1
00:00:04,240 --> 00:00:09,199
When you remove that first area of
defense and you no longer have a human

2
00:00:09,759 --> 00:00:13,640
performing that function, you got to
ask yourself the question, well, how

3
00:00:13,679 --> 00:00:24,600
can I provide oversight, protection,
safety and security for my site? Hey

4
00:00:24,640 --> 00:00:29,399
everybody, and welcome to the Industrial
Security Podcast. My name is Nate Nelson.

5
00:00:29,559 --> 00:00:34,479
I'm here with Andrew Ginter, the
vice president of Industrial Security at Waterfall

6
00:00:34,520 --> 00:00:38,840
Security Solutions. He's going to introduce
the subject and guest of our show today.

7
00:00:39,200 --> 00:00:42,600
Andrew, how's it going? I'm
very well, Thank you, Nate.

8
00:00:43,000 --> 00:00:47,840
Our guest today is Michael Almeida.
Michael is a senior account manager at

9
00:00:47,920 --> 00:00:54,399
Force five and Force five does physical
security for electric utilities, and physical security

10
00:00:54,479 --> 00:00:59,119
is tied into cybersecurity. You don't
have cyber if you don't have physical. So

11
00:00:59,159 --> 00:01:03,640
he's going to talk about physical security
and the connection to cyber. All right,

12
00:01:03,679 --> 00:01:08,400
then let's jump right into it.
Hello Michael, and thank you for joining

13
00:01:08,439 --> 00:01:12,439
us. Before we get started,
can I ask you to say a few

14
00:01:12,480 --> 00:01:17,599
words about yourself for our listeners,
and you know, talk about the good

15
00:01:17,599 --> 00:01:19,879
work that you're doing at Force five. All right, Andrew, thank you

16
00:01:19,959 --> 00:01:23,000
so much for bringing me on your
podcast. Honor to be here. My

17
00:01:23,079 --> 00:01:26,280
name is Mike Almeida. I am
a senior account manager at Force five.

18
00:01:26,319 --> 00:01:32,120
I've been with the company for about
five years all together in the power utility

19
00:01:32,159 --> 00:01:36,000
space. I'm entering my thirteenth year
in here. I had a previous career

20
00:01:36,040 --> 00:01:38,439
in the United States Army as an
officer for a number of years, and

21
00:01:38,760 --> 00:01:44,079
my career spans from being a CIP
auditor working for a power utility and now working

22
00:01:44,159 --> 00:01:48,439
for a vendor. At Force five, we focus on reducing risk at every

23
00:01:48,840 --> 00:01:53,200
entry point of a power utility's facility. So thanks again for having me,

24
00:01:53,280 --> 00:02:00,200
Andrew. That's great. And our
topic today is physical security interacting with sort

25
00:02:00,239 --> 00:02:05,439
of supporting industrial cybersecurity. You know, we're the Industrial Security Podcast. Most

26
00:02:05,439 --> 00:02:12,080
of what we talk about is cybersecurity. How does physical security fit with cybersecurity,

27
00:02:12,800 --> 00:02:15,000
Sir, it's a great, great
question, Andrew, and I'll tell

28
00:02:15,039 --> 00:02:22,560
you. At the crux of the
matter, physical security really ensures that you're

29
00:02:22,639 --> 00:02:27,439
keeping the bad actors out of your
facilities. You're doing your best job to

30
00:02:27,560 --> 00:02:31,520
validate that those individuals have a business
need, that they've met your site specific

31
00:02:31,599 --> 00:02:36,360
training, they meet all your policies
before they come on site. And it's

32
00:02:36,400 --> 00:02:42,159
important to limit who comes on your
site because therein lies the problem. Right.

33
00:02:42,240 --> 00:02:46,759
The first part of any type of
criminal or bad actor is always looking

34
00:02:46,759 --> 00:02:52,039
to circumvent your physical security process,
and with the right tool set and the

35
00:02:52,080 --> 00:02:58,319
right skill set, once they get
inside your facility without being challenged, that

36
00:02:58,360 --> 00:03:04,719
gives them the opportunity to get to
areas of your facility that house critical infrastructure

37
00:03:04,759 --> 00:03:09,080
protection components. Especially when we talk
about cybersecurity, this could be network cables,

38
00:03:09,120 --> 00:03:13,360
switches, routers, you name it. The moment that they get the

39
00:03:13,400 --> 00:03:17,840
physical access into your site, cybersecurity
is just a key stroke away. Right,

40
00:03:19,800 --> 00:03:23,400
So in principle that makes sense.
I mean I agree with you.

41
00:03:23,439 --> 00:03:25,280
Can you give us an example,
I mean, you know how much trouble

42
00:03:25,280 --> 00:03:30,840
can we get into? Yeah?
So this actually is It brings up a

43
00:03:30,840 --> 00:03:35,919
funny story, not really funny,
but a really important story of understanding why

44
00:03:35,919 --> 00:03:38,120
cybersecurity is so important. So,
as I mentioned in my introduction, I

45
00:03:38,159 --> 00:03:43,599
did spend a number of years in
the military and I was deployed. This

46
00:03:43,680 --> 00:03:46,759
is back in two thousand and eight. I got a phone call from my

47
00:03:46,960 --> 00:03:52,879
brigade communications officer about two o'clock in
the morning and she told me, which

48
00:03:52,960 --> 00:03:58,240
is this is now a declassified operation, but we had to disable every single

49
00:03:58,439 --> 00:04:01,879
USB drive across all of the computers
in my area of operation, and at

50
00:04:01,879 --> 00:04:06,280
the time I probably had over two
thousand pieces, and I was geographically dispersed

51
00:04:06,360 --> 00:04:10,400
in nine locations in Iraq, and
I had twenty four hours to do it.

52
00:04:11,120 --> 00:04:14,319
My soldiers and I completed the mission. But the reason we had to

53
00:04:14,319 --> 00:04:21,480
do that is because there was a
signature of a malware that was attempting to

54
00:04:21,519 --> 00:04:28,560
send information from our secret Internet protocol
to Russia. And what we discovered in

55
00:04:28,600 --> 00:04:34,959
our after action review was that it
appeared that the virus or the trojan horse

56
00:04:35,240 --> 00:04:41,600
originated from a USB stick that someone
had plugged into our network, whether it

57
00:04:41,639 --> 00:04:46,199
was inadvertently or inadvertently. More than
likely was probably a soldier who went to

58
00:04:46,279 --> 00:04:51,720
the Morale Recreational Welfare center to go
and talk home, contracted the virus on

59
00:04:51,759 --> 00:04:57,000
that device and brought it back and
put it into our secret computers. But

60
00:04:57,439 --> 00:05:00,920
the reason I bring this story up
and the importance it is if you allow

61
00:05:01,319 --> 00:05:06,639
just about anybody to come onto your
site without properly vetting them and making sure

62
00:05:06,680 --> 00:05:12,680
they meet those credentials, they can
easily take a jump device, plug it

63
00:05:12,680 --> 00:05:16,319
into one of your network switches or
plug it into a computer that controls some

64
00:05:16,360 --> 00:05:21,079
of your industrial control systems, and
wreak havoc just like we experience, which

65
00:05:21,120 --> 00:05:26,360
by the way set us back about
a decade in terms of technology. So

66
00:05:26,959 --> 00:05:31,560
that's I would absolutely consider that something
you should look at when deciding whether or

67
00:05:31,600 --> 00:05:36,839
not you want to let the right
people in on your site. You know,

68
00:05:36,920 --> 00:05:42,240
Andrew, When it comes to somebody
physically at a plant, it's not

69
00:05:42,279 --> 00:05:46,680
even something that I really associate with
cyber. I just assume that a cyber attack

70
00:05:46,839 --> 00:05:53,199
occurs when some remote entity tries to
get in through technological systems, not when

71
00:05:53,240 --> 00:05:59,600
somebody's literally at a plant. Is
this something that happens outside of the context

72
00:05:59,600 --> 00:06:01,920
of like Stuxnet. And if
so, are there any defenses against it?

73
00:06:03,079 --> 00:06:06,319
Yes, you know, yes,
and yes. Let me give you

74
00:06:06,360 --> 00:06:12,000
sort of a more mundane example to
start with. You know, I was

75
00:06:12,160 --> 00:06:17,399
working at Industrial Defender a long
time ago. We were, you know,

76
00:06:17,560 --> 00:06:23,199
building software and we had to test
it, and so we had a

77
00:06:23,360 --> 00:06:28,079
large test bed and to standardize our
testing, we would reset the entire test

78
00:06:28,079 --> 00:06:34,480
bed to sort of a known state
between runs. And that meant taking you

79
00:06:34,519 --> 00:06:39,519
know, Linux CDs, and we'd
take image backups of the hard drive.

80
00:06:40,240 --> 00:06:42,959
Basically, you know, every sector
on the hard drive from zero to

81
00:06:43,120 --> 00:06:46,000
as big as a hard
drive was, and you know, between

82
00:06:46,120 --> 00:06:49,079
runs, we would just put the
image back on the hard drive and start

83
00:06:49,079 --> 00:06:54,079
from exactly the same state. So
we had to do this. And you

84
00:06:54,079 --> 00:06:58,279
know, I gave the Linux
boot CD and all of the backup CDs

85
00:06:58,399 --> 00:07:00,319
to one of my colleagues who'd never
done this before, explained how to do

86
00:07:00,360 --> 00:07:04,720
it, went away. Two hours
later he comes back and he says,

87
00:07:04,759 --> 00:07:11,759
Andrew, do you know that with
this Linux Boot CD, I can boot

88
00:07:12,079 --> 00:07:15,600
any device in the office here and
read all of the data off the hard

89
00:07:15,680 --> 00:07:20,959
drive, you know, And I
said yes, I said, welcome to

90
00:07:21,000 --> 00:07:26,399
the dark side. If you can
touch it, it's yours. Now,

91
00:07:26,519 --> 00:07:30,639
this was back in the day before
hard drives were or flash drives were routinely

92
00:07:30,759 --> 00:07:34,240
encrypted. So to your answer,
is it real? Is it

93
00:07:34,279 --> 00:07:38,759
mundane? And yes, back in
the day, you boot into Linux and

94
00:07:38,800 --> 00:07:42,839
you can read you know, every
every bit on the hard drive. Nowadays,

95
00:07:42,879 --> 00:07:46,600
this is why the modern world,
modern equipment is encrypted. The

96
00:07:46,600 --> 00:07:50,439
hard drives are encrypted. If you
try to do this you'll get garbage back.

97
00:07:51,560 --> 00:07:56,399
But you know, the bad news
is that not all of the equipment

98
00:07:56,519 --> 00:08:00,560
in industrial control systems is modern.
A lot of it's still older. And

99
00:08:01,079 --> 00:08:05,240
you know, even modern equipment is
vulnerable. If you can touch it,

100
00:08:05,279 --> 00:08:11,600
you have a huge advantage. So
sort of a second example is Chinese intelligence

101
00:08:11,639 --> 00:08:16,720
agencies have been accused of doing this
to visitors in China. People who visit

102
00:08:16,800 --> 00:08:22,000
China are encouraged to use throwaway devices
and not log into any of their important

103
00:08:22,120 --> 00:08:28,759
cloud based systems while they're visiting.
Why because Chinese intelligence agencies have been accused

104
00:08:28,879 --> 00:08:33,039
of tapping the hotel on the shoulder, you know, having you know,

105
00:08:33,120 --> 00:08:37,279
tapping your business partners that
you're there to visit on the shoulder saying,

106
00:08:37,559 --> 00:08:41,039
you know, take this man out
for a three hour binge somewhere and

107
00:08:41,080 --> 00:08:45,919
then tap the hotel on the shoulder, get into the hotel room,

108
00:08:46,039 --> 00:08:48,320
you know, look at the
laptop, figure it out and leave,

109
00:08:50,399 --> 00:08:52,559
you know, do it again the
next day and come back, and

110
00:08:52,600 --> 00:08:56,759
this time they know exactly what model
laptop you have. They've got the tools.

111
00:08:56,960 --> 00:09:01,919
They take it apart, they insert
a device, you know, that

112
00:09:01,200 --> 00:09:09,080
a very tiny device between the keyboard
controller and the motherboard. And now this

113
00:09:09,200 --> 00:09:13,240
tiny device is recording all of your
keystrokes. They come back at the end

114
00:09:13,279 --> 00:09:16,480
of your visit and do the same
thing, removing the device, putting your

115
00:09:16,480 --> 00:09:20,559
device all back together again. And
now they've got on that little chip all

116
00:09:20,600 --> 00:09:24,720
of the key strokes that you've entered, all of your passwords that you've used

117
00:09:24,759 --> 00:09:30,480
in the last three days. They
log into your systems and you know you're

118
00:09:30,519 --> 00:09:33,799
sunk. So and in the modern
world, this is why many of the

119
00:09:33,840 --> 00:09:37,000
cloud systems, if you want to
log into them, have two-factor authentication.

120
00:09:37,000 --> 00:09:43,279
So to your question, yes,
if you can touch something, you

121
00:09:43,399 --> 00:09:46,240
have a huge advantage in terms of
compromising it. And yes, this is

122
00:09:46,320 --> 00:09:50,440
why we see two factor authentication.
This is why we see encrypted hard drives,

123
00:09:50,440 --> 00:09:54,559
This is why we see a lot
of modern technology being applied because this

124
00:09:54,600 --> 00:10:01,559
is a real problem. So can
we talk about that's the problem? Can

125
00:10:01,559 --> 00:10:05,679
we talk about the solution? I
mean, it sounds simple. Do we

126
00:10:05,720 --> 00:10:09,480
not have... Is this not why we
have guards, gates and guns? You

127
00:10:09,519 --> 00:10:11,879
know, we absolutely do, Andrew, we have guards, gates and guns.

128
00:10:11,919 --> 00:10:18,360
But I can tell you that with
the recent financial economical strains, especially

129
00:10:18,360 --> 00:10:22,120
in big businesses, it's becoming more
challenging to borrow money. And so what I've

130
00:10:22,159 --> 00:10:28,080
seen recently, especially one of my
large customers, is that they've made a

131
00:10:28,120 --> 00:10:33,039
decision to move away from a contingent
guard force because the cost is astronomical.

132
00:10:33,159 --> 00:10:35,840
At the end of the day,
they're beholden to their shareholders. And so

133
00:10:37,080 --> 00:10:41,000
when you remove that first area of
defense and you no longer have a human

134
00:10:41,600 --> 00:10:46,960
performing that function, you got to
ask yourself the question, well, what

135
00:10:46,080 --> 00:10:50,840
can I do? How can I
provide oversight, protection, safety and security

136
00:10:50,879 --> 00:10:56,200
for my site if I don't have
somebody that's looking over them. And you

137
00:10:56,240 --> 00:11:01,200
know, you know this, Andrew, being in
the power utility space. Power plants are

138
00:11:01,320 --> 00:11:05,679
It's the bread and butter of
how power utilities not only make money,

139
00:11:05,679 --> 00:11:09,720
but allow us to flip a switch
and let the lights go on. So

140
00:11:11,200 --> 00:11:16,200
if we can't afford to allow a
physical person to do that, we have

141
00:11:16,279 --> 00:11:22,200
to do something different. And that's
one of the reasons why at Force five

142
00:11:22,320 --> 00:11:28,600
we provide solutions for outage management and
really help provide internal controls that can vet

143
00:11:28,639 --> 00:11:33,639
individuals making sure that they have a
proper business need, they're not on some

144
00:11:33,879 --> 00:11:37,080
watch list. They have your site
specific training, so you have confidence knowing

145
00:11:37,080 --> 00:11:41,799
that individuals who come on your site
not only are who they say they are,

146
00:11:41,159 --> 00:11:46,320
but have the appropriate business need and
also meet all the training and policies

147
00:11:46,360 --> 00:11:50,360
you've set in place to protect your
organization in the first place. If you've

148
00:11:50,360 --> 00:11:54,240
got organizations that have done away with
their guards, I mean,

149
00:11:54,279 --> 00:11:58,799
what happens if you know, worst
case, you know, someone ignores

150
00:11:58,879 --> 00:12:05,000
your security fence, brings a saw, cuts through the fence, cuts through

151
00:12:05,000 --> 00:12:07,240
the doors on the way into the
plant, into the server room. I

152
00:12:07,240 --> 00:12:13,039
don't know, with a USB in
his hand. Do you not need guards

153
00:12:13,159 --> 00:12:16,240
at least for incident response? I
mean, what do you do if you

154
00:12:16,279 --> 00:12:22,120
don't have guards and you've got a
situation like this? Right? And this

155
00:12:22,480 --> 00:12:26,240
ties back into your incident response plan
as you just mentioned, right, So

156
00:12:26,559 --> 00:12:28,799
the first thing you have to do
is, if you know you're going to

157
00:12:28,879 --> 00:12:33,639
move away from a contingent workforce or
contingent guards, you have to make sure

158
00:12:33,679 --> 00:12:35,759
that your policies and procedures adapt to
that. Right If you're not, if

159
00:12:35,759 --> 00:12:39,000
your policies and procedures say, notify
a guard, and obviously you're not using

160
00:12:39,000 --> 00:12:43,879
guards, you need to make sure
that there's something in place to follow.

161
00:12:43,600 --> 00:12:48,360
And really it boils down to your
level of risk tolerance, Right, do

162
00:12:48,399 --> 00:12:52,080
you really want your employees confronting somebody
they think is a bad actor, or

163
00:12:52,159 --> 00:12:56,000
do you probably want them to do
something like call nine to one one,

164
00:12:56,200 --> 00:12:58,799
right, call a security company,
whatever it is. And more than like,

165
00:13:00,679 --> 00:13:05,279
your SOC has probably done both already
because they have videos. Most power

166
00:13:05,360 --> 00:13:11,240
utility companies I know have video footage
pointing at those critical facilities, and so

167
00:13:11,360 --> 00:13:16,159
if they see somebody that that's not
recognizable, they're probably gonna go ahead

168
00:13:16,240 --> 00:13:22,440
and start putting in their
protective controls to make sure that they

169
00:13:22,559 --> 00:13:28,120
do that. But the truth is, the more realistic situation is somebody finding

170
00:13:28,159 --> 00:13:33,240
a way to get into your site
during a major outage so they can blend

171
00:13:33,279 --> 00:13:39,320
in with the environment and do things
being undetected. So that makes sense in

172
00:13:39,360 --> 00:13:41,240
principle. You know, if there's
an intruder in the site, there's no

173
00:13:41,279 --> 00:13:43,519
guards, you call nine to one
one, you call the authorities. Your

174
00:13:43,559 --> 00:13:50,879
SOC might have done that for you. But there are operational decisions that have to

175
00:13:50,879 --> 00:13:52,879
be made if someone has, you know, cut into the server room, if

176
00:13:52,879 --> 00:13:58,919
someone is wandering around the facility with
a hammer in their hand, and you

177
00:13:58,960 --> 00:14:01,120
know, with clearly malicious intent.
They've cut their way into the facility.

178
00:14:01,320 --> 00:14:07,159
The authorities aren't there yet. Do
you keep generating power? Do you keep

179
00:14:07,440 --> 00:14:11,919
producing oil out of the refinery?
What you know, isn't there a decision

180
00:14:11,960 --> 00:14:16,120
point that has to
be made about, you know, what

181
00:14:16,159 --> 00:14:18,399
do we do with someone on site
like that? Do we have to shut

182
00:14:18,480 --> 00:14:24,240
down out of safety.
It's a really, really awesome question,

183
00:14:24,320 --> 00:14:28,600
Andrew, and I guarantee you you're
gonna hear different answers from different people,

184
00:14:28,200 --> 00:14:31,960
but I can tell you. You
know, Mike Tyson had this famous quote

185
00:14:33,000 --> 00:14:35,360
and it says, you know,
everybody has a plan until they get punched

186
00:14:35,399 --> 00:14:39,200
in the mouth, right, So
when you think about that, at the

187
00:14:39,279 --> 00:14:43,759
end of the day, your policies, procedures, your business continuity plan

188
00:14:43,840 --> 00:14:46,919
should absolutely have those steps in there. And if they don't, really it

189
00:14:46,919 --> 00:14:52,840
comes down to the station manager.
It's his decision on what to do in

190
00:14:52,879 --> 00:14:58,759
that scenario. I guarantee you your
executives are probably concerned about profitability and also

191
00:14:58,799 --> 00:15:03,639
concerned about making sure that the plant
generates money to keep the lights on.

192
00:15:03,159 --> 00:15:07,799
But in that moment, the plant
manager might be about safety and security for

193
00:15:07,840 --> 00:15:09,840
his employees, and so at the
at the end of the day, I

194
00:15:09,879 --> 00:15:15,960
think the responsibility falls on the plant
manager whether he continues to have operations going

195
00:15:16,759 --> 00:15:20,679
or he chooses to shut down.
And there's a lot of factors considering that.

196
00:15:20,799 --> 00:15:22,279
Right, If they're in a you
know, let's just say this happens

197
00:15:22,279 --> 00:15:28,639
in the summertime and it's at the
peak of day and it's hot and you're

198
00:15:28,679 --> 00:15:31,919
at your peak load, you probably
don't want to shut down your site.

199
00:15:31,279 --> 00:15:35,440
But if it's something that happens in
the middle of the night where it's not

200
00:15:35,480 --> 00:15:41,200
really a peak load there, there
probably will be more considerations to actually have

201
00:15:41,279 --> 00:15:43,519
the plant shut down while you deal
with the security issue. That makes sense,

202
00:15:45,360 --> 00:15:48,559
Well, that makes sense. You
mentioned NERC CIP a couple of

203
00:15:48,600 --> 00:15:56,200
times. I know there are rules
in NERC CIP about physical security. Can you

204
00:15:56,240 --> 00:16:00,759
can you talk about those rules?
I mean, oh, pause, hand,

205
00:16:00,080 --> 00:16:07,039
I'm okay. Something else. You've
said a couple of times you talked

206
00:16:07,080 --> 00:16:11,799
about outages. Now you know the
questions I've been asking you, I've kind

207
00:16:11,840 --> 00:16:17,480
of been assuming we're talking about physical
security during operations when there's you know,

208
00:16:18,559 --> 00:16:22,480
the usual complement of people on site, when you've got power coming out of

209
00:16:22,519 --> 00:16:26,279
the power plant when you got you
know, gasoline going through the pipeline.

210
00:16:26,879 --> 00:16:30,200
You've talked about outages a couple of
times. Why are you talking about

211
00:16:30,200 --> 00:16:37,480
outages? What's special about them? So outages are something that commonly

212
00:16:37,519 --> 00:16:42,120
occur for large generation facilities. So
if you think about a car, right,

213
00:16:42,240 --> 00:16:45,159
every so often, you've got
to bring your car in for maintenance

214
00:16:45,159 --> 00:16:48,960
so that way it keeps running well. Power plants run on the same schedule.

215
00:16:49,000 --> 00:16:53,799
There are certain components of those plants
that have to shut down for maintenance,

216
00:16:53,840 --> 00:17:00,480
and so during these times you can
have a large contingent coming on site.

217
00:17:00,480 --> 00:17:04,039
In fact, there's a plant that
I visited not too long ago produces

218
00:17:04,039 --> 00:17:08,920
about thirty four hundred megawatts of generation
and at their peak outage, they can

219
00:17:08,960 --> 00:17:15,640
have about fifteen hundred people on site
that are contractors; you don't know them,

220
00:17:15,799 --> 00:17:18,440
They don't know you, but they
were there to perform a service for

221
00:17:18,480 --> 00:17:23,440
a certain period of time. And
so when you think about having a large

222
00:17:23,480 --> 00:17:29,519
group of people you don't know anything
about them all over your power plant,

223
00:17:29,880 --> 00:17:36,200
around your most critical assets. That
creates a security challenge. It also creates

224
00:17:36,200 --> 00:17:40,960
a safety challenge because they've probably never
been on your site before. Sometimes they

225
00:17:41,160 --> 00:17:44,440
have to bring vehicles on your site, so now every person and every vehicle

226
00:17:44,519 --> 00:17:48,279
that's on your site creates a liability
unless you find a way to validate them

227
00:17:48,319 --> 00:17:52,559
and ensure that they have a proper
business need. So it's important. This

228
00:17:52,680 --> 00:17:56,640
is an important part of the power
utility space because if those plants don't get

229
00:17:56,640 --> 00:18:00,000
everything done that they have to get
done on outage, and they have to

230
00:18:00,119 --> 00:18:03,799
extend their outage for any reason,
it puts strain on the bulk electric systems,

231
00:18:04,119 --> 00:18:07,359
on the interconnects as a whole,
because now someone's got to pick up

232
00:18:07,359 --> 00:18:11,440
the slack for the power that's not
being generated. So again, yes,

233
00:18:11,559 --> 00:18:15,599
it's a for profit industry that generates
power for dollars, but at the same

234
00:18:15,640 --> 00:18:22,119
time, if you can't fulfill your
obligations how the whole entire landscape is expecting

235
00:18:22,160 --> 00:18:26,400
you to, then it puts unnecessary
strain on the system as a whole,

236
00:18:26,400 --> 00:18:30,240
and that can create issues like rolling
blackouts and whatnot, which we all remember

237
00:18:30,279 --> 00:18:33,400
from two thousand and three, But
that wasn't due to a planned

238
00:18:33,440 --> 00:18:38,279
outage. But the point is we
have to make sure that during those outages

239
00:18:38,319 --> 00:18:42,519
we're getting everything done that we have
to to keep the system online. And

240
00:18:42,559 --> 00:18:48,319
we're also making sure that safety and
security is a focal point of ensuring that

241
00:18:48,720 --> 00:18:52,720
none of those contingent workers are going
to be in a position where they can

242
00:18:52,720 --> 00:18:56,680
do something to sabotage or inhibit your
ability to provide services to your customers.

243
00:18:59,480 --> 00:19:02,400
Let's talk NERC CIP if
we can. You know, we're going

244
00:19:02,880 --> 00:19:07,519
you're giving the power plant example.
Let's say part of the outage is

245
00:19:07,759 --> 00:19:14,160
to expand the capacity of the
server room so we can put more servers

246
00:19:14,160 --> 00:19:18,160
in there to do more stuff,
you know, more predictive maintenance or whatever.

247
00:19:18,480 --> 00:19:21,839
And so one of the people who's
got to go into the server room

248
00:19:22,359 --> 00:19:26,799
is an electrician. They're setting up the
new rack or three with you know,

249
00:19:27,480 --> 00:19:32,039
uninterruptible power supplies. They're connecting it
to the power. They've had to add

250
00:19:32,079 --> 00:19:36,000
some new breakers. They're in there
working for a couple of days doing electrical

251
00:19:36,079 --> 00:19:42,039
stuff. But this is the room
that contains all of our control system computers.

252
00:19:42,839 --> 00:19:45,240
How does that work? You know, the plant is down, it's

253
00:19:45,240 --> 00:19:48,160
not producing power. You know,
do you just let the electrician in there?

254
00:19:48,160 --> 00:19:52,839
What's the rule? Yeah, that's
a... It's a really

255
00:19:52,880 --> 00:19:56,920
important rule and this is
NERC CIP-006. When you have somebody

256
00:19:56,960 --> 00:20:02,319
you have a critical or you have
a physical security perimeter that's defined in NERC CIP,

257
00:20:02,880 --> 00:20:04,559
there's two ways you can do it. Right. If this is a

258
00:20:04,680 --> 00:20:10,279
contingent worker that you know that you've
done a personnel risk assessment on, you've

259
00:20:10,279 --> 00:20:12,440
performed a seven year background check,
they have a valid business need to be

260
00:20:12,519 --> 00:20:18,680
in that space unescorted, you most
certainly can give them privileges to go into

261
00:20:18,720 --> 00:20:23,839
that space unescorted. In my history
of being not only an auditor but working

262
00:20:23,839 --> 00:20:29,640
for a power utility, this is going
to be the exception, not the rule.

263
00:20:29,759 --> 00:20:33,559
And the reason is because this is
somebody that's doing work or service for

264
00:20:33,599 --> 00:20:37,279
a small period of time and they're
not going to be back, and so

265
00:20:37,759 --> 00:20:41,880
you typically want to reserve those types
of authorized unescorted physical access for people that

266
00:20:41,920 --> 00:20:47,880
you trust that are going to be
there from a longevity perspective. More frequently,

267
00:20:47,960 --> 00:20:52,480
what we see is when you have
a visitor coming into a physical security

268
00:20:52,480 --> 00:20:56,920
perimeter or PSP for short, you
have to escort them at all times within

269
00:20:57,000 --> 00:21:00,920
line of sight. So you've got
to make sure you document what their name

270
00:21:02,000 --> 00:21:06,480
is, who they're there to see, document what the reason is for them

271
00:21:06,519 --> 00:21:10,000
being in there, what time they
arrived, what time that they left.

272
00:21:10,599 --> 00:21:17,559
This is typically done manually from probably
say about eighty percent of utilities do it

273
00:21:17,599 --> 00:21:21,799
manually. But again that creates a
challenge, right because if you don't,

274
00:21:22,079 --> 00:21:25,680
if you have sloppy handwriting, or
you're not putting in the correct information and

275
00:21:25,759 --> 00:21:30,119
there should be an event, then
you're relying on what's written on that paper

276
00:21:30,160 --> 00:21:33,279
to see who's in that space,
who is the escort, to try to

277
00:21:33,279 --> 00:21:37,839
decipher what happened. I can tell
you that there's been a lot of times

278
00:21:37,279 --> 00:21:41,519
on the physical security side where an
incident's happened and when they go back and

279
00:21:41,559 --> 00:21:45,440
try to figure out who's in the
space, they couldn't decipher the handwriting.

280
00:21:45,440 --> 00:21:49,240
So now they have to go and
rely on cameras and rely on different angles

281
00:21:49,279 --> 00:21:52,079
and talk and call up the person
who they believe is in the video.

282
00:21:52,759 --> 00:21:56,119
And as you're doing that, it's
taking time, and the more time you

283
00:21:56,240 --> 00:22:02,480
take, the more likely whoever it
is that doing the malicious act probably is

284
00:22:02,559 --> 00:22:08,759
going to get away with it and
be undetected. Just a word of clarification

285
00:22:08,839 --> 00:22:14,680
here, Michael has mentioned the NERC
CIP standards a couple of times. NERC CIP

286
00:22:14,880 --> 00:22:17,440
is a family of standards. It's
got like, I don't know, thirteen

287
00:22:17,559 --> 00:22:22,240
or fourteen volumes, and you know
the standard that's called CIP zero zero six,

288
00:22:22,599 --> 00:22:29,799
CIP double oh six, talks about
physical access control. It says stuff like,

289
00:22:30,000 --> 00:22:34,240
you know, if you have an
important a piece of the electric system

290
00:22:34,240 --> 00:22:38,000
that is covered by NERC CIP that's medium
impact or high impact, because there's sort

291
00:22:38,000 --> 00:22:41,599
of three categorizations low, medium,
and high in the NERC CIP. If

292
00:22:41,640 --> 00:22:47,720
it's medium or high, you have
to have a process that restricts physical access

293
00:22:47,880 --> 00:22:52,759
to these systems. It's usually described, you know, colloquially as a six

294
00:22:52,920 --> 00:22:55,440
walls rule. You have to have
a floor, you have to have a

295
00:22:55,440 --> 00:22:59,039
ceiling. You have to be sealed
floor and ceiling, and on four walls.

296
00:22:59,599 --> 00:23:02,920
You have to have a, you
know, a system in place,

297
00:23:03,119 --> 00:23:08,839
keys or technology or something that prevents
random people from walking in. You have

298
00:23:08,880 --> 00:23:11,680
to have a way to... They use
different words, but you have to have

299
00:23:11,720 --> 00:23:17,079
a way to clear people who are allowed
into it. You know, if you

300
00:23:17,160 --> 00:23:19,440
let people in whenever they want,
they have to be trusted people. See,

301
00:23:19,519 --> 00:23:22,400
they need to have background checks.
They need training. They you know,

302
00:23:22,480 --> 00:23:27,039
they need to know what they're doing. If you have uncleared people like

303
00:23:27,079 --> 00:23:32,960
the electrician who needs access to the
space, they have to be supervised constantly

304
00:23:33,039 --> 00:23:37,799
by a cleared person. You have
to have technology in place to monitor if

305
00:23:37,079 --> 00:23:41,720
somebody enters the room who's not authorized. You have to have alarms in place

306
00:23:42,680 --> 00:23:47,920
to detect unauthorized access. All of
this, you know, is part of

307
00:23:48,960 --> 00:23:56,160
CIP zero zero six because, to a greater
or lesser extent, if you can touch

308
00:23:56,160 --> 00:24:00,880
a system, you can compromise it, or you certainly have a tremendous advantage

309
00:24:00,079 --> 00:24:07,799
in terms of compromising. The latest
numbers in the twenty twenty three Threat Report

310
00:24:07,920 --> 00:24:11,839
on OT cyber incidents show that the
threat environment has changed fundamentally. At the

311
00:24:11,839 --> 00:24:18,839
beginning of this decade, OT cyber
attacks with physical consequences have changed from a

312
00:24:18,880 --> 00:24:22,920
theoretical problem to a very real problem, more than doubling every year. The

313
00:24:23,000 --> 00:24:27,759
new report is focused on deliberate cyber
attacks in the public record. These are

314
00:24:27,799 --> 00:24:33,480
attacks that cause physical consequences in process
industries and discrete manufacturing. Most of these

315
00:24:33,480 --> 00:24:38,039
attacks are ransomware, though the fraction
of activist attacks is growing, and the

316
00:24:38,079 --> 00:24:44,359
report's appendix includes a complete list of
all cyber attacks since Stuxnet that meet these

317
00:24:44,400 --> 00:24:48,240
criteria. To see how today's OT
cyber threat environment has changed, I invite

318
00:24:48,240 --> 00:24:53,039
you to download the report, a
joint effort between Waterfall Security and the ICS

319
00:24:53,119 --> 00:25:00,559
STRIVE OT Incident Repository. You can
download the report at Waterfall dash Security Slash

320
00:25:00,599 --> 00:25:06,680
twenty twenty three dash Threat dash Report, or just go to the resources menu

321
00:25:06,799 --> 00:25:12,279
at the Waterfall Security site and click
on white papers and ebooks. So let's

322
00:25:12,319 --> 00:25:17,079
get into the details about the good
work you folks are doing at Force Five.

323
00:25:17,519 --> 00:25:21,440
You have solutions in this space.
What do you have? Who's using

324
00:25:21,480 --> 00:25:25,119
it? You know? How does
this work? So we got started,

325
00:25:25,799 --> 00:25:29,680
ironically, we got started in the
CIP space. I actually worked for a

326
00:25:29,799 --> 00:25:34,920
utility company and I discovered Force five
at the recommendation of a peer, and

327
00:25:36,000 --> 00:25:40,640
at the time we talked about CIP
six. Here we were, when there

328
00:25:40,720 --> 00:25:42,480
were eight regulatory regions at the time, and we were in all of them,

329
00:25:42,519 --> 00:25:48,119
and so we had manual paper logs
at these physical security perimeters and as you

330
00:25:48,160 --> 00:25:53,559
can imagine, we were getting audited
by all eight regional entities and we would

331
00:25:53,559 --> 00:25:57,319
probably get audited every year. And
it's something that we consistently had a problem

332
00:25:57,359 --> 00:26:00,279
with. And so when I approached
Force Five, I said,

333
00:26:00,319 --> 00:26:03,960
hey, listen, I'm going to
make your business requirements very simple for you.

334
00:26:04,599 --> 00:26:08,720
I want an appliance that includes software
and hardware. I want it all

335
00:26:08,759 --> 00:26:15,319
in one. I want something that can
easily be used regardless of the austerity of

336
00:26:15,359 --> 00:26:18,480
any type of environment, whether it's
a power plant, it's a substation,

337
00:26:18,720 --> 00:26:22,319
it's a control room, it's a
corporate lobby. I want the look and

338
00:26:22,359 --> 00:26:26,319
feel to be the same, and
I want a dedicated support line. I

339
00:26:26,359 --> 00:26:30,599
don't want to have to figure out
what the hardware needs to be. You

340
00:26:30,640 --> 00:26:33,480
figure it out for me. All
I have to do is pick up a

341
00:26:33,480 --> 00:26:40,079
phone or send an email and get
help. And that's how Gatekeeper was born.

342
00:26:40,119 --> 00:26:45,440
And so we now have an automated
solution which is the only escort driven

343
00:26:45,680 --> 00:26:52,480
self-service log-in kiosk in the
industry today that enforces those policies of NERC CIP

344
00:26:52,559 --> 00:26:56,680
at your PSPs. And so instead
of relying on paper, handwritten errors, trying to

345
00:26:56,720 --> 00:27:03,000
decipher that, we have the ability
to enforce your policies and procedures. So,

346
00:27:03,720 --> 00:27:07,119
whoever the authorized escort is, he
or she is the only person that

347
00:27:07,279 --> 00:27:11,559
can use the system and start a
visit; your visitor can't. We put all

348
00:27:11,599 --> 00:27:17,160
the onus on the person with the
responsibility and that's how we got our start

349
00:27:17,200 --> 00:27:19,279
in NERC CIP, and then I'd say
about a year and a half later,

350
00:27:19,559 --> 00:27:22,240
we were approached by a plant manager
that said, Hey, that's great,

351
00:27:22,759 --> 00:27:27,599
but I don't care about those requirements. I have hundreds of people coming to

352
00:27:27,640 --> 00:27:30,759
my site during an outage. They
don't need to be escorted. I just

353
00:27:30,799 --> 00:27:34,519
need to make sure that they have
met all the training. They're not on

354
00:27:34,559 --> 00:27:40,640
some sort of watch list that they
have a business need to be there.

355
00:27:40,720 --> 00:27:44,279
If you can figure that out,
then I see a path through your solution.

356
00:27:44,400 --> 00:27:48,880
And so Force Five worked with
some of the outage coordinators and some

357
00:27:48,920 --> 00:27:53,599
of the plant superintendents and plant managers, and that's how the evolution of the

358
00:27:53,599 --> 00:27:59,359
outage management solution of Gatekeeper was born. And so in this scenario, we

359
00:27:59,519 --> 00:28:04,039
use height turnstiles. We can provide
a building or no building, and we

360
00:28:04,480 --> 00:28:08,799
augment those turnstiles with our kiosks to
perform access controls. And so if you

361
00:28:08,799 --> 00:28:12,160
think about what's important to a plant
manager, they want to make sure that

362
00:28:12,319 --> 00:28:17,680
this person has the site specific training
to enter the site. They want to

363
00:28:17,720 --> 00:28:21,920
make sure that they're not on some
sort of watch list or have been terminated

364
00:28:22,000 --> 00:28:26,359
or kicked off a plant in the
past, and they want to make sure

365
00:28:26,559 --> 00:28:30,279
that they have a valid business need
during an outage. So when you take

366
00:28:30,319 --> 00:28:33,720
all those pieces and you assign them
to an identity, our kiosk, in a

367
00:28:33,759 --> 00:28:37,400
quick moment, when you use biometrics, they can either use their fingerprint or

368
00:28:37,400 --> 00:28:41,519
they can use their face. Once
they come to the kiosk and identify themselves,

369
00:28:41,640 --> 00:28:45,440
the system does all those checks quickly, and if you meet all the

370
00:28:45,759 --> 00:28:49,039
criteria to enter the site, we
fire the turnstiles, and if you don't,

371
00:28:49,400 --> 00:28:52,839
we deny entry. And if you
match the watch list, not only do

372
00:28:52,880 --> 00:28:56,920
we deny entry, but we
send out emails, text messages and robocalls

373
00:28:57,319 --> 00:29:02,119
to interested parties letting them know that
somebody that's a bad actor is at the

374
00:29:02,200 --> 00:29:07,160
front gate of your facility. And,
you know, you mentioned biometrics.

375
00:29:07,160 --> 00:29:11,319
I mean it's great. Biometrics are
high tech. You know, are they

376
00:29:11,400 --> 00:29:18,839
necessary? I mean most places I
go, they use badges, right. Necessary

377
00:29:18,960 --> 00:29:25,359
and necessary are
definitely good questions. So I can tell

378
00:29:25,359 --> 00:29:30,359
you that for your trusted environment,
badges are okay, and they're okay because

379
00:29:30,599 --> 00:29:36,000
you know who the people are, and you know that they

380
00:29:36,200 --> 00:29:40,920
have already been validated by your company.
When you talk about your untrusted environment,

381
00:29:40,960 --> 00:29:45,079
which is the reality here with a
contingent workforce. In my experience in my

382
00:29:45,160 --> 00:29:48,640
career, I've seen a plethora of
things happen. In fact, one time,

383
00:29:49,200 --> 00:29:53,119
when I was working for a utility,
it happened to be at a plant, and

384
00:29:53,480 --> 00:29:56,839
there was a large group of contingent
workers at a plant with a leader.

385
00:29:57,200 --> 00:30:00,880
There was a contingent workforce leader
who was overseeing all those people, and towards,

386
00:30:00,960 --> 00:30:07,319
I'd say, after lunchtime,
this gentleman grabbed all the badges from his

387
00:30:07,799 --> 00:30:14,680
staff and let them out. There
was another outage happening not too far away

388
00:30:14,720 --> 00:30:18,160
that they had a contract for,
and the priority for that company was that

389
00:30:18,319 --> 00:30:21,680
those staff be there. And at
the end of the day, when he

390
00:30:21,720 --> 00:30:23,640
went to go swipe out his badge, guess what he did. He not

391
00:30:23,680 --> 00:30:27,319
only swiped out his badge, but
he swiped out the badge of his entire

392
00:30:27,400 --> 00:30:33,640
team. And so for our company, we wound up paying for ten to

393
00:30:33,680 --> 00:30:41,119
twelve individuals that left early, right? So,
with badges, the problem with that is all

394
00:30:41,160 --> 00:30:45,599
they're intended to do is access control: it looks
at the card serial number, makes sure

395
00:30:45,640 --> 00:30:49,039
that it matches an authorized entry on
that list, and lets him in.

396
00:30:49,720 --> 00:30:55,599
When you use biometrics, it's very
hard to fake a face or a finger,

397
00:30:56,359 --> 00:31:00,640
right, so you have to have
something physical that's unique to you.

398
00:31:00,759 --> 00:31:06,160
And so what we found
is, not only does it expedite the process

399
00:31:06,279 --> 00:31:11,519
of logging people in, but it
also gives you stronger validation knowing that the

400
00:31:11,599 --> 00:31:17,039
individual who presented that credential, whether
it be facial recognition or biometric fingerprint,

401
00:31:17,920 --> 00:31:22,400
when you have them presenting that credential, it's a higher confidence of validation.

402
00:31:22,599 --> 00:31:26,559
So you know that they can't hand
their thumb and they can't hand their face

403
00:31:26,599 --> 00:31:29,559
to somebody else because you can only
use it to go in and you can

404
00:31:29,640 --> 00:31:33,640
only use it to go out.
And the system is smart enough to know

405
00:31:33,839 --> 00:31:37,480
if you've gone in one time,
we're not going to let that same

406
00:31:37,519 --> 00:31:42,720
identity in because it's already in the
system. It sounds like that that scenario

407
00:31:42,920 --> 00:31:48,119
that you gave there with
the badges. You know, the benefit

408
00:31:48,200 --> 00:31:52,519
that the system was providing the plant
is, you know, is not really

409
00:31:52,519 --> 00:31:56,119
a security benefit in the sense that
it's you know, keeping out people who

410
00:31:56,119 --> 00:31:59,599
shouldn't be there. It was kind
of an operational benefit, and you know

411
00:31:59,680 --> 00:32:01,240
this is
commonplace. A lot of

412
00:32:01,240 --> 00:32:06,839
folks that we have on talking about
different approaches to solving problems in the industrial

413
00:32:06,880 --> 00:32:12,160
security space. A lot of the
time those approaches have sort of ancillary operational

414
00:32:12,200 --> 00:32:14,720
benefits. So you know, you've
given us one. Do you have other

415
00:32:14,799 --> 00:32:20,279
examples of, you know, how
you can use what appears to be a

416
00:32:20,279 --> 00:32:23,799
security tool to, you know, just
make the plant more efficient. It's

417
00:32:23,799 --> 00:32:29,079
funny you say that, Andrew,
because one of our customers recently this year

418
00:32:29,160 --> 00:32:32,599
gave us an interesting story I'm going
to share with you, where they... We always

419
00:32:32,839 --> 00:32:38,000
tell our clients, make sure that you
tell your contingent workforce, when you

420
00:32:38,079 --> 00:32:42,440
use the solution it's for a safety
and security perspective, because they'll be more

421
00:32:42,480 --> 00:32:49,039
apt to adopt it in their everyday routine. But one thing that he shared

422
00:32:49,079 --> 00:32:53,839
with me was he's always used this
same scaffolding company for a long period of

423
00:32:53,880 --> 00:33:00,160
time, and over the years,
he said he thought he was getting billed

424
00:33:00,480 --> 00:33:06,200
or overcharged for certain types of activities they were performing, and he could

425
00:33:06,200 --> 00:33:12,359
never validate it because for T&M, or
time and materials, contractors, it's paper-based:

426
00:33:13,759 --> 00:33:17,559
count cards, or time cards,
timesheets, right. So he'd say fifty percent

427
00:33:17,559 --> 00:33:21,759
of the time he'd argue back and
he'd win, and fifty percent of the

428
00:33:21,799 --> 00:33:27,160
time he'd pay the invoice. And
so as soon as he leveraged our solution,

429
00:33:27,559 --> 00:33:30,640
he got his first invoice from the
company, and when he looked at

430
00:33:30,680 --> 00:33:32,519
it, he said, ah,
you know, this doesn't seem right.

431
00:33:32,640 --> 00:33:36,839
And so he decided on his own
accord, you know what, I'm going

432
00:33:36,880 --> 00:33:40,000
to go into Gatekeeper and look at
the resources that I got for the week.

433
00:33:40,680 --> 00:33:46,359
And what he discovered when he put
his invoice alongside the record of who

434
00:33:46,440 --> 00:33:51,400
had actually been on the site,
the invoice was for nearly double the amount

435
00:33:51,599 --> 00:33:54,720
of individuals he had on the invoice. So let's just say it was forty.

436
00:33:54,920 --> 00:34:00,279
He only got twenty and they were
supposed to work forty hours for the week

437
00:34:00,319 --> 00:34:02,880
and they only worked twenty hours.
And so when he went back to this

438
00:34:02,960 --> 00:34:07,240
guy, he said, hey,
I got your invoice, but I'm not

439
00:34:07,359 --> 00:34:09,159
paying it because you overcharged me.
And the guy's like, come on,

440
00:34:09,280 --> 00:34:13,360
man, you know we always go
through this conversation every time we have an

441
00:34:13,360 --> 00:34:15,800
outage, you know, I won't
do that to you. And he said,

442
00:34:15,800 --> 00:34:17,639
I get it. I said,
but I just pulled my report from

443
00:34:17,679 --> 00:34:21,760
the solution that we have for safety
and security or GATE, and I can

444
00:34:21,760 --> 00:34:23,960
tell you down to the second who
was on my site, and I can

445
00:34:24,039 --> 00:34:28,960
tell you that I got half the
resources on this invoice at half the time.

446
00:34:29,079 --> 00:34:30,880
So I'm not paying this invoice.
And the gentleman's like, well,

447
00:34:30,960 --> 00:34:35,440
let me look into that
and find out what the problem is.

448
00:34:35,480 --> 00:34:37,280
And the next day he calls him
back. He goes, oh, I

449
00:34:37,360 --> 00:34:42,000
sent you the wrong invoice. I
apologize, here's the right one, and

450
00:34:42,320 --> 00:34:45,760
my client kind
of chuckled, but he said, ever

451
00:34:45,800 --> 00:34:52,159
since that scenario happened, he never
has gotten overcharged for an invoice because they

452
00:34:52,199 --> 00:34:55,199
now look at this as a timesheet. So again it's a safety and security

453
00:34:55,280 --> 00:35:00,719
solution, but the contingent worker's looking
at his timesheet. In addition to that,

454
00:35:00,880 --> 00:35:05,559
one of the things he's been able
to discover in using the data that

455
00:35:05,639 --> 00:35:09,000
was typically stale, written on paper,
now that it's in a database, he

456
00:35:09,119 --> 00:35:14,519
actually can predict whether or not he's
going to have enough resources as I mentioned

457
00:35:14,559 --> 00:35:16,519
earlier. You know, if
you don't have the resources to meet an

458
00:35:16,519 --> 00:35:20,519
outage and you have to extend it, that puts some strain on the power

459
00:35:20,559 --> 00:35:23,159
system. Well, using this solution, he can say, well, I

460
00:35:23,239 --> 00:35:27,639
was supposed to have forty resources at
forty hours a week, but for the

461
00:35:27,679 --> 00:35:31,199
past three weeks, I've only had
twenty resources at twenty hours. So there's

462
00:35:31,239 --> 00:35:36,119
he can predict that
he's going to fall short in that area

463
00:35:36,400 --> 00:35:40,880
and maybe do some other methods
to help condense that time a little bit

464
00:35:40,920 --> 00:35:46,159
shorter, or bring in additional resources
to compensate for the lost time that he

465
00:35:46,280 --> 00:35:50,760
had because he didn't get the resources
he was promised. So that's an

466
00:35:50,800 --> 00:35:53,199
operational thing. And one other story
that I want to embellish here for a

467
00:35:53,239 --> 00:36:00,239
moment that I think is important is
the security aspect. And I think this

468
00:36:00,280 --> 00:36:05,599
is operational because operational risk is something
that everybody should consider, especially when you

469
00:36:05,639 --> 00:36:13,000
have industrial control systems. We had
a customer who had a contractor that got

470
00:36:13,039 --> 00:36:15,840
into an incident with the plant manager
and as a result of that incident,

471
00:36:16,199 --> 00:36:21,079
he was placed on a watch list
and walked off the site and told that

472
00:36:21,119 --> 00:36:24,480
he was not allowed to come on
that site ever again. A few weeks

473
00:36:24,559 --> 00:36:30,159
later, that contractor decided to go
work at a different site for the same

474
00:36:30,280 --> 00:36:32,960
company. It's the same utility company, just under a different outage, and

475
00:36:34,360 --> 00:36:39,320
it just so happened when he arrived, the watch list identified him as being

476
00:36:40,280 --> 00:36:45,039
a person that shouldn't be on the
site. And that plant manager happened to

477
00:36:45,039 --> 00:36:50,159
be there that day because he worked
the zone, and so he looked at

478
00:36:50,199 --> 00:36:53,119
that individual says, don't ever come
back to one of my plants ever again.

479
00:36:53,199 --> 00:36:55,960
You're not allowed here. And as
a result of that, the company,

480
00:36:55,960 --> 00:37:00,559
the vendor company he worked for,
it terminated his services because he could

481
00:37:00,639 --> 00:37:04,840
not perform it. So lo and
behold. Several weeks go by, this

482
00:37:04,960 --> 00:37:10,280
individual gets a job at a
new vendor company that happens to have a

483
00:37:10,360 --> 00:37:15,760
contract for an outage at the same
power utility company, and when he showed

484
00:37:15,840 --> 00:37:20,920
up for the outage and placed his
finger on the reader, it detected him.

485
00:37:21,360 --> 00:37:24,519
Regardless of what uniform he wore,
we were still able to identify that

486
00:37:24,599 --> 00:37:28,639
this is the same individual that's on
the watch list. He should not be

487
00:37:28,679 --> 00:37:32,119
on site. So the customer was
extremely happy because there were three use cases

488
00:37:32,199 --> 00:37:37,280
in a span of six weeks where
an individual who was someone that should not

489
00:37:37,360 --> 00:37:44,599
be on site was caught and was
identified prior to allowing that individual to get

490
00:37:44,599 --> 00:37:49,360
on site. So that's a great
example of the robustness of a solution.

491
00:37:49,559 --> 00:37:53,920
So safety, security, financial,
reconciliation, any of those things are important

492
00:37:53,920 --> 00:38:00,960
to your plants. The point that
Mike just made definitely speaks to what's

493
00:38:01,000 --> 00:38:07,159
been sticky in my mind throughout this
interview, which is that the technology that

494
00:38:07,199 --> 00:38:12,440
he's describing seems most useful to me, or rather most commonly useful, not

495
00:38:12,480 --> 00:38:16,599
necessarily in that crazy state-sponsored,
Stuxnet-like scenario where you're dealing with spies,

496
00:38:17,239 --> 00:38:22,199
but where you're dealing with more run
of the mill insider threats, which I

497
00:38:22,199 --> 00:38:27,599
imagine are going to be much more
common for customers of his. Although it

498
00:38:27,599 --> 00:38:30,559
occurs to me as well, I
don't know if I'm misunderstanding the exact nuances

499
00:38:31,119 --> 00:38:37,840
of the technology here that it might
make more sense to have like a list

500
00:38:37,880 --> 00:38:42,199
of people who are allowed on a
site and then just exclude everybody else by

501
00:38:42,239 --> 00:38:46,320
default, rather than having like an
expressly bad list and then going from there

502
00:38:46,440 --> 00:38:52,599
unless there's a good and a bad
list. In my best understanding, and

503
00:38:52,639 --> 00:38:54,599
I didn't quite ask the question this
way, but in my understanding, there

504
00:38:54,599 --> 00:39:00,559
are both an allowed and disallowed list. It's not like you allow everybody except

505
00:39:00,559 --> 00:39:05,400
people on the disallowed
list; you don't let any stranger into

506
00:39:05,400 --> 00:39:08,960
the site. My understanding is that
before you let someone in, they have

507
00:39:09,000 --> 00:39:14,159
to be entered into the system.
You might presumably enter them into the system

508
00:39:14,239 --> 00:39:20,239
when they arrive, but, you know, presumably, assuming they

509
00:39:20,239 --> 00:39:23,679
have someone to vouch for them,
their host at the site. But

510
00:39:23,920 --> 00:39:30,159
even if you have an allowed list, you know, the biometrics I

511
00:39:30,239 --> 00:39:34,800
think come into play when you have
a disallowed list. You've got biometric information

512
00:39:35,039 --> 00:39:38,519
for the people that are disallowed.
You know. In the example of the

513
00:39:38,800 --> 00:39:44,360
worker who changed vendors, they might
well have you know, I imagine they

514
00:39:44,400 --> 00:39:47,840
could have registered with their new employer
with a subtly different name, using a

515
00:39:47,920 --> 00:39:52,320
nickname instead of you know, the
long spelling of their full name, and

516
00:39:52,360 --> 00:39:57,199
they show up as a different name, a subtly different name, working for

517
00:39:57,239 --> 00:40:01,199
a completely different employer, making their
first visit to the site. So they

518
00:40:01,239 --> 00:40:07,280
are on the allowed list, but
then the disallowed list catches them because of

519
00:40:07,320 --> 00:40:12,800
the biometrics identify them as the same
person with a different name who's been banned

520
00:40:12,800 --> 00:40:19,440
from the site. Cool. Some
very convincing use cases. You know,

521
00:40:19,719 --> 00:40:22,119
let me ask you. We've been
talking about what you folks do. Can

522
00:40:22,159 --> 00:40:28,480
you talk about the future, what's
coming in this space? Well, I

523
00:40:28,519 --> 00:40:32,000
think, and this is kind of
ironic because we've talked a lot about visitor

524
00:40:32,039 --> 00:40:37,920
management and how we you know,
ensure the right folks come on site.

525
00:40:37,400 --> 00:40:42,840
But more recently there's been a lot
of shootings at substations. In fact,

526
00:40:42,920 --> 00:40:45,920
last year, I think it was
over one hundred and thirteen shootings at substations.

527
00:40:45,039 --> 00:40:49,679
So it's definitely got the attention of
a lot of executives in the space.

528
00:40:49,719 --> 00:40:53,440
And as a result of that,
we've partnered with a company and we're

529
00:40:53,519 --> 00:41:00,960
now producing what's called BOSS. It's
a ballistic overlay shield system and the intent

530
00:41:00,039 --> 00:41:07,960
of this is to provide enhanced ballistic
protection, security and resilience for substations and

531
00:41:07,000 --> 00:41:13,039
critical assets by reducing those potential attack
vectors and threats. Right, So you

532
00:41:13,079 --> 00:41:16,760
think about that room that we
talked about, that hypothetical room with all

533
00:41:16,800 --> 00:41:22,880
this network and security equipment being shot
at now is a physical threat. But

534
00:41:22,960 --> 00:41:27,960
again, you damage that equipment,
it creates a problem, and so we've

535
00:41:28,039 --> 00:41:31,679
developed a solution based out of, I
think it's polyethylene is the

536
00:41:31,719 --> 00:41:37,079
proper pronunciation, but it's been tested
by the US military for over two decades.

537
00:41:37,800 --> 00:41:43,599
But the solution we have now can
stop a seven six two round,

538
00:41:43,599 --> 00:41:47,639
which is typically fired from a three
oh eight Winchester hunting rifle or an

539
00:41:47,639 --> 00:41:52,320
AK forty seven. So as you
look at some of these threat vectors and

540
00:41:52,360 --> 00:41:54,960
threat actors, that type of caliber
and lower is probably what they're going to

541
00:41:55,079 --> 00:42:00,960
use to target your substation. Whether
it's just a disgruntled worker trying to get

542
00:42:00,000 --> 00:42:05,800
back or really somebody that's trying to
do damage. This is a big threat

543
00:42:05,840 --> 00:42:09,840
that we're seeing that has certainly got
the attention of many power utility executives,

544
00:42:10,400 --> 00:42:16,639
and we feel like in our ability
to call ourselves a risk company, this

545
00:42:16,719 --> 00:42:21,800
certainly fits the bill when we talk
about how do we reduce risk from those

546
00:42:21,800 --> 00:42:25,519
type of attacks at some of the
most critical systems like transformers or whatnot in

547
00:42:25,559 --> 00:42:30,519
the power utility space. There you
go. I mean, distressing that this is

548
00:42:30,519 --> 00:42:32,639
the world we live in, but
it is. I mean, this is, I

549
00:42:32,679 --> 00:42:37,599
guess, this is why we have jobs,
you know, physical security, cybersecurity,

550
00:42:37,639 --> 00:42:42,639
they interact. You know, thank
you for joining us and providing these insights.

551
00:42:42,840 --> 00:42:45,039
Before we let you go, can
you sum up for us? So at

552
00:42:45,079 --> 00:42:51,920
the beginning, Andrew, we were talking about tying
physical security and how it relates to cybersecurity.

553
00:42:52,000 --> 00:42:55,800
Right, So if we take cybersecurity
at the crux of it, that's

554
00:42:55,880 --> 00:43:01,280
the place where you can predominantly do
the most damage undetected in your facility.

555
00:43:01,400 --> 00:43:07,119
And so if you know that that's
one of the higher risks to your facility,

556
00:43:07,199 --> 00:43:10,320
to your infrastructure, you want to
make sure that that is protected from

557
00:43:10,320 --> 00:43:15,639
a physical standpoint. And taking cybersecurity
back to physical if I had a handful

558
00:43:15,679 --> 00:43:20,679
of takeaways, here's what I tell
you. Understand the risk that you have

559
00:43:20,760 --> 00:43:24,519
to your environment and what your tolerance
is for it. If, with manual processes like

560
00:43:24,599 --> 00:43:30,639
paper, you're willing to accept that
risk, then this is probably not for

561
00:43:30,679 --> 00:43:37,880
you. But if someone circumventing your
security, getting someone like an

562
00:43:37,880 --> 00:43:43,960
electrician to a switch room where you've
got problems, where you've got critical infrastructure

563
00:43:44,000 --> 00:43:45,760
that, if it gets damaged, can cause a big problem, you

564
00:43:45,800 --> 00:43:49,480
probably want to automate it. And
when you look at automating it, you

565
00:43:49,519 --> 00:43:54,039
want to make sure that you can
validate, enforce, and discover things about

566
00:43:54,039 --> 00:43:59,119
your organization. Right, so you
log the visitor, you validate their identity

567
00:43:59,119 --> 00:44:02,039
that they have a business need
to do that, you enforce your policies

568
00:44:02,079 --> 00:44:07,840
and procedures, and you discover trends
about the information that you're getting. If

569
00:44:07,880 --> 00:44:13,000
this sounds like something that piques your
interest or it's a need at your power

570
00:44:13,119 --> 00:44:16,800
utility, visit forcefive dot com.
We only work with power utility companies,

571
00:44:16,840 --> 00:44:20,800
or feel free to reach out to
me. You can find me on LinkedIn.

572
00:44:20,960 --> 00:44:22,880
Just look up Mike Almeida, the
same name you see in the podcast

573
00:44:22,920 --> 00:44:27,039
title. Andrew, thanks again for
having me on today. It's been a

574
00:44:27,039 --> 00:44:32,360
pleasure. Andrew, usually I ask
you for a last word here, but

575
00:44:32,599 --> 00:44:37,440
this episode has given me a lot
to think about. I think that the

576
00:44:37,519 --> 00:44:46,400
overall takeaway for me is that physical
security is dovetailed always with cybersecurity, that

577
00:44:46,440 --> 00:44:52,960
they are necessarily interlinked, and when
you don't have the former, you can't

578
00:44:52,960 --> 00:44:55,880
have the latter. And also,
you know we've done over one hundred episodes

579
00:44:55,920 --> 00:45:01,280
of this show. I think that
we sometimes take the physical security side for

580
00:45:01,480 --> 00:45:07,679
granted by talking about, you know,
everything else that happens on the computers as

581
00:45:07,679 --> 00:45:09,599
if that is just going to be
taken care of. But at the end

582
00:45:09,599 --> 00:45:14,280
of the day, you know,
you need people like Michael to do that

583
00:45:14,840 --> 00:45:19,679
basic, assumed, implicit work so
that then we can talk about the more

584
00:45:19,719 --> 00:45:23,679
sophisticated defenses that we spend all our
time on. Absolutely, I mean one

585
00:45:23,760 --> 00:45:29,360
of the principles that, you know, I talk about at conferences sometimes,

586
00:45:30,079 --> 00:45:32,079
you know, we talk about the
cyber perimeter. A lot of people say,

587
00:45:32,079 --> 00:45:35,480
oh, but the cyber perimeter is
it? You know, is there?

588
00:45:35,599 --> 00:45:37,360
Really? Is it dead? Because
you know there's experts on the IT

589
00:45:37,639 --> 00:45:42,519
side say the cyber perimeter is dead, and I come back with yes,

590
00:45:42,960 --> 00:45:45,440
but, and it might be dead on
IT networks. But you know, that's

591
00:45:45,440 --> 00:45:52,039
not the point. The point is
that all important industrial facilities have a physical

592
00:45:52,159 --> 00:45:57,880
security perimeter, all of them.
They all have, you know, if

593
00:45:57,920 --> 00:46:01,280
not guards, gates and guns,
at least you know, a fence and

594
00:46:01,639 --> 00:46:07,280
you know, a system like
Force Five at the turnstile letting people into

595
00:46:07,320 --> 00:46:09,360
and out of the site, controlling
access to the site. There's always a

596
00:46:09,400 --> 00:46:16,280
physical perimeter. You don't let the
public walk into a dangerous facility and you

597
00:46:16,400 --> 00:46:21,800
certainly don't want, you know,
random malicious actors walking into a dangerous facility.

598
00:46:21,840 --> 00:46:27,920
So yes, absolutely there's always a
physical perimeter. It's essential to cybersecurity.

599
00:46:28,000 --> 00:46:30,960
You don't have cybersecurity unless you have
physical security. So you know,

600
00:46:30,119 --> 00:46:35,960
good call. Well, thanks to
Michael Almeida for speaking about this with you,

601
00:46:36,079 --> 00:46:38,199
Andrew. And Andrew, as always, thank
you for speaking with me. It's always

602
00:46:38,239 --> 00:46:43,519
a pleasure. Thank you, Nate. This has been the Industrial Security Podcast

603
00:46:43,519 --> 00:46:46,000
from Waterfall. Thanks to everybody out
there listening.
