In our latest podcast: industrial security expert Joe Weiss talks to us about Triton, a new malware family targeting industrial safety systems. Also: Dave Aitel of the firm Immunity Inc. joins us again to talk about new legislation banning government agencies from using anti-malware software by Kaspersky Lab. And, Alan Naumann* of the firm Contrast Security talks to us about the major insurance firm that joined the latest round of investment in his company, and why application security is everybody’s problem.
In our latest podcast: the security firms FireEye and Dragos Security warned last week that a new family of malware dubbed Triton was targeting industrial control safety systems with an eye to causing physical damage to the facilities. We talk with industrial security expert Joe Weiss, who says this isn’t the first time such systems
Hello and welcome to The Security Ledger podcast.
Also, the Russian anti-malware firm Kaspersky was in the news last week, with a Washington Post story about close cooperation between the company and the Russian FSB intelligence service. We invited Dave Aitel of the firm Immunity Inc. back in to talk about the company’s travails and whether the Internet security industry is at risk of being balkanized.
And finally: when application security start-up Contrast security announced a new round of funding recently, there was an unusual name on the list of the company’s new backers: French Insurance Giant AXA. In this week’s podcast, we talk with Contrast President and CEO Alan Naumann about what is behind that investment and how application security is turning into everyone’s problem.
Part 1: Industrial Safety Systems Targeted in Cyberattack
Two firms last week disclosed a sophisticated cyberattack against an industrial facility in the Middle East, reportedly in Saudi Arabia. The attack used a custom malware platform, variously called TRITON (FireEye) and TRISIS (Dragos), that was designed specifically to target the Triconex Safety Instrumented System (SIS) controllers manufactured by the firm Schneider Electric. Experts hailed it as the first ever attack on an industrial control safety system.
But our first guest this week, Joe Weiss of Applied Control Solutions, takes issue with that claim. Stuxnet, the world’s first known cyber weapon, also tampered with safety systems operated by Iran at that country’s Natanz enrichment facility. Weiss argues that industrial and critical infrastructure firms around the world are vulnerable to similar attacks because they have failed to separate safety systems from control systems, opening a door for hackers to cause physical damage.
Part 2: Uncle Sam Cans Kaspersky
The Washington Post’s Ellen Nakashima last week reported on leaked court documents that suggest that FSB agents worked alongside Moscow-based Kaspersky Lab employees in that company’s headquarters to gain access to computers controlled by the cyber criminal group, dubbed Lurk, and to obtain copies of documents and data stored on those computers.
The report came a day after US President Donald Trump signed bipartisan legislation that bans the use of software made by Kaspersky Lab within the US government. In our second segment, I invited back Dave Aitel, the CEO of Immunity Inc., to discuss both the Post report and the new ban on Kaspersky. He said that, while he is skeptical of Kaspersky’s claims that it did not collude with the FSB on offensive cyber operations, the US government’s pursuit of sanctions on Kaspersky could have consequences that reach far beyond one small Russian firm and could Balkanize the software industry.
Part 3: Application Security is Everyone’s Problem Now
What is a global insurance firm doing investing in a small Silicon Valley start-up that helps companies secure software applications? That’s the question we had after reading about Contrast Security’s latest funding round, which saw French insurance giant AXA’s investment arm sidling up next to Microsoft to help fund the company’s growth. In our final segment this week, we spoke with Contrast President and CEO Alan Naumann about why incidents like the Equifax breach have put the arcane topic of web application security on the radar for many firms. Alan started by talking about how changes in the way applications are developed and deployed are changing the practice of application security.
Check our full conversation in our latest Security Ledger podcast at Blubrry. As always, you can also listen to it on iTunes and check us out on SoundCloud. And, if you like our intro music, give some love to the group JoeLess Shoe, who recorded “Baxton,” the song we use in just about every podcast.
(*) Correction: an earlier version of this story featured an incorrect spelling of Contrast Security CEO Alan Naumann’s last name. The story has been corrected. PFR 12.19.2017