E71: Meeting Cybersecurity Requirements That Don’t Yet Exist

The EU’s new Cyber Resilience Act (CRA) sets higher security requirements but leaves many technical details undecided. This puts pressure on vendors of connected or software-based products to either redesign, retrofit, or withdraw from the market. According to Roland Marx, Senior Product Manager at Swissbit, the CRA’s three-year rollout is meant to give companies time to adapt while regulators finalize the specifics.

Healthcare organizations are prone to the same weaknesses that any other office or manufacturing site may have. Sonu Shankar, Chief Product Officer at Phosphorus Cybersecurity, explains how the devices you might not suspect might be the ones to bring down your organization if they’re not secured. That includes the printer used to print patient wristbands.

Quantum computers could break today’s encryption, leaving many OT systems—which often lack encryption entirely—at even greater risk. Dave Krauthamer, Field CTO at QuSecure, warns that nation-state attackers may target critical infrastructure like power, water, and food supplies first, making it urgent to adopt quantum-resistant cryptography across both IT and OT systems.

This is a story where one maritime company found multiple vendors maintaining unrestricted VPN access to systems across a cruise vessel, exposing safety-critical functions to potential compromise. Bill Moore, CEO of Xona Systems, returns to Error Code to talk about how that company and others, such as data center operators, are recognizing their latent multiple-vendor OT exposure and learning how to address it today.

Operational technology (OT) systems are no longer limited to nation-states; criminal groups and hacktivists now actively target these systems, often driven by financial or ideological motives. Kurt Gaudette, Vice President of Intelligence and Services at Dragos, explains why these systems might not even be the primary targets.

Many organizations spend valuable security resources fixing vulnerabilities in code that never actually runs—an inefficient and often unnecessary effort. Jeff Williams, CTO and founder at Contrast Security, says that 62% of open source libraries included in software are never even loaded into memory, let alone executed. This means only 38% of libraries are typically active and worth prioritizing. 

Critical Infrastructure software lacks the strict liability standards found in industries like automotive manufacturing, leading to minimal accountability for insecure products when they get exploited.  Alex Santos, CEO of Fortress Information Security, explains how they’re typically hired by buyers of ICS equipment—such as utilities—to assess and mitigate supply chain risks, including working with OEMs to improve security.

While cybersecurity threats targeting critical infrastructure, particularly focusing on the vulnerabilities of operational technology (OT) and industrial control systems (ICS).mostly originate on the business or IT side, there’s increasing concern about attacks crossing into OT, which could result in catastrophic consequences, especially in centralized systems like utilities. Michael Welch,  managing director from MorganFranklin Cyber, discusses how Volt Typhoon and other attacks are living off the land, and lying in wait.

This is a story about a Chief Hacking Officer who draws on his expertise in physical and virtual security assessments—along with some intuitive AI-driven coding—to safeguard Operational Technology. Colin Murphy of Frenos and Mitnick Security talks about how some of his early assessment work with Kevin Mitnick is helping him with OT security today.

ROI is always a tricky subject in cybersecurity. If you’re paying millions of dollars in securing your OT networks, you’d want to be able to show that it was worth it. Andrew Hural of UnderDefense talks about the need for continuous vigilance, risk management, and proactive defense, acknowledging both the human and technological elements in cybersecurity and how just because something didn’t happen doesn’t mean that it didn’t.