One by one, the lineup of public- and private-sector luminaries at the recently concluded Nexus Conference 2024 drove home the point to attendees that cyber-physical systems (CPS) protection is an undeniable mandate to preserve national security, economic stability, and the integrity and availability of critical infrastructure.
More than 300 influential cybersecurity leaders from industrial companies, healthcare delivery organizations, and the highest levels of government convened in Boston recently for Claroty’s third annual thought leadership conference. Attendees were presented with a number of messages that neatly summed up their collective challenges:
- Adversaries understand the fragility of critical infrastructure and will target CPS to sow chaos and turn a profit
- Litigation will soon challenge existing cybersecurity laws and orders, threatening deregulation for an industry that’s likely ready for more guidance from the government
- Digital transformation and hyper-connectivity are an inevitability that must be accepted
The linchpin—or nexus, if you will—is cyber-physical systems. These indispensable systems have a direct impact on the physical world. Many of these industrial control systems, connected medical devices, and “smart” things are newly connected to the internet. They are also burdened by unacceptable exposures, known and unknown vulnerabilities, insecure connectivity, and a lack of overall visibility into what’s running on the local and public networks.
At the Nexus Conference, experts from industry and the government laid out a complete picture of the threats, pending regulatory changes, and practical perspectives from the CPS trenches. Let’s recap some of the highlights:
Cyber-physical systems are an attractive target to adversaries because of their control over physical processes and patient care. The spike in malicious activity impacting CPS has been noteworthy over the past decade, and the advances attackers have made in understanding how exposed these systems are and how to invade them have CISOs and other leaders on alert.
At Nexus, Mandiant CTO Charles Carmakal and CrowdStrike SVP Counter Adversary Operations, Adam Meyers, opened the event with an overview of geopolitical threats and the doctrine shift among some threat actors away from exclusively conducting espionage to destructive cyberattacks.
A panel discussion later in the event featuring former NSA Director Adm. Michael S. Rogers, former White House Cybersecurity Director Chris Inglis, and U.S. Air Force Technical Director for Control Systems Cybersecurity, Daryl Haegley, expanded on the topic further with a national security-focused discussion, and some insight into the activity of the China-linked Volt Typhoon APT. Volt Typhoon is accused of embedding destructive attack tools on U.S. military and critical infrastructure networks, reportedly with the aim of activating them in the event of military conflict.
US Cyber Command Executive Director Morgan Adamski brought a unique perspective on how the Department of Defense’s offensive strategies and operations also rely upon a measure of power projection in cyberspace. Advanced adversaries are becoming increasingly prolific, and Adamski shared her team’s perspective on those capabilities and how USCYBERCOM is prioritizing innovation, talent development, and partnerships with the private sector to maintain an edge against adversaries.
On a global front, two particularly impactful sessions covered the cyber threats faced by Ukraine in an actual kinetic theater of war, and how a collaboration between the FBI and Claroty Team82 helped unearth a state-affiliated actor targeting water systems in the U.S. and Israel.
First, Dr. Bilyana Lilly conducted a heartfelt interview with Col. Ivan Kalabashkin, Deputy Head Cyber Department of the Security Service of Ukraine (SBU). Kalabashkin provided his firsthand insight into Ukraine’s efforts to repel and withstand thousands of cyberattacks from Russia since the start of the war in February 2022. The story of Ukraine’s resilience to this existential threat was a moving moment, along with insight into its collaboration with private sector companies, and anecdotes about a volunteer army of hackers from inside Ukraine helping to defend its critical infrastructure.
Team82 VP of Research Amir Preminger, meanwhile, took to the stage with Diya Banerjee, a senior FBI computer scientist, to discuss their collaboration on the forensic investigation of the attacks against water treatment facilities. A group known as the CyberAv3ngers, believed to be affiliated with Iran, claimed responsibility for the attacks, which resulted in the defacement of a number of Israeli-made Unitronics PLC devices. The collaboration resulted in the extraction of forensic information from the PLCs, a unique technique for the ICS realm, and helped the government sanction members of the group.
Finally, our attendees spent time collaborating with industry peers during roundtable discussions that featured impromptu tabletop exercises where a given incident or relevant industry challenge was presented, and leaders met to outline response scenarios and share industry-specific strategic approaches to this kind of problem solving.
One attendee said: “Your approach to a conference with the community is the best I have seen,” adding they were appreciative of the candid feedback from peers and for the networking availability.
The Supreme Court’s decision in June to overturn the so-called Chevron Doctrine has opened the door for legal challenges to existing regulations in a number of industries—including cybersecurity. At Nexus, former acting National Cyber Director and current President of the Paladin Global Institute Kemba Walden covered the nuances of the decision and its impact on cybersecurity and national security. Sitting down with Claroty Chief Strategy Officer Grant Geyer, Walden stressed that she believed that CISOs and the industry recognize they need to be regulated because market forces have taken the industry as far as they can.
One sector knee-deep in regulation is healthcare. Nexus panelists Erik Decker, VP and CISO of Intermountain Health, and Greg Garcia, Executive Director of the Health Sector Coordinating Council’s Cybersecurity Working Group, covered the regulatory environment in healthcare, how breaches such as Change Healthcare and unabating ransomware attacks have impacted lawmakers’ view of the threats and risk, and what’s being done to improve the status quo.
This was also part of a discussion on boards of directors’ perspectives on CPS protection with NightDragon founder and CEO Dave DeWalt, Amtrak CISO Jesse Whaley, and Standard Industries Global CISO Dave Weinstein. This panel also hammered out the ways that CISOs can most effectively communicate to their boards about the need to build resilient CPS that withstand attack, and proper strategic planning and financial investments to meet those risk and compliance demands.
The benefits of enhanced connectivity are well documented, and by now, so are the risks these expanded attack surfaces introduce. At Nexus, a number of CISOs shared their practical perspectives on managing exposures, enabling secure remote access, and the foundational need and challenges of supply chain cybersecurity. Let’s look at some of those sessions and strategies—most of which begin with a thorough asset inventory and network visibility:
- Luke Karkosh, Senior Director of Enterprise Architecture at Scripps Health, discussed how asset management is the key to CPS Security.
- Jim Miller, Director of OT Cyber Security at Magna, discussed his organization’s path to protecting the OT network at scale, from visibility to segmentation and, finally, automated firewall reviews.
- John Ballentine, OT Cyber Security Lead, Port Authority of New York/New Jersey, covered how his organization monitors an extensive OT infrastructure and responds to threats.
- Anahi Santiago, CISO of ChristianaCare, provided her insight into an advanced approach to reducing risk through exposure management and the five steps necessary to move from a reactive to a proactive cybersecurity framework.
- Ashish Agarwal, Director of Operational Technology, Agco, presented his perspective on the risks of insecure connectivity of CPS, and the operational and compliance risks it introduces.
- Ted Douglas, Sr. Director, Global OT/ICS Cybersecurity, Pfizer, and Jason Elrod, CISO, MultiCare Health System, tackled the challenges posed by third-party access and how to safely navigate these relationships.
Nexus Conference continues to be the hub for cybersecurity leaders adamant about cyber-physical systems protection. These dedicated individuals have built a community around Nexus, and a network of peers, colleagues, and friends who share best practices cultivated at Nexus and implemented inside enterprises worldwide. As Nexus grows, we expect the innovation and collaboration coming out of this community to parallel the needs of the industry, and lead by example as CPS continues to entrench itself as the critical technology force inside the enterprise.
Upa Campbell is the Chief Marketing Officer at Claroty. She is a seasoned executive with deep domain expertise in DevOps and cybersecurity. She is passionate about company building with a proven track record of bringing new businesses to market. She most recently served as chief strategy and marketing officer at Accurics (acquired by Tenable). Prior to that she was CMO of Prisma, the cloud security division of Palo Alto Networks, where she helped launch and scale the business. She previously held similar roles at RedLock (acquired by Palo Alto Networks) and Palerra (acquired by Oracle), and was part of the founding team at Zscaler (NASDAQ: ZS).