OT, IT, and Cybersecurity - how are they different, related, and are you protected?
Join us with Leah Dodson & Ashley Van Hoesen as we master the distinctions between OT, IT, and cybersecurity roles in the manufacturing industry.
Gain insider knowledge on governance, risk, compliance, and the psychological tactics of scammers and hackers. Discover best use practices to safeguard operations, mitigate risk, and avoid theft digitally.
Huge thank you to Wolfe Evolution for sponsoring this episode!
__________________________________________________________________
Co-Hosts are Alicia Gilpin, Director of Engineering at Process and Controls Engineering LLC; Nikki Gonzales, Head of Partnerships at Quotebeam; and Courtney Fernandez, Robot Master at FAST One Solutions.
Follow us on LinkedIn and YouTube for live videos, demos, and other content!
Subscribe to our weekly newsletter for episode updates, job announcements, and more!
Get in touch with us at automationladies.io!
P.S. - Help our podcast grow with a 5-star podcast review if you love us!
Audio Editing by Laura Marsilio | Music by ...
--------------------------------------------------
00:00 - Cybersecurity and Networking at OT SkateCon
08:22 - Manufacturing Industry Cybersecurity Trends
20:59 - Diverse Perspectives on IT and Programming
29:02 - Cybersecurity and Social Engineering
35:35 - Security Risks of Social Engineering
40:20 - Cybersecurity Challenges and Compliance Implications
53:43 - Cybersecurity Best Practices and Resources
01:04:19 - OT SkateCon Training and Networking
WEBVTT
00:00:00.542 --> 00:00:15.288
Hey, happy Halloween, um, although I guess we are all too busy or not festive enough to be wearing costumes to this, but I had whiskers earlier, but they were, like, getting really itchy and I peeled them off, but I had, like, these little stickers, yeah no, I just.
00:00:15.407 --> 00:00:20.152
It's been a very busy day and I know Ali is still in a meeting, but thank you if you're joining us.
00:00:20.152 --> 00:00:21.899
Hey, David, thanks for joining.
00:00:21.899 --> 00:00:25.783
Uh, David's one of our speakers from OT SkateCon.
00:00:25.783 --> 00:00:33.548
So before we got on, we were just talking to Leah about OT SkateCon because I invited her to come and help us out with it.
00:00:33.548 --> 00:00:35.451
She's in San Antonio, we're in Houston.
00:00:35.451 --> 00:00:49.951
Do you want to give our guests an intro, if they weren't here last year or the year before, to see you as our recurring resident expert on cybersecurity with Automation Ladies?
00:00:49.951 --> 00:00:52.368
Introduce yourself and tell us what you've been up to.
00:00:53.000 --> 00:00:55.308
Yeah, so I'm Leah Dodson.
00:00:55.308 --> 00:00:59.310
I'm a cybersecurity specialist with NextLink Labs.
00:00:59.310 --> 00:01:04.070
I specialize a little bit more on the governance, risk and compliance side.
00:01:04.070 --> 00:01:06.665
So all of the fun compliance checklist things.
00:01:06.665 --> 00:01:09.492
They're fun for me, less fun for other people.
00:01:09.492 --> 00:01:15.129
But I missed OT SkateCon this year because I had a baby in July.
00:01:15.129 --> 00:01:18.094
Awesome little boy, love him to bits.
00:01:18.094 --> 00:01:25.990
But I'm excited that SkateCon seemed to have been awesome and I'm excited to see it in future iterations.
00:01:27.021 --> 00:01:30.103
We also have, yeah, I just threw up on the screen, Rafi and Michael.
00:01:30.103 --> 00:01:30.987
Thanks for joining us.
00:01:30.987 --> 00:01:32.968
They also attended OT SkateCon.
00:01:32.968 --> 00:01:39.709
So I guess if you guys want to leave a quick review in the comments for those that may be asking about it, you're welcome to.
00:01:39.709 --> 00:01:41.984
No, I think you'll find.
00:01:42.465 --> 00:01:45.093
Honestly, I'd say, go find somebody that went and ask them.
00:01:45.093 --> 00:01:47.587
We did have on our exit surveys.
00:01:47.587 --> 00:01:51.808
So we didn't get a perfect score, of course, especially of course not.
00:01:51.808 --> 00:01:57.510
It was our first time and we had no idea what we were doing, just like with this podcast and a lot of other things we do.
00:01:57.510 --> 00:02:03.090
But we try to do them anyway and then we learn and we try to do it better until we get too good at it.
00:02:03.090 --> 00:02:06.903
Then we get bored and then we go do something else.
00:02:06.903 --> 00:02:15.111
But in this case we got, I think, a 9.7 out of 10 from our reviews and at least one person said that they would not like to attend again.
00:02:15.111 --> 00:02:27.950
And we reached out to him and we asked why and we thought he had really really good insight and suggestions and we invited him to be on our advisory board for programming for next year.
00:02:29.040 --> 00:02:33.449
And so he's coming, and he even said if his employer doesn't approve it, that he'll take some PTO.
00:02:33.449 --> 00:02:35.568
So you know we're open to suggestion.
00:02:35.568 --> 00:02:47.729
But I honestly think, you know, like you were saying, Leah, some of your favorite events are ones where the organizers do a good job of setting things up and setting the stage but then letting people, kind of, you know, do their thing.
00:02:47.729 --> 00:02:51.902
And yeah, I think you're absolutely right like I would like to do more of that.
00:02:51.902 --> 00:02:54.993
This, you know, OT SkateCon was Ali's idea.
00:02:54.993 --> 00:03:11.941
It is her baby from the technical programming side of things, but from, like, the community side of things and the, the value that happens when the attendees were together, rather than just us or even just the speakers right, because who can say that these speakers are the foremost experts and are better?
00:03:11.941 --> 00:03:18.748
They just happen to be the ones that, a, know us, b, asked to be part of the program, you know, c, were willing to invest the time or could.
00:03:19.312 --> 00:03:22.385
So it's not about necessarily learning something from a speaker.
00:03:22.385 --> 00:03:24.115
That's the you know authority.
00:03:24.115 --> 00:03:31.645
It's about hearing somebody else's experience, learning something from that and then being able to potentially work with those people in the future.
00:03:31.645 --> 00:03:37.526
So Michael says the smartest group of people I've ever been in a room with and very supportive of each other.
00:03:37.526 --> 00:03:48.174
So we, through Michael, were able to meet his CEO, Alex Pool, or, I'm sorry, owner, I'm not entirely sure what his position is at Masked Owl Technologies.
00:03:48.860 --> 00:04:08.031
Ali and I interviewed him recently and we were really excited for that episode to come out because we loved it and I think we committed on air to doing an AI panel with one of the engineers for Masked Owl and that was just a really great conversation, and so the people that you meet, like the interactions that come after, are very cool.
00:04:08.031 --> 00:04:11.266
And then we're going to be meeting some people again at Automation Fair.
00:04:11.266 --> 00:04:22.805
So, courtney, why don't you give us a little info if there's anybody new that doesn't know, and what are you up to, and I look forward to seeing you in a couple of weeks in Anaheim.
00:04:23.660 --> 00:04:27.927
Yeah, I've been missing you. Can't wait to have you over for a few days.
00:04:27.927 --> 00:04:43.745
And, like I jumped into small business ownership again it's not new to me, but you know I'm always putting out some form of fire, and half of them are fires I started myself and so it's just been.
00:04:43.745 --> 00:04:49.805
You know, a lot of uh running around in circles, but um, and still enjoying it.
00:04:49.805 --> 00:04:52.653
It gives me the flexibility I need to.
00:04:52.653 --> 00:04:58.629
You know, problem solve at the hours I like to do it and be mom and the hours I need to be mom.
00:04:58.629 --> 00:05:05.769
And I have no idea how I ran into you at Automate and did not notice that you were about to have a baby.
00:05:05.769 --> 00:05:07.553
Congratulations.
00:05:07.553 --> 00:05:09.865
How's it been so far?
00:05:09.865 --> 00:05:10.889
Tick, tick.
00:05:10.889 --> 00:05:12.685
You look well rested.
00:05:12.685 --> 00:05:14.747
You look a little too well rested, honestly.
00:05:15.779 --> 00:05:17.142
You look, you are glowing.
00:05:17.142 --> 00:05:20.889
Yes, thank you. Are you having another one?
00:05:20.910 --> 00:05:21.672
Just kidding.
00:05:21.672 --> 00:05:22.192
He's tried.
00:05:22.192 --> 00:05:26.920
Oh boy, yeah, he's hitting his stride, sleeping at night.
00:05:26.920 --> 00:05:28.845
So I'm doing a little better now.
00:05:29.286 --> 00:05:35.004
That's great, yeah, very good. I would like to subscribe to whatever filter you've got going on.
00:05:35.043 --> 00:05:36.267
Leah, right.
00:05:36.267 --> 00:05:41.041
So I do have to admit that I'm using a guest studio space right now.
00:05:41.201 --> 00:05:54.588
It's not, oh, so nice, not my, uh, usual studio space, but it's very set up and I love it. Yeah, is it like a space that you can kind of subscribe to, like just go book time, or it's somebody else's that you just happen to be in?
00:05:55.029 --> 00:05:55.934
It's somebody else's.
00:05:55.934 --> 00:06:02.288
I just happen to be traveling right now and they're way more decked out than I am, so very nice.
00:06:03.209 --> 00:06:05.151
I've never actually recorded in a podcast studio.
00:06:05.733 --> 00:06:12.279
Yeah, yeah, yeah, I might have to get together a list of all of this equipment and I was just gonna add in my background.
00:06:13.622 --> 00:06:15.687
We were on brand for OT SkateCon.
00:06:15.687 --> 00:06:21.262
We have a couple more people, so Rafi says OT SkateCon was amazing.
00:06:21.262 --> 00:06:24.353
I traveled halfway around the world and would do it again.
00:06:24.353 --> 00:06:36.267
So he also brought the most amazing snacks from Pakistan for everybody that were perfect for happy hour, and I took the leftovers home and I'm like still eating them.
00:06:36.267 --> 00:06:38.653
Some of them were at my office, but yeah, that was so.
00:06:38.653 --> 00:06:39.600
It gave me the idea.
00:06:39.600 --> 00:06:43.728
So we had this candy bar and I did that for Alex Marcy.
00:06:43.769 --> 00:07:06.274
Mostly I don't know why I, like, commit to things either on LinkedIn or live that were just spur of the moment off the top of my head, and then I end up trying to fulfill those things that I promise. Um, I don't always manage to, but, and I was like, next year, why don't we do it to where everybody can bring candy from wherever they're from and, like, add it to the candy bar so we can all share with each other something that we brought, um?
00:07:06.274 --> 00:07:14.886
Because a lot of people like even some of the attendees brought swag because they wanted for the swag table like to add their company swag, and then people like exchanged each other's swag and stuff.
00:07:14.886 --> 00:07:19.728
So that was fun instead of it just being, like, the big sponsor brands that had their swag at the table.
00:07:19.728 --> 00:07:20.911
So that's really cool.
00:07:20.911 --> 00:07:23.624
But anyway, our topic of today is cybersecurity.
00:07:23.624 --> 00:07:25.447
It is our you.
00:07:25.447 --> 00:07:31.648
You know it's the end of Cybersecurity Awareness Month and what a month we have had.
00:07:32.800 --> 00:07:41.432
And Ali's not here yet, so I don't want to steal her thunder, or Ashley, who basically, but here I guess this all relates to OT SkateCon as well.
00:07:41.432 --> 00:07:52.408
So Ashley was our cybersecurity speaker at OT SkateCon and I was just telling Leah that she did her dry run with me kind of late and her camera was off because she wasn't feeling well or maybe the camera wasn't working.
00:07:52.408 --> 00:07:53.935
I don't remember, but I was.
00:07:53.935 --> 00:07:55.502
I didn't really know her at all.
00:07:55.502 --> 00:08:05.451
She had connected with Ali and Ali invited her as a speaker and I was a little skeptical just because I wasn't getting a good feel for her as a speaker at all.
00:08:05.451 --> 00:08:09.809
And then I met her in person and her talk was amazing and she blew everybody away.
00:08:09.809 --> 00:08:14.735
And then we were like now she has to be the go-to cybersecurity person for everybody in this room.
00:08:14.735 --> 00:08:18.526
Like everybody asked her questions, everybody got her involved in their talks.
00:08:18.526 --> 00:08:21.661
She told some crazy stories of things that she's done.
00:08:22.583 --> 00:08:36.789
And we had a cybersecurity incident at PCE recently and it's really good to have somebody like that on speed dial Because, like Leah, I know that's not necessarily your side of the house to like what to do once you get hacked.
00:08:36.789 --> 00:08:44.469
You're on the governance side, you know, you're in product development, all those sorts of things, so I had you on my, you know, speed dial, but for very different things.
00:08:44.469 --> 00:08:52.682
And then Ashley, we just, yeah, it was rough.
00:08:52.682 --> 00:09:04.524
So PCE got hacked. One of our contractors' emails and payment details were changed, but not through, like, a one-off email, but, like, a whole exchange that required multiple levels of approval, and that was still changed and then not caught until afterwards.
00:09:05.105 --> 00:09:14.389
And we had to, you know, we called Ashley and she, you know, gave us some advice of what to do and unfortunately, we thought that we had fixed it and gotten the money back from QuickBooks.
00:09:14.389 --> 00:09:26.946
Because they said so, we went down, you know the whole phone tree with both the bank and then the accounting software that was used to send the ACH, and they said that you know we would be getting, or that they would be getting the money back.
00:09:26.946 --> 00:09:30.087
And then, you know, follow up, follow up, follow up.
00:09:30.087 --> 00:09:30.830
It didn't come.
00:09:30.830 --> 00:09:34.105
Turns out they were like oh, we made a mistake, you're not actually getting it back.
00:09:34.320 --> 00:09:41.230
So now we're looking at, I guess, the cybersecurity insurance claim and you know, filing all the reports and all those sorts of things.
00:09:41.230 --> 00:09:46.812
But, you know, this sort of stuff happens to people all of the time, or companies in our industry.
00:09:46.812 --> 00:10:09.846
And when we said that, you know, the first people that we talked to, or you know some of the people that got notified, are some people like Alma and you know some of the people that we work with at OT Skatecon and we've definitely heard like, oh, my company, or a company I know, lost way more than that, you know, to something similar payment instructions being changed on invoices.
00:10:09.846 --> 00:10:11.149
You know all kinds of things.
00:10:11.149 --> 00:10:16.106
So, Leah, you've been out there, you know, going to conferences and things like that.
00:10:16.106 --> 00:10:28.528
Do you have any insight for us about the last year, like what are kind of the most common things that people are still grappling with specifically kind of in the you know our industry, if you have any examples?
00:10:29.091 --> 00:10:33.363
Um, so attacks are definitely up in manufacturing.
00:10:33.363 --> 00:10:39.313
Um, I think one of the big avenues is vulnerabilities in supply chain.
00:10:39.313 --> 00:10:53.433
So, exactly like you described, something that you may not necessarily have direct control over. Yeah, but like you're saying, multiple levels of approval. Scams in general are up right now.
00:10:53.433 --> 00:11:06.600
In fact, I had an incident recently where I got approached with a scam and, being in the industry, it was a little bit more apparent, but they did such a good job.
00:11:06.600 --> 00:11:16.922
I got called from a number that was in an area I used to live and they left me a voicemail.
00:11:16.922 --> 00:11:23.684
They said that they were with the sheriff's department and that I had a warrant out because I had missed jury duty.
00:11:23.684 --> 00:11:34.889
So, you know, things like that, they try to go immediately for some kind of emotional response. Okay, get you making an emotional decision as opposed to a logical decision.
00:11:34.889 --> 00:11:43.552
So you know, you get those little like feelings of maybe this is wrong, but you also get that emotional kick of like what if it's not?
00:11:43.552 --> 00:11:47.541
Yeah, and so I did a couple things.
00:11:47.541 --> 00:11:56.703
I looked up the person online and they used a real deputy's name, right, um, and they were associated with the place that they said.
00:11:56.703 --> 00:12:08.668
You know, that they were, and so I called not the number that they gave me but the department itself, and the deputy was out.
00:12:08.668 --> 00:12:15.255
So I called the number that they gave me to see kind of what was going on and they did a great job with the impersonation part.
00:12:15.255 --> 00:12:31.504
And that's what gets a lot of people, especially in manufacturing where there's a lot of connection, supply chain, a lot of people talking to a lot of people and you just you know, you get that human connection and there's a little bit of trust that's built through those things.
00:12:31.504 --> 00:12:43.484
So he gave me a badge number, obviously not a real badge number, but he was on the spot when I asked, was able to read off a number, and so he was very well prepped from that aspect.
00:12:43.945 --> 00:12:49.114
A couple of the things, tactics that he used are really common in scams.
00:12:49.114 --> 00:12:52.950
The sense of urgency is a big one.
00:12:52.950 --> 00:12:58.952
So he was telling me you can't get off the line because you'll be held in contempt of court if you get off the line.
00:12:58.952 --> 00:13:05.653
You can't go into your local sheriff's office because they will arrest you if you do, because this warrant is active.
00:13:05.653 --> 00:13:11.412
So, like, all of the normal avenues of verifying, he was very quick to, like, cut off.
00:13:11.412 --> 00:13:17.091
Okay, don't do these things that you probably are naturally feeling like you should do, yeah.
00:13:17.091 --> 00:13:28.174
And so in the back of my mind as a cybersecurity person, I'm like, this is, I see what you're doing here, and eventually I was able to, like, okay, I'm done with this conversation.
00:13:29.096 --> 00:13:36.009
So I hung up, called back the sheriff's office and told them somebody's impersonating your deputy.
00:13:36.009 --> 00:13:42.572
They were like, yeah, it's been happening quite a bit and so that's one that's getting a lot more common.
00:13:42.572 --> 00:13:45.970
But those are the things that they like to prey off of.
00:13:45.970 --> 00:13:57.306
That sense of urgency of you have to do this right now or some terrible thing is going to happen, that emotional response of like somebody in your family is hurt, you need to send money to them.
00:13:57.306 --> 00:14:00.408
Oh, that was the other thing that they were telling me.
00:14:00.408 --> 00:14:09.905
The court was willing to get rid of the warrant if I paid the court fees, but there was only one specific way that I could do it: Cash App.
00:14:10.307 --> 00:14:31.589
Yeah, really, the court? You're telling me the court uses Cash App? So I actually, uh, I had to deal with the, uh, the court in California when I was living here in Houston, and so I was doing everything remotely and then they said to put these documents in the Dropbox.
00:14:31.589 --> 00:14:40.889
And I was like looking for the link of the Dropbox and I emailed and I think I asked for it and then they were like no, it's on the outside of the courthouse, the Dropbox.
00:14:40.889 --> 00:14:50.346
I was like, oh, I can't go there, like how can I get this to you?
00:14:50.346 --> 00:14:52.210
That's funny.
00:14:52.210 --> 00:14:58.164
Yeah, those limiting things that are like you can't, you can only work within this system.
00:14:58.164 --> 00:15:00.611
That doesn't make sense.
00:15:01.240 --> 00:15:12.489
No, but even then, like if it was a specific bizarre system, it would be a remnant of the old times, not a Cash App or a SoFi or a Bitcoin wallet.
00:15:12.548 --> 00:15:24.950
Right, like government is not that ahead. Yeah, yeah, and so those are some of the keys, like, when you're looking for those red flags, things that are outside of an expected workflow. Yeah, yeah, 'cause not?
00:15:24.950 --> 00:15:38.653
I mean, most of us aren't well-versed in workflows of things like government, how the courts work, but there are workflows that are familiar, right, and, like you said, government just isn't.
00:15:38.653 --> 00:15:43.331
They're not going to be taking Bitcoin for things like that, right?
00:15:43.331 --> 00:15:46.519
So identifying those red flags is pretty important.
00:15:46.941 --> 00:15:47.501
Yeah, there's.
00:15:47.501 --> 00:15:59.303
There's just so much that has been happening, um, on the attacker front with manufacturing that it really has become a big focus.
00:15:59.303 --> 00:16:15.782
Yeah, it has been increasing over the years, but in this last year, I think 75% increase in attacks is what some of the recent reports have been saying that are focused on manufacturing. Increased
00:16:15.782 --> 00:16:37.702
look at vulnerabilities. So there's a lot of systems, IT systems, that manufacturing has become pretty dependent on that are recently end of life or going to be end of life, and so known vulnerabilities in those systems, knowing that they're not going to be supported or they haven't been supported recently, makes them a big target.
00:16:37.702 --> 00:16:52.902
Things like Windows 10 is losing support next year, and a lot of manufacturing devices rely on Windows 10, so that's big eyeballs there.
00:16:52.922 --> 00:16:56.855
So do you have like at the top of your head sort of the biggest things that people should be watching out for that might be being targeted right now?
00:16:56.855 --> 00:17:03.341
And then, from a layman's perspective, like where's the best place to get information on what these things, what these happenings are?
00:17:03.341 --> 00:17:21.354
Because I feel like if you're in the industry, you can read all of this, right, but if you're coming from a non-cybersecurity background, then reading a lot of the incident, like, articles, or the new papers that come out, or any of the standards, like, it's a lot.
00:17:22.101 --> 00:17:23.042
It is a lot, yeah.
00:17:23.042 --> 00:17:28.953
So CISA does a good job providing resources specifically for manufacturing.
00:17:28.953 --> 00:17:32.349
They do different reports, they do different frameworks.
00:17:32.349 --> 00:17:46.781
They make some resources available for small businesses within manufacturing that are more scaled down concepts that help businesses that maybe don't have the budget or the resources that some of the larger groups do.
00:17:46.781 --> 00:18:02.515
The FBI, so local field offices, will a lot of times have resources. Like, you can join InfraGard, which will share across the industry different trends that are being seen.
00:18:02.575 --> 00:18:22.328
So if there's a common attack vector that different organizations have fallen prey to, they'll give advice then on how to protect against those. Okay, I think I've seen some of the FBI notices when I've been Googling certain types of, like, scams or attacks or whatever. Um, I think mostly scams.
00:18:22.589 --> 00:18:34.840
I Google scams sometimes when I, and a lot of times, when some of these things come to me, I'm like, I clearly know this is a scam, but now I want to know more about it, like why is it here or what is it trying to do, and is it common or is it something, you know, novel?
00:18:34.840 --> 00:18:43.394
Hey, Ali, hello. At least we got now two out of four with costumes, sort of Halloween.
00:18:43.394 --> 00:18:56.464
Yeah, next year we have to do our Día de los Muertos episode again, though. That was, we have to do, uh, like a fireside chat with someone that honors that or has something to say about it, I guess.
00:18:56.464 --> 00:18:58.849
But yeah, we did get started with.
00:18:58.849 --> 00:19:09.964
Leah. Ashley is here, sort of. She's having some trouble with her video and her audio right now, with all of it, with everything. It was audio.
00:19:10.045 --> 00:19:12.832
Now it's video, so I'm not sure I'll bring her um.
00:19:12.832 --> 00:19:25.797
Yeah, I can talk about how I just got robbed of thirty thousand dollars. So I stole your thunder a little by mentioning it, but go ahead, floor is yours. I mean, I mean, whatever.
00:19:25.876 --> 00:19:27.340
Like we were hacked.
00:19:27.340 --> 00:19:32.111
You know I have a domain right and we have emails for my company in that domain.
00:19:32.111 --> 00:19:41.759
Uh, and, uh, someone obviously using a VPN was able to get, and I think this is, uh, I migrated from Google.
00:19:41.759 --> 00:19:44.145
She liked Google Suite for business.
00:19:44.145 --> 00:19:58.039
Like I, I was using Google, not Microsoft, and Google doesn't automatically do the multi-factor authentication, so it actually isn't really in like any business's like best interest to even use Google.
00:19:58.561 --> 00:20:17.644
But I was doing that and I think that's part of the issue was we didn't really have super secure passwords anyway because of the Gmail, and so I slowly added people and we have had like phishing instances, like many you know, like everybody else has, and you know we catch them.
00:20:17.644 --> 00:20:30.429
Usually they're kind of obvious, but like, yeah, it'll be, it'll be me, without my phone number or my email, asking my people for shit that they that I'm not actually asking them for.
00:20:30.429 --> 00:20:33.769
And so this one was kind of sophisticated and I hadn't seen this one before.
00:20:33.769 --> 00:20:40.690
When I talked to Ashley, she's like, yeah, we've seen that a thousand times, and I'm like, that sucks. Um, but basically it was ACH fraud.
00:20:40.690 --> 00:20:43.502
So they posed as someone else.
00:20:43.502 --> 00:20:47.457
No, they posed as someone we know and that we pay regular.
00:20:47.457 --> 00:20:50.028
Yeah, and you know it looked like them.
00:20:50.028 --> 00:20:52.880
It actually was really good because they did hack their email.
00:20:52.880 --> 00:20:58.740
So there and we can show because it was, because it's still owned by me, like all the email addresses are owned by me.
00:20:58.740 --> 00:21:02.326
So my guy Albert, like Albert, is Courtney's husband.
00:21:02.646 --> 00:21:04.369
Another OT SkateCon speaker.
00:21:04.390 --> 00:21:07.535
He's my IT guy for my company because I don't have IT.
00:21:07.535 --> 00:21:09.022
Lots of controls.
00:21:09.022 --> 00:21:10.568
People like to be their own IT.
00:21:10.568 --> 00:21:12.185
I'd rather kill myself.
00:21:12.185 --> 00:21:13.865
So I'm not going to be my own IT.
00:21:13.865 --> 00:21:15.983
Same, I don't even like.
00:21:16.727 --> 00:21:29.192
Honestly, like I think it's really funny because like there's we're supposed to be like computer people, right, we're controls engineers, and like we must be like hacker galore and like that is not what all of us are.
00:21:29.192 --> 00:21:34.586
Some of us are really good at, like, IT, server management, networking.
00:21:34.586 --> 00:21:38.071
The rest of us have to learn how to do that crap.
00:21:38.071 --> 00:21:43.271
Uh, because all we know how to do is, like, how do we get the PLC to do the thing with the equipment?
00:21:43.271 --> 00:21:49.628
We don't care if that talks to some other machine, because we just need the machine to physically do the thing.
00:21:49.628 --> 00:21:57.662
Um, eventually you have remote io and you do need communications, just for one process, but for the most part that's not what we were taught how to do.
00:21:57.662 --> 00:22:08.565
So, like I know how to do, I know how to size pipes and pick a pump and pick a tank and like put it all together and give you a narrative and then tell a programmer make it.
00:22:08.565 --> 00:22:16.480
You know, when the tank is level, is this high, turn the valve off and like I'll say all the things to do and like we can do all that, but that doesn't mean that we know how to.
00:22:16.480 --> 00:22:29.340
For example, when I started SCADA, I was like, oh my God, mostly because we were doing server management, like I'm using virtualization, first of all, to do SCADA.
00:22:29.340 --> 00:22:31.627
Servers are done on virtual machines.
00:22:31.627 --> 00:22:34.707
I don't know why, but I guess it's just like cheaper to do that.
00:22:34.707 --> 00:22:38.711
I don't know why the answer is not Docker or containers, I don't really know.
00:22:38.711 --> 00:22:46.470
But I know that what we've been doing for the past I don't know a while is we've been putting these programs right.
00:22:46.470 --> 00:22:51.172
They're just applications that we can buy from Ignition, Inductive Automation.
00:22:51.172 --> 00:22:54.182
We can buy it from Rockwell, Siemens, any of the actual PLC.
00:22:54.182 --> 00:23:02.332
People can sell you their own software or you can just buy one from a free agent like Inductive Automation, who has an amazing SCADA and more.
00:23:02.332 --> 00:23:16.669
That's actually not even SCADA, it's an IIoT platform, so it can connect way more than your SCADA because you can do, like, ERP and warehouse management, put it all together into the giant data lake for the Unified, whatever, Namespace crap.
00:23:16.669 --> 00:23:22.692
But like, you can't do that if you don't know anything about IT or computer programming.
00:23:22.692 --> 00:23:25.920
So that's where people are like what is this IT, ot convergence?
00:23:25.920 --> 00:23:26.662
That's not real.
00:23:26.662 --> 00:23:31.833
Oh, it's real, like there are mountains of IT people who can do real programming.
00:23:31.900 --> 00:23:33.585
By the way, what we do is not real programming.
00:23:33.585 --> 00:23:34.165
It never was.
00:23:34.165 --> 00:23:40.441
We're grabbing a block and, like, connecting lines to it, like, that's not programming, that's just like we're telling you what to do.
00:23:40.441 --> 00:23:43.488
But like C, you know, plus, plus, plus.
00:23:43.488 --> 00:23:45.291
That's that's computer programming.
00:23:45.291 --> 00:23:48.244
Like telling it in its own native language.
00:23:48.244 --> 00:23:59.804
We're using pictures, we're dragging pitch, like function blocks, or like we're dragging ideas and like connecting numbers and being like okay, this channel means this, pump, like, and that's what we're doing.
00:23:59.804 --> 00:24:02.569
Like, and so all these IT people know how that.
00:24:02.651 --> 00:24:04.224
Does a computer like run its own?
00:24:04.224 --> 00:24:05.050
How does the read the?
00:24:05.050 --> 00:24:05.777
How does a computer run its own?
00:24:05.777 --> 00:24:07.826
How does it compile the program, run the program?
00:24:07.826 --> 00:24:10.847
How do you make these decisions?
00:24:10.847 --> 00:24:11.750
We don't do that.
00:24:11.750 --> 00:24:15.326
I don't program inside of a controller how it makes.
00:24:15.326 --> 00:24:18.153
I just tell it when this is true, like it's just the logic.
00:24:18.339 --> 00:24:34.592
So we are only putting facts or logic gates that we come up with in our head in that paper or odd down, and then, but yeah, real programming is people that actually know what the computer's doing and can make the computer do what you want it to do, and so that's real computer programming.
00:24:34.592 --> 00:24:36.484
And so we've never done real computer programming.
00:24:36.484 --> 00:24:42.065
We're still engineers, but we're not real programmers, and so that's why I've never felt bad.
00:24:42.065 --> 00:24:43.867
I'm like, yeah, I'm a programmer, but not a real one.
00:24:43.867 --> 00:24:44.910
Like and I can.
00:24:44.910 --> 00:24:48.035
I will always bow to real programmers, which are people that can program.
00:24:48.035 --> 00:24:57.567
I did like I took AP computer science and I think I did like one really cool HTML, like you all did HTML back in the day.
00:24:57.567 --> 00:25:12.611
Yeah. Well, and I, this one was like really hard for me and I have a copy of it now 'cause I was in like 10th grade or something, and I'm like look at my space head and then string and all this and it was like super cool.
00:25:12.611 --> 00:25:16.864
But like, outside of that, all I've ever done is like ladder logic, which is reading, even though everyone gets mad at me and everyone gets mad at everybody.
00:25:17.003 --> 00:25:20.394
It's reading relay logic, the way relay logic.
00:25:20.394 --> 00:25:34.092
You would read it that you're just making the PLC do the same thing and you even show it the same way, because it was meant like Allen-Bradley did this for maintenance people, not for electrical engineers.
00:25:34.092 --> 00:26:00.173
Maintenance people could read if these contacts are open, you know, latch in this relay and they could just read all this relay logic and so they're like well, this is the easiest thing we could do is take this real relay logic and then shove it in the computer and then make them do the same exact thing, and then they won't be that confused because, like now, it's like a fake set of contacts from a relay turns on a fake actual coil.
00:26:00.173 --> 00:26:02.819
But it's still happening.
00:26:02.819 --> 00:26:05.471
The action's the same.
00:26:05.932 --> 00:26:10.948
Who made the call is a computer instead of a relay, so you use a lot less relays.
00:26:10.948 --> 00:26:12.310
But now you got to have a programmer.
00:26:12.310 --> 00:26:23.067
But it was easy because we just had to teach the programmers how to replicate their circuits it's just circuit logic into a computer and it looks just like the circuit logic.
00:26:23.067 --> 00:26:36.375
So you're like oh, this, we can make computer programmers not real ones, but like out of maintenance people, so you just have to know how to read a freaking it looks really similar to a schematic like.
00:26:36.434 --> 00:26:42.490
if you go to the 24 volt section of the schematic and you see like your actual coils and contacts.
00:26:42.490 --> 00:26:59.428
It looks very similar to ladder logic in PLC land and almost everybody's first crossover to structured text is like a gajillion if-then statements and nested if-then statements and then you start learning like there's gotta be a better way to write all these if-then statements.
00:27:00.643 --> 00:27:03.192
And then you start learning the next steps from there.
00:27:03.192 --> 00:27:04.385
Back to your IT guy.
00:27:04.385 --> 00:27:10.727
The reason you brought this up, the reason you have an IT guy, is because he traced this hack back to a server in Germany, right?
00:27:12.942 --> 00:27:16.751
The Netherlands, the Netherlands. Oh okay, whatever, that was a VPN.
00:27:16.751 --> 00:27:18.005
It wasn't even someone in the Netherlands.
00:27:18.025 --> 00:27:19.664
Oh, okay, so just somebody on a VPN.
00:27:21.641 --> 00:27:28.083
It's probably someone I know, it's someone who knows me, I, it's someone who knows me.
00:27:28.083 --> 00:27:30.208
They don't, I probably don't know them, but it's someone from LinkedIn who knows anything.
00:27:30.208 --> 00:27:35.387
And they came after us because I make it really obvious who does what in my company, so they just picked the list.
00:27:35.387 --> 00:27:38.497
Actually, uh, I know, uh, Heather, not Heather.
00:27:38.497 --> 00:27:40.480
Ashley's not on here, but I keep messing up.
00:27:40.480 --> 00:27:44.125
Ashley and Heather are not the same name, not even close.
00:27:44.125 --> 00:27:48.771
But yeah, um, I forgot where I was going with that.
00:27:48.771 --> 00:27:51.015
Um, oh, but I was asking her.
00:27:51.015 --> 00:27:52.702
I was like what do I do?
00:27:52.702 --> 00:27:55.611
Or she's like, oh, I came up with this list of emails based.
00:27:55.611 --> 00:27:56.760
I don't remember what she even said.
00:27:56.760 --> 00:28:02.064
By the way, all those words just are, all those acronyms are not real to me and I'm just like I just waved my hand around.
00:28:02.124 --> 00:28:15.588
I'm like, yeah, they did the thing, so, but we got once she has either audio or video yeah, that's a good point you make, though, Ali, about like information being out there a lot of times.
00:28:15.588 --> 00:28:34.017
So attackers will find publicly available information like that and try it against you, and sometimes it requires a deeper dive and sometimes it's pretty easy to find, but the key then being like, the verification of this is publicly available.
00:28:34.017 --> 00:28:37.997
So are you, is it actually coming from this person?
00:28:37.997 --> 00:28:41.311
Is it someone you could just call up and be like hey, did you send me this email?
00:28:41.311 --> 00:28:43.651
Are you really asking me for payment?
00:28:44.192 --> 00:28:48.374
But yeah, Well, this was really good because it was like I owed this person a good amount of money.
00:28:48.374 --> 00:29:00.633
I was already late to pay them and at some point within the past week like month let's say a month prior to me paying them wrong they came and they were very.
00:29:00.633 --> 00:29:02.406
This was good.
00:29:02.406 --> 00:29:06.541
So they knew who would do that, who could do that for them.
00:29:06.541 --> 00:29:13.971
And I think you can just do that, because once they were in his email, they could tell who you know is that person, because they've already had emails like hey, can you do this?
00:29:13.971 --> 00:29:14.633
Can you do that?
00:29:14.633 --> 00:29:15.695
Can you pay me here?
00:29:15.785 --> 00:29:35.690
So they figured out who in my company they need to ask to change their payment information and they're like I just need you to pay me here, which is a fake bank account where I'm gonna steal all your um, but I just need you to do that because I don't want to use this bank anymore, which was his Chase account.
00:29:35.690 --> 00:29:36.752
So I have a Chase account.
00:29:36.752 --> 00:29:40.038
They had a Chase account and we paid somebody at SoFi.
00:29:40.038 --> 00:29:42.534
By the way, whoever has my money, have fun.
00:29:42.534 --> 00:29:46.509
That is so much money to steal.
00:29:46.509 --> 00:29:49.412
Like you didn't work for it, but I guess you did a pretty good job.
00:29:49.412 --> 00:29:52.796
And then actually they didn't know it was going to be such a huge payoff.
00:29:52.796 --> 00:29:54.692
I could have just been paying them like $200.
00:29:54.692 --> 00:29:57.669
But it was $30,000.
00:29:59.291 --> 00:30:05.845
so like you, you're on the compliance side and just uh, to ask a question.
00:30:05.845 --> 00:30:11.465
For uh people like me who are really honestly just figuring this stuff out within the last like 18 months.
00:30:11.465 --> 00:30:32.779
Um, the acronyms are all kind of alphabet soup and sometimes when I hear compliance, you know, uh like as an engineer, a lot of times I'm thinking like product design, like the product has to comply with certain things, and now, with CyberSec, we're also talking about like companies complying with, like what, how they store our information and what they can do with the information.
00:30:33.385 --> 00:30:57.239
So my understanding is, like you're more on that side, right, like with our information that's out there and how companies store it and treat it and everything, yep and uh like training is the bottom line, because if you people that mean my people carried this out like no one held a gun to their head and said give me the thirty thousand dollars, we were tricked and we did it like we wanted to do this.
00:30:57.239 --> 00:30:59.030
We're like, okay, you want to put your money in a new bank account?
00:30:59.030 --> 00:31:01.961
Yay for you, let's do it.
00:31:01.961 --> 00:31:06.448
And we didn't verify and yeah, and then in the future.
00:31:06.508 --> 00:31:12.038
What is you know for, like now that I'm seeking free advice here, like live on LinkedIn.
00:31:12.038 --> 00:31:17.298
But you know, like in that kind of situation, you know what you know company has this happen.
00:31:17.298 --> 00:31:25.696
You know what are the steps that that company takes in the future, to not let this happen again, multiple stages of approval sounds like one.
00:31:25.958 --> 00:31:28.609
No, anything related to money.
00:31:28.609 --> 00:31:30.594
It's just a flag.
00:31:30.594 --> 00:31:31.316
You just flag it.
00:31:31.316 --> 00:31:34.989
If someone was like I need to be paid in a new place, that's a flag.
00:31:35.450 --> 00:31:38.055
I'm any other levels of approval Money transfer.
00:31:38.095 --> 00:31:40.665
Yeah, if they want anything related to cause.
00:31:40.665 --> 00:31:42.711
This guy gave us new bank information.
00:31:42.711 --> 00:31:46.790
He's like and he he's like is it time now?
00:31:46.790 --> 00:31:47.907
Can I give you that?
00:31:47.907 --> 00:31:52.732
Now, he was so fricking nice, or she was a really good hacker. Like.
00:31:52.732 --> 00:31:55.270
They're like oh, I have a new bank.
00:31:55.270 --> 00:31:57.048
I would like to change that.
00:31:57.048 --> 00:31:58.611
I mean, could I give you that information?
00:31:58.611 --> 00:32:00.134
When could I share that with you?
00:32:00.134 --> 00:32:02.419
He didn't just give it to us, she didn't just give it to us.
00:32:02.419 --> 00:32:07.116
They're like ask us when we are ready to put the new information in.
00:32:07.286 --> 00:32:10.009
And we're like okay, yeah, so this is a little different.
00:32:10.009 --> 00:32:13.434
In there it wasn't like oh, I need to get paid today, You're already paid.
00:32:22.185 --> 00:32:22.406
It was.
00:32:22.406 --> 00:32:26.240
That was a request, which is sometimes urgency helps you find out what that like oh, that's the red flag is the urgency.
00:32:26.259 --> 00:32:27.403
There was no urgency, so it was a really good hack.
00:32:27.403 --> 00:32:29.710
Yeah, if you've ever, have you seen the movie The Beekeeper?
00:32:29.710 --> 00:32:35.288
If you haven't, no, the opening section of that movie they go through.
00:32:35.288 --> 00:32:40.482
And Ashley's shaking her head, so she knows.
00:32:40.482 --> 00:33:04.790
Yeah, they go through a very realistic depiction of that kind of attack where the target is getting somebody to willingly give over access to their things um, access to their bank account and the goal is to make it their idea or like put the onus on them so you're not out.
00:33:04.790 --> 00:33:10.074
These people are psychologists too, exactly, and it sucks like hard it sucks.
00:33:10.074 --> 00:33:27.848
So that's the social engineering aspect, and I think we just got yeah, just got a comment saying the art of social engineering, but that's the social engineering aspect of it right Ways to manipulate people, because, yeah, somebody could hack into your bank account and try and steal the money themselves and move everything.
00:33:27.888 --> 00:33:30.193
This is way better because you can't get it back.
00:33:30.193 --> 00:33:41.474
Yeah, they did it on purpose and I actually tried to make my claim and they're like, let's just say this a little bit different, because if you say it the way you're saying it, you ain't going to get sh**.
00:33:41.474 --> 00:33:42.195
That's what happens.
00:33:42.296 --> 00:33:47.913
Yeah, yay, I have sound and camera and audio and everything.
00:33:47.913 --> 00:33:49.076
We'll all get together.
00:33:49.076 --> 00:33:51.973
Look, you should have known when you invited me.
00:33:51.973 --> 00:33:54.692
Okay, I can't make things work, I can only break them.
00:33:54.692 --> 00:33:58.394
That's what I do, like you know, by trade.
00:33:58.394 --> 00:34:02.307
I can only break the thing, so I broke it.
00:34:02.307 --> 00:34:04.973
I couldn't make the camera work, I couldn't make the audio work, so I'm on my phone.
00:34:04.973 --> 00:34:09.657
Apparently that's how it works, because I tried 15 browsers and none of those want to work.
00:34:09.719 --> 00:34:18.150
so yeah, she's on her phone half the time yeah, today I'm not, but almost always because I give up, I'm like no, this is and I don't get it.
00:34:18.170 --> 00:34:22.190
I try to use this platform because for me, it's the only one I've never had issues with.
00:34:22.190 --> 00:34:24.239
Like you just click the link and like go in.
00:34:24.239 --> 00:34:28.032
So every time someone has a StreamYard in mind, I'm like, oh great, I know what to do.
00:34:28.032 --> 00:34:30.148
Like when I'm flying, you know, you know what to do.
00:34:30.148 --> 00:34:32.313
Everything else I'm like, oh no, it's not gonna work.
00:34:32.313 --> 00:34:35.690
Oh yeah, apparently does your shirt say hacker.
00:34:35.771 --> 00:34:37.376
It does say hacker, and it's actually.
00:34:37.376 --> 00:34:42.753
It's actually literally written backwards, so that when I'm on camera, it's actually the correct way.
00:34:42.753 --> 00:34:46.289
Um, but, like, if you look at it in real life, you're like what is that?
00:34:46.289 --> 00:34:47.512
That's backwards?
00:34:47.512 --> 00:34:50.726
But no, it's, it's designed to be on camera.
00:34:50.726 --> 00:34:52.509
Um, this is my Halloween costume.
00:34:52.509 --> 00:34:59.398
Um, so, uh, yeah, um, but you know it's true in real life though.
00:35:00.340 --> 00:35:06.355
Well, you, know, I mean, and I'm also an actual Mexican, so um, I mean, you know.
00:35:06.697 --> 00:35:09.105
I literally at Costco earlier I saw this uh lady.
00:35:09.105 --> 00:35:11.972
She had on a gray t-shirt and it says pretend that I'm a donkey.
00:35:11.972 --> 00:35:26.257
And I was like, yes, that is my level of dressing up this year because, yeah, like I'm actually not in my office right now because my office is piled up with wedding stuff, um, and I can't get in there to do anything.
00:35:26.257 --> 00:35:35.289
So, uh, so, yeah, it's um, yeah, there's a little bit going on here, but, uh, but yeah, like talking about the phishing stuff, um, it's.
00:35:35.289 --> 00:35:46.097
It's funny because I actually was talking with a prospective client just last week and we were talking about, you know, external assessment and everything.
00:35:46.097 --> 00:35:48.985
And they were like, you know, well, you know, we want to do social engineering.
00:35:48.985 --> 00:35:52.456
And I was like, look, I was like here's my thing with social engineering.
00:35:52.456 --> 00:35:54.592
I usually don't do it.
00:35:54.592 --> 00:36:00.505
I was like, if you really really want the service, I will do it, but typically I don't do it.
00:36:00.505 --> 00:36:11.635
And here's why Because, given enough time, I go on the assumption that, given enough time, if somebody really wants to, they will have a successful phishing campaign.
00:36:11.936 --> 00:36:14.297
That's just the reality of it.
00:36:14.297 --> 00:36:26.045
How much training you do, it doesn't matter how good your security mechanisms are, whether you have spam filtering, whether you have, you know, all of your, your DNS, DMARC and all of that in place.
00:36:26.045 --> 00:36:31.398
Eventually, if they want to, badly enough, they will have.
00:36:31.398 --> 00:36:32.987
They will have some kind of success.
00:36:32.987 --> 00:36:42.074
They'll figure out you know something about your company, whether it's based on social media, whether it's based on information that is publicly available on the internet.
00:36:42.074 --> 00:36:42.655
But they will.
00:36:42.655 --> 00:36:43.878
They will gain success.
00:36:43.878 --> 00:36:54.748
So I'm not going to waste somebody's time, money, energy and efforts to do a phishing campaign where in in in the reality of it.
00:36:54.748 --> 00:36:59.833
If I'm, if I'm doing a two-week assessment, I'm probably not going to have a lot of luck in two weeks.
00:37:00.635 --> 00:37:20.606
Now, if I'm doing a specific social engineering campaign where we're talking this is going to be a three, six, nine or even 12-month engagement where periodically I am just, you know, putting out these phishing emails, then yeah, I'm probably going to have success at some at some point.
00:37:20.606 --> 00:37:22.771
And all I need is one set of credentials.
00:37:22.771 --> 00:37:24.335
I don't need 50.
00:37:24.335 --> 00:37:25.257
I need one.
00:37:25.257 --> 00:37:32.293
One set of credentials, and it doesn't matter what the permissions are, because that one set of credentials is going to get me on the inside.
00:37:32.293 --> 00:37:48.065
From there, I can either install my tools and start to you know, propagate through you know, through C2, put in a back door, so I don't lose that, you know, or I can just live off the land and start to pivot my way through.
00:37:48.065 --> 00:37:58.014
Eventually I'm going to find something somewhere that I can either escalate my privileges or gain another account or create an account, that kind of thing.
00:37:58.014 --> 00:38:09.949
So that's why, you know, when I look at social engineering, I just say again, my hacker was in there for weeks, yeah, responding me like hey, were you able to do anything about?
00:38:10.010 --> 00:38:18.534
and then Liza would be like oh sorry, like we still have a, I still have an open claim with QuickBooks 'cause we can't fix your bank account yet.
00:38:18.996 --> 00:38:26.280
Just really nice slow like, yeah, and you were most likely not their only target during that time.
00:38:26.280 --> 00:38:30.353
They most likely had multiple people on the line, and so they can be patient.
00:38:30.393 --> 00:38:34.485
Right, they've got fires going everywhere, I would be patient.
00:38:35.286 --> 00:39:02.393
Right, exactly, you know, and when you're talking, you know they're installing ransomware and they're asking for millions upon millions of dollars.
00:39:02.393 --> 00:39:09.512
You know, if you look at, just if you look at one individual group and you look at the millions, yeah, I mean.
00:39:10.346 --> 00:39:12.431
And like what Dogecoin?
00:39:13.793 --> 00:39:15.137
Oh, absolutely, Absolutely.
00:39:15.137 --> 00:39:16.646
I mean, they're winning.
00:39:16.646 --> 00:39:22.757
They're essentially winning the lottery with every single one of these attacks and you can get paid out multiple times.
00:39:22.818 --> 00:39:24.327
So you get paid the ransomware.
00:39:24.327 --> 00:39:30.590
You could do double encryption but then you also get paid for the data that that you're stealing right, selling the data.
00:39:32.112 --> 00:39:34.036
Oh yeah, absolutely yeah.
00:39:34.036 --> 00:39:39.996
And and that's that's really what they're doing now is, you know they'll steal the data, they'll ransom you.
00:39:39.996 --> 00:39:41.177
You pay the ransom.
00:39:41.177 --> 00:39:43.914
That's no guarantee that they're not going to go ahead and sell that stuff.
00:39:43.914 --> 00:39:48.434
And they're going ahead and selling it and they're selling it for the same price to multiple people.
00:39:48.434 --> 00:39:50.871
You know you go anywhere on the dark web.
00:39:50.871 --> 00:39:56.125
It's, you know, a thousand, a hundred thousand Bitcoin to get this database.
00:39:56.545 --> 00:40:19.235
And they're not doing that once, twice, they're doing it hundreds of times and if you don't make sure that you've gotten them actually out of the system, they could sit there for another year or so and keep quietly collecting data during that time and then hit you again and it'll feel like a separate attack when really it's it's all connected and some of these are like teenagers.
00:40:20.115 --> 00:40:27.465
And we have such incredible like the Kali Linux, like tools, all the tools are free.
00:40:27.465 --> 00:40:36.152
For all that, if you have any ambition at all at intelligence at all like at all, and you're like a kid, you could take banks down.
00:40:36.152 --> 00:40:39.474
You just could get busted and then go to jail.
00:40:39.474 --> 00:40:44.197
But, like, the ability to hack and whether or not you get busted are not the same thing, right.
00:40:44.197 --> 00:40:51.804
So you don't have to be a genius kid, you just have to be like pretty smart.
00:40:52.286 --> 00:40:57.378
Yeah, there's an industry term, script kiddies. Script kiddies, yeah.
00:40:57.925 --> 00:41:00.994
So the low-hanging fruit, the easy attacks that you can.
00:41:00.994 --> 00:41:10.536
You can buy attacks, you can use tools that are readily available stupid people like me just kidding.
00:41:10.536 --> 00:41:11.179
Yeah.
00:41:11.179 --> 00:41:27.295
So the idea is, when you're looking from the protection standpoint, of being able to protect against those low-level things, the script kiddie attacks, and then elevating your protections from there, like if someone were more motivated or had better skill, then what would they pivot from there and do?
00:41:27.295 --> 00:41:32.269
And from protection standpoint, that's where you really start, like let's flesh out.
00:41:32.269 --> 00:41:36.106
And, of course, Courtney, you mentioned the, the GRC compliance side.
00:41:36.106 --> 00:41:39.757
That's where you marry the two concepts right.
00:41:39.757 --> 00:41:43.155
So protection from the technical standpoint and then protection from the policy.
00:41:43.155 --> 00:41:45.994
We're going to say that we're doing X, Y and Z.
00:41:45.994 --> 00:41:59.177
Let's make sure that we're actually doing it from a technical standpoint, yeah, yep, and then let's test it, so keeping that ball rolling so that there's those connections across your protections constantly going.
00:41:59.177 --> 00:41:59.965
Yeah.
00:42:00.144 --> 00:42:07.574
I've done work for companies now that are SOC 2 compliant and what an adventure that is.
00:42:07.574 --> 00:42:20.813
But it really actually started making me think about like how well do I vet people that I do business with now that this company is like putting me through this wringer, because I do want to make money and I will submit all these things you're asking for.
00:42:20.813 --> 00:42:29.548
But you know, like I've been background checked and you know stuff I you know as a you know subcontractor and stuff I haven't previously had to do before.
00:42:29.548 --> 00:42:36.574
But now all of a sudden, like two, three clients in a row have had me like doing a laundry list of things I've never had to do before.
00:42:36.574 --> 00:42:47.596
I think it makes you know Ali has said before with other difficult customers like hey, they're making me a better company, you know, by making me kind of dig deep and change some things that are kind of painful.
00:42:49.306 --> 00:42:55.228
But yeah, what can the small because this all sounds, you know, like there's, it just kind of adds a lot of costs to doing business.
00:42:55.228 --> 00:43:10.552
Right To have to add this to your toolbox, to have to add this to your things to worry about, to think about, to plan for, to spend money on right To invest in yeah, CyberSec insurance is kind of new for me yeah mine was four grand a year.
00:43:11.126 --> 00:43:12.010
Is four grand a year.
00:43:12.010 --> 00:43:17.871
That's a $3 million policy and like most places that's too small.
00:43:17.871 --> 00:43:24.195
Yeah, like a 3 million is a little policy.
00:43:25.465 --> 00:43:28.614
Yeah, it's becoming a really big thing Now.
00:43:28.614 --> 00:43:36.385
Those questionnaires, courtney, like you were mentioning, filling out what your policies are, what you're doing, what certifications you might have.
00:43:36.385 --> 00:43:38.771
It is becoming a lot, um.
00:43:38.771 --> 00:44:02.108
There are some techniques that we talk to people about, like the idea of building a trust center, um, but it all, it all takes overhead right, the idea being that you have to look at it as an investment in future, um, your future work, because having those assurances will make more companies happy with working with you.
00:44:02.108 --> 00:44:11.235
If you're looking at things like getting into government contracts, those are required, and you can't do business in that without having you know those assurances in place.
00:44:11.235 --> 00:44:19.898
So, yeah, it is a maybe a heavy lift to go from zero to hero, but it's one that pays off.
00:44:20.865 --> 00:44:26.637
I'm curious how realistic it is to fathom something like you know to to be.
00:44:26.637 --> 00:44:33.585
You know, working with you know many companies are going to require this now and I see just even more in the future.
00:44:33.585 --> 00:44:53.436
But like the equivalent of TSA pre-check, where you know, like I'm in a system where I'm pre-vetted for everybody so I don't have to do this every single time I take on a new SOC 2 compliant customer, cause I'm fine, you know, with the fact that this vetting needs to happen, you know it's.
00:44:53.436 --> 00:44:55.592
You know all of us can't afford it.
00:44:55.784 --> 00:44:57.713
Well, gas does it in like their safety.
00:44:57.713 --> 00:45:01.449
So, like everyone has to like register their safety, whatever.
00:45:01.449 --> 00:45:02.572
So this is kind of the same thing.
00:45:02.572 --> 00:45:14.291
It's just like your cyber safety score, um, as a company, and if you've been hacked a million times, then your score sucks like because your people don't get to like number for cyber.
00:45:14.291 --> 00:45:21.327
Like you get hacked all the time, your people don't know what phishing is and, like you, you're at risk because of it.
00:45:21.327 --> 00:45:25.173
Yeah, yeah, like a new credit score.
00:45:25.173 --> 00:45:31.873
Yes, we need more ways to, yeah, to limit us, but yeah, we need credit scores for our cyber trading.
00:45:31.972 --> 00:45:32.474
It's funny.
00:45:32.474 --> 00:45:33.155
It's funny.
00:45:33.155 --> 00:45:44.728
It's funny that you guys bring this up, because I had, um, I, I had a, a concept and an idea about that, about I don't know, probably like five, five to 10 years ago.
00:45:44.728 --> 00:45:55.748
I was like you know, I was like I gotta go through all this stuff to, like you know, buy a house and everything and stuff like that, but I, we don't go through that with like cybersecurity.
00:45:55.748 --> 00:45:59.898
You know, we just we're just like you know you have these checklists.
00:45:59.898 --> 00:46:14.369
And then, especially when you're talking like OT or critical infrastructure, you know, if you think about it, really there's only one sector right now that truly has any kind of real regulatory standards or regulatory compliance, and that's energy.
00:46:14.369 --> 00:46:16.996
You've got NERC CIP. Oil and gas.
00:46:16.996 --> 00:46:21.007
Do you know what audits I had to go through when I did oil and gas? SOX.
00:46:21.007 --> 00:46:21.788
That was it.
00:46:21.788 --> 00:46:26.157
It's a financial thing, has nothing to you know.
00:46:26.177 --> 00:46:28.570
The auditors came and they were like do you have a firewall?
00:46:28.570 --> 00:46:29.474
I was like yep.
00:46:29.474 --> 00:46:34.510
And they were like, do you have a firewall between the internal and your OT?
00:46:34.510 --> 00:46:36.152
Yep, I sure do.
00:46:36.152 --> 00:46:42.603
One firewall, everything else in the SCADA is on just one flat VRF.
00:46:42.603 --> 00:46:44.047
Everything can talk to everything.
00:46:44.047 --> 00:46:45.010
Don't look over here.
00:46:45.010 --> 00:46:46.514
No problem, no worries over here.
00:46:46.554 --> 00:46:51.597
This is terrible, we know it, but you're not making us do anything about it, so we're not going to do anything about it.
00:46:51.597 --> 00:46:58.550
And it was that way until we were purchased by a larger entity that came in and was like y'all, no, you can't do that.
00:46:58.550 --> 00:47:02.429
And I was like, I've been saying that, but they didn't want to do anything about it, you know, and we had.
00:47:02.429 --> 00:47:07.048
We had to make changes then and we had to, you know, put in our network segmentation and all of that.
00:47:07.048 --> 00:47:12.266
But because there was no standard making us do it, nobody's going to do it.
00:47:12.266 --> 00:47:26.045
You know, cybersecurity, while it's probably the most important thing for your business to actually, you know, be sustainable and be able to continue to make that money, nobody wants to actually do it unless they're forced to.
00:47:26.045 --> 00:47:27.670
This is a voluntary basis.
00:47:27.670 --> 00:47:32.228
We're going to do the least amount we can because cybersecurity doesn't make money.
00:47:32.228 --> 00:47:40.838
You know it's like quality assurance it never makes money, it only costs money exactly, exactly.
00:47:41.239 --> 00:47:47.405
And you know, we, we don't, we, we, for some reason in that in in in the business world, we don't have that mentality.
00:47:47.405 --> 00:47:49.190
You got to spend money to make money.
00:47:49.190 --> 00:47:50.737
You know, do?
00:47:50.737 --> 00:47:52.342
Do I want to spend money on advertising?
00:47:52.342 --> 00:47:53.485
No, I really don't.
00:47:53.485 --> 00:47:56.813
But if I don't spend money on advertising, then nobody knows who I am.
00:47:56.813 --> 00:48:01.208
And then you know I'm not getting, I'm not getting, I'm not getting any customers.
00:48:01.208 --> 00:48:10.545
Um, and it's the same with cyber security you, you have to spend the money to keep yourself and keep your product secure, otherwise you're going to lose that reputation.
00:48:10.545 --> 00:48:13.170
You're going to spend way more on it.
00:48:13.592 --> 00:48:29.614
Shut down like, yeah, I just lost 30 grand, like that's sucks, but like people can lose more and so, yeah, you can choose to not protect yourself, but you will find it worth the money once you're robbed, like I just was, because now it's worth 30 grand.
00:48:30.175 --> 00:48:43.849
Yeah, you have something like a production line that gets shut down, then you're losing, yeah, yeah, and it becomes exactly, and compliance gets a bad rap and I get why.
00:48:43.849 --> 00:48:52.976
But it really, like Ashley was saying, it's a motivator, right, if companies aren't going to do something, then compliance will help move that along.
00:48:52.976 --> 00:49:03.692
And compliance doesn't always equal exact security, but it gets people thinking that way right, if we start doing this, then then we'll be better.
00:49:03.692 --> 00:49:05.898
And then how can we make that better from there?
00:49:07.684 --> 00:49:09.128
Yeah, absolutely.
00:49:09.128 --> 00:49:21.969
And you know, the thing is that I, when I look, when I look at major incidents, you know talking, you know Colonial Pipeline, you know BlackEnergy.
00:49:21.969 --> 00:49:36.800
Even even if you really look at Stuxnet, these are not, these are not crazy sophisticated attacks, they're not like like the movie, just the easy shit.
00:49:36.800 --> 00:49:40.862
Yeah, you know, it's it really, it really is.
00:49:40.862 --> 00:49:42.547
You know Colonial.
00:49:42.547 --> 00:49:50.806
If you look at Colonial Pipeline, it was a, it was an account, that um, that the person no longer worked.
00:49:50.806 --> 00:49:53.750
There should have been um.
00:49:53.750 --> 00:50:02.007
Why can I not think of the word? Deleted, removed, deleted, yeah, deactivated, deactivated.
00:50:02.007 --> 00:50:02.550
Yes, there we go.
00:50:02.550 --> 00:50:15.434
It should have been deactivated but it wasn't, and they just happened to find this and come across it and clearly they were not.
00:50:15.434 --> 00:50:30.085
I think the password or something like that had gotten caught in some kind of other leak or breach or something, and so they had the username and password and so they just logged in and then they just started pivoting through.
00:50:30.606 --> 00:50:33.916
And you know most of this ransomware, it's a worm.
00:50:33.916 --> 00:50:36.152
So all they need to do is get it on one computer.
00:50:36.152 --> 00:50:41.088
It'll propagate itself across the network and that's it.
00:50:41.088 --> 00:50:48.110
And fortunately, you know they had a process to, you know, shut down OT so that it didn't have a chance to propagate there.
00:50:48.110 --> 00:50:49.614
But you're still shutting down OT.
00:50:49.614 --> 00:50:55.898
So it doesn't matter whether it is an internal attack or whether it's directly, you know, directed at OT.
00:50:55.898 --> 00:51:01.077
Ultimately the same, you know, end goal happened you shut down OT.
00:51:01.077 --> 00:51:02.550
It was shut down for three days.
00:51:02.550 --> 00:51:05.251
Gas on the East Coast went up to $9 a gallon.
00:51:05.251 --> 00:51:07.507
People were panicking, you know.
00:51:07.507 --> 00:51:12.554
People were putting gas in trash bags and stuff. Like, you created panic, and that was only three days.
00:51:12.554 --> 00:51:19.695
And then, luckily also, they had backups, because even though they paid the ransom, they got the decryption key.
00:51:19.695 --> 00:51:24.945
The decryption key worked so slowly that they had to restore everything from backups anyways.
00:51:24.945 --> 00:51:30.574
So you know, these are it's not this crazy stuff, it's really.
00:51:30.574 --> 00:51:33.039
It is that low-hanging fruit.
00:51:33.039 --> 00:51:35.088
It is going back to the basics.
00:51:35.708 --> 00:51:37.833
Don't, don't keep default passwords.
00:51:37.833 --> 00:51:56.606
You know, make secure passwords, um, literally as as part of you know, as as part of my, you know, our, our company, we use, we, we, I provide a password management system for everybody and you can have, you can put all of your passwords in there.
00:51:56.606 --> 00:52:09.335
So there's really no reason for you to not create a, a secure password, because you, you have that to do and I think that you know more companies should do that and and, honestly, it's really not.
00:52:09.335 --> 00:52:16.954
It's not that expensive, something like a hundred dollars a year, and I have unlimited users and I, I can provide that.
00:52:16.954 --> 00:52:18.177
We have a password vault now.
00:52:18.177 --> 00:52:33.731
Yeah, exactly, but it's little things like that that we just have gotten so far away from, because we're like, oh, we need an AI-powered IDS to do this stuff, and I'm like, you can't change a password, you don't need AI anything.
00:52:35.630 --> 00:52:45.505
But we think we need this advanced technology when really we need basic stuff that you know we need to start at square one, which we're not even meeting those requirements.
00:52:45.666 --> 00:52:54.893
So exactly, exactly. So, with that, we are actually coming up close on time, and I know it's Halloween, so we all got, you know, fun things to do.
00:52:54.893 --> 00:53:06.414
I need to eat stomach aches to have something that you said at your talk at OT SkateCon, Ashley, something about there being two types of companies: the ones that have been hacked and the ones that haven't been hacked yet, or something to that effect.
00:53:06.414 --> 00:53:10.469
Right, so assume that you will get hacked one way or another.
00:53:10.469 --> 00:53:13.594
I'm already there.
00:53:13.594 --> 00:53:14.757
What are?
00:53:14.757 --> 00:53:22.639
Just, like you just said, the password manager, right, something like a Bitwarden, or I don't know what, you know, recommendations would be for something like that.
00:53:22.639 --> 00:53:24.666
But what are some of your top takeaways?
00:53:24.666 --> 00:53:38.996
That, if somebody watched this, that the next time they feel that they can have a conversation with someone about cyber security, and you should do that really soon, um, including with people on LinkedIn. You better have an IT guy or woman.
00:53:43.065 --> 00:53:52.050
What are some of the top low-hanging fruit things that people can do to either protect themselves or to make sure that, when the time comes, you're in a position not to be completely effed?
00:53:52.050 --> 00:53:54.557
If you do get, don't use Google.
00:53:57.367 --> 00:53:59.230
Yeah, definitely passwords.
00:53:59.230 --> 00:54:01.992
That's a huge thing, you know.
00:54:01.992 --> 00:54:05.918
In a password vault, yeah, using a password vault, I mean you won't?
00:54:05.978 --> 00:54:06.820
ever know those passwords?
00:54:06.820 --> 00:54:12.788
It's like x, y, g, 700 letters long.
00:54:12.788 --> 00:54:13.349
You just save it in there.
00:54:13.369 --> 00:54:16.139
You're like, I don't know what the password is. Nobody does. You have a password vault?
00:54:16.139 --> 00:54:16.360
Absolutely.
00:54:16.360 --> 00:54:19.085
You know making sure that you're not using default passwords.
00:54:19.085 --> 00:54:24.969
When you set up you know any kind of new infrastructure or something like that, immediately change that default password.
00:54:24.969 --> 00:54:35.894
And that's really important in, you know OT, because a lot of those devices they, you know they're admin, admin, I guess that all day long, every single day, single day.
00:54:36.375 --> 00:54:37.356
You know when.
00:54:37.356 --> 00:54:46.820
You know when you are storing documents and things like that, make backups, make offline backups.
00:54:46.820 --> 00:54:48.461
You know get, get.
00:54:48.461 --> 00:54:50.463
You know get a small.
00:54:50.463 --> 00:54:53.889
You know one terabyte, two terabyte, five terabyte.
00:54:53.889 --> 00:54:59.599
You know hard drive that you can plug in and put all the files on there and then unplug it.
00:54:59.599 --> 00:55:02.635
You know don't have it connected to the internet, none of those types of things.
00:55:02.635 --> 00:55:12.293
But you know keep those files because if something happens and your files are gone, you have to restore some way and then make sure you're doing those backups on a regular basis.
00:55:12.293 --> 00:55:19.576
You know whether it be weekly, biweekly, monthly, in some sort of frequency so that you have that data.
00:55:19.576 --> 00:55:21.860
And then you know.
00:55:22.045 --> 00:55:26.097
The final thing is I always say trust but verify.
00:55:26.097 --> 00:55:27.481
I'm going to.
00:55:27.481 --> 00:55:38.760
You know I'm going to trust, but I'm also going to verify, you know, I'm going to make sure that you are who you say you are, that you are authorized to do whatever you're.
00:55:38.760 --> 00:55:52.096
You know you're saying you're authorized to do um and and have those different things, um, you know, and have, have those, those processes in place, um, and that make sure that everybody is following those processes.
00:55:52.436 --> 00:55:54.085
You know, test your employees.
00:55:54.085 --> 00:56:00.119
Just, you know, pull them aside, call them up and say, hey, you know, if this happens, do you know what to do?
00:56:00.119 --> 00:56:02.411
If this happens, do you know what to do?
00:56:02.411 --> 00:56:07.516
Because that's the other thing is, we write policies and we write procedures, but then we never test them.
00:56:07.516 --> 00:56:12.894
You know, I can't tell you how many companies I've gone into and I'm like do you have an incident response plan?
00:56:12.894 --> 00:56:16.007
And they're like, yeah, and I'm like cool, do your employees know about it?
00:56:16.007 --> 00:56:17.148
And they're like, uh, maybe.
00:56:17.148 --> 00:56:18.731
I'm like, have you ever tested it?
00:56:18.731 --> 00:56:20.313
Have you ever done an exercise?
00:56:20.313 --> 00:56:23.739
Well, no, we just, you know, we just wrote it down, it's gonna work, right?
00:56:24.108 --> 00:56:44.733
No, you don't know that, because people don't know what to do and people panic, and so, you know, those are some of the biggest things that you can do. Yeah, a lot of times we'll see people that are like, oh, we got, we used a template incident response plan, nothing specific to our environment, nothing specific to the people that are here, or we haven't updated it in 15 years.
00:56:44.733 --> 00:56:47.092
Person XYZ doesn't even work here anymore.
00:56:47.092 --> 00:56:50.733
Like making sure those things are applicable to you.
00:56:51.465 --> 00:56:53.552
So, leah, what would be your top tips of any?
00:56:55.585 --> 00:56:57.427
Yeah, I really.
00:56:57.427 --> 00:57:05.360
From a governance standpoint, I really think that knowing what to do when something happens is a big one.
00:57:05.360 --> 00:57:08.554
So, like Ashley was saying, it's not if, but when.
00:57:08.554 --> 00:57:20.320
So, planning for that, knowing who do we call if something happens on a weekend, if something happens over a holiday, are the people who we'd expect to be there?
00:57:20.320 --> 00:57:22.032
Are they going to be available to be there?
00:57:22.032 --> 00:57:25.186
Do they know that this is something we're looking to them for?
00:57:25.186 --> 00:57:33.150
If we need outside help, do we know who we would call? If we need to get, like, the FBI involved,
00:57:33.150 --> 00:57:37.398
If it's that big of a deal, do we know how to contact our local field office?
00:57:43.150 --> 00:57:54.369
Having those things thought of and put into a plan, and scaling that back a little bit, looking at the risk in your environment, just sitting down and having a conversation of, like, what could happen, and involving people throughout the organization.
00:57:54.369 --> 00:57:59.204
So, just because someone's not an IT person, like Allie was talking about.
00:57:59.204 --> 00:58:02.956
You don't need to be an IT person to think of risks that could happen within your environment.
00:58:02.956 --> 00:58:09.253
You could be somebody on the shop floor that's like, hey, we leave these ports open all the time and people are constantly walking around.
00:58:09.253 --> 00:58:12.193
Maybe someone we don't know comes in and just plugs something in.
00:58:12.193 --> 00:58:21.059
That could be a risk and that's worth having the conversation, that you don't have to be a cyber person or an IT person to even start thinking that way.
00:58:21.925 --> 00:58:23.753
Well, it's kind of that goes with, like the culture.
00:58:23.753 --> 00:58:39.358
Some companies are open to employee feedback and like continuous improvement and they want people to be on the lookout for problems that can be solved, things that can be done better, like add cybersecurity to that kind of process that you have of getting input from everywhere in your company.
00:58:39.358 --> 00:58:47.829
Possibly, if you're not already and if you're not the kind of company that asks input from your employees on anything, then I guess you could get hacked and I don't care.
00:58:47.829 --> 00:58:50.454
But yeah, I want to throw up.
00:58:54.726 --> 00:58:55.387
No too small.
00:58:55.387 --> 00:58:57.893
I'm not a very big company and I already lost 30 grand.
00:58:57.934 --> 00:59:01.052
So, Scott says retrain your brain to use passphrases.
00:59:01.052 --> 00:59:03.894
Short sentences are easier for your brain to remember.
00:59:03.894 --> 00:59:05.635
I guess I'm not one of those that.
00:59:05.635 --> 00:59:12.889
That can't be in lieu of passwords, though, because usually passwords do require, like all these different types of characters and stuff.
00:59:12.889 --> 00:59:16.202
Right, so passphrases people say a word.
00:59:16.603 --> 00:59:30.090
What I've done before is I had a passphrase and I would only I would alternate the capital for every other first letter, and so I would make, I would say that passphrase to me and I'm just writing down only the first letter and then alternating caps and whatever.
00:59:30.090 --> 00:59:36.568
That's a little too. Repeat, whatever that password is, without actually having to, like, because I don't remember.
00:59:36.588 --> 00:59:37.492
You didn't memorize it.
00:59:37.492 --> 00:59:40.523
You constructed it again by following some rules.
00:59:40.784 --> 00:59:40.885
Yeah.
00:59:41.326 --> 00:59:42.068
I do passwords.
00:59:42.108 --> 00:59:43.713
A similar way I construct like.
00:59:43.713 --> 00:59:49.851
I don't memorize any of my passwords, but I have a way to construct the password if I remember what website I'm going to.
00:59:49.971 --> 00:59:55.873
So and then some like that tells you what that was that you made, but not actually what.
00:59:56.295 --> 01:00:07.704
Not enough for them to do, but enough for you, but then like how quickly until AI can like predict the pattern that we use based on the, the website that we're already in one of your or they've got.
01:00:07.764 --> 01:00:12.454
They've bought your credentials for something you have to know every address I ever lived at.
01:00:12.454 --> 01:00:13.398
But you could do it.
01:00:16.005 --> 01:00:25.076
Anyway, there are practical things that you can do, even if you don't have a department or a budget, but certainly there are companies and resources out there.
01:00:25.144 --> 01:00:27.753
Leah mentioned your local FBI field office.
01:00:28.005 --> 01:00:37.947
They'll also post about cases that have happened, common scams that are going on, advice on how to avoid them.
01:00:37.947 --> 01:00:40.052
The other thing is to know some cybersecurity companies or consultants in your industry.
01:00:40.052 --> 01:00:46.193
It does not hurt you to know them, even if you don't have budget to pay them, because the time will come and you want to have somebody to call.
01:00:46.193 --> 01:00:47.496
So I mentioned this earlier.
01:00:47.496 --> 01:00:54.309
We at least were able to call Ashley right away because we know somebody that you know knows about this stuff.
01:00:54.309 --> 01:01:23.672
So, as a closing remark, Ashley and Leah, if you guys could give the audience a pitch for, or not a pitch, but just, like, what exactly you guys do and can help with, and how people can reach out to your companies if they want to do business with you, or just to kind of start to network with you guys and your colleagues, so that they at least have some cyber security folks in their network, even if they're not, you know, adjacent to that area. And if you don't have a cyber security partner, and you're not going to get one, you are screwed.
01:01:24.777 --> 01:01:25.981
Yeah, and so?
01:01:26.001 --> 01:01:42.909
There's a lot of free resources at NIST, yes, and I will say, like, yeah, a lot of these great resources are pointed out to me, but this is such a low priority in my job that I don't go out and look at websites to look at cybersecurity information.
01:01:42.909 --> 01:01:49.010
I'm more so when it comes up, when I talk to people, when I see opportunities to hear content.
01:01:49.010 --> 01:01:56.335
I'm just not one of those people that goes to the websites to like try to do my own research on things that aren't immediately relevant to me.
01:01:56.717 --> 01:02:03.297
In this sense, yeah, one thing I'd suggest is looking at your workflow and seeing where you can fit things in.
01:02:03.297 --> 01:02:17.688
So like, if you're, if you're big on LinkedIn, start following some of the things like NIST or CISA, and you'll see that pop up in your feed, some of the relevant things.
01:02:17.708 --> 01:02:18.150
Well, there you go.
01:02:18.150 --> 01:02:21.021
So yeah, following them on LinkedIn versus trying to go to their website and look for information.
01:02:21.041 --> 01:02:21.523
Yeah, Stories.
01:02:21.523 --> 01:02:23.929
You're like oh my God, follow these people on.
01:02:24.009 --> 01:02:27.335
Instagram, like wherever you're scrolling.
01:02:27.335 --> 01:02:29.018
Okay, that, that's true.
01:02:30.652 --> 01:02:31.880
Like the hackers are getting better.
01:02:31.900 --> 01:02:39.597
Whatever our feeds are, news feeds, Apple News or, you know, whatever, um, throw some cyber security stuff in there.
01:02:40.079 --> 01:02:49.929
That's a great idea, but yeah, go find some people like Ashley and Leah, because if you don't, which is why you're not going to be, okay, I'm not.
01:02:49.949 --> 01:02:55.775
You guys, you guys and Leah, I'll let you go first and then, Ashley, you can close it as the official sponsor of this panel.
01:02:55.775 --> 01:02:58.152
You can close it with the pitch for Wolfe Evolution.
01:02:58.152 --> 01:03:04.378
So, Leah, can you tell us a bit about NextLink Labs and what you want people to know you guys for and come to you for?
01:03:04.925 --> 01:03:09.838
Yeah, so NextLink Labs, we focus on three different aspects.
01:03:09.838 --> 01:03:14.237
So custom software development, DevSecOps and cybersecurity.
01:03:14.237 --> 01:03:22.211
So when you're building applications and you want to integrate security into them, you want to have better workflows.
01:03:22.211 --> 01:03:44.878
We look at what your organization is doing and help you identify those gaps in your program and fill them in using frameworks, using you know things that are specific to your organization and the data that you handle and the workflows that you have.
01:03:44.878 --> 01:03:49.784
So we look at you know things that happen prior to an incident.
01:03:49.784 --> 01:04:04.371
If you've had an incident, we can look at the risk that you accepted that might have led to the incident and really focus on how can we improve the cybersecurity posture moving forward.
01:04:04.371 --> 01:04:12.677
How can we give those assurances both to your company, to any board of supervisors that might be over, or to your clients too.
01:04:12.677 --> 01:04:17.695
So how do we make your clients aware of the efforts that you're putting into your cybersecurity programs?
01:04:18.976 --> 01:04:19.418
Very cool.
01:04:19.418 --> 01:04:22.713
Thank you, I assume people can find you at, is it nextlinklabs.com?
01:04:22.713 --> 01:04:24.909
Yep and follow you guys on LinkedIn?
01:04:24.909 --> 01:04:33.458
Yep and I know you and a couple of your other colleagues are regular speakers at industry conferences like Automate.
01:04:33.458 --> 01:04:36.554
Are there any more places that we should expect to see you guys in the near future?
01:04:37.905 --> 01:04:42.016
Automate and Fabtech are our big go-tos, okay.
01:04:42.625 --> 01:04:44.572
What about the ICS Village of DEF CON?
01:04:44.572 --> 01:04:46.192
I want to go hit that up next year.
01:04:47.327 --> 01:04:48.885
It's amazing if you can go so.
01:04:48.885 --> 01:04:55.425
Years ago I was senior staff for DEF CON when it was still growing out the villages.
01:04:55.425 --> 01:04:59.195
They're growing insanely now but they have some really cool stuff.
01:04:59.195 --> 01:05:01.753
The ICS village is awesome.
01:05:01.753 --> 01:05:03.530
They do car hacking.
01:05:03.530 --> 01:05:14.213
That's really cool to see some of the things that we may not be exposed to in, like, everyday life, to get a chance to go and see the thought process. Everyone has a Flipper and they're like taking your credit cards.
01:05:14.253 --> 01:05:15.034
You're like, oh my God.
01:05:17.246 --> 01:05:17.847
Very cool.
01:05:17.847 --> 01:05:22.416
And then, um, Ashley, yeah, will you tell us a bit about what you do?
01:05:22.416 --> 01:05:29.972
I know you've mentioned a little bit about what you do with your clients, but kind of, what's your focus and what type of types of companies should be coming to you?
01:05:30.775 --> 01:05:35.284
Yeah, absolutely so.
01:05:35.284 --> 01:05:37.108
Our focus is assessments and consulting.
01:05:37.108 --> 01:05:56.956
So our assessment side we're getting down to the nitty gritty actually looking at devices, looking for particular vulnerabilities, looking at architecture, those types of things, and really addressing those security gaps and giving those recommendations and remediations of how you could secure the devices in your environment.
01:05:56.956 --> 01:05:59.934
On the consulting side we kind of go a little bit more high level.
01:05:59.934 --> 01:06:06.965
So that's where we start looking at your policies and your overall security program and look for gaps there.
01:06:06.965 --> 01:06:11.416
Because a lot of times you know, a lot of people are like well, I need an assessment done.
01:06:11.416 --> 01:06:15.634
Well, maybe you actually need a consultation first.
01:06:15.634 --> 01:06:22.356
Maybe we need to look at a higher level and see, you know you have these vulnerabilities in your environment, but how did they get there?
01:06:22.356 --> 01:06:26.259
Is it because you have gaps in your policies or gaps in your procedures?
01:06:26.259 --> 01:06:35.539
And that may be something that needs to be addressed first before you're actually going in and picking out these you know little one-off vulnerabilities.
01:06:36.606 --> 01:06:45.858
So that's kind of the primary of what we do, and very, very soon, probably like the beginning of next year, we will also be doing training.
01:06:45.858 --> 01:06:52.344
So we'll have kind of various different aspects of training.
01:06:52.344 --> 01:07:05.295
So training for the defensive side, training for if you want to learn how to break things in OT, like I do, then we'll train you to do that and then generalized training for OT.
01:07:05.295 --> 01:07:14.773
So a lot of companies when you go and you get that generic cybersecurity training right, the IT-minded and everything.
01:07:14.773 --> 01:07:22.561
I've never seen that in OT where you're actually applying those cybersecurity principles, but for the operators.
01:07:25.226 --> 01:07:30.833
And for operations, like, the chief operating officer should get the big training and then roll it out to everybody else.
01:07:31.094 --> 01:07:31.653
Exactly.
01:07:31.653 --> 01:07:33.275
So, yeah, this is like I'm.
01:07:33.275 --> 01:07:37.621
I'm in a control room and my mouth starts moving on its own.
01:07:37.621 --> 01:07:38.847
What do I do?
01:07:38.847 --> 01:07:40.934
That kind of training.
01:07:40.934 --> 01:07:52.655
And and for that training, not only are we going to have the generic, but we're also going to work with companies to customize it for their environments, so that'll be something that's upcoming early next year as well.
01:07:53.425 --> 01:08:08.449
Wow, I feel like the pressure to include, I want to include access to trainings the two days prior to OT SkateCon, so for some of you folks to be able to put on a class that somebody could add to their OT SkateCon registration.
01:08:08.449 --> 01:08:12.846
I've been saying that, okay, let's close out, I'm gonna.
01:08:12.846 --> 01:08:17.507
I'm gonna extend it just a little bit longer, if anybody's even still here, but this is the recorded, so that's also fine.
01:08:17.507 --> 01:08:20.256
Um, Ali, you have some training that you're working on.
01:08:20.256 --> 01:08:22.108
Do you want to talk about it and then sign off?
01:08:22.529 --> 01:08:40.253
Yeah, sure, uh, later. But, uh, no, I think I've always asked, like, what people wanted to be trained on, and a lot, and I don't know, for whatever reason, like, people would rather know more about, or at least when I did the survey, they wanted to know about programming and SCADA.
01:08:40.253 --> 01:08:43.595
But what I'm actually good at is design and hardware.
01:08:43.595 --> 01:08:47.855
So I, like some programmers, love both.
01:08:47.855 --> 01:08:49.853
Some programmers love one or the other.
01:08:49.853 --> 01:08:54.194
I have never been the strongest programmer, cause I already told you it's not real programming anyway.
01:08:54.194 --> 01:09:00.494
Um, but I feel really good about, like, the way that I develop a control panel because I had to.
01:09:00.635 --> 01:09:06.104
As someone who's not trained in electrical at all, like, I took one electrical class and I learned Ohm's law.
01:09:06.104 --> 01:09:19.813
I don't know shit, like, but I know how to create an entire control panel from scratch because I learned from other people's drawings and then from building it myself and doing it wrong and wiring it wrong and then being like oh, I have to do it like this, and so I did learn.
01:09:19.813 --> 01:09:26.757
So I know all of the like layman's terms as to why certain things are there, like why do you have a power supply?
01:09:26.757 --> 01:09:28.287
Why do you have a control transformer?
01:09:28.287 --> 01:09:31.695
How do you pick out, like you know, to make this a UL panel.
01:09:31.695 --> 01:09:32.358
How would you do that?
01:09:37.925 --> 01:09:48.337
So I'm designing a class where I break down all the things that someone like me, who's not an electrical engineer, specifically not an electrical engineer, needs to be able to create a schematic that worked on DC and AC voltages.
01:09:48.337 --> 01:10:00.789
So I want to tell you enough rules, colors, sizing of conductors based on NEC, like enough shit in your class that you, without an engineering degree, could design a control panel, even if you are an engineer.
01:10:00.789 --> 01:10:02.350
That's great, but that's not what this is for.
01:10:02.350 --> 01:10:07.332
So I want to create a class for why is all that shit in there?
01:10:07.332 --> 01:10:09.573
And same thing with, like, the size of the enclosure.
01:10:09.573 --> 01:10:12.130
Does it need a cooling system or a heating system?
01:10:12.130 --> 01:10:14.215
Like, how do you figure out how to size that?
01:10:14.215 --> 01:10:16.649
How do you figure out how many IO cards you need?
01:10:16.649 --> 01:10:19.037
How do you do all the motor circuit shit?
01:10:19.037 --> 01:10:22.993
So I'm making a class for how do you design a control panel from scratch?
01:10:23.996 --> 01:10:24.358
All right.
01:10:24.358 --> 01:10:26.765
Well, stay tuned for more information on that.
01:10:26.765 --> 01:10:30.131
If you're interested in the class, I think we have a wait list going.
01:10:30.131 --> 01:10:34.619
Or if you don't have a wait list going, Emily, we need a wait list for the class going.
01:10:34.619 --> 01:10:43.672
I think we'll have some info coming out about it in our newsletter next week and then volleying it we also are going to be.
01:10:43.672 --> 01:10:52.475
I'm not going to give you the floor, though, courtney, because well I should, but yeah, just tell us robot training and then you sign up.
01:10:52.475 --> 01:10:53.779
Okay, the challenge is to you.
01:10:53.819 --> 01:10:58.215
I'm no longer talking. I have a robot and I need to use it.
01:10:58.215 --> 01:11:08.563
I'll bring it to you and train you. The end. And then I'll break it afterwards. We're only going to get more and more into hacking robots.
01:11:08.604 --> 01:11:13.833
Eventually, robots are going to get hacked and we're going to be like, oh my God, the robot did something bad.
01:11:13.833 --> 01:11:16.438
Yeah, robots can be hacked.
01:11:16.457 --> 01:11:20.051
Let's keep talking to each other, learning from each other.
01:11:20.051 --> 01:11:21.735
Make friends with Scott.
01:11:21.735 --> 01:11:24.167
If you don't know Scott McNeil yet, he is.
01:11:24.167 --> 01:11:25.851
He knows a lot.
01:11:25.851 --> 01:11:27.475
He's got a lot of great resources.
01:11:27.475 --> 01:11:35.810
Uh, honestly, at any of our events, like, the people that are in the audience are just as knowledgeable as we are on different topics.
01:11:35.810 --> 01:11:40.688
So the just the opportunity to network with the, with the people that are here.
01:11:40.688 --> 01:11:45.868
Please do that, um, and then share what you learn, or whatever, with the rest of the world.
01:11:45.868 --> 01:11:50.265
So, thank you guys for being here, happy Halloween and, uh, we'll see you around soon.
01:11:50.265 --> 01:11:50.989
Bye, bye, thanks everyone.
01:11:50.989 --> 01:11:52.920
Thanks, thank you guys for being here, happy Halloween and we'll see you around soon.
01:11:52.920 --> 01:11:53.704
Bye, bye, thanks everyone.
01:11:55.426 --> 01:11:55.626
Thanks.

Ashley Van Hoesen
Owner
Ashley Van Hoesen is an accomplished Operational Technology Cybersecurity Consultant with a steadfast dedication to fortifying Operational Technology (OT) and Industrial Control Systems (ICS) environments. With over a decade of experience, Ashley possesses a comprehensive skill set encompassing technical expertise, profound knowledge of OT/ICS protocols, and a resolute commitment to proactive vulnerability assessment and penetration testing.
Proficient in securing intricate OT/ICS networks through strategic network segmentation and the implementation of customized intrusion detection and prevention systems, Ashley's contributions play a pivotal role in protecting critical infrastructure. Demonstrating a keen aptitude for identifying vulnerabilities through meticulous security assessments, vulnerability scanning, and in-depth penetration testing, Ashley's efforts culminate in the creation of comprehensive risk evaluation reports that provide actionable insights for effective mitigation strategies.
Continuously dedicated to learning and staying at the forefront of evolving OT/ICS security trends, Ashley tirelessly expands an ever-growing skill set through certifications, training, and active engagement in the security community. Having held roles as a Senior Security Consultant, Security Analyst, and Team Lead, Ashley boasts a history of leading teams, cultivating strategic partnerships, and delivering impactful solutions to clients.
With a passion for bolstering cyber-physical security and an intricate understanding of industrial process…

Leah Dodson
Principal Cybersecurity Specialist
With over a decade in cybersecurity, Leah Dodson brings expertise in Cybersecurity Strategy, Program Development, Data Protection, and DevSecOps. As Principal Cybersecurity Specialist at NextLink Labs, she helps organizations build secure, compliant programs that safeguard digital assets.
Leah shares her knowledge as a speaker and trainer, focusing on the latest trends and best practices in cybersecurity, automation, and manufacturing. Passionate about gamified learning, she promotes interactive experiences to boost security awareness. Dedicated to fostering security resilience, Leah takes pride in helping businesses thrive in today’s digital landscape.