Hack the Plant Episode 32: Securing, Defending, and Bringing Resilience to Infrastructure with Robert Shaughnessy

February 28, 2024 – In this episode of Hack the Plant, Bryson sits down with Psymetis CEO Robert Shaughnessy to discuss his work with Psymetis, an Operational Technology security company that works on critical infrastructure; challenges to innovation in the private sector; and the role of government in developing new technologies. 

What ecosystem problem is Psymetis solving? How is the federal government involved? What threats do our critical infrastructure systems face? How is China involved?

“We’re not talking about shooting wars, we’re talking about wars where adversaries–to include economic adversaries–can have advantage,” Shaughnessy said. “As we’re looking out over the next couple of years… there’s a lot of frightening indicators that want us to plan for these events, knowing the capabilities of our tier one adversaries.”

Join us for this and more on this episode of Hack the Plant. 

Hack the Plant Season 4 is brought to you by ICS Village and the Institute for Security and Technology.

Transcript

Bryson Bort: I’m Bryson Bort and this is Hack the Plant. 

For today’s episode, I’m joined by Rob Shaughnessy, the CEO of Psymetis. Psymetis produces Operational Technology (OT) security solutions that detect problems quickly and prevent electric grid outages and catastrophic infrastructure failures by detecting cyberattacks, equipment failures, and physical damage in real-time, enabling operators to take immediate actions. Rob has worked closely with organizations across the Intelligence Community, Department of Defense, and commercial industry and his work in Research and Development has contributed significantly to understanding and countering large-scale threats.

Robert Shaughnessy: “If something is going to take a couple of billion dollars to develop and there’s not a known, validated commercial return associated with it, why would any private industry take that on? It’s really the role of government. What’s interesting, Bryson, is that the United States is one of the few nations that absolutely isolates and separates private industry and government when it comes to things like this, when it comes to cyber protections and that hard gap. I think it’s also a significant contributor where there’s no easy cross pollination and there’s no easy cross drivers where you could have a government requirement directly fuel a private industry investment or a private industry investment directly fuel a government requirement.” 

Bryson Bort: We discuss some of the challenges hindering innovation that exist between government and the private industry as it relates to securing, defending, and bringing resilience to infrastructure. 

Rob Shaughnessy: “What we’re dealing with in critical infrastructure includes a lot of what some term as ‘living off the land,’ where you have threats that are already in… they’re already in the infrastructure. They’re already on the systems. In that case, more defensive measures isn’t…better. They are already there.” 

Bryson Bort: We explore why people should be focusing on building resilience capabilities to defend against threats to critical infrastructure that are already happening. 

Rob Shaughnessy: “And so from a policy perspective, there’s an existing policy to use all means available in support of their national agendas. They have a massive cyber force that has been focused for many years. They have remarkable control over a remarkable amount of the supply chain and a stated stance to use those mechanisms in support of their domestic and foreign policies. So China stands alone, realistically, in its capability, in stated intent and in demonstrated opportunity to do all of this. At this point, it is only choice that is preventing it.”

Bryson Bort: Why is China our biggest threat to infrastructure and where are we most vulnerable? We talk about all of that and more on this episode of Hack the Plant.

What mistakes in life brought you here, sir?

Rob Shaughnessy: Oh, I don’t think it’s countable. The world is on fire. Someone needs to try to put it out. I think that’s what brings us here.

Bryson Bort: Okay. But why this podcast in particular? I understand not many folks get you on many podcasts.

Rob Shaughnessy: That’s true. So something I briefly mentioned, I do almost none publicly, certainly, but I think it’s a couple of factors in particular, the most important is that I have a strong belief that this is an area. So cybersecurity and cyber physical security specifically with ICS and with our critical infrastructures is something that can only be addressed by a community. No one group, company, person, thing is going to have the solution. I know that, I know you, and I know your position in the community and your thoughts in the community, and that they’re very aligned, with mine and ours. And I think it’s important to bring multiple perspectives to bear to move the community forward, but also to take advantage of every opportunity to do more, bring more, introduce more, remove some stigmas. Have more people, more interaction with the community and all of that combined when this opportunity came up, I thought I would do it myself.

Bryson Bort: And so what is this more you speak of?

Rob Shaughnessy: So what we’re doing here is just one example. There’s many where there’s net new invention occurring at U.S. National Labs, in academia, occasionally in people’s garages that can help address some of the more challenging problems that we’re facing with securing, defending, and bringing resilience to infrastructure.

AI being a fantastic example of where there’s net new thinking and capability being developed that is not yet commercial. Where there’s a great idea or a great piece of science, a great piece of engineering that could make a real difference, but has to get commercialized, has to go from a lab to something in a box that someone can plug in without being an electrical engineer, without being a physicist. And so that’s a big part of the what. I know here at Psymetis, we’re doing that with technology from Department of Energy labs as well as other sources and taking that from where it currently is as a scientific idea or a piece of intellectual property, an early prototype, and building a larger capability that can be put into infrastructure.

Bryson Bort: What is the role of federal government or, and, or the national labs in this? Why can’t you just take this directly to the asset owners?

Rob Shaughnessy: That would be fantastic, and that would be a fantastic fantasy world to live in.

Bryson Bort: Tell me about fantasy world. Why is it a fantasy?

Rob Shaughnessy: In this case, it would be possible for private industry to develop some of this. There are aspects of it, though, where it wouldn’t be. A good example of that is components for the electric grid, where just in testing, for example, you may want to create a large-scale blackout in order to detect that type of threat or to test resilience in that type of way.

In order to do that you have to have a large-scale electric grid that you can intentionally cause a blackout in, and that is well beyond the reach of most private organizations, but within the reach of the Department of Energy, who has facilities just for that. That’s one example. Others exist in other parts of physics where simply the risk, the potential for harm, all exceed liabilities that would be acceptable by commercial industry.

Also the time and cost with potential failure. If something is going to take a couple of billion dollars to develop and there’s not a known, validated commercial return associated with it, why would any private industry take that on? It’s really the role of government. What’s interesting, Bryson, is that the United States is one of the few nations that absolutely isolates and separates private industry and government when it comes to things like this, when it comes to cyber protections and that hard gap. I think it’s also a significant contributor where there’s no easy cross pollination and there’s no easy cross drivers where you could have a government requirement directly fuel a private industry investment or a private industry investment directly fuel a government requirement. So I think both of those things play a role.

Bryson Bort: So in summary, it’s the balance of physics, which is the unique and expensive part, particularly when we’re talking about the electric grid, it turns out it’s not just computers doing, passing data from point to point.

Rob Shaughnessy: That’s right.

Bryson Bort: And then, and when we go at scale, some of those numbers and the physics get quite expensive and quite unique. Then we bring in the cybersecurity element and then you finish there with a cross section of national security.

Rob Shaughnessy: That’s right. You have two separate scaling functions. So you have the OT environments, the physical networks. In the case of the grid, it’s electric transmission. In the case of water supplies, it’s the pipes. In the case of transportation, it’s roads, rails, and airspace. And you have the cyber component, which is arguably also electrons, but information-based, where you have these large information systems and data passages that are separate. So you have these separate analyses components for both physical and, broadly cyber–the IT, data, and information side of things–and they’re generally separately solved. But as we know all too well, they’re not separated. Even more today than ever those systems are actually combined and have not only intersections, but are fully intertwined. And so the necessity to solve for both individually and then to solve for their combined effect and impact is a substantial problem.

Bryson Bort: Okay. So what is your idea? What exactly are you solving? What are you doing?

Rob Shaughnessy: So where we’re at is at that intersection point. So we have, we are developing a capability that leverages artificial intelligence, in this case, machine learning. It is not a sexy, large language model. It’s actually the workaday AI that looks at both the OT side, through being able to ingest volumes of data from the operational networks without interfering with those networks, and volumes of cyber threat data and information about what’s happening on the IT side. Bringing those together, fusing the information and then inferencing against it to detect anomalies in real time and then contextualize them. The neat trick is the ability to detect in real time on the OT side an aberration as quickly as possible, as it happens, as early as possible, and then to provide context to that if it’s available from the, broadly speaking, cyber side. An example would be detecting something that is an effect of a particular cyber attack, to be able to identify it in real time, and to provide the context of what type of cyber attack is causing it, and then to do this and deliver to the operators, essentially an easy button. A green red blinky light that says there is a problem here, at this time, and it has this context.

So we’re doing a lot of science to simplify something that’s super complicated. The intersection of electrical engineering and computer science. Developing an AI assistive capability to reduce that to the minimum amount of information necessary for an operator to make an immediate action. And so that’s what we’re doing here, but it is symbolic of the greater problem set being solved of combining the physical and physics world with the computer science and cyber world and reducing that down to something actionable by somebody who is not an expert in either. 

Bryson Bort: And can you explain the experience that you have had with the federal agencies and the national labs? What’s gone well? What’s not gone well? If this were fantasy land, how should this fantasy look?

Rob Shaughnessy: I can and you see me looking up to think of how best to describe this not to be negative. So we… 

Bryson Bort: [laughs] Rob, this is a safe space for all the listeners. Don’t worry!

Rob Shaughnessy: Well if that’s the case [laughs]. No, we have a fantastic relationship, actually. So with Department of Energy and with the labs that we work with, we substantially work with Idaho National Labs, INL, and have a terrific partnership with them.

And I don’t hesitate at all in calling it a partnership. They have been absolutely wonderful. Now, they get something from this. So we’re not babes in the woods. We know that there has to be something received on both sides, but they’re a terrific partner. There are aspects working with the national labs that makes it hard as a commercial business. So there are elements to it that anybody who does this knows well, where there will be specific limitations that make it hard. So as you know Bryson, as you’re running a company, any kind of external limitation that changes your business approach is going to be impactful. In this case, we’re dealing with intellectual property that may have export restrictions, that may have restrictions on where it can be worked on, where the development occurs. All of that increases cost and complexity that has to be taken into account. From a business perspective, though, probably the biggest function that makes this challenging is financial. So we’re taking something that is currently at an early prototype stage at best and having to bring it to a state where it can be reliably installed in infrastructure dependably. In between is not income. 

And so how we’re able to traverse that bridge requires sufficient funding at the start in order to be able to actually deliver that. It requires having all aspects of the business on board with long horizons, long timelines to delivery. It requires having a substantive enough relationship with the government where the trust is there to have something that lasts for a couple of years without an end result. And so those things really make it challenging more than other types of development, because it’s front-loaded costs, it’s complexities, it’s legal complexities that can be difficult.

Bryson Bort: So a lot of time, a lot of collaboration, a lot of cost.

Rob Shaughnessy: For sure. And it’s something that anybody who’s ever worked with DoD can appreciate exactly where this sits. So the U.S. government, and picking on DoD because it’s the most well defined, has funding and appropriations for research, development, tests, and evaluation, RDT&E, that is to the left side of acquisition.

So that starts with DARPA and IARPA, with ‘I have an idea,’ and goes through the prototype stage. So that’s all research and development funding the United States government provides. And there’s mechanisms for acquiring that and supporting it. Anybody who’s ever had a contract with DARPA has supported that.

And then there’s acquisition and programmatic acquisition. So when you have a commercial thing or, as we talk about in technology readiness levels, a TRL 8 thing, there are acquisition programs and funding for that to buy your thing or your service. In between, ‘I have a prototype’ and ‘I have a commercial item’ is what’s referred to in government contracting as the ‘valley of death.’ There’s no funding and there’s no programmatic acquisition in that space in between. So the innovation incubators, innovation community that exists in order to carry new technologies from the early prototype phase to the commercial ‘I have a thing’ phase are where we sit. And it’s challenging, a little nerve wracking. But it’s the way to bring actual new tech to bear against our problems. It has to cross that valley somehow.

Bryson Bort: So when we’re talking about security, security is the assurance against something happening to our operations. What have you seen in the environment? What kinds of threats, what kinds of education tied to those threats with respect to a potential customer base, asset owners, do you feel like you’ve had to do, has that been hard?

Rob Shaughnessy: So I don’t think it’s been hard technologically, with a caveat. As with a lot of things, a lot of attention is applied to the right side of this equation: the answer. And perhaps limited attention paid to the left side of the equation, or what is the better question we should be asking. And I think that plays a role in security. Where the current spate of solutions largely deal with prevention or intelligence.

So how do I prevent something from happening, someone from accessing, and the concepts around how to prevent that from happening from an intelligence perspective. So how to stop this group from doing this thing. Where what we’re dealing with in critical infrastructure includes a lot of what some term as ‘living off the land’ where you have threats that are already in. They’re already in the infrastructure. They’re already on the systems. In that case, more defensive measures isn’t more better. They are already there. So it’s a turn from security being thought of as how to secure my systems to security being thought of as how do I ensure my systems? So it’s a resilience matter.

There’s still absolutely the need for security in the traditional sense. You have to defend your systems. You have to keep up with the threat. You have to evolve those mechanisms, but also have to deal with where advanced adversaries will already be there. And you have to think about resilience. And so as somebody who’s developing capabilities, largely related to resilience, the education that’s happening is partly letting people understand that this is something that is happening today, right? Jen Easterly made a very forceful perspective on this just recently, and on your show, and joined with her peers in the community at Congress relaying this same strong message of, guess what? We’re there. They’re in the systems.

We have to think in those terms. And so I’m glad that happened. It definitely makes it easier for me to be able to steal their words to help educate further. But that’s probably the biggest piece.

Bryson Bort: What threats or what threat approaches, right? I mean, there’s a combination of how they’re gaining access and there’s really two aspects to that. The most common threat factor is actually through the IT environment, moving laterally, crossing over into the beachhead, which is the high level industrial control systems, and also direct access to industrial control systems.

And there’s kind of I think, two flavors of that. The most Hollywood is the vaunted military cyber weapon, like an Industroyer, Industroyer 2, seen and used by the Russians against Ukraine. But that’s actually not the most common threat profile either.

Rob Shaughnessy: No, I think that’s excellent. And when we think of it, we think of these buckets. We think of the supply chain, the actual number of manufacturers for components of our control systems is very small and not here in the U.S. And so the opportunity to introduce malicious capabilities exists early in the supply chain and is largely undetectable in an economic way. If you change the pins, if you interfere with chips, if you are at low level code in the components of the systems, it’s unlikely to be discovered. The cost and complexity of discovering it is too high. So we have significant concerns related to the supply chain. The second is where we focus on certain national infrastructures. It’s also what I like to think of as the yahoos that like to shoot up electric substations or mess with water supplies for any of an uncountable number of reasons that has the same effect. And there’s some very technical reasons where it’s possible to have a physical attack of that nature that then causes a cascading failure and is not largely detectable in that cascade through existing measures.

So there’s also the physical attack that has to be taken into account. And then the last is what you could think of as institutional hubris. Where an organization might say, I’ve spent 10 million dollars, which is a terrible metric to determine whether or not you’re secure. And we’ll point to, but I bought this thing and I plugged it in.

Okay, great. Right? You have the genuine threat and realistically a nation state threat to your point is not what you see in the movies. Like, there’s nobody sitting there in a command center that presses this special button that somehow injects this cyber exploit from space into a particular controller that then blacks out New York. Like, that’s, no. But the part of it that’s potentially real is the blackout of New York. But probably introduced in the supply chain, realistically. Or by an insider, right? Because that’s easy. The second thing that we really get to is that combo cyber physical attack, which is where you have a component A in place from a cyber perspective, and then introduce a physical attack or impact that leverages whatever has been implemented from a cyber perspective to full effect. Because there are some things where just the cyber component alone won’t cause havoc, but you could introduce an operational circumstance that is the perfect storm for that cyber component. So we do think about that, the combination factor.

Bryson Bort: So let’s talk specific threats though.

Rob Shaughnessy: Specifically, high impact, hopefully not as high probability as we might think, threats from China that are related to geopolitics.

Bryson Bort: Okay. Let’s pick on that. Why China?

Rob Shaughnessy: Assuming some level of vulnerability has already been exploited, there’s a concept in warfare to include economic warfare of proportionality. So in the event of, say, planes running into each other over the South China Sea, or China invading Taiwan, or the U.S. introducing some draconian new tax or measure against China, proportional attacks would include economic impact in the U.S. So if we were to introduce something that caused an economic impact to China, one of the things at their disposal for proportionate response would be to impact U.S. infrastructure to cause a proportionate economic impact. So it’s not just shooting, we’re not talking about shooting wars, we’re talking about where adversaries, to include economic adversaries, can have advantage. And so as we’re looking out over the next couple of years, few years, there’s a lot of frightening indicators that want us to plan for these events, knowing the capabilities of our tier one adversaries, China in particular, on the cyber front, but also specifically the cyber physical front. Remember, they’ve done a ton of development in cyber physical, everything from soft radio to within power grids, and have a keen understanding of our environment, and let’s not forget, have sourced most of the components. Why would anyone think that would not be leveraged for effect at some point?

And so top concern, for me, my personal opinion, this is not the opinion of a broader body. China and China’s ability to target our infrastructure to cause a proportional impact that might be economically driven as much as militarily driven.

Bryson Bort: So I want to illustrate what you just said there because when we look at a threat, there’s three components. Intent, capability, opportunity. Opportunity is the asset, the person that enables the attack sequence to happen. Capability is my ability and my tradecraft around doing that. And then intent, which you tied back to economic warfare.

Is there something unique that you think ties to Chinese capabilities that made you call out China? Is it intent? What made you offer them as our Trojan horse here?

Rob Shaughnessy: So I think of China multidimensionally. So China has a stated perspective on policy of the use of cyber capabilities to advance national objectives. So it goes back decades. China realized that it could not win by military industrial complex with military systems, particularly at that time. So they weren’t going to build more, bigger, better ships, submarines, planes at that time, but they could advance in cyber and they could advance larger, faster than we could in cyber. And so institutionalized the policy to do that. But also remember what I said about the U.S. being nearly unique in that there is utter isolation between industry and government. In China, there’s no separation between industry and government. And by law, Chinese citizens and Chinese companies must cooperate with the Chinese government.

And so from a policy perspective, there’s an existing policy to use all means available in support of their national agendas. They have a massive cyber force that has been focused for many years. They have remarkable control over a remarkable amount of the supply chain and a stated stance to use those mechanisms in support of their domestic and foreign policies. So China stands alone, realistically, in its capability, in stated intent, and in demonstrated opportunity to do all of this. At this point, it is only choice that is preventing it.

Bryson Bort: Is there anything more you want to add on the geopolitical and threat side?

Rob Shaughnessy: Some of what I hear a lot about or get communicated with a lot is honestly, Bryson, it’s probably not different than communication you’re getting. Russia and Ukraine continues to be hot. I don’t think I go, maybe 48 hours without hearing from somebody wanting something related to that. With Israel, again, I don’t think I go 48 hours without hearing from somebody about something related to that. But those are hot areas that are being contested largely outside of the U.S., where our engagement is substantially a proxy engagement. Where in the case of China, it’s direct. China is our economic and geopolitical adversary, and for many, a political adversary, and it is very mano a mano. With the others, it is either through proxy actions, or because of treaties or other involvements, but it’s limited in its direct application. And yes, Russia of course has done and continues to do many, many, many cyber things against the United States directly.

But from a ‘bang for the buck’ perspective and what’s on their mind right now, we’re still a thing for them, and maybe on top of their target list, but they don’t have the resources that they used to have and they certainly have resources that are nowhere near China’s resources in order to conduct this. So in the force rank of potential targeters to us and our infrastructure, China has to be on top.

Bryson Bort: So if you’ve listened to the podcast before and you claim to, then you are ready for the final two questions.

Rob Shaughnessy: Bring it!

Bryson Bort: If you could wave a magic, non Internet-connected wand, what’s one thing you would change?

Rob Shaughnessy: I would reduce defense spending by a large amount and put that funding towards community building.

Bryson Bort: What does that mean? You’re saying the government is going to take a lot of money and somehow pour it into community building. 

Rob Shaughnessy: So an example would be taking some large number of billions of dollars and apply a national effort towards a low cost, low impact desalinization of water. I would apply a substantive amount of funding towards micro investments in third world countries, and towards civilian infrastructure in some of the more forgotten communities of the world.

I think it is more cost effective and more impactful to create better circumstances for people than to try to deal with them after their life has been ruined. So that’s the non-technical, non-business wavy wand thing I would do.

Bryson Bort: That’s I think one of the more creative ones we’ve had.

Rob Shaughnessy: I believe it. In 30 years of causing mayhem for us, for the nation, for the world, I think preventing chaos is more effective.

Bryson Bort: You’ve now waved your magic wand. Let’s break out the crystal ball. One good and one bad thing that you think is going to happen in roughly the next five years. 

Rob Shaughnessy: I think the bad thing’s easy and it’s related to AI. I think AI is quickly becoming indistinguishable from real across multiple sectors. The news out of Hong Kong about a conference call with AI avatars that was realistic enough to cause fraud, I think is a clear wake up call. I think AI is going to be used for negative things in the same way that the Internet is for porn.

For a good thing, I think there’s going to be a reckoning at some point in our broader technology industry. I think some of the larger players have gotten so out of control that there’s going to be some normalization that happens, and I think that’s good for all. The negative that AI brings should hopefully bring with it a move away from certain social media and more human interaction.

Bryson, the easiest way to prevent being fooled by an AI is to actually talk to a human being in person. It’s very difficult to have an AI duplicate a person, in person.