Redefining CyberSecurity

Book | Software Supply Chain Security: Securing the End-to-end Supply Chain for Software, Firmware, and Hardware | A Conversation with Cassie Crossley | Redefining CyberSecurity Podcast with Sean Martin

Episode Summary

In this episode of the Redefining CyberSecurity Podcast, host Sean Martin engages with Cassie Crossley, a leading voice in supply chain security at Schneider Electric, to dissect the intricate complexities of securing IT, OT and IoT systems in an ever-evolving cybersecurity landscape. This conversation not only illuminates the pressing challenges businesses face but provides actionable strategies, making it an essential listen for anyone keen to expand their understanding of software supply chain security.

Episode Notes

Guest: Cassie Crossley, VP, Supply Chain Security, Schneider Electric [@SchneiderElec]

On LinkedIn | https://www.linkedin.com/in/cassiecrossley/

On Twitter | https://twitter.com/Cassie_Crossley

On Mastodon | https://mastodon.social/@Cassie_Crossley

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin


___________________________

Episode Notes

In this episode of the Redefining CyberSecurity Podcast, host Sean Martin chats with Cassie Crossley, Vice President for Supply Chain Security at Schneider Electric, and author of the book "Software Supply Chain Security". Crossley emphasizes the need for increased awareness and understanding of software supply chain security, not just among technology companies but also in the broader business sector including procurement, legal, and MBA graduates.

Crossley highlights the intricate complexities involved in securing IT, OT and IoT ecosystems. These include dealing with decades-old equipment that can't easily be upgraded, and accounting for the constantly evolving nature of cybersecurity threats, which she likens to a 'Wild West' environment.

Crossley brings attention to the importance of businesses understanding the risks and impacts associated with cyber vulnerabilities in their supply chain. She touches on the potential vulnerabilities of pre-installed apps on iPhones, the need for more memory-safe languages, and the complexities of patch management in OT environments.

Additionally, Crossley talks about the potential for cyber disasters and the importance of robust disaster recovery processes. Discussing the EU Cyber Resilience Act, she raises an important issue about the lifespan of tech devices and the potential impact on the security status of older devices.

To help businesses navigate these challenges, Crossley’s book provides a holistic overview of securing end-to-end supply chains for software, firmware, and hardware; it is designed to serve as a practical guide for anyone from app developers to procurement professionals. She aims to enlighten and equip businesses to proactively address supply chain security, rather than treating it as an afterthought.

Key Questions Addressed:

___________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

___________________________

Resources

Software Supply Chain Security: Securing the End-to-end Supply Chain for Software, Firmware, and Hardware (Book): https://amzn.to/47m6gIg

___________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Are you interested in sponsoring this show with an ad placement in the podcast?

Learn More 👉 https://itspm.ag/podadplc

Episode Transcription


Sean Martin: [00:00:00] Hello everybody, you're very welcome to a new episode of the Redefining CyberSecurity Podcast here on the ITSPmagazine Podcast Network. This is Sean Martin, your host, where I get to talk about all cool things cyber related, ultimately to help the business protect the revenue it generates and hopefully even get in a position where we can help securely generate more revenue. And, uh, I think with most organizations, I think what's the term, most, most organizations are tech companies now, because they're all building their own software. Uh, today's topic is super important and, uh, we're going to be looking at software supply chain. And I'm thrilled to have Cassie Crossley on. Cassie, thanks for, thanks for joining me.
 

Cassie Crossley: Thank you for having me, Sean.
 

Sean Martin: It's a, it's gonna be a fun chat. And as with many things on my show, uh, it's rooted in a post that I saw. Uh, in this post, uh, my [00:01:00] response, I believe, was congratulations on, on, uh, getting your book published. There was a lot of, uh, a lot of comments in the, in the chat about that, or in the, in the thread about that: Software Supply Chain Security. It's the first edition, uh, written by you, Cassie. Congratulations on that. We're going to talk a bit about the book and what it means to have software supply chain security in the business and beyond. So before we get to that, though, a few words about you, what you've been up to, what you have going on right now. Great.
 

Cassie Crossley: Sure, sure. Well, I work at Schneider Electric. I am the Vice President for Supply Chain Security, so it's more than just software. It's the hardware also, and I have been part of the cybersecurity and product security office for, I believe, about eight years now, but I've been with the company for 14. My background is in software development, where I was, a long ago, a developer, but moved more into engineering management, project management, and program management, [00:02:00] both on the R&D and product development side, but also on the IT. So I go back and forth depending on what's more challenging at the time. And when I was working in the cybersecurity office, uh, specifically working with a lot of our suppliers, uh, I was very aware, of course, of the risk that suppliers can bring into organizations, and have, you know, in the past led, uh, disaster recovery processes and all sorts of different areas of, uh, you know, let's just say security and resilience. And then when I moved into the product security office, I was very eager to, uh, work on increasing the posture of products, and we have a very large portfolio.

Schneider Electric is a 36 billion euro company headquartered in France, and we have a large number of SKUs, let's say hundreds of thousands of SKUs. But [00:03:00] if you look at the intelligent products, software, hardware, OT products, that level is OT for operational technology, and, and of course IT and other kinds of products, uh, are 15,000 SKUs. That's a lot of products. We have over 12,000 people in R&D. So a large group to, uh, concern with the product security and application security. And part of that again is the supply chain, of which Schneider Electric is part of, but also the suppliers who work with us. And I had developed a process not just to do assessments of our suppliers that provide software or intelligent hardware components for our products, even the manufacturing organizations that touch our products as it goes through the life cycle, and having an assessment, but also an evidence-based assessment process.

I realized that the suppliers out there, with, you know, you know, not intending to, [00:04:00] but their product security posture was not as, uh, as much as we had hoped. Um, and we also acquire companies. And, you know, when you're looking at a large organization like Schneider Electric, where we have an established office and we follow the IEC 62443-4-1 secure development lifecycle standard at the highest level of maturity. So I spent a lot of time working with suppliers and also our ecosystem subsidiaries that, uh, what do they need to do, um, in stair-step fashion to increase the security posture of the products, but also how do we mitigate that risk, um, in the meantime. So that could mean things like we perform penetration tests because they may not have been performed on those products. And we do in-depth analysis and talk about secure coding, the same kind of things as if they were our own developers, because we have to think of them as that, right? You know, we're, you know, when [00:05:00] we're reselling or repackaging or putting something with our name on it, that, uh, puts the warranty and the responsibility as much on us as it does on who supplied that to us. Those two, you know, second-tier, fourth-party, fifth-party suppliers. And so that was a very important part of the process and the learnings that I did, especially working with like 2,000 intelligent, you know, suppliers, that they're all at these various levels.

And so I'm heavily in the application security community at the leadership level as part of a community that launched during COVID called the Purple Book Community. We wrote a digital book about application security, and they asked me to do the process chapter because I have a very, you know, extensive process background. And I went to them and I said, I really want to write this chapter called software supply chain security. And they're like, well, you know, what does that, tell us more about it? And this was pre-SolarWinds, but having [00:06:00] been a developer, I knew all the risks. This is pre-Google SLSA or any of, any of the other kinds of things, but understanding the risk, you know, uh, of knowing who had access to the source code, how it was put through build processes, um, all of that. It was really important to me from the beginning, both setting that structure. So I wrote the chapter, and before we even released, SolarWinds came out. So of course I had an update, and their ghost editor that they had, I told him, oh, yeah, there's enough for a full book, and he said you should write it. I'm like, oh, I don't have time to write a book. I've got a very large and very busy, um, uh, life. And, uh, he's like, no, you really should write it because no one's. And so he introduced me to O'Reilly Media, and I gave them the book proposal and wrote the book. It took about a year and a half. Um, and things are changing all the time. So I already have an errata sheet. And, you know, I told them, I said, this is going to need a new edition every two years, because it is [00:07:00] rapidly changing. I was writing things that are still in draft form. When I was writing about the software attestation form by CISA, all of that, you know, those things haven't been solidified, but yet, uh, we're having to update everything every day. So that's, that's how it came about.
 

Sean Martin: It's, it's fascinating. And yeah, cause I was, I was wondering, with the big picture view of, of hardware and, and suppliers of components and software that makes all that stuff work, why, why you would focus in on software specifically. Um, so clearly it was because you wanted to write that chapter, but is there something more to it than...
 

Cassie Crossley: Yes. Yeah. Well, um, first, first off, when I first started it, I didn't have the role of just supply chain security, but the subtitle of the book is securing the end-to-end supply chain for software, hardware, firmware, and hardware, because, you know, let's just say you're [00:08:00] using Intel chips. Well, you know, there's, you know, there's, uh, there's libraries, there's things involved with those, um, intelligent components, semiconductors, anything that has these libraries and other areas from a supply chain. So, you know, it could have just said supply chain security, because I actually did include all of it in there, but software supply chain security, it's a, it's a big topic all around the world right now. Um, so the book is for both audiences. You really can't, uh, talk about hardware supply chain security without talking about just cybersecurity in general.

There's a whole chapter on infrastructure security, uh, for development environments, for test labs. You know, a lot of companies, they have IoT test labs if they're building IoT products, and how are they securing that, you know, to make sure that it doesn't get in and affect their normal corporate systems. And that's what I, you know, [00:09:00] could see, is that, uh, folks, they would understand IT security, but they stayed hands-off to development environments. They didn't understand how developers, uh, would do the work, because they didn't want to restrict them. But there's also the risk that developers, we have the ability to download plugins to build our own code, um, to take whatever we need just on those environments, um, that we're building, and any of that could be a path for an attacker into the actual, uh, code base itself at some point in time. I mean, if somebody had a keylogger, boom, you know, if they didn't have MFA. And there's still, you know, there are still environments. It's not, you know, until the most recent years that GitHub has, you know, done more to force MFA and other areas where, um, people are, let's just say, being more careful about the source code that they're keeping proprietary, and so it all goes hand in hand.

There's a specific chapter. I put it near the end of the book because, in case people [00:10:00] don't have this environment, but it's about the manufacturing environment, because I wrote this book not only for the people who are building things themselves, but anyone who's buying something. There's no CISO out there that hasn't bought an IoT product, right? You know, of course they buy software and, you know, SaaS and, you know, all of that. But they're also buying printers and laptops and things like that. And you really have to understand and ask your suppliers, what are you doing in your manufacturing environments to ensure integrity of the entire process? And, you know, that's why I wanted to cover holistically throughout the book.
 

Sean Martin: Yeah, it's interesting that it's easy to forget about the, having a software background, I understand the, the build process: it's a little check-in, somebody actually builds it and releases it, and it goes to QA and all that stuff. But probably a different animal when you start talking [00:11:00] about hardware, and it, in my head, and I can't stop thinking about it, is software on the device. So embedded, embedded stuff. I pretty much, I presume you talk about that as well. Yes. It's a different, different animal, right?
 

Cassie Crossley: Right. Right. Yeah. And I used the word firmware, and I explained the difference between embedded software and firmware, but just generally, uh, it's, it's all very important. And I explained the difficulty with, uh, with when you're creating and working with embedded software and firmware is, unlike, let's just say, uh, an environment, uh, that's, that you may use every day, let's, you know, Outlook or, or anything that you're accessing over the web, you know, those kinds of components could be generally swapped out very quickly. But when you are tied to hardware architecture, even when it's got some extensible or more of an open architecture so that it's out there, if you [00:12:00] are working with products that are safety related, such as medical devices or the, you know, the products in many of our world, which is the critical infrastructure, you know, that making sure that, that just upgrading that library doesn't cause any kind of failure is extremely important. So it's a very careful process that you have to do when you've got embedded software and firmware, uh, in your devices to make sure that it doesn't, um, affect even just, uh, let's just say if there's latency added by changing out the library. That can impact safety. So there's rigid testing that has to go through.

So I think that those that come from a straight software world, especially those, um, that, you know, that are, uh, working on container-based systems these days or anything else, it's like, well, I'll just swap it out. You know, it's a new service and, uh, we, you know, that risk is always [00:13:00] present when you're working with the firmware. And I think that we saw a little bit of that. Yeah. With some of the other, uh, attacks like Heartbleed and some of the other ones where, you know, just one change and update, uh, to a chip caused people's devices to brick. You know, it was like, they were useless. And all of a sudden everybody's like, don't patch, don't patch. We've got to fix this other thing. Um, because when you're rushing to do that, things like that can happen. And we can't afford that to happen in certain situations.
 

Sean Martin: So I'm going to combine this, this next part together. It's, it's the two: who, who, and what do you hope they get from it? Because I can see you, you mentioned a few already. There's people manufacturing parts to get used in assembling of bigger things. And then there's the embedded, the firmware, there's a software, there are people that use those things too, and then add their own [00:14:00] software components to build up business processes, and then people buying those completed things. Do you, do you touch all of those and others? Yes. And you're writing the book? And if so, how, how do you reach all of those people? An app developer is different than a hardware manufacturer, right? And so how do you reach all those different people? Is there an individual goal for each of them, or do you have a general goal for the book?
 

Cassie Crossley: I didn't do individual goals. And I would say that if somebody was already an application security expert, uh, this is a book that they would hand to other people, because it's not, it's, it's technical in the stance, it'll talk about cryptography and what it means and why it's important, but it doesn't. And it'll talk about, let's say, for hardware, trusted platform modules. And that's so that somebody who wants to understand, you know, why would this add to security, that gives 'em enough basis. There's over 200 references, um, in the book so that they can [00:15:00] go read more. So I'm not trying to, uh, become an application security technical expert for somebody reading this. I truly wrote it so that anybody in procurement and in legal, because I work every day with procurement and legal folks, um, and they do not have a cyber background, and cyber is this scary word still out there. You know, if it says cyber, oh, bring in the cyber expert and, uh, let's just let them handle it. But cyber folks are not legal experts. And they, you know, there's so much that, uh, working together as a team.

So the book is written, it does have a set of, uh, controls through there. So 78 controls in general, and it'll talk about what are the key important pieces for that area. So, for example, in the development environment, it'll be like, you know, make sure that you, um, do asset management of the developer tools in addition to your normal IT processes, and that includes software, and so [00:16:00] that's written more for the IT security. But I have an entire supplier chapter that, it talks about, you know, assessments and how to understand suppliers and what you should focus on, and that those infrastructure, sorry, those controls in that supplier chapter are more geared toward IT, procurement, and legal folks to say, you know, make sure you have in your contracts this kind of information. So it's really meant to be a practical guide that you can pick up and go back to, or provide. I have a lot of, um, people I know that are buying it for their sales and marketing organizations. If they're in a cyber company, it's like, oh, you just started working at a software supply chain company. Now you need to understand that there are different risks.

Um, so I really did my best to write it as an expert. And I really think O'Reilly, to help do this, is the development editor didn't have a software supply chain background. Um, that editor had worked on other [00:17:00] technical books, but, uh, you know, they're right. When I first started writing it, I was, I was making leaps of, of, you know, where, oh, they, they probably understand this, but, you know, I, I realized based off the comments and, and over time, you know, to even go a little bit more into why this is. And what I have in there a lot is explaining the risks and why this is important, because there's no sense in reading something just because I want to learn how to do it. But everything is based off of a here's a risk and here's examples, especially a section on data protection and intellectual property. It's pretty, you know, for some people it's an exciting topic, but for other people it's a bit of a dull topic. And, um, I really wanted to show examples to say, you know, this is where the passwords and keys, and this is the impact to the business it had. You know, this meant [00:18:00] millions of dollars to this company. And, uh, you know, here's all the areas. So I really tried to bring it home so that somebody could learn, uh, something as they're going through and not just be sitting there reading a technical document that's, uh, uh, trying to prove, oh, I know all this stuff. It's really to, uh, give them the backbone so that they can, uh, continue learning, because in this world, especially as what we've got, uh, this is becoming more and more important. And as I mentioned, I work with procurement folks all the time, not just from my company, but also from other companies, and they're eager to understand more about this. You know, they really want to know, you know, more than just, I know IT security, I can learn what a SIEM is, but why is this important to have? And I think that sometimes in what we're educating and teaching, we assume [00:19:00] somebody already has a basis going into it, and I didn't want to do that in this book.
 

Sean Martin: Yeah. And so it's an important, it's interesting because, granted, I've been talking third-party stuff, uh, the past few episodes. Not that many of them have been produced yet, but anyway, third-party risk and procurement keeps coming up. Obviously it's an obvious one, but you don't think about them too much, sadly. Um, and they have a hard job. When you mentioned the SIEM, right? How does, how does the procurement team verify the supply chain for a, for a SIEM, which, as you know, has a bunch of connectors and plugins and threat intelligence feeds, and the list goes on and on and on. Um, just that one thing. And then you start, you go to the hardware side where you, you guys are delivering cool things for critical infrastructure. A lot of, a lot of downstream stuff there too. [00:20:00] How do you, how do you hope procurement, is a procurement role then, do you think, maybe put it this way, to kind of be the hub for that? Because we all know engineers go off and buy that new, or, or, or subscribe to a new, new service that gives them an API that lets them do credit card transactions or whatever it is. Right. Um, outside of procurement's purview. So, so how does procurement play a role in kind of getting a view of all this stuff, or is there somebody else that really owns that, and procurement, it's just there, the right-hand person?
 

Cassie Crossley: That's, that's a really good question, because I think that, as I mentioned, it's, it's the word cyber comes up, they immediately go to, where's the security person in the room? Um, and for, you know, when a financial question comes up, they don't automatically go, [00:21:00] where's the CFO in the room? Uh, and I think that it'll take a long time before, in business classes and just normal programs where people are starting to understand technology, that in the future, maybe 20 years from now, everybody will have a baseline enough of cyber, and we're not there yet. And so I do think that this is more of a partnership. I think that the purpose for one is for them not to ignore the subject, to have that familiarity to know when they're evaluating, or let's just say that somebody else didn't pick something, that they're told, you know, here, I want you to assess these three suppliers, that one of the first things that they would know to do in the future is, have any of these undergone a significant cyber attack? Do they have a lot of vulnerabilities in their products? Doesn't take a cybersecurity expert. If they really understand why that's important and [00:22:00] what it is, then just going out, let's say supplier one, two, or three, that they can evaluate some of the cyber risk. Like, you know, if somebody had, uh, let's just say all of their source code compromised, and, and they may have a cyber score on one of the risk rating systems, you know, really bad, uh, in a really low score, that they would be able to say, without somebody else telling them, this is a cyber risk, probably not a good choice, I'm going to take it off. And they do that already when they're looking at, let's just say, Dun & Bradstreet financial scores and things like that. And so we want to see that some time in the future where they're more comfortable, um, making those pre-qualification decisions.

Now, when you have the case where, which I think is the majority of the cases, uh, somebody, you know, in the technology area says, oh, I have all these suppliers. Um, [00:23:00] sometimes, especially, you know, if they're coming from an IT background and not a cyber background, they also don't know some of those same practical things, like let's just judge the cyber, initial cyber posture before going into it, not just because we saw them at this conference, um, and they sent us lots of emails. And that is something that I think that we're all sort of overwhelmed and tired of assessments, because if somebody fills out an assessment and you're not making any, taking any action on it. I filled out assessments for years, and I was shocked that they would never come back and ask additional questions. But, you know, what's the purpose? I probably could have said, you know, we hire, you know, we hire pandas to do, you know, this, and, and we have crocodiles in the basement, and nobody would have read it. And, um, I think that if you're going to take, uh, that next step of [00:24:00] really evaluating your suppliers, uh, work with the teams together to say, here's what you can do to pre-qualify from the suppliers. You know, here's the kinds of things, and then at the next layer, here's some of our criteria and our decision-making criteria for selecting the supplier and what that means. And I mentioned that, um, in, in the chapter on suppliers, is that means you should be adjusting your templates and your cyber templates to set certain, let's just say if they didn't meet the qualifications, you put it in the statement of work. You can ask for discounts. You know, we're concerned about your cyber posture, or, you know, we need this SLA. Um, we need you to notify us. So it's not the sake of getting an assessment. It's to create that relationship.

And I cover that quite a bit, about how important it is. If your critical suppliers are not having cyber conversations with your cyber leader, [00:25:00] uh, in cyber, the cyber kind of leadership, um, then you've still got a gap. Because let's just say you're a startup or a medium-sized company and you don't have all the nice cool tools that are monitoring and, and checking all the threat intelligence and all the feeds going out there. And you're hoping that the supplier, or you'll see it in the news, um, that such and such had an event. Um, you may notice it when you're, when the app stops working or something like that, you know, and it's just, who are you going to call? Um, so that by having that and knowing your assets and your critical vendors, and that's part of the procurement. A lot of procurement teams, especially large organizations, they have these quarterly reviews, right, quality checks or yearly reviews. And is cyber involved in them? I would say 99 percent are not. And yet, when, you know, for our critical suppliers, when we go to that conversation, [00:26:00] we have, you know, the scoring system. You know, here's our concern about this. You've got an open, you know, footprint. Or, you know, you've had these vulnerabilities and we had to react to that. And sometimes that, you know, I can have those conversations because I know those suppliers, uh, which is really important, and we, as a large supplier, do the same for our customers. If there's something out there and we hear it, we contact them. We, there was, there was a customer out there that had an event, um, in 2023, and we contacted them, and afterwards they told us, you're the only supplier that contacted us to see how you could help. Right. And that's all relationships that you've developed during that third-party process. And it's just really important.
 

Sean Martin: Yeah, I think it's no question super important all the way through. And I mentioned this on another episode, that I heard from some CISOs that they actually bring some of their [00:27:00] key suppliers in as part of their IR tabletops. That's right. So it's all good to have a policy, all good to have a score. When it, when it hits, if, and when it hits, how are you going to respond together? So having that there is cool. Um, are there differences? I'm looking at this a couple of different ways. One, from the way we look at risk, the way we run ops, the way procurement deals with it, versus OT. Cause I know when we're talking cybersecurity, it's, we have the, we have the IT stuff, we're not great at it, but we have it figured out, right? We kind of know what we need to do. We're not great at doing it. And my perspective is, in OT, it's still kind of a Wild West and IT security is trying to form. That's my naive, naive view of it. [00:28:00] How, how close to reality is that? What do you see, uh, obviously in the context of supply chain as well?
 

Cassie Crosley: Sure. Um, well, I. I, I actually don't see OT as much of a wild west. I, I would say a lot of products that are container based or just anything that's, you know, quick development is more where they haven't addressed as much cyber security or scalability or things like that from it. 
 

But from a management standpoint, an OT management, uh, that has been definitely not considered it. Even though it has the word technology and operational technology, it hasn't been considered a technology. You know, it's to a lot of folks. It's no different than a hammer, right? This, this is a, this is something that's going to perform a function. 
 

Uh, we set it up. We wanted to run, um, working in critical infrastructure, even [00:29:00] manufacturing environments. These are expected to be 24 by 7. Uh, some places don't have, uh, patch windows at all. Uh, it's just it's running. If you know if it ain't broke, don't fix it. It's not like your car that you take in to get an oil change every 5000 miles. 
 

And now you know where there's over the air firmware updates and patches that are happening to the vehicles. That's not the case for the operational technology. And so the I. T. Folks, you know, it's very, uh, I would say, let me let me just say it this way. There has to be an alignment. Alignment. And of the processes and the parameters by which they work together. 
 

And the reason that is, is, as I mentioned, in many OT environments safety is involved. So let's say you take a wastewater plant that has operational technology running, you know, the pumps and the filtering system and this and that. Now, OT, the majority of it [00:30:00] is not intended to be internet facing, and when something is internet facing and it's found on Shodan, that's a problem. 
 

Now, if you have edge devices and things like that that are meant to be that communication layer between those, those are going to have a different level of security, and that's more where you would see something in between. But what happens is, you know, the standard culture for IT security is, if it's not patched, then it's completely vulnerable. 
 

And, you know, we've got to get this done and we've got to fix it. And the concentration needs to be on the defense in depth, the compensating controls and the mitigations that are in place. You know, threat modeling the entire environment and the landscape is extremely important because you're looking for those. 
 

It could be that changing out just one set [00:31:00] of technology in the OT space could mean a million dollars by the time you not only buy the equipment, but also all the engineering time it takes to change something out. Whereas you could secure, you know, the entire environment for, you know, 20 grand or something at that level. 
 

Right. And enhance your monitoring tools. There's lots of tools out there now that are monitoring those OT environments for anything that may be out there, because a lot of this OT product we intended to live for decades. Right? This is very different than IT, you know, your phone that you change out every three or four years, that gets a patch every other day. 
 

This OT, operational technology, has generally for us a 30-year PKI certificate, right? Because it needs to [00:32:00] be in existence that long and running nonstop, so we don't see a lot of technologies that are out there today. So I think that what can help the best is have IT folks take some OT training to really understand that. That's why I cover so much of it in the book, explaining, you know, as I mentioned earlier, the complications for hardware, but that it is not intended to be accessible to the Internet, and so integrations and things like that have to be done very carefully on a small OT or even IoT device. 
 

You don't expect your printer, you know, your IoT printer, to have a very detailed structure to handle massive-scale DDoS attacks, right? It's not a Cloudflare. Well, these OT devices can't do it either. They've got a very small footprint and they need to focus and work, you know, [00:33:00] that they're processing technology. 
 

They have to run at certain speeds and be able to do what they need to do to be able to manage the environments, that physical environment that they're managing. And, you know, adding in layers and layers and layers to these, you know, there's not enough that you could do. I mean, try to imagine adding that to a Philips light bulb, right? 
 

A smart light bulb. You can't do all of that. So I see, you know, a lot of, let's just say, public government documents that are coming out, and they don't take OT into mind. They're written for IT practitioners and they're written by IT practitioners. You can't do MFA on a building sensor. Right. 
 

Who is it gonna call? You know, where's the code gonna go when you have to, you know, reset it? So there's a lot we have to do to be able to bring that product, you know, to where it can be added to those environments. And there's different [00:34:00] kinds of zero trust technologies that OT products are being looked toward. 
 

But it also has to talk to the one you've had there for 15 years. And, you know, I've seen products where, you know, they still require HTTP because the web servers have to talk to the other products in that same chain. And it's important for the IT groups to secure that communication chain and what's going across, you know, end to end. 
 

And they can do that without swapping out those full components.  
 

Sean Martin: Super enlightening. It's funny, because I spend most of my time looking at IT ops stuff and cyber in that world. OT is really fascinating and I'd like to learn more, of course. But one of the questions I often ask is, is it possible for security [00:35:00] to have a greater impact on how the business is built? 
 

Before it's actually built, back in the definition and architecture phase, so that we're not patching security on later. And oftentimes I get "yes, it can" or "yes, but". But what I'm hearing now is you almost can't do that in OT; you have to prepare for the mitigating controls and the abstractions for security and the separations of networks and all this kind of stuff that's not device-specific type security, or even system-specific type security stuff, which is really interesting.  
 

Cassie Crossley: Yeah. And that's one of the, you know, 15 years ago, 20 years ago, everybody did admin/admin, right? We didn't know it. And now we do. But, you know, are you going to rip all of that out? Or are you going to defend it against anything like that? 
 

And we're going to see [00:36:00] that over and over. Like, I mean, just the complexity of the attacks. It's different than something physical or something out of science where you can say, you know, one plus one equals two. Cyber is an event that happens, you know, all these attacks and they change and they get more sophisticated every day. 
 

And that's why really, you know, keeping up and understanding the entire landscape is really important, because, unless you plan to swap out every single thing in your environment. I mean, again, I'm going to mention that, like a printer. So you're going to swap that out every two years because, you know, then it has to be able to defend against this and this and this. 
 

And, you know, it's different than, like, building a car tire, where you've got the science and the physics, whereas cyber just continuously grows. And one of [00:37:00] the areas which is coming up a lot is memory-safe languages. Well, you know, it's not proven that Rust can handle the processing speed that, you know, certain, let's say older, languages can do at that processing level. You've got to start somewhere, right? I mean, there's a chicken and egg here. There's always a level of instruction sets that are being created and used. And so we're going to see a lot of this where, you know, moving toward, you know, the latest and greatest, you can't do that and fully rip and replace everything every single time. 
 

And that's why we've seen software packages grow tremendously in size over the years. Now we need to work on that technical debt. But in a lot of OT environments, you know, we removed as much as possible because, again, I said it was a small footprint. And back to software supply chain security in general. 
 

Just, if you've got an iPhone, [00:38:00] for anybody out there, it comes pre-installed with 50 apps. You've got the operating system and 49 apps. You know, who's vetting those apps? Those are some of the questions that should be asked. Not necessarily, you know, from an OT, you know, how do I... we used to have to add our own VPNs and now, you know, there's additional features built in. But you also can't use an iPhone that's eight years old, because it requires hardware at a certain performance speed to be able to work. And we need to consider that when working with all these devices. I'm sure everybody would wish that their iPhone could last 20 years. I was very sad when mine wouldn't even handle the latest version. You know, I was using an iPhone 7 until it stopped doing auto updates. 
 

So, you know, there's a lot that we need to consider. The EU Cyber Resilience Act is requiring manufacturers and software publishers to say, here's how long, at a minimum, we're going to commit to for [00:39:00] this product, and it's requiring three to five years. And, you know, I'm sort of worried about buying cars where, you know, pieces of it don't operate in 15 years. 
 

You know, I could go buy a '69 Mustang and I know I can keep it running. But, you know, what about that car that relies on thousands of modules? You know, what's the lifespan of that?  
 

Sean Martin: Exactly, or the cloud service provider that everything's orchestrated through? Yes. Ah, boy, 40 minutes. 
 

I have a gazillion questions left. I'm going to hold them. Maybe I'll entice you to come back on. We can take another dive on some of these other topics that are floating around in my head. I want to leave you with some final thoughts on the impact you hope this will have for folks that read it. 
 

Cassie Crossley: So the [00:40:00] impact is, and this is where I'm just honored that so many people that I know are buying multiple copies and, you know, buying it for their organizations, buying it for the people they are in touch with, and also professors. I've got a long list now of people who want to use it in their classes, because when somebody hears, like, SolarWinds or this or that, that's just a piece of it. Right. And whether you're a computer science student or anybody in technology or someone in business, I mean, this is a book for MBAs. Right. There should be no reason why, if somebody is going into business today, they don't... they have to understand the technology risks and their third-party risks. 
 

So I'm just really thrilled and pleased and astounded by how many people are [00:41:00] really taking this up and seriously. And it makes me think we should be doing this more. It's a business book in all senses. And I think the more that we could do this, the bigger the difference will be, and that way we'll democratize some of this area where cyber books are only written and read by technical people.  
 

Sean Martin: Fantastic. This show's gone through many iterations; one of its names was the Business of Security. So, oh, I love that it's a business book and that it's for MBAs. I think we need to be teaching this stuff to the business folks for certain. 
 

We put a lot of pressure on the CISO to be business-minded. I think the business needs to be cyber as well. So congratulations on this, and hopefully [00:42:00] loads of people pick it up and get tremendous value out of it, not just for their sake, but for our sake. Yes. We're all relying on this stuff. 
 

So, Cassie, a pleasure meeting you. I do hope you come back, I think more on OT and supply chain and, I don't know, EU cyber resilience. There's loads of stuff floating around in my head now. Sure. But until then, hope everybody enjoyed this episode. I'll put a link in to the book, Software Supply Chain Security by Cassie Crossley. 
 

And please do subscribe and share. Connect with Cassie if you'd like. Say bad things about me in the comments. And we'll see everybody on the next one. Cassie, thank you.  
 

Cassie Crossley: Thank you so much, Sean.