1 00:00:05,360 --> 00:00:10,240 As we're starting to see increased attacks affecting mining companies, you're starting to get 2 00:00:10,320 --> 00:00:17,559 boardrooms and senior leadership team going to their you know those cybersecurit leads or CSOs 3 00:00:17,679 --> 00:00:28,239 and going hey are we good? Welcome everyone to the Industrial Security Podcast. 4 00:00:28,559 --> 00:00:31,960 My name is Nate Nelson. I'm here as usual with Andrew Ginter, the 5 00:00:32,079 --> 00:00:37,560 vice president of Industrial Security at Waterfall Security Solutions, who will introduce the subject 6 00:00:37,600 --> 00:00:41,759 and guest of our show today. Andrew, how's it gone? I'm very 7 00:00:41,759 --> 00:00:45,240 well, Thank you, Nate. Our guest today is Rob Lebay. He 8 00:00:45,479 --> 00:00:49,960 is the chair of the Mining and Metals ISAAC, which is information sharing at 9 00:00:50,000 --> 00:00:56,640 Analysis Center, and he's going to be looking at industrial cybersecurity from you know, 10 00:00:56,679 --> 00:00:59,840 almost from an IT perspective. He's going to be taking us through SIXT 11 00:01:00,200 --> 00:01:07,760 to integrating it and ot you know networks, people processes everything. All Right, 12 00:01:07,920 --> 00:01:12,920 Then, without further ado, let's get into your interview. Hello Rob, 13 00:01:12,959 --> 00:01:17,719 and thank you for joining us on the podcast. Before we get started, 14 00:01:17,879 --> 00:01:19,760 can I ask you to say a few words about yourself for our listeners, 15 00:01:21,040 --> 00:01:23,040 and you know a few words about the good work that you're doing at 16 00:01:23,040 --> 00:01:29,400 the Metals and Mining IAC. Sure, absolutely. I'm Raphael Bay. I've 17 00:01:29,400 --> 00:01:36,079 been working in cybersecurity for just over twenty years, the last ten or so 18 00:01:36,359 --> 00:01:44,359 of them focused on securing in the mining industry, in particular operational technology. 19 00:01:45,560 --> 00:01:52,040 Through that process, we started the Mining Metals ISSAC to have a place where 20 00:01:52,120 --> 00:01:57,640 mining companies can work together and collaborate not just some intelligence, but also best 21 00:01:57,680 --> 00:02:04,640 practices and processes to secure or the operational technology in our plants and the autonomous 22 00:02:04,640 --> 00:02:09,840 systems in our minds. Thanks for that. Our topic is cybersecurity in in 23 00:02:09,960 --> 00:02:14,039 mining. We're talking about, you know, six steps to to integrate it 24 00:02:14,199 --> 00:02:17,360 and OT in the mining space. Before we dive into those details, though, 25 00:02:17,639 --> 00:02:20,599 you know, it's been a long time since we've had anyone on the 26 00:02:20,599 --> 00:02:25,039 show from the mining industry, and you're with the Metals and Mining Isaac. 27 00:02:27,560 --> 00:02:30,479 You know, I'm not sure we've ever had anyone on from metals. I'm 28 00:02:30,479 --> 00:02:34,080 not even sure what that is. So before we dive into security, can 29 00:02:34,120 --> 00:02:37,759 you can you give us sort of a big picture of the physical process. 30 00:02:37,840 --> 00:02:40,840 What is metals? What is mining? Um? You know, how are 31 00:02:40,879 --> 00:02:46,639 these systems automated? What are the kinds of cybersecurity concerns that you see in 32 00:02:46,879 --> 00:02:53,319 this industry. Metals and mining are two separate but very highly integrated and interdependent 33 00:02:53,960 --> 00:03:01,520 industries. So if we think about what this world needs as our economies change, 34 00:03:02,400 --> 00:03:08,840 as we work forward, move forward with de carbonization, with you know, 35 00:03:08,919 --> 00:03:15,120 clean energy, the reality is everything we have on this planet as a 36 00:03:15,159 --> 00:03:22,240 building block is either grown like our food or trees or lumber or its mind. 37 00:03:23,120 --> 00:03:27,800 So all the material we need to support this transition, whether it be 38 00:03:29,120 --> 00:03:32,479 you know, copper for electric cars or electric infrastructure, and you know cadmium 39 00:03:32,520 --> 00:03:38,400 and lithium for batteries, as steel for wind turbines, all of those commodities 40 00:03:39,120 --> 00:03:42,639 have to be mine. It's the only place we know how to get them 41 00:03:42,879 --> 00:03:49,759 today. And so when we think about you know, the metals industry, 42 00:03:49,840 --> 00:03:54,639 that's the next step in that process. As that or gets dug up and 43 00:03:54,840 --> 00:04:00,919 mine from the earth, then it's the process of refining that and turning it 44 00:04:00,000 --> 00:04:08,560 into usable metal UM that can be used to build UM you know, your 45 00:04:08,599 --> 00:04:15,840 tesla or your your wind turbine, UM or your power grid. So those 46 00:04:15,960 --> 00:04:21,560 those industries, as global industries are critical to to where we need to get 47 00:04:21,600 --> 00:04:28,399 to UM as a society, as a planet. And so if you think 48 00:04:28,439 --> 00:04:33,399 about what a mine might look like um. You know, at its core, 49 00:04:33,439 --> 00:04:38,720 it's a simple process, right, it's you know, taking big rocks, 50 00:04:38,759 --> 00:04:45,079 turning them into little rocks, and extracting the metals from those. But 51 00:04:45,240 --> 00:04:54,480 the process to do that is huge from a scale perspective. UM, when 52 00:04:54,480 --> 00:04:58,319 you look at open pit mining, which is commonly used in things like um, 53 00:04:58,360 --> 00:05:02,399 you know, copper and gold and zinc and other basement commodities. These 54 00:05:02,399 --> 00:05:10,720 are minds you can see from space. They are you know, several kilometers 55 00:05:10,839 --> 00:05:16,240 you know wide, some of them are several kilometers deep, and in those 56 00:05:16,399 --> 00:05:21,120 environments you've got you know, fleets of huge trucks. You know, these 57 00:05:21,160 --> 00:05:29,519 are trucks with seven hundred gun capacities of rocks. And while traditionally those are 58 00:05:29,680 --> 00:05:34,959 maintained and operated by drivers, we're at the point now we're very quickly those 59 00:05:34,959 --> 00:05:44,279 are being passed over to autonomous systems, and so those vehicles are becoming autonomous, 60 00:05:44,800 --> 00:05:49,360 you know, combined with the processes required to drill into the earth blast 61 00:05:49,439 --> 00:05:59,560 the rock away, though again traditionally done by people, but because we have 62 00:05:59,600 --> 00:06:03,839 a knee to de risk and make that safer and more efficient, those tasks 63 00:06:03,879 --> 00:06:11,240 are being turned over very rapidly. To autonomous automated systems. And then at 64 00:06:11,279 --> 00:06:15,360 the mind, you know, other minds are underground, and these are minds 65 00:06:15,399 --> 00:06:20,800 that have shafts running in a lot of cases dozens of kilometers deep into the 66 00:06:20,800 --> 00:06:26,319 earth. And then we've got you know, automated systems again for drilling, 67 00:06:26,360 --> 00:06:30,959 blasting, and hauling rock. But then we also have systems that are providing 68 00:06:30,279 --> 00:06:38,680 ventilation and fume control for the people that are working there. You know a 69 00:06:38,680 --> 00:06:43,199 lot of battery electric vehicles underground, and so we have charging infrastructure and electric 70 00:06:43,240 --> 00:06:49,199 infrastructure, and so you know the scale and the complexity of these well, 71 00:06:49,199 --> 00:06:55,839 they vary widely from mind to mind. In all cases, there's a significant 72 00:06:55,920 --> 00:07:02,879 safety safety risk component. There's a significant environmental component to ensure that we protect 73 00:07:02,920 --> 00:07:11,519 the environment while we do this and have left us in a position to reclaim 74 00:07:11,680 --> 00:07:16,480 that area of earth once we're done and return that to nature when the work 75 00:07:16,600 --> 00:07:26,319 is finished. So huge challenges from a safety from obviously from a production from 76 00:07:26,319 --> 00:07:34,240 an environmental sustainability perspective that goes into into mining. And then you know on 77 00:07:34,279 --> 00:07:39,199 the plant side, we have all the control systems you had seen any other 78 00:07:39,240 --> 00:07:45,560 manufacturing electric environment, so you know, data systems process control systems, you 79 00:07:45,600 --> 00:07:49,560 know, PLCs, motor control units, all of these systems are there. 80 00:07:51,639 --> 00:07:57,639 And then you remember these mines are typically not located in urban centers, you 81 00:07:57,279 --> 00:08:00,000 know, you don't put a mine in the middle of a major city. 82 00:08:00,040 --> 00:08:05,519 Are located in remote areas difficult to get two areas, which requires a lot 83 00:08:05,600 --> 00:08:16,480 of remote control and remote access to enable remote support in those places. So 84 00:08:16,560 --> 00:08:20,360 you take that complexity and you layer on an industry that's rapidly changing. UM 85 00:08:20,600 --> 00:08:28,040 it's an industry that's that's discovered the power of machine learning and artificial intelligence to 86 00:08:28,079 --> 00:08:33,720 optimize and make their their minds and their operation from safer, more sustainable, 87 00:08:33,559 --> 00:08:41,799 and to allow the mining of the posits that might not have been economically feasible 88 00:08:43,679 --> 00:08:50,679 using older methods. And so we've got these control systems and operational technology systems, 89 00:08:50,240 --> 00:08:54,440 you know, based on old technology in a lot of cases that was 90 00:08:54,039 --> 00:09:00,240 you know, designed several years ago or decades ago, and we're layering on 91 00:09:00,279 --> 00:09:07,679 top of that modern remote control, modern cloud based AI and machine learning on 92 00:09:07,799 --> 00:09:13,519 top of systems that whenever architectured were designed for that. You know, we're 93 00:09:13,840 --> 00:09:20,399 taking um autonomy and looking for ways to automated equipment that maybe wasn't originally architected 94 00:09:20,480 --> 00:09:24,159 for that, and so a lot of the challenges how do we do that 95 00:09:24,200 --> 00:09:30,799 in a safe way? You know, how do we protect an environment that's 96 00:09:30,919 --> 00:09:37,440 rapidly commoditizing and you know, specialist dual consentric ring mode bus and you know, 97 00:09:37,559 --> 00:09:45,360 specialists dedicated systems have been replaced by PC infrastructure, Windows networks and um, 98 00:09:46,159 --> 00:09:52,039 you know commodity, Cisco switches on top of that, you know, 99 00:09:52,200 --> 00:10:00,120 legacy OT environment. So there's a lot of challenges in the space to I'm 100 00:10:00,159 --> 00:10:05,240 sure we can keep production, but more importantly, to make sure that the 101 00:10:05,279 --> 00:10:09,279 teams at that site go home to the families every day, to be sure 102 00:10:09,320 --> 00:10:16,120 that the environment's protected so that those areas are there for us to us in 103 00:10:16,279 --> 00:10:20,399 nature, to use and live in and enjoy for the next hundred years. 104 00:10:20,919 --> 00:10:24,240 So, you know, it's a challenging space, makes an exciting space as 105 00:10:24,240 --> 00:10:30,639 we go forward. All Right, So Rob covered a lot there, but 106 00:10:30,679 --> 00:10:33,039 there's been something that he said early on that's been sitting with me, which 107 00:10:33,120 --> 00:10:39,559 is he was talking about automation and how automation is increasingly taking over for jobs 108 00:10:39,679 --> 00:10:43,759 in mining that we're historically done by people. Now Andrew, you and I 109 00:10:43,840 --> 00:10:50,039 talk a lot about safety on this show. How does the industrial security calculus 110 00:10:50,120 --> 00:10:56,559 change though, if in one of the most safety critical safety risk industries in 111 00:10:56,559 --> 00:11:01,519 industrial security, namely mining, you start to find fewer people at these actual 112 00:11:01,559 --> 00:11:07,840 sites, maybe then safety becomes a lower wrong of the totem pole because all 113 00:11:07,879 --> 00:11:11,360 the jobs being done by machines. That's a very good observation. And you 114 00:11:11,360 --> 00:11:18,200 know, the short answer is yes, you know, to me, it's 115 00:11:18,200 --> 00:11:20,960 a very good thing that jobs that were you know, historically putting human lives 116 00:11:22,000 --> 00:11:26,240 at risk if there was any kind of malfunction are being automated to the point 117 00:11:26,279 --> 00:11:31,840 where robots are taking the risk, not people anymore. But you know, 118 00:11:31,559 --> 00:11:37,679 all of this increased automation is sort of being coupled with remote operation, and 119 00:11:37,840 --> 00:11:43,720 remote means you know, you're communicating through the Internet, you've got software that's 120 00:11:43,759 --> 00:11:48,080 protecting you, not hardware. It's you know, you're increasing the risk, 121 00:11:48,720 --> 00:11:54,559 the cyber risk. Rather, you're increasing the opportunities for attack by operating everything 122 00:11:54,600 --> 00:12:01,639 remotely and by automating everything. But you're taking the safety consequence off the table, 123 00:12:01,879 --> 00:12:07,039 and in a sense this makes the the the cybersecurity calculus easier. Um, 124 00:12:07,200 --> 00:12:13,200 you still have very consequential potential outcomes, but they tend to be dollar 125 00:12:13,399 --> 00:12:18,840 outcomes, you know, large dollar outcomes, rather than human life outcomes. 126 00:12:18,200 --> 00:12:24,120 And so that does it does simplify your your your cybersecurity equations. Um, 127 00:12:26,159 --> 00:12:30,399 it's still a very big deal though. We're talking multi billion dollar investments in 128 00:12:30,440 --> 00:12:33,159 one of these big minds, so you're still talking about potentially you know, 129 00:12:33,279 --> 00:12:39,639 very serious consequences dollar wise and in a sense reliability wise, m if if 130 00:12:39,679 --> 00:12:45,120 you if you compromise these systems. But in a sense, it's easier to 131 00:12:45,679 --> 00:12:50,559 design security mechanisms for very large dollar losses than it is to design them for 132 00:12:50,879 --> 00:12:54,519 you know, large you know, human casualty losses. If you have a 133 00:12:54,519 --> 00:13:00,279 whole crew that's you know, underground and is at risk because you've met you 134 00:13:00,320 --> 00:13:05,440 know, somebody is messed with the ventilation, that's very very bad. Whereas 135 00:13:05,320 --> 00:13:09,960 you know, you know, a couple of these seven hundred times trucks colliding 136 00:13:11,240 --> 00:13:15,960 and you know, suffering massive damages with no human operators inside of them is 137 00:13:16,360 --> 00:13:20,639 very bad. It's not very very bad. So it does help. Now 138 00:13:20,840 --> 00:13:28,440 when you talk about it being easier to design security around money problems rather than 139 00:13:28,559 --> 00:13:33,279 human life problems, are you talking about just the sheer severity of the consequences, 140 00:13:33,320 --> 00:13:37,000 like the risks involved, Like it's so much more important to protect human 141 00:13:37,039 --> 00:13:41,440 lives, and so it's easier to just be talking about machines. Or is 142 00:13:41,480 --> 00:13:48,720 it that the nature of protecting against financial losses against machines is characteristically different, 143 00:13:48,759 --> 00:13:52,360 like the kinds of security you might otherwise be investing in talking about putting in 144 00:13:52,440 --> 00:13:56,960 place is easier to implement. It's it's a little both. But you know, 145 00:13:58,039 --> 00:14:00,759 let me give you some concrete examples on the safety side. If my 146 00:14:00,919 --> 00:14:07,159 life depended on an air fol system working, I would need to be confident 147 00:14:07,279 --> 00:14:13,399 that the computers controlling it are really secure. I would prefer that they were 148 00:14:13,440 --> 00:14:18,559 air gapped, that you could not reach them from remotely. I would prefer 149 00:14:18,600 --> 00:14:22,759 that there were mechanical fail safes, that there would be two and three sets 150 00:14:22,799 --> 00:14:26,200 of pumps to get the air down there and get the toxic fumes if any 151 00:14:26,279 --> 00:14:33,360 out. You know, there's extra redundancy, there's extra isolation requirements, there's 152 00:14:33,200 --> 00:14:39,960 you know, I would want detectors that are mechanical, not computer controlled. 153 00:14:39,000 --> 00:14:43,519 In addition to the computer controlled. There's just when you've got safety that you 154 00:14:43,600 --> 00:14:48,960 have entire layers or you know, two extra layers sometimes of protection in place. 155 00:14:50,360 --> 00:14:52,679 And so if you can eliminate a couple of those most expensive layers, 156 00:14:52,679 --> 00:15:00,440 it does simplify everything. And you know, if if everything's being operated remotely, 157 00:15:00,639 --> 00:15:05,240 I really don't want my safety system being operated remotely. Um. So 158 00:15:05,360 --> 00:15:13,600 again, you can operate equipment protection systems remotely sort of more confidently than operating 159 00:15:13,679 --> 00:15:18,120 human safety systems remotely because nobody's there at the plant. So yeah, it's 160 00:15:18,159 --> 00:15:24,000 it's it's a lillaboth. Wow, there's you know, there's a lot going 161 00:15:24,039 --> 00:15:28,559 on there. Um, it's a complicated space and you know we're going to 162 00:15:28,639 --> 00:15:31,679 be speaking to uh, you know, six steps to integrating it and OT 163 00:15:33,120 --> 00:15:37,840 uh you know, security wise and otherwise in the medals and mining industry, 164 00:15:39,039 --> 00:15:43,200 you know ITOT integration is a phrase that was coined in like I think two 165 00:15:43,200 --> 00:15:46,960 thousand and five or so by an analyst at the Gardner Group. Um, 166 00:15:48,519 --> 00:15:52,320 you know, it can mean integrating networks, you know, connecting up networks. 167 00:15:52,320 --> 00:15:56,919 It can mean integrating technology stacks. It can mean integrating teams and business 168 00:15:56,960 --> 00:16:03,399 processes. And like I said, this this kind of all started almost twenty 169 00:16:03,480 --> 00:16:08,440 years ago. So what does ITOT integration mean to you and to the industry, 170 00:16:08,960 --> 00:16:14,159 and you know, sort of what's the state of that process twenty years 171 00:16:14,200 --> 00:16:18,960 after it was kind of invented. Yeah, I think when I look at 172 00:16:18,000 --> 00:16:22,639 mining, and I think the same is true in a lot of the resource 173 00:16:22,759 --> 00:16:30,279 based operational technology spaces. When I look at mining even ten years ago, 174 00:16:33,039 --> 00:16:37,039 or even when looking five years ago, at most miners, you had your 175 00:16:37,039 --> 00:16:41,440 corporate network, corporate systems, and they've looked very much like any other business. 176 00:16:41,919 --> 00:16:49,679 And then you had at each mine an individual operational technology system, unique 177 00:16:49,679 --> 00:16:56,159 technology, unique design, unique architecture that is really driven by that site, 178 00:16:56,919 --> 00:17:02,519 that plant, that general manager owning that I'm really in a lot of ways, 179 00:17:03,200 --> 00:17:10,000 each mind, each operation being its own thief too. And what we've 180 00:17:10,039 --> 00:17:15,880 seen over the last ten years rapidly accelerating I would say for the last five 181 00:17:15,960 --> 00:17:25,000 years, is as technology changes and we have the ability to commoditize a lot 182 00:17:25,000 --> 00:17:29,920 of those systems that can drive down costs, which is wonderful, but it 183 00:17:30,039 --> 00:17:36,559 also opens up the door now to you know, using things like AI, 184 00:17:36,759 --> 00:17:45,079 machine learning to UM help optimize. So I mean that makes sense, you 185 00:17:45,119 --> 00:17:51,200 know, business wise, every every you know, industrial automation operation wants to 186 00:17:51,240 --> 00:17:53,480 improve their efficiencies. They want to use, you know, cheaper stuff. 187 00:17:53,480 --> 00:17:59,240 They want to use the standard stuff to reduce training costs. But you know, 188 00:17:59,359 --> 00:18:02,559 the more it in my books, you know, the more that OT 189 00:18:02,720 --> 00:18:07,319 systems look like IT systems, the more you can attack the OT systems the 190 00:18:07,440 --> 00:18:11,440 same way you attack the IT systems. And you know there's thousands of ransomware 191 00:18:11,960 --> 00:18:17,759 incidents on IT systems every year. We really can't afford that on the OT 192 00:18:17,920 --> 00:18:19,920 side. I mean, what do you do about I don't know, risk? 193 00:18:21,920 --> 00:18:25,240 Sort of, Yes, you're migrating technology, are you not also migrating 194 00:18:25,319 --> 00:18:30,880 risk? You are, and you're introducing new risks to the operations that maybe, 195 00:18:32,240 --> 00:18:36,960 you know, somebody who's been mining for twenty years hasn't had to think 196 00:18:36,960 --> 00:18:41,200 of before at the site level. You know, we're seeing now if you 197 00:18:41,359 --> 00:18:45,759 open up the news, you know almost quarterly, if not more often, 198 00:18:45,839 --> 00:18:51,119 a mining company needing to shut down operations because of a ransomware incident or the 199 00:18:51,240 --> 00:18:55,319 ransomware incident shutting it down for them. You know, there was one in 200 00:18:55,359 --> 00:19:00,799 Canada in January, for example. You know, another one in Germany in 201 00:19:00,880 --> 00:19:07,880 March, and so those are becoming exceedingly common. The other challenge risk wise 202 00:19:08,400 --> 00:19:15,039 is with the geopolitical situation globally, which you know, I've got no idea 203 00:19:15,039 --> 00:19:18,279 where it's going, but it's certainly not going to get less complicated. Mining 204 00:19:19,039 --> 00:19:23,759 and the metals industries sit at the beginning of every single global supply chain. 205 00:19:25,480 --> 00:19:32,799 So if we have adversaries that want to disrupt those supply chains, targeting mining 206 00:19:32,839 --> 00:19:41,599 in the metals industry is a great opportunity to interfere with international, national, 207 00:19:41,680 --> 00:19:48,000 international supply chains at a macro level very efficiently, because yeah, that's the 208 00:19:48,039 --> 00:19:52,680 commonplace they'll start. And so the risk is going up and the accessibility of 209 00:19:52,680 --> 00:19:57,839 the systems is going up, and so because of that, we're starting to 210 00:19:57,880 --> 00:20:06,799 see last face three years, the corporate IT teams being asked to step into 211 00:20:07,000 --> 00:20:11,359 operational technology to you know, sort to manage that risk, to secure those 212 00:20:11,400 --> 00:20:18,720 systems, to secure those plans, and quite frankly will last few years. 213 00:20:19,240 --> 00:20:23,640 Those teams are struggling, and so one of the focuses for me and for 214 00:20:23,680 --> 00:20:29,920 the I FACT is to come up with a plan or a cycle or a 215 00:20:30,000 --> 00:20:38,880 model that those teams can apply and use in order to secure operational technology from 216 00:20:38,920 --> 00:20:44,559 the I T side and secure that shared technology and our you know, our 217 00:20:44,599 --> 00:20:48,880 topic is six steps to integrating itnot This was a an article you wrote recently 218 00:20:49,039 --> 00:20:53,119 sort of summarizing your your experience in the field. These six steps that you're 219 00:20:53,119 --> 00:21:00,000 talking about, what what are they? So really it starts with key So 220 00:21:00,240 --> 00:21:07,240 the steps, the first stages really are learning and building relationships with the people 221 00:21:07,240 --> 00:21:12,839 of sight and establishing trust. The next the next two are really a bit 222 00:21:12,920 --> 00:21:19,720 understanding the technology. It's understanding the assets and understanding the risks and quantifying those 223 00:21:19,839 --> 00:21:25,839 risks. And then the last you know, then we get into deploying tools 224 00:21:25,920 --> 00:21:33,680 and TTPs and practices to that environment, followed by testing invalidation of what you've 225 00:21:33,680 --> 00:21:38,319 done to be short, actually working, and so you know those are those 226 00:21:38,359 --> 00:21:44,680 are those six steps going through? Okay, and it all starts with relationships. 227 00:21:44,720 --> 00:21:47,839 Can you can you take a little deeper? What what is building relationships 228 00:21:47,920 --> 00:21:55,680 mean? So when I started pushing or deploying, you know, into operational 229 00:21:55,759 --> 00:22:00,519 technology, you know a lot of teams make the mistake of thinking that the 230 00:22:00,640 --> 00:22:04,319 technology is the same Windows as Windows, active directors, active directory at Cisco, 231 00:22:04,400 --> 00:22:11,759 switches at Cisco switch. But really in the environment of mining, where 232 00:22:11,039 --> 00:22:17,160 safety is such an issue, reliance and such an issue. The environment that 233 00:22:17,240 --> 00:22:22,720 you run in is very different. It's not a it's a it's an environment 234 00:22:22,720 --> 00:22:30,359 where availability and safetyre king, not data integrity. For example. You need 235 00:22:30,400 --> 00:22:33,319 to take the time to learn the process, to learn the business, to 236 00:22:33,440 --> 00:22:41,359 build relationships with people, to understand what's going on. Really, that phase 237 00:22:41,720 --> 00:22:45,880 is really about learning that operation, how it works, and earning your right 238 00:22:47,960 --> 00:22:52,559 to be at the table upsite. Building the relationships you know from the top 239 00:22:52,640 --> 00:22:57,559 down. So if you're sitting in a senior Mind managers meeting the GM, 240 00:22:57,599 --> 00:23:02,559 you at least understand all the words that are being spoken at that meeting that 241 00:23:02,839 --> 00:23:07,759 it's no longer a foreign language to you. That you know all the people 242 00:23:08,200 --> 00:23:11,680 that are there, You understand what their priorities are, what keeps them up 243 00:23:11,680 --> 00:23:18,359 at night. So that's that first step, and really I consider that earning 244 00:23:18,359 --> 00:23:23,680 your right to be at the table. So once you've earned that right to 245 00:23:23,839 --> 00:23:33,519 be at that table, it then becomes an exercise of establishing trust in your 246 00:23:33,559 --> 00:23:41,200 abilities and your team's abilities not just to secure stuff, but to deliver on 247 00:23:41,319 --> 00:23:48,599 and protect what's important to that site. And it's in these conversations that a 248 00:23:48,599 --> 00:23:52,359 lot of security people make mistakes because they'll go in and say, well, 249 00:23:52,480 --> 00:23:56,759 here's the right way to do something. The right way to patch is to 250 00:23:56,880 --> 00:24:00,759 patch monthly, you know, right after patch shoose day. We have to 251 00:24:00,799 --> 00:24:07,079 get rid of these legacy you know Windows ninety eight or Windows XP systems that 252 00:24:07,160 --> 00:24:10,519 are kicking around. We just we have to do that. But the reality 253 00:24:10,680 --> 00:24:15,160 is in operational technology, the right thing to do is not often correct. 254 00:24:15,200 --> 00:24:25,680 It's not always correct, and so by building trust and understanding how you can 255 00:24:25,720 --> 00:24:32,359 adjust security posture to what you learned in the previous step, you start to 256 00:24:32,359 --> 00:24:37,759 be seen as somebody who has the priorities of that operation as your priorities, 257 00:24:37,119 --> 00:24:45,240 not trying to just push security best practices from the IT side. In the 258 00:24:45,319 --> 00:24:52,319 beginning of the industrial security revolution, engineers were told to use IT security principles, 259 00:24:52,720 --> 00:24:56,160 protect the information. We were told. We knew this was a poor 260 00:24:56,240 --> 00:25:00,640 fit, but it was all we had. Today. The top security priority 261 00:25:00,759 --> 00:25:06,960 at industrial sites is safety. Don't kill anyone, don't cause an environmental disaster. 262 00:25:07,519 --> 00:25:11,640 And the second priority is reliability. Do not shut down our factory or 263 00:25:11,680 --> 00:25:18,400 infrastructure. Today, safe and reliable operations use unhackable protections from cyber risks, 264 00:25:18,759 --> 00:25:25,279 not just cybersecurity. For a deeper look at the evolution of the revolution. 265 00:25:25,599 --> 00:25:30,559 We invite you to download Waterfall's report on the Emerging Consensus for Industrial Security Engineering. 266 00:25:32,119 --> 00:25:37,839 You can access the report at the Waterfall website Waterfall dash Security dot com, 267 00:25:37,920 --> 00:25:42,000 slash Engineering dash Consensus, or just go to the resources menu and click 268 00:25:42,039 --> 00:25:48,319 on white papers and ebooks. So, Nate, let me, you know, 269 00:25:48,400 --> 00:25:51,799 let me chime in here and just sort of remind you and our listeners 270 00:25:52,119 --> 00:25:56,200 of something I mentioned in the introduction. You heard Rob give his sort of, 271 00:25:56,319 --> 00:26:00,839 you know, description of his background. He came from the IT space 272 00:26:00,079 --> 00:26:07,839 into cybersecurity and mining, which is sort of a bit of an unusual perspective 273 00:26:07,680 --> 00:26:12,680 on the space. I'm thinking the last one hundred episodes of the show here, 274 00:26:14,160 --> 00:26:18,359 most of our guests have been from the engineering side talking about cybersecurity. 275 00:26:18,599 --> 00:26:22,920 You know, in the first fifteen years of the industrial security discipline, it 276 00:26:22,960 --> 00:26:30,759 was mostly engineers who were responsible and stayed responsible for the you know, the 277 00:26:30,799 --> 00:26:36,559 industrial automation for the physical process. And you know, we're sort of pulled 278 00:26:36,559 --> 00:26:38,720 into the cybersecurity because they had to. It was a new risk. They 279 00:26:38,720 --> 00:26:41,480 had to deal with it. This is what engineers do. They took advice 280 00:26:41,559 --> 00:26:48,599 from the IT people, what we're seeing in the last about five years is 281 00:26:48,079 --> 00:26:56,319 that increasingly enterprise security teams are being told you're now responsible for industrial cybersecurity, 282 00:26:56,720 --> 00:27:00,559 go fix that problem. This is something that you did not really see, 283 00:27:00,759 --> 00:27:03,559 you know, in the first ten fifteen years of the discipline. We are 284 00:27:03,599 --> 00:27:10,240 seeing it very recently. And so you know, Rob's perspective here really is 285 00:27:10,440 --> 00:27:15,000 he's giving advice to IT teams, to enterprise security teams who are sort of 286 00:27:15,039 --> 00:27:19,440 going through the same life cycle heated, which is here, you're responsible. 287 00:27:19,480 --> 00:27:23,359 Now, you figure out how to work with the engineers. You figure out 288 00:27:23,599 --> 00:27:27,000 how to make this happen, because you're the ones that you know are going 289 00:27:27,039 --> 00:27:32,640 to be held accountable if if there's an incident at the MIND And so you 290 00:27:32,680 --> 00:27:37,160 know Rob's perspective here's a little unusual because he's giving advice to IT people sort 291 00:27:37,200 --> 00:27:41,519 of as an IT person who's made the transition, not as an engineer saying 292 00:27:41,559 --> 00:27:45,039 here's what I wish you would do. You know, here's Rob's is telling 293 00:27:45,119 --> 00:27:52,640 us what actually worked for him. That's the first two steps. Build relationships, 294 00:27:52,720 --> 00:27:56,519 established trust. They both those those both sound like sort of people focused 295 00:27:56,960 --> 00:28:02,759 tasks and goals. You know, you've got four more steps are we you 296 00:28:02,759 --> 00:28:06,240 know, do you dive into the technology next? What comes next? So 297 00:28:06,799 --> 00:28:11,799 you know, once you've taken the time to build relationships and trust, the 298 00:28:11,839 --> 00:28:17,119 next piece is to really understand the technology landscape and the assets of that site. 299 00:28:18,200 --> 00:28:22,279 And it's a bit different the IT world where IT land. We often 300 00:28:22,359 --> 00:28:27,079 have a CMDB that lists all of our systems, or we can run a 301 00:28:27,160 --> 00:28:33,200 scanner to discover all the systems on the network. Can get us started on 302 00:28:33,200 --> 00:28:41,359 that process. Those don't work in the operation. We can't use scanners to 303 00:28:41,400 --> 00:28:49,119 find things. Oftentimes assets are listed in maintenance systems or on spreadsheets or SharePoint 304 00:28:49,160 --> 00:28:55,240 lists, very non traditional places. So you've got a process to go through 305 00:28:55,359 --> 00:29:00,480 to not only find and identify all the assets, but also have a great 306 00:29:02,240 --> 00:29:07,640 sense of what they do. What part of the plant do they drive? 307 00:29:07,880 --> 00:29:11,440 Are they safety sensitive? What happens as we go down is something we're to 308 00:29:11,480 --> 00:29:15,880 fail? What's the worst thing that could happen? Does the protest stoppers? 309 00:29:15,880 --> 00:29:19,640 Somebody get hurt? And that process will take a while as you dig through 310 00:29:19,680 --> 00:29:22,880 not only the maintenance systems, but a lot of things you're not going to 311 00:29:22,960 --> 00:29:30,079 find. You may have to walk the site and identify and find assets yourself. 312 00:29:30,160 --> 00:29:37,200 You might have to use passive network monitoring pulling data off switches and logs 313 00:29:37,240 --> 00:29:41,839 off switches to find assets. And you know, you might have to do 314 00:29:41,880 --> 00:29:45,519 a search on showdown and find those assets that might not even be connected to 315 00:29:45,519 --> 00:29:51,359 your network but might have se SIM cards in them and actually be connected to 316 00:29:51,440 --> 00:29:59,319 the public cell network in those environments. And so you can't underestimate the challenge 317 00:29:59,319 --> 00:30:07,920 of identify those assets. And then the final piece of the context is actually 318 00:30:07,039 --> 00:30:12,119 quantifying the risk. So that's where we take the assets to be found. 319 00:30:12,279 --> 00:30:19,920 The process, we've learned the actual threat information in mining that would come from 320 00:30:21,240 --> 00:30:26,160 the mining a metal's IAC or other sources, and actually begin to use a 321 00:30:26,200 --> 00:30:33,039 model to quantify that risk and communicate it. I once spent two months shadowing 322 00:30:33,039 --> 00:30:38,839 a MIND general manager, and everybody going into his office told him how the 323 00:30:38,920 --> 00:30:44,440 sky was falling, the world was going to come to an end. They 324 00:30:44,519 --> 00:30:49,720 become very quickly immune to the chicken little sky is falling. Five. So 325 00:30:49,799 --> 00:30:53,720 you have to take the risks, quantify them into dollars with some model, 326 00:30:53,799 --> 00:31:00,599 whether you use fare or some other quantification model, and and actually quantify the 327 00:31:00,720 --> 00:31:06,200 risks so you can prioritize where you've got to focus and where you've got to 328 00:31:06,279 --> 00:31:12,640 work based on actual risk numbers. Okay, so understand the assets, quantify 329 00:31:12,680 --> 00:31:18,519 the risks so that your your business decision makers can make you informed decisions. 330 00:31:18,240 --> 00:31:25,000 What's next in this process? So the next thing you're going to do is 331 00:31:26,079 --> 00:31:30,160 for the risks and the controls you identify, you identified as things you're going 332 00:31:30,240 --> 00:31:37,000 to help mitigate with cybersecurity controls. Anyways, then you're going to start to 333 00:31:37,039 --> 00:31:45,839 look at extending your security measures from it in COOT space, So you're going 334 00:31:45,920 --> 00:31:51,240 to do things again starting from looking at your existing run books and playbooks for 335 00:31:51,359 --> 00:31:56,279 things like into response. How do you have to update and modify them to 336 00:31:56,480 --> 00:32:01,960 work well at site? See in the operational technology space, what about the 337 00:32:02,119 --> 00:32:08,559 security technology that you have, your endpoint solutions, your network solutions. Can 338 00:32:08,599 --> 00:32:15,319 they be safely extended into operational technology or do you have to procure something different? 339 00:32:15,920 --> 00:32:20,000 You know, I'm a big fan of finding an endpoint edr or I 340 00:32:20,039 --> 00:32:23,920 guess the buzzword these days is XDR solution that can work across it and OT. 341 00:32:25,240 --> 00:32:28,359 You may be able to do that, you maybe not. You're going 342 00:32:28,400 --> 00:32:34,200 to look at things like extending logging coverage and log aggregation there. So then 343 00:32:34,240 --> 00:32:37,720 you're going to start to look at extending your base controls so that you can 344 00:32:37,759 --> 00:32:43,839 start to mitigate that risk and you start training the team. And that brings 345 00:32:43,960 --> 00:32:47,200 us to the last step of the cycle, which is testing invalidation. Once 346 00:32:47,240 --> 00:32:55,279 you've worked through that process and you've done the testing, you've done the validation, 347 00:32:55,920 --> 00:33:00,079 and that might look like some automated control testing, but it should also 348 00:33:00,160 --> 00:33:07,720 involve an incident tabletop at that site to be sure that your plans are working, 349 00:33:07,920 --> 00:33:13,000 that it integrates with the site emergency procedures and processes, that all those 350 00:33:13,000 --> 00:33:15,880 things are working. You know, before you can kind of hang the mission 351 00:33:15,880 --> 00:33:22,039 accomplished banner and you know have the team barbecue, make sure you take that 352 00:33:22,200 --> 00:33:28,880 time to test and validate that what you're doing is actually working and that well, 353 00:33:28,960 --> 00:33:34,680 that's the last step in my article identifies it's a cycle. And it's 354 00:33:34,680 --> 00:33:42,000 a cycle because as the site introduces new technology, same machine learning or AI, 355 00:33:42,480 --> 00:33:45,319 as the people change, a new general manager gets appointed, a new 356 00:33:45,319 --> 00:33:52,279 plant manager comes in, you have to start back with the building relationships, 357 00:33:53,279 --> 00:33:58,920 building trust. All of that cycle starts again. So it's not a one 358 00:33:58,920 --> 00:34:02,759 and done. Um, you don't get to finish and go, oh, 359 00:34:02,799 --> 00:34:06,359 that was really hard and I got that done. I don't have to worry 360 00:34:06,400 --> 00:34:08,480 about this again. Um, as soon as you get there, you're you're 361 00:34:08,519 --> 00:34:15,440 starting it again with the new people, the new technology at sight you started 362 00:34:15,519 --> 00:34:19,880 personally in the IT space. This this whole discussion has been it you know, 363 00:34:20,239 --> 00:34:22,880 is or at least you know, enterprise security is coming in and saying, 364 00:34:22,920 --> 00:34:24,920 you know, guys, we have to do something and you know, 365 00:34:24,960 --> 00:34:30,639 here's advice to to to the security team to uh, you know, make 366 00:34:30,719 --> 00:34:37,519 that process more effective. Um. Is this sort of unique to your experience 367 00:34:37,639 --> 00:34:40,760 or is this sort of a more common experience in the mining industry who's leading 368 00:34:42,360 --> 00:34:46,360 uh, you know, the the the charge in terms of driving security into 369 00:34:46,360 --> 00:34:51,440 OT. Is this something that tends to be happening from the the IT side 370 00:34:51,440 --> 00:34:57,679 in mining more so than not. It's interesting in mining, um, you 371 00:34:57,719 --> 00:35:00,800 know, because if you look at a mining company, this is an organization 372 00:35:00,960 --> 00:35:07,039 that will derive ninety plus percent of their revenue and carry most of and all 373 00:35:07,079 --> 00:35:14,519 of their safety environmental risk at sight. Yet traditionally, up until I would 374 00:35:14,519 --> 00:35:19,920 say, you know, five years ago, at most mining companies, the 375 00:35:19,960 --> 00:35:29,159 cybersecurity information security function only impacted it. The whole OT stuff was at a 376 00:35:29,239 --> 00:35:32,519 scope and it's you know, it's almost comical to think that, you know, 377 00:35:34,480 --> 00:35:37,519 you're in charge of securing an organization get you're out of scoping ninety percent 378 00:35:37,559 --> 00:35:43,159 of the revenue generation and one hundred percent of the safety environmental risk. You 379 00:35:43,199 --> 00:35:45,519 know, when you think about it, it seems a little bit nonsensical, 380 00:35:45,840 --> 00:35:52,320 because it is. And so now as we're starting to see increased attacks affecting 381 00:35:52,360 --> 00:36:01,119 mining companies, you're starting to get boardrooms and senior leadership teams going to their 382 00:36:01,920 --> 00:36:06,800 you know, those type of secure leads or CSOs and going hey, are 383 00:36:06,800 --> 00:36:13,000 we good, and they're The answer they've been getting back is a very unsatisfactory 384 00:36:13,079 --> 00:36:19,239 version of I don't know, which is typically followed by some kind of a 385 00:36:19,400 --> 00:36:23,760 direction to go figure it out. And where this process comes from is now 386 00:36:23,800 --> 00:36:30,280 we have these IT security teams being chartered, instructed however you want to call 387 00:36:30,320 --> 00:36:36,159 it, to go take care of this OT thing so we don't become like, 388 00:36:36,920 --> 00:36:39,760 you know, pick your company in the news. And they've been getting 389 00:36:39,760 --> 00:36:45,920 a lot of pushback and a lot of struggle um overall. And so really 390 00:36:45,920 --> 00:36:52,840 what this process is designed to do is to overcome that that pushback and struggle 391 00:36:52,920 --> 00:36:55,519 that they're they're they're hitting at sight with the engineering teams, with the mind 392 00:36:55,559 --> 00:37:04,199 management teams who may be at the beginning don't see, didn't see cybersecurity as 393 00:37:04,280 --> 00:37:07,760 critical to their world. Um, you know, I've got bigger issues. 394 00:37:07,880 --> 00:37:10,000 Life would be great if you know, the biggest issue I got down to 395 00:37:10,360 --> 00:37:15,079 was, you know, cybersecurity. I've got you know, union contracts and 396 00:37:15,320 --> 00:37:20,280 communities, and I've got you know, supply chain issues on fuel and parts 397 00:37:20,320 --> 00:37:24,440 and all kinds of issues in my world that are potentially going to get in 398 00:37:24,480 --> 00:37:29,880 the way of my success. You know, they didn't see cyber They don't 399 00:37:30,000 --> 00:37:35,440 see at that site level always cybersecurity being one of those things that can get 400 00:37:35,440 --> 00:37:38,119 in their way of their success until it is. And so the drive is 401 00:37:38,159 --> 00:37:44,559 coming from the boardrooms in a lot of cases, and the senior management teams 402 00:37:45,760 --> 00:37:50,360 to the CSOs and to the security teams to you know, go figure this 403 00:37:50,400 --> 00:37:55,559 thing out. Is the drive I'm seeing in mining. You know that sounds 404 00:37:55,679 --> 00:38:00,880 relatively opposite to how we usually conceive of things, At least on this show. 405 00:38:00,920 --> 00:38:06,840 We've spent plenty of conversation talking about how to convince boards of the necessity 406 00:38:06,840 --> 00:38:12,079 of cybersecurity, how to shake loose budget. But here he's saying that the 407 00:38:12,239 --> 00:38:16,280 initiative comes down from the board to the cybersecurity people. Yes, and that 408 00:38:16,280 --> 00:38:20,840 that is unusual. But you know, I have to wonder, is this 409 00:38:20,960 --> 00:38:25,800 another example of scale because when we're dealing with, you know, the oil 410 00:38:25,840 --> 00:38:30,679 and gas majors, they've been leaders in cybersecurity from the beginning. It was 411 00:38:30,920 --> 00:38:34,079 you know, it was always understood that they had to do cybersecurity. Right. 412 00:38:34,440 --> 00:38:37,559 When we're talking smaller operators that are much more cash constrained, you have 413 00:38:37,599 --> 00:38:42,840 to worry about shaking shaking budget loose. You know. To me, what 414 00:38:42,920 --> 00:38:45,880 I see in the industry is more awareness, awareness across the board in the 415 00:38:45,880 --> 00:38:51,320 board sorry, you know board level, you know, feet on the street 416 00:38:51,400 --> 00:38:55,719 level, every and everything in between. Um, it sounds like you know 417 00:38:55,719 --> 00:39:00,519 what I've observed in the rail industry. I know, rail will sort of 418 00:39:00,519 --> 00:39:05,519 head down for a century safety safety, safety, safety, And it's like 419 00:39:05,599 --> 00:39:09,960 they looked up recently and said, oh, shoot, cyber we have to 420 00:39:10,000 --> 00:39:15,000 do that too. You know, without without cybersecurity, we don't have safety. 421 00:39:15,519 --> 00:39:20,199 And they've embraced cybersecurity. There's standards coming out this progress. It sounds 422 00:39:20,239 --> 00:39:23,039 almost like that might be what's happening in mining, but I don't have enough 423 00:39:23,119 --> 00:39:25,800 data points to be to be confident to that. Well. I do have 424 00:39:25,880 --> 00:39:31,639 one data point in addition to you know, the information Rob's giving us. 425 00:39:31,800 --> 00:39:38,559 I was talking recently to a the CSO of a large mining operation, and 426 00:39:39,480 --> 00:39:45,119 he said, Andrew, you know, the investment in minds is in a 427 00:39:45,159 --> 00:39:51,039 sense cyclic. You have a big, massive upfront capital investment, and then 428 00:39:51,159 --> 00:39:54,360 once you've built the mind at a cost of you know, two billion dollars, 429 00:39:54,400 --> 00:39:59,760 it starts producing and then there's a cash crunch and you need to p 430 00:40:00,119 --> 00:40:04,880 douce extremely efficiently to be competitive in the marketplace. And so you know, 431 00:40:05,800 --> 00:40:08,960 the place to put, you know, the opportunity, the easy opportunity to 432 00:40:08,960 --> 00:40:15,280 get cybersecurity or anything into your mind is during the capital phase of the project, 433 00:40:15,639 --> 00:40:20,400 not the you know, stretch every dollar operations phase. But um, 434 00:40:20,440 --> 00:40:22,760 you know, a if there's a new awareness of risk at the board level, 435 00:40:22,800 --> 00:40:27,159 that's a that's a factor. And be what he said was, look, 436 00:40:27,239 --> 00:40:30,480 Andrew, I've been in the industry a long time. He said, 437 00:40:30,719 --> 00:40:34,280 Um, the you know, after you've operated a mind for ten, twelve, 438 00:40:34,360 --> 00:40:37,480 fifteen years, Um, there comes a point where you say, you 439 00:40:37,519 --> 00:40:42,599 know, we have to modernize because we can become more efficient as a result, 440 00:40:42,679 --> 00:40:45,199 because we can exploit another part of the of the resource. Uh, 441 00:40:45,280 --> 00:40:49,719 you know, if we modernize, and so there's you know, after after 442 00:40:49,760 --> 00:40:52,800 a period of running there, you know, ten twelve years, there tends 443 00:40:52,840 --> 00:40:57,719 to be another massive capital injection. I gained. It's an opportunity to get 444 00:40:57,800 --> 00:41:01,800 your new automation, new security, new every thing what he said was and 445 00:41:01,920 --> 00:41:06,039 what he's observed in the industry is that from time to time there's sort of 446 00:41:06,239 --> 00:41:10,880 episodes where almost every mine on the planet looks around and says, there's new 447 00:41:10,920 --> 00:41:14,599 stuff out there, we have to do it. And there's over a period 448 00:41:14,639 --> 00:41:19,719 of three and four years, there's an episode where most of the mining operations 449 00:41:19,719 --> 00:41:22,840 on the planet upgrade, and he says, in his estimation, one of 450 00:41:22,880 --> 00:41:28,320 these is coming up. There's AI, there's cloud based systems, there's new 451 00:41:28,480 --> 00:41:32,039 kinds of automation, there's new kinds of efficiencies that everybody needs to leverage in 452 00:41:32,079 --> 00:41:36,440 their mining operation. And so it looks like, you know, the these 453 00:41:36,679 --> 00:41:39,360 uh, you know, these these stars might be aligning. The boards have 454 00:41:39,480 --> 00:41:44,360 become aware of cybersecurity and they want to fix it. And you know, 455 00:41:44,440 --> 00:41:47,320 if if the gentleman I was talking to is right, there's an opportunity where 456 00:41:47,360 --> 00:41:52,079 almost everybody is going to be investing a large number of hundreds of millions of 457 00:41:52,039 --> 00:41:58,639 dollars or more into their mining operations to take advantage of modern automation. And 458 00:41:58,719 --> 00:42:01,800 you know, we can we can do the automation and this cybersecurity at once. 459 00:42:01,880 --> 00:42:05,639 If if this is what's coming out, so that's in a sense good 460 00:42:05,679 --> 00:42:09,880 news we can look forward to. This has been great, Rob. Thank 461 00:42:09,880 --> 00:42:14,360 you for joining us. Before we let you go, can you sum up 462 00:42:14,360 --> 00:42:15,760 for us? What should we take away? What's the you know, the 463 00:42:16,039 --> 00:42:21,400 number one thing to remember about this this advice you're giving us. For me, 464 00:42:21,559 --> 00:42:28,840 especially as a security professional, the opportunity to reach into the operation technology 465 00:42:29,559 --> 00:42:32,039 you know when I started working like ten years ago, is a golden opportunity 466 00:42:32,159 --> 00:42:37,000 you shouldn't pass up. It's a chance to really work on securing what matters, 467 00:42:37,400 --> 00:42:42,119 to really work on helping protect people's safety, helping protect the environment, 468 00:42:42,239 --> 00:42:47,480 helping protect sustainability. It's a great opportunity when you get you know, asked 469 00:42:47,559 --> 00:42:52,679 to go do that. But unlike a lot of other areas, you can 470 00:42:52,760 --> 00:43:00,800 only move as fast as you build trust operational technology. Security is the most 471 00:43:00,000 --> 00:43:07,639 human of all security disciplines because you're affecting people's safety, you're affecting people's sense 472 00:43:07,679 --> 00:43:14,719 of well being. Unlike almost any other discipline of security, you have to 473 00:43:14,800 --> 00:43:21,119 go slow. Take the time to build the trust. Those first two steps 474 00:43:21,159 --> 00:43:27,559 could take a year, sometimes more. Take the time that those need to 475 00:43:27,599 --> 00:43:34,039 get right, and you'll get it done safely. You'll get it done efficiently, 476 00:43:34,159 --> 00:43:38,079 and you'll end up with something that gives you a secure, sustainable, 477 00:43:38,239 --> 00:43:43,639 reliable operation going forward. If this is something you've sort of been charged with, 478 00:43:43,880 --> 00:43:49,719 I do encourage you to pop onto the minumental Iacs website or LinkedIn you 479 00:43:49,760 --> 00:43:52,639 can. You can find the article that we reference here today. And you 480 00:43:52,679 --> 00:43:57,360 know, I spend an hour in a webcast digging into this a bit deeper. 481 00:43:57,400 --> 00:44:00,719 So you're you're more than welcome to download and to watch that webcasts as 482 00:44:00,719 --> 00:44:07,639 well. So, Andrew, that was your conversation with Rob Leabay, Do 483 00:44:07,679 --> 00:44:12,360 you have any final insights to take us out with today. I've been learning 484 00:44:12,400 --> 00:44:15,320 a lot about the mining industry. I'm very grateful that Rob was able to 485 00:44:15,400 --> 00:44:19,519 join us. You know, he's the CEO of the Mining and Metals ISAAC. 486 00:44:20,199 --> 00:44:24,920 UM. You know, the the ISAAC is comparatively new. They're you 487 00:44:24,920 --> 00:44:29,559 know, they're looking for new members. UM. I think there's like two 488 00:44:29,639 --> 00:44:32,000 years old. UM. Some other information about the ISAAC. If if you 489 00:44:32,039 --> 00:44:36,480 want to get involved in the metals and mining industry, UM, you know, 490 00:44:36,519 --> 00:44:42,039 Waterfall is getting involved. This is how I know rob Um. Rob 491 00:44:42,079 --> 00:44:47,639 didn't mention it, but he is also hosting a podcast for the ISAAC. 492 00:44:47,800 --> 00:44:53,599 The first episode is up on the ISAAC. It's h mmisac dot org and 493 00:44:53,880 --> 00:44:57,320 the first episode is up there. So I'm going to be listening to to 494 00:44:57,840 --> 00:45:01,639 his podcast as well. M There's other opportunities to get involved in cybersecurity at 495 00:45:01,639 --> 00:45:07,280 the ISAAC. The one that I'm thinking of that I'm looking to become involved 496 00:45:07,280 --> 00:45:12,360 with. They have a committee that is working out how to interact with cloud 497 00:45:12,440 --> 00:45:20,400 based AI programs. The concrete example was, look, every shovel of ore 498 00:45:20,519 --> 00:45:22,880 that comes out of a mine, you know, is a sort of a 499 00:45:22,960 --> 00:45:27,039 quantum of seven or eight hundred tons of ore. Every shovel is different, 500 00:45:27,559 --> 00:45:29,920 and so they take the shovel of ore, they dump it on the truck 501 00:45:30,000 --> 00:45:34,480 they're driving it to the primary processing facility and they're analyzing this stuff, you 502 00:45:34,480 --> 00:45:37,000 know, in the course of filling the shovel and dumping it on the truck 503 00:45:37,000 --> 00:45:40,280 and driving it away, and they're sending all the analysis into the cloud, 504 00:45:40,360 --> 00:45:45,719 and the cloud based AI figures out how to process that shovel of ore optimally 505 00:45:45,800 --> 00:45:50,679 and sends the optimal processing instructions back into the mind. So, in a 506 00:45:50,719 --> 00:45:54,519 real sense, you've got cloud based AI controlling part of the mining process, 507 00:45:54,559 --> 00:45:58,960 part of the primary processing system, and you know, how do you do 508 00:45:59,000 --> 00:46:00,639 that safely? This is how thing I'm keenly interested in, and you know, 509 00:46:00,679 --> 00:46:04,960 I hope to be working with the committee. So if you're interested in 510 00:46:05,039 --> 00:46:07,920 the medals of mining ISAC. Again, it's comparatively new, it's a couple 511 00:46:07,920 --> 00:46:12,599 of years old, and there's opportunities to get involved, to learn more about 512 00:46:12,599 --> 00:46:16,800 it on Rob's podcast, and to contribute to the process MMISAC dot org. 513 00:46:17,480 --> 00:46:21,559 All right, Well, with that, thanks to Rob Lebey for speaking with 514 00:46:21,599 --> 00:46:23,800 you, Andrew, and Andrew, as always, thanks for speaking with me. 515 00:46:24,480 --> 00:46:28,280 It's always a pleasure. Thank you, Nate. This has been the 516 00:46:28,320 --> 00:46:31,719 Industrial Security podcast from Waterfall. Thanks to everybody out there listening.