menu

Meet the Guardians of Critical Infrastructure

In this episode of Cybersecurity (Marketing) Unplugged, Curry also discusses:

  • Threat detection for operational technology and how the vFortified product was developed;
  • Merging of digital security and physical security to ensure the supply chain remains uninterrupted;
  • How culture and time constrains the possibilities of technical innovation;
  • The “why” behind vFortified’s mission of sustaining and securing critical operational technology.

Redvers “Red” Curry is the chief marketing officer at vFortified, a leader in the IoT device identity space. vFortified uses a unique, intelligent, disconnected external receptor to instrument a device’s electromagnetic footprint and then they process that telemetry in the cloud in real-time. Operating below network level, vFortified is able to monitor electromagnetic current telemetry and alerts to determine anomalistic behavior.

Prior to vFortified, Curry was most recently working at RSA Security. Curry has been a marketing leader with over 15 years of inbound and outbound marketing experience in the cybersecurity and geospatial intelligence industries. He has a passion for telling great stories helping companies attract visitors, convert leads and close customers. Previously, Curry worked as an SVP of marketing for 2 cybersecurity software startups and continues to work as a strategic advisor to investment companies in the cybersecurity space.

For far too long, the cybersecurity industry has been hyperfocused on software security to the point of disregarding OT security. This neglect has led to numerous vulnerabilities and attacks in the past year alone — the Oldsmar, Florida water systems attack, the Bay Area water supply attack, the Colonial Pipeline attack. Curry remarks on this problem and the importance of integrating IT and OT security.

We believe we can bring new capabilities for monitoring and detection while making it not only virtually impossible to hack, but virtually impossible to detect as well. … And we believe defending critical infrastructure, as it serves all of life today as we know it, is vital because people use it every day.

Full Transcript

This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors. 

 

Steve King 00:13
Good day everyone, I’m Steve King, the managing director of server theory. Today’s episode is going to focus on industrial control systems and their vulnerabilities and our global exposure to cyber attacks on OT. Joining me today is Redvers Curry, the CMO of vFortified a leader in the IoT device identity space, they use a unique, intelligent, disconnected external receptor to instrument a device’s electromagnetic footprint. And then they process that telemetry in the cloud in real time. operating below network level four vFortified the only company I know who monitors electromagnetic current telemetry, and alerts to determine anomalistic behavior. So welcome, Red. I’m glad you could join me today.

Red Curry 01:09
Thanks, Steve, for having me, though. It’s great to be here. I appreciate your time today to very excited.

Steve King 01:13
Sure. V fortified seems to have a kind of a Giant Slayer here with your approach to threat detection for OT. How did this all come about? Where’s the company stand today?

Red Curry 01:28
Well, that’s a really good question. You’ve got three really good point. So bear with me while I kind of unpack that, because Giant Slayer giant killer. I love that term, Steve. We’re certainly hoping that that’s the case. But most importantly, I think, and I believe we can bring new capabilities for monitoring and detection, while making it not only virtually impossible, you know, Steve, I’ll never say totally impossible to hack, but virtually impossible to detect as well. Our device sits outside the network, which helps it to be well positioned to avoid those invasive techniques by the bad guys. But really to dig into your question a little bit more as the company was built on the experiences of the team, of course, and what you rightly call the electromagnetic footprint. Now I’m going to drop some science here. And that’s dangerous, because it doesn’t my science doesn’t go too deep. But all electric currents have a magnetic field and vice versa, which means everything happening in and around any computing system, from the hard drive access to CPU use, and kind of what’s happening in memory, all has an echo on the EM fields around it. So the realization just as Tempest was decades ago, I mean, decades and decades ago, was about picking up on radiation to spy, we could actually use these fields and radiation to instrument systems, rather than spy on them. And unlike Tempest, where proximity was hard to achieve, but vital, you would intentionally place our device, the receptor that we produce, right up close, and even potentially, inside the chassis of a system. So as you know, systems can be very different. Steve. So learning, there’s a learning period under control conditions that’s necessary. Most I OT and even ICS devices and kiosks are metronome, like in their em fluctuations. They may change a little over time. But can you imagine a more ideal environment for machine learning. And so that’s played out, as we thought with telemetry in parallel networks, and coming back to the cloud. And that’s where the magic happens. So the applications are limitless. But the second part of your question here, that’s the key. We’re laser focused right now at V fortified on the applications that are both most marketable, and make the biggest difference, because the key to success for any fast growing company like ours, isn’t to do everything. It’s in fact, to do what we do very well. And delight the customers, if that makes sense.

Steve King 04:01
Yeah. And so which industrial sectors are you in today, and which seem to be the most sort of prone to vulnerabilities?

Red Curry 04:12
Yeah, you know, and I’ll get into this, I’m sure with you in a little bit. But we look at the critical infrastructure around power, energy, oil and gas. The opportunity for breach has never been more alarming. Right. And we’re as we start to upgrade and update the critical infrastructure systems that we have today with the recent investments by administrations, I would say those are the big ones. I mean, you’ve seen and I will probably cover this more later in the chat here. But you look at the Florida Water System, San Francisco water system, you look at the Colonial Pipeline, and maybe people are thinking, that’s an overplayed topic. We’ve heard it No, it’s not overplayed. And there’s lots more we can be doing, and lots more we should be doing. Manufacturing is a big one. Telecom is another huge one. There’s just so many opportunities right now, Steve?

Steve King 04:57
Yeah, and it’s almost as if all of us sort of just appeared one day, you know, here we’re rolling along here worried about IT security and not paying a whole lot of attention, though to security. And then all of a sudden, you know, I think maybe the national or international attention shifted with colonial attack the GBS, or, you know, new Co Op attacks, and brought more attention to the potential critical infrastructure attacks that, you know, are obviously, occurring across the board, as you say, in energy, water and food. And, you know, right here in the US that alone around the planet, we’ve also seen the current administration issued guidelines for addressing these threats. Are you? Are you working with any federal agencies to encourage folks to step up to the hardware plate

Red Curry 05:55
inclusively, I’ve never heard anybody say it quite as well, as you just did. And it’s spot on, Steve. Because the application and critical infrastructure, especially where digital meets the physical, right, you mentioned in now we’re looking really hard at OT, it’s huge. And we began talking to several organizations, but it’s really early days yet, I probably can’t speak much to that. But yes, and frankly, all levels, I really want to hammer on that point you just made, which was great. All levels of government. And really, anyone with physical operations should be all over this right? Drones, trucks, ICS, medical systems, power supply, water supply and food supply, I really have to put that emphasis on there that these are the things that matter to people, right. This is what keeps our world turning every day. We also believe that there is a gap in the standards around this and a lot of new applications and technologies can be developed upstream. That’s the beauty of being in the cloud, I think. And it’s not just a place to have limitless storage and CPU. But it also gives us a lab to experiment to help improve the efficiency and the design of the technologies that we instrument, and to find new value to give back to our customers. And remember, like, like you just said, this is about security and reliability. And it really is about people. One of my biggest worries is in the delivery of food or the supply of medical supplies. So as we go through COVID, right, and we see this recent uptick, we need to make sure that the bad guys who know we’re watching it, that we’re also watching OT and we’re also making sure those supply chains are uninterrupted. So we can keep people safe.

Steve King 07:31
That raises the whole issue got sort of moving back toward it as well, where you know, you’ve got a Raspberry Pi drone that can fly alongside a building and get access to incorrupt workstations, you have workstations in the hallways of medical facilities, and healthcare providers, hospitals, and the like, that are pretty much available for anybody to walk up and you know, insert hardware devices or, you know, substitute a modified keyboard for the keyboard that is on the pedestal there. And so there’s a lot of hardware related issues that we’ve never addressed before we’ve been so focused on software security, that it seems to me there’s opportunity on both it and OT here, just monitoring telemetry, and doing, you know, using your, your em, current analysis and sort of the basic laws of physics to determine anomalistic behavior.

Red Curry 08:44
Yeah, no, absolutely. And you know, I’ll just use ransomware gangs as an example. They’re getting much more creative, much more collaborative with other criminal organizations out there. And what they’re doing is there realizing, while you’re looking over here, we’re gonna go over there. And we looked over the holiday season, and we could see people infiltrating in not just the digital way, but in the physical way on card skimmers. We’ve seen them making those traditional phone calls, right social engineering, trying to get people to give away more through their cell phones through SMS text messages. I mean, they’re going to do whatever it takes to breach and they’re going to go any point they can just be creative about it. You’re absolutely right.

Steve King 09:21
And they get more creative every week, it seems when we talked, we’ve talked before, read about some of that V fortified work that had not exactly come out of the TEMPEST project that NSA spesification But sort of concepts and ideas around that related to emanation leakage from radio and electrical signals and sounds and, and vibrations and so forth. Can you expand a little bit on that and and explain how it may have impacted your product design?

Red Curry 09:54
Yeah, absolutely. And like you said, it didn’t really come out of TEMPEST, but was rather perhaps inspired by As lots of things are right as we look to things of the past, and we build new things from those things, and we learn new stuff, and as far as I’m aware, right now, we are one of the first commercially if not the only commercially available product in the world that’s actually instrumenting, leaky emissions for good. And it was built on common principles with something like TEMPEST, though not directly related to the original work in attack or defense. So to make that kind of clear, but some general comments on that, right and the evolution of our product, and I’m not technical, Steve, by any means. That’s a conversation for a smarter man than I am. But the notion of leveraging ambient energy signatures really to collect telemetry, it’s not new. But the notion This is the exciting part, actually, this is really exciting. Part of the notion of leveraging it to detect security issues at a granular level is radically new. And it’s a radically new concept, which was not fully really achievable until recently, through a unique just a fascinating blend of quantum physics and neurosciences, which our CTO Eric Nielsen, Dr. Eric Nelson, has worked very hard on and thanks to these innovations, we can now qualitatively and non intrusively detect digital risks through physical device technology. I’ve had some great conversations before I joined vFortified with our CEO Harold Moss about this just some great chats about it and got what really got me excited. And where I see this going, truly I think is, well the initial concept of it was the identification of threats and reliability issues that you and I have talked about in this chat in the industrial operation space, and focusing really exclusively on anomalies as a means of augmenting security confidence that however, this is cool. Through a series of dialogues with customers thought leaders, it’s clear, we can introduce a much more meaningful impact on how organizations today address security from their infrastructure by providing a control plane for both the physical and digital security. And that’s where I think we’re headed now, some really exciting things to share this coming January, we’ll keep that a little under wraps. I don’t want to give too much away there. But we have lots to come on that in the new year. Steve?

Steve King 12:10
Yeah, that’s terrific. If you look at the physicality, I guess, of the of the network environments, on the OT side, it seems to me and I, you know, given what we’ve, the various attempts we’ve seen as security protection and defense on that side of the house seems to be related to you know, critical device assets as best they can be. Because, you know, those are pretty much you know, valves and controllers and, and so forth that manage all of that ebb and flow of IE whether it’s a chemical or oil and gas processing facility, or water, wood heavy, or electricity through the grid, and no software solution really kind of addresses that. So I’m, I’m wondering why, you know, other companies haven’t been haven’t brought product to market using a similar approach, it’s seems seems like a no brainer, given the ease with which software can be breached that I that I miss anything there, why late in the game was such what appears to be in to me an empty playing field.

Red Curry 13:23
You know, I love that question. Because as a marketer, I was go, how come? I never thought of that, right? Like, truly great ideas always seem obvious, I think in retrospect, so it’s not you, right? And I think, Wow, no brainer, but there was a term coined and I got to really wreck red brain here. I think it was Neal Stephenson’s seven Eve’s Autistics recommend brains. But basically what people do with any technology, and I apply this to marketing, too, is culturally constrained, I think. So in other words, there are millions of uses for this technology, but most of which we’d never thought of. There’s a fun exercise you can try, right? So pick a breakthrough in time, something that had happened, and then have people sit in a room from many backgrounds, and list the as many problems that could be solved with it as possible. Now, if you stick at it, strange things will come out, right? And the result will rapidly becomes potentially disruptive. Most people don’t know, for instance, that I think it was the Romans, were really getting into this that had a toy steam engine. My brother Sam and I actually talked about this recently, when he was describing something to me. Why didn’t they do something like make a train? Right? That’s the Autistics in it. I mean, if we you and I sat in a room with a couple of cups and some strings, we would probably pour a cup of coffee and tie something or, but when we come up with the phone, so why didn’t we solve problems this way before? I think it’s honest sticks is that term that was from Neal Stephenson’s book there. But finding these things is innovation. And that’s the fun part. I think that’s what we’ve done is we found this through some research and some heavy thought. And like I said, Eric Nelson, our CTO has done a lot of this research Are we looking into these things?

Steve King 15:01
So you’re saying essentially that the answer is right in front of us, there just aren’t very many of us that are equipped with Elon Musk or Steve Jobs, sort of Outlook to be able to identify the obvious when it jumps up and yells at us, or

Red Curry 15:19
even the need, right? Like, is there a need at that time? So maybe they saw the need, and suddenly, it became obvious, right? Maybe that’s what it is. It’s it’s a needed a time. So maybe they were smart enough to figure it out. But they just weren’t thinking in that direction as the Romans right with the toy steam engine, weren’t thinking trains, God Only Knows. Right, what could have been done if they had if they built them.

Steve King 15:40
Yeah, you know, I mean, this, this may seem so folks like a trivial rabbit hole here off this conversation. But I don’t think it is at all, I think, critical thinking and design and, and design thinking and systems thinking, our lost arts, we stopped teaching that we’ve stopped teaching that at the collegiate level, we stopped teaching it at secondary education level years and years and years ago. And so that so the folks that I meet today, who are recent graduates are just, frankly, incapable of much progress. And in those areas, and I think that without critical and design thinking, we’re not going to make the kind of innovative progress, whether that we need to, we need to make to remain competitive here.

Red Curry 16:31
Yeah, you know, you made me think about something, if you and I sat in a room and there was another room of folks next door, and I put a box of blocks in front of you and I and a box of blocks in front of somebody from say, Paris, France, or Egypt is a great example. Are we going to are you in it, you’re going to build pyramids? Are we going to build houses? What would we build with that box of bricks? And versus what they might build? So would we have ever thought to build pyramids? Right? It’s an interesting, that would be a fun thing to watch. If you put several different people from different groups and cultures in a room with the same materials, what would they build? And how radically different would they be? And what problems would they be solving be cool?

Steve King 17:08
You would be indeed, so cultural constraints. And Neal Stephenson’s book will will become the topic of our next conversation. And when we get back together in the kind of March timeframe, sorry, sorry, no, no, no, no, don’t be sorry, I think it’s great. I’m conscious of the time I don’t want to eat up too much of yours. So I’ve got kind of a final couple of questions. And by the way, we should invite your lesser known brother, Sam curry into that same conversation whenever we have that. Your website today does a good job of explaining what you do and how you do it. But it’s pretty short on brand story. And as a marketer, I know you’re a big fan of story, eating and storytelling. When do you guys plan to start bringing V fortifies tail to life because as a story, it’s got such incredible potential.

Red Curry 18:07
You know what, this is something I’m really passionate about. It’s something I’ve spent the last 20 years plus of my life doing, and I’m really glad you asked this. And brandstory is, you know, explains the what the how, and most importantly, I think it’s the why is the why story. And I’ve learned that over 20 something years here, and I think the why on our site is and you probably read it, and we’re the guardians of critical infrastructure, right. And we believe the defending critical infrastructure as it serves, all of life today, as we know it is vital to everything is vital to people because people use it every day. And it’s life supporting, we’ve mentioned that it’s life sustaining, its life advancing. And we’ll be expanding on this across the site and incremental steps as we grow, because we’re really just getting off the ground now. So that does grow. But the question that you’re asking is so much bigger, and way more exciting, like, really exciting for me. And today, I see this as kind of the mistake of CMOs and marketing organizations everywhere, being everything to kind of everyone in one place. And at previous companies I was at it was the challenges that we faced. And it’s often the reason I think that we find ourselves constantly trying to fix and repair our sales enablement, right, our marketing engagements, and many times we try to tackle these pointless rebranding efforts over and over again, without any success, or where are the leads? Where’s the demand? And how come no one’s listening or paying attention? And the reason I think, Steve is that there really isn’t a one size fits all brand story, but better than that. It’s a series of different adventures really unique to the reader, and that being customer partner employee. It’s that cohesive narrative that kind of encompasses the facts and feelings that are created by the V fortified brand. And I think what we’re doing now is we’re review and we are using an experiential marketing approach on our site. Everything we talked about, I believe, should put the you at the center During the conversation, we oftentimes in technical descriptions of products, we never put the you at the center of those network diagrams, right? And that’s sad because it is about you and, and from our images and conversational tone. Why? Because it’s about people, right? partners, customers, nonprofits, public, private, all have very different, I think this is something I really want to highlight different problems to solve in different jobs to do, right. So being that those labels are tied to people, and here’s the key, they really, Steve, really, truly want to be the hero in their own story. They want to solve a very particular job or particular problem. And our website would need, I would imagine, 1000s of pages to cover all those brand possibilities to reach them. So I’m focused. And the answer to your question truly is, I’m focused on telling a story in a targeted way through campaigns that highlight real solutions to real problems that these organizations that we’re trying to reach out to today, feel they have in our blogs, our interviews, media, social media, fireside chats, webinars, getting that conversation started, because it’s a dialogue. And you and I both know, the bad guys out there today. They’re agile, they’re creative. They’re also collaborative and focused, and changing things every day. So our story needs to be the same story needs to be and need to clearly speak, I think, to the multitude of threats, customers, partners, employees, God agencies, nonprofits face today, and more importantly, tomorrow, the ones we don’t know about. So our brand story for all audiences will be in every campaign that we run, to answer your question, yeah, iterative process, the website’s going to grow exciting things coming in January, you and I should talk again real soon. But we want to help them tackle real specific challenges that they face.

Steve King 21:48
So many of the vendors in the space and we’re up to close to 4000, our telling the same story as their competitors are telling, you know, so the wall noise is thick and high, and it’s very hard to get a signal through that wall. Yet, folks tend to refuse to want to leave that narrative and move on to as you say, for example, why are we doing what we’re doing, instead of pushing feature function, which is the tendency for most of these brands in cybersecurity to we stop, you know, 100% of these 99% of time over here. And here’s the speed of which we do that. And we’ve got XYZ technology, and no one cares about that shit, right? We’re looking for outcome based marketing. We as consumers are prosumers, if you’re looking for outcome based marketing, that relates exactly to my, whatever my particular problem happens to be. And it’s so hard to find.

Red Curry 22:49
And you just struck something with me, because I’m gonna, I’ll come right out and tell you why I got into this business and why I joined once RSA V fortified all the companies I’ve been with, it’s obviously on LinkedIn, but I couldn’t be a policeman, I couldn’t be a fireman, I couldn’t be an EMT. And my goal was to make a difference in the world I live in and I one day asked, yep, my brother, Sam, I’m like, Are you making a difference? He goes, I like to think I am every single day, I like to think I’m doing good work here and trying to keep people safe. And this is the real reason I think that a lot of us get into this business. That’s what matters. It’s about knowing that your wife, your children, your husbands, your aunts, uncles, brothers and sisters, when they swipe a card in a store, that they’re safe, that they’re that they’re cared for, that they can trust, the environments they’re working within the organizations they do business with. And that is that truly the why in the story, I do this every day to stop bad guys. That is what I hope that we’re all doing together in a collective. And I don’t see competitors out there. Steve, you mentioned that I see partners, I see ways in which we can close some gaps that are really, really lacking to stop the ransomware gangs. I’d like to think I can work with anybody in the OT security and IT security, to help close some of those weak links and those doors.

Steve King 24:04
You are read. And I’m pleased to know you and I very happy that you’re doing what you’re doing. Both you and Sam and other folks that are passionate about this business need to remain passionate. And I think as Colin Powell once said, perpetual optimism is a force multiplier. And I’m a huge believer in myself. So together we can do this. So I’m grateful that you’re there and and thanks for taking the time today. I want to thank our guest red curry for taking time out of your schedule to join me in what I hope was a brief but thought provoking exchange.

Red Curry 24:45
It was awesome. I can’t thank you enough. This podcast is tons of fun. These questions are great here to do whatever we can together right, Steve, just to get people the information they need to make this world a safer place.

Steve King 24:57
That’s right. That’s the objective man So thanks for listeners also for joining us in another one of our unplugged reviews of the complex and sometimes frightening world of cybersecurity and technology in our new digital reality. Until next time, I’m your host, Steve King, signing out