Phil Quade, Fortinet | CUBE Conversation July 2017
(electronic music)
>> Hi, welcome to today's very special in-studio presentation of theCUBE, I'm Peter Burris, Chief Research Officer of Wikibon, and we've got a great guest, we're going to talk about critical infrastructure today, which is a topic that deserves a lot of conversation, but sometimes ends up being a lot of talk and not as much action, and we've got Phil Quade, who's a Chief Information Security Officer of Fortinet to talk about it. Phil, thanks for coming to theCUBE.
>> Appreciate being here, thank you.
>> So Phil, the issue of security is something, as I said, that's frequently discussed, not often understood, and therefore often is not associated with action, or perhaps as much action as it should be. Talk about the conversation that you're having with customers and peers in the boardroom about the role that security is playing in business thinking today.
>> Sure, thank you. The folks I've talked to, they're not dumb people, you don't make it into the C-Suite without having some type of intellect and perspective. What I found is that they recognize indeed that we are in the midst of another computing revolution, and the roots of that trace back from mobility to the cloud and now the Internet of Things. What they don't quite recognize, though, is that we're in the midst of a security revolution as well. And I look at that as going from security from being point solutions to being ubiquitous security everywhere, to having that security integrated so it works as a team. To have that team-oriented security simplified so it doesn't overwhelm the operators. And importantly into the future, much more automation, so highly automated to the degree that it will actually execute the intent of the operator and of the security people.
>> So Phil, you made a very interesting point, you said security everywhere, we usually think about security as being something that existed at the perimeter, almost now, I guess, to walking into a building and securing the outside of the building, and once we secure the outside of the building, everything else was fine. But the nature of security everywhere means that the threats seem to be changing. Talk a little about the evolution of some of the threats, and why this notion of security everywhere becomes so important.
>> You're right, we all know how well relying on boundary security alone works. It doesn't. You have to have boundary security where there is indeed a defined boundary, but increasingly, networks are borderless. You'll work from home, you'll work from your car. You'll work while you're taking a stroll in the park, but you also need to recognize that you have important assets there in your data centers, there in your clouds, so it's not about having point solutions at the border, it's about having ubiquitous security that can operate in your pocket, on your laptop, on the edge, in the data center, in the cloud as well, but this is importantly, having all those pieces working together as a team.
>> We like to talk at Wikibon about the idea of, everybody talks about digital transformation, but to us, that means ultimately is that, companies are using data as an asset, that's the essence of digital transformation. This notion of border security becomes especially important, because our data becomes our representation of us, of our brand, data is acting on our behalf right now. So what are some of those key new things that we're concerned about, in terms of the new viruses? If we think about a hierarchy of concerns, bullying all the way down to strategic, where are we in understanding that hierarchy, and how we're dedicating the right resources to making sense of it?
>> Sure, it's tempting to think that WannaCry and NotPetya represent the new normal, or the cutting edge of the cybersecurity threats we're seeing today, but I think we need to take a step back and recognize the intent of such threats. Some threats come at you because someone simply wants to cause mischief. Others because they are trying to bully you into doing certain things. Some of these threats are based on a criminal element, where they're trying to get some type of financial gain, but now others are much more, much more, I'll say harmful. Some might be due to revenge, so, look at the Sony incident. The Sony incident was primarily because a foreign leader was upset of a film company's portrayal of his country, or himself. And the two that are especially worrisome to me are threats that are motivated by military tactical advantages, but most importantly, strategic advantages, so for example, there's some countries that hope to hold our strategic assets at risk, and what I mean is, they'd like to be able to impose their national will on the United States, or other democracies, by holding some of our critical infrastructures at risk, as in preventing their reliable and safe operation, or causing folks to have a distrust of their financial system. So I'm really worried about the threats that come after us from a strategic perspective. Don't worry, WannaCry and NotPetya are important, but they're very different than being strategic threats.
>> Now, this issue of strategic threats sounds like there's also a continuum of the characteristics of the threat, from, you totally bring something down, to you actually introduce behaviors that are not expected or not wanted. So talk a little bit about this notion of critical infrastructure, and how we're getting more, both planful, and subtle, and strategic in our responses to the threats against critical infrastructure.
>> Well, it's the subtle ones, you're right, it's the subtle ones that worry you, meaning, it's relatively easy to recognize when something bad happens to you, 'cause you can immediately try and fix it, but when something subtle, oftentimes it passes, your prickly sensors don't come up. And the problem is, when all these subtle things build on top of each other, so that all of a sudden, 10 subtle things turn out to be one very big thing, and those are the types of things we need to worry about with some particular critical infrastructures. So for example, a terrorist's malicious activity might simply be looking for one big high-visible attack, meaning, causing heat and light to happen on a TV screen for an exploding oil field, or something like that, but a much more subtle malicious activity would be the gradual degradation of the quality or availability of water, or the gradual degradation on the precision of some of our critical manufacturing, so I'm with you, that some of the subtle things are what we need to worry about. We call those low-and-slow attacks, so it's, you not only be prepared for the loud and stealthy ones, but also the low and slow ones.
>> Now, we used to think for example of one of the more famous portrayals of security concerns in movies and whatnot is the idea that I take off the last six decimal places of a transaction, I somehow amass millions of dollars. Is that the kind of thing you mean by low and slow? Those aren't necessarily the kind of threats, I know, but that kind of thing, it's subtle, and it doesn't have an immediate, obvious impact, but over time, it can lead to dramatic changes in how business, or an infrastructure, a national asset, works.
>> That's a great analogy, the old financial attacks where they bleed off 0.01 cent per transaction, that adds up very quickly into a very high-volume loss.
Well, imagine applying that style of attack on something that could result in not simply a financial loss, but could cause a physical or safety event, whether it be a pressure explosion on a pipeline, a degradation of water, or something of the sort. Those are very, very important, and we need to make sure we're looking for those too. Now, the question might be, well, how do you find such things? And the answer is automation. Human cognition is such that they're not going to be capable of tracking these very low and subtle and slow attacks, so you're going to need to use some always-on analytics to find those types of things.
>> So I want to bring you back to a word that you use that, in the context of this conversation, it actually becomes very important. Simple, small word. We. In this world of security, when we start thinking about, for example, the internet, which is a network of networks, some of which are owned by that person, some of which are owned by that corporation, some of which may have more public sponsorship, the idea of we becomes crucially important. We all have to play our role, but to secure critical infrastructure's going to be a public-private effort. So talk a little about how we go about ensuring this degree of control over the public infrastructure.
>> So bingo, oftentimes when I say we, it's the royal we, because as you know, as I know, critical infrastructure's not owned and operated by any one place, in fact, it's owned and operated by hundreds if not thousands of different entities. Unfortunately, some people think that the government, the US government, is going to swoop in and do something magical and magnificent to secure critical infrastructure. And the other, certainly, intent, not intent, there's a will to do such a thing, the government doesn't have the authority nor resources nor expertise to do such thing.
So what it means is we, this is the royal we, the public sector, the private sector, and there's even a role for individual citizens, we need to come together in new and innovative ways to get the security critical infrastructure to a much better place.
>> And this is part of that conversation, having the conversation about the role that critical infrastructure plays in the economy, in social endeavors, in government, in democracy, becomes a crucial element of this whole thing, so when you think about it, what do the rest of us need to know about critical infrastructure to have these conversations, to be active and competent participants in ensuring that we are having, focusing on the right thing, making the right investment, putting our faith in the right people and corporations?
>> I think the first step is taking a long-term approach. I'm a big believer in the old Chinese proverb, a journey of 1,000 miles starts with one small step. The problem with critical infrastructure security is that the problem is so big, and it's so important, that we're often paralyzed into inaction, and that gets back to the point we were talking about earlier, that no one single person is in charge. But we need to recognize that and get past it, we need to recognize that the solution lies in several folks, several communities coming together to try and figure out what we each can bring to this problem. And I believe there's some actional things we can do. I don't know what those 1,000 steps look like to get to where we need to be, but I do know what those first five, 10, 15, 25 things are, as do other folks in the community. So why don't we start acting on them now, and that has the side benefit of not only making incremental progress towards them, but it develops what I call muscle memory between the public and private sector, of how we go about working together on problems where no one entity owns the whole problem, or solution.
>> So one of the things that makes critical infrastructure distinct from, again, this goes back to the idea of what do we need to know, is that critical infrastructure is distinct from traditional networking, or traditional infrastructure, in that critical infrastructure usually has a safety component to it, and you and I were talking beforehand about how IT folks like to talk about security, OT folks, or operational technology people, the people who are often responsible for a lot of these critical infrastructure elements, talk about safety. Bring that distinction out a little bit. What does it mean to have a perspective that starts with safety, and figures out how security can make that easier, versus starts with identity, and figures out how to control access to things?
>> Right, I think that's an important point, because too often, the folks in the IT, information technology community, and folks in the operational technology community, the OT community, too often were talking past each other, and one of the reasons is just as you said, one focuses on the security of bits and bytes, and other focuses on the safety of water and chemical and electrons and things like that.
>> Well, at the end of the day, it's hard to say, "I'm going to secure water by not letting this group drink."
>> Right, that's right.
>> You can do that kind of thing in the IT world.
>> Right. So, very much so, the industrial control system folks, the OT folks, what's number one on their mind is the safety and reliability of their systems and equipment. They're serving the public with reliable transportation, water, electricity, and the like, and so one of the first things we need to do is recognize that, it's not either/or, security or safety, it's both, number one.
Number two, I think an important solution is, an important part of the solution is mutual respect, meaning that, yes it's true that the IT folks have some important strategies and technologies to bring into the OT space, but the opposite's also true. The OT folks, some of the smartest folks I know in the business, have been doing what people recently breathlessly call the Internet of Things. So in the critical infrastructure world, they have what's called the Industrial Internet of Things, and they've been using these lightweight distributing appliances for decades successfully. And so I think that we need to take some of the lessons from IT, and apply it to the OT space, but the same is also true. There's some OT lessons learned, so we need to apply the OT space. So, the real solution though is now, taking both of those who are working together to address the increasingly blended critical infrastructures, IT, OT worlds.
>> So Phil, if you were to have a recommendation of someone who has worked in, been familiar with the black security world, the black ops world, the black hat world as well as the white hat world, if you were to have a recommendation as to where people should focus their time and attention now, what would it be? What would kind of be the next thing, the next action that would recommend that people take?
>> If I could, I'd like to answer that in two parts. First part is, what are the group of activities where we could naturally make some progress? Well, the first one is, getting some like-minded thought leaders together in agreeing that this is in fact a 10-year problem, not a one-year problem. And no matter what jobs we're all in, commit ourselves to working together over that period to get to a good spot, so one is a forming of like-minded people to agree on the vision and determination to help us get there. But then there's some practical things we can do, like, the mundane but important automating information-sharing.
There's some critical infrastructures that do that very well today, the financial sector's often brought out as one of the best in that field. But some of the other sectors have a little ways to go, when it comes to automating information-sharing of the threats and the risks in the situations they're seeing. Another thing that I think we can do is, I call 'em pilots. Specifically, we need to explore all the dimensions of risk. Right now when we think about mitigating risk, we think about, how can I stop a threat, or how can I fix a vulnerability. But too often we're not talking about, what are the bad consequences I'm trying to avoid to begin with? And so, the critical infrastructure community especially is ensuring a discipline called consequence-based engineering, so it's mitigating risk by engineering out the bad consequences from the very beginning, and then using your technology to address the threats and the vulnerabilities. So I'd like to see us do some public-private partnerships, some pilots, based on consequence-based engineering, and that will not only reduce overall risk, but it will create, as I mentioned earlier, that muscle memory.
>> Consequence-based engineering.
>> That's right.
>> So is there one particular domain where you have, like when you sit back and say, "I want to see these public-private partnerships," is there a place where you'd like to see that start? Part of the whole critical infrastructure story.
>> Right. You can't ignore the electric critical infrastructure. And the good news is that they've been practicing this science, this art, consequence-based engineering, for some time now. So for example, in the electric grid, as you certainly know, there are three major interconnects in the United States, the eastern, western, Texas interconnect. So they already create segments, or islands, so that one failure won't propagate across the whole US. So the mythical US-wide power grid is in fact a myth.
But even within those segments, the eastern, the western, and the Texas interconnect, there's other further segmentation. They don't quite call it segmentation, they call it islanding. So when things fail, they fail in a relatively safe way, so islands of power can continue to be generated, transmitted, and distributed. So, in the sense, some of the folks in the electric companies, the electric sectors, are already practicing this discipline. We need to, though, pivot that and use it in some of those other disciplines as well. Think, oil and gas, transportation, water, critical manufacturing, and possibly a couple others.
>> So Phil, I find it fascinating, you were talking about the electric grid as a network, and all networks have kind of similar problems, we have to think about them in similar ways, and Fortinet has been at the vanguard of thinking about the relationship between network and security for a long time now. How is your knowledge, how is Fortinet's knowledge of that relationship, going to manifest itself when we start thinking about bringing more networking, more network thinking to critical infrastructure overall?
>> You're right, the strategy of segmentation is still king in the security business, and that's especially true in the IT space. At Fortinet, we offer a range of security solutions from the IoT to the cloud, and can segment within each of those different pieces of the network, but more importantly, what we offer is a security fabric that allows you to integrate the security at the edge, at the cloud, in the data center, and other parts of your network, integrate that into a fully-cooperating team of security appliances. What that allows you to do is to integrate your security, automate it much more so, because you don't want to bring a knife to a gun fight, meaning, the adversaries are coming at us in lots of different ways, and you need to be prepared to meet on their terms, if not better.
But it also greatly decreases the complexity in managing a network, by leveraging greater automation and greater visibility of your assets. So, you're right. Segmentation is a strategy that's proven the test of time, it's true of the IT space, and it's especially true to the OT space, and at Fortinet, we'd like to see the blending of the planning and implementation of some of these strategies, so we can get these critical infrastructures to a better spot.
>> Well, Phil Quade, thank you very much for coming on theCUBE and talking with us about critical infrastructure and the role the network is going to play in ensuring that we have water to drink and we have electricity to turn on our various devices, and watch theCUBE! Philip Quade, CISO of Fortinet, thank you very much.
>> My pleasure, thank you.
>> And I'm Peter Burris, and I'm, again, Chief Research Officer working on SiliconANGLE, you've been watching theCUBE, thank you very much for being here as part of this very important discussion, and we look forward to seeing you in the future!
(electronic music)