Episode 37 - Protecting Critical Infrastructure: A Roundtable on Industrial Cybersecurity Strategies

Episode 37 December 23, 2024 01:01:38
PrOTect It All

Hosted By

Aaron Crow

Show Notes

In this episode, host Aaron Crow shines a light on the collaborative spirit that unites these professionals as they confront contemporary cybersecurity challenges. It features a roundtable discussion with industry veterans: Pascal Ackermann, Senior Threat Protection and Response Engineer; Brett Seals, expert in incident response and threat detection; and Gabriel Sanchez, head of the Advanced Threat Protection Center.

The discussion takes listeners on a journey through both nostalgic tech, with mentions of the Tandy TRS-80, and the pressing issues of today, such as ransomware threats. The guests delve into the delicate balance between old and new technologies, the intricacies of integrating IT and OT security, and the evolving skill sets needed in the field. From power plant vulnerabilities to global geopolitical ramifications, the episode underscores the critical importance of securing essential infrastructure.

Listeners will hear shared histories, stories of past crises, and these experts' proactive solutions. Topics range from cloud and artificial intelligence trends to the crucial need for workforce development. This episode provides a detailed, engaging, and educational experience for anyone interested in cybersecurity.

 

Key Moments: 

 

10:43 Incident detection parallels between the control room and the SOC.

13:58 Integrating safety programs into utility sector operations.

19:24 Balancing risk vs. cost of device replacement.

24:10 Immediate support is critical for 24/7 operations.

32:21 OT and IT share the same protection goals.

34:59 Focus: Enhancing asset management and system visibility.

39:42 Early hacking: dialing, shared networks, pranking neighbors.

44:32 Shift towards active technology use in OT.

50:58 If it ain't broke, don't fix it.

55:37 Defending infrastructure and impacting global mission together.

59:52 Issues transcend borders; global cooperation is needed.

 

Guest Profiles: 

 

Brett Seals is an expert in incident response and threat detection engineering, currently working at the firm 1898. Before joining 1898, Brett garnered a decade of invaluable experience in the United States Navy, where he supported both expeditionary and cybersecurity operations. During his Navy tenure, he served at the Navy Cyber Defensive Operation Command, the Navy’s equivalent of a Security Operations Center (SOC), managing a fleet of sensors. Brett also spent considerable time around the Fort Meade area. As the COVID-19 pandemic began, he transitioned from his military role to his current position, continuing his commitment to cybersecurity in the private sector.

Gabriel Sanchez embarked on his professional journey in the early 2000s, transitioning from college into what we now recognize as a burgeoning career in cybersecurity. Initially, Gabriel found himself working as a contractor for the Department of Defense, focused on missile simulations and charged with the responsibility of protecting their network—an early, hands-on introduction to cybersecurity before it even had a formal name. Following this formative experience, Gabriel spent the next decade in the electric utility sector, stepping into a groundbreaking role to establish an entirely new cybersecurity program from scratch. His trailblazing efforts in this novel position underscored his capability and foresight in an evolving digital landscape.

 

Pascal Ackermann is a seasoned professional with over two decades of experience in controls engineering and operational technology (OT), having entered the field in 1999. Throughout his career, he has focused on building resilient and secure OT networks. For the past year, Ackermann has specialized in helping customers make sense of security events within their environments. He assists clients in discovering and interpreting security incidents, providing insights into their relevance and impact. Additionally, Ackermann and his team are equipped to respond to security breaches, offering on-site services to recover, remediate, and ensure systems are back up and running efficiently. His deep expertise makes him a trusted resource in cybersecurity for OT environments.

 

Connect with Brett at https://www.linkedin.com/in/iambrettseals/

Connect with Gabriel at https://www.linkedin.com/in/gabrielsanchez-1898andco/

Connect with Pascal at https://www.linkedin.com/in/pascal-ackerman-036a867b/

Company website: https://1898andco.burnsmcd.com/

 

Connect With Aaron Crow:

 

Learn more about PrOTect IT All:

 

To be a guest or suggest a guest/episode, please email us at [email protected]


Episode Transcript

[00:00:00] Speaker A: You're listening to PrOTect It All, where Aaron Crow expands the conversation beyond just OT, delving into the interconnected worlds of IT and OT cybersecurity. Get ready for essential strategies and insights. Here's your host, Aaron Crow. Awesome. Hey, guys. Thank you so much for joining me. This has been a long time coming. I'm excited. Normally I have one, maybe two guests. This time, there's a whole bunch of us. Right. It's a good roundtable. So I'm going to kick it off with just, you know, kind of pitching it over to you, Pascal. Pascal and I work together at EY. We've known each other for a long time. This, this industry is so small. I love how much, you know, even though we, we, you know, I work for Morgan Franklin, you guys work for 1898 there. I don't see us as competitors. I see us as so much. There's so much that we can do to lift up this, this, the needs in this space, and there's more work than, than any one of us can do or any one company can do. And I really feel that the more we work together, the, the work comes on the, on the back end of this. Right. So, you know, yes, there's going to be times where we're going to be competing in an RFP or anything like that, but there's more times that we can go together and help each other and help the community. So I appreciate you guys taking time and being on my podcast today. So, Pascal, why don't you introduce yourself, tell us who you are, and. And we'll just kind of go around the horn.

[00:01:20] Speaker B: Yeah, thanks. Thanks for that. And yeah, by the way, you're absolutely right. Right. So today we're working for 1898 or. Or for Morgan Franklin, but next week or next year, it could be different again. So being friends, having those connections in the community is what's key to me. Right. It doesn't really matter who's paying for your T-shirts, but yeah, Pascal Ackermann, I'm the Senior Threat Protection and Response Engineer with 1898.
That's a long title to basically say that I help our customers make sense of security events. But first of all, we'll try to help them discover security events in their environment and then also try to make sense of it in a means that when there's something comes up, we have the staff to go out and say, hey, this is what this really means. This is really not really relevant to your environment. Or it is. And then we have the team that can go on site and help recover, remediate or another shape or form, get the customer back up and running again. So I've been doing that for about a year now, but before this I've been in controls and engineering and OT and ICS or whatever you want to call it these days, since 1999. So if you followed my career path, I started off as a controls engineer, then I started building resilient and secure network OT networks and then I started attacking them. And now I'm basically combining all of those knowledges into the new role where we have a security operations center specifically designed for OT space. So with that I brought two colleagues of mine on this call that are trying to keep me in charge. Trying to keep me in order, I should say. Well, start with Brett, man, we'll introduce yourself.

[00:03:07] Speaker C: Hi, yeah, I'm Brett Seals and I do incident response and threat detection engineering. In 1898, I work for Gabe. And yeah, I came here after 10 years in the United States Navy where I supported expeditionary and cybersecurity operations to include working at the Navy Cyber Defensive Operation Command, which is kind of like the SOC of the Navy and their fleet of sensors out there.
And yeah, no, I spent some time out and around the Fort Meade area and as the pandemic was hitting, I was transitioning out and you know, the social engineering campaigns that I ran on various industrial cyber cybersecurity consultancies started to yield some fruit and I got my white whale, Burns McDonnell, 125-year-old architectural engineering and consulting firm that was right down the road from the rust belt that I grew up in. Right. So it was a name in the household. And I can't tell you how pleased I was to earlier this year find out that the guy who wrote what I consider to be one of the most direct and actionable tomes on industrial cyber that was modern and relevant was being picked up by Mr. Gabriel Sanchez here to come and work with us. So I, when he came on board, I told him that he'd been working here a lot longer than he realized because the way that the words went on the page made sense to me and it was resounding. Truth is resounding to all. So that's the, the kind of philosophy, mindset and shape of the way that I've approached being actionable in industrial cyber.

[00:04:55] Speaker B: Yeah.

[00:04:56] Speaker C: But Gabe brought us together, so. Over to you, bud.

[00:04:59] Speaker A: Good job, Gabe.

[00:05:00] Speaker D: Yes, yes. So Gabriel Sanchez been doing cyber security for, man, the, the 90s. For anyone that gets glimpses at the video, you'll be able to see some antiques in the background. Early 2000s, I was actually getting out of college and actually getting paid to do what we call cyber security today, but was basically doing DoD type contracting. Didn't really realize I was doing cyber security at the time. Was basically organization that was doing different type of missile simulations. And they say you need to protect our network. And so that was kind of cybersecurity for me, learning on the job. And then after that I went into electric utility space for about, for about a decade. And that's really where it was. It was very new.
I basically went into position that hadn't existed before. They said build the entire cyber security program. What I thought was going to be two years turned into about a decade after that went into the banking industry kind of at a global scale, supporting about 80,000 employees doing cyber security there for operation centers. And now I sit today leading the advanced threat protection center, trying to make sure I keep Brett and Pascal happy as much as possible. So although sometimes they say that they work for me, it's kind of really the other way around. I basically work for them to make them happy. So based out of Houston, we run an advanced threat protection center. And it's kind of like Pascal said, a security operations center with an OT focus.

[00:06:36] Speaker A: Very cool. Yeah, I mean that Mac on your desk looks similar to mine over there in the corner. So that was my very first Mac computer. Back in the day I had a, my first computer was a Tandy TRS-80.

[00:06:49] Speaker C: I got a Trash-80 that controls the lights in my underground bunker here.

[00:06:53] Speaker A: There you go.

[00:06:55] Speaker B: Let's hope it keeps running.

[00:06:58] Speaker C: Hey, it's the most dependable computer I have.

[00:07:01] Speaker A: Yeah, exactly, exactly. Well, awesome. So, you know, that's what I love about this industry is I think most of us really got this and we came through it like we didn't go get a degree in OT cybersecurity because we were around before it existed. Like we were, we were in the marketplace before OT cyber was a thing. We didn't even call it OT, like very similar. I worked in power utility and I've worked in critical manufacturing and some of those places. But a lot of my career was spent in, in, you know, power generation and transmission distribution and. And I got kind of shoehorned in because I, I worked in IT.
I did networking, I did systems administration and Active Directory and Exchange and all that kind of stuff in corporate America. And I brought those skill sets to this place and like, hey, we, we have to design a secure network and NERC CIP and all these things, nobody knew what to do. They were control engineers and they were doing the best they could, but they. That's not their skill set. Right? So. So a lot of the people like us that are out there, most of us have that type of story. Like, we, we started out here and we transitioned, and all of a sudden now we're doing this OT cyber stuff. And, and that, that's a good thing because with that we bring the experience of being a controls engineer first. Right? So when, when Pascal's looking at a problem, he's not coming from, you know, some cyber security textbook he read. And, and he's bringing that thing down. He's like, I was a control engineer, not doing that here. This is why. And we can do it. We just have to do it differently. Right? So that's the conversation I have all the time. And I love the experiences that we bring from, from that perspective, from the plant side. Right.

[00:08:37] Speaker B: And. And that can be a very difficult conversation too. Right. You go into a site and there's ransomware everywhere, and they'll be like, what do we do? Do we pull the plug on stuff? I'm like, well, what happens if we do right? If you, if you lose your HMI, if you take this, this switch down, what's it gonna affect the rest of the process? And people be like, okay, maybe if I take this HMI off now, I can't control my steam engine, my steam turbine. Maybe we shouldn't do that. So it makes for a really tough situation, a tough conversations once you get into those scenarios.

[00:09:08] Speaker A: Absolutely. It's a different, you know, OT, we have the same problems that they have in IT. We have a lot of the same tech stack nowadays that they have in IT. It just how we deal with resolutions are different.
Like what I do, you know, right of. And even left of boom, but specifically right of boom is going to be different. Right. In an IT world, I may kick something off the network, force things off, reboot. You know, a lot of things in OT, from my experience, a lot of time that's picking up the phone and calling the control room, hey, something's going on. What can you do? Do you know what's going on?

[00:09:44] Speaker B: What am I allowed to do? What am I exactly?

[00:09:46] Speaker C: You know, my time in Southeast Asia, there's a saying there. Actually, I have a short shirt I wore the other day on the front says, same, same, but different.

[00:09:54] Speaker A: Right, Right.

[00:09:55] Speaker C: You know, because there are so many things that are same, same, but different. Because I just. Earlier today I was having a conversation with somebody talking about the way that I've customized the NIST IR 8428, I'm not sure if you're, you're savvy, but I think it's just a fantastic framework to be able to, to custom tailor. Right.

[00:10:11] Speaker A: So talk about a little bit what, explain what it is for sure.

[00:10:14] Speaker C: Yeah, sure. So it is an OT DFIR framework that NIST put out two, three years ago now. And it has some very. It's a framework. Right. So it's a, a way for you to be able to generalize and abstract the specifics of your process environment. And I tune it to make it a specific thing that we can fit our playbooks, runbooks, whatever we want to call them based off of the magic words of our clients, industry or culture. Right. Because you know, being able to, to look at that first initial phase where we're doing incident alert detection, there's an analog between what happens in the control room and what happens in the SOC. Right. I'm doing. Each event has attributes, to use the object oriented programming terminology. Right.
The, the criteria of those attributes are what constitutes our priority and our communication, our response playbooks in relationship to it. And the same thing is true in OT, except for the most urgent criteria is the plant manager having to put his hard hat on. Right. And if he has to go down onto the floor, then we've got. That's an urgent problem. We have enough downtime to where Bob had to get his hard hat and nobody wants Bob's feet on that floor. Right. Whereas on the other side of things, we're being able to make the urgent assessment of whether or not it's a legitimate root level intrusion of a perimeter DMZ asset. Yeah, but the correlation between those two data sources is how we still conduct root cause analysis the same way and we share the findings from one another. And all throughout the incident life cycle. It's, it's like that I'm getting data sources the same way from OT that I am from IT because a lot of the IT systems that now overlap with that OT environment and the detection sources are from a mature process environment detection system that came from the need, the legitimate need of asset inventory or discovery to be more accurate.

[00:12:24] Speaker A: Yeah, and that's the thing. There's a lot of frameworks out there, but I think you hit on a good point there. Right. That framework is really a common language that we know how to talk about things. Right. It's whether. Choose. Choose one. Right. I've implemented lots of different frameworks and you know, you can argue NIST 800-53 is better or NIST 800-82 or any of the frameworks that are out there, which is better. I don't think it matters as much which one you choose. I think there are some that are more applicable to your industry maybe, but even any one that you choose, it's fine, pick one. And that's the language that you use to, to write the policies and procedures, to implement the, the capabilities and the controls.
It's just a language, it's a dictionary that you go, hey, what is an incident? What is a response? What is threat detection? Like, what are those words? So we know we're talking about the same thing at the same time.

[00:13:18] Speaker C: Yeah, yeah, an authoritative reference to stand on.

[00:13:21] Speaker B: Right. And you'll find that you'll pick one, right? Hopefully you pick one because, well, imperfect security right now is better than perfect security never. Right. Just pick direction. You'll find that after a couple years you'll be like, this is nice. I did the NIST cybersecurity framework or whatever, the NIST DFIR and it fits my needs about 90%. What else is out there? But now you've got the terminology, now you got the know-how and now you get your environmental awareness to see, okay, maybe something from the ISA portfolio is better suited for me. But you have the ability to ask those questions and to have that knowledge.

[00:13:56] Speaker A: So what are what. Go ahead, real quick.

[00:13:58] Speaker D: And Aaron, you might have run into this like in the utility space, but one of the, like, the key thing for us is, you know, for example, for me in the utility space, safety. And we could argue OT overall safety is a huge thing, but what programs does that specific sector have? And then how can you implement, and Brett uses the words like tuning or the, or we can even get frameworks. How do we kind of implement those pieces into what they have already, what they've been doing as part of their safety program and kind of risk analysis for, you know, for decades. Right. And that's a, that's a bridge, you know, talking the common language and then also getting it to still kind of feel the same with the same outcomes, which is basically making sure you can operationalize, you know, whatever it is that that critical sector is doing while keeping, you know, safety in mind has been kind of a key piece.

[00:14:49] Speaker A: Yeah, absolutely.
All of these places, again, we all came from more of an operational role. Many of us in OT have and, and it's very common to see safety is important. Safety and availability. You know, if you, the CIA triad I don't care, I don't care about confidentiality. I care about availability and, and I associate availability and safety, those are kind of, you know, parallels. Right. And availability and safety trumps everything else. It's not that I don't care about confidentiality, it's just not the priority. The most important thing is, is to control and be it safe and make it safe. Right.

[00:15:22] Speaker C: The way that I sell it is that the, the idea of CIA in IT, and OT, we have safety, reliability and productivity. Right. And that's the paramount, that's the triad that governs our OT cybersecurity programs. Because you know, another, another quick and easy analogy that, that is attached to this. In, in IT we have zero days and OT, we have forever days. Right. It's a completely different foundational philosophy in IT. As a the IT guy who went OT, right. It made me want to rip my skin off. It was terrible. Right. Like it's, it's, it's an awful thing. But it's just a reality of these high availability environments that are also easily to measure whether or not they're actual stable.

[00:16:07] Speaker A: Right.

[00:16:08] Speaker C: They're so consistent.

[00:16:09] Speaker A: Yeah. They don't change. Right. Sun Tzu, Art of War. I'm not patching every day, I'm not updating every year. I'm not replacing all my hardware. There's as we've all been in places where equipment's been there for 40 years and it is reliable and consistent and capable. So you know, and I see a lot of OT cybersecurity pundits, you know, well, you can't scan the network, then it's not safe. You shouldn't rip it out. You shouldn't be dependent upon something that I can't scan. And like that's just right.

[00:16:39] Speaker B: Wrong.
Even the stuff that's not reliable, if the, if it's part of, if it's an integral part of your process, it's going to have to run. Right. I've been in environments where they had, they had a 386 and every day it would overheat, but it would run, it would run like the most core part of the process, the standardization of the milk standardization process. I think I went around anyway, but they couldn't replace it. So every day they would pull out the plug, put it back in, reboot it and start the process. And after about 20 years of that, they finally decided to move it all to a PLC. And that was a million dollar project to get it off that 386 onto like a standardization PLC. So I know why they didn't do it, but in the meantime, they need to keep running.

[00:17:28] Speaker C: 386 reminds me of a realization. You know, sometimes you, you learn things that you learned as a kid, but you remember them as an adult and they have a whole new context. Right? So when I was a kid, my mom and I had a Tandy 386 with a floppy drive. We got an extra SCSI drive. Right. And I didn't understand why it is for the longest time because I was on the peak of Mount Stupid through my cyber security journey for so long and continue to be in so many other ways why it was that I had to like, I typed before I could actually read because there was a book, a compile. Now I understand that it's because the system binaries for the shared objects on that operating system at the time was not universal enough for all the drivers that were being required. So you had to compile the binaries on the 386 because Lord knows what kind of weird drivers that were required to run your Sound Blasters by Creative Labs, you know, and that's really an analog as well to the reason that that million dollar project happened on something that somebody bought in 1985 for $1,000 maybe. Right.
[00:18:36] Speaker A: Well, I mean, we, you know, Gabriel, you came from Power Utility and, and every turbine control, every turbine control cabinet you walk up to has do not key mic when this cabinet is open. Right?

[00:18:47] Speaker D: Yeah, exactly. Yes, absolutely. It absolutely did.

[00:18:52] Speaker A: And there's a reason for that. Could they get equipment? So could you just say, oh well, that equipment's not good because you can't key a mic. That's, that's a risk. And yes, and that's the conversation I think we have so often. And the biggest struggle I see from IT practitioners and cybersecurity, you know, folks that come into the OT space that it's hard to wrap their head around sometimes. That, that 386 that's running in the corner, don't touch it. Leave it alone. And it may cost $5 million now to replace that thing. And this, this, this site only makes a million dollars a year. So I would lose money if I replace that thing. But if I, if I, if I, if I, if it doesn't work, then the whole place shuts down. So it's that risk reward conversation of when is it risky enough that I need to replace it or mitigate versus just leave it alone. Accept the risk of, I know I have to reboot it every day, but as long as it works That's a lower risk than replacing the PLC that isn't guaranteed to work in a short period of time. And the cost, it may take me 10 years to recoup that cost because the margins are so small. Right. And that's a different conversation in OT that the IT folks, they just throw capital dollars at it and you know, replace, you know, with brand new MacBooks or you know, whatever and put it to the cloud. And that's just not the same in OT.

[00:20:08] Speaker C: No.

[00:20:09] Speaker B: If you can even refine the replacement, right. For stuff like that, it's just like, yeah, on the IT side, you go to the next greatest and latest database server, you upgrade that stuff.
And there are situations where you can, but in most situations there's, if you throw enough money at it, you can fix it. And on the OT side, I've been in situations where you can have all the money you want, but if a vendor doesn't exist anymore and you're running that Windows NT blow molding machine and you need to have a replacement for that NT, better hope that you get a backup with at least the software that you need to install because.

[00:20:42] Speaker A: Well, and it goes back to that availability and reliability, right? We've all had Windows machines, Mac, newer technology, and yes, it's way more capable, we've got GPUs and all the stuff that can do is incredible. But what I want to depend my life on, like if this was a life saving device and I was scuba diving and this computer was controlling my oxygen and I was a mile below the surface of the, of the water and I was depending on a Macintosh or a Windows 11 machine, am I going to put my life and expect it and then allow people to patch it while I'm under, under the water?

[00:21:21] Speaker D: Well, a lot higher consequences, right? And that kind of brings us to, and this is probably a bad word, right, it brings us to a lot of that IT convergence, right. A lot of people don't like that. That, yeah, I know we got a drink already. That buzzword of the, of the convergence. But I do think there's convergence with responsibility, with convergence with people, but it's not necessarily always a convergence in the approach, right. Like to your point, the approach is different, the culture is different. And I think sometimes, at least I know I sometimes will take it for granted because I've been through the IT, I've been through the whole OT experience and kind of back and forth, but there's a lot of organizations that it just becomes, it seems natural to say, well, I have an operations center that's with IT.
Well, now I'm just going to extend that into the OT because there are similarities with software and there are similarities with, they need to protect their, their networks and firewalls and so forth. But, but the approach is just a very, very, very different thing and the risks are much higher. And then how do you have operators have enough confidence that someone that is maybe a tier one that does your initial triaging as a typical operations center knows to make the right call to say, hey, I think you should do this when you got. The operator has been, you know, boots on the ground for 15, 20 years and saying, what does this person know about. Right OT, right, Right. So I know I just opened up a can of worms.

[00:22:51] Speaker B: Everybody's ready to jump in. I see.

[00:22:54] Speaker C: Are you, are you talking, are you saying that I shouldn't send in an nmap -T4 just because I learned it at a SANS class? T5, not all the way. Is that right?

[00:23:11] Speaker B: Yeah, T5 is insane, insane speed is T5.

[00:23:15] Speaker C: But yeah, I was trying to be conservative, okay?

[00:23:18] Speaker B: Oh yeah, fair enough.

[00:23:19] Speaker A: Yeah, well, but you know, it's, it's, it's, it's funny because again, IT/OT convergence and I, I agree that there are things that we can, for instance, let's, let's pick an easy one. We both have firewalls. We have firewalls in OT. We have firewalls in IT. There's a prime example of how you can use and leverage your IT organization, who probably has a firewall organization. And that's all these people do is firewall, firewall, firewall, firewall. And you can use their knowledge to help you make sure your policies are good and that you know your firewall rules are good and you don't have any any-anys and things like that that we see all the time in OT. Right. But the prime example that I also, that I also see is telecom.
And a lot of folks use telecom or their networking organization because again, we're using Cisco switches, whatever switches in these OT spaces. Well, why wouldn't I just have telecom support them? And the prime example, I always ask, and I'm not saying that they can't, and a lot of organizations have been successful. But when that plant that runs 24/7, when that switch fails at 3 o'clock in the morning on a Saturday, they don't want to put in a ticket and wait three weeks to get a replacement. They need it now. So what happens is, is if you, if you put in IT with a dependency upon an IT organization that does not have the SLAs to support the needs of the facility. Then what do they do? They go to Walmart and they replace it with a D-Link off the shelf because they need the plant to work. And then they kick IT out and say you are not supporting me anymore because obviously you're not supporting me anyways. So I'm not going to let you in my facility anymore. And we're going to do it on our own and we're going to leverage our vendors and our insaf, our controls engineers that are smarter than you anyways about our process and we're going to do it our way. And it may not be your secure way, but it works. And your way left me in the dirt and it wasn't working. And I've seen that at every kind of facility you can imagine. Why is that D-Link there? We had to go through IT. They didn't support us. So we went to Best Buy and got a switch and it works and we're not touching it. Don't even look at it.

[00:25:23] Speaker B: I haven't, I haven't just seen that. I've done that in my previous life. Right. Control engineer, middle of the night. Okay, who do we call? Well, IT, beep beep beep, will be there between 1am, between 1pm and 2pm. Bye bye. So what do you do? You go to something that's open 24/7. Thank God we still had Fry's at that time. And then you get, you do what you need. Right.
Because production, it's not going to be the IT folks who have to go to the plant manager say well, we have downtime because we couldn't get our ass out of bed. But it's going to be us having to say that.

[00:25:58] Speaker A: But yeah, well. And that goes back to another example of why it's different. Right. And it's not just the technology stack is very similar. So if you look at it on paper, it's really easy to see, well I can use, I can leverage my IT organization. But it's that people process and technology and, and Pascal, you just hit on something. Your bonus was probably tied to the availability of that plant. Yeah, IT's organization is not. So when it goes down, your bonus, your paycheck, your job is literally on the line. Theirs is not.

[00:26:30] Speaker B: And then you're trying to get a hold of them. So that could be.

[00:26:33] Speaker A: And they're, they're, you know, best cases again, power plants, they're in the middle of nowhere. They're, you know, I worked at TXU and or Luminant or Vistra or whatever the heck you want to call it. We were, you know, headquarters was in Dallas. Well, my power plant is six hours away. The I, all the IT people are there. They don't have IT staff in the middle of nowhere at my power plant because it's too expensive. It makes sense, but I have to have a way to get this thing back up and running. So I, I lean on a Pascal type person and he's going to go to Fry's or Best Buy or he's going to go pull a switch out of his. Whatever he has to do to get it up and running. And we've all seen it.

[00:27:10] Speaker B: I'll send it to the cloud if I have to.

[00:27:12] Speaker A: Right. Whatever.

[00:27:14] Speaker B: Opening up again. Yeah.

[00:27:16] Speaker C: Getting out of the military, one of the things that I didn't expect was all the fun cultural, like measurements that you had to do as a consultant. Right. It's like considerably different because it's a much more stable culture in the military.
[00:27:30] Speaker A: Sure.
[00:27:30] Speaker C: But I quickly come to understand that and make the joke that, you know, we are kind of like marriage counselors for OT and IT. Right. Like everybody, everybody has different requirements out there and the dynamic of what makes an organization and reminding and having an objective third party kind of help connect the dots between, hey guys. Your requirements actually align to the same business objectives. So this is how you support each other and it's a natural check and balance that you have. But between the, these two parties to be able to maintain safety, reliability and productivity. Right, right. And you know, like the, the stories that I've heard or some version of, you know, 20 or so years ago we had the IT guys come in here at the site. They gave us these Cisco switches. Didn't have the, the real time packet requirements of our protocols. So we ended up getting burnt. Didn't get the good maintenance contracts that we expected. Had to get swapped out, kick them out. Now we have corporate IT. Right. And the, the analogs are still there locally at the site. That's typically the configuration that's gone into. But now our OT engineers and the process control guys, maintenance guys, they have been, their, their positions have expanded to include all this cyber stuff.
[00:28:53] Speaker A: Yep.
[00:28:53] Speaker C: And they're ready to see some help. But they have to learn how to love again, Aaron. There's not trust, you know, so that's where we talk about advocacy, training and, you know, not being too aggressive in communication.
[00:29:06] Speaker A: Yeah. Here's the job.
[00:29:08] Speaker B: Here's the kicker, though. So here's the kicker from, from all of those, from all of those companies, organizations I've been with, the ones who do OT and OT cybersecurity, the best are the ones who have IT figured out, right? How to have IT and OT work together.
That, that might have like an IT centric, a business acquisition program where they get their equipment, but then they have an OT person who does the maintenance, who does the uptime, who does the patches and stuff so that they, they know what the schedule is about. They don't reboot a switch in the middle of the night. No, they actually communicate with the OT team. Hey, we need to do this update, I need to get some available time. And then they work with them to get that implemented. So the companies who do that, that IT/OT liaison the best, and it could be a one person, it could be a team, but the ones that do that are typically the best at doing cybersecurity for the entire organization as well. And I've seen a lot of that, a lot of progress. When I wrote my first book, what ten years ago now, that wasn't there. It was really, it was like, IT, OT. They didn't like each other. They actually were in each other's way for a lot of things. But it has come a long, long way. Where I'm starting to see the difference now is more into the, into the response of things. So they're really good at segmentation. A lot of customers or a lot of organizations really started to push for architecture that's defendable. They've installed network security monitoring tools and asset management systems or asset discovery systems. But now they're being overwhelmed with all of this extra data they're getting. So what to do with these events? What does it mean to have FrostyGoop going around? Is that really relevant for my system? Right. And that's honestly the reason I joined the 1898 team. Because I've had those conversations with so many asset owners that I'm like, we need to come up with something that we can support them. And I think the MSSP that we built is a fantastic way to go out there and help customers say, no, don't worry about FrostyGoop because you're an EtherNet/IP shop. Right. It's not going to affect your environment.
[00:31:17] Speaker A: Yeah.
And people don't know what they don't know. Right. They see what's in the news, we see these nation state attackers going after all these things. You know, there's more and more, you know, fear and you know, the sky's falling, you know, do everything and, and again, the OT market hasn't helped, the, the vendor market of, you know, pushing that fear to sell. Fear sells. You know, we, we know that, but as an asset owner and as a, you know, provider and a service provider consultant, you know, MSSP, all, at the end of the day, the good ones like us want to help. And I don't want to just sell you something to sell you something. That's not what I want. I want, we all want to help because at the end of the day, I'm dependent upon this electricity to work and the, and, you know, the, the gas to get there and, and, you know, my Amazon order to arrive and, and all the things that we like, right? It's Christmas and Pascal's got his hat on, right? You know, it's, it's the, 'tis the season to order stuff, and we want that stuff to work. So it's dependent upon all of these things working. And, and to your point, Pascal, like, I see the biggest challenge and I'm excited to see a change and I've seen it in my career as well, is, is OT and IT. We're on the same team, right? We're, we're literally on the same team with the same goals. And, and yes, maybe you're, you know, on the offense and I'm on the defense or we're on special teams or whatever analogy you want to give, but we have the same jersey. Like, remember that we're not enemies, we're not opposing forces. We're literally protecting the set. We want the same protection for these assets. We may do it a different way or come at it from a different perspective, but we all have the same goal of protecting these assets and making sure that it's, it's available and safe and, and reliable and capable and all of those things that aligns with the business organization. Right?
And it's just a matter of making sure those teams talk and they network and they, they have relationships and, and I know, hey, I need to do this, and this is a concern I have, and I reach out to Pascal and say, hey, this thing came up and we're, we're doing these things in IT. Is that something we need to worry about in the OT space? And he could say, yeah, it's not really a problem here for this, this and this reason. But like, okay, we'll note that, right?
[00:33:31] Speaker C: No, finding the ways to be able to, to connect and not just, you know, find common ground between those integration points between IT and OT, but also be able to do support functions. Right? To be able to use automation capabilities and data analytics to be able to gain observations about how to improve the production process. The safety. Like there's a lot of money that is left on the ground that could be weaponized from some of the data that comes off of security tools in this, in these environments too. Because that's again where it all started off from, monitoring process states. But drawing those two together and it's. I'm glad, I'm glad I got here when I did. I also feel like I lucked out because I'm on the tipping point that kind of people were at with OSHA in the 70s that I've heard from a lot of my family members about how everybody was real frustrated about having to pay to implement all these controls. But once they got in place and, and they actually had more uptime from less loss of life and injury. Right?
[00:34:42] Speaker A: Yep.
[00:34:42] Speaker C: So like we're on the other side of that one now. People appreciate the risks enough to know it's not fairy tales. But we still have some work to do on what I heard here is how we started the call. Workforce development, that culture aspect, right?
[00:34:57] Speaker A: Yep.
[00:34:58] Speaker C: Hearts and minds.
[00:34:59] Speaker A: Well, I mean when, when I started this at, at, at Vistra, you know, doing this, it was, it was really because of NERC CIP is why the company had allocated budgets towards this. But I didn't have budget. So when I was rolling out, going to these, we were literally doing control system upgrades at all these plants and they were having to implement NERC CIP. So they were medium sites. We were segmenting units so they were, you know, they wouldn't hit that 1500 minute and 1500 megawatt and 15 minute timeline. So they'd be a low impact which had different requirements than medium. All that to say when I went to these sites, I wasn't saying, hey, I want to do cyber security stuff. I was going in saying, hey, I can get you better availability, better visibility and understanding of your assets. Is that something that would be valuable to you? Yeah, absolutely. Awesome. Now on the back end, I was getting all the cyber stuff that I wanted, but they don't care. Especially 12 years ago they didn't care about that, nobody cared about. And the answer, anytime anybody came in about cyber security, the plant manager would say the same thing: unplug it from the network. I don't care about cyber security.
[00:36:07] Speaker D: Yeah, but you've, you know, like to your example, you've tied that into metrics that they now care about. So I think that was super important because they've been living with metrics for a long time. How long the light's been on. How long have we been, you know, doing our production? The assembly, you know, line's not, is not broken. Right. And so tying that into metrics without necessarily just, you know, rushing at them with the cybersecurity piece is a really good approach.
[00:36:33] Speaker A: Yeah.
[00:36:33] Speaker B: And it's knowing your audience too, because I'm pretty sure the people you told that story to or you told those advantages to of the solution you were implementing were probably engineers, maybe management of a plant. So those, those are typically. They love that, that asset management, maybe some sessions seeing in there what kind of traffic, what anomalies. Hey, what's this new system? But the higher up you go, the more they're distant, the more they go to like an Excel sheet type. Okay, if I install this, yeah. It's going to cost me a little bit extra, but in the long run, I'm preventing a cyber breach, which, if you look like a competitor, is going to save you a million dollars for every occurrence or 10 million, whatever that is nowadays. So it's about finding the audience.
[00:37:15] Speaker A: Yeah.
[00:37:16] Speaker D: One of my favorites is about the visibility of just vendors that are even authorized to be on their network, but it's only at certain, certain times. Now they're getting visibility into. Wait a minute. Why did they log in at this time or over the weekend? Right. So it's not always the, the big, big bad hacker. Sometimes it's just a matter of just what's going on, who's coming in and out of my house. Now I see that and I know it. I better lock things down.
[00:37:39] Speaker C: You know, turns out the integrator that you hired had a layer VPN, layer 2 VPN connection into your process environment. And it's autostart on his computer.
[00:37:49] Speaker D: Yeah. Oops. Yeah. Could be accidental for sure.
[00:37:52] Speaker A: I, I literally did an assessment at a power plant in October in West Texas, and there were 3G, 3G modems sitting on the outside of the pack. And I asked the engineer what that was for, and he said, the vibration monitor vendor has remote access through that system. So it completely bypassed everything and it went straight in.
Now, the, the, the vibration monitoring system didn't have control, so they say. I said, but what happens if it trips because it detects vibration? I don't know. I'm like, I'm pretty sure it's probably gonna have a trip. Don't you think? If that turbine is out of, out of alignment, you don't think they're going to trip the unit? [00:38:30] Speaker D: Absolutely, yeah. [00:38:32] Speaker A: I'm like, maybe we should look at that. [00:38:37] Speaker C: Any Kind of stuff about the bottom. [00:38:40] Speaker B: Even if it's just a jump point. Right. Even if it's not properly secured and it's just a jump point directly from the Internet to your internal network with the rest of your control system. Eventually, if it's not doing control right now, but you're wide exposed, wide open to the Internet, eventually that's going to be a control point because somebody's going to find that hole and it's going to get on your network and either deliberately or by accident, knock something over. [00:39:04] Speaker A: Yeah. [00:39:05] Speaker C: The old story of how the casino got hacked from a fish tank thermometer. Yeah. You know, I mean, it's out there in the streets, kids. [00:39:13] Speaker A: Well, it's the same thing. Same thing with target, right? When target got attacked, it wasn't. They didn't come in the front door. They went in through a subcontractor and came in the back door. Right. That's the way these things happen. They're gonna. A hacker is going to go the path of least resistance. And the other thing that I always hear is, well, we're too small. Why would anybody want to attack us? Like, I think we know now. They look at Shodan, they. They find if they can see you, they're gonna. Yeah, it's there. I saw you like the opportunity. We are. We also. Yeah. [00:39:41] Speaker D: Training ground. [00:39:41] Speaker C: Right. [00:39:42] Speaker A: We all saw War Games back in the day where he was just dialing, trying to get a video game and ended up in the wrong computer. 
Which obviously that was a video or as a movie, but still it's the same thing. Like they're just playing around. I remember when, when again, this is dating my technology, but I remember when I first got the very first cable modem. High speed Internet and cable modem at that time was shared network. So when they plug in, you're on a shared network with all of your other neighbors and it's on a, you know, /24 network. So I just started pinging around and finding other computers and then I found a printer, shared. So then I printed something to one of my neighbors, like I see you or something. Did you try annoying on Microsoft?
[00:40:23] Speaker C: There's a deep cut from there. I remember that stuff, dude. Yeah, that was bad. It was bad.
[00:40:28] Speaker A: But that's the way it was, right? Yeah. It's because I could. I wasn't malicious. I didn't break anything. I wasn't trying to steal anything. I was just being stupid because it was fun.
[00:40:39] Speaker C: One of the things that's the coolest about working where, where we do is that I have the ability to like, I, I was going to go talk to a client about trains. So I went and talked to a guy that has worked on trains and nothing but trains as an engineer for the last 30 years. Right. And when I was asking him about these automated braking systems and how they're set up and I was kind of describing the type of attack profile that I was like workshopping with him and he didn't realize I was weaponizing him. Right, right. But when I was like, so could that work? And he was like, well, yeah, but why, why would you do that? And I was like, yeah, exactly.
[00:41:11] Speaker A: That's why it's available.
[00:41:15] Speaker C: Yeah. You know, because they just want it to work. It's. It's form over function. And that's why security always falls off by design. Unless it is such a requirement that it makes it just appreciated instantly by the people who are building it.
And it stays through the development of the thing. Right. It has to be there from the beginning and stay in there otherwise you'll be bolting it on forever.
[00:41:41] Speaker D: Some interesting use cases that I see just real quick, Aaron.
[00:41:43] Speaker A: Yeah.
[00:41:44] Speaker D: Interesting use cases that I see sometimes is where IT is getting impacted, ransomware, doesn't matter what it is. Right?
[00:41:51] Speaker A: Sure.
[00:41:51] Speaker D: And where they'll just all of a sudden go into just let's shut down all of OT or completely, you know, air gap it. Yeah, air gap it or let's, let's do something because we don't know if OT's impacted or not or we don't know what the root cause is or we don't know how far the hackers got in. And so yeah, I'm hoping that's a trend, you know, that we start seeing that we get away from where you don't even have the visibility to know whether your OT has been impacted or not or how far that threat actor got from your business network into your OT.
[00:42:20] Speaker A: Right.
[00:42:21] Speaker D: And we see, you know, countless examples. A lot of it hit the news where well, OT has not been impacted and OT has not been breached. But we're doing it just to be on the safe side because we know it did. And it's like, well, well, they kind of had the same outcome. Right.
[00:42:34] Speaker B: Yeah. Still, OT is impacted.
[00:42:35] Speaker D: You got to stop your production because yeah, you have no signs of breach, but you still ended up causing the same effect.
[00:42:42] Speaker A: Right.
[00:42:42] Speaker D: And so that's, that's hopefully a trend I'd like to see us get away from as well.
[00:42:47] Speaker A: But so, so we talked about, we talked about the, the, the, the people problem, not the problem, but one of the bigger, you know, value adds is, is that, that, you know, workforce development and training and, you know, camaraderie and coming together as a team.
From a technology perspective, what do you guys see as one of the bigger hurdles that we're still facing? I know some of the ones that we've already talked about in the past, but what are some of the ones that are coming up in the next bit that could be an issue to implement and do it in the right way without impacting OT?
[00:43:23] Speaker B: I, I actually see something that's got both of those tied in to it, and that's cloud and AI. So because we see a big shortage in the workspace. Right. And it's on the OT cybersecurity side, but it's also on the OT controls engineering side. Right. It's really hard to get dedicated people for your controls environment. So I can foresee within the next five to 10 years, most of those control systems going to the cloud. And I'm not saying that's good or bad at this point, but I can see them moving to the cloud, where you have like your PLC and your HMI and your whole process environment in the cloud. And you have your remote I/O sitting in your process space, of course, because you can't get around that. But just so that organized companies, like big companies, like the big engineering companies, can support that remotely without having to have dedicated remote access into your plant. That's the one reason I see that coming. I'm not looking forward to that, because now you're putting a lot of eggs in that one cloud basket, and if anything goes wrong, it can have devastating impact on your environment.
[00:44:32] Speaker D: Yeah, but I do see a big. I agree with you, Pascal, but I also see with a lot of the tool sets, whether we're doing it on cloud, whether we're doing on prem, I see a big hurdle when it comes to a certain technology or tool from the whole passive, you know, versus active. Can I, you know, a lot of, you know, critical infrastructure still want to do, just to be on the safe side. Everything passive. Everything passive. Everything passive.
And I think, and I'm hoping, and we're starting to see the trend move away from that where there's. There's been more confidence built up into, okay, well, maybe a tad bit more risk to do something active or to, to ping in this way or scan in this way, but doing it in a responsible way, we're getting a lot more out of knowing exactly what did this PLC actually do. As opposed to let's, let's just rely on everything, you know, as far as network monitoring or whatever comes up with the wire. It's now kind of a little bit more of an intentional kind of let's do a little bit deeper than just a passive, you know, type scan and do something that's, that's, you know, more. And so I see that as a, as a hurdle that both OT still kind of struggles with.
[00:45:38] Speaker A: Yeah, it, it's, it's funny I, I working with one of your, your teammates, you know who I'm talking about at that power utility. You know this was back in 2012 I think it was, it was before any of these passive tools existed. So we took commercially off the shelf IT stuff, you know, Mac and we were scanning OT environments in critical power generation sites using IT off the shelf stuff. And we did it without incident. But it's not like we were Nmap scanning randomly and just you know, going after the stuff, like we were doing it intentionally and we were very cautious in how we did it. But we rolled out active capabilities again back in 2012 and that and luckily it was probably because nobody had had all the war stories and heard that you can't do active and now everybody believes that you can't do active and there was no passive option that didn't exist. So we, we had to bring in again we did you know, NAC and Splunk and WhatsUp Gold and, and IT tools in, in a power plant running VMware be done.
[00:46:44] Speaker C: Absolutely no.
And you know, when I, when I came here and met our, our mutual friend and the team that he was hired onto, it was the first time in a long time that I had seen magic on a computer screen. Right.
[00:46:59] Speaker A: Right.
[00:46:59] Speaker C: With Terraform, being able to use OpenTofu I think is what they're going to call it now, to automatically instantiate environments, writing code based off of describing a thing instead of making it do a thing.
[00:47:14] Speaker A: Right.
[00:47:14] Speaker C: And knowing how that could be weaponized with adversary attack platform C2 infrastructure, malleable profiles for callbacks. It can be handed over seamlessly between something that it didn't exist before the attack and won't exist after.
[00:47:29] Speaker A: Right.
[00:47:30] Speaker C: That same technology though can be weaponized to create highly available environments that are cross cloud domain and are shared distributed workloads between data centers and cloud resources as well.
[00:47:43] Speaker A: Right.
[00:47:43] Speaker C: So there's flips of that. We can build those protection domains from Comp Sci 101 inside of how we integrate these new technologies. But it is something that is going to require a scalpel and not a hatchet, correct?
[00:47:59] Speaker D: Yeah, 100%.
[00:48:00] Speaker A: And it's like, you know, just like the human body, all of our, all of us are a little bit different, right? We're different sizes and we have different whatever. Like I, I can go to a power company, Duke Energy, Vistra, Nextera, you name it, and I can go to two of their plants that are right next door to each other and they will not be the same. They'll have different controls, they'll have different integrations, they'll have different HMIs, they'll have different processes. All of those things are going to be different. Even, even beyond that. I can go to two units in the same plant and those two units will be different. And that's, that blows people's mind.
Obviously it doesn't us because we see it all the time, but it's to that level of, of, of difference. And it's because they're on different upgrade schedules. And you know, I upgrade unit one this year and unit two next year and unit three in six years because the budget got pushed out or whatever. A prime example of that is we bought, we bought a power plant again years ago and it was. There were three plants that, this, this, and it may have been Burns and Mac to build it, I don't remember. But whatever company, engineering company that designed it, Fluor, whomever it was, when they designed it, they built three plants and they took that one plant design and they built three different locations. So exact same schematics. The hardware was the same, the turbines were the same, the boilers were the same. Like everything about it was the same. Two of them were owned by a power company and one was, was bought by a financial company. The whole reason and, and point of my story is after 20 years the power company did control system upgrades and all the different things. And the financial company, that was their only power plant, they didn't do anything to it. It was exactly the same as the day that it was built. It still ran, it still was reliable, it still produced generation and electricity. But when you walked in, it was Sun Microstations. And you know, all of the things that were implemented 20 years ago and never upgraded and it just shows the difference in the two different sites because of when it started out. They were all on the same level playing field. But every outage over 20 years they just grew apart from where they started to where they are today.
[00:50:05] Speaker C: That's a, that's a wild evolution literally driven by environmental variations, variables.
[00:50:11] Speaker A: Correct.
[00:50:11] Speaker C: Right. That's, it's almost like twin, twin study cases. Yeah. Of, of the rich twin, the poor twin. You know, like how that went down.
That's, that's fascinating.
[00:50:22] Speaker D: Makes it interesting because every decision you make along from year to year, it actually just, just completely changes the makeup of how you either might protect it or what it looks like and everything else to it.
[00:50:34] Speaker C: Right.
[00:50:34] Speaker D: So it kind of like, you know, the example we were talking about earlier, if you had to go to Best Buy just to make it work and that was your best option, that, that solution actually will probably survive for years and years because it's now just working. And like you said, you better not look at it. You don't touch it. Everything's good now.
[00:50:50] Speaker A: Right.
[00:50:51] Speaker D: You might have a D-Link there. That, that, that lasts eight years because of just that moment in time where that decision had to be made. So that's, that's really.
[00:50:58] Speaker A: And, and again, if you look at, and this is where we've got to as an, as an industry, stop looking at, well, you have a D-Link there. Or you know, it's not a managed switch or it's a, it's, it's an out of support switch or it's a Windows XP machine or whatever that is. And we really need to get back to is it providing it. Is it, is it doing its job, is it reliable? And it. What would, why would I replace it? Like if it. My dad worked in the power utility industry for 40 years and they used to have a saying that he still says today, he's 75, 76 years old. If it ain't broke, don't fix it. They don't just replace things because there's a new version. Like you don't, you know, it's, it's like today's generation, you know, you need new tires on your car, so you go buy a new car. No, replace the damn tires. Like you don't need a new car. Your car works, it's reliable, it gets you from point A to point B. You know, you can upgrade the radio. You don't have to buy a new car. I'm not telling you not to. I'm not telling. You shouldn't. Just saying you don't have to.
[00:52:03] Speaker B: Yeah, it's a different mentality for sure.
[00:52:06] Speaker A: It, it is. Right, but it is. I'm going to replace it every two years. I'm going to give you a new laptop like my, my monitor.
[00:52:13] Speaker B: Right. We're leasing our equipment. Yeah, I wish we could do that on the OT side. Oh, every two years. Rockwell's going to give me new PLCs and going to take your old stuff back. But yeah, if you could do that, it's probably not very feasible because between those revisions, you want to, you have to redo your whole PLC program, your I/O modules, your communications, the downtime behind it. So wishful thinking.
[00:52:35] Speaker A: Well, and you do a control system upgrade at a power plant and yeah, it could be, let's use Emerson or Foxboro or whatever vendor you want to talk to. When you do that upgrade in three years, you may have to change your field I/O terminations. Like, it's not just replacing a computer, right? Sometimes you're having to rewire things, physical things. And that, that takes time. And if it doesn't work and maybe, maybe a wire's wrong and you got to rerun a wire, like it's, it's bigger than just, I'm going to give you a new laptop. Right? It's not that simple, Aaron.
[00:53:06] Speaker C: I think the first time that I heard somebody tell me that they have had an active infection of Conficker in their process environment and they were just living with it like bedbugs. It was shocking and a little disappointing, but, I mean, it's still kind of like surprising when it happens. But it still happens, Aaron. Right? And it's okay, right? It sounds counterintuitive, but if it doesn't affect the stability of the system and it can't go down because it's so available, then I guess it's okay, right?
[00:53:43] Speaker B: I've been in situations where they let WannaCry run and you know what I'm talking about. Which one I'm talking about, Aaron? But they had WannaCry all over the place.
We installed a cybersecurity monitoring, OT cybersecurity monitoring solution. And it started popping up like 10, 20, 30, 40 stations with WannaCry. And they're like, well, we're still running production and once we get to it, we'll get to it, but until then, we're just gonna let this run. I'm like, yeah, I'm not gonna connect any of my personal stuff on your network for a while.
[00:54:13] Speaker A: But again, that's the different mentality. And that right there is so hard for people to grasp that haven't worked in this industry. And you're going to let. If it's not broke, don't fix it. Like, it really comes down to that. Thing is. And that doesn't mean you just let WannaCry run forever. I've actually seen environments where Stuxnet is running but you know, there was no applicable system that Stuxnet could impact. Right.
[00:54:36] Speaker C: So most prolific for the time. Right. I mean, and to again, go back to the beginning of the call, because this, this is all coming full circle. You know, the, the Navy. I learned at a CMP conference when I was a junior sailor. Like, all public information on this, it's just me being an analyst, being like, oh, that's weird. I know what those words mean. I found out that the payments system for the United States Navy, the thing that cut my check, it was based off of the same language that Amazing Grace Hopper wrote. That's right. The lady who coined the term computer bug. COBOL. So whenever it would break, they had to bring somebody out of retirement because they haven't taught COBOL that I'm aware of in colleges probably since the late 90s. I know some guys that were in some of those last classes around here in these parts. So. Yeah, no, it's just if it ain't broke, don't fix it though. But when it breaks, boy, oh boy.
[00:55:34] Speaker D: Yeah.
[00:55:34] Speaker C: Does it break?
[00:55:36] Speaker A: Absolutely.
[00:55:37] Speaker C: Yeah. No.
And making sure that we're doing what we can in our part to be able to defend the, the, the global mission and protect critical infrastructure for humanity. Like, I, I, I think three days of a widespread utility outage would cause some pretty severe chaos. That may be genies that don't go back in bottles and doing everything that I can. Getting out of the military was very strategic. Coming here to be able to have a greater impact on how I could help out with that. And I found nothing but brothers and sisters with the same intent since I've gotten out. So I found more of a tribe leaving a tribe that people typically have a hard time translating from. But I'm happy, I'm happy to be here with these two guys. We take good care of each other and I'm, I'm thankful to be able to hang out with you today. Man, this was fun.
[00:56:29] Speaker A: Yeah, I mean, that, that goes to, you know, always ask that wrap up question. We already kind of answered it with, with the technology stack and, and, and, and what you just answered there is, is probably the, the, the negative side or, or the scary side, but I mean, we can look back to Katrina and New Orleans and see what happens when you lose power to an area for any period of time and it was within a day and it was martial law. It was, it was, it was scary. Everything stops working, right? And same thing in North Carolina when, when they took the substation out and that entire county was without power for a week and you can't pump gas. The refrigeration doesn't work. Your water doesn't work. Like everything is dependent upon electricity. Everything. Right. And that goes down and we are a third world country like that.
[00:57:15] Speaker C: Very quickly people, people forget. Now my, my kids are worried about the Internet when it goes out. Right.
[00:57:22] Speaker A: It was the electricity for me when.
[00:57:24] Speaker C: I was a kid. Yeah.
As long as the Wi-Fi, as long as that battery backup works, then we're good, right?
[00:57:29] Speaker A: Yep.
[00:57:30] Speaker C: But you know, and then everybody forgets about and they're typically have some of the bigger challenges. Water.
[00:57:38] Speaker A: Yeah.
[00:57:38] Speaker C: Right. Like that, that really. You forget how much of a caveman you really are until somebody shuts off the water to your house.
[00:57:45] Speaker A: Correct.
[00:57:46] Speaker C: Right. You get a clogged sink, you have to a main that pops and then all of a sudden you're thinking about the Holiday Inn. Right.
[00:57:55] Speaker B: I got, I got enough snow on the ground to have water for a while.
[00:58:01] Speaker A: I've got the air conditioner on in Texas. It's like 70 degrees today. It's. It's nice and hot. I'm actually taking a side note, I'm taking my family. So again I live in Texas. My kids have grown up in Texas. So we're going after Christmas. We're, we're taking a vacation. A friend of mine lives, has a house in Minnesota. So I'm taking the kids to Minnesota so they can experience like what actual weather and winter, what it actually feels like. Go ice fishing and do all those fun, you know, real cold weather type stuff.
[00:58:31] Speaker B: That's a good idea.
[00:58:32] Speaker A: Yeah.
[00:58:33] Speaker B: Because you'll. So you won't get that.
[00:58:35] Speaker A: No, not here. So what, what's the call to action, guys? Like how do people find out more about you guys, what you guys do, where you're going to be conferences, speaking events like all that type of stuff. Like lay it on us.
[00:58:46] Speaker B: I'm very active on LinkedIn. So anybody who pings me there and a lot of people do for like advice on where to go next with their studies, where to look for jobs and stuff like that. I'm very active. I always share stuff on there. You can ping me up on there. You can go to our 1898 & Co website and contact us through there.
So in terms of speaking Gabe, but we got on the plan, I mean S4.
[00:59:12] Speaker D: We will be at S4 as well coming up in, in February.
[00:59:15] Speaker A: So in Tampa this year.
[00:59:17] Speaker D: In Tampa this year. So feel free to meet up with, with us there as well. That's the conference I know, that's the one coming up. As far as. I think we'll be at the, you know, Hughes TechCon. I think ot Secon and Houston area will be there as well.
[00:59:33] Speaker C: Awesome. Gabe. Gabe and Pascal don't let me out of this bunker very often.
[00:59:37] Speaker B: I actually we do. We're taking you to Belgium. Remember, we're going to do the ISA conference. So the.
[00:59:44] Speaker C: I met my targets this year.
[00:59:48] Speaker D: I think that's in June. Yeah. Sometime in June will be ISA conference.
[00:59:52] Speaker A: So that's the funny thing is these problems are not just, you know, America focused. They are nationwide, they're countrywide. They're, they're, they're border. They don't depend on borders or the bad actors don't really care where the thing is. Right. And they're just going to see be, like we said earlier, like open for opportunity. So it takes a village for us to protect this nationwide. And we see what's going on in the Ukraine and, and Israel and Gaza and again, not to get political, but just from a, from an impact and availability and all of the downstream things that can happen from, you know, power not being available, water not being available. You know, we depend on electricity and clean water to live the way that we do and the way that we've got accustomed to. And to your point, like, my power goes out, I've got everything on battery backup and my wife's in there, you know, still surfing a phone and there's no electricity. And like, don't you wonder how this still works when we have no electricity? And she's like, you know, I never really thought about it.
[01:00:50] Speaker B: You're welcome.
[01:00:51] Speaker A: Exactly.
[01:00:53] Speaker C: For sure.
[01:00:55] Speaker A: That's awesome. Well, gentlemen, I really appreciate y'all taking the time today as always. It, it was a great conversation. I look forward to seeing you guys in person at S4 and other times as well. Thank you again so much for, for being here and, and fighting the good fight. I really appreciate it.
[01:01:10] Speaker B: Gentlemen. Pleasure.
[01:01:12] Speaker C: Thanks.
[01:01:13] Speaker A: Thanks for joining us on PrOTect It All, where we explore the crossroads of IT and OT cyber security. Remember to subscribe wherever you get your podcasts to stay ahead in this ever evolving field. Until next time.
