Cybersecurity, Startups, and Examining Unconscious Bias with Galina Antova
@BEERISAC: OT/ICS Security Podcast Playlist
Podcast: Manufacturing Happy Hour
Episode: Cybersecurity, Startups, and Examining Unconscious Bias with Galina Antova
Pub date: 2020-06-30

Galina Antova is a security savant and the Co-Founder of Claroty, a leader in cybersecurity for operations technology for critical infrastructure. But, we cover a whole lot more than attack vectors and the current security threat landscape on today’s show.

In this episode, we kick off our interview discussing OT security strategies before moving to discussions on startups, managing rapid growth, and taking on unconscious bias in the workplace. Galina has thrived as a leader in a male-dominated industry, and she shares her story as well as the actions everyone can take to even the playing field.

From leading through uncertainty to navigating through a “perfect storm” in OT cybersecurity, this episode is packed with value from start to finish.

Make sure to visit ManufacturingHappyHour.com for detailed show notes and a full list of resources mentioned in this episode. Stay Innovative, Stay Thirsty.

The podcast and artwork embedded on this page are from Chris Luecke, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.
Industrial IoT Security | With Galina Antova and Emily Miller | Chats On The Road RSAC 2019
In this podcast we spoke with two experts deeply entrenched in the world of industrial control systems and critical infrastructure. Galina Antova and Emily Miller join Sean Martin and Marco Ciappelli to give us a view of the state of security for this slice of society while connecting the dots to their RSA Conference panel, Why Industrial IoT Security Is Really about Saving Lives.

All our RSA Conference coverage, including these chats on the road, is made possible by the generosity of our sponsors. We’d like to thank edgescan, Bugcrowd, STEALTHbits, Devo, Onapsis, and Nintex for their support and encourage you to have a look at their directory listing on ITSPmagazine to see how they can help you with your risk, security and compliance programs.

Edgescan: www.itspmagazine.com/company-directory/edgescan
Bugcrowd: www.itspmagazine.com/company-directory/bugcrowd
STEALTHbits: www.itspmagazine.com/company-directory/stealthbits
Devo: www.itspmagazine.com/company-directory/devo
Onapsis: www.itspmagazine.com/company-directory/onapsis
Nintex: www.itspmagazine.com/company-directory/nintex

For more Solving Our Cybersecurity Talent Shortage podcasts, please visit: https://www.itspmagazine.com/BetterTogetherSeminarRSAConference2019SanFrancisco

For more Chats on the Road to RSA Conference 2019, please visit: https://www.itspmagazine.com/itsp-chronicles/chats-on-the-road-to-rsa-conference-2019-san-francisco
[FFL 290] Women in Cybersecurity featuring Galina Antova
Power + Presence + Position
Galina Antova is a cybersecurity entrepreneur and co-founder of Claroty - a purpose-built cybersecurity platform for industrial IoT networks. Throughout her extensive career, she has worked with big-name companies such as Siemens and IBM. In 2011 she was awarded the prestigious MBA scholarship with IMD Future Leaders, to complement her Bachelor's in Computer Science. Also a mentor with SparkLabs, she is passionate about instilling her knowledge in future entrepreneurs and supporting women in S.T.E.M. careers.

Today, Galina joins me to discuss the exponential growth of Claroty and how she liaises with employees, investors and beyond. She shares her views on the ever-changing face of cyber-security, discusses her tactics for achieving success, and explains how to navigate male-dominated realms while managing your mental and physical well-being. She also shares her top tips and recommendations for fast growth and deliberate leadership, plus a little insight into what’s next for her and Claroty.

“Sometimes you make mistakes. It’s really important to realize when a mistake has been made and correct that mistake immediately.” - Galina Antova

Today on the Fierce Feminine Leadership Podcast:
- What she loves about the cybersecurity industry.
- The areas of business that we don’t realize need cybersecurity.
- The ‘perfect storm’ of industrial cybersecurity.
- Legacy products that leave our businesses at risk.
- Claroty’s growth in threat culture.
- How the Israeli army and Claroty ended up working together.
- How to get in front of the decision makers of a company.
- What to look for in investors.
- How she has successfully grown the company very rapidly.
- How to hire ‘trusted lieutenants’.
- Managing yourself - including your mental and physical energy.
- Navigating a male-dominated industry.

Galina Antova’s Advice for Fierce Feminine Leaders:
- Recognize the help you’ve had and utilize existing ecosystems.
- When looking for investments or help, get in front of the decision makers as much as possible.
- The right thing is normally the hardest thing!

Fierce Leadership Quotes:
- “When we talk about the cybersecurity of operational technology networks, those are actually the networks that literally run the world.” - Galina Antova
- “If we focus on the easy things to achieve, we only get a temporary sense of achievement.” - Galina Antova
- “If it makes you anxious, it’s probably the right thing to do.” - Galina Antova

Resources Mentioned:
- A16Z Podcast
- The Hidden Brain Podcast
- Ayaan Hirsi Ali - Author

Connect with Galina Antova:
- Claroty Website
- LinkedIn
- Twitter
Air Gaps Are Like Unicorns - An Interview With Galina Antova
Cyber Security Dispatch
Introduction:

Welcome to another edition of Cyber Security Dispatch. This is your host Andy Anderson. In this episode, Air Gaps Are Like Unicorns, we talk with Galina Antova, one of the co-founders of Claroty, a fast-growing security startup in the world of industrial control systems. She shares her experience working to protect these critical systems and the journey that led her to found Claroty.

Transcript:

Andy Anderson: Everybody sort of ends up in cyber security in kind of a unique way. Like I don't think there is a single kid who grows up being like, "I want to be a cyber security expert." What was your path into this biz?

Galina Antova: You're absolutely right, it was kind of like by accident to me. I started my career with IBM. So just the whole software development, security topic was fascinating. When I came across the industrial domain, it was basically the intersection of the stuff that runs the world and cyber security. And so I just became fascinated by that topic. And this is how I ended up just getting into it more and more, and eventually co-founding Claroty.

AA: So Claroty has sort of established itself as sort of a thought leader and sort of a category creator in this industrial control systems and SCADA systems. For somebody who is as immersed in that world, what's sort of happening there for people who, if they haven't been reading all of the hacker news?

GA: Well I think that what happened over the last few years really allowed for the industry to become a real market opportunity. The thing that is not new and that is not easy to change is the security posture of those industrial control system environments. So, in the office environment, we're used to kind of changing our laptops every couple of years. You can't really do that in the industrial control system environment.

The lifecycle of those machines is 35, sometimes 40 years, and so we can't just rip and replace.
So, you've got to work with existing infrastructure that, when that infrastructure was designed, security wasn't really a key requirement. That hasn't changed and that's kind of like one of the sources of the problem.

What has changed rapidly over the last few years is actually how interconnected those systems are. When the first POCs were designed, they weren't actually meant to be connected to non-control networks. So the fact that we've got everything on networks now means that everything is interconnected so therefore, no “air gaps.” So you've got to find a way of actually monitoring that environment.

The third thing that has also changed significantly in the last couple of years, is that in terms of the threat landscape, first of all, I think a lot of folks have realized that those networks are critical; they are more valuable. Downtime can cost millions and an attack can damage expensive equipment or harm people. Once an attacker actually gets into the OT networks, from there on, they don't really need to exploit new or known vulnerabilities to cause damage. They can simply send legitimate commands, just leveraging the existing infrastructure and the existing commands to make changes to the process that can be catastrophic.

So the threat landscape, together with “insecure by design” industrial control systems, is what is actually creating the opportunity.

AA: Yeah, the sort of ability to really to cause physical harm is literally -

GA: Exactly. The impact is completely different than that in the IT domain.

AA: Yeah, and to sort of looking at the backdrop against the security, which you're looking to improve, obviously if you've been in this space you've heard of Stuxnet; maybe you heard about kind of what was happening in Saudi Arabia, where things were happening with Saudi Aramco; maybe some of the other stuff that happened with WannaCry.
For someone who is just coming to this space, how do you see this increase of threat level, particularly like the involvement ... Attribution is always hard but potentially nation states fall apart.

GA: No, I'm not going to talk about attribution, because nowadays it is almost impossible to do. There are so many sophisticated ways in which you can do a false flag, so I'll leave that for other hosts to discuss. But really at the core of the issue is the fact that those networks are really, really, really valuable. Valuable in many different ways. Valuable because they could be used to cause physical damage; valuable because in many cases they actually hold some of the IP of those companies, for example the way a chemical company produces things.

So from that perspective, people will be people. I mean bad people will have interest in attacking industrial networks. Now it doesn't necessarily have to be a nation-state. There is “weaponized” malware available in the wild, so think of terrorists, think of all kinds of crazy people with agendas. I think what was proven over the last few years, starting with Stuxnet, is that it is possible to manipulate those networks. For many of those large companies, that had been the wake-up call, that industrial control systems could actually be manipulated so that it broke the process or equipment or could harm people.

AA: And when you think about essentially the security that you're layering on to their systems, is it in many cases just sort of a mirroring of what has happened on the more traditional IT systems? Like are you essentially just taking those models and those processes and those tools and essentially adapting them to the other side?

GA: We're trying to do the complete opposite. And this goes against probably every kind of common sense advice that you would hear in the cyber security industry. But basically there is about a 10 year gap in the cyber security posture of IT networks and industrial networks.
And so if we repeat the same cycle, it's not going to get us anywhere. What we try to do with our technology is get to the end result, not necessarily by applying the same security controls, because many of those security controls will not be relevant.

For example, something as simple and in many cases useless as anti-virus, is not even something that you can deploy on a controller because of the warranty issue. That's a real-time machine.

I don't need anti-virus on the controllers and I don't need some of the other measures that do not give me what I'm looking for, and are destructive to the network. So, what we've done is our approach is a completely passive data acquisition approach. We read the networks so we're transparent. That also means that the attackers cannot see us on the network. But because of the ability in which we understand those networks, and the protocols that are running those networks, we're basically able to detect the very first steps the attackers make. In cyber terms, we are able to detect attackers at the earliest stages of the “kill chain” so that we can stop them before they progress.

It's a different way of approaching the problem.

AA: Very cool. And essentially then, whoever is managing your system for a company is then able to, once they've been alerted that there may be an issue, do you guys get involved in sort of remediation or understanding what to do? What's that next step?

GA: Yeah, first of all for industrial control system networks, the ability to be able to see that something wrong is going on, it's a huge impact. Because right now the security teams are going into those networks completely blind. And if you look at any of the sophisticated attacks, I mean attackers were on those networks months, so that initial detection is kind of extremely key.

In terms of the remediation, it depends on what level of the network.
So if something is detected at the really lower levels of the network, where the controllers actually operate the physical process, no one should automatically block traffic from an automatic technology perspective. That needs to be handled in a more manual way, otherwise you can break the operational process or cause a real safety issue.

If we see something from a higher level of the network, from the IT domain, then yes, absolutely. We actually integrate our technology with other security technologies that are able to then take action, based on that information and intelligence.

AA: Very cool. As you think about some of the systems that you're getting involved with, they really are literally critical infrastructure. It’s power plants and those sorts of things. How in that landscape, what do you see in terms of the interaction between both technology providers like yourself, industry, as well as sort of the government sector as well? Is there collaboration that's happening or is it really very silo separate?

GA: Well there is some collaboration but it's really hard to rely on the government or rely on a standard body, to kind of tell you what to do. I have a lot of respect for, and actually we're working with a lot of advisors centered around standard bodies. But standards creation and implementation take a long time and threat actors change tactics very quickly. And so we are creating a completely new paradigm of how to actually address the threat now.

When it comes to government's involvement with standards, I think that a lot of the large companies have just taken that into their own hands, because the government can really interfere with some of those attacks. And as you mentioned, early attribution is really hard.

AA: Yeah. Sort of switching gears, in terms of some of those major industrial players, I saw that you guys had some big partnerships recently. Schneider Electric.

GA: Schneider Electric, and also Rockwell Automation.
Yeah.

AA: Walk me through kind of like that process and what that was like and what that's sort of been able -

GA: It's a very long process because they go through a lot of checks now. But it's a great working relationship with all the industrial control system vendors that we're working with. First of all, I think that for us, it’s great to get the validation from them, that our technology works as intended and that it's not disrupting the industrial processes their customers are running, which is huge.

And secondly, they also leverage our technology to go to market, because in a real-world scenario, whether you're an oil and gas company or a large manufacturer, you don't just have one industrial control system, it’s better if you have all of them. And so our technology cuts across all of them, and so all of those partners can actually take this as a component and plug us into whatever cybersecurity offering they may have.

AA: I mean it's a related question, but as you think about getting installed in major systems, large corporates, you potentially begin to become a threat back to yourself, right, if you have access? So how do you handle those concerns?

GA: Good question.

So one of the things that I mentioned is with our passive technology, we are actually completely out of band on the industrial network. So we don't exist to the attacker. The attacker would not see us as an IP on the network, etc. We're in stealth, so to speak in the network itself.

Now of course we go through the regular and kind of rigorous security testing in our own lab and have third parties audit our own technology. But the biggest thing is we're actually passive, we sit on a SPAN port, not inside the OT network and not installed on the systems within the network. So we don’t provide an attack vector for bad guys.

AA: So you're outside.

GA: Yeah.

AA: Great. We've been covering a lot of stuff. Anything you want to go over specifically to talk about?
Is there anything that you're like, "I've been waiting to sort of tell people about?"

GA: No.

AA: Okay. Maybe in general sort of the IoT space, we've all seen the graph, like the number of devices and then it looks like a good investment return, right? Hockey stick. How do you think about that? Does that scare you? Does that excite you? Like there is just going to be everybody buying our stuff. From your perspective, how do you think about sort of a more connected world?

GA: Good question and actually I do want to say something now. It's actually a great thing that you guys are covering industrial cyber security. It’s been kind of like such an isolated domain, so to speak, that even amongst the overall cyber security industry it has been kind of isolated. So part of what we're trying to do is bring it into mainstream cyber security so that folks talk about it. For example, at the last DEFCON we did a workshop on ICS together with some of the partners.

We’re educating the overall cyber security industry.

Now that kind of translates into your question about IoT. So IoT is everything. People can think of it as the networks that are running in nuclear power plants and then the intelligence in my toaster. So it's not really the same; there is a huge difference between what IoT is.

AA: Hopefully a different, more sophisticated system.

GA: The way I think about it is that you cannot stop it. The interconnectivity is a good thing if you can actually leverage the power that that gives you. But you can't stop it, right? So the initial push back against security technologies in the ICS domain, was because we're just going to air gap them.
Well, it's not practically possible and it's kind of the same thing with the IoT-- you are deploying sensors everywhere in your plant and leveraging that data for all sorts of things.

So I would say, for me, it's very exciting, because when everything is connected and everything is talking to each other, you can do so much more in terms of orchestration in how things flow. That being said, the more we think about security as a priority, and we bake it into the process, the better we'll be off. So it's a fact, you can't really change it.

AA: I mean gosh, having not been involved in industrial control systems to the level that you have, I sort of read about them from afar. But gosh, I didn't realize that the lifecycle was really 35-40 years, that long.

Are you seeing now that maybe the threat, the understanding of the potential threats is increasing -- at least vendors and people who are involved are starting to think about building systems?

GA: Oh they started that a long time ago. A few years ago, all of the ICS vendors already started being much more open about their vulnerabilities and how they cover them. But again you’ve got to think through the timeline of that, right? So okay, you're getting really serious about improving your security postures, so you started the design of your next controller. That design phase itself, in most cases, is a five year process. And then you launch it on the market and that doesn't mean that the large multinationals are going to go and rip and replace the billions of dollars of infrastructure that they have invested. It might be another 15 years before they actually have to operate.

So that being said, just last week I just came from probably one of the best, certainly the most technical, ICS cyber security conference in the industry, S4X18 in Miami. And what we saw there was Schneider Electric talking openly about the recent incident on the Triconex safety system, which was just absolutely admirable.
The fact that they're so transparent about that, engaging with the community is something that would not have happened 7-8 years ago.

So the fact that we're seeing vendors not just increase proactively their security, but being very open with the industry is a huge, huge step forward.

AA: Yeah, it is. A sea change in a community when there are problems that everyone has quietly known exist, suddenly -

GA: You might as well be upfront about it and show and tell the community what you're doing about it and how you're solving it.

AA: Yeah, sunshine cures a lot of ills for sure.

The session that you're in, you've made one of the best quotes I've ever heard, which was that, "Air gaps are like unicorns; lots of people talk about them, but we're not sure that we've ever actually seen one."

GA: Especially in industrial control systems.

AA: Oh, that's hilarious.

So in general and part of the reason that this publication exists is, a lot of people talk about the problems, like what's wrong. And it's easy as a community whenever anybody's system goes down, pretty quickly that person gets tarred and feathered. So we always try and talk about the positive, an actual focus on solutions. So what's working and who is doing a good job? Who is admirable right now? Whether that's yourself or partners or companies that you work with. You do not need to name names.

GA: Actually, I'll take it from a different perspective. I think that one of the biggest changes that kind of enabled our industry to even exist is the fact that board-level members started paying attention and actually understanding what does it mean if they don't have cyber security for the industrial networks. So seeing that awareness at the board level, and then the board members asking the CEO, and then the CIO, to actually do something about it, creates the budget, which means that now we can actually solve the problem.

No problem is unsolvable, you just have to have kind of like a focus on it.
I think that most of the large Fortune 500 companies that have industrial networks, and the vast majority of them do, even if it's not things that we think about. I mean this building has HVAC, and elevators and lighting; all of that is ICS, right?

So I think that the boards have done a really good job of asking the right questions. I think that specifically after WannaCry and NotPetya, when the security teams realized that, even though they're not targeted, some of that stuff can get into the shop floor. I think that was a huge wake-up call. And so we've seen quite a lot of interest after that. I think the security teams are also doing a good job of just asking practically, what they can do better in their networks.

AA: Some sort of quiet, stunning headlines after that, in terms of like what Maersk is saying they potentially lost.

GA: And that was just the tip of the iceberg. That was just really a very small fraction of what actually happened behind the scene.

AA: We're really curious what happens, kind of post GDP on, because I think maybe some changes before that, but just in terms of the disclosure requirements and timing. We just see a flood of more information come out because they're worried about otherwise getting huge [inaudible 00:18:43].

This has been great, just to sort of switch gears for a little bit. For people in the industry, what are you reading? What are you following? How do you kind of stay up?

GA: Good question. Every once in a while I try to read stuff that's not related to cyber security. Which you know, I kind of have to remind myself, because I think what kind of the time that we live in right now is so fascinating, and there is so much that could be done, that it just kind of keeps me up to date.

I actually talk to people. I'm privileged to have access to a lot of the smartest folks in cyber security, both on the technical side as well as the issues that they are facing; it’s just tremendous challenges.
What I tell a lot of my clients is that I never want to have their jobs because they have to be good all of the time and attackers just need to be good once in a while.

But I also work with some of the smartest folks that come from an offensive cyber background. And so a lot of exciting things on just how we think about technology and what we can do with technology. I try to talk to people, because otherwise there is just too much hype in the media, no offense but, right? There is just a lot of hype, especially when it comes to critical infrastructure and those control systems, because the general public does not understand it that well, and usually we see headlines of like the world's exploding or the US grid is going to come down, or something like that.

AA: If it bleeds, it leads, right?

GA: Exactly.

AA: Cool. Yeah. I mean that's most of what I wanted to cover. I mean thank you.

GA: Wait well thank you for getting into that topic of international cyber security. Like I said, we need more education, not just for the general public, even for the folks that understand cyber in general really well. That's kind of a new domain.

AA: If people wanted to kind of check out any of your stuff, or see sort of what you're doing, where would you have them go?

GA: I think I’ve got most of the things that I write on LinkedIn so probably they can check my page.

AA: Thank you so much.