Air Gaps Are Like Unicorns - An Interview With Galina Antova



Welcome to another edition of Cyber Security Dispatch. This is your host Andy Anderson. In this episode, Air Gaps Are Like Unicorns, we talk with Galina Antova, one of the co-founders of Claroty, a fast-growing security startup in the world of industrial control systems. She shares her experience working to protect these critical systems and the journey that led her to found Claroty.


Andy Anderson: Everybody sort of ends up in cyber security in kind of a unique way. Like I don't think there is a single kid who grows up being like, "I want to be a cyber security expert." What was your path into this biz?

Galina Antova: You're absolutely right, it was kind of like by accident to me. I started my career with IBM. So just the whole software development, security topic was fascinating. When I came across the industrial domain, it was basically the intersection of the stuff that runs the world and cyber security. And so I just became fascinated by that topic. And this is how I ended up just getting into it more and more, and eventually co-founding Claroty.

AA: So Claroty has sort of established itself as sort of a thought leader and sort of a category creator in this industrial control systems and SCADA systems. For somebody who is as immersed in that world, what's sort of happening there for people who, if they haven't been reading all of the hacker news?

GA: Well I think that what happened over the last few years really allowed for the industry to become a real market opportunity. The thing that is not new and that is not easy to change is the security posture of those industrial control system environments. So, in the office environment, we're used to kind of changing our laptops every couple of years. You can't really do that in the industrial control system environment.

The lifecycle of those machines is 35, sometimes 40 years, and so we can't just rip and replace. So, you've got to work with existing infrastructure that, when that infrastructure was designed, security wasn't really a key requirement. That hasn't changed and that's kind of like one of the sources of the problem.

What has changed rapidly over the last few years is actually how interconnected those systems are. When the first PLCs were designed, they weren't actually meant to be connected to non-control networks. So the fact that we've got everything on networks now means that everything is interconnected so therefore, no “air gaps.” So you've got to find a way of actually monitoring that environment.

The third thing that has also changed significantly in the last couple of years, is that in terms of the threat landscape, first of all, I think a lot of folks have realized that those networks are critical; they are more valuable. Downtime can cost millions and an attack can damage expensive equipment or harm people. Once an attacker actually gets into the OT networks, from there on, they don't really need to exploit new or known vulnerabilities to cause damage. They can simply send legitimate commands, just leveraging the existing infrastructure and the existing commands to make changes to the process that can be catastrophic.

So the threat landscape, together with “insecure by design” industrial control systems, is what is actually creating the opportunity.

AA: Yeah, the sort of ability to really to cause physical harm is literally -

GA: Exactly. The impact is completely different than that in the IT domain.

AA: Yeah, and to sort of looking at the backdrop against the security, which you're looking to improve, obviously if you've been in this space you've heard of Stuxnet; maybe you heard about kind of what was happening in Saudi Arabia, where things were happening with Saudi Aramco; maybe some of the other stuff that happened with WannaCry. For someone who is just coming to this space, how do you see this increase of threat level, particularly like the involvement ... Attribution is always hard but potentially nation states fall apart.

GA: No, I'm not going to talk about attribution, because nowadays it is almost impossible to do. There are so many sophisticated ways in which you can do a false flag, so I'll leave that for other hosts to discuss. But really at the core of the issue is the fact that those networks are really, really, really valuable. Valuable in many different ways. Valuable because they could be used to cause physical damage; valuable because in many cases they actually hold some of the IP of those companies, for example the way a chemical company produces things.

So from that perspective, people will be people. I mean bad people will have interest in attacking industrial networks. Now it doesn't necessarily have to be a nation-state. There is “weaponized” malware available in the wild, so think of terrorists, think of all kinds of crazy people with agendas. I think what was proven over the last few years, starting with Stuxnet, is that it is possible to manipulate those networks. For many of those large companies, that had been the wake-up call, that industrial control systems could actually be manipulated so that it broke the process or equipment or could harm people.

AA: And when you think about essentially the security that you're layering on to their systems, is it in many cases just sort of a mirroring of what has happened on the more traditional IT systems? Like are you essentially just taking those models and those processes and those tools and essentially adapting them to the other side?

GA: We're trying to do the complete opposite. And this goes against probably every kind of common sense advice that you would hear in the cyber security industry. But basically there is about a 10 year gap in the cyber security posture of IT networks and industrial networks. And so if we repeat the same cycle, it's not going to get us anywhere. What we try to do with our technology is get to the end result, not necessarily by applying the same security controls, because many of those security controls will not be relevant.

For example, something as simple and in many cases useless as anti-virus, is not even something that you can deploy on a controller because of the warranty issue. That's a real-time machine.

I don't need anti-virus on the controllers and I don't need some of the other measures that do not give me what I'm looking for, and are destructive to the network. So, what we've done is our approach is a completely passive data acquisition approach. We read the networks so we're transparent. That also means that the attackers cannot see us on the network. But because of the ability in which we understand those networks, and the protocols that are running those networks, we're basically able to detect the very first steps the attackers make. In cyber terms, we are able to detect attackers at the earliest stages of the “kill chain” so that we can stop them before they progress.

It's a different way of approaching the problem.

AA: Very cool. And essentially then, whoever is managing your system for a company is then able to, once they've been alerted that there may be an issue, do you guys get involved in sort of remediation or understanding what to do? What's that next step?

GA: Yeah, first of all for industrial control system networks, the ability to be able to see that something wrong is going on, it's a huge impact. Because right now the security teams are going into those networks completely blind. And if you look at any of the sophisticated attacks, I mean attackers were on those networks for months, so that initial detection is kind of extremely key.

In terms of the remediation, it depends on what level of the network. So if something is detected at the really lower levels of the network, where the controllers actually operate the physical process, no one should automatically block traffic from an automatic technology perspective. That needs to be handled in a more manual way, otherwise you can break the operational process or cause a real safety issue.

If we see something from a higher level of the network, from the IT domain, then yes, absolutely. We actually integrate our technology with other security technologies that are able to then take action, based on that information and intelligence.

AA: Very cool. As you think about some of the systems that you're getting involved with, they really are literally critical infrastructure. It’s power plants and those sorts of things. How in that landscape, what do you see in terms of the interaction between both technology providers like yourself, industry, as well as sort of the government sector as well? Is there collaboration that's happening or is it really very silo separate?

GA: Well there is some collaboration but it's really hard to rely on the government or rely on a standard body, to kind of tell you what to do. I have a lot of respect for, and actually we're working with a lot of advisors centered around standard bodies. But standards creation and implementation take a long time and threat actors change tactics very quickly. And so we are creating a completely new paradigm of how to actually address the threat now.

When it comes to governments' involvement with standards, I think that a lot of the large companies have just taken that into their own hands, because the government can really interfere with some of those attacks. And as you mentioned, early attribution is really hard.

AA: Yeah. Sort of switching gears, in terms of some of those major industrial players, I saw that you guys had some big partnerships recently. Schneider Electric.

GA: Schneider Electric, and also Rockwell Automation. Yeah.

AA: Walk me through kind of like that process and what that was like and what that's sort of been able -

GA: It's a very long process because they go through a lot of checks now. But it's a great working relationship with all the industrial control system vendors that we're working with. First of all, I think that for us, it's great to get the validation from them, that our technology works as intended and that it's not disrupting the industrial processes their customers are running, which is huge.

And secondly, they also leverage our technology to go to market, because in a real-world scenario, whether you're an oil and gas company or a large manufacturer, you don't just have one industrial control system, it's better if you have all of them. And so our technology cuts across all of them, and so all of those partners can actually take this as a component and plug us into whatever cybersecurity offering they may have.

AA: I mean it's a related question, but as you think about getting installed in major systems, large corporates, you potentially begin to become a threat back to yourself, right, if you have access? So how do you handle those concerns?

GA: Good question.

So one of the things that I mentioned is with our passive technology, we are actually completely out of band on the industrial network. So we don't exist to the attacker. The attacker would not see us as an IP on the network, etc. We're in stealth, so to speak, in the network itself.

Now of course we go through the regular and kind of rigorous security testing in our own lab and have third parties audit our own technology. But the biggest thing is we're actually passive, we sit on a SPAN port, not inside the OT network and not installed on the systems within the network. So we don’t provide an attack vector for bad guys.

AA: So you're outside.

GA: Yeah.

AA: Great. We've been covering a lot of stuff. Anything you want to go over specifically to talk about? Is there anything that you're like, "I've been waiting to sort of tell people about?"

GA: No.

AA: Okay. Maybe in general sort of the IoT space, we've all seen the graph, like the number of devices and then it looks like a good investment return, right? Hockey stick. How do you think about that? Does that scare you? Does that excite you? Like there is just going to be everybody buying our stuff. From your perspective, how do you think about sort of a more connected world?

GA: Good question and actually I do want to say something now. It's actually a great thing that you guys are covering industrial cyber security. It's been kind of like such an isolated domain, so to speak, that even amongst the overall cyber security industry it has been kind of isolated. So part of what we're trying to do is bring it into mainstream cyber security so that folks talk about it. For example, at the last DEFCON we did a workshop on ICS together with some of the partners. We're educating the overall cyber security industry.

Now that kind of translates into your question about IoT. So IoT is everything. People can think of it as the networks that are running in nuclear power plants and then the intelligence in my toaster. So it's not really the same; there is a huge difference between what IoT is.

AA: Hopefully a different, more sophisticated system.

GA: The way I think about it is that you cannot stop it. The interconnectivity is a good thing if you can actually leverage the power that that gives you. But you can't stop it, right? So the initial push back against security technologies in the ICS domain, was because we're just going to air gap them. Well, it's not practically possible and it's kind of the same thing with the IoT: you are deploying sensors everywhere in your plant and leveraging that data for all sorts of things.

So I would say, for me, it's very exciting, because when everything is connected and everything is talking to each other, you can do so much more in terms of orchestration in how things flow. That being said, the more we think about security as a priority, and we bake it into the process, the better off we'll be. So it's a fact, you can't really change it.

AA: I mean gosh, having not been involved in industrial control systems to the level that you have, I sort of read about them from afar. But gosh, I didn't realize that the lifecycle was really 35-40 years, that long.

Are you seeing now that maybe the threat, the understanding of the potential threats is increasing -- at least vendors and people who are involved are starting to think about building systems?

GA: Oh they started that a long time ago. A few years ago, all of the ICS vendors already started being much more open about their vulnerabilities and how they cover them. But again you've got to think through the timeline of that, right? So okay, you're getting really serious about improving your security postures, so you started the design of your next controller. That design phase itself, in most cases, is a five year process. And then you launch it on the market and that doesn't mean that the large multinationals are going to go and rip and replace the billions of dollars of infrastructure that they have invested. It might be another 15 years before they actually have to operate.

So that being said, just last week I just came from probably one of the best, certainly the most technical, ICS cyber security conference in the industry, S4X18 in Miami. And what we saw there was Schneider Electric talking openly about the recent incident on the Triconex safety system, which was just absolutely admirable. The fact that they're so transparent about that, engaging with the community is something that would not have happened 7-8 years ago.

So the fact that we're seeing vendors not just increase proactively their security, but being very open with the industry is a huge, huge step forward.

AA: Yeah, it is. A sea change in a community when there are problems that everyone has quietly known exist, suddenly -

GA: You might as well be upfront about it and show and tell the community what you're doing about it and how you're solving it.

AA: Yeah, sunshine cures a lot of ills for sure.

The session that you're in, you've made one of the best quotes I've ever heard, which was that, "Air gaps are like unicorns; lots of people talk about them, but we're not sure that we've ever actually seen one."

GA: Especially in industrial control systems.

AA: Oh, that's hilarious.

So in general and part of the reason that this publication exists is, a lot of people talk about the problems, like what's wrong. And it's easy as a community whenever anybody's system goes down, pretty quickly that person gets tarred and feathered. So we always try and talk about the positive, an actual focus on solutions. So what's working and who is doing a good job? Who is admirable right now? Whether that's yourself or partners or companies that you work with. You do not need to name names.

GA: Actually, I'll take it from a different perspective. I think that one of the biggest changes that kind of enabled our industry to even exist is the fact that board-level members started paying attention and actually understanding what it means if they don't have cyber security for the industrial networks. So seeing that awareness at the board level, and then the board members asking the CEO, and then the CIO, to actually do something about it, creates the budget, which means that now we can actually solve the problem.

No problem is unsolvable, you just have to have kind of like a focus on it. I think that most of the large Fortune 500 companies that have industrial networks, and the vast majority of them do, even if it's not things that we think about. I mean this building has HVAC, and elevators and lighting; all of that is ICS, right?

So I think that the boards have done a really good job of asking the right questions. I think that specifically after WannaCry and NotPetya, when the security teams realized that, even though they're not targeted, some of that stuff can get into the shop floor. I think that was a huge wake-up call. And so we've seen quite a lot of interest after that. I think the security teams are also doing a good job of just asking practically, what they can do better in their networks.

AA: Some sort of quiet, stunning headlines after that, in terms of like what Maersk is saying they potentially lost.

GA: And that was just the tip of the iceberg. That was just really a very small fraction of what actually happened behind the scene.

AA: We're really curious what happens, kind of post-GDPR, because I think maybe some changes before that, but just in terms of the disclosure requirements and timing. We just see a flood of more information come out because they're worried about otherwise getting huge [inaudible 00:18:43].

This has been great, just to sort of switch gears for a little bit. For people in the industry, what are you reading? What are you following? How do you kind of stay up?

GA: Good question. Every once in a while I try to read stuff that's not related to cyber security. Which you know, I kind of have to remind myself, because I think what kind of the time that we live in right now is so fascinating, and there is so much that could be done, that it just kind of keeps me up to date.

I actually talk to people. I'm privileged to have access to a lot of the smartest folks in cyber security, both on the technical side as well as the issues that they are facing; it's just tremendous challenges. What I tell a lot of my clients is that I never want to have their jobs because they have to be good all of the time and attackers just need to be good once in a while.

But I also work with some of the smartest folks that come from an offensive cyber background. And so a lot of exciting things on just how we think about technology and what we can do with technology. I try to talk to people, because otherwise there is just too much hype in the media, no offense but, right? There is just a lot of hype, especially when it comes to critical infrastructure and those control systems, because the general public does not understand it that well, and usually we see headlines of like the world's exploding or the US grid is going to come down, or something like that.

AA: If it bleeds, it leads, right?

GA: Exactly.

AA: Cool. Yeah. I mean that's most of what I wanted to cover. I mean thank you.

GA: Well, thank you for getting into that topic of industrial cyber security. Like I said, we need more education, not just for the general public, even for the folks that understand cyber in general really well. That's kind of a new domain.

AA: If people wanted to kind of check out any of your stuff, or see sort of what you're doing, where would you have them go?

GA: I think I've got most of the things that I write on LinkedIn, so probably they can check my page.

AA: Thank you so much.



Editor: Andy Anderson