Episode Transcript
[00:00:00] Speaker A: You're listening to Protect It All, where Aaron Crow expands the conversation beyond just OT, delving into the interconnected worlds of IT and OT cybersecurity.
Get ready for essential strategies and insights.
Here's your host, Aaron Crow.
Hey, man, thanks for joining me. Why don't you tell us who you are and why you're wearing a mask and all the things, man? Tell us who you are in the audience, what you're doing here.
[00:00:27] Speaker B: Well, my name is Luther Chip Harris. I am a cyber criminal investigator, and I'm a certified ethical hacker, pen tester, forensic investigator, and auditor. So I deal with not the nicest people on the planet that are here to do you and the general public harm.
And I've been a. The reason why I wear a mask and I get a lot of questions around that, is it should protect my identity. I've been doxxed, you know, twice, and I've had to be moved, you know, the federal government had to move me once to an undisclosed location, you know, and it was very impactful to me, you know, and I go very hard on protecting my identity against these threat actors from Russia and China, you know, that have come after me and my family. And, you know, I take my security and my, you know, security very, very, as I say, to a whole nother level of paranoia to protect my family, you know, as well as myself, you know, and I have worked with military and special forces for the better part, you know, of a long time, and there are people that wish me dead, you know, so there you go. That is the reason why, when I do a lot of these podcasts, you know, I take it to the nth level and I wear a mask to protect my identity from, you know, for example, the people that wanted to have me deported, which was China, which they have some great facial recognition software.
[00:01:55] Speaker A: Yeah.
[00:01:55] Speaker B: They're really good at tracking down where you're at in your location to send a death squad to come and eliminate you. So therefore, I go to very great lengths to protect my online identity behind, let's say, my four firewalls that I have here and my six proxies that protect me and my IP that rolls every 30 minutes to make sure that you do not know where it is and who it is that I am. So I'm kind of the Banksy of the Internet, go very hard on, you know, to the paint to protect myself.
[00:02:28] Speaker A: Yeah, absolutely. Well, let's dive in, man. I appreciate you taking the time today. And, you know, we don't know each other. We just started communicating through LinkedIn. But, you know, I've done a lot in critical infrastructure and my background is power generation and critical infrastructure as well, and working in OT spaces and power plants and, and all that. So I know we talked off camera a little bit before this, so let's just dive in. Like, let's talk about the aging infrastructure. Let's talk about the power plants and the wastewater and the water treatment facilities and where we at with that and what you're seeing and obviously the things that you can talk about publicly of the status and criticality of those environments.
[00:03:09] Speaker B: Well, I'm a state and federal pain in the ass because normally when they call me, it's pretty damn bad. I mean, it's like, you know, it's never like a warm reception. Like, oh, look, he's here to help solve the problem. No, my job is to tell you what the problem is and how to go fix it. Now you can take all that information for all you want and it is left up to you. So I tell people, do as thy will. So, you know, then that's one thing that I tell people, especially when it comes down to critical infrastructure that I have to deal with is that, you know, there is a totalitarian, you know, fallout of when these things go bad that affect human people, that affect, you know, human beings. So it's not just like, you know, IT, where it's, you know, you're dealing with data and servers and, you know, stuff like this. I mean, you're dealing with physical infrastructure, you're dealing with power generation, you're dealing with water, you know, so forth. And right now it's pretty bad. I mean, most of this stuff. And I know this is not a political show and I don't deal with politics. I cut through a boulder of red tape daily just to get stuff done, you know, so I have enough of that that I have to deal with on the state and the federal side. But, you know, as I tell people, our infrastructure is aging out and getting really old, like 30 years old. And, you know, people are like, well, which administration do we blame? Well, I'm part of the blame party. I blame both of them. It's like you got 30 years under multiple, you know, administrations to get the stuff fixed. And it's not what I call sexy news. Like, ooh, we're going to work on the water treatment facility today and, you know, get better pipelines put in the ground and, you know, we're going to start repaving roads, you know, and stuff like that.
You know, these are things that have are steadily, it's what I call the death of a thousand cuts. You know, it's, you know, you're slowly getting cut and you're slowly bleeding. You slowly bleed. But then I, you know, after you get about a thousand cuts, I drop you into a huge, gigantic ocean full of sharks and piranhas that are there to basically eat and destroy you, because that's what these people do. And it's not that we don't know that threat actors like, you know, Russia, China, you know, Iran, have not hit our nuclear power grids, you know, or our power systems at all, or, you know, our water treatment facilities. We know that these countries that are, you know, what I call the dirty 30 countries because there's about 30 of them out there that want us, you know, dead, you know, as the infidels. And they want to do us harm that they hit constantly, you know, from low kinetic attacks to high level, you know, cyber attacks. And it is, it's just a matter of time before they get it. It's not a matter of time of when they're going to do something. It's when they want to do something based on their time clock. And my job is to help roll that time clock back best I possibly can.
Especially in the tower industry, especially in nuclear. You know, that's very, that's a very big thing. People in the United States don't realize that, hey, there's 53 nuclear reactors throughout the continental United States. Well, if one of those goes up, you know, and blows up, that's a very bad situation for about 100,000 years. So, you know, and when I explain that to the general public and the populace, that kind of gets them scared and gets politicians scared, and it gets a lot of people scared. Well, they should be scared because guess what, you know, would you, you know, do you still own a 30 year old, a 30 year old car? No. Do you still, you know, drive on 30 year old, you know, trains and railroad tracks? Yeah. Do you drive on 30 year old planes? No.
But do you drive on 30 year old subways? Yes.
So, you know, the poison that I try to, in the bitter pill that I try to get people to swallow, that I deal with on a daily basis, is that this is completely fixable. It can be done, it's expensive. You know, it's a group I call a green paper problem. There's a lot of money that's got to be invested into doing this. And this current administration actually has passed an infrastructure bill to where we're starting to see improvement on roads, improvement on streets, improvement on bridges, lighting for streets, you know, and it's going to be a gradual rollout. But, you know, as I tell people, you should be spending about 20% of your state's GPD, you know, and the federal GPD should be at least 25% to 30% just on infrastructure projects. Yeah. Throughout the continental United States. Will that ever happen? Well, until it starts breaking and failing, yeah, then they'll start doing it.
And when the bodies start piling up and people die, you know, and, you know, it hits the news, and then everybody goes, oh, my God, I can't believe it. And I'm like, no, I can believe it.
[00:08:08] Speaker A: Yeah, I mean, I supported a nuclear power plant. You know, I worked. I was an asset owner and supported power power generation here in Texas. And one of my plants was. Was a nuclear facility. So I was badged there and, you know, the whole background check and all that kind of stuff, you know, supporting that. And our. The architecture was different in a nuclear power plant than it was my coal fire power plants and the others. But still, that. That plant was built in the. I think it was designed in the fifties, built in the sixties, went online in the seventies, and it's still the same technology, two units, you know, 1800 megawatts, and, you know, it's.
[00:08:40] Speaker B: It's.
[00:08:41] Speaker A: It's still running. Right. It's still the same thing. They actually had a license to build a third and fourth unit that they ended up getting rid of, or getting rid of the license. And, and, you know, it's. It's. Yes, we've upgraded the controls somewhat. You know, the analog controls. They have tertiary systems and ever and everything, safety systems and tertiary everything. But, you know, the analog controls that were put in in the seventies are still there, right? Yes, we have some digital stuff. Yes, we have some upgraded stuff, but still, it's a plant that was built in the seventies. And to your point, it's not that it's bad, it's just it was never designed to run that long. They actually call it Comanche Peak because it was going to be a peaker plant. It was supposed to be ramped up and down. That's how little they understood about nuclear generation at the time when it was designed. And of course, now it's a baseload. It just runs constantly all the time, unless it's an outage for refueling every 18 months. So, you know, talk a little bit about what you know. Obviously that's. And that's the norm, like power. I think there's. There's been, what, two. Two nuclear power plants built in the United States in the last, what, 15 years? And.
[00:09:42] Speaker B: Yeah, and there's three more that are. Yeah, there's three more that are scheduled. And they're being built by Microsoft. They're being built by Bill Gates. So the guy that created Windows, which is not the greatest operating system on the planet, is going to be in charge and own nuclear power facilities. Now, I'm not saying that that's set up for failure, but I'm just setting it up for a lot of questions and answers. It's like, wow, you people can't even make an operating system that can't be hacked, so you're going to make a goddamn nuclear power plant. I mean, so anyway, you know, it's just, you know, and when you're dealing with FERC and NERC and all those guys, you. And all the regulations and stuff to go with it, you know, I mean. You mean, and we've learned from Three Mile Island, you know, when that happened, you know, the safety and the security that deals with this stuff, you know, and it is issues and stuff that we have to be able to address, first off, from an, you know, a human standpoint and then an environmental standpoint. Now, I'm not a tree hugging hippie by any means whatsoever. Yeah, but I am a conservationist. But, you know, and I tell people that, you know, you have to respect the land that's given to us. You have to respect the environment and stuff that's there, you know, and can we go a little bit greener? Yeah, we can go hard to the paint. You know, if we wanted to put up more, you know, solar, we could do that. I mean, that, you know, the free energy that's gonna have to be in certain locations, and it's only gonna hurt, you know, help certain power grids, you know, but, you know, and it's a. It's a really cool thing to see some of the new technologies that's coming out there. But then I say, okay, that's just really cool and all just because it's really cool and neat and can do these great things is it, you know, and it gives you more. And we are addicted in this country to convenience.
We really have become addicted to convenience.
Just because it's convenient necessarily doesn't mean it's secure. You know, and I say that a lot. You know, the. The audits and the investigations and stuff that I do when I really start taking a look at this stuff and going, you know, wow, you know, and I'm going to give an example. You know, they called me in on Colonial Pipeline just to look at the evidence, just to look at the stuff that's there.
And those SCADA-based systems are running on Windows XP Service Pack 1. And I was like going, wow, this company makes over a billion dollars, you know, a billion dollars, and they couldn't even upgrade this, right? I mean, they couldn't even mean. And people would just got, you know, and the problem was, the reason why they turned all that off was the gas and the oil still going to flow, you know, seven to 15 miles an hour depending on how far they're pushing it through the pipe. But the problem is it pushes it through all these different states. And when it fails, that gave the state attorneys general the ability to look into how much they're getting charged. So it's like, why is Mississippi getting charged more than Alabama is for the same amount of fuel going through? And that's what they said, okay, turn it all off. Turn it all off until we get it all fixed. Because they didn't want to be audited by all the states that they have to get the oil to go through. You know, so it was a money decision. It wasn't like, the gas is going to run out. It's not going to run out, people. I mean, you know, we, we have a plethora of oil in this country. We need to give it, you know, from the national stockpile all the way down to fracking if we have to, you know, sure, we're not going to run it on natural gas. We're not going to run out. I mean, we have a lot more resources than the, you know, people think that we don't have, that we actually do have, you know, and, but the problem is those telephone poles been there a lot longer than that pipeline has, you know, and some of the, you know, and when I finished up that, you know, looking at the stuff that, you know, that was presented by my states to me to look at that I didn't even charge them for. I did totally pro bono.
I was like, going, you're getting screwed by this pipeline because, you know, you have the right to audit them for, you know, the, you know, the taxes that they're charging for you for these certain things. And they actually took it to, you know, the state supreme court. They lost and they said, oh, we're gonna take it to the Supreme Court. And they said, bring it because, you know, you, you say that you're supposed to be charging us this rate, but you're actually charging us this rate and that's like three times the normal than the other states that you were charging. So, you know, it was very interesting, to say the least, to see the, you know, the politics that actually ran out of that. Nice. Then they finally said, okay, we'll just cut you a check. You know, we'll just cut you a check and we'll make it all go away. The lawyers will be happy and whatnot. But did it really fix anything? No, it's like, you know, did you go out there and replace that older system that was out there that was causing these issues? No. All it is turn right back on doing the exact same thing, you know, and they followed back up with another, you know, audit and the DOE said, yeah, guess what? They're using the exact same systems. They're going to keep paying the fine, then it would be to the fix. And I'm like, that just makes, you know, no sense to me whatsoever. But then the crashing reality said it's just easier for them to pay the parking ticket than it is in the fine than it is for them to do the fix. And that's, that's where we're missing the point. That is where, you know, NERC and, you know, CISA and all these regulatory bodies that we have in Washington should come down on them like the wrath of friggin God, you know, because they're, instead of just paying for the, you know, the fine, which is a bump in the road for them, basically, you know, they should be fixing that system so we don't have the loss of fuel, you know, and whatnot. Same thing with PG&E.
PG&E had over, you know, 30 something, 40 something years the ability of placing j hooks that hold their lines up, you know, on their phone poles. And, you know, you literally had a phone pole drop a line, you know, during fire season, you know, during their summer that caused the, you know, the Paradise fire that, you know, burned hundreds. I mean, it's the third biggest fire ever in California history to where it burned hundreds of thousands of acres of land and burned cities down to the ground, you know, and there was no alerting or warning system. You know, these in it caused a Paradise fire that literally, you know, you had people burning alive and that's, that's the human loss. And will we ever see, you know, PG&E going out there and start replacing these things? Well, guess what? This year they've started doing that because people have started filing multi million dollar lawsuits for losing their loved ones, which they should, you know, and you have a city in California that's suing their own power company within their own state because they had the opportunity to fix these things and I never really did. So, you know, and in a way, you know, what I deal with all at that level is a blame game. You know, this, this hands point at this thing. Well, you're all responsible. You know, they're all trying to blame each other, but it's like, congratulations. That blame is actually put on to you as a whole, as a blanketed carpeted thing, not just, you know, one person for one decision that they did or did not make, you know? Yeah. And it's, you know, what we're dealing with now is, and I tell people this is like all these old systems, let's put it on the Internet, which is a really bad idea. You know, it's like, oh, but yeah, I will. I was at a conference last year where the director of cybersecurity had on his iPad on the plane.
He was showing me, like, hey, I can take a look at, you know, all this kind of cool stuff and, you know, of my entire, you know, power plant in my coal fire plant in my water treatment facility and all this stuff right here on my iPad. And I was like, going, okay, what about the heck your iPad? And he's like, well, what do you mean? I was like, if I get into your user account and I own your account, I now own those systems. And he's like, that's not totally possible. This is, you know, blah, blah, blah. And I'm like, okay. So I turned on Kali Linux and he was sitting right next to me in the convention and I said, you know, I literally, you know, made a pop up that popped up on his screens. Like, hi there, I'm the guy sitting next to you that now owns your iPad, that now owns your account. And, you know, and dude, he flipped out. He usually, you know, I'm going to sue you. And I'm like, you can't do shit, dude. I'm seriously, I mean, you said it couldn't be done. I did it within about 15 minutes. And congratulations. Now you got to go change all your user accounts and everything for all your stuff. And better yet, you should not be doing your monitoring, you know, from a surface or an iPad for your, you know, systems. And, you know, do I blame the manufacturer for that? No. Do I blame the administration for that? Yes, you should not. You know, there's a certain level of security in.
Well, did you not think this through for 30 seconds conversation? Did you know that should be happening when you're dealing with some of these systems, you know, it's like, you know, do we need to put that on the Internet? Do we still need to be able to have the ability of hand cranking it? You know, something goes wrong, you know, and there's lots of examples out there, you know, that I tell the general public, like, you know, BlackEnergy, Sandworm, you know, there, there's some really good books and some white papers that are floating out there if you really want to learn about what it is a nation state, you know, can do. You know, we've all heard of Stuxnet and all the kind of stuff that can go with that. Yeah, and there's a little spy and intrigue and stuff that kind of goes into that. But there's some other operations that they've written books about that way more, you know, devastating, you know, that I've seen out there, and I participated in some of those, you know, attacks as a nation attacking another nation on their infrastructure. So it can be very delicate. But, you know, there is a human toll and factor that goes with that, and people don't want to acknowledge that yet. They just think it's a bunch of make believe and, oh, the power just cut off. But I'm going to give you a very real world example, and I've explained this one before.
I was hired by a medical company and a hospital to come in and test with my red team and my little happy man hackers that I work with to come in and do a red teaming event on a hospital to see how secure they were, because they just spent a ton of money with General Electric and Siemens, name a vendor and throw it on a wall, and they stuck there. Right. You know, of how their IoT systems were and how their trace and trackability are, and, you know, how their firewalls have all been done. But guess what? I found out very quickly that their IT and their OT merge together, which are two things. And if anybody hears this podcast, anybody out there in the world hears me. You do not merge your information technology systems and your OT systems together. You do. They don't. This one should be way over here on this side of the universe, and the other one should be way over there. They should not even be in the same conversation. But I found out very quickly that they had commingled both of those systems, but they had thought they had been separated.
[00:21:25] Speaker A: Yeah.
[00:21:25] Speaker B: So, you know, and this was just a, you know, a simple, you know, explanation. And then once after about, you know, two weeks, they gave us 14 days to really kind of get in there, and we were within their system within 4 hours. And then, you know, we had physically tested, you know, from low kinetic attacks to high level attacks, everything that we could, you know, on their systems. And then, you know, here I am, you know, suit and tie, not in my normal jeans and t shirt like I am, you know, no mask and everything, you know, and I am in a very closed room with what I call decision making people. You know, the decision making cats, the people that have the checkbook, you know, they've paid all this money and everything. And I had, you know, you know, 300 page report. But of course, you know, they only want the, what I call the two pager report. You know, they just want the. The ten minutes bad and the 30 minutes are good. Well, guess what? It's all bad.
[00:22:17] Speaker A: You know, rich dummy version. Right?
[00:22:19] Speaker B: Yeah. You know, the very simple terms to people that are not IT technologists, that's. I mean, they're doctors. You know, these people are. They are not an IT staff kind of people. I mean, these are people that, you know, their job is to go out there and save people's lives. Mine is to kill people's lives.
My job is to end it. Theirs is to save it. So, and, you know, after I had done this explanation of, like, hi there, within, you know, 20 minutes, I would be able to get into your systems and delete all of your EMR, your patient record systems. Okay? Then I would, you know, be able to turn on your HVAC system and turn it on to the coldest settings that's possibly out there on your, you know, chillers and everything that's on, you know, the building itself. I would turn on the sprinkler system and then, you know, turn the lights off and then cut the power to your life giving care systems, which is, if anybody's been in a hospital, you see those colored plugs that are on the wall there? That's a completely different electrical system than it would be for your lights and so forth. So not only would I turn off your lights, I would turn off that stuff. So that means the people that are in, you know, the ER, the emergency room, you know, are basically, you know, at a loss. And people that are in critical care as well as the NICU units, basically got, you know, people that are going to start dying and babies that are going to start dying very quickly, and you've got, you know, water, you know, and toilets overflowing. You've got no power, you've got no way of tracking and tracing the stuff and then I, you know, turn on all the doors to where everything is locked, you know, because you've got an automated locking system for all your doors. So I've locked all your systems, you know, and then I'm going to do this during like a very inclement weather, you know, time, you know. So for example, I'm going to do it like if it's up north, like a really bad snowstorm, this is where I'm going to do this. So things are freezing. People and patients are going to have to go start going from, you know, beds, you know, can't use the elevators because I've already cut all those off down the stairs, you know, or being evacuated by helicopter or ambulance to another facility. Okay.
And, you know, after I, you know, went through this horrific conversation for about, you know, 20 minutes, one of the doctors said, you know, well, this would never happen. I said, well, yeah, yeah, actually it has.
And he's like, no it hasn't. I was like, oh, yeah, yeah, it has. I mean, I was down there when it happened and he was like, what are you talking about? I said, Hurricane Katrina. You know this, nobody's learned from that. I mean, this is the scenario that happened at Hurricane Katrina. Well, what happened to the backup power supply? Well, you know, or the backup generator? Well, it was flooded with seawater. You know, you can't, it was dead DOA. I mean, all your fail safes failed, you know, and, you know, can this be done now in a digital kinetic attack versus a physical environmental attack?
[00:25:10] Speaker A: Right?
[00:25:10] Speaker B: Yeah, because I mean, I did it within, you know, you know, a couple, couple days and I could build that into an attack package, you know, to where now, now, you know, I can execute that very quickly and quietly, you know, over the wire and you would never even know about it.
[00:25:26] Speaker A: You could do it then. Who else can do it, right?
[00:25:29] Speaker B: Yeah. And I mean, you know, my five guys, I mean, we're very separated by different states, but I mean, it's like, you know, I'm sitting here at home doing this on a, you know, work computer. I mean, not an HPC, not a high performance computer, not on a quantum bullshit whatever the hell they pull over their butt now, you know, computer. I mean, you know, I'm doing this from a home, home computer, you know, that is not as super duper powerful as you would think it is. Okay? And, you know, this scared the living bejesus out of these people. And I said, this is the reason why you have vendor management and control. You know, that you're constantly working with a patch management cycle, you know, and then you've got all of these departments all together, you know, and cybersecurity people and your IT people and your network people all together all at once to sit down, and then nobody leaves the room until we make a very good plan and decision and execute that. Right. And then you think about the evils that can happen, you know, of what can be done to stop these things. Now, the number one sweet, you know, attack, as I tell people right now that we have really got to prepare ourselves for, is water treatment facilities right now. You know, people talk about power, people talking about electricity this year. I'm talking about dams this year. I'm talking a lot about, you know, the high level risk and IoT attack factors that we're dealing with with water treatment facilities. Because out of all the infrastructure, it's out there in the United States. Water is the oldest.
[00:27:09] Speaker A: Yeah.
[00:27:10] Speaker B: It was the first thing that they want to do. They want to put that on the Internet. And I'm like, sure, you know, you know, because if you get somebody that gets in there and starts hacking away and is able to cause pneumatic pressure on 30 year old pipes, that's bad. I mean, they're going to explode out of the road.
[00:27:27] Speaker A: Well, we saw that with Detroit and the water issues that we've seen there. Right.
[00:27:30] Speaker B: It's.
[00:27:31] Speaker A: It's antiquated systems.
[00:27:33] Speaker B: Yeah. We've seen it in Mississippi. We've seen it in Flint, Michigan. I mean, yeah, if you've seen some of the pipes that these guys have cut out of the ground that I've looked at, I mean, am I going, oh, my God, people drink out of that? I mean, it's like, and that's where.
[00:27:44] Speaker A: Your drinking water is coming from. It's. Why drink from bottled water?
[00:27:46] Speaker B: I know. That's the nastiest looking shit I have ever seen in my life. I'm like, oh, that is, like, rustic. There's not enough Rust-Oleum on the planet that could get that rust out of those pipes. You know, I mean, there's not enough stuff. You know, I mean, it was horrible. Yeah. I was like, going, so this is in just, I mean, and this isn't like a posh neighborhood. I mean, this is not like some, you know, this is not some rundown old, you know, 19, you know, but run down neighborhood. I was like, going, this isn't just a posh neighborhood where they're digging up some of these pipes, because, you know, the pipes that they, that they're tapping off of have been there since the 1930s, the 1940s. So, you know, and digging that kind of infrastructure up and replacing that is really expensive and it's really hard. But as I tell people, it also generates a lot of jobs. Okay? Because in the United States, we are not stressing enough a lot about people. I mean, and I'm all for engineering. Trust me, I am so for, but I'm also for vocational education. And how we can fix all of this in our industry right now is that we need to be start bringing back, you know, vocational education in the school systems, because not everybody's going to be a doctor. Not everybody's going to be an IT security guy. But you will eventually need a plumber and a carpenter and a welder. And, you know, and those guys, I mean, I've got a friend of mine that is a professional welder, and he makes way, much more money than I do an hour. I mean, it is ridiculous. But, you know, and he loves what he does, you know, I mean, and I'm, I am for that because, you know, not only am I for manufacturing, but I'm also for industrial manufacturing. You know, the jobs that are created out of infrastructure projects are epic. And I mean epically good. And that's good for the states, that's good for the economy. That's, you know, good for everybody to be able to do that.
And it's not like this stuff is not going away. I mean, it is there to stay. And, you know, we really need to be stressing, you know, you know, kind of there. I know you're an electrical engineer and everything, but would you think about, you know, cybersecurity for electrical engineering? I mean, yeah, you know, because you can only trust the vendors so much. You know, they, they're, their inference, you know, their interest is a profit margin, not necessarily the safety and security of what you do with their, you know, you know, hardware and software.
[00:30:08] Speaker A: Well, even, even on that, too.
[00:30:10] Speaker B: Right.
[00:30:10] Speaker A: Is, is maybe vendor is great. So GE and Siemens and Schneider Electric and Emerson, they're building their system, but at a power plant, there's multiple systems. Same thing in a water treatment site. Right. I've got PLCs over here from vendor A. I've got vendor B. Usually have six different vendors. And yes, they're good at their thing, but they don't know how to integrate with the other vendors. That's not their job.
[00:30:32] Speaker B: Yeah, that's the whole point is there's no intercooperability, and we're going to have to set a standard for that eventually. To where it's like, okay, you guys have got to pick TCP/IP. TC, you know, how are we all going to interconnect with each other? You know, Modbus is out on its way out. SMB one, two and three on its way out. You know, everybody wants to be TCP/IP, you know, TCP and UDP. So I know the networking people right now are just screaming their heads off, you know, in Vermont, you know, oh my God, I can't believe he's saying this, but it's true, you know, because, you know, in one facility that I have, you've got 22 different vendors. Okay.
[00:31:06] Speaker A: Yeah.
[00:31:06] Speaker B: And all the systems are different. You know, the only reason that we control and contain those is that we have a software management system that is, you know, that's built for monitoring just OT systems, not IT, just OT. And out of that we have got basically a four year plan that we're having to put together to fix all of that stuff. And it's going to take multiple years because we're dealing with multiple vendors. Schneider Electrical is only going to do so much. After that it's on you, you know, GE, same thing. And don't even be started on Siemens. God bless America. I hate those Germans. I mean, they drive me up the wall. But you know, they've got good stuff. Don't get me wrong, I'm not, you know, you know, saying they don't. It's just that this system is meant as a standalone system. It only does one certain thing. Yeah, it doesn't work with these other systems. Now you've got some other, you know, you've got some hardware and some software solutions that are out there. Like, you know, you've got Waterfall, you got the Nozomis, you've got the Clarotys that are out there. But you know, they're not meant for patch management systems. You know, that goes back to your Windows side and your SCCM and you know what you're doing for patch management, you know. Yeah, same thing with op. Are all the operating systems at the desired level. So for example, some of these systems only run on XP. You know, some of these systems will not work on Windows 11. You know, some of the vendors even tell you, do not put our stuff on Windows 11, period. Like you go to Windows 7 and that's about it, you know, so there's, you know, risk and vulnerability that it's actually put in there because based on the operating system and the stuff that you're using is how is it going to inter cooperate with some of the systems that are controlled and main, you know, maintaining, monitoring that we do.
One way diodes do we do, you know, firewalls and, you know, in front of these things, you know, do we virtualize them? That's the big thing too, is, you know, do we throw everything in VMware or, you know, whatever and, you know, run it that way? Well, you know, in IT, you know, how good your network, because latency matters in a lot of this stuff, you know, especially in fuel generation and gasoline, you know, and petrol based products, oil based products, you know, those pressures, you know, have to be very controlled and maintained in real time. And heartbeat matters for some of this stuff. And when it turns off, you know, for you people that don't know, it either goes into a safe mode, which means it just stops, you know, so if you're monitoring on those systems like I do, you see those red lines and those yellow lines and those green lines, you know, when those things start lighting up, it's like, hmm, something is amiss here, you know, and what could that be? And was, well, you know, because there's something that's wrong with that sensor, you know, now in a lot of these things, we can still hand crank, we can still go out there and, you know, turn the knobs and get it where it needs to be. But if some of these people had it their way, you wouldn't do any of that. You know, they want, they want it all to be digitized, you know, they want it. Well, that's not a good thing because sometimes if, you know, what's the failover for that? You know, what if there is a Stuxnet attack, you know, on that system and causes that plant to, you know, either shut off completely or blow something up, you know, you're back now where we originally were in the first part of this conversation, the loss of human life again, you know, and the impact, you know, on what it's going to do. So this is a very circular conversation, you know, and there's no definitive one answer.
It's completely different to based on one industry that you're looking at and that you're, you know, looking at doing. And it's a very, as I tell people, exciting time because we have gotten to the point to where it is so bad, you know, we have kicked that can so far down the line, you know, we have no other choice but to fix it, you know. Yeah, and I don't want it to get to the point to where we have a loss of life, you know, or something like that to where we have to really start paying kind of attention on, you know, fixing our infrastructure projects and fixing our infrastructure.
[00:35:14] Speaker A: You hit a really good point there, right. Is if, as you know, a lot of the layman's out there don't see and they don't understand how bad it is. But if we really look at the 17 critical infrastructures and we're looking at power utility and wastewater and, you know, TSA, all the trains and the rail and all the different things, if we just looked at how, I mean, I did a power plant assessment last week and XP was there. The newest operating system they had was Windows 7. Right, exactly. And that wasn't even patched to the same level. Now, granted, they have other mitigating controls and, you know, they're not. They're supposed to be segmented, you know, as well as I do that's not always the case. But, you know, if we just took a step back and we looked at the infrastructure in the United States, there's no way. Even if we, even if we get an unlimited budget, if I was czar, they made me king for the day, and I. And I just gave a bazillion dollars to America to upgrade everything. There's no way we could do that in a timely manner. Right. We're going to have to find alternate ways. We can't rip out every XP box and every Windows 7 box and replace everything in day one. Like, it's just a big. It's a giant problem. We need to build this thing and start, you know, prioritizing the risk, prioritizing the. But having a strategy. But right now we have no strategy. We're just bailing wire and duct tape.
[00:36:36] Speaker B: Yeah. As I tell people, the one I proposed is like, you know, you make it a law that is passed to where a certain amount of the federal budget and state budgets are written to where you cannot touch it. Okay.
[00:36:50] Speaker A: Yeah.
[00:36:51] Speaker B: You're, you know, and that's based on your. Our tax dollars. Okay. That is based on money that we, you know, pay back in taxes, you know, and corporations supposedly pay back in taxes to help, you know, the better good. You know, as I tell the. Help the common folk. Right. So, you know, and there's nothing political about it. As I tell people, there's no politics when it comes into paving a street. Okay. If you political about it, there's a right side and a left side. Whoo. Okay. You know, there you go. That's about as political. It's going to get. Fix the damn pothole. Right. You know, so this goes back to what you're going to see at a township level, you know.
[00:37:31] Speaker A: Yeah.
[00:37:31] Speaker B: Which you're going to see at a state level, and then what you can see in a federal level. Okay, sure. But what it is is you have a certain amount of dollars that go into that pot, like insurance that you can't touch until something happens. Okay.
[00:37:44] Speaker A: Sure.
[00:37:44] Speaker B: So it starts at a. As I tell people, a local level. Like, how much money am I spending or paying back in city, county taxes and property taxes, whatever it may be, to get stuff fixed. Right. And is that being delegated correctly? The way that needs to be done? Okay, next on top of that is estate. How much is the state bringing in, you know, to where we are delegating that down to the township. Right. You know, so it's a trickle down effect that they can't touch. So it's like, okay, 20% of our state, you know, but annual budget goes into infrastructure projects. No matter what they are, we can't touch the money. Okay. Colorado did this. You know, it is a very good example of doing this. You know, when they made, you know, cannabis, you know, or marijuana legal.
[00:38:28] Speaker A: Sure.
[00:38:28] Speaker B: All that money went into infrastructure.
They can't touch that money. The state legislature can't touch that money. The feds can't touch that money. Anything that they get from taxes, from the sale of weed, you know, goes into paving roads, goes into building bridges, goes into, you know, improving the electrical system and the water, you know, congratulations. You know, the. The cities can't touch it, and the feds can't touch it, you know. So next, then we go to a federal level, right? And this is going to be, ladies and gentlemen, a 5, 7, 10 year agenda. This is not something like just said. You snap your fingers and it magically happens. Doesn't work that way. The federal government moves incredibly slow, you know, and especially when you're doling out money, they work even slower, and sometimes they use the lowest in bidder. So let me give you an example.
NASA, when they were building this wonderful rocket that was going to the moon, you know, Buzz Aldridge looked over to Neil Armstrong and said, neil, how does it feel to be sitting on the world's biggest bomb made by the lowest in bidder? You know, so that's. And Neil Armstrong literally says in the right stuff in, in the book, says he almost threw up in his helmet because he thought about it for about, you know, like, I was like, oh, my God, I'm sitting on the world's biggest bomb, you know, made by the lowest in bidder. And he was right. Yeah. So, you know, there is a state process and a, you know, a federal process of going through bids, which I'm not going to talk about because it just causes me more headache, you know, then it wants me to pull out my eyeballs in some points because that process is very slow, you know, to make sure that you get the proper bidding, you know, that's done for these things, and then you've got to energize that workforce. So, you know, the only time that I've seen the federal government literally just get off its ass and do something was during the COVID you know, pandemic with the NIH and the CDC where they just started, you know, mobilizing everybody immediately to just, like, attack one certain problem. Right. So we did this same thing with infrastructure. You're still looking at a three, five, seven year, ten year process to get all of those monies distributed to the states and then down to the local level to where those projects can be start rolling off, you know, and if they even announced it today, like, hi there, where, you know, and same thing we're seeing now, even with the infrastructure bill that was passed four years ago, we're just now seeing the benefits now, you know, you know, saying, oh, well, this highway got replaced because of, you know, this project that was passed in Congress. Right.
[00:41:02] Speaker A: Yeah.
[00:41:02] Speaker B: So it's a long arduous process, but once it starts rolling, it really starts rolling. So I'm not saying that there should be endless construction going on all the time. What I'm saying is, is there needs to be a checks and balances way and oversight to that. Well, committees that we already have that already exist, and some of them probably need to be eliminated because they're just, you know, fat on the land people, you know, but you need to consolidate all that and look at the streamlining of that just like you would business. You know, businesses in the, you know, have the ability to turn and pivot very quickly. Government is not. It's like a, you know, it's like having a bass boat with, you know, two ranger motors that can turn very quickly, you know, and go from one zigzag all over the river versus an ocean liner. You know, you've got to slowly turn on a dime. You know, there's a lot of moving parts that got to go with it. So the analogies that I use when I explain this, you know, to people in layman's terms, you know, and, and, you know, TED talks or whatever it is I'm doing, even on podcast, it's like going, you do, you know, the amount of work and effort it goes into writing some of those proposals, you know, and saying, you know, because I mean, the federal government as well as you, even a private citizen, you're gonna be a hundred million dollars. Yeah. Am I gonna give you a hundred million dollars? Well, here's a reason why you're gonna give me $100 million. Well who's involved with that hundred million dollars? There's a lot of pull back and forth, you know, and so forth. And especially when I do audits and you know, vulnerability and risk management reports and stuff is like, I can tell you and give you that information. Now what you do with that, like I said, it's, you know, it's up to you. You've got to figure out what you want to do with it, you know.
Um, and I don't try to scare people, you know, into buying, you know, uh, goods and services. I'm vendor agnostic, you know, you need to pick what's going to be best for you. Now I can point you in the general direction, but, you know, I'm not going to, you know, say, well you need to use these people because they're the best, you know, normally.
[00:43:10] Speaker A: And I think, I think that's a problem anyways, right? Is I think you and I both know that there's no technology, there's no silver bullet, that if you install this technology, you solve your problem and it's not a finish.
Just like with a road. I pave a road today, I'm, it's gonna break. I'm gonna have to fix it over time. I can't just pave it once and I'm done. Cybersecurity, all this infrastructure stuff we're talking about, it's the same thing. It should be a constant budget line item. They're doing maintenance, I'm replacing it. How? What is the lifespan of it?
[00:43:42] Speaker B: It's like Medicaid, you know, it's like doing your taxes every year. It's. Unfortunately, yeah, it's just one of those things you're gonna have to do and deal with and, oh, you're gonna have a problem.
[00:43:55] Speaker A: If you don't do your taxes, you're gonna have a problem.
[00:43:57] Speaker B: Well, you kind of go to federal pound you in the ass prison for that, you know, so I mean, you know, and you get in deep trouble. Right? So, you know, and I'm a firm believer if you don't start something, won't be nothing, you know, and if you can, because we in the United States, unfortunately, are a knee jerk reaction society. Until something bad happens, we don't fix it. You know, it's very much, you know, the blind eye. I see no evil, hear no evil.
[00:44:25] Speaker A: Name problem, don't fix it.
[00:44:26] Speaker B: Yeah, if it ain't broke, don't fix it kind of deal. But sometimes you've got to be proactive, you know, on fixing some of these issues, especially when it comes down to nuclear power. Water. Yeah, electrical, you know, and, and I don't blame vendors. They're, they're doing what they're supposed to do. You know, they're trying to make sales and put in stuff and, and do their work and whatnot. But it's like, you know, I'm fighting with a vendor right now at a certain facility. They only patch one time a year. You know, that's it. Like, that's our patch management cycle. Like, you pay for one patch a year. I'm like, what? I mean, would you and our CIO and CTO, God bless them, I love them to death, they have gotten into some very venomous conversations with this vendor of, like, we will not, you know, work with you and we will rip your out, literally, of our facilities and never use you again. Only unless you start patching our stuff to, you know, patch these CVEs and vulnerabilities that are out there. So for the public doesn't know this, there's certain patches that vendors put out that are supposed to fix their stuff. Now, they don't necessarily do that. That's left up to the facility into the company or the department to do those kinds of things. Normally, you know, you can do it, but sometimes the vendor, if you're depending on your SLA, your service level agreement, the contracts that you have with them will patch your stuff. Now, this one was for a really ass old system, you know, and it was like, okay, do we keep paying these people x amount of dollars a year, or do we just replace it, you know, to where it's newer and it's nice and shiny and it looks like the new car? Well, we figured out very quickly, you know, we could have paid for that new, shiny new car five years ago. Yep. Versus what we're having to pay now.
So it was just, you know, it was like, let's do the math, everybody break out your abacus and your calculator, you know, and let's figure this out. And it was like, geez, we could have, like, paid for a new system five years ago if we would have known how bad, bad was, you know, so this is where, you know, like I tell people, this is where I kind of come into play is that, you know, the company that I work for and the great team of people that I have on staff, we are really good at being professional bad guys. We're really good at being, you know, state actors. We're really good at, you know, knowing, you know, how these systems work and how to get into these systems and turn them off, manipulate them, do whatever we need to be able to do. And, you know, and I, and I don't blame anybody because sometimes, you know, you've got to be asleep at the wheel until you have a car crash until to figure out how bad that is.
And I don't want to see that, you know, affect human life and I want to see it then affect the environment. And I definitely don't want to see effect national security because normally when these things happen, they are not privileged.
[00:47:28] Speaker A: Well, I mean, like, like you said, you know, you look at Katrina, we, those of us that were around for that, you know, you look at Katrina, we were a third world country in New Orleans when Katrina hit, right? It was, it was martial law. People dying in the streets. Like, it was, it was insanity. That's what would happen if we lost power in this country and it would happen that quickly.
Wastewater all those things.
[00:47:49] Speaker B: Yeah. I want to say since we live in the biggest glass house, what happens if I turn off the Internet for a week?
I mean, no, I'm not talking about power. I'm just talking about the Internet. So let me give you a really great example that's affecting everybody still today AT&T, I mean, all last week I spent, oh, my God, one meeting after, oh, my God, I just much really been set me on fire outside in the middle of the street then having to deal with all the stuff that I deal with with trains, planes, automobiles, transportation and so forth that are dependent on one service carrier, you know.
[00:48:24] Speaker A: Yep.
[00:48:24] Speaker B: And we don't have analog lines anymore. They're all digital, you know, and we lost, you know, connection to a lot of our clients. Lost connection. And we're down the entire day which impacted one facility at the wonderful tune of, you know, $100 million and is AT&T going to pay for that. Are they going to cut them a little $5 check, you know, for their, you know, services? No.
[00:48:49] Speaker A: Amazon gift card.
[00:48:50] Speaker B: Yeah, yeah. They lost $100 million, you know.
[00:48:53] Speaker A: Yeah.
[00:48:54] Speaker B: And how are they going to recoup that? They're not. I mean, they literally lost in it. Like, we were shut that that facility was shut down for an entire day. And, I mean, they, then they are a almost, you know, I mean, literally, you know, they, they average money by them, you know, the minute, you know, and, and this also affected, you know, security at airports. This affected, you know, a lot of things that are in our transportation, a lot of things that are in our shipping lanes because, you know, that carrier decided that, well, you know, to hell with it. We aren't going to test things in our DevOps facility. We're just going to throw it in production and, you know, we're just in product. Yeah, test and production. That's, that's the answer right there, kids. So, you know, they didn't do their due diligence and guess what? AT&T caused out, you know, I mean, people literally could not call 911. It is written by the FCC that no matter what happens to your phone in SOS mode, you'll still be able to call 911 no matter what. I mean, when John McAfee was alive, he said that was the number one attack vector to the United States on the phone system was, congratulations. All cellular phone carriers by law have to have 911 services available no matter where the hell they are. Well, guess what? We couldn't even get to that. So now you got the FBI, the CIA, the NTS, you know, NTSB, FCC for whatever they're good for, you know, investigating, you know, the cell phone carriers that literally, I mean, so I, you know, that is a real world current example, you know, now imagine if I shut down. You know, we saw this during, you know, September 11, you know, the airlines industry shutting down. That is. I mean, they did that for a day, okay? And that cost us. That hit our gross national product. I mean, you know, I mean, FedEx couldn't even fly. I mean, and that tells you something right there.
So, you know, when you have a national wide ground stop, which we had never had in our history until then, you know, it really affected the bottom line. Same thing. You got a cell phone carrier that, guess what, that affected people's lives in the bottom line. You know, now, you know, turn off the entire Internet for the west coast or the east coast, it would literally within 24 hours form a recession. I mean, they literally would, you know, if we couldn't because we live in the biggest glass house, you know, we've connected all this crap to the Internet. It. And, you know, I talk about some of this wonderful stuff, you know, and if you want to read a book about it, which is even worse, and this is written, you know, in the past, was there's a book called lights out by Ted Koppel. And he interviewed, like, all these people from the power industry to TSA. I mean, you name it, he interviewed these folks. And that was a really eye opening book, like, you know, of the preparedness of the United States and the lack thereof, you know, if we had a cyber attack hit the United States on critical infrastructure, and I really, first office Ted Koppel, you know, like Uncle Walter, most people don't know, you know, I mean, I give him thumbs up, first off, because he did a book, you know, what I call non sexy news. I mean, critical infrastructure is not necessarily, you know, woohoo, you know, news that people just, you know, totally go out for. But, you know, it is one of those things that until it impacts you, then it becomes new.
[00:52:18] Speaker A: Yes.
[00:52:19] Speaker B: So, but it's a really good book. You know, it was written, you know, back in 2015, 2016, you know, and it really, you know, kind of gave, you know, and there's been 60 minutes, you know, stuff that you can see on YouTube about this, you know, that they've done. But, you know, it's, it's very interesting, you know, when you really pull back that curtain and really see how the sausage is made, you know, sometimes you don't want to eat the sausage or the hot dog, but, you know, absolutely, in the wonderful world that I live in, you pay me now, you pay me later. Still gotta pay me.
[00:52:53] Speaker A: Absolutely. Yeah. And, you know, that that's the key here is we talked a lot today about all the different critical infrastructures, all the different places that we're at, how we're behind, you know, but it's not gonna get solved. We didn't get here in a day. We're not going to solve it in a day. But there's a lot of things that we need to do. And that's why I love having conversations like this.
My intent and goal and hope that the audience takes away from this is reach out to your congressman or reach out to your local authorities, your city, ask your water environment what they're doing.
This matters.
We need to start making changes in this now before left of bang, instead of waiting until right of bang, you hear that term inside and warfare and all that kind of stuff. Right now we're still left of bang in a lot of different spaces. There's been a lot of bangs that have happened, and we just haven't necessarily spread that amongst down or it has a trickle down, trickle down economy, whatever the hell you want to call it, down to all the infrastructure. And we need to continue to push this battle, have these conversations and make sure the right people hear this because we need to make changes or there can be some very big implications, whether it be natural disaster, whether it be a state actor or, you know, just a bored kid that, you know, the one in North Carolina, you know, idiots shooting out substations and transformers, any of these things, it doesn't matter what the attack vector is. The outcome is the same. We've got to start making changes.
[00:54:18] Speaker B: And, you know, and there, there are tons, as I tell people, of job opportunities, you know, that are, that are out there for this, you know, from a vendor level, you know, like Siemens, you know, all these, these people will train you. I mean, they will, you know, that's how I got into it was that, you know, on a personal level with me was, you know, that's what really kind of set me on this track was years and years and years ago was that, you know, I had didn't have a lot of job opportunities, you know, in the, in my location, in the state that I live in. And, you know, and if I didn't have vocational education and, you know, my father, you know, pushing me into computer science because he knew as well as I knew in 8th grade, you know, that computer that's sitting behind you on your desk, I was like, that's the future. I mean, like, most people don't remember the days of green screen and command line only, but I mean, that's, you know, and, you know, crap. I mean, I was trying to get this smiley face to wink at me, you know, and I went through all these lines of code and didn't work, you know, and having to redo it and, you know, but, I mean, but I said in 8th grade to myself, it's like, this is the future. I mean, you know, I mean, I got two choices in my area. And I grew up poor. I mean, I grew up. I did not come from privilege, you know, I didn't come from money, you know, I didn't, I had two choices, the funeral business or farming. You know, my family was in the funeral business and I got sick of dealing with dead people and cutting grass at cemeteries. Or I could go work on the family farm, you know, and I didn't want to do that. And I was like, I saw my parents struggle and my grandparents struggle and I was going, you know, man, this little box, you know, man, it is the, this is going to change the whole thing. Thing. 
And then once I figured out this little box is, you know, integrated into infrastructure, you know, and me being, you know, going through college and going into, you know, learning about cybersecurity. And then, you know, how I really got into all of this was in my twenties, you know, September 11 happened, and I was a federal, you know, got my federal contracting license, and I just got my Security+ and, like, two other CompTIA certifications. And I was, you know, making. Working at CompUSA. Most people don't even remember CompUSA. I do, but I was a bitch.
[00:56:38] Speaker A: We sound to be similar age.
[00:56:39] Speaker B: Yeah. I was working as a bench technician, fixing Apple computers and PCs, and I was making a whopping $12 an hour with taxes coming out of that, and I was making no money. It was, you know, eating top end ramen noodle, you know, and I had a blow up mattress and a television on the floor, you know, living in my, you know, one bedroom, you know, know, apartment in the hood, you know, and I was, like, going, I, you know, I got my education. You know, I am ready to rock, you know, and find a good job. And I became a private military contractor, you know, and I spent 18 years, you know, working with special forces and working, you know, in seven different states, 22 different countries. I never thought that I would be able to see the pyramids of Giza in, you know, reality in my life. You know, it's like, wow. I mean, you know, like, some of these places I've only read about in textbooks, I got to go to, you know, and I got to travel around and, you know, really get my hands deep into this, you know, and, you know, I contributed to the war effort, you know, in Afghanistan and in Iraq, you know, and I went to all these different military bases doing really cool things, working in counters, you know, counterintelligence, counter surveillance, espionage, you know, and learning about ot systems, you know, and helping them, you know, secure some of these facilities, you know, that are that state, federal, or, you know, nationally owned and whatnot. You know, like, I got to go to the United Arab Emirates. I never thought I'd do that. Never thought I'd go to Egypt. Never thought I'd get to go to Israel, you know, or some of these places that, you know, that you hear and see read about. Now, most of them are conflict zones, but, you know, sure, that's where the army got in the military kind of go, but, you know, yeah, they say you're going here. It's like, okay, I'm going that way. 
You know, and then I came back, and then, you know, worked a lot in the transportation and warehousing industry and learned even more, you know, about how these systems are more vulnerable and old and archaic and whatnot. Like, wow, all the stuff plugs into an. As for, it's like, wow, I haven't seen this in decades, you know, but yeah, it, hey, if it runs, it runs, you know, you know, and started interfacing a lot with, you know, cybersecurity companies here in the private sector and, you know, and really enjoyed it. And I worked with some really great companies like, you know, Vardos and Dell, you know, and Asa, you know, and worked with tons of different vendors throughout Nvidia, you know, working on, say, private, you know, contracts and Social Security projects. And then, you know, the infrastructure companies started calling me, like, on, hey, yeah, we really need an audit.
We really need somebody to come in here and tell us these issues and problems that we've run into over the years and how we can fix them, you know, and I really enjoyed that, you know, and now, you know, I am working with a really great company that does, you know, exactly what I do in my wheelhouse. You know, I'm helping with SOC and NOC services and, you know, doing investigations for a lot of the different stuff. Now, how did I get into that? It took, you know, education. It took time, effort, and energy, and it took, you know, a lot of networking and being in the right place and a lot of luck, you know, being in the right place, you know, for some of these things to kind of fall into place. And I've had my ups and downs in this industry, but, you know, I always encourage, you know, people that are in cybersecurity right now, anybody that can hear my voice look into OT cybersecurity. It is a very growing field, and it pays pretty well there, kids, you know, I mean, you're gonna have to hit the books, you know, and I can't do it for you, you know, and, you know, there, and there are, you know, institutions now that are, you know, even remote institutions that are teaching, you know, about OT cybersecurity, you know, and how it is that, you know, if you want to go work for the state like I do, you know, they, they pay pretty well on an annual basis. You know, they don't, they're not going away anytime soon, you know, and there's also vendors that will train you in, you know, about their systems and whatnot. But, you know, a lot of this goes back into, you know, you got to get your hands in it. You know, it's vocational based, you know, at one end of the spectrum and then the other end of the spectrum, it's very, you know, computer based, so it's a lot of fun. I mean it for it. And it's never, I'm gonna tell you that I will go on the record for this. It's never the same thing twice. It's all. It never is different.
[01:01:06] Speaker A: It is, and it's not. I still. We have the same problems all the time, but it's always a different, a little bit different scenario. And it's always like, holy shit, I've seen this before, but, man, that's a different twist.
[01:01:15] Speaker B: Yeah, it's like tomato, tomato. Still tomato, tomato. But this is how you say tomato, tomato. You know, so.
[01:01:22] Speaker A: Exactly.
[01:01:23] Speaker B: And people laugh about that, but it's true. I mean, it's so true, you know, but, yeah, you know, um, and, uh, I tell people, you know, especially people that see these podcasts like yours, that's out there, you know, it's, you know, there is a lot of work to be done, and we need a lot of people to do it. And if you look at the standard right now, considering how far behind we are, we need about one. I think it was when I turned it into the Department of Energy and, uh, the Department, and actually the department of nuclear regulatory mission. We need about 1.7 million people in OT right now. You know, that's not just OT security. I mean, that's from line technicians down to, you know, people pounding the ground to, you know, working on oil rigs. You know, I mean, we need. I mean, that's a lot of folks. That's a lot of people. And, you know, you don't see a lot of people coming into this industry because, one, they don't know about it. Two, they don't want to do the physical labor of the work to get into it. Three, they just think it's going to be handed to them, and they take a certification exam, and then, boom, they automatically are going to get a six figure salary. And it's like, no, I didn't work that way. I wish it did.
So.
[01:02:36] Speaker A: So I'll share in the show notes. You know, obviously anything to. For folks to get in touch with you, and if they need to engage you, they need. They want to have an assessment done, any of that kind of stuff. We'll include all that, how to get ahold of you and all that kind of stuff. Anything you want to make sure everybody's aware or kind of a call to action. Obviously, we already have the get into this dig in. You know, there's. There's organizations like ICS Village. It's a nonprofit that I work with that does training. They're all, they're at conferences, go to a conference, listen to a podcast, reach out to people like me, like Chip, you know, we are here. I am 100% willing to have conversations with anybody that asks. I don't always have the unlimited time, but I'm 100%. And most of the people that I've. That I've come across are more than willing to have conversations, give you some guidance, give you some, hey, this is what I would do. This is what worked for me type of thing.
[01:03:25] Speaker B: So, yeah, I mean, I do that for students. Like, you know, I don't charge speaking to students or universities or school systems.
[01:03:33] Speaker A: Right?
[01:03:33] Speaker B: I don't. I mean, that's just me giving back to our industry because no one ever gave it back to me, so, hell, I'm going to give it back them. But, you know, like companies and corporations, I do have a, you know, I do have an agent, and everything is booked through him, you know. You know, most of my speaking engagements if you don't, you know, I mean, like you, I have. I have a family. I have limited amount of time, but I'm glad to talk to anybody about, you know, hey, you know, if you want to have an assessment done and everybody, you go talk to these folks, you know, but if you just want to have, you know, podcasts with me and talk about some of the wonderful things that are actually are happening in our industry versus some of the bad things that happen, have we have seen in our industry that are. That are happening now? Because I am not all doom and gloom. Everybody goes, sure. Jesus. You're a very scary person, though. I'm a very scared person. As I tell people, I'm very scared of some of the bad things that can happen that I know are preventable, you know, and it's just, you know, if I can head it off at the pass, that's what I try to do for people, is to stop the hemorrhaging before, you know, you trying to put a band aid on a bullet wound ain't gonna work, kids. You know, sorry, you right. I yell, scream, cuss, hoot, holler, and throw things. And that's why I work remote, because I am an HR nightmare. You know, you want to keep me at a distance, you know, tell people, because, you know, I'm very passionate about, you know, this industry. I'm very passionate about some of the things that, you know, I engage in because I don't want to see the evil things that I can do happen to you. That's the reason. And I've always stuck with that is because, you know, knowledge is power. But, you know, knowledge. And sometimes power can be used and abused in very horrible ways. You know, and it's the. The mode and the.
The instrument of how you want to be able to use that. So I tell people, you know, you want to contact me, that's perfectly fine. You know, I'm only on two social media platforms. You know, I'm not on X, Twitter, whatever they're calling it now. I'm not on Instagram. I'm not on, you know, Pinterest or crap. You know, it's like I'm on Facebook and LinkedIn. And that's about it, because that's all the federal government will allow me to have. You know, everything in this room is monitored by Big Brother as I tell people, you know, and I have multiple, you know, ways of not only protecting my digital profile, but, I mean, I have, you know, I can't even go to a conference without my lawyer. I mean, I've had people, you know, serve subpoenas to me, and I'm like, no, no, no. You talk to him, not me. You know, it's like, we want you to talk about and testify in this, you know, blah, blah, blah, blah, blah case. And I'm like, no, I can't. Can't do that. You know? Um, yeah, if you want to book my time, you know, you talk to my lawyer over there who's. And he and I are very good friends, and we've been, you know, been been, you know, bosom buddies for, you know, for years now. But it's pretty sad that I go to a conference and I have to wear a mask, or I go to a conference, and I got people that are trying to sequester me for a jury.
[01:06:32] Speaker A: Right.
I laugh about some of the fun out of it, doesn't it?
[01:06:37] Speaker B: I laugh about it. My wife does not.
[01:06:40] Speaker A: Yeah, you're gonna get killed.
[01:06:41] Speaker B: I'm, like, not planning on it. Yeah.
[01:06:45] Speaker A: Well, hey, man, I appreciate your time today. It was an awesome conversation. Maybe we'll do it again and talk about the fun stuff or the. Or the happy things and what's the good side of it? We. I know we focus a lot on the net negative, but it's the truth, and I think it's a conversation that we need to have. So thank you for the time.
I'm sure that we'll cross paths again soon. We seem to have a very similar background and a lot of the things all the way back from the Mac over there in the corners.
[01:07:15] Speaker B: Oh, yeah.
[01:07:15] Speaker A: Thanks for your time today, bud. I appreciate it.
[01:07:17] Speaker B: Thank you all so very much. Y'all have a wonderful day today.
[01:07:21] Speaker A: Thanks for joining us on Protect It All, where we explore the crossroads of IT and OT cybersecurity.
Remember to subscribe wherever you get your podcasts to stay ahead in this ever-evolving field. Until next time.