If you’re a security professional, it probably seems like every day there are dozens of new high-priority threats to device security. In this podcast, we talk with leaders in device security to get the truth about security, threats, and what the future ho
On this episode of the IoT: The Internet of Threats podcast, host Eric Greenwald and Larry Pesce (Finite State Director of Product Security Research and Analysis) delve into the recently announced U.S. Cyber Trust Mark, a cybersecurity labeling program for IoT devices that fulfills a long-anticipated directive of Executive Order 14028. Larry and Eric explore how, in contrast to static ratings like ENERGY STAR, this dynamic IoT security score will attempt to reflect the continually evolving landscape of cybersecurity threats and controls. They weigh the efficacy of this voluntary labeling program: Will consumers use it? Will manufacturers comply (and raise prices) or ignore it? Larry and Eric discuss the initial criteria for assigning these security scores and user-friendly implementation strategies like QR codes. They also tackle the implications of the program for a range of connected devices, from baby monitors to solar panels, analyzing whether a voluntary program will see widespread adoption across industries whose risks vary widely (from privacy violations to deadly fires). Larry then turns the tables and asks Eric about the FCC's unexpected role in enforcing IoT labeling compliance and how this labeling initiative aligns with the broader trend toward transparency and accountability in device security regulation.

Interview with Larry Pesce

Since joining Finite State, Larry has been providing expert product security program design and development as well as IoT pen testing services and guidance to product security teams worldwide. He is also a Certified Instructor at the SANS Institute and has co-hosted the Paul's Security Weekly podcast since 2005. Before joining Finite State, Larry spent 15 years as a penetration tester (among other roles) focused on healthcare, ICS/OT, wireless, and IoT/IIoT embedded devices. Larry holds several GIAC certifications and earned his B.S. in Computer Information Systems from Roger Williams University.

Join in on this insightful discussion where Eric and Larry consider:
- Similarities and differences between the IoT labeling and ENERGY STAR rating programs
- The need to reflect the ever-changing nature of cybersecurity risk and controls within cybersecurity scores
- How, and how much, consumers will actually use the score and value higher-rated devices
- Criteria considered when assigning the scores and where labels will appear
- The varying impacts of a voluntary IoT labeling program on consumer vs. industrial connected device cybersecurity
- The surprising role of the FCC as the enforcing regulator for IoT labeling compliance

Find Larry on LinkedIn: https://linkedin.com/in/larrypesce
Learn more about Finite State: https://finitestate.io/

Thank you for listening to this episode of the IoT: The Internet of Threats podcast, powered by Finite State, the leading supply chain cybersecurity solution provider for connected devices and embedded systems. If you enjoyed this episode, click subscribe to stay connected and leave a review to get the word out about the podcast. To learn more about building a robust software supply chain security program, protecting your connected devices, and complying with emerging regulations and technical standards, visit https://finitestate.io/
In the latest episode of IoT: The Internet of Threats, podcast host Eric Greenwald sat down with guest Alexander Fleischer for a thought-provoking dialogue. They delved into the escalating symbiosis between artificial intelligence (AI) and cybersecurity. Fleischer elaborated on the rapid and complex evolution of AI, particularly its growing role in cybersecurity procedures. The conversation also extended to the potential implications of AI for the future job market and the nature of human-AI interaction. A significant portion of the discussion was dedicated to whether the general public will, or even can, put its trust in the advances of AI. Finally, the two weighed in on an intriguing question: In the ongoing battle between cybersecurity defenders (the "good guys") and cybercriminals (the "bad guys"), who stands a better chance of benefiting from advances in AI technology?

Interview with Alexander Fleischer

Alexander Fleischer is an innovation lead for a leading consulting firm in the IT Services and IT Consulting sector. He works with start-ups, venture capital firms, accelerators, and incubators to find solutions in emerging tech, including AI. His areas of expertise include Virtual Reality (VR), Augmented Reality (AR), and Artificial Intelligence (AI). For more than a decade, Alex has worked in innovation, strategy, digital transformation, and leadership across industries in Germany, Hungary, and the United States. He started his career in telecommunications. Alex holds a Master of Science (M.Sc.) degree from the WFI - Ingolstadt School of Management, with a concentration in Corporate Strategy and Service Management. Earlier, he earned a Bachelor of Arts (B.A.) in International Business from the Fachhochschule der Wirtschaft (FHDW) in Paderborn, Germany.

In this episode, Eric and Alexander discuss:
- The increasing interconnection and interdependence between AI and cybersecurity
- The pace and nature of AI's growth and proliferation in cybersecurity practices
- What AI means for tomorrow's workforce and how people will interact with AI
- Whether people can and will trust AI and its advances
- Who is better positioned to survive and thrive in the AI arms race between the good guys and the bad guys

Find Alexander on LinkedIn: https://www.linkedin.com/in/fleischeralexander/
In this episode of the IoT: The Internet of Threats podcast, host Eric Greenwald and Dino Boukouris, Founder and Managing Director of Momentum Cyber, delve into the increasing demand for detailed, actionable data in providing cybersecurity services. Eric and Dino scrutinize the role of regulation, assessing whether it inspires innovation or inadvertently stifles growth. They also examine the crucial part that data analytics and the Software Bill of Materials (SBOM) play in today's risk management practices. Will the increased prevalence of AI and emerging regulations bring about significant improvements in managing cyber risk? Join the conversation to find out.

Interview with Dino Boukouris

Dino Boukouris is a Founder of Momentum Cyber as well as its Managing Director. Momentum serves as a strategic advisor to founders, CEOs, and boards in the cybersecurity space. Dino specializes in cybersecurity, M&A, venture capital, and private equity, and has a background in engineering and finance. Prior to founding Momentum Cyber, Dino served in a variety of capacities at strategic advisory and VC firms, including Illuminate Ventures and Advatech Advisors. Earlier in his career, he was Engineering Manager at Cameron Health, a start-up later acquired by Boston Scientific. Dino earned an MBA with honors from UC Berkeley's Haas School of Business and a Master of Science in Mechanical Engineering from the University of Michigan's College of Engineering.

In this episode, Eric and Dino discuss:
- The increasing sophistication of cybersecurity threats and marketplace demand for better data risk management
- The role of regulation in driving and governing the proliferation of AI, and whether it also stifles growth
- The double-edged sword that these advances bring to cybersecurity tools and threats
- Whether AI's promise of efficiency will be a game-changer for today's cybersecurity practices

Find Dino on LinkedIn: https://www.linkedin.com/in/konstantinosboukouris/
Learn more about Momentum Cyber: https://www.linkedin.com/company/momentumcyber/
On this episode of the IoT: The Internet of Threats podcast, host Eric Greenwald and Larry Pesce (Finite State Director of Product Security Research and Analysis) explore the FDA's new Refuse to Accept (RTA) decision process and what it means for successful premarket submissions of medical devices. Together, Larry and Eric examine how prepared the industry is for the coming changes and assess how medical device manufacturers may weigh the new risk-benefit calculus. Eric and Larry also look at how past cyberattacks have led companies to make enduring changes in cybersecurity culture and controls, and discuss whether these regulatory changes will bring about significant improvements in securing connected medical devices.

Interview with Larry Pesce

Since joining Finite State, Larry has been providing expert product security program design and development as well as IoT pen testing guidance and services to product security teams worldwide. He is also a Certified Instructor at the SANS Institute and has co-hosted the Paul's Security Weekly podcast since 2005. Before joining Finite State, Larry spent 15 years as a penetration tester (among other roles) focused on healthcare, ICS/OT, wireless, and IoT/IIoT embedded devices. Larry holds several GIAC certifications and earned his B.S. in Computer Information Systems from Roger Williams University.

In this episode, Eric and Larry discuss:
- The FDA's new Refuse to Accept (RTA) decision authority and what it means for SBOMs and the premarket submissions of medical devices
- Whether the medical device sector is adequately prepared for these changes
- How the new regulations may alter the liability vs. risk tolerance question for medical device manufacturers
- The extent to which the FDA will rigorously enforce the new premarket submission requirements
- The potential qualitative difference this new regulation may bring to the overall security of medical devices
- How cyberattacks often lead companies to make meaningful, lasting changes in their cybersecurity practices

Find Larry on LinkedIn: https://linkedin.com/in/larrypesce
Learn more about Finite State: https://finitestate.io/
On this episode of the IoT: The Internet of Threats podcast, host Eric Greenwald meets up with John Banghart, Senior Director for Cybersecurity Services at Venable LLP, a law firm that provides cybersecurity and privacy risk management advisory services to clients of all shapes and sizes across a wide variety of sectors. Venable also runs a nonprofit organization, the Center for Cybersecurity Policy & Law, that connects private-sector companies with government organizations to discuss policy and standards issues. John Banghart has nearly 30 years of federal government and private-sector experience in cybersecurity. These days, he focuses mostly on the healthcare sector with an emphasis on cloud computing and information sharing. Together, Eric and John review the Biden Administration's National Cybersecurity Strategy and what it means for software makers and the liability they may face for their creations. They also examine how the Strategy builds upon Executive Order 14028 and the CMMC (Cybersecurity Maturity Model Certification), and whether the reference to DoJ's Civil Cyber-Fraud Initiative is likely to make companies more careful about what they attest to in their first-party attestations.

Interview with John Banghart

Prior to joining Venable in 2016, John served in a variety of roles spanning risk management, government policy, standards and regulatory compliance, and incident management at Microsoft, the White House National Security Council, and the National Institute of Standards and Technology.

In this episode, Eric and John discuss:
- Takeaways and conclusions from the Biden Administration's National Cybersecurity Strategy
- The shifting of cybersecurity liability to software makers and the struggle to enact effective cybersecurity rules
- How the National Cybersecurity Strategy builds upon Executive Order 14028 and the CMMC
- How tech companies may approach new cybersecurity regulation (and the safe harbor it may offer)
- Whether the Strategy's invocation of DoJ's Civil Cyber-Fraud Initiative will compel software vendors to put more scrutiny and time into their cybersecurity attestations

Find John on LinkedIn: https://www.linkedin.com/in/john-banghart-b43b6a/
Learn more about Venable LLP: https://www.linkedin.com/company/venablellp/
On this episode of the IoT: The Internet of Threats podcast, host Eric Greenwald interviews Matt Wyckhouse, Founder and CEO of Finite State. Throughout his career, Matt has spearheaded complex national security programs ranging from detection of malicious integrated circuits in the supply chain to next-generation intrusion detection systems for automotive systems. Matt has directed numerous intelligence programs related to the security of embedded and IoT devices and has spoken on the subject at security events. Together, Eric and Matt revisit February's S4x23 event and its SBOM Challenge. They examine its takeaways and conclusions and analyze the performance of each of the five companies that showcased their SBOM offerings (including Finite State!). Later in the episode, they look at the evolution of the SBOM as a key cybersecurity tool and the drivers credited with its proliferation across the control environments of a growing list of industries.

Interview with Matt Wyckhouse

Matt Wyckhouse, Founder and CEO of Finite State, has invested some 20 years in leading and developing advanced solutions to some of the hardest problems in cybersecurity. Prior to founding and leading Finite State, Matt served as technical founder and CTO of Battelle's Cyber Innovations business unit.

In this episode, Eric and Matt discuss:
- Takeaways and conclusions from S4x23 and the SBOM Challenge
- How Finite State fared among the five companies competing in the SBOM Challenge
- How competitions like the SBOM Challenge draw attention to the value of software supply chain cybersecurity and the evolving maturity of the SBOM
- The twin drivers of regulatory and competitive pressure that are advancing SBOM adoption and use across many industries
- The SBOM's best use cases: how product security and risk management teams apply the SBOM as a critical control in their cybersecurity programs

Find Matt on LinkedIn: https://www.linkedin.com/in/mattwyckhouse/
Learn more about Finite State: https://finitestate.io/
On this episode of the IoT: The Internet of Threats podcast, host Eric Greenwald interviews Dr. George Shea, Chief Technologist of the Transformative Cyber Innovation Lab (also known as the TCIL or the Lab) at the Foundation for Defense of Democracies (FDD), a nonprofit, nonpartisan 501(c)(3) research institute that concentrates on foreign policy and national security. George is also a member of the Operational Resilience Framework (ORF) Task Force and the Cybersecurity Canon, and a contributor at The CyberWire. Together, Eric and George examine the continuous visibility that the SBOM brings to software supply chains, the push for SBOM adoption and use, and the thorny questions enterprises face when they adopt this critical tool.

Interview with Dr. George Shea

Dr. George Shea, Chief Technologist at FDD, has made extensive contributions to SBOM research and thought leadership and to the wider discussion of how to advance cybersecurity. Prior to joining FDD, George served as a Chief Engineer at MITRE, leading initiatives to improve the technical integrity and quality of the products and deliverables of the IT services and consulting leader. She holds a Doctor of Computer Science degree from Colorado Technical University and an MS in Computer and Information Sciences and Support Services from Regis University.

In this episode, Eric and George discuss:
- How the SBOM offers critical visibility into the supply chain vulnerabilities of existing software deployments
- The source of the push for SBOM adoption and use: government or private sector?
- Regulators' slow walk toward requiring the SBOM as a cybersecurity practice
- The thorny questions that come with adopting the SBOM: how to generate, deploy, and use one
- Critical next-step SBOM considerations such as formats, required fields, ensuring its reporting integrity, and building a mechanism to follow through on its results

Find George on LinkedIn: https://www.linkedin.com/in/drgeorgeshea/
Learn more about the Foundation for Defense of Democracies (FDD): https://www.linkedin.com/company/foundation-for-defense-of-democracies/

To see Dr. Shea's Working Draft of the SBOM Lifecycle and Landscape and the SBOM Use Case with RMF that she references on this episode, please see this link.
On this episode of the IoT: The Internet of Threats podcast, host Eric Greenwald interviews Dale Peterson, a widely recognized name in OT cybersecurity and, specifically, in ICS (industrial control system) security. Dale is the founder of S4, the premier event in ICS security. Dale created the event in 2007 to showcase the best offensive and defensive work in ICS security and to build connections within the industry. He founded Digital Bond, an ICS/SCADA cybersecurity consulting company, in 1998 and serves as its CEO. Together, Eric and Dale examine the origins of Dale's influential S4 conference and the addition of this year's SBOM Challenge (in which Finite State will take part in February). They also discuss the future of ICS cybersecurity, the role the SBOM will play, how manufacturers and asset owners can best derive value from the SBOM, and Dale's insights into developing an effective ICS patching strategy that won't break the bank.

Interview with Dale Peterson

Dale Peterson is the Founder and CEO of Digital Bond, Inc. and S4 Events. Prior to founding Digital Bond in 1998, Dale held a variety of positions in security. Dale started his career as a cryptanalyst with the NSA (National Security Agency) in 1984. He holds a B.S. in Finance from the University of Illinois Urbana-Champaign.

In this episode, Eric and Dale discuss:
- The genesis of the S4 ICS Security Event: how and why Dale created one of the world's largest and most influential ICS cybersecurity conferences
- Dale's insights into what the future of ICS cybersecurity holds and the role the SBOM will play
- How manufacturers and asset owners can best derive information and value from the SBOM (and the business models that will support and fund its continued development and improvement)
- What constitutes an effective and efficient ICS patching strategy
- Regulation methodology: cyber hygiene-style vs. risk-based regulation

Find Dale on LinkedIn: https://www.linkedin.com/in/dale-peterson-s4/
Learn more about S4: https://s4xevents.com/
On this episode of the IoT: The Internet of Threats podcast, host Eric Greenwald sits down with Larry Pesce, a lifelong tinkerer whose obsession with how things work led him to his role as Finite State's new Product Security and Analysis Director. Together they explore how Larry began his long and accomplished career as a pen tester and security researcher. Eric and Larry also examine the pressure that lower production budgets impose on product security professionals, the questionable value of regulation as a catalyst for product security investment and improvement, and the potential role SBOMs can play in cybersecurity.

Interview with Larry Pesce

Since joining Finite State, Larry has been serving as a senior consultant, providing expert product security program design and development and IoT pen testing guidance and services to product security teams worldwide. He is also a Certified Instructor at the SANS Institute and has co-hosted the Paul's Security Weekly podcast since 2005. Before joining Finite State, Larry spent 15 years as a penetration tester (among other roles) focused on healthcare, ICS/OT, wireless, and IoT/IIoT embedded devices. Larry holds several GIAC certifications and earned his B.S. in Computer Information Systems from Roger Williams University.

In this episode, Eric and Larry discuss:
- What it was like to pioneer the Paul's Security Weekly podcast in the early days of podcasting (and to co-host the show for the last 17 years!)
- How Larry's early interest in taking things apart led to a career in embedded device security and, eventually, to Finite State
- How the drive to lower production costs pressures manufacturers to sacrifice invisible differentiators like product security
- Whether regulation can serve as an effective mechanism for encouraging product security improvements
- How companies can work to overcome the complexities of product security programs
- The SBOM as a product security tool, and whether it could also be a roadmap attackers can use to target your connected device ecosystem

Find Larry on LinkedIn: https://www.linkedin.com/in/larry-pesce-6715b73/
Learn more about Finite State: https://finitestate.io/
On this episode of the IoT: The Internet of Threats podcast, Davis Hake, Co-Founder of Resilience, joins podcast host Eric Greenwald to explore the cyber insurance marketplace and how a startup insurer like Resilience can differentiate itself in the space. Eric and Davis discuss how the increasing frequency and severity of ransomware and supply chain attacks are driving up premiums, how insurers evaluate a company's cyber risk, and how they can guide companies to improve their cybersecurity ecosystems.

Interview with Davis Hake

Davis Hake co-founded Resilience in 2016 and currently serves as the cyber insurer's VP of product marketing and business development. He is also an Adjunct Professor of cyber risk management at the University of California, Berkeley and a Term Member of the Council on Foreign Relations. Prior to co-founding Resilience, Davis served as the Director of Federal IT Security for the National Security Council and as Chief of Staff for the Deputy Under Secretary for Cyber Security in the U.S. Department of Homeland Security.

In this episode, Eric and Davis discuss:
- How ransomware and software supply chain attacks have driven up the cost of cyber insurance
- How insurers look at cyber risk and the levers they have to encourage policyholders to improve their cybersecurity
- Whether documenting a company's cybersecurity control environment could pose a legal risk and potential liability
- The cost-versus-benefit temptation companies sometimes face when presented with the high cost of cybersecurity improvements
- Regulation's role as a catalyst for bringing new controls online to confront new and emerging cybersecurity threats

Find Davis on LinkedIn: https://www.linkedin.com/in/davis-hake/
Learn more about Resilience: https://www.linkedin.com/company/resilience-cyber/
On this episode of the IoT: The Internet of Threats podcast, Mariam Baksh, Staff Reporter at Nextgov, joins podcast host Eric Greenwald to explore the evolution of cybersecurity regulation, from the Biden Administration's 2021 Executive Order on Improving the Nation's Cybersecurity to September's OMB Memorandum on software supply chain security. Mariam and Eric discuss the administration's cybersecurity goals, the merits of first-party versus third-party attestation, and the fine line NIST walks between effecting change in cybersecurity and overwhelming the resources of security practitioners and compliance personnel.

Interview with Mariam Baksh

Mariam Baksh is a staff reporter for Nextgov, a Washington, DC-based publication that reports on federal IT and tech policy through journalism, podcasts, and more. In her role at Nextgov, Mariam reports on the development of federal cybersecurity policy. Mariam has been covering technology governance since 2014 and earned her master's degree in journalism and public affairs from American University.

In this episode, Eric and Mariam discuss:
- Why the Biden administration issued last year's EO
- NIST's balancing act between improving cybersecurity and avoiding the imposition of costly requirements on companies
- The challenges involved in measuring cybersecurity performance
- The implications of a first-party vs. third-party attestation model
- The value of an SBOM and its growing role in cybersecurity regulation
- Whether the EO or the OMB memo will deliver any enforcement of the requirements they impose

Find Mariam on LinkedIn: https://www.linkedin.com/in/mariam-baksh-99b1b428/
Learn more about Nextgov: https://www.linkedin.com/company/Nextgov/

Note: This interview has been edited for length and clarity.
On this episode of the IoT: The Internet of Threats podcast, Jonathan Tubb, Director of Industrial Cyber Security, North America, at Siemens Energy, joins podcast host Eric Greenwald to explore the threats that keep industrial cybersecurity experts up at night, how today's energy and utility companies protect the U.S. power grid from terrorism and natural-disaster worst-case scenarios, the value of regulation as a catalyst for improving the industry's control environment, and how to get energy and utility companies committed to critical infrastructure protection.

Interview with Jonathan Tubb

Jonathan Tubb is a leader for industrial cybersecurity in North America at Siemens Energy, one of the world's largest energy technology companies. In his role at Siemens Energy, Jonathan applies his extensive expertise to developing solutions to the company's biggest security challenges by identifying and mitigating threats in critical infrastructure environments. Jonathan earned his B.S. in Computer Engineering at Ohio State University and maintains a Professional Engineer (P.E.) license in Computer Engineering. With more than 90,000 employees in over 90 countries, Siemens Energy's operations span nearly all of the energy value chain, from power generation to transmission to storage, and include both conventional and renewable energy technologies. Siemens Energy reported revenues of €28.5 billion for the fiscal year ended September 30, 2021.

In this interview, Eric and Jonathan discuss:
- The threats that put America's power grid at risk
- Protecting the power grid from catastrophic acts of terrorism and natural disasters
- The varied approaches energy and utility companies take toward critical infrastructure regulation
- How to get energy and utility companies to prioritize cybersecurity
- How engineers approach cybersecurity when moonlighting at a microbrewery start-up

Find Jonathan on LinkedIn: https://www.linkedin.com/in/jonathan-tubb/
Learn more about Siemens Energy: https://www.linkedin.com/company/siemens-energy/
On this episode of the IoT: The Internet of Threats podcast, Megan Stifel, Chief Strategy Officer at the Institute for Security and Technology (IST) and co-chair of the Ransomware Task Force (RTF) Working Group, joins podcast host Eric Greenwald to discuss the current and future state of ransomware. The RTF recently released a new report, The Blueprint for Ransomware Defense, which the RTF calls a "clear, actionable framework for ransomware mitigation, response, and recovery." Megan and Eric walk through some of the report's key elements and discuss what small- and medium-sized businesses can do to fight ransomware, and whether tactics like regulation and insurance actually help or hurt the fight against ransomware.

Interview with Megan Stifel:
Megan Stifel is the Chief Strategy Officer at the Institute for Security and Technology (IST), a San Francisco-based think tank that designs and advances solutions to the world's toughest emerging security threats. Megan also serves as a co-chair of the Ransomware Task Force (RTF) Working Group. Launched in April 2021, the RTF brings together key industry, government, and civil-society stakeholders to combat the ransomware threat with a cross-sector approach. Megan is also the founder and CEO of Silicon Harbor Consultants, LLC, and a Visiting Fellow at the National Security Institute at the Antonin Scalia Law School at George Mason University. Prior to these roles, Megan served as a non-resident senior fellow at the Cyber Statecraft Initiative, Global Policy Officer at the Global Cyber Alliance, and Director for International Cyber Policy at the National Security Council. Megan holds a J.D. from Indiana University's Maurer School of Law.
In this interview, Eric and Megan discuss:
- How small- and medium-sized enterprises can defend against ransomware, even with limited cybersecurity expertise
- The current state of ransomware: where it is and where it's going
- Whether regulation works in driving companies to improve cybersecurity, or if it just creates compliance theater
- Whether ransomware insurance makes things better or actually causes the frequency and severity of ransomware to grow

Find Megan on LinkedIn: https://www.linkedin.com/in/megan-s-1204bb4/
Learn more about the Institute for Security and Technology (IST): https://www.linkedin.com/company/institute-security-technology/
Learn more about the Ransomware Task Force (RTF): https://securityandtechnology.org/ransomwaretaskforce/
Access RTF's Blueprint for Ransomware Defense: https://securityandtechnology.org/ransomwaretaskforce/blueprint-for-ransomware-defense/
On this episode of the IoT: The Internet of Threats podcast, Jeff Tricoli, Former Section Chief at the FBI's Cyber Division, joins podcast host Eric Greenwald to discuss what to know about working with the FBI on cybercrime, the evolution and ethical implications of the ransomware industry, and the differences between cyberattacks from Russia and China.

Interview with Jeffrey Tricoli:
For nearly 20 years, Jeffrey Tricoli served in a variety of roles at the FBI's Cyber Division, most recently as its Section Chief in charge of overseeing national cyber investigations. Jeff graduated from the University of Syracuse's Maxwell School with an M.P.A. in Public Policy Analysis and holds a Bachelor of Arts from Canisius College. Jeff is now a senior executive at a financial services company responsible for technology and security risk.

The FBI's Cyber Division investigates and responds to malicious cyber activities that threaten the safety of the US public and the country's national and economic security.

In this interview, Eric and Jeff discuss:
- The different motives that drive Russian and Chinese cyberattacks
- How events like the war in Ukraine or trade wars with China amplify the threats of destructive cyberattacks and intellectual property theft
- How companies should approach their relationship with law enforcement before, during, and after a cyberattack
- What it's like to collaborate with the FBI when your organization faces a threat or breach
- The challenging ethics that businesses face when they're presented with a ransom demand to recover their data

Find Jeff on LinkedIn: https://www.linkedin.com/in/jeffrey-tricoli-b5791aaa
Learn more about the FBI's efforts to combat cyber threats: https://www.fbi.gov/investigate/cyber
On this episode of the IoT: The Internet of Threats podcast, Health-ISAC's Errol Weiss (Chief Security Officer) and Phil Englert (Director of Medical Device Security) join podcast host Eric Greenwald to discuss the rising stakes of medical device cybersecurity, the growing role of government in regulating cybersecurity controls in healthcare, and how Health-ISAC fits into the picture.

Interview with Errol Weiss and Phil Englert:
Prior to his role as Chief Security Officer of Health-ISAC, Errol served in several SVP-level positions at Bank of America, focusing on cybercrime, fraud prevention, business process cyber assessments, and threat analytics and information sharing. Earlier in his career, he held key positions at Citigroup and SAIC. Errol also served on the Board of the Financial Services ISAC during the 2010s.

Before joining Health-ISAC as Director of Medical Device Security, Phil served as Chief Product Officer at MedSec and was responsible for product management, new business development, and process improvement. Prior to MedSec, Phil served in a variety of roles at Deloitte, Novasano, MDISS (Medical Device Innovation Security and Safety), and Catholic Health Initiatives.

Health-ISAC (also referred to as H-ISAC) is a global, non-profit organization that offers healthcare security stakeholders actionable data in a trusted community.

In this interview, Eric, Errol, and Phil discuss:
- What is an ISAC, and what does the H-ISAC do?
- The government's increased appetite for cybersecurity regulation (with a focus on medical device security)
- How to protect against attacks with tens of thousands of different medical devices, made by a wide array of different manufacturers and doing different things
- The importance of having visibility into the components that make up those thousands of medical devices
- Whether the SBOM (Software Bill of Materials) is ready to be a key control in the healthcare cybersecurity ecosystem

Find Errol and Phil on LinkedIn:
Errol Weiss: https://linkedin.com/in/errolweiss/
Phil Englert: https://www.linkedin.com/in/phil-englert-2642724
Learn more about Health-ISAC by visiting https://h-isac.org/.
On this episode of the IoT: The Internet of Threats podcast, Michael Daniel, President and CEO of Cyber Threat Alliance, joins podcast host Eric Greenwald to discuss the shifting sands of the regulatory landscape in cybersecurity today and the growing prospect of government regulation affecting private-sector cybersecurity practices.

Interview with Michael Daniel:
Prior to his role as President and CEO of Cyber Threat Alliance, Michael served as the Cybersecurity Coordinator to President Obama's National Security Council (NSC). His work at the NSC followed a 17-year tenure as a Program Examiner and later a Branch Chief for national security programs with the U.S. Government's Office of Management and Budget.

The Cyber Threat Alliance is a non-profit organization that enables cybersecurity providers to share threat intelligence with each other and improve cybersecurity across the digital ecosystem.

In this interview, Eric and Michael discuss:
- The government's evolving role in cybersecurity regulation, from the Cybersecurity Maturity Model Certification (CMMC) to Executive Order 14028
- How to measure the efficacy of cybersecurity products and practices, and the pros and cons of first- and third-party certifications
- The government's contribution to improving cybersecurity practices by encouraging the adoption and implementation of the Software Bill of Materials (SBOM)
- How SBOMs help us see inside the software we use and address a key weakness in cybersecurity right now

Find Michael on LinkedIn: https://www.linkedin.com/in/j-michael-daniel-7b71a95/
Learn more about Cyber Threat Alliance by visiting CyberThreatAlliance.org.
In this episode of the IoT: The Internet of Threats podcast, host Eric Greenwald and the Vidovich brothers, Nick and Sam, hack the headlines – they discuss the latest news in security and offer their perspectives. Eric also interviews guest Darren Pulsipher, Chief Solutions Architect at Intel Corporation, about supply chain security at Intel.

Hacking the Headlines:
- Researchers warn of the huge risks involved in the rapid deployment of AI in agriculture, noting that cyberattacks on high-tech farm equipment could threaten the global food supply chain.
- Netgear recently issued a security advisory outlining vulnerabilities in two popular router models. According to Netgear, they are unfixable. Is this a responsible disclosure, or does it just raise more questions/concerns than it addresses?
- A malicious Python package that performs supply chain attacks was spotted in the PyPI registry. It was downloaded 325 times before being removed. Is this more serious than funny, or more funny than serious?

Interview with Darren Pulsipher:
Darren has been working on security solutions with Intel for 12 years. He's seen from the inside how to build robust security into the software development and supply chain processes. In addition to his day job, he hosts his own tech podcast and is part of a standards body working to articulate how organizations should use the Software Bill of Materials (SBOM) to secure software and meet regulatory requirements.

Eric and Darren discuss:
- Intel's process for analyzing third-party software and scanning for vulnerabilities
- Securing the DevOps pipeline
- Balancing value and risk in using open-source software
- Potential impacts of Executive Order 14028 on improving the nation's cybersecurity

Find Darren on LinkedIn: https://www.linkedin.com/in/darrenpulsipher/
This episode of the IoT: The Internet of Threats podcast features host Eric Greenwald reviewing security news with Nick and Sam, the Vidovich brothers. Eric then welcomes as his guest Vice Admiral TJ White, US Navy (Ret.), former commander of US Fleet Cyber Command/US TENTH Fleet, and Navy Space Command. Together, they discuss the international cybersecurity landscape and the challenges involved in defending the networks of the US Navy. They also geek out on the policy and process surrounding offensive cyber operations in a deep-dive that you can listen to separately as a bonus track.

News Roundup:
The Weekly News Roundup covers:
- A cybersecurity advisory issued by the United States and its allies focusing attention on a set of vulnerabilities that, while very basic, are responsible for a grossly disproportionate share of data breaches
- A recent Black Hat Asia presentation examining the firmware supply chain and exploring just how complicated it is to secure devices
- Yet another piece of draft legislation that would impose an SBOM requirement for medical devices

Interview with TJ White:
TJ White served more than 37 years in government, including high-level assignments in intelligence, cybersecurity, and cyber operations for the US Navy. He served as Deputy Director for NSA's elite hacking unit — Tailored Access Operations — and capped off his military career with a tour of duty as the Commander of US 10th Fleet.

TJ and Eric discuss:
- Growing concern around potential targets of Russian cyber operations
- The US government policy and process for planning and approving offensive cyber operations
- The extreme challenge involved in defending big networks, and how the US government is getting better at helping private companies do just that

They also take a deeper dive into the history of US offensive cyber operations and how US policy has evolved since the early days of Cyber Command. That discussion is released as a separate bonus episode.

Connect with TJ White: https://www.linkedin.com/in/tjwhite01networkconnection/
Learn more about US Cyber Command: https://www.cybercom.mil/
In this bonus track, our host, Eric Greenwald, and Vice Admiral TJ White, US Navy (Ret.), former commander of US Fleet Cyber Command/US TENTH Fleet, and Navy Space Command, geek out on the policy and process surrounding offensive cyber operations.
This week's episode of the IoT: The Internet of Threats podcast features host Eric Greenwald reviewing security news with Nick and Sam, the Vidovich brothers, and discussing the future of the Software Bill of Materials (SBOM) with Allan Friedman, Senior Advisor and Strategist at CISA.

News Roundup:
This week's Weekly News Roundup covers:
- Lessons that IT professionals can take away from the new Windows patch
- The importance of boardrooms bracing for supply chain cyberattacks
- The importance of the SBOM in addressing cybersecurity supply chain risk

Interview with Allan Friedman:
Allan is the former Director of Cybersecurity Initiatives at NTIA and has been one of the central figures in advancing the Software Bill of Materials (SBOM) as a key element of product and supply-chain cybersecurity.

Allan and Eric discuss:
- The history of the SBOM
- Increasing adoption of the SBOM as a security practice
- How SBOMs may be mandated under federal rules
- Misconceptions and myths around the SBOM

Connect with Allan Friedman: https://www.linkedin.com/in/allanafriedman
Learn more about CISA at: https://www.cisa.gov/
On this week's episode of IoT: The Internet of Threats podcast, host Eric Greenwald discusses recent news in product and supply-chain cybersecurity with Nick and Sam, the Vidovich brothers. He interviews Joshua Corman, former Chief Strategist at the CISA COVID Task Force and Founder of I am The Cavalry.

News Roundup:
This week's Weekly News Roundup covers:
- Assessing the difference between the Spring4Shell and Log4j vulnerabilities
- New draft, bipartisan legislation that would require SBOMs for medical devices

Interview with Josh Corman:
Josh has worked in security for many years. His background includes a lot of in-depth work in cyber and physical security for medical devices. Josh is also widely known as the godfather of the Software Bill of Materials (SBOM). All of this experience led to his recent work with the government as the Chief Strategist for the CISA COVID Task Force.

On the episode, Josh and Eric discuss the key functions of a product security team and the critical leadership role of the Chief Product Security Officer.

Josh and Eric also discuss:
- How a world increasingly dependent on digital infrastructure can be protected
- Trends and forces that have made product security roles increasingly important
- General principles for prioritizing and accurately interpreting the severity of threat reports
- Guidance for teams that lack sufficient resources
- How to buy down more risk with fewer resources

Connect with Josh Corman: https://www.linkedin.com/in/joshcorman/
Learn more about I am The Cavalry at https://iamthecavalry.org/
Read up on the Health Care Industry Cybersecurity Task Force here: https://www.phe.gov/Preparedness/planning/CyberTF/Pages/default.aspx
On this episode of the IoT: The Internet of Threats podcast, host Eric Greenwald welcomes Matt Wyckhouse, Founder and CEO of Finite State. There's a lot more to product security than just knowing threats and vulnerabilities. This is especially true when you have to manage an entire portfolio of technical products. Through this podcast, we hope to provide information and resources that will help cybersecurity professionals sort through some of the complex challenges they face.

In this episode, Matt and Eric explore:
- The primary objectives of the podcast
- Why product and supply chain cybersecurity professionals should listen
- The challenges of building an effective product security operation
- The role of Finite State as sponsor of this podcast

Connect with Matt Wyckhouse: https://www.linkedin.com/in/mattwyckhouse