1
00:00:06,200 --> 00:00:12,720
Rebuilding the system from scratch is
an option, especially to eliminate any kind

2
00:00:12,800 --> 00:00:27,199
of attack, but it's not practical. Welcome listeners to the Industrial Security Podcast.

3
00:00:27,320 --> 00:00:31,359
My name is Nate Nelson. I'm
here with Andrew Ginter, the vice

4
00:00:31,399 --> 00:00:36,719
president of Industrial Security at Waterfall Security
Solutions, who's going to be introducing the

5
00:00:36,759 --> 00:00:41,280
subject and guest of our show today. Andrew, how's it going? I'm

6
00:00:41,399 --> 00:00:46,000
very well, thank you, Nate. Our guest today is Alex Yevtushenko.

7
00:00:46,479 --> 00:00:50,600
He is the CEO and co-founder
of Salvador Technologies, and Salvador does

8
00:00:50,880 --> 00:00:56,200
resilience. They do rapid recovery after
an attack. So you know, we've

9
00:00:56,240 --> 00:01:00,240
been talking a lot about preventing,
detecting, responding. This is the recovery

10
00:01:00,280 --> 00:01:04,560
piece of the puzzle. Then,
without further Ado, here's your conversation with

11
00:01:04,719 --> 00:01:11,640
Alex. Hello Alex, and welcome
to the podcast. Before we get started,

12
00:01:11,680 --> 00:01:15,719
can I ask you to say a
few words about your background and about

13
00:01:15,719 --> 00:01:19,079
the good work that you're doing at
Salvador Technology. Hello Andrew, and thank

14
00:01:19,079 --> 00:01:25,200
you for inviting me. I'm Alex, CEO and co-founder of Salvador Technologies.

15
00:01:25,879 --> 00:01:30,599
I'm coming from electrical engineering background with
a lot of experience in software development

16
00:01:32,480 --> 00:01:37,480
more than ten years and more than five
years in the R and D field,

17
00:01:38,040 --> 00:01:45,959
more technological and a bit of a
business part. My goal was to establish

18
00:01:46,120 --> 00:01:51,120
the R and D department in the
company I worked for, and I brought

19
00:01:51,239 --> 00:01:57,079
dozens of products from the idea to
the market. Salvador Technology was established three years

20
00:01:57,120 --> 00:02:05,000
ago by me and my co-founder
Oleg Vusiker, who is also a good friend

21
00:02:05,040 --> 00:02:10,840
of mine. Oleg is coming from a
national cyber security unit in the IDF with

22
00:02:12,000 --> 00:02:22,319
more than ten years' experience in cyber.
My background was always a background to my daily

23
00:02:22,680 --> 00:02:29,280
job, so together we established Salvador. What we are doing in Salvador is

24
00:02:29,719 --> 00:02:36,560
providing the fastest and most complete recovery solutions
for cyber attacks. We actually redefined the

25
00:02:36,599 --> 00:02:44,280
cyber resilience for ICS and all the
organizations. You mentioned resilience. Our topic is

26
00:02:44,439 --> 00:02:50,639
resilience for industrial operations. I mean
the textbook definition of resilience is like a

27
00:02:50,759 --> 00:02:55,960
spring. You deform something, you
put it under pressure, it changes and

28
00:02:57,000 --> 00:03:00,759
then it comes back. That's a
textbook definition, you know, in the

29
00:03:00,800 --> 00:03:06,639
industrial cybersecurity space. To you,
what is resilience? What does that mean?

30
00:03:07,039 --> 00:03:14,080
Okay. First of all, I
like the definition you mentioned, and

31
00:03:14,919 --> 00:03:22,800
I think the recovery in the real
life is a bit similar to what you

32
00:03:22,960 --> 00:03:31,360
determined. Resilience actually goes beyond the
definition of preventing a breach. It makes

33
00:03:31,520 --> 00:03:42,560
proactive measures to regain the operations once
an attack occurs, and in terms of

34
00:03:42,599 --> 00:03:50,639
recovery, it means having robust recovery
solutions to ensure the organizations continue the operations

35
00:03:50,680 --> 00:03:58,599
as it was before. Like you
mentioned the spring, the organization should minimize

36
00:03:58,680 --> 00:04:05,520
the impact of the downtime and
swiftly restore all the operations and all the

37
00:04:05,639 --> 00:04:15,599
processes. For example, imagine
ransomware hits manufacturing facilities, it goes down,

38
00:04:15,680 --> 00:04:21,120
all the HMIs stopped, the machines
are down. It can be days

39
00:04:21,360 --> 00:04:27,240
or even weeks; the average time is
twenty days of downtime for this sector.

40
00:04:29,000 --> 00:04:35,800
And now imagine you can click a
button and go back within seconds to the

41
00:04:35,879 --> 00:04:43,920
stage before the attack. No downtime, no impact on the organization, exactly

42
00:04:44,040 --> 00:04:47,199
like a spring. Okay, so
coming back to you know, the in

43
00:04:47,199 --> 00:04:51,879
a sense, the magic button recovery
is something that you know, we have

44
00:04:51,920 --> 00:04:55,800
not had a lot of guests on
the show talk about. You know,

45
00:04:55,839 --> 00:05:00,720
the NIST framework is govern, identify,
protect, detect, respond, recover.

46
00:05:00,800 --> 00:05:05,399
We've had a lot of people actually
talking about detection and to some extent response,

47
00:05:05,920 --> 00:05:10,959
not so much recovery. I mean, in my understanding, there's at

48
00:05:11,040 --> 00:05:14,879
least two ways to recover an industrial
system after it's been compromised. You can

49
00:05:15,040 --> 00:05:18,800
rebuild from original known good media,
you know, rebuilding the whole system from

50
00:05:18,839 --> 00:05:25,399
scratch if you like, reapplying any
changes that you've made over time. You

51
00:05:25,439 --> 00:05:29,360
can restore from backups, but you
know that can get tricky as well.

52
00:05:29,439 --> 00:05:31,759
Are your backups synchronized? You have
one from three months ago before you made

53
00:05:31,759 --> 00:05:35,519
a bunch of changes, and another
system from right now, and you don't

54
00:05:35,560 --> 00:05:39,720
have one on the other system from
three months ago. The whole question of

55
00:05:39,759 --> 00:05:46,519
recovery seems complicated, and indeed,
rebuilding the system from scratch is an option,

56
00:05:47,639 --> 00:05:51,399
especially to eliminate any kind of attack, but it's not practical, so

57
00:05:51,519 --> 00:05:56,680
let's not discuss this one. But
for the second part of the question,

58
00:05:57,160 --> 00:06:05,279
backups are an important part of resilience. The thing is, the backups used today

59
00:06:05,399 --> 00:06:14,600
are more IT centric, IT focused. They are focused on the data.

60
00:06:15,120 --> 00:06:25,439
Many require a cloud connection or internet connection,
or are always online, accessible to the

61
00:06:25,480 --> 00:06:30,639
internet, accessible to the attacker that
can easily penetrate and destroy the backups.

62
00:06:32,839 --> 00:06:42,319
Another part of backups that are a
bit more protected and a bit better,

63
00:06:42,480 --> 00:06:48,959
let's say, is managing manual backups
of the system, actually taking a USB

64
00:06:49,199 --> 00:06:56,639
drive from system to system to take
a snapshot, take an image, and

65
00:06:58,120 --> 00:07:05,639
place it in a safe location. And
this is a very long process and not an efficient

66
00:07:05,680 --> 00:07:14,360
process. And this is also why
the recovery takes so long, an average

67
00:07:14,399 --> 00:07:18,839
of twenty days, about three weeks,
to recover a facility from a ransomware attack.

68
00:07:19,360 --> 00:07:26,560
And this is a problem we need
to solve. Nate, let me

69
00:07:26,680 --> 00:07:30,360
jump in with a couple of concrete
examples. I mean, the sort of

70
00:07:30,399 --> 00:07:34,000
textbook high profile case was Colonial.
They took something like five and a half

71
00:07:34,040 --> 00:07:41,199
six days to recover their IT network
after ransomware hit it. You know,

72
00:07:42,000 --> 00:07:46,079
to my knowledge in the public reports, ransomware did not get into their OT

73
00:07:46,319 --> 00:07:48,959
network, so they didn't have to
do anything on the OT side, but

74
00:07:49,040 --> 00:07:54,319
just the IT side took them five
six days. I mean, they paid

75
00:07:54,680 --> 00:07:58,639
the ransom, they got the decryption
tool. You know, they were hoping

76
00:07:58,680 --> 00:08:03,319
that that decryption tool would solve the
problem faster than restoring from backup. It

77
00:08:03,399 --> 00:08:07,399
didn't. They went back to restoring
from backup, and this was an IT

78
00:08:07,680 --> 00:08:09,240
infrastructure. You know, I don't
know if they had cloud backups. I

79
00:08:09,240 --> 00:08:13,639
don't know if they had what kind
of backup systems they had. But you

80
00:08:13,680 --> 00:08:18,480
know, even an IT infrastructure where
you have all of the world's technology at

81
00:08:18,519 --> 00:08:22,120
your fingertips, Internet based or not, took you know, five and a

82
00:08:22,120 --> 00:08:24,160
half six days, and I've heard
stories on the OT side of things taking

83
00:08:24,319 --> 00:08:31,680
much much longer than that, weeks
and sometimes months. So and you know,

84
00:08:31,440 --> 00:08:37,799
he mentioned as well, you know, the possibility of manual backups if

85
00:08:37,840 --> 00:08:41,519
you don't have a lot of infrastructure. You know, what he didn't mention

86
00:08:41,720 --> 00:08:43,679
is what I worry about with manual
backups. You know, if you've got

87
00:08:43,720 --> 00:08:48,720
an automated system, you get an
alarm if a backup fails. If you're

88
00:08:48,759 --> 00:08:54,039
doing it manually and you forget a
system or three, there's no alarms.

89
00:08:54,039 --> 00:09:00,159
It's error prone, is what
I worry about. Another concern that I

90
00:09:00,159 --> 00:09:03,159
would have, and it's possible that
you guys addressed later in the interview,

91
00:09:03,960 --> 00:09:07,519
is that you know, the obvious
solution to the most common, at least

92
00:09:07,519 --> 00:09:13,320
the most dramatic attacks today ransomware is
extortion, is having those backups ready and

93
00:09:13,360 --> 00:09:18,080
able. But of course attackers know
this. And I'm not sure if this

94
00:09:18,200 --> 00:09:22,360
is a relatively new trend or if
they've been doing it forever, but I've

95
00:09:22,399 --> 00:09:28,279
heard of cases where ransomware actors specifically
target those backups to remove the leverage that

96
00:09:28,360 --> 00:09:33,919
you have over them. Absolutely.
And you know, he didn't gloss over

97
00:09:33,919 --> 00:09:35,720
it. He mentioned it only briefly. He said, you know, USB

98
00:09:37,000 --> 00:09:41,360
is a way that you know,
USB drives carried around manually is a way

99
00:09:41,399 --> 00:09:46,480
to do that. You know,
A disadvantage is that it's manual. An

100
00:09:46,519 --> 00:09:50,200
advantage is that it's offline. When
you disconnect the USB, it's gone,

101
00:09:50,440 --> 00:09:54,240
and the bad guys can encrypt the
you know what systems they have access to,

102
00:09:54,279 --> 00:09:58,480
they don't have access to the USB
anymore. So that's you know,

103
00:09:58,159 --> 00:10:05,679
manual backups in essence have both advantages
and disadvantages. That's a lot of problems

104
00:10:05,720 --> 00:10:13,759
with sort of the existing conventional approach
to recovery and backups. You know,

105
00:10:13,840 --> 00:10:18,919
again, we're coming back to the
magic button. If we want to be

106
00:10:18,960 --> 00:10:24,480
able to recover fast from cyber attacks, how do we do that, Well,

107
00:10:24,759 --> 00:10:28,919
let's divide it into three aspects.
One is compatibility to the OT, and

108
00:10:30,120 --> 00:10:41,879
it means backing up not just the data, but the entire system. Two is

109
00:10:41,919 --> 00:10:48,600
protecting the backup from the attacker and
not having them accessible and online. I

110
00:10:48,639 --> 00:10:58,080
mean making offline, air gap backups that
the attacker cannot penetrate and destroy. And

111
00:10:58,360 --> 00:11:05,120
three is the availability: you need
them immediately in the need, the ability

112
00:11:05,279 --> 00:11:13,159
to use them at the moment that
you need them. So I would say

113
00:11:13,320 --> 00:11:26,159
the optimal recovery strategy would involve making
the backups in this way, so that you can have

114
00:11:26,480 --> 00:11:33,080
them clean and available when you need
them. You say, you know,

115
00:11:33,360 --> 00:11:37,080
to be maximally compatible with the OT
environment, you've got to back up the

116
00:11:37,200 --> 00:11:41,639
entire system. You know, how
would you do that? I mean the

117
00:11:41,799 --> 00:11:48,679
vendors, you know, they, they,
I don't know, they don't really like

118
00:11:48,120 --> 00:11:54,559
third party stuff being installed on their
machines. You know, sometimes there are

119
00:11:54,799 --> 00:11:58,080
you know, real time databases that
are open and are being updated. What

120
00:11:58,120 --> 00:12:03,519
does it mean to take a backup
of the entire system? How do

121
00:12:03,559 --> 00:12:07,840
you deal with this? It's a
good point and a good question.

122
00:12:09,639 --> 00:12:16,559
As in the industrial systems, you
cannot stop the machine just to make

123
00:12:16,600 --> 00:12:26,799
a backup, and you don't want
to wait for the maintenance period to protect

124
00:12:26,840 --> 00:12:35,440
your systems. So actually what we
are doing, when you're talking about compatibility

125
00:12:35,440 --> 00:12:39,600
to the OT, it means first copying
the operational system, data, configuration and the

126
00:12:39,679 --> 00:12:50,080
licenses and also make it on the
fly when the system is running and the

127
00:12:50,120 --> 00:12:58,799
machine is producing, to implement technologies
that can take the backups on the fly

128
00:13:00,480 --> 00:13:15,159
without stopping the system and the software. And it takes the data backup

129
00:13:15,320 --> 00:13:22,320
while it's used, and
makes sure it is still working and compatible

130
00:13:22,919 --> 00:13:28,000
for use later when you need it. Making a copy of the whole system

131
00:13:28,399 --> 00:13:33,080
makes sense. But you know you
said there were three aspects. You said,

132
00:13:35,080 --> 00:13:39,000
you know, to protect the backups
they have to be offline, but

133
00:13:39,120 --> 00:13:41,200
to use the backups they have to
be online. That sounds like a

134
00:13:41,240 --> 00:13:46,440
contradiction. Can you explain
what's going on there? This is exactly

135
00:13:46,440 --> 00:13:52,759
what we are doing in Salvador Technology,
and we are implementing our patented air gap

136
00:13:52,879 --> 00:14:01,879
technology to protect the backups. We
have a concept of hardware and software combination

137
00:14:01,159 --> 00:14:07,720
in our platform. We have the
cyber Recovery unit we call it CRU that

138
00:14:07,879 --> 00:14:13,919
is always connected to the system.
Inside, it includes three NVMe disks,

139
00:14:13,080 --> 00:14:18,840
three full copies of the hard disk, including the operational system, data, configuration

140
00:14:20,000 --> 00:14:28,720
and licenses. At every single moment, it has only one disk accessible, available to

141
00:14:28,799 --> 00:14:37,320
the computer to copy all the data.
Immediately after the backup, the disk is

142
00:14:37,360 --> 00:14:45,879
disconnected. Every day we switch the
disks to keep it updated. So three

143
00:14:45,960 --> 00:14:50,840
disks, three full copies, different
in time, and this means air gap

144
00:14:52,080 --> 00:14:58,360
from one side because it's actually electronically
disconnected from the computer. You cannot see

145
00:14:58,399 --> 00:15:03,399
the drive. On the other hand,
it's always updated: every day, a full new

146
00:15:03,559 --> 00:15:11,000
copy of the entire computer. And
additionally, the software that makes the copy

147
00:15:11,279 --> 00:15:16,679
of the computer is making the
copy in a bootable mode. It means

148
00:15:16,840 --> 00:15:22,000
when you need it, you just
restart the computer and click a button on

149
00:15:22,320 --> 00:15:28,600
the device, boot from our device instead
of the corrupted hard drive. That's why

150
00:15:28,600 --> 00:15:33,480
it takes just thirty seconds to recover
using our device.

151
00:15:35,759 --> 00:15:37,639
Cool. Because I was going to
ask you about, you know, the

152
00:15:37,679 --> 00:15:41,679
network impact of doing all these backups
over the network, but I guess that's

153
00:15:41,960 --> 00:15:46,159
that's not a question that's worth asking. So that's interesting. Let me ask

154
00:15:46,200 --> 00:15:50,480
you though. You said that inside
your unit you've got three hard drives.

155
00:15:50,600 --> 00:15:54,840
You rotate between them daily. They're
offline in between backups. That's good.

156
00:15:56,759 --> 00:16:00,080
Does daily work? I mean,
you know, do we not have

157
00:16:00,159 --> 00:16:03,919
ransomware scenarios where ransomware goes in
there and takes several days to, you know,

158
00:16:04,080 --> 00:16:08,200
encrypt the entire drive and you don't
really notice it until half your drive

159
00:16:08,279 --> 00:16:14,200
is encrypted. You know? Do
you have sort of an older rotation for

160
00:16:14,320 --> 00:16:18,799
like a week old, month old? How does that work? Actually?

161
00:16:18,799 --> 00:16:26,519
From our experience, most of our
customers do use daily backups on our device,

162
00:16:26,080 --> 00:16:37,399
but we have also backups every two
days or even weekly for those organizations

163
00:16:37,480 --> 00:16:42,519
that do not change
too much data in the computer.

164
00:16:44,759 --> 00:16:49,159
However, we do realize the need
for older backups, and this is why we

165
00:16:49,279 --> 00:16:56,000
have three drives. We call them
Current, Previous, and Baseline. Current

166
00:16:56,039 --> 00:17:03,399
and Previous are rotated daily as you
mentioned, and Baseline is an older version, most

167
00:17:03,440 --> 00:17:08,680
probably without the virus. It's old
enough to not contain the malware, but

168
00:17:08,880 --> 00:17:18,279
updated enough to be relevant and not
just the raw system without the configuration and

169
00:17:18,640 --> 00:17:23,480
all the working systems. So this
is the last line of defense. When

170
00:17:23,519 --> 00:17:30,359
you run your boot from the Current,
nothing works. Previous, maybe the virus is still

171
00:17:30,400 --> 00:17:40,680
there. Baseline will be clean.
Of course, we also implement additional security

172
00:17:41,000 --> 00:17:52,000
capabilities to try and detect anomalies and
detect the virus starting to encrypt the drive.

173
00:17:52,200 --> 00:17:59,440
And this is additional direction that we
are going to with our product to

174
00:17:59,720 --> 00:18:06,799
help customers not just to have a
backup, but also protected backup from more

175
00:18:07,799 --> 00:18:15,880
than just air gap. So, Andrew, we're talking here about this three

176
00:18:15,039 --> 00:18:19,720
drive system with the button that you
press. What literally are we looking at?

177
00:18:19,759 --> 00:18:23,200
Like? Can you paint a picture
of what his solution is? Short

178
00:18:23,200 --> 00:18:26,400
answer is I didn't ask him physically
what it looks like. Is there actually

179
00:18:26,440 --> 00:18:33,119
a button? But my understanding is
that it is logically a hard drive and

180
00:18:33,279 --> 00:18:37,559
there are, you know, physically three,
he called them NVMs, you know, non

181
00:18:38,039 --> 00:18:41,079
volatile memory, so it could be
hard drive, could be flash, but

182
00:18:41,240 --> 00:18:45,279
three persistent stores that are part of
the unit. And my understanding is that

183
00:18:45,319 --> 00:18:49,720
this hardware unit, you know,
I'm guessing, looks box like. It

184
00:18:49,759 --> 00:18:53,319
looks like, you know what you
expect a hard drive to look like.

185
00:18:53,359 --> 00:18:56,680
It's sort of a metal box with
stuff inside, and you stick it into

186
00:18:56,680 --> 00:19:00,640
the computer as if it were another
hard drive. It connects to the computer

187
00:19:00,759 --> 00:19:06,240
using the same kind of connection as
your hard drives use. I see,

188
00:19:06,519 --> 00:19:12,160
and so with the three drive system, the short term drives for you know,

189
00:19:12,240 --> 00:19:17,359
drive one, drive two, and then
the longer term that if I recall,

190
00:19:17,400 --> 00:19:22,400
you update like after a month or
so. The function of that being

191
00:19:22,440 --> 00:19:27,039
presumably like if your first two
preferred drives are corrupted, then you go

192
00:19:27,079 --> 00:19:30,119
to the third one. But then
that one wouldn't be corrupted because you would

193
00:19:30,119 --> 00:19:33,559
have known about it in the time
since, because I know there are a

194
00:19:33,559 --> 00:19:37,240
lot of you know, cyber attacks
that occur long before any company knows about

195
00:19:37,240 --> 00:19:41,680
it. Actually, let me ask
sort of a question that was left over

196
00:19:41,720 --> 00:19:48,799
in my mind from my previous answer
here. When you use one of the

197
00:19:48,839 --> 00:19:53,079
backup drives, my understanding is you
reboot the machine, and you know,

198
00:19:53,279 --> 00:19:57,440
during the boot sequence, instead of
booting from the regular hard drive that's now

199
00:19:57,519 --> 00:20:02,119
corrupted, you boot from one of
the backups. How do you select the

200
00:20:02,160 --> 00:20:04,720
backup I didn't ask that. You
know, is there a physical button on

201
00:20:04,759 --> 00:20:07,119
the drive that you have to touch, or you know, on the on

202
00:20:07,119 --> 00:20:10,920
the computer that you touch saying use
this drive, use that drive. I

203
00:20:10,920 --> 00:20:15,039
don't know. There's different ways you
could do it. But once you've rebooted,

204
00:20:15,240 --> 00:20:19,119
now the question becomes, you know, can I use the version that

205
00:20:19,160 --> 00:20:26,039
I've rebooted from. And my question
was sometimes ransomware sort of takes a long

206
00:20:26,079 --> 00:20:30,960
time. If you have six hundred
gigabytes of stuff on your computer and most

207
00:20:30,960 --> 00:20:36,799
of it's old, you know,
old database, old whatever, you might

208
00:20:36,960 --> 00:20:40,799
not notice that. You know it's
taking three days to encrypt and if you

209
00:20:40,839 --> 00:20:45,440
do a backup after a day,
you've backed up a bunch of encrypted stuff.

210
00:20:45,839 --> 00:20:48,119
After two days you've backed up mostly
encrypted stuff. On the third day

211
00:20:48,160 --> 00:20:52,799
you discovered the problem. You try
to restore and you discover that your backups

212
00:20:53,000 --> 00:20:57,160
are you know, one third and
two thirds encrypted as well. So you

213
00:20:57,200 --> 00:21:00,079
know you might be able to get
function out by back, but your old

214
00:21:00,160 --> 00:21:03,759
data is gone. This is where
you would want to go back to your

215
00:21:04,039 --> 00:21:11,559
really old backup. And some attacks
to your point, you know the Volt

216
00:21:11,559 --> 00:21:15,599
Typhoon that we heard about recently,
you know, living living off the land

217
00:21:15,640 --> 00:21:22,720
attack, Chinese intelligence agencies breaking into
critical infrastructure IT networks. They hang around

218
00:21:22,720 --> 00:21:29,839
for months, you know, up
to six months was reported, but they're

219
00:21:29,880 --> 00:21:33,960
not encrypting stuff. And so you
know, if you're encrypting stuff, if

220
00:21:33,960 --> 00:21:37,319
it takes a couple of days,
you're going to notice eventually because your system

221
00:21:37,400 --> 00:21:41,440
malfunctions. If you've got one of
these sort of attacks where the bad guys

222
00:21:41,440 --> 00:21:48,000
are just hanging around, you can
in a sense recover most of your functionality

223
00:21:48,039 --> 00:21:52,440
even from an old backup, even
if that backup is you know, in

224
00:21:52,599 --> 00:21:57,359
theory compromised. By disconnecting those machines
from your IT network, from the Internet.

225
00:21:57,480 --> 00:22:00,839
Now, the bad guys, you
know, they do this stuff by

226
00:22:00,880 --> 00:22:06,359
remote control, you can get,
in my understanding, basic functionality back as

227
00:22:06,400 --> 00:22:11,359
long as the remote access trojan,
the RAT, be it, you know, software

228
00:22:11,480 --> 00:22:17,400
or you know, built in cannot
be accessed by the bad guys anymore.

229
00:22:17,480 --> 00:22:23,279
So, in my understanding, there
really isn't a scenario where ransomware starts encrypting

230
00:22:23,359 --> 00:22:29,559
two months ago and your month old
backup is partly gone. Ransomware tends to

231
00:22:29,640 --> 00:22:33,759
work reasonably quickly. I mean,
I've heard reports of initial contact to completely

232
00:22:33,839 --> 00:22:37,000
encrypt it in forty five minutes.
But even if it takes a couple of

233
00:22:37,119 --> 00:22:41,599
days, your old backup would still
be good. That was a long complicated

234
00:22:41,599 --> 00:22:45,400
answer. I hope that makes sense. Yeah, and I take your point.

235
00:22:47,039 --> 00:22:51,119
The only thing that I would ask
though, is you're right, so

236
00:22:51,200 --> 00:22:55,359
the encryption is quick. The Volt
Typhoon type actor may stay in your system

237
00:22:55,400 --> 00:22:59,160
for a while, but they're not
going to corrupt your backups, except you

238
00:22:59,200 --> 00:23:02,319
know, we're taking some things for
granted, and your answer there number one,

239
00:23:03,119 --> 00:23:06,559
that you know where their malware is, that it's there, and so

240
00:23:06,599 --> 00:23:10,359
on and so forth. Couldn't it
be that, say, you restore from

241
00:23:10,440 --> 00:23:15,400
your older backup in this case scenario, and there's something planted in there that

242
00:23:15,440 --> 00:23:21,039
you don't necessarily find, and then
maybe your systems are offline for some period,

243
00:23:21,039 --> 00:23:22,640
but you're going to take them online
and then you have a big problem.

244
00:23:23,319 --> 00:23:29,640
Again. You've got to look at
the attack scenarios. I think generally

245
00:23:29,680 --> 00:23:36,880
speaking, the ability to come back
with a hard drive image that works is

246
00:23:37,000 --> 00:23:41,640
valuable. And with ransomware, which
is sort of the pervasive threat, your

247
00:23:42,200 --> 00:23:45,359
hard drive either works or it doesn't. The point of encrypting the hard drive

248
00:23:45,440 --> 00:23:52,279
is to render the system inoperable so
that you will pay the ransom. You

249
00:23:52,319 --> 00:23:57,960
know, we're mixing metaphors when we
talk about ransomware corrupting the system and Volt

250
00:23:59,039 --> 00:24:04,079
Typhoon sitting there and hanging around,
So you know, to me, what

251
00:24:04,119 --> 00:24:10,319
I what I see here is an
innovation in the space of backups and rapid

252
00:24:10,359 --> 00:24:15,000
recovery, and you know, is
your rapid recovery a little bit more involved

253
00:24:15,039 --> 00:24:18,200
than press the button and you're done. You know, maybe you also want

254
00:24:18,200 --> 00:24:22,920
to press the button and you know, disable internet connectivity on your firewall or

255
00:24:22,039 --> 00:24:26,079
you know, disable, I, you know,
maybe disconnect your firewall so that you can

256
00:24:26,160 --> 00:24:30,680
run you know, air gapped until
the forensic teams are done analyzing what just

257
00:24:30,720 --> 00:24:36,559
happened. You know, I think
it's valuable having a recovery image that works,

258
00:24:37,440 --> 00:24:44,359
as opposed to recovery images that are
completely encrypted and don't work. You

259
00:24:44,519 --> 00:24:51,240
said, press a button, the
the unit reboots from the offline backup

260
00:24:51,279 --> 00:24:53,799
that was not corrupted. That
all sounds good. What do you do

261
00:24:55,480 --> 00:25:00,599
with the corrupted hard drive? Because
you know, I imagine in most incident

262
00:25:00,640 --> 00:25:04,359
response teams, they want to take
a forensic image, they want to analyze

263
00:25:04,359 --> 00:25:07,519
it later to figure out who were
these people who got in? How did

264
00:25:07,519 --> 00:25:14,640
they get in? You know,
is there and eventually you know, presumably

265
00:25:15,279 --> 00:25:18,960
clean up the hard drive so that
you can go back to sort of normal

266
00:25:18,000 --> 00:25:25,160
operations instead of booting off the backup. So, what's the bigger

267
00:25:25,200 --> 00:25:26,839
picture? What do you do,
you know, once you press the button

268
00:25:26,880 --> 00:25:30,799
and you're back, what do you
do with that corrupted hard drive? So

269
00:25:32,039 --> 00:25:37,440
very good point, and we have
more and more questions in the field about this

270
00:25:38,319 --> 00:25:48,759
because the forensic part is very important for
the response team to understand why we were

271
00:25:48,799 --> 00:25:55,119
attacked and how to avoid it in
the future. So actually, when

272
00:25:55,160 --> 00:26:03,680
we boot from our device, we
take offline the original corrupted hard drive to

273
00:26:03,720 --> 00:26:08,680
prevent the virus from going to the
clean system. And more than

274
00:26:08,720 --> 00:26:12,680
this, you can just remove the
hard drive from the computer and keep it

275
00:26:12,720 --> 00:26:22,559
for forensics. Because you boot the
system from our external hard drive, you

276
00:26:22,799 --> 00:26:27,319
don't really need the original hard drive, and you can just bring a new

277
00:26:27,359 --> 00:26:34,559
one, a clean one, and recover to
that one, keeping the corrupted one for forensics,

278
00:26:34,759 --> 00:26:41,880
for investigation or any other reason.
But by the way, even if

279
00:26:42,359 --> 00:26:49,279
it's not a cyber attack and the hard
drive is physically broken, you still can

280
00:26:49,359 --> 00:26:59,119
boot from our drive because we logically replaced
the broken hard drive. Can we go

281
00:26:59,160 --> 00:27:03,039
a little deeper? Does that actually
work? I mean, inside the

282
00:27:03,160 --> 00:27:08,319
unit, you've got three hard drives
you switch. You know, the day that

283
00:27:08,599 --> 00:27:11,319
the time comes and you say,
okay, I'm switching back to you know,

284
00:27:11,400 --> 00:27:15,839
one of my offline drives. It's
online. Now I have to update

285
00:27:15,920 --> 00:27:21,119
that drive to make it current.
Do I... Is there software on the CPU

286
00:27:21,200 --> 00:27:23,640
that says, oh, here's
your image? You know?

287
00:27:23,759 --> 00:27:29,920
Update? Do you go somehow directly
to the other drive? How do you

288
00:27:29,920 --> 00:27:33,359
you know when you take your backup? How do you do that? So

289
00:27:33,599 --> 00:27:37,400
the hardware unit is part of the
solution, and it's absolutely autonomous with its

290
00:27:37,480 --> 00:27:45,799
own microprocessor to switch between
the drives. The attacker cannot even penetrate

291
00:27:47,000 --> 00:27:56,039
and manipulate the unit to make the
backups to the currently online drive. And

292
00:27:56,119 --> 00:28:03,079
there is only one such drive that is
online at every moment. We use the

293
00:28:03,200 --> 00:28:12,799
software agent that is installed on the computer
and, using the computer's CPU, actually accesses the

294
00:28:12,880 --> 00:28:21,200
original drive and copies the data in
the background to our drive. So we

295
00:28:21,519 --> 00:28:27,359
do use the agent software for this. And this may sound like a problem

296
00:28:27,839 --> 00:28:44,119
for some OT companies using vendors
that do not allow installing anything on the computer.

297
00:28:45,160 --> 00:28:55,079
And we're using here an interesting approach,
an agentless version of our software.

298
00:28:55,880 --> 00:29:00,119
It's still using the CPU of the computer, but nothing is installed

299
00:29:00,319 --> 00:29:07,519
on the computer. It does not impact the system
and does not impact the warranty of the vendor

300
00:29:07,799 --> 00:29:18,680
of the computer. To do this, we placed the additional small drive inside

301
00:29:18,720 --> 00:29:27,440
our unit. The software runs from
this external drive, so, as I

302
00:29:27,480 --> 00:29:33,079
mentioned, nothing is installed on the computer, no traces on the system.

303
00:29:33,680 --> 00:29:41,200
We use just the CPU power to
make the copy from the destination the original

304
00:29:41,279 --> 00:29:51,319
drive to our external unit. And
this is a successful approach that solves a lot of

305
00:29:52,640 --> 00:29:59,680
problems with the customers that cannot use
any other backup systems because they just cannot

306
00:30:00,079 --> 00:30:06,559
install the agent. When I'm backing
up my laptop, I've got a terabyte

307
00:30:06,640 --> 00:30:11,240
drive here. The laptop slows down
a little when you know, and and

308
00:30:11,480 --> 00:30:17,920
historically, you know, antivirus
was always a problem on industrial systems because

309
00:30:18,000 --> 00:30:22,000
a full scan of the hard drive
would pull the whole drive in the memory

310
00:30:22,079 --> 00:30:25,559
and would analyze it all with the
antivirus and would slow things down so

311
00:30:25,680 --> 00:30:30,920
badly that often the control system
would malfunction. How do you how do

312
00:30:30,960 --> 00:30:33,279
you throttle this? What what do
you do to you know, uh,

313
00:30:33,720 --> 00:30:38,279
control the impact on the control system
while you're taking a backup. So the

314
00:30:38,319 --> 00:30:48,160
antivirus issue is that it should
scan every moment and every movement in the

315
00:30:48,319 --> 00:30:56,319
in the data of the computer.
In our case, we can back up

316
00:30:56,480 --> 00:31:03,759
it when the computer is not using
full power so the backup can take ten

317
00:31:03,799 --> 00:31:10,119
minutes, it can take two hours, and it does not impact the quality of

318
00:31:10,160 --> 00:31:14,279
the backup. It does not impact the
computer as well, so we adapt our

319
00:31:15,559 --> 00:31:26,480
usage of the CPU and RAM to
a minimum so as not to harm the resources of the

320
00:31:26,519 --> 00:31:30,480
computer. And as we know, in
OT the computers are not the strongest.

321
00:31:33,480 --> 00:31:40,960
So unlike antivirus that, as I
mentioned, must track every

322
00:31:41,480 --> 00:31:48,400
movement, we can slow down when
the computer is a bit loaded and adapt

323
00:31:51,079 --> 00:31:59,480
our process to the OT world.
You've got a product in this arena. You

324
00:31:59,519 --> 00:32:02,039
know, we've we've talked about how
it works. I assume you've got a

325
00:32:02,119 --> 00:32:07,200
management system as well, so you
can reach out and configure these things and

326
00:32:07,359 --> 00:32:09,640
you know, find out if there's
I don't know, problems with with backups

327
00:32:09,720 --> 00:32:13,720
on one machine or another. Whenever
there's a problem, you know people want

328
00:32:13,720 --> 00:32:16,440
to know about it because backups are
important. Can you talk about about what

329
00:32:16,480 --> 00:32:24,440
you've got? The management system
is part of our platform, and actually

330
00:32:24,440 --> 00:32:34,960
it's maybe the most useful part on
a daily basis, when the hardware unit is always

331
00:32:35,039 --> 00:32:43,359
connected, not touched on a
daily basis, and the software makes copies

332
00:32:43,519 --> 00:32:46,920
in the background, so the user
cannot even see the backups; it's just done

333
00:32:46,960 --> 00:32:52,119
in the background. So to monitor
everything and to make sure everything's working,

334
00:32:52,519 --> 00:33:01,200
we built a web portal that is
accessible from the cloud if the users have

335
00:33:02,920 --> 00:33:10,279
access to the cloud or on prem
the same system on prem to monitor the

336
00:33:10,880 --> 00:33:15,279
backups and the status. It means
all the units. If it's one,

337
00:33:15,400 --> 00:33:21,839
two dozen or hundreds of units
installed, you see all of them in

338
00:33:22,000 --> 00:33:25,640
one centralized system. What you can
see is the health of the backups if

339
00:33:25,680 --> 00:33:32,240
they started correctly, stopped
correctly, finished correctly, if something happens

340
00:33:32,720 --> 00:33:44,160
with the hardware unit, with the
software. Also if we detected some malicious

341
00:33:45,039 --> 00:33:49,559
activity in the system, we want
to stop our backup. In OT

342
00:33:49,640 --> 00:33:53,960
you cannot stop the process, you
cannot stop the machine, but we can

343
00:33:54,119 --> 00:34:00,680
stop our backups and keep the clean
environment. Once we detect an anomaly,

344
00:34:01,160 --> 00:34:08,840
and here comes the management system that
alerts the user by email, by SMS

345
00:34:09,400 --> 00:34:17,480
integration to SOC, to SIEM, to show
the user a full status, full image

346
00:34:17,559 --> 00:34:28,320
of what's going on in
the production with the backups.

347
00:34:29,599 --> 00:34:36,599
In addition, I want to mention
here a cooperation: we are not a detection

348
00:34:36,760 --> 00:34:40,000
company, so we are not focusing
on detecting the virus. But we do

349
00:34:40,199 --> 00:34:51,400
have cooperation with other systems or other
vendors that do have detection of anomalies of

350
00:34:51,880 --> 00:35:04,360
malware, and we have cooperation with some
of these companies to build a mutual product.

351
00:35:04,679 --> 00:35:12,280
When they detect some malicious activity or
some anomaly, they can inform us

352
00:35:12,360 --> 00:35:19,239
and we can stop the backups again
to protect them from the attacker, to

353
00:35:19,280 --> 00:35:28,159
not to copy the virus, not to
copy encrypted data and this way destroy the

354
00:35:28,159 --> 00:35:35,000
backups. So we do everything to
make sure you have a recovery point and

355
00:35:35,159 --> 00:35:44,079
fast ability to continue the operations.
So Andrew, Alex has done a pretty thorough

356
00:35:44,199 --> 00:35:47,760
job of explaining this backup system to
us. How does it compare with the

357
00:35:47,800 --> 00:35:51,719
rest of the industry, the other
kinds of systems that you've come across in

358
00:35:51,760 --> 00:35:57,039
your time. Well, he talked
about, you know, manually taking USBs

359
00:35:57,079 --> 00:36:07,519
around. The systems that I recall
seeing most frequently are network based. And

360
00:36:07,000 --> 00:36:09,840
you know that was my question backing
up. You know, I was going

361
00:36:09,880 --> 00:36:13,840
to ask a question about backing up
across the network and then discovered that,

362
00:36:14,239 --> 00:36:15,840
you know, the question made no
sense. He's not backing up across the

363
00:36:15,880 --> 00:36:22,559
network. But if you're backing up
across the OT network, you're putting load,

364
00:36:22,719 --> 00:36:27,360
you know, communications load on the
network and potentially slowing down important communications.

365
00:36:27,760 --> 00:36:32,039
And so in my experience, most
people do if they do backups,

366
00:36:32,079 --> 00:36:37,920
they do it over the network.
If throughput is a problem, they will,

367
00:36:38,280 --> 00:36:43,039
you know, in my experience,
tend to run a parallel network,

368
00:36:43,719 --> 00:36:46,199
call it an admin network.
This is the network they use for security

369
00:36:46,239 --> 00:36:51,360
updates, you know, after they've
been tested ad nauseam. This is the

370
00:36:51,360 --> 00:36:55,800
network they use for you know,
alerts going to their security monitoring system.

371
00:36:55,800 --> 00:36:59,719
This is the network they use for
backups. And in a sense, nobody

372
00:36:59,719 --> 00:37:04,599
cares how heavily loaded that admin network
is because the real time communication is happening

373
00:37:04,639 --> 00:37:12,400
on a different network. But you
know, to Alex's point, let's say

374
00:37:12,400 --> 00:37:15,639
you want You've got I don't know, a thousand machines in a server room,

375
00:37:15,679 --> 00:37:19,360
and you want if you want them
backed up to I don't know,

376
00:37:19,679 --> 00:37:23,079
two or three backup servers. You're
going to go from one machine to the

377
00:37:23,079 --> 00:37:25,079
other, and it's going to take
you an hour or an hour and a

378
00:37:25,119 --> 00:37:29,519
half to back up you know,
a half terabyte of data from each of

379
00:37:29,559 --> 00:37:36,039
these machines. Even if you're going
across a fast network, which means if

380
00:37:36,079 --> 00:37:42,400
you ever need to recover and you
press a button and say restore, you're

381
00:37:42,400 --> 00:37:45,360
going to go around one machine at
a time and restore. Because if you're

382
00:37:45,400 --> 00:37:47,480
going to restore a half gigabyte of
data or so, a half terabyte of data,

383
00:37:47,480 --> 00:37:53,119
it's going to take you some time. And you know, so you

384
00:37:53,159 --> 00:37:57,079
don't have the you know, press
a button reboot now here you go.

385
00:37:57,320 --> 00:38:02,920
That's sort of the innovation,
the benefit here. And as I said,

386
00:38:04,679 --> 00:38:07,679
you know, it's probably worse than
that. Like I said, the

387
00:38:08,159 --> 00:38:12,239
data point, the public data point
from Colonial, and it was an IT

388
00:38:12,599 --> 00:38:15,440
network, they had all of the
IT infrastructure behind them. It still took

389
00:38:15,519 --> 00:38:20,519
them five and a half days to
recover. So yeah, you know,

390
00:38:20,960 --> 00:38:27,599
having the ability to do this sort
of really quickly, to me has real

391
00:38:27,639 --> 00:38:30,800
benefit when you know you have a
large investment in a physical process that you

392
00:38:30,840 --> 00:38:36,440
need to bring back online because it's
billions of dollars sitting idle there as long

393
00:38:36,480 --> 00:38:43,360
as it's down. Industrial vendors like
you know, Honeywell and Siemens and ABB

394
00:38:44,079 --> 00:38:49,400
that, these vendors, you know, Schneider Electric, many of their products

395
00:38:49,400 --> 00:38:54,000
already have the option for let's call
it high availability, so that, uh,

396
00:38:54,039 --> 00:38:58,400
you know, no single point of
hardware failure will cause the system to

397
00:38:59,159 --> 00:39:01,719
become impaired. They have, you
know, systems that are clustered, they

398
00:39:01,760 --> 00:39:07,400
have multiple hard drives, they have
RAID hard drives. These are all sort

399
00:39:07,440 --> 00:39:13,679
of standard options. It sounds to
me like what you've got here is something

400
00:39:13,719 --> 00:39:20,079
that's a logical standard option on lots
of different control systems. You know,

401
00:39:21,000 --> 00:39:24,559
you've got the... Instead of saying
I've got a RAID hard drive so that

402
00:39:24,599 --> 00:39:29,159
if the hard drive fails, the
system just keeps going, what you've got

403
00:39:29,159 --> 00:39:34,320
here is multiple hard drives, not
configured in a RAID, but configured in

404
00:39:34,400 --> 00:39:38,320
a backup configuration so that if a
hard drive fails you can recover, so

405
00:39:38,360 --> 00:39:44,639
that if you're compromised, you can
recover. This sounds like, in a

406
00:39:44,719 --> 00:39:50,679
sense, a standard thing that most
control system vendors, you know, looking

407
00:39:50,719 --> 00:39:53,960
at cybersecurity are, I'm guessing,
they're going to be interested. Are you

408
00:39:54,079 --> 00:39:58,480
talking to these people? You know? Can you talk about,

409
00:39:58,639 --> 00:40:01,760
you know, sort of how this
fits into the big picture of control

410
00:40:01,800 --> 00:40:08,840
systems. Absolutely, we are in
contact with all of them or most of

411
00:40:08,880 --> 00:40:21,480
them to integrate our solution as a
standard. Yes, you mentioned the RAID systems and

412
00:40:22,000 --> 00:40:32,440
multiple disks. This is what is called
DR, disaster recovery, and more recovery

413
00:40:32,519 --> 00:40:42,199
from functionality and the physical damage.
That is great and we complement this with

414
00:40:42,400 --> 00:40:52,960
the cyber resilience solutions. So our
goal is to come to the customer together

415
00:40:52,039 --> 00:41:05,719
with these vendors and provide full solutions
with the HMI or SCADA machine having the

416
00:41:06,360 --> 00:41:15,159
recovery unit built in. We even
started to make POCs with some of these

417
00:41:15,239 --> 00:41:22,519
vendors to integrate the recovery unit inside
the computer to provide the users the computer

418
00:41:22,679 --> 00:41:30,679
with the cyber recovery capabilities inside.
These are more strategic and long processes that

419
00:41:30,840 --> 00:41:45,360
we established, but this is part
of our strategy to capture the field of

420
00:41:45,440 --> 00:41:53,199
cyber resilience and provide this solution to
the OT. It is something that does not yet exist

421
00:41:53,440 --> 00:42:00,920
in the OT world. We've
talked about computers, We've talked about HMI.

422
00:42:02,920 --> 00:42:08,039
You know, the dominant operating system, the dominant HMI platform in the

423
00:42:08,079 --> 00:42:13,000
industry is Windows. So you know, I'm assuming that we've been talking about

424
00:42:13,000 --> 00:42:16,559
Windows here. Do you have you
know, are you looking at a sort

425
00:42:16,559 --> 00:42:20,599
of the bigger picture? Do you
have stuff for I don't know, Linux,

426
00:42:21,280 --> 00:42:25,320
you know, Linux is not so
popular today in OT, maybe it

427
00:42:25,360 --> 00:42:30,320
will be in the future, so
we do have it in our roadmap,

428
00:42:30,440 --> 00:42:37,119
but not in our focus
currently. We support most of the Windows

429
00:42:37,880 --> 00:42:46,000
environments, even started to support the
Windows XP. Unfortunately it's very popular and

430
00:42:46,159 --> 00:42:52,199
no protection for this, so we
decided to support Windows XP. We support

431
00:42:52,239 --> 00:42:59,719
the Windows seven and ten and eleven
and Windows servers. But recently we discovered

432
00:42:59,760 --> 00:43:13,000
that more and more OT organizations
shift to ESXi, and this is a kind of gap

433
00:43:13,360 --> 00:43:22,320
today. The reason is working on
more virtual systems in the manufacturing floor.

434
00:43:22,880 --> 00:43:30,840
We see more and more systems like
this in field, so we included it

435
00:43:30,199 --> 00:43:39,440
in our road map to help our
customers. It's not an easy task to

436
00:43:39,760 --> 00:43:45,760
boot the ESXi and run it immediately, so we're working on this and actually

437
00:43:45,800 --> 00:43:53,239
see first results. I would expect
it to have some solution for this in

438
00:43:53,360 --> 00:44:04,280
a couple of months as we see
growing need for this environment. Cool.

439
00:44:04,440 --> 00:44:07,000
Well, you know, thank you
Alex for joining us. This has

440
00:44:07,000 --> 00:44:09,199
been tremendous. I've learned something. You
know, before we let you go, can

441
00:44:09,239 --> 00:44:12,960
you sum up for us what you
know? What should we be thinking about

442
00:44:13,440 --> 00:44:16,960
to be looking at the
problem of recovery the right way. First

443
00:44:17,000 --> 00:44:22,280
of all, thank you for having
me. To summarize, I would like to

444
00:44:22,320 --> 00:44:30,639
recommend using air gap technology to protect
the data. Involve the OT people in

445
00:44:30,719 --> 00:44:36,320
cyber, let them understand the risk
and be part of the cyber resilience team,

446
00:44:36,400 --> 00:44:44,440
the cyber resilience process, and educate
them. We in Salvador have a vast

447
00:44:44,480 --> 00:44:51,679
experience with the cyber attack recovery and
I will be happy to answer any questions

448
00:44:52,360 --> 00:45:00,280
or any requirement. You can reach
me by LinkedIn, by our website,

449
00:45:00,360 --> 00:45:05,079
or by email. We're a very
responsive team and we'll be happy to

450
00:45:05,159 --> 00:45:13,880
consult on any resilience question. Andrew,
looks like that does it for your interview.

451
00:45:14,199 --> 00:45:15,599
Do you have any final thoughts that
you might want to take us out

452
00:45:15,599 --> 00:45:21,079
with today. Yeah, I mean, you know, reflecting on the episode,

453
00:45:22,239 --> 00:45:29,880
it occurs to me that this is
sort of yet another example of sort

454
00:45:29,920 --> 00:45:36,239
of the difference between security requirements
and call it sort of traditional reliability requirements.

455
00:45:36,239 --> 00:45:39,639
I mean, one of the goals
of cybersecurity is to you know,

456
00:45:40,199 --> 00:45:46,559
assure you know, reliable operation,
keep critical infrastructures and you know, large

457
00:45:46,599 --> 00:45:54,719
investments producing and you know Alex mentioned
earlier RAID drives. You know, RAIDs

458
00:45:54,800 --> 00:46:01,039
are examples of sort of continuous online
redundancy. If any one of the drives,

459
00:46:01,039 --> 00:46:05,039
there's smoke rises out of any one
of the drives in the RAID,

460
00:46:05,159 --> 00:46:07,639
the RAID just keeps going. I
mean, the user doesn't even notice.

461
00:46:07,679 --> 00:46:09,880
They get an alert saying, hey, you should fix this. One of

462
00:46:09,880 --> 00:46:15,880
your drives failed, but it just
keeps going. Security is different. With sort

463
00:46:15,920 --> 00:46:22,119
of traditional reliability, you assume sort
of random equipment failures. You assume random

464
00:46:22,159 --> 00:46:30,440
failures. With security, if you corrupt
the RAID, you've corrupted the entire RAID.

465
00:46:30,599 --> 00:46:35,320
There is nothing left and so you
know, this is sort of another

466
00:46:35,320 --> 00:46:43,480
example of where security requirements are different
from traditional reliability requirements. You have to

467
00:46:43,519 --> 00:46:47,400
take into account that, you know, the failures induced by a cyber attack

468
00:46:47,719 --> 00:46:53,639
are going to be sort of simultaneous
across a large swath of infrastructure, and

469
00:46:53,679 --> 00:46:58,000
you need a different system to recover
from those. And here's a system I've

470
00:46:58,000 --> 00:47:00,320
never heard of. You know,
here's a system or a lot of the

471
00:47:00,360 --> 00:47:05,920
time, you know, you can
reboot and you're off and running again, which

472
00:47:06,000 --> 00:47:07,800
is tremendous. So, you know, good job to these folks, and

473
00:47:08,360 --> 00:47:14,079
I hope this becomes a standard feature
in a lot of the infrastructure that we

474
00:47:14,119 --> 00:47:19,559
rely on going forward. Well,
thank you to Alex Yevtushenko for elucidating

475
00:47:19,599 --> 00:47:22,119
all this for us. And Andrew,
as always, thank you for speaking with me.

476
00:47:22,880 --> 00:47:24,440
It's always a pleasure. Thank you, Nate. This has been the

477
00:47:24,519 --> 00:47:30,519
Industrial Security Podcast from Waterfall. Thanks
to everyone out there listening.
