In The Boardroom With...
Mr. Marc Blackmer
Product Marketing Manager, Industry Solutions
Security Business Group
Updated October 19, 2016
SecuritySolutionsWatch.com: Thank you for joining us again today, Marc. The headlines since we last talked again remind us about how challenging today’s cybersecurity threat environment truly is.
OVH, one of the world’s largest hosting providers, reported that its systems had been hit by simultaneous attacks that peaked at nearly 1 terabit per second (Tbps). Your thoughts?
Marc Blackmer: Thanks for having me back. This attack is proof positive that IoT devices can be turned against us with devastating effect and it perfectly demonstrated the power of scale when it comes to the IoT. I think of it as the Stuxnet moment for IoT where we’ve moved from theory to reality in how these devices can be abused and weaponized. It’s also very emblematic of the IoT in that almost anyone can create a connected device, but not everyone understands security, which leaves us with millions of vulnerable devices. Consider that many of the devices used in this attack were using insecure services, such as telnet, and default credentials. This attack could have been mitigated simply by using secure services and by changing the user credentials.
SecuritySolutionsWatch.com: We read with great interest in Cisco’s Industrial Control Systems (ICS) Buyers’ Guide proposed high-level questions to ask of any prospective vendor looking to secure an industrial control system. “It will provide you a path to determine critical information about the vendor’s ability to offer a successful ICS security solution.” Want to walk us through this resource?
Marc Blackmer: Sure. Industrial control networks in the past had been air-gapped and made use of point-to-point serial connections, but that’s all changing. There are many efficiency gains to be had by using routable protocols and interconnecting industrial networks to some extent. The flip side of that coin is that these networks are now vulnerable to cyber attacks that weren’t relevant all that long ago.
Now that means the operators of industrial networks have to deploy cybersecurity solutions in their environments, and it’s important to note that you can’t take the same approach to cybersecurity in an industrial environment that you would in a data center, for example. So operators find themselves in a tricky situation of ramping up on cybersecurity concepts and trying to weed through a bunch of jargon to figure out which cybersecurity vendors truly understand and can meet their needs.
We created the buyers’ guide to help operators through that process. We came up with what we felt were the top ten questions operators should ask their vendors. We also provided the answers they should expect and why these are important for industrial operators. Of course in the end, we’d love to have them select Cisco, but as long as our critical infrastructure is properly secured, we all benefit.
SecuritySolutionsWatch.com: Last time we chatted, you mentioned, and we couldn’t agree more, that “We also can’t lose sight of the fact that networks must provide value for the humans that use them.”
What is your perspective, Marc, regarding the opportunity for profitable new business models to emerge in today’s IoT environment?
Marc Blackmer: That’s something we’re asked about a lot, especially from our service provider partners. First, please let me just level set. We think of the IoT pie consisting of three parts – IT (information technology), OT (operations technology for industrial networks), and CT (consumer technology) – with service providers wrapping around the whole thing.
One area where we see strong potential is in the area of managed security services. We estimate that the cybersecurity field will face a deficit of 1 million trained professionals in a few short years, so organizations need help in supplementing their security teams. Managed security services isn’t anything new to service providers, but the IoT is increasing the need for these services as organizations try to keep up.
Penetration testing (pen testing) services is another area where I’m hearing increasing interest in starting new lines of business, in particular, for industrial control systems and IoT devices. There is a general notion that pen testing is a nice-to-have, but I disagree. I just finished reading “Hacking Exposed: Industrial Control Systems” in which the authors make the argument that pen testing helps to prioritize spending, and is therefore, an efficient input to budget planning. I couldn’t agree more.
Lastly, for telecommunications service providers, providing secure services for over-the-air connectivity for such things as fleet management, mining, smart cities, and geographically distributed industrial networks is another area where we see service providers looking to expand their business models.
Marc Blackmer is a technologist, blogger, and cybersecurity professional who has spent more than 15 years assisting some of the world's top energy producers, financial institutions, and governments worldwide defend their critical assets from cyber threats. His technical background in information technology engineering, ICS cybersecurity, and IT governance, risk, and compliance, brings a unique perspective to addressing the threats facing critical infrastructure today and the coming Internet of Things.
SecuritySolutionsWatch.com: Thank you for joining us today, Marc. Before discussing IoT & Security in the Industrial Sector in greater detail, please tell us about your background.
Marc Blackmer: I started my career in IT back in the ‘90s, moved into security about 10 years ago, and for the last few years have been focused on security for critical infrastructure and the Internet of Things. I also run a non-profit aimed at getting kids into cybersecurity careers and I’m the marketing director for a regional STEM network where I live in central Massachusetts.
SecuritySolutionsWatch.com: One will read on Cisco.com that, “There’s never been a better time to automate the world’s most dangerous jobs”. Care to elaborate?
Marc Blackmer: Our world isn’t getting less connected. We estimate that there will be 50 billion – with a “b” – connected things by 2020, and that includes critical infrastructure, mining, manufacturing, energy production, and so on. Accordingly, malicious hacking is becoming more lucrative and impactful as this connectivity increases. We’ve already seen how malware can be used to help take down a power grid. Therefore, if we are to reap the benefits of greater connectivity, then we need to be sure we are connecting security to protect human health and safety, as well as environment safety.
SecuritySolutionsWatch.com: What are the biggest security challenges within the IoT today?
Marc Blackmer: The biggest challenge is scale; just think of that 50 billion number. How are security teams expected to protect their users, their networks, with such a proliferation and variance in connected devices? It’s not as if security budgets are scaling up with the threats. That’s the reality we’re all left with, so our approach is focused on services, products, and integrated partnerships.
From a product perspective, we are platform-based – so that customers can pick and choose what they need to meet their requirements, while knowing these products will integrate with each other – to build security architectures. Point solutions can leave gaps or create redundancies that are inefficient from the technology, budget, and administrative perspectives. But we know that one company cannot do everything, so we continue to build a robust, integrated technical partnership ecosystem. All that being said, the best technology doesn’t help if it’s not properly deployed and administered, so we provide our customers with a wide range of consulting and managed services offerings, and partner with other services organizations, as well.
SecuritySolutionsWatch.com: Where do you think security innovation within #IoT should be moving toward?
Marc Blackmer: I would say “usability.” I’ve long argued that the security industry, as a whole, is trying to engineer its way out of a human problem. Yes, the foundation of IoT is about connected technologies, but the benefits we hope to gain are benefits for humans. It’s also we humans who must secure the IoT, and this is why I say usability is vital. Powerful technology has no value if nobody knows how to use it properly.
To that end, we have been working on an open, standards-based approach to securing the IoT called Manufacturer Usage Description. In short, the approach uses the respective expertise of connected device manufacturers and security providers to simplify the life of security administrators. I won’t go into all of the details now, but you can find the RFC here: https://datatracker.ietf.org/doc/draft-lear-ietf-netmod-mud/ . What’s been really great is that we’ve been contacted by some big players interested in the concept, and wanting to contribute to the standardization process. We’d always intended this to be a community effort and welcome the collaboration.
SecuritySolutionsWatch.com: Any “wins” or success stories you would like to discuss?
Marc Blackmer: Understandably, not a lot of organizations want to publicly speak about their security challenges, and I’ll respect those concerns. What I can do is give you a couple of anonymous examples. In one case, a US electric utility was facing a malware outbreak and they just couldn’t get their arms around it. Once they’d cleaned a certain amount of machines, the same number of new infections would show up elsewhere. This went on for about four months, until they decided to deploy our advanced malware protection, or AMP. By the customer’s estimate, they were able to detect all infected nodes and remove the malware en masse in about 40 minutes.
Another example is how we were able to help out a global oil company with their security staffing needs for their industrial network operations. I’d mentioned the importance of humans in properly deploying, configuring, and administering security technology. The complicating factor is that there is a talent shortage to the point that we estimate that there will be a deficit of 1 million trained cybersecurity professionals in a couple of years. We now staff and manage their industrial security operations center for them, and bring the benefit of years of experience in securing industrial environments.
SecuritySolutionsWatch.com: Can you share with us an inside look at the journey industrial customers take with the Cisco team?
Marc Blackmer: I’ve been seeing a trend globally in a number of different industrial verticals where IT security is being asked to take responsibility for at least some portion of the industrial networks. The approach we have been taking in these cases is to first have our consultants assess and inventory the networks, as well as review existing policies and procedures, or lack thereof. Based on the resulting gap analysis, our solution architects can design a security architecture for that environment while our consultants can help fill in the policy and procedure gaps. After deployment, we can provide training and staffing, as needed.
SecuritySolutionsWatch.com: Cyber attacks, whether from a foreign government, a sophisticated hacker group, or lone wolf, are in the headlines just about every day now. Unintentional Insider Threats are an equally serious problem where employees/users might innocently click on phishing messages, visit nefarious websites, run risky/outdated software, or fall into any number of other traps. We read with great interest your intriguing blog “How To Lose the Cyber Security War in 3 Easy Steps”. Please share with us your thoughts on this.
Marc Blackmer: Thanks. My point in that blog post was that defenders need to step back and think unconventionally about protecting their networks. Defenders know better than anybody how to break their own networks. It may seem counterintuitive to think in terms of ways to damage what you’re trying to protect, but I guarantee you that that’s exactly what the bad guys are doing. If you’re not adapting accordingly, the bad guys will eventually find their way in.
SecuritySolutionsWatch.com: It’s safe to say that today’s constant threat environment has never been more challenging. Please share with us your thoughts on “best practices” in this IoT, mobility and BYOD environment.
Marc Blackmer: We, as security practitioners, have to keep our eyes on the basic blocking and tackling of security – segmentation, defense-in-depth, etc. Granted, these aren’t new exciting things to talk about, but they work. Period. And we can’t lose sight of that. The harsh reality in security is that the good guys need to get it 100% right 100% of the time, while the bad guys only need to get it right once. We need to start with that solid foundation to be effective.
We also can’t lose sight of the fact that networks must provide value for the humans that use them. The priority for us in security, of course, is to keep the network safe, but if we put barriers in front of the users that they perceive to keep them from doing their work, they will find ways around those protections. That doesn’t do any of us any good. But we can’t expect users to become security professionals, so it’s important to secure networks in a way that ensures the usability for the users.
SecuritySolutionsWatch.com: Thanks again Marc for taking us on our journey today...are there any other subjects you would like to discuss?
Marc Blackmer: Thanks. I really appreciate the opportunity to have this conversation. The only other thing that comes to mind is a reminder that security is a journey, not a destination. The threat landscape is constantly evolving, and we, as defenders, must evolve with it. The moment we think we can relax is the moment we give the edge to the bad guys.