Why hacking industrial control systems is an extension of statecraft

"When I have a bad day, it's a bad day for a lot of people," says Sergio Caltagirone, former NSA cyber-defense expert and director of threat intelligence at Dragos.

TechRepublic's Dan Patterson sat down with Sergio Caltagirone, former NSA cyber-defense expert and director of threat intelligence at Dragos, to talk about his career path and cybersecurity. The following is an edited transcript of the conversation.

Sergio Caltagirone: Yeah, I started as a traditional computer scientist. Got into cybersecurity when "cyber" wasn't the word we used and, honestly, information security wasn't a thing. And, I jumped--I jumped into some interesting stuff at the University of Idaho, which led me to the National Security Agency.

I was at the National Security Agency doing national-level cyber defense for nine years. And, got to work a whole bunch of nation-states and foreign threats to the US Government and our allies.

After that, I joined Microsoft, and was the Director of Threat Intelligence there. So, I got to work on threats broadly across the world, to consumers and enterprise, cyber crime, nation-states, and any threats that affected both Microsoft and the customers worldwide. You know, over a billion people.

Now I'm at Dragos. And, so now we're working industrial control threats. So, I like to say that I used to work with threats that went bad, and now I work threats that go boom. And that's probably the best way to put it. Now, when I have a bad day, it's a bad day for a lot of people.

Industrial control are the systems and processes, both digital and analog, which manage industrial processes. So, that's manufacturing, food manufacturing, water, electricity, transmission, generation, distribution, oil and gas. You know, oil production. You drive by it every day. You get touched by it every minute. It's the light you turn on. It's the water you drink. It's the toilets you flush. And so, literally, this is about--industrial control is about people's lives, fundamentally.

And so, industrial control is really--the cyber threats against industrial control are really an extension of statecraft. Right now, the only actors in the space are effectively state actors. The reason is that cyber criminals really have no interest in it. There's no money to be made. It takes so many years of development and understanding to do something. And, honestly, you do something in that space, and you might get put on a list you don't want to. So the risk is really high for the actors to ultimately do it.

So, we're really right now limited to nation-states. A big issue, though, is that between when we first started talking about this issue, which was, back in 2005, -6, and -7, to now, what we've really seen is an explosion of the threat landscape in industrial control. There was a German steel mill that blew up. And, we kind of moved forward.

But what we've noticed is that, of all the threats that we've been tracking, most of their activity started in 2016 and 2017. And so, we've got a massive explosion of growth in the space, which really concerns us. But, fascinatingly, most of those adversaries are not ready to do anything bad yet. They're still very much in research and development, in testing, in early operations. They're trying to get access and learn what that access means, and what they do to it.
