Hi, everyone. I'm Ed Amoroso, and this week I'm sitting with a very good friend of mine, Francis Cianfrocca, who is the chairman and CTO of Bayshore Networks. >> That's great. >> Francis, welcome. >> Always great to see you, Ed. >> How do you like sitting out here in the park? >> I think it's fantastic. It's like a couple of old guys here just sitting, and we're going to break out the cards next and start playing cards here. >> Well, talk about cyber security and we'll play cards. >> Playing cards and cyber security are very tightly linked. We know this. There's literature on this. >> [LAUGH] Why don't you share with our community a little bit about yourself? Tell us about your background. >> Yeah, thank you. So I'm a software engineer, software developer by profession and temperament. But I came at it in an unusual way. I've got an eclectic background. I've always felt and observed that the most creative and productive and effective software people tend to be a little bit different. So I went to music school. I've got a conservatory background. It's kind of interesting, we're here at NYU at the Tandon School of Engineering and I'm thinking it's a professional school with a lot of young people who made a career choice early, and they're here to learn a pretty esoteric craft. And that's what going to music school was like for me. >> [LAUGH] >> So I'm feeling pretty comfortable here. And of course great energy from these young people, and they're going to be producing our next generation of great things. So it's wonderful stuff. But I started, I had a fascination with electronics and what I later understood to be electrical engineering. Okay, from a very young age I started at that. And I learned how to build digital logic back in the day. Now you and I are old enough. You had an ARPANET drop in your kitchen. >> [LAUGH] >> Okay, and I programmed DEC 11s with an acoustic coupler and time share.
I'm sure all of your listeners, young people listening to us, are tired of hearing about old guys. At least I'm not old enough that I programmed on batch cards on an IBM 360; I'm a little younger than that. What I found is learning electronics was great because you get a physical sense, a feel, for it if you understand electrons and how charges move. Then when you go to computers, the way that we program computers, that's the physical reality of it. All right, and so I first learned assembly language at a certain point when I was a very young person. After that, when you've done all this hobbyist electronic work that kids can do very easily now. You've got the Raspberry Pis and the Arduinos. Build all that stuff, very good work to do, all right? And when I first learned assembly language I said, okay, that's a shift register. I can see how that works. Every little construct in the assembly language for a CPU maps directly to some pretty discrete piece of hardware. If you understand the hardware, programming makes perfect sense. And then, at a certain point I learned, you know, you're good friends with Brian Kernighan, who wrote the C language. I learned off the K&R book, which I think is one of the jewels >> It is. >> Of programming. Of any kind of computer science literature. And I learned off of their book. And when I first learned C, I thought, wow, what a high level language >> [LAUGH] >> This is going to be so easy. [LAUGH] >> And so that background really came in very handy. >> Let's dive right into kind of the Bayshore Networks kind of value prop. >> Sure. >> What you guys do is where those electronics and electro-mechanical things touch computers, there could be some real significant security threats that pop up. Tell us about that. That interface is pretty important, isn't it? >> Yeah, and it's actually novel, it's relatively new in the world. I mean of course, we're talking about.
Industrial production like making cars, making gasoline, making electricity, moving things, running an airline and moving airplanes, okay. All these industrial things that require change in the physical world, moving energy around. >> Right. >> Right? Moving atoms around, well, people know how to do this. We're on, I think now, our third industrial revolution. People will say that cyber is another industrial revolution; I believe that. >> Right. >> But there were a couple of people before it. We know how to do all this stuff, and if you go to people who are in charge of auto assembly plants, right, they'll tell you, we know how to do this. Security has never been an issue for us. Why? Because we've always isolated our networks. The automation that they use in those networks is very much like computer networks. Same technology. Essentially the same stuff. It's different optimizations. Some stuff is different, but it's still Ethernet. >> Right. >> It's still network cables. >> Right. >> Same voltages, the same packet switching, same technologies, but they've always kept them isolated, strictly isolated, and they've never had to think about security. They think about safety. That's top of mind for those guys. >> They being industrial engineers, operational. >> Yeah, what we call OT, operational technology, plant managers. People who are responsible for delivering that value as a business, right? Okay, great, so as with everything else, okay? There's been a revolution over the last ten years. Mostly because of small computing devices and real distribution of computing. And this whole thing we call data science- >> Right- >> Right? Producing business value, and business insights, and process improvements, and cost savings by processing information. It's worked tremendously well for people like Amazon, and for your old company AT&T.
And we all know and believe and can see that if you could take the data that comes out of industrial production environments, you could save a few pennies of fuel, etc., etc. So what I call convergence between IT and OT is when you take production environments that have hitherto always been isolated, because the connectivity is the same, the same networks, and you connect them right to computer networks, either on the IT side or on the Internet, or customers and partners. Tremendously valuable, tremendously worth doing, and now you've got that security problem right through that wire. >> What are the threats? I mean, is it kind of across the board? Like the usual kinds of hacking and access and denial of service, do they all apply in that IT interface? >> They do all apply, but I think when, again, and you've been, I love talking to you because you're literally one of the foremost security practitioners in America. And you've been at this for years and years and years at Bell Labs and then CSO at the great AT&T. Yes, all the stuff you've been thinking about, you and your colleagues, for the last 20 years applies. But there's more to it. Specifically, the guys that run the industrial equipment, first off, that stuff is never hardened, never made resistant. It's highly functional. People who make robots and pressure vessels and industrial equipment, turbines and this stuff, jet engines, they compete with each other on features, the features are available electronically, and therefore they present an enormous attack surface for attackers. >> More features means less hardened, typically. >> No. >> No? >> No, more features, typically, what do you do, and this is interesting. I think there's interesting economics here. We all use computers that have a lot of hardening, security hardening in the OS and even in the hardware. When you make industrial hardware, you're so concerned about incredible reliability. A computer, you reboot it if it hiccups.
An industrial machine like a PLC, you put it in and you expect it to run flawlessly for 20 years regardless of the environment. So a tremendous amount of physical engineering goes into those devices to make them highly reliable, and that precludes, because you don't have the economics. You don't have the dollars and you don't have the compute power to put any hardening on them. >> Yeah, makes sense. >> Now you will hear expert people in cyber security say the way to solve the industrial security problem is to harden the devices. There are a lot of good reasons, and that's one that's not going to happen. >> You know, one thing I've heard people say, and tell me what you think about this, they say, it's like an aphorism in security that people are the real problem. >> Yeah. >> And then if that were true, then you'd say, my gosh, industrial should be easy- >> Yeah. >> User devices, there's no people- >> Yeah. >> What do you think about that? >> Here's what I think, and you're right. The biggest vulnerabilities in cyber, and you know this as well as anybody in the world, all right? Come from people who, for a variety of reasons, are. >> Yeah. >> You know, they click on the wrong link in the email. >> Yeah. >> That's your aperture, that's the way in for a bad guy. >> Wow. >> Once he's in, he can do all kinds of incredible things. And the convergence boundary between the IT space and the OT space is generally unprotected. It's not a perimeter. You will usually not find firewalls there, although people are thinking this through. What you really need to do, to your point directly, because that was an insightful question, I thought, you can harden yourself against the vulnerabilities that people present. With machines, it's a lot more straightforward. And what we've found in our work is approaches like statistical baselining, anomaly detection, not useful. And this is counterintuitive to a lot of people.
And we spent [LAUGH] a lot of time working on this prep, and I've got the patents to prove it, all right. >> Interesting. >> But they are not that useful. There's a much simpler way to do it. If you think about industrial machines, right, they're quite segregated in their functionality. So it's not like you take two pieces of software, put them in one computer, and they'll start interacting in ways that produce problems. They're pretty segregated. What we like to do is think about transaction whitelisting. Okay. So across the boundary between the IT world, carpeted space, I call it, and the cement floor space where the machines are, I just want to inspect that traffic in a high level way, protocol semantics and transactions, and allow or whitelist certain sets of transactions that are required for that process to run. And basically block everything else. If you think about that, it's a technology akin to or analogous to a firewall. But it requires more semantic awareness, and more domain knowledge is baked into it. The same basic principle, though. And that's not that hard to do, and it's not that big a job for someone with the requisite domain knowledge. I can make a transactional whitelist for an auto assembly plant that's going to protect them against 85 or 95% of the threats that they face. The rest of it I don't worry about. >> Let me ask you, as part of the learning community here, we've spent time looking at threats and applying them to different types of assets. >> Yeah, yeah. >> And I tried to make clear to the whole community that there are some threats that are pretty frightening. >> Yeah. >> Let me ask you. You're an expert in this area. Do you think it's reasonable to imagine that hackers, nation states, criminals, could do something truly awful to electromechanical systems, like to bring down an airplane or to turn the power off in a city? Or these kinds of really scary things. I know you and I would both point to problems in the small. >> Yes.
>> But the question is. [CROSSTALK] Do you ever sit and wonder and think, gosh, you know, will these catastrophic things potentially happen, and will they affect cities, societies, people? >> It's interesting we're having this conversation right after the WannaCry attack just a few days ago. >> Yeah, ransomware attack. >> A ransomware attack that went through an aperture that turned out to have a tremendous surface underneath it. >> Right. >> Okay, so I think. >> Worm delivery. >> Well, yes. >> Microsoft vulnerability. >> Yes, thank you, exactly. And the thing that makes industrial infrastructure, what we call critical infrastructure, as well as industrial production systems, the difference between them and cyberspace, is that the apertures for lateral attack are very restricted. Something like WannaCry, in one weekend, can impact 100,000 organizations because the lateral links, once you have an infiltration, are wide open. That doesn't exist in the industrial world because, again, of the legacy of isolation and network segmentation. >> So, that would throttle cascading. >> Yeah. >> Where that explosion of cascade. >> Yes. >> Would be more limited. >> That's one part of the answer. The other part of the answer is, once you're into a particular cyber physical space, your availability of really nasty attacks, I would say, is far higher than it is with ordinary computers. >> So it's a more laser focused problem, but once you're in- >> You can do a lot of things. >> It can be life critical things versus breaking into an office and knocking out their computers. >> Don't worry about it, you may have heard this in the news, city of Dallas, apparently, I'm not going to say any more about this, but the news stories will tell you that somebody was able to infiltrate the tornado alarm system. >> Yeah. >> That affected the whole city of Dallas. >> 2:00 in the morning, everything blaring off.
>> So that is scary, because that shows you that there is a lateral attack potential that wasn't blocked, and that's scary, but that's the exception. >> Yeah, you're right. >> The real thing I worry about is that industrial machines, never having been designed for remote access, now can be exploited. If there are exploits, they can produce massive effects on safety and on public health and on the environment. And so it's really just a matter of time. And I'll tell you where, just to fill that in a little bit. There was a famous exploit at Black Hat, at DEF CON, a couple years ago. Chrysler, okay? And this is in the news too, so I'm not- >> Right. >> Not spilling anything. And not saying that Chrysler is particularly vulnerable, because they all are, okay? But a couple of really smart guys figured out, I can shut off the vehicle systems and at highway speed cause this vehicle to stop running. Catastrophic, okay. What was really interesting, because being dedicated white hat guys, really smart hackers, okay? The aperture that they exploited took them about a day to find. The real exploit, the real damage, took them months of effort. >> That's so interesting. >> Okay, because cyber physical systems are opaque in terms of the way they function. But it's, you know, you mentioned nation state earlier, the entities with the biggest motivation, okay, to figure out where those damage points potentially are, are nation states. And it's a huge surface and it's very much a cause for concern. >> I could listen to you all day long. >> I could listen to you all day long. >> Our time is limited. Next time you come back, will you sing for everyone next time? >> I can sing for you right now. >> Some Italian opera. Why don't you give a couple of bars, like sing something that would be an arrivederci, a thank you, a good luck. >> No, here's what it is. There's a gentleman named Figaro who says [FOREIGN].
And he's talking to his friend who's just a young girl, who was crazy for all the girls, and the Count that they both work for, well, she doesn't work for the Count, he does, okay, is going to ship her off to command an army regiment to get her out of the neighborhood, okay. So that's what that's all about. >> That's fantastic. Why don't you close us? Why don't you say thanks to everybody in a nice Italian song. >> [FOREIGN] >> And thank you as well. Thanks, we'll see you all next time.