Bridging the Security Gap: How HERA Transforms Remote Access in Industrial Environments with Andrew Ginter

Episode 17 July 22, 2024 00:46:53
PrOTect It All

Hosted By

Aaron Crow

Show Notes

Welcome back to *Protect It All*! In Episode 17, host Aaron Crow is joined by Andrew Ginter, VP of Industrial Security at Waterfall Security Solutions, to dive deep into secure remote access for Operational Technology (OT) systems. They explore the cutting-edge HERA (Hardware Enforced Remote Access) technology, which offers a revolutionary approach to remote control via TPM hardware, unidirectional gateways, and stringent encryption protocols. 

This episode covers everything from the critical need for robust security in high-stakes environments like wind farms and manufacturing, to the dangers of supply chain vulnerabilities, to the broader implications for industries that depend on remote operations.

Ginter sheds light on the limitations of software-based solutions and the strategic advantages of hardware-enforced security, while also discussing his book "Engineering-Grade OT Security" and the latest initiatives in cyber-informed engineering.

Tune in to learn how organizations can remain competitive, reduce costs, and stay secure in an increasingly interconnected industrial world. This enlightening discussion could change the way you think about remote access!

Key Moments:

05:53 Spectrum of consequence in remote access explained.

07:55 Security flaws in remote access systems.

10:23 Remote access is often overlooked by many.

15:11 Supply chain vulnerability due to cloud connectivity.

17:33 Hardware-enforced remote access, HERA, fills the security spectrum.

20:52 Custom ASIC with 1M transistors for encryption.

25:55 Ways to exploit network security vulnerabilities discussed.

26:35 Exploiting technology to send unauthorized messages.

32:50 Benefits of centralizing engineering teams in businesses.

34:18 Competing in the international market with unique services.

39:31 Understanding the implications before implementing technology is crucial.

40:30 Uncertainty about large number, risk opportunity tap.

43:50 Firewall controls data flow and is potentially misconfigurable.

About the guest:

At Waterfall Security, Andrew leads a team of experts working with the world's most secure industrial sites. He is the author of three books on industrial security, co-author of the IIoT SF and the UITP Guide to CyberSecurity in Tendering, and co-host of the Industrial Security Podcast.

Links:

https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/hardware-enforced-remote-access-hera-under-the-hood/

LinkedIn: https://www.linkedin.com/in/andrewginter/

Email Andrew: [email protected] 


To be a guest or suggest a guest/episode, please email us at [email protected]


Episode Transcript

[00:00:00] Speaker A: You're listening to Protect It All, where Aaron Crow expands the conversation beyond just OT, delving into the interconnected worlds of IT and OT cybersecurity. Get ready for essential strategies and insights. Here's your host, Aaron Crow.

[00:00:23] Speaker B: Thank you for joining me, Andrew. Second time, at least on the, on the podcast, so I appreciate the opportunity. I love our conversation. So why don't you, for those that don't know you, which I don't know how they don't, if they're listening to this, but why don't you introduce yourself and, and who you are, your background, all that kind of good stuff.

[00:00:39] Speaker C: Sure thing. Hello, Aaron. And, you know, thank you for having me. I'm Andrew Ginter, VP, Industrial Security with Waterfall Security Solutions. It's a, it's a fancy, goofy title. What does it mean? I lead a small team of subject matter experts. We are charged with. I mean, Waterfall is a technology vendor. We produce unidirectional gateways and related technologies, and we've got a whole, a large team of people who are experts on the products. If you need to know which button to press in this really strange circumstance, you know, they're the gurus on that. My team is charged with sort of a different mission, which is understand the world of industrial cybersecurity, understand standards and regulations, understand the guidance that's coming out, and, you know, position the Waterfall solutions within the bigger picture. So, you know, we're tasked with understanding the threat environment. We have an annual threat report. That's what my team does is sort of the big picture.

[00:01:36] Speaker B: That's awesome. It's a, it's a needed environment because we're constantly having to look and pivot, and our attackers are constantly looking. Regulations are changing. Yeah. It's, it's important and even fun place to be at.

[00:01:51] Speaker C: It's. I digress.
We're going to talk about something different, but it has been fun lately. I don't know if you're tracking it, but I strongly recommend to you and your listeners the Cyber Informed Engineering initiative out of Idaho National Laboratory. I'm an understated kind of guy. I don't use the word excited very often. The one thing I'm excited about in the last two years is that I think finally, when I explain CIE. So maybe that's a topic for a different podcast. Or I can introduce you to the leaders of the CIE initiative. When I explain CIE to owners and operators in the field, the feedback I get, and I'm paraphrasing, but it's roughly, what a good idea. Why is this new? This shouldn't be new. Why have we not been looking at the problem this way for the last 20 years? It's like it's all the same puzzle pieces, but where we used to put them together this way with all sorts of space between them, now they fit and there's no space between them anymore. So, yeah, it's been an exciting time the last two years. And things are changing, surprisingly, in a.

[00:02:56] Speaker B: Field that's 20 years old and in the right direction. Right. We may be lagging a little bit behind, but I actually went to Idaho National Labs and took their CIE training and actually going to be doing a talk around CIE at DEF CON for ICS Village. So, kind of talking about how do we use it in critical infrastructure? What does it mean? Because it's really easy. Cyber informed engineering. It's really easy to do a greenfield, easy being relative, in a greenfield environment. But how do I use those same things in existing space? Legacy equipment, all that kind of stuff? We see it's just as relevant in those spaces as it is in greenfield. But many, when they're looking at it, they think, oh, well, I can only do this when I build a new power plant. My old stuff doesn't work. I'll just have to accept what I have and hope for the best next time. And that's just not the case.

[00:03:48] Speaker C: Not true.
Not true. It's all about risk. It's all about consequence. But again, different conversation. I look forward to seeing what you have to say at DEF CON.

[00:03:58] Speaker B: Yeah, absolutely. Well, let's dive into it. So, secure remote access is something that I have been working with and dealing with and fighting, especially in OT, for a long time. Right. We've done such a great job over my career and seeing the difference of, you know, in the beginning, it was just putting in a firewall. When I first started, there was no segmentation from OT to IT. So we put in these firewalls, but then we need to have remote access, and you've got vendors that have 3G cards and they can directly get in because I need to monitor, and there's just all of these problems. But we see. We've seen multiple instances of vulnerabilities and, you know, changes, not even just cyber ones. Right. But, you know, a vendor logs in and makes a change that I didn't know about. And now it impacted my system from an operational perspective beyond just a cyber attack or a nation state or all these types of things. So talk a little bit about. Obviously, Waterfall has a new product coming out, but really just high level. The remote access problem in OT and why it's such a big one that we haven't solved yet.

[00:05:00] Speaker C: Absolutely. So where to begin? In the OT space, there is a spectrum of, let's call it consequences. And a lot of people don't understand this. So sidetrack again very briefly to 62443. A lot of people read the standard and say, I must do this, I should do that to be compliant with the standard. So I do all that. And I say, there, I'm good. And I have to ask, who are you? I'm a large power plant. And you did everything the standard says you have to do? Yes, I did. You know, I didn't do everything I could do. I did everything I have to do. You realize that the standard applies equally to small shoe factories as it does large power plants? I didn't really think about that.
So you've just implemented the minimum that a small shoe factory needs, because you did the minimum. And so people, you know, there's this spectrum, and it's mostly a spectrum of consequence. If you breach a large power plant, the consequence is different than if you breach a small shoe factory. And when we talk about remote access, it's in context of consequence. And so the most consequential industrial enterprises on the planet, extreme example, nuclear generators, in my estimation, will never deploy remote access, any kind of remote access. Why? Well, partly because they have extremely important information to protect and they can't leak that information out to the world. Partly because the other way around. These are militarily strategic targets, every one of them. If the military comes after them and they've got remote access enabled, what's to stop a spy from breaking into my house, putting a gun to my head and saying, log in, use your two factor. Do it now. Type this. You know, I'm sorry, that's, I'm going to log in. So the most consequential are saying nuts to remote access ever. I don't care what kind of remote access you have. You know, the, the least consequential are saying, I've got, you know, I've sprinkled a little VPN, I've sprinkled a little firewall, I've sprinkled a little antivirus, I'm good. Remote, you know, and in between is sort of where it gets complicated. So we have been talking to a lot of owners and operators who are on the high end of the consequence spectrum, not the extreme end, but the high end. And they're looking at the remote access solutions. And they're saying, and I'm not going to name names. I mean, I could give you concrete examples. This vendor's firewall, 20,000 of them were breached, that vendor's VPN, but in a sense that serves no purpose. It, you know, you name and shame and you ignore the fact that all the other vendors have the same problem.
So what I'll say is that, you know, people are looking at the remote access systems and saying, this vendor's VPN product, you know, had a zero day exploited, and 20,000 of them by a nation state, you know, the other one had an N-day, you know, you know, exploited in all of the instances that didn't install the, the patch within a week and a half. And so they're saying, you know, if you breach the firewall, if you breach the VPN server, if you breach the remote access server through a vulnerability, through stolen credentials, if you didn't do two factor, through forged credentials, if your two factor is weak, if you get in any of those ways, it's a very bad thing. It's close to game over, because the enemy, the adversary now has a foothold on the edge of your network and can launch whatever attacks they want deeper into the network. And, you know, the buzzword is pivot. Once they get a foothold in this, and, you know, why is, why is remote access server, why is that different? It's because it's exposed to the Internet. Very little else on your OT network ought to be exposed to the Internet, but that, you know, your remote access server, by definition, is reachable from the Internet because you're on the hotel network and you need to get to it. And so it's vulnerable in a way that you can't afford the rest of your system be vulnerable. And if you're breached, the bad guys pivot, they use the compromised systems to attack deeper. And this is what our customers are saying. We really need remote access. We're using remote access. We're not happy with it. We wish there was something stronger. And again, the small shoe factories don't. But a large automobile plant that produces a quarter billion dollars worth of automobiles per day, or a large power plant, or a refinery, these sort of consequential outfits. In a large refinery, you've got 300 people walking through the front gate every day, and a large fraction of that coming in remotely as well.
It's a huge environment, and it's a very sensitive environment. And, you know, people are saying, can't we get something stronger?

[00:10:23] Speaker B: Yeah, and a lot of times people aren't thinking about remote access the way that you and I do. I know I've fought this battle many times, is the manager wants to be able to access the environment from his office. That's across the street. It's at a different building. Instead of having to walk over to the factory floor or to the control room, etcetera. That's remote access. Well, I'm on site, so it's not the same. But it is like if you can access it from there, which is outside the protected network, it's north of the OT environment. It's north of the firewall. It's exposed. That means that I can do it from virtually anywhere. I don't have to be sitting in that chair. Now, obviously, I can restrict some of that on, but most of the time, in my experience, that I've seen those, there's no more restriction whether I'm sitting at my office or I'm at Starbucks or I'm in China. Right. There's really not much difference between any of those because it is all remote and I don't have to be there.

[00:11:15] Speaker C: And you can, you can try to restrict it. But again, if we're dealing with a software artifact, I'm sorry, all software has defects. Some defects are vulnerabilities. In practice, you know, these vulnerabilities, some of them we've discovered, the good guys have discovered and are madly trying to fix before the enemy gets to them. Some of them the adversaries discovered and are exploiting without us knowing. You know, worse, it's software. It can be misconfigured accidentally. It can be misconfigured deliberately. There's issues. And so, again, small shoe factory doesn't worry too much about it. You know, they've got insurance.
If they go down for ten days, they restore from backup, and off they go. You know, passenger pass, high speed passengers, you know, rail switching, if it is compromised in the worst possible way, trains collide. You can't buy insurance for a mass casualty event. It's unacceptable. And so. But still, you know, mines are extremely safety conscious, and there's no mine in my backyard. They're out in the middle of nowhere. And, you know, do you want to fly people out to the middle of nowhere? You know, sometimes a two and a half day trip to make a small change? No, you need remote access into these safety critical sites. You mess with the airflow and people die underground. It's just so, you know, there's a need out there for something stronger than software exposed to the Internet.

[00:12:50] Speaker B: Well, and today's pretty relevant. We've seen in the news today a lot of outages across our critical infrastructure from a software product. Right. And we don't even have to name them. Everybody that's listening probably knows it's brought almost all the airlines down. Banks are offline. I logged in my bank account this morning and, and they're like, yeah, you can see your account, but you can't really do anything with it because all of our systems are having an outage. And it was because of software that was installed. I'll just go and say it was the CrowdStrike issue, and that was not a cyber attack, that was because a patch was an issue and it got pushed out and they removed it eventually, but it had already had this large impact. Right? So it wasn't even a nation state, it wasn't a bad actor, it was just a mistake. And that shows, especially in OT, how critical, you can't have critical systems, even a mistake, even if it's accidental, that's unacceptable in all of these spaces. Lives can be lost.

[00:13:45] Speaker C: That's right. And CrowdStrike was errors and omissions. It was not an attack. There have been cloud based attacks in the modern day.
They're not called cloud based attacks, they're called supply chain. There was SolarWinds with the headline recent, a couple of years ago. Before that, the first big one was NotPetya, took hundreds of victims down simultaneously. And this is why when people talk about cloud systems or supply chain, this is why it's such a big deal if there is an opportunity. I mean, concrete example, a couple of years ago, the war in the Ukraine, the Russian invasion of the Ukraine, the front line of the battle was moving back and forth. When it moved towards Russia, apparently the Ukrainian farmers got it into their head to drive their million dollar John Deere tractors into the battle zone and drag dead Russian tanks out and sell them for scrap. This annoyed the Russians, so when the battle line moved back the other way, they stole a bunch of million dollar John Deere tractors and drove them 300, 700 km into Russia. The Ukrainian farmers were naturally annoyed by this, called up John Deere and said, you know, the Russians have just stolen our tractors. What are you going to do about it? And John Deere said, oh, we'll turn them off. And they turned off the tractors and they don't work anymore. They're dead tractors. And, you know, the good guys said, yay. And then they said, just a minute, what just happened? What if John Deere gets it into their head to turn off all the tractors in Europe at planting time? What if Russia gets it into their head to break into John Deere and turn off all the tractors? This is the supply chain problem. I think of it as a cloud problem. Anytime where we have an important asset connected to the cloud, we're vulnerable in new ways that a lot of people aren't considering. Now, I don't know about a lot of remote access systems. Remote access is the topic here. I don't know that they're connected to the cloud, but if they are, and there are cloud based remote access, you can do remote access through Teams if you want. And that's a cloud based system.
So, you know, anytime we're talking cloud based, again, I'm not saying don't use it. I'm saying consider where you live in the spectrum of consequence. On the low end of the spectrum, you know, go for it, provided, you know, you've got a little bit of protection in place, provided your insurer is okay with it. On the high end of the spectrum, you can't buy insurance for mass casualty events. You can't buy insurance for threats to national security because critical infrastructure has failed. You can't do that. You need something else, and you need to be looking really hard at whether any kind of cloud connection is wise. And, you know, this is, if you're curious, my latest book, Engineering-Grade OT Security, has a chapter on network engineering, trying to provide some guidance on where in the spectrum, what kind of protections are appropriate.

[00:16:52] Speaker B: Yeah, and it leads right into what we were just talking about with CIE and really understanding the risks that you're doing. Right. You know, secure remote access, remote access, cloud based, you know, you just need to understand, you don't have to put platinum level the most, you know, physical removing. It's not every site is a nuclear facility. Right? So like you, the shoe, the shoe factory doesn't need to have the same requirements around it that the nuclear facility does. That doesn't mean that it should just haphazardly say, well, we're only a shoe factory, so just whatever you want to do, right. It's just understanding what those risks are and being careful that you understand it. So talk a bit about what is the difference between the product that you guys have now and a software based remote access solution.

[00:17:33] Speaker C: Sure thing. So we've just announced Hardware Enforced Remote Access, HERA for short. And this is something that fits sort of in the spectrum of security. It fits between the high end of software based remote access and the low end of hardware enforced remote access.
What is that? Waterfall, for years, has been selling unidirectional gateways, hardware that sends one way out. We have a software product that goes with the gateway that sends screen images out. So you can see the engineering workstation, the Microsoft support tech, the GE support tech can see the engineering workstation screen coming out through the one way hardware, but nothing gets back. No keystrokes, no mouse, nothing. Needs someone on the inside, on the phone, you know, working with the remote tech, but, you know, so that's extremely secure. Nothing gets back in. Doesn't matter if you've exploited a vulnerability, the hardware you can't get back through, but it's inconvenient because you need someone on. And so customers have been asking us, look, we have scenarios where we need something stronger. We're higher on the consequence, high enough on the consequence spectrum that we need more than software. But you haven't got anything for us. All you've got for us is remote screen view, which works well when you have a comparatively small number of remote access sessions coming in. What if I have a manufacturing plant with a thousand machines in it and 100 vendors, and, you know, at any given moment, three or four of my machines are out. Half of them the technicians can figure out on their own. The other half they have to call the vendor who's going to remote into the machine and help the technician figure out which piece needs, you know, repair. I've got constant remote access into my systems, a different three vendors into a different three machines every half hour. You know, remote screen view doesn't work. Software is all I've got. Can you give me something stronger? And so we have this new product called HERA, and, you know, under the hood, yes, it's remote screen view. It's a unidirectional gateway out so that the remote user can see the screen. And I, we're letting keystrokes in. And so the keystrokes come in not through a firewall, where it's software.
If you breach it, all bets are off. They're coming in through an inbound gateway with hardware filtering.

[00:19:55] Speaker B: What does that mean? Talk through. What does that hardware filtering look like?

[00:20:00] Speaker C: So two or three things. One is, let's talk about the screen images first. When I say screen images are coming out, it's not TCP coming out of it, it's screen images being sent through the hardware. And, you know, our own proprietary thing. And on the outside, they show up as a video on a web server that the remote support person can talk to. So there's no. There's no way to open a TCP connection through, even through the outbound to the Internet from the OT, it doesn't work that way. All we're doing is fetching screen images and sending out. Similarly on the way in. It's not a TCP connection. We're not forwarding, you know, TCP packets. It's not a router. This is what we have is an inbound gateway. And the inbound gateway can only send stuff one way, it can't send anything the other way. That's the nature of the gateway. And in the gateway there is what's called a gate array chip. It's, you know, think of it as a poor man's custom ASIC. It's. It's a million transistors that can be configured as needed. So we've configured them in such a way that what comes in is encrypted keystrokes and mouse movements. So, you know, let me back up, what does HERA feel like when you use it? And let's follow the connection path all the way through. If I may, a remote user sitting on my laptop at a conference, and I've just made a change to the power plant network two days ago, and I need to log in and see if it's still working, see if there's anything. So I'm sitting, you know, in my hotel room in the evening, I connect to the hotel Wi-Fi, I'm on the Internet, and I fire up HERA. What does it do? It gives me a little screen, says, which power plant do you want to log into? I've got seven configured, so I pick one, and what it does is opens a standard TLS connection.
Now let me say the HERA gateway, the appliance, has got four CPUs in it. The outbound component has two CPUs, a source and a destination, and the strange one way hardware. The inbound has two CPUs and the strange one way hardware. Two of the CPUs are Internet exposed and two of the CPUs are OT exposed. So my laptop connects to both of the Internet exposed CPUs, one to get the screen images and the other one to send my keystroke and mouse in. And it's a standard TLS connection. There's a trusted platform module. TPM hardware has to be on my laptop, but all modern laptops have this, and it negotiates, and I wind up with a standard encrypted socket. And now it challenges me for, you know, a username and password. The. It challenges me for the, you know, encryption credentials that are in the TPM. You know, I can only make this connection if I'm on the right laptop, because, you know, all that stuff is buried in the TPM hardware. So I authenticate, and now I see an image of a virtual machine that's been created for me. I'm on the OT network. What do I want to do? I want to start moving the mouse. I move the mouse. The first thing I do, the mouse movement information, a nugget of it, is encrypted using a different key in the TPM. Okay, so there's two keys, one for the TLS session and one for the mouse movements. And the beauty of the TPM is you can't steal the keys without, you know, physically taking the thing apart and putting it on an electron microscope and nasty stuff like this. The TPM is designed to hide key information. So now, but I'm using the key information, I'm sending encrypted keystrokes through the TLS connection into the inbound gateway. Okay, it gets to the CPU in the inbound gateway, and now what? Well, the CPU decrypts the TLS. Its TPM has the credentials to decrypt the TLS. And now it sees the encrypted mouse and keystroke information. Well, it can't do anything with that because it's encrypted.
The Internet exposed CPU does not have the key, so it sends that encrypted information through the one way hardware into the inside, where it has a TPM. It's decrypted and sent to the virtual machine. And I see my mouse move. Clever. What's happening in the hardware? The hardware is one way in. And that extra chip I talked about, that million transistor gate array, is looking at every chunk of information. It's not even a message. It's not TCP. Every chunk of information coming through the hardware and saying, the only thing I'm allowing in is encrypted keystrokes and encrypted mouse movements. That's all that's allowed in. I can't send. Even if, so, you know, even if I compromise both of the Internet exposed CPUs, I can't send anything through that hardware. I can't send a TCP request. I can't send a UDP request. The only thing I can send through there is encrypted mouse movements. And, you know, that's the only way anything gets into the system. You can send what you want out of the system, as long as that's all it's getting in, you cannot pivot and attack through the Internet exposed CPUs, no matter how many zero days you take advantage of. So that's the claim to fame here, is the encryption happens on the inside so that nothing on the outside can forge those keystroke and mouse movements.

[00:25:27] Speaker B: Yeah, that's incredible. Obviously, it's very built upon the idea and the engineering behind your gateways. So having that dual channel, only stuff goes out, and the only thing that can come in is hardware, where a lot of remote access solutions are doing that through software. They're saying, hey, I'm not going to. I'm going to block, like, a firewall, I'm going to block RDP, or I'm going to block file transfer. I'm going to block, you know, these other protocols. I don't want to let those things through, but as you know, with a zero day or anything else, there are possible ways to do that. Right? It's better than nothing. But it's not. It's not.
It's not foolproof. Right. I can. I can take advantage and I could potentially pivot because I can, you know, obviously. Next gen. You know, the next gen firewalls have application aware protocols, and they're looking at that, but not everybody even deploys those things. So a lot of times in these spaces, we have old stateful IP firewalls that are just this port and protocol, this destination. And I can send whatever packet down this as long as it's the right destination and it's using the right port number, because it's not just getting that deepest.

[00:26:34] Speaker C: That's right. So, you know, again, classic software technology, you breach, you exploit either a zero day or even a known vulnerability that you just haven't had opportunity to patch yet. You breach that, and you can. You're in control of that CPU. You can. In principle, you know, it's varying levels of difficulty, but in principle, send any message you want into the OT network. Here, if we breach the outbound CPU, it does us very little good, because nothing gets back in through the outbound hardware. If we breach the inbound CPU, the hardware is going to filter out any kind of message we try to send through that's not the encrypted keystroke and mouse information. You might say, well, can't I forge the encrypted keystroke and mouse information? No, it's not just encrypted. It's authenticated as well, using the key information in the client. And so even if I breach that CPU, it doesn't have the key information either to decrypt or to encrypt and create forged inputs. So we see sort of the, what's right, the opportunity, the sort of the low hanging fruit in terms of who's going to use this first are organizations that have, you know, that are higher on the consequence scale and who have a need for a lot of remote access. So I gave the example of manufacturing. You know, large manufacturing plants all have this problem. Doesn't matter what they're manufacturing.
You know, another opportunity that I see is wind farms. Why wind farms? Well, think, you know, old school. A gas fired power plant, what is it physically? It's a stationary jet engine that you feed natural gas into. The gas turns the engine. The engine is connected to a generator, turns the generator, produces power. All moving parts. Friction is the enemy of moving parts. You know, wear is what friction does to you. Vibration is the symptom of wear in these, these rotating equipments. And so a couple of times, you know, once or twice a quarter, every one of these massive turbines needs to be adjusted because, you know, they're, they're connected. You know, we recommend, through a unidirectional gateway out to the Internet, the, the vendor, the turbine vendor can see the vibration information in real time and can say, ah, something's building up here. We want to maximize the life of the turbine between, between services. And so they call up the site and say, you know, I need to service this. And they do it by remote screen view. And so, you know, once or twice a quarter. So you have once or twice a quarter. You've got a remote session with the vendor on each of your six gas turbines at the power plant. It's, you know, it's a session per week, right? In a wind farm. In a wind farm, we've got 300 turbines, and they all wear out at roughly the same rate. They all need adjustment once or twice a quarter. Worse. The wind farm turbines, bluntly, no offense to the vendors, it's not as mature as the gas turbines. Gas turbines with us for a very long time. Wind turbines, less so. It's, you know, they're becoming more mature because they're being deployed so widely. But you might not have one vendor that needs to remote in once or twice a quarter for each turbine. You might have two or three vendors involved because it's not quite, as, you know, mature all in one. And now you've got, let's say, two vendors remoting, let's say once, let's just say once a quarter.
Two vendors once a quarter into each of 300 turbines. That's 600 remote sessions in the quarter. There's only 90 days in the quarter. Someone is logged into these turbines all day long. Again, we've had wind farms come to us and say, Andrew, can you give us something here? Because remote access is a nightmare for us. There's too many people in here. You know, we're too exposed this way. So, you know, these are the, and of course, I gave the example of mines, high on the consequence scale and intrinsically, you know, and it's just expensive to pay people this. They're moving the mouse. So, you know, they're looking for something stronger.

[00:31:06] Speaker B: Well, and this problem is, it's all throughout OT, right, to your point, right. Those teams that are monitoring and they're managing these things, that team sits in Atlanta or they're sitting in Germany or they're sitting in Japan. You can't afford, none of these organizations can afford to have those people get on a plane and come here and do the required maintenance in person. Their staff doesn't have the ability or knowledge to do it either. So they're between a rock and a hard place. They have to have remote access. They have to have this ability or they're going to cause damage to their equipment. They're not. They're going to have to spin it down so they can't run it as efficiently. They're losing money. All of these things are consequences. And up until now, they've had a, they've just had to kind of close their eyes and hope for the best. Right. Well, let's just get them directly into our environment and just hope nothing bad happens. Right. And unfortunately, as we see with all of these different attacks, that's just not enough anymore, especially in critical infrastructure. But even if it's not critical, you talked about manufacturing. It's critical to them.
Like, I was at a plant yesterday, a manufacturing facility, and if that plant goes down for two days, they're probably out of business. Right. Plain and simple. Like, they're a startup. They've been open for nine months. They've got four out of their eight lines running. But if they go down, they're probably out of business. I don't know that for sure. I'm just assuming. Right, is, anytime you're in a startup, that amount of capital that you're no longer doing and you've got all these people staying around and all that kind of stuff, it's going to impact your business. And to your point, some of these things are not insurable because it's just not. So understanding these and having a mitigation around them, and one that is non-fungible, right. Not one that is, I know good and well that you can't get in here unless I want you in here.

[00:32:50] Speaker C: That's right. And it's a complicated world we live in. You gave the example, I think a telling example is central engineering. A lot of big businesses centralized their engineering teams. There's huge advantages to doing this. If you've got a big team of people who know similar stuff in one place, you have the opportunity for people to grow through their careers, to take on management roles, to become specialists, to exercise that specialty across a number of sites, to teach other people, you know, bring them up the learning curve. You have all these synergies, all these benefits, but they kind of depend on the people being there together so that, you know, you can walk around and help each other out and whatnot. And, you know, I talked about the most consequential sites. When you get higher on the consequence scale, nine times out of ten, it's also increasing in size. The facilities are just bigger. And part of the consequence is because of the amount of money tied up in these facilities.
And think about it, if I have a billion-dollar facility, nine times out of ten, maybe 99 times out of 100, it's producing a commodity. What is a commodity? It's producing gasoline. It's producing something that any other refinery in the world can produce to the same specification. And so how do I compete? Well, I can compete in terms of customer service. I can compete in terms of, you know, faster delivery time if I'm local. But most of the time, a big part of my competition is price. And, you know, basic economics says that in an open market, and the international market, wherever large amounts of commodities are traded, the international market is an open market. You might have communist countries saying we control our market; they can't control the international market. OPEC tries, but for most commodities, you're competing on price. And so we are constantly looking for opportunities to reduce cost. And centralized engineering has huge benefits. And a lot of those benefits you can measure as reduced cost. And so if you want to remain competitive, you have to do this. If you want to avoid disaster, you have to deal with the security implications of doing what you need to do from a business perspective. And when we looked at the solution space, we said, yeah, there's the high-end stuff, the unidirectional people are doing that. Everyone else is doing remote software, doing remote access software. And there's this gap in between. People are saying, you know, I'd like something in the middle, something that is truly interactive, so I don't need to be supervised, and that is stronger than what I've got. So there was this gap that we're stepping into. And, you know, I mentioned a moment ago monitoring and, you know, helping out remotely. What I should say is this is the first release of the product, and in the first release we have a couple of key features. There's nothing, you know, these are nothing new to the remote access software world.
That's a very mature world, technology-wise. But if, you know, if we've got people, dozens of people every day, remoting in dozens of times to our plant, we'd kind of like to know what they're doing, and so you can record those sessions. So there's a record. Some of these people we might not trust quite as far as, do what you want, we'll record it. You might want to, you know, get a notice saying, Fred wants to come in. Is he allowed? Yes, but let me watch what he's doing, so, you know, I don't have to be moving the mouse, but I can be keeping an eye on what Fred's doing. Fred. Fred, you just logged into the wrong machine. Can you go over there? So, extensive logging, session recording, session monitoring. These are built into the first version of the product. And of course there's going to be other features over time.

[00:37:17] Speaker B: Yeah, that's great. Obviously, understanding what's going on in the world and when I'm allowing somebody into my. It's no different than I trust a plumber and I'm going to let him into my house. But depending on my relationship, if it's just somebody I found on the Internet, I'm probably not going to just give him the key to my house and say good luck, and not have any oversight there. Right. But if it's a longtime friend, a family friend, I've known this guy for 40 years, maybe I do give him the key and I just let him in because I've built that rapport and that trust there. Right, but. But that plumber. Not saying there's anything wrong with the plumber, not saying I shouldn't trust him, but it's trust, but verify. I have no idea who this person is and I'm going, I only want them to. Your point, that's the wrong bathroom. Right. There's a reason why when you go into surgery, they mark on the, you know, if you're doing knee surgery, they mark on your knee. Which one? Are you sure that's the right knee? Yes, that's the right knee.
So they don't do surgery on the wrong knee, because once they knock you out, you're not observing anymore. So that is a huge piece to this. And understanding as well as documenting so I can go back. And there's all sorts of benefits to that from a training perspective, understanding what changes were made. If I wanted to repeat this process again, I can look at the video. What happened? What did they do? How did they go through this process so I can train my people, et cetera. There's a lot of benefits to that capability.

[00:38:33] Speaker C: That's right. It's not just a question of trust. There's these other benefits you've mentioned. It's also a question of training. You know, Fred is, you know, with vendor X, they're new, has, you know, I'm looking at my list. Has Fred taken our safety training? No. Have they taken our safety awareness? No. Have they taken our security training? No. Have they? Tell you what, you can come in, but I'm going to keep an eye on you. Okay. You need to do some training, but we need you today and so.

[00:39:03] Speaker B: Right.

[00:39:03] Speaker C: Yeah. It's not just trust. There's also capabilities that need to be considered.

[00:39:10] Speaker B: Well, again, we do that. I went to a plant yesterday, like I said, and I had escorted access. They let me in the door, but I couldn't be by myself. Like I had a badge on and it said escorted access. They trust me to be there as long as somebody else is watching what I'm doing. Right. Eventually I could go through the training, I could get my own badge, all that kind of stuff. And then I would have unescorted access. But it's no different than what we're doing in these spaces. And unfortunately, we're not always implementing those types of things in an OT world. And there's potential impacts that.
And again, I keep going back to CIE, but a lot of these implications and these risks, they go back to really understanding what you're doing before you roll something out, whether it's a process, a technology, et cetera, and really understanding the implications. And what if, if I give you unfettered access to this environment, what is the worst case scenario? How could it impact me positively and negatively, and just really understanding those things so that I can make an informed decision on how I need to proceed?

[00:40:08] Speaker C: Yeah. And risk is complicated. It's a subjective thing. I wrote a whole chapter on it in my latest book, and the feedback I've got is, Andrew, you've got some good ideas in there, but you didn't hit the nail on the head. You know, I've got a formula in there. They said, look at your formula. What are the units on the formula? I do the units. The units are dollars. What number comes out the end? Billions and billions and billions of dollars. What does that number mean? I'm not sure what that number means.

[00:40:39] Speaker B: So.

[00:40:43] Speaker C: I'm doing another version of chapter six. I'm writing the. I've thrown out two versions already, but, yeah, risk is an unserved segment in the marketplace, and this is the opportunity we hope to tap into. And if I may, I've had some, in a sense, pushback. When we did the announcement on social media, one of the bits of pushback was, Andrew, if you've got one way out, sending countless messages out, and one way in, sending countless messages in, and, you know, you're taking my TCP and sending the in this way and the out that way, that's a wire. Okay? Twisted-pair wire has one way this way and one way that way. That's a wire. How much security has the wire got? That's not what we're doing. Okay? There are technologies out there that claim to be unidirectional that are doing that.
They claim to be hardware enforced, that they've got all the security of a wire, and you're going, who are you trying to fool? We're not forwarding messages, okay? All that goes out is the inside CPU scrapes a bunch of screen images and pushes it out. That's it. It's not a router. People ask sometimes what happens if I send HERA a message that HERA is not expecting, and they're expecting an answer, like, well, there's rules in place for blah, blah, blah. There's no rules. HERA is expecting, you know, TLS connections. The hardware is expecting keystrokes. If you send anything else through, it says, I don't know what this is. You know, there was. Even if the hardware let it through, the receiver would go, what is this? I don't know what to do with, you know, TCP requests. I'm not a router. And it throws it out. So, you know, sort of buyer beware. When you look at hardware-enforced solutions, ask the question: which attacks does this solution defeat that the competition does not? This is why it's essential for all of us practicing in the space to understand attack scenarios, understand how attacks happen, so that we have a laundry list of attacks and we say, okay, I've got two competing technologies. This one defeats these six attacks, and, you know, these other ones are irrelevant. This one defeats only four of them. These two relevant attacks aren't defeated. This one is stronger than that one. So when you look at a technology like a wire or like HERA, or like a firewall, look at attack scenarios and understand, and you know, to come back to HERA, any compromise of the Internet-exposed CPUs is unable to propagate into the OT network. That's the claim to fame. That's not true of the software-based competition. No offense to the software-based competition. There's lots of industrial sites where it makes sense; there's lots of industrial sites where hardware enforcement makes sense. And there hasn't been that option to date, and there is today.
[00:43:50] Speaker B: Yeah, and using that analogy for folks that maybe are not following along, but if you look at the difference between I'm going to restrict data flow via a firewall, like I'm going to connect these two devices and I'm going to send data through, and a firewall is going to say yes or no, that that data can pass, but I can misconfigure a firewall, I can obfuscate the data so that the firewall is not looking at it like we talked about a minute ago, which the difference of that is not even talking about a Waterfall. If I just, let's say I'm going to send data out and I have a fiber pair, one is transmit, one is receive. If I only connect the transmit side on my inside device and the receive side on the outside, I can't send data back. The light just goes one way. I would have to roll both fibers, I'd have to do a whole bunch of physical things for that to work.

[00:44:40] Speaker C: And we're digressing a bit, but, you know, your point about firewalls and unidirectional, you know, it's taken me a long time. Only a couple of years ago I realized that, you know, you're not replacing every firewall in an industrial network with a unidirectional gateway. You put the gateways at consequence boundaries, at the boundary between a network whose worst case consequences are unacceptable mass casualty events, and a network whose worst case consequences are acceptable business events that you can buy insurance for. At that consequence boundary, that's where you put the gateway. Everywhere else, most people put firewalls, and here's the thing with HERA: the OT to Internet connection, more often than not, is a consequence boundary. And this is where you'd like some hardware-enforced protection.

[00:45:32] Speaker B: Yeah, absolutely. Awesome. Andrew, I appreciate the time today. Why don't you tell us how can folks find out more about HERA? Maybe get a demo, a deeper dive with you and your team, et cetera?

[00:45:44] Speaker C: Sure thing.
Go to the Waterfall website. It'll be all over the front page. I have a webinar coming up the 31st. So the end of the month, July, depending on when this episode airs. And you know, you can always reach out to me, firstname last. Andrew Ginteraterfallenhe security.com, and I'm happy to connect you with people. And I'm on LinkedIn as well.

[00:46:09] Speaker B: Awesome. I'll put up, yeah, and I'll put all that stuff in the show notes as well, Andrew. So everybody definitely reach out. It's a unique use case and it's a great capability that can do some help in some really cool areas. So thank you for your time. Thanks for diving into it. I'm excited to see more and get my hands on and play around with it as well.

[00:46:26] Speaker C: Thank you so much.

[00:46:27] Speaker B: Absolutely. Thanks, sir.

[00:46:28] Speaker A: Thanks for joining us on Protect It All, where we explore the crossroads of IT and OT cybersecurity. Remember to subscribe wherever you get your podcasts to stay ahead in this ever-evolving field. Until next time.
