Tag Archive for: Critical Infrastructure

Cybersecurity: Ray Rothrock – Prepare, Protect, Respond

Public Utilities Fortnightly | November 1, 2019

RedSeal CEO Ray Rothrock was interviewed in a Cybersecurity Special Feature for Fortnightly Magazine, discussing his security recommendations for the leaders of utilities and regulators, segmentation, NERC CIP compliance and more.

Cybersecurity: The Hackers Are Already Through The Utilities’ Doors, So What’s Next?

Forbes | December 20, 2018

In a recent conversation on the topic of cybersecurity, Ray Rothrock – CEO of cybersecurity firm RedSeal, and author of the 2018 book Digital Resilience – offered some interesting and sobering insights on the state of the cyber world and utilities. He commented that hackers are already likely sitting in various U.S. utility systems and reconnoitering, in what the Department of Homeland Security calls an Advanced Persistent Threat mode. The critical question, then, is what to do about that fact, and how to create resilient responses.

“Hide & Sneak.” Playing Today’s Cybersecurity Game

I recently came across a rather nice title for a webinar by A10 Networks’ Kevin Broughton – “Hide & Sneak: Defeat Threat Actors Lurking within your SSL Traffic”. “Hide & Sneak” is a good summary of the current state of the cybersecurity game. Whether our adversaries are state actors or less organized miscreants, they find plenty of ways to hide, stay quiet and observe. They can keep this up for years at a time. Our IT practices of the last few decades have engineered very effective business systems. On the other hand, they are sprawling and complex systems, made up of tunnels, bridges and pipes — much of which is out of sight, unless you take special pains to go look in every corner.

The “Hide & Sneak” webinar focuses on SSL, just one aspect of just one kind of encryption used in just one kind of VPN. This is worthwhile – I mean no criticism of the content offered. But if we think about how complex just this one widely used piece of infrastructure is, and then take a step back to think about this level of detail multiplied across all the technologies we depend on, it’s obvious that it’s impossible for any single security professional to understand all the layers, all the techniques, and all the complexity involved in mission-critical networks. Given staff shortages, it’s not even possible for a well-funded team to keep enough expertise in-house to deal in full depth with everything involved in today’s networks, let alone keep up with the changes tomorrow.

If we can’t even hire experts in all aspects of all the technologies we use, how can we defend our mission-critical infrastructure?

We can break the problem down into three parts – understanding the constantly-shifting array of technologies we use; keeping up with the continuous stream of new defects, issues and best practices; and thinking through the motivations, strategies and behaviors of bad actors. Of these three, the first two are highly automatable (and essentially impossible without automation). The third is the ideal domain for humans – no computer has the wit or insight to think strategically about an intelligent, wily adversary. This is why automation is best focused on understanding the infrastructure, and on uncovering and prioritizing vulnerabilities and defensive gaps.

The best security teams focus human effort on the human problem – understanding the thought patterns of the adversaries, not on learning every detail of every aspect of every technology we use.

Key US Infrastructure Is Under Major Threat From Cyber Attacks

THE DAILY CALLER | April 22, 2016

One of the National Security Agency’s (NSA) highest ranking officials warned Wednesday of a serious threat posed to the nation’s critical infrastructure from potential cyber threats