Cameron Over Of CrossCountry Consulting On What We Must Do To Protect Critical Industrial Systems From Cyber Attacks
An Interview With David Leichner
Perform penetration testing regularly. Don’t just use penetration testing as check the box exercises! Consider Red Team scenarios for increased realism and sophistication of attack types with a third party.
Ransomware attacks have sadly become commonplace and increasingly brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack? In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about what we must do to protect critical industrial systems from cyber attacks. As a part of this series, I had the pleasure of interviewing Cameron Over.
Cameron Over leads CrossCountry’s National Cyber & Privacy Practice and their newly launched offensive team, Icebreaker, where she is responsible for the overall strategy, practice development, and client delivery. Cameron has over 25 years of experience in the fields of cybersecurity and privacy serving department of defense, private, and public organizations. Cameron leads a team of talented cybersecurity and privacy experts across strategy, risk management, cloud and application security, privacy and data protection, and offensive security.
Prior to joining CrossCountry, Cameron was a Senior Associate at Booz Allen Hamilton, where she led a large portfolio of cybersecurity programs for the department of defense, including critical infrastructure systems such as the defense industrial base, satellite communications infrastructure, and classified networks.
Cameron received her BS in Computer Science from the University of Mary Washington and is a Certified Information Systems Security Professional (CISSP).
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I was born overseas in Germany where my father was an officer in the U.S. Army Signal Battalion. My early life consisted of travelling around parts of Europe and Asia, and eventually the U.S., as my father’s assignments changed. While travelling, I developed a love of diverse cultures, cuisines, and unique experiences which I still seek out and try to give my own children exposure to today. I also developed a passion for horseback riding, taking lessons from the age of five through adulthood, and have owned horses for over 20 years.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I was able to intern with the Defense Information Systems Agency (DISA) in the mid-90’s supporting a program called Information Transport Engineering Systems Operations (ITESO) in Reston, VA. What could have been a boring summer job pushing paper, became a great opportunity to learn about transport layer communications, network engineering and infrastructure, and the backbone networks that our military depends on for their critical missions to protect our nation. That strong sense of service and mission focus has driven much of my interest in cybersecurity, pursuit of my degree in Computer Science, and client service to both DoD and commercial clients throughout my career. I am and have always been extremely mission focused.
Can you share the most interesting story that happened to you since you began this fascinating career?
It’s difficult to pick just one. Some of the most interesting work I’ve had the opportunity to support and lead were critical programs for the DoD including worldwide satellite communications programs. The role of Information Security Officer for that multi-billion-dollar program afforded me the opportunity to travel once again to other parts of the world, work alongside satellite engineers, vendors, and facilities security teams to ensure both baseband and satellites were secure.
Since being on the commercial side these last seven years with CrossCountry, I have had the opportunity to support clients across a variety of industries — as cyber and privacy challenges are not just concerns for the military or financial institutions. We have served clients ranging from Series B-funded tech startups poising for IPO, to multi-national banking institutions, to casino and gaming organizations. The breadth, depth, and variety is extremely interesting to our team, because all have critical needs for cybersecurity.
You are a successful leader. Which three character traits do you think were most instrumental to your success?
Resilience: No failure is absolute, and it provides the chance to learn, to follow your “true north,” and find positivity, integrity, and adaptive capacity.
Humility: The desire to continuously learn, be a good listener, to collaborate, and the healthy understanding of what you don’t know, and being vulnerable and open to that.
Creativity: Our work and the complexity of the world, and especially technology, are ever-changing. We must be willing to create and realize new solutions to complex challenges and to see potential innovative new ways to solve new challenges.
Are you working on any exciting new projects now? How do you think that will help people?
We recently launched our Cyber & Privacy practice’s offensive cybersecurity capabilities into a newly enhanced offering called Icebreaker which will provide our clients threat assessment, penetration testing, red teaming, and remediation services. Companies are facing unprecedented threats against the integrity of their organization and require an enhanced level of assessment and testing to ensure their infrastructure and data remain secure. Cybersecurity attacks have become more sophisticated, coordinated, and wider reaching. Our Icebreaker offensive security capabilities enable us to provide our clients with threat simulations and assessments that identify companies’ infrastructure vulnerabilities that are critical in this high-risk environment.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks?
I’m not sure that there is enough space here to cover them all, so I will share a few that we see most often in our line of work.
The most prevalent attacks typically start with some form of social engineering via phone call, text, or email (commonly known as vishing, smishing and phishing). In some cases, attackers take a very targeted and carefully crafted approach in singling out specific executives or individuals with elevated privileges in a high-value area — such as Finance, IT, M&A, or HR.
Human risk will always be one of the top attacks that we see succeeding, as they are designed to create a sense of urgency around responding and are often sent at opportune times to drive victims to provide sensitive information (such as insider information or credential capture). Many organizations are still not adequately training their employees and partners or performing regular exercises to evade phishing attacks.
Ransomware continues to be a top threat to organizations, as do other types of malware, which are essentially malicious code that executes on host machines. This may lock systems down until a ransom is paid, exfiltrate data outside of the environment through a C2 channel, or perform other nefarious actions.
There are other types we see, particularly in the financial sector, such as man in the middle (MITM) attacks whereby attackers are trying to find their way into the middle of a business process to the extent that they are in receipt of critical business information (i.e., transaction data, credentials, or actual funds), and Distributed Denial of Service (DDoS) attacks that are meant to disrupt network traffic by overwhelming the target devices with a flood of traffic until they fail or the service is denied.
For the benefit of our readers, how would you define a critical industrial system? Can you please explain with some examples?
Critical industrial systems are assets that our nation relies upon for critical resources and products essential to society. A few include healthcare, financial services, energy, food water, and transportation.
Can you share some examples of recent and notable attacks against critical industrial systems? Why do you think these attacks were so significant?
In early 2021, community water supply systems in Florida and California were hacked; attackers gained access to critical systems and tampered with programs that support the process to treat drinking water. In both cases, administrators were able to fix the changes that the hackers made to the programs, but it still pointed to glaring issues in the lack of robust security controls in our critical infrastructure.
In May of 2021, a ransomware attack of the Colonial Pipeline was initiated by what is thought to have been a breached employee password versus a direct attack; this ultimately caused a shutdown of the entire gas pipeline so that the attack would not also affect critical pipeline equipment. This chain of events led to widespread panic, multiple days of gas shortages, and price hikes that affected the southeastern United States. An emergency was declared across 17 states, resulting in the largest cyber attack on oil infrastructure in history.
In June of 2021, JBS, the world’s largest meat processor, paid an $11M ransom after critical business systems were shut down due to a cyber attack, affecting the U.S., Australia, and Canada. Because of this disruption, cattle processing was delayed for multiple days, causing a ripple effect in the meat market economy and shortages in the food supply chain. This led to further price inflation already exacerbated by the COVID-related disruption.
Upon these and a few other examples, the Cybersecurity and Infrastructure Security Agency (CISA) warned that infrastructure like water and power plants, emergency services, and transportation systems make “attractive targets for foreign powers attempting to do harm to U.S. interests or retaliate for perceived U.S. aggression.” Clearly an area prone to targeted attacks, and systems that need resilience to cyber threats.
Why are critical industrial systems particularly vulnerable to attack?
Critical infrastructure and their associated systems are valuable targets for cyber criminals as foreign threat actors are seeking to harm our Nation or retaliate for perceived aggressions. They are also highly visible, and the success of these attacks garner massive media coverage, speculation, and create additional unrest from the general public; often this is the goal of our adversaries. Additionally, many of our critical industrial systems contain specialized equipment, including legacy systems, and sometimes their cybersecurity programs are less mature or less funded, making them easier targets for attack. Aging infrastructure sometimes results in those systems becoming increasingly connected to enable newer workforce to manage them remotely, but also often results in layering of newer coding languages overtop, which leads to further complications and dependencies.
Many of these attacks come down to good password policies, employee education, effective detection, response and recovery systems, and a strong incident response plan that is regularly maintained and tested.
What makes critical industrial systems such an attractive target for bad actors?
High impact, high visibility. This creates a question of our security and comfort as a Nation, which is a big target for some of the Advanced Persistent Threat (APT) groups that do target this area: big headlines, big news, notoriety for those hacking groups seeking attention and notoriety.
Who has to be most concerned about cyber attacks? Is it primarily businesses or even private individuals?
We should all be concerned. What used to be considered an IT issue and responsibility is now a material, increasingly regulated/ mandated requirement and fundamental to the safety and soundness of our Nation. We as individuals need to expect that those organizations that we give our data and information to are handling it with care and managing the risks appropriately.
With many of the breaches we see, organizations have not heeded the warnings of their IT and security teams or put the appropriate investment or rigor in their programs, their governance, or performed rigorous testing in the form of penetration testing and robust red teaming exercises to emulate those scenarios that are at most risk of occurring to them.
Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?
If an organization suspects they’ve had an incident, they should follow their Incident Response Plan. That plan should have a detailed process that is also tested regularly with appropriate parties in a Tabletop Test, including critical areas like containment of the breach that utilizes an appropriate forensics team, working with legal and insurance providers to ensure that appropriate steps are taken, communications plans (both internal and external), remediation activities, and finally, ensure regular testing to incorporate the latest evolution of attacks that are most prevalent to organizations like yours.
What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?
Lack of security awareness and training.
Lack of tone at the top around the importance and commitment to protecting their Crown Jewels (the data most important to the organization) and integrity of their brand in the market.
Lack of phishing simulations and insider threat programs.
Using penetration testing as a box-checking exercise to look at wide-spread vulnerabilities and not performing periodic rigorous red team testing against realistic real-world threats.
What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?
To work together. CISA is doing an incredible job advancing the public/ private partnership. The various ISACs (Information Sharing and Analysis Centers) also are incredible resources for organizations. There are sector-based consortiums that can be a wealth of information to organizations to come together and discuss with similar companies, the risks, threats, and mitigations that are working for them, their partnerships, etc.
Ok, thank you. Here is the main question of our interview. What are the “5 Things We Must Do To Protect Critical Industrial Systems From Cyber Attacks”?
1. Maintain strong password policies, implement strong technical controls (including using password vaults), enforce the concept of least privilege, and perform password cracking tests across the organization to identify and mitigate weak or non-conforming passwords.
2. Train and test employees and organizations with phishing exercises on a recurring basis, including tailored testing for specific user groups with elevated privileges or critical business functions.
3. Perform penetration testing regularly. Don’t just use penetration testing as check the box exercises! Consider Red Team scenarios for increased realism and sophistication of attack types with a third party.
4. Ensure that you understand who your third parties are, which are most critical, what data they have, and how you’re working to validate and mitigate any concerns around their services.
5. Collaborate with other organizations in your sector, participate in ISACs (Information Sharing and Analysis Centers) if available, know your insurance and legal processes in the event of a breach, and utilize available threat intelligence to know your threats.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)
Technical literacy. Teaching kids through seniors how to safely interact with technology. Teach parents the steps to take to review apps their kids want to download on phones, who designed them, what country they’re from, and the risks that these apps can bring to their safety, mental health, and data security.
How can our readers further follow your work online?
Check out our work at CrossCountry-Consulting.com and icebreaker.team. Also connect with me on LinkedIn.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!
About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is the Chairman of the Friends of Israel and Member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.