1
00:00:04,360 --> 00:00:08,720
Speaker 1: There isn't one team that does troubleshooting in an industrial

2
00:00:08,759 --> 00:00:12,960
control system. There are so many complex parts. There are

3
00:00:13,000 --> 00:00:16,199
literally thousands of people working at some of these large

4
00:00:16,239 --> 00:00:18,079
companies that I've worked at.

5
00:00:19,039 --> 00:00:28,359
Speaker 2: And welcome listeners to the Industrial Security Podcast. My name

6
00:00:28,399 --> 00:00:31,399
is Nate Nelson. I'm here with Andrew Ginter, the vice

7
00:00:31,440 --> 00:00:35,759
president of Industrial Security at Waterfall Security Solutions, who's going

8
00:00:35,799 --> 00:00:39,240
to introduce the subject and guest of our show today. Andrew,

9
00:00:39,479 --> 00:00:39,799
how are you?

10
00:00:40,560 --> 00:00:43,159
Speaker 3: I'm very well, thank you, Nate. Our guest today is

11
00:00:43,240 --> 00:00:47,719
Doug Lease. He is a longtime security practitioner. He's the

12
00:00:47,920 --> 00:00:54,479
technical manager of Detection and Design at Enbridge, and Enbridge,

13
00:00:54,520 --> 00:00:57,200
if you're not familiar, runs what I believe is the

14
00:00:57,240 --> 00:01:03,520
world's largest petrochemical or longest petrochemical liquids pipeline and a

15
00:01:03,640 --> 00:01:06,560
very large network of natural gas pipelines as well. So

16
00:01:06,599 --> 00:01:10,560
we're talking oil and gas and our topic is staffing,

17
00:01:10,680 --> 00:01:16,239
is finding people who can work on cybersecurity in these environments.

18
00:01:16,799 --> 00:01:20,280
Speaker 2: Then, without further ado, here's your conversation with Doug.

19
00:01:23,120 --> 00:01:26,560
Speaker 4: Hello, Doug, and welcome to the podcast. Before we get started,

20
00:01:26,560 --> 00:01:28,640
can I ask you to say a few words about

21
00:01:28,640 --> 00:01:31,040
yourself and your background and about the good work that

22
00:01:31,079 --> 00:01:32,239
you're doing at Enbridge.

23
00:01:32,640 --> 00:01:36,640
Speaker 1: Thanks for having me on this morning. Yeah, I've been

24
00:01:37,560 --> 00:01:44,719
actively involved in IT and telecom for almost thirty years now.

25
00:01:44,799 --> 00:01:48,560
It's been a while, and because I've always been working

26
00:01:48,560 --> 00:01:54,560
out of Western Canada, I'm really acquainted with a number

27
00:01:54,560 --> 00:01:59,000
of different oil and gas operations and telecom providers and

28
00:01:59,120 --> 00:02:03,680
the rather adventurous things we had to do in Alberta

29
00:02:03,879 --> 00:02:08,039
twenty thirty years ago to get businesses to work. And

30
00:02:09,080 --> 00:02:14,479
over the last eighteen years or so, I've been actively

31
00:02:14,520 --> 00:02:18,080
involved in cybersecurity as my only job. But when I

32
00:02:18,120 --> 00:02:23,120
started doing this, there was no separate cybersecurity discipline. It

33
00:02:23,199 --> 00:02:26,360
was just part of being a system administrator. You also

34
00:02:26,400 --> 00:02:31,199
took care of the security of your systems. But like

35
00:02:31,240 --> 00:02:34,560
I said, being in Alberta, a number of my customers

36
00:02:34,599 --> 00:02:40,639
over the years are oil and gas or electrical producers,

37
00:02:41,400 --> 00:02:46,319
and currently I'm at a company called Enbridge, who are

38
00:02:47,199 --> 00:02:51,759
the second largest I believe, oil and gas pipeline company

39
00:02:51,759 --> 00:02:56,800
in North America. I don't represent the Enbridge here, but

40
00:02:57,159 --> 00:02:59,120
I'm very proud of the work that they do do

41
00:03:00,080 --> 00:03:04,639
and I'm well acquainted with the cybersecurity challenges that that

42
00:03:04,759 --> 00:03:07,840
company and another large oil and gas company that I

43
00:03:07,879 --> 00:03:13,680
worked for for five years before that, are facing every day.

44
00:03:13,879 --> 00:03:18,439
Speaker 4: Our topic is finding people, finding the right kind of

45
00:03:18,479 --> 00:03:25,400
people to do OT security for these big, important physical processes.

46
00:03:25,879 --> 00:03:29,560
At Enbridge, you've been doing this kind of recruiting. What

47
00:03:29,599 --> 00:03:31,319
does this mean who you're looking for?

48
00:03:32,520 --> 00:03:37,199
Speaker 1: Well, I think the first thing you're looking for is

49
00:03:38,400 --> 00:03:45,360
people that understand cybersecurity challenges. But the special fit here

50
00:03:45,520 --> 00:03:49,280
is that we're not you know, although we have a

51
00:03:49,319 --> 00:03:55,360
significant IT infrastructure to support the business itself, we're not

52
00:03:55,479 --> 00:03:56,120
a bank.

53
00:03:56,439 --> 00:03:56,680
Speaker 4: You know.

54
00:03:58,560 --> 00:04:03,479
Speaker 1: Our physical process are controlled by a lot of technology

55
00:04:04,159 --> 00:04:09,919
choices and every large you know, some people call them

56
00:04:09,919 --> 00:04:13,159
SCADA systems, some people call them DCS, some people just

57
00:04:13,240 --> 00:04:17,240
call it OT. But in the end, you're using a

58
00:04:17,319 --> 00:04:23,720
computer to manipulate electricity, to turn on big motors and

59
00:04:24,160 --> 00:04:31,120
compressors and valves, and you're also taking measurements from physical processes.

60
00:04:31,680 --> 00:04:35,839
You know, like previous place I worked at, they they

61
00:04:35,920 --> 00:04:40,360
extracted bitumen from sand with you know, chemicals and heat,

62
00:04:40,519 --> 00:04:43,600
and you know, these are big processes the size of

63
00:04:43,959 --> 00:04:48,160
you know, giant buildings and all of that stuff's controlled

64
00:04:48,199 --> 00:04:53,519
by computers. So I'm always curious when we you know,

65
00:04:53,560 --> 00:04:58,240
when we're talking to somebody about cyber in the physical world, like,

66
00:04:58,319 --> 00:05:02,519
what do you know about OT? And you know, you're

67
00:05:02,600 --> 00:05:06,399
quite right, there's not very many people that even know

68
00:05:07,439 --> 00:05:12,399
what those terms like RTU and PLC mean. But I

69
00:05:12,480 --> 00:05:16,319
think there's even fewer that grasp it's controlling the something's

70
00:05:16,439 --> 00:05:20,680
the size of a jet engine sometimes and what if

71
00:05:20,680 --> 00:05:25,279
that's the wrong instruction, then what happens, Well, it blows apart.

72
00:05:27,560 --> 00:05:32,519
Grasping that physical part of it is a challenge, and

73
00:05:32,759 --> 00:05:35,120
we don't find too many people to walk in the

74
00:05:35,279 --> 00:05:39,480
door with that kind of skill, but it is something

75
00:05:39,560 --> 00:05:45,639
that you know, we've been working on as an industry.

76
00:05:45,680 --> 00:05:49,279
Really here in Calgary, we've been training for this for

77
00:05:49,759 --> 00:05:54,279
probably eight ten years, getting people very aware of these

78
00:05:54,360 --> 00:05:59,040
processes and what's going on. And occasionally somebody will put

79
00:05:59,079 --> 00:06:01,879
their hand up and say, find this very interesting and

80
00:06:01,920 --> 00:06:04,759
I'd want to learn more, and at that point you

81
00:06:05,519 --> 00:06:10,319
invest time in helping them learn. But a lot of

82
00:06:10,360 --> 00:06:15,360
it you can pick up just by reading and you know,

83
00:06:15,680 --> 00:06:19,759
watching you presentations from Ian l and a few others,

84
00:06:19,800 --> 00:06:22,839
so conceptually you get it. But I think the best

85
00:06:22,879 --> 00:06:25,000
fit is bring them out to the field and let

86
00:06:25,040 --> 00:06:27,680
them see firsthand, what's what's really going on.

87
00:06:29,120 --> 00:06:32,959
Speaker 4: It sounds like you're saying it doesn't matter who you recruit.

88
00:06:34,040 --> 00:06:36,959
Anybody you recruit, there's going to have to be some

89
00:06:37,439 --> 00:06:40,160
learning that goes on. It might be, you know, training,

90
00:06:40,199 --> 00:06:44,360
it might be on the job, so learning. Yes. Let

91
00:06:44,360 --> 00:06:49,160
me ask you though, if if you're going to train

92
00:06:49,279 --> 00:06:53,319
people on the job, what are you selecting for then

93
00:06:53,439 --> 00:06:55,160
if you're going to teach them what they already what

94
00:06:55,199 --> 00:06:55,759
they need to know.

95
00:06:56,959 --> 00:06:59,959
Speaker 1: I think one of the first things we we look

96
00:07:00,160 --> 00:07:04,240
for is people that are at least familiar with what

97
00:07:04,519 --> 00:07:08,079
is what is going on. So if somebody comes to

98
00:07:08,160 --> 00:07:12,240
interview you and they don't even understand the nature of

99
00:07:12,279 --> 00:07:16,680
your business and how OT fits into there, you know,

100
00:07:17,639 --> 00:07:22,519
it's a that's a problem. You know, Like I'm always

101
00:07:22,560 --> 00:07:25,759
looking for somebody that's going to be interested in doing

102
00:07:25,800 --> 00:07:28,920
some upfront research and taking some of that initiative on

103
00:07:28,959 --> 00:07:33,839
their own, and that's an indicator that they're trainable because

104
00:07:34,480 --> 00:07:38,040
everybody's agreeable in the interview, but you know, do they

105
00:07:38,079 --> 00:07:44,519
have a history or a habit of that I'm looking at.

106
00:07:44,800 --> 00:07:48,639
You know, We've had a number of people hired over

107
00:07:48,680 --> 00:07:52,639
the last few years where I'm working and I've sat

108
00:07:52,720 --> 00:07:54,399
in on a lot of the interviews, and one of

109
00:07:54,399 --> 00:07:59,199
the things we we do is even in the interview,

110
00:07:59,519 --> 00:08:04,199
we provide a like a pop quiz in a scenario

111
00:08:05,720 --> 00:08:09,000
and ask for the answer. And it's not really even

112
00:08:09,079 --> 00:08:14,360
where they whether they get the answer, it's the willingness

113
00:08:14,399 --> 00:08:19,600
to take that challenge on spur the moment and come

114
00:08:19,680 --> 00:08:23,120
up with something that appears there was some thought behind it.

115
00:08:23,160 --> 00:08:26,160
Even if it's the wrong path. That's not as important

116
00:08:26,199 --> 00:08:29,560
as are is somebody willing to think on their feet

117
00:08:30,680 --> 00:08:38,519
and you know, change their mindset immediately. Because in cybersecurity operations,

118
00:08:39,039 --> 00:08:43,080
everything's going along great and two minutes later you're in

119
00:08:43,120 --> 00:08:47,759
the middle of something. It happens that fast, and especially

120
00:08:47,799 --> 00:08:50,120
at the start of it, it's very unclear what you're

121
00:08:50,120 --> 00:08:53,240
in the middle of. It could be fairly benign or

122
00:08:53,240 --> 00:08:57,759
it could be very serious. And over the last twenty

123
00:08:57,840 --> 00:09:00,440
some years of incident response work.

124
00:09:00,200 --> 00:09:00,600
Speaker 4: I've.

125
00:09:02,360 --> 00:09:04,399
Speaker 1: I won't say I've seen it all, but I've seen

126
00:09:04,440 --> 00:09:11,039
a lot of different you know, gravity of situations. So,

127
00:09:11,320 --> 00:09:14,840
are is their head even capable of making that quick

128
00:09:14,919 --> 00:09:16,559
pivot and focus on the job.

129
00:09:19,679 --> 00:09:23,879
Speaker 2: So Andrew thoughts on Doug's process for finding the right

130
00:09:23,960 --> 00:09:26,240
kinds of people for industrial security jobs.

131
00:09:26,600 --> 00:09:28,799
Speaker 3: I don't hire a lot of technical people. I run

132
00:09:28,840 --> 00:09:32,320
a small, very small technical team at Waterfall, but you know,

133
00:09:32,480 --> 00:09:36,840
in the past, not so much cybersecurity, just general development.

134
00:09:36,879 --> 00:09:39,519
I mean I at one point led a large team

135
00:09:39,600 --> 00:09:43,320
thirty forty fifty people of technical people, a lot of

136
00:09:43,360 --> 00:09:47,759
whom were developing products. Actually some of it was security product,

137
00:09:48,120 --> 00:09:51,879
others of it was control system product. Product that you know,

138
00:09:52,519 --> 00:09:57,120
organizations like Enbridge used to automate their pipeline millions of

139
00:09:57,200 --> 00:10:00,679
lines of code. Very complicated. You know, I never figure

140
00:10:00,720 --> 00:10:05,840
out pop quiz wise what would be a useful a

141
00:10:05,960 --> 00:10:08,399
useful pop quiz. I could never wrap my head around that.

142
00:10:08,480 --> 00:10:13,440
I did something different, you know. I would ask people

143
00:10:13,559 --> 00:10:17,919
if they were interested in something, something technical, what was that?

144
00:10:18,000 --> 00:10:19,960
Could they explain to me what they've been doing that

145
00:10:20,080 --> 00:10:22,399
in that space? And they, you know, some of them

146
00:10:22,440 --> 00:10:25,120
would would look at me a little bit embarrassed. Yeah.

147
00:10:24,559 --> 00:10:27,919
I write games in my spare time. Really what kind

148
00:10:27,919 --> 00:10:31,120
of games? Well, you know, there's some graphics, there's some

149
00:10:31,120 --> 00:10:34,240
some you know, some simulation behind the scenes, it's multiplayer,

150
00:10:34,279 --> 00:10:38,200
there's communications involved on going. That's gold. I need all

151
00:10:38,240 --> 00:10:41,639
of those skills in my team, you know, or they

152
00:10:41,720 --> 00:10:44,879
might say, you know, I've been doing stuff with I

153
00:10:44,919 --> 00:10:47,799
don't know, audio editing.

154
00:10:48,399 --> 00:10:48,600
Speaker 4: You know.

155
00:10:49,919 --> 00:10:52,120
Speaker 3: In a sense, it didn't matter what they were doing.

156
00:10:52,159 --> 00:10:56,159
The field was so broad. What we needed was to

157
00:10:56,279 --> 00:11:00,720
find people who were interested in something, and they migrate

158
00:11:00,840 --> 00:11:05,639
sort of naturally within the organization to tasks to development

159
00:11:05,679 --> 00:11:09,919
tasks that involved the kind of thing they were interested in.

160
00:11:10,120 --> 00:11:14,519
Why is this useful because in my experience, you learn faster,

161
00:11:14,759 --> 00:11:18,440
you learn more thoroughly about things that you're interested in.

162
00:11:18,519 --> 00:11:21,960
So it's really useful to have something that you're interested in.

163
00:11:22,039 --> 00:11:25,879
That was my trick for sort of weeding through the applicants,

164
00:11:26,440 --> 00:11:30,360
you know, from the people who really didn't care what

165
00:11:30,399 --> 00:11:33,200
they did all day every day and they turned the

166
00:11:33,240 --> 00:11:36,120
whole thing off at five o'clock, versus people who actually

167
00:11:36,559 --> 00:11:42,840
would sort of grow and expand and excel in the

168
00:11:42,919 --> 00:11:45,440
job because they loved the piece of it that they

169
00:11:45,440 --> 00:11:45,879
were doing.

170
00:11:45,960 --> 00:11:47,120
Speaker 1: That was that was my trick.

171
00:11:47,600 --> 00:11:52,759
Speaker 3: And I think everybody needs something, because you know, when

172
00:11:52,759 --> 00:11:55,720
you're hiring, you put the job posting out and you know,

173
00:11:56,879 --> 00:12:00,960
if you're lucky, you get one hundred people applying. Now

174
00:12:00,960 --> 00:12:03,320
you've got to reject ninety nine of them. How do

175
00:12:03,360 --> 00:12:05,200
you do that? It's just it's hard.

176
00:12:08,120 --> 00:12:12,399
Speaker 4: I would hope that there's a fair pool of people

177
00:12:12,440 --> 00:12:15,720
out there who can think on their feet. How hard

178
00:12:15,799 --> 00:12:18,840
is it to find the people that you're looking for? Is?

179
00:12:18,879 --> 00:12:21,159
You know, do you have lots of candidates to choose from?

180
00:12:21,200 --> 00:12:24,320
Where are you? Are you digging here? Yeah?

181
00:12:24,399 --> 00:12:26,960
Speaker 1: I think for the most part we are, which is

182
00:12:27,159 --> 00:12:33,399
surprising because you keep reading about the uh, you know,

183
00:12:33,440 --> 00:12:36,519
we as an industry, not we specifically at Enbridge. We

184
00:12:36,639 --> 00:12:40,840
as an industry because I'm also involved with Calgary

185
00:12:41,039 --> 00:12:45,519
BSides and a couple of the local education institutions here. So,

186
00:12:47,320 --> 00:12:51,840
like yourself, I talk to students quite regularly and without

187
00:12:51,879 --> 00:12:54,399
a doubt it's the number one question, and how do

188
00:12:54,480 --> 00:12:59,960
I get into cyber? And my answer is often disappointing

189
00:13:00,080 --> 00:13:03,519
for them, is they go get into it first and

190
00:13:03,679 --> 00:13:08,759
understand it, or if you want to do OT cyber,

191
00:13:09,120 --> 00:13:12,840
go do some OT field work and learn how to

192
00:13:12,919 --> 00:13:16,799
do some of those things. But it's kind of hard

193
00:13:16,879 --> 00:13:20,240
when they've already spent a good deal of time trying

194
00:13:20,240 --> 00:13:23,279
to navigate a curriculum that says they're going to be

195
00:13:23,320 --> 00:13:27,279
guaranteed a job. At the other end, I think there's

196
00:13:27,320 --> 00:13:31,600
a lot of requirements in the industry for technologists and

197
00:13:31,720 --> 00:13:39,039
people who understand how computers work. But every company is

198
00:13:39,120 --> 00:13:43,000
interested in hitting the ground running. And when you're bringing

199
00:13:43,000 --> 00:13:48,279
in somebody that's out of schools and they've not ever

200
00:13:48,360 --> 00:13:52,240
worked in the field, I think it's really an investment

201
00:13:52,320 --> 00:14:00,720
on the organization's part to make that person more useful,

202
00:14:00,759 --> 00:14:03,559
so to speak. And you know, it's not their fault.

203
00:14:03,639 --> 00:14:07,840
We've all started at the beginning, and I think when

204
00:14:07,840 --> 00:14:11,360
I got into it, there was even less people willing

205
00:14:11,440 --> 00:14:14,440
to do this, so I got the chance. But I

206
00:14:14,519 --> 00:14:18,559
think it is I think there is that expectation that

207
00:14:18,639 --> 00:14:22,080
you're going to want to hire people with experience, and

208
00:14:22,159 --> 00:14:25,639
the people that don't have experience yet have no way

209
00:14:25,639 --> 00:14:29,200
to get it until they get that job. And I'm

210
00:14:29,399 --> 00:14:32,320
thinking that some of these labor issues are a catch

211
00:14:32,440 --> 00:14:37,240
twenty two invented by this whole supply demand curve, and

212
00:14:37,919 --> 00:14:41,159
there isn't as much of an entry level way in

213
00:14:41,320 --> 00:14:45,600
cyber as people think. And I'm not sure that's a

214
00:14:45,720 --> 00:14:51,320
bad thing, because we are talking about protecting organizations and

215
00:14:51,519 --> 00:14:56,360
in the case of an industrial control system company, literally

216
00:14:56,440 --> 00:14:59,480
billions of dollars worth of stuff that is, you know,

217
00:15:00,360 --> 00:15:02,960
dangerous to work with and everything. But even if it

218
00:15:03,120 --> 00:15:07,240
was a smaller company and it was just their credit

219
00:15:07,240 --> 00:15:11,960
cards and HR records, that can still ruin a company.

220
00:15:12,080 --> 00:15:16,159
So do you really want a junior person starting there

221
00:15:16,279 --> 00:15:18,200
or do you want them starting on the help desk

222
00:15:19,120 --> 00:15:21,240
where you know there's a lot of recovery.

223
00:15:21,279 --> 00:15:25,039
Speaker 4: Well, go room if we can. Let's let's get specific.

224
00:15:25,120 --> 00:15:29,039
I understand that you were recently looking for some or

225
00:15:29,120 --> 00:15:31,080
you know this is what you do you always look for.

226
00:15:31,159 --> 00:15:37,159
I don't know OT incident responders. Can I ask you,

227
00:15:37,159 --> 00:15:40,600
you know, how how does that? How does that work?

228
00:15:40,600 --> 00:15:44,440
How do you you know, how did that work for you?

229
00:15:44,440 --> 00:15:47,200
You know, let me take a side trip for a second.

230
00:15:47,240 --> 00:15:49,399
You know, it's possible to do some back of the

231
00:15:49,519 --> 00:15:53,279
envelope calculations. When I do that very rough numbers, it

232
00:15:53,480 --> 00:15:57,240
seems to me there's fifty times five zero times as

233
00:15:57,320 --> 00:16:00,919
many you know IT security experts in the world as

234
00:16:01,039 --> 00:16:03,600
OT security experts. If you put out a call for

235
00:16:03,720 --> 00:16:06,799
incident responders, I'm guessing you're going to get a lot

236
00:16:06,840 --> 00:16:10,240
of IT respondents. How do you deal with that? This,

237
00:16:10,480 --> 00:16:14,679
you know is there's what's the difference, you know, in

238
00:16:14,759 --> 00:16:17,159
terms of what you're looking for? Between an IT incident

239
00:16:17,240 --> 00:16:19,799
responder that presumably there's lots of them out there, and

240
00:16:20,000 --> 00:16:23,120
OT incident responders that you know might be in short supply.

241
00:16:23,679 --> 00:16:28,840
Speaker 1: They're definitely in short supply. You know, I still question

242
00:16:28,960 --> 00:16:32,440
whether I'm one of those people. Some days I think

243
00:16:32,519 --> 00:16:34,919
I am. Most people think I am, which is good.

244
00:16:35,559 --> 00:16:40,600
But I've talked with other people at other companies, and

245
00:16:40,919 --> 00:16:43,639
you know, a lot of people don't put this together.

246
00:16:43,799 --> 00:16:47,200
But there's industrial control systems everywhere. I have a friend

247
00:16:47,240 --> 00:16:50,159
of mine that works UPT at a large airline and

248
00:16:50,200 --> 00:16:53,639
they have he said, five flying SCADA systems on

249
00:16:53,879 --> 00:16:57,080
every plane. It's like, great, what could go wrong here?

250
00:16:57,879 --> 00:17:05,119
And absolutely, when you know physical processes are controlled by computers,

251
00:17:05,920 --> 00:17:08,480
it's all the same. If there's a mistake, there's a

252
00:17:08,519 --> 00:17:15,160
physical outcome and people are affected. And if anybody ever

253
00:17:15,880 --> 00:17:19,000
answers an interview question like what's the difference between IT

254
00:17:19,319 --> 00:17:23,880
and OT with something as succinct as computers will affect

255
00:17:23,920 --> 00:17:28,319
physical processes, you know that I would cancel all the

256
00:17:28,359 --> 00:17:31,319
rest of the interviews because that is the problem. But

257
00:17:31,400 --> 00:17:34,559
I don't think we're very good at articulating that as

258
00:17:34,559 --> 00:17:41,240
an industry. I I think the bigger challenge is that

259
00:17:41,720 --> 00:17:46,759
an official OT incident responder and an IT incident responder

260
00:17:46,839 --> 00:17:53,000
aren't necessarily distinguishable on the outset unless you look at

261
00:17:53,000 --> 00:17:55,920
their resume and say, well, previously they were a SCADA

262
00:17:56,000 --> 00:17:59,920
controls engineer or something like that. But this field

263
00:18:00,119 --> 00:18:04,920
doesn't tend to attract people that are building the equipment,

264
00:18:05,400 --> 00:18:09,960
so we're always kind of an add on. So far,

265
00:18:10,119 --> 00:18:13,640
I only know of one person who was well into

266
00:18:13,720 --> 00:18:17,079
the operation side and then moved over to cyber. It

267
00:18:17,279 --> 00:18:21,000
tends to be the other way around where cyber folks

268
00:18:21,039 --> 00:18:26,720
get interested in OT, and so we look for people

269
00:18:26,799 --> 00:18:35,200
with relatable experience and then you know, train accordingly, because

270
00:18:35,880 --> 00:18:40,039
especially at the start, the equipment we're using is exactly

271
00:18:40,079 --> 00:18:43,960
the same. You know, a log analytics platform at a

272
00:18:44,000 --> 00:18:48,480
bank is exactly the same one that is running in

273
00:18:48,519 --> 00:18:53,880
a you know, in an OT shop. But the difference

274
00:18:54,640 --> 00:18:58,759
is what the context of those incidents mean. You know,

275
00:18:58,960 --> 00:19:04,160
that computer is experiencing an issue. What's it controlling? Is

276
00:19:04,200 --> 00:19:07,160
it just a PI historian that nobody cares about? Or

277
00:19:07,200 --> 00:19:12,559
is it a you know, an extraction you know controller

278
00:19:12,599 --> 00:19:17,200
of some sort or or a flow computer. So getting

279
00:19:17,200 --> 00:19:21,119
that context switch is something you can train for. But

280
00:19:21,599 --> 00:19:25,519
if somebody doesn't understand how to hunt through data and

281
00:19:26,160 --> 00:19:32,359
separate operational events that are unusual but not outside the normal,

282
00:19:33,279 --> 00:19:37,839
compared to something like, uh, you know, an actual attack.

283
00:19:38,359 --> 00:19:45,039
It's it's not going to be distinguishable. We we often

284
00:19:45,359 --> 00:19:49,160
start as I'm training people on this area, you know,

285
00:19:49,279 --> 00:19:51,319
and it's worked out well. We've had a number of

286
00:19:51,359 --> 00:19:54,359
people go through. It's like one simple question: is it an

287
00:19:54,359 --> 00:19:58,000
intrusion or not? And if you're not sure, what's the

288
00:19:58,039 --> 00:20:00,920
first question you had asked? To try and start narrowing

289
00:20:00,960 --> 00:20:04,200
that down. And so I take more of a binary

290
00:20:04,279 --> 00:20:10,279
decision tree approach and we've turned that into a very

291
00:20:10,319 --> 00:20:13,519
repeatable process. So we've had some good success with that.

292
00:20:14,160 --> 00:20:18,319
But the trick with that is bringing people that understand

293
00:20:18,359 --> 00:20:23,359
the technology on the OT side into the equation how

294
00:20:23,359 --> 00:20:25,960
do I tell these two things apart? And then you

295
00:20:26,000 --> 00:20:29,400
start to get into stuff like was it happening at

296
00:20:29,400 --> 00:20:32,720
three in the morning? Yes, okay, that's not unusual in

297
00:20:32,759 --> 00:20:39,240
an industrial control platform, but it's outside their normal change windows. Okay,

298
00:20:40,400 --> 00:20:42,759
was there an incident? Where would I go check for that?

299
00:20:43,000 --> 00:20:46,279
And they kind of work your way backwards, right, so

300
00:20:46,519 --> 00:20:49,720
it takes longer. You certainly don't have a blinky light

301
00:20:49,799 --> 00:20:54,279
on a screen saying, you know, coker number forty seven

302
00:20:54,440 --> 00:20:57,920
is on fire. You have a fire system for that, right,

303
00:20:58,319 --> 00:21:01,039
So it's harder in the digital world to see that.

304
00:21:04,440 --> 00:21:08,119
Speaker 2: So I know it was a reference in passing and

305
00:21:08,759 --> 00:21:12,039
not mathematically accurate. Is meant to make a point. But

306
00:21:12,160 --> 00:21:15,039
you were talking to Doug there and you said something to

307
00:21:15,079 --> 00:21:17,359
the effect of how there are like fifty to one

308
00:21:17,480 --> 00:21:21,839
IT security professionals out there compared to OT, and that

309
00:21:21,920 --> 00:21:25,680
also rings with my experience too. I'm wondering, is it

310
00:21:25,759 --> 00:21:28,720
that the threats to IT are so much more common

311
00:21:28,720 --> 00:21:31,359
that you just end up with so many more IT professionals,

312
00:21:31,920 --> 00:21:36,720
or is there some reason why, relatively speaking, OT struggles

313
00:21:36,759 --> 00:21:39,759
to attract talent compared to how many people we need

314
00:21:40,200 --> 00:21:42,960
relative to IT, which seems to do a little bit better.

315
00:21:43,880 --> 00:21:45,599
Speaker 3: I think the short answer is I don't know. I mean,

316
00:21:45,640 --> 00:21:49,119
I can speculate. The back of the of the envelope

317
00:21:49,160 --> 00:21:51,880
that I did was I went to there's a thing

318
00:21:51,960 --> 00:21:56,079
called Google Trends, and it doesn't give you hard numbers,

319
00:21:56,119 --> 00:21:58,920
but you can put a query in there, and you know,

320
00:21:59,000 --> 00:22:01,599
it'll show you sort of interest in the query over time,

321
00:22:01,599 --> 00:22:04,960
who's searching for that, and so I put in you know,

322
00:22:05,160 --> 00:22:08,680
OT security, industrial security, any combination of that as I could,

323
00:22:08,920 --> 00:22:13,480
and then I just put in cybersecurity generally, and you know,

324
00:22:13,519 --> 00:22:15,720
it won't give you hard numbers, but it will give

325
00:22:15,720 --> 00:22:19,880
you a comparison. And like I said, that tool suggested

326
00:22:19,960 --> 00:22:24,200
there were fifty times as many people searching for cybersecurity

327
00:22:24,240 --> 00:22:30,000
generally versus industrial cybersecurity any variation of it specifically. So

328
00:22:30,039 --> 00:22:35,519
it was more a measure of interest than of available talent.

329
00:22:35,640 --> 00:22:38,759
So I've you know, inferred that there's a relationship there,

330
00:22:40,680 --> 00:22:44,079
you know, to your question, are there are there more

331
00:22:44,119 --> 00:22:49,400
attacks on IT? Is there something else going on? I

332
00:22:49,440 --> 00:22:51,559
think there's just a lot more IT infrastructure in the

333
00:22:51,559 --> 00:22:55,440
world than OT infrastructure. I'm guessing that the fifty to

334
00:22:55,519 --> 00:22:59,440
one is not where it should be. I'm guessing that

335
00:23:00,119 --> 00:23:03,960
it reflects sort of today's interest in the topic. And

336
00:23:05,519 --> 00:23:07,640
over the last fifteen years, what I've observed is that

337
00:23:07,759 --> 00:23:11,160
interest in the topic is steadily growing. So you know,

338
00:23:11,240 --> 00:23:14,240
hopefully ten fifteen years from now, it might settle out

339
00:23:14,359 --> 00:23:18,119
at a smaller ratio. I don't know, twenty to one

340
00:23:18,200 --> 00:23:23,119
instead of fifty to one, But you know, it's it's

341
00:23:23,119 --> 00:23:26,640
a crude it's a very imperfect tool, but it's something

342
00:23:26,759 --> 00:23:28,880
and you know, so that's that's the number I threw out.

343
00:23:31,559 --> 00:23:35,599
Speaker 4: I've never been in IT, you know, responsible for a

344
00:23:35,680 --> 00:23:40,480
large organization. But you know, in my understanding, if I'm

345
00:23:40,480 --> 00:23:43,319
in an enterprise security team in an organization with one

346
00:23:43,400 --> 00:23:47,559
hundred thousand employees, each of which have a desktop computer

347
00:23:47,720 --> 00:23:51,359
or a laptop, I've got hundreds of thousands of cyber

348
00:23:51,400 --> 00:23:56,440
assets I'm managing. They're all exposed to the Internet. My

349
00:23:56,559 --> 00:24:02,440
understanding is that these teams assume constant compromise. They assume

350
00:24:02,640 --> 00:24:06,960
we are compromised. They are out there systematically trying to

351
00:24:07,000 --> 00:24:11,720
identify the compromised equipment and you know, take a forensic image,

352
00:24:11,759 --> 00:24:19,359
erase it, restore from backup, repeat. Constant activity in the

353
00:24:19,400 --> 00:24:23,720
OT space. I would hope that there's less to do

354
00:24:23,880 --> 00:24:27,480
incident response wise, but your your OT systems are behind

355
00:24:27,599 --> 00:24:29,880
so many layers of defenses that you just don't see

356
00:24:29,880 --> 00:24:33,200
a lot of activity, you know in your experience. Let

357
00:24:33,200 --> 00:24:35,160
me let me just I don't want to ask you

358
00:24:35,200 --> 00:24:38,160
about about incidents in the businesses you've worked in. You

359
00:24:38,160 --> 00:24:41,960
know that's that's confidential. But let me ask you how

360
00:24:42,000 --> 00:24:45,000
hard is it to stay in practice as an OT

361
00:24:45,160 --> 00:24:46,160
incident responder.

362
00:24:47,160 --> 00:24:50,079
Speaker 1: I don't think it's as hard as people think because

363
00:24:50,880 --> 00:24:55,440
there's plenty of operational events that go on every day.

364
00:24:55,599 --> 00:24:59,720
I mean, equipment fails all the time. When you've got

365
00:24:59,720 --> 00:25:02,039
a lot of it, there's always going to be something

366
00:25:02,119 --> 00:25:07,839
that's not operational. And in a widely dispersed environment, in

367
00:25:07,960 --> 00:25:10,519
or a hostile environment like you look at something like

368
00:25:10,599 --> 00:25:13,680
Fort McMurray in the wintertime. It's a wonder anything works,

369
00:25:13,839 --> 00:25:17,720
but you know there's a small city up there at

370
00:25:17,720 --> 00:25:22,599
every plant where they're where they're doing that work.

371
00:25:22,759 --> 00:25:26,839
Enbridge goes across North America. Same with TransCanada, like

372
00:25:27,400 --> 00:25:32,279
these are big operations and so there are literally thousands

373
00:25:32,359 --> 00:25:34,799
and thousands of assets, just like you have with the

374
00:25:35,160 --> 00:25:40,200
commercial stuff. So by all means, I think hunting for

375
00:25:40,319 --> 00:25:44,880
incidents is very important. That's a very unique skill and

376
00:25:45,039 --> 00:25:50,000
kind of hard to find. But you'll often find that

377
00:25:50,480 --> 00:25:56,759
equipment is misconfigured or something like that, and just through

378
00:25:56,799 --> 00:26:00,079
a change. You know, they forgot to change something and

379
00:26:00,079 --> 00:26:03,480
and you'll start picking up events and the number one

380
00:26:03,599 --> 00:26:05,640
thing you got to do then is figure out was

381
00:26:05,680 --> 00:26:08,720
this as a result of an operational change with a

382
00:26:09,839 --> 00:26:13,079
with a mistake in IT, or you know, a default

383
00:26:13,119 --> 00:26:16,599
setting that never got unchecked or something like that, versus

384
00:26:16,839 --> 00:26:20,839
this is an actual attack because I think what people

385
00:26:20,880 --> 00:26:25,920
don't kind of get about OT security is all you've

386
00:26:25,920 --> 00:26:28,200
got to do is stop the process and you've met

387
00:26:28,240 --> 00:26:33,799
the adversarial goal. The you know, in an IT world

388
00:26:33,839 --> 00:26:36,680
you have to steal some kind of data and then

389
00:26:36,799 --> 00:26:42,920
monetize it. But in OT the minute you're stopping that process.

390
00:26:43,000 --> 00:26:45,720
You know, if the planes can't launch off of the

391
00:26:45,799 --> 00:26:50,759
runway because the air traffic control systems are down, or

392
00:26:50,759 --> 00:26:54,640
they can't load the planes because the baggage is broken,

393
00:26:55,680 --> 00:26:59,799
all of those things are disrupting the operation and that

394
00:27:00,039 --> 00:27:03,680
costs the company money. And as a result, you know,

395
00:27:04,519 --> 00:27:11,079
your security goal is to maintain availability and a trustworthy process.

396
00:27:11,119 --> 00:27:18,880
So instead of confidentiality, integrity and availability, you're availability, integrity. Yeah,

397
00:27:19,000 --> 00:27:22,440
there really isn't a lot of confidentiality, but there's enough

398
00:27:22,759 --> 00:27:27,119
errors that occur with this complex array of systems that

399
00:27:27,839 --> 00:27:33,880
those same detection capabilities go off and you'll be investigating

400
00:27:33,920 --> 00:27:38,480
every day. You know, almost never is it a real attack,

401
00:27:38,880 --> 00:27:42,119
but you know there's enough events going on you definitely

402
00:27:42,200 --> 00:27:46,480
stay in practice around the investigation processes and the validation.

403
00:27:46,920 --> 00:27:49,480
Speaker 4: Correct me if I'm wrong. It sounds like what you're

404
00:27:49,519 --> 00:27:56,000
saying is that your team is not just OT incident response,

405
00:27:56,079 --> 00:28:02,559
you're also the automation troubleshooters when something goes weird. You know,

406
00:28:02,720 --> 00:28:06,119
is there a separate troubleshooting team in the organizations you

407
00:28:06,160 --> 00:28:09,079
work at? Or are you it? You're the troubleshooters for OT,

408
00:28:09,519 --> 00:28:12,200
and you know, let's call it, let's call you. You know,

409
00:28:12,359 --> 00:28:14,400
deeply paranoid troubleshooters.

410
00:28:16,400 --> 00:28:19,319
Speaker 1: Absolutely, And you know what if you're not just because

411
00:28:19,359 --> 00:28:22,880
you're paranoid doesn't mean they're not after you. We also

412
00:28:22,920 --> 00:28:29,920
assume breach. But the the the difference I think is

413
00:28:30,160 --> 00:28:34,519
there isn't one team that does troubleshooting in an industrial

414
00:28:34,559 --> 00:28:38,759
control system. There are so many complex parts. There are

415
00:28:38,799 --> 00:28:42,000
literally thousands of people working at some of these large

416
00:28:42,039 --> 00:28:47,039
companies that I've worked at that have various parts of

417
00:28:47,079 --> 00:28:50,799
the equation. There's people that only look after wide area networking.

418
00:28:50,880 --> 00:28:55,279
There's people that only look after measurement. There's people that

419
00:28:55,359 --> 00:29:02,240
only look after vibration monitoring, for example, and the pipeline

420
00:29:02,279 --> 00:29:09,119
business's leak detection. In other areas, it's the integrity of

421
00:29:09,160 --> 00:29:15,759
the extraction process and so there's literally hundreds of people.

422
00:29:15,960 --> 00:29:20,519
We just get avue at tip and part of what

423
00:29:20,559 --> 00:29:24,799
we do is we identify those things and we'll try

424
00:29:24,799 --> 00:29:27,720
and let the appropriate party know, hey, we saw something.

425
00:29:28,759 --> 00:29:34,000
Maybe maybe it's an operational related If it's not, or

426
00:29:34,039 --> 00:29:36,559
if you can't explain it, please bring us back in

427
00:29:36,720 --> 00:29:42,319
and we'll treat this like a cyber attack until and yeah,

428
00:29:42,319 --> 00:29:45,400
we're deeply paranoid. I think you have to be, because

429
00:29:46,440 --> 00:29:49,200
only a sophisticated actor is going to be able to

430
00:29:49,279 --> 00:29:55,160
penetrate a large corporation like here in Calgary. I think

431
00:29:55,240 --> 00:29:59,640
there's six or eight fortune five hundred companies that are

432
00:30:00,920 --> 00:30:05,160
industrial control system first, right, and I've worked at most

433
00:30:05,160 --> 00:30:09,599
of them. But what I've seen that's common across the

434
00:30:09,680 --> 00:30:13,559
board is there's not only a lot of people, they

435
00:30:13,599 --> 00:30:18,559
have very sophisticated incident response processes because a lot of

436
00:30:18,599 --> 00:30:23,000
things break mechanically or you know, injury wise and things

437
00:30:23,119 --> 00:30:27,039
like that. Thankfully a lot less injuries than before, but

438
00:30:27,160 --> 00:30:30,680
you know, physics is physics. Things can still break, and

439
00:30:31,759 --> 00:30:37,319
we've we're very practiced at responding to incidents. So what

440
00:30:37,480 --> 00:30:41,240
I've noticed at different companies is they all had a

441
00:30:41,319 --> 00:30:47,440
fairly robust incident response process. So you know, cyber is

442
00:30:47,519 --> 00:30:50,119
just one more thing that can go wrong, and so

443
00:30:50,200 --> 00:30:53,480
you when you think it's a cyber event, you try

444
00:30:53,480 --> 00:30:58,240
and inject yourself into that incident response process. And conversely,

445
00:30:58,400 --> 00:31:01,039
when something else goes on, we'll get called in and

446
00:31:01,079 --> 00:31:05,119
say is it cyber? And so we work as a group,

447
00:31:05,240 --> 00:31:11,920
which certainly not one individual department's responsible for the whole thing.

448
00:31:12,640 --> 00:31:15,279
Speaker 4: And I'm thinking a little earlier in the interview, you

449
00:31:15,359 --> 00:31:19,400
mentioned a decision process that you had worked out for

450
00:31:19,480 --> 00:31:24,279
trying to distinguish between operational failures and deliberate operational failures

451
00:31:24,319 --> 00:31:26,920
in terms of cyber attacks. Can you go a little

452
00:31:26,960 --> 00:31:28,960
deeper on that. Can you tell us something about what

453
00:31:29,400 --> 00:31:31,400
does that process look like? Yeah?

454
00:31:32,039 --> 00:31:37,160
Speaker 1: Sure can. Now, again I'm not disclosing specifically how my

455
00:31:37,359 --> 00:31:43,920
company does it today, but I teach this methodology publicly occasionally,

456
00:31:44,359 --> 00:31:48,839
and I've been doing so for about ten fifteen years,

457
00:31:48,920 --> 00:31:55,079
so you know, it's not a secret secret. And before

458
00:31:55,119 --> 00:31:58,039
it was even a title, we were thinking along this

459
00:31:58,240 --> 00:32:02,720
concept of living off the land and are there are

460
00:32:02,759 --> 00:32:07,079
there tools or capabilities that are already there for the

461
00:32:07,160 --> 00:32:13,440
attacker that they could use to thwart your behavior? And

462
00:32:13,920 --> 00:32:16,680
when you look at the work coming out of Dragos.

463
00:32:16,880 --> 00:32:21,680
They've articulated that as insecure by design. You know, the

464
00:32:21,720 --> 00:32:27,000
protocol itself will accept the you know, command to shut

465
00:32:27,039 --> 00:32:31,759
down the PLC or reset to factory default. And you know,

466
00:32:31,839 --> 00:32:37,240
once they started adding these kind of payload click paint

467
00:32:37,359 --> 00:32:41,079
by numbers ideas into Metasploit, that was a pretty clear

468
00:32:41,240 --> 00:32:44,000
sign that, you know, the genie was definitely out of

469
00:32:44,039 --> 00:32:51,160
the bottle. So when the equipment or the the capability

470
00:32:51,240 --> 00:32:55,880
is already there, built right into the operating system or

471
00:32:55,880 --> 00:32:59,480
built right into the control protocol, you now have to

472
00:32:59,519 --> 00:33:02,720
take a step back and look at the context of

473
00:33:02,759 --> 00:33:06,880
why that event is occurring and is there an indication

474
00:33:07,039 --> 00:33:09,319
that it's malicious. So if we were to look at

475
00:33:09,359 --> 00:33:20,119
something like a unusual command going against the PLC, ideally

476
00:33:20,160 --> 00:33:22,319
it would be great if you had a firewall that

477
00:33:22,400 --> 00:33:25,640
said that's not an allowed command in my path, and

478
00:33:25,680 --> 00:33:29,519
if it's an important enough piece of equipment, there you go.

479
00:33:30,599 --> 00:33:34,640
But then you should also be looking at all the

480
00:33:34,680 --> 00:33:37,319
commands that failed, because the attacker is not going to

481
00:33:37,319 --> 00:33:39,119
get it right the first time. You're going to get

482
00:33:39,119 --> 00:33:44,279
a couple of warnings. So you have to do similar

483
00:33:44,319 --> 00:33:46,319
to a HAZOP or something. You have to kind of

484
00:33:46,359 --> 00:33:49,119
walk the process and figure out where things could break,

485
00:33:50,079 --> 00:33:54,880
and you look at where that would be done digitally,

486
00:33:55,759 --> 00:33:59,920
and you have to think through what indicators would be

487
00:34:00,119 --> 00:34:04,440
that and then ideally you do data mining and you

488
00:34:04,480 --> 00:34:06,720
go look through what does it look like now when

489
00:34:06,759 --> 00:34:11,840
things are okay? And then you have to work against

490
00:34:11,920 --> 00:34:16,159
that process. You know, I get an event. Is this

491
00:34:16,360 --> 00:34:20,159
the same account that I see every day doing this

492
00:34:20,280 --> 00:34:24,199
event and for the last thirty days. Yes, that doesn't

493
00:34:24,239 --> 00:34:27,679
protect me against somebody who's an insider on the payroll

494
00:34:27,719 --> 00:34:33,519
of a nation state, but it's also far less of

495
00:34:33,559 --> 00:34:37,360
a credible risk because you know they've been here for

496
00:34:38,039 --> 00:34:43,360
quite some time. So walking that decision tree through, you

497
00:34:43,480 --> 00:34:48,159
wind up seeing an event. You look at the attributes

498
00:34:48,199 --> 00:34:51,719
of that, think about the context, and then you work

499
00:34:51,800 --> 00:34:56,119
through what would normal look like, what would abnormal but

500
00:34:56,280 --> 00:35:00,199
safe look like, and what's unexplainable And when it's are

501
00:35:00,239 --> 00:35:02,719
not sure the answer is no, that's not normal, you

502
00:35:02,800 --> 00:35:06,360
go to kind of the next criteria and the minute

503
00:35:06,400 --> 00:35:09,519
it looks a little weird, we get other people involved

504
00:35:09,920 --> 00:35:14,000
that are experts close to that system, and we may

505
00:35:14,039 --> 00:35:16,440
have something here. So our job number one is not

506
00:35:16,559 --> 00:35:20,599
to be the crying wolf department all the time. But

507
00:35:21,320 --> 00:35:24,960
if it's done in good faith, you're really figuring out, No,

508
00:35:25,199 --> 00:35:29,719
this is unusual. Usually they'll tell you, yeah, we don't.

509
00:35:29,719 --> 00:35:31,800
We hardly ever log in at three in the morning

510
00:35:31,840 --> 00:35:34,079
to do this. So, yeah, thanks for that, But we

511
00:35:34,159 --> 00:35:39,000
had an MII. So yeah, it's a you know, when

512
00:35:39,800 --> 00:35:42,760
you look at the attacker is going to have to

513
00:35:42,840 --> 00:35:45,800
disrupt your equipment the same way that you operate it in

514
00:35:45,920 --> 00:35:51,880
order to do any real damage, and that's that's going

515
00:35:51,960 --> 00:35:55,639
to leave some marks. And if you've instrumented or you've

516
00:35:55,679 --> 00:35:59,800
got the right observability in that environment, you can start

517
00:35:59,840 --> 00:36:04,440
to trace through the path. And so I tend to

518
00:36:04,519 --> 00:36:08,199
take an attack path approach to it, and I look

519
00:36:08,239 --> 00:36:12,639
at logical steps because you're one hundred percent right, we

520
00:36:12,719 --> 00:36:16,519
don't none of the major companies out there have their

521
00:36:16,559 --> 00:36:19,960
infrastructure set up so that if somebody opens a phishing email,

522
00:36:20,159 --> 00:36:23,199
it's all over like that's that could be the start

523
00:36:23,199 --> 00:36:24,960
of it. But that attacker is going to have to

524
00:36:25,000 --> 00:36:28,719
have a lot more steps to get anywhere near a

525
00:36:28,760 --> 00:36:34,440
physical destruction of something. And so if we understand that

526
00:36:34,679 --> 00:36:38,639
path and we're monitoring those paths, we can look at

527
00:36:38,679 --> 00:36:43,960
certain key checkpoints and choke points, have baselines of how

528
00:36:44,079 --> 00:36:48,920
stuff works and work against those things. It's going to

529
00:36:48,960 --> 00:36:52,960
need to be a very patient attacker with an incredible

530
00:36:53,000 --> 00:36:55,800
amount of insider knowledge to get through all of that

531
00:36:56,880 --> 00:37:00,480
without making a mistake. So you see it every now

532
00:37:00,480 --> 00:37:03,960
and again people talk about something called a home field

533
00:37:04,000 --> 00:37:09,719
advantage or the blue team advantage. We know all the path,

534
00:37:10,119 --> 00:37:13,000
the attacker doesn't, so they're going to make mistakes. And

535
00:37:13,239 --> 00:37:19,079
that's that's the idea. As you try and monitor for that.

536
00:37:22,199 --> 00:37:25,320
I think you know, respond accordingly. But the minute it

537
00:37:25,360 --> 00:37:30,519
looks funny, get help. That's take one thing away. That's it.

538
00:37:30,880 --> 00:37:33,719
You know, know what normal is, and if it's not normal,

539
00:37:33,800 --> 00:37:34,239
get help.

540
00:37:37,719 --> 00:37:41,519
Speaker 3: So Nate, what what struck me in Doug's answer there?

541
00:37:42,239 --> 00:37:44,519
You know, we're diverging a bit. We're talking about the

542
00:37:44,639 --> 00:37:49,920
process for incident response rather than recruiting incident responders, you know,

543
00:37:49,960 --> 00:37:52,360
but the process tells us something about the kind of

544
00:37:52,400 --> 00:37:54,360
person that we that we need, that we're looking for.

545
00:37:55,119 --> 00:37:57,800
What I'm reminded by in the description of the process.

546
00:37:57,800 --> 00:38:02,519
What struck me was that he's described what sounded very

547
00:38:02,559 --> 00:38:07,199
similar to what we had Sarah Freeman describe. I don't

548
00:38:07,239 --> 00:38:10,119
know a few dozen episodes ago where she was talking

549
00:38:10,159 --> 00:38:13,360
about the book that she and Andrew Bochman wrote. The

550
00:38:13,400 --> 00:38:18,679
book was Countering Cyber Sabotage and the subtitle is Consequence

551
00:38:18,800 --> 00:38:22,960
Driven Cyber Informed Engineering. And the book was, you know,

552
00:38:23,400 --> 00:38:25,519
about a bunch of stuff. Most of it was about

553
00:38:25,559 --> 00:38:28,440
a methodology for risk assessment and the heart of that

554
00:38:28,480 --> 00:38:33,119
methodology was system of systems analysis. Sounds very fancy. What

555
00:38:33,280 --> 00:38:36,880
were they looking for when they're analyzing these systems? They're

556
00:38:36,880 --> 00:38:40,960
looking for choke points, just like Doug said. And so

557
00:38:41,320 --> 00:38:43,760
you know what struck me is Doug someone who's been

558
00:38:43,760 --> 00:38:47,000
doing incident response for a very long time in the

559
00:38:47,039 --> 00:38:49,360
oil and gas industry. You know what struck me is

560
00:38:49,360 --> 00:38:52,639
that when when Idaho National Laboratory writes this stuff up,

561
00:38:52,719 --> 00:38:55,760
when you know Sarah Freeman and Andrew Bochman write this

562
00:38:55,800 --> 00:38:58,599
stuff up, they're not making it up. This is stuff

563
00:38:58,679 --> 00:39:00,360
people have been doing for a long time, and this

564
00:39:00,480 --> 00:39:02,920
is arguably the right way to do it. It's it's

565
00:39:03,039 --> 00:39:06,800
arguably the best way to do it. So you know that,

566
00:39:06,920 --> 00:39:08,960
just that just rung bells with me, going, oh, so

567
00:39:09,320 --> 00:39:11,440
we actually can believe what we lead what we read

568
00:39:11,440 --> 00:39:13,599
in that book, because you know, here's a man who says, yeah,

569
00:39:13,599 --> 00:39:16,000
I've been doing that forever. It's it's not that you're

570
00:39:16,000 --> 00:39:18,880
making this stuff up. It's a question of writing down

571
00:39:19,280 --> 00:39:20,840
what leaders in the field have been doing for a

572
00:39:20,880 --> 00:39:26,440
long time. You've touched on this a couple of times

573
00:39:26,480 --> 00:39:29,039
throughout the interview here, But let me ask you outright.

574
00:39:29,559 --> 00:39:31,679
I have a lot of people coming to me saying, hey, Andrew,

575
00:39:31,800 --> 00:39:34,280
I shouldn't say a lot. I occasionally have people coming

576
00:39:34,280 --> 00:39:37,119
to me saying, Andrew, I'd like to get into OT security.

577
00:39:37,920 --> 00:39:41,159
Speaker 4: How do I do that? What's your advice to people

578
00:39:41,199 --> 00:39:42,840
who are asking that question.

579
00:39:44,039 --> 00:39:47,920
Speaker 1: Yeah, I would love that question. I get it occasionally,

580
00:39:48,000 --> 00:39:50,079
but I don't think a lot of people even know

581
00:39:50,239 --> 00:39:55,679
that there's a giant need for that capability. What I

582
00:39:55,719 --> 00:40:00,440
would do, for sure is I would recommend them, recommend

583
00:40:00,519 --> 00:40:07,840
to them that they do go get other practical IT experience,

584
00:40:07,920 --> 00:40:13,719
whether it's in maintaining server equipment or a couple of

585
00:40:13,920 --> 00:40:21,320
complicated applications that utilize databases and you know, workers with interfaces,

586
00:40:22,760 --> 00:40:28,000
wide area networking, local networking. All of the same components

587
00:40:28,039 --> 00:40:31,880
that we use to control computers in IT are

588
00:40:32,000 --> 00:40:35,920
the same ones that they're using in OT. The differences

589
00:40:36,840 --> 00:40:42,000
are around both the impact and then the service expectations.

590
00:40:42,280 --> 00:40:44,880
You know, you can't just reboot it at will, and

591
00:40:45,000 --> 00:40:50,119
you can't just you know, let it not run for

592
00:40:50,199 --> 00:40:54,239
the weekend, and you know, any upgrade needs to be

593
00:40:54,360 --> 00:40:58,840
tested impeccably and ideally on a you know, a staged

594
00:40:58,880 --> 00:41:02,840
approach like a lot of this operational rigor. You're not

595
00:41:02,880 --> 00:41:07,159
playing with a desktop. You're playing with a computer that

596
00:41:07,440 --> 00:41:14,840
is controlling a very expensive, complex physical environment. So go

597
00:41:15,000 --> 00:41:23,320
get experience on computers and networking and application support. I

598
00:41:23,360 --> 00:41:26,199
want to say, in a safer environment where there's fewer

599
00:41:26,280 --> 00:41:29,719
physical consequences, and after you've got a couple of years

600
00:41:29,719 --> 00:41:32,480
of that, it's a lot easier to make the pitch

601
00:41:32,599 --> 00:41:36,639
to say I want to do something like this in

602
00:41:36,679 --> 00:41:42,360
the physical world. I've looked around for specific training on this,

603
00:41:42,679 --> 00:41:45,840
and probably the best stuff out there is coming out

604
00:41:45,880 --> 00:41:51,440
of Idaho National Labs and ISA, and that would be

605
00:41:51,719 --> 00:41:58,119
an excellent addition, and they're reasonably accessible. But there's also

606
00:41:59,000 --> 00:42:02,000
some online training and books and things like that that

607
00:42:02,039 --> 00:42:05,840
you can get. There's a very good book on cyber

608
00:42:05,880 --> 00:42:11,239
informed consequence driven engineering, and you know, even though

609
00:42:11,320 --> 00:42:15,280
that's a little advanced for you know, how to deliver.

610
00:42:16,360 --> 00:42:19,239
The first four chapters will teach you a lot. There's

611
00:42:19,320 --> 00:42:22,119
another guy I know, in fact, it's you who's written

612
00:42:22,239 --> 00:42:28,519
three great books on this whole problem. Read those, Yeah,

613
00:42:28,679 --> 00:42:33,199
Like I think studying that, but also getting your hands

614
00:42:33,239 --> 00:42:36,559
dirty working with the technology day in and day out.

615
00:42:37,079 --> 00:42:41,639
And I hate to say it, but even just build

616
00:42:41,679 --> 00:42:44,800
yourself something that does a little physical process. Like if

617
00:42:44,800 --> 00:42:48,760
somebody was to say I'm working with embedded devices and

618
00:42:49,119 --> 00:42:52,199
you know, software, radio and things like that, like that

619
00:42:52,320 --> 00:42:55,760
tinkering mindset, that's somebody that's going to be a lot

620
00:42:55,880 --> 00:42:58,800
more useful in the field.

621
00:43:00,199 --> 00:43:02,599
Speaker 4: Well, thank you for the the mention of my books.

622
00:43:02,639 --> 00:43:05,199
I appreciate that. Let me return the favor. I mean,

623
00:43:05,320 --> 00:43:10,239
you are not only an expert OT incident responder, you

624
00:43:10,320 --> 00:43:15,199
are also the co host of the Caffeinated Risk podcast.

625
00:43:15,760 --> 00:43:18,400
And yes, I'm interviewing you, but a couple of weeks

626
00:43:18,440 --> 00:43:21,800
ago you interviewed me, and you know, I was impressed

627
00:43:22,000 --> 00:43:25,320
you and your co host asked me questions that no

628
00:43:25,320 --> 00:43:27,840
one else had ever asked me. So can you talk

629
00:43:27,880 --> 00:43:30,480
a bit about your podcast what's it all about? Because

630
00:43:30,519 --> 00:43:33,920
you know I'm recommending it to our listeners as well.

631
00:43:33,920 --> 00:43:34,239
Thank you?

632
00:43:35,800 --> 00:43:41,400
Speaker 1: Yeah, it was a COVID thing that I kind of

633
00:43:41,440 --> 00:43:45,880
came up with. But I've known Tim for a long

634
00:43:46,000 --> 00:43:50,400
long time and we've worked at different companies, and you

635
00:43:50,440 --> 00:43:53,840
know a lot of them were industrial control companies, so

636
00:43:54,199 --> 00:43:57,880
our heads were both kind of there. But I've learned

637
00:43:57,920 --> 00:44:04,519
over the years that cyber security is really about risk management.

638
00:44:04,559 --> 00:44:08,400
And it's funny. I was scrolling around this morning as

639
00:44:08,440 --> 00:44:12,559
I'm getting coffee going and you know on LinkedIn, you know,

640
00:44:13,960 --> 00:44:17,960
resilience is you know, protection is not feasible at the

641
00:44:17,960 --> 00:44:21,719
scales that we work at, so resilience is everything. And they, oh,

642
00:44:21,880 --> 00:44:25,519
you mean like risk management and it's got a new

643
00:44:25,559 --> 00:44:30,760
brand with resilience. But businesses have always been running risk

644
00:44:30,840 --> 00:44:35,119
And I think what people have missed in the cyber

645
00:44:35,559 --> 00:44:41,639
security equation is no company president or board of directors

646
00:44:41,639 --> 00:44:45,440
ever woke up and said let's take thirty to fifty

647
00:44:45,559 --> 00:44:49,079
million dollars a year and go buy a bunch of

648
00:44:49,119 --> 00:44:52,239
computers and apps and do cool things with it. Like

649
00:44:52,719 --> 00:44:57,400
that wasn't their goal. They had a business function that

650
00:44:57,480 --> 00:45:00,559
needed to be done, and over time the digital elements

651
00:45:01,599 --> 00:45:06,599
fed into it, and after that it becomes a target

652
00:45:06,679 --> 00:45:10,079
because that's how you disrupt the business. That's where the

653
00:45:10,199 --> 00:45:14,159
data about your customers is stored. That's where the effective

654
00:45:14,199 --> 00:45:19,719
controls of the product are. So you know, it's always

655
00:45:19,800 --> 00:45:24,159
about crime and money and power and all the same

656
00:45:24,239 --> 00:45:27,039
things that have been driving the world for I don't know,

657
00:45:27,480 --> 00:45:32,400
five ten thousand years, and risk management has always been.

658
00:45:32,960 --> 00:45:34,039
Speaker 4: Part of that equation.

659
00:45:34,519 --> 00:45:37,519
Speaker 1: You know how big your army needs to be, how

660
00:45:37,559 --> 00:45:40,119
long you're you know, how much food you need to

661
00:45:40,159 --> 00:45:45,760
store in case they siege your castle. To modern things

662
00:45:45,880 --> 00:45:48,880
like the banks obviously were some of the first people

663
00:45:48,960 --> 00:45:53,000
involved in cybersecurity because people figured out you could steal

664
00:45:53,039 --> 00:45:58,000
money from them. But it's it's an evolving field, but

665
00:45:58,039 --> 00:46:02,559
it's fairly immature compared to something like medicine or engineering.

666
00:46:03,400 --> 00:46:06,440
But risk management has been going on since day one.

667
00:46:06,559 --> 00:46:10,639
It maybe wasn't a formalized practice, but they're you know,

668
00:46:10,880 --> 00:46:14,159
let's uh, you fast forward and now it's got a

669
00:46:14,159 --> 00:46:17,119
bunch of different branches and we're a lot more sophisticated

670
00:46:17,159 --> 00:46:20,599
at it, but in the end, it's still managing the

671
00:46:20,679 --> 00:46:24,960
risk to the organization to be successful. Because nobody ever

672
00:46:25,119 --> 00:46:27,559
starts a business hoping they go out of business and

673
00:46:27,599 --> 00:46:32,719
waste a lot of money. And as we digitize, we

674
00:46:32,840 --> 00:46:36,239
have to protect that digital capability, just the same way

675
00:46:36,280 --> 00:46:38,760
we lock the door at the end of the night

676
00:46:38,800 --> 00:46:42,039
when you close up shop so that people don't come

677
00:46:42,079 --> 00:46:48,280
in and steal all your stuff. So it's it sounds

678
00:46:48,360 --> 00:46:53,039
more simplistic maybe the way I'm explaining it, but we've

679
00:46:53,039 --> 00:46:56,159
interviewed a lot of different people on that podcast over

680
00:46:56,199 --> 00:47:00,280
the years, and a lot of different disciplines. Definitely some

681
00:47:00,480 --> 00:47:04,960
brilliant people like yourselves and others in OT but also

682
00:47:05,119 --> 00:47:09,159
people that are dealing with physical things like buildings catching

683
00:47:09,199 --> 00:47:12,760
on fire. We had one episode where they were dealing

684
00:47:12,840 --> 00:47:17,639
with drones identifying shooters and you know, all kinds of

685
00:47:17,679 --> 00:47:21,800
crazy stuff. But it's all risk management because you're always

686
00:47:21,880 --> 00:47:25,639
balancing how much you're going to invest to protect and

687
00:47:25,679 --> 00:47:29,960
preserve versus how much of a chance you're willing to take,

688
00:47:31,119 --> 00:47:35,480
because if it does come to pass, you have enough

689
00:47:36,159 --> 00:47:42,239
money leftover financial reserves or safety tolerance that you can

690
00:47:42,320 --> 00:47:48,159
repair the damage. So it's a you know, risk management's

691
00:47:48,199 --> 00:47:51,480
a very interesting field, and now it's branded a little

692
00:47:51,480 --> 00:47:54,880
bit more like resilience. But in the end, you know,

693
00:47:55,159 --> 00:47:58,440
I can tolerate this level of a cyber intrusion because

694
00:47:58,480 --> 00:48:01,800
if it happens, I know I can rebuild it. And

695
00:48:01,920 --> 00:48:04,719
you had mentioned at the start. I think we were

696
00:48:04,760 --> 00:48:07,760
talking about hundreds of thousands of computers and you take

697
00:48:07,800 --> 00:48:12,320
a forensic image and not typically we'll just pave it

698
00:48:12,360 --> 00:48:15,559
and move on because there's nothing on that computer that

699
00:48:15,760 --> 00:48:19,880
we care about. So it's a dumb TV set. All

700
00:48:19,960 --> 00:48:23,400
the data is elsewhere, and that's backed up in a

701
00:48:23,519 --> 00:48:28,320
very different way than an individual desktop. Doesn't mean we

702
00:48:28,360 --> 00:48:30,840
don't put protection on stuff like that. There's a lot

703
00:48:30,880 --> 00:48:33,000
of great products to do a pretty good job now,

704
00:48:33,320 --> 00:48:35,559
but the number one thing was taken away people's

705
00:48:35,599 --> 00:48:39,239
admin rights and now there's not much value to the

706
00:48:39,280 --> 00:48:42,119
attacker on that laptop if they do get on

707
00:48:42,360 --> 00:48:48,199
kind of thing. But sometimes we'll take a forensic image

708
00:48:48,199 --> 00:48:50,960
of a laptop, like let's say the CFO lost their

709
00:48:51,039 --> 00:48:57,800
laptop on a plane and then it comes back. We're

710
00:48:57,840 --> 00:49:00,880
not plugging that back in, but we may just take

711
00:49:00,920 --> 00:49:04,920
an image of that one because he didn't accidentally lose it, right,

712
00:49:05,039 --> 00:49:11,400
So yeah, there's a risk. Management is complicated. Any of

713
00:49:11,440 --> 00:49:15,559
the advanced digital stuff is expensive and time consuming, so

714
00:49:15,639 --> 00:49:20,559
it'd better be worth it. But there are a number

715
00:49:20,599 --> 00:49:23,920
of things that happen every day that you can absorb.

716
00:49:25,119 --> 00:49:28,760
A lot of companies don't bother chasing people port scanning

717
00:49:28,800 --> 00:49:32,800
the outside of their company anymore because they're not going

718
00:49:32,880 --> 00:49:37,440
to get anywhere. And you would bury people in paperwork

719
00:49:37,480 --> 00:49:41,719
trying to get things shut down with abuse. Now somebody

720
00:49:41,719 --> 00:49:44,719
comes at you in a denial of service attack, that's

721
00:49:44,760 --> 00:49:49,880
a different story, right, you'll address that. But individual port

722
00:49:49,960 --> 00:49:52,480
scanning nobody cares anymore. But that used to be a

723
00:49:52,519 --> 00:49:54,679
thing a long time ago. We'd run around try and

724
00:49:54,679 --> 00:49:57,000
block him in a firewall, and I was like, yeah,

725
00:49:57,400 --> 00:50:01,360
they'll tire themselves out. There's nothing there to hit. So

726
00:50:01,400 --> 00:50:04,159
it's a different way to go about it. And I

727
00:50:04,199 --> 00:50:08,280
think I was to look at how do I how

728
00:50:08,280 --> 00:50:10,840
do I want to sum things up? You know, to me,

729
00:50:11,320 --> 00:50:18,480
risk management is cyber We're just bandaging that through digital means.

730
00:50:19,159 --> 00:50:23,639
And the best value that you can bring to an

731
00:50:23,639 --> 00:50:30,159
OT security scenario is understand both security and the IT

732
00:50:30,599 --> 00:50:36,320
technologies that are controlling these physical processes, and you know,

733
00:50:37,719 --> 00:50:40,599
really be humble enough to accept a gravity that a

734
00:50:40,639 --> 00:50:43,239
lot of the people that have been developing and building

735
00:50:43,280 --> 00:50:48,840
these very amazing technology driven plants and stuff like that,

736
00:50:48,840 --> 00:50:53,599
that they are experts in what they do, and there's

737
00:50:53,639 --> 00:50:55,800
a time to listen and a time to talk, but

738
00:50:56,000 --> 00:50:59,119
mostly listen, especially if you're new to the field.

739
00:51:00,320 --> 00:51:03,199
Speaker 4: Before I let you go, you know, you're a public figure,

740
00:51:03,280 --> 00:51:08,280
you're a podcaster, you know, you're you're teaching. If people

741
00:51:08,320 --> 00:51:10,760
want to get in touch with you to ask you

742
00:51:11,280 --> 00:51:14,440
how to get into OT security, you know, how how

743
00:51:14,480 --> 00:51:15,199
would they reach you?

744
00:51:16,119 --> 00:51:16,280
Speaker 2: Uh?

745
00:51:16,719 --> 00:51:20,639
Speaker 1: Well, probably the easiest is to find me on LinkedIn.

746
00:51:21,920 --> 00:51:27,920
I'm I'm very I'm very bad at immediately hitting the reply,

747
00:51:28,039 --> 00:51:31,079
but I definitely go through them a couple times a

748
00:51:31,119 --> 00:51:36,599
month and accept and I will answer questions through there

749
00:51:37,559 --> 00:51:43,679
without a doubt. And then you know, here in here

750
00:51:43,679 --> 00:51:48,079
in Calgary, Western Canada, like you say, I'm pretty visible.

751
00:51:48,199 --> 00:51:52,119
I'm you know, six three and white hair kind of

752
00:51:52,159 --> 00:51:57,000
stick out. And I'm very approachable on this, especially if

753
00:51:57,000 --> 00:52:00,360
somebody is interested in this at all. I think this

754
00:52:00,400 --> 00:52:03,280
is such important work that we're doing. Like I said,

755
00:52:03,320 --> 00:52:07,320
I don't represent Enbridge here, I don't represent Suncor or

756
00:52:07,320 --> 00:52:11,280
any of the other companies I work for, but I'm

757
00:52:11,360 --> 00:52:13,760
really proud of the work that we are doing here

758
00:52:14,239 --> 00:52:19,760
in Alberta, and the education institutions are taking it very seriously.

759
00:52:20,639 --> 00:52:27,159
There's a lot of momentum in this area of securing

760
00:52:27,199 --> 00:52:29,599
our way of life that is controlled by a lot

761
00:52:29,639 --> 00:52:34,039
of digital stuff. So I'm easily very approachable on this.

762
00:52:34,519 --> 00:52:38,519
Find me on LinkedIn, and I've got a couple things

763
00:52:38,559 --> 00:52:40,599
out there online. But the other one, like you say,

764
00:52:40,679 --> 00:52:46,559
is Caffeinated Risk. We have a website, and Doug at

765
00:52:46,599 --> 00:52:50,199
Caffeinated Risk would find me if you wanted to send

766
00:52:50,199 --> 00:52:53,679
me an email, and LinkedIn the other best way to

767
00:52:53,719 --> 00:52:54,039
do it.

768
00:52:57,440 --> 00:53:00,920
Speaker 2: Andrew, that just about concludes your interview with Doug Lease.

769
00:53:01,719 --> 00:53:05,159
And as we exit this episode here, I figure in

770
00:53:05,320 --> 00:53:08,239
a show about recruiting, some of our listeners will want

771
00:53:08,280 --> 00:53:11,440
to know how do I get a job in the

772
00:53:11,480 --> 00:53:15,199
OT industry? So, Andrew, how do I get a job

773
00:53:15,559 --> 00:53:18,199
in the OT industry? What are recruiters looking for?

774
00:53:19,159 --> 00:53:22,320
Speaker 3: Well, what I heard Doug say, and I agree with him,

775
00:53:22,519 --> 00:53:25,000
is that if you want to be effective in the

776
00:53:25,039 --> 00:53:28,960
world of OT security, you've got to understand cybersecurity. You've

777
00:53:28,960 --> 00:53:32,760
got to understand IT because a lot of that technology

778
00:53:33,119 --> 00:53:36,679
is in the OT space, and you have to understand OT.

779
00:53:36,800 --> 00:53:39,559
You have to understand something about engineering, something about the

780
00:53:39,599 --> 00:53:43,599
physical process, something about automating the physical process. So you

781
00:53:43,639 --> 00:53:46,840
need cybersecurity, you need IT, you need OT. You know,

782
00:53:47,159 --> 00:53:51,760
what I heard Doug say is it's it's a hard

783
00:53:51,800 --> 00:53:54,440
fit to have someone come straight out of school and

784
00:53:54,519 --> 00:53:59,760
drop them straight into OT cybersecurity. He would rather people

785
00:53:59,800 --> 00:54:03,159
come straight out of school and do one of the three.

786
00:54:04,480 --> 00:54:08,159
Do some cybersecurity on the IT side, do some server

787
00:54:08,280 --> 00:54:12,679
administration on the IT side, or telecoms or network stuff,

788
00:54:13,000 --> 00:54:16,440
just to learn about those tools and how to you know,

789
00:54:16,480 --> 00:54:20,280
apply them to different kinds of problems. Or you know,

790
00:54:20,920 --> 00:54:24,920
do something on the engineering side and you know, learn

791
00:54:25,000 --> 00:54:28,519
then about cybersecurity and the other stuff server administration and

792
00:54:28,519 --> 00:54:34,679
so on. So start with something and grow into or

793
00:54:35,679 --> 00:54:39,639
you know, get recruited into the space that you're really

794
00:54:39,679 --> 00:54:40,320
interested in.

795
00:54:41,280 --> 00:54:41,480
Speaker 1: You know.

796
00:54:41,559 --> 00:54:43,599
Speaker 3: Again, my own experience is I love to hire people

797
00:54:43,639 --> 00:54:46,559
who are interested in something. If your interest is in

798
00:54:46,599 --> 00:54:50,119
OT security and I've hired you into any of these

799
00:54:50,159 --> 00:54:53,679
other functions, I'm going to work as your manager to

800
00:54:53,840 --> 00:54:57,159
give you opportunities to move into the field that you're

801
00:54:57,199 --> 00:54:59,800
interested in. That's how you're going to be the most

802
00:55:00,000 --> 00:55:04,320
effective for you know, my organization, because you keep naturally

803
00:55:04,440 --> 00:55:06,800
learning more about the stuff that you're interested in. So

804
00:55:08,199 --> 00:55:11,519
start somewhere and you know, work into OT security over

805
00:55:11,559 --> 00:55:13,719
time is what Doug said, and it kind of makes sense.

806
00:55:14,199 --> 00:55:16,280
You know, it might be frustrating for people who have

807
00:55:16,480 --> 00:55:20,079
come out of the very few OT security programs in

808
00:55:20,119 --> 00:55:23,960
the world, but you know, if you've come through one

809
00:55:23,960 --> 00:55:26,400
of those programs, I think there's there's there's opportunities for

810
00:55:26,440 --> 00:55:29,039
you as well. But you know, maybe maybe it doesn't

811
00:55:29,079 --> 00:55:32,559
hurt for you to grab something related for a couple

812
00:55:32,599 --> 00:55:35,239
of years and then move into sort of your your

813
00:55:35,280 --> 00:55:38,840
first love as well. So it's complicated.

814
00:55:39,000 --> 00:55:42,559
Speaker 2: Sorry, Well, thanks to Doug Lease for speaking with you

815
00:55:42,599 --> 00:55:45,480
about this, Andrew. And as always, Andrew, thank you for

816
00:55:45,599 --> 00:55:46,440
speaking with me.

817
00:55:47,079 --> 00:55:47,960
Speaker 3: It's always a pleasure.

818
00:55:48,000 --> 00:55:48,519
Speaker 1: Thank you, Nate.

819
00:55:49,199 --> 00:55:53,119
Speaker 2: This has been the Industrial Security Podcast from Waterfall. Thanks

820
00:55:53,119 --> 00:55:55,039
to everyone out there listening.

821
00:56:00,960 --> 00:56:01,400
Speaker 4: Something

