Transcript of the podcast interview with James Gruich, cybersecurity expert and educator
Jackie Roembke, editor-in-chief, Feed Strategy and WATT Feed Brands: Hi everyone. Welcome to Feed Strategy Podcast. I'm your host, Jackie Roembke, editor-in-chief of WATT feed brands. This edition of Feed Strategy Podcast is brought to you by FeedStrategy.com. FeedStrategy.com is your source for the latest news and leading-edge analysis of the global animal feed industry today.
Today we're joined by James Gruich. He is a cybersecurity expert and educator, here to discuss some of the ways feed manufacturers can keep their operation safe from cyber attacks.
Hi, James, how are you today?
James Gruich, cybersecurity expert and educator: Doing fine. Jackie, how are you today?
Roembke: I'm doing great. Thank you so much for taking the time to speak with me. Now let's talk a little bit about your background and how you found yourself involved in cybersecurity.
Gruich: Well, to start off with, I have over 30 years of experience in the industry, workforce, working in all three sectors, the private, the public and the government sectors. I hold several degrees. Have a bachelor's degree in computer science. I have an MBA and also have a Ph.D. My career actually started out as a computer programmer, and my first initial job was programming on board the Aegis cruisers and destroyers for government contractor for the Navy. At the same time, I was programming and building the systems. I had to train the master chiefs on board the navy vessels on how to do system administrative functions. And then, as time progressed and technology changed, I moved into networking and then also database administration. I worked several years in for the government sector, and then I moved into the public sector, converting large mainframe systems for educational institutions. Began to work on my Ph.D., and then I heard a knock at the door, and someone offered me a position as a cybersecurity officer for a multi-million-dollar bank, and I made that leap into the cyber world.
I was a cybersecurity officer for 15 years, then moved on up into becoming the CIO and the COO, and ended my career as a COO head of operations. I decided I wanted to come back into the academic world and teach and kind of demonstrate to the students what skill sets they actually had to do in the cyber world from a skill set standpoint, instead of a book knowledge standpoint. So I've been doing this for some time now, and I do a lot of research in the cyber area, and that's a little bit about my background.
Roembke: Well, you are more than qualified for this conversation. And with that, we will go into the big question, how can agrifood companies prepare for the inevitability of a cyber attack, whether that's direct or indirect?
Gruich: Well, preparation is the key word here. Regardless of the sector that we're talking about, everybody is going to be impacted by a cyber threat or a cyber attack. Preparation starts with having qualified individuals on your staff. And when I say qualified, that's one of the reasons I came back to teach. It's one thing to be book smart, but it's another thing to be skill smart. And the institution I teach at, we do a lot of hands-on training, and actually the student touches the equipment, does and performs cyber attacks, and also does the defense accident aspect of it to defend against this cyber attack. I described this because it tells you a little bit about what type of individual you need to have on your staff. And the reason we emphasize hands on is it keeps the, as we like to say, it's where the rubber meets the road. It's one thing to teach a student to use an analogy how to drive a car to get a license, or that student can also get a license by just taking a simple test, 30-question test, and the students got their license, and they're driving a car, but they've never touched the vehicle. They don't even know how how to operate the vehicle. If you correlate that to the cyber world, what we do here is we not only teach the student the aspect of taking the test in the knowledge base, we actually require them to touch the equipment, perform the activities, perform some cyber attacks.
Now I hesitate because I'll know a lot of the listeners are going to say, 'Well, it sounds like they're teaching them to be hackers.' And that is true. It is true in order to understand how to protect the organization, you need to understand what methodologies and tactics are used, and sometimes it's easier for the student to understand that from a hands-on perspective. So you need a very sound personnel that is skilled in the cyber, both the offensive and defensive. I recommend you to have someone who is knowledgeable of an IT audit aspect, so that they can understand what it means to have contingency plans. What does it mean to have an incident response plan in place? So these are the qualifications that I see when it comes to regardless of a direct or indirect attack in preparation.
Roembke: A lot of companies, of course, are finding somebody within their existing staff to take this on, more than likely. What are the attributes that that person should have, and would they go through formal training, through a program? Or what does that kind of look like as they're bringing someone online to take on that responsibility.
Gruich: The attributes would be someone with a college degree, whether that's a two-year or four-year degree, some experience in the field is quite acceptable. Certifications are very important too. Now I recommend, I lean more heavy on the academic degree than the certification, and I'll tell you why: because I've seen some students who can easily pass a certification test to get a certification, but they do not have all the skill sets needed to actually perform the job when they get on into the workforce. In the academic world, someone who has received a two-year, four-year or master's degree in the field will have that robustness in that skill set. So I recommend someone with a degree certification. We push certifications. And there's, there's a plethora of certifications out there that qualify as a student to or an individual to be qualified for the position. One certification that I mentioned would be the Security Plus certification in cyber security. It's offered through CompTIA, and it's widely recognized by the industry, so education, certifications and experience.
Roembke: Now, you mentioned response. What are the key components of an effective incident response plan?
Gruich: Great question. There's basically. Five key components that an individual organization wants to look at when it comes to an effective incident response plan. The first one is preparation. Does your incident response plan prepare you for the multiple types of incidents that may occur, and it should complement your risk assessment. If you don't have a risk assessment, you should have one, because it will identify for the incident response plan what vulnerabilities there are and what attacks could happen. The incident response plan complements the mitigation process of the risk assessment.
The second thing of the incident response plan should be you should have some type of mode of detecting, monitoring and analyzing the threats as they come into your organization. There are many third-party software tools in the cyber world that allows an individual to actually monitor a organization's network, to see and detect what activities are out there that could be potential threats. Some organizations even go as far as implementing some devices that will actually prevent those threats from coming in. Some of the devices and some of the methodologies is to use a firewall to prevent certain threats from coming inside the organization. And here again, this kind of ties back into the qualifications of the individual. An individual who is well versed in the skill of cyber will understand these terms that I'm referring to in the devices such as a firewall, so detection and analysis the second thing, the third thing is to contain the threat.
Once you have a cyber threat in your organization, I tell everyone you, for lack of better words, you have to stop the bleeding, because they will bleed you from data, financial they will throw everything at you from a cyber perspective. And so you have to stop or contain the threat. And so to give you an example how that is done, from a computer networking standpoint, all organizations have some form of networks that tie into the manufacturing process or the administrative process. You can contain a threat by isolating what we call the virtual lands within that network, and that's one methodology.
So detection containment, and then also you have to eradicate the problem. Once you've identified it, the incident response plan needs to have some type of method or steps to stop it. And then, finally, you have to recover from your damage. If the loss of data is the result of the cyber threat, you have to have good backups, clean backups, to recover from that type of threat. And then finally, once all the dust is settled, we have to do what we call a post-incident review analysis to see where was the weakness. How did this actually occur? What can we do mitigate against this from happening again?
And then the last step that I would recommend, and it's something that is pretty much an ongoing process, is a lot of times organizations I see have an incident response plan, but they never test it. And this is a this is a great error on their part, because you never know if the incident response plan is actually effective until you actually test it. So when I worked in the industry, a lot of times, what I would do is what we would call fire drill test, I would have a simulation of an incident a threat, and I would judge and grade how my staff would actually respond to the incident using the incident response plan across those five steps: preparation, detection, containment and recovery, post-incident review and then, finally, testing.
Roembke: How often should companies test their cyber security incident plans, and what should these tests involve?
Gruich: Well, that question depends on how much money they have to spend. So I will answer that question. Normally, you want to test it quarterly, if at minimum, every six months. But, if you have a good plan in place, your cyber security incident plan in place, you should at least test it once a quarter, just to make sure that what changes took place in the operations of the organization has been accounted for and can be addressed. Quite often, the left hand doesn't know what the right hand is doing.
Sometimes we move forward in progress, and sometimes we overlook the possibility of cyber threat when we implement new technology or new manufacturing processes. And for that reason, quarterly would be ideal, if at all, minimum six months and absolutely, at least once a year.
Roembke: Can you explain the importance of clean backups and how IT teams can verify those restore points and make sure that they're free from malware?
Gruich: Yes, when I refer to a clean backup in in the realm of a cyber threat, for instance, if we have to restore, some of these cyber threats may not expose themselves until three, six months down the road, and when you actually get hit with them. So you may be backing up the cyber malware threat and not know it. A clean backup is one that we can go to in a point in time where that malware does not exist on the backup. And you say, well, how do we know that?
Well, what you've done, if we go back to the incident response plan and you've you've contained and eradicated, you should be able to identify where the threat came from, how it entered your organization's network or infrastructure, and identify the key files and components that cause the malware to perform. Once you've done that, then you can go back to your clean backup and identify those backups that do not have that malware existing on it. That is what is referred to as a clean backup. Now let me go one step further and tell you how I recommend it in the industry to do backups. We did a daily backup, we did a weekly backup, we did a monthly backup, we did a quarterly backup, semi-quarterly and an annual backup, so at any point in time we could have a clean backup. So if an incident happened on a Monday and that affected us last week, we could go back to the weekly backup before that, that Friday before it actually occurred, and get a clean backup. But the key factor here is in the incident response plan, being able to identify, detect and evaluate where the actual threat occurred, so you can get a clean backup.
Roembke: Now, I've heard several times that your employees are the first line of defense. What sort of specific awareness training topics are the most crucial for employees to internalize to prevent this sort of incident?
Gruich: Yes, and this is across all industry sectors, believe it or not, most of your cyber attacks, 90% of them come from human error, for a lack of a security awareness a plan or program. Having said that, all organizations should have their employees following some type of security awareness program.
Now, when I say program, many years ago, we didn't have, when I was in the industry, we did not have the third-party software products that we have today from a security awareness training, and I used to have to build it from scratch. But today, fortunately, we have great products out there, offered through third-party entities, one being like, not to not to sell any vendor particular. But Ninjio is a great product. It's a great security awareness, it's a great security awareness tool. It's a five-minute video that the student the employee will watch on different aspects of cyber threats, whether that's phishing or something of the nature that raises the awareness of the employee. So a great security awareness training program starts with constantly on a weekly, on a monthly basis, training the employees on the threats that could possibly happen within the organization for their lack of knowledge in the cyber world.
That's the whole purpose of the security awareness training. So these are some of the products that are out there. There are a multitude of third-party vendors that makes it very easy. The employee receives an email, watches a small five-minute video, takes a maybe a three- or a five-question quiz. If they pass the quiz, they they've considered to be aware of those types of threats.
Roembke: And how frequently would this security awareness training take place?
Gruich: To be honest with you, it should take place daily, but in the organizations that I've worked on and some of the things I've implemented, at least once a month. So every month, all employees will get some type of link to a video and to take some type of security awareness quiz to ensure that we keep a log of what employees have been using as an example, phishing, something as simple as phishing email. A lot of employees, you know, they don't understand the the threats that can happen in a phishing email from just clicking on a link. How about validate and verify that email is a legitimate, valid contact person, so at least once a month.
Roembke: Great. Now switching gears from prevention, let's say the worst happens. What are the potential consequences of negotiating with or paying a ransomware attacker?
Gruich: Oh, that's great question. First of all, according to the FBI, you should not negotiate ransom, and I've heard it's six of one, half a dozen of another. Attitudes toward paying a ransom because they fear reputational exposure. If the public finds out that we've been attacked and we had a cyber attack, they may lose some type of reputation within the industry, and this is the wrong attitude to have. I don't recommend paying ransoms, nor does the FBI recommend you paying a ransom.
So the question comes up, well, how do you mitigate against that, should you get hit with ransomware? Well, first of all, let's go back to us talking about the incident response plan. Incident response plan, believe it or not, something as simple as ransomware, can be easily rectified by a good backup, but you have to identify where the threat occurred, how to enter your system through the incident response plan, OK, your contingency plans, your disaster recovery plans, complement this and allow you to recover from any type of cyber threat, regardless of whether it's ransomware, etc. So I would encourage everyone to constantly be on guard to the types of cyber threats that are out there, and keep your staff in tune of what they need to be aware of to address those issues.
Roembke: Are there any other primary defenses other than employees that companies should have in place to prevent the ransomware attacks?
Gruich: Yes, one of the key things that I teach from the networking classes that I teach on at the college is I encourage organizations to segregate their traffic. And what I mean by segregation in a computer networking world, you can have networks that support administrative functions, you can have network lands that support operational functions, and you can have a just a slew of different types of networks that can be segregated from one another. They can be linked in some form or fashion, but they're segregated. The segregation is what prevents a serious attack from pretty much bringing down an organization, and it's inevitable that it will happen, but if the right steps are taken, you have said segregation within your network. You have good plans and procedures in place. You have skilled personnel on staff, on hand to address these issues, those cyber threats should not impact organization as much as they would otherwise.
Roembke: Now, how frequently should agribusinesses conduct penetration testing and what areas should they focus on?
Gruich: Well, penetration testing is something that is really part of an audit, if you would say you can do an IT audit and to to find out how effective it is, the penetration testing aspect comes into play. Now, here again, it all depends on what that organization is willing to spend for third-party pen tester to come in and to do that type of assessment. The pen testing is simply the approach to find out where your vulnerabilities are within your organization that you may not be aware of. It complements and supports your cybersecurity or your IT support staff and helping them identify these things.
How often do you want it? I would say at least, at minimum, once a year. If you can afford to have a organization come in there twice a year, that would be great. But at least once a year you should have some type of pen testing to help your IT people identify some of those vulnerabilities they may not be aware of. That's the reason we do IT audits and also just an internal audit within every organization to help identify where the weaknesses are within the organization. It's not to ding the organization that they're not doing something correctly, but it's to help them identify where their weaknesses are in the feed and grain industries. Up and down the supply chain, they're working with a lot of different vendors, customers.
Roembke: How can companies balance the need for interconnected systems with the risk of indirect cyber attacks through these connected networks?
Gruich: Yes, that's a great question. That's a big challenge because as we continually evolve and we continue to grow our our network expansion into realms of both the social interaction, but also the technical interaction. The integration is important. So it's important that you know exactly what your third party is actually engaging in, and what they're doing on their side, or what efforts they're doing to prevent such an attack. And I say this because a lot of organizations are not going to say, well, you know what I do business with XYZ widget company in the north here.
How do I know if they they're secure? How can I prove that their cyber plan in place is is effective, and yet they want us to connect to them. You have a right as an organization to request that you just don't have to open up your doors or your ports to anybody to access but having said that, in today's world, what I do teach is the skills needed to allow that integration to take place.
Looping back again, this is where a college degree trumps a certification. The college degree will give you the robustness that you need to know from a skill set on how to allow this integration to occur, to continue the growth of the company, to allow them to continue to connect with other third parties or customers without the risk of a threat to your organization. And this also loops back to what we initially talked about at the beginning, about the different types of devices, such as firewalls, intrusion protection devices, or another type of device. So there's a lot of devices, software and skills that allows that to occur, the integration without the concern of the cyber threat, provided you had the skilled, right person working for you.
Roembke: So assuming that there's different degrees of understanding within a corporation or just the general public, I suppose, can you explore a little bit about what the potential impacts of a ransomware attack could be on a feed manufacturer, and is there any way to minimize these potential consequences?
Gruich: Yes, great question. Ransomware is actually right as last week I saw where they were, a bill being proposed to classify ransomware attacks as terrorist attacks. So Congress has actually raised a red flag about how detrimental ransomware are to our organizations. I've dealt with several organizations who have had ransom attacks and understood how they approached the attack, what impact it will have. It can shut down an entire organization. To put this in perspective for you, I have two industries that I can relate to the agriculture industry, the hospital here on here on the coastal area where I live, we had entire hospital get hit, and it shut down the entire hospital's network, and they couldn't really function from a computer standpoint. OK, that's very detrimental. From a casino standpoint, we've all heard about the MGM attack that took place in Las Vegas. Well, here on the coastal area, we have some extensions of the MGM casinos here, and it affected not only the hotel system, but it also affected and crossed over into the gaming system, so it can essentially shut down an entire organization.
How did these organizations get back up and running so quickly? Incident response plan, testing it, making sure that you have clean backups, making sure you have the correct qualified, skilled staff on hand to address these issues. It's not about, in the agriculture world, what would we do if we get hit in today's world? Folks, I'm telling you, it's going to happen. It's going to be, what are you going to do when you do get hit? Because you're going to get hit eventually, because of the revolving technology in today's world.
It's not if, it's but when you get hit, are you prepared for the inevitable? It's kind of like bad weather coming on the horizon. You see the dark clouds in the sky, and you know there's lightning on the on the horizon, and you know the storm is coming. Eventually, you're hoping it'll blow over. But unfortunately, some of us get the luck of the draw, and we get the cyber attack, whether that's ransomware or not, it can cost you millions of dollars, and it can bring your entire operations to a halt. Now, one of the other things that I teach is internet of things (IoT), where we teach specialized devices and how these devices are used in manufacturing.
Don't be misled to think a cyber attack can only come through a computer. It can come through and a device that's on your manufacturing, in your manufacturing process, it can come we can do attacks through a thermostat, HVAC systems. I have HVAC personnel. I have electricians coming to be trained through my program, because they realize how we're all interconnected from a network standpoint, and they understand cyber affects all aspects.
Roembke: Well, that's scary, put it that way, but given the FBI is recommendation not to pay ransoms, what alternative strategies can companies take on if they fall victim? How can they regain control of their operations, and also protect their customers who may have been affected?
Gruich: Yes, well, first of all, we should not be ignorant of the fact that we are so fearful that we do not want to expose that we've been hit. Sometimes you have to lick your wounds and keep on moving so it when you do have these alternative strategies, such as preparing your your staff to for the testing aspect of the incident response on how to address it.
I forget what the law is, but I know that the FBI or Congress had passed that if you pay a ransom to a foreign entity that had conducted some type of ransomware, you can be fined extremely large amount of money, or reprimanded for that from a federal standpoint. So that's how important it is not to pay the ransom so you get hit. The problem is, if I go back, it's not about being reactive, it's about being proactive. So you're going to eventually have some type of cyber threat. So don't wait until the ship is sinking to try to take some action. Now is the time to put all the elements in place to prevent such a detrimental effect to your organization from happening. Be proactive, folks, not reactive. Proactive in the sense of making sure you have incident response plans in place, contingency plans in place, qualified IT cyber security staff on hand, making sure you're testing your plans, making sure all the funding or budgeting aspect to support the IT staff is in place to have some type of pen testing done each year, to have some type of audit performed each year, making sure your security awareness training is done with amongst all your employees. You know, it takes an entire organization to protect the organization. From a cyber perspective, you cannot put all your eggs in one basket and expect, oh, we hired a cyber security person. We're good. It takes an organization a plan of action, and it has to be a proactive approach to address these issues.
Roembke: That's excellent advice. Now, before we wrap up, are there any resources that you suggest for companies looking into this further?
Gruich: Absolutely, absolutely. Well, first of all, I know you go nationwide and worldwide with some of these podcasts, there are a lot of institutions today pushing cyber security and institutions, collegiate academic institutions. We are one of them here at Mississippi Gulf Coast Community College. Now, one of the things I highly recommend is to get connected to the Department of Homeland Security. And there's an organization called Cyber Information Security Agency (CISA). You can become a member of it. They offer some free cyber assessments through their organization, and they're designed to disseminate cyber information to your IT specialists in your organizations. They can also disseminate to them what we call IOCs, which are indicators of concern list when it comes to cyber threats.
So you hear about ransomware, how do we know if we're going to have some type of ransomware attack CISA? CISA will issue a IOC saying, look for these indicators of concern, and if you see them, it raises a red flag that you're going to potentially be hit by a ransomware attack. And all types of cyber attacks identified this way. They also offer through CISA techniques and tactics that are listing methodologies that these threats come from. So you get these, these IOCs on a periodic basis when you join and connect with them, you get relevant information. That is pretty much hot off the press, should I say. So that's an excellent resource, Department of Homeland Security, if you stay in touch with cyber snoops and that, they'll tell you what's going on, and you'll learn about some of the reality of what is good and what is fake news when it comes to cyber but most important, these organizations like CISA gives you the legitimate stuff to work with to address these issues. They also offer training.
Roembke: Thank you so much for sharing all these excellent insights, and thanks to everybody who tuned in.
Gruich: Bye, bye, thank you.