Convergence: Physical & Cyber Security Unite | Intel Business
(gentle upbeat music) - [Narrator] Welcome to What That Means with Camille. In this series, Camille asks top technical experts to explain, in plain English, commonly used terms in their field. Here is Camille Morehardt.
- Hi, and welcome to today's podcast What That Means, Cyber Physical Security. I have with me today two ladies who've just published an ebook called "Critical Convergence," and it's about the convergence of cyber and physical security. Antoinette King is founder of Credo Cyber Consulting which she founded in 2020, and also author of a book that shot to the top of the charts in Amazon when she published it, which is called "Digital Citizens Guide to Cybersecurity." Kasia Hanson works at Intel, and she is Director of Global Security Ecosystem Development. Now the two of them each have over two decades of experience in cybersecurity and security and technology more generally, and they both do a ton of work helping increase awareness and education in the cybersecurity space.
Lots of credentials. Welcome to the show. - Thank you. - Thank you. - Great to be here.
- How did you guys decide to write the ebook? - Antoinette was the inspiration because her and I would be at events and we would talk about physical security. We're both very active in the industry and then I realized, hey, wait a second. She wrote this book and it was really good, and I said, gosh, you know we've gotta do something together.
And so a lot of it was inspired by what she's been doing and the work she's done. - So let's start with what that means, cyber physical security. What does that mean? - When people think of security, depending on which side of the fence they're on, it's either physical security or cyber security. As the threat landscape has evolved over the last two decades, what we've recognized is that there really is only one security posture, because physical security is so interdependent on industrial IoT, that we need an element of cybersecurity to ensure our endpoint devices are secure.
And within cybersecurity there's an entire domain of physical security, but for some reason both domains have been siloed and they continue to be siloed. Really the catalyst for this ebook was Cassie and I having conversations and other people in the industry about the notion that we really can't have these siloed divisions anymore. It has to be one unified and holistic security posture in order to make sure that we're covering all of the threats that organizations face. - So I have to ask the question. It seems to me it's been ages ago now that we all read about a large retailer that had some of its customer information hacked through the payment system and the hackers got in through the roof, literally an HVAC system, and the HVAC system was connected to the payment system. That's been so long ago now.
How is it that this hasn't been corrected across the industry by now? - The bad guys continue to figure out new attacks. We also have the landscape of the internet exploding, right? I think the last number I saw was 30 billion of devices at the edge. Ensuring that you're protecting those and inserting cyber principles and protocols and more importantly, processing your organization whether it's physical or cyber, is really critical. Ensuring that you're taking that into account across your cyber plan, and I think why hasn't it been solved? Because it's really hard.
- It's also a matter of education because in the past facilities managers were responsible for HVAC systems and lighting systems, and in the past physical security professionals were responsible for the physical security of a plant. And now we still have all of those things separated but now we're IoT dependent. So when you're implementing solutions that were formerly analog, which did not require any cybersecurity because they were secure in and of themselves, there's no ability to hack into a lighting system in the past.
You are taking old technology and people with old mindsets and then thrusting them into this new environment. And if we don't keep up-skilling the people within those particular verticals like facilities or security, we're just gonna continue to implement insecure solutions. The answer, in my opinion to your question is it's just in some cases absence of education. If we don't educate the people that are putting these solutions in that it's important to bring IT and cybersecurity in from the design phase, in the beginning of an implementation, we are going to continue to create vulnerabilities for organizations. - What is your perspective on how the concept of zero trust plays into this combination of cyber and physical security? - So when we look at a zero trust environment, typically we think about the users. We used to have the trust but verify, and now we're saying we don't trust anybody and we need contextual security.
It becomes challenging when you think about devices, when we have to have a zero trust environment, you have to also have the manufacturers of those devices be able to play in that space. A huge example that I've faced for years was active directory, for example. So let's take like you know, 10 steps backwards from zero trust and just talk about active directory. IT people are used to working within an active directory environment, or single sign-on environment. A lot of manufacturers for camera devices are not or even access control devices, they don't support active directory.
So if you can't even manage the user credentials for the devices and you have 10,000 cameras, and they're manually being entered into a system, how exactly are you supposed to manage a zero trust? We need to make sure that the manufacturers of devices are also keeping up with the best practices and standards to secure their endpoint devices. - So I literally just watched a drone hover around a transmission line tower and actually check the lines on that. And what I found out when I chased down the truck to find out what was happening is they were actually looking for defects in the transmission line or wear and tear that could lead to sparks that could then lead to generation of wildfires. It made me think about devices like that that are instrumental in protecting our critical infrastructure. Like what kinds of things do we need to be aware of from a protection perspective, what kinds of vulnerabilities exist for devices like that that are out there literally looking and inspecting and hovering close to our critical infrastructure? - Yeah, secure by design, secure supply chain.
And that's a huge issue, not just critical infrastructure but just from a national security perspective, understanding where our chip sets are coming from, understanding where the components are coming from, having things in place for vendor assessments in order to ensure that they're getting third party PEN testing done on their products and third party inspections of code and stuff like that. It is really a key element. It's the supply chain, in my opinion is the Achilles heel of our entire nation, national security.
- You know, now you look at AI and its impacts on cyber, for example, both physical and cyber and you have video analytics being put into a camera, for example. That code or those models are in some cases being pulled from public sites that create models. Those models can be poisoned. So if you don't understand where they've come from, how are you using them? You're putting them in cameras, how are those being protected in your environment? Integrators are a really, really important component of that in the industry that Antoinette and I work in, because they are touching all of those cameras, they're touching that infrastructure, the perimeter protection, the protection of critical infrastructure. We're trying to do this education and really help the industry understand kind of the direction and the the level of risk that's out there, but also what can you do to implement better practices around cybersecurity for the physical environment.
- I think it's an interesting point that system integrators actually in some cases may be that one kind of tie across the entire ecosystem to say like are we doing a security check not just within each individual product or the operating system, or the cloud environment, or the edge, but like holistically. I think that's an interesting point. And Antoinette, you founded Credo Cyber Consulting. I'm just wondering, have you noticed any kind of a shift among your clients as a whole in terms of either awareness or like what people are worried about or focusing on now that's different? - It was fascinating to me that manufacturers were starting to be pushed by the end customers to develop products that had cybersecurity feature sets in them. So whether that's the ability to use certificates, secure elements, or TPM modules, we are working within an 802.1 X environment. All of these things were being pushed from the end customers because they're being regulated.
So regulations, were forcing these critical infrastructure organizations, schools, whatnot. In order for them to get funding, they had to be able to demonstrate that they were doing best practices and selecting manufacturers and products in a secure ecosystem. But nobody was focusing on up-skilling the integrators.
And I started in this industry as a technician, and back in the early two thousands when things were analog and just starting to phase over to IP, we had to know skills like backlight compensation, and lens calculators, signal attenuation, and cable. We don't need to learn those things anymore, right? Because it's all auto like, you know, PoE, it automatically adjusts the power, all that kind of stuff. We're not up-skilling the people that are actually implementing and designing these systems. And so if we're not investing in the channel, and we're not investing in the people, whether it's in physical security or any other operational technology, you mentioned HVAC systems, lighting, anything that has a device that sits on a network, if we're not up-skilling the people that are supporting those networks, then we're doing a huge disservice because you can have all of the security features that you want in a device. If they're not turned on and implemented, it means nothing.
So that was actually one of the catalysts for me to go out and evangelize for this. I had done, when I got my master's in Cyber Policy and Risk Analysis, I did my capstone project on CMMC, which is the cybersecurity maturity model certification. And it's this new idea, well not new, but it's an idea the DOD adopted where in order to even play in the space from a procurement level, you have to demonstrate a particular degree of maturity of cybersecurity within your organization. Specifically around how you house and control uncontrolled unclassified information, CUI. When I started doing that research, I realized that the supply chain truly is the biggest vulnerability that we have from a national security perspective for everything that we do. In manufacturing, in software development, what-food, you name it, it's our Achilles heel.
Then I started realizing that organizations need help. Not everybody has a CISO, not everybody has a CSO. If you wanna be a secure part of an ecosystem, you need to do it on both ends. It has to be how we're designing and implementing products, but it also has to be how we as a business are protecting your data and the information of our customers and our employees.
So that's really why I started my business. And then what I found was, business was kind of being attracted to me because the vendor assessment started coming out and everybody's like, "Oh my goodness we need to have a secure supply chain. We're gonna send out a vendor assessment," which is a spreadsheet typically of thousands of questions that people don't know how to answer. But then when they started becoming a little bit familiar they're realizing, it's not that I don't know how to answer it, I can't answer it. I'm not doing these things. I don't have, you know, awareness programs, I don't have any kind of SIM solutions, I don't have IDS and IPS, I don't have any of these things.
They're like, "Uh oh, we need to do something. We need to build a program." So a lot of my customers are working on SOC2 audits, or ISO or CMMC, or some sort of third party audit of their environment to make sure or to demonstrate that they are a secure part of someone else's ecosystem. - Kasia, if you were just hearing about this for the first time and you were a smaller and medium business, like what would be the first thing for you to do just to start and kind of survey this landscape of where you could plug in or assess what you may or may not be doing? - I have a local dentist that I go to.
My first meeting with the guy to get my teeth looked at and cleaned was all about cybersecurity. I was shocked at the fact that a dentist is sitting here and he's got an amazing practice, very, very busy, number one in my area. But cybersecurity was so important to him. I asked him how he got started.
He said, "Oh, one of my customers is a professor at Cal Lutheran." And he said, "and he teaches cybersecurity" "And so he started teaching me about it, and then I started developing." "So I use a service that monitors our environment." and you know, so first and foremost is I think get educated and that's what he did.
And then he looked at what are digital services? What kind of plan do I need to protect myself? What do I need to assess? And there's a lot of tools online that you can utilize from the government, right? The cybersecurity infrastructure agency, CISA, and you can utilize those to look and see how you can build a plan for your environment. And then of course, you know, it's all gonna start with education, understanding what do I need to protect? What is the data I need to protect? Like he has patient data, right? So he has to protect that patient data. So what is his role in that and understanding? So there is a lot of education out there in building that plan. But first you need to ask yourself, what do I need to protect? What is the risk here? And do that assessment and then of course build yourself a security program. If you're a small medium business getting yourself educated and leaning into an ecosystem. - The other piece to this is understanding the environment that you're working.
And so knowing what regulations apply to your business. So in the case of Kasia, they're gonna have HIPAA regulations 'cause they have personal health information. If you're working in a banking environment, what are those rules and regulations that they're required to have? You know, if you're an integrator, and you're working in those spaces you need to ask the questions, "Hey, do you have identity and access management rules that you need me to follow?" Because when you choose the technology that you're gonna implement in that environment you have to be able to adhere to the best practices of that organization.
So if you're an organization that is looking to protect themselves, as Kasia said, you know CISA has some incredible free tools online. What I always do and the way I work with my clients is start with a gap assessment. The other thing that I always suggest is you can't boil the ocean when it comes to this because then it becomes paralysis by analysis and you do nothing. So my advice is always pick your top five, or seven critical systems that are critical to your operation or manage and hold critical data.
And when you just start with those top five or seven systems it'll be much easier to manage the security around that and then you kind of branch out from there. But if you really harden the target, just like we do in physical security, and I tell Kasia all the time, I have a slide that I use in every presentation. It's a coin that's on its edge. One side says physical, one side says cyber and the principles are identical. The only difference between them is the asset. So just like we do in physical security, we figure out where are our crown jewels and then we harden our around it in layers of protection.
It's the same thing. Find out where our most critical information and critical data sets are, also the critical systems that for business continuity, and we harden around them, and then everything else is kind of like down the line and that's really where maturity comes in. - So, "Digital Citizens Guide to Cybersecurity." You wrote a book, this is your book, and it's skyrocketed to the best sellers list at Amazon in all of its categories within a couple of days of releasing. Why? And also what feedback have you gotten from people on the book that you were sort of surprised that they were picking up on within it? - So the book was inspired by a session that I did for K through 12. I was challenged with coming up with cybersecurity concepts for fourth and fifth graders for a digital learning day.
And I was used to speaking to adults and businesses around cyber practices and best practices. And I was challenged to do this for fourth and fifth graders and I said, "Okay, I'm just gonna go and I'm gonna try to figure it out." And I started talking about things like digital addiction. I was talking about click-bait, and being an upstander versus a bystander.
And these kids were so involved they knew what click-bait was when I was describing it before I say the word. I did four different sessions in every session there were two or three kids, the adults didn't know what click-bait was, talked about data monetization and what that meant, and identity theft. And these kids understood it.
Every single student in every session I did either had a cell phone, an iPad, a tablet, a computer, or a gaming system. - I did a podcast with a bunch of kids actually, all of them were involved in education in cybersecurity. So they had all been doing training and learning computer science and cybersecurity. And they were then teaching other people both older and younger than themselves. And I think the youngest one on the podcast was six years old, up through about 18 years old, like a freshman in college.
They were from all over the world and they absolutely understood the concept of privacy, the concept of cyber bullying, the concept that, you know, people were after their data. So it's a really different kind of a world now, I think kids understand all of these things, but they don't always know how to protect themselves from it or all the different forms of attacks that come but it's not like you have to educate them that there's a problem. They're well aware of that (laughs) - Those young people are the future of our workforce.
And then at the same time I started thinking about these ideas of vulnerability and I thought, you know we also have a much older generation that they, you know some people are still alive where there weren't even telephones inside the house. So they've gone through, you know, this digital, you know, transformation from no phones to the house, to now we've got, you know, satellites and all this other stuff and computers in our hands. And they don't understand how to protect themselves, and they're vulnerable. - I sent it to my dad because he always clicks on things and I always say, "Dad, don't click on things." Right? You know, so for that older generation, you know it's a great, it's a great book.
- The biggest issue with cybersecurity I think for most people is they feel like it is overwhelming, it's too technical, they don't understand it. And so people shy away from it. So the point of the book was to demystify cybersecurity. It's an extremely anecdotal book.
There's very little technical verbiage in it. There's even a glossary for things that might be technical. I wanted it to kind of dispel that mystery around cybersecurity and help educate people to have their own cybersecurity best practices.
When we talk about military actions, it's no longer nation state against nation state in wars. The countries and bad actors are going after the individuals and they're going after the individuals to get to the companies. It is incumbent on us as the individual to exercise our own cybersecurity practices. And then if the individual does that in their everyday life, then that will carry into the workforce. Many businesses never went back to the office.
I have three clients that are fully work from home. They, you know, I work with them in building out cybersecurity programs. Not only are fully remote, but they're fully bring your own device.
Which means that it, they are very heavily reliant on the individual to supply the security around the connectivity between their business services and the devices that they're using. So I wrote the book and feedback that I got was actually overwhelming, and it was the most difficult thing to put it out 'cause it's very vulnerable when you write personal stories about, you know, how you've made mistakes and you know sharing thing was a big topic about parents oversharing about their kids. And I've done that and I share a story about that in the book.
So it was, it was a scary experience but I got overwhelming positive feedback because it was written in plain English. I actually used AI tools to where I would use speech to text to write the book. So it is my, you know, as I'm speaking to you now it's kind of how the book reads. It's my conversation, my voice and I just wanted it to be kind of something where people can adopt and I created checklists after each chapter of things that people can do in their everyday life. I even did an acceptable use policy for kids and parents where they can together create an acceptable use policy around technology.
So the kids are invested in their own security and feel like they have a little bit of control over it. - But I love how Antoinette said that's our future. And so giving them the tools and all the opportunities by the way, I mean that's why Antoinette and I are very active in, you know helping to diversify the security industry and adding more women and growing that cyber talent and diversifying 'cause the bad guys are diverse, right? You know, we need to be doing the same thing on whether you're technical, or you're sales, or you're marketing. There's a role for everyone I think in the security world.
It's been a fun ride so far. - Congratulations on your ebook. We have a link to that of course below as well as to Antoinette's book that she published previously.
And it's been really wonderful chatting with you both. Again, Antoinette King, who is founder of Credo Cyber Consulting and Kasia Hanson, Intel veteran both of them, again, over two decades of experience in cybersecurity and technology. Really great to have you on the show. (gentle upbeat music) - [Narrator] Never miss an episode of What That Means with Camille by following us here on YouTube, or search for InTechnology, wherever you get your podcasts. - [Announcer] The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.
(gentle upbeat music)