[00:00:36] Camille Morhardt: Hi, and welcome to today’s podcast, What That Means, cyber physical security. I have with me today two ladies who’ve just published an ebook called Critical Convergence, and it’s about the convergence of cyber and physical security.
Antoinette King is founder of Credo Cyber Consulting, which she founded in 2020, and also author of a book that shot to the top of the charts in Amazon when she published it, which is called Digital Citizens Guide to Cybersecurity. Kasia Hanson works at Intel and she is director of Global Security Ecosystem Development.
Now, the two of them each have over two decades of experience in cybersecurity and security and technology more generally, and they both do a ton of work helping increase awareness and education in the cybersecurity space. Lots of credentials. Welcome to the show.
[00:01:32] Antoinette King: Thank you.
[00:01:33] Kasia Hanson: Thank you. Great to be here.
[00:01:35] Camille Morhardt: How did you guys decide to write this e-book?
[00:01:38] Kasia Hanson: Antoinette was the inspiration because she and I would be at events and we would talk about physical security. We’re both very active in the industry. And then I realized like, “Hey, wait a second. You know, she wrote this book and it was really good,” and I, I said, gosh, you know, we’ve gotta do something together. So a lot of the content and a lot of it was inspired by what she’s been doing and, and the work she’s done.
[00:02:00] Camille Morhardt: So let’s start with what that means, cyber physical security. What does that mean?
[00:02:05] Antoinette King: So when people think of security, depending on which side of the fence they’re on, it’s either physical security or cybersecurity. And as the threat landscape has evolved over the last two decades, what we’ve recognized is that there really is only one security posture because physical security is so interdependent on industrial IoT, that we need an element of cybersecurity to ensure our endpoint devices are secure. And within cybersecurity there’s an entire domain of physical security. But for some reason, both domains kind of have been siloed and they continue to be siloed.
So the really, the catalyst for this ebook was Kasia and I having conversations and other people in the industry about the notion that we really can’t have these siloed divisions anymore. It has to be one unified and holistic security posture in order to make sure that we’re covering all of the threats that organizations face.
[00:03:00] Camille Morhardt: So I have to ask the question: it seems to me it’s been ages ago now that we all read about a large retailer that had some of its customer information hacked through the payment system and the hackers got in through the roof, literally, uh, an HVAC system. And the HVAC system was connected to the payment system. So that’s been so long ago now. How is it that this hasn’t been corrected across the industry by now?
[00:03:28] Kasia Hanson: We can do a whole other podcast, like for three hours on that. Um, I think my view on it is I think the bad guys continue to figure out new ways, right, new attacks. Um, we also have the landscape of the internet of things that is expanding and, and essentially exploding, right? I think the last number I saw was 30 billion devices at the edge. Ensuring that you’re protecting those and inserting cyber principles and protocols and more importantly process in your organization–whether it’s physical or cyber–is really critical.
And so ensuring that you’re taking that into account across your cyber plan, right, and I think why hasn’t it been solved? Because it’s really hard. If we look at attacks, you’re never gonna be completely able to stop them, right? I think a lot of experts in the industry say that, but how can you protect yourself and reduce the risk and reduce the impact of those attacks?
And so Antoinette and I chatted about the physical world, right? You think about there’s a billion cameras on the face of the planet, and you have all these physical security implementations, you have the IoT and the edge, and how do we enable the industry and help bring the industry forward in best practices and methods to further protect those devices at the edge?
So we’re on a journey, right? We continually need to develop solutions, ecosystems to help customers protect themselves and reduce their risk.
[00:05:01] Antoinette King: It’s also a matter of education because in the past, facilities managers were responsible for HVAC systems and lighting systems; and in the past, physical security professionals were responsible for the physical security of a plant. We still have all of those things separated, but now we’re IoT dependent, as Kasia said. So when you’re implementing solutions that were formerly analog–which did not require any cybersecurity because they were secure in and of themselves, right, there was no ability to hack into a lighting system in the past–you are taking old technology and people with old mindsets and then thrusting them into this new environment. And if we don’t keep upskilling the people within those, um, particular verticals like facilities or security, we’re just gonna continue to implement insecure solutions.
And so, um, the answer in my opinion to your question is it’s just in some cases just absence of education. So, um, if we don’t educate the people that are putting these solutions in, and bring cybersecurity in from the design phase in the beginning of an implementation, we are going to continue to create vulnerabilities for organizations.
[00:06:10] Camille Morhardt: What is your perspective on how the concept of zero trust plays into this? A combination of cyber and physical security?
[00:06:20] Antoinette King: So when we look at a zero trust environment, typically we think about the users, right? We used to have the “trust but verify,” uh, and now we’re saying we don’t trust anybody and we need contextual security. It becomes challenging when you think about devices. So when we have to have a zero trust environment, you have to also have the manufacturers of those devices be able to play in that space.
A huge example that I’ve faced for years, uh, was Active Directory, for example. So go take, let’s take like, you know, ten steps backwards from zero trust and just talk about Active Directory. IT people are used to working within an Active Directory environment, you know, or single sign-on environment. A lot of manufacturers for camera devices or even access control devices, they don’t support Active Directory. So if you can’t even manage the user credentials for the devices and you have 10,000 cameras and they’re manually being entered into a system, how exactly are you supposed to manage zero trust?
So from a zero trust philosophy, we need to make sure that the manufacturers of devices are also keeping up with the best practices and standards to secure their endpoint devices.
[00:07:25] Camille Morhardt: So that’s another question, right? As I think of critical infrastructure in the United States, for example, and all of the different components at the edge that go into that kind of broader infrastructure or even the supply chain that puts it together.
So I literally just watched a drone hover around a transmission line tower and actually check the lines on that. And what I found out when I chased down the truck to find out what was happening is they were actually looking for the power company, looking for defects in the transmission line or wear and tear that could lead to sparks, that could then lead to generation of wildfires.
It made me think about devices like that, that are instrumental in protecting our critical infrastructure; like what kinds of things do we need to be aware of from a protection perspective? What kinds of vulnerabilities exist for devices like that?
[00:08:22] Antoinette King: Yeah. Secure by design, secure supply chain. And that’s a huge issue within not just critical infrastructure, but just from a national security perspective, right? Understanding where our chip sets are coming from, understanding where the components are coming from. For me, what really scares me is the code. The people who create the code really have the key to all of this. And so, having things in place for vendor assessments in order to ensure that they’re getting third-party pen testing done on their products and third-party inspections of code and, and stuff like that.
Supply chain, in my opinion, is the Achilles heel of our entire nation. National security.
[00:08:59] Kasia Hanson: Yeah. Yeah. I, I agree on the code development. You know, now you look at AI and its impacts on cyber, for example, both physical and cyber, and you have video analytics being put into a camera. That code or those models are in some cases being pulled from public sites that create models. Those models can be poisoned. Um, so if you don’t understand where they’ve come from, how are you using them? You’re putting them in cameras, how are those being protected in your environment? That close collaboration between cyber and physical is a must. But I think if we flip it, big companies tend to have a CSO, a CISO, right? You, you hope the organizations are working together. I know many that do. But then you also have the smaller, medium business companies that may not have that. And so, you know, our intent is to really start talking about this with the integrator community and, back to Antoinette’s point, to educate them, right?
What are all the things you should be looking at? And what kind of value can you provide to your customer so that you’re educated on what the risks are, you’re educated on what technology is being used, whether it’s software or hardware, how should those be protected? You know, because I, I’ve always said like the ecosystem that you choose to work with is really important. And it goes back to the supply chain assurance, too. You wanna know the products you’re getting are coming from a safe place, right? And they, they haven’t necessarily been tampered with.
So I think that’s such an important component of all of what we do in physical security especially, is what do those models look like that are being used? Um, the protection of like critical infrastructure as an example: that tight alignment between physical and cyber, understanding the landscape and, and what’s happening is crucial at this point in time. And integrators are a really, really important component of that in the industry that Antoinette and I work in, because they are touching all of those cameras. They’re touching that infrastructure, the perimeter protection, the protection of critical infrastructure. Now more than ever it’s the physical industry and then you, you talk about physical oftentimes, too, that includes the, the operational technology, right? Whether it’s in manufacturing or in hospitals.
So IoT includes anything that kind of sits at the edge, right? But it, it can be that critical infrastructure, it can be hospitals and so forth. So, um, you know, that’s why we’re trying to do this education and really help the industry understand the direction and the level of risk that’s out there. But also what can you do to implement better practices around cybersecurity, for the physical environment.
[00:11:46] Camille Morhardt: I think it’s an interesting point that system integrators actually, in some cases, are maybe that one kind of tie across the entire ecosystem to say like, “are we doing a security check, not just within each individual product or the operating system or the cloud environment or the edge, but holistically?” I think that’s an interesting point. And Antoinette, you founded Credo Cyber Consulting a couple of years ago, 2020. Three years ago, I guess I’m a year behind. And uh, I’m just wondering, have you noticed any kind of a shift among your clients as a whole in terms of, you know, either awareness or like what people are worried about or focusing on now that’s different in 2023 from– it’s a, what an interesting timeframe to have founded a consulting firm, right?
[00:12:35] Antoinette King: Yeah. Yeah. So, so two things I wanna touch on real quickly. The driving force behind me opening my consultancy was in fact what you both were just discussing, and that is, shoring up the integration piece to this ecosystem.
When I was toying with this idea of going out on my own, it was fascinating to me that manufacturers were starting to be pushed by the end customers to develop products that had cybersecurity feature sets in them. So whether that’s the ability to use certificates, secure elements, or SI or TPM modules, we’re working within an 802.1X environment.
All of these things were being pushed from the end customers because they’re being regulated. So regulations were forcing these critical infrastructure organizations, schools, whatnot–in order for them to get funding, they had to be able to demonstrate that they were doing best practices in selecting manufacturers and products in a secure ecosystem. But nobody was focusing on upskilling the integrators.
And I started in this industry as a technician, and back in the early two thousands when things were analog and just starting to phase over to IP, we had to know skills like backlight compensation and lens calculators and signal attenuation and cable. We don’t need to learn those things anymore, right? Because it’s all auto–like, you know, PoE automatically adjusts the power, all that kind of stuff. We’re not upskilling the people that are actually implementing and designing these systems. And so if we’re not investing in the channel and we’re not investing in the people–whether it’s in physical security or any other operational technology, you mentioned HVAC systems, lighting, anything that has a device that sits on a network–if we’re not upskilling the people that are supporting those networks, then we’re doing a huge disservice because you can have all of the security features that you want in a device. If they’re not turned on and implemented, it means nothing. Right? So that was actually one of the catalysts for me to go out and evangelize for this. The other one was, um, I had done, when I got my Master’s in Cyber Policy and Risk Analysis, I did my capstone project on CMMC, which is the Cybersecurity Maturity Model Certification, and it’s an idea the DoD adopted where in order to even play in this space from a procurement level, you have to demonstrate a particular degree of maturity of cybersecurity within your organization, specifically around how you house controlled unclassified information, CUI.
When I started doing that research, I, I realized that the supply chain truly is the biggest vulnerability that we have from a national security perspective for everything that we do–in manufacturing, in software development, food, you name it; it’s our Achilles heel. So then I started realizing that organizations need help. The vast majority of our nation’s commerce is done with small to medium businesses and they have no idea how to get this done. Right.
So again, going back to the integration space, most of them are small to medium businesses, and I thought, you know what? We need to support not only secure implementation of endpoint devices, but also how they’re managing their businesses. If you wanna be a secure part of an ecosystem, you need to do it on both ends. It has to be how we’re designing and implementing products, but it also has to be how we as a business are protecting your data and the information of our customers and our employees.
And then what I found was business was kind of being attracted to me because the vendor assessments started coming out and everybody’s like, “oh my goodness, we need to have a secure supply chain. We’re gonna send out a vendor assessment,” which is a spreadsheet typically of thousands of questions that people don’t know how to answer. But then when they started becoming a little bit familiar, they’re realizing “it’s not that I don’t know how to answer it, I can’t answer it. I’m not doing these things. I don’t have, you know, awareness programs. I don’t have any kind of SIEM solutions. I don’t have IDS and IPS, I don’t have any of these things.” They’re like, “uh oh, we need to do something. We need to build a program.”
So a lot of my customers are working on SOC 2 audits, or ISO or CMMC or some sort of third-party audit of their environment to make sure, or to demonstrate, that they are a secure part of someone else’s ecosystem. So it really all comes together.
This is the true convergence that we’re talking about. It’s business practices internally, it’s best practices in implementation, it’s best practices in how we actually go and manage lifecycles of devices. So that, that kind of is how it happened. And, and it was, it was serendipitous as a perfect time to kind of go out and do that. (laughs)
[00:16:58] Camille Morhardt: Yeah. And as more and more I, I mean more and more companies, and I would say large enterprises, are looking left and feeling more and more responsible for their entire supply chains. That puts additional pressure on anybody who’s supplying them to make sure that they can show where they’re compliant or what efforts they’re making in that space. So it’s growing in intensity.
So Kasia, if you were just hearing about this for the first time and you were a smaller and medium business, like what would be the first thing for you to do? Just to start and kind of survey this landscape of where you could plug in or assess what you may or may not be doing?
[00:17:39] Kasia Hanson: A funny thing. I have a local dentist that I go to and my first meeting with the guy to get my teeth looked at and cleaned was all about cybersecurity. I was shocked at the fact that a dentist is sitting here and he’s got an, an amazing practice. Very, very busy. Um, but cybersecurity was so important to him. I asked him how he got started, right? How he understood. He said, “oh, one of my customers is a professor at Cal Lutheran” and he said, “and he teaches cybersecurity.” And so he started teaching me about it: “and then I started developing. So I use a service that monitors our environment and you know.” So first and foremost is I think get educated and that’s what he did.
And then he looked at, what are my digital services, what do I need to assess? And there’s a lot of tools online that you can utilize from the, the government, right? The Cybersecurity Infrastructure Agency, CISA, and you can utilize those to look and see how you can build a plan for your environment. It’s just getting yourself educated and leaning into an ecosystem, too, that’s around you who can help you, right? The steps for someone to take is understand your business. Understand your risks. What are your objectives? What kind of services can you use to protect yourself? What kind of documented plan can you put in place? What happens if you get hacked? What is that plan? You know, you’re gonna have to build a plan, right? And, again, leaning on that ecosystem. I’m sure Antoinette has some thoughts to add to that, too.
[00:19:15] Antoinette King: Sure. So the other piece to this is understanding the environment that you’re working in. And so knowing what regulations apply to your business. So in the case of Kasia’s dentist, you know they’re gonna have HIPAA regulations cuz they have personal health information. If you’re working in a banking environment, what are those rules and regulations that they’re required to have?
And you know, if you’re an integrator and you’re working in those spaces, you need to ask the questions. “Hey, do you have identity and access management rules that you need me to follow? Do you use certificates?” Because when you choose the technology that you’re gonna implement in that environment, you have to be able to adhere to the best practices of that organization.
What I always do and the way I work with my clients is start with a gap assessment. So we just find out like, where are we? And what is our minimum, like where we’re at right now. Then we level set and we go from there. The other thing that I always suggest is you can’t boil the ocean when it comes to this because then it becomes paralysis by analysis and you do nothing.
So my advice is always pick your top five or seven critical systems–that are critical to your operation or manage and hold critical data. And when you just start with those top five or seven systems, it’ll be much easier to manage the security around that, and then you kind of branch out from there.
But if you really harden the target, just like we do in physical security, I have a, a slide that I use in every presentation. It’s a coin that’s on its edge. One side says physical, one side says cyber and the principles are identical. The only difference between them is the asset.
So just like we do in physical security, we figure out where our crown jewels are and then we harden around them in, in layers of protection. It’s the same thing. Find out where our most critical information and critical data sets are, and also the critical systems for business continuity, and we harden around them and then everything else is kind of like down the line. And that’s really where maturity comes in.
[00:21:05] Camille Morhardt: So, Digital Citizens Guide to Cybersecurity. You wrote a book. And it skyrocketed to the best sellers list at Amazon in all of its categories within a couple of days of releasing. Why?
[00:21:17] Antoinette King: So the book was inspired by a session that I did for K-12. I was challenged with coming up with cybersecurity concepts for fourth and fifth graders for a digital learning day; and I was used to speaking to adults and businesses around cyber practices and best practices. And I started talking about things like digital addiction. I was talking about clickbait, cyber bullying, right? Being an upstander versus a bystander. And these kids were so involved. They knew what clickbait was when I was describing it before I said the word.
[00:21:47] Camille Morhardt: They knew (laughs).
[00:21:49] Antoinette King: They really do. So not only do they understand it, but they’re all connected. So every single student in every session I did either had a cell phone, an iPad, a tablet, a computer, or a gaming system. But anyway, uh, it was inspired by this session and I realized, “okay, we’re, we’re doing a disservice to young people because they are a vulnerable population that we’re giving adult tools to. And we’re not giving them any ability to protect themselves, nor do they understand the risk. And those young people are the future of our workforce.”
And then at the same time, I started thinking about these ideas of vulnerability and I thought, “you know, we also have a much older generation; some people are still alive from when there weren’t even telephones inside the house. So they’ve gone through this digital transformation from no phones in the house to now we’ve got satellites and all this other stuff and computers in our hands, and they don’t understand how to protect themselves and they’re vulnerable.”
And the biggest issue with cybersecurity, I think for most people is they feel like it is overwhelming. It’s too technical. They don’t understand it, and so people shy away from it. So the point of the book was to demystify cybersecurity and help educate people to have their own cybersecurity best practices.
I firmly believe that when we talk about military actions, it’s no longer nation state against nation state in wars. Countries and bad actors are going after the individuals and they’re going after the individuals to get to the companies; they’re going after the individuals to influence thought patterns with myth and disinformation. So it is incumbent on us as the individual to exercise our own cybersecurity practices.
And then if the individual does that in their everyday life, then that will carry into the workforce, especially as we transform from, you know, most people working within an office to work from home and remote work. Many businesses never went back to the office. Not only are they fully remote, but they’re fully bring-your-own-device. Which means that it, they are very heavily reliant on the individual to supply the security around the connectivity between their business services and the devices that they’re using. And I created checklists after each chapter of things that people can do in their everyday life. I even did, um, a, uh, acceptable use policy for kids and parents where they can together create an acceptable use policy around technology.
So the kids are invested in their own security and feel like they have a little bit of control over it.
So it was a really great project, super fun labor of love. Uh, but it was something that I felt that I can contribute. And hopefully help young people and older people just secure themselves better and protect themselves online.
[00:24:26] Camille Morhardt: That’s really very cool.
[00:24:28] Kasia Hanson: I sent it to my dad because he always clicks on things and I always say, “dad, don’t click on things!” Right. You know? So for that older generation, you know, it’s a great, it’s a great book.
[00:24:42] Camille Morhardt: Yeah. So I did a podcast with a bunch of kids, actually. All of them were involved in education in cybersecurity. So they had all been doing training and learning computer science and cybersecurity, and they were then teaching other people, both older and younger than themselves. It’s a really different kind of a world now. I think kids understand all of these things, but they don’t always know how to protect themselves from it or all the different forms of attacks that come.
But it’s not like you have to educate them that there’s a problem. Right. They’re, they’re well aware of that. Yeah.
[00:25:15] Kasia Hanson: Absolutely. But I love how Antoinette said, you know, like, that’s our future. And so giving them the tools and the opportunities, by the way, I mean that’s why, um, Antoinette and I are very active in, you know, helping to diversify the security industry and adding more women. And growing that, that cyber talent. Um, and, and diversifying cuz you know, we, the bad guys are, are diverse, right? And, we need to be doing the same thing. Whether you’re technical or you’re sales or you’re marketing, there’s a role for everyone I think in, in the security world. So it’s been a fun ride so far.
[00:25:48] Camille Morhardt: Congratulations on your ebook, and we have a link to that, of course, below, as well as to Antoinette’s book that she published previously, and it’s been really wonderful chatting with you both.
Again, Antoinette King, who is founder of Credo Cyber Consulting, and Kasia Hanson, Intel veteran; both of them, again, over two decades of experience in cybersecurity and technology. Really great to have you on the show.
[00:26:13] Antoinette King: Thank you. It was an honor.
[00:26:14] Kasia Hanson: Thank you, Camille. Appreciate it.