SynSaber Saber sensor
Blog

What SynSaber 1.0 Means to Me

Ron Fabela, SynSaber CTO & Co-founder
Ron Fabela
Co-founder

SynSaber 1.0 is a culmination of years of experience out in the field. Not just an incredible and fresh look at the OT visibility problem, but one born from seeing firsthand the critical infrastructure deployed worldwide and the cybersecurity challenges we all face.

So pull up a chair, grab your favorite brew ☕🍺 and as our CEO Jori says, “regale me with thoughts of Ron.”

Operators Are the Key

Ask any seasoned ICS cybersecurity person out there what’s the most important source of information regarding industrial cyber and risk, and they’ll say it’s the Operator. Efforts to close the IT / OT divide are often those of discussion, mission, and 🍩 donuts. It’s never been enough to say things must happen with security because of INSERT REASON. Applicability of real-world impacts of safety and reliability were always considered when assessing true risk in the industrial space.

Questions like, “What does a bad day at the plant look like” are common and welcome as they get to the heart of the potential impact in relation to security risks. What if, instead of constantly asking what bad days looked like, operators had a way to interface with the security telemetry collected by OT security?

What if instead of hearing all of us talk about “Well, if someone remotes into an HMI, then that HMI sends a command to a controller, which results in an operational failure condition” the operational knowledge could be codified into a collection/analytics platform by the operators themselves?

⚔️ SynSaber 1.0 Means: Operator-Based Intelligence is the Future. No One Else Knows Better Than They Do

Operations Happen at the Edge

For years, myself and the OT security community focused on attack paths and choke points. These were the logical starting points for monitoring, risk reduction, assessments, and other security control implementations. But it was just the beginning… a reactionary push once everyone accepted these enclaves were converged and modernized. We were no longer trying to convince the community of the reality of the risk, but how to best address it.

Enter the concept of the “Crown Jewels” — The idea that there could only be so much accomplished reducing cyber risk in OT due to resources, budgets, and other constraints. I used to call it “Angling the Deflector Shields” and now see it’s only the first step in a longer journey.

Ask any operator what their “Crown Jewels” are in the operating environment, and they might very well say “everything”. There are no useless substations, units, manufacturing lines, or wellheads in ICS, and while some have more impact than others when disrupted, all are important.

As we are focused on OT visibility and monitoring, of course, the next thing to say is “monitoring everything.” In principle, I agree with this but always with an eye on implementation. Since most industrial traffic is “east to west” or horizontal, it doesn’t make much sense to only monitor vertical or “north and south” networks. 

Operations happen at the edge, and without that data, no system can properly identify assets, discover vulnerabilities, detect threats, and provide the key insights necessary to protect ICS. Don’t let “Crown Jewels” thinking mask the scalability and cost-effectiveness challenge of monitoring at the edge.

Monitoring at the edge provides a wealth of knowledge; we just need technology purpose-built for the edge.

⚔️ SynSaber 1.0 Means: Visibility at the Industrial Edge, Because Technology or Cost Shouldn’t Prevent Full Coverage

Empowering Heroes

Legend of Zelda old man in the cave handing out swords
Image source: Hylian pi & Zelda Wiki

Our mission at SynSaber is not to be Link, but rather the guy in the cave who is handing out swords. Technology needs to be wielded, not Swords as a Service, or swords that only work when professional fencers handle them.

By empowering frontline security and industrial operators with visibility tools they can use, the community can overcome numerous other challenges. An example that once inspired me as a young pentester was the “Pwnie Express.”

Pwnie Express was the commercial version of what the community often called a “dropbox,” it was a small prebuilt set of scanning and exploitation tools built into a portable and accessible package. There were even versions hidden in surge protectors! It was an amazing time. (I have a heart for putting small computing platforms into cases/form factors that surprise).

The idea was to empower the field operators (internal security teams, consultants/advisors, etc.) with a unified set of tools, a repeatable process, and built to fit on anywhere and anything. But this toolset was really for the attacker. What about the defender? Where was the blue team version of the Pwnie Express?

SynSaber Saber sensor

Monitoring at the edge meant our focus was on an ultra-small, software-first, automated collection and analysis platform that could empower security at scale. But it’s not limited to just permanent installations of Sabers out in the field. A virtual machine on an old laptop or a DIN-rail industrialized device can easily serve the security/industrial operator in all their cyber or compliance needs. Oh, and the Sabers can ingest packet capture files directly, no tedious replay necessary.

⚔️ SynSaber 1.0 Means: Scalable and Flexible Technology, Deployed Anywhere on Anything so Our Heroes Can Defend Effectively

There’s a lot more that SynSaber can do, and more innovation to come. These are just a few of the things that SynSaber 1.0 means to me. We are Empowering a Revolution in Industrial Visibility, and the journey has just started! 

~Ron 💜🚀