Stephen Shoaff of 443ID On What We Must Do To Protect Critical Industrial Systems From Cyber Attacks
An Interview With David Leichner
Ransomware attacks have sadly become commonplace and increasingly brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by Ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a Ransomware attack? In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about what we must do to protect critical industrial systems from cyberattacks. As a part of this series, I had the pleasure of interviewing Stephen Shoaff.
Stephen has a proven track record building and leading tech companies of all growth stages from pre-revenue startups, VC funded, Private Equity backed, through successful IPO. His strengths are identifying and executing on strategic priorities, building winning teams by attracting and retaining top talent and driving significant growth for successful exits. He is an industry expert in Identity Management and Security. Stephen currently serves as the CEO and Co-Founder of 443ID, an Identity Security SaaS provider. Prior to co-founding 443ID, Stephen served as the Chief Product Officer and GM of SaaS at Ping Identity (NYSE: Ping), an Enterprise SaaS and Software provider of Intelligent Identity Security solutions for the Fortune 1000 and Global 2000 Enterprise Market. He joined Ping via the acquisition of UnboundID, a Consumer Identity Management company he co-founded and served as CEO.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I’m not sure, as this could be an easy phishing test… Regardless, I’ll take the leap and share that I grew up in the United States as part of a traditional family. My dad was an officer in the Navy and my mom was a school teacher. I received my degree in computer science from George Mason University, a public university in Virginia.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I think my dad’s career got me interested in all things security. “If I told you, I would have to kill you,” was my dad’s daily answer to how his day was when I was young. I’m sure he was joking, but that Navy “loose lips sink ships” mantra was definitely instilled from an early age. The cyber aspect of this hit home for me while I was a computer science student at George Mason University. One of my professors made every student come to her office to compile and demonstrate the completion of an assignment. I showed up, sat down and logged in at the only workstation in the room, hers, and got started. At the end, she told me I had passed the assignment but failed her security test as she had just stolen my credentials! Lesson learned, and my career as a paranoid cybersecurity professional formally began.
Can you share the most interesting story that happened to you since you began this fascinating career?
I have many stories since the onset of my career; almost too many to share. I will say I’ve been extraordinarily blessed to work with amazing people at iconic companies like Netscape and Sun Microsystems. Jim Barksdale, Ed Zander and Greg Lavender are amazing leaders who I learned a lot from, especially Greg who is now the CTO of Intel. Amazing guy.
You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
- As a CEO, I’ve found these four things to be most important:
- Attract and retain top talent;
- Make your vision the team’s vision;
- Keep the vision consistent; and
- Remember the field is always ahead of headquarters.
- These four leadership traits have stood the test of time in pre-revenue startups, large private and large public companies. I’ll focus my storytelling on the last two points. I worked in an organization where admiration for people trumped execution and solid business decision-making. All of a sudden, we acquired companies not core to the vision. Worse, our spending to buy these companies seriously impeded our ability to execute. Leaders get to meet many people, and some of them are truly amazing. But don’t let your admiration for their smarts blow up your organization or execution. Value the people that get stuff done, like your field personnel rather than the smartest person in the room. Also realize that it’s rare that the smartest, most charismatic person in the room is most important to getting things done. Execution requires hard work and accountability. I’ve found charisma and polish to be contra-indicators to execution at the most senior levels of leadership.
Are you working on any exciting new projects now? How do you think that will help people?
Oh yes. I’m very excited about my current project. Identity and Access Management (IAM) is a $60+ billion USD market which has seen tremendous innovation in how you and I log into websites and user profiles. The possibility of killing the password is becoming more viable too, which will be great. However, the focus has almost exclusively remained on access, not identity. The question, “Can this person log into this system?” has become more important than first determining “Is this person who they claim to be?” and “Does their current level of risk support giving them access?”. Today, I can access anything with the correct username/password/multi-factor authentication (MFA) combination with no real need to validate my identity or trustworthiness. Knowing the right password doesn’t prove your identity. In fact, the most common hack in 2022 involved the use of stolen credentials to steal data. What type of data? More credentials!
My current company has brought together the power of Open Source Intelligence (OSINT) and IAM to answer the “Who is this?” and “Are they worthy?” questions: the Identity part of IAM. After all, the what, when, where, why and how of something are all nonsensical without the “who”. Remember, my mom was a school teacher so I’m a victim of the 5W’s and H! Imagine writing something with no subjects or nouns. Turns out, “who” is the anchor for everything else. I can’t imagine trying to make critical security decisions without more confidently establishing the identity of the actors involved.
In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks?
- I’ll focus on the most prevalent: account-based attacks. These are just some attacks that look to leverage a legitimate account for illegitimate purposes.
- Registration Fraud is in the news today with Elon’s abandonment of Twitter. Bots and other fraudulent, fake accounts make the platform less valuable.
- Login Fraud is getting unauthorized access via compromised credentials. This can be something as simple as sharing credentials to a full-fledged use of stolen credentials; hackers access lists of stolen passwords to perform credential stuffing attacks; phishing attacks are on the rise. This nefarious activity aims to gain illegitimate access to a user or machine account.
- Promotion Fraud is a specific type of registration fraud that has a negative impact on organizations. We are all familiar with getting a perk or benefit when we create an account. Promotion fraud is creating multiple accounts to repeatedly get some benefit. It costs organizations large amounts of money and riddles their systems with fake accounts created exclusively to get some benefit.
- Bot exploitation of real accounts is another emerging threat vector related to promotion or platform fraud. For example, I signed up for a premium account giving me some service of value. Then I program a bot to use my account to programmatically get this value and use it at scale somewhere else.
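The account-based attacks listed above leave recognizable traces in authentication and registration logs. The following is an added example (not code from 443ID or the interviewee) of detection logic for two of them: credential stuffing, where one source tries many different usernames with mostly failures, and a registration burst, where one source creates several accounts in a short window. The log format, the thresholds, the IP addresses and the log lines themselves are all constructed for the example.

```python
"""Detecting account-based attacks in authentication logs.

Added example for this interview; it is not code from 443ID or the
interviewee. The log format below is an assumption: one event per line,
"timestamp kind source_ip username result", with kind in {login, register}.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Three sources: 203.0.113.9 sprays many usernames
# (credential stuffing, with one hit at the end), 198.51.100.7 registers
# several throwaway accounts in a row (registration / promotion fraud), and
# 192.0.2.44 is a real user who mistyped a password once.
SAMPLE_LOG = """\
2022-11-15T10:00:01Z login 203.0.113.9 alice fail
2022-11-15T10:00:02Z login 203.0.113.9 bob fail
2022-11-15T10:00:02Z login 203.0.113.9 carol fail
2022-11-15T10:00:03Z login 203.0.113.9 dave fail
2022-11-15T10:00:03Z login 203.0.113.9 erin fail
2022-11-15T10:00:04Z login 203.0.113.9 frank fail
2022-11-15T10:00:04Z login 203.0.113.9 grace fail
2022-11-15T10:00:05Z login 203.0.113.9 heidi fail
2022-11-15T10:00:06Z login 203.0.113.9 ivan success
2022-11-15T10:01:00Z login 192.0.2.44 alice fail
2022-11-15T10:01:09Z login 192.0.2.44 alice success
2022-11-15T10:05:00Z register 198.51.100.7 promo_a success
2022-11-15T10:05:30Z register 198.51.100.7 promo_b success
2022-11-15T10:06:10Z register 198.51.100.7 promo_c success
2022-11-15T10:07:45Z register 198.51.100.7 promo_d success
"""


def parse_log(text):
    """Parse the assumed log format into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, ip, user, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "kind": kind, "ip": ip, "user": user, "result": result,
        })
    return sorted(events, key=lambda e: e["ts"])


def _by_ip(events, kind):
    groups = defaultdict(list)
    for e in events:
        if e["kind"] == kind:
            groups[e["ip"]].append(e)
    return groups


def detect_credential_stuffing(events, window_s=60, min_users=5, min_fail_ratio=0.8):
    """Flag a source that tries many *different* usernames with mostly
    failures inside a sliding window. A single user retrying their own
    password does not trip this because the distinct-user count stays at 1."""
    findings = {}
    for ip, evs in _by_ip(events, "login").items():
        for i in range(len(evs)):
            j = i
            while j < len(evs) and (evs[j]["ts"] - evs[i]["ts"]).total_seconds() <= window_s:
                j += 1
            window = evs[i:j]
            users = {e["user"] for e in window}
            fails = sum(1 for e in window if e["result"] == "fail")
            if len(users) >= min_users and fails / len(window) >= min_fail_ratio:
                # Record which accounts the attacker actually got into: those
                # are the credentials to reset first.
                findings[ip] = {
                    "distinct_users": len(users),
                    "fail_ratio": round(fails / len(window), 2),
                    "compromised": sorted(e["user"] for e in window if e["result"] == "success"),
                }
                break
    return findings


def detect_registration_burst(events, window_s=600, min_accounts=3):
    """Flag a source that creates several accounts in a short window, the
    pattern behind registration and promotion fraud."""
    findings = {}
    for ip, evs in _by_ip(events, "register").items():
        ok = [e for e in evs if e["result"] == "success"]
        for i in range(len(ok)):
            j = i
            while j < len(ok) and (ok[j]["ts"] - ok[i]["ts"]).total_seconds() <= window_s:
                j += 1
            if j - i >= min_accounts:
                findings[ip] = {"accounts": [e["user"] for e in ok[i:j]]}
                break
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential stuffing:", detect_credential_stuffing(evs))
    print("registration bursts:", detect_registration_burst(evs))
```

The distinct-username count is what separates stuffing from a legitimate user fumbling a password: the real user at 192.0.2.44 fails once and succeeds once against a single account and is never flagged, while the spraying source is flagged on its first window and the one account it got into is reported for immediate reset. Thresholds are deliberately simple; in production they would be tuned per application and combined with device or network reputation signals.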
For the benefit of our readers, how would you define a critical industrial system? Can you please explain with some examples?
- First, it’s important to acknowledge that attacks on industrial systems are usually about control, not data. Control systems and embedded controllers are attractive targets in today’s hyper-IoT world. Everything is connected, which means everything can become a point of attack. For example, a smart vending machine became the point of entry to attack a NY office building, causing severe monetary damage from loss of work while the building couldn’t be used.
- While most industrial control systems are deemed critical, I like to categorize these as life/death, economic or convenience systems. Water processing, power and safety systems can result in human death or danger when compromised. For example, hacking a power grid may not seem like a life and death attack unless a hospital is involved. Just read 5 Days at Memorial by Sheri Fink if you want to understand the absolute horror a lack of power can bring to critical care environments. This particular example was an act of nature but most electrical grids around the world are vulnerable to shutdown via cyber attacks.
- There are lots of examples we could discuss but folks should generally be aware that these types of attacks are about gaining control via one or more connected systems. The groundwork for an attack can take place during the manufacturing process too, so be mindful about the country of origin and manufacturer of any system you put on your network. I would also recommend implementing bandwidth constraints on anything connected to your network. Don’t give your vending machine too big of a pipe a hacker can use.
Can you share some examples of recent and notable attacks against critical industrial systems? Why do you think these attacks were so significant?
The US Department of Justice recently charged three Iranians with hacking hundreds of “local governments, state governments, transportation companies, aerospace, power utility companies and even a domestic violence shelter” in an effort to extort ransomware payments.
The Colonial Pipeline attack from 2021 is a particularly notable one. Not only was it a ransomware attack that cost millions of dollars but it also created significant disruption to life on the East Coast. This was a significant attack because it stemmed from a compromised set of credentials rather than a direct system intrusion attack — all the more illustrating why it is important to focus on account-based attacks.
Why are critical industrial systems particularly vulnerable to attack?
- Visibility, availability and vulnerability. High-value, highly visible targets are more likely to be attacked because of the attention they draw. The sheer number of connected systems found in an industrial setting creates several vectors of attack. The age, complexity and lack of investment in many of these environments create challenges to secure them. Finally, it can be hard to identify the most vulnerable links in these incredibly complex chains found in large scale industrial systems.
- In the US, the sheer number of utility providers and suppliers also makes these segments attractive targets. We don’t have large, nationally owned utilities which means hackers have lots of smaller, local targets with very different degrees of expertise and information sharing.
What makes critical industrial systems such an attractive target for bad actors?
They are attractive targets because corporations have the ability to pay higher ransomware amounts than most individuals, and a large, public attack can dramatically increase the pressure to pay. I’ve read that the average ransomware payment is now approaching $1 million US and has risen by 71%. While that average payment seems high to me, successfully compromising a large industrial system can undeniably result in a substantial payout.
Who has to be most concerned about cyber attacks? Is it primarily businesses or even private individuals?
Businesses and highly valued or highly visible individuals, for the reasons listed above, need to be aware. Anyone who offers a critical service or would pay a ransom to make their troubles go away is a prime target.
Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?
Call your State’s Attorney general office if you are in the United States, and check out https://fightcybercrime.org for useful resources. You could also call the FBI or an organization that specializes in forensic cybersecurity. Victims have to immediately deal with limiting the current scope of the damage, getting back up and running, protecting evidence — which can be helpful in recovering any ransom payments or a prosecution — and finally, improving security to prevent repeat attacks.
What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?
Having poor Identity Management and firmware management are common mistakes. You have to regularly patch your systems and keep them up to date; failure to do so will bite you. Over provisioning access is another mistake. Don’t give people or systems more access than they need. Improve real-time monitoring and alerting of all your systems so you can detect changes or anomalies like bandwidth used, new connections, etc. Use two-factor authentication, don’t share passwords and invest in risk and fraud services, like 443ID, that can help identify risky actors before they attempt to login.
What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?
- The government needs to continue building international pressure to catch and more severely punish bad guys. That means holding other governments accountable. Russia, China, North Korea and Iran can’t continue to be safe havens for hacker organizations. That’s going to be a tough one given how dependent we have made ourselves on China. In the US, State Attorney General’s offices need to become experts and trusted resources for victims of cyber attacks.
- Industry will continue to improve our security capabilities and training but we need to remember that this will be a constant good guy versus bad guy, cat and mouse environment. Constant vigilance will be required.
Ok, thank you. Here is the main question of our interview. What are the “5 Things We Must Do To Protect Critical Industrial Systems From Cyber Attacks” and why?
- Identity Access Management. Invest in modernized IAM platforms that protect user accounts and logins. Look for systems that offer MFA, Zero Trust architecture and emerging techniques, like OSINT, to secure user logins. The Colonial Pipeline attack discussed above is a good example of why this is critically important. Account-based attacks are becoming more and more prevalent so protecting user accounts through a variety of techniques can be helpful in combating those attacks.
- Privileged Access Management (PAM). Reduce the use of shared credentials and use a PAM solution if you are required to do so. These shared credentials are a key area of risk as they give access to systems and accounts. Days before the Super Bowl, a hack was detected at a water treatment plant in Florida; while it was quickly mitigated, it stemmed from compromising an account that used a shared password.
- Firmware and Patch management. Keep all systems fully patched with the latest updates, including firmware, as manufacturers frequently release security updates for their devices. The Conti Ransomware group is responsible for several attacks on organizations and is known to exploit firmware vulnerabilities to facilitate attacks. A few years ago, researchers discovered that many healthcare devices are still operating on outdated operating systems, leaving them vulnerable to attack.
- Network Management. Separate critical network traffic. There is never a reason your vending machine, room thermostat or coffee maker should be on the same network as your industrial systems. While some of the security postures of these IoT devices may not seem all that important at first, it’s important to remember that if they are on the same network as the critical infrastructure they can be the origin of the attack. One of the classic examples of this is the university where an attacker compromised a vending machine, then took over their smart light bulbs to eventually bring the entire campus network down.
- Security Information Event Monitoring (SIEM). Inspect everything, all the time. Invest in a great SIEM platform with strong monitoring, alerting and reporting, so you can confidently monitor everything connected to your network and detect changes in device behavior, which would indicate a potential attack. The world moves quickly — new exploits and vulnerabilities are happening all the time. In addition to doing what you can to protect yourself, it is important to keep an eye on what’s happening inside your systems so any abnormal activity can be stopped and mitigated as quickly as possible.
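The network management and SIEM points above come down to knowing what each connected device normally does and alerting when it deviates. The following is an added example (not code from 443ID, the interviewee, or any SIEM product) that learns a per-device baseline from flow records and then flags three deviations in an observed window: a peer the device has never talked to, a flow from the building IoT segment into the industrial control segment, and a bandwidth spike well above the learned rate. The flow-record format, the subnets, the device addresses and the flow lines are all constructed for the example; TCP 502 is the standard Modbus port.

```python
"""Baselining IoT device network behaviour and flagging deviations.

Added example for this interview; not code from 443ID, the interviewee, or
any SIEM product. The flow-record format is an assumption: one record per
line, "timestamp src_ip dst_ip dst_port bytes" (the shape a firewall or
NetFlow export could be reduced to). Subnets and devices are constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed topology: building IoT devices live in 10.20.0.0/24, the
# industrial control segment is 10.10.0.0/24. The vending machine
# (10.20.0.5) and a thermostat (10.20.0.6) normally only talk to their
# vendors' cloud endpoints.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
OT_SEGMENT = ipaddress.ip_network("10.10.0.0/24")

# Three minutes of normal traffic used to learn the baseline.
BASELINE_FLOWS = """\
2022-11-15T09:00:00Z 10.20.0.5 198.51.100.20 443 2000
2022-11-15T09:01:00Z 10.20.0.5 198.51.100.20 443 2000
2022-11-15T09:02:00Z 10.20.0.5 198.51.100.20 443 2000
2022-11-15T09:00:00Z 10.20.0.6 198.51.100.30 8883 500
2022-11-15T09:01:00Z 10.20.0.6 198.51.100.30 8883 500
2022-11-15T09:02:00Z 10.20.0.6 198.51.100.30 8883 500
"""

# One later minute: the vending machine starts talking to a host on the OT
# segment on TCP 502 (the Modbus port) and moves far more data than usual.
OBSERVED_FLOWS = """\
2022-11-15T14:30:00Z 10.20.0.5 198.51.100.20 443 2100
2022-11-15T14:30:20Z 10.20.0.5 10.10.0.15 502 45000
2022-11-15T14:30:00Z 10.20.0.6 198.51.100.30 8883 480
"""


def parse_flows(text):
    """Parse the assumed flow format into dicts with typed addresses."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port), "bytes": int(nbytes),
        })
    return flows


def build_baseline(flows, minutes):
    """Per source device: the set of (dst, port) peers seen and the average
    bytes per minute over the learning period of `minutes` minutes."""
    peers = defaultdict(set)
    total = defaultdict(int)
    for f in flows:
        peers[f["src"]].add((f["dst"], f["port"]))
        total[f["src"]] += f["bytes"]
    return {src: {"peers": peers[src], "bytes_per_min": total[src] / minutes}
            for src in peers}


def detect_anomalies(baseline, flows, minutes, spike_factor=5.0):
    """Compare an observed window of `minutes` minutes against the baseline.
    Three signals: a peer never seen before, a flow from the IoT segment into
    the OT segment (impossible if the segments are really separated), and a
    bandwidth spike beyond spike_factor x the learned rate."""
    findings = defaultdict(list)
    observed_bytes = defaultdict(int)
    for f in flows:
        src, peer = f["src"], (f["dst"], f["port"])
        observed_bytes[src] += f["bytes"]
        known = baseline.get(src, {"peers": set()})["peers"]
        if peer not in known:
            findings[src].append(("new_peer", f"{f['dst']}:{f['port']}"))
        if src in IOT_SEGMENT and f["dst"] in OT_SEGMENT:
            findings[src].append(("crosses_ot_segment", f"{f['dst']}:{f['port']}"))
    for src, nbytes in observed_bytes.items():
        rate = nbytes / minutes
        learned = baseline.get(src, {}).get("bytes_per_min")
        if learned and rate > spike_factor * learned:
            findings[src].append(("bandwidth_spike", f"{rate:.0f} B/min vs {learned:.0f} B/min"))
    # Plain string keys so results are easy to log or assert on.
    return {str(src): sorted(v) for src, v in findings.items()}


def analyze(baseline_text=BASELINE_FLOWS, observed_text=OBSERVED_FLOWS):
    baseline = build_baseline(parse_flows(baseline_text), minutes=3)
    return detect_anomalies(baseline, parse_flows(observed_text), minutes=1)


if __name__ == "__main__":
    for device, alerts in analyze().items():
        for kind, detail in alerts:
            print(f"{device}: {kind} {detail}")
```

The thermostat produces no findings because it keeps talking to its one known peer at roughly its usual rate, while the vending machine trips all three checks at once. The segment-crossing check is the one that should never fire on a properly segmented network; if it does, the alert is evidence that the separation the Network Management point calls for is not actually in place, not just that a device is misbehaving.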
If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)
Make Identity the centerpiece of Internet Security. I feel that any solution is better when Identity is fundamental to its design. I also feel like we missed an opportunity to build Identity into IPv6. Imagine if every packet on the Internet came in two flavors: anonymous or identity verified. This could really help protect people online and make the entire system more trustworthy.
How can our readers further follow your work online?
You can follow what my team and I are working on by checking out 443ID on any of the platforms you are on — LinkedIn, Twitter, etc or checking out our company blog at 443ID.com.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!
About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is the Chairman of the Friends of Israel and Member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.