“A majority of the water utilities that we're targeting are small systems. They have limited resources and technical capabilities…so often, people talk about how they are interested in learning about cyber because they know it's important, but they don't really know where to start. That’s where [we] plug in.” - Lessie Skiba
Lessie Skiba, Deputy Managing Director at the Cyber Readiness Institute, joins host Bryson Bort to discuss the CRI’s new program connecting small- and medium-sized water utilities with cyber coaches to strengthen their resilience.
What if the most effective cybersecurity solution isn't a new piece of technology, but a human connection? How can we empower small businesses to tackle cyber threats, even with limited resources? And if Lessie could wave a magic, air-gapped wand, what is one fundamental change she would make to our digital landscape?
Join us for this and more on this episode of Hack the Plan[e]t.
The views and opinions expressed in this podcast represent those of the speaker, and do not necessarily represent the views and opinions of their employers.
Hack the Plant is brought to you by ICS Village and the Institute for Security and Technology.
Bryson: What mistakes in life brought you here to this moment?
Lessie: Ooh, that's a loaded one. So I'd say probably the biggest mistake was not getting an internship in college, because I decided that performing in the circus was more fun. So when I first moved to DC I had no real job lined up, but I had a very specific skill, which was a trapeze instructor. So I started working at the school in Navy Yard that is now Capital City Circus. Then through there, I just built out my network and landed in the cybersecurity space.
Bryson: All right, so I did not know the circus background. We can chalk that up to sort of the carney mistakes of a misread youth. Is that why you feel such a kinship to me being in Florida now?
Lessie: Probably, yeah. I mean, got lots of threads down there for that as well.
Bryson: So what you don't know returning this is I used to be an amateur clown.
Lessie: Oh, did you really?
Bryson: Yes, I was trained in juggling.
Lessie: I'm not surprised at all.
Bryson: I used to volunteer at the hospital with sick kids to cheer them up.
Lessie: Oh, that's so sweet.
Bryson: So how did you go from your clowning around into cybersecurity? Because I don't think a whole lot has changed.
Lessie: Not a whole lot has changed, still managing monkeys, and it is my circus now. So I got from the clowning around into cybersecurity through a venture capital firm that invested in early stage cybersecurity startups.
So I saw a lot of emerging technologies. I really fell in love with the space. From there, I was like, I've gotta just take a deep dive into this. So then I ended up shifting to work for a managed threat intel company called NSOs. And from there I ended up moving overseas and decided to slightly pivot and take advantage of living abroad and work for a nonprofit that had a global mission of securing global supply chains.
Bryson: Can you tell us more about that nonprofit?
Lessie: Now, I work for the Cyber Readiness Institute, and it is a nonprofit that was founded in 2017 when there was a public-private commission that was meant to address cybersecurity gaps within the United States. And one of those gaps that was identified was the lack of resources for small and medium sized businesses.
So the Cyber Readiness Institute, some of those large industry partners that were part of that commission, decided to form the Cyber Readiness Institute to address that gap. So we have been around for, I guess it's coming up on seven years? My math might be bad.
Bryson: Eight?
Lessie: Eight years. Oh boy. Right around there.
Then it must be longer than eight years that we've known each other, Bryson. And someone noticed that I was moving overseas, and they knew that the nonprofit was looking for a representative to really expand their global impact. So they reached out to me, asked if I would be interested in joining. I said absolutely.
So I started running different trainings overseas, as well as just establishing relationships with organizations like the ICC and with different international chambers of commerce, and then other local chambers of commerce as well in different countries, as well as working with the US Department of Commerce and their Commercial Law Development Program that works specifically with developing countries to facilitate global trade.
And they would bring the Cyber Readiness Institute in to work with those developing governments on their fundamental cybersecurity policies.
Bryson: Okay, so it was through your State Department work and that collaboration with the Cyber Readiness Institute. That's how you're exposed, and you then saw CRI doing its good works and you're like, okay, I wanna be a part of that.
Lessie: The Cyber Readiness Institute had not necessarily been connected with CLDP before. There was not a whole lot of global presence before I was on board.
Bryson: Okay. So they added you to bring that global presence in?
Lessie: Correct.
Bryson: Okay. I misunderstood. And so now what are we doing?
Lessie: So now I have since shifted my role from being the global director of outreach and partner engagement, to the deputy managing director at the Cyber Readiness Institute. Which means I not only still handle a lot of the international efforts, I also get to work with our domestic efforts.
At the moment, we have an initiative to secure critical infrastructure within the United States, and we are partnering with Microsoft and the FDD, the Federal Defense of Democracies, the Center for Cybersecurity Technology and Innovation to secure water utilities within the United States.
Bryson: Does that connect with what the Franklin Project is doing on water utilities, or is it separate?
Lessie: So we have heard of the Franklin project, but we have not directly partnered with them.
Bryson: So separate thing. All right, so what is your mandate? What are you trying to do? How are you doing it? What are the timeframes we're talking about?
Lessie: We completed our phase one, which was to get 50 small utilities through our online self-paced program and pair them with a cyber readiness coach, to walk them through the program and implement a playbook that focuses on the fundamentals of cybersecurity. So passwords, software updates, phishing, secure storage and file transfer, as well as creating an incident response plan.
And right now we are in phase two of the pilot program, and our goal is to have 150 utilities go through the cyber readiness program. And right now we are sitting at about 155 total, including phase one, that was 50. So we still have a few more utilities to get through, but we are making progress.
Bryson: If you are a small water utility and you are listening to this podcast, Lessie, how do they contact you and get help?
Lessie: So you can go to our website, cyberreadinessinstitute.org, and search for our water resiliency pilot. And there's a way that you can sign up for the program through that. And if you are a small water utility and you sign up through that, we will give you two different options to go through with a coach or without a coach.
The coach is totally free to you, as Microsoft has sponsored this coaching program. So you're able to sign up and we'll pair you with a coach and then you're off to the races. For any small businesses out there that are not water utilities, you can also go to cyberreadinessinstitute.org. Don't search for water utilities resiliency, and you can just sign up for our program there and it is totally free.
Bryson: So let's talk about what the program is. I know that you have on demand training, which is progressive in a curriculum that then leads to a certificate. The graduation with that certificate is then what pairs them with the cyber readiness coach?
Lessie: Correct. So there's a couple of different ways that people can request a coach if they are working with an organization that already provides the coach.
They'll have a coach from the start of them working through that online, self-paced on demand training through implementing their playbook that is hosted within that training, and then work through the implementation of that within their organization as well. The other option that people have is to just go through the on-demand training on their own, and then if they're interested in getting their playbook checked or verified by the Cyber Readiness Institute, they can reach out to us through info@cyberreadinessinstitute.org, and request either a review of their playbook and a certification or just a review of their playbook.
Bryson: So what does the training consist of? What do they learn?
Lessie: So within the training, it's focused on core four issues, and these issues were identified by the Cyber Readiness Institute as four issues that can really make a huge impact on an organization without focusing heavily on technology. So we're focusing on the people aspect, which covers a significant portion of the cyber attacks that we face. You can have all the technology in the world, but at the end of the day, if you're still having someone click on a link, or send a password to someone that is not within your organization, you have a problem.
So we focus on that human behavior piece, and the core four issues, again, are passwords. So we talk about having strong passwords or passphrases, implementing multifactor authentication. The second core four issue is software updates. So as you know, a lot of the ransomware out there targets vulnerabilities in software that has not been patched. So we want people to be mindful of that and either enable automatic updates, or keep track closely of when patches become available for software. And when it comes to critical infrastructure, we know that there are some legacy systems. So having some way to combat and just be aware of some of the issues that might be faced if software is not patched.
And the third core four issue is phishing. So we require phishing training, so not just a once-a-year phishing training. We require quarterly phishing training and encourage monthly phishing communication. Because as you know, things change pretty quickly. Different types of phishing attacks target different industries. So we encourage any company that's going through our program to find out what types of phishing attacks are targeting their industries specifically.
Then the fourth one is secure storage and file transfer, so best practices around how to use USBs safely. Ideally, you don't use USBs, but in a lot of industries that's a requirement and in a lot of countries, that's just the easiest way to get data transferred from point A to point B, and then how to select a secure cloud provider as well.
And outside of that, so those are the core four issues. That's a majority of the program. And we also walk an organization through how to create an incident response plan or a business continuity plan. So we talk through how to identify the most critical portions of their organization. So what's gonna cause the most damage if it's compromised, right?
Because you can't protect everything equally. So once we've had them identify that, then we move into what do you do if something is compromised? Who are you going to report it to? Do you have your legal contact? Do you have your internet service provider like, their phone number, their email? Who are you contacting in the event of an incident?
Because so many small and medium sized businesses don't even think about this. I know that I was at an event the other day sitting through a talk and it was someone talking about working with a company, trying to consult with them on some more advanced issues, but then they realized that there were still passwords sticky-noted up on their computer. And so they realized that they just needed to take a big step back, and focus on those fundamentals before even thinking about adding additional technology.
And that's really where the Cyber Readiness Institute can be helpful for a lot of our organizations.
Bryson: The summary that I'm hearing is an easy to digest package that really is almost what we would also educate a small and medium, more of a small business on, which is a lot of what these water utilities are down at the local and the municipal level.
And then key hygiene requirements for information technology, which does matter from an industrial control system perspective, because the most common access method is still IT into OT for the attacks that we see, and certainly this is some of the work that Josh Corman and I have been doing out of the Institute for Security and Technology, is recognizing that water is a fundamental foundation of critical infrastructure.
One of the challenges with the 16 sectors that we've had – I had Kelly Moan on the podcast, she's the CISO for New York City, a couple of years ago, talking about how they have a different perspective on what's critical infrastructure at the city level. Because the cities and states don't necessarily, the federal way to look at it doesn't make sense.
But since we have 16 of these at the federal level, it turns out that they're not all equal, and water is what underpins many of the other critical infrastructure sectors. If you think about it, I can get by with alternatives to electricity for a period of time, but with water, I mean, that's how I cool. That's how things move. Like there, there is no alternative to that. You can't suddenly go to an air cooled solution, right, in your infrastructure. And we had Andy Krapf, who runs the Loudoun Water utility, give a talk on that at Critical Effect recently.
So phase one, you've done this with 50 utilities. What are some of the lessons learned from those 50 utilities and is there a particular case study that we can highlight in depth out of that phase?
Lessie: So we do have some results from the phase one of the pilot. And some of the high level takeaways that we have is that a majority – and Bryson, you just mentioned this – a majority of the water utilities that we're targeting are small systems. They have limited resources and technical capabilities.
In general, they are doing this in their day-to-day job, so they have to think about more things and on top of what they're already having to do, and thinking about cyber is really the last thing they want to do. So, so often people talk about how they are interested in learning about cyber because they know it's important, but they don't really know where to start. And that's kind of where CRI plugs in.
And as it relates to water utilities specifically, we've found that we don't need to dive into water utilities resources as a whole, just starting at a high level with those fundamentals is helpful.
So we do also have a case study from this first pilot and it was with the East Rio Hondo Water Supply Corporation. And they are a rural Texas water utility that went through the program. And in general, they knew that cybersecurity was an issue, and they knew that cyber threats could affect their SCADA systems, and they knew that they had to have some awareness within their organization. But they really didn't know where to start.
And there's quotes throughout this entire case study, and one of the quotes was, I am not a cyber expert by any means, but the booklet was easy to understand and the support from my CRI certified cyber coach made a huge difference. So creating this cyber aware culture is really what we're looking for, and the entire cyber readiness program focuses on empowering that cyber leader. So making sure that person that's going through the cyber readiness program understands those fundamentals, and then understands how to educate their employee base.
Bryson: So who are these coaches? How do we find these coaches? How do these coaches get trained or are they based on their industry experience? And then what are the expectations for the water utilities with these coaches?
Lessie: So throughout the Cyber Readiness Institute's existence, we've played around with having our online self-paced program, and then finding ways to convince people to complete this online self-paced program. We found over a number of different pilots with some of our member companies – Apple, Microsoft, our former General Motors and ExxonMobil – that having a person to hold a company accountable really makes a huge difference.
So with one of the pilots we ran, we had a 90% completion rate with companies that went through with a coach, versus a 30% completion rate with companies that went through without a coach.

So your question as to how do we find these coaches – so we do take volunteers for coaches and the Cyber Readiness Institute has a whole training process that we put coaches through. So there is an initial coach training call. We do require them to go through our program, of course, and understand all of our materials in depth. Then we go through multiple role play calls where a coach needs to understand how to answer questions, but without getting too technical, and really be able to understand what a small business or a medium sized business is going through. Right?

So we sometimes do have industry-specific coaches, but we've also found that at the fundamental level, it's more so we're looking for coaches that are able to connect with people and understand the conversation and human behavior side rather than yes, they need to understand cybersecurity at a high level, but just understand that people are trying to build out their understanding of cybersecurity with you. So again, we've experimented with different types of coaches, but we do have a signup for coaches on our website as well. So feel free to check that out.
Bryson: Okay, so folks can volunteer and get involved with helping to coach. Are you looking for volunteers for any other part of your effort?
Lessie: The volunteer piece with coaching is really where we would be looking for help. Not just with the water utilities, but with other companies that we have going through.
We do have people that have just found our website, which is great because we work with a number of local US Chambers of Commerce, both within the US and outside of the US. And that's really where we end up driving a lot of our users, and then we partner with a number of different organizations as well. As it relates to water, specifically, Water ISAC, AWWA, and the NRWA are all partnered with CRI on this effort as well.
Bryson: Phase two, your goal is 150, you have the 50 from the prior, and we're adding some more. And I know that you're still short on the goal there, but what's the timeframe we're looking at? Are there additional things that we're gonna be adding to this, or is it just now flexing the scale of the program with CRI?
Lessie: We are definitely going to be adding more resources that are related specifically to water utilities. We are actually in the process of adding a water-specific addendum to our playbook guide, so that's going to give water utilities a slightly different perspective on what we currently have. Specifically around, like those passwords, software updates. Like, why should a water utility be focused on those?
So that's what we're going to be adding as well as some additional just industry partners. So with AWWA, they have a significant cybersecurity packet that they offer to their members. Dragos also has a free critical infrastructure specific portal, and so we have gone through and identified some water utility specific resources that anybody going through the program would have access to after. And then the NRWA also has some specific resources that we're promoting.
Bryson: Lessie, what are you doing with the White House? I've heard you're doing awesome things with them.
Lessie: So right now we are currently in talks with the ONCD office at the White House, and we are exploring different ways that we can promote both the Cyber Readiness Institute program with water utilities, but also looking at other critical infrastructures as well, such as rural hospitals and other smaller communities with less resources. So we will hopefully be having some more updates as far as outreach with the ONCD office in the near future. One other office that we're working with right now is the Maryland State Comptroller's Office. And we are working with Brooke Lierman on promoting the Cyber Readiness Institute program throughout Maryland to get small and medium sized businesses signed up, to ideally have Maryland be a more secure state as a whole. And Brooke Lierman has done a video for us that is posted on our website as well.
Bryson: If you could wave a magic air gapped wand, what is one thing you would change?
Lessie: I would probably change, and this is gonna sound really cliche, but make multifactor authentication a default on everything.
I know it's a pain, but that would make things so much better for so many different people. Because so often people don't know to go in and add MFA, or enable MFA, and if it was just a default, that would make so many people's lives, maybe a little bit more tricky. But in the grand scheme of things, make things more secure.
Bryson: Okay, so you want the default of making it a little bit harder to breach me?
Lessie: Yes.
Bryson: You've waved your magic wand. Now you're going to look into your crystal ball, which looks suspiciously like a human machine interface. What is one good and one bad thing that you think is going to happen?
Lessie: I think that one good change that will happen in the future is that we'll move from awareness to implementation and engagement. Because people already know there's a problem, but like, we've gotta actually do something about the problem at this point. So I think that's one good thing that's gonna happen. And then one bad thing, it's too little too late, and that's sad.
Bryson: So what do you mean by the ‘too little, too late’?
Lessie: So, too little, too late.
We're already seeing attacks on small- and medium-sized businesses that are affecting global supply chains. We have seen this time and time again, and on critical infrastructure, water utilities we've had a lot of issues over the past couple of years. I could go into the details, but I think pretty much everyone that has been listening to your podcast knows those.
But I would say we're just gonna keep seeing things like that. But at some point, as some of the responsibility has shifted back towards the states and local governments, there will be some gaps, I think, and that may cause issues, but it might also be a real opportunity for organizations like CRI, and other cybersecurity companies to help fill that gap.
Bryson: I think your good thing is we're gonna move from awareness to action. That has been, I believe, the frustration of a number of practitioners, and was very much a theme of Critical Effect that we had this year. With one, considering it a conference, not of talking, but of action, how would we actually bring the things from this? Which is why I was excited that we debuted the Shark Tank policy approach with that, so that there are policy actions that come out of that.
And I hope you're right. It'd be good to see it. And the way I tried to frame it at the conference is, it can be difficult when we look at the long term of where we need to go and what we need. And not feel that we've made the progress that we have made, 'cause we have made progress towards that. My fingers are crossed that your prediction comes true.
Lessie: I hope so. And Critical Effect was a really fantastic conference. I thought the topics were great, the speakers were good, and it was very clearly a conference about action and not just talking. And it's just gonna be small, like one step at a time, to get to where we need to go. And it feels like making any change is difficult and, not to be really cheesy, but with CRI, we talk about cultural changes all the time, right?
And that's what this really is. But it takes small steps to make bigger cultural changes and different things that different nonprofits and different organizations are doing are really trying to shift that tide.
Bryson: I look forward to your presentation at next year's Critical Effect where you'll update all of us on the good work that you've accomplished at the CRI with these water utilities.
Lessie: Well, thank you. I would love to be there.
Bryson: This is Hack the Plant, a podcast from the ICS Village. Catch us at an event near you. Subscribe wherever you find podcasts to get episodes as soon as they're released. Thanks for listening.