Control Loop: The OT Cybersecurity Podcast 11.2.22
Ep 12 | 11.2.22

Critical infrastructure in the crosshairs.


Dave Bittner: It's November 2, 2022, and you're listening to "Control Loop." In today's OT Cybersecurity Briefing, CISA releases cross-sector cybersecurity performance goals; a look at the ransomware threat to industrial organizations amidst reports of a ransomware attack on a major European metal producer. The TSA says it will issue new aviation cybersecurity requirements and announce a railway cybersecurity directive. And the White House focuses on cybersecurity in the chemical sector. Our guest is Jim Richberg of Fortinet, who addresses the evolving threat landscape and coming supply chain risks. Today's Learning Lab is second in a series with Mike Hoffman, a principal industrial consultant at Dragos, teaching infosec professionals how to think about OT security.

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency last Thursday issued voluntary cybersecurity performance goals. CISA explains the CPGs are a prioritized subset of IT and operational technology cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques. The goals were informed by existing cybersecurity frameworks and guidance, especially those developed by NIST, as well as the real-world threats and adversary tactics, techniques and procedures observed by CISA and its government and industry partners. By implementing these goals, owners and operators will not only reduce risks to critical infrastructure operations but also to the American people. Described as voluntary and not comprehensive, the goals were formulated to be, first, a baseline set of cybersecurity practices broadly applicable across critical infrastructure with known risk reduction value, a benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity, a combination of recommended practices for IT and OT owners, including a prioritized set of security practices, and unique from other control frameworks, as they consider not only the practices that address risk to individual entities but also the aggregate risk to the nation. 

Dave Bittner: CISA said that it developed the CPGs with extensive input from industry and that the development and application of standards was a cooperative effort. So what's different about these CPGs? CISA says they're different in three ways from similar standards, stating, first, the CPGs provide a succinct set of high-priority security outcomes and recommended actions applicable to IT and OT environments. In this way, the CPGs enable organizations to undertake prioritized and targeted investment to address the most significant cybersecurity risks. Second, the CPGs are accompanied by checklists that allow organizations to prioritize their utilization of each goal based upon cost, complexity and impact, making the CPGs uniquely useful for organizations with limited resources. Finally, the CPGs will be regularly refreshed and updated, allowing them to be used as a continuously effective resource to drive prioritized investments against the most significant threats and critical risks. So they're designed to be easily actionable across the different critical infrastructure sectors. And they're also designed to be adaptable to organizations of varying sizes and resources. 

Dave Bittner: Robert M. Lee, CEO and co-founder of Dragos, applauded CISA's commitment to government-industry cooperation, stating, CISA has shown their commitment to working alongside the industrial cybersecurity community with the release of the common baseline cross-sector cybersecurity performance goals. CISA took extensive input and feedback from industry stakeholders, and this updated guidance reflects that they were listening closely, providing actionable but not overly prescriptive guidance - exactly the type of support the community has been requesting. It allows asset owners and operators to work toward shared goals while giving them the flexibility and expertise to implement them in ways best suited to their organizations and risks. Most of the CPGs map closely to the critical controls needed for strong OT cybersecurity, namely having an incident response plan, a defensible architecture, visibility and monitoring, secure remote access and key vulnerability management. This guidance can help lift industrial cybersecurity standards across the board to better protect our nation's critical infrastructure. CISA's continued focus on OT cybersecurity as foundational to national security and distinct from IT cybersecurity is an important contribution to the community's advancement. 

Dave Bittner: Dragos published a report last week about the ransomware threat industrial organizations confront. It's a longstanding problem. In the third quarter, North America was the most targeted region, with Europe running a close second. The most targeted sector was metal products. Dragos researchers mention the customary difficulty involved in tracking ransomware threat actors as they form, shut down, disperse or rebrand, and they also take note of the way in which the threat tracks political conflict, stating, Dragos observed ransomware trends tied to political and economic reasons such as the conflict between Russia and Ukraine, and Iranian and Albanian political tensions. Dragos observed another trend related to the global crisis of energy supplies and prices, which may have caused Ragnar Locker, ALPHV and possibly other ransomware groups to increase their activities targeting energy sectors. 

Dave Bittner: Looking ahead to the fourth quarter, Dragos assesses with high confidence that ransomware will continue to disrupt industrial operations, whether through the integration of OT kill processes into ransomware strains, flattened networks allowing for ransomware to spread into OT environments, or through precautionary shutdowns of OT environments by operators to prevent ransomware from spreading to OT systems. Due to the changes in ransomware groups and the leaking of the LockBit 3.0 builder, Dragos assesses with moderate confidence that more new ransomware groups will appear in the next quarter as either new or reformed ones. 

Dave Bittner: As of Friday, October 28, there may have been another ransomware attack on an industrial operation. Aurubis, Europe's largest copper smelting company, sustained a cyberattack last week, Reuters reports. SecurityWeek notes that the incident looks like a ransomware attack, although that hasn't yet been confirmed. The company believes it was targeted as a part of a larger campaign against the metals sector. It responded by shutting down certain IT systems and isolating them from the internet. Its core industrial processes have continued to function. Aurubis said, the production and environmental protection facilities at the smelter sites are running, and incoming and outgoing goods are also being maintained manually. Transitional solutions are being implemented to make the company's full services available to business partners again starting next week. Customers and suppliers can still reach their Aurubis contacts by phone. 

Dave Bittner: Early this month, several U.S. airport websites suffered what appeared to be coordinated denial-of-service attacks at the hands of pro-Russian threat actors. In response, Reuters reports, the U.S. Transportation Security Administration has announced plans to issue new cybersecurity requirements for critical aviation systems. The new requirements represent in part a response to a 2020 Government Accountability Office report that urged the FAA to tighten regulations for airport cybersecurity protocols. The FAA last month sent a notice directing airports to consider and address physical and cybersecurity risks relevant to the transportation mode and type and scale of the project, stating that projects that have not appropriately considered and addressed physical and cybersecurity and resilience will be required to do so before receiving funds for construction. The TSA stated on Monday that it has already updated its aviation security programs to require airport and airline operators designate a cybersecurity coordinator and report cybersecurity incidents, conduct a cybersecurity assessment, and develop remediation measures and incident response plans, and that it will soon issue additional performance-based cybersecurity requirements for critical aviation systems. 

Dave Bittner: In related news, TSA has also issued a security directive addressing the cybersecurity of freight railway carriers. Called Rail Cybersecurity Mitigations and Testing, the directive's goal is to protect railway systems from the growing threat of cyberattacks that could disrupt railroad services, preventing the transport of essential goods and, in turn, threatening national security. Railway owners and operators will be required to establish a TSA-approved cybersecurity implementation plan. The goal of such plans would be resilience, ensuring that operations could continue, even in the event of an attack. The rail operators will also be asked to establish a cybersecurity assessment program to measure the effectiveness of their protocols. 

Dave Bittner: The Biden administration announced last week that the White House's ICS Cybersecurity Initiative will now include the chemical sector in addition to the electric pipeline and water sectors, SecurityWeek reports. The administration said in a statement, the majority of chemical companies are privately owned, so we need a collaborative approach between the private sector and government. The nation's leading chemical companies and the government's lead agency for the chemical sector, the Cybersecurity and Infrastructure Agency, have agreed on a plan to promote a higher standard of cybersecurity across the sector, including capabilities that enable visibility and threat detection for industrial control systems. As the risk management agency for the chemical sector, CISA will collaborate with the Chemical Sector Coordinating Council to set up a new task force to oversee the sprint. The Record by Recorded Future notes that plan elements will include the creation of a coordinating council, consisting of 15 chemical industry groups focused on gathering feedback on how best to bolster the sector's digital defenses. As CyberScoop explains, these cybersecurity sprints were first introduced in April 2021, codified by Biden's memorandum on improving critical infrastructure control systems. 

Dave Bittner: Chemists are fond of claiming pride of place for the subject as being the central science. It touches physics on one side and biology on the other. The chemist must know both. In some ways, the chemical sector might be seen as the central industrial sector. Chris Gray, AVP of cybersecurity firm Deepwatch, wrote to elaborate on why this is so and why the chemical sector underlies many other industries, stating, the chemical sector is a significant component of both the critical infrastructure and manufacturing industries. As part of the interoperability of critical infrastructure chains, the chemical sector heavily influences and enables areas such as agriculture, water, nuclear, defense and transportation. Damages to chemical manufacturing, storage, transportation and use are not self-contained. They have significant effects upon a much broader ecosystem, including economic markets. In some respects, the threat actors have also tended to overlook the chemical sector. Dragos found, for example, in their overview of ransomware activity, that LockBit 3.0 is the only group that targeted the chemical industry. As nation-states - the bad guy nation-states, we mean - pay more attention to co-opting criminal groups and using their tools, it's reasonable to address the risk to the central sector before it becomes an unpleasant reality. 

Dave Bittner: Joining us for this episode is Jim Richberg from Fortinet. Our conversation centers on the evolving threat landscape and coming supply chain risks. 

Jim Richberg: So I think - when I look at the OT security landscape, we've certainly seen an increase in the targeting and the penetration of OT. Fortinet has a threat research group that did their semi-annual report. They noted the increase. So I think it comes from a number of things. It's - there's more convergence, more connectivity now between entities, IT networks and their operational networks. There's more internet protocol-based connectivity for the OT devices themselves, in part because they have more industrial internet of things in their environment. So there's increasing connectivity, and frankly, OT security considerably lags IT security in its sophistication and maturity, so in that sense, it's not really surprising that it is more vulnerable as it becomes more connected. 

Jim Richberg: But, Dave, when I think of big changes, I think one thing that is really, really significant is the changed geopolitical landscape and the possibility for firms to be in the crosshairs of nation-state-conducted or nation-state-sponsored attacks from crises that are occurring elsewhere. I come from the U.S. intelligence community, and they have publicly said, Russia in particular - because I'm talking about, clearly, the conflict in Ukraine - Russia continues to target critical infrastructure in the U.S., and it has, in some cases, demonstrated an ability to damage U.S. critical infrastructure in a crisis. Our understanding of Russia's doctrine is they almost certainly consider cyberattack an acceptable option to deter or control escalation and to prosecute conflict. They've got this doctrine called escalate to deescalate, which means if they feel that they are under pressure - you can make the argument Putin increasingly feels he has backed himself into a corner - they may reach out and do something to distract or to punish their opponents. So I think there are a number of companies that have operational technology assets that may very well feel that even though they are not directly involved in the conflict, they still may be targeted by it. The U.S. and its key allies, back in April, were warned of the potential of Russian disruption of Western critical infrastructure. And the director of NSA's cybersecurity component, yesterday, talked about these attacks that not only affected Ukrainian companies but some of their European allies, things like satellite communications and wind turbines. So the possibility that an advanced persistent threat actor could target you, I think, is high on the threat landscape. 

Jim Richberg: But let's not overlook the fact that you can also get caught in the crossfire. You can be collateral damage on an unintended fashion. And I remember from my time in the intelligence community, about 10 years ago, we suddenly saw building elevator controls getting scanned by an advanced persistent threat adversary. And we think what happened is they were looking for organizations that were in the 16 critical infrastructures. But some of these same ICS and SCADA components not only get used in pumps, they get used in elevator control panels. So had something bad happened, you could have had buildings whose elevators would have stopped working. 

Jim Richberg: Even then, you go, wait a minute. I mean, commercial real estate - how did this happen? So I think that's the big thing I worry about on the threat landscape is the geopolitical context and this increasing convergence of IT/OT, the fact that some of these assets are now internet accessible and, frankly, their security posture is less mature than in the corporate IT environment. 

Dave Bittner: So where do you suppose we stand, then, in terms of standing up our defenses against that type of threat? 

Jim Richberg: So Fortinet did a survey that was released earlier this summer. And, you know, the scary part is the overwhelming majority of the organizations, 93%, reported they had been breached at least once in the past year. Nearly - about roughly 50% had three to five successful intrusions. And these were not inconsequential. These were not that, it just got in. Roughly half of these affected the organizations' productivity, and roughly 40% affected safety revenue or the loss of data. So the reality is, organizations continue to be penetrated. It continues to have an impact. 

Jim Richberg: The federal government has taken note of this. Before we started the podcast, you and I talked a little bit about the cyber incident for - Cyber Incident Reporting for Critical Infrastructure Act, which people call CIRCIA, something to that effect, that was passed this year that will require reporting of significant incidents by members of the 16 critical infrastructure sectors if they affect operational technology. And this is going to be an unprecedented reporting requirement, which, because you have to let CISA, Cybersecurity and Infrastructure Security Agency, know within 72 hours, it is going to have implications for the way organizations are monitoring their security and what they do about breaches when they occur. A lot is to be determined on this legislation - what size of the entity, what are the use cases are going to very much drive the kind of information that organizations are going to be expected or, indeed, required to provide. 

Jim Richberg: And I would recommend if someone's listening to this podcast and they haven't heard of CIRCIA, go to CISA's website and look at it. And if you find anything problematic or if you have an opinion about it, now is the time to weigh in. Literally, CISA has had - been holding public listening sessions, a small number of those in specific geographic locations. They're taking online comments. So you can find the link, and if your organization would like to shape what these requirements look like, literally now and between now and the 14 of November is the time to make those - your opinions known. 

Dave Bittner: And what sort of responses have you been hearing or the types of feedback that folks in industry have had to these requirements? 

Jim Richberg: So first off, let's say that the information can only be used to identify and respond to cyberthreats or things that, you know, threaten serious, imminent harm. And in order to share it, you have to anonymize it, even within government. You can't use it for legal or regulatory purposes. That said, a lot remains to be determined. And a lot of the feedback that I've heard is people trying to be constructive and actually offer specific-use cases in order to say so, we can see that this could be used to help identify trends - trends in adversary activity, targeting tactics and techniques. It can be used for indications in warning. We see this hit firm A. We want to share this broadly across that sector. It can be used to drive response. But each of these kinds of use case is going to drive what kind of information CISA would need as well as the timeline. 

Jim Richberg: So we've got this broad requirement that you have to do it, but it really gets down to the - what do you want to do with it because that will very much condition what kind of information you're looking for. You know, this is also significant because for the first time, CISA actually gets regulatory authority. If an organization doesn't comply that is covered, then CISA, if they find out something's happened, can ask them to. And if they refuse, then CISA can actually get a subpoena. So for the first time, you know, CISA, which has always been postured as, we are here to help, genuinely here to help, now they finally get the ability to compel some information. But I think organizations have looked at this and said, this will provide good, useful information, but clearly, we want to be able to shape it. And that's going to very much depend on what their intended usage and purposes are. 

Dave Bittner: You know, you mentioned CISA and, in my mind, certainly they've placed an emphasis on public-private partnerships. How do you envision that going forward? You know, successfully dialing in, to what degree does the government take their part and to what degree do things stay with private industry? 

Jim Richberg: I think it's definitely a partnership. And it's become a cliche that cybersecurity is a team sport. And it's not only a team sport within an enterprise, it is a team sport between the public and private sectors. You know, I ran cyberthreat intelligence for the largest three-letter agencies of the U.S. government and the intelligence community. No one of them had all of the people, the analysts, the data and the understanding of context that it needed to say, I fully understand what I'm seeing, what the implications are. I don't need any help. The private sector, victim companies, who else understands your network and the significance than the people who own and operate that equipment? The people who are providing that security as a service or the security products used in that environment see a lot of data on a basis greater than an individual company and can connect those dots. And clearly, there are things government sees that it may or may not understand and that the private sector sees. Everyone sees more threat data than they can deal with. 

Jim Richberg: Having someone else who can say, I think this part is significant, can be really significant. It is a bona fide partnership. And I've been talking about it as if it's response. And CISA is actually running an activity that aims to build systemic resilience by saying, are there ways we can make changes in how we harden our networks and how we change our practices to not only do better at response but to actually be harder targets to penetrate? When we get penetrated - to minimize the consequences, the ability of that to spread across our IT and our OT networks. 

Dave Bittner: You know, when you think about the folks who are responsible for security on the OT side of the house, you know, they're doing the best they can, often with limited resources. Do you have any advice or words of wisdom for them for how to get the message across that, you know, they need the support of the entire organization? 

Jim Richberg: Well, they clearly do. And I'm reminded of the old quote - that which gets measured gets attention. You know, people often say that which get measured improves. Sometimes it does. Sometimes it doesn't. We saw in our survey that the organizations that didn't just look at security as how does it affect availability of, you know, our operational technology, those who had more nuance, those who reported on vulnerabilities, on mitigation of vulnerabilities, on breaches, even if they didn't affect productivity, they generated data. Their front offices tended to have a more nuanced understanding of security. And those are the organizations that tended to be more resistant to being breached. And those are the organizations that tended to recover from a breach more quickly than those that had a unidimensional or very rudimentary way of measuring and talking about security. The good news is spending on OT security is rising faster than spending on IT security. The bad news is, it's starting from a lower baseline. So part of that reflects the fact that when you're closer to zero, you know, any progress is good progress. So... 

Dave Bittner: Yeah. 

Jim Richberg: ...You know, yeah, it's getting better. But I think part of this is building that constituency. And a lot of it really has to be having advocates in the front office who actually want to know more than the, OK, we're down. When do we come back up? 

Dave Bittner: Our thanks to Jim Richberg from Fortinet for joining us. 

Dave Bittner: In today's Learning Lab, the second in a series with Mike Hoffman, a principal industrial consultant at Dragos, addressing the importance of teaching infosec professionals how to think about OT security. 

Mike Hoffman: So let's look a little bit about attributes of OT systems. So OT systems absolutely interact directly with physical. And this is one of the things I really enjoy about being in this space - being in the OT environment, in the ICS space - is because when we think about it, this is where, you know, you can change a value on an interface and see the actual physical process move, have some sort of a change to the physical environment. So OT systems, one other attribute is you're actually, again, running machines. You're running robots. You're running, you know, large distribution machines and that kind of stuff that are making products. You're running big pumps and compressors and those kind of things. So you actually have - not only are you changing physical process and reading physical process values, you're manipulating machines and that kind of stuff to do such. 

Mike Hoffman: And with this is - we have continuous and batch processing. So continuous processing, which means just something is running all the time. And we are making small changes to that to create the product that we need. Batch processing is where we get - you know, we're dealing with materials. We're putting it together. Think about making cookies at home. You're throwing things into a batch. You're mixing them up and then you're throwing them in the oven. Think about that at large scale and you've got a batch process. Think about - also, these systems have, like I said before, inherit (inaudible) risks, human safety and environmental-type risks that we need to be very, very concerned about. 

Mike Hoffman: And when we look at the requirements of these systems within the OT space, the requirements are absolutely high uptime. So we need to be thinking about, you know - when I say high uptime, what does that mean? To some people, that may mean, oh, OK, well, you know, these systems need to run months. Think years. One of the refineries where I worked before, part - some of the process units would run six years between turnarounds, where you'd actually shut it down, perform maintenance on it. Other of our units would run a year at a time. In a glass manufacturing environment, where I was doing some consultancy, and not that long ago, they were talking about their silica furnace running up to 15 years between shutting off. And so when we think about these extremely long uptimes of these processes, you have to always be - have that in consideration around when we're putting security controls and that kind of stuff in place. 

Mike Hoffman: Some of these critical components cannot be turned off. So therefore, we have redundancy in place. So often, our systems are designed for redundancy. And that wasn't designed from a security aspect, that was designed from that availability and uptime consideration. But our systems do have redundancy, which means that some of our systems can be upgraded, rolled over and you can work around that. But you have to kind of look into your systems to understand what you have as far as redundancy. 

Mike Hoffman: We also have things around low latency. So when we're thinking about - we're touching real systems, when we're manipulating physical processes, when we're talking about latency here, we're talking about microseconds - milliseconds to microseconds. When you think about robots and you think about placing parts on vehicles as they're running down the assembly line or fast processes on a conveyor belt where you're making extremely fast decisions on the quality of a product, if it's going to pass or fail, you're getting down into the microsecond-type times. So we absolutely have extremely fast latency issues that we have to think about. And so when we think about networking and that kind of stuff, latency is always a concern and something that we always have to think about, even from a timing perspective. Using, like, a precision time protocol versus a network time protocol because of a latency issue. 

Mike Hoffman: We also have vendor requirements. And this isn't a dig on vendors at all. Vendors engineer systems to meet these requirements of the customer, to meet requirements of extreme, high uptime, extreme redundancy requirements. But with that, they've created an engineered product. So a lot of times, when you go into these locations and you see those control rooms and you say, well, are we running the right endpoint protection on them or can I put, you know, an EDR tool or a vulnerability-type of scanner tool on this, the answer is probably no or here is a very tiny list of approved applications. And the reason why is because, again, these systems have been engineered. So the vendor is going to - is, you know, producing a product that they give - that they back, but it's all been engineered for that. And they've established what applications can run on it, how their networks will operate and so forth. 

Mike Hoffman: And so just think - just always keep that in mind when we think about, you know, putting different agents on our systems and so forth, you might not be able to do it. So therefore, you need to pivot and look at what can we do inside the OS, such as, like, Windows event forwarding to getting logs off our systems and so forth, where we can use inherent capabilities of our OS and that kind of thing. We also have regulations, of course - NERC CIP, TSA, other things - that are driving the industries in certain directions that a lot of these process - or a lot of our environments, are under. 

Mike Hoffman: And another conversation that we get into is - so oftentimes, our systems require context and when - especially when we talk about security controls, when we talk about, you know, what systems need to, you know, be protected and so forth. So a lot of times, you know, you'll provide an asset of inventory to someone and they'll begin to discuss around, you know, do we have this system and, you know, like, this Windows XP out there? Do we have one of those - you know, we may have identified it. But context matters on how it's used and where it's used because at the top here in the DMZ, the WSUS server that's providing patches or within the DMZ may not be completely business critical. We can probably reboot that server at any time we want, the AV server, of course. But as we go down the network, we begin to look at - the criticality increases so that engineering workstation or the automation servers and even the domain controllers down at these levels become more and more critical until finally we get down to the actual controllers that are interfacing with the process environment. These are the things that are absolutely critical. 

Mike Hoffman: When you think about criticality, though, what we're really talking about is risk. And so a lot of times when we think about risk, we think about risk from the perspective of, you know, that consequence times the threat times the vulnerability. And oftentimes we throw in this little variable that's really tricky as well called likelihood. So I haven't put it in here, but it's something that we think about a lot as far as trying to manage the risk because - why are we doing security? We're doing security to lower risk because we know that there is - we - there's a potential consequence out there. We know that there are threats that are increasing. We know that there are vulnerabilities out there. And so what we're trying to do is manage all of this kind of thing and reduce our risk. 

Mike Hoffman: The thing, though, is that if we just take this little formula or equation that you have in front of you at surface level, there - it doesn't talk about the entire story. And the reason why is because in these environments, there's something also called disaster risk. And that's why - where you're actually - that's where you're actually looking at the hazard. You're - and so that's that thing to kind of go wrong, so that hazard. And then you're looking at the exposure. So how much exposure do I have with this disaster type hazard? And then we look at the vulnerability of what systems can be impacted. But the thing that is kind of different here is the capacity to respond - the capacity within our systems that we have to actually respond to this. You know, when we look at this equation, really, from the industrial perspective, this is a better equation to actually look at it. From - industrial cyber risk is really the consequence of something occurring, times the threat, times the vulnerability. But then we have this thing called resiliency of our systems. And it's - that resiliency is what can kind of take us over that spot if there is some sort of a disruption. 

Mike Hoffman: Also, when you look at this, what are the things - what are some of the handles, if you will, can - that you in your environment, you can change? Sometimes the consequence can be engineered out. Sometimes you can be focusing on the vulnerabilities. Again, vulnerabilities are always going to be with us. Threats are increasing, so it's trying to remove or decrease the consequence, perhaps engineered it completely out, or it's looking at your systems to understand, do I even have enough resiliency in place? So when we look at this - so like I said before, is the threats. So like in Dragos, we track different threat groups. And so, you know, you have ELECTRUM, DYMALLOY here, XENOTIME, some of our other ones. And of course, there's been a number of them that have recently popped up. And again, we track those from our intelligent groups. And so understanding the threat and understanding what threat actors are doing into our environments really helps us to understand - do the controls that I have in place today - you know, are they sufficient for a lot of these threat actor tactics, techniques and procedures? But then also the vulnerabilities - there's a lot of vulnerabilities out there. And so here this one's highlighting Siemens. It's not a dig on Siemens at all. All vendor products have vulnerabilities, and the vulnerabilities, again, are increasing because there's a lot of research community getting diggy (ph) into these systems. So we're finding more stuff. 

Mike Hoffman: And so again, always focusing on just vulnerabilities is not the right perspective. But again, we have resiliency. And that resiliency of how our systems have actually been configured, engineered, what things that we have in place from a mechanical perspective, they can actually help us out and safeguard us if there was some sort of a cyber malicious attack. And then of course, we have that consequence. And so that consequence is really that thing that if something does occur, what could actually - you know, what effect would that have in our environment? Would it just be a loss of view? Would it be a denial-of-service? Or would it be a loss of control where we would have to do a hard shutdown in our plant or, worst-case scenario, a manipulation of control where we're locked out of our environments and the adversary is actually taking over? So this is - these are some of the things that can by - kind of be thinking about, but it's important to understand that resiliency aspect. 

Dave Bittner: And that's "Control Loop," brought to you by the CyberWire and powered by Dragos. For links to all of today's stories, check out our show notes at Sound design for the show is done by Elliott Peltzman with mixing by Tre Hester. Our senior producer is Jennifer Eiben. Our Dragos producers are Joanne Rasch and Mark Urban. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.