1
00:00:00,680 --> 00:00:05,719
Speaker 1: And having some kind of, you know, local copy is

2
00:00:06,040 --> 00:00:10,400
better than not having any. The modern best practice is

3
00:00:10,439 --> 00:00:14,240
to have that copy actually in immutable storage

4
00:00:14,240 --> 00:00:14,759
in the cloud.

5
00:00:18,559 --> 00:00:22,480
Speaker 2: Welcome listeners to the Industrial Security Podcast. My name is

6
00:00:22,559 --> 00:00:26,000
Nate Nelson. I'm here with Andrew Ginter, the vice president

7
00:00:26,079 --> 00:00:30,199
of Industrial Security at Waterfall Security Solutions, who's going to

8
00:00:30,239 --> 00:00:33,560
introduce the subject and guest of our show today. Andrew,

9
00:00:33,840 --> 00:00:34,399
how's it going?

10
00:00:35,240 --> 00:00:37,719
Speaker 3: I'm very well, thank you, Nate. Our guest today is

11
00:00:37,759 --> 00:00:42,079
Stephen Nichols. He is the country manager for Canada at Acronis,

12
00:00:42,640 --> 00:00:45,359
and we're going to be talking about rapid recovery of

13
00:00:45,840 --> 00:00:51,000
OT systems in different kinds of emergencies, including cyber attacks.

14
00:00:51,600 --> 00:00:55,359
Speaker 2: Then, without further ado, here's your conversation with Steven.

15
00:00:58,079 --> 00:01:01,159
Speaker 3: Hello, Stephen, and welcome to the podcast. Before we get started,

16
00:01:01,200 --> 00:01:03,719
can I ask you to introduce yourself for our listeners

17
00:01:03,960 --> 00:01:06,000
and to say a few words about the good work

18
00:01:06,000 --> 00:01:08,319
that you're doing at Acronis.

19
00:01:08,519 --> 00:01:11,319
Speaker 1: Absolutely, my pleasure to be here. So my name is

20
00:01:11,319 --> 00:01:14,719
Steven Nichols. My current role is as the country manager

21
00:01:14,920 --> 00:01:21,120
for Acronis. But I've been doing technology in

22
00:01:21,200 --> 00:01:25,200
all sorts of different places, from professional services to account management,

23
00:01:26,599 --> 00:01:30,400
for about twenty years, and in that time I've worked

24
00:01:30,439 --> 00:01:33,599
at a number of different companies. Most recently, I've been

25
00:01:33,599 --> 00:01:36,239
at Acronis for about six years. Prior to this current

26
00:01:36,359 --> 00:01:39,079
role that I started in January, I actually ran our

27
00:01:39,120 --> 00:01:42,920
solution engineering team for the Americas, so I've been deeply

28
00:01:42,959 --> 00:01:47,400
involved in setting up POCs, working with our partners and

29
00:01:47,439 --> 00:01:50,239
our customers to make sure that they both understand the

30
00:01:50,319 --> 00:01:54,680
technology and get the most out of it. Acronis, who

31
00:01:54,719 --> 00:01:57,599
have been around for about twenty two years, have a

32
00:01:57,760 --> 00:02:03,359
solid background in backup and recovery of data as well

33
00:02:03,400 --> 00:02:09,159
as cybersecurity, so we understand that space and we've definitely

34
00:02:09,199 --> 00:02:11,599
got ways we can help you to solve the problem

35
00:02:11,960 --> 00:02:14,120
of uptime and data availability.

36
00:02:14,960 --> 00:02:18,319
Speaker 3: Our topic is rapid recovery, which, you know, to me

37
00:02:18,879 --> 00:02:23,439
implies recovering from some kind of backup in, of course,

38
00:02:24,039 --> 00:02:27,240
OT networks, you know, some of which are our critical infrastructure.

39
00:02:27,280 --> 00:02:30,560
If something goes wrong, something breaks, something gets hacked,

40
00:02:30,639 --> 00:02:34,800
we need these things to come back quickly. So yes,

41
00:02:35,199 --> 00:02:38,840
but, you know, what I'm used to seeing at, I

42
00:02:38,840 --> 00:02:40,919
don't know, power plants and such, is that you've got

43
00:02:41,000 --> 00:02:44,199
the control network with you know, a bunch of equipment

44
00:02:44,199 --> 00:02:46,360
on it. You've got a lot of the time a

45
00:02:46,479 --> 00:02:50,719
parallel network. Most of your devices have two network interfaces,

46
00:02:50,759 --> 00:02:54,159
one to the real-time network and one to, call

47
00:02:54,199 --> 00:02:58,879
it, a management network, and there might be a network

48
00:02:58,919 --> 00:03:02,560
attached storage device on the management network that stores backup

49
00:03:02,639 --> 00:03:09,039
files for all of your equipment. You know, you're solving

50
00:03:09,080 --> 00:03:11,520
a problem. Is this the problem you're solving? Why

51
00:03:11,599 --> 00:03:14,280
is, you know, a parallel network and a network is

52
00:03:14,319 --> 00:03:16,919
to that storage not enough? What is the problem

53
00:03:16,919 --> 00:03:17,639
we're solving here?

54
00:03:18,479 --> 00:03:23,639
Speaker 1: The thing generally, when we're talking to, you know, in

55
00:03:23,719 --> 00:03:26,439
that space, when we're talking to customers, the real

56
00:03:26,560 --> 00:03:29,879
thing that they're trying to solve is uptime. So

57
00:03:30,080 --> 00:03:35,800
there, downtime is incredibly expensive, disruptive, especially, you know,

58
00:03:35,840 --> 00:03:39,039
with supply chain issues where you're talking about just-

59
00:03:39,120 --> 00:03:41,960
in-time delivery. There isn't a lot of flexibility and

60
00:03:41,960 --> 00:03:44,159
there's a whole lot of cost when you have downtime.

61
00:03:44,759 --> 00:03:50,080
So making sure that there is a way if again,

62
00:03:50,199 --> 00:03:56,319
whether it's hardware failure, whether it's a corruption of the data,

63
00:03:57,199 --> 00:03:59,280
whether that, you know, heaven forbid, should be some

64
00:03:59,479 --> 00:04:03,000
kind of cyber attack, making sure that you have the

65
00:04:03,039 --> 00:04:08,680
ability to recover from that quickly is super important. And

66
00:04:08,800 --> 00:04:10,879
let me give you an example. There's an auto manufacturer

67
00:04:10,879 --> 00:04:13,919
that we work with and if they have a problem

68
00:04:14,319 --> 00:04:17,920
you know, with one of their systems,

69
00:04:18,560 --> 00:04:21,160
the only solution that they had prior to working with

70
00:04:21,279 --> 00:04:25,240
us was that somebody from Germany had to get on

71
00:04:25,279 --> 00:04:29,079
a plane and bring a you know, a new device

72
00:04:29,720 --> 00:04:34,240
and get that installed. So that's a huge amount of downtime.

73
00:04:34,360 --> 00:04:41,160
So being able to have a very reliable recovery of

74
00:04:41,160 --> 00:04:44,240
that data and not just being able to recover that

75
00:04:44,279 --> 00:04:46,439
back to the same device, because a lot of times

76
00:04:46,800 --> 00:04:50,360
it can be actual hardware failure. So it's about being

77
00:04:50,360 --> 00:04:56,199
able to recover to dissimilar hardware and be able to

78
00:04:56,240 --> 00:04:59,920
do that quickly and efficiently. And that means being able

79
00:04:59,959 --> 00:05:03,279
to to back those control systems up. It means being

80
00:05:03,360 --> 00:05:08,279
able to work within the network environment from a security

81
00:05:08,319 --> 00:05:12,439
point of view, and it means being able to,

82
00:05:12,519 --> 00:05:16,600
you know, for example, if it is just data corruption,

83
00:05:16,720 --> 00:05:20,439
not physical hardware, being able to do what we like

84
00:05:20,480 --> 00:05:24,519
to refer to as weaponizing non-IT people. So if

85
00:05:24,519 --> 00:05:28,920
it is just, you know, on that individual endpoint, then

86
00:05:29,079 --> 00:05:34,920
being able to do that recovery quickly and simplify that process,

87
00:05:35,279 --> 00:05:39,079
so you don't have that bottleneck of IT.

88
00:05:39,199 --> 00:05:41,399
The other thing that we're seeing that is really

89
00:05:41,480 --> 00:05:44,040
driving a lot of, you know, kind of that

90
00:05:44,160 --> 00:05:47,639
approach is around compliance. So in a lot of cases,

91
00:05:48,560 --> 00:05:51,480
from a compliance point of view, making sure that there

92
00:05:51,560 --> 00:05:57,240
are reliable backups of those systems and the ability to

93
00:05:57,360 --> 00:06:01,959
do that in a secure way makes a huge difference

94
00:06:02,160 --> 00:06:04,720
to checking those boxes from a compliance point of view.

95
00:06:05,240 --> 00:06:07,959
Speaker 3: So that all makes sense in the abstract, but you know,

96
00:06:08,319 --> 00:06:10,800
the concrete example I had in mind again was you know,

97
00:06:11,319 --> 00:06:14,519
ICS sites roll their own. They've got a storage server,

98
00:06:14,600 --> 00:06:16,920
they keep the backups on it. But to your point,

99
00:06:17,680 --> 00:06:21,319
you know, for reliability, if ransomware gets in there, your

100
00:06:21,480 --> 00:06:24,399
backup server had better not be online or it's going

101
00:06:24,480 --> 00:06:28,000
to get encrypted, just like everything else got encrypted. So

102
00:06:28,360 --> 00:06:32,680
now we need offline copies, and you know, for compliance,

103
00:06:32,720 --> 00:06:35,319
a lot of the compliance regimes say, well, your offline

104
00:06:35,319 --> 00:06:37,680
copy has to be off site in case, I don't know,

105
00:06:37,759 --> 00:06:39,519
there's a fire in the building and you lose all

106
00:06:39,560 --> 00:06:41,680
your backups because that was the room that caught fire.

107
00:06:43,399 --> 00:06:45,319
Is this what you're talking about? Is this

108
00:06:45,399 --> 00:06:46,439
the problem we're solving here?

109
00:06:47,160 --> 00:06:51,519
Speaker 1: Yeah, absolutely, and you know, again having some kind of

110
00:06:51,600 --> 00:06:55,040
you know, local copy is better than not having anything

111
00:06:55,079 --> 00:06:58,199
one hundred percent. But you start to get into a

112
00:06:58,240 --> 00:07:01,800
lot of complexity when you're trying to solve that

113
00:07:01,959 --> 00:07:06,040
problem with kind of you know, home baked solutions. So

114
00:07:07,319 --> 00:07:12,639
you know, ultimately, what the modern best practice is

115
00:07:12,639 --> 00:07:16,160
is to have that copy actually in immutable

116
00:07:16,199 --> 00:07:19,839
storage in the cloud. So, you know, using the Purdue model,

117
00:07:19,920 --> 00:07:23,600
having the agent, you know, move up through the network,

118
00:07:24,240 --> 00:07:27,720
be able to, you know, securely initiate that communication,

119
00:07:29,399 --> 00:07:32,800
copy that to a storage or management

120
00:07:32,839 --> 00:07:34,839
server on site that can be in a DMZ,

121
00:07:34,959 --> 00:07:39,959
and then have that copied out to the cloud,

122
00:07:39,959 --> 00:07:44,199
whether that's an uber public cloud like Azure or AWS,

123
00:07:44,759 --> 00:07:47,759
or whether that's to you know, a dedicated cloud solution

124
00:07:48,120 --> 00:07:50,680
you know, like Acronis offers. Being able to do

125
00:07:50,720 --> 00:07:54,399
that and store that in an immutable way is really

126
00:07:54,959 --> 00:07:58,839
where you're going to check those compliance boxes without adding

127
00:07:59,199 --> 00:08:02,959
a large amount of operational overhead on top, by

128
00:08:03,079 --> 00:08:06,480
using a solution that's designed to solve this problem.

129
00:08:07,439 --> 00:08:09,560
Speaker 3: I know this is one of the things Acronis

130
00:08:09,639 --> 00:08:12,759
does: you solve this problem. Can you talk about your solution?

131
00:08:12,920 --> 00:08:14,879
You know, what have you got? How does it work? Please?

132
00:08:15,959 --> 00:08:20,519
Speaker 1: Being able to solve for that problem really requires a

133
00:08:20,560 --> 00:08:23,240
few things, and one of them is ease of use.

134
00:08:23,879 --> 00:08:28,279
It's about being able to back up and restore that

135
00:08:28,399 --> 00:08:32,279
data without a lot of overhead or complication. And in

136
00:08:32,320 --> 00:08:36,600
a lot of cases that restores even to dissimilar hardware

137
00:08:36,639 --> 00:08:40,039
if you have physical failure. Even if, you know, it's

138
00:08:40,080 --> 00:08:44,559
the same model of hardware that you're getting from the

139
00:08:44,559 --> 00:08:47,480
same manufacturer, there might be a slightly different chipset, a

140
00:08:47,519 --> 00:08:51,559
slightly different thing like that. So being able to restore

141
00:08:51,679 --> 00:08:54,039
to dissimilar hardware. One of the things we have is

142
00:08:54,039 --> 00:08:57,399
something called universal restore. It means as long as we

143
00:08:57,440 --> 00:09:01,080
can load three drivers, we can make it bootable. So as

144
00:09:01,120 --> 00:09:03,679
long as we've got the chipset driver, the network driver,

145
00:09:03,799 --> 00:09:07,919
and the storage driver, and we have technology in place

146
00:09:08,480 --> 00:09:12,879
to be able to detect and load those drivers automatically,

147
00:09:13,279 --> 00:09:17,000
and even if we can't, we have ways you can

148
00:09:17,080 --> 00:09:21,720
manually inject those, meaning that the ability to restore and

149
00:09:21,840 --> 00:09:28,000
get that system back up is paramount and we know that,

150
00:09:28,080 --> 00:09:30,399
so we really focus a lot on being able to

151
00:09:30,440 --> 00:09:33,840
do that. And the other thing that I think is

152
00:09:34,240 --> 00:09:37,919
really important about how we solve that problem is ease

153
00:09:37,919 --> 00:09:40,720
of use, so you know, just a handful of clicks.

154
00:09:41,480 --> 00:09:47,320
Being able to deploy, you know, configure the settings for

155
00:09:47,399 --> 00:09:51,600
a backup or being able to recover that backup means

156
00:09:51,720 --> 00:09:55,360
that you don't have to learn a complicated interface

157
00:09:55,559 --> 00:09:57,919
to be able to get things to work.

158
00:09:58,639 --> 00:10:00,639
Speaker 3: Can we go back to the basics? I don't know how

159
00:10:00,679 --> 00:10:05,200
your system works? You've talked about cloud, you know, how

160
00:10:05,200 --> 00:10:07,279
do you get data out to the cloud? We talked

161
00:10:07,279 --> 00:10:09,039
about Purdue model. How does that work?

162
00:10:09,840 --> 00:10:14,440
Speaker 1: Our solution is sort of divided up into three pieces.

163
00:10:15,080 --> 00:10:18,440
So the first piece is an agent. So that agent

164
00:10:18,559 --> 00:10:23,679
gets installed onto the control system. It is, you know, Windows, Linux,

165
00:10:24,200 --> 00:10:28,360
broad support for any of those legacy systems. But with

166
00:10:28,360 --> 00:10:33,960
that agent, once it is installed, that's what initiates the communication,

167
00:10:34,480 --> 00:10:37,559
so whether that's going out to what we call the

168
00:10:37,879 --> 00:10:43,240
management server, the second piece, that's installed on premises, and

169
00:10:43,679 --> 00:10:47,720
that is the piece where you're going to set up

170
00:10:47,799 --> 00:10:49,639
all of the settings, where you're going to do all

171
00:10:49,679 --> 00:10:53,519
of the configuration, and the agent is going to reach

172
00:10:53,600 --> 00:10:57,480
out to that management server to say, hey, what

173
00:10:57,519 --> 00:10:59,279
are the settings? What do I, you know, how often

174
00:10:59,320 --> 00:11:02,960
do I need to back up? If you need to

175
00:11:03,120 --> 00:11:07,120
initiate a recovery that can be done from the device

176
00:11:07,399 --> 00:11:11,399
or from the management server. And basically the agent is

177
00:11:11,440 --> 00:11:13,559
the one that's going to be initiating. That's how we

178
00:11:13,720 --> 00:11:17,960
respect the Purdue model. That management server, that second piece

179
00:11:18,480 --> 00:11:21,759
lives in the DMZ, so it's the part that can

180
00:11:21,799 --> 00:11:25,440
be connected both to the secure network and to the Internet,

181
00:11:25,840 --> 00:11:29,840
meaning that it can then copy that data out

182
00:11:29,879 --> 00:11:31,720
to the cloud or go and retrieve it from the

183
00:11:31,720 --> 00:11:35,639
cloud and bring it back on premises. And the advantage

184
00:11:35,639 --> 00:11:39,320
of that is, you know, you have a

185
00:11:39,399 --> 00:11:45,440
way to be able to securely move that data. But

186
00:11:45,519 --> 00:11:48,080
it's the agent that's doing the heavy lifting, and that's

187
00:11:48,120 --> 00:11:52,279
what's installed on the actual control system itself.

188
00:11:55,320 --> 00:11:57,360
Speaker 3: So Nate, let me jump in for a second. I mean,

189
00:11:58,000 --> 00:12:01,440
this episode is a little bit unusual in that I

190
00:12:01,480 --> 00:12:03,840
can only remember one other episode in all of our

191
00:12:03,960 --> 00:12:07,759
over one hundred episodes where we've talked about the recovery

192
00:12:07,919 --> 00:12:10,480
pillar of the NIST cybersecurity framework. You know, the NIST

193
00:12:10,600 --> 00:12:13,360
framework is, of course, hundreds of experts got together and said,

194
00:12:13,360 --> 00:12:16,320
here's what a complete cybersecurity program looks like. It has

195
00:12:16,360 --> 00:12:19,759
six pillars in the modern instantiation of the

196
00:12:19,799 --> 00:12:26,720
framework: govern, identify, protect, detect, respond, and recover. Six pillars.

197
00:12:26,759 --> 00:12:29,240
And I only recall one other

198
00:12:29,279 --> 00:12:31,879
episode where we talked about recover, and that was the

199
00:12:32,240 --> 00:12:35,559
Salvador Tech episode. So here we are talking about the

200
00:12:35,879 --> 00:12:42,440
recovery pillar, you know, and it's important. I mean,

201
00:12:42,759 --> 00:12:47,919
especially in safety-critical industrial stuff, nobody wants the system compromised.

202
00:12:48,559 --> 00:12:52,600
Nobody wants, you know, heavy industry, nobody wants, well, forget

203
00:12:52,600 --> 00:12:56,879
heavy industry, their factory, anything to go down. And, you know,

204
00:12:56,960 --> 00:12:59,600
if it goes down for any reason, we want to

205
00:12:59,639 --> 00:13:01,679
be able, we have to be able, to bring it

206
00:13:01,759 --> 00:13:04,720
back, or, you know, we've done the business that is

207
00:13:04,759 --> 00:13:10,320
serviced. And systems don't just go down because of cyber attacks. It

208
00:13:10,399 --> 00:13:12,759
might just go down because equipment burns out. This happens.

209
00:13:12,759 --> 00:13:17,080
You've got to be able to recover from these outages.

210
00:13:18,639 --> 00:13:23,039
And, you know, what is there? We're talking about backup

211
00:13:23,080 --> 00:13:26,080
and recovery. You know, it's a pillar. Is

212
00:13:26,120 --> 00:13:28,519
there anything else? The only other thing I know of

213
00:13:28,600 --> 00:13:32,840
in that pillar is rebuilding from known good original media

214
00:13:34,440 --> 00:13:37,559
as an alternative: instead of backing up and restoring, rebuild

215
00:13:37,600 --> 00:13:42,240
a machine from scratch, which probably takes a lot longer

216
00:13:42,279 --> 00:13:45,720
than recovering from backups. So yeah, most people back their

217
00:13:45,759 --> 00:13:49,159
stuff up, and, you know, might also have recovery

218
00:13:49,200 --> 00:13:52,240
from known good media as sort of a second level

219
00:13:52,320 --> 00:13:56,840
of recovery option to be used in I don't know, emergencies.

220
00:13:56,919 --> 00:13:59,080
Speaker 2: For whatever reason, do you

221
00:13:59,039 --> 00:14:04,759
think it's inherently just less complex than those other five pillars,

222
00:14:04,879 --> 00:14:08,679
such that fewer people would either be involved in that

223
00:14:08,720 --> 00:14:12,000
space, specialized in that space as vendors, or want

224
00:14:12,080 --> 00:14:15,360
to talk about it on podcasts or is it very fruitful?

225
00:14:15,480 --> 00:14:18,159
And maybe we, just as podcast hosts, have not been

226
00:14:18,159 --> 00:14:19,759
doing a good job of finding these folks.

227
00:14:20,120 --> 00:14:20,600
Speaker 1: Well, I don't know.

228
00:14:20,639 --> 00:14:22,799
Speaker 3: I haven't actually gone out to see who else is

229
00:14:22,840 --> 00:14:24,679
in the space. I know Acronis is one of

230
00:14:24,720 --> 00:14:28,600
the major players. I see them everywhere. But I think,

231
00:14:29,320 --> 00:14:31,600
and I don't have the NIST CSF open in front

232
00:14:31,639 --> 00:14:34,240
of me, but from what I recall, there are far

233
00:14:34,559 --> 00:14:40,720
fewer things to do, requirements, in the recovery pillar than

234
00:14:40,759 --> 00:14:44,240
in many of the other pillars. So it is, sort

235
00:14:44,279 --> 00:14:49,080
of, because there are fewer requirements, it's arguably a little bit easier.

236
00:14:49,080 --> 00:14:51,480
It's, you know, there's not as much to do, so yeah,

237
00:14:51,559 --> 00:14:54,399
I think that's part of it. But it is important

238
00:14:54,440 --> 00:14:57,279
and so yeah, maybe we have been remiss. I'm happy

239
00:14:57,279 --> 00:15:01,840
that we have Steven as a guest here. These are

240
00:15:01,879 --> 00:15:05,240
OT systems. You know, sometimes they're old and slow,

241
00:15:06,200 --> 00:15:11,639
you know, sometimes they're modern and fast. Is

242
00:15:11,679 --> 00:15:15,360
the backup data passing across the same, you know, competing

243
00:15:15,480 --> 00:15:17,840
for bandwidth on the same network that is doing the

244
00:15:18,159 --> 00:15:20,840
real-time, I don't know, train control or something horrible

245
00:15:20,879 --> 00:15:25,879
like this. Is it on a separate network and you

246
00:15:25,919 --> 00:15:31,039
know these agents? Do you get pushback from the vendor saying, no,

247
00:15:31,279 --> 00:15:34,200
you're not installing your agents on my stuff. You've invalidated

248
00:15:34,240 --> 00:15:36,399
our support agreement. Blah blah blah. You know, can you

249
00:15:36,440 --> 00:15:40,159
talk about the problem of doing this on an OT network.

250
00:15:40,960 --> 00:15:44,720
Speaker 1: First of all, the agent is very lightweight. It does

251
00:15:44,759 --> 00:15:46,519
a little bit of the work, so it will actually

252
00:15:46,639 --> 00:15:50,720
compress that data prior to it being sent, meaning we're

253
00:15:50,759 --> 00:15:55,080
actually sending fewer packets. It is designed to work in

254
00:15:55,120 --> 00:15:59,519
a high-latency environment,

255
00:16:00,639 --> 00:16:05,240
which means that it doesn't demand a lot of priority

256
00:16:05,519 --> 00:16:08,759
on network traffic. To be able to do that, it

257
00:16:08,759 --> 00:16:10,919
can be configured in a way to work over that

258
00:16:11,000 --> 00:16:15,519
same operational network, or you can configure a separate network.

259
00:16:15,519 --> 00:16:18,159
It's the flexibility of the model, I think, that

260
00:16:19,080 --> 00:16:23,279
is really important. And as far as, you know, those environments,

261
00:16:23,559 --> 00:16:27,879
we actually have really tight relationships with a number of

262
00:16:27,960 --> 00:16:32,559
OT vendors. So I'm talking about Honeywell, e v R, Emerson,

263
00:16:32,600 --> 00:16:38,000
DeltaV and Ovation, Rockwell. You know, they have OEMed

264
00:16:38,080 --> 00:16:41,360
our product, they've tested it, they've validated it on their systems,

265
00:16:41,840 --> 00:16:47,039
and they resell our solution, which means that they're certified

266
00:16:47,080 --> 00:16:51,960
for those systems. And because of those tight relationships, you

267
00:16:52,000 --> 00:16:57,159
can be confident as a customer that you're getting a

268
00:16:57,159 --> 00:16:59,960
solution that is going to be reliable and not interfere

269
00:17:00,120 --> 00:17:03,039
with the primary use of that device, because one hundred

270
00:17:03,039 --> 00:17:07,079
percent, the backups are important. But if it's not delivering

271
00:17:07,240 --> 00:17:09,839
the service that it needs, if you're not, you know,

272
00:17:09,960 --> 00:17:15,160
moving people or energy or water around, you're ultimately, you know,

273
00:17:16,279 --> 00:17:17,880
making more problems than you're solving.

274
00:17:19,000 --> 00:17:21,160
Speaker 3: Well, you talked about low bandwidth, you talked about not

275
00:17:21,279 --> 00:17:26,960
competing with the control system. Is it possible to throttle

276
00:17:27,279 --> 00:17:30,319
how much of the network you use for the backup function.

277
00:17:31,279 --> 00:17:33,799
Speaker 1: One of the things about the protection plan, or the

278
00:17:33,839 --> 00:17:37,960
backup plan that we have, is the configuration settings in those options.

279
00:17:38,640 --> 00:17:43,079
We have the ability to set up limits on the

280
00:17:43,160 --> 00:17:45,279
amount of bandwidth, so you can say a certain percentage,

281
00:17:45,279 --> 00:17:47,559
you can say some certain number of kilobits per second,

282
00:17:48,079 --> 00:17:53,079
and you can also have that change at different times

283
00:17:53,200 --> 00:17:55,799
of the day, different days of the week. So I mean,

284
00:17:55,920 --> 00:17:57,920
if you're running twenty-four seven, you can have it,

285
00:17:57,960 --> 00:18:00,920
you know, consistent across the board. If you have, you know,

286
00:18:00,960 --> 00:18:05,200
more priority times that, you know, you need that operational

287
00:18:05,240 --> 00:18:09,079
information to take priority, and you have, you know, other

288
00:18:09,160 --> 00:18:12,440
times where you can have the backup take priority.

289
00:18:12,480 --> 00:18:16,880
Both of those things we can absolutely accommodate. It's about flexibility.

290
00:18:16,920 --> 00:18:20,359
It's about making sure that you have all of the

291
00:18:20,960 --> 00:18:25,960
capabilities that you need without interfering with the primary requirement

292
00:18:25,960 --> 00:18:26,559
of the network.

293
00:18:27,319 --> 00:18:31,119
Speaker 3: We've been talking, sort of, again in the abstract: systems, agents.

294
00:18:32,680 --> 00:18:35,079
You generally can't take a Windows agent and install it

295
00:18:35,119 --> 00:18:39,279
on a PLC, and you might have a challenge installing

296
00:18:39,319 --> 00:18:41,960
it on an old XP system that we still see

297
00:18:42,039 --> 00:18:46,000
running in the plant. Sometimes. Can you talk about, you know,

298
00:18:46,400 --> 00:18:49,039
what kinds of platforms you support.

299
00:18:49,599 --> 00:18:54,160
Speaker 1: Let's start with PLCs. So in most cases that information,

300
00:18:54,200 --> 00:19:00,279
those configurations are actually being backed up or protected

301
00:19:00,359 --> 00:19:04,559
or exported to a control system somewhere, and that's usually

302
00:19:04,599 --> 00:19:11,359
being done by the proprietary software from that vendor,

303
00:19:12,119 --> 00:19:14,960
and once it's on the control system, we have the

304
00:19:14,960 --> 00:19:19,960
ability to back that up. Additionally, we have those deep

305
00:19:20,319 --> 00:19:23,519
OEM relationships. In a lot of cases, what is actually

306
00:19:23,559 --> 00:19:27,759
being done to back those up directly is the Acronis agent.

307
00:19:28,480 --> 00:19:31,279
And when we talk about legacy systems, we've

308
00:19:31,279 --> 00:19:34,880
been in this data protection, in this backup and

309
00:19:34,960 --> 00:19:39,359
recovery business for twenty plus years, and we know that

310
00:19:39,440 --> 00:19:44,519
a lot of these systems absolutely rely on legacy operating systems.

311
00:19:44,559 --> 00:19:50,519
So we have maintained support for even out-of-support systems,

312
00:19:50,559 --> 00:19:55,279
back to things like XP, you know, Windows Server 2000,

313
00:19:55,799 --> 00:19:59,480
you know, lots of those systems. And the reason

314
00:19:59,480 --> 00:20:03,160
that we do that is because we know that those

315
00:20:03,319 --> 00:20:06,640
critical systems can't easily be updated.

316
00:20:07,720 --> 00:20:10,759
Speaker 3: We've talked a lot, though, about sort of the process

317
00:20:10,799 --> 00:20:14,279
of backing things up. The agents back things up. You know,

318
00:20:14,359 --> 00:20:17,799
the PLCs have got relationships with you folks. They

319
00:20:17,839 --> 00:20:19,960
might have, you know, your software embedded in them.

320
00:20:20,000 --> 00:20:22,640
That's all good. Can you talk about the other side

321
00:20:22,680 --> 00:20:25,759
of the coin. There's I don't know, a cyber attack

322
00:20:26,000 --> 00:20:29,880
or, you know, just a plain old electrical fault in, you know,

323
00:20:30,240 --> 00:20:34,079
part of a high-power process, and, you know, a

324
00:20:34,119 --> 00:20:37,319
half dozen, you know, a couple of Windows devices, a

325
00:20:37,359 --> 00:20:42,039
couple of PLCs fry. So we scramble to find replacement hardware.

326
00:20:42,519 --> 00:20:45,559
We get the replacement hardware there, and then what,

327
00:20:45,839 --> 00:20:46,680
how do we restore?

328
00:20:47,599 --> 00:20:49,799
Speaker 1: Yeah, I think that's a great question because you know,

329
00:20:49,880 --> 00:20:53,519
I've often said that, you know, backups are wonderful, but

330
00:20:54,319 --> 00:20:57,559
it's really recovery. It's the ability to get things back

331
00:20:57,640 --> 00:21:01,799
up that matters. And so you kind of

332
00:21:01,839 --> 00:21:04,359
touched on a couple of scenarios there, and we have

333
00:21:04,400 --> 00:21:09,119
a couple of different ways to address that. So

334
00:21:09,240 --> 00:21:11,279
let's start with the last one you mentioned, where

335
00:21:11,559 --> 00:21:15,079
it is now new hardware. So I talked a little

336
00:21:15,119 --> 00:21:17,519
bit earlier about our universal restore. So really it doesn't

337
00:21:17,559 --> 00:21:19,559
have to be exactly the same hardware, and I think

338
00:21:19,599 --> 00:21:23,960
that's important. But in addition to that, just generally,

339
00:21:23,960 --> 00:21:26,359
how do you go about recovering?

340
00:21:27,039 --> 00:21:30,759
And when it's a physical machine, we have the

341
00:21:30,799 --> 00:21:34,279
ability to have bootable media, so you can

342
00:21:34,279 --> 00:21:37,319
go to that management server, you can create a bootable

343
00:21:37,519 --> 00:21:41,160
USB or CD, you know, optical drive, version

344
00:21:42,039 --> 00:21:45,839
that you can go boot on that machine. It will

345
00:21:47,000 --> 00:21:49,640
give you, you know, very quickly. It installs

346
00:21:49,680 --> 00:21:54,759
a lightweight version of an operating system, and

347
00:21:54,799 --> 00:21:57,720
it will be registered to the management server and be

348
00:21:57,799 --> 00:22:02,720
able to pull down and do that recovery, whether that's

349
00:22:03,000 --> 00:22:05,319
you know, information you have stored locally or even if

350
00:22:05,319 --> 00:22:08,079
you have information that is stored in the cloud. So

351
00:22:08,160 --> 00:22:11,160
it makes the process of being able to do that

352
00:22:11,359 --> 00:22:15,880
just a few clicks on the physical hardware itself. The

353
00:22:15,960 --> 00:22:19,160
other option, let's say that you don't have, you know,

354
00:22:19,720 --> 00:22:21,920
damaged hardware, but it is in fact, you know, some

355
00:22:22,000 --> 00:22:25,640
kind of cyber attack, or, you know, another example could

356
00:22:25,640 --> 00:22:30,160
be the challenge with CrowdStrike a while ago, where

357
00:22:31,039 --> 00:22:32,799
you know, you just can't

358
00:22:32,839 --> 00:22:36,759
boot the system. It's physically the physical system is fine,

359
00:22:36,759 --> 00:22:40,480
but somehow there's been some corruption or some damage. In

360
00:22:40,480 --> 00:22:44,039
that case, we actually have the ability right on the

361
00:22:44,039 --> 00:22:48,359
machine what we call one click recovery. Technically it's three

362
00:22:48,440 --> 00:22:50,559
or four clicks, but it gives you the ability to

363
00:22:51,680 --> 00:22:54,119
on boot hold down the F11 key. It will

364
00:22:54,160 --> 00:22:57,319
boot into that recovery manager that can be on the

365
00:22:57,359 --> 00:23:00,880
machine and then you can, you know, simply choose to

366
00:23:00,880 --> 00:23:03,720
restore from a backup a week or a couple of

367
00:23:03,720 --> 00:23:07,920
weeks ago before the problem occurred where that ransomware happened,

368
00:23:08,519 --> 00:23:11,880
and that gives you the ability again very very simply

369
00:23:12,400 --> 00:23:18,480
without needing a lot of time to configure and understand.

370
00:23:18,519 --> 00:23:20,519
It's just a matter of a couple of clicks.

371
00:23:23,359 --> 00:23:29,440
Speaker 2: Steven just mentioned there the CrowdStrike incident, Andrew. At

372
00:23:29,480 --> 00:23:31,960
the time we're recording this, I assume that we're going

373
00:23:32,000 --> 00:23:33,960
to release it some weeks later. But at the time

374
00:23:33,960 --> 00:23:38,440
of recording, we are almost one exact year to the day,

375
00:23:38,640 --> 00:23:43,759
just two days off of the anniversary of when a

376
00:23:43,839 --> 00:23:51,759
faulty configuration update caused CrowdStrike's flagship program to bug out

377
00:23:51,839 --> 00:23:55,480
and do blue screens of error in what was I

378
00:23:55,519 --> 00:24:00,640
think eight point five million devices. This was probably the

379
00:24:00,680 --> 00:24:07,400
most highly publicized it or cyber related event in history,

380
00:24:08,119 --> 00:24:17,640
affecting hospitals, shops, airlines, flights were grounded across America. I

381
00:24:17,680 --> 00:24:19,839
think that the number that I found on the web

382
00:24:20,720 --> 00:24:23,680
was that it caused somewhere in the region of ten

383
00:24:23,720 --> 00:24:27,359
billion dollars in damages all told by the end, a

384
00:24:27,440 --> 00:24:32,079
number which is probably relatively rough, and also reminds me

385
00:24:32,279 --> 00:24:36,880
of the last time such an event occurred, or at

386
00:24:36,960 --> 00:24:40,079
least that I can remember, which would have been an

387
00:24:40,119 --> 00:24:45,240
actual cyber attack, namely NotPetya, which, while it caused

388
00:24:45,319 --> 00:24:51,160
fewer public and very visible errors to the general public,

389
00:24:52,160 --> 00:24:55,519
managed to cause hundreds of millions of dollars in damages

390
00:24:55,680 --> 00:25:02,240
for very important supply chain companies or not. So this was,

391
00:25:02,799 --> 00:25:06,039
if anything, ever was to be a case study in

392
00:25:07,000 --> 00:25:09,880
what it looks like to do recovery. It was the

393
00:25:09,880 --> 00:25:11,240
CrowdStrike incident last.

394
00:25:11,079 --> 00:25:14,160
Speaker 3: Year, and I agree with that absolutely, and the CrowdStrike

395
00:25:14,240 --> 00:25:18,480
incident was not a cyber attack, but you know, it

396
00:25:18,519 --> 00:25:23,119
does illustrate what some people what I have worried about

397
00:25:23,200 --> 00:25:26,599
for some years on the side of cloud connectivity for

398
00:25:26,640 --> 00:25:34,400
control systems. If you know, an honest mistake in software

399
00:25:34,400 --> 00:25:39,200
development could or testing or whatever the process was, could

400
00:25:39,240 --> 00:25:42,240
cause you know, eight point five million PCs to go down,

401
00:25:42,279 --> 00:25:46,440
and you know, industrial consequences in terms of grounding air

402
00:25:46,759 --> 00:25:50,680
flights and shutting down other processes. If that's possible through

403
00:25:50,720 --> 00:25:54,359
human error, it's arguably possible through a deliberate attack as well.

404
00:25:56,599 --> 00:25:59,960
And you know, so CrowdStrike was not an example

405
00:26:00,119 --> 00:26:02,599
of a deliberate attack, but it's an example of the

406
00:26:02,640 --> 00:26:07,200
scale of what's possible. Kaseya was actually a deliberate attack.

407
00:26:07,599 --> 00:26:09,759
This was on the IT side, not the OT side,

408
00:26:09,759 --> 00:26:12,640
but it was ransomware that was inserted into a Kaseya

409
00:26:12,720 --> 00:26:16,480
software update server and infected I think, what was it

410
00:26:16,519 --> 00:26:21,680
eight hundred or one thousand businesses all at once, sort

411
00:26:21,680 --> 00:26:24,880
of on the scale of NotPetya, but you know,

412
00:26:25,000 --> 00:26:28,920
ten years later using different technology. So you know, I

413
00:26:29,039 --> 00:26:33,960
worry that it is possible to use these these cloud

414
00:26:34,000 --> 00:26:37,160
based systems to reach back and you know, kill a

415
00:26:37,160 --> 00:26:40,720
lot of industrial stuff that might otherwise seem very heavily defended.

416
00:26:42,000 --> 00:26:45,039
Speaker 2: And I think that this kind of risk has come

417
00:26:45,160 --> 00:26:50,279
up on our podcast before because sometimes we talked to

418
00:26:50,480 --> 00:26:55,279
vendors who provide cloud based security services, for example, security

419
00:26:55,319 --> 00:27:01,200
operation centers through the cloud. In this case, the question

420
00:27:01,279 --> 00:27:04,839
that naturally comes to my mind is if the cloud

421
00:27:05,200 --> 00:27:10,960
is a vector for such widespread destruction, potentially through malicious

422
00:27:11,079 --> 00:27:17,519
or honest means, then is cloud based recovery a good idea.

423
00:27:18,680 --> 00:27:22,440
Speaker 3: That's an important question. But you know, here we're talking

424
00:27:22,480 --> 00:27:25,079
about a backup system. We have to be careful that

425
00:27:25,119 --> 00:27:29,759
we're not throwing out the baby with the bathwater. You know,

426
00:27:29,880 --> 00:27:34,519
look at the world. Most you know, the vast majority

427
00:27:34,680 --> 00:27:38,240
of industrial sites are already connected to the cloud. One

428
00:27:38,279 --> 00:27:41,640
more connection is not changing your threat profile materially, and this,

429
00:27:42,039 --> 00:27:44,480
you know, the Acronis connection is a connection to a

430
00:27:44,519 --> 00:27:47,920
backup service, something that is increasing your resilience. That's increasing

431
00:27:47,960 --> 00:27:51,759
your you know, the strength of your security program. This,

432
00:27:51,960 --> 00:27:55,200
you know, backing up and recovery is part of the CSF.

433
00:27:55,240 --> 00:27:58,960
You don't have a complete security program until you've got

434
00:27:58,960 --> 00:28:05,440
this capability. And you know, unlike the other cloud connections

435
00:28:05,480 --> 00:28:09,119
at most industrial sites, here's a cloud that increases your

436
00:28:09,160 --> 00:28:14,319
resiliency rather than simply increasing your efficiency, which you know,

437
00:28:14,599 --> 00:28:17,480
predictive maintenance and other sort of conventional cloud connections do.

438
00:28:17,599 --> 00:28:20,960
So you know, that's part of the problem. Part of it,

439
00:28:21,079 --> 00:28:27,799
you know as well, is that you know, we need

440
00:28:27,960 --> 00:28:31,160
we need a way to recover and there are measures

441
00:28:31,160 --> 00:28:33,839
we can take. I mean, I talk about, you know,

442
00:28:34,559 --> 00:28:37,279
plugging my own book network engineering in my latest book

443
00:28:37,279 --> 00:28:39,880
Engineering Grade OT Security, you know, free copies of which

444
00:28:39,920 --> 00:28:43,000
are still available from Waterfall. Check out the website or

445
00:28:43,039 --> 00:28:48,079
send me email. There's a chapter on network engineering. You

446
00:28:48,119 --> 00:28:51,720
can talk about extra inspection, you can talk about you know,

447
00:28:52,200 --> 00:28:56,000
high lockdown, separate paths to the Internet. You can talk

448
00:28:56,000 --> 00:29:00,839
about uni directional gateways when you deem the threat of

449
00:29:00,880 --> 00:29:05,359
compromise over that information flows as a credible threat. So

450
00:29:06,000 --> 00:29:09,319
you know, yes, in theory it's a risk, but what

451
00:29:09,400 --> 00:29:13,240
you have to look at is in practice, what's the

452
00:29:13,279 --> 00:29:17,279
benefit here? And you know, if I recall you know,

453
00:29:17,960 --> 00:29:21,400
Steven said later in the interview, they have the option

454
00:29:21,559 --> 00:29:25,279
of on premise backups as well. Now you lose the

455
00:29:25,319 --> 00:29:29,400
off premise capability, but yeah, there's a lot of options,

456
00:29:29,440 --> 00:29:31,240
and you know, you need to look at the big picture,

457
00:29:31,319 --> 00:29:33,599
not just oh, look there's a cloud connection. You know,

458
00:29:33,640 --> 00:29:39,440
we're doomed. That's it's not that simple. So you mentioned

459
00:29:39,519 --> 00:29:42,640
CrowdStrike. I mean I find that fascinating. It was

460
00:29:42,720 --> 00:29:47,160
a lot of hosts that went down with CrowdStrike. Is

461
00:29:47,200 --> 00:29:50,119
this sort of hypothetical or is it real? Did you

462
00:29:50,160 --> 00:29:53,759
have customers in your knowledge who were hit by CrowdStrike

463
00:29:53,839 --> 00:29:58,519
and you know recovered this way? You know, you've you've

464
00:29:58,519 --> 00:30:00,119
been deploying this, you were you were a part of

465
00:30:00,160 --> 00:30:02,039
the services team at Acronis for a long time.

466
00:30:02,519 --> 00:30:07,200
Tell us, you know, what's the experience of using this, Like.

467
00:30:07,960 --> 00:30:10,839
Speaker 1: Yeah, I've got to the CrowdStrike example is you know,

468
00:30:10,880 --> 00:30:12,880
I brought it up because it is real. We actually

469
00:30:12,920 --> 00:30:16,279
do have a number of customers. One in particular I

470
00:30:16,279 --> 00:30:22,319
can think of that had about two hundred devices and

471
00:30:22,599 --> 00:30:25,599
they they reached out to us to say, hey, can

472
00:30:26,039 --> 00:30:28,119
is this something that Acronis can help with? And

473
00:30:28,359 --> 00:30:31,440
we were able to, you know, walk them through the

474
00:30:31,559 --> 00:30:34,920
very simple process. And they had about thirty of those

475
00:30:34,920 --> 00:30:37,880
machines in particular that were remote where they didn't have

476
00:30:38,000 --> 00:30:43,359
IT people who could easily access those machines and their

477
00:30:43,720 --> 00:30:48,839
process of recovering those booting into safe mode, being able

478
00:30:48,880 --> 00:30:52,640
to you know, go in and make registry changes. Although

479
00:30:52,720 --> 00:30:54,839
that takes a lot of IT experience, It takes someone

480
00:30:54,880 --> 00:30:57,480
who kind of knows what they're doing. You don't want

481
00:30:57,519 --> 00:31:02,000
just your average person and doing that. But for those

482
00:31:02,039 --> 00:31:05,599
remote machines, what they were able to do was walk

483
00:31:05,640 --> 00:31:09,000
a non technical person. Again, this is something we kind

484
00:31:09,000 --> 00:31:14,880
of call weaponizing the non IT employees and the ability

485
00:31:14,960 --> 00:31:18,680
to walk them through a very simple process that took

486
00:31:18,759 --> 00:31:21,960
two or three clicks and was able to fully recover,

487
00:31:22,079 --> 00:31:24,799
meaning that they were back up and running with those

488
00:31:24,799 --> 00:31:29,720
devices in an average of five to fifteen minutes. As

489
00:31:29,720 --> 00:31:32,200
opposed to having someone have maybe have to travel two

490
00:31:32,319 --> 00:31:35,559
or three hours or maybe even longer than that to

491
00:31:35,640 --> 00:31:39,839
be able to recover. And that makes a huge difference. Again,

492
00:31:39,839 --> 00:31:43,000
it's you know, going back to what problem we're solving,

493
00:31:43,039 --> 00:31:45,640
it's uptime. It's the ability to make sure those systems

494
00:31:45,640 --> 00:31:47,920
are online and doing what they need to do.

495
00:31:49,160 --> 00:31:52,519
Speaker 3: Just going in and deploying this in an OT network.

496
00:31:52,559 --> 00:31:54,559
I mean sometimes it's built in the vendor. As you

497
00:31:54,599 --> 00:31:57,359
point out, you've got relationships with the vendors. When you

498
00:31:57,359 --> 00:32:00,680
get the control system, it's there. You know, if I

499
00:32:00,720 --> 00:32:03,559
want to apply something like this after the fact because

500
00:32:03,799 --> 00:32:06,920
you know my vendor didn't support it or whatnot, you know,

501
00:32:07,000 --> 00:32:08,359
what what's that feel like?

502
00:32:09,359 --> 00:32:11,920
Speaker 1: So we really try to make it a flexible model

503
00:32:11,960 --> 00:32:14,880
to deploy. So you know, if you've got a small environment,

504
00:32:15,920 --> 00:32:18,759
you know, maybe it's a highly secure environment, you can

505
00:32:18,799 --> 00:32:21,599
actually deploy and register those agents just by you know,

506
00:32:21,599 --> 00:32:25,079
through sneakernet right walking around with a USB and doing that.

507
00:32:25,119 --> 00:32:28,240
But that doesn't really scale, right, So I think back

508
00:32:28,279 --> 00:32:30,519
to you know, we have a large logistics company that

509
00:32:30,559 --> 00:32:35,119
we work with in North America and they needed just

510
00:32:35,200 --> 00:32:38,920
again a broad range of devices, so they were able

511
00:32:39,000 --> 00:32:43,279
to work with scripting and group policy to be able

512
00:32:43,279 --> 00:32:45,160
to deploy that out, and we were able to get

513
00:32:45,200 --> 00:32:51,799
that onto about sixty thousand end points within thirty days,

514
00:32:51,839 --> 00:32:57,279
and that really made a huge difference to their You know,

515
00:32:57,359 --> 00:33:00,319
choosing us as a as a provider is that because

516
00:33:00,839 --> 00:33:04,039
the effort it takes to actually get this deployed in large,

517
00:33:04,039 --> 00:33:07,720
complex environments can be a huge deciding factor.

518
00:33:08,880 --> 00:33:11,160
Speaker 3: Most of the discussion we had so far, you know,

519
00:33:11,319 --> 00:33:17,240
applies sort of universally. It applies if you know there's

520
00:33:17,240 --> 00:33:19,559
an electrical fault and I have does machines fry? It

521
00:33:19,599 --> 00:33:22,839
applies if there's a software fault, and you know eight

522
00:33:22,880 --> 00:33:29,599
percent of CrowdStrike's machines are blue screened. But we also

523
00:33:29,720 --> 00:33:34,279
worry about cyber attacks and recovering after cyber attacks. Is

524
00:33:34,319 --> 00:33:36,519
there anything we need to do differently or everything we

525
00:33:36,559 --> 00:33:38,799
need to think about differently in the world of cyber

526
00:33:38,920 --> 00:33:40,839
versus sort of normal failures.

527
00:33:41,799 --> 00:33:45,119
Speaker 1: Yeah, for sure. And part of that is that sometimes

528
00:33:45,160 --> 00:33:48,200
just recovering doesn't eliminate the problem. Right, If you're just

529
00:33:48,279 --> 00:33:53,000
recovering the ransomware back on, it's really not going to

530
00:33:53,000 --> 00:33:55,599
give you the level of protection that you need. So

531
00:33:55,640 --> 00:33:58,200
although the process of the backup and the recovery aren't

532
00:33:58,319 --> 00:34:03,079
dissimilar in those cases. One of the huge things is

533
00:34:03,119 --> 00:34:07,160
a lot of those control systems. Historically the approach to

534
00:34:07,359 --> 00:34:12,159
cybersecurity has been isolation, right, it's been the air gap network.

535
00:34:12,440 --> 00:34:15,519
So the reality is there are fewer and fewer truly

536
00:34:15,599 --> 00:34:18,480
air gap devices today. People want to be able to

537
00:34:18,519 --> 00:34:22,119
manage them remotely. People, you know, there's lots of those

538
00:34:22,159 --> 00:34:26,239
types of things, which increases the vulnerability of those to

539
00:34:26,360 --> 00:34:32,199
cyber attack but putting you know, a full suite of

540
00:34:32,880 --> 00:34:36,679
protection on that device. A lot of the times it's

541
00:34:36,719 --> 00:34:40,679
older operating systems that don't support the modern anti virus

542
00:34:40,679 --> 00:34:45,280
and anti ransomware solutions. And secondly, there usually isn't a

543
00:34:45,320 --> 00:34:48,719
lot of resource capacity there to be able to do that.

544
00:34:48,920 --> 00:34:51,119
So how do you solve for that? And one of

545
00:34:51,119 --> 00:34:55,039
the things that we can do is once we've taken

546
00:34:55,119 --> 00:34:59,239
the backup, we have the ability to scan that backup

547
00:34:59,519 --> 00:35:02,440
through the same engine that we would use to scan

548
00:35:02,920 --> 00:35:05,880
you know, actively on a system to look for things,

549
00:35:07,000 --> 00:35:09,719
meaning that we can mark a backup as safe to

550
00:35:09,800 --> 00:35:13,039
recover or infected. So if you did have a

551
00:35:13,119 --> 00:35:18,400
ransomware attack that that that you know had some some

552
00:35:19,400 --> 00:35:22,719
case where things were affected and you needed to be

553
00:35:22,719 --> 00:35:25,000
able to recover from that. You can with a high

554
00:35:25,000 --> 00:35:28,000
degree of confidence know that you can choose a backup

555
00:35:28,039 --> 00:35:31,480
that isn't just going to reinfect those systems. And the

556
00:35:31,639 --> 00:35:33,960
other piece that we have and this is this is

557
00:35:34,000 --> 00:35:35,639
something kind of the first thing we did in the

558
00:35:35,679 --> 00:35:38,840
in the world of security is something we call active protection.

559
00:35:39,519 --> 00:35:42,159
What active protection is, it's a behavior based engine that

560
00:35:42,280 --> 00:35:46,599
runs at the agent level and it detects processes that

561
00:35:46,639 --> 00:35:51,880
are suspicious, particularly when files start to become encrypted. So

562
00:35:51,920 --> 00:35:54,599
what it can do is detect that, knows that that's

563
00:35:54,639 --> 00:35:58,599
not a normal behavior can stop the process and then

564
00:35:58,719 --> 00:36:03,280
revert those files from system cache. This means that again

565
00:36:03,719 --> 00:36:06,119
you're you're aware that there's a problem, you get on

566
00:36:06,199 --> 00:36:09,119
alert that that has happened, but it means that it

567
00:36:09,159 --> 00:36:12,440
should help to prevent that that downtime and then you

568
00:36:12,440 --> 00:36:15,960
can go and do a recovery from a backup which

569
00:36:16,000 --> 00:36:17,760
has been scanned and marked as safe.

570
00:36:18,559 --> 00:36:23,039
Speaker 3: And we've been talking about OT but I understand you

571
00:36:23,079 --> 00:36:27,239
folks do this kind of thing for IT as well,

572
00:36:27,920 --> 00:36:30,840
So you know, in a sense you're exposed to the

573
00:36:30,840 --> 00:36:34,639
the the sort of the IT/OT traditional

574
00:36:34,639 --> 00:36:38,960
sort of conflicts or debates or you know, you're you're

575
00:36:39,039 --> 00:36:40,679
you're living in the in the world of both IT

576
00:36:40,800 --> 00:36:42,079
and OT. How's that working?

577
00:36:42,880 --> 00:36:45,119
Speaker 1: You know a lot of people that I talked to,

578
00:36:45,599 --> 00:36:47,840
you know, bring up this idea of OT and

579
00:36:47,880 --> 00:36:50,599
IT convergence, and when they do, you know, the first

580
00:36:50,599 --> 00:36:53,519
things that come to mind are, you know, being able

581
00:36:53,559 --> 00:36:57,840
to manage OT devices remotely. It's it's about having

582
00:36:58,280 --> 00:37:01,320
you know, a network topology that will support the convergence.

583
00:37:01,400 --> 00:37:06,920
But you know, in our case, it really it's about

584
00:37:07,599 --> 00:37:11,880
being able to have a single solution. It's about you know,

585
00:37:11,920 --> 00:37:16,480
getting away from siloed tools and being able to have

586
00:37:16,679 --> 00:37:21,920
a single skill set, have expertise, have a single

587
00:37:22,000 --> 00:37:24,280
vendor that you can work with that can support those

588
00:37:24,320 --> 00:37:27,119
So you know, we have and all the things we've

589
00:37:27,119 --> 00:37:31,639
been talking around the the OT about you know, backup

590
00:37:31,760 --> 00:37:36,840
and recovery, being able to recover to dissimilar hardware, about

591
00:37:36,960 --> 00:37:40,440
you know, enabling the end user even to do some

592
00:37:40,480 --> 00:37:45,599
of some of those tasks, being able to centralize the storage,

593
00:37:46,320 --> 00:37:48,920
being able to work with remote workloads as well as

594
00:37:48,960 --> 00:37:53,119
on premise workloads. You know, it's it's about that bringing

595
00:37:53,239 --> 00:37:57,320
all of that together and being you know, it's the

596
00:37:57,440 --> 00:38:02,480
same software, the same vendor, the same management server can

597
00:38:03,239 --> 00:38:06,800
you know, very very similar interface. You don't have to

598
00:38:06,840 --> 00:38:10,079
go and use a different tool and therefore have to

599
00:38:10,239 --> 00:38:14,159
become experts in more and more pieces of software. It

600
00:38:14,280 --> 00:38:20,599
really lends itself well to bringing efficiency and operational excellence

601
00:38:20,639 --> 00:38:22,360
to both the IT and to the OT.

602
00:38:25,440 --> 00:38:29,119
Speaker 3: What strikes me about this, Nate, is that we're talking

603
00:38:29,119 --> 00:38:33,440
about using the same backup technology suite for OT and

604
00:38:33,519 --> 00:38:38,800
IT both. You know, I'm reminded that this a lot

605
00:38:38,840 --> 00:38:42,039
of people nowadays, when they hear the phrase IT/OT convergence,

606
00:38:42,079 --> 00:38:45,960
they think connecting those networks up, you know, the cloud scenario.

607
00:38:45,960 --> 00:38:51,519
We talked about the original vision back in two thousand

608
00:38:51,519 --> 00:38:54,440
and five when the Gartner Group coined the phrase, you know,

609
00:38:54,800 --> 00:38:59,000
IT/OT convergence and coined the phrase operational technology. The original

610
00:38:59,079 --> 00:39:03,199
vision is that teams would come together. Why do we

611
00:39:03,280 --> 00:39:06,039
have two sort of centers of expertise in the company,

612
00:39:06,079 --> 00:39:08,639
one for SQL server for use on the OT side

613
00:39:08,679 --> 00:39:10,719
and one for SQL server for use on the IT side.

614
00:39:10,719 --> 00:39:15,960
It makes no sense combine these teams. It's the same knowledge,

615
00:39:16,960 --> 00:39:20,760
you know. Why are we using a different relational database

616
00:39:20,840 --> 00:39:23,440
on the OT side than on the IT side. When

617
00:39:23,559 --> 00:39:26,239
you know, we have an application that needs a relational database,

618
00:39:26,239 --> 00:39:28,639
it can use any one of them. On the OT side,

619
00:39:28,639 --> 00:39:30,719
we use SQL server. On the IT side, we use Oracle.

620
00:39:30,719 --> 00:39:32,559
But on the IT side, long ago we bought an

621
00:39:32,639 --> 00:39:35,480
enterprise license. We can deploy as many Oracles as we

622
00:39:35,519 --> 00:39:39,159
want free of charge. Why would we keep buying the

623
00:39:39,280 --> 00:39:43,800
same solution from a different vendor. Combine these, uh, you know,

624
00:39:44,079 --> 00:39:47,039
increase our leverage with the vendor, reduce the amount of

625
00:39:47,039 --> 00:39:50,920
training required. This was the original vision for IT/OT convergence.

626
00:39:51,760 --> 00:39:53,840
And you know we we see that here in the

627
00:39:53,840 --> 00:39:56,559
Acronis solution, saying you can use the same technology

628
00:39:56,559 --> 00:40:00,960
across the board. You know, it was only pushing a

629
00:40:00,960 --> 00:40:04,159
decade later that people started talking about IT/OT integration in

630
00:40:04,239 --> 00:40:07,599
terms of connecting the networks. And of course everyone almost

631
00:40:07,639 --> 00:40:11,599
everyone connects the networks today. But the original vision is

632
00:40:11,639 --> 00:40:18,840
this vision, which is reduce the complexity company wide. Well,

633
00:40:18,880 --> 00:40:21,519
this has been great, Thank you Steven. Before I let

634
00:40:21,559 --> 00:40:23,400
you go, can you sum up for our listeners? What

635
00:40:23,840 --> 00:40:25,639
should we take away from this episode?

636
00:40:26,280 --> 00:40:29,320
Speaker 1: Well, thanks, it's been a great conversation. So you know,

637
00:40:29,559 --> 00:40:31,679
if I was looking for what I'd like people to

638
00:40:31,719 --> 00:40:36,480
take away, it's that we can provide a reliable, secure

639
00:40:36,559 --> 00:40:41,719
way to back up and more importantly, recover their OT

640
00:40:42,039 --> 00:40:46,000
environment as well as their IT environment in a way

641
00:40:46,079 --> 00:40:51,360
that is going to increase up time and help those

642
00:40:51,400 --> 00:40:55,400
sleep at night, so things are properly protected. And we

643
00:40:55,440 --> 00:40:58,679
can do all of that in a way that is

644
00:41:00,159 --> 00:41:06,679
closely aligned with their vendors. With the OEM relationships that

645
00:41:06,760 --> 00:41:12,159
we have, it's easy to deploy and easy to manage. Ultimately,

646
00:41:12,400 --> 00:41:15,280
if you're looking for more information, you can certainly go

647
00:41:15,360 --> 00:41:17,360
to acronis dot com. But if you want to

648
00:41:17,360 --> 00:41:20,840
start a conversation, please connect with me on LinkedIn and

649
00:41:20,880 --> 00:41:22,920
I'll get you connected with one of our engineers and

650
00:41:22,960 --> 00:41:23,920
we can do a deep dive.

651
00:41:27,599 --> 00:41:30,679
Speaker 2: Andrew, that appears to do it for your conversation with

652
00:41:30,920 --> 00:41:37,559
Stephen Nichols about recovery. You know, not the maybe sexiest

653
00:41:37,599 --> 00:41:41,519
topic we've talked about on the show, but equally important

654
00:41:41,599 --> 00:41:44,599
to anything else we've discussed, and important that some folks

655
00:41:44,599 --> 00:41:45,639
are focused in this area.

656
00:41:46,320 --> 00:41:51,599
Speaker 3: Absolutely, it's you know, it's recovery. Backups are underappreciated. They

657
00:41:51,760 --> 00:41:56,599
sort of happen silently behind the scenes until you need them,

658
00:41:56,880 --> 00:42:00,000
and then it's a mad panic. And we've covered that somehow,

659
00:42:00,079 --> 00:42:02,760
haven't we And yeah, you know, here's a way to

660
00:42:02,800 --> 00:42:08,159
cover it. The new buzzword in OT security is resilience,

661
00:42:08,559 --> 00:42:12,400
meaning if you get hacked, when you get hacked one

662
00:42:12,400 --> 00:42:15,400
of these days, minimize the impact of the attack. And

663
00:42:15,400 --> 00:42:18,320
one of the ways to minimize it is rapid recovery,

664
00:42:19,960 --> 00:42:23,960
you know, And there's operational benefits. I mean, on we

665
00:42:24,280 --> 00:42:28,119
deploy equipment industrial settings that often that's expected to last

666
00:42:29,079 --> 00:42:32,639
well over a decade, which is sort of beyond the

667
00:42:32,679 --> 00:42:36,800
lifespan of, you know, a lot of IT equipment. Stuff

668
00:42:36,800 --> 00:42:41,559
wears out, you know, the ability to replace with slightly

669
00:42:41,599 --> 00:42:44,960
new or slightly different hardware and recover and keep going.

670
00:42:45,920 --> 00:42:51,280
That's an important operational benefit forget cyber attacks. And you

671
00:42:51,320 --> 00:42:54,320
know what I didn't know about, you know, was the

672
00:42:54,920 --> 00:42:58,079
clever bit of of offline anti virus scanning built into

673
00:42:58,079 --> 00:43:01,840
the solution, saying you know, both anti virus scanning and hey,

674
00:43:02,840 --> 00:43:05,079
you're not supposed to be encrypting those files. Why is

675
00:43:05,119 --> 00:43:07,960
there new copies of these showing up? You know, ransomware detection.

676
00:43:08,400 --> 00:43:11,280
You know, these are lovely augments to sort of

677
00:43:11,280 --> 00:43:16,119
a, like you said, a mundane backup capability.

678
00:43:16,920 --> 00:43:19,639
Speaker 2: Well, thanks Stephen, for being on the podcast with us.

679
00:43:19,639 --> 00:43:21,719
And Andrew, as always, thanks for speaking with me.

680
00:43:22,440 --> 00:43:23,840
Speaker 3: It's always a pleasure. Thank you man.

681
00:43:24,480 --> 00:43:28,639
Speaker 2: This has been the Industrial Security Podcast from Waterfall. Thanks

682
00:43:28,639 --> 00:43:30,400
to everyone out there listening.

