Mike Pedrick Of Nuspire On What We Must Do To Protect Critical Industrial Systems From Cyber Attacks

An Interview With David Leichner

David Leichner, CMO at Cybellum
Authority Magazine
9 min read · Sep 4, 2022

Ransomware attacks have sadly become commonplace and increasingly brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack? In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about what we must do to protect critical industrial systems from cyber attacks. As a part of this series, I had the pleasure of interviewing Mike Pedrick.

Mike Pedrick, VP, Cybersecurity Consulting at Nuspire, has been providing technology, security, compliance and risk management consulting services to organizations across several industries for nearly 20 years. The holder of multiple industry credentials, Mike is an accredited trainer and chapter board member for ISACA, mentoring cybersecurity and risk management professionals.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

My childhood was split up between living with my grandparents and my father in rural upstate New York and my mother, who was serving in the Air Force. I had the tremendous benefit of living in multiple places (including England for a good portion of my high school years) and being raised by multiple generations with unique worldviews. I was an avid reader; I think that I had read nearly everything Stephen King had published up to the start of the ’90s before I’d finished middle school.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

As the IT leader for a manufacturing firm, following a production floor accident, our security program was audited by our insurance provider. I thought I knew all that I needed to know and was doing all of the right things until that audit was performed. After feeling like I’d had my hair lit on fire, I knew I had to get better at cybersecurity and risk management fast. I also came away with the belief that if I didn’t know what I didn’t know, a lot of others in the SMB space might not either. I moved into the consulting world exclusively not long after.

Can you share the most interesting story that happened to you since you began this fascinating career?

The day before Christmas Eve a few years ago, the MSP I was working for experienced a ransomware event within the MSP’s environment as well as hundreds of their clients’ systems. There’s a lot to unpack from that story.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

I like to mentor and try to treat every leadership role I’ve had as an opportunity to share what knowledge and experience I’ve gained over the years. Additionally, I subscribe to the idea that leaders should be willing and ready to roll up their sleeves and do what they’re asking of those in their charge. And, finally, I try to ensure that anyone in my charge knows that I see them as people first — with their own histories, their own priorities and their own perspectives.

Are you working on any exciting new projects now? How do you think that will help people?

For several years now, I’ve been teaching certification preparation classes for the ISACA Denver Chapter. I recently added a new credential to what I teach — which has resulted in an expansion of my repertoire, but also presents challenges from a logistical perspective.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks?

A non-textbook answer… Cyberattacks are initiated against either systems or users for the purposes of obtaining/retrieving non-public information or removing the utility/availability of something. Complex, sophisticated attacks might be performed in multiple steps, incorporating tactics that alternate between systems and users as the target.

Systems-based attacks are often unnoticed by people, but when they are the focus of a social engineering attack, that’s often more obvious for those who know what to look for.

For the benefit of our readers, how would you define a critical industrial system? Can you please explain with some examples?

Perhaps the most recognizable industrial systems are those integral to the delivery of utilities that we rely on in our personal lives. Electricity, water and natural gas get to our homes through a series of systems that we don’t often think about — and I think we often have an expectation that these systems are resilient to the types of attacks we might hear about being launched against, say, financial institutions or medical facilities. There isn’t much sensitive information involved in these systems, but interruption in services is painful. Attackers — nation-state, organized cybercrime and opportunists — are aware of this and are increasingly targeting these systems.

Can you share some examples of recent and notable attacks against critical industrial systems? Why do you think these attacks were so significant?

Famous but less recent, the use of the Stuxnet virus against critical uranium enrichment centrifuges in Iran in 2010 often springs to mind. This event was a wake-up call for a lot of folks who manage critical infrastructure and the subject of many keynote presentations at cybersecurity-related conferences for years to come. A more recent example, however, is the Colonial Pipeline ransomware compromise, which cost the organization millions of dollars and impacted tens of thousands of Americans — fuel prices skyrocketed following the event and even the cybercrime gang that claimed credit for the compromise admitted that their goal was financial, not to cause the severe disruption that resulted. It’s not hard to imagine that the ‘success’ of the Colonial Pipeline attack could be inspirational for other would-be attackers.

Why are critical industrial systems particularly vulnerable to attack?

Simply put, many of these systems are legacy, reliant on aging source code that lacks robust defenses. Such systems may not be maintained any longer, and support professionals may not be immediately available should updates be required. They’re often in places that are not as closely guarded or watched as systems in other industries might be. It’s fair also to say that, for many years, these systems were not targeted based on the perception that there wasn’t much to be gained by doing so.

What makes critical industrial systems such an attractive target for bad actors?

Low risk of being caught, simple and now well-documented attack chains, and a high likelihood of success in the case of ransom-based attacks. Easy money in a lot of cases.

Who has to be most concerned about cyber attacks? Is it primarily businesses or even private individuals?

Ultimately, whether an attack is launched against an individual or a business, at some point, the individual will be affected. Businesses that have to carry insurance policies with high premiums will almost certainly pass those costs along to the consumer via their products or services. Many organizations have been closed forever due to ransomware — for example, an Illinois-based college with almost 160 years of history closed its doors in 2022 following a ransomware event — impacting hundreds of currently-enrolled students and countless more employees, alumni and their families.

Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?

Lean into your incident response plan and notify those on your team that need to know. Operationally, most folks are encouraged not to say anything to anyone; relaying information to the wrong sources can pose additional risk to the organization and, frankly, can redirect careers in an instant.

Beyond that, though, your best friends should be your legal counsel and your insurance provider.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

The basics. Patch management, asset management, access control protocols … and, frankly, a little hubris or willful ignorance in some cases. No organization is ever ‘too small’ or ‘too unimportant’ to be targeted, and not knowing where sensitive data might live or be accessible represents dramatic risk to any company.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

‘Frequency’ and ‘severity’ sound an awful lot like ‘likelihood’ and ‘impact’ — the two primary variables for calculating risk. If I have any advice for tech leaders, it’s to adopt the practice of looking at cybersecurity less as a box-checking exercise and more as a measured risk response acumen. Not all risks need to be mitigated, but there’s no way to know without going through the process. Keep up the good fight, commit to diligence regarding program basics and continue being vigilant.

Ok, thank you. Here is the main question of our interview. What are the “5 Things We Must Do To Protect Critical Industrial Systems From Cyber Attacks” and why?

1. Work to address what we traditionally call technology debt. If older, outdated or legacy systems can be updated, update them. If they can’t, implement compensating measures to isolate them further from risk, including borderline fanatical logical separation between network segments.

2. Harden the humans in the environment. Focus on effective awareness training and culture of healthy suspicion initiatives that will empower users to recognize when they’re under attack or instances where their actions can pose undue risk to the organization — and have ready access to the mechanisms and channels through which they can report or act on such cases.

3. Hold vendors and suppliers to the same or higher standard. As in the business world, in critical industrial and/or infrastructure environments, there are many teams and stakeholders involved. Some of these include third-party organizations providing key products or services. Don’t automatically trust these organizations and continue to maintain a healthy skepticism of their own posture throughout the relationship. ‘Trust but verify’ should probably be revised to ‘verify before trust.’

4. Continually identify, prioritize and address vulnerabilities. Enact — and work to continually improve — vulnerability management protocols across *all* systems, platforms and applications. Prioritize action items and commit to following through on those efforts. Leverage third-party penetration testing to validate the efficacy of the vulnerability management process.

5. Make security a cultural acumen, not an unending chore. Bake risk management focus into all operational efforts, no matter how comprehensive or perceptibly trivial. Resist the urge to allow convenience to increase risk without careful consideration of potential impacts.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

Call me an idealist, but I envision a day when all of the world’s governments and law enforcement agencies have a concerted, unified approach to attribution when it comes to cybercrime — and a measured approach for swift retribution. Cynically, I think that all of the mechanisms that might make this feasible will be dangerous for the law-abiding, innocent denizens of the internet while not fully addressing cybercrime and nation-state attackers. I would like to hope that, in this utopian future where our world leaders can somehow set their differences aside long enough to work against cybercrime, they can also lean into protecting the rights and privacy of the average individual.

How can our readers further follow your work online?

I can always be found on LinkedIn at https://www.linkedin.com/in/mpedrick or through Nuspire’s incredible feed.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is the Chairman of the Friends of Israel and Member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.
