Jose de Castro of Mapped On What We Must Do To Protect Critical Industrial Systems From Cyber Attacks

An Interview With David Leichner

David Leichner, CMO at Cybellum
Authority Magazine
7 min read · Oct 3, 2022


Limit the attack surface. Products like Mapped provide a single unified touchpoint into the OT network, minimizing the number of “boxes” and vendors present in a typical built environment.

Ransomware attacks have sadly become commonplace and increasingly brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack? In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about what we must do to protect critical industrial systems from cyber attacks. As a part of this series, I had the pleasure of interviewing Jose de Castro.

Jose de Castro is the CTO of Mapped and spends his time fine-tuning product strategy and working with customers to ensure that Mapped continues to add value and security at every step of their digital transformation journey. He has a passion for solving big problems, with 10+ years' experience in building platforms that bring people closer together via communications and collaboration technologies. Jose is a true believer that we are on the cusp of an exponential leap in technology that will make the Internet, and everything that has come after it, seem like a tiny blip in comparison.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

Born in Miami. I’m first-generation American. My parents grew up in Venezuela. My dad was a software engineer, so I was fortunate to grow up around computers and gadgets in the 80s. I wasn’t super into school but loved reading, mostly non-fiction. One summer, when I was 10, I read three volumes of the Encyclopedia Britannica cover to cover.

Is there a particular story that inspired you to pursue a career in cyber-security?

I went to Riverside Military Academy for high school. One day my friend, Petrush, showed me this little box with a battery hanging out of it. He called it a “red box” and showed me how you could use it to play tones in a pay phone to get free phone calls. I was blown away. Not only because of the free phone calls to Venezuela but the fact that a 5-year-old kid was able to circumvent the security of a major telco: BellSouth. Later that day, I spent hours reading Gopher forums on network security, intrusion detection, and social engineering. I was hooked.

This experience resulted in a 20-year career in real-time communications, APIs, and helping telcos adopt modern web technologies to securely open up their networks.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

Curious: I love reading, as mentioned above.

Methodical: I’ll spend hours (or days) in my head coming up with an elegant approach to a problem before I write the first line of code. This allows me to break the problem into chunks which feeds into the third trait.

Persistent: once I can see a path to solving a problem, I will set a goal for each day and not sleep until I cleanly finish the current chunk.

Are you working on any exciting new projects now? How do you think that will help people?

We recently partnered with a Fortune 20 technology company to bring a suite of ESG solutions to market. Our combined solution will enable building owners and data center operators to significantly reduce their energy footprint. Climate change is the single biggest threat to humanity, and I’m so proud that Mapped, along with its partners, is helping to make a dent in the problem.

Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks?

Believe it or not, most building automation protocols have zero security. No encryption, no authentication, nothing. Anyone with physical access to the operations network (OT network) can send commands to the HVAC, electrical, fire safety, and lighting systems in a typical building. It’s no wonder why these systems remain siloed, with their data (and any possible insights) trapped in the building.

Attempts to bring these systems and networks together have led to very public attacks, including the now infamous Target HVAC to Point of Sale attack in 2013.

For the benefit of our readers, how would you define a critical industrial system? Can you please explain with some examples?

A typical building automation system (BAS) consists of three layers. Starting from the southernmost layer, you’ll find a bunch of sensors and devices speaking a variety of very old protocols (BACnet, Modbus, KNX, etc.). Some of these protocols are IP-based, but many are still on traditional serial buses. These sensors and devices are managed by a field controller. Field controllers create a logical grouping of sub-systems, such as lighting for the 10th floor or HVAC for the parking garage. Further up in the stack, you will find a master controller or supervisory controller. The job of a supervisory controller is to expose a web interface for administrators on the northbound side and a control interface to the other controllers on the southbound side.

Why are critical industrial systems particularly vulnerable to attack?

Two main reasons:

  • The devices and controllers speak very old protocols with little to no security.
  • The companies making these devices and controllers have enjoyed the luxury of operating in dark networks for decades. As customers demand that these systems be connected to IT and cloud-based applications, these vendors have been scrambling to adopt modern web security practices.

Who has to be most concerned about cyber attacks? Is it primarily businesses or even private individuals?

Building owners and operators often subcontract network management to reduce their liability, shifting the problem to companies like Cisco, Honeywell, and Schneider Electric. It’s these companies that carry the financial burden in the event of an attack.

Who should be called first after one is aware that they are the victim of a cyber-attack? The local police? The FBI? A cybersecurity expert?

The FBI is a good start. More information can be found here: https://www.fbi.gov/investigate/cyber

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

Trusting communications within the walled garden of a network allows bad actors to target a weak link and spread from there. Modern architectures promote a zero-trust model where each link in the chain is properly authenticated and authorized. Tools like Docker, Istio, JWT, and the many great products from companies like Cloudflare can dramatically help improve your security posture.

Ok, thank you. Here is the main question of our interview. What are the “5 Things We Must Do To Protect Critical Industrial Systems From Cyber Attacks” and why?

  • Limit the attack surface. Products like Mapped provide a single unified touchpoint into the OT network, minimizing the number of “boxes” and vendors present in a typical built environment.
  • Newer solutions might offer increased security, but updates can be infrequent, leaving devices and software pathways open and vulnerable to attacks. A quick scan using Shodan.io shows how many vulnerable devices and pathways are connected to the internet.
  • Each IoT-driven system, with its own physical and software components, is a potential vector for cyberattacks. This risk is compounded as more vendors with cloud connections join the BAS and require patchwork updates. Furthermore, vendors frequently retain access even when their products are no longer in use. Such shadow deployments are usually not maintained and pose additional dangers. They need to be removed when vendors dissociate themselves from the accounts.
  • Commercial building managers can modernize their approach to cybersecurity by taking cues from the May 2021 White House executive order on cybersecurity, improving their efforts to identify, deter, and respond to attacks and bad actors, and ensuring compliance from vendors. This approach is a smarter and more robust way of capitalizing on the potential of IoT.
  • Coupled with zero trust principles and an API, this infrastructure can ingest IoT data from several disparate sources, including HVAC, lighting controls, air quality monitoring, fire safety systems, visitor management, and more. This enables building management professionals to better control authentication and authorization and to fine-tune identity access based on the length of service contracts and other relevant parameters.

If you could inspire a security-first movement or movement that would bring the most amount of good to the most amount of people, what would that be?

Too often, cyber security is relegated to a small department within an organization. While it’s important to have central oversight and policy management, it’s important for all engineers to consider building secure systems a regular part of their job. It starts with product managers. Great PMs act not only as a “voice of the customer” but of all stakeholders, including investors and internal security teams that are on the hook to respond in the event of an attack.

How can our readers further follow your work online?

Check out our website at Mapped.com!

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is a member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.
