Ports, Cranes, and Zero Trust: Defending U.S. OT — w/ Booz Allen’s Brad Medairy & Dave Forbes
Season 2 Episode 32 •Show Notes
In this episode of Cyber Focus, Frank Cilluffo is joined by Brad Medairy, Executive Vice President at Booz Allen Hamilton, and Dave Forbes, who leads Cyber Physical Defense for the firm. Together, they unpack their joint report with the McCrary Institute, Anchored in Zero Trust, examining the cybersecurity vulnerabilities of U.S. ports. The conversation explores China’s cyber activities, the significance of Volt Typhoon, and the risks posed by Chinese-made cranes operating at American ports. They highlight how economic and national security intersect at ports, the unique challenges of operational technology (OT), and why zero trust must become more than a buzzword. The discussion also looks ahead at how critical infrastructure sectors can harden defenses, reduce tech debt, and build resilience against persistent adversaries.
Main Topics Covered
- China-linked cyber threats to U.S. ports.
- Risks from Chinese-made cranes; ports as a “one connected battle space.”
- OT basics: know your assets, segment networks, lock down vendor access.
- Zero Trust for OT: assume breach, pilot fast, scale what works.
- Why port disruptions matter: major economic ripple effects; plan and drill.
- What’s next: adversarial AI and stronger public-private collaboration.
Key Quotes
“Our adversary doesn’t see the United States infrastructure environment as a Department of Defense, [or] as a global economy, [or] as a Department of Transportation. They see one connected battle space with a great number of… seams that they want to exploit.” – Dave Forbes
“There’s no real intelligence value in terms of what [China was] doing [with Volt Typhoon]. They were pre-staging capabilities in the US critical infrastructure. And the only real explanation is to achieve some sort of potential future kinetic effect.” – Brad Medairy
“It doesn’t need to be a devastating attack. It needs to be a disruption. It needs to be a distraction. It needs to be something that we’re worried about… throwing things off balance on our economy and national security posture. – Dave Forbes
“Our adversaries don’t look at our nation in isolation… They look at our nation as one holistic battle space… So if we flip that… I’m not sure any of us can solve this problem alone, but together we’re stronger. – Brad Medairy
“[W]e’ve been able to remediate [Volt Typhoon] in certain cases… That was just step one. This is going to be forever… it’s going to be a game of cat and mouse for years to come.” – Brad Medairy
Relevant Links and Resources
- Booz Allen Hamilton Cybersecurity
- Anchored in Zero Trust: Report ‘Fast Facts’
- Anchored in Zero Trust: Full Report
Guest Bios
Brad Medairy is an Executive Vice President at Booz Allen, where he leads the firm’s cyber practice. He is also a Senior Fellow at the McCrary Institute for Cyber and Critical Infrastructure Security, co-leading research efforts on China and cyber threats.
Dave Forbes leads Cyber Physical Defense at Booz Allen and was a primary contributor to the Anchored in Zero Trust report. His work focuses on bridging physical and cyber domains to strengthen critical infrastructure protection.
Transcript
1
00:00:00,000 –> 00:00:01,000
Dave Forbes [00:00:00]: Our adversary doesn’t see the United States infrastructure environment as a Department of Defense, as an, as a global economy, as a Department of Transportation. They see one connected battle space with a ton of, with, with a great number of seams. Port is really the textbook example. Approximately 80% of cranes that we use at U.S. ports are purchased from Chinese companies.
2
00:00:01,000 –> 00:00:02,000
Frank Cilluffo [00:00:25]: Welcome to Cyber Focus from the McCrary Institute where we explore the people and ideas shaping and defending our digital world. I’m your host Frank Cilluffo and this week we have a special episode with two guests to go over a report we recently did jointly with Booz Allen and Hamilton. And it is on Anchored in Zero Trust looking at the role that our ports and port security, the significance and how we can translate some of the nouns into the verbs. Today we have Brad Medairy who is an executive vice president and leads all of Booze’s cyber efforts. Dare I say he’s also a senior fellow at the McCrary Institute, co leading an effort we’re doing on all things China. Joining Brad, we also have Dave Forbes who is a whirling dervish, getting a lot of the work done in the paper itself, doing some amazing work and he runs the physical and cyber practice at Booze. Brad, thanks for joining us. Dave, thanks for joining us.
3
00:00:02,000 –> 00:00:03,000
Frank Cilluffo [00:01:22]: So I thought we’d start with putting the paper into context. And, and this isn’t just coming up with an idea of a vulnerability. We, we have endless vulnerabilities, but this is something that’s imminent, it’s here, it’s now, and there’s a bad actor who’s driving some of this, so dare I say the People’s Republic of China. But, but Brad, maybe to help us put it into context, the typhoons and why did we zero in on the zero trust issue?
4
00:00:03,000 –> 00:00:04,000
Brad Medairy [00:01:50]: So putting the paper in context of China and the cyber activity, I think it’s important that we kind of look at some of the key wave tops over the past few years. So as we look at the Chinese cyber activity and the cyber threat, I think a few things. One, I think it’s marked by growing sophistication. We’ve seen an accelerated evolution of their TTPs. CISA released a great report around their living off the land TTPs. And so the Chinese are growing in sophistication. So I think one is we’ve seen them continue to accelerate their tradecraft and making them harder to detect. Second, I would say it’s escalation.
5
00:00:04,000 –> 00:00:05,000
Brad Medairy [00:02:39]: And as we saw with the typhoons, we saw the Chinese going after the defense industrial base. And we’ve seen that for years in terms of IP theft. We saw with Salt Typhoon attacking or going after the telecommunication infrastructure. And probably the most alarming is what we’ve seen in terms of the tax against the or the pre staging of capabilities against the US critical infrastructure, Volt Typhoon. And from my perspective Volt Typhoon is probably the most significant because there’s no real intelligence value in terms of what they were doing. They were pre staging capabilities in the US critical infrastructure. And the only real explanation is to achieve some sort of potential future kinetic effect.
6
00:00:05,000 –> 00:00:06,000
Frank Cilluffo [00:03:33]: You know, and that’s line one in our report is they’re already inside US infrastructure. So, and I think Volt Typhoon was a great example and a wake up call because to your point, we’ve seen intelligence preparation in the battlefield for many years, but this is living off the land, in the system. So this isn’t a tomorrow issue, this is a here and now issue.
7
00:00:06,000 –> 00:00:07,000
Brad Medairy [00:04:00]: Yeah, 100%. You know, the adversary, they’re behind the walls. And you know, we talk a lot about advanced persistent threats and we tend to focus on, on the advanced and the threat piece, right? You know, we talked about living off the land, that goes to the advanced techniques, the threat in terms of the impact that they can pose on the infrastructure. But I think the key thing in my mind is the P, which is persistence, and this adversary is persistent, meaning that we’re in a forever war in cyberspace. The adversary is going to continue to look to embed themselves in our infrastructure. They’re going to continue to evolve their capabilities.
8
00:00:07,000 –> 00:00:08,000
Brad Medairy [00:04:43]: It’s not like we figured out Volt Typhoon, we’ve been able to remediate it in certain cases and then they’re just going to go away. That was just step one. This is going to be forever. And so I think that we just need to prepare for the long haul here and you know, we need to continue to up armor our cyber defense infrastructure and our cyber defense posture and you know, it’s going to be a game of cat and mouse for years to come.
9
00:00:08,000 –> 00:00:09,000
Frank Cilluffo [00:05:10]: Awesome. And Dave, to pull you into the discussion, there have been some reports on ZPMC and other concerns with our cranes, surface the shore cranes. But why ports?
10
00:00:09,000 –> 00:00:10,000
Dave Forbes [00:05:22]:
11
00:00:10,000 –> 00:00:11,000
So we went right into this discussion talking about protecting critical infrastructure, right? And ports are critical infrastructure. When we talk about the threat landscape, the cyber threat landscape at Booz Allen, we talk about one connected battle space. And that’s a really important context I think to bring up early on in this discussion. One connected battle space means that our adversary, okay, doesn’t see the United States infrastructure environment as a Department of Defense, as an, as a global economy, as a Department of Transportation, they see one connected battle space with a ton of, with, with a great number of seams, right, seams that they want to exploit.
12
00:00:11,000 –> 00:00:12,000
Dave Forbes [00:06:04]: And when I look at the port environment, port is really the textbook example of one connected battle space. Okay? Ports as critical infrastructure, it’s, you know, they represent how we move material, how we move equipment. It’s the nexus of economy and national security. In some scenarios, it’s, ports are key factors in how we move national security equipment and personnel, right? So approximately 80% of cranes that we use at US ports, right, material handling equipment are purchased from Chinese companies.
13
00:00:12,000 –> 00:00:13,000
Dave Forbes [00:06:40]: So when you bring together this idea of protecting critical infrastructure in a Volt Typhoon environment, furthermore, in an increasingly connected world where platforms and infrastructure are now talking to each other, you’ve got a bigger problem on your hands that needs to be looked at closely.
14
00:00:13,000 –> 00:00:14,000
Frank Cilluffo [00:06:58]: Absolutely. And I love how you painted it in the Volt Typhoon, because sometimes we look at these issues as disconnected. And, and I also love the fact that, I like to say our government tends to look at the world through its own boxes and org charts, its own authorities, understandably, to one extent or another. But that’s not the case with, with our adversaries. And just to put a fine point on it, we’re saying it impedes, it has the potential to impede the ability to project power, deploy forces, move material, move people. And not only on the defense side, but economically, how, how significant are US ports to our economy?
15
00:00:14,000 –> 00:00:15,000
Dave Forbes [00:07:36]: Well over $2.1 trillion of our economy on an annual basis is dependent on port throughput, right? The, the United States intermodal transportation…
16
00:00:15,000 –> 00:00:16,000
Frank Cilluffo [00:07:45]: Trillion?
17
00:00:16,000 –> 00:00:17,000
Dave Forbes [00:07:46]: Yeah, trillion dollars.
18
00:00:17,000 –> 00:00:18,000
Frank Cilluffo [00:07:47]: Let that sink in.
19
00:00:18,000 –> 00:00:19,000
Dave Forbes [00:07:48]: The United States intermodal transportation system is on a daily basis at the center of throughput of goods and services to the United States. So let me also kind of, when we’re talking about critical infrastructure, cybersecurity, yeah, we sit here and we talk about and prepare for responding to potentially devastating attacks. But it doesn’t need to be a devastating attack. It needs to be a disruption. It needs to be a distraction. It needs to be something that we’re worried about. So 80% of cranes that we use on a daily basis at every port, you take the port of Long Beach, right, the largest port on the West Coast. It doesn’t take a lot to make you worry about throwing things off balance on our economy and national security posture.
20
00:00:19,000 –> 00:00:20,000
Frank Cilluffo [00:08:34]: And then if we just look back to COVID, how significant that was from a supply chain, but Brad, jump in.
21
00:00:20,000 –> 00:00:21,000
Brad Medairy [00:08:40]: Yeah. Well, let me comment on COVID. Um, if you think about, like, you know, back, back in the COVID days, you know Frank, you and I were talking about just the impact it had on us personally. And, you know, I remember, you know, during COVID you know, we were all stuck at home. You know, I wanted to buy a bike, and I went to the shop, and they’re like, well, you can get a bike in probably 12 to 18 months, because, you know, it’s, it’s floating, it’s floating on a ship, and we’re not sure when it can actually get into port.
22
00:00:21,000 –> 00:00:22,000
Brad Medairy [00:09:07]: And so cyber effects can certainly have economic and affect us as a society. But one of the points I wanted to bring up was really the impact of ports on national security. And, you know, I think one of the phrases that I’ve heard that I love, cybersecurity is national security. And one of the reasons that this paper we vectored in on ports is because ports are really so strategic to us in terms of our military readiness and national security. You know, the Department of defense, they identify 22 strategic ports, you know, as, you know, as, you know, essential to operations. And 17 of those are commercial ports. And as Dave talked about, those commercial ports are using, you know, OT equipment, some of it is running Chinese software, and it’s vulnerable and, you know, impact on, you know, a cyber, a major cyber event, as we’ve seen in Singapore, as we’ve seen in Seattle, where there was a ransomware attack that certainly disrupted port operations. Those ports get disrupted in wartime, it’s going to impact our ability to fight and impact our military readiness.
23
00:00:22,000 –> 00:00:23,000
Frank Cilluffo [00:10:20]: Which is everything. I mean, there’s the old adage, amateurs talk strategy, professionals, logistics. But at the end of the day, ports are at the hub of all logistics.
24
00:00:23,000 –> 00:00:24,000
Dave Forbes [00:10:27]: Definitely.
25
00:00:24,000 –> 00:00:25,000
Brad Medairy [00:10:28]: Definitely.
26
00:00:25,000 –> 00:00:26,000
Frank Cilluffo [00:10:29]: If you can’t move people, food, equipment, game over. And looking at the risk landscape, ransomware is obviously not only a port concern, it’s literally democratized cyber risk. But, but anything unique to the ports, in addition to cranes?
27
00:00:26,000 –> 00:00:27,000
Dave Forbes [00:10:50]: Well, I think that to that point, the ports are a center of a whole string of other infrastructure. Okay, so it’s the, it’s the equipment, the transportation system, and the goods that come into the port that, that get uploaded onto maritime vessels. And then at the other end, it’s the throughput and output on the other port. So every, this, the supply chain is represented at the port. And it’s also important to note that we’ve, we’ve identified the maritime port as a use case. Right? It’s, it’s one use case in our transportation system, in our supply chain that we’re examining. But these problems around protecting vertical infrastructure in this environment, they run into other parts of the supply chain.
28
00:00:27,000 –> 00:00:28,000
Frank Cilluffo [00:11:35]: Really good point. And I want to pull that thread in two different ways, both from a zero trust perspective, but first from an OT perspective. And I, you can’t escape our podcast without a brief discussion around operational technology, but shed some light on that, Brad.
29
00:00:28,000 –> 00:00:29,000
Brad Medairy [00:11:53]: Yeah, let’s talk, I mean, let’s think about, you know, the cybersecurity journey that we’ve been on for the last 20 years. You know, it really started with us getting control of the enterprise. And you know, in the enterprise cybersecurity, we really focused on, you know, understanding the environment and be able to bound the cybersecurity risk. Now that got complicated as the attack service continued to expand. We saw cloud, mobile, SaaS, and now everything is connected, you know, through 5G and you know, other types of comms, right? So, you know, the, we spent years trying to bound the enterprise environment.
30
00:00:29,000 –> 00:00:30,000
Brad Medairy [00:12:28]: It’s gotten, you know, more difficult with the growing attack surface. But really we haven’t spent as much time focused on the OT environment. And I would say probably over the last, you know, seven to eight years, we’ve really started the conversation around OT and frankly, it’s just different than the enterprise IT environment. If you, let’s take like a manufacturing facility. You know, a manufacturing facility, you generally capitalize that over a 20 year period. And so, you know, I was thinking back in preparation for this conversation, some work I’ve done in the pharmaceutical space and you know, I had the opportunity to go visit and work on the shop floor and we started looking at the attack surface there. And as we looked at the environment, there was not only controllers, but there was devices there that had operating systems dating back to the 90s, Windows NT, Windows 95. And so I would say these OT environments are super complex. I would say that it’s kind of become the Smithsonian of IT, meaning you have a little bit of everything in the environment.
31
00:00:30,000 –> 00:00:31,000
Brad Medairy [00:13:37]: They tend to be capitalized over a very long period, meaning that you’re not going to do major tech refreshes until you actually fully realize, you know, the, the, the, the life cycle of that, that particular facility.
32
00:00:31,000 –> 00:00:32,000
Frank Cilluffo [00:13:50]: Sometimes that’s not even possible. Right? I mean, if you think of the old challenges we had with industrial control systems, to take them offline could actually cause consequences.
33
00:00:32,000 –> 00:00:33,000
Dave Forbes [00:13:59]: In OT, the uptime is paramount. That’s right. You know, the, the OT Systems are up, it means it drives revenue, it drives dollars. And anytime an OT system is not functioning, it affects the bottom line of that organization.
34
00:00:33,000 –> 00:00:34,000
Brad Medairy [00:14:14]: So I think the reality is we’re still trying to get our arms around the OT environment. And step one was bridging the gap between the operational community and the technology and the IT community. We’ve been on that journey for a period of time. We’ve started to harden the environments. But the reality is these environments are plagued by a tremendous amount of tech debt. And it’s a real challenge in terms of, you know, how do you address this problem when you have so much tech debt across so much of our critical infrastructure.
35
00:00:34,000 –> 00:00:35,000
Frank Cilluffo [00:14:46]: You know, unrelated to our report, but significant in the way to think about sort of that IT OT convergence and physical cyber convergence, with new infrastructure spends, that’s the time when you can get this right, isn’t it? Because I mean, you’ve got legacy systems that are up and running. Now they’re netted by Internet of things devices, which brings about a whole new attack surface, but the time to make the biggest difference is when you have a new spend I think.
36
00:00:35,000 –> 00:00:36,000
Brad Medairy [00:15:20]: Yeah, 100%.
37
00:00:36,000 –> 00:00:37,000
Frank Cilluffo [00:15:21]: And I’ve been an advocate. You guys can disagree with this. I think in a perfect case on any IT spends, about 12 to 14% of that should include security. Then if you unpack that a little further between IT OT, OT is still the Rodney Dangerfield of the community there. How do we, how do we bump that up?
38
00:00:37,000 –> 00:00:38,000
Brad Medairy [00:15:45]: I mean one of the things…
39
00:00:38,000 –> 00:00:39,000
Frank Cilluffo [00:15:46]: And disagree with the premise.
40
00:00:39,000 –> 00:00:40,000
Brad Medairy [00:15:47]: I mean, I mean, I think it’s certainly much, it costs less baking in security.
41
00:00:40,000 –> 00:00:41,000
Frank Cilluffo [00:15:54]: And it saves way money over the life cycle.
42
00:00:41,000 –> 00:00:42,000
Brad Medairy [00:15:57]: Right. I mean there’s, you know, there’s, you know, whether you call it, you know, baking in security, whether you call it secure by design, you know, the reality is anything that you can do, you know, before you actually get that system in production is going to buy down cost and it’s going to increase the, the cybersecurity posture.
43
00:00:42,000 –> 00:00:43,000
Frank Cilluffo [00:16:14]: Anything to add on that?
44
00:00:43,000 –> 00:00:44,000
Dave Forbes [00:16:15]: Yeah, I know I’m, I’m always very happy when Brad brings up the tech debt issue and just adding a little bit more on this, OT needs to be baked into new construction and new build, right, we’ve established that. But in parallel to that, we are going to be dealing with legacy infrastructure and legacy OT for years to come. We have solutions now that are achievable and more affordable and accessible to asset owners. So one of the key takeaways needs to be, yeah, we got a budget for baking in OT. But in parallel to that, let’s move quickly to access what’s available now to protect those legacy systems that go, that are working side by side with those new build.
45
00:00:44,000 –> 00:00:45,000
Frank Cilluffo [00:16:57]: Any other thoughts on what some of those solutions are? I do want to get to the Zero Trust.
46
00:00:45,000 –> 00:00:46,000
Dave Forbes [00:17:00]: It’s a great segue into talking about zero trust.
47
00:00:46,000 –> 00:00:47,000
Frank Cilluffo [00:17:03]: There you go.
48
00:00:47,000 –> 00:00:48,000
Dave Forbes [00:17:03]: I mean, there are three, there are, there are three things that in the OT space we need to be doing. Number one, we need to have asset visibility. You can’t protect what you can’t see. Number two, it’s imperative that we begin to integrate advanced technology solutions, advanced control solutions. And number three, along the way we need to do OT modernization and inevitably there are things that need to be replaced. Okay, so zero trust comes in because it’s one of those advanced technologies that we can, we can chat about here now. But those are the three things that need to be done.
49
00:00:48,000 –> 00:00:49,000
Frank Cilluffo [00:17:34]: Brad, anything to add on the Zero Trust? And how do we take the bumper sticker and buzzword and, and make it real?
50
00:00:49,000 –> 00:00:50,000
Brad Medairy [00:17:42]: Yeah, I mean, I think, you know what Dave said in terms of, number one, know your environment.
51
00:00:50,000 –> 00:00:51,000
Frank Cilluffo [00:17:46]: You gotta do that.
52
00:00:51,000 –> 00:00:52,000
Brad Medairy [00:17:47]: And it sounds pretty, pretty basic and pretty fundamental, but I would say pretty consistently when we go into an OT environment, one of the things that we see quite often, and we actually highlighted that in the report, the report talked about, you know, a communication device in the crane system that allowed for remote communications. And that’s actually pretty, pretty, pretty standard in what we see in a lot of environments. And one of the reasons is vendors want the ability to be able to remote in, to be able to maintain, upgrade and diagnose issues with their systems, and they will put sort of, you know, communication back doors into those environments. And in a lot of cases, the environment owners, you know, aren’t tracking that at all. I was thinking back on a client engagement and we were sitting in McLean, Virginia and we were working with a European company and we were talking to them about their environment and they said, look, we’re not too concerned about our OT environment because we’ve implemented segmentation, there’s no access and we’ve kind of created this big castle wall around the environment. And we’re like, well, we appreciate that. However, right now we’re actually able to VPN directly in to your OT environment because here is a comms link that wasn’t secured.
53
00:00:52,000 –> 00:00:53,000
Brad Medairy [00:19:08]: And so we help them sort of diagnose that. But you know, the reality is step one is really kind of understand the battle space, understand your environment. So you know what you have to defend.
54
00:00:53,000 –> 00:00:54,000
Frank Cilluffo [00:19:18]: Absolutely. And this goes all the way back to Sun Tzu’s principles to know yourself, know your enemy. And I feel like we learn that lesson the hard way all too often. So taking that zero trust set of issues, we were very deliberate in looking at ports, but this cuts across all critical infrastructure, including those that are purely economic. But I have a hard time differentiating some of those too, because I think it, it blends with, with the national security issues. And honestly, economic security is national security, but what are some other sectors? What are we doing next, Dave?
55
00:00:54,000 –> 00:00:55,000
Dave Forbes [00:20:00]: Well, so going into the, the work that we’ve done with McCrary on this report, you know, our, our baseline understanding was the work that we have done and are doing at, at DoD installations. Okay. So this discussion around zero trust at ports and zero trust at, you know, for critical infrastructure stems from our work protecting critical infrastructure and OT across DoD installations, right? So you know, Brad touched on knowing your environment and knowing the OT systems that you’re working with. Okay, so, so where do we go from here? You know, the audience needs to understand that if you are protecting OT and you have asset visibility and you’re employing solutions out there that provide continuous monitoring on your OT networks, you’ve already started your zero trust journey. Okay, so now we’re, you know, we’re in DoD, we’re here focused on the paper that emphasizes zero trust at ports. It’s, it’s all of the critical infrastructure sectors, Frank.
56
00:00:55,000 –> 00:00:56,000
Dave Forbes [00:21:03]: And it’s also going back to other DoD and service installations. It’s marrying up zero trust protection of OT to, for the strategic goals that we have for national security.
57
00:00:56,000 –> 00:00:57,000
Frank Cilluffo [00:21:16]: And in addition to knowing, lighting up your own system and knowing where, because I agree with that. It’s pretty hard to do it if you don’t even understand where you fit in. But resilience is, is a key part of this. Right? Because I think it’s fair to say even if you are implementing as robust of a zero trust process, you can’t protect everything everywhere, all the time from a thinking enemy. The perpetrator bases their actions on our actions. So in a way you, you batten down risk and that’s the best we can do. But that’s not game over, right?
58
00:00:57,000 –> 00:00:58,000
Brad Medairy [00:21:55]: I mean, I, I think when you talk about resiliency, I mean in general, OT environments are usually designed to be fairly resilient.
59
00:00:58,000 –> 00:00:59,000
Frank Cilluffo [00:22:04]: Because they were built with three mile aisle prevention types of things.
60
00:00:59,000 –> 00:01:00,000
Brad Medairy [00:22:07]: Yeah, I mean they, but they were built to kind of to fail over. They were built to assume that there were going to be issues and then how do you, how do you be resilient and fail over in those environments? But I don’t think that they were, you know, when they were designed, they thought about an advanced cyber actor behind the walls. And as we talk about zero trust, I think the whole premise of zero trust is that you assume breach. And what that means is, you know, in your environment, from a cybersecurity perspective, you have minimal trust and continuous verification. And so I think that, you know, our advice to operators is when we talk to folks about the cyber, the cybersecurity world, the cybersecurity professionals tend to be fear mongers. And so they walk into environment and they paint this awful picture. And in many cases folks are like, thank you, I don’t know what to do now. And so I think that working through, okay, let’s assume an adversary is on my network, how are they going to move, how are they going to operate, what are they going to do? And that gives you the ability.
61
00:01:00,000 –> 00:01:01,000
Brad Medairy [00:23:18]: Because the problem with zero trust is it’s this big ambiguous term, right? And you know, in the cybersecurity landscape, I often talk about, hey, there’s 8,000 cybersecurity product vendors, there’s 20 billion in annual investment. And of those 8,000 companies, you know, 4,000 of them are AI and 4,000 of them are zero trust, right? And so, you know, everyone is just looking for this silver bullet in terms of how to protect their environment. And the reality is, you know, there is no silver bullet. You need to really assess your environment. You need to understand your unique characteristics, your unique threat posture and your unique challenges.
62
00:01:01,000 –> 00:01:02,000
Brad Medairy [00:23:55]: And then you need to tailor the, the particular solution around that. But it all starts with the recognition that, hey, someone could be in my environment. Now how do I need to think about that?
63
00:01:02,000 –> 00:01:03,000
Frank Cilluffo [00:24:06]: You want to build on that?
64
00:01:03,000 –> 00:01:04,000
Dave Forbes [00:24:07]: Yeah, let me build on that. Because it’s, it’s a, it’s a great foundation for what zero trust is and it is not. And I’ll tell you what, zero trust is a framework for actionable solutions. We’ve gotten really good at doing assessments in OT over the last several years. Okay, assessments need to be faster, they need to be focused on the priority infrastructure. You can’t protect and you can’t afford to protect everything the same way. But zero trust is the implementation of technical solutions that you know, you’re, you are in an assumed breach environment.
65
00:01:04,000 –> 00:01:05,000
Dave Forbes [00:24:37]: So you know, it’s, it’s testing out the use cases and they look different. You know, you got OT SDN, you got different types of network cloaking. But it is an actionable implementation of technical solutions to protect the network. Going well beyond just assessing what your vulnerabilities are.
66
00:01:05,000 –> 00:01:06,000
Frank Cilluffo [00:24:52]: And not to go too off piece, but there’s also an active cyber defense set of questions here too, right, where we can be proactive defensively. And what are some of those technologies? Either of you have a good, and obviously we’ve had other people discussing some of those, but any good anecdotal examples of where zero trust has made a big difference?
67
00:01:06,000 –> 00:01:07,000
Dave Forbes [00:25:15]: Well, I think that zero trust has forced the conversation about innovation in OT in particular. Let me give an example. We are now testing solutions that bring AI into the OT environment. We are looking at machine to machine identity capabilities that go beyond the traditional network visibility. We have tremendous vendor technologies and partners that are out there now that do asset visibility. But we are seeing AI, machine to machine identity detection capabilities that we haven’t seen before. And I really think that this move towards zero trust, frankly, the mandate for zero trust on OT networks has forced the discussion about faster innovation in the space.
68
00:01:07,000 –> 00:01:08,000
Frank Cilluffo [00:26:03]: Anything to add?
69
00:01:08,000 –> 00:01:09,000
Brad Medairy [00:26:04]: Yeah, I also think that, you know, when, when you think about like the outcomes you want from, from zero trust, right, you know, why are you doing this? And I think two things. One, you want to be more effective, meaning that you want to have a better security posture for your network. The second piece is you want to be more efficient, meaning that you want to be able to buy down some of your tech debt. And the reality is, I think you can actually drive down a lot of license cost in your environment. I think that when we go into our client spaces, we tend to see a lot of tools and technologies, but there’s a lot of ways to be able to kind of consolidate and be much more efficient there. And so I think about some of the work that we’re doing across the Department of Defense on a program called Thunderdome.
70
00:01:09,000 –> 00:01:10,000
Brad Medairy [00:26:53]: And Thunderdome is really at the, the intersection of infrastructure modernization and cybersecurity. And we’re working to roll that out across the broader Department of Defense. And it’s increasing the collective security posture. And it’s actually a lot more efficient because we’re doing it at scale and we’re able to retire a lot of tech debt out of the environment.
71
00:01:10,000 –> 00:01:11,000
Frank Cilluffo [00:27:12]: And I love, and this should be obvious, but it’s not always so obvious. But having an outcome based perspective in mind is probably, you would think that everyone would do it, but not everyone does. Right? So I want to put us in the shoes or sandals or whatever of a port security, owner operator, what are the two things, and when you look at sort of surface to shore cranes, that’s a bigger issue, that’s a manufacturing issue. There are not many US cranes, if any. We have other countries we can turn to, Japan and others who are investing in that space.
72
00:01:11,000 –> 00:01:12,000
Frank Cilluffo [00:27:53]: But what would be the three things you would tell the, the head of a port right now, whether Los Angeles Long Beach or…
73
00:01:12,000 –> 00:01:13,000
Dave Forbes [00:28:01]: I, I would say that number one, have, have systems in place to have visibility on, on the data going to and from your material handling equipment on ports. Number two, prioritizing those systems and processes. Which ones on the port, which MHE which cranes are non negotiably needing to be ready and capable and undeterred? And then number three, what technologies and what are you using, what’s in place to track that data and alert you if there’s an anomaly that has taken place that’s going to prevent, prevent you from conducting and continuing those port operations?
74
00:01:13,000 –> 00:01:14,000
Frank Cilluffo [00:28:48]:
75
00:01:14,000 –> 00:01:15,000
Any additional points you’d bring up here?
76
00:01:15,000 –> 00:01:16,000
Brad Medairy [00:28:50]: You know, Dave is, mine are probably a little more, more basic. But you know, if I’m running in a port, probably the last thing I’m thinking about is cybersecurity. Other than…
77
00:01:16,000 –> 00:01:17,000
Frank Cilluffo [00:29:02]: When it’s too late.
78
00:01:17,000 –> 00:01:18,000
Brad Medairy [00:29:03]: Right. Other than ransomware attacks that happened a couple years ago in Singapore, in Seattle, you know, most operators aren’t thinking about cybersecurity on a daily basis. And so one, I think I would suggest, you know, run a tabletop exercise to really understand the threat and the risk. And then the second is really understand, once you understand that threat, understand your environment, you know, what, what, what, what IT, what OT assets do you have across your environment? And, and what is the risk posture associated with that? And I think it starts with just the basics.
79
00:01:18,000 –> 00:01:19,000
Frank Cilluffo [00:29:43]: And, and I would even say not theoretical, just take the Typhoons and use them as the use cases within that tabletop because the impact, consequence and intent is very different from a Volt Typhoon which is living off the land, and, and as we discussed, it’s taking intelligence preparation in the battlefield to a whole nother dimension versus espionage, but they all matter.
80
00:01:19,000 –> 00:01:20,000
Brad Medairy [00:30:11]: A lot of the operators that I talk to, you know, cyber is abstract and it can never, you know, it’s the it can never happen to me mentality until it does. And so I really think that awareness and understanding of both the threat and the environment, the faster that we can get there, then we can actually get to more informed conversations around okay, how do we buy down that risk?
81
00:01:20,000 –> 00:01:21,000
Frank Cilluffo [00:30:37]: Absolutely. On the tech stack, I want to hear a little.
82
00:01:21,000 –> 00:01:22,000
Dave Forbes [00:30:42]: Part of that speed to the faster that we can get there is having a not just willingness, but easy processes in place to prototype solutions at ports. You know, Brad mentions Thunderdome. You know, one of the things we’re enabled to do on that program is to do pilots for zero trust for OT networks and to go into DoD spaces, you know, and test out solutions based on, based on asset owners priorities. Yeah, it is about what’s most important to you and how you keep the mission going at a port and making it easier for port operators and port owners to test out different solutions in many ways. You know, one of the things we’ve realized around zero trust for OT is you identify a relatively safe environment where you can test out OT solutions and see what the outcomes are and then you scale the ones that you think that work best for your environment.
83
00:01:22,000 –> 00:01:23,000
Frank Cilluffo [00:31:40]: We’re coming near the end of our time. Any questions I didn’t ask that that I should have?
84
00:01:23,000 –> 00:01:24,000
Dave Forbes [00:31:44]: Frank, I would just offer that for asset owners on ports and across the federal space in particular. You know, these zero trust solutions are accessible. We need to be a little, we need to be more creative and more willing to collaborate and just try stuff in the field. We can’t rely upon the status quo. We can’t rely upon just assessing and understanding our vulnerabilities. We got too much good technology and innovation out there not to try it.
85
00:01:24,000 –> 00:01:25,000
Frank Cilluffo [00:32:19]: Awesome. Brad, you’ve got the final word and call to action.
86
00:01:25,000 –> 00:01:26,000
Brad Medairy [00:32:22]: You know, you ask any questions you didn’t ask, I would say, what’s next? As we look over the horizon, we started by talking about we’re in a period of, you know, escalation in cyberspace. And so I would say in terms of what’s next is it’s going to be continued escalation. But I think things are going to start moving faster. And you know, with AI, AI is going to be used by advanced adversaries to accelerate cyber capabilities and cyber effects. And so I think that we’re going to see a, we’re in a period of, you know, things escalating at a much faster pace than we’ve ever seen. We’ve got to be prepared.
87
00:01:26,000 –> 00:01:27,000
Frank Cilluffo [00:33:02]: Adversarial AI is at the top of the list.
88
00:01:27,000 –> 00:01:28,000
Brad Medairy [00:33:04]: Yeah, I think that we’re there and I think that we’re going to continue to see things happen that blow our minds.
89
00:01:28,000 –> 00:01:29,000
Frank Cilluffo [00:33:13]: Any final thoughts around undersea that we need to be thinking about here?
90
00:01:29,000 –> 00:01:30,000
Brad Medairy [00:33:17]: I mean, I, I think that…
91
00:01:30,000 –> 00:01:31,000
Frank Cilluffo [00:33:20]: Because the ports is the water’s edge. There’s, there’s more that goes to the ports, right?
92
00:01:31,000 –> 00:01:32,000
Brad Medairy [00:33:23]: I mean, I think anything in the digital world is at risk.
93
00:01:32,000 –> 00:01:33,000
Frank Cilluffo [00:33:26]: Awesome.
94
00:01:33,000 –> 00:01:34,000
Dave Forbes [00:33:27]: Yeah. And, and yeah, we’re, we’re finding the conversation around, around OT and the cyber physical domain and the cyber physical aspect of, of warfare and defense spans surface, subsurface, aviation, space.
95
00:01:34,000 –> 00:01:35,000
Frank Cilluffo [00:33:43]: And, and I feel like we still treat those in isolation. Someone’s got to bring it all together to get that true rich picture. Sea, undersea, land, space, cyber. Is that Booz?
96
00:01:35,000 –> 00:01:36,000
Brad Medairy [00:33:57]: Well, I, I think that we play a key part in that. And you, you ask for kind of like the call to arms. And, and maybe, maybe the final thought is Dave talked about a term that we use called one battle space. And so when we talk about one battle space, we mean that our adversaries don’t look at our nation in isolation. They don’t look at it as the utility sector, ports, the US Federal government, hospitals, manufacturing. They look at our nation as one holistic battle space. And when they’re preparing to impose cyber effects against us, they’re looking at it holistically. So if we flip that from a one battle space perspective in terms of call to arms is I’m not sure any of us can solve this problem alone, but together we’re stronger.
97
00:01:36,000 –> 00:01:37,000
Brad Medairy [00:34:48]: And I think forums like this where we can actually have a conversation, where we can educate each other, where we can partner together, collectively, we’re much stronger. I think that’s the call to arms. It’s going to take all of us and it’s going to take sharing information, collaborating around solutions, understanding the adversary at speed so that…
98
00:01:37,000 –> 00:01:38,000
Frank Cilluffo [00:35:10]: Failing fast so you can get better too, right?
99
00:01:38,000 –> 00:01:39,000
Brad Medairy [00:35:12]: So we can continue, we can continue to get better.
100
00:01:39,000 –> 00:01:40,000
Frank Cilluffo [00:35:14]: Gentlemen, thank you. Very insightful, very thoughtful and onward and upward. Thank you.
101
00:01:40,000 –> 00:01:41,000
Brad Medairy [00:35:19]: Thanks, Frank.
102
00:01:41,000 –> 00:01:42,000
Dave Forbes [00:35:20]: Thank you, Frank.
103
00:01:42,000 –> 00:01:43,000
Frank Cilluffo [00:35:20]: Thank you. Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you’d like for us to host. Until next time, stay safe, stay informed, and stay curious.