1
00:00:05,599 --> 00:00:09,039
The facilities, guys put the username
and password on a sticky note stuck to

2
00:00:09,039 --> 00:00:13,160
the bottom of the monitor. Now, some of them get super sophisticated about

3
00:00:13,160 --> 00:00:25,199
this and they put it on the
bottom of the keyboard. Welcome listeners to

4
00:00:25,239 --> 00:00:29,640
the Industrial Security Podcast. My name
is Nate Nelson. I'm here with Andrew

5
00:00:29,679 --> 00:00:35,039
Ginter, the vice president of Industrial
Security at Waterfall Security Solutions. He's going

6
00:00:35,079 --> 00:00:38,920
to introduce the subject and guest of
our show today. Andrew, how are

7
00:00:38,960 --> 00:00:42,439
you. I'm very well, Thank
you, Nate. Our guest today is

8
00:00:42,520 --> 00:00:47,600
Kyle Peters. He is a senior
consultant at Intelligent Buildings and he's going to

9
00:00:47,600 --> 00:00:52,000
be talking about safety and security and
how it all fits together with IEC six

10
00:00:52,079 --> 00:00:57,000
two four four three in building automation. Then, without further ado, here's

11
00:00:57,119 --> 00:01:03,719
you and Kyle. Hello Kyle,
and welcome to the podcast. Before we

12
00:01:03,759 --> 00:01:07,560
get started, can I ask you
to say a few sentences about yourself and

13
00:01:07,599 --> 00:01:11,760
about the good work that you're doing
at Intelligent Buildings. Yeah, thanks,

14
00:01:11,760 --> 00:01:17,840
Andrew. So my name's Kyle Peters. I'm a senior consultant for Intelligent Buildings

15
00:01:18,400 --> 00:01:26,799
and I primarily focus on cybersecurity for
building automation systems. Which right now encompasses

16
00:01:26,079 --> 00:01:32,840
me doing on site and virtual assessments
of those systems, a lot of pre

17
00:01:32,920 --> 00:01:38,480
construction document reviews and policy and creation
guidelines. And I kind of got started

18
00:01:38,480 --> 00:01:46,000
in this from the other side where
I was a programmer of building automation systems

19
00:01:46,480 --> 00:01:53,359
and moved over into this world,
this side of things by way of seeing

20
00:01:53,480 --> 00:01:57,480
problems that I was running into.
And so now I get to help out

21
00:01:57,519 --> 00:02:02,439
the guys doing what I used to
do to better secure their building automation systems.

22
00:02:04,400 --> 00:02:08,919
Thanks for that. And our topic
is everything from safety to six two

23
00:02:08,960 --> 00:02:15,080
four four three in you know,
cybersecurity for building automation. You know,

24
00:02:15,599 --> 00:02:19,599
I understand that you do a lot
of assessments in the space. Can you

25
00:02:19,680 --> 00:02:23,120
walk me through one of your assessments? What do you find in these buildings

26
00:02:23,120 --> 00:02:27,599
that you're looking at? Yeah,
so primarily we'll do we we like to

27
00:02:27,599 --> 00:02:32,280
follow the six two four four three
framework and the CSMS that you'll find at

28
00:02:32,319 --> 00:02:43,400
the end of part two one of
the standard and that framework that walks us

29
00:02:43,400 --> 00:02:46,400
through. You know, we get
started on a project and we have a

30
00:02:46,520 --> 00:02:51,639
high level assessment and so I do
a lot we do a lot more of

31
00:02:51,680 --> 00:02:55,120
those of the high level assessments,
and that's where we would walk into a

32
00:02:55,240 --> 00:03:05,319
site and visually inspect and do some
very light work on the computer systems or

33
00:03:05,319 --> 00:03:13,039
investigation on the computer systems, and
we're looking for vulnerabilities or threats or risks

34
00:03:13,240 --> 00:03:16,000
that exist within the building automation system. So I walk around and I might

35
00:03:16,080 --> 00:03:27,680
look at I might find things like
cellular modems that the vendor, the controls

36
00:03:27,759 --> 00:03:31,439
company themselves put in place for them
to more easily do maintenance. I might

37
00:03:31,520 --> 00:03:38,800
find operating systems that are severely outdated. I might find network equipment that was

38
00:03:38,879 --> 00:03:46,479
installed in the early nineteen nineties and
is still running hopefully and probably covered in

39
00:03:46,639 --> 00:03:51,080
about three inches of dust bunnies.
So it's those kinds of things that we

40
00:03:51,199 --> 00:03:55,319
look for, and that sets us
up to move on down the line of

41
00:03:55,400 --> 00:04:00,560
the program so that we can get
a more in depth look and we can

42
00:04:00,599 --> 00:04:09,000
start developing policies and doing those sorts
of things to really take their their program

43
00:04:09,520 --> 00:04:15,319
and implement countermeasures and those kinds of
things to make their program stronger. Okay,

44
00:04:15,399 --> 00:04:20,120
and you mentioned six two four four
three dash two dash one. I

45
00:04:20,160 --> 00:04:25,639
haven't read that in a while.
You mentioned Appendix B. Can you can

46
00:04:25,680 --> 00:04:29,600
you give us just a bit of
background. What is two dash one and

47
00:04:29,959 --> 00:04:33,360
what's Appendix B and how do you
use it? Yeah, so two dash

48
00:04:33,439 --> 00:04:39,800
one is uh, it's entitled the
Establishment of an Industrial Automation and Control System

49
00:04:39,920 --> 00:04:45,079
Security Program. So it's basically just
how you get started and how you get

50
00:04:45,079 --> 00:04:48,759
going with a security program within an
industrial control space or in our case,

51
00:04:48,959 --> 00:04:55,839
buildings, and Appendix B is the
roadmap for that and it literally has a

52
00:04:55,920 --> 00:05:00,759
diagram that shows where you're at.
So we use that as our as our

53
00:05:00,560 --> 00:05:05,839
diagram for our whole program that we
get going, and specifically as it relates

54
00:05:05,879 --> 00:05:12,279
to what we've been talking about with
walkthroughs, that would be the second section,

55
00:05:12,360 --> 00:05:17,560
the high level risk assessment, and
so that helps us determine what risks

56
00:05:17,680 --> 00:05:24,519
already exist within a facility, within
a building automation system. And at that

57
00:05:24,639 --> 00:05:29,000
point we're also going to start looking
at what the target is that they're trying

58
00:05:29,040 --> 00:05:32,360
to achieve, so that we know
where the disparities are and we can help

59
00:05:32,480 --> 00:05:42,240
the client develop their program from there
into something that more closely reflects what they're

60
00:05:42,240 --> 00:05:47,319
trying to achieve. So Nate,
you know, for anyone who hasn't looked

61
00:05:47,360 --> 00:05:50,920
at the six two four four three
series of standards in a while. I

62
00:05:50,920 --> 00:05:55,000
mean, I'm most familiar with three
dash three, which is the one that

63
00:05:55,079 --> 00:05:58,000
says, you know, you have
to have antivirus here, you have to

64
00:05:58,040 --> 00:06:01,879
have long passwords there. IEC
six two four four three is the

65
00:06:02,959 --> 00:06:09,360
you know, the whole family of
industrial automation standards. One dash one is

66
00:06:09,720 --> 00:06:13,480
you know, concepts and terminology.
It talks a lot about zones and conduits,

67
00:06:13,519 --> 00:06:17,319
which are basically you know, subnets, it's network segmentation. Two dash

68
00:06:17,399 --> 00:06:20,959
one is the one we're talking about
here, which is getting started with an

69
00:06:21,079 --> 00:06:28,000
automation and control system security program.
Uh. Two dash three is patch management.

70
00:06:28,079 --> 00:06:30,879
Two dash four has to do with, uh, you know, when

71
00:06:30,920 --> 00:06:34,680
you're establishing a program, what are
the requirements for the program. So two

72
00:06:34,720 --> 00:06:38,720
dash one is getting started. Two
dash four is you know all the rules.

73
00:06:38,879 --> 00:06:43,920
Three dash three is all the rules
for you know, which controls to

74
00:06:43,920 --> 00:06:47,399
put in. Three dash two is
doing risk assessments. Uh you know.

75
00:06:47,519 --> 00:06:54,120
Four dash one is uh secure product
development. This is for the developers of

76
00:06:54,639 --> 00:07:00,439
products. Uh you know. Four
dash two talks about uh, you know,

77
00:07:00,839 --> 00:07:08,000
requirements for security programs. There's a
lot in there, and what we're

78
00:07:08,040 --> 00:07:12,519
talking about today mostly is the two
dash one, which is getting started designing

79
00:07:12,560 --> 00:07:15,160
one of these programs in the first
place, as opposed to looking at at

80
00:07:15,279 --> 00:07:23,759
individual measures like you know, password
lengths. So that makes sense. But

81
00:07:24,399 --> 00:07:27,879
you know, you said a moment
ago when on your walk through you're finding

82
00:07:28,160 --> 00:07:35,839
ancient gear, you're finding you know, dust and presumably neglect, it sounds

83
00:07:35,879 --> 00:07:40,839
a little depressing, you know,
when you compare what's there to what's in

84
00:07:41,040 --> 00:07:46,240
you know, two dash one,
you find gaps. I assume, you

85
00:07:46,279 --> 00:07:48,920
know, is any of this changing? What's changing in this space? So

86
00:07:49,480 --> 00:07:56,079
the biggest thing that that has changed
recently and there in the last three to

87
00:07:56,199 --> 00:08:03,319
four years. Obviously with COVID and
work from home there's but it started before

88
00:08:03,360 --> 00:08:09,800
that, but you know that timeframe
really accentuated this. That remote access has

89
00:08:09,839 --> 00:08:13,199
become a big thing, and I
think that that is starting to drive more

90
00:08:13,279 --> 00:08:20,480
awareness towards cybersecurity for these buildings that
before this, the most common thing we

91
00:08:20,560 --> 00:08:24,279
might hear is who, what's the
worst that can happen? You know,

92
00:08:24,360 --> 00:08:30,560
it gets warm in an office,
And now they're starting building owners and property

93
00:08:30,560 --> 00:08:37,360
managers are starting to see more of
that risk because it's happening in other sectors

94
00:08:37,399 --> 00:08:45,879
and they're realizing that they're online more
now to to so that that risk is

95
00:08:45,960 --> 00:08:50,120
heightened at that point, So remote
access. I mean, you know,

96
00:08:50,159 --> 00:08:54,039
I'm looking at the news just yesterday
at you know, we're recording this here.

97
00:08:54,120 --> 00:08:58,120
Just yesterday there was news that MGM
had been breached. You know,

98
00:08:58,200 --> 00:09:03,559
details are skilled. Apparently the attackers
claim that they did some social engineering.

99
00:09:03,639 --> 00:09:09,159
They made a ten minute phone call
to the to the help desk and got

100
00:09:09,240 --> 00:09:13,559
in. Now they didn't say remote
access, but you know it, my

101
00:09:13,679 --> 00:09:18,600
guess would be, I don't know
that someone gave him a password. Again,

102
00:09:18,720 --> 00:09:22,320
I don't know how credible this is. It's very early days, you

103
00:09:22,360 --> 00:09:26,200
know. Do you have a take
on what's happening at MGM. Yeah,

104
00:09:26,080 --> 00:09:30,440
as you mentioned, it's it's hard
to say at this time, but I

105
00:09:30,480 --> 00:09:37,399
can envision bringing this over to the
building automation side. If if I were

106
00:09:37,399 --> 00:09:45,360
to call up and pretend to be
the vendor, the programmer for their building

107
00:09:45,360 --> 00:09:48,639
automation system, maybe I installed their
Tridium system or something. I don't have

108
00:09:48,720 --> 00:09:52,639
to have actually done it. I just
have to know that it's there and pretend

109
00:09:52,639 --> 00:09:54,720
to be that guy and say,
you know, I'm really trying. They

110
00:09:54,720 --> 00:10:00,600
called they've got an issue I'm trying
to help them remotely. Can you go

111
00:10:00,720 --> 00:10:03,480
over there should be a sticky note. This happens. I see this all

112
00:10:03,519 --> 00:10:09,159
the time that the building, the
facilities guys put the username and password on

113
00:10:09,159 --> 00:10:13,600
a sticky note stuck to the bottom
of the monitor. Now some of them

114
00:10:13,639 --> 00:10:16,080
get super sophisticated about this and they
put it on the bottom of the keyboard

115
00:10:16,960 --> 00:10:20,480
so that you have to turn the
keyboard over to see it. But you

116
00:10:20,480 --> 00:10:24,159
know, if I called up as
you mentioned, if I call up helpdesk

117
00:10:24,159 --> 00:10:24,960
and say, hey, you know, I'm trying to fix this forum,

118
00:10:26,600 --> 00:10:30,879
can you just go look and tell
me that what that says real quick so

119
00:10:30,919 --> 00:10:33,480
that I can take care of that. That might be one thing. You

120
00:10:33,480 --> 00:10:37,279
know. We can also if I
on a call again, pretend to be

121
00:10:37,320 --> 00:10:43,480
a vendor and figure out what systems
they have, Then I know what protocols

122
00:10:43,559 --> 00:10:52,240
they have, and I might be
a short Shodan search away from discovering where

123
00:10:52,279 --> 00:10:54,080
their systems are located at on the
internet, you know, finding an IP

124
00:10:54,200 --> 00:11:01,519
address and perhaps getting into things very
quickly that way, just from a conversation.

125
00:11:05,320 --> 00:11:09,519
The latest numbers in the twenty twenty
three Threat Report on OT cyber incidents

126
00:11:09,720 --> 00:11:13,279
show that the threat environment has changed
fundamentally. At the beginning of this decade,

127
00:11:13,960 --> 00:11:20,480
OT cyber attacks with physical consequences have
changed from a theoretical problem to a

128
00:11:20,639 --> 00:11:24,360
very real problem, more than doubling
every year. The new report is focused

129
00:11:24,360 --> 00:11:30,279
on deliberate cyber attacks in the public
record. These are attacks that cause physical

130
00:11:30,320 --> 00:11:35,840
consequences in process industries and discrete manufacturing. Most of these attacks are ransomware,

131
00:11:35,000 --> 00:11:39,759
though the fraction of activist attacks is
growing, and the report's appendix includes a

132
00:11:39,799 --> 00:11:46,080
complete list of all cyber attacks since
Stuxnet that meet these criteria. To see

133
00:11:46,080 --> 00:11:50,120
how today's OT cyber threat environment has
changed, I invite you to download the

134
00:11:50,159 --> 00:11:56,159
report, a joint effort between Waterfall
Security and the ICS STRIVE OT Incident Repository.

135
00:11:56,840 --> 00:12:01,399
You can download the report at Waterfall
dash security dot com slash twenty twenty

136
00:12:01,399 --> 00:12:07,200
three dash Threat dash Report, or
just go to the resources menu at the

137
00:12:07,200 --> 00:12:13,440
Waterfall Security site and click on white
papers and Ebooks. So, Nate,

138
00:12:13,519 --> 00:12:18,200
as you and I recorded, it's
a few weeks after we recorded the UH

139
00:12:18,399 --> 00:12:24,519
the session with Kyle. More is
known about the the MGM hack the UH.

140
00:12:24,240 --> 00:12:28,879
You know, the reports in public
suggest that what happened was there was

141
00:12:28,919 --> 00:12:33,440
social engineering. The bad guys called
up and uh, you know, persuaded,

142
00:12:33,480 --> 00:12:37,000
the help desk that they were legit, and you know, they had

143
00:12:37,080 --> 00:12:41,960
the uh, the account name.
They've done some you know, some research

144
00:12:43,039 --> 00:12:46,759
on social media on LinkedIn, they
found some employee names. They came in

145
00:12:46,799 --> 00:12:50,399
impersonating one of the employees, uh
said, you know, I've lost my

146
00:12:50,440 --> 00:12:56,120
accounts messed up. Can you reset
my two factor authentication? So they had

147
00:12:56,159 --> 00:13:01,519
two factor authentication allegedly, you know, it's just these are news reports allegedly

148
00:13:01,639 --> 00:13:05,759
enabled, and so they called in
and got the all that reset so that

149
00:13:05,799 --> 00:13:11,440
they could log in and you know, stole I don't know, the reports

150
00:13:11,480 --> 00:13:16,960
I'm reading said unknown terabytes of information. So it was an information theft process

151
00:13:16,879 --> 00:13:22,559
allegedly. You know, they were
apparently eventually discovered, so they handed the

152
00:13:22,639 --> 00:13:28,799
credentials over to another part of the
you know, the the underground economy,

153
00:13:28,840 --> 00:13:35,960
the ransomware ecosystem, who started encrypting
everything in sight and encrypted apparently a lot

154
00:13:35,240 --> 00:13:43,279
of servers and virtual machines and eventually
impaired the gaming systems, the access control

155
00:13:43,320 --> 00:13:48,240
systems, the reservation systems, and
everything ground to a halt. Yeah,

156
00:13:48,279 --> 00:13:52,360
you know, I think that last
bit has to be the most surprising part

157
00:13:52,440 --> 00:13:56,639
of this all for me that you
could, as a general ransomware actor that's

158
00:13:56,720 --> 00:14:01,200
just trying to lock up files and
whatnot, end up affecting you know,

159
00:14:01,399 --> 00:14:03,879
I don't know slot machines and doors
and such. How could it be that

160
00:14:03,919 --> 00:14:09,600
those systems are so interconnected. Short
answer is, I don't know. In

161
00:14:09,639 --> 00:14:15,759
this particular case. You know,
MGM hasn't published their network architecture, and

162
00:14:15,840 --> 00:14:18,519
I really don't know about the gaming
machines. I just I don't know how

163
00:14:18,519 --> 00:14:20,320
that part of the of the industry
works. But you know, let's talk

164
00:14:20,360 --> 00:14:28,200
about the door systems, you know, the when we talk about OT.

165
00:14:30,919 --> 00:14:33,840
You know, I'm not sure I
asked Kyle is but you know, is

166
00:14:33,879 --> 00:14:39,559
the door lock system part of OT? Or is OT really the air conditioning,

167
00:14:39,639 --> 00:14:45,879
the power systems, the sort of
the hard OT. But you know,

168
00:14:45,919 --> 00:14:50,519
we we Waterfall puts out a threat
report last year. There were fifty

169
00:14:50,600 --> 00:14:56,080
seven incidents worldwide that caused shutdowns of
everything from buildings to uh, you know,

170
00:14:56,080 --> 00:15:01,600
oil terminals and very commonly, now
I don't have the numbers, but

171
00:15:01,639 --> 00:15:09,279
it's very common that the ransomware group
targets IT, does damage on IT,

172
00:15:09,519 --> 00:15:16,639
and then operations has to shut down
because operations depends on something in IT,

173
00:15:16,799 --> 00:15:20,440
and you know, it might be
that the door lock systems were in IT,

174
00:15:22,039 --> 00:15:24,159
or it might just be that the
door lock systems depended on I don't

175
00:15:24,159 --> 00:15:28,639
know, Active Directory to log into
and Active Directory was crippled, or it

176
00:15:28,720 --> 00:15:33,000
might be that the door lock systems
depended on some other system in IT that

177
00:15:33,080 --> 00:15:37,720
had been crippled. These dependencies seemed
to be responsible for a lot of physical

178
00:15:39,879 --> 00:15:45,480
shutdowns when it's really it's IT systems
that go down. But you know,

179
00:15:45,799 --> 00:15:52,279
people haven't done the dependency analysis and
it bites them. Are people waking up

180
00:15:52,320 --> 00:15:58,039
to this? I think so yes. As we do more of these assessments,

181
00:15:58,039 --> 00:16:03,120
the risk assessments that we've talked about, the eyes start opening a little

182
00:16:03,200 --> 00:16:07,519
more. And you know, here
at Intelligent Buildings we have a remote solution

183
00:16:07,679 --> 00:16:14,960
that uses a zero trust architecture and
whatnot. That's one solution you guys,

184
00:16:15,039 --> 00:16:19,000
waterfall, you have the unidirectional gateways, and I really do wish I saw

185
00:16:19,039 --> 00:16:22,799
a lot more of that kind of
thing as well within building automation systems,

186
00:16:22,840 --> 00:16:29,720
not just in the industrial sector.
So people are starting to take note.

187
00:16:30,320 --> 00:16:37,399
I'm seeing less and less unsecure TeamViewer connections and more there. And

188
00:16:37,440 --> 00:16:40,840
there's other products out there too,
you know, there's more, there's more

189
00:16:40,879 --> 00:16:44,759
solutions coming up every day. So
I'm starting to see more and more of

190
00:16:44,799 --> 00:16:48,879
that. But as much as I
say I'm seeing more, there's still a

191
00:16:48,879 --> 00:16:53,960
long road to go. And as
awareness grows, I think we're going to

192
00:16:55,039 --> 00:17:03,640
see that percentage of unsecure internet access
or remote access sites that number going down

193
00:17:03,720 --> 00:17:08,480
hopefully. When we were, you
know, talking about the possibility of this

194
00:17:08,559 --> 00:17:12,319
podcast, I remember you used a
buzzword that I wasn't familiar with. You

195
00:17:12,440 --> 00:17:15,799
said that, you know, you
do security assessments, risk assessments, he

196
00:17:15,880 --> 00:17:21,240
said, you also do spec reviews. What's that? Yeah, So a

197
00:17:21,279 --> 00:17:26,039
spec review, you know, the
specifications that come out leading up to a

198
00:17:26,119 --> 00:17:30,519
project. So before construction, be
that a new construction at building coming up

199
00:17:30,519 --> 00:17:36,319
out of the ground or maybe we're
redoing a floor, we get the specifications

200
00:17:36,400 --> 00:17:45,759
of what's going to be going in
so design design documents and information about the

201
00:17:45,799 --> 00:17:52,559
systems that a vendor is planning on
installing, so we look at those before

202
00:17:52,599 --> 00:18:02,319
they're built so that hopefully we can
avoid building in issues for from day one.

203
00:18:02,599 --> 00:18:07,000
There's and there's all kinds of things
that we see there from specs that

204
00:18:07,119 --> 00:18:15,200
call out the use of ancient technology, outdated operating systems, those sorts of

205
00:18:15,240 --> 00:18:19,119
things. So we try to catch
those issues when it's when it's most cost

206
00:18:19,119 --> 00:18:23,839
effective to fix them, and that
is before they are purchased, and then

207
00:18:25,079 --> 00:18:30,480
give those results back the engineer reviews, they change the spec hopefully, and

208
00:18:30,480 --> 00:18:37,400
and then we can help ensure that
a building is built, designed and built

209
00:18:37,880 --> 00:18:45,680
to meet the client's own cybersecurity policies
and their goals for for being as cyber secure

210
00:18:45,720 --> 00:18:49,400
as possible. I guess it makes
sense when you're when you're looking at a

211
00:18:49,440 --> 00:18:53,519
spec, you know, you want
to design the building to be sort of

212
00:18:53,640 --> 00:18:59,680
modern and secure. What does that
mean though, I mean, I'm guessing

213
00:18:59,680 --> 00:19:03,960
that a bank needs a different kind
of system than does like a parking garage.

214
00:19:06,039 --> 00:19:08,039
Yeah, yeah, absolutely, you
know, the risks are different,

215
00:19:08,160 --> 00:19:12,680
and we've seen all kinds of this
stuff. I've seen in doing assessments where

216
00:19:14,640 --> 00:19:21,079
the bank needs to protect against nation
state attackers that they're actually getting hit on

217
00:19:21,119 --> 00:19:26,680
a daily basis, and their parking
garage may not have much more than fans

218
00:19:27,079 --> 00:19:33,759
and CO two sensors, and
so they don't view the criticality the same,

219
00:19:33,839 --> 00:19:38,680
so they set different targets for that
so that they can put resources where

220
00:19:38,720 --> 00:19:42,599
they have deemed that they're needed.
So we use the six two four four

221
00:19:42,640 --> 00:19:49,119
three standard to help get this program
in line where they have their their security

222
00:19:49,200 --> 00:19:56,359
levels of zero through four, where
we say zero is essentially we don't need

223
00:19:56,559 --> 00:20:00,799
to protect that system at all,
and a four is the ability to protect

224
00:20:00,880 --> 00:20:08,119
against nation state attackers or something extremely
high level like that. And most buildings

225
00:20:08,599 --> 00:20:12,920
fall somewhere in that one to two
range where they need to be able to

226
00:20:12,920 --> 00:20:18,519
be resilient. They need because the
CO two sensor, for instance, that's

227
00:20:19,680 --> 00:20:27,440
something that's critical in that space,
but may not have quite the same impact

228
00:20:27,920 --> 00:20:37,920
if it goes down or is becomes
vulnerable as the cooling system for the data

229
00:20:37,960 --> 00:20:41,279
center that keeps the whole bank running. So that's why they set different targets

230
00:20:41,319 --> 00:20:49,400
for different systems and different buildings.
Perhaps that's interesting, I mean, I'm

231
00:20:49,640 --> 00:20:55,200
coming from sort of the heavy industry
perspective. In heavy industry, safety is

232
00:20:55,240 --> 00:20:59,200
always job one. If if a
hacker gets into the CO two sensor and

233
00:20:59,480 --> 00:21:03,359
reprograms it to say, you
know, it's not three percent CO two

234
00:21:03,440 --> 00:21:07,200
in the air that is is going
to trigger the fans. It's ninety percent

235
00:21:07,319 --> 00:21:11,599
CO two in the air. That's
a safety issue. People in the garage

236
00:21:11,599 --> 00:21:15,319
are going to get sick or worse. Should the CO two sensor not

237
00:21:15,519 --> 00:21:21,519
be you know, really thoroughly protected, just like the bank's data center.

238
00:21:22,519 --> 00:21:26,039
It's a good point, and yes
it should be protected. We don't want

239
00:21:26,079 --> 00:21:32,279
that system to be completely vulnerable.
I would never put that as a at

240
00:21:32,279 --> 00:21:40,519
a zero for instance. But as
far as the risk maybe maybe it's you

241
00:21:40,559 --> 00:21:44,680
know, depends on the construction of
things obviously, and so we still want

242
00:21:44,720 --> 00:21:48,599
to protect it. But do we
need to put the amount of resources towards

243
00:21:48,640 --> 00:21:53,200
that that we do other systems,
and that is up to the client,

244
00:21:53,319 --> 00:21:57,599
and that is up to what their
risk tolerance is. As you mentioned,

245
00:21:57,880 --> 00:22:03,279
that's thattra. It's getting into a
life safety issue, which I think is

246
00:22:03,319 --> 00:22:08,680
important. Uh So we would want
to protect that, and maybe one of

247
00:22:08,720 --> 00:22:15,720
our protections is that we don't have
connectivity to that system. Maybe it's a

248
00:22:15,759 --> 00:22:23,480
standalone system. I don't like.
I don't like necessarily having the air gap

249
00:22:23,640 --> 00:22:33,559
mentality as a firm way of protecting
as they as someone might say, uh,

250
00:22:33,640 --> 00:22:37,759
you know, philosophy of protection for
a system but maybe we put that

251
00:22:40,000 --> 00:22:42,279
as read only points. You know, they have to be hard coded in

252
00:22:42,440 --> 00:22:48,440
or something, so we find countermeasures
that make sense for the application that we're

253
00:22:48,480 --> 00:22:53,279
looking at. This very issue is
actually being discussed within a group called Building

254
00:22:53,319 --> 00:23:00,160
Cybersecurity dot org. It's BCS dot
org, and we're working on taking the

255
00:23:00,160 --> 00:23:07,279
six two four four three standard and
making it more applicable to buildings and safety

256
00:23:07,279 --> 00:23:15,880
instrumentation. Systems that are very common
within industrial controls are less common or not

257
00:23:15,920 --> 00:23:21,319
common at all within building automation,
and so this is still something that is

258
00:23:21,839 --> 00:23:30,079
being debated on how to handle these
things as this as this industry matures.

259
00:23:32,240 --> 00:23:36,480
So Nathan, let me add here. You know, I'm watching what some

260
00:23:36,519 --> 00:23:38,920
of the drafting teams are doing in
six two four four three, not just

261
00:23:40,319 --> 00:23:45,240
I'm not part of the Building Automation
BCS dot org. The question of security

262
00:23:45,319 --> 00:23:51,799
levels is being debated even more widely
than BCS dot org. You know what

263
00:23:51,880 --> 00:23:56,000
are security levels? They let me
back up them all. They're basically four

264
00:23:56,079 --> 00:24:03,240
levels that describe the the capability of
an adversary that you have to defeat with

265
00:24:03,279 --> 00:24:07,079
your security program. So you know, SL one says, I've got a

266
00:24:07,119 --> 00:24:10,880
program is strong enough to defeat script
kiddies who know almost nothing but you know,

267
00:24:10,920 --> 00:24:14,039
and download a tool, press some
buttons and get in trouble. You

268
00:24:14,079 --> 00:24:17,960
know. SL two in my recollection
is something like, you know, insiders

269
00:24:18,680 --> 00:24:22,119
who've got some knowledge, who's got
some permissions. SL three is basically,

270
00:24:22,359 --> 00:24:26,160
you know, they don't use the
terminology, but I read it as organized

271
00:24:26,240 --> 00:24:30,680
crime, and SL four I read
as nation states. And so if you

272
00:24:30,720 --> 00:24:33,680
say I need, you know,
my network has to be withstand an SL

273
00:24:33,759 --> 00:24:37,039
four attack, It has to withstand
a really sophisticated kind of attack. And

274
00:24:37,319 --> 00:24:42,440
safety systems you might ask, well, how should they be protected? Well,

275
00:24:42,480 --> 00:24:45,759
A, that's being debated, and
you know, b one of the

276
00:24:45,119 --> 00:24:49,839
observations I make in you know,
the book that I just released is that

277
00:24:52,160 --> 00:24:56,519
it makes sense. It often makes
sense to use different security levels for different

278
00:24:56,640 --> 00:25:00,680
adversaries. And so if the ransomware
group nowadays are using what used to

279
00:25:00,680 --> 00:25:04,440
be nation state techniques, and you
know they're they're trailing nation states by only

280
00:25:04,440 --> 00:25:10,359
a few years, it really makes
sense to take really sensitive systems like these

281
00:25:10,400 --> 00:25:15,839
safety systems and protect them from nation
state grade network attacks. But the other

282
00:25:15,880 --> 00:25:21,640
controls, like the anti virus and
you know, those controls really you know,

283
00:25:21,640 --> 00:25:26,240
are passwords or you know, access
management. Those controls really are relevant

284
00:25:26,359 --> 00:25:30,400
to physical access to people, you
know, who are our insiders, not

285
00:25:30,480 --> 00:25:33,960
who are coming in across the network. And the insiders tend to be much

286
00:25:34,039 --> 00:25:37,079
less capable. They tend not to
be you know, to have nation state

287
00:25:37,160 --> 00:25:42,279
attack tool capabilities and knowledge. And
so you know, what I'm seeing people

288
00:25:42,319 --> 00:25:48,920
start to do is using different security
levels within the same network for different types

289
00:25:48,960 --> 00:25:52,960
of security controls. The controls that
are focused on insiders might be set at

290
00:25:53,000 --> 00:25:56,599
an SL two, even for the
safety systems, because you you know,

291
00:25:56,799 --> 00:26:03,400
the insiders just aren't that clever,
bluntly, whereas the security tools that are

292
00:26:03,400 --> 00:26:08,880
focused against network attacks coming in from
the outside are at a much higher level.

293
00:26:10,000 --> 00:26:14,759
So yeah, it's something that's being
debated in multiple places in the industry.

294
00:26:14,759 --> 00:26:18,319
This whole question of I call it
the question of how much is enough.

295
00:26:19,160 --> 00:26:22,599
I'm going to use it as an
excuse that your book is very new

296
00:26:22,599 --> 00:26:26,960
and so I haven't got a chance
to read it yet. But I guess

297
00:26:26,960 --> 00:26:33,039
what I'm wondering is why you wouldn't
otherwise just ramp up all of your defenses

298
00:26:33,160 --> 00:26:36,920
as much as you're able to.
Is it just a matter of resources because

299
00:26:37,359 --> 00:26:40,039
in my head, when you say
okay and then an insider doesn't have a nation

300
00:26:40,160 --> 00:26:45,200
state's capabilities, Well, what if
a nation state plants somebody in a manufacturing

301
00:26:45,400 --> 00:26:48,799
or wherever you're talking about. I
know that that's a bit far off,

302
00:26:48,880 --> 00:26:53,319
but why wouldn't you overestimate their capabilities
rather than try to guess exactly who you

303
00:26:53,400 --> 00:26:57,160
might be up against. Well,
you certainly, you know in theory you

304
00:26:57,200 --> 00:27:03,680
can protect everything to nation state level, but it gets very expensive, and

305
00:27:03,759 --> 00:27:07,279
you know, the question is is
it is it really needed? So for

306
00:27:07,319 --> 00:27:11,880
example, if you have I don't
know, if you're running something insane like

307
00:27:11,920 --> 00:27:18,400
a nuclear generator, you have to
have everything at the nation state level,

308
00:27:18,640 --> 00:27:23,240
meaning even the security controls that
you have deployed to protect against insider attacks.

309
00:27:23,440 --> 00:27:26,880
You've got to consider the fact that
a nation state might put a sleeper

310
00:27:27,200 --> 00:27:32,559
or three, you know, a
spy into your organization twenty years ago and

311
00:27:32,680 --> 00:27:37,440
activate the spy today because conflicts are
ramping up. You know, is it

312
00:27:37,519 --> 00:27:42,240
really reasonable for a building, you
know that, you know, an office

313
00:27:42,240 --> 00:27:51,160
tower with a parking garage
to take measures that are sufficient to detect

314
00:27:51,599 --> 00:27:56,440
sleepers that other nations have put into
their organization, you know, twenty years

315
00:27:56,440 --> 00:28:02,079
ago, that's just overkill. So
yeah, it's a cost thing. You

316
00:28:02,400 --> 00:28:08,680
look at the you know, the
obligation that all of us have who are

317
00:28:08,680 --> 00:28:15,119
operating you know, dangerous equipment.
The obligation we have is not to do

318
00:28:15,240 --> 00:28:19,359
the most that is possible. The
obligation we have is to do something reasonable,

319
00:28:19,400 --> 00:28:23,079
to do what any reasonable person would
do if they were in our shoes

320
00:28:23,799 --> 00:28:30,240
and saying, I'm going to protect
against you know, intelligence agencies planting sleepers

321
00:28:30,640 --> 00:28:36,759
in my building that you know,
you know, keeps I don't know,

322
00:28:37,160 --> 00:28:41,440
keeps a retail store going. That's
just not reasonable. And you know it's

323
00:28:41,480 --> 00:28:45,880
it's a lot of money to spend
on stuff that isn't reasonable. I take

324
00:28:45,920 --> 00:28:48,720
your point, Andrew, and I
agree. If you're operating a nuclear

325
00:28:48,799 --> 00:28:55,519
facility versus a building automation system,
then you would apply different security controls to

326
00:28:55,559 --> 00:28:59,880
those two situations. But if I
understood correctly what you were saying originally,

327
00:29:00,799 --> 00:29:06,039
it was that you would apply different
grades of security to different kinds of systems

328
00:29:06,119 --> 00:29:08,839
within one site, which is what
I'm more curious about, Like, whether

329
00:29:08,920 --> 00:29:15,440
it's building automation or a nuclear facility, why you wouldn't set all of your

330
00:29:15,559 --> 00:29:18,880
security controls to a level four,
a level two, or what have you.

331
00:29:18,920 --> 00:29:22,279
That's a good question. So,
you know, I answered the question

332
00:29:22,359 --> 00:29:30,240
that certain security tools protect you against
insiders versus outsiders, and outsiders nowadays tend

333
00:29:30,279 --> 00:29:33,799
to be much more sophisticated than insiders, so there's some distinction that you make

334
00:29:33,839 --> 00:29:38,839
across different kinds of tools within the
same network. But you're asking, is

335
00:29:38,839 --> 00:29:41,880
the whole network you know, fine, you decide that it's SL two for

336
00:29:41,960 --> 00:29:45,480
insiders and SL four for outsiders,
But is the whole network two for insiders

337
00:29:45,480 --> 00:29:49,440
and four for outsiders, or you
know, is it three somewhere? And

338
00:29:51,640 --> 00:29:55,880
the answer is that in theory,
you know, what IEC 62443

339
00:29:56,000 --> 00:30:00,160
says is, you know,
every little network that has a slightly

340
00:30:00,200 --> 00:30:04,559
different function you might give a different
security level too. In practice that gets

341
00:30:04,640 --> 00:30:10,359
really complicated and you start making mistakes
about applying, you know, the wrong

342
00:30:10,400 --> 00:30:14,200
security controls to the wrong networks,
the wrong level of security control. So

343
00:30:14,599 --> 00:30:18,599
in practice, what I observe people
doing, yeah, is applying pretty much

344
00:30:18,640 --> 00:30:26,559
the same set of standards, the
same approach to security controls to entire networks,

345
00:30:27,119 --> 00:30:32,039
just because you know, breaking stuff
up into seventy three sub networks each

346
00:30:32,039 --> 00:30:37,039
with a different security policy is just
hard, but in theory you could do

347
00:30:37,160 --> 00:30:42,960
that. There you go, So
that's progress the industry wide. This has

348
00:30:42,960 --> 00:30:47,039
been great Kyle, thank you for
joining us. Before we let you go,

349
00:30:47,440 --> 00:30:49,200
you know, can you sum up
what should be taken away here?

350
00:30:51,039 --> 00:30:53,440
Yeah? You know, I think
I think the biggest thing to take

351
00:30:53,480 --> 00:31:00,720
away is that there is hope that
things are looking up and the building automation

352
00:31:00,880 --> 00:31:07,359
industry is kind of slowly but steadily
working on catching up to the IT industry

353
00:31:07,400 --> 00:31:15,400
and the ICS industries with regards to
maturity in cybersecurity. As I mentioned,

354
00:31:15,440 --> 00:31:21,000
groups like BCS dot org are doing
great things to help push things along.

355
00:31:21,400 --> 00:31:25,279
And my advice would be that,
you know, if we're going to do

356
00:31:25,359 --> 00:31:30,720
things like remote connectivity and remote management
systems, don't be the bottom rung on

357
00:31:30,759 --> 00:31:33,880
the ladder. You know, Let's
let's start taking a look at this and

358
00:31:34,400 --> 00:31:41,079
take cybersecurity seriously. And it's not
just it's not just who would want to

359
00:31:41,119 --> 00:31:45,279
attack, it's how do we keep
our systems running no matter what happens.

360
00:31:47,400 --> 00:31:49,440
Somebody spills coffee on the server,
you know. I mean, those kinds

361
00:31:49,480 --> 00:31:55,279
of things are our little things that
we look at to keep systems resilient,

362
00:31:55,799 --> 00:32:00,599
and you know, here at Intelligent Buildings, like,
so we do the assessments, we

363
00:32:00,680 --> 00:32:07,039
do managed services to help keep things
going once they're operational, So things like

364
00:32:07,119 --> 00:32:10,200
that. I think, I think
we're moving in a positive direction and I'm

365
00:32:10,880 --> 00:32:17,279
very excited to see where the future
takes us in this industry. And I

366
00:32:17,319 --> 00:32:21,559
love it. You know, it's
just a great, great industry to be

367
00:32:21,559 --> 00:32:27,400
in with some awesome people keeping
buildings running for the world to keep working.

368
00:32:30,519 --> 00:32:32,960
Andrew, that was your interview with
Kyle. Do you have anything to

369
00:32:34,039 --> 00:32:37,519
take us all out with today.
Yeah. You know, we've had a

370
00:32:37,559 --> 00:32:42,839
couple of episodes on building automation before. I'm reminded. One of them I

371
00:32:42,880 --> 00:32:46,599
think has in the title twenty thousand
CPUs, and we talked about really how

372
00:32:47,240 --> 00:32:52,680
how many you know CPUs in thermostats
are scattered through a large building like a

373
00:32:52,720 --> 00:32:58,200
skyscraper, and how exposed these systems
are because you know, people can touch

374
00:32:58,519 --> 00:33:00,359
the thermostats, they can pull them
off the wall to get access to the

375
00:33:00,400 --> 00:33:05,279
wiring. You know, they're they're
exposed to attacks in ways that you know,

376
00:33:05,440 --> 00:33:09,519
other systems just aren't. I remember
an episode talking about destroying a three

377
00:33:09,599 --> 00:33:14,920
hundred ton chiller by operating it too
fast for a number of hours, the

378
00:33:15,240 --> 00:33:19,640
blades that move the liquid coolant were
moving too fast and there was vacuum cavities

379
00:33:19,799 --> 00:33:24,240
forming behind these blades, tremendous vibration
over the course of hours that you

380
00:33:24,440 --> 00:33:30,000
just you destroy the cooler. And
today we're talking about you know, BCS

381
00:33:30,039 --> 00:33:35,559
dot org. Uh, the organization
is debating security levels. It's basically asking

382
00:33:35,599 --> 00:33:38,200
the question how much is enough?
How much security is enough for different kinds

383
00:33:38,200 --> 00:33:43,839
of networks. And you know,
I see that debate

384
00:33:43,920 --> 00:33:46,880
in the larger IEC 62443
standards community as well,

385
00:33:47,440 --> 00:33:51,920
and you know, the larger community. In part, I mean, there's

386
00:33:51,960 --> 00:33:57,680
many reasons to revisit this question,
but in part, it's because the threat

387
00:33:57,759 --> 00:34:01,240
environment's evolving. Uh. You know, tools and techniques that you know fifteen

388
00:34:01,359 --> 00:34:06,440
thirteen years ago when the standard
I'm most familiar with, the 3-3

389
00:34:06,480 --> 00:34:09,599
standard, when that standard came out.
The tools and techniques that nation states were

390
00:34:09,679 --> 00:34:15,119
using that was SL four today are
being used by ransomware which is SL three

391
00:34:15,239 --> 00:34:22,239
adversaries. And so you know,
how many of the security approaches. The

392
00:34:22,280 --> 00:34:25,920
security controls that used to be appropriate
to nation states at the SL four level

393
00:34:25,960 --> 00:34:30,360
now need to be reclassified at the
SL three level. All of this is

394
00:34:30,519 --> 00:34:36,320
being debated because again, you know, threats continue to evolve, and you

395
00:34:36,320 --> 00:34:38,519
know, I sum the whole thing
up with the question how much is

396
00:34:38,639 --> 00:34:42,599
enough? How much security is enough? How high do we put the bar?

397
00:34:42,840 --> 00:34:46,360
This is in a sense a constant
debate, but in the standards community

398
00:34:46,400 --> 00:34:52,480
it's being specifically debated in the last
I think twelve months or so. Well,

399
00:34:52,480 --> 00:34:54,559
then, thank you to Kyle Peters
for bringing all of that to our

400
00:34:54,599 --> 00:34:59,039
attention. And Andrew, thank you
for speaking with me. As always,

401
00:34:59,440 --> 00:35:01,719
it's always a pleasure. Thank you, Nate. This has been the Industrial

402
00:35:01,760 --> 00:35:07,599
Security Podcast from Waterfall. Thanks to
everybody out there listening.
