Jack Nichelson Of Inversion6 On What We Must Do To Protect Critical Industrial Systems From Cyber Attacks

An Interview With David Leichner

David Leichner, CMO at Cybellum
Authority Magazine
Sep 22, 2022

Ransomware attacks have sadly become commonplace and increasingly brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack? In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about what we must do to protect critical industrial systems from cyber attacks. As a part of this series, I had the pleasure of interviewing Jack Nichelson.

Jack Nichelson is a Chief Information Security Officer for Inversion6 and a technology executive with 25 years of experience in the government, financial, and manufacturing sectors. His roles have included leading transformation and management of information security and IT infrastructure, data management and more for organizations in numerous industries. Jack earned recognition as one of the “People Who Made a Difference in Security” by the SANS Institute and received the CSO50 award for connecting security initiatives to business value. Jack holds an Executive MBA from Baldwin-Wallace University, where he is an adviser for its Collegiate Cyber Defense Competition (CCDC) team. He is certified in the following: CISSP, GCIH, GSLC, CRISC, CCNP, CCDA, CCNA and VCP.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I am a Northeast Ohio native. I went to Youngstown State for my Bachelor’s in Computer Science and Baldwin Wallace for my MBA.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I love to play video games! I learned how to edit the game code to unlock and change features, which led to my interest in programming. My curiosity to understand how things work and how to change these processes is what got me interested in cybersecurity.

Can you share the most interesting story that happened to you since you began this fascinating career?

I detected an active hacker on a server and prevented them from gaining access to sensitive data. I then tracked them back to another location they had been using for months to attack other companies. I worked with law enforcement to shut it down.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

Passion — If you want to reach your goals, it helps to care a lot about what you’re doing.

Emotional intelligence — A high EQ helps you to build relationships, reduce team stress, defuse conflict and improve job satisfaction.

A Desire to Improve — Successful people don’t consider themselves to be perfect.

Are you working on any exciting new projects now? How do you think that will help people?

October is Cybersecurity Awareness Month. Effective security awareness training helps employees understand proper cyber hygiene, the security risks associated with their actions and how to identify cyber-attacks they may encounter via email and the web. In a recent study, 80% of organizations said that security awareness training had reduced their staff’s susceptibility to phishing attacks. That reduction doesn’t happen overnight, but it can happen fast — with regular training being shown to reduce risk from 60% to 10% within the first 12 months.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks?

Social Engineering is the number one form of cyber-attack. It works by psychological manipulation to trick people into making security mistakes or giving away sensitive information. 98% of cyber-attacks involve some form of Social Engineering.

For the benefit of our readers, how would you define a critical industrial system? Can you please explain with some examples?

Critical infrastructure is the body of systems, networks and assets that are so essential their continued operation is required to ensure the security of a given nation, its economy, and the safety of the general public.

Can you share some examples of recent and notable attacks against critical industrial systems? Why do you think these attacks were so significant?

In May 2021, a ransomware attack targeted Colonial Pipeline Inc. in the US — bringing the facility to a complete halt for a few days. This caused an acute fuel shortage, and the prices soared through the roof.

Hackers entered the company’s network through a dormant virtual private network (VPN) account that had remote access to the company’s computer network. The company had to pay a ransom of $4.4 million to the hacker group DarkSide in exchange for the decryption tool to restore its computer network.

In May 2020, Taiwan’s state-owned petroleum and natural gas company, CPC Corp, saw its payment system crippled by a ransomware attack.

Threat actors used a USB flash drive to infect the company’s computer network. Although it did not affect oil production, it pushed CPC Corp’s payment card system into chaos. Winnti Umbrella, a China-linked group known for targeting software companies and political organizations, is credited for the attack.

Why are critical industrial systems particularly vulnerable to attack?

Core infrastructure is the most vulnerable due to the impact an attack or outage would have on citizens. Critical industrial systems are often older systems and software that have been connected to the internet to ease the remote access by staff not trained in cybersecurity. These older systems and untrained operators are ripe targets for hackers and nation-state threat actors.

What makes critical industrial systems such an attractive target for bad actors?

Core infrastructure is the most vulnerable in any global crisis due to the massive impacts that an attack or outage would have on citizens. Critical industrial systems are often older, running out-of-date systems and software that have been connected to the internet to ease remote access by staff not trained in cybersecurity. These older systems and untrained operators are ripe targets for hackers and nation-state threat actors.

Who has to be most concerned about cyber attacks? Is it primarily businesses or even private individuals?

Thinking “it won’t happen to me” is one of the biggest mistakes both a business and private individual can make regarding cybersecurity. Businesses are the biggest target because they hold the most data about private individuals. But after the data breach the individual is at the most personal and financial risk due to the potential misuse of their data.

Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?

If you have cyber insurance, that should be your first call as they can provide both legal and technical expertise and services specifically tailored to enhance the cyber response and defenses. Assemble a team of experts to conduct a comprehensive breach response.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

The biggest security vulnerability in any organization is its own employees. Whether it’s the result of intentional malfeasance or an accident, most data breaches can be traced back to a person within the organization. The number one mistake companies make is undertraining their employees and providing them with more access to sensitive data than they need for their job.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

Cybersecurity awareness training helps employees spot phishing attempts and other social engineering-style attacks, so they know better. A policy of least privilege keeps users from having access to too much data at once, making it harder for them to steal or share the information with the wrong people.

Ok, thank you. Here is the main question of our interview. What are the “5 Things We Must Do To Protect Critical Industrial Systems From Cyber Attacks” and why?

1. Application Whitelisting

Application Whitelisting (AWL) can detect and prevent attempted execution of malware uploaded by adversaries. Because most Critical Industrial Systems are static in nature, hosts such as database servers and Human-Machine Interface computers are ideal candidates for Application Whitelisting.

2. System Configuration/Patch Management and Isolation

Attackers target unpatched systems connected to open networks. A configuration/patch management program will help keep control systems more secure from known vulnerabilities. Isolate Critical Industrial Systems networks from any untrusted networks, especially the Internet. Segmenting networks into logical enclaves and restricting host-to-host communication paths would limit damage from network perimeter breaches. This can stop adversaries from expanding their access, while letting the normal system communications continue to operate.

3. Multi-factor Authentication

Implement multi-factor authentication where possible. Reduce privileges to only those needed for a user’s duties. If passwords are necessary, implement secure password policies stressing length over complexity. Require separate credentials for corporate and control network zones, then store these in separate trust stores.

4. Secure Remote Access

Do not allow remote persistent vendor connections into the control network. Require any remote access be operator controlled, time limited, and procedurally like “lock out, tag out.” Use the same remote access paths for vendor and employee connections; don’t allow double standards. Use two-factor authentication where possible. Remove modems wherever possible, as these are fundamentally insecure.

5. Security Monitoring and Incident Response

Defending a network against modern threats requires actively monitoring for adversarial penetration and quickly executing a prepared response. Have a response plan for when adversarial activity is detected. Such a plan may include disconnecting all Internet connections, running a properly scoped search for malware, disabling affected user accounts, isolating suspect systems, and an immediate 100 percent password reset. Such a plan may also define escalation triggers and actions, including incident response, investigations, and public affairs activities.
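One way to model the operator-controlled, time-limited remote access window described in item 4, with the audit trail that item 5's monitoring depends on. This is an added illustration, not code from the interview or from Inversion6; the broker class, the four-hour ceiling and the account names are assumptions.

```python
import time
from dataclasses import dataclass

# Assumed site policy: no remote window may outlive a four-hour work block.
MAX_SESSION_SECONDS = 4 * 3600


@dataclass
class AccessGrant:
    requester: str   # vendor or employee account; one path and one rule set for both
    operator: str    # control-room operator who opened the window (the "tag")
    tag: str         # work order / change ticket the window is tied to
    opened_at: float
    expires_at: float


class AccessBroker:
    """Hypothetical gatekeeper in front of the control-network jump host."""

    def __init__(self):
        self._grants = {}   # requester -> AccessGrant
        self.audit = []     # (event, requester, operator, tag, timestamp) for monitoring

    def open_window(self, requester, operator, tag, seconds, mfa_verified, now=None):
        """Operator 'locks out' the path for one requester, for a bounded time."""
        now = time.time() if now is None else now
        if not mfa_verified or not tag:
            return None                    # MFA and a ticket reference are mandatory
        if requester == operator:
            return None                    # nobody approves their own access
        if seconds <= 0 or seconds > MAX_SESSION_SECONDS:
            return None                    # no persistent or open-ended windows
        grant = AccessGrant(requester, operator, tag, now, now + seconds)
        self._grants[requester] = grant
        self.audit.append(("open", requester, operator, tag, now))
        return grant

    def is_allowed(self, requester, now=None):
        """Connection check: a grant must exist and must not have expired."""
        now = time.time() if now is None else now
        grant = self._grants.get(requester)
        return grant is not None and now < grant.expires_at

    def close_window(self, requester, operator, now=None):
        """Operator 'tags out' early; the path closes immediately."""
        now = time.time() if now is None else now
        grant = self._grants.pop(requester, None)
        if grant is None:
            return False
        self.audit.append(("close", requester, operator, grant.tag, now))
        return True
```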

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

A federal requirement, with third-party audit requirements, to ensure that all Critical Industrial Systems meet NIST 800-171.

How can our readers further follow your work online?

https://www.linkedin.com/in/nichelson/

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is the Chairman of the Friends of Israel and Member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.
