A year ago my engineer daughter sent me a podcast by RadioLab that described a potentially scary future created by advanced video and voice manipulation technology that would allow anyone to recreate or initiate recordings of fake events that appeared very realistic – essentially putting a fake news weapon of high counterfeit quality into the hands of anyone. I have been pondering the possible ramifications of this technology and what could be done to offset it ever since. So I got quite excited when I met Daniel Riedel of New Context at a recent IACD conference and got to talking to him about his company’s research into “synthetic identities” and “secure attribution” among several other interesting things his company is doing in the ICS security arena. Daniel graciously accepted an interview request which you can read below. Learn how New Context is helping ICS companies to secure their infrastructure by developing secure attribution capabilities, applying AI to behavioral models, and advising on how to build a secure DevOps framework – all to help fingerprint ICS activities and identify bad actors from good actors in this interview with Active Cyber.
Spotlight on Mr. Daniel Riedel
Read his bio below.
August 13, 2018
Chris Daly, ActiveCyber: Hi Daniel – Thanks for joining me today. Please provide me and my subscribers some background on you and your company.
Daniel Riedel, CEO New Context: Thanks, Chris, great to meet you.
I got into software game development in the 7th grade, and I discovered I was an entrepreneur at the age of 19. I founded a company building media projects for the National Science Foundation, SGI, AT&T and Disney. As early as I can remember, my peers and I always talked about when data is created, people can steal it and more importantly, the manipulation of data can lead to the manipulation of people. From there, my passion was security and keeping the connected world safe.
I founded New Context in 2013 to build secure critical infrastructure – I felt it was something I had to do. I was fortunate to have a team of talented and inspired engineers join the mission and we began building orchestration and deployment software with integrity.
The most exciting time for New Context is now – we’re building data platforms and products that will help support secure critical infrastructure systems. It’s incredibly rewarding to do this work and see the safety we provide during these very turbulent times.
ActiveCyber: What target market are you pursuing?
Riedel: Our focus is data security in critical infrastructure. The work we’ve done in the utility sector is keeping the bad guys out and supporting the global cybersecurity community – support that’s central to our mission. In the industrial sector we help the enterprise get product to market faster at a lower cost. Together our work in ICS/OT is driving our innovation in our security products.
Our large MNC customers look to New Context to help build systems and frameworks with strategic business value: Speed to market, innovation, compliance, etc. We’ve found solving big business problems is where we deliver the greatest value.
ActiveCyber: What are the key offerings your company provides?
Riedel: The heart of our work is consulting – building secure infrastructure for large scale data products and platforms. As we have grown, we leveraged our knowledge in AI, automation and security to build a practice around security research within OT networks. Our partnerships with National Laboratories have led to big growth in this group.
Our product innovation evolved naturally from our consulting and we’re seeing strong growth from two products in particular. One passion of ours is to significantly improve the way humans build software, and the LS/IQ platform is that transformation. LS/IQ is essentially Maturity Assessment meets Secure DevOps, and we’re pushing hard to keep up with demand.
Another product we’re excited about leverages our expertise working with utility grid infrastructure. While this technology is still in stealth, I can say our Grid Security Platform will work to help utilities respond faster to cyber security threats.
ActiveCyber: You mention the term “synthetic identities” in your blogs. Please describe what synthetic identities are and what problems they create in day-to-day interactions in our virtual and social worlds. What can be done to combat these problems?
Riedel: Synthetic Identities are often the combination of real and fake data to create a new online identity. The phenomena are not new but they are growing and becoming more complex. Bad actors and cybercriminals are “harvesting” them – often with supporting bots and malware – to steal data, commit bank fraud and worse.
Today, online criminals are creating what we might call a synthetic identity ecosystem that will be among the larger threats in infosec over the next 5 years. I expect users on LinkedIn, Facebook and Twitter will see a growing number of farmed profiles that are very difficult to distinguish from accounts from real people. The credibility that comes with the connections in our online communities is important – it makes access and fraud more difficult to prevent.
Advances in identity and attribution will be our strongest weapon to combat synthetic identities, but I also see those weapons being used by the synthetic identities themselves. Our organizations are going to need to be educated in the threat and always be wary of anyone they do not personally know that they interact with online.
ActiveCyber: Advances in artificial intelligence are beginning to outstrip a human’s ability to discern engagement with non-human entities during casual interactions. What cybersecurity problems, legal issues, and business issues do you foresee due to these advances? How are these advances particularly impactful to the security of critical infrastructure systems?
Riedel: I agree, humans – as well as corporations and governments – are facing new security challenges as non-human identities manage personal data. When Google showed off their new AI that can book a hair appointment the crowd cheered, but it reminded me of the Netflix series Black Mirror, when the future sends chills down your spine.
As we build systems that will help human customer support and sales expand their capabilities and scale their efforts through virtual support, we are going to need to think carefully about the technologies we develop. Beyond Google’s AI we are now able to create realistic artificial faces and can manipulate videos of people to say and behave differently. These same tools will also be used by criminals to defraud people.
The impact to critical infrastructure will be advancement on the same phishing scams to gain access and dupe people into giving away their identities so that criminals will gain access to networks.
ActiveCyber: Reputation systems are sometimes used to ferret out bad actors or misbehavior in today’s ecosystems. Are reputation systems effective in combating problems with synthetic identities?
Riedel: Reputation systems do help, but multiple strategies need to be deployed to keep ahead of the bad actors. Keep in mind that the reputation system itself will also be under attack by the synthetic identity, so part of the answer lies in multiple levels of verification. As mentioned before, most of the technologies being used for synthetic identities will be deployed in sales and marketing systems for legitimate business needs.
Reputation systems have a place in helping make discerning decisions but I worry long term they will be susceptible to attack. We have been using IP reputation for email for many years and it seems to have helped but it also can be subverted by criminals as well.
ActiveCyber: What is meant by the phrase “secure attribution” and how can secure attribution offerings improve the resiliency and speed to respond to cyber events? What types of secure attribution offerings does New Context provide and how do these secure attribution offerings fit into the portfolio of critical infrastructure protections?
Riedel: Understanding the concept of secure attribution is actually pretty simple – the hard part is in the execution.
Can we fingerprint every interaction of a coder or operator interacting with a machine and network? That’s the concept – what we might call the security opportunity – of secure attribution. Creating a trace enabling engineers to access the history of all executables and code they are running.
This attribution history enables the organization to connect any malicious activity to the original entity. The challenge is that we can’t boil the ocean – trying to enforce zero anonymity across the broader internet is not achievable politically or technologically. But in critical infrastructure we have the opportunity to attribute smaller networks, which is more manageable.
We have a team working on secure attribution in controlled networks – smaller systems operated within critical infrastructure. This methodology is part of our application development framework, including the LS/IQ platform. The good news is, there are many common sense actions that organizations can take today to build stronger attribution into their architecture.
ActiveCyber: Trust systems such as blockchain are beginning to emerge as a method to provide immutable identities on the Internet. How is New Context taking advantage of blockchain technology in your cybersecurity offerings for critical infrastructure?
Riedel: New Context has been working in blockchain cybersecurity since our beginning. In 2013 we had a commercial partnership with a blockchain company integrating their solution into infrastructure orchestration. Our approach was pretty straightforward: a distributed ledger that ensured immutability and data integrity. Five years back that approach was very new, and we built on it to refine our secure orchestration techniques.
One area of blockchain security I’m excited about is work to push for a serialization standard for JSON. The lack of standards in JSON creates challenges in data transport, making global signing of JSON between API platforms very difficult. One of our engineers, John Mark Gurney, is leading our team’s investigation and putting forward some papers to move the industry forward. JSON standards will be a major step towards being able to sign and serialize and add data to ledgers.
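The two answers above describe the same mechanics from two sides: an attribution trace that ties every execution to an entity, and a deterministic JSON serialization so that such records can be signed and appended to a ledger. The example below is added here to illustrate both; it is not New Context code and is not taken from the papers mentioned. It canonicalizes JSON (sorted keys, no insignificant whitespace, UTF-8, which matches RFC 8785 for documents without floats), signs each record with HMAC-SHA256 as a stand-in for a public-key signature, and chains records by hash so that editing any earlier entry is detectable. The ledger class, the field names, the actor/host values and the executable digests are all constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real signer would hold its key in an HSM or KMS.
DEMO_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # "previous hash" of the first entry


def canonicalize(obj) -> bytes:
    """Deterministic JSON bytes: sorted keys, no whitespace, raw UTF-8.

    Equivalent to RFC 8785 (JCS) for strings, integers, booleans, null,
    lists and objects. Python's float formatting is not JCS-compliant,
    so records built here keep numbers integral.
    """
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def sign(obj, key: bytes) -> str:
    """Signature over the canonical form, so key order or whitespace on the wire cannot break it."""
    return hmac.new(key, canonicalize(obj), hashlib.sha256).hexdigest()


def verify(obj, sig: str, key: bytes) -> bool:
    return hmac.compare_digest(sign(obj, key), sig)


def entry_hash(entry) -> str:
    return hashlib.sha256(canonicalize(entry)).hexdigest()


def same_document_different_bytes() -> bool:
    """Two wire encodings of one document differ byte-for-byte yet canonicalize identically."""
    wire_a = b'{"b": 1, "a": {"y": true, "x": "caf\xc3\xa9"}}'   # raw UTF-8, loose spacing
    wire_b = b'{"a":{"x":"caf\\u00e9","y":true},"b":1}'          # escaped, compact, reordered
    canon_equal = canonicalize(json.loads(wire_a)) == canonicalize(json.loads(wire_b))
    return wire_a != wire_b and canon_equal


class AttributionLedger:
    """Hash-chained, signed log of who ran which executable on which host (constructed design)."""

    def __init__(self, key: bytes):
        self.key = key
        self.entries = []

    def record(self, actor: str, host: str, executable: str, exe_sha256: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "actor": actor, "host": host,
                "executable": executable, "exe_sha256": exe_sha256, "prev": prev}
        entry = dict(body, sig=sign(body, self.key))
        entry["hash"] = entry_hash(entry)  # hash covers body + signature
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recheck sequence, back-links, signatures and hashes from genesis forward."""
        prev = GENESIS
        for seq, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k not in ("sig", "hash")}
            if body["seq"] != seq or body["prev"] != prev:
                return False
            if not verify(body, entry["sig"], self.key):
                return False
            unhashed = {k: v for k, v in entry.items() if k != "hash"}
            if entry_hash(unhashed) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo() -> tuple:
    """Returns (chain valid before tampering, chain valid after rewriting history)."""
    ledger = AttributionLedger(DEMO_KEY)
    ledger.record("alice", "hmi-01", "/usr/bin/python3", "a" * 64)           # constructed digest
    ledger.record("svc-deploy", "plc-gw-02", "/opt/ctl/push_logic", "b" * 64)  # constructed digest
    intact = ledger.verify_chain()
    ledger.entries[0]["actor"] = "mallory"  # attempt to re-attribute the first action
    return intact, ledger.verify_chain()


if __name__ == "__main__":
    print(same_document_different_bytes(), demo())
```

Because the signature is computed over the canonical bytes rather than whatever a given library emitted, a record can cross several API platforms that each re-serialize it and still verify at the other end; the hash chain then makes any later rewrite of an earlier attribution visible to every verifier holding the ledger.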
ActiveCyber: In January, you announced: “New Context and INL are collaborating on research for machine-to-machine advanced threat detection and automated orchestration for Industrial Control Systems (ICS) networks. The project is funded by the Cybersecurity for Energy Delivery Systems (CEDS) Program in DOE’s Office of Electricity Delivery and Energy Reliability (OE).” Where has this research led you to date and how will your findings impact the basic Purdue model for ICS security?
Riedel: The value of the Purdue model is in prioritizing and protecting the safety and reliability of industrial control systems. The research and development for advanced detection and/or automation and orchestration in ICS markets doesn’t necessarily require substantial changes to the Purdue model. We are already seeing ICS vendors develop automation systems for OT networks.
What most in the field are concerned about is how can we maintain the level of separation as defined in the Purdue model, while also supporting the convergence of IT and OT. We will have to be adaptive and innovative with our approach while also providing the ability to protect those assets which would be placed in lower zones of the Purdue model.
I do not see our research impacting Purdue directly, but I do see the Purdue model becoming more muddy as ICS technology includes more characteristics of IT. Operating Systems, applications and network protocols are converging. The goal of posting all the data into the SIEM of choice is changing some of those approaches, including Control and Telemetry.
Our research is focused on the behavioral characteristics, and how to describe them to facilitate sharing between organizations.
ActiveCyber: AI can help and hurt (via an attacker’s use) cyber defenses – what is the right approach to employing AI to help? What role does AI play with security orchestration for critical infrastructure systems?
Riedel: I’m very bullish on the advancements in AI as it’s used to help humans make decisions faster. It’s remarkable to watch technology process tremendous amounts of data, and help with decisions that help the OT operators respond to threats and breaches more quickly. There’s lots to like in the applications of AI in cybersecurity.
We still have a long way to go however. A great deal of AI is non-deterministic, and I am concerned with industry relying too strongly on the technology for cybersecurity in the short term. As an example, handing over AI for cyber defense around anomaly detection could easily become an arms race. Bad actors certainly have a strategy to build AI of their own – we’ve seen early signs of the weaponization of AI by bad actors.
In our solutions AI anomaly tools do play a part, as well as helping incident responders be able to work more quickly. Our focus is a holistic approach that includes methods of security that can be sustained alongside innovation.
ActiveCyber: What emerging standards do organizations need to consider when developing an active cyber defense capability?
Riedel: Great question. Today I’m introducing colleagues to the ATT&CK work from MITRE that’s built on STIX. ATT&CK is a comprehensive toolchain that allows organizations to build out their defense capabilities. We’re pulling it into our own tools as well – including our cybersecurity roadmap platform LS/IQ – to leverage the good work they are doing.
In addition, the NIST standards are solid, UL is building smart OT security standards, and the Cloud Security Alliance is also putting together comprehensive tools. We’re also working closely with the OpenC2 standard around command and control messaging for machine to machine response systems.
ActiveCyber: How would you characterize the state of ICS security today? What are the major gaps in ICS security protections?
Riedel: The effectiveness of ICS security varies greatly based on the maturity of the organizations managing the devices and the resources allocated. The organizations that have funded their security programs and have board-level visibility have created very mature programs to protect their infrastructure. The organizations that don’t have the budget or support of senior leadership are at higher risk.
I would say ICS security is maturing rapidly; there is definitely a lot of focus and conversation. We need to set those good ideas into action and be very careful about which ICS platforms we modernize, or we might create potential vulnerabilities that didn’t exist before, with legacy equipment that is now reachable by the Internet or via internal business systems and being manipulated in ways it hadn’t been before.
Thanks again for the chance to talk cybersecurity, Chris. New Context appreciates every opportunity to move the industry forward and keep the internet safe.
Thank you Daniel for sharing information about New Context’s offerings and insights into securing the ICS environments of today. I believe the different innovations your team is working on and delivering will certainly help in securing our critical infrastructure. I am a big proponent of developments in secure attribution as there are many benefits to be gained across many domains, from cyber to social, and political to intelligence. I truly hope that advances in secure attribution outpace the ability of fraudsters to fake, phish, and impersonate persons, devices, and events. Please return again when your innovations emerge from stealth mode to give me and my audience an update on your offerings and their associated use cases.
And thanks for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, autonomous security, securing the Internet of Things, or other security topics. Also, email firstname.lastname@example.org if you’re interested in interviewing or advertising with us at ActiveCyber.
About Mr. Daniel Riedel
Daniel Riedel is the CEO of New Context, an innovator in data security for highly regulated industries. He’s a trusted authority in data security for the industrial internet, speaking before the US Senate Committee on Energy & Natural Resources, OASIS’s Borderless Cyber, and Johns Hopkins IACD, and has been published in the Washington Post, Federal Times, Wired and Dark Reading. Mr. Riedel has over 20 years of experience building secure and scalable technologies, products and companies.