Back on June 25, 2018, the U.S. House of Representatives passed legislation aimed at securing technology used to power critical infrastructure from cyberattacks.
According to TheHill.com: “The bill offered by Rep. Don Bacon (R-Neb.) would codify work the Department of Homeland Security is currently doing to identify cyber threats to industrial control systems and mitigate them. Industrial control systems are used to run critical services in the United States, including the electric grid, water systems, and manufacturing plants.”
I can think of no one who can better articulate our current challenges and potential solutions regarding critical infrastructure cybersecurity than current Tenable CEO and Chairman Amit Yoran.
Yoran’s impressive career started at the United States Military Academy, and he was a founding member of the DoD’s United States Computer Emergency Readiness Team (US CERT). He was co-founder and CEO of Riptech. When the company was acquired by Symantec in August 2002, he became a Symantec vice president running global services.
Yoran ran the Department of Homeland Security’s (DHS’s) National Cyber Security Division (NCSD) and was the initial director of the US-CERT. Later he was the founder and CEO of NetWitness Corp in 2006, which was acquired by RSA in 2011. Yoran became the senior vice president of RSA from 2011 to 2014 and president of RSA from October 2014 to December 2016.
He has been the chairman and CEO of Tenable Network Security since January 2017.
You can get a sense of Amit Yoran’s speaking style in this RSA presentation from last year in the Middle East, which lays out some basic cyberprinciples and top priorities for the security road forward. He also articulates the concepts around cyberexposure in more depth.
I first met Amit back in 2002, just before Riptech was acquired by Symantec. We had several phone conversations over the years while I was Michigan government CISO. He even came up to Lansing, Mich., to spend a day with me and my team to help us build our award-winning cybersecurity program.
What immediately impressed me about him (when I met him 16 years ago) was his passion, drive and cutting-edge security knowledge, which is truly an extraordinary combination. He also offered global insights and worldwide experience with huge amounts of incident data that was beyond anything that I had seen up to that point in my career. Nevertheless, he can still relate in a kind, calm and easy to understand way that does not talk over your head.
Exclusive Interview Between Dan Lohrmann and Tenable Chairman and CEO Amit Yoran
Dan Lohrmann (DL): You have been an incredibly successful security leader for two decades. How has the cyberthreat landscape evolved since the 90s?
Amit Yoran (AY): As organizations increasingly rely on technology to manage their data and day-to-day operations, we now have a complex mix of digital compute platforms which represent the modern attack surface. Here, assets and their associated vulnerabilities are constantly expanding, contracting and evolving. The sheer breadth of recent cyberattacks means the stakes have never been higher for organizations of all sizes. Cybercriminals are constantly scanning for weakly defended systems and honing-in on high-value targets. This has made cybersecurity one of the most important tenets in an organization’s structure. The Cyber Exposure gap has made it difficult for an organization to understand its cyber risk at any given time. But bridging that gap is critical to managing and reducing threats. Without proper protections, organizations are susceptible to large-scale attacks like that of the Equifax breach of 2017, which left millions affected. A Cyber Exposure approach provides live visibility and makes cyber risk quantifiable.
DL: Just recently, the administration revealed that Russia had leveraged a multi-year campaign against the energy grid and other elements of critical infrastructure in the United States, what needs to be done by government agencies in response?
AY: It’s no surprise that our critical infrastructure is a prime target of cyberattacks. Our national infrastructure — whether a local water treatment system, nuclear power reactor or the federally operated Hoover Dam — is reliant on interconnected technology to deliver critical public services. The federal government needs to treat critical infrastructure the same as a military base or classified information. The Federal Energy Regulatory Commission (FERC) has proposed new rules to protect the power grid from cyberattacks, including the Critical Infrastructure Protection (CIP) Reliability Standard. This is a step in the right direction, but we can’t stop there. We need collective responsibility among private entities and the federal government to prioritize cybersecurity and change the status quo of critical infrastructure.
Recently Tenable researchers discovered a critical remote code execution vulnerability in Schneider Electric’s InduSoft Web Studio and InTouch Machine Edition. As a result, a malicious actor could compromise and control the system and be able to execute lateral transfer. Tenable was able to detect this vulnerability through extensive Cyber Exposure research and analysis, providing holistic visibility into how this vulnerability played into the larger gaps in the cyber landscape.
DL: How about the private-sector owners and operators? What actions are needed?
AY: Many of the attacks conducted by cybercriminals are the result of known, but unpatched vulnerabilities. Companies and the federal government need to practice good cyberhygiene, such as maintaining their systems, enforcing multi-factor authentication and using encryption. This is the basis of strong cybersecurity programs. Knowing their networks and continuously monitoring systems is critical, particularly as the compute base changes and the attack surface expands. There is an intense motivation from private sector owners and operators to better secure their networks and detect these threats as the landscape evolves.
DL: Is a 'Cyber 9/11’ or a 'Cyber Pearl Harbor' likely? Inevitable? Why or why not?
AY: Recent attacks by nation-state actors on critical infrastructure and election systems have demonstrated vulnerabilities and proven the cyberthreat is very real. But we shouldn’t get distracted by who is targeting our critical infrastructure, but how they’re doing it. The fact is that even sophisticated state actors are taking advantage of known, unpatched vulnerabilities. That's why focusing on the "who" is just a distraction. A major attack on our critical infrastructure, or the technology that keeps it running, could disrupt our financial systems, shut down cities, or leave millions without access to clean water.
DL: What are the positive steps you’ve seen happening in the public and private sector? Who's doing things right regarding cyberdefense? (Any case studies you can mention?)
AY: I view the increased discussion of cybersecurity in the C-suite, increased awareness of the importance of cybersecurity, and the inclusion of cybersecurity in IT enterprise solutions as positive steps forward.
Increased coordination between the public and private sectors is also an important step in the right direction. The NIST [National Institute of Standards and Technology] Framework exemplifies how the government has worked with the private sector to establish guidelines on how organizations can improve their overall cybersecurity posture. The framework is crucial for helping to raise awareness, increase transparency and support the sharing of best practices. The high adoption rate among the private sector speaks to the far-reaching impact of such initiatives beyond government agencies. The passage and funding of the MGT [Modernizing Government Technology] Act was also a positive step at the federal level. It authorized funding to upgrade IT projects at agencies, and USDA, DOE and HUD just received the first grants established by the program.
Tenable has played an integral role in several government-sponsored initiatives. The Defense Information Systems Agency (DISA) awarded Tenable the Assured Compliance Assessment Solution (ACAS). ACAS ensures DISA compliance and enables the assessment of DoD networks and connected IT systems against DoD standards and identifies known system vulnerabilities. Additionally, Tenable complies with Continuous Diagnostics and Mitigation (CDM) program requirements, allowing for seamless integration between government agencies and companies. By working side-by-side with the federal government, Tenable has been able to form a strong partnership that ensures better protection.
DL: What new and innovative solutions will emerge over the next year or two? Are there cyberinnovation stories that are not getting enough attention?
AY: Companies like Tenable are developing solutions to better evaluate companies’ Cyber Exposure, manage the elastic attack surface and further cloud security. Organizations are now understanding the value of continuous monitoring and are looking for tools to better mitigate cyber risk. Last year, we released Tenable.io, a cloud-based platform designed to protect any asset on any computing platform. Tenable.io has the capacity to provide overarching visibility into a company’s asset, including mobile devices and cloud infrastructure. Benchmarking Cyber Exposure means analyzing it across peer groups and industry. Tenable.io benchmarking data combines vulnerability intelligence and cybersecurity expertise. This allows for organizations to conduct important research, like the time it takes to remediate critical exploitable vulnerabilities. These kinds of tools will continue emerging as our adversary becomes more sophisticated.
DL: When I first met you, you were running worldwide managed security services for Symantec (back in 2002). You've also led multiple companies with very different corporate strategies, what's different about Tenable? How has your role changed?
AY: Tenable’s approach to cybersecurity is different from my previous experiences. The company is helping to change the industry with Cyber Exposure. As CEO, my role is to help lead the effort to evolve vulnerability management into a next-generation enterprise solution that addresses some of today’s most fundamental security challenges.
As the threat landscape continues to expand and the nature of cyberattacks evolves, Tenable is focused on helping organizations determine the best way to assess their cyber-risk. We have the capability to shift the conversation and make meaningful change toward a more secure future.
DL: I want to thank you Amit for taking the time for this important interview. Your industry knowledge and thought leadership has enabled millions of people to better protect their PCs, systems and enterprises services against cyberattacks. Keep up the great work!
Readers can follow Amit Yoran on Twitter: @ayoran