Posted by: Greg Ness | December 21, 2019

The Coming Security Revolution will be Messy

Within the next ten years half of today’s network security leaders will be either: 1) replaced by a new generation of leaders built upon advanced architectures; or 2) will have acquired new architectural offerings [while they still can] and evolved; or 3) be acquired by firms which have crossed the new chasm of scale and complexity: IIoT.


A friend just sent me a link to a blog predicting yet another CSO/CISO year of living dangerously. It’s a safe prediction. Since the spring of 2017 (or perhaps earlier) every year has become more precarious than the previous one.


With thousands of security companies and billions in public vendor market caps offering protection, we still worry. We’re more exposed than at any time in cyber history. You could say we’re dumbfounded.

The exposure problem is easy to comprehend, with just three key drivers:

  • Escalating complexity;
  • Escalating scale; and
  • Channel/architecture/message fatigue.

Escalating Complexity

From the original network, now partially virtualized (and partially frozen in time), to the rise of the cloud and various hybrid operating models, CSOs are trapped in unprecedented layers and levels of complexity. “Divide and conquer”, the maxim of Napoleonic battle strategy, has been flipped on its head as infrastructure has become fragmented beyond recognition, and rendered ripe for the picking by bad actors with even primitive hacking tools.  Billions in security vendor market caps cannot fix this. Can any organization address this without breaking up with the network security / infrastructure cartels who themselves are trapped in monetizing complexity to the detriment of their customers’ careers?

Escalating Scale

As if complexity weren’t enough, thanks to the digital transformation, traditional IT networks are now converging with OT networks, adding billions of insecure devices to the internet and creating new attack vectors which are much harder to protect from exploitation. We learned this in 2017 when NotPetya and WannaCry ravaged hundreds of global entities already investing heavily in cyber protection. The IIoT evolution represents a fundamental shift in scale and complexity. And the cartels will help you “discover” your problems so they can extend the complexity addiction deeper into your organization. More vulnerabilities, more jobs, more gear needed.

Stack Fatigue

Today’s network security cartels (and their wildly successful channel partners) that evolved to create today’s infrastructure served an invaluable purpose. They brought us from mainframes to deep, computerized connectivity in a matter of a few decades. They also engineered their own obsolescence. Unprecedented scale and complexity have broken their fundamental architectures, rendering them incapable, despite billions in market valuations, of providing fundamental protection from edge to cloud. I’ve introduced this topic via panel to the next Future in Review.

These three drivers combine to force an ongoing churn of shifting, enigmatic choices and paradoxes that will start upending balance sheets tomorrow as they upend careers today.

Today’s Architectures are Very Profitable and Obsolete

For the established security vendors it’s deeper than a messaging problem; it’s a fundamental architecture problem that leads to a messaging problem. In short, how can these leaders white paper and webinar their way out of today’s deep, destructive architectural paradox? Maybe hire a leading analyst and have him/her perform a card trick that mesmerizes CSOs for another buying cycle?

I cannot help but think of the highly profitable 1950s tobacco companies advertising the health benefits of tobacco. Today’s security vendors, in effect, could be accused of doing the same thing today, monetizing CSO career dead ends with the mantra “All you need is complexity and more and more trained security pros.” That won’t last.

Hence my prediction: Within the next ten years half of today’s network security leaders will be either: 1) replaced by a new generation of leaders built upon advanced architectures; or 2) will have acquired new architectural offerings [while they still can] and evolved; or 3) be acquired by firms which have crossed the new chasm of scale and complexity: IIoT.

The cloud needs the edge and the edge needs the cloud…

While pundits debate the edge versus the cloud (flashback reminder: the hybrid cloud debate of 2013) there will be a growing realization that the edge needs the cloud and the cloud needs the edge and both need a new vision of security and connectivity. The multi-billion cartel of today is out of sleight of hand card tricks… and a new infrastructure is needed.

Posted by: Greg Ness | October 29, 2019

The Firewall Chasm is…

Network Effects are Powerful


Since the early days of TCP/IP, connectivity has created waves of multi-billion-dollar markets, seemingly out of thin air. All of the successes have had one thing in common: they created unprecedented network effects.

The 1990s ushered in the power of network effects. New levels of connectivity and scale allowed consumers, and then enterprises, to deliver content and services virtually. The consumer web blended with the enterprise web, supply chains and so on.

The TCP/IP stack (developed almost fifty years ago) underneath this connectivity was promiscuous by design, almost to a fault. From communications to commerce we saw a radical reduction in friction and fortunes shift from manufacturers and services to connectors.

[Note: The “radical reduction in friction” link is to Bill Janeway’s amazing 2016 Future in Review keynote (start at 7 minutes in) on Flows. This is a must see for anyone interested in tech and economics.]

Network Effects are More Powerful than TCP/IP Inventors Could Imagine

Network effects have become more powerful than anything envisioned by the creators of the TCP/IP stack. Wave after wave of devices and functions, from supercomputers and dumb terminals to today’s industrial internet of things (IIoT) have been connected. And the connection process is still underway. The results are profound on almost unimaginable scales.

We’re still underestimating the power of network effects, this time to our detriment.

Let me first take you through some examples of the power and transformation underway in this new IIoT networking era. A commercial real estate developer can almost immediately increase the value of a portfolio of buildings by connecting their environmental controls to the cloud so that heating, cooling, etc. can be managed much more efficiently and at scale. Similar network effects play out in manufacturing, health care and even maritime, from smart factories and hospitals to advanced ships at sea.

Air Gaps Protected Sensors and Controls from Cyber Mayhem

Vast transformations taking place at the edge as it connects and interacts with the cloud are changing the fundamental chemistry of the internet from the standpoint of remote control of physical infrastructure. In effect, we’re creating “programmable perimeters” of sensors, controls and devices once built and installed exclusively for local/onsite control.

This massive leap from onsite to remote control crosses the air gap, the previous defense mechanism protecting the physical control of a facility from cyber mayhem. Because they were previously air gapped, very few of the billions of IIoT devices deployed had either cyber security designed in or even allowed for security updates (commonly known as patches).

Network Effects are Double-Edged Swords (they cut both ways)

I talked about this issue in more detail at The Digital Cyber Security Paradox and in a recent theCUBE panel with Gabe Lowy (author of Securing Critical Infrastructure against Cyberattack) [IIoT Cybersecurity: Apocalypse Now or Later].

Billions of industrial controls are already connected to the network, to the internet. And hundreds of millions are insecure and may never be patched. This level of susceptibility of facilities and data makes the preconditions to the creation of the firewall industry in the 1990s trivial by any measure. And that is the core challenge of our digital generation IMHO.

The Firewall Chasm is… IIoT

While nations fret about “unskilled” workers at their borders (a hint back to that Janeway address you probably passed over because the internet has shrunk your attention span) the bigger problem is “skilled” workers easily traversing networks and nations.

We Need a New Firewall Vision based on the Concept of an Air Gap: We Need an Airwall

The firewall was created in parallel with the rise of network security. First came the network, then came network security. Now we have an internet enabling remote control of our physical places/spaces… an Internet of Places. We need secure networking, in the form of an Airwall, an air gap firewall built specifically for the secure networking demands of the digital age.

What are those demands? Think Purdue Model cybersecurity based on IIoT (versus IT) cybersecurity requirements. We need to shift our thinking from the “next-generation” UTM-think (the “defense in depth” kluge of layers and logs and skills shortages) to a fundamentally new approach to secure networking for IIoT. Otherwise this new digital age is a nightmare.

Posted by: Greg Ness | October 6, 2019

The Digital Age Maginot Line as Foreseen by Mel Brooks

[Image: Blazing Saddles tollbooth]

Attack Vectors in the… Trillions?

The growing attack surface of the new industry 4.0 internet is a big problem. On this everyone agrees. But underneath the headlines and the frequent “patch now” warnings from firewall vendors is a more ominous reality few are talking about: the exponential vector problem.

Yes the attack surface is huge and growing. 127 new devices per second are being connected to the internet, many of them insecure by design, creating a global hacker’s superhighway. Got that. I discussed this in more detail in The Digital Cyber Security Paradox:

In 5 years there will be 75 billion devices connected to the internet, perhaps a few billion insecure and unpatchable.  An estimated 2 billion run VxWorks and perhaps a couple hundred million of those will not be patched in any reasonable length of time. – Archimedius

[Here is a great collection of IoT connectivity and market size stats from Cisco, Gartner, etc. on various aspects of the Saganesque “billions and billions” IoT estimates.]

OOPS- We’ve Gone Global

While everyone is focused on the massive, unprecedented growth in the IoT attack surface, the bigger problem is the exponential increase in attack vectors. This quiet reality is buried deep inside the WannaCry/NotPetya “oops- we’ve gone global” cyber attack. Remember when IIoT targets in Ukraine were unintended back doors into the UK health system, Maersk and FedEx? “Exponentially increasing attack vectors” is the hidden byline underneath our growing digital age cyber security malaise.

 The Maginot Line, when lateral movement trumped massive security investments.

“Based on France’s experience with trench warfare during World War I, the massive Maginot Line was built in the run-up to World War II… French military experts extolled the Line as a work of genius… The line has since become a metaphor for expensive efforts that offer a false sense of security.” – Wikipedia

The Maginot Line was built based on the assumption that the next French war would be fought based on the technology of the last one. When the Germans quickly and easily conquered France, they did it by simply going around it.

Most firewalls deployed today were architected in the 1990s… when there was only one way into a network. Today there are trillions of attack vectors, and growing.

Old Architectures versus New Realities

Deploy a firewall in front of each device? That would bankrupt most organizations. That is, if they could find enough skilled security pros to manage them. The new digital era problem: how old architectures address new realities. It’s complicated… and expensive… just like the Maginot Line.

A few weeks ago this came up on an episode of theCUBE, recorded after Gabe Lowy published his thought-provoking paper: Securing Critical Infrastructure Against Cyberattack. I mentioned how “we don’t even have the semblance of a Maginot Line when it comes to IIoT infrastructures. And these infrastructures offer access to critical systems in factories, hospitals, cruise ships and even power and water stations.”

An Important Realization

At the close of IIoT and Cybersecurity: Apocalypse Now or Later, John calls the IIoT problem “one of the most important stories in the tech industry in a long, long time…” He’s right.

Perhaps Mel Brooks saw this futile digital age scenario coming decades ago. Imagine a toll booth sign saying “’Zero Trust’ courtesy of your firewall vendor.” Now that’s comedy, or at least tragicomedy.


See You at Torrey Pines!

On October 10 I’ll be discussing this problem further at Future in Review with Anne Hardy, Steve Fey and Derek Harp. I hope to post the panel video here in a few weeks.

Posted by: Greg Ness | September 7, 2019

The Digital Cyber Security Paradox

[Image: Digital Paradox]

Everything is Connected

In 5 years there will be 75 billion devices connected to the internet, perhaps a few billion insecure and unpatchable.  An estimated 2 billion run VxWorks and perhaps a couple hundred million of those will not be patched in any reasonable length of time.

About 200 million Internet-connected devices—some that may be controlling elevators, medical equipment, and other mission-critical systems—are vulnerable to attacks that give attackers complete control, researchers warned on Monday. – Ars Technica

Deep Asset Risk

It’s no longer just about data exfiltration but also the specter of the loss of physical control. Thanks to the overwhelming business advantage of digitalization, many organizations are creating massive, porous attack surfaces of insecure devices responsible for controlling physical infrastructure, from water, HVAC and power to medical, manufacturing and even maritime structures.

What Could Go Wrong?


The digital paradox is the inherent conflict between business advantage and deep asset exposure to bad actor control. And we’ve already seen the opening moves in the new hacker game. The lines between networks, nations and organizations are getting blurred by vanishing air gaps that once protected these devices from unseemly remote actors.

Unintended Consequences

Let’s face it, we’re emerging from the perfect Sorites Paradox scenario, where a heap of sand (the growing business value of interconnectivity) is eroded just one grain at a time by malware or remote bad actor control. Today, as billions of insecure devices connect, there is a growing, critical mass of exposure where many more grains can exit at a time.

I discussed this in more detail with Gabe Lowy, Tempered’s Bryan Skene and SiliconANGLE’s John Furrier a few weeks ago on theCUBE. You can read more about it as well at A Clear and Present Danger.

For example, attacks against critical infrastructure in Ukraine in 2017 (WannaCry and NotPetya) inadvertently spread globally and shut down hospitals, ships at sea and even distribution centers. They were among the most devastating and unintended cyber attacks of all time. Oops.

These attacks aimed at Ukraine accidentally cut globally like a hot knife through warm butter, from network to network, nation to nation, seeping into the critical systems of some of the most well-defended companies. Read excellent coverage of NotPetya in Wired.

IT isn’t ready for IIoT

[Image: Gabe on firewalls]

The firewall vendors warn you to patch and segment, segment, segment. How many skilled security experts will it take to protect you? How many lines of code? How many ACLs? The answer: you’ll never have enough resources. See this 102-second explanation from former Wall Street infrastructure analyst Gabe Lowy on the futility of the firewall in the age of IIoT:

“So if you’re an organization moving IIOT data from your OT systems across your network into IP analytics systems or software, that’s lateral movement. Your firewall- traditional firewall, just not going to be able to handle that and protect against it…”

From Geeks and Greeks to Rolling Stones

That brings us to another insight from the ancient Greeks: the myth of Sisyphus. The firewall and segmentation problem is, at its core, a scale and resilience/availability challenge exacerbated by the direct link between skills shortages and human error in the security chain. Every step up the mountain, a step back. All the while the attack surface grows and the attack vectors proliferate.

What could go wrong?

[Image: cyber war and IIoT]

A recent theCUBE panel on IIoT and cyber war concluded that the bad guys are already in your network. They are being held back by the threat of attacks against their own soft underbellies. But what about private players who are primarily playing defense and have no offensive countermeasures?

What about the digital enterprise merely connecting IIoT devices to the internet? Do they launch attacks against bad actors or do they just pay ransom? Today I suspect they’re simply paying up or suffering the losses. Maybe they’ll take out cyber attack insurance.

The ancient Greeks took exception to rolling stones uphill. It was a notable curse.

Think you can hire and spend your way to the top with your existing security stack? Get Gabe’s paper here.

[Image: Gabe cover]


Posted by: Greg Ness | August 10, 2019

IIoT: Apocalypse Now or Later

The IIoT problem no one has been talking about, despite high profile attacks:

“The hyper-converged infrastructures we’re building because of overwhelming business advantage is putting us at an overwhelming cybersecurity disadvantage.” – Archimedius blog

Had a chance to talk about the problem with John Furrier, Bryan Skene and Gabe Lowy, the author of the recently published paper “Securing Critical Infrastructure against Cyberattack”, on SiliconANGLE theCUBE this week: watch the panel on YouTube.

[Image: IIoT Power Panel]

If you’re not concerned about the security risks of digitalization then you’re not paying attention. “The level of scale, porosity and risk is unprecedented…”

Right after we celebrate the birthdays of two of the most destructive cyber attacks ever launched (WannaCry and NotPetya) a disturbing VxWorks advisory is issued for billions of IoT devices, and perhaps millions of them are unpatchable. There is a simple, fundamental equation that no one seems to grasp when it comes to IT skills, resources and capabilities:

IT < IIoT (1)

It’s clear the digital era we’re being pulled into is creating a massive attack surface; and there are not enough people, training courses and/or funds to deploy another layer of traditional firewalls, access control and segmentation solutions fast enough to keep up. And the security and networking cartels would rather sell you more of the same (see below):

[Image: Archimedius Traditional Networking at Scale]

This stack is DOA for IIoT. It’s too cumbersome, complex and expensive for the digital era we’re entering (of billions of connected devices, many of which are easy targets to get inside a network). And, even worse, none of these solutions were architected for the demands of IIoT. An upcoming paper by unencumbered network infrastructure analyst Gabe Lowy spells out the critical shortcomings of the current network security stack:

Traditional firewall and VPN solutions were not architected for Industrial Internet of Things (IIoT) initiatives.  They were designed to protect against earlier generations of malware.  As such, they are no match for the IIoT threat environment.

– Gabe Lowy, “Securing Critical Infrastructure against Cyberattack”, August 2019

His five requirements (availability/resilience; scale; visibility; management; and security) will certainly stir the pot with the traditional network stack vendors. I’ll share a link to the paper in August when it’s published.

It is readily apparent the network security stack has arrived at the same place it was in the 1990s, with the advent of the firewall in response to primitive worms and viruses attacking small pockets of connected networks (what we called the information superhighway). Yet that highway was nothing compared to today’s emergent digital era.

What the New Equation Means in Terms of Risk: “We’re not in Kansas Anymore”

What’s at risk beyond the new ability to compromise physical spaces, from lighting, to water, employee/customer access, patient care and diagnosis, production lines and transportation? The basic tenets of the digital era… or, some could say, the tenets of western civilization itself. Hyperbole, you say? Well, read this sobering report on the prospects for cyber war based on Richard Clarke’s new book (The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats) and how this new reality levels the playing field between the “superpowers” and the isolated upstarts once solely obsessed with nuclear weapons:

In the real world, Iran does have significant offensive cyber capabilities. The barrier to entry to having a meaningful cyberwar offensive force is low. Countries that could never defeat the United States in a purely conventional military battle can pose significant asymmetric risks to us in cyberspace.

– Fast Company Editors reviewing Richard Clarke and Robert Knake’s The Fifth Domain

A new approach is needed. But first we have to realize that IT < IIoT.

The hyper-converged infrastructures we’re building because of overwhelming business advantage is putting us at an overwhelming cybersecurity disadvantage.

Future In Review: See You There?

I’ll be talking about this paradox at Future in Review on a panel entitled: IT isn’t ready for IIoT with Steve Fey, CEO of Totem Building Cybersecurity; Anne Hardy, Chief Security Officer at Join Digital; and Derek Harp, Founder of CS2AI.


The advantages of digitalization are well documented and understood, especially in health care. Patients, for example, benefit when their doctors can access critical data by simply plugging a device into a wall jack. That wall jack typically connects to every other connected device in the hospital. If the hospital is part of an MPLS network then the scale of access and convenience is even greater.

Patients benefit because those caring for them are more productive, more knowledgeable and faster to respond. The problem, however, is that easy access can extend beyond the wall jack to the internet.

Health Care

Digitalization can expose more critical care processes and controls to the internet and that’s a big problem.

Two years ago this week WannaCry took down hundreds of thousands of systems globally in a matter of hours, including about a third of England’s hospital trusts and 8% of the nation’s general practitioner offices. In June we’ll note the anniversary of NotPetya, one of the most devastating cyber attacks of all time. Like WannaCry, it had devastating impacts, including hospitals and clinics. And WannaCry is still out in the wild, continuing to infect computers:

In its global list of countries where WannaCry variants have been detected over the past two years, India is at the top with 727,883 WannaCry infections, followed by Indonesia (561,381), the US (430,643), Russia (356,146) and Malaysia (335,814).

– Dev Kundaliya, WannaCry remains a serious IT security threat worldwide, researchers warn, May 2019

While tens of thousands of appointments, including surgeries, were cancelled or rescheduled, no one has yet died because of a cyber attack. Hospitals are starting to realize that there are thousands of devices connected to hospitals that, if breached, could hurt or even kill someone. These include devices that deliver medication, drugs, chemotherapy and radiation.

A recent study predicted that by 2020 70% of medical devices will be running on unsupported, insecure operating systems, many of which are tied to patient care (CSO Australia):

Some 38 percent of connected devices related to patient identification and tracking systems, while 32 percent were infusion pumps, 12 percent patient monitors, 5 percent point-of-care testing, and 3 percent medication dispensing systems.

– David Braue, For breach-weary healthcare CISOs, Internet of Medical Things is yet another headache, May 2019

There are scores of vulnerable medical devices (see Melanie Evans and Peter Loftus, Rattled by Cyberattacks, Hospitals Push Device Makers to Improve Security):

The Department of Homeland Security last year issued 30 advisories about cybersecurity vulnerabilities in medical devices, up from 16 the year before, according to MedCrypt, which makes security software for medical devices.

The situation is getting worse just as we commemorate the rise of powerful cyber attacks and ransomware:

Reports show that ransomware and other cyberattacks are on the rise — and health care is one of the biggest targets. Just this week, researchers in Israel announced that they’d created a computer virus capable of adding tumors into CT and MRI scans — malware designed to fool doctors into misdiagnosing high-profile patients, Kim Zetter reports for The Washington Post.

Hospitals are attractive targets because they have a shared infrastructure. Like an airport, they also have lots of third-party vendors working on the same L2 network through hundreds of VPNs, some connected directly to critical care equipment. Gift shops, vending machines, bio-medical services and laboratories can also share that same common network.

Hospitals often have no idea what’s on their network at a particular moment. They’re often using networks built incrementally over decades, and no one ever made a map. Very few have done any inventory of connected devices. And those devices can be plugged into and unplugged from the network in seconds. Many of them are running outdated and unpatched operating systems.

Around 10% of the devices on hospital networks run outdated operating systems (XP and Windows 2003, as examples). Hospitals are also starting to realize that there are thousands of connected devices that, if breached, could hurt someone. These include devices that deliver medication, drugs, chemotherapy and radiation.

So as hospitals converge OT/IT infrastructure, new demands, from attack surface to vector sprawl, confront firewalls and segmentation solutions architected for quite different challenges. See Happy Birthday WannaCry.

Posted by: Greg Ness | May 16, 2019

Happy Birthday WannaCry


Microsoft released a patch update to… Windows XP? What’s up with that?

Here are highlights from Ars Technica (Dan Goodin) augmented with recent commentary:

Microsoft is warning that the Internet could see another exploit with the magnitude of the WannaCry attack that shut down computers all over the world two years ago unless people patch a high-severity vulnerability. The software maker took the unusual step of backporting the just-released patch for Windows 2003 and XP, which haven’t been supported in four and five years, respectively.

“Exploitation of the vulnerability, as described in the advisory, would simply require someone to send specific packets over the network to a vulnerable system that has the RDP service available,” Brian Bartholomew, a senior security researcher on Kaspersky Lab’s Global Research and Analysis Team, told Ars in an email. “In the past, exploits for this service have been pretty easy to craft once the patch is reversed. My best guess is that someone will release an exploit for this in the next few days.”

A different security company, CyberX, analyzed traffic from 850 operational technology systems, which are used to manage factory production lines, gas monitoring, and other types of industrial operations. Researchers found that 53 percent of them run unsupported versions of Windows, many of which are likely affected by the just-patched vulnerability. The lack of upgrading stems from the difficulty of taking computers offline in mission-critical environments that operate continuously. Phil Neray, VP of industrial cybersecurity at Boston-based CyberX said a stop-gap measure for these companies is implementing compensating controls such as network segmentation and continuous network monitoring.

Network Segmentation, However, Faces its Biggest Challenge: Converged Infrastructure

WannaCry and NotPetya, two of the most devastating cyber attacks of all time, have at least two things in common: 1) both were able to spread quickly around the world in hours; and 2) both effortlessly spread beyond IT assets into OT devices. They also occurred within a few weeks of each other. Yes, we’re about to celebrate the birthday of yet another devastating attack.

Network segmentation solutions have had their share of issues when it comes to deployment, especially internal political and technical challenges (see the Zero Trust Paradox). Complexity behind the firewall has escalated to such an extent that security innovation on a macro scale is almost impossible without transforming the TCP/IP stack. That’s the old news: network segmentation pain.

With OT/IT convergence attacks like WannaCry and NotPetya have a massive global attack surface of interconnected IIoT things that have the potential for catastrophic effects:

Tod Beardsley, director of research at security firm Rapid7, said an alternate Internet scanner, BinaryEdge, shows there are an estimated 16 million endpoints exposed to the Internet on TCP ports 3389 and 3388, which are typically reserved for RDP. – Ars Technica
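The compensating controls mentioned above (segmentation and continuous monitoring for hosts that cannot be patched) start with knowing which hosts run unsupported Windows and which of them expose an RDP listener on the ports the quoted figure refers to. The following is an added example, not code from this blog, CyberX, Rapid7 or Ars Technica: a small inventory-scoring routine over a constructed asset list. The hostnames, zones and port sets are made up; the end-of-support dates are Microsoft’s published dates for those Windows versions, and an OS missing from the table is conservatively treated as unsupported.

```python
"""Score an asset inventory for unsupported Windows hosts and RDP exposure.

Added example with a constructed inventory (not data from the post or any
vendor). Two conditions are checked per host: the OS is past vendor support
on the assessment date, and an RDP listener (TCP 3389/3388) is open.
"""
from dataclasses import dataclass
from datetime import date

# Microsoft end-of-extended-support dates for the versions named in the post.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

# Ports cited in the Ars Technica figure quoted above.
RDP_PORTS = {3389, 3388}

# Assessment date: a day after the May 2019 RDP advisory (constructed choice).
AS_OF = date(2019, 5, 15)


@dataclass(frozen=True)
class Asset:
    hostname: str
    os_name: str
    open_ports: frozenset
    zone: str  # network segment the asset currently sits in (constructed)


# Constructed inventory: hostnames, zones and ports are invented for the demo.
CONSTRUCTED_INVENTORY = [
    Asset("hmi-line1", "Windows XP", frozenset({445, 3389}), "ot-floor"),
    Asset("infusion-gw", "Windows Server 2003", frozenset({8080}), "clinical"),
    Asset("vendor-jump", "Windows 10", frozenset({3389}), "vendor-vpn"),
    Asset("workstation-7", "Windows 7", frozenset({445}), "it"),
]


def is_unsupported(asset, as_of):
    """True when the OS has no vendor support on as_of.

    An OS absent from END_OF_SUPPORT is treated as unsupported (conservative
    assumption for this example).
    """
    eol = END_OF_SUPPORT.get(asset.os_name)
    return eol is None or eol <= as_of


def rdp_exposed(asset):
    """True when any RDP port is open on the asset."""
    return bool(asset.open_ports & RDP_PORTS)


def recommend(unsupported, exposed):
    """Map the two conditions to a compensating-control recommendation."""
    if unsupported and exposed:
        return "isolate: unsupported OS with RDP listener; segment and monitor until patched or retired"
    if exposed:
        return "patch and restrict RDP to the management network"
    if unsupported:
        return "segment: unsupported OS without RDP exposure"
    return "ok"


def assess(inventory, as_of=AS_OF):
    """Return (findings, unsupported_share).

    findings is a list of (hostname, unsupported, rdp_exposed, recommendation);
    unsupported_share is the fraction of hosts past vendor support, the same
    kind of figure as the CyberX 53 percent quoted above.
    """
    findings = []
    unsupported_count = 0
    for asset in inventory:
        unsupported = is_unsupported(asset, as_of)
        exposed = rdp_exposed(asset)
        unsupported_count += int(unsupported)
        findings.append((asset.hostname, unsupported, exposed,
                         recommend(unsupported, exposed)))
    share = unsupported_count / len(inventory) if inventory else 0.0
    return findings, share


if __name__ == "__main__":
    results, share = assess(CONSTRUCTED_INVENTORY)
    for hostname, unsupported, exposed, action in results:
        print(f"{hostname:14} unsupported={unsupported!s:5} rdp={exposed!s:5} -> {action}")
    print(f"unsupported share: {share:.0%}")
```

The point of the routine is the decision table in `recommend`: a host that is both past support and exposing RDP is the case the advisory is about and gets isolated first, while a supported host with RDP open is a patch-and-restrict item rather than an isolation item. Run against a real inventory export, the same loop gives the percentage figure and the per-host segmentation worklist in one pass.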

Traditional firewall and segmentation solutions were not architected to protect massively converged infrastructures of IoT, IIoT and IT systems. They were created in a different era of security with very different challenges. As a result the defense in depth stack has become complex and expensive. Yet innovation outside what we used to call the perimeter continues to gather increasing levels of sophistication, from cryptocurrency ransomware to aaS delivery models.

Perhaps Wired best summarized the problem:

Recent CyberX research indicates that more than half of industrial sites run unsupported Windows machines, making them potentially vulnerable. There’s not much opportunity to test the impact of a patch on those types of systems, much less to interrupt operations to install them.

That applies to health care systems, too, where the process of updating critical software could interrupt patient care. Other businesses run specialized software that’s incompatible with more recent Windows releases; practically speaking, they’re trapped on XP. And while the best way to protect yourself from this latest vulnerability—and the countless others that now plague unsupported operating systems—is to upgrade to the latest version of Windows, cash-strapped businesses tend to prioritize other needs. – Brian Barrett


The net result: millions of devices running XP won’t be able to be patched (in time, or perhaps ever), and the traditional security stack is already overtaxed by stack fatigue.

A major problem area is health care IIoT, where devices are integral to patient care:

Healthcare institutions are still rocking that 10-year-old Windows 7 or Windows Server 2008, putting themselves at serious risk of cybersecurity breaches, data theft, ransomware and all other kinds of nasties. – Sead Fadilpasic, ITProPortal

Happy Birthday to one of the most destructive cyber attacks of all time…

May 30 2019 update: WannaCry Still Launching 3500 Attacks/hour


Posted by: Greg Ness | May 10, 2019

The Zero Trust Paradox

Or The Zero Trust Graveyard… your choice.

I just glanced through an analyst report on “zero trust” and noted the sizable ecosystem of startups and security cartel players who have all managed to join the party. After all, it’s a noble aim. If there weren’t a way for an untrusted user, app or file, etc. to enter a TCP/IP network from the internet, that would be a great thing. A great thing indeed.

Yet startups embracing zero trust in their messaging have had little success. And I don’t think it’s because the security cartel players embracing zero trust (perhaps merely for thought leadership points) have succeeded.

What is the zero trust problem hinted at by the analyst?  Why is there a higher correlation between zero trust startups and new office space filled with old cubicles… than with hackers declaring bankruptcy?

I have a theory, inspired by conversations with security execs who’ve dabbled in the use of zero trust firewall and segmentation solutions.


The Zero Trust (Complexity) Paradox

For traditional TCP/IP-architected security solutions the security landscape (defense in depth) is so complex that anything added ends up creating more complexity than actual enforcement efficacy. In short, it’s a declining sum game, where every new investment ends up costing you more because of stack fatigue.

I’d prefer to call this zero-sum scenario a zero trust paradox. Rising complexity makes it harder for innovation to have a meaningful impact. Deployment is politically and/or technically painful and protracted because of the limited “elbow room” for innovation. And security stacks are getting even more complex as IIoT devices are being added at a healthy clip.

Cities are getting poorer while hackers are getting richer. Indeed, rising complexity is more likely a hacker’s playground than an increasingly secure infrastructure.

This came out loud and clear over an incredible steak dinner with an old friend with some major security insight and responsibilities. So I won’t name him. 🙂

Is there a solution to the paradox? Yes: the transformation of the TCP/IP stack to include a new overlay layer, which should have been included in the first place.

Posted by: Greg Ness | April 24, 2019

Connecting the Dots on OT/IT Convergence

Gabe is Back

In the heady days of massive network infrastructure growth there was a single analyst who knew the vendors cold. And all of us on the Wall Street briefing circuit knew Gabe Lowy.

Gabe didn’t waste time with small talk. On the way to the conference room he would ask you a few questions, then tell you what you were about to tell him, from your product update to your competitors’ strengths and weaknesses. And you hadn’t even fired up your laptop…

And why, you ask, is reminiscing about Gabe’s insight in the early days of enterprise networking important to cyber security for converged infrastructures?

Because he’s back, but this time unencumbered. So I was naturally interested in reading his recent post: Will Catastrophic Loss Drive OT/IT Convergence?


In addition to pointing out the inherent problems with today’s “business as usual” mindset when it comes to physical cyber risks, Gabe offered a solution. He drew an insightful parallel between the emergence of DevOps and the much-needed convergence of OT/IT, and what happens if that convergence doesn’t happen.

A common, blended organization tackling both makes the most sense. The alternative, which cannot be fixed by money or trained personnel, is a bigger deal than losing email and social security numbers…

April 25 Update: Another European manufacturer crippled by ransomware

And he promises more. Gabe is well worth following.

Podcast: New Age Piracy

A chilling Unsolicited Response podcast on Marine Cybersecurity with a Master Mariner at Moran Cyber is a wake-up call, and not just for the risks of ships being hijacked by hackers. At about ten minutes in there is a discussion about the common control infrastructures shared by ships and hospitals, factories and office buildings.

In a nutshell, with converged infrastructure virtually any “smart” physical environment is hackable. I wrote a Tempered blog (The Stakes are Higher than Ever) in response to the podcast: “These systems control the physical environment. Whoever controls them controls virtually everything.”

Forbes: Are Smart And Sustainable Buildings An Unsolvable Equation?

Tempered CEO Jeff Hussey weighed in on the issue of convergence in Forbes as he also explained what motivated organizations to make their facilities smart. But there is a catch:

Despite the sizable number of positive business impacts IoT devices can have on businesses, many organizations have balked at the idea of deploying IoT devices and control systems, citing an overwhelming level of complexity and a lack of personnel with IoT training as their reasoning. The gap in IoT skills is a direct result of the information technology (IT) and operational technology (OT) convergence. Unfortunately, bridging that gap isn’t an easy equation. Simply adding IT staff to an OT team does not produce the correct answer. It’s back to complex mathematics again.

Connecting the Dots

OT/IT convergence needs to be a team sport. Or else almost everyone loses.
