There is positive momentum in the field of industrial cyber security and an exciting aspect of it is the energy that a new generation of ICS security expert / entrepreneur is bringing to the field. An example of this generation is Andrea Carcano, the co-founder and Chief Product Officer of Nozomi Networks.
You have likely never heard of Andrea Carcano but it is worthwhile getting to know him because of his academic research and because the industrial security solution he pioneered is making protecting critical infrastructure a lot easier.
I interviewed Andrea about how his research and development efforts are making a difference not just in ICS security but also in improving reliability through better operational monitoring.
HM: You have completed both your Masters and Ph.D. degrees in industrial cyber security. Why did you choose this area of study?
AC: Since my teenager days I have been interested in figuring out how computer systems work and how to defend them. In high school, I used to have fun doing things like causing documents to print out on my friends’ home printers, for example. That fascination led me to doing my undergraduate degree in computer science.
After I completed my Bachelor’s degree I applied for and won a European scholarship in industrial security. My project was focused on how to build malware and viruses tailored for Industrial control systems. My thesis was called “Critical Infrastructure: protocols, threats, vulnerabilities, attacks and countermeasures.” As part of this work I developed malware specifically designed to take advantage of the lack of security in some SCADA protocols. I also analyzed the consequences of my ICS-focused attacks.
Thanks to the encouragement of Prof. Igor Nai Fovino, an excellent mentor and motivator, I went on to do my Ph.D in the field of critical infrastructure security. My research in this area concerned the development of software that detects intrusions in SCADA systems, particularly by taking advantage of weaknesses in the Modbus and DNP protocols.
When Stuxnet was revealed in 2010 it was fascinating for me to see that the idea behind Stuxnet was like the SCADA malware PoC (Proof of Concept) I had developed. I was also able to test my defensive system against Stuxnet and was pleased to see that the software I developed during my Ph.D. could detect and alert based on the changes on PLCs caused by Stuxnet. In essence my software was able to detect zero day attacks. (HM: A list of Andrea’s published papers is available at the end of this article.)
HM: Near the end of your Ph.D. degree you started working in the Security Operations Center (S.O.C.) of Eni, an oil and gas producer with facilities in 72 countries. How did that experience shape your approach to ICS security?
AC: Working at Eni was a great experience because it introduced me to the needs and language of both the IT side of an organization and the Operations Technology (OT) side. I also experienced first-hand the tension between the two groups. I was part of the IT team, but my role took me for weeks at a time to production sites, such as remote facilities in Tunisia and oil rigs in the ocean.
I learned how to build relationships with industrial engineers in the field who were initially skeptical about IT people. I also had the realization that the software I developed during my Ph.D. would be useful in solving the day-to-day issues that we had as a cyber security team. I could see how some cyber security analysis and tasks could be automated, simplifying the challenges faced by industrial engineers.
HM: Is that what led you to decide to start Nozomi Networks?
AC: Yes. Eni is not a software development company, so it was not possible for me to develop the solution I envisioned internally. I left Eni and founded Nozomi Networks with the person I most respected as a programmer and technologist, Moreno Carullo.
Since starting the company in 2013 we have gone on to develop and implement the Nozomi Networks’ solution at several very large organizations, including Enel, a multi-national power company. Our technology was initially deployed at an Enel Regional Control Center (RCC), one of many such centers that monitor the 500 power generation plants in Italy. It was then rolled out to all the RCCs with our Central Management Console implemented at the company’s central control room.
It was exciting to participate in the roll-out, but even better was seeing how the extensive operational insight our products provide helped Enel improve the reliability, efficiency and cyber security of the Italian power generation system.
HM: As Nozomi Networks expands into the North American markets what do you want industrial operators and critical infrastructure providers to know about ICS security solutions?
AC: The first thing I want them to know is that there is a whole new class of software application that can provide tremendous help. Nozomi Networks’ products are examples. They use advances in computer science, such as machine learning and artificial intelligence, to build an internal representation of an industrial network and its physical process. Then they deploy behavioral analytics and continuous monitoring to detect changes to individual baseline profiles.
The outcome of using such a powerful toolset is that it does the hard work of knowing and monitoring the ICS and provides the real-time visibility and detection needed to ensure cyber resilience.
The second thing I want them to know is that Guardian provides a lot of value, not just in cyber security, but also in operational visibility. For example, on the cyber security side it can detect complex or zero day attacks with no fixed pattern or signature, and on the operations’ side it detects things like communication failures and configuration changes. To truly ensure reliability, cyber security and real-time operational monitoring go hand-in-hand.
HM: Thanks Andrea and good luck!