1
00:00:06,440 --> 00:00:09,359
The way that I look at the
risk is that I always use the word

2
00:00:09,480 --> 00:00:24,120
risk with opportunities. Welcome everyone to
the Industrial Security Podcast. My name is

3
00:00:24,199 --> 00:00:28,679
Nate Nelson. I'm here with Andrew
Ginter, the vice president of Industrial Security

4
00:00:28,879 --> 00:00:33,000
at Waterfall Security Solutions, who's going
to introduce the subject and guest of our show

5
00:00:33,039 --> 00:00:36,399
today. Andrew, how's it going? I'm very well, thank you,

6
00:00:36,479 --> 00:00:41,960
Nate. Our guest today is Dr.
Janaka Ruwanpura. He is a professor at

7
00:00:42,000 --> 00:00:45,799
the University of Calgary. He is
the Vice Provost of the entire university,

8
00:00:46,520 --> 00:00:51,960
you know, an Associate VP of
Research, and you know, he's a

9
00:00:51,960 --> 00:00:57,840
professor of engineering and project management.
And Janaka does a lot of work with

10
00:00:58,079 --> 00:01:03,640
risk, very generally, and so
we're going to explore today how cyber risk

11
00:01:03,880 --> 00:01:10,239
fits into the big picture of risk, you know, inside of engineering and

12
00:01:10,280 --> 00:01:15,760
construction and other kinds of projects and
organizations. Then, without further ado,

13
00:01:15,920 --> 00:01:22,879
let's get into the interview. Hello, Janaka, and welcome to the podcast.

14
00:01:23,840 --> 00:01:26,359
Before we get started, can I
ask you to say a few words

15
00:01:26,359 --> 00:01:30,719
about yourself and about the good work
that you're doing at the University of Calgary?

16
00:01:30,840 --> 00:01:34,319
Thank you, Andrew. My name
is Janaka Ruwanpura. I'm currently the

17
00:01:34,480 --> 00:01:42,200
Vice Provost International and Associate Vice President
Research at the University of Calgary. At

18
00:01:42,200 --> 00:01:46,079
the same time, I'm also a
professor in the Schulich School of Engineering,

19
00:01:46,640 --> 00:01:53,640
specializing in project management. If I
were to give about my connectivity with the

20
00:01:53,760 --> 00:01:59,359
university, of course, I look
after the global engagement of the University of

21
00:01:59,400 --> 00:02:05,599
Calgary, which includes every aspect of
it in terms of academic, research,

22
00:02:05,799 --> 00:02:10,439
mobility and industry connections. In terms
of the University of Calgary, I think,

23
00:02:10,479 --> 00:02:16,319
you know, we are very proud
that being a young university and particularly

24
00:02:16,479 --> 00:02:23,039
last year we became truly number five
in Canada as a top five research university.

25
00:02:24,120 --> 00:02:28,599
At the same time, I think
the other key element that I want

26
00:02:28,599 --> 00:02:32,960
to talk about and might be very
interested to hear for your audience is that

27
00:02:34,439 --> 00:02:38,919
for two consecutive years, the University
of Calgary is number one in startup companies

28
00:02:39,000 --> 00:02:46,199
produced, which is actually a tremendous
recognition and reputation for a university like us.

29
00:02:46,840 --> 00:02:52,560
Whereas when you look at even the
top five, the remaining four in

30
00:02:52,680 --> 00:02:55,240
terms of the scalability and the size
are much bigger, and then also they

31
00:02:55,280 --> 00:03:00,759
are older more than a hundred years
old. Cool. I mean, I

32
00:03:00,800 --> 00:03:02,639
am an alumnus of the University of
Calgary. I'm a great fan of

33
00:03:02,680 --> 00:03:07,759
the university. But our topic today is risk. I

34
00:03:07,759 --> 00:03:14,520
mean, you are an expert in
risk in the context of sort of engineering

35
00:03:14,560 --> 00:03:19,639
project management. You know, we're, of course on the podcast interested in

36
00:03:19,719 --> 00:03:25,680
cyber risk, but cyber risk fits
into sort of a bigger picture

37
00:03:27,080 --> 00:03:30,039
of sort of overall risk management.
You've got the risk of I don't know,

38
00:03:30,240 --> 00:03:35,800
hurricanes and fires and who knows what. So um, you know you're

39
00:03:35,840 --> 00:03:38,680
an expert on risk. Can you
start us at the top? You know,

40
00:03:38,000 --> 00:03:42,039
what is risk? What's the big
picture of risk? What are we

41
00:03:42,080 --> 00:03:44,879
worried about? What should we be
worried about? Yeah, I mean,

42
00:03:44,960 --> 00:03:47,719
Andrew, the key element of the
way that I look at the risk is

43
00:03:47,759 --> 00:03:54,039
that I always use the word risk
with opportunities and my expertise is mainly in

44
00:03:54,080 --> 00:04:00,240
the project risk management side of things. And yeah, I think the key

45
00:04:00,560 --> 00:04:09,080
is that we look at every possible
thing for a project, that what are

46
00:04:09,159 --> 00:04:19,560
those elements, challenges, and uncertainties that
could create challenges and problems in moving ahead

47
00:04:19,600 --> 00:04:25,120
with our projects. So I think
that's where we look at and say how

48
00:04:25,279 --> 00:04:30,800
we convert some of those negative things, such as the negative risks, into

49
00:04:30,839 --> 00:04:35,439
better opportunities where we will handle them. We identify them up front, we

50
00:04:35,519 --> 00:04:42,160
come up with
good solutions to deal with them so that

51
00:04:42,319 --> 00:04:47,040
we can run projects with minimum impact
of risks and uncertainty, so that the

52
00:04:47,079 --> 00:04:53,680
projects will be successfully planned, designed
and implemented. And I think that would

53
00:04:53,680 --> 00:05:00,040
apply even in a newer domain, in the
cybersecurity area, about how we identify these

54
00:05:00,600 --> 00:05:06,560
risks in advance, and then how
do we come up with a sustainable,

55
00:05:06,680 --> 00:05:14,800
practical solution that would benefit the key
stakeholders and to ensure success at the end

56
00:05:14,800 --> 00:05:17,079
and say we have done a good
job. So that makes sense at a

57
00:05:17,160 --> 00:05:21,240
high level. But I thought I
heard you say that if you look at

58
00:05:21,240 --> 00:05:26,839
them hard, sometimes risks turn into
opportunities. Can you give me an example?

59
00:05:26,920 --> 00:05:30,319
How does that work? Yeah, Andrew, like, when I dealt

60
00:05:30,399 --> 00:05:35,279
with a few risk analysis sessions with
industry folks, and I can tell you

61
00:05:35,319 --> 00:05:41,720
that in one occasion that we were
doing a project in Fort McMurray and then

62
00:05:42,199 --> 00:05:45,639
we went through the complete risk analysis
process which I'm going to explain to you

63
00:05:46,680 --> 00:05:49,480
later. Then we identified a few
risks and then when we look at the

64
00:05:49,519 --> 00:05:55,000
impact of the risks to the project
schedule, we realized that we could not

65
00:05:55,600 --> 00:06:00,800
maintain the time challenge in terms of, you know, the number of weeks

66
00:06:00,879 --> 00:06:04,680
or the months to complete the project. And at that moment we felt that,

67
00:06:04,720 --> 00:06:09,480
I think we need to look at
some alternate designs so that you could

68
00:06:09,639 --> 00:06:13,839
cut down the time duration of the
project. So the team was very committed.

69
00:06:14,040 --> 00:06:18,000
They looked at some alternate designs and
as a result of that, then

70
00:06:18,040 --> 00:06:21,920
then we did the same thing.
We looked at them and we simulated to

71
00:06:21,959 --> 00:06:27,519
find out what's a new project duration, and then we realized, yep,

72
00:06:27,680 --> 00:06:30,680
we could achieve the time duration right. And similarly, I can think of

73
00:06:30,759 --> 00:06:36,360
another example that which I can even
speak about it, you know openly the

74
00:06:36,600 --> 00:06:43,720
Olympic oval restoration that happened about twelve
years ago at the University of Calgary.

75
00:06:45,040 --> 00:06:49,959
And when we look at the risks, we had a big challenge in twenty

76
00:06:49,959 --> 00:06:59,360
eleventh September because the facility was already
committed for other clients for practicing. As

77
00:06:59,399 --> 00:07:02,279
you know that this is the place
that we call the fastest ice, and

78
00:07:02,560 --> 00:07:06,000
when we look at each of the
risks, we were very, very determined, the

79
00:07:06,000 --> 00:07:13,800
project was so committed, and they
came up with some creative solutions to reduce

80
00:07:13,800 --> 00:07:15,959
the time duration of the project.
Right. That's why I'm saying it.

81
00:07:16,079 --> 00:07:19,800
So sometimes you look at the risk
in a negative way, but if you're

82
00:07:19,839 --> 00:07:25,199
committed to come up with a better
solution to deal with the risk, it

83
00:07:25,399 --> 00:07:30,279
creates an opportunity to come up with
a better design, maybe more efficient design,

84
00:07:30,560 --> 00:07:34,600
maybe a more sustainable design, right, and maybe a more creative design

85
00:07:34,680 --> 00:07:42,480
that helped the project team to achieve
the outcomes of the project in terms of

86
00:07:42,920 --> 00:07:48,439
reducing the duration, reducing the cost, maybe enhancing the efficiency and things like

87
00:07:48,519 --> 00:07:54,720
that. So that's what I meant
by don't always look at the negative side

88
00:07:54,759 --> 00:08:00,040
of the risks, look at how
the risks can create additional opportunity. It

89
00:08:00,279 --> 00:08:05,720
is. So, Nate, Janaka was saying there, um, you know, he gave

90
00:08:05,759 --> 00:08:11,399
an example of, you know, physical design, physical risks, simplifying

91
00:08:11,519 --> 00:08:16,839
designs. You know, in the
cybersecurity space, a lot of people,

92
00:08:16,240 --> 00:08:20,480
face that same problem when it
comes to patching. You know, imagine,

93
00:08:20,600 --> 00:08:26,279
I don't know, a power plant
with you know, four generating units.

94
00:08:26,319 --> 00:08:33,200
Each unit has I don't know,
one hundred PLCs. If your PLCs are

95
00:08:33,200 --> 00:08:35,480
on the same network as your control
system, which is on the same network

96
00:08:35,519 --> 00:08:39,799
as your plant system, which has
a firewall going to the IT network,

97
00:08:39,960 --> 00:08:43,840
and the IT network in turn has
a firewall going out to the Internet.

98
00:08:45,080 --> 00:08:50,240
That's a very highly connected environment.
Any security assessor coming in is going to

99
00:08:50,279 --> 00:08:56,919
look at this and say, you
really need to patch really aggressively everything on

100
00:08:56,000 --> 00:09:01,879
your industrial network because it's so exposed
to the IT network and to the Internet.

101
00:09:03,279 --> 00:09:07,000
And patching is really expensive. I
mean, you would have to take the

102
00:09:07,039 --> 00:09:13,480
plant down in order to change the
firmware on the PLCs, and you don't

103
00:09:13,480 --> 00:09:16,720
want to do that. You want
to keep producing power, and you need

104
00:09:16,759 --> 00:09:20,799
to test these new firmware images extensively. You know, a lot of people

105
00:09:20,840 --> 00:09:24,600
look at this and say, let's
not do that. I know that was

106
00:09:26,080 --> 00:09:28,639
sort of the risk that was identified, and the obvious fix to, you know,

107
00:09:28,679 --> 00:09:33,279
we're exposed to attack is to fix
the vulnerabilities. But what a lot of

108
00:09:33,320 --> 00:09:37,360
people do is what's called compensating measures. They will put additional layers of firewalls

109
00:09:37,360 --> 00:09:41,679
in, they put additional layers of security. They might throw in a unidirectional gateway,

110
00:09:41,720 --> 00:09:46,639
and they might air gap the safety
systems so that they simply cannot be compromised.

111
00:09:46,080 --> 00:09:50,519
And in this way they reduce this
you know, they reduce the risk

112
00:09:50,519 --> 00:09:54,919
by you know, changing the design
in such a way that you don't have

113
00:09:56,039 --> 00:10:00,080
to do the really expensive patching thing
anymore. So yeah, you

114
00:10:00,120 --> 00:10:05,279
know what Janaka is saying here
makes a lot of sense. Okay,

115
00:10:05,320 --> 00:10:09,360
So, so big picture risk,
um, when you're looking at

116
00:10:09,399 --> 00:10:13,879
a project, how do you get
started with risk management? The main

117
00:10:15,039 --> 00:10:20,399
key component is that you know,
especially the risk management and I'm talking about

118
00:10:20,480 --> 00:10:28,200
large capital projects. Um. We
always look at at the very beginning of

119
00:10:28,240 --> 00:10:33,799
the project, how we come up
with a better risk process to identify the

120
00:10:33,879 --> 00:10:39,360
risks and then we can quantify the
risks so that we can come up with

121
00:10:39,399 --> 00:10:45,840
a better risk response plan. And
that's where it's important to bring the key

122
00:10:45,919 --> 00:10:52,840
stakeholders who are involved in the project
um, and who have expertise and knowledge about

123
00:10:52,960 --> 00:10:58,600
similar projects in the past, and
so that they could actually provide the input

124
00:10:58,759 --> 00:11:05,000
for the current project. So before
I get into the steps that I

125
00:11:05,039 --> 00:11:13,440
think we always emphasize share the current
information that you know about the

126
00:11:13,480 --> 00:11:20,279
project, so that the participants involved
in the risk analysis can understand it and come

127
00:11:20,360 --> 00:11:26,000
up with a better risk identification.
And so when you look at the risk

128
00:11:26,039 --> 00:11:33,440
identification, we
want to ensure that everybody is committed to

129
00:11:33,559 --> 00:11:41,480
identify the unique risks that are relevant
to the project, right, And that's

130
00:11:41,519 --> 00:11:46,480
where we ask the question. I
mean, like, for example, when

131
00:11:46,519 --> 00:11:50,320
we identify the risks, we have
to think about right away how we're going

132
00:11:50,360 --> 00:11:54,600
to deal with the risks. Right, So sometimes we ask a question the

133
00:11:54,720 --> 00:12:01,679
two important things. We ask about
how urgent? How important? So I

134
00:12:01,679 --> 00:12:09,200
can refer to Stephen Covey's time management
matrix where, you know, Stephen Covey mentioned

135
00:12:09,200 --> 00:12:15,440
about for like a two by two
matrix in terms of one side is on

136
00:12:15,519 --> 00:12:18,720
the urgent, the other side is
on the important. So for example,

137
00:12:20,080 --> 00:12:26,039
we get what we call the reactive
quadrant, which is actually urgent and important.

138
00:12:26,519 --> 00:12:31,440
That means there's an important risk.
There's an urgent risk, and there's

139
00:12:31,480 --> 00:12:37,039
a different way of dealing with that. Right. Then there's quadrant number

140
00:12:37,039 --> 00:12:43,279
two which is not urgent but important. That means we have time to really

141
00:12:43,320 --> 00:12:50,480
identify them. We can you know, we can actually proactively deal with that

142
00:12:50,679 --> 00:12:56,120
risk so that that the team is
aware what to do. And then comes

143
00:12:56,120 --> 00:13:01,519
the quadrant three, which is not
important but urgent, right, which is

144
00:13:01,559 --> 00:13:05,960
also you know, I mean it's
a it's a bit of a reactive nature.

145
00:13:07,080 --> 00:13:11,840
At the same time, it is
difficult for us to reject it.

146
00:13:11,960 --> 00:13:15,039
We have to deal with it,
right, We have to deal with it

147
00:13:15,080 --> 00:13:18,039
because it's so urgent. And then
so we need to deal with it.

148
00:13:18,799 --> 00:13:26,440
And then comes the fourth quadrant,
which is like not important, not

149
00:13:26,559 --> 00:13:33,039
urgent. So there's no drivers here, right, and then do we really

150
00:13:33,080 --> 00:13:37,559
want to spend time in looking at
them? Right? So coming back to

151
00:13:37,679 --> 00:13:43,519
that step number one, as I
said, the identification is really key.

152
00:13:43,559 --> 00:13:48,600
If the team is not identifying the
risks properly, then we won't be

153
00:13:48,600 --> 00:13:56,000
able to come up with a robust
risk management plan. Yes, what he is

154
00:13:56,039 --> 00:14:01,120
referencing there, I've heard this for
years now as the name of it being

155
00:14:01,159 --> 00:14:05,559
the Eisenhower matrix and it being applied
to the traits of successful people. But

156
00:14:05,600 --> 00:14:09,679
I guess the point he's making is
that it could be applied to risk more

157
00:14:09,720 --> 00:14:15,159
easily because it's sort of universal,
that's right. I think he attributed it

158
00:14:15,200 --> 00:14:18,679
to Stephen Covey, who I think
documented it in one of his books.

159
00:14:18,720 --> 00:14:22,799
I don't know was it seven habits
of highly effective people. I'm not sure,

160
00:14:22,559 --> 00:14:26,200
but yeah, it's, you
know, I think of it as

161
00:14:26,200 --> 00:14:31,080
you know, I recall being
introduced to it as a time management matrix.

162
00:14:31,120 --> 00:14:33,679
But it applies to risk as well. I mean, you know,

163
00:14:33,799 --> 00:14:37,799
in the cyberspace, you know,
what are we talking about? Something that's

164
00:14:37,879 --> 00:14:41,919
both urgent and important. There's ransomware
on the OT network. This is an

165
00:14:41,919 --> 00:14:48,559
emergency. All hands on deck,
fix this problem. You know that's

166
00:14:48,759 --> 00:14:52,919
urgent and important. Not urgent but
important? The risk assessment just came

167
00:14:52,960 --> 00:14:56,480
back. The security assessment just came
back. You know, we're in trouble.

168
00:14:56,559 --> 00:15:01,919
We have to fix these problems before
some worm gets into the control network.

169
00:15:01,600 --> 00:15:07,039
An example of you know, not
important, but urgent. We urgently

170
00:15:07,440 --> 00:15:13,120
need to change all of the passwords
in all of the devices in all of

171
00:15:13,120 --> 00:15:18,240
our substations. Why? NERC CIP says
you have to do this. Yeah,

172
00:15:18,320 --> 00:15:22,440
but those substations they're heavily defended.
We've got security in there nine

173
00:15:22,440 --> 00:15:24,559
ways to Sunday. Nobody can get
in there with a password and mess with

174
00:15:24,639 --> 00:15:31,159
them. It doesn't matter. If we
breach the standard, we risk a million

175
00:15:31,200 --> 00:15:35,440
dollars per day of non compliance.
Fine, fix this problem. Fix it

176
00:15:35,480 --> 00:15:39,240
now. I don't care if it's
not important security wise, it's urgent compliance

177
00:15:39,279 --> 00:15:43,039
wise. So yeah, this,
this matrix you know very much applies in

178
00:15:43,039 --> 00:15:50,480
the cyberspace. In the beginning of
the industrial security revolution, engineers were told

179
00:15:50,559 --> 00:15:56,559
to use IT security principles, protect
the information. We were told. We

180
00:15:56,679 --> 00:16:00,519
knew this was a poor fit,
but it was all we had. The

181
00:16:00,639 --> 00:16:06,960
top security priority at industrial sites is
safety. Don't kill anyone, don't cause

182
00:16:07,000 --> 00:16:12,080
an environmental disaster. And the second
priority is reliability. Do not shut down

183
00:16:12,120 --> 00:16:18,919
our factory or infrastructure. Today,
safe and reliable operations use unhackable protections from

184
00:16:18,960 --> 00:16:25,879
cyber risks, not just cybersecurity.
For a deeper look at the evolution of

185
00:16:25,879 --> 00:16:30,919
the revolution, we invite you to
download Waterfall's report on the Emerging Consensus for

186
00:16:30,039 --> 00:16:37,039
Industrial Security Engineering. You can access
the report at the Waterfall website,

187
00:16:37,240 --> 00:16:41,919
waterfall-security.com/engineering-consensus, or just go to

188
00:16:41,960 --> 00:16:48,840
the resources menu and click on white
papers and ebooks. Okay, so we've

189
00:16:48,879 --> 00:16:52,039
we've identified the risks, we've got
our matrix of urgent versus important. What's

190
00:16:52,080 --> 00:16:56,240
the next step. The next step
is, like, this is interesting,

191
00:16:56,240 --> 00:17:03,519
when I've done many of the facilitation
of risk analysis sessions, people come up

192
00:17:03,559 --> 00:17:07,839
with all kinds of risks. Right, then the question is do you really

193
00:17:07,920 --> 00:17:11,599
understand the risk? If somebody asks
you about this particular risk, can you

194
00:17:11,680 --> 00:17:18,839
justify that this risk is relevant to
this project? So then we ask questions

195
00:17:18,920 --> 00:17:23,319
like, do you have background understanding
about this particular risk? Have you seen

196
00:17:23,359 --> 00:17:27,640
that happening in other projects? Do
you think it's relevant for this project?

197
00:17:29,559 --> 00:17:33,359
If it happens for this project,
would you be able to really analyze the

198
00:17:33,400 --> 00:17:38,960
problem. Because the reason why we
ask the questions is, if you

199
00:17:40,039 --> 00:17:44,200
identify risk and say, hey,
this is a high risk, you know

200
00:17:44,319 --> 00:17:47,960
it's going to be like you know
the impact is going to be quite significant,

201
00:17:48,920 --> 00:17:52,960
how do you determine those if you
don't understand the risk. So that's

202
00:17:52,960 --> 00:17:56,519
what we call the qualification. So
we go through what we call it like

203
00:17:56,559 --> 00:18:03,920
a step after the identification, qualify
the risks. Are you really champions of

204
00:18:04,000 --> 00:18:11,079
this risk? So that we can
take the identified risks into the quantification stage,

205
00:18:11,039 --> 00:18:15,279
But before that, we need to
make sure that you understand the risks

206
00:18:15,319 --> 00:18:18,680
and if someone else in the team
asks a question, would you be able

207
00:18:18,720 --> 00:18:26,880
to defend whether these risks are relevant
for the project. Okay. And once

208
00:18:26,920 --> 00:18:33,240
we pass that stage, then we
can go to the risk quantification stage to

209
00:18:33,440 --> 00:18:40,559
determine two things. What is the
probability of occurrence of this risk and if

210
00:18:40,559 --> 00:18:47,319
that risk occurs, what would be
the impact of the risks to various aspects?

211
00:18:47,720 --> 00:18:51,799
Right? And I can say that
one for example, as I say,

212
00:18:52,079 --> 00:18:56,319
you know my background is in more
on capital projects. The two

213
00:18:56,440 --> 00:19:02,519
key things we always talk about the
risk management is how these

214
00:19:02,599 --> 00:19:08,359
risks impact the cost of the project, how they impact the time of the

215
00:19:08,400 --> 00:19:12,480
project or the duration of the project. But you can also look at other

216
00:19:12,519 --> 00:19:19,480
things. You know, the impacting
categories could be reputation, safety,

217
00:19:21,519 --> 00:19:25,119
the performance. Right, So you
can actually say, okay, if this

218
00:19:25,279 --> 00:19:30,759
risk happens, let's quantify to say
what's the probability of occurrence

219
00:19:30,799 --> 00:19:38,279
of these risks or the impact if
these risks happen. Right. And that's

220
00:19:38,319 --> 00:19:42,839
where, especially when we are dealing
with, you know, risk analysis with

221
00:19:44,000 --> 00:19:48,960
you know, stakeholders involving there,
we want to make sure that everybody really

222
00:19:48,079 --> 00:19:56,440
understands the process of the quantification.
And that's where you always adopt standard methodology

223
00:19:56,720 --> 00:20:03,480
to look at the probability of occurrence. For example, if I say,

224
00:20:03,960 --> 00:20:06,279
oh, you know what, I
have this risk, which is,

225
00:20:06,400 --> 00:20:11,799
you know, very likely that it's
going to happen, So somebody would ask

226
00:20:11,799 --> 00:20:15,039
the question, what do you mean
likely? Can you define what's likely?

227
00:20:17,000 --> 00:20:21,079
So, like, for example,
Andrew, even between you and I,

228
00:20:21,079 --> 00:20:26,839
if I use the word likely in
a subjective term, what does that mean

229
00:20:26,880 --> 00:20:30,880
to you? And then if I
look at that likely, how do I

230
00:20:30,920 --> 00:20:36,319
interpret likely? So that's where we
always look at and come up with a

231
00:20:36,440 --> 00:20:41,480
standard methodology that can say, you
know what this risk is. You know,

232
00:20:41,559 --> 00:20:48,240
likely means it is forty percent chance
happening, right, or is it

233
00:20:48,359 --> 00:20:56,160
fifty percent chance happening? So we
come up with a connotative methodology to define

234
00:20:56,839 --> 00:21:02,200
what we mean by a subjective meaning
and then turn that subjective meaning into a

235
00:21:02,240 --> 00:21:07,119
quantitative meaning. So that makes sense. Um, but we're talking about you

236
00:21:07,160 --> 00:21:11,400
know, risk, We're talking about
things that might not happen. Um.

237
00:21:12,400 --> 00:21:18,319
You know, I might say,
Um, you know, you're operating a

238
00:21:18,599 --> 00:21:25,920
large consumer goods factory and competing with
you know, the same kind of

239
00:21:25,960 --> 00:21:32,039
factory in, um, another country,
and that country, you know, has

240
00:21:32,240 --> 00:21:38,519
an active industrial intelligence wing in
their government. And I think

241
00:21:38,559 --> 00:21:42,680
it's very likely that the large consumer
goods factory, you know, laptop factory

242
00:21:44,279 --> 00:21:48,759
is going to be targeted with
a nation-state-grade, intelligence-agency-grade

243
00:21:48,880 --> 00:21:52,720
cyber attack. Um, you might
disagree. How do you

244
00:21:52,799 --> 00:21:56,119
resolve these things about events that haven't
happened yet. I mean, this is

245
00:21:56,160 --> 00:22:02,119
where, Andrew, like, there's two things
sometimes. You know, when we look

246
00:22:02,160 --> 00:22:07,559
at the risk management and identification,
we identify which ones are the strategic risks,

247
00:22:07,559 --> 00:22:11,359
which ones are the tactical risks.
In the project management domain, we

248
00:22:11,519 --> 00:22:18,519
consider the tactical risk management is available
at the projects for the project people to

249
00:22:18,599 --> 00:22:23,440
handle, whereas senior management will
determine the strategic risks. Even the existence

250
00:22:23,440 --> 00:22:27,519
of a project depends on how they
look at the strategic risks. And then

251
00:22:27,559 --> 00:22:32,240
if they think, like the example
that you have given is actually more

252
00:22:32,279 --> 00:22:36,160
geopolitical type of thing, which is
actually a strategic type of risk, which

253
00:22:36,200 --> 00:22:38,039
would decide whether we want to go
ahead with the project or not. But

254
00:22:38,160 --> 00:22:42,400
anyway, the challenge that I have
faced in the quantification of the risk is

255
00:22:42,440 --> 00:22:47,680
that you know, do we think
the same way like for example, I

256
00:22:47,720 --> 00:22:52,319
mean, you know, I sometimes
use criteria like, it says, likelihood of

257
00:22:52,319 --> 00:22:59,000
occurrence. We define them in five
different subjective ways. Almost certain. Now,

258
00:22:59,039 --> 00:23:03,200
what does almost certain mean to you
and me? So for us to

259
00:23:03,319 --> 00:23:07,359
really understand the same consistency, then
we define and say almost certain means that

260
00:23:07,640 --> 00:23:14,720
it's going to be anywhere about ninety
percent probability. Likely means it's a

261
00:23:14,799 --> 00:23:19,359
high risk that we can say between
seventy to ninety percent. Possible means

262
00:23:21,319 --> 00:23:26,160
thirty percent to seventy percent, unlikely
means ten to thirty percent, and rare

263
00:23:26,319 --> 00:23:30,799
means zero to ten percent. So
we come up with a framework that everybody

264
00:23:32,640 --> 00:23:40,359
is thinking along the same definitions,
so that when we identify risks and when

265
00:23:40,359 --> 00:23:48,640
we quantify that we get consistency from
everybody. And I think that is also

266
00:23:48,799 --> 00:23:53,759
important in terms of when we look
at the impact. So I'll give

267
00:23:53,799 --> 00:23:57,359
you an example on that as well. Like if you want to come up

268
00:23:57,359 --> 00:24:03,920
with criteria for impact, the simplest
way is maybe on a range of ten.

269
00:24:03,960 --> 00:24:07,880
We can say, you know what
a ten plus means, it's a

270
00:24:07,880 --> 00:24:15,640
catastrophic impact in terms of time impact
or a cost impact. And you can

271
00:24:15,759 --> 00:24:18,599
say a serious means on a scale
of ten, maybe eight to ten.

272
00:24:19,519 --> 00:24:25,519
A moderate means anywhere from four to
six, and negligible means zero

273
00:24:25,640 --> 00:24:27,279
to two. So, for example, we could come up with criteria

274
00:24:27,359 --> 00:24:33,559
that actually has the words called catastrophic, serious, severe, moderate, minor,

275
00:24:33,599 --> 00:24:38,119
and negligible. But then we can
say, what do you mean by

276
00:24:38,200 --> 00:24:45,680
catastrophic impact. Catastrophic impact means you
know, depending on the project value,

277
00:24:45,720 --> 00:24:49,920
like we could say that means we
are talking about a five

278
00:24:49,920 --> 00:24:56,039
million additional cost to the project,
and we are also talking about six months

279
00:24:56,119 --> 00:25:03,319
delay, right versus a negligible means
you're talking about maybe up to ten thousand

280
00:25:03,359 --> 00:25:11,359
dollars in our cost impact with one
week of delay, you see. And

281
00:25:11,400 --> 00:25:17,799
I think we need to come up
with a subjective nature of the impact and

282
00:25:17,839 --> 00:25:22,279
also put a value associated with that
one in terms of the cost and the

283
00:25:22,359 --> 00:25:26,400
time, so that everybody in the
team when we analyze the risks, that

284
00:25:26,960 --> 00:25:33,720
there's a consistent mindset about these two
things, the probability of occurrence and the

285
00:25:33,799 --> 00:25:37,319
impact. And I'm sure Andrew,
you could think of many examples in a newer

286
00:25:37,480 --> 00:25:44,440
domain in terms of how do you
define the probability of occurrence with relevance to

287
00:25:44,480 --> 00:25:48,400
the risks, and then also how
do we see the impact of the risks?

288
00:25:51,039 --> 00:25:53,079
So, Nate, you know, the
keyword I took out of that was

289
00:25:53,640 --> 00:26:00,559
strategic, sort of strategic versus tactical
risks. You know, in a large

290
00:26:00,640 --> 00:26:03,880
organization, think, I don't know, a power utility with forty thousand employees,

291
00:26:06,440 --> 00:26:11,759
lots of different people are involved in
lots of different kinds of risk management

292
00:26:11,759 --> 00:26:14,720
at lots of different levels. I
mean, you know, individual technicians who

293
00:26:14,880 --> 00:26:18,640
drive out to a high voltage substation, they do not touch anything in the

294
00:26:18,680 --> 00:26:23,000
substation unless they know that it's been
de energized. Ideally that you know,

295
00:26:23,039 --> 00:26:27,000
they've de energized it themselves so that
they don't you know, get two hundred

296
00:26:27,039 --> 00:26:30,519
thousand volts, you know, flying
through them and killing them on the job.

297
00:26:32,279 --> 00:26:37,599
Whereas you know, senior management would
tend to deal with risks of I

298
00:26:37,640 --> 00:26:42,559
don't know, uh, you know, an earthquake collapsing the head office and

299
00:26:42,640 --> 00:26:47,599
having to relocate you know, the
functions of the head office to a backup

300
00:26:47,640 --> 00:26:52,519
office on an emergency basis. But
you know, the at what level of

301
00:26:52,519 --> 00:27:00,359
an organization should you be dealing with
cyber risk? And I think the the

302
00:27:00,359 --> 00:27:03,880
the answer that I heard sort of
in terms of general principles, is that

303
00:27:04,119 --> 00:27:08,359
the highest levels of the organization have
to be dealing with strategic risk. And

304
00:27:08,519 --> 00:27:12,599
you know, strategic risk is risk
that puts the entire existence or the mandate

305
00:27:14,000 --> 00:27:17,119
of the organization at risk. So
you know, in the example of the

306
00:27:17,160 --> 00:27:23,200
the computer factory that I gave to
to Janaka, um, and you know, the

307
00:27:23,200 --> 00:27:29,640
the the interference with the factory by
a foreign intelligence agency that's trying to give

308
00:27:29,720 --> 00:27:34,440
their own factories in their own country
a competitive advantage, that interference could be

309
00:27:34,559 --> 00:27:41,960
existential. It could drive the computer
factory out of business. For example,

310
00:27:41,000 --> 00:27:45,279
if if pricing information has been stolen
from the IT network in this in this

311
00:27:45,400 --> 00:27:49,680
factory, and you know, this
allows the factories in the other country to

312
00:27:51,200 --> 00:27:56,880
you know, buy ten cents by
a dollar undercut the price of the products

313
00:27:56,880 --> 00:28:00,519
produced by by this factory. Or
if you know, they if the intelligence

314
00:28:00,559 --> 00:28:04,960
agency has wormed their way into the
operations network and has been tampering with the

315
00:28:06,400 --> 00:28:12,279
devices, the PLCs controlling production, and introducing
flaws defects into the product that have to

316
00:28:12,319 --> 00:28:18,880
be repaired at a massive cost.
You know, you could this with this

317
00:28:18,960 --> 00:28:22,119
kind of interference, you could drive
the factory out of business, the company

318
00:28:22,119 --> 00:28:26,480
out of business. That level of
threat is something that needs to be discussed

319
00:28:26,880 --> 00:28:30,319
at the board level. In my
understanding, that's a strategic threat, you

320
00:28:30,359 --> 00:28:33,720
know, lower level threats of you
know, I'm sorry if we mess with

321
00:28:33,799 --> 00:28:38,359
our if we don't comply with with
the law regarding I don't know, uh,

322
00:28:38,519 --> 00:28:42,599
you know, electromagnetic emissions or different
kinds of compliance risks might be dealt

323
00:28:42,640 --> 00:28:48,559
with lower in the organization, but
you know, strategic lift risk has to

324
00:28:48,599 --> 00:28:52,160
be dealt with at the highest levels, and lesser risks are dealt with you

325
00:28:52,200 --> 00:28:56,559
know elsewhere. Is what I took
away here. Okay, So, so

326
00:28:56,559 --> 00:29:02,000
we've identified our risks, We've in
a sense prioritize them. We understand which

327
00:29:02,000 --> 00:29:06,920
are strategic you know, we've we've
quantified them. What's next, how do

328
00:29:06,920 --> 00:29:11,200
we deal with these? So so
now you could actually you could come up

329
00:29:11,200 --> 00:29:15,920
with a nice risk matrix, and
the risk matrix will tell us based on

330
00:29:15,960 --> 00:29:22,440
the probability of occurrence and the impact, which ones are high risks, which

331
00:29:22,440 --> 00:29:26,480
ones are low risks, which ones
are in the middle. And that's where

332
00:29:26,720 --> 00:29:29,960
you look at it and say,
hey, I mean we have a high

333
00:29:30,079 --> 00:29:33,960
risk, which is the probability of
occurrence is very high. It's a catastrophic

334
00:29:34,079 --> 00:29:41,799
risk. And then do I want
that risks to come all the way down

335
00:29:41,839 --> 00:29:47,359
to a low level where we want
to make sure that you know, it's

336
00:29:47,359 --> 00:29:52,319
a rare occurrence of that particular risk
or the impact is going to be very

337
00:29:52,359 --> 00:29:56,440
negligible. Right. Oh, somebody
said, you know what, No,

338
00:29:56,720 --> 00:30:00,400
let's also look at it in an
alternate scenario. We want say that's risks

339
00:30:00,480 --> 00:30:03,880
could could could occur, like you
know, it could be possible to occur.

340
00:30:04,599 --> 00:30:10,039
If that happens, that maybe there's
a moderate impact because of that risk.

341
00:30:10,200 --> 00:30:15,160
Right. So that's where we look
at now a framework about risk response

342
00:30:15,559 --> 00:30:22,000
planning. And that's where the two
keywords come back again, the one that

343
00:30:22,039 --> 00:30:27,440
I mentioned earlier called the proactive versus
reactive. Right. So, and actually,

344
00:30:27,400 --> 00:30:30,960
you know my domain when I do
things, I actually have a kind

345
00:30:30,960 --> 00:30:37,839
of a decision tree built into to
both proactive risk management versus reactive risk management.

346
00:30:38,759 --> 00:30:45,440
So what are the different options available
when you're dealing with a proactive risk

347
00:30:45,480 --> 00:30:52,839
management Because we see that a potential
risk coming in, but we do have

348
00:30:52,000 --> 00:30:59,799
time to eliminate the risk, or
to mitigate the risks, or to accept

349
00:30:59,799 --> 00:31:03,920
the risks, or to transfer the
risks that the four things that I can

350
00:31:03,039 --> 00:31:07,400
I can elaborate on that. Right, But if you're now dealing with proactive

351
00:31:07,480 --> 00:31:11,880
versus reactive, how do we deal
with it? You know, I'll give

352
00:31:11,920 --> 00:31:15,480
you, like, you know,
a kind of a simple a decision tree.

353
00:31:17,079 --> 00:31:19,680
We can actually say, you know
what, the current probability of a

354
00:31:19,680 --> 00:31:26,240
particular risk is about eighty percent,
but we have three choices we can eliminate

355
00:31:26,279 --> 00:31:30,119
it. That means there's an eighty
percent chance we want to eliminate it,

356
00:31:30,160 --> 00:31:34,119
like we want to make it into
a zero percent that we will never see

357
00:31:34,119 --> 00:31:38,720
this risk. Okay, Oh,
we can say in about the current probability

358
00:31:38,799 --> 00:31:45,640
is eighty percent. I mean,
let's try and mitigate to about a twenty

359
00:31:45,640 --> 00:31:49,440
percent a probability a ten percent chance
of this risk happening. Right, so

360
00:31:49,880 --> 00:31:57,680
we will what can we do proactively
to mitigate this risk occurring? Oh?

361
00:31:57,799 --> 00:32:00,119
We can say, no, what
I think this is kind of a risk

362
00:32:00,240 --> 00:32:07,039
that I mean, in a project
environment, there are various key stakeholders in

363
00:32:07,079 --> 00:32:10,880
there. Let's say we have own
a consultant or a contractor or other parties

364
00:32:10,880 --> 00:32:15,920
and say, you know, I
think for this particular risk, it may

365
00:32:15,960 --> 00:32:21,880
be better for us to transfer the
risk to a party that could better handle

366
00:32:22,160 --> 00:32:27,599
this risk. And so we can
think of three options eliminate, mitigate,

367
00:32:27,799 --> 00:32:32,400
or transfer, depending on the nature
of the risk. But if you were

368
00:32:32,440 --> 00:32:38,000
to look at a proactive nature of
risk, the word eliminate does not exist

369
00:32:38,440 --> 00:32:44,640
because you know, reactive means that
something has already happened and you can eliminate

370
00:32:44,640 --> 00:32:50,359
it now. So your choices are
either to mitigate the impact of the risk,

371
00:32:50,839 --> 00:32:57,400
which means that you know, we
through the risk analysis, we identified

372
00:32:57,519 --> 00:33:01,680
if this risk occur, it's one
hundred thousand dollar impact. But I can

373
00:33:01,759 --> 00:33:09,759
mitigate this one by maybe spending maybe
sixty thousand dollars so that the impact could

374
00:33:09,799 --> 00:33:15,519
be cut down. Or we can
even think about it and say, how

375
00:33:15,519 --> 00:33:19,960
do I mitigate the impact of it. Maybe we do something that it will

376
00:33:20,000 --> 00:33:24,880
not have the same hundred thousand dollars
impact, right, Or you know what,

377
00:33:25,519 --> 00:33:29,279
Yes, we can see the signs
of this risk. But I think

378
00:33:29,920 --> 00:33:35,480
rather than me as a stakeholder handling
the risk, I could probably transfer this

379
00:33:35,680 --> 00:33:40,359
risks into another party who has a
better authority or the accountability to handle the

380
00:33:40,440 --> 00:33:44,200
risk. And we could do it
in our transferring the risk and then handle

381
00:33:44,240 --> 00:33:47,240
it that way. Oh, you
know what, the risk has already happened.

382
00:33:47,640 --> 00:33:52,480
There's nothing much we could do it. Let's accept it and deal with

383
00:33:52,519 --> 00:33:58,319
the problem, right, I mean
when you are you know, I've also

384
00:33:58,359 --> 00:34:01,000
done some work in the disaster area, right, you know, particularly the

385
00:34:01,079 --> 00:34:08,400
natural disaster area with respect to you
know, tsunamis and then also the tornadoes.

386
00:34:09,320 --> 00:34:13,679
Um and and that's where sometimes you
know, you have to accept the

387
00:34:13,679 --> 00:34:15,559
impact of it. I mean,
you know, it happened, and how

388
00:34:15,559 --> 00:34:21,159
do we deal with it now?
Right? Um? So, so depending

389
00:34:21,400 --> 00:34:24,920
on the nature, as I said, proactive versus reactive, you could come

390
00:34:25,000 --> 00:34:31,119
up with a decision tree that will
that will show different options and also will

391
00:34:31,159 --> 00:34:38,039
show the consequences of those options to
the project so that you can make it

392
00:34:39,000 --> 00:34:45,440
successful and dealing with the risks.
So, I mean, one of the

393
00:34:45,519 --> 00:34:47,719
things that that you know, now
that we've had some of the big picture

394
00:34:47,800 --> 00:34:52,480
here, one of the things that
always always puzzled me is when you're doing

395
00:34:52,880 --> 00:34:55,280
um, you know, I get
deeply involved in cyber risk management, but

396
00:34:55,360 --> 00:35:00,519
not so much you know, management
of the risks of earthquakes or of you

397
00:35:00,559 --> 00:35:04,159
know, fires, or of you
know, pandemics, who knows what?

398
00:35:06,039 --> 00:35:08,239
And so you know, if you're
let's say you're building I don't know,

399
00:35:08,320 --> 00:35:14,079
a hospital, the systems that you're
putting in place have to protect the confidentiality

400
00:35:14,079 --> 00:35:17,199
of patient information. The design for
the structure has to address the risk of

401
00:35:17,320 --> 00:35:21,360
earthquakes in the region, because we
can't have the structure collapsing on all the

402
00:35:21,400 --> 00:35:27,559
patients. The design of the electric
system has to allow for backup power supplies

403
00:35:27,599 --> 00:35:30,039
if the main power supply fails,
because you've got to keep your patients alive

404
00:35:30,079 --> 00:35:34,679
and electricity is used for that.
So you've got you've got different kinds of

405
00:35:34,800 --> 00:35:37,679
risks that you're managing. Do you
ever have to trade off one against the

406
00:35:37,719 --> 00:35:40,280
other and say this one's more important, I'm going to focus on it,

407
00:35:40,960 --> 00:35:45,519
you know, the other ones I'm
just going to accept, or you know,

408
00:35:45,800 --> 00:35:49,039
is something else going on here?
I mean, Andrew, I think

409
00:35:49,239 --> 00:35:57,519
it two different things to look at
it. One is that if we identify

410
00:35:58,679 --> 00:36:02,480
exactly the same two risks that you
mentioned, if they are important, if

411
00:36:02,519 --> 00:36:08,519
they are that been identified in our
risk matrix through the probability of occurrence and

412
00:36:08,599 --> 00:36:13,559
the impact has been critically that we
need to handle it. How we handle

413
00:36:13,599 --> 00:36:19,039
it proactive versus reactive is two different
things. But also the second one is

414
00:36:19,159 --> 00:36:22,679
at what stage this could happen,
Like, you know, is it happening

415
00:36:22,760 --> 00:36:25,400
during the design stage, it could
happen in they're during the construction stage,

416
00:36:25,719 --> 00:36:30,239
or is it happening in the commissioning
stage. So if they're both important and

417
00:36:30,280 --> 00:36:34,039
we need to tackle them, we
don't trade off. We deal with different

418
00:36:34,079 --> 00:36:37,239
strategies to deal with it, right
you know, you know, one could

419
00:36:37,320 --> 00:36:43,400
be proactively trying to eliminate that,
or maybe the other one could be we

420
00:36:43,519 --> 00:36:47,480
will be reactively mitigated. Right,
so that two different things. I mean

421
00:36:47,559 --> 00:36:52,320
I think you know, as the
time goes, like cybersecurity, relative risks

422
00:36:52,320 --> 00:36:58,960
are really being critical in many of
the engineering and construction projects because I mean

423
00:36:59,000 --> 00:37:05,280
the example you gave in hospitals,
research facilities at universities are becoming really

424
00:37:05,320 --> 00:37:07,480
critical now. So that you know, we don't trade off. But if

425
00:37:07,519 --> 00:37:12,800
it's important, I mean, if
it's high, um, then we must

426
00:37:12,840 --> 00:37:19,679
find solutions to deal with that.
So Nate um, let let me paraphrase

427
00:37:19,679 --> 00:37:22,519
what I just heard there. I
mean, the the the question that's been

428
00:37:22,519 --> 00:37:24,960
sticking in my mind for some time. I mean, you know, at

429
00:37:24,960 --> 00:37:29,840
Waterfall we work with you know,
heavy industry. We work with people who are

430
00:37:30,000 --> 00:37:34,719
dealing with you know, powerful dangerous
physical processes. You know, they deal

431
00:37:34,760 --> 00:37:38,159
with risk every day. Um.
And what I've heard from time to time

432
00:37:38,199 --> 00:37:43,000
from from different stakeholders in these organizations, you know, depending on the organization

433
00:37:43,679 --> 00:37:46,159
is you know, um, Andrew, we're not going to worry about cyber

434
00:37:46,960 --> 00:37:50,960
for now. You know, we
have bigger fish to fry, and they

435
00:37:51,039 --> 00:37:52,880
talk about other risks. And this
was in a sense, you know,

436
00:37:53,239 --> 00:37:59,880
my goal in bringing Janaka on is
to try and understand how does cyber fit

437
00:38:00,000 --> 00:38:01,639
into the bigger picture. And what
I what I just heard him say was,

438
00:38:01,679 --> 00:38:05,599
look, Andrew, if you've got
a strategic risk, if the existence

439
00:38:05,599 --> 00:38:08,840
of the organization, if the mandate
of the organization is you know, has

440
00:38:09,039 --> 00:38:13,920
faces a serious threat, Look,
you have to deal with that. The

441
00:38:13,960 --> 00:38:15,199
board has to do with that,
the executive has to deal with that.

442
00:38:15,280 --> 00:38:22,559
You cannot ignore material risks, um, it doesn't matter if you have lots

443
00:38:22,559 --> 00:38:27,639
of risks on the table. You
have to at least think about every one

444
00:38:27,639 --> 00:38:34,039
of these risks. And you know
that that's an insight I didn't have before

445
00:38:34,079 --> 00:38:37,559
that. You know, you know, the folks deal with you know,

446
00:38:37,840 --> 00:38:40,480
senior decision makers, they deal with
the risks, you know, major risks

447
00:38:40,639 --> 00:38:45,079
due to fire, due to earthquake, due to cyber you know, sort

448
00:38:45,119 --> 00:38:49,039
of independently. But you know,
it still begs the question where did that

449
00:38:49,119 --> 00:38:52,159
question come from? And this is
what you know, let's let's listen back

450
00:38:52,199 --> 00:38:57,079
in again sort of. My next
question is is a little bit clarifying in

451
00:38:57,159 --> 00:38:59,880
terms of when can you trade stuff
off? And it? You know,

452
00:39:00,000 --> 00:39:02,960
it turns out it has more to
do with different threats that have the same

453
00:39:04,000 --> 00:39:07,079
consequence. In a sense, it's
the same risk as opposed to different risks.

454
00:39:07,119 --> 00:39:10,199
But you know, if you've got
different important risks, the lesson here

455
00:39:10,280 --> 00:39:15,199
is you have to deal with each
of them. Instead of talking about,

456
00:39:15,360 --> 00:39:21,400
you know, risks with very different
outcomes leaking patient information versus the building collapsing,

457
00:39:22,320 --> 00:39:25,000
can we talk about risks that in
a sense have the same consequence.

458
00:39:25,679 --> 00:39:30,840
You know, a solar farm might
have motors to move the solar panels to

459
00:39:30,880 --> 00:39:35,039
track the position of the sun.
And they might have those motors because if

460
00:39:35,440 --> 00:39:37,760
the motors are working properly, they
produce you know, the farm produces twice

461
00:39:37,800 --> 00:39:42,599
as much power in a day.
If ransomware gets in there and cripples the

462
00:39:43,000 --> 00:39:47,400
computers, that control the motors and
the panels freeze. You only produce half

463
00:39:47,400 --> 00:39:52,440
as much power as you expected for
the day. But you also might have

464
00:39:52,679 --> 00:39:57,519
mispredicted the weather. I mean,
the weather is variable. Sometimes it's cloudier

465
00:39:57,519 --> 00:40:00,519
than you expect, and you only
produce half the power in the day that

466
00:40:00,599 --> 00:40:06,000
you thought you would. You know, you might have a cloudy day dozens

467
00:40:06,000 --> 00:40:09,039
of times in the year. You
might have a ransomware incident once every two

468
00:40:09,119 --> 00:40:14,320
or three years. When you have, in a sense, the same outcome

469
00:40:14,760 --> 00:40:19,760
of different causes of risk, is
this a time where you might legitimately say

470
00:40:19,800 --> 00:40:22,480
I'm going to trade off how much
money I spend on one versus the other?

471
00:40:22,599 --> 00:40:27,719
Is you know when is this what
makes them comparable? Yeah? I

472
00:40:27,760 --> 00:40:31,960
mean I think that that's where I
give that scenario called if then scenarios like,

473
00:40:32,000 --> 00:40:37,599
for example, you could isolately look
at each one of them individually,

474
00:40:37,679 --> 00:40:39,679
or you can look at them in
a combined way, like for example,

475
00:40:40,719 --> 00:40:49,679
you know what if a ransomware as
well as a cloudy nature would have a

476
00:40:49,719 --> 00:40:58,280
more cumulative impact to the to the
far right versus you cannot look at individually,

477
00:40:58,679 --> 00:41:01,920
you know, the cloudy situation.
I mean, as you said,

478
00:41:01,920 --> 00:41:06,760
the weather is very random if we
don't know that one versus ransomware. So

479
00:41:06,840 --> 00:41:10,840
that's where we have I think that's
where the team needs to look at by

480
00:41:12,079 --> 00:41:17,440
looking at all those possible risks coming
up, it's scenarios and you look at

481
00:41:17,480 --> 00:41:23,320
those scenarios and then that's where the
tools like simulation or decision trees or as

482
00:41:23,360 --> 00:41:30,039
I said, this analytical hierarchy process
like AHP, we can evaluate each of

483
00:41:30,079 --> 00:41:35,639
these scenarios and see what's the impact, and then maybe as a result of

484
00:41:35,719 --> 00:41:40,119
that, you could even come up
with a better risk management strategy, right

485
00:41:40,800 --> 00:41:46,079
and so, and that's a beauty
about but the key is it's a committed

486
00:41:46,840 --> 00:41:52,760
effort to identify these scenarios. When
you identify the scenarios, you can actually

487
00:41:53,159 --> 00:41:59,000
you know, analyzing and then come
up with a better ways of handling.

488
00:41:59,559 --> 00:42:01,760
And then that also will determine,
you know what, we probably have to

489
00:42:02,280 --> 00:42:07,199
proactively deal with these things, maybe
we need to invest up front to deal

490
00:42:07,239 --> 00:42:15,920
with it, versus you know,
looking at the reactive scenarios of managing risks.

491
00:42:15,960 --> 00:42:19,840
Well, thank you, Janaka.
This has been this has been educational

492
00:42:19,920 --> 00:42:23,079
for me. Thank you so much. Before we let you go, you

493
00:42:23,119 --> 00:42:27,239
know, what should our listeners take
away from this episode, what sort of

494
00:42:27,239 --> 00:42:30,880
the number one takeaway for you?
The key message that I want to make,

495
00:42:31,119 --> 00:42:36,159
I want to pass that one.
As an academic as well as somebody

496
00:42:36,199 --> 00:42:42,159
who had dealt with industry and work
with industry on the risk management side of

497
00:42:42,199 --> 00:42:46,760
things, I've seen people are making
a commitment to do a proper job of

498
00:42:46,880 --> 00:42:54,000
a proper risk management process, where
sometimes I see them as a procedural thing

499
00:42:54,159 --> 00:42:59,079
or ad hoc thing. They won't
have the commitment that they're simply doing it

500
00:42:59,199 --> 00:43:04,199
because they have to do it.
So therefore, my message is that if

501
00:43:04,800 --> 00:43:09,480
it's really really important and particularly in
your domain about the cybersecurity area, to

502
00:43:09,599 --> 00:43:15,559
make sure that we do a proper
risk analysis to ensure that we identify them,

503
00:43:15,719 --> 00:43:19,280
we really understand them, we qualify
them, we quantify them, we

504
00:43:19,360 --> 00:43:25,159
come up with a better risk management
risk response options. We look at various

505
00:43:25,159 --> 00:43:30,320
scenarios of if then scenarios to see
whether like what's the best way of handling

506
00:43:30,360 --> 00:43:34,119
them right. And that's why we
can help from the University of Calgary.

507
00:43:34,159 --> 00:43:39,320
I mean, we have we have
experts here in terms of the cybersecurity area

508
00:43:39,800 --> 00:43:44,199
at the University of Calgary that we
have, you know, through our Computer Science

509
00:43:44,239 --> 00:43:51,639
department and then through our Schulich School of
Engineering. And we have experts actually in other

510
00:43:51,679 --> 00:43:55,039
areas in the Faculty of Law,
Faculty of Arts in terms of the policy

511
00:43:55,079 --> 00:44:00,360
side of things, as well as
we have expert experts in the risk management

512
00:44:00,440 --> 00:44:06,559
through the Project Risk Managements I through
through the Schulich School of Engineering with Center

513
00:44:06,679 --> 00:44:09,079
for Project Management Excellence. So there's
a lot of things we can we can

514
00:44:09,159 --> 00:44:15,800
help to support the cybersecurity area.
And then I hope that my message is

515
00:44:16,519 --> 00:44:22,440
properly relate to you in terms of
make a commitment to do a better risk

516
00:44:22,679 --> 00:44:28,079
comprehensive process and you will be happy
and at the end of the day.

517
00:44:30,320 --> 00:44:35,480
All right, So that was your
interview with Janaka Ruwanpura, Andrew. Do

518
00:44:35,480 --> 00:44:38,320
you have anything to take out this
episode? Yeah, I mean, I'm

519
00:44:38,400 --> 00:44:43,320
I'm very grateful to you know,
Doctor Ruwanpura for joining us, um.

520
00:44:44,000 --> 00:44:46,079
You know, I've I don't know, I might have mentioned I've been writing

521
00:44:46,079 --> 00:44:50,800
a book on you know, one
of the big topics in it is cyber

522
00:44:50,920 --> 00:44:55,880
risk for years now. I'm hoping
to be done by October. But something

523
00:44:55,880 --> 00:45:01,960
that had confused me, you know, time again is talking to people doing

524
00:45:02,079 --> 00:45:07,320
risk management, and you know,
hearing stories like, look, you know,

525
00:45:07,639 --> 00:45:10,039
we we have bigger fish to fry
than cyber. We're not so much

526
00:45:10,039 --> 00:45:14,840
worried about cyber taking down one of
our high voltage substations. You know,

527
00:45:14,920 --> 00:45:19,760
we worry more about squirrels eating through
the insulation, getting electrocuted, frying themselves

528
00:45:19,800 --> 00:45:22,880
and short circuiting everything and shutting down
the substation. And I'd always try to,

529
00:45:23,159 --> 00:45:28,639
you know, understand, how does
how does that fit into the big

530
00:45:28,679 --> 00:45:30,679
picture? Does this really make any
sense? And what, you know,

531
00:45:31,920 --> 00:45:37,400
what Janaka cleared up for me was
looking strategic risks. Important risks, you

532
00:45:37,480 --> 00:45:40,800
have to deal with them independently.
If they're important, they're important, you

533
00:45:40,920 --> 00:45:44,400
have to deal with them. You
can't trade off, you know, the

534
00:45:44,480 --> 00:45:47,000
risk of a fire against the risk
of an earthquake. You have to deal

535
00:45:47,039 --> 00:45:52,920
with these, um. Where you can legitimately
trade off is when you have multiple threats

536
00:45:52,960 --> 00:45:59,000
that have the same outcome. So
if you're if you're if the cyber scenario

537
00:45:59,079 --> 00:46:02,199
you're looking at is one that would
take down one substation the same way that

538
00:46:02,239 --> 00:46:07,440
a squirrel would eat through the insulation
and take down one substation, it's reasonable

539
00:46:07,480 --> 00:46:10,000
to say, how often do squirrels
do this, how often does cyber do

540
00:46:10,039 --> 00:46:15,119
this? Is is really worth Is
this a problem worth solving? If instead

541
00:46:15,199 --> 00:46:17,639
your cyber scenario could take down the
entire grid, you know, that's a

542
00:46:17,639 --> 00:46:22,400
different animal. You can't compare that
to squirrels. It's a different consequence.

543
00:46:22,400 --> 00:46:25,039
So that that bit of clarity is
something that had you know, confused me

544
00:46:25,079 --> 00:46:30,880
for a very long time. And
I'm grateful to Janaka for, for, you know,

545
00:46:30,000 --> 00:46:34,599
clearing that up for me. All
Right, then with that, thanks

546
00:46:34,639 --> 00:46:37,960
to Doctor Ruwanpura for speaking with you, Andrew, and Andrew, as always, thanks

547
00:46:37,960 --> 00:46:40,719
for speaking with me. It's always
a pleasure. Thank you, Nate.

548
00:46:42,400 --> 00:46:47,039
This has been the Industrial Security Podcast
from Waterfall. Thanks to everybody out there listening.
