James Nguyen Of Quantropi On What We Must Do To Protect Critical Industrial Systems From Cyber Attacks

An Interview With David Leichner

David Leichner, CMO at Cybellum
Authority Magazine
Sep 18, 2022

Ransomware attacks have sadly become commonplace and increasingly brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack? In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about what we must do to protect critical industrial systems from cyber attacks. As a part of this series, I had the pleasure of interviewing James Nguyen.

Prior to leading Quantropi, James was Chief Investment Officer & VP of Asia Operations for a group of private and public real estate, mining, energy storage, graphene technologies and manufacturing interests, where, in his responsibilities for strategy, banking and global expansions, he secured large-scale investments and partnerships for commercializing graphene applications across multiple industries. A graduate of Carleton in Economics, he previously achieved success managing a mid-market portfolio (professional services, public sector, Asian markets) at RBC for over a decade. James has been on the HKCBA board, held advisory positions with technology start-ups and gives back as a volunteer, fundraiser and mentor.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in Ottawa, Canada, and I am the oldest of four boys. I attended Carleton University in Ottawa, where I studied Economics. I started my career with RBC Royal Bank straight out of university, where I was a personal banker, then went on to become a business banker and later, a commercial banker. I took on roles that were unique to the bank, such as launching the cultural markets for Ontario North and East and had opportunities to work with various entrepreneurs across different segments in supply chains, general commercial, real estate, and healthcare to name a few.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I’ll use this opportunity to recognize a few people that have had a big impact on my life, such as Marco Pagani. I like to say that, in Ottawa, entrepreneurs breed entrepreneurs. I wouldn’t have this opportunity if it wasn’t for another mentor of mine, but also an investor, Jeffrey York. He’s been a great sounding board for me, and he’s been supporting me. I jumped with him into a kind of new material science and some mining and graphene and since then, I’ve really become an entrepreneur. I always thought of myself as a corporate person, but he really opened that gate for me.

I’ve always been someone who’s looking for the next big challenge, to challenge myself as well as help solve meaningful problems that either protect our planet or protect the next generation. I started out with Jeff looking into low-carbon materials to create more sustainable solutions that can protect our planet. When it came to cybersecurity, I was also influenced by my time working in the bank. I remember saying, no security equals no trust, equals no bank. So really protecting our clients’ information, digital assets, and legacy by making sure that their privacy and data are protected because privacy and information are important to everyone.

Can you share the most interesting story that happened to you since you began this fascinating career?

I think the most interesting thing, and what fascinated me the most, is the fact that our vision of preserving truth and trust indefinitely resonated with so many people. This vision really resonated with a lot of unique individuals and iconic people, like global leaders for example. Iconic is a term that is embedded into our core values, so the thing that really fascinated me was how big this has become, and how much bigger it can become with the reach and impact of our solutions.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

Three character traits that I think have been most influential, and all kind of tie into each other, are kindness, confidence, and thinking outside the box.

Kindness has helped me attract good people, and without good people, you can’t do anything great. Being able to attract the right people not only requires kindness but having a vision that people can resonate with as well.

Having a large vision is something that has really resonated with our Team. When we come to work, we’re there to protect everyone’s identity. Having that vision to continuously grow and the ability to problem solve by thinking outside the box when challenges arise is instrumental.

Confidence is at the root of it all, in my opinion. It’s essential for attracting investors and additional talent, but also in getting customers to trust us, by showing that we’re confident in our research, integrity, and approach. We’re a contrarian play, so the fact that we took a different approach, but have been able to instill confidence in our investors, customers, and employees has been critical to our success.

Are you working on any exciting new projects now? How do you think that will help people?

At Quantropi, we believe that the world needs to be prepared for the imminent quantum future. Our team members come from deep technology, quantum communication, cybersecurity, and entrepreneurship backgrounds and are recognized by world-leading organizations, like NASA. With six patents granted and many more pending — we believe that Quantropi’s technology is poised to become the quantum security standard.

Organizations ranging from NATO to the White House are acknowledging that quantum computers will inevitably break encryption methods in place today across national and global economies, defence systems, and public and private infrastructure. The as-yet-unknown date when this will occur has become known as “Y2Q.”

Hackers are already thought to be preparing for Y2Q by stockpiling identity-related data to decrypt using quantum technology. This nefarious practice is known as “steal now, crack later.” With current estimates placing the event as soon as two years from now, it is imperative for the continuity of our global digital economy that every organization fundamentally renew its security posture, starting today.

Driven by a mission to ensure the protection of the Truth and Trust underpinning our global digital society, we’re enabling enterprises to begin transitioning to quantum security — with minimal investment in new hardware or infrastructure. Best of all, our unique platform solution works over today’s Internet — providing a simple, evolutionary upgrade path to critically improved security.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks?

The Internet relies on two pillars, truth and trust, to be sustainable: without trust, you have no business. We’re here to protect that as a company. Classical computers operate in binary numbers, but quantum computers work with qubits based on quantum mechanics and they’re able to do certain calculations faster and better than classical computers. I like to use the example of looking for Waldo. He walks into a hotel with 10,000 rooms and a classical computer would have to check each room at a time. That takes a long time. A quantum computer would check all rooms simultaneously and find Waldo right away. That just gives you an example. So we’re looking for cures for cancer and diseases. At the molecular level, it gets very, very complex — so complex that classical computers haven’t been able to find these cures. We believe quantum computers will. But that same power that’s going to cure cancer is also going to break today’s encryption, break that trust and manipulate the truth. So Quantropi was founded to preserve trust and truth not only today but forever. Our tech will protect you forever because it’s derived from quantum mechanics.

For the benefit of our readers, how would you define a critical industrial system? Can you please explain with some examples?

A critical industrial system is one that is vital to a sovereign state and its economy. Examples would be (but are not limited to), the critical manufacturing sector, energy sector, chemical sector, water and wastewater systems, nuclear reactors, materials and waste sector.

Can you share some examples of recent and notable attacks against critical industrial systems? Why do you think these attacks were so significant?

A recent example can be seen in an attack against a UK water supplier, South Staffordshire PLC. The company supplies water to more than 1.5 million people in the UK and in August disclosed it was hit by a cyberattack, which security experts said highlighted potentially dangerous vulnerabilities in the country’s critical infrastructure. These attacks are significant, as manipulating chemicals in the water system can become hazardous and put lives at risk.

Why are critical industrial systems particularly vulnerable to attack?

They are particularly vulnerable due to the legacy systems in place that are connected to the internet, creating gaps for an attack.

What makes critical industrial systems such an attractive target for bad actors?

They say that if you want to take down a country, take down its critical infrastructures such as the power grid and water supply. Some of the greatest cyber capabilities are owned and operated by nation-states, so in cyber-warfare, critical industrial systems are such an attractive target because no matter how many layers of protection you have, if you are connected to the internet there is a gap to attack.

Who has to be most concerned about cyber attacks? Is it primarily businesses or even private individuals?

Every business and organization should be concerned. Quantum computers are gaining ground and will soon pose an existential threat to all standard encryption methods. Unlike the Y2K “millennium bug,” there is no timetable or due date for Y2Q. All we know is, it’s coming much faster than anyone predicted. That’s why bad actors around the world are already stealing and storing secrets, just waiting for the quantum computing capacity to decrypt them. Because if someone, an adversary, really wanted to know what someone is talking about right now, they could record an entire meeting session by tapping the line. Storage is cheap, they can sit on it till the day they get the big quantum computer, tear open the envelope, get the key, and watch the rest of the meeting. And if that happens — and there was something top secret under law, by law that must be protected for 25 years — if that adversary gets a quantum computer anytime in the next 25 years, you’ve failed to meet the obligation to keep the secret for 25 years. It’s called steal now, crack later. And the problem is every breach from now until you upgrade your technology, every byte of data that goes out the door is vulnerable to an adversary forever. You can never un-ring the bell.

Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?

I think that if anyone is a victim of a cyber-attack, the first call they should make is to key stakeholders inside the organization. I think it’s important to stop the bleeding first and ensure that the Chief Security Officer or the Chief Technology Officer understands where the breach happened, and then make sure that they know the best steps or actions to take in order to minimize the damage or mitigate much of the additional spread of the attack. It’s also extremely important to be upfront and transparent with anyone who is affected by the attack, to ensure that everyone involved or impacted can take the necessary steps to minimize any damage to their business or reputation.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

When it comes to cybersecurity, I think that more can be done by taking a proactive rather than a reactive approach. A lot of the cyber-attacks that we hear about are due to not having the proper protocols in place, which in turn creates loopholes and leaves one susceptible to internal fraud. It could also be a case of simple best practices not being followed, such as having the same password for everything or downloading software that generates malware attacks.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

The biggest thing that government and tech leaders can do is provide education and awareness of this issue. Another key thing is to ensure that stakeholders at all levels are aligned when it comes to protecting assets and having action plans that are followed by everyone in your organization.

Ok, thank you. Here is the main question of our interview. What are the “5 Things We Must Do To Protect Critical Industrial Systems From Cyber Attacks” and why?

1. Get Patched

  • Seems like the most basic advice, but making sure *ALL* the devices in a critical industrial system are up to date with the latest software updates and patches is the #1 defence against threats of almost any kind. Why? Because governments and product manufacturers around the world collaborate 7x24 to identify and remediate new threats. Those that fail to keep up, despite knowing this is never “done”, often either fall into complacency or succumb to budget/resource pressures and defer until it is too late. Just look at the famous WannaCry worm from 2017 — millions of unpatched devices running out-of-date SMB communications protocols (for which protective patches were fully available) caused dramatic business disruptions resulting in millions of dollars in business impact. Recent ransomware attacks on infrastructure follow the same pattern!

2. Get Informed

  • Ignorance of the threat landscape both present (ransomware) and future (Y2Q) is no excuse. The amount of online information (ex. National Strategy for Critical Infrastructure in Canada), working groups (ex. Cloud Security Alliance Working Group for Zero Trust Architectures) and major vendors (ex. Siemens Critical Infrastructure Defense) may feel daunting, but a small amount of research can pay big dividends in finding the threat intelligence most relevant to an organization’s assets and infrastructure. In the case of Y2Q, NIST in the USA has been focused for more than a decade on evangelizing and educating the public and private sectors on the threat posed by Quantum Computing (and what can be done to prepare!).

3. Get Looking

  • The tedious and unglamorous task of keeping an updated inventory of devices and users in a large installation, let alone the manufacturer and version of all associated software, may once again feel like an unrewarding overhead, but a true baseline is the only way to interpret the risk posed by a given threat vector and to understand the scope of potential impact or spread in the (inevitable) event of an incident. And it is not just machine and human identity, hardware and software configuration but it is also ‘behaviour’. What is ‘normal’ behaviour for a worker or a device? Stuxnet ushered in the era of the “advanced persistent threat” where small anomalies in system behaviour add up to major breaches or system shutdowns. Fortunately, automation tools for discovery and monitoring targeted at critical infrastructure continue to be developed. Examples include start-ups like Claroty, which focuses on system behaviour, or Xage, which focuses on identity and access management. NIST has brought together a “who’s who” to tackle the inventory of cryptographic functions across an organization that will be vulnerable to Quantum attacks.

4. Get Testing

  • The proverbial journey of 1000 miles starts with the first step. Security threats are moving FAST but so are solutions! A dedicated Lab / Cyber range requires investment in time, people, infrastructure and of course money, but it makes digital security preparedness just as much a part of organizational SoP as other health, safety, and efficiency initiatives. In the modern digital era, most (if not all) security technology vendors will gladly let you “try before you buy” offering free downloads, documentation, and training. It is of course self-serving (they want the sale) but they also are committed to preserving the critical operations the way Quantropi is committed to preserving Truth and Trust. Even better, there are often Open-Source communities that offer a *community* of like-minded folks passionate about the security threats they are solving. One great example is the Open Quantum Safe community that seeks to get Post Quantum Cryptography examples into the hands of practitioners so everyone can learn and contribute.

5. Get Serious

  • Nearly all organizations are top-down hierarchies. Lots of teamwork, lots of collaboration and consensus, etc. But in the end, things roll downhill. There is an almost infinite list of things an organization *should* do, but no one has enough time, money, or resources to do them all. This tension between priority and funding inevitably leads to hard choices and in some cases, the deferred maintenance already mentioned can have catastrophic implications in the event of an attack. Sometimes those attacks aren’t even intended! A slew of manufacturing outages this past decade was discovered to be the result of “infection” from Stuxnet variants that coincidentally affected their industrial control systems. Cyber risk and Cyber defence must be a Board Level / C-Suite imperative tracked the same way quarterly P&L, Service levels, factory output, supply chains, etc. are tracked and reported. Great examples of security KPIs and frameworks are out there — they just need to be adopted.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

I think that bringing the greatest good to the most amount of people is not about technology, but about paying it forward. Sharing knowledge, being willing to try new things, eliminating the ego, and just continuously striving to challenge yourself and perform to the best of your ability.

How can our readers further follow your work online?

https://www.linkedin.com/in/jamesnguyen28/

https://www.linkedin.com/company/quantropi/

https://www.quantropi.com/

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is the Chairman of the Friends of Israel and Member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.
