We are in a new era of cyberattacks with massive social, business & geopolitical consequences. All are happening at a time of rapid digital adoption exposing more attack surfaces to bad actors. Enterprises are adopting automated security, built on open technologies & aligned to business needs. Joining Chris will be a senior security leader for a real-world discussion on cybersecurity in this new era.
>> SPEAKER: Please welcome General Manager and Vice President of IBM Security Services, IBM, Chris McCurdy.
>> CHRIS McCURDY: Wow! This is great. Thank you so much for joining us today.
This has been such an energizing week, and so wonderful that we're able to get back after two years apart. Of course, over those two years, the bad guys kept their profile really low as well, saving us a lot of time. Obviously, that’s just a joke. In reality, some of the most epic and challenging moments in our security industry that we faced have passed -- have happened in just the past two years. Data breaches kept happening, impacting some of the biggest brands in hospitality and other industries. In fact, we saw the cost of a data breach increase to $4.2 million per incident during the pandemic. We saw attempted attacks on the COVID Cold Chain, uncovered by our very own X Force team at IBM. Major software supply chain attacks like Kaseya. And, of course, SolarWinds have all of us, even the government, rethinking our software partnerships.
But I'd say something even more significant has happened over the past two years in security. Imagine if you got a call on your phone, your kids couldn't go to school because of a cyberattack. Imagine if you had to wait in line for hours for gas due to a cyberattack. Imagine that meat you grill on the weekends cost $2 more per pound because of a cyberattack. Well, we don't even have to imagine any of those scenarios. All of them happened over the last year plus. In fact, just a year ago last month, the Colonial Pipeline was impacted by ransomware. Did you know the price of gas rose 10% following the attack?
So, here's what's changed. Cyberattacks are leading to real-world consequences, including rising prices, critical supply shortages, and even investor angst. We've entered into a new age in cybersecurity where adversaries have found leverage in these real-world repercussions. The fusion of the cyber and physical world has played out before our very eyes in just the past few months. Global conflicts are now spilling into digital realm, traversing the traditional borders of war, even putting banks, critical infrastructure, and manufacturing at risk.
So, let me ask, who here is familiar with six degrees of Kevin Bacon? All right. Very good. A bunch of you. So, for those who don’t, a bunch of college students in 1994 came up with a theory and game. The game showed that anyone in the film industry can be linked through their film roles to Kevin Bacon with six steps. So, this is actually based on the six degrees of separation, which assumes any two people on Earth are six or fewer acquaintances apart. Why is this important? Why do I tell you this? Well, it's an important lesson for us in business and government as well. While Kevin Bacon has a max of six links to a connection, I'd propose that businesses might max out at two links. We very much have entered into an era where all of our collective actions or inactions impact each other at a scale we have never imagined. In fact, look to your left, now look to your right. These might be your two degrees of separation. These people are your best defense and potentially your greatest weakness.
Never before in cybersecurity have we had more interdependence on each other for stopping and limiting the impact of a cyberattack. I get asked, Chris, why is this happening, and what changed to get us here? I could say the attackers have gotten more sophisticated or they are better financed, but that’s cliché. You've heard that before. I think the answer is more sobering. Ransomware and its ubiquity and ease of deployment has caught us at our most vulnerable moment. Data theft is no longer a lucrative business model for attackers. It is expensive, it’s difficult to monetize, and defenses have been focusing on stopping it. Ransomware has given criminals a means to cut out the middleman and move to the direct payment model.
If the pandemic has taught us anything, it is that our supply chain is incredibly fragile, and this did not go unnoticed by attackers. The best way to explain this is to take a look at some of the data from our 2022 X Force Threat Intelligence Report. It showed manufacturing was the most attacked industry last year, unseating financial services for the first time in over five years. Cyber criminals found a leverage point in the critical role manufacturers play in global supply chains to pressure victims into paying a ransom. In fact, 23% of all attacks in manufacturing were ransomware. Attackers wagered on the ripple effect that disruption on manufacturers would cause their customers and partners, pressuring them into paying a ransom. Ransomware attacks on manufacturing are affecting the bottom line, and it's beginning to affect consumers' household budgets.
How does this evolve? Well, financially motivated cyber criminals now have critical infrastructure in their sights. The FBI, CISA, NSA observed incidents involving ransomware against 14 of the 16 U.S. critical infrastructure sectors in 2021. In 2022, we've already seen similar disruptions in energy in Europe with an attack interrupting services at over 233 gas stations in Germany alone. Simply put, attackers have gone from chasing data to hunting for chain reactions. All of us are feeling that in our day-to-day lives. Attackers found leverage in the real-world repercussions, and I argue they are not going to go back to their old ways. They will continue to push our limits as a society.
Okay. So, what do we have to do better to defend ourselves? I have some very unorthodox advice, but please stay with me. Last October for Cybersecurity Awareness Month, Charles Henderson, who heads up our IBM X Force team, I'm sure he's in the room somewhere, published a byline in the Financial Times that essentially told businesses simply give up. Exactly. That’s what I thought when he shared this idea. I said, Charles, have you gone mad? We can’t tell our clients give up. But what Charles is really saying is give up on trying to keep attackers out. We all need to change our mindset to one that assumes the attacker is already in, finding their way to your prized possessions. Your focus should be on detecting and stopping the attackers. I'm sure many of you are hearing about this approach. It's called Zero Trust. I'd argue Zero Trust is not just a "buzz" phrase, single action, or tool the industry is marketing. It is a set of principles on which to build a security strategy. It is not something you buy off the shelf.
What else can we do as an industry to combat this shift with the real-world ramifications now needing to factor into our cybersecurity programs? I have an idea that I've been bantering around since I met with some of the clients in the industrial space. In fact, I’ll bring one out here in a moment. I saw many of their meetings beginning with what they called a safety moment, and it intrigued me. Safety moments are considered a critical element of workplace safety in construction and industrial settings. I'm sure some of you are familiar. You begin a meeting, five to ten minutes on a briefing, and focus on anything related to the wellbeing of the team. This can cover safety protocols, training, education, and even mental health. You have seen those signs at the work site that talk about days without an accident. Those are part of that safety moment as well. I'd propose every company might want to adopt this practice and call it a security moment to discuss cybersecurity at the beginning of every single meeting. Cybersecurity is now a shared risk across every department of a company or institution. It does not just sit with the CISO. Security needs to be a top agenda for all departments. As I shared earlier, the continuing kinetic effects of security events are elevating our monetary risk, but more convincing is their potential physical risk to our employees and our customers. So, it's time we start connecting security and safety into the same conversation.
To help bring this to life for you, I'm fortunate enough to have CISOs from two of our largest companies who are a critical part of the global supply chain. Please join me in welcoming to the stage Fernando Madureira, CISO for Cosan, and Charles Tango, CISO for Sysco Foods. Grab a seat.
Gentlemen, thank you for joining us here today. You just heard my kickoff here about the real-world impact cybersecurity is now having on our physical world. Both of your companies are critical and vital to the global supply chain in different ways.
First, Fernando, I want to pose a question to you about Cosan. Cosan Group is a huge part of the Brazilian economy, critical infrastructure with diverse but integrated businesses in the energy sector, including fuel and natural gas, also complemented by logistics and agribusiness. How do you manage security across the different businesses and help 60,000 employees keep your business secure?
>> FERNANDO MADUREIRA: Thank you, Chris. Good morning, everyone. It's a pleasure to be here. So, yeah, it's a huge group with amazing companies, and I'm proud to be part of Cosan Group, of course.
So, the way we are doing that, we have diverse operations and business, as you said, so we have energy, we have renewables, we have logistics and transportation, lubricants, natural gas. So, they are all different, right? And they have their teams and different operations. So, just to give you some examples on who we are, right, so we are moving at least 50% of the economy in Brazil through our trains and our logistics. So, it's a big deal. And on the other hand, if we were a country, we would be the second largest sugar producer on the planet. So, it's huge.
So, what we are doing and how we are putting in place our governance there. We established two central teams, so we have an information security team, and we have a cyber defense team, and they are acting across all of the group companies, sharing intelligence, process, standards, and then we can make sure everybody will be at the minimal level as a group, right. But then we have the BISOs, the business information security officers. I am sure most of you know this already, but in Brazil, this is quite new. It's not common to see BISOs in Latin America. So, we need them, of course. They are there in the business, in the operations. They are listening to them, helping them to take decisions every day.
Now, I have two takeaways, actually, to share with you guys. So, my first takeaway is on the M&A process. We must be the enabler, not the blocker in the M&A process, but we have to make sure we are there, part of the M&A process. Why? Because we have to help the business to identify in both companies what is the situation, the risks in place, and then we have the commitment from them to fix that in a timeline. And more than that, we can even document this and be transparent with our regulators. You can imagine we have a lot of regulators in the group. So, on the day one after the M&A, everybody knows already what is the situation. So, that's my takeaway number one.
Now, my takeaway number two is about supply chain security and vendor risk management. So, the point is I see everybody really focusing on assessing the vendors, assessing the risks, the suppliers, and enforcing them pretty much to fix the things because we have the security, but they have to be also with a high security level there, too. So, but most of the time, what I see, we really need to take a second step here because we are enforcing them to do so many things, and sometimes, or most of the time, it's a different company. They are small companies. They don't have the same budget, or even they don't have security people. So, I'm making my guys available to help them, and I'm bringing them to our ecosystem, including trainings. We are doing phishing testing with them, we are bringing them, for example, to our crisis management exercises, and we are giving them our process, our procedures, so they have to be part of our ecosystem.
>> CHRIS McCURDY: Thanks for that, Fernando. Our teams are seeing firsthand the efforts you're putting in, and proud to partner with you and Cosan.
Charles, you heard from Fernando how he manages security for such a critical part of the Brazilian economy. Interestingly, Sysco Foods and the whole food services industry is now considered critical infrastructure by the government. It's obvious why. You play a critical role in keeping our families nourished. So, question to you: With this new focus, what are you and your peers doing differently?
>> CHARLES TANGO: Thank you, Chris. First of all, let me say that the food services industry takes cybersecurity very seriously and we have for a while. Clearly, the JBS Meats incident, which occurred roughly around the same time as Colonial Pipeline, was a seminal moment for our industry, and the designation of critical infrastructure is meaningful, but I wouldn't call either of those gamechangers for us. We had been focusing on cyber risk for an extended period of time; however, that doesn't mean that we aren't doing some things differently because we clearly are.
In fact, if you think about how we were categorizing our risks in the past, five years ago, we probably would have been focused on data exfiltration or regulatory compliance, whereas now we are clearly more focused on ransomware. It's hard to ignore that as your primary risk. And what that means is you start looking at your programs that support detection, response, prevention. You have to take that as kind of the north star in how you are defining those programs. I would also say that if you look at how we are managing where we deployed our cybersecurity resources, we were probably focused on our own digital perimeter, and now we are hyper-focused on the interconnected supply chain, and it's hard to dismiss the cyber risks associated with that.
What is interesting, though, if you think about it, those risks are not unique to our industry. Most of the CISOs in this room and the security professionals in this room would probably cite those as their top concerns. And because of that, I think the most important resource that a CISO can have is a strong peer network. I regularly collaborate with other large organizational CISOs across a number of industries. We have similar challenges, and we have similar solutions, so it's important to collaborate and share those ideas.
>> CHRIS McCURDY: Thanks, Charles. Our food supply chain really has become frontpage news. Interesting to hear your perspectives on how, while things seem to have changed, the priorities really do remain the same.
Fernando, the attack surface is expanding beyond our wildest imagination. In fact, IBM just announced our plans to buy a company called Randori. That happened just yesterday. Simple challenge for you, Fernando. You’ve shared the importance of ESG, how, at Cosan, it’s impacting the environment from the very front, and I know you were working closely with us on OT and it’s been a new challenge for you with your attack surface. You’re clearly leveraging those tools to help meet your goals with the environmental safety. So, tell me, how are you managing the expanding attack surface area that OT environments are creating?
>> FERNANDO MADUREIRA: Good question, Chris. So, yeah, ESG agenda is high priority for us at Cosan. Right? And cybersecurity, information security is part of the ESG scope and agenda. So, the way we are doing it is we did a big, huge step on the IT part, on the IT environment with those teams and everything we are doing with our cyber defense center and the BISOs and all of that. Now, for the OT environment, from my point of view, it's a completely different environment. Of course, we have operations, we have PLC devices, systems. Just to give you some idea, we have more than 100,000 connected devices, IoT, OT, and all of those devices. So, it's huge. Right? So, we are partnering with IBM, doing now the biggest project, really focusing on OT security right now. So, in my perspective, the technical part, of course, you are going to find challenges and roadblocks, but I'm sure we are going to find solutions always. Right?
But my takeaway on that question is we have another challenge that we need to watch out for, and that challenge is on the employees and the people working on the operations. Right? Imagine, they have been working for years and years and years pretty much focusing on availability of the systems. Right? Now we have to teach them cyber. Now we have to tell them why they have to listen to us, that we need to stop a system, or we need to apply a patch in a system that has been running for 50 years or even more. Right? So, for me, that's my takeaway and recommendation.
>> CHRIS McCURDY: That’s fantastic.
So, Charles, like Fernando and Cosan, I know computing is also everywhere in the food industry. I have to imagine connected trucks, refrigerators, and the other machinery that is part of your expanding attack surface. What are some of the best strategies you're seeing applied to manage OT and IoT environments?
>> CHARLES TANGO: So, OT is not really a new attack surface. It's existed for a while. What is new is our recognition of it being an attack surface. I think that’s an important note. But similarly to what I said before, that's not a risk that's unique to our industry. And as a good example of that, food is perishable and can need refrigeration. You mentioned cold chain in your presentation. That's something that pharmaceutical companies and logistics companies, they have been addressing those risks for a while, which means it's a fantastic opportunity for us to leverage their lessons learned, and we have done so in building our programs. One of the fundamental things is the sooner you recognize that your challenges are not necessarily unique, the sooner you can start leveraging the work that other people have done.
I think we are seeing two broad themes. First would be the external third-party management of OT devices appears to be increasing, and the always on and probably more importantly the full connectivity, especially external connectivity of OT devices. And while I won't go into the specifics that we are using to address some of those risks, there are some fundamental things such as ensuring proper segmentation. That's been a key control for a while and will continue to be a key control. I also think organizations typically overlook including OT in their incident response. And frankly, that's one of the easiest things that you can work on because it is based on playbooks. And finally, Zero Trust, which I know is a "buzz" word, but it's a buzz word for a reason.
>> CHRIS McCURDY: Very good.
Charles and Fernando, thank you so much for your insights. It's rare we get to see the inside and look at how leaders like yourselves are managing the coming together of the business resiliency and cybersecurity goals of major global companies to help to protect the supply chain. Some critical lessons for us all. Let's give both of them a round of applause. Thank you.
>> CHRIS McCURDY: So, as we've been talking about in this session, we're dealing with levels of unpredictability in every area of business, and cybersecurity has no shortage of it. The interconnectedness we discussed here is not slowing down. It is only growing exponentially. As Fernando and Charles described, they are a big part of an even bigger interdependent network. I'm sure many of you have the same challenges. As consumers and citizens, we also feel the interconnectedness in our days that we have to handle.
The big takeaway for me here is around resetting our perspectives on cybersecurity. We need to assume we are breached. We need to hunt for the threats. But more importantly, we need to understand our place in the stability of this world. Now let's make those security moments a reality in our meetings every single day, help ensure our teams can celebrate hundreds of days without a security incident. Thank you all for joining us today and have a fantastic show. Thank you.