New leadership, new technologies

Oct. 1, 2021
Cybersecurity rules at aDolus

Rod Campbell became CEO and Mark Weatherford joined the board of directors at aDolus Technology. Campbell took over the CEO role from cybersecurity veteran and aDolus founder, Eric Byres, who will focus on his role as CTO.

As CEO, Campbell will lead the company through its next stage of growth, developing new channels to market, expanding the sales organization and managing relationships with key investors and customers. Campbell has deep financial experience across multiple industries and brings a passion for team-building and strategic planning.

“I’m delighted to welcome Rod to the team and, frankly, can’t wait to really focus on the technology side of the business,” says Byres. “Rod’s background in finance, M&As and entrepreneurial environments makes him a perfect fit for growing the company. I’m an engineer at heart; and the work our R&D team is doing on software supply chain security, artificial intelligence and machine learning is really groundbreaking.”

Rod Campbell, CEO, aDolus Technology

Campbell has an MBA from the University of British Columbia. aDolus provides the FACT platform for brokering security information regarding industrial control system (ICS) and IoT software and firmware.

In his board position, Weatherford will provide strategic guidance to aDolus, shaping the company’s initiatives to partner with key industrial control system (ICS) vendors. In the wake of high-profile threats to the software supply chain, Weatherford will also advise the company on the most impactful strategies to help safeguard trust between developers and operators of critical systems and prevent attacks seeking to exploit that trust.

“We’re excited for Mark to join our board and lend his insight,” says Byres. “His global thought leadership on cybersecurity and his vast experience bring a sophisticated appreciation of the complexities of securing software supply chains. In this era of unprecedented cyberthreats to our critical systems and infrastructure, Mark’s leadership will help us best execute our company goal—to make the world a safer place.”

Mark Weatherford, member of the board of directors at aDolus Technology

aDolus provides advanced analysis tools and the ability to create a software bill of materials (SBOM), a document required by federal agencies under the May 2021 executive order (Figure 1).

“The software supply chain is the next frontier of cybersecurity. Attackers have figured out there is a great return on investment on these kinds of attacks, and they are becoming front-page news,” says Weatherford. “aDolus has been a leader in tackling this problem. They have a head start on the technology ICS vendors need to make sure the components they use and the products they ship are safe.”

Weatherford has held multiple high-level cybersecurity positions, including vice president and chief security officer at the North American Electric Reliability Corporation (NERC); the Department of Homeland Security’s first deputy under secretary for cybersecurity under the Obama administration; California’s first chief information security officer; and the first CISO for the state of Colorado. In the private sector, Weatherford held executive-level cybersecurity roles including global information security strategist at Booking Holdings, chief cybersecurity strategist at vArmour and a principal at The Chertoff Group.

What are three key things that a machine builder, system integrator or manufacturer should know about your organization?

Mark Weatherford, board member, aDolus Technology: aDolus provides an AI-powered platform called FACT, an advanced aggregation, analytics and correlation engine developed to secure the software supply chain. It derives the most up-to-date cybersecurity risk intelligence on software components as they flow through the ICS ecosystem: between suppliers, developers, OEMs, service providers, operators and even those who should not have the software and may use it for malicious intent.

aDolus helps vendors/OEMs manage risk from incoming third-party software by automating compliance and governance through the entire software lifecycle. aDolus provides intelligence to help security service providers protect their customers’ OT assets. And aDolus provides OT asset owners and operators assurance that files are tamper-free, authentic and safe, prior to installing on critical devices.

Software supply chain attacks are on the rise—up 430% in 2020—and high-profile incidents such as SolarWinds have prompted a government response in Executive Order 14028 on Improving the Nation’s Cybersecurity. aDolus’ one-click SBOMs are an easy solution to pending cybersecurity obligations for critical systems.

What new technologies are driving product development and why?

Mark Weatherford, board member, aDolus Technology: In our case, artificial intelligence (AI), and specifically machine learning (ML) and natural language processing (NLP) techniques, are critical technologies driving our platform. In the ICS world, where product lifespans are measured in decades, it is extraordinarily difficult to link vulnerabilities to products. The National Vulnerability Database (NVD) is far from complete, and it rarely maps vulnerabilities in components back to the products containing those components. And, thanks to mergers and acquisitions, the vendor name on a product often doesn't match the vendor name in the NVD disclosure details or the Common Platform Enumeration (CPE) listing. A regular human could waste untold hours trying to match up vulnerabilities with their installed products, or the other way around. But using AI, aDolus has been able to create these vulnerability associations quickly and comprehensively.

How does the Industrial Internet of Things figure into business strategy?

Mark Weatherford, board member, aDolus Technology: One of the driving factors in starting this business was the realization that the IIoT sector was incredibly underserved compared to the IT sector in terms of cybersecurity. When aDolus looked at the opportunity, the market for securing IT endpoints, while huge, was dwarfed by the market for securing IoT and IIoT devices.

Of course, a modern ICS involves a combination of IT and OT technology, but we started with OT, or IIoT, if you will, thanks to decades of experience with these systems. It is a much more complicated domain, with multiple operating systems, bespoke build environments, thousands of vendors, various communication protocols and no end of legacy products. That strategy was proven successful when we started fielding calls from IT security providers seeking to partner with us to access this growing market. It was easier for aDolus to analyze and validate IT software than for IT-focused companies to get their heads around the complexities of the ICS ecosystem.

How will machine automation and controls alter the way companies staff their operations in the future?

Rod Campbell, CEO, aDolus Technology: Ideally, more automation transfers repetitive or dangerous tasks to control systems and machines and shifts the higher-value tasks to skilled people. But someone still needs to design, operate, maintain and secure those systems. With more automation comes more opportunity for malicious tampering, ransomware and espionage. It will be critical to have knowledgeable professionals who can make decisions about installing software, responding to incidents, recovering from incidents and generally managing risk.

How is the development of software solutions impacting requirements for hardware?

Rod Campbell, CEO, aDolus Technology: Most industrial hardware is becoming a commodity with the functionality and value being supplied by the software. For example, consider aDolus’ CTO's previous product, the Tofino Firewall; the actual hardware was a commodity single board computer (SBC) that was industrial-hardened. This SBC could and did get used for many different applications from wireless hubs to industrial camera systems. In the Tofino, the real benefit to the ICS security professional was the software running the deep packet inspection engine.

So, protecting the supply chain of the software running in the hardware is critical or the entire functionality of the hardware becomes suspect.

As engineering and IT continue their convergence, which one is and/or will be leading the direction of future automation and technology?

Mark Weatherford, board member, aDolus Technology: IT/OT convergence is challenging because, as an industry, we are trying to blend solutions from two different worlds in a way that respects the needs of both. Collaboration is more important than one side coming out on top. In that spirit, aDolus makes all the information about both OT and IT software—malware, vulnerabilities, code-signing, SBOMs—all available in one simple scoring report, regardless of the supplier. It's like a universal credit score for software that gives companies the assurance that software they are using in their IT/OT convergence strategy is safe and secure.

Looking into the future, how will technology change your organization or other organizations over the next five years?

Rod Campbell, CEO, aDolus Technology: With more smart devices and more IT/OT convergence come more cybersecurity threats. The recent series of supply chain attacks, such as SolarWinds, and attacks on critical infrastructure, like the Colonial Pipeline attack, have not gone unnoticed. The recent Executive Order 14028 on Improving the Nation’s Cybersecurity is mandating steps, such as requiring software bills of materials, to help secure the software supply chain. Right now, the rules just apply to those doing business with the government, but we foresee lawmakers taking up this cause in the future.

We are anticipating cybersecurity to become more of a team effort, with vendors disclosing to their customers the contents of their software via SBOMs and asset owners and operators using tools, such as our FACT platform, to properly validate the published components before installing software in a critical system. The key to supporting this future is to improve transparency and make it easy for all participants in the software supply chain to reduce risk.

About the author: Mike Bacidore
Mike Bacidore | Editor in Chief

Mike Bacidore is chief editor of Control Design and has been an integral part of the Endeavor Business Media editorial team since 2007. Previously, he was editorial director at Hughes Communications and a portfolio manager of the human resources and labor law areas at Wolters Kluwer. Bacidore holds a BA from the University of Illinois and an MBA from Lake Forest Graduate School of Management. He is an award-winning columnist, earning multiple regional and national awards from the American Society of Business Publication Editors. He may be reached at [email protected]