
CTO, SynSaber
SynSaber 1.0 is a culmination of years of experience out in the field. Not just an incredible and fresh look at the OT visibility problem, but one born from seeing firsthand the critical infrastructure deployed worldwide and the cybersecurity challenges we all face.
So pull up a chair, grab your favorite brew 🍺 and as our CEO Jori says, “regale me with thoughts of Ron.”
Operators Are the Key
Ask any seasoned ICS cybersecurity person out there what’s the most important source of information regarding industrial cyber and risk, and they’ll say it’s the Operator. Efforts to close the IT / OT divide are often those of discussion, mission, and 🍩 donuts. It’s never been enough to say things must happen with security because of INSERT REASON. Applicability of real-world impacts of safety and reliability were always considered when assessing true risk in the industrial space.
Questions like, “What does a bad day at the plant look like” are common and welcome as they get to the heart of the potential impact in relation to security risks. What if, instead of constantly asking what bad days looked like, operators had a way to interface with the security telemetry collected by OT security?
What if instead of hearing all of us talk about “Well, if someone remotes into an HMI, then that HMI sends a command to a controller, which results in an operational failure condition” the operational knowledge could be codified into a collection/analytics platform by the operators themselves?
SynSaber 1.0 Means: Operator-Based Intelligence is the Future. No One Else Knows Better Than They Do
Operations Happen at the Edge
For years, myself and the OT security community focused on attack paths and choke points. These were the logical starting points for monitoring, risk reduction, assessments, and other security control implementations. But it was just the beginning… a reactionary push once everyone accepted these enclaves were converged and modernized. We were no longer trying to convince the community of the reality of the risk, but how to best address it.
Enter the concept of the “Crown Jewels” – The idea that there could only be so much accomplished reducing cyber risk in OT due to resources, budgets, and other constraints. I used to call it “Angling the Deflector Shields” and now see it’s only the first step in a longer journey.

Ask any operator what their “Crown Jewels” are in the operating environment, and they might very well say “everything”. There are no useless substations, units, manufacturing lines, or wellheads in ICS, and while some have more impact than others when disrupted, all are important.
As we are focused on OT visibility and monitoring, of course, the next thing to say is “monitoring everything.” In principle, I agree with this but always with an eye on implementation. Since most industrial traffic is “east to west” or horizontal, it doesn’t make much sense to only monitor vertical or “north and south” networks.
Operations happen at the edge, and without that data, no system can properly identify assets, discover vulnerabilities, detect threats, and provide the key insights necessary to protect ICS. Don’t let “Crown Jewels” thinking mask the scalability and cost-effectiveness challenge of monitoring at the edge.
Monitoring at the edge provides a wealth of knowledge; we just need technology purpose-built for the edge.
SynSaber 1.0 Means: Visibility at the Industrial Edge, Because Technology or Cost Shouldn’t Prevent 100% Coverage
Empowering Heroes

Our mission at SynSaber is not to be Link, but rather the guy in the cave who is handing out swords. Technology needs to be wielded, not Swords as a Service, or swords that only work when professional fencers handle them.
By empowering frontline security and industrial operators with visibility tools they can use, the community can overcome numerous other challenges. An example that once inspired me as a young pentester was the “Pwnie Express.”
Pwnie Express was the commercial version of what the community often called a “dropbox”: a small prebuilt set of scanning and exploitation tools built into a portable and accessible package. There were even versions hidden in surge protectors! It was an amazing time. (I have a heart for putting small computing platforms into cases/form factors that surprise).
The idea was to empower the field operators (internal security teams, consultants/advisors, etc.) with a unified set of tools, a repeatable process, and built to fit on anywhere and anything. But this toolset was really for the attacker. What about the defender? Where was the blue team version of the Pwnie Express?

Monitoring at the edge meant our focus was on an ultra-small, software-first, automated collection and analysis platform that could empower security at scale. But it’s not limited to just permanent installations of Sabers out in the field. A virtual machine on an old laptop or a DIN-rail industrialized device can easily serve the security/industrial operator in all their cyber or compliance needs. Oh, and the Sabers can ingest packet capture files directly, no tedious replay necessary.
SynSaber 1.0 Means: Scalable and Flexible Technology, Deployed Anywhere on Anything so Our Heroes Can Defend Effectively
There’s a lot more that SynSaber can do, and more innovation to come. These are just a few of the things that SynSaber 1.0 means to me. We are Empowering a Revolution in Industrial Visibility, and the journey has just started!
~Ron