In our ongoing Hall of Fame series, Industrial Cyber is proud to present Joe Marshall, a prominent cybersecurity researcher currently working at Cisco Talos, where he specializes in protecting critical infrastructure from power grids to grain co-ops across multiple continents. His extensive background in security technology coupled with his ability to manage complex cyber threats has established him as an expert in the field. Marshall’s approach includes a deep understanding of both the technical and human aspects of cybersecurity, enabling him to develop strategies that are technologically advanced and human-centered when considering the role of different stakeholders.
Over the years, Marshall has specialized in industrial control systems (ICS), critical infrastructure protection, and IoT device security. He has worked with public and private industry around the world to help secure critical ICS and IoT assets from threats both mundane and exotic. Through his efforts, Marshall is dedicated to safeguarding critical infrastructure and enhancing the broader understanding of cybersecurity’s importance in maintaining the integrity and effectiveness of these essential systems. His commitment and analytical prowess position him as a pivotal figure in the ongoing initiatives to shield national and economic security from cyber threats.
At Cisco Talos, Marshall frequently contributes to the Talos Blog, sharing his extensive knowledge and insights on current industrial cybersecurity trends and threats. His writings help educate and inform a broad audience about the importance of cybersecurity in protecting critical infrastructure environments, while his contributions underscore his commitment to enhancing cybersecurity awareness and practices around critical infrastructure.
What led Joe Marshall, who started his career in information technology as a systems administrator, to evolve into a senior security strategist for Talos’ Strategic Communications team, specifically focusing on industrial control systems? How did it all begin?
For many professionals, and certainly for me, the path to ICS security is not linear. I never set out to be involved in this awesome but niche security field. I was content to have a career in IT (Information Technology) – but life is not as accommodating as we would all like it to be. One day my local utility called me to interview – and would not take no for an answer. I would interview and accept the job, and the rest is history.
It was a drastic career shift – from DoD (Department of Defense) to private sector, but I was so grateful. I learned so much! Everything in my IT career immediately made sense as a security architect but would apply to how we secure critical infrastructure. The one thing that dawned on me is that everyone is a part of cyber security, *especially* systems administrators. They are the front lines of keeping networks operating, which means keeping them secure. I could not have predicted it, but little did I know this IT career was preparing me for the wide world of ICS!
Through some personal connections, I would later be offered a job at Cisco Talos, and it is an amazing ride. I am incredibly fortunate and privileged to be where I am. My team lets me talk, travel, and help others while helping spread the good word of what we do to help keep the world safe. I get exposed to such a wide variety of critical infrastructure verticals and get to learn so much.
If you had told me 15 years ago, I would be working for my local electric utility, I would have laughed at you. If you had told me 5 years ago, I would be helping the Ukrainians keep their lights on, I would not have believed you. Who can say what I will be doing in the next 5 years?!
Did you gravitate towards control device cybersecurity due to the unaddressed challenges you identified within the organizational framework? Are you satisfied with your focus on control device cybersecurity?
What drew me to device cyber security is taking the time to understand the technology and security of the devices utterly. You begin to peel back the layers – you dive past the marketing fluff, and the specification sheets, and get into the guts of what makes these devices tick. Honestly, it is not terribly encouraging with what you find usually. Then you start to draw a macro picture – not of individual device security, but the larger systems that rely on those devices to operate. With that understanding, you realize where the security maturity of industries and devices is, and it motivates you even more to help secure it. It is a game of continual improvement and understanding, a true journey not a destination as it relates to device cybersecurity.
Your vast experience has given you a greater appreciation for public utilities. What challenges have you faced in your career and how did you overcome them? How difficult has it been to get your message across to the industry and government stakeholders?
One of the earliest lessons I learned is speaking the language your audience understands. When you are in IT administration, rarely are you placed into a position of interfacing with business leaders. And when you are, often diving right into technical jargon is a good opportunity to lose buy-in and audience participation. But if you can take the time to study and learn the language of business – of risk – you will have an engaged listener and can work much easier with them. In the utility space, this is invaluable. Their job is keeping the power flowing and a safe working environment in an inherently dangerous business. When speaking with decision-makers, you must meet them where they are. With that kind of rapport, you can start to build cyber security into conversations and business operations.
The good news is that security is a receptive topic in the ICS space. The industry has really matured in its perspective on cyber security – and that is great! I think where the struggle in implementation is, especially in older legacy ICS. They are not easy problems to solve.
What is the present condition of Industrial Automation and Control Systems (IACS) integrated into critical infrastructures and industrial production facilities? What are the primary concerns impacting industrial cybersecurity and supply chain security sectors today?
I think IACS has come a long way in a short amount of time. A large part of this is due to the cyber security that customers are demanding – and businesses that want to compete are rethinking their products and how secure they are. The supply chain still worries me, however. As ICS networks integrate more with IT, there is some natural bleedover of tools and processes.
Attacks like the SolarWinds attack, which can reach into the entire strata of IT and OT, will be exceedingly difficult to defend against. This is just the natural organic convergence that businesses evolve to – and it’s ok! You must understand the risks and mitigations though.
What challenges do you anticipate industrial control systems face with the implementation of advanced analytics, machine learning, and artificial intelligence
JM: This is tricky. I suspect we already have quite a bit of AI/ML within industrial control systems – but small niche services are being provided to the larger industrial verticals. Think cloud data analytics, historian data analysis, etc., – things that can generate a tremendous amount of data, and AI/ML is all but mandatory to help draw business conclusions. Where things get unsure is how businesses self-implement their own internal AI – which requires infrastructure and expertise not often found in a niche industry. Time will tell.
How did your expertise come into play in Ukraine, where you spent time on the ground with defenders and infrastructure managers to help strengthen the security of the country’s power grid and agricultural supply chain?
I must give all credit to my prior days working for an electric utility. Power grids are power grids – and with some deviations, work the same. When I was fortunate enough to visit Ukraine, I understood their pain points, but also their growth and what they had achieved in difficult conditions. Truth be told – I spent most of my time just listening to them describe their operations, challenges, and shortfalls. I did my best to answer questions, and then just help them ask better questions.
My role was not there to lecture, advise, or admonish. It was just to be there to listen and learn and make sure they understood that we had their backs and would always be there to help them. This would pay untold dividends for them and for us.
Agriculture fascinates me. Here in the U.S., it is one-fifth of our economy. And all agriculture is globally tied together. It affects food prices, scarcity, and global unrest. I do not believe in cyber security you can focus your efforts on one global location. Cybercrime and attacks are international trade, and so you as a researcher must expand your visibility and awareness.
Here in the U.S., I’ve been fortunate enough to help agriculture business leaders understand threats, and mitigations, and then tie that into global agriculture stability, which includes Ukraine. Helping to protect agriculture both locally and globally is a true joy and a challenge.
Could you give our readers a first-hand experience of Russia’s invasion of Ukraine, during which Russian military forces launched kinetic and cyber attacks against critical infrastructure?
I can tell you that the cyber-attacks ramped up against Ukraine, especially against its critical infrastructure. Nothing was truly off the table from the adversary’s perspective. The good news is that they had modest cyber effectiveness on target. The Ukrainians are exceptionally good at cyber security and have had plenty of years of Russia attacking them to get even better. Cyber and kinetic attacks only have a small overlap of coordination. What is interesting is the oversized impact warfare is having in general on critical infrastructure.
Things that warfare utilizes, like GPS jamming, can have an oversized impact on civilian infrastructure absolutely relying upon its availability to have the basics of modern civilization. Ukraine will be a case study for many years to come on how resilient and rugged critical infrastructure needs to be to survive truly inhuman conditions of warfare and cyber conflict.
Would you like to share some details with our readers on the non-governmental organization NetHope, which helps other nonprofits embrace and adapt to new technologies? What are the challenges?
NetHope is an amazing organization that I am very proud to have worked with and continue to work with. So much humanitarian assistance and care rely on technology. The folks at NetHope doing an amazing job of helping enable other humanitarian assistance organizations to think about that technology and their cyber security. These humanitarian assistance organizations help the most vulnerable people on our planet. Their missions are amazing and have a tremendous impact. Working with NetHope has shown me the challenges we face in caring for others, and I’m so thankful for the opportunity to help them.
What aspects of the future of industrial cybersecurity are you most concerned about or excited by? In your view, what are the primary dangers and challenges facing the sector, and how prepared is the industry to address the evolving threat landscape?
I highly suspect IT to OT network and process convergence is going to ramp up even more. Convergence is often viewed as a dirty word within the industrial control system space. But I see it differently. Convergence is the merging of business imperatives with technology that enables the goals of the business. For some businesses that’s better regulatory compliance and safety or moving at more agile speeds to get products to market via manufacturing. Of course, these converged networks and processes find themselves more vulnerable to attackers that can disrupt operations that are incredibly sensitive to any kind of disruption.
An adversary may not need to know how to attack an operational technology network if sufficient attacks cripple that business by just impacting IT systems that happen to also reside with a converged OT network. That disruption may even be minimal, but when critical infrastructure is involved, you must proceed safely and slowly to ensure safety and continuity of operations. This can still cause disruptions. I worry about the smaller organizations that lack the security expertise and funding to protect themselves. Given supply chain fragility, this can still cause upstream damage to critical infrastructure.
Drawing from your extensive experience, what advice would you offer to a young professional entering the industrial cybersecurity field amidst increasing threats, attacks, and evolving government regulations?
The things I would recommend: Have a good attitude. Be easy to work with. Be kind. Focus on soft skills that let you work within any strata of a business. On the technical side, be a forever student.
Stay hungry. Find opportunities to reinforce and practice your security fundamentals. When you examine a technical issue and are looking for solutions, go as many layers as possible deep and then try to go even deeper to find a solution. You never know when this technical knowledge will pay dividends down the road for other solutions. Always remember people are relying on you for that expertise. And sometimes the stakes could be life and death.
Outside of industrial cybersecurity, how do you unwind and relax in your free time?
.
I’m a hyper nerd! I love video games, board games, and role-playing games. I play the banjo to relax, often even between meetings to help focus my thoughts. I also spend a lot of time hosting friends and having grand meals. True happiness is great friends around your dinner table with tasty food.
This post was originally published on the 3rd party site mentioned in the title of this this site