In Orbit: A KBR Podcast

Ensuring Cyberworthiness – KBR and the Achilles Solution

KBR, Inc. Season 3 Episode 17

You’ve heard of “airworthy” and “seaworthy.” But what makes a system cyberworthy? Find out on this episode of In Orbit, featuring Krishaan Wright, cybersecurity lead with KBR’s Government Solutions International APAC. Krishaan discusses cyberworthiness, current threats to the cyber terrain, and a cutting-edge new solution, Achilles, that has the potential to be a game changer in the defense sector and beyond.

IN ORBIT: A KBR PODCAST

 

Season 3, Episode 17

 

Ensuring Cyberworthiness – KBR and the Achilles Solution

 

INTRODUCTION

 

John Arnold

Hello, I'm John and this is In Orbit. Welcome everyone to the podcast. We are very excited you're tuning in and staying in our orbit.

 

Well, the year is speeding along. At time of recording, we are in October already. In the northern hemisphere that means it's autumn. Finally time for cooler weather, fall colors, and pumpkin spice everything, if that's your thing.

 

What you might not know is that October is cybersecurity awareness month. If you're a regular listener, you may remember we had Derrick Nixon, vice president of Cybersecurity Solutions at KBR on the podcast to talk about how KBR is helping customers respond to and defend against threats in the cyber domain. If you didn't listen to that episode, I encourage you to go back and check that out.

 

But in the meantime, we're going to continue in our focus on cybersecurity today. You've probably heard words like airworthy and seaworthy when talking about airplanes and ships, but what does it mean for something to be cyberworthy, and why is that important for KBR customers?

 

Well, here to shed some light on this and on a solution developed to ensure cyberworthiness is Krishaan Wright. Krishaan is cybersecurity lead with KBR’s Government Solutions International business in the Asia Pacific or APAC region, and we're super glad that you're with us.

Welcome to the podcast, Krishaan.

 

Krishaan Wright

Super glad to be here, John. Thanks for the welcome.

 

John Arnold

It's my pleasure. Well, before we get into talking about cyberworthiness and what that means, would you just tell us a little bit about yourself and your career background?

 

Krishaan Wright

Yeah, sure, John. So I grew up in Melbourne, the southern city in Australia, and I was always a curious kid. I was always pulling stuff apart in the garage or around the place and wanted to see how things worked. And that curiosity went into aviation.

 

I had both my grandfather and my great uncle were both pilots in World War II and just suddenly everything became airplanes. I know this isn't related to cyber, but we're getting there, trust me. So basically, everything was airplanes, airplanes, airplanes. And that led to me, 16th birthday, got my pilot's license basically that same week, and started taking my mates from school up flying aerobatics and everything on the weekends.

 

John Arnold

Oh wow.

 

Krishaan Wright

And then I got accepted into the Air Force. Even though I could fly a plane, I couldn't drive a car. So it was a crazy time. But I got accepted into the Air Force and went to the Australian Defense Force Academy, studied aerospace engineering for three years, and then went on to the pilots course with the Royal Australian Air Force.

 

And from there, went and flew transport aircraft. Ended up flying the C-130 Hercules for 20 odd years. Flew both the C-130H, which was the older model, and then the C-130J, which was the completely digital model, and always been fascinated by technology and how things worked. That technological advancement on that aircraft really piqued my interest in all things digital, and that was great. It was a fantastic ride.

 

But after numerous deployments to Afghanistan and Iraq and then serving the country on that front, the Air Force had other ideas for me that didn't align with what I wanted to do family-wise and personally. I looked externally and ended up working with Ernst & Young (EY) for three years as a portfolio program manager, and that was probably my first exposure to cybersecurity.

 

Cyber was just starting to emerge at that point, and there were some projects that were really taking my interest and I thought, I want to go a little bit further into this field. So I left EY, joined a small cybersecurity firm. They're a bit of a startup, but it was good. Really increased my education on cyber and the various aspects.

 

And from that point, I was invited by one of my network to help out and be a project manager on the Australian Defense Forces flagship cyber program, which was to introduce their defensive cyberspace operations capability. I know that sounds like a mouthful, but it was basically this new cyber domain, how do we protect all of our deployed assets, aircraft, ships, troops, and their networks that they're using when they deploy overseas?

 

And I worked on that project for one year. That was really what cemented my interest in this space. And after that, finishing that project and establishing a cyber business with that small company that I was with, KBR came knocking and that led to other great opportunities.

 

John Arnold

What a path. What a career journey. From curious youngster and figuring out how things work to serving in the military to flying planes at 16 and now at KBR. Well, thank you so much, number one, for your service. We always thank veterans, and so we appreciate that part of your journey. But yeah, glad that you're a part of the team of teams now in this very, very critical area of cybersecurity.

We mentioned in our introduction that listeners are probably familiar with terms like airworthy and seaworthy, but cyberworthy, would you talk us through what we mean when we say that something is cyberworthy?

 

Krishaan Wright

I'm glad you raised that in the way that you did, John. We talk about airworthiness, isn't aircraft safe to operate in the air, in the environment and doing the mission that it has to do, whether that's faring passengers, a warplane basically defending something or attacking something, a ship sailing in the seas or troops operating on the ground. So land worthiness, seaworthiness, airworthiness, they're all things.

There's five domains now, as the listeners may be aware. So air, land, sea, your traditional three. Then you've got the space domain, and the fifth domain, as we like to call it, is cyberspace. And I think the unique thing about cyberspace is it affects all of the other domains, and space does to a degree as well. There's a lot of platforms that have to use space in order to navigate or communicate.

 

So there's really that fifth domain with cyber, though, affects all of the other four. There's this term of cyberspace. Well, what is cyberspace? Well, it's basically anything that interacts with digital information. And so that cyberspace is expanding at a rapidly increasing rate. You don't need to look far in modern society to see that we are adopting digital technologies everywhere. So every time we adopt that new technology, we are expanding cyberspace.

 

Cyberworthiness, just like airworthiness or seaworthiness, if I look at airworthiness, only because I'm familiar with it, obviously, you look at the training that goes into the air crew that fly the aircraft or that work on the aircraft as well. Maintenance, what's your maintenance schedules? What are the technical defenses that aircraft has to prevent a crashing into the ground or helping out when you lose various systems? Are your checklists in order? Are your rules and procedures in order? What's the threat? So what's the threat from the ground? What's the threat from the air if you're looking at a combat type environment? So there's all those facets go into airworthiness and we determine whether that aircraft can operate safely.

 

Well, cyberworthiness is exactly the same but in the cyberspace. So if I paint that picture, are our people trained to deal with cyber threats? Do they know what to do? What technical defenses do we have on all of our digital systems? Are they going to protect us against the threats out there? What operational defenses do we have in place? So what are the rules and procedures about password management, access management, all of those types of cyber hygiene aspects from rules and procedures.

So there's a bunch of things that go into make a platform cyberworthy, those just being a few of them. So really, it's a measure of how is that asset going to behave in a contested cyberspace? Because don't forget, the cyberspace has people trying to attack us as well. It has threats, whether that's for criminal type activities or whether that's a nation state trying to degrade your national capability. Cyberspace is becoming incredibly relevant in that area. Let me just highlight that with an example.

 

So, we all travel by air. I think the listeners can all relate that we've got on board aircraft to go somewhere on holidays. Just have a think about that air example. All the things that you go through from a digital perspective to catch a flight somewhere. Your ticketing, check-in, baggage tracking, security screening, the information on the departures and arrivals boards, the air traffic control systems that go and make sure that your aircraft's safe, the digital systems onboard the aircraft that monitor your fuel, your center of gravity, your flight control system. There's all these digital systems that ensure that you travel safely.

So let me pick something simple. We've all been to the airport and the ticketing system falls over. What happens? Delays, cancellations, chaos, diversion of flights, big queues, inconvenience, and that's just one side. So if you were to take out a cyberattack on a ticketing system, you could see the amount of chaos that caused. Imagine if that was a safety critical system, something like the air traffic control system or the air traffic control communication network. That threatens the safety of those passengers, and that's a big concern. And so cyberworthiness of that system is equally valid.

 

John Arnold

Yeah, it's sobering to consider that example that you've just given because from the one standpoint, a cyber breakdown in something like ticketing, that's an inconvenience for a lot of people as opposed to what happens if someone hacked air traffic control. And so it's a very, very sobering example and leads perfectly into this next question. And that is that we do hear more and more about independent or nation-sanctioned cyber threats. And we've talked about them here on the podcast in the past, how sophisticated they are, the many different kinds, how expensive they can be to remedy, especially if it's a ransomware thing or something like that.

 

So what are some potential dangers or threats that customers, and I know that in APAC we work a lot with the Australian government and the Australian Navy as one of our customers. What are the dangers that customers face or could they face if they're not able to detect, quickly assess, and mitigate cyber threats?

 

Krishaan Wright

Yeah, it's a great question. Let me start by breaking down the sophistication levels, because you mentioned sophisticated attacks. A lot of these attacks start via a very unsophisticated intrusion. So unsophisticated by the fact that everybody's heard about the USB drop, stick drop. So you can imagine, and I've seen this in practice with cyber sociologists, which is a fascinating topic. Again, we won't go down that path. But you can go and drop, let's say, a hundred USB sticks with malware on it. Somebody, just because of the human condition, somebody will pick up that USB stick. And despite the best training and everything, curiosity within a human will get the better of us and we will plug that in just to see what's on it. And all of a sudden you've just given an entry for a cyberattack. The sophisticated attack comes later after that unsophisticated entry.

 

Similarly, we all know about phishing. KBR, as you know, puts a lot of emphasis on training its people on how to avoid phishing attacks. But just for the listeners that may not be aware, a phishing attack is an email where you're trying to entice the reader of that email to click on a link and then open up a vulnerability so that then a sophisticated attack can come in behind it, usually from criminal elements to be honest, but nation states also use them as the first entry point. So their unsophisticated attacks then open the gate for a sophisticated attack to either take away data or deny a system, so denial of service is a big thing. You can overload a system by just throwing in volumes and volumes and volumes of useless data, and then it slows down the system so much that it just degrades the service and it becomes absolutely unusable.

 

John Arnold

Right.

 

Krishaan Wright

Now, that is just as frightening as taking it offline or taking data out and then holding it for ransomware or ransomware attack, which is more of a criminal element.

 

John Arnold

Right.

 

Krishaan Wright

But I think some of the things that we need to be careful of from a defense perspective is our adversaries have incredibly sophisticated offensive cyber capabilities to look at our national infrastructure and take out digital systems that affect physical systems if need be. It's a form of what we call asymmetric warfare. So we used to talk about special forces or terrorist threats as asymmetric threats. Well, the cyber threat is also an asymmetric threat. It doesn't require much effort, and yet the effects can be far greater than a conventional-type threat. When you think about it, the reach is unlimited. You can reach into any nation's capability. And taking down those type of critical national assets or defense systems is very expensive from a reputational point of view, from an operational point of view, and from an economic point of view as well. So once again, defending those key assets is really what we're all about when we go to measure cyberworthiness and to help people understand where their critical vulnerabilities are.

 

John Arnold

Some great tangible, practical lessons for listeners, first of all, about phishing and the thumb drive that you were talking about. But yeah, again, sobering to consider all of the ramifications from different points of entry and how sophisticated those threats could be and the kind of chaos they can cause. Fortunately, KBR has invested in the development of a tool that helps ensure cyberworthiness. It's called the Achilles Cyber Terrain Mapping solution. Would you tell us about Achilles?

 

Krishaan Wright

So Achilles is a really innovative piece of software that is looking at a system's center of gravity. And the genesis of this tool is from an individual called James Alexander, who founded a company called Cognition Analytica, and he developed the tool based on his experience in the Special Forces. So he's a veteran like myself. Always happy to support a veteran-owned company, and so KBR has partnered up with Cognition Analytica and James to bring this tool to the forefront of assessing cyberworthiness. And what the tool does is it looks at center of gravity analysis, which in the military is traditionally done on whiteboards, Excel spreadsheets, paper, even rocks on the ground if need be. Whatever's at your disposal to analyze a target, find its critical vulnerability, and collapse that whole system just by focusing on that one critical vulnerability.

 

And James uses this wonderful visual of a Jenga tower. Everybody knows the game Jenga, I'm sure we've all played giant Jenga at various establishments around the place. So this tool looks at what is that key Jenga block that you can take out and collapse that tower? So that is really what it's all about. If you could picture that, what is that one block I can take out and create the most spectacular collapse of the Jenga tower? So that is what Achilles is all about. Now it does this by very simple data entry, and then that data entry instantaneously starts creating a 3D map of all of the various capabilities within the system that interact and their vulnerabilities. So it starts highlighting it in this fantastic 3D model that provides a visual reference of how that vulnerability affects the entire system. And it also, if you click on that critical vulnerability, it will highlight the kill chain that it takes, or if you like, the domino effect that collapses the entire system. So you get an instant visual.

 

Now, the great thing about this tool is that it highlights to an executive or an operational decision maker, who may not have a cyber background, why that particular critical vulnerability is important. So as soon as you show them the visual of that kill chain, that's when they get the 'aha' moment and they go, "Right, now I understand why I need to spend the budget to protect that critical vulnerability, or I need to do something about that critical vulnerability."

 

And that's what it's all about. It's looking at, what are my weak points? So rather than treating the whole system, which is obviously a very expensive activity, we are looking for that one nugget, that one little critical vulnerability that we can treat, and that's where I want to spend my money, that's where I want to spend my resources. So for organizations that are stretched on resource and stretched on budget, this tool is helping them to identify, "Well, where do I really need to spend my money? Where do I really need to put my people to defend my system?" As opposed to trying to treat the whole enterprise or IT or operational technology enterprise in order to protect it, I can just treat those critical vulnerabilities that I need to.

 

John Arnold

That's fascinating that it's enabling cost-effective, proactive decision-making on these critical systems. That's just fascinating to me. So what makes Achilles stand out from the crowd among comparable solutions in this space?

 

Krishaan Wright

Well, John, what makes it stand out is the fact that Achilles, this 3D visualization tool, and I have not seen anything else on the market that maps things out the way that it does. Sure, there's 2D maps of networks and whatnot, but once again, two dimensions, limited to network, and it's usually centered, those products, and I'm talking mainly about vulnerability analysis tools, which the listeners may be aware of, they're live network monitoring tools designed primarily for IT managers or network managers to monitor their network traffic, see where the vulnerabilities are within their various systems, and do something about it once it's happened.

 

Achilles is leaning forward. It's either taking the actual current state of your IT or OT system and looking at it and going, "This is where my vulnerabilities are." Or it's looking even at a future state, "Okay, this is what we're planning to do with it, how's that going to affect our cyberworthiness?"

 

And so it really is, it's almost a predictive tool. And as you mentioned before, it's about getting to that speed of decision. So it's increasing your decision-making speed, that is the real key here. And James talks about this getting inside your adversary's OODA loop. Now, for the listeners that don't know what the OODA loop is, this is another reason I love cyber so much, it's an air defense term. So they've taken an air defense term and they've put it into a cyber defense thing. So observe, orientate, decide, act — OODA, right? So your adversary has an OODA loop where they're looking at what you do and they're trying to get inside your head. If you can make decisions faster than your adversary or the threat, then you are able to see those attacks coming before they happen, and so you can do something about it. And that is what Achilles does that I don't think any other systems out there are doing at the moment.

 

John Arnold

That is so interesting. And how has Achilles been deployed so far? What is the response or what are the results been to this point?

 

Krishaan Wright

The most recent deployment of Achilles has been with the Royal Australian Navy. So they invited us to use Achilles to conduct an analysis of four critical systems on one of their ships. And what we did was use Achilles to map those four critical systems and start conducting analysis straightaway. So in mapping those systems, what would traditionally take dozens of consultants and numerous Excel spreadsheets and Microsoft Visio maps and whatnot, we took one consultant, one version of Achilles, and we were able to map each of those systems in about half a day each. So you're talking about speed to value, as soon as we started creating those system maps, the vulnerabilities just pop out and you can see them straight away. So what we were able to do was map those systems, look at their vulnerability analysis, and then we produced two products, two key products for the Navy to be able to treat their cyberworthiness on that particular ship.

 

And those two products were the cyberworthiness management plan, so they got this plan that was based on factual analytics, the actual systems on board, as opposed to what's in their technical manuals or whatever. Our two consultants even went to sea, they had a five-day sea ride on this ship, and they're looking at the systems as they're operating, so we were able to get a fantastic live picture of what was going on. So the cyberworthiness management plan was created from real analysis and real data.

We also created a software management plan, and that software management plan was looking at things like patch updates, vulnerabilities within the software, and how they could treat that down track. Navy were incredibly impressed with the products that we could produce, and in particular the fleet cyber unit. So they're the cyber warriors within Navy that actually go out and treat these problems and they're a very limited resource. So once again, the Achilles tool was able to help with pointing those resources in the right place to go and treat those vulnerabilities and we could put it into an active plan. And I know that that plan has been shared around other units within Navy to say, "Hey, you could have this too." So they're incredibly proud of the work that was done, and we got a very nice thank you letter after our engagement and I'm sure we'll be back again.

 

John Arnold

That's just remarkable. I feel like you've already alluded to it a little bit, but I would like to get into a little more detail here about what are some other potential use cases for Achilles outside of the defense sector.

 

Krishaan Wright

Okay, so outside of the defense sector, John, it's hard to get me to stop about where this tool could go.

 

John Arnold

The sky is the limit, huh?

 

Krishaan Wright

It really is. We mentioned critical infrastructure or national systems of interest. So imagine applying a tool like this to look at all the physical and digital threats or vulnerabilities on something like a water supply system, or an electricity network, or a transport network, or a fuel supply network, or any of those critical systems within national infrastructure, you can apply this. And it can equally map out something like supply chains within those systems. You can map out, it's a center of gravity analysis tool was where it's come from, so anything that you would want to have a look at where your critical vulnerabilities may lie. This tool can basically dig up and have a look around, but certainly we're looking to get more into the critical infrastructure sector. We see amazing application for it in those systems of national significance. We can start looking at a whole bunch of things on the operational technology side to make sure that those systems are cyberworthy. It's equally important there as it is in defense.

 

John Arnold

Outstanding. Well, what is on the immediate horizon for Achilles?

 

Krishaan Wright

So how Achilles has been deployed so far, has been on a laptop version, very early we decided this is not for the future, so we have developed a cloud-based version to make it more accessible to the client, also make processing speed a lot faster. So the graphics come up a lot faster than what they would on just a single laptop where you're limited by processor speed on that laptop. But the cloud version is available now and the best thing is that it's on a secure cloud, KBR secure cloud that we can then put to the client so they can be confident that data is going to be secure so that your adversaries aren't finding out about the critical vulnerabilities. So that's important.

 

And that's really rolling that out is what's on the immediate horizon for us. We are looking to expand the work that we're doing in defense. We would like to see the tool used as the baselining tool for cyberworthiness across the Australian Defense Force. But I urge any listeners globally, I mean we can deploy this system to any of our global listeners problems out there. So I'm sure other defense forces have exactly the same problems and want the same treatments. So that's the beauty of this product is it does not take much workload or you're not limited by geography. You can deploy this out on a local cloud version to keep data sovereignty for other nations. And then off we go and we're away. It's where I see Achilles going in the future is becoming a global KBR solution.

 

John Arnold

Amazing. Well, who should listeners reach out to if they want to learn more about this, Krishaan?

 

Krishaan Wright

Well, I'd say myself in the first instance, please flood my inbox. I am more than happy to take any inquiries about what we're doing, how we're doing it, and the Achilles tool in general. I could tee up a meeting with any of our listeners and I can also get James involved in that …

 

John Arnold

Excellent.

 

Krishaan Wright

… works as a subcontractor to us, and we can discuss the application of the tool, pick through your problems, and come up with a good solution.

 

John Arnold

Excellent. Well, before I let you go, is there anything else you'd like to add?

 

Krishaan Wright

Look, other than it's been the most pleasing aspect of this is that I've been able to help an Australian sovereign owned business and namely a veteran. Being a veteran myself, I'm the chair of the Armed Forces Community [KBR employee resource group] network here in Australia. And so to support my fellow veterans in developing something as innovative as this, which takes what we know instinctively in defense, but actually turning it into digital solution that we can apply in a commercial sense is really exciting for me. And this is a tool that just has infinite applications.

 

John Arnold

Well, just on a personal note, I want to thank you for, I know that our ERGs are very, very important to the life of KBR, so I want to thank you for the time that you volunteer out to head up the Armed Forces Community in addition to the amazing and critical work that you're doing in cybersecurity. Krishaan, I want to thank you so much for your time. I know it's very valuable. It's been excellent having you on the podcast today.

 

Krishaan Wright

Thanks, John.

 

CONCLUSION

 

John Arnold!

Wow!

 

I hope you all like learning about these kinds of solutions as much as I do. Achilles is yet another cutting-edge example with huge implications not only in defense, but also potentially in critical infrastructure and beyond, and that it's being developed in partnership with a veteran owned business is icing on the cake. We want to thank Krishaan Wright for being our guest and for the important work he's doing to make the cyber domain and the world a more secure place. As you heard, if you're interested in learning more about Achilles, you have Krishaan's permission to bombard his email or LinkedIn.

 

We also want to thank our colleague, Kaye Noske, communications manager for KBR Government Solutions International APAC, for facilitating this episode. And we can't leave out our producer, Emma, for her work in getting this episode edited and out the door. Thank you, Emma, as always.

 

If you're interested in learning more about KBR's cyber capabilities, head on over to the new-and-improved, kbr.com. That's right. The site's got a new look and streamlined user experience that makes for easier navigation. So please go check it out.

 

If you like what you heard today and want to let us hear about it, or if you have an idea for a future episode, drop us a line at inorbit@kbr.com.

 

And one last big thank you to all you listeners out there. We know that you have a lot of things vying for your attention and we're grateful that you chose to spend some time with us here and that you're keeping us in your orbit. Take care.