Matt Fleharty Of Forescout On What We Must Do To Protect Critical Industrial Systems From Cyber Attacks

An Interview With David Leichner

David Leichner, CMO at Cybellum
Authority Magazine
11 min read · Nov 12, 2022


Final step to make this work and protect industrial systems from cyberattacks: the IT security teams, OT asset owners, and network architects need to collaborate as a team and be open to listening and learning from each other to find the approach to securing the sensitive industrial environments.

Ransomware attacks have sadly become commonplace and increasingly brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack? In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about what we must do to protect critical industrial systems from cyber attacks. As a part of this series, I had the pleasure of interviewing Matt Fleharty.

Matt Fleharty currently works at Forescout as OT SME Director. His responsibilities include contributing to the development of professional services offerings and to the execution of cybersecurity engineering consulting services across a variety of large commercial enterprises. Matt Fleharty is also tasked with architecting and implementing comprehensive cybersecurity solutions in OT/ICS production environments. Prior to working at Forescout, Matt was OT Manager, US Onshore at Equinor.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

Hi, thanks so much for this opportunity! I grew up in the desert, in a small town in west Texas near Midland/Odessa. I love it out there, from the lifestyle to the pace of living, to the people and values. Most of the folks I know have a healthy disdain for the rural, desert landscape, but I think it has a beauty of its own.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

My career was really influenced more by my lack of cybersecurity awareness. I’ve always been drawn to computers, and I put that desire and experience to work leading multiple OT teams in the oil & gas industry. During my consulting and operational engagements, we paid very little attention to the cybersecurity aspect. Instead, we were much more focused on safety, uptime, and lowering operational expenses. Cybersecurity didn’t really factor into any of those engagements. When the opportunity came along with Forescout, I explained the priorities and focus of those engagements, and the hiring managers told me to “come onboard and share that experience with our customers.” Having the industry knowledge and understanding the priorities within the various industries has allowed Forescout to better understand how we can add value for our customers.

Can you share the most interesting story that happened to you since you began this fascinating career?

My former colleagues would tell you how ironic it is that I ended up in a cybersecurity role, after my time in the oil & gas industry where we were primarily focused on getting visibility into the production values, with very little attention on the security aspect.

On the other hand, since I have been with Forescout, the most interesting aspect of the job is the moment when our customers gain visibility into their ICS environment. Each customer is different, but every engagement has some form of an “aha moment” when they see rogue devices, misconfigurations, or devices getting time updates from China. I wish I had known about these types of technologies during my time in the industry, as I believe I would have been a more effective leader with the additional visibility into the devices and types of traffic that were traversing the OT network.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

First, integrity. Make sure you can live with yourself and look yourself in the mirror at the end of each day. Having character and integrity pays dividends in the long-term, in both business and personal aspects.

Second, identify the requirements. Most of my shortcomings can be traced back to not completely understanding the requirements. It could be something as simple as saying “we need to generate a weekly report on vulnerabilities,” without understanding the audience or the details within that report. Or it could be understanding the differences in how companies interpret/define “OT.”

Third, be in a defendable position. Whether you’re right or wrong, put yourself and those around you in positions to defend the actions/choices.

Are you working on any exciting new projects now? How do you think that will help people?

We recently made the decision to expand our OT solution offering with more services, which gives organizations’ IT security and engineering teams — customer or not — access to our security experts and new threat detection, investigation, response and threat hunting capabilities. In addition, our Assist service is a huge support for clients that lack the technical resources, skills or both, that are needed to protect their environment. Our cybersecurity expert team analyzes and triages detected risks and escalates the true threats providing remediation guidance.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks?

Sure thing. First, there are ransomware attacks, which could soon target IoT and OT. Already we are seeing IT devices inside OT networks being held hostage, leading to stalled operations. Even if OT environments are not attacked themselves, the interconnectivity to crucial IT systems, such as order or stock management, can be attacked and halt production. Ransomware attacks have been increasing as it’s a lucrative business for attackers. There is also a new type of cyberattack that is mainly looking to cause havoc, called disruptionware.

In addition, we see zero-day exploits and advanced persistent threats (APT) that are careful to remain unnoticed and are going deeper into the OT networks, attacking industrial controllers and specialized devices.

For the benefit of our readers, how would you define a critical industrial system? Can you please explain with some examples?

A critical industrial system is anything that is connected to, is associated with, or controls physical equipment: a PLC controlling a turbine, an HMI to monitor and control a chemical process, etc., and the systems associated with that equipment. Critical infrastructure systems such as power generation and distribution, and drinking water utilities, are examples of critical industrial systems.

Can you share some examples of recent and notable attacks against critical industrial systems? Why do you think these attacks were so significant?

Colonial Pipeline and Log4j are top of mind. The attacks are significant because of their scope: by definition, they are attacking critical and industrial systems, and we just defined critical industrial systems as the space where cyber meets physical. So, it’s significant because of the potential ramifications. This isn’t just merely shutting down or locking folks out of critical systems. Rather, Colonial Pipeline impacted society so suddenly that it’s no longer just an issue between the attacker and the attacked company; it affected the rest of society as well.

Why are critical industrial systems particularly vulnerable to attack?

These systems are particularly vulnerable to attack because they weren’t built with security in mind. Forescout recently released OT:ICEFALL, a set of 56 vulnerabilities affecting devices from 10 operational technology (OT) vendors caused by insecure-by-design practices in OT. The findings of this report show that these systems were created with the assumption that they’d operate in a safe, secure environment without harm or disruption to their operations. That being said, they often have no authentication, no patches installed, and they weren’t designed to deal with the increased connectivity.

What makes critical industrial systems such an attractive target for bad actors?

The scope and scale of what can be affected, as well as the ease. The industrial systems are tied to physical devices that impact our lives on a daily, continual basis: disrupting the power grid, or contaminating the water supply, are two examples that come to mind, because the industrial systems are directly connected to these physical assets. While in IT it’s common to educate employees on cybersecurity measures and best practices, in addition to monitoring systems, in OT this is less common. Only recently have companies begun doing this, and there are still many gaps that can be leveraged by bad actors to cause disruption, ask for ransom, or steal production data.

Who has to be most concerned about cyber attacks? Is it primarily businesses or even private individuals?

While the threats are different, the impact can be equally devastating for both individuals and businesses. Think about how we both interact with, and rely on, cyber-based systems on a daily basis: how many times per day do we send personally identifiable information over the internet? If those systems are compromised, it can negatively impact individuals. Similarly, since we rely on basic services such as electricity and water, it likewise impacts all of us if those critical systems are compromised.

While critical infrastructure organizations need to be concerned about cyberattacks, so too should manufacturing, banking, and individuals. With the number of interconnected systems in our society, we have to work together to be more cautious about what data we share, what systems we connect to each other, and what security-by-design practices should be considered when designing new systems.

Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?

It depends on the nature and severity of the attack. Generally, it is best to alert the authority for the compromised system: for example, if your credit card is compromised, contact your credit-card company to have your card deactivated. The primary focus is to stop the ongoing attack; then, depending on the type and severity of the attack, next steps can be evaluated.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

I am as guilty of this as anybody. The biggest mistake is not considering cybersecurity as a function of a company’s safety culture and instead focusing on production/uptime and lower operating costs. For example, it’s not uncommon to find employees using the same password across multiple systems. In fact, some customers don’t ever change their default passwords and some OT systems even use hardcoded credentials.

Our most successful customers understand cybersecurity as a function of safety. In Operational Technology, critical industrial systems are connected to physical equipment. And cyberattacks impact those critical industrial systems; therefore, physical equipment, such as pumps, motors, and pipelines, is at risk when industrial control systems are compromised.

Getting operational data — production volumes, cash register-influencing information — back to the enterprise, cannot be done at the expense of security, because it directly impacts the safety and integrity of the physical equipment.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

I would recommend they start by understanding the requirements, then gaining visibility into their operating environment. As we like to say at Forescout, “you can’t protect what you can’t see.” Security starts with visibility. By gaining visibility into their operating environment and assessing their potential cyber and operational risk, organizations can help limit the severity of these attacks. All it takes to make a start is a network capture of the OT environment to see what kind of devices are connected to the network and how they behave and communicate. This simple assessment can already tell an organization a lot about the potential threats to the environment.

Additionally, I would recommend they emphasize safety as a part of the culture and include cybersecurity as a function of safety.

Ok, thank you. Here is the main question of our interview. What are the “5 Things We Must Do To Protect Critical Industrial Systems From Cyber Attacks” and why?

The 5 things we must do to protect critical industrial systems from cyberattacks boil down to one larger initiative: encouraging organizations to become more cyber resilient. Cyber resilience starts with the continuous application of four activities, all of which align with the five functions of the NIST Cybersecurity Framework (CSF).

The first of these activities that organizations can start with is identifying what cyber assets they have and then assessing the current security and operational risks of each connected asset. This will help determine the security perimeter and interconnectivity. We have seen systems that have been decommissioned but are still connected to the network.

Second, NIST’s CSF Protect function is centered around deploying security controls to reduce the risks and ensure vulnerable assets that are unable to be patched or upgraded are protected. Industrial systems cannot be patched as regularly as IT systems, so we see techniques such as network segmentation to limit unnecessary connectivity being used to protect them until patching is possible.

Next, NIST’s CSF Detect function is about being able to identify threats before they lead to downtime. Passive network monitoring techniques are preferred in sensitive OT/ICS environments to help monitor infrastructure and confirm assets remain in compliance, or alert if they show unwanted behavior. This allows early detection of threats and enables efficient incident response.

The next step of this framework that can help protect critical industrial systems from cyberattack is what NIST CSF calls the Respond and Recover functions. Essentially, this helps apply the appropriate measures to respond to the threat and restore the desired system operation and the network’s cyber resilience. At the IT and OT network perimeter we are seeing more and more automated response actions being taken, so that malware or unwanted remote access doesn’t get to the critical industrial systems.

In addition, the fifth and final step to make this work and protect industrial systems from cyberattacks: the IT security teams, OT asset owners, and network architects need to collaborate as a team and be open to listening and learning from each other to find the approach to securing the sensitive industrial environments.
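The Identify, Protect and Detect steps described in this answer, together with the earlier point that a passive network capture of the OT environment already shows which devices are present and how they communicate, can be illustrated with a small script. The following is an added example written for this page; it is not Forescout's product or the interviewee's own code. It builds an asset inventory purely from observed flow records, then checks each flow against a zone/conduit allowlist and flags the kinds of findings mentioned above: a decommissioned system still on the network, an unidentified source talking to a controller, a controller taking time updates from a host outside any managed zone, and traffic crossing a segmentation boundary the policy does not permit. All addresses, asset names, zones and the sample flows are constructed for the example.

```python
"""Passive OT asset inventory and behaviour checks over constructed flow records.

Added example for this page; not Forescout's or the interviewee's code.
Everything below (addresses, names, zones, policy) is constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed flow summaries as a passive sensor might emit them from a
# capture: (source IP, destination IP, destination port, protocol).
SAMPLE_FLOWS = [
    ("10.10.1.20", "10.10.1.10", 502, "tcp"),    # HMI polling PLC over Modbus/TCP
    ("10.10.1.20", "10.10.1.11", 502, "tcp"),
    ("10.10.1.11", "10.10.1.10", 44818, "tcp"),  # PLC-to-PLC EtherNet/IP
    ("10.10.1.30", "10.10.1.10", 502, "tcp"),    # decommissioned historian still polling
    ("10.10.1.10", "203.0.113.7", 123, "udp"),   # PLC syncing time with an outside host
    ("10.10.9.50", "10.10.1.11", 502, "tcp"),    # unidentified host talking Modbus to a PLC
    ("10.10.2.5", "10.10.1.20", 3389, "tcp"),    # RDP from the IT zone into the OT zone
]

# Hypothetical asset register (what the organization believes it owns).
KNOWN_ASSETS = {
    "10.10.1.10": "plc-turbine-1",
    "10.10.1.11": "plc-turbine-2",
    "10.10.1.20": "hmi-control-room",
    "10.10.1.30": "historian-old",
    "10.10.2.5": "it-jump-host",
}
DECOMMISSIONED = {"10.10.1.30"}

# Hypothetical segmentation model: named zones and the conduits
# (source zone, destination zone, destination port) that policy permits.
ZONES = {
    "ot-control": ip_network("10.10.1.0/24"),
    "it-dmz": ip_network("10.10.2.0/24"),
}
ALLOWED_CONDUITS = {
    ("ot-control", "ot-control", 502),
    ("ot-control", "ot-control", 44818),
    ("ot-control", "ot-control", 123),
}


def zone_of(ip: str) -> str:
    """Map an address to its managed zone, or 'unmanaged' if it is in none."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unmanaged"


def build_inventory(flows):
    """Identify: derive an asset list from traffic alone. Every address seen
    as a source or destination becomes an entry, tagged with the name we
    know it by (or 'unidentified'), its zone, the service ports it answers
    on, and the peers it exchanges traffic with."""
    inventory = {}
    for src, dst, port, proto in flows:
        for ip in (src, dst):
            inventory.setdefault(ip, {
                "name": KNOWN_ASSETS.get(ip, "unidentified"),
                "zone": zone_of(ip),
                "served_ports": set(),
                "peers": set(),
            })
        inventory[dst]["served_ports"].add((proto, port))
        inventory[src]["peers"].add(dst)
        inventory[dst]["peers"].add(src)
    return inventory


def check_flows(flows):
    """Detect: compare each observed flow with the asset register and the
    conduit allowlist. Returns a list of (category, description) findings."""
    findings = []
    for src, dst, port, proto in flows:
        desc = f"{src} -> {dst}:{port}/{proto}"
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src in DECOMMISSIONED or dst in DECOMMISSIONED:
            findings.append(("decommissioned-active", desc))
        if src not in KNOWN_ASSETS and dst in KNOWN_ASSETS:
            findings.append(("unidentified-source", desc))
        if port == 123 and dst_zone == "unmanaged":
            findings.append(("external-time-source", desc))
        if (src_zone, dst_zone, port) not in ALLOWED_CONDUITS:
            findings.append(("conduit-violation", desc))
    return findings


def summarize(findings):
    """Count findings per category for a quick risk overview."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, entry in sorted(build_inventory(SAMPLE_FLOWS).items()):
        print(f"{ip:15} {entry['name']:18} zone={entry['zone']:11} "
              f"ports={sorted(entry['served_ports'])}")
    for category, desc in check_flows(SAMPLE_FLOWS):
        print(f"[{category}] {desc}")
    print(summarize(check_flows(SAMPLE_FLOWS)))
```

Run as-is, the script lists seven assets (the register only knew about five) and reports six findings, three of which are conduit violations. In practice the flow list would come from a span port or tap feed rather than a literal, and the allowlist would be maintained by the OT asset owners and network architects together, which is the collaboration the answer closes on.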

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

Focus on positively impacting people’s lives. Whenever I’m asked “what do you want out of your career,” my response is always the same: when the final chapter is written, I want to have positively impacted people’s lives. So, my challenge to your readers is: what are you doing to positively impact people?

Here is a specific example for your readers to consider for the upcoming holiday season: instead of exchanging gifts this holiday season, use that budget and donate that amount to charity! It does a tremendous amount of good and has a much broader positive impact.

How can our readers further follow your work online?

The best way to follow all the latest updates and news is to visit Forescout’s website at https://www.forescout.com/ or follow Forescout on LinkedIn: https://www.linkedin.com/company/forescout-technologies or Twitter: @Forescout

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is a member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.
