More than 250 influential cybersecurity leaders from industrial companies, healthcare delivery organizations, and the highest levels of government convened for Claroty’s fourth annual thought leadership conference to share best practices on cyber-physical systems cybersecurity, protection, and resilience strategies.
Cyber Resilience
Operational Resilience
Risk Management
Nexus Conference

CPS Security Leaders Establish Priorities for Resilience at Nexus 2025

Yaniv Vardi / Nov 10, 2025

Nexus Conference is many things, foremost among them a community of cybersecurity experts, as well as an essential forum for exchanging ideas, and a gathering where priorities are level-set among peers responsible for cyber-physical systems (CPS) protection.

Our recently concluded event in Austin, Texas, delivered on all fronts.

More than 250 influential cybersecurity leaders from industrial companies, healthcare delivery organizations, and the highest levels of government convened for Claroty’s fourth annual thought leadership conference. Our hope is that the messages conveyed by our presenters from the stage, and between peers throughout the event, will help set agendas for the next year.

Those include:

  • Critical infrastructure rapidly becoming a target not only for profit-seeking threat actors, but also for advanced, state-affiliated groups seeking political capital and looking to impose social disruption and mistrust in the systems and services critical to our way of life. Resilience can no longer be an abstract concept in CPS protection; it must be the North Star for these programs, the structure holding up risk management and risk mitigation efforts.

  • Global supply chains realigning in the wake of geopolitical and economic unrest, which is introducing unprecedented risk to CPS. CPS protection programs must align and focus on essential security strategies, such as third-party remote access and ensuring partners too are resilient against inevitable incidents targeting them. 

  • A reliance on artificial intelligence and machine learning that is growing exponentially; data centers, for example, are being constructed at extraordinary speeds, bringing with them extraordinary energy and resilience demands. Leveraging AI for defense is the only viable way forward against attackers making use of the technology’s same speed and efficiency to construct and amplify attacks. 

Let’s recap what our speakers had to say about each of these:

Critical Infrastructure as the Cyber Battleground

Make no mistake: Attacks against connected medical devices and complex operational technology and control systems that have only been theorized about are becoming practical. China-nexus threat actors, adept at espionage, are ramping up their aggression against U.S. critical infrastructure. Volt, Salt, and Silk Typhoon (a trio of state-affiliated attackers) are deploying a variety of attack tools and using living-off-the-land techniques that experts believe would be viable in the event of a kinetic conflict in Taiwan or elsewhere.

Mandiant Chief Technology Officer Charles Carmakal shared the exploits of Silk Typhoon (UNC5221), one of the most prevalent espionage actors targeting U.S. interests. Their activities are characterized in a number of ways, from the use of zero-day vulnerabilities against enterprise technology, to the compromise of software supply chain providers in order to attack downstream customers, and the deployment of malware on edge devices such as hypervisors and remote access solutions that do not support endpoint detection and response (EDR) protection. 

Mandiant CTO Charles Carmakal on stage at Nexus 2025.

Carmakal said these groups are determined and dwell on compromised systems, sometimes for years. Their tools include custom-built rootkits, malware frameworks, and backdoors purpose-built for the hypervisors and networking gear they’re targeting. Networks and CPS dependencies are being mapped in order to understand traffic routes and better use lateral movement to compromise targets. 

Carmakal concluded that CPS leaders must not only improve visibility and mitigations against these threats but do so collectively.

Team82 Vulnerability Research Lead Noam Moshe, meanwhile, brought real-world threat intelligence to the conversation. He shared some of the tactics and learning materials threat actors are developing and sharing among themselves in online forums in order to understand and better target CPS. He also brought insight into real-world examples of attacks against CPS, where geographically these systems are being targeted, and likely by whom. 

Team82’s Noam Moshe describes practical attacks against CPS.

Risk Management and the Road to Resilience

While our expert presenters adeptly laid out the threat landscape, Nexus 2025 was about CPS protection, with a focus on resilience and risk mitigation. Samantha Jacques, VP of Clinical Engineering at McLaren Health Care, and copresenter Alexanne Collison, Information Security Director, Surface Area Management at food and agriculture company Cargill, shared their experiences in mitigating risk for large, complex organizations. Jacques described the complexity within healthcare organizations brought on by the myriad of medical device manufacturers, devices, and configurations her teams must manage. Collison, meanwhile, faces similar challenges with the operational technology in her environment, magnified by the numerous OEMs, control systems, and sensors involved in mission-critical processes.

Cargill’s Alexanne Collison at Nexus 2025 discussing risk mitigation strategies.

The two shared strategies for managing this complexity and mitigating risks, especially through the use of compensating controls to lessen the exposure posed by vulnerabilities awaiting patch approvals from the Food and Drug Administration, MDMs, and OEMs, respectively. They also talked about the importance of testing the effectiveness of the security controls in their environments in order to better mitigate risk.

O’Reilly Media author Christopher Frenz continued the messaging on risk management, urging attendees to consider an evidence-based, threat-informed defensive approach to CPS protection. 

Frenz’s approach goes beyond what most compliance-based programs prescribe: the implementation of controls. While the frameworks’ recommendations have merit, he said, they are minimum standards. Organizations must constantly assess and measure whether controls are effective and whether they properly counter newly disclosed malware, exploits, and attacker techniques in order to defend against actual, practical threats. 

Christopher Frenz discussing evidence-based security with Claroty Chief Strategy Officer Grant Geyer.

Former National Cyber Director Chris Inglis and Jamil Jaffer, a Venture Partner with Paladin Capital Group and former Bush White House team leader within the Justice Department’s National Security Division, examined risk management through the lens of their government experience during a panel moderated by NightDragon founder Dave DeWalt.

The two touched on many aspects of CPS protection and risk management, but also talked about the need for deterrence in cyberspace. Following up on Charles Carmakal’s discussion on the aggression of China-nexus APTs against U.S.-based critical infrastructure, Inglis and Jaffer discussed whether our response was on par. Did we do enough to impose consequences on our adversaries to deter further activities? The consensus was a resounding NO. 

Chris Inglis, center, and Jamil Jaffer, right, discuss the need for deterrence in cyberspace during a panel moderated by NightDragon founder Dave DeWalt, left.

Inglis and Jaffer concurred that often it comes down to having the will and intent to react against APTs that are currently moving beyond espionage and are deploying offensive weapons on critical networks that can be activated during a time of conflict, as theories suggest. 

Innovative Defense: How to Leverage AI for CPS Protection

AI and ML are already making an impact on many CPS protection programs. Innovative approaches to security are being deployed where tasks are being automated in order to free up staff for more strategic operations. 

Jason Elrod discusses his organization’s AI journey with Grant Geyer.

Jason Elrod, VP and CISO at MultiCare Health System, discussed how AI can help security leaders make high confidence assertions around identity and privileges, and ensure that authentication is as frictionless as possible. The journey at his not-for-profit healthcare organization includes offloading certain manual processes to AI-led automation such as provisioning reviews and managing a trouble ticket queue.

John Frushour describes how AI has changed authentication for his organization.

Meanwhile, John Frushour, VP and CISO at New York Presbyterian Hospital, described the path his organization has taken to eliminate passwords and institute a system of identity proofing based on biometric behaviors. Frushour said that clinicians and medical staff can save valuable time with patients through this system that recognizes individual keyboard and mouse behaviors in order to authenticate users to particular systems. 

Additional Practical CPS Protection Strategies

Comprehensive CPS protection programs require diverse strategies to adequately manage risk. Nexus 2025 delivered practical advice for every pillar of a program.

  • Tayefur Rahman of Danone North America and Jeremy Wilkinson of Standard Industries discussed how digital transformation is forcing organizations to improve asset inventories and move beyond passive collection methods.

  • Merchian Tatlonghari of Transocean and Marc Pruett of American Honda Motor Company talked about the exponential growth of remote access requests and how to deal with tool sprawl within environments.

  • Mike Rogers of Hormel Food and Robert Mickey of International Paper presented on how recovery may require a different approach for CPS assets, and shared the essentials for a modern recovery program.

  • John Ballentine of the Port Authority of New York and New Jersey discussed another key CPS security strategy: segmentation. He presented a framework for segmentation that balances security and operational continuity requirements. 

Wrapping Up

Our conference continues to be the epicenter of CPS protection. We’re proud to bring together the most experienced and innovative leaders in this space who are fostering a unique community within this niche of cybersecurity. These dedicated individuals have built a network of peers, colleagues, and friends that are sharing best practices that are being cultivated at Nexus and implemented inside enterprises worldwide. Nexus is growing and our mission is to continue to serve as the hub of strategic information sharing and community building around CPS protection. 

Photos courtesy Jeff Pinnette Photography.

Yaniv Vardi
Chief Executive Officer, Claroty

Yaniv Vardi is a dynamic and highly accomplished entrepreneur with more than two decades of global executive leadership experience. He has established a long-standing and impressive track record of developing and executing global business strategies and directing worldwide growth. As Claroty’s Chief Executive Officer, Vardi is leading the company through its next stage of growth and solidifying its position as the leader in cyber-physical systems security.
