home and make his -- up his or her updates, you know, from the comfort of their couch. That is actually an incredible liability for that utility so -- because a lot of these adversaries are looking for it, AI is helping them find it. And that's kind of the first challenge that we have when thinking about the threats from OT. The secondary, the bigger, the nation-states, those primarily are a lot of espionage. Although, I will note that the Microsoft 2025 MDDR mentioned that only about 4% of the telemetry that you all have looked at is actually espionage based. But that's a big 4% 'cuz they're looking to exfiltrate diagrams, they're looking to exfiltrate configurations, schematics to prepare for potential larger-scale disruption, which they can't do unless they know the topography of critical infrastructure.
Sherrod DeGrippo: For those of you listening, that's referencing the Microsoft Digital Defense Report for 2025. It just came out last month. Go ahead and use Bing Search to find that. And, yeah, so I like to talk about espionage versus disruption when it comes to critical infrastructure because, in many ways, the espionage value of a lot of critical infrastructure is pretty low. Right? Like they've got, like you said, the diagrams, the technology capability, all of those things. But, at Microsoft, when we see nation-sponsored going against critical infrastructure low and slow, quiet, really trying to obfuscate where they're coming from, it generally a lot of times is a disruption play. Almost all of the intelligence that we have indicates that when nation-sponsor threat actor groups are going after critical infrastructure, the end game is holding a position that allows disruption at some point. And, just personally, like on a personal level, Matt, are you sleeping okay? How stressful is having to think about that so frequently?
Matt Duncan: Well, I have young kids and an old dog so I don't sleep very much, so it gives me something to think about in the middle of the night. And the phrase that we like to use is "adversaries will conduct espionage to hold infrastructure hostage so that, at the time of their choosing, they could look to influence the U.S., Canada, allies to not take another action." It's a type of kind of gray hybrid warfare. And just having the ability, the nuclear weapons, you know, if you, back in the Cold War, mutually assured destruction, if I'm able to take out your critical infrastructure, maybe you aren't going to attack me. And it's a very sobering thought to have about our civilian critical infrastructure in North America. But, you're right, they are doing a lot of reconnaissance. They have lots of data. They are low and slow, very patient. This is not smash and grab. This is not stealing intellectual property. Although, sometimes that does happen. But this patience and learning about the systems and sitting on this for years and watching how an organization runs its cybersecurity, what is it they're monitoring, what are they change their configurations, what is their file structure, because they learn from previous attacks as well. So what may have been a mistake by an organization in Europe, another organization in Asia may say, "Okay, so now we really need to learn how the file structure works so we don't get caught." 'Cuz, at the end of the day, what helps my analysts, what helps the industry analyst is looking for those human fingerprints, the small mistake in the code or the small mistake in timing and tradecraft that the adversary makes. And those are invaluable for detecting because they're getting so good at hiding where they're coming from.
You mentioned the Orbital Box Relay networks, the ORB networks, just geoblocking certain IP addresses from countries that you don't like is not sufficient anymore because they're going to be using these networks coming from what looks like a local exchange to get into your network. And it is a big problem. And it requires working not only across this industry and government, but working with other industries to shore that up.
Sherrod DeGrippo: Can we take a quick box on that, Matt? My listeners might not know about the ORB situation. Could you kind of walk us through that? Unless you're specialized in specific particular threat actors, my listeners might not know. So can you kind of give us your take on that?
Matt Duncan: So Orbital Box Relays, or ORB, networks are obfuscation networks. They're set up by an adversary using other types of infrastructure that looks legitimate so that, when a defender is looking at traffic coming into their network, no red flags are raised. And because these ORB networks can be set up in multiple places and changed very quickly, you never quite know where it's going to come from. Now, thankfully, through the sharing of information, working with government partners, you are able to eventually identify some fingerprints and some tradecraft that is inherent in ORB networks. But they really make identification very tricky for defenders.
Sherrod DeGrippo: That's something that we have been tracking, too, at Microsoft through our intelligence capabilities is these small office/home office networks that become the launching plane for a variety of threat actors targeting critical infrastructure and targeting a variety of other types of industries and espionage targets because, if you can launch everything from a nice residential IP address that maybe has a really nice fiber connection, like I do at my house, then the threat actors have this nice cover that allows them to kind of blend in with regular residential traffic coming into that network. Which, like you said, may be an employee working from home that day or something like that. That's one of the reasons that, as the holiday season approaches, the best gift that you can give your family is an updated network architecture and go ahead and update the software on all of the routers that are in the parents' home and grandma's network. She loves her Wi-Fi, but maybe she's operating off a 10-year-old AP that's been end-of-lifed. So check that out and maybe you give the gift of network security this Christmas to your family this holiday season.
Matt Duncan: And then you can always change their default password that they haven't changed off the box that is sitting on their --
Sherrod DeGrippo: Yes.
Matt Duncan: -- on their home network. Although, there's probably a couple of routers that are on Santa's naughty list this year that you can probably encourage people not to buy, but you'll have to DM me to figure out who's on that list.
Sherrod DeGrippo: Yes, as Matt is very diplomatically saying, make sure you check the integrity of the network hardware manufacturer before installing or purchasing new network hardware. This is the most inside of inside takes that only very few people will understand. But, yes, I absolutely agree, we have got to make sure in the United States that our home networks, which are used for so many things that end up being critical, are safe to operate from and are safe to not become the, you know, launch and pivot points for threat actors. So let's talk a little bit about, you know, this idea that the grid in the United States is part of kind of the battlefield or the geopolitical cyber war landscape. Do you think that's true? And, if it is true, how do we work with policymakers to make sure that they have what they need, they're doing the right things? Just, you know, before you get into that, I work with policymakers a lot and the number one thing that they want is information and advice. And so how do you do that when you're looking at what is essentially, you know, a sort of secondary virtual battlefield?
Matt Duncan: Unfortunately, the oceans don't protect us the way they used to in North America and the North American electricity industry is on the front line of a global cyber war. And it happens daily. And that's just the unfortunate reality that we live in. And I want to commend our U.S. and Canadian 'cuz it is a North American grid. That's very important to keep in mind.
Sherrod DeGrippo: The Canadians, eh?
Matt Duncan: Yeah, the Canadians, eh. We -- you -- it's very difficult to power the Northeast U.S. and Northwest U.S. without Canadian hydropower. So there's my shoutout to my friends --
Sherrod DeGrippo: Thanks, Canada.
Matt Duncan: -- in electricity in Canada.
Sherrod DeGrippo: Thanks electricity Canada for keeping the lights on down here for us.
Matt Duncan: We appreciate that. But, with talking with the policymakers, they get it. And, in fact, next week coming up, we have our GridEx exercise, grid security exercise. This is the eighth iteration we've done. We do a two-part exercise. The first part is for the utilities. We have something like 370 utilities across North America that are playing. But what we always tell them to do, "It's not enough to play internally. You've got to play with the sheriff's office, you've got to play with Homeland Security, the FBI field office, your regulator, your suppliers, your gas company, your telecom company." And we give them a really, really difficult scenario that's designed to break the grid and they have to figure out how to put it all back together. And, in our eighth iteration now, we've gotten pretty good at causing impacts not only to electricity in the scenario, but all of this interdependent infrastructure network requiring government to make prioritization decisions. And it can get really messy. But it's better to get messy in a drill than messy in real life. The second element that we do to inform policymakers is we have an executive tabletop here in Washington, D.C., where we bring in the CEOs and the cabinet secretaries of various U.S. and Canadian government departments to play through these very difficult scenarios and talk about how they can respond faster and what changes can be made in policy and procurement to ensure that there's more resilience in the system. So it's top of mind and we're going to see it here in a few days in the middle of November, how it plays out. And, hopefully, we'll put the grid back together at the end of GridEx VIII.
Sherrod DeGrippo: So, okay, I'm interested. Tell me about these personalities. It sounds fun, but also this kind of specialist can be an interesting personality. So what are the people like? What are the attendees like?
Matt Duncan: There's a lot of interesting personalities in the electricity industry. It's incredibly diverse. You have engineers, you have scientists, you have financial accountants, you have business people, you have government regulators, you have cyber warriors, you have army warriors, you have folks that believe in innovation and getting new technology. So it's a real interesting mix. And, when you get that group of people together, they come up with some really cool ideas and some of them are really simple. So, back in GridEx V, I think it was -- no, GridEx IV, they talked about the need to have mutual assistance like we do for hurricanes in the cyber world. And a direct result of that exercise was the creation of something called Cyber Mutual Assistance where utilities will get together with other utilities that might be under duress, that might be experiencing a cyber incident, a ransomware or you name it, and they provide support at cost to that utility to help them get their lights back on just the way they would if a hurricane hits Florida. You'll get crews coming from the Pacific Northwest, Canada all driving down to Florida to help people restore power. And it's a really cool part of the industry the way we work together. And that was a direct outcome of one of the GridEx exercises.
Sherrod DeGrippo: That's awesome. I think most people, especially, again, like living in the South and being from the South, this is a part of our, you know, seasonal reality. We just accept like it's either going to be a tornado, the leftovers of a hurricane or an ice storm and it is coming for us every time. And there really is that -- and all of the people that I've worked with that have energy backgrounds or OT backgrounds, there really is what I see as a commitment to resilience and a commitment to getting through the odds because the mission is kind of greater than any one person. And you see those caravans of like trucks going when things happen. And we shout -- we gave a nice shoutout to Canada, I'm going to give a nice shoutout to Georgia Power. My friends at Georgia Power put me at the top of the list for when this stuff happens. But I think that it's, you know, something that is very unseen. Right? It is quite literally the example that many security practitioners use is where you'll go to the security team at a bank or, you know, any of those kinds of -- anywhere and they're responsible for securing the organization like, "Well, we're like a utility and no one notices us until something really bad happens." And you're living the actual example of that. And so I think it's really important to point out that there is people like you and these -- the -- this concept of the grid guardians doing this constant vigilance to make sure that everyone has the literal power that they need.
Matt Duncan: Literal power that they need and it's a big team. Cybersecurity is a team sport. And we're just one organization, but the fact that we're able to share relatively and sometimes very sensitive information across 1,500 utilities in North America to help them be more resilient, it's a real privilege. And we couldn't do it without the utilities that work with us. And, just a quick point, you talked about the line crews driving South during storm season and people not really thinking about it until the lights go out. I would say the same is true of your poor IT shop at your organization.
Sherrod DeGrippo: Yeah.
Matt Duncan: At any time I speak in front of a group of utility cyber people, I said -- I like to highlight the work the IT team does because it's in the basic network architecture, the segmentation, the protection of identity, the stuff that those folks do every day without very much praise and sometimes a lot of frustration is what actually is the first line of defense in cybersecurity. So, you know, thank your local IT department and appreciate the work they do 'cuz when there's a vulnerability, there's a supply chain compromise, those folks are going to lose their weekends and holidays 'cuz they have to put your systems back together. And very true in the electricity industry, too.
Sherrod DeGrippo: It's 100% true. And I think -- you know, I started early in my career as a systems administrator, I mean early in my career, like teens. And I feel that a lot of personalities in security bring the systems administrator vibes approach. Sometimes we're a little salty, but it comes from being in the trenches, I think, and knowing it doesn't matter what's happening, we've got to get it done. It's kind of like the concept of the sys admin sort of disappeared and became like a DevOps thing. But, us old school people, and I believe Matt is one of the old-schoolers as well from what I know of him, it was one of those things where like you've just got to get this done. Like you've just got to get it up. People are freaking out. And that was your life as an employee with -- when you're like in IT or a systems administrator. And I think, in security now, we're getting similar kinds of responsibilities where it's like you just have to make it work, you just have to figure it out, so bring your grown-up brain and just figure out how to make it happen. I'll ask you one final question. If you could get rid of a single misconception about securing the grid that's out there, what would that be?
Matt Duncan: If I could get rid of one misconception, it's that it is impossible to defend the grid and networks because it's so big.
Sherrod DeGrippo: So you believe that there really is a positive pathway ahead to making wins against threat actors on the grid?
Matt Duncan: Absolutely. Defense is doable. And we have to start with the basics, we have to be brilliant at the basics. And, with all due respect to large security and software companies, it's not always about the latest AI-enabled SIEMs or system. It is about doing really good access management, really good principle of least privilege, really good network architecture, doing the real basics there. And that is something that is in the control, I think, of most IT teams and utility teams. It just doesn't get the attention or the importance that maybe getting a new internal network security monitoring system put in place does. So, you know, I think, as AI makes these attacks faster and faster at scale, we've got to focus on what we can secure and focus on not only the technologies that will protect us, but also the people and processes that are going to protect us. And we can do that. We can absolutely do this.
Sherrod DeGrippo: Good. I love the positivity. I think that's important. And I think we do plenty of AI reality checks on this podcast. So I agree. I think that we can't just try to take AI like peanut butter and smear it on something and say, "Oh, look, it's great now." That's not reality. That's not how tools are used. Tools are used to accelerate, tools are used to scale, tools are used to make things less painful and more pleasant for the work you're doing. They are not a security strategy. AI is not a security strategy.
Matt Duncan: It is not a security strategy, but AI is certainly an important security tool. Don't get me wrong.
Sherrod DeGrippo: It's a tool, it's a great tool.
Matt Duncan: And using AI to do some of those basics that I just talked about is a really good use case for them, sharing information with appropriate controls and humans in the loop is also really good, as well as forecasting what are the future vulnerabilities going to be like, what are some pathways through the system that you haven't thought about. I think AI is going to be a real boon for penetration testing, adversary emulation and, you know, we shouldn't be scared of it, but we should also be, you know, smart about how we use it and not, as you say, just spread it over like peanut butter and assume everything's going to be okay 'cuz that's probably not going to happen.
Sherrod DeGrippo: I agree. I think it's really important, especially for our security teams to get hardcore and intentional. Have your intentions with AI, know what you're going to use it for, know what you expect of it. Again, this is a tool. It's a tool that takes a big investment. It can be a force multiplier, it can help you scale, it can help you accelerate. But AI is not a security strategy and you've got to build your security strategy implementing your tools, AI is one of them, that's going to be the best for your organization. Matt, thank you so much for pulling back the curtain. I think a lot of people picture security as clouds and laptops and things like that, but there is a lot of risk out there that we don't think about, that we don't talk about as broadly. So I'm glad that you got to bring that to the conversation. It's not just infrastructure, it's a system that lives and grows and changes and is impacted by the weather and capacity and policymakers and the systems that are all supporting and surrounding it, and then layer on top of that threat actors. I think that makes the grid one of the hardest things to defend. So, Matt, thank you, again, for joining us. Thank you for all the work that you're doing around the E-ISAC with your team and we hope to have you back soon.
Matt Duncan: My pleasure. And a special shoutout to all of the guardians of the grid out there, the folks that are doing the hard work day in and day out. You're the ones that keep the lights on and just really appreciate it. Thank you.
Sherrod DeGrippo: Thanks for keeping my lights on. [ Music ] Thanks for listening to the "Microsoft Threat Intelligence" podcast. We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode, we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, msthreatintelpodcast.com for more, and subscribe on your favorite podcast app. [ Music ]
