Security Breach
A weekly discussion of new developments and the latest cybersecurity threats, including ransomware, malware, phishing schemes, DDoS attacks and more, facing the U.S. industrial sector.
The Bad Guy's Different Set of Rules
Not to continue to beat our collective heads into the same wall, but by now everyone knows that manufacturing leads the way in targeted cyberattacks, as well as year-over-year increases in areas like ransomware attacks, DDoS shutdowns and data breaches.
Yet, the industry continues to demonstrate some troubling behaviors in the face of these realities.
Kiteworks recently found that only 36% of organizations have visibility into where their data is utilized by external partners. So, think supply chains, distributor fulfillment agreements and technology contractors that have access to your data, but may not be applying the appropriate security strategies.
This means you could be the victim of an attack, but remain in the dark about its origins, enabling the intrusion to happen again and again.
Fortunately, we do have some good guys working to correct these vulnerabilities, and we’ll talk with one in this episode. Watch/listen as Tim Freestone, the Chief Strategy Officer at the aforementioned Kiteworks, discusses:
- How attackers are leveraging new technology more quickly than the white hats, and why AI might be the tool that evens the playing field.
- Why response plans need to focus more on "the big rocks than the little ones."
- The difference between input from "champions" versus "complainers."
- How CMMC could have an impact beyond just the defense supply chain.
- The continued use of IT and OT silos that might make sense from a business perspective, but demand a paradigm shift when dealing with cybersecurity.
- Why regulations might be the most important agents of change.
To catch up on past episodes, you can go to Manufacturing.net, IEN.com or MBTmag.com. You can also check Security Breach out wherever you get your podcasts, including Apple, Amazon and Overcast.
If you have a cybersecurity story or topic that you’d like to have us explore on Security Breach, you can reach me at jeff@ien.com.
Hi, I'm Jeff Reinke, editorial director of Manufacturing.net and Manufacturing Business Technology. Welcome to Security Breach. Not to continue to beat our collective heads into the same wall, but by now everyone knows that manufacturing leads the way in targeted cyber attacks, as well as year-over-year increases in areas like ransomware attacks, DDoS shutdowns, and data breaches. Yet the industry continues to demonstrate some troubling behaviors in the face of these realities. Kiteworks recently found that only 36% of organizations have visibility into where their data is utilized by external partners. So think supply chains, distributor fulfillment agreements, and technology contractors that have access to your data, but may not be applying the appropriate security strategies. This means you could be the victim of an attack but remain in the dark about its origins, enabling the intrusion to happen again and again. Fortunately, we do have some good guys working to correct these vulnerabilities, and we'll talk with one of them in this episode. Tim Freestone is the chief strategy officer at the aforementioned Kiteworks, and he's here to offer some insight into the missteps manufacturers have taken with AI and other security tools, as well as the strategies that can get those numbers going in the right direction for the industrial sector. Thanks for joining us, Tim, and welcome to Security Breach. Well, Tim, again, thanks so much for the time and welcome to Security Breach.
SPEAKER_00: Yeah, thanks, Jeff. Appreciate it.
OT Connectivity And Common Missteps
SPEAKER_01: So one of the big challenges we have in the manufacturing sector is we're adding all this new technology. We're putting a lot more stuff out there potentially on the threat landscape or on the OT landscape. And as a result, you know, there's some missteps that are going to be taken, whether it's endpoints, credentials, segmentation strategies, whatever it is. What are you seeing right now as we do bring more of this connectivity to the OT environment? What are some of the biggest missteps that you're seeing right now?
Silos That Block Real Security
SPEAKER_00: Yeah, I mean, it's a good question. And, you know, it's not uh OT without the T, so that's gonna be a problem that never ends, right? Um some of the challenges transcend just OT. I mean, one of them is just operating in silos, right? So you have teams that are looking towards the requirements, the business requirements or the functional requirements of uh the operations. Um, and then you have teams that are looking at the functional requirements of uh the internal IT systems, and then you have teams that are looking at the requirements around security. So general siloed uh requirements rolling up to the ultimate business objectives, but as it filters down into the actual operators of all those different silos, you just get uh well siloed. Uh and it's it's just generally hard to operate in those scenarios. And today, with uh the threat landscape what it is, uh the fast pace of technology being what it is, this is all just getting compounded right now.
SPEAKER_01: Yeah. We talk a ton about silos on the on the program with it's always a problem, it continues to be one. I think not just in manufacturing, but in a lot of different industries, a lot of different environments. What have you seen has been key there? Because it seems like everybody knows this is an issue, but we just we struggle so much to break those down. Is it just a paradigm? Is it just a legacy dynamic with an organization that they're just so used to having IT and OT separate, they don't know how to bring them together? What's been your experience there, I guess?
Champions Who Move The C Suite
SPEAKER_00: Yeah, I think that's that's it. Um and then when you get up into the as those teams start to go up the organizational hierarchy, the leadership just becomes so abstracted from the the functions that it's hard to create roadmaps of integration that are actually operationally executable. So I I'm I'm I'm a C-level here, right, at the company at Kiteworks. Um we're obviously not an OT company, but it's something we struggle with in our day-to-day operations. How do we get insight into what actually happens on the ground and mid-level? Um, what challenges are they having integrating across functions? Uh, and how do we set realistic objectives and manage to those realistic objectives? It's the same in OT. It's just the stakes are a lot higher for that. So I think, and again, especially today, um, leadership, approaches to leadership and organizational operations has to change um and has to cross paradigms within those companies. So instead of having you know a CIO and then another functional leader for the operational technologies that maybe have a different objective down lower on that totem pole and even at that level, shared responsibilities and objectives versus siloed responsibilities and objectives?
SPEAKER_01: Yeah, I think a big, uh really an important part of what you just mentioned there was getting that executive level buy-in. Is that just something that is innate? It's just organic for some leaders, or is it something that sort of our champions, if you will, on the plant floor or immersed in the OT side of things? Are there things they can do to sort of elevate this and get the C-suite more involved? Because that seems to be so key in really transitioning the culture and getting everybody on board for what we need.
SPEAKER_00: Yeah, there has to be champions. I've never seen in any organization in my career not come to some sort of realization like this without departmental champions pushing up the needs and the objectives in a way that isn't um posturing for excuses as to why something isn't working, right? You don't want to, that's not a champion, that's a complainer. So a champion brings challenges to operational effectiveness, comes with potential solutions, and delivers it in a way that's uh understood by the leadership as an impediment to business outcomes. So those champions are critical. Uh, and then you do actually have to have people in leadership roles that are don't want to just push the narrative uh and get through the next day, they want to be agents of change themselves and find solutions to the difficult problems. Those two things have to come together.
Regulators As The Change Lever
SPEAKER_01: I mean, are there are there tactics that that you know, those that are pushing for a greater cyber investment or awareness or appreciation? Have you seen any tactics that they can use to help get that message across? Is it ROI? That's pretty tough. We don't like to scare people too much. I mean, are there different ways that we can get that message communicated internally?
SPEAKER_00: Yeah, ROI is tough because nobody believes it. Right? It's anybody can create a spreadsheet that says you're gonna get a significant return on investment. Um and then to your point, yeah, the scare tactics. Um, you know, one of the biggest levers for change happen to be a little bit out of the hands of the internal employees or teams, but to some extent can be uh manipulated by it, and that's external regulators. Um, you know, the agents of change that really drive functional changes in organizations tend to be regulators, um, when businesses so need to need to um need to adjust and change how they operate. Uh, I do think there are there are ways that um industries as a whole can force regulations and drive um sort of broad-based operational requirements. Um there are a lot of examples of of industry pacts and things um driving those those um narratives of change through regulators. I mean, think about like uh, I mean, this isn't manufacturing, but if in the financial services, it's not even federal, it's um PCI compliance. Those are just groups of companies coming together and saying we're not gonna do business with you unless you comply to these security requirements. It's not unrealistic to think of other um or uh or other uh industries could do the same, OT being one of them.
SPEAKER_01: No, absolutely. I think it's gonna be interesting to see how some of that CMMC stuff kind of plays out, making folks just be more aware of their landscape, their connection points, all of that type of stuff.
SPEAKER_00: Yeah, look, this is a really good point. We've, you know, I've been working in cybersecurity for nearly 20 years with Kiteworks for almost five. It's really been the last five that I've seen pretty dramatic shifts in the impact of regulators. And you mentioned CMMC. This is probably the biggest one I've seen in years, if not, you know, outside of PCI, which I already mentioned. But there were so many gaps in data controls in the manufacturing supply chain that people just had no incentive to fill. Uh, and CMMC drove that incentive to fill because they'll lose business if they don't do it, right? Uh so I think that's a really good example. Uh, and regulators can and regulations can sometimes impede business uh effect efficiencies, but sometimes it's required.
More Spend Still More Breaches
SPEAKER_01: Yeah. Well, there's no bigger efficiency drain than downtime and getting hit with a cyber attack. So very true. Yeah you can play it, play that card as well. It's very interesting. So, you know, one of the things that's interesting too here, Tim, is you guys did some research, others have as well, in talking about the level of investment increasing in the industrial sector when it comes to cybersecurity investment. But man, we are still getting hammered with attacks and successful attacks. What do you think? There's such a weird disconnect there. Are we not investing in the right things? Is it is it still a lot of feeling out? Why are we spending more money and still getting hit so hard?
SPEAKER_00: Yeah, you've asked the hardest question and the most easy answer. The short answer, not fully sure um why that's still happening. There are a lot of theoretical and philosophical answers to that. I mean, one of them is um we we have to play by rules, the bad guys don't. Uh, so all of the innovation and all the technical advancements of our day are immediately leveraged by the bad guys uh because they can. They don't have bureaucratic um loopholes to jump through, they don't have tiered systems uh that they have to operate within, and making a mistake is totally fine and nobody cares um because what's the downside? So that's that's a lot of it. Um the other thing is you know, the stakes are much higher, so the resources that people that companies and OT organizations need to put towards these innovations and the spend is a lot higher, and there's obviously a big resource gap uh between the spend, the technology, and the people to use it. Um, and that's just not relegated to IT or cyber. It's that's just a general problem. I think I saw one recent survey uh that 20% of uh only 20% of technology investments are fully uh leveraged. Uh I believe it, I believe that absolutely, and the reason for that is just there's not enough human resources to um effectively uh leverage all of these different technologies. So it's complexity, it's resources, it's the fact that we have to jump through internal and external um organizational hurdles, all that makes it a lot easier for the bad guys to leverage the same tech faster.
AI As A Cyber Force Multiplier
SPEAKER_01: Yeah, a lot to unpack. There's a lot of good points that you made. I'll jump the gun here a little bit. There's no way we can have this conversation without getting to AI eventually. So is this maybe one of the biggest places where artificial intelligence can help the good guys in sort of getting gaining ground on the bad guys? We know we're always chasing, but can AI sort of shorten that gap a little bit?
SPEAKER_00: Yeah, it can, and I think the dynamic is different between what I just said because one really talented technologist or cybersecurity professional in an organization can do what 20 to 30 people at the same level prior to AI could do. But it was hard, if not impossible, to find 20 to 30 of the same people. You know, it's the old Pareto principle 20% to uh 20% of the people do 100% of the work. Um, so you can make those 20% a lot more effective with AI. And so I think that that is an edge, and there is a levy level leveling playing field because of that simple dynamic. Uh, at the same time, we are still a little bit back towards uh we have to onboard, you have to get approval. Um, so the tech is there, you still have to go through all the operational hurdles to get it functioning, whereas you know, the the bad guys don't again don't need to do that. But I do think it helps, it does level the playing field quite a bit just because you can extract more value out of an a more capable person than you could before.
SPEAKER_01: Yeah. Well, that kind of goes back to that whole topic of culture and getting the right culture in place so people are empowered to make these decisions, get the technology in use more quickly as opposed to dwelling on the process.
SPEAKER_00: Yeah, and you look, the other thing is the job descriptions are have got to change and are changing. So, you know, organization-wide, if you're putting out a job description that read like it did a year ago, you're putting out the wrong job description. Uh, so you have to hire towards that capability set as well. Um, you can't, it's very hard to retrofit the that capability set into your current uh organizational structure. So job descriptions are changing, responsibilities are changing, levels are flattening, all as a response to AI. And the companies that are embracing that are the ones that are going to be more effective at cybersecurity.
Beating Tool Sprawl With AI
SPEAKER_01: Absolutely. You know, sort of staying on this investment uh tone here, our topic, one of the things that we're seeing is just this proliferation of tools and different strategies, different options out there for the manufacturers to use, maybe in abundance. You know, I think we see that investment number going up. Are folks maybe investing in too many tools or not the right ones, or still trying to figure it out, or could you offer some advice there in terms of tool selection and the right stuff to use?
SPEAKER_00: Yeah, you're right. It is and it is getting worse because of AI. There's the whole vibe coding um movement that's happening, or um as more professional engineers like to call it, um, I think they call it agentic engineering, is happening. The build of uh the tool set is happening 10, 100x faster than it was before, and we already had a problem with too many technologies to filter through. You know, you go to any OT trade show or any cybersecurity trade show, and it's a floor of you know 2,000 vendors um representing 200 different technologies. So it's just it's massive to begin with, and now we have this uh level of explosion from from vibe coding and and new cybersecurity tools coming out every day and OT systems coming out every day. The one I've been thinking about this a lot lately. I I think that organizations need to put in in place some sort of department that uses AI as a vetting instrument for systems onboarding. So, what technology are we looking at uh procuring? Doesn't matter where it comes from. Let's have our systems onboarding team or a systems filtering team filter that use AI to come up with recommendations, weigh the pros and cons, um, and kind of use AI to uh manage that whole process. I think historically you just had people sort of looking at websites and looking under the hood a little bit at a product demo and trying to figure out what they brought on board. They get it on board and 20% of it gets used, 80% of it gets thrown out the window. Three years later they replace it because the team left. It's just not sustainable in this era of proliferation. You have to you have to put that agent layer on it. So that one of my recommendations would be look at where you can put AI across your entire um organization. And there is a part of your organization's that that is technology onboarding and assessment, probably in the procurement system. Use it there too, so you can make better decisions.
Protecting Data In Transit
SPEAKER_01: No, it makes a ton of sense. I mean, manufacturing is used to digital twins and sort of vetting things out and and running different scenarios that way to see the best efficiencies and the best approaches. Taking a similar approach with AI beforehand would seem to be a real cost-effective way of going about things as well. Yeah, yeah. Matter of fact, I'm I'm gonna maybe I'll start that as an industry and a business and see what hey, in talking about the industry and the business here with Kiteworks, maybe you could tell us a little bit more about the company, what you have out there, and what you're doing to help uh manufacturers specifically.
SPEAKER_00: Yeah, sure, absolutely. So our company has been around for about 22, 23 years. We went through sort of a transition phase six or seven years ago from sort of a focus on a secure file sharing infrastructure into a more secure data exchange platform approach. So if you think about what the point of all cyber is, with the exception of um you know, sabotage uh types of preventative measures, it's about the data layer. So protecting the data from going where it shouldn't. And that's really what Kiteworks does, is it puts the cybersecurity um technology focus on the data, uh specifically with data in transit. So it's a secure data exchange platform. Any data moving from point A to point B, if it runs on the Kiteworks platform, it's encrypted, it's controlled with uh what's called ABAC, attribute-based access controls. You have a full audit trail. And so that data layer security um puts us in great in a great position to be supporting organizations that are highly regulated. So we're really good at helping customers become uh maintain their data within CMMC. We're really good at helping customers maintain their data in HIPAA environments, all those highly regulated industries, they rely on Kiteworks to to help control their uh data and maintain uh compliance. So that's that's it in a nutshell, I guess.
SPEAKER_01: Well, you know, one of the biggest issues when you're talking about data is the human element of cybersecurity. It's always a big risk, it's potentially the biggest risk. Uh what are some tips that you would give to companies in looking to help alleviate some of those concerns? It's sort of this weird line we have to walk between scaring people and then they're afraid to share information if they do click on a wrong link, but still providing that training that, you know, it's not just white noise, so it has an impact. What have you seen being most effective in in helping those folks out?
SPEAKER_00: Yeah, so I what isn't that effective is giant brain dump training sessions on all cybersecurity tactics possible. You know, you sit there for two hours, um, 50% of the people pay their kids to do this cybersecurity training online, so they don't have to because they've seen it 50 times. It's just not you have to do it because it's sort of a checklist um process. You know, you can't say you didn't train at all, so you you come up with these really laborious video experiences that you have to take tests at the end. Um fine, but there's more of a movement to this concept of uh just in time prevention and training, so micro learnings uh as people go along throughout their day, um, embedding technology that says don't click that link when they try to click it, and then it explains why you shouldn't click the link. Human error prevention, if you try to send a sensitive document where it shouldn't, it will recognize that you're not supposed to. It's sort of like more advanced DLP, but instead of just blocking it, it'll say, I'm blocking this. Here's why, here's something you should learn. So these sort of micro learnings um are proving to be a much better way to control the human element than giant brain dumps in animated video form.
Secure By Design Needs Proof
SPEAKER_01: No, it makes sense. I mean, people are actually getting vested then in learning more about the situation. I think that's one of the biggest things, just in general. People do want to be like they're a bigger part of something. This is again, like you said, it's not just check the box training, it actually gets them engaged. Very good. You know, another big topic here we have in the industrial sector, I always like to talk about is secure by design. The the premise, I think there's a false uh understanding out there that a lot of the secure by design support comes right from the manufacturer of the technology, the supplier of it. And the user sometimes feels like they're covered, like they don't have to do something on their end. I think it creates a little bit of confusion. What have you seen in terms of advancements in secure by design and maybe the role of just communication between the two entities involved to help with more implementing all these new technologies to make sure they're good from the start?
SPEAKER_00: Sure. So, and just to parrot that back to make sure I get the question right: manufacturing company A brings on a new technology from a vendor to support their business operations. That vendor says, hey, we've built this technology in a secure by design fashion. The manufacturer says, great, deploys it to all their people. What's the people's responsibility besides saying, ah, well, it's secure by design, I don't have to do anything, right?
SPEAKER_01: Exactly.
SPEAKER_00: Yeah, exactly. Well, I mean, it sort of falls back on my previous answer before. Um, and I think you're seeing a lot of this, which is those secure by design companies are embedding these micro learnings into their systems. I mean, we we actually recently bought a company that was that that did this, a company called Zivver out of the Netherlands that gave those micro learnings in in email security form. Definitely a secure by design developed product, um, but didn't leave it in the hands of of the people to understand or operate as such. And so those micro learnings were embedded into the human error prevention of the email security. So I think that's again, I didn't mean to answer the question with the answer I gave to the previous question, but I think that's that's probably the most effective situ or scenario in that situation. Um you know, when someone says is it secure by design, obviously don't just take their word for it, get all of their pen testing. What is their the layers of security that they um put into the development process? Uh and have they just bolted on that security so they can say secure by design, or did they start with design security principles, then build the product and the technology? So it's kind of on both sides.
Incident Response Starts With Data
SPEAKER_01: No, makes sense. Another just throwing some critical issues at you here. Response planning is a huge one for manufacturers. We've gotten better at sort of detection and understanding the threats, but then when something does break through, the response part is sort of eh, it hasn't been vetted as much. So therefore it's it's slower. It's uh it's maybe not as thorough as it should be. What would be your advice or your insight in terms of developing, implementing, executing those response plans?
SPEAKER_00: Yeah. Well, I mean, look, I have I hate to say this, but the response plans tend to be disjointed and they tend to be at different uh it's almost the same sort of silo problem. What happens if our network gets breached? What happens if our cloud instance or our Amazon S3 bucket gets breached? What happens if our our endpoints get breached? What happens if in all these sort of resilience strategies? I keep coming back to the sort of the same stance I have that propels the vision of the company, which is create a resilience strategy with what they're all trying to get after in the first place, which is the data, and then work towards the nuances of all of those different layers versus the other way around. So what's your someone breaches your endpoints? Fine. But what data they get, do you understand what data is on the endpoints? Can you uh do you have encryption on that data? You know, looking at that data layer first and building a resilience plan based on data exfiltration versus uh the particular pathway in which the breach happened is probably the best approach to that. Now, having said that, the best approach is still incredibly difficult. And I don't envy any of these companies and any of the cybersecurity teams that have to build resilience plans and recovery plans. Um, but you know, look look at the big rock, not the little rocks.
The Next Wave: AI Agents
SPEAKER_01: No, makes sense. So, Tim, this has been great. Really appreciate the insights and just sort of wrapping things up, question I like to throw at everybody who comes on the show is when you start looking forward, what are some of the biggest trends you see coming down the road? What are some things that we should be aware of and try to prepare for when it comes to cybersecurity?
SPEAKER_00: Sure. Well, last year or even two years ago, it was just generally AI. Um now it's agents. Uh and I I was sort of skeptical about the capability of this agent dynamic six months ago, uh, just because I'm a deep, deep user of AI systems, built agents, and and I understand all of that. But with what Anthropic has rolled out in terms of a capability set with their Claude, um, Opus 4.6, and then today Sonnet 4.6 with um OpenAI, um hiring the CEO of, I don't know if you've heard of OpenClaw slash Moltbot slash Clawdbot. Um, it's it's this big agent development open source platform, and just seeing what the agents can are capable of doing almost with agency, just giving them an objective, and they'll come back in an hour and a half with that objective complete. And then you can scale agents to the thousands, tens of thousands, millions based on the compute that you have. Uh, I think that is the trend that everybody's going to be looking at harnessing from an IT standpoint and protecting against from a cybersecurity standpoint. And we're going to just rinse and repeat all of the same challenges we have, which is the bad guys can move faster than the good guys.
Where To Learn More And Connect
SPEAKER_01: No, it's cat and mouse for sure. It'll be interesting to see how it plays out. But good fortunately, we have guys like you who can help guide us and give us some great insight like this. Excellent. Thanks, Tim. And for more information on the company's tactics and processes, you can check them out at kiteworks.com. I'd like to thank each and every one of you for joining us today. And to catch up on past episodes, you can go to Manufacturing.net, IEN.com, or MBTmag.com. You can also check out Security Breach wherever you get your podcasts, including Apple, Amazon, and Overcast. And if you have a cybersecurity story or topic that you'd like to have us explore on Security Breach, you can reach me at jeff@ien.com. For Tim Freestone, I'm Jeff Reinke, and this is Security Breach.