Welcome to Verve Visionaries, where we shine a light on the exceptional individuals who power our innovation in Operational Technology (OT) security. At Verve, our strength lies in our people – many of whom boast an impressive 20+ years of hands-on OT experience. This series celebrates the unique blend of long-standing commitment and unparalleled expertise that sets Verve apart. Join us as we explore the stories, insights, and passion of the brilliant minds behind our innovative solutions, because at Verve, our greatest technology is our people.
Unraveling complex OT ecosystems to secure critical infrastructure
In the spotlight this week is Lance Lamont, a key member of our Research Team. Lance brings a wealth of experience and insight to Verve, playing a crucial role in decoding the mysteries of OT devices and enhancing our security platform. Let us dive into Lance’s world and discover how his work contributes to Verve’s mission of securing critical infrastructure.
What are the main goals or objectives for the research team?
We always try to understand a customer’s network environment, what devices they have, and how they use them. Often, they’ll have a device nobody’s heard of, or even a common device they don’t interact with. Regardless, whether they have a thousand or ten of any given device, they may want us to gather information on it, and we may or may not support it or have any automated way to interact with it. Our ops team is great. They can manually interact with the device, gather the information by hand, put it into our product, and that basically gets through the first step.
The next step is how do we add that to the ADI (agentless device inventory)? How do we do this automatically, repeatedly? A request comes into our team wanting to support a device. Once we research the device and determine how small or large the task may be for us, we go through the process of acquiring one of the devices. We get into the nuts and bolts of gathering our facts (model, serial number, network ports, 40+ facts) in an automated fashion, documenting the entirety of that information, and getting it to the development team who can make an automated tool that will be able to inventory that device in the future.
Our research team does a lot of work behind the scenes, connecting the customer requests to the dev team and providing the huge growth and knowledge that’s necessary to understand an entirely new, mysterious device.
Why does it matter to gather all of this information from these devices?
We are trying to make sure our customers have a secure and well-understood network. We want to make sure they know what devices are on their network, that the information stays accurate, and they can correlate that information with vulnerabilities.
Some of the key data the research team tries to gather is critical to link a specific device with entries in the vulnerability databases. At the end of the day, the biggest value to the customer is that we can say ‘you’ve got 10,000 devices on your network, and of those 10,000 devices, 17 of them have critical vulnerabilities that you should fix in the very near future. We may have 20,000 other vulnerabilities that we’ve identified, and we can help guide you through that process.’
What are some unique or interesting stories about devices you’ve worked on?
We interact with some incredibly interesting problems, just from a security standpoint, identifying new and unpublished vulnerabilities. One device, if we sent a specific packet to it, we found that it would erase itself and reboot. So we could knock this device off a network without even needing to be logged in. We’ve had devices where you have a malformed packet, and you could shut down its network interface. The device would still run, but it wouldn’t talk over the network anymore, so you can’t get status information.
How about some notable success stories or breakthroughs?
We have a very broad knowledge base on this team. We have embedded engineers and database engineers, but we also have people with degrees in research and philosophy. This broad range of skills has allowed us to have a 100% success rate. We have not failed in our research on any devices, with maybe one or two exceptions. Of the hundreds of devices we’ve interacted with, we’ve always been able to be successful.
Some of these projects are very interesting. We had a device that, to get a setup, was going to cost $1M+, so that required some creativity to get access to one. Typically, a win for us is that by the end, we’re interacting with the device as if we were the vendor’s own software, communicating with it in only the ways the device expects, in a very safe and efficient way.
What are some common challenges you’ve encountered along the way?
Scope itself is a challenge. We’ve received requests for anything from phone systems to robot arms. We’ve had devices used in wind generators, and we even interact with devices for nuclear power plants. You must be careful when you’re interacting with a wide selection of devices like this.
We don’t fully understand the scope of a device until we dig in. It has required us to set up unique processes within the team. You can’t just get a request in from a customer, and before you really do anything, tell them you’ll be done within a week. It just doesn’t really work that way. It’s much more of a creative process than an iterative process. We do this triage where we estimate how complicated it’ll be and we’re getting pretty good at that estimation.
How does the work of your research team contribute to the overall security platform at Verve?
A key part of being successful is meeting our customers’ needs. When the salesperson is working with a customer and they ask if we can support a given product, our team allows that response to be a nearly universal ‘yes’ or at least a ‘we are very likely to be able to.’ We can go to a customer who has 10,000 devices in a global setting, and say, ‘yes, we can research it and probably figure it out.’
From a security standpoint, we responsibly share vulnerability disclosures with manufacturers.
How do you ensure the confidentiality and integrity of the data gathered during your research?
Most of the content is not terribly confidential. Most of it is information that would be reported on a device’s webpage, or publicly available in user manuals, so we do not have to be extremely concerned about a reasonable amount of the content. But sometimes when we go deeper into our efforts, we need to be a bit more careful with what we disclose and how, particularly when it comes to vulnerabilities. We have separate, private, internal spaces on the network. We have a strong culture of security within Verve, and everyone here understands what is or is not appropriate to share.
What role does collaboration play in your team’s research efforts, within Verve and with external partners?
We pride our department on a low-ego mindset, always being willing to accept feedback, always being willing to help others, and pitch in as part of the team. There is no contest to see who can do something first – we want to make sure we do it the best. We have spontaneous or semi-spontaneous collaboration sessions as necessary, as each team member is working on their project. Together we can get things done faster and better than any one of us could have done individually.
That same mindset extends to other teams in the organization and externally. We want to make sure we are humble, low-ego, helpful, and take the moral high road. We collaborate all over the world to solve issues.
How do you measure success and impact of your team’s work?
At the end of the day, my primary customer is the dev team, internally. The measure of success is finishing our research and having enough of it completed so that our customer is not waiting or begging to get the work done. Being successful is working through the research, making sure that we are doing the best job we can do to gather the right information from the devices in a safe and secure manner.
Can you share your insights into how the landscape or trends of OT security have changed in the past few years?
The first thing is increased visibility. There have been a lot of situations where it has become more acceptable and required to worry about security when talking about OT devices. When we interact with some of our oldest devices, the devices assume that if someone is talking to them, they must have permission to be doing so. These old devices won’t have a network connection, they’ll have a serial connection, but quite often customers will want that to be on the network, so they’ll get a network-to-serial adapter, and suddenly this device, which thought you’d have to be sitting there typing at it, is now connected to the network and the internet.
From a security standpoint, old devices didn’t think about OT security at all. But it seems like manufacturers and companies that use OT devices are all becoming much more aware of the need for security and to make sure their devices cannot be exploited or used for damage. We are seeing more devices with secure communications protocols, starting to work on encryption, and that is incredibly good for the security of those devices and the networks they’re on.
How does your team prioritize which devices or tech to focus on?
In general, we align with our customers’ needs through close collaboration with our internal sales and operations teams. We build a model of which devices are most likely to be valuable across multiple companies, even if some of our customers have not worried about them being inventoried yet. It is a lot of us trying to be proactive to meet our customers’ needs.
Are there any particular areas or technologies that you are excited about exploring in future projects?
Most of our team’s time is dedicated to meeting our customers’ needs. We do allocate some time toward internal improvement. We typically do tools and utilities; we have made some great scanning tools for various protocols that can really help the research process. I am looking forward to building great little tools, getting more of those out to our operations team, and doing some really cool stuff to make the lives of the Verve team members a bit better.