ICS/OT incident response plans: Don't get caught unprepared.

Dave Bittner: It's January 25, 2023, and you're listening to "Control Loop." In today's OT Cybersecurity briefing, the NOTAM outage was reportedly caused by a corrupted file. The Copper Mountain Mining Corporation is working to recover its IT systems following a ransomware attack. DNV's fleet management software sustains a ransomware attack. Ukrainian hacktivists conduct DDoS attacks against Iranian sites. Our interview today is Part I from Dragos' Ask the ISACs discussion led by Dawn Cappelli, Dragos' head of OT-CERT, with panelists Tim Chase, Eugene Kipniss, Jennifer Lyn Walker and Matt Duncan. In today's Learning Lab, Mark Urban is joined by Dragos' Lesley Carhart, and they discuss Part I of creating an ICS/OT-specific incident response plan.

Dave Bittner: The U.S. Federal Aviation Administration ordered a nationwide grounding of all flights on January 11 after its NOTAM system went offline - that's the Notice to Air Missions system. Bloomberg cites a source familiar with the FAA's ongoing review as saying that the incident was caused by two people working for a contractor who added errors to the system's code. The FAA is investigating whether the changes were made intentionally or accidentally. According to NPR, the incident caused the cancellation of more than 1,300 flights and delayed approximately 10,000 flights. NOTAMs are used to inform planes in the air about hazardous conditions. A senior government official told NBC News that affected software was installed in 1993 and isn't scheduled to be updated for another six years. 

Dave Bittner: The challenge of keeping legacy software up to date is one that will be familiar to those concerned with industrial control systems, where patching is not always as easy and straightforward as one might think, especially if your mental model of patching comes from, say, periodically updating the software on your smartphone. Sound practices, including role-based access control and effective, attentive change management can help avoid the kind of problem that tripped up the FAA. There's another lesson to be drawn - an IT failure, which, essentially, is what the NOTAM disruption amounted to, can have consequences for operations. In this case, the operations that were disrupted, the commercial flights themselves, were central to the business. 

Dave Bittner: The World Economic Forum, in collaboration with Accenture, has published its Global Cybersecurity Outlook for 2023, finding that 93% of cyber leaders believe that global geopolitical instability is moderately, or very likely, to lead to a catastrophic cyber event in the next two years. Much of the report focuses on the relationship between cybersecurity teams, the C-suite and board leadership. The report found that both business leaders and cybersecurity employees made more appearances in front of board members last year, but also concludes that cyber and business leaders still have a great deal of work to do to truly understand each other, articulate the risk cyber issues pose to their business, and translate that into meaningful management and mitigation measures. That sort of close cooperation is as important for industrial control systems as it is for IT systems. And among the most attractive targets for a nation-state waging cyberwar is the adversary's infrastructure. 

Dave Bittner: The Copper Mountain Mining Corporation provided an update on the ransomware attack it sustained on December 27. The company says its mill was back to full production by January 4, and the operation is currently being stabilized as the remaining business systems are fully restored. 

Dave Bittner: Ship classification society DNV disclosed that its ShipManager fleet management software was hit by a ransomware attack on January 7. DNV says approximately 1,000 vessels belonging to 70 of its customers were affected, though the vessels could still use the offline functionalities of the software. DNV issued an update on January 19 stating that the forensic investigation conducted by DNV's global IT security partners has confirmed that no lateral movement to other parts of the DNV IT infrastructure was detected as part of the attack. Information, like DNV user accounts, emails and all other services, have not been affected by the incident. As of January 19, DNV was still working to bring ShipManager back online. 

Dave Bittner: Russian hacktivists have served as auxiliaries in Russia's hybrid war, and they've been particularly active against targets in countries friendly to Ukraine. Russia has far fewer friends and partners internationally, but one of them, Iran, has now apparently been hit by pro-Ukrainian hacktivists. SC Media reports that DDoS attacks have affected a number of Iranian websites, including, but not limited to, sites belonging to the National Iranian Oil Company and Iran's Supreme Leader, Ali Khamenei. The hacktivists who claimed credit, the record reports, are clear that their operations are a reprisal for Iran's willingness to supply Russia with Shahed drones used in attacks against Ukrainian cities. It's also worth noting that the gang, in a statement on its Telegram channel, made an explicit threat to target oil-processing SCADA in future attacks. 

Dave Bittner: Qulliq Energy Corporation in Nunavut, Canada, was hit by a cyberattack on January 15 that took down its IT systems, the CBC reports. QEC disclosed last week that the attack brought down the systems at its customer care and administrative offices. The company has enlisted external cybersecurity experts to investigate the scope of the attack and determine what data was accessed. QEC says it will notify anyone whose information was accessed. The attacks didn't affect power plant operations, just business systems, and customers are presently unable to pay their bills via credit card. Premier P.J. Akeeagok said in a statement that various provincial and federal agencies are assisting with the recovery and that the Royal Canadian Mounted Police are investigating the incident. 

Dave Bittner: Our interview today is Part I from Dragos' Ask the ISACs discussion. It's led by Dawn Cappelli, Dragos' head of OT-CERT, with panelists Tim Chase from the MFG-ISAC, Eugene Kipniss from MS-ISAC, Jennifer Lyn Walker from the WaterISAC and Matt Duncan from E-ISAC. 

Dawn Cappelli: I know (inaudible) on this panel is very passionate about helping to protect a critical infrastructure, and so I'm just really excited to have all of you here. I'd just like to start - let's just jump right in and talk about, what are the big challenges that your members are facing and how have you helped your members up your ISACs to respond? And let's go to you first, Eugene. 

Eugene Kipniss: Oh, thank you, Dawn. So first I'll talk about a couple of the key threats that I just will quickly highlight. When we look at our community, the Multi-State ISAC actually serves state, local, tribal and territorial governments in the U.S. That's everything from, you know, states like - like state of New York, obviously, to our territories, like the Mariana Islands and D.C. and other regions and governments. We also work with really small organizations. Actually, they make up the bulk of our membership. We're talking about small towns, county clerks and recorders who have a role in elections infrastructure, too, which - we're also the home of the Elections Infrastructure ISAC, so we work with all of those offices, as well, through that initiative and that ISAC structure. But we've got everything from your mosquito control districts in Florida to your local public utilities, including municipal water and municipal power. So we've got some overlap and a working partner with our other ISACs a lot with those communities. 

Eugene Kipniss: And I would say that, just to hone in on two key threats that we're seeing, ransomware continues to be crippling for small organizations. It doesn't just affect, always, the ability to conduct business efficiently. It's affecting the ability to deliver critical services to their constituents. We're seeing it across local, small municipal organizations, like I mentioned, we're seeing it in the K-12 space for educational organizations, like school years aren't starting on time in some cases, even just an hour away from where I live, due to ransomware attacks. And we're also seeing a lot of business email compromised. It's extremely lucrative. It's - people are no longer just firing and forgetting basic emails. Sometimes there's some really intensive targeting based on sector that's going on that can be pretty effective and very unfortunate. And the reason for that is often organizations aren't well positioned with the effective business controls in place to manage these things. So we look at the cyber controls, and we look at the business process controls, from those two angles, for how organizations can build the resilience and their strength against these two threats. 

Eugene Kipniss: We're seeing organizations, like I said, when it comes to, like, business email compromise aspect of things, some organizations are losing substantial portions of their funds due to fraudulent wire funds transfers and such. It's a major issue for our small governments, school districts, local, municipal utilities, et cetera. And, really, just - we're focusing on trying to build the community up through some best practices, through direct service provision to the state and local community, any of those municipal governments, direct managed services and things that hopefully take off of their plate because these organizations - it's not so much a threat, but just a hallmark of how they're designed and how they're staffed and resourced. They are traditionally, informally performing cybersecurity functions. And sometimes informally performing IT functions at these organizational levels - we've got people who are wearing a hat, so to speak, part-time as the IT person for an organization, or the infrastructure manager, at some of these small towns and municipals. 

Eugene Kipniss: So that's a big area that opens people up and leaves them exposed to more risk, more threats and causes a lot of trouble. So hopefully, later on and through this call, we'll talk a little bit about some ways to mitigate that. But that is a major concern of our community is just that resourcing, the time and cycles they can put toward cyber, and the thoughtfulness and the resourcing they can pull on because they are working on just keeping the lights on sometimes. 

Dawn Cappelli: Thanks, Eugene. And when we had a prep call for this webinar, we all agreed that we wanted Eugene to go first because, you know, Eugene talked mainly about IT threats in the MS-ISAC members. And let's face it, those IT threats are a threat to everyone. You know, even if the other ISACs are going to talk more about threats in the OT environment, IT is a vector to get into OT. So we all thought that that would be a good place to start. So thanks, Eugene. And now we're going to go to Matt and hear about the electric sector and what kind of threats you're seeing and how you're helping your members. 

Matt Duncan: Hey. Thanks, Dawn. And I just want to give a shout out to my fellow ISAC members here, Jennifer, Tim and particularly Eugene. We partner with all ISACs through the National Council of ISACs, but also on a bilateral basis, particularly the MS-ISAC, who's been a great partner of ours. So everything that Eugene said about the threats to IT, election threats, we're in lockstep with them and really proud to have that partnership. 

Matt Duncan: So from an electricity perspective, I want to talk a little bit about the ever increasing velocity and complexity in the security threat landscape facing electricity and what the E-ISAC and industry is doing about it. I want to remind people that defense is doable, especially if we take a collective defense approach, particularly in the operational technology environment. And while this call is focused on small and medium businesses, I want to point out, in electricity, small and medium utilities are not necessarily as small as some of the businesses in the manufacturing sector or the water sector or other sectors because in our case, small- and medium-size utilities are multimillion-dollar businesses. So that introduces a different type of complexity to the environment, as well as being regulated in many cases. 

Matt Duncan: So if you look at what the E-ISAC has done on behalf of the industry this past year, you can see that collective defense approach I mentioned in action. The E-ISAC has been on a strategic plan that includes a greater focus, not only on OT but supporting small and medium utilities. We're also leveraging access to unique datasets like the CRISC program, Dragos' Neighborhood Keeper, NRECA Essences and a number of others to do hunt activities in our IT and occasionally OT data sets. And we're looking to grow those capabilities as more and more utilities deploy monitoring capabilities inside their OT environments, both north-south and east-west. We're also heavily integrated with the U.S. and Canadian governments, particularly this past year with the Russia invasion of Ukraine. We promoted the CISA Shields Up guidance to our members, but also created our own OT-specific Shields Up guidance for electricity entities, providing some methods and practices to increase OT cybersecurity. 

Matt Duncan: And, of course, that was all available for free on the ISAC Portal, which brings me to our membership. The ISAC membership continues to grow, particularly around events like the Russia invasion, the recent shooting of distribution substations on the physical side. And actually, 65% of our membership is from small and medium utilities, and many of those utilities are paying no additional cost beyond their standard assessment to join the E-ISAC. So we have the benefit in that our program is free to many and doesn't cost any extra to the utilities. And I think that has helped grow our membership and our collective defense community, including with the natural gas subsector, the renewable power generation sector, as well as a vendor program that we recently started to counter the supply chain threat, which brings me to the threats we're seeing. 

Matt Duncan: So in the past year, there's no shortage of supply chain vulnerabilities that actors can use to implant ransomware, do wiper malware and other malicious activities. Supply chain threats, particularly from managed service provider compromises, does present a very real and long-term threat and will remain a feature of our threat landscape. But it also underscores the importance of that remote access monitoring and response, particularly in OT environments. Major nation-state adversaries, specifically China and Russia, remain very active. And we have seen a marked increase in attempts to exploit our sector through real basic things that Eugene talked about, like phishing and credential harvesting campaigns. So you have to do those good, basic cyber hygiene things while in IT to also be successful in OT, I would submit. In addition, we've seen an increase in surveillance activities and reconnaissance that are designed to look at networks and identify unpatched vulnerabilities and other commercial espionage activities. And these activities are reported to us. They're detailed and open source as well as classified sources. And it's also seen in our CRISC program. 

Matt Duncan: Ransomware, as Eugene mentioned, is the scourge facing our economy. And it's a reality of the world we live in. And it's a very real threat as we continue to see not only enterprise IT system compromises, including some in electric utilities in the U.S. and Canada over the last couple of years, but these criminal ransomware services are only going to continue to seek out targets, pick out unpatched vulnerabilities to try to get paid. And so we need to work together to respond to that. 

Matt Duncan: Finally, even though this is a cybersecurity-focused webinar, I do want to point out that the E-ISAC is closely monitoring the recent physical security events that were impacting electric distribution facilities across the country. And while the North American bulk power system has not been affected, the E-ISAC is directly coordinating with the electricity industry as well as federal and state government entities to keep its members and partners abreast of the latest information regarding these troubling physical security incidents. I could certainly say more, and I will, but, Dawn, let me turn it back to you. 

Dawn Cappelli: Yeah, it's been a crazy year. Boy, when you listen to all of that, you think about we started with the Russia-Ukraine war and now the physical attacks that - you know, in security, we never get to rest. 

Matt Duncan: Yeah, unfortunately, you know, for many decades, we were essentially protected by our oceans. But now the grid is really part of the geopolitical battlefield, whether it's nation-state actors looking to influence political decision-making by U.S. government or NATO governments or even ransomware criminals or other groups trying to get paid. We really need to step up our game and work together to counter threats that were not there a generation ago. 

Dave Bittner: In today's Learning Lab, Mark Urban is joined by Dragos' Lesley Carhart, and they discuss part one of creating an ICS/OT-specific incident response plan. 

Mark Urban: Hello once again, Mark Urban with the Learning Lab on "Control Loop." Today's topic is incident response for cyber incidents in industrial control systems in operational technology. And to help us understand that world better, I'm joined by Lesley Carhart, one of our own here at Dragos, the director of Incident Response for North America. Welcome, Lesley. 

Lesley Carhart: Thank you for having me, Mark. 

Mark Urban: Yeah, of course. So maybe you can start with a little bit of your background, kind of where you come from, some of your experiences, especially as they're relevant to instant response. 

Lesley Carhart: Sure, I'd love to. I've been working in cybersecurity specifically for about the last 15 years, and prior to that, I worked in information technology and I was also in the military. I have a - kind of a varied background from electronics to aviation to computers to computer security networks. My degree's in network engineering, and I find, in this space of industrial cybersecurity, people tend to have those very varied backgrounds with exposure to industrial technology and critical systems and also the interest in cybersecurity. And we meld those all together to work in this kind of unique space of securing critical infrastructure and being concerned about safety and kinetic impacts of cyberattacks. So that's my background. I've done a lot of different things, moving from the military space to the network space to the cybersecurity space. But where I'm really happy and I'm really passionate now is working with cybersecurity and specifically incident response, so doing response to breaches and intrusions into critical infrastructure and networks because it's so important. 

Mark Urban: So you brought up a couple of words that - you know, I'm longtime in cybersecurity, but never use the word kinetic, and I think that speaks to the nature of impacting physical things within the environment with industrials. Am I reading that right? 

Lesley Carhart: Absolutely. We refer to kinetic cyberattacks as a way to differentiate these attacks that potentially have an impact that's physical in the real world, so we're talking about tampering with machinery and things that move things in the real world - heat them up, cool them down, move them cross-country, so physical impacts in the real world that can be caused by computer systems, either through a maintenance fault or mechanical fault or a malicious actor trying to do something on purpose. 

Mark Urban: So take us through sort of if those are some of the impacts and some of the incidents that, you know, we are reacting to, take us through - what is an ICS, you know, specific incident response plan? You know, why have it? Why is it different from IT? 

Lesley Carhart: Yeah. So it's always important to have a plan for what's going to happen and what you're going to do if there's an intrusion into your network, whether that's an enterprise network or an industrial network. Anybody can be a target. You could be a target just to be a test bed for somebody else, or you could be a way to reach another network if you have partners, peers, vendors, etc. So anybody can be in a target. And no matter how well you defend, there's always some potential, some percentile percentage chance that you will have an intrusion, an incident, a breach, etc. So you need to prepare for what you're going to do because it gets much more expensive, much more costly, to not prepare in advance. Incident result - response consulting rates, they aren't cheap for a reason. You're dealing with things on fire; you're dealing with an emergency. So having somebody come in and not have any preparation and plans in place in advance, that can get pricey for any organization. So, of course we encourage organizations to have a plan in place and prepare as much as they can, no matter how little of a target they really think they are, how little likelihood they see of having some kind of cyberattack, purposeful or other, it's a good idea to have that in place. 

Lesley Carhart: Now, most organizations have some kind of plan in place for what's going to happen in their enterprise environment if, say, they get ransomed or something gets stolen off their corporate network, they have a data breach. But industrial networks, that's kind of a new frontier. And as we mentioned earlier, these can have really real physical, kinetic impacts on the real world - life and safety. We know how bad it can be if an industrial network has a problem - we've seen industrial accidents; we know what that can look like. So there's big potential there for real physical harm to the world and to people. And dealing with cybersecurity incidents in these environments is very, very different for a lot of reasons. 

Lesley Carhart: First of all, we're thinking about those physical impacts in the real world. So our No. 1 priority is keeping things safe in these environments, keeping people safe and keeping the equipment safe, making sure there isn't environmental contamination. So our priorities can be somewhat different. And our decision-making during an incident response effort is very different, but that's only one piece of the puzzle. We also have to be able to function and do incident response in process hazard environments. We have to take safety considerations into account as we're doing our incident response. And we have to deal with very, very different technologies because not only are there a lot of legacy technologies, incredibly old technologies doing very critical things in these industrial environments, but we also have low-level devices, so things like RTUs and PLCs, SCADA systems, etc., that might not be running a familiar operating system or even an operating system that's documented well. So doing forensics and figuring out what's been done to them can be much more challenging. 

Lesley Carhart: And all of that put together also means that we have to be able to make good decisions about what to do in these environments because we never want to cause a worse impact than a malicious person or a piece of malware as the incident responders. We have to take all of these factors - the legacy-sensitive systems, the low-level devices, the process and safety critical decision-making - into account when we're doing response to a cybersecurity incident so that we don't do something worse than a potential adversary might. 

Mark Urban: It's so interesting. In the IT world, you know, it might be the theft of data or availability of a particular, you know, server that's the impact. Here in industrial, we're talking about a completely different game and, you know, impacting safety systems, potential environmental impacts, different types of systems, old systems and all the downstream impacts from that. It sounds like a very different world than the IT world. 

Lesley Carhart: I'll be blunt. There are certainly - you know, people's lives are on the line with these systems. If you make a mistake or you make the wrong decision, somebody could potentially die. 

Mark Urban: That's a good point about the criticality of it. So if it is a critical world, it is a different world, what are some of those key elements that you see in, you know, in the industrial world around a good incident response plan? 

Lesley Carhart: So the No. 1 thing is having a good relationship between the incident response team, the cybersecurity professionals who will be doing incident response or assisting with it, and the operators and engineers who are on the process side of things. If you don't have that functional relationship, you're going to be in deep trouble if there is a cybersecurity incident. There's, in a lot of cases, a level of animosity and hostility between cybersecurity and industrial staff. That can be because of misunderstandings and miscommunications and misdirected efforts over many, many years. So a lot of the environments we come into, these teams don't communicate well, and there has to be good coordination between the facility management and the engineers and the operators, local IT staff and the cybersecurity people to survive these incidents. So No. 1 thing is get that relationship, get your house in order. That's going to help you do the rest of your planning and understand what to do during a cybersecurity incident. 

Mark Urban: OK, so get the house in order, iron up those relationships between the responders and the operations part of the business. What are some of the next elements? 

Lesley Carhart: Next, we want to understand our environment; that's really crucial, so having a good understanding of how our network is laid out and what technologies are in place. So that means network maps and asset inventories, understanding where we have architectural deficiencies and how we can shore those defenses up. We start with the fundamentals. I know that out there in the cybersecurity space, you'll hear a lot of sales pitches for really advanced technologies to plug into your network. We're back to the fundamentals in ICS, really, and everywhere. We need to get the fundamentals done first to really do effective cybersecurity. So we need to know what's out there to secure it, we need to know how it's laid out, and we need to start trying to shore up and improve our architecture where we can. So that means some of the stuff that we consider boring, like building good network maps, keeping them updated, building good asset inventories and understanding what technologies we have to secure - all of those things, very fundamental but very neglected industrial spaces. 

Mark Urban: OK, so just knowing the environment, having the details of that documented, knowing where some of the shortcomings in the architecture are. OK. So we've got the relationship, now we've got the environment. Is there another component? 

Lesley Carhart: Yep. So now we're going to start building some more cybersecurity functionality in. So we're going to try to start building in passive detection and monitoring into our environment so we actually know if there's a cybersecurity incident, and if there is, we have some record of what happened. What my team does isn't magic. We aren't people on a "CSI" TV show. We have to do things in painstaking, scientific ways to find out what was done to a hacked computer or hacked computer network. No magical blue lights are going to solve our problems. We have to have something as evidence available to us to figure out the narrative of what happened and make good decisions about what to do to resolve it. So having some detections and monitoring in place is another key step that'll help us understand what happened and it'll help you know when to call us or when to call your own incident response team. That's what we're there for. But we can't help you unless you know that something's going wrong. And not every intrusion does something highly visible, like an immediate kinetic impact or a ransoming of your computer. 

Lesley Carhart: Sometimes things are long term. Sometimes adversaries are building footholds to do things in the future. Sometimes they're exfiltrating information so they can learn more about your operations. And if you don't have any detection in place, that could go on for a long time without you knowing and being able to call somebody. So the detection is an important piece and also understanding your vulnerability landscape, so doing some vulnerability management is really important. So what is vulnerable in your environment? Where is the squishy center of your crispy candy outside of your industrial environment? What could somebody potentially tamper with? What are the scenarios that would lead to consequences of concern in your environment? So a little bit of crown jewel analysis. So really, what's your worst day ever? What could cause it? Those are important questions to ask as well to build your incident response plan and understand what you're really concerned about and how you'll weigh risk. 

Mark Urban: All right. That was a lot. Let me ask you a couple questions about - you know, so you talked about what is your worst day. So - no, so first of all, to recap, you know, the cyber functions of passive monitoring so that you can detect when things are going wrong so you have some information to look at and some vulnerability management to find that squishy center. Then you talk about, you know, what's your worst day and what are some of those scenarios that - can you kind of click down on - you said crown jewels, worst day and scenarios. Can you kind of click down on that to give us an understanding to what you're talking about? 

Lesley Carhart: Absolutely, I'd love to. So again, in these environments, your utmost concerns are the safety of humans and the safety of your equipment and your facility and the environment - real physical, real-life things. So your concerns are very quantifiable in these industrial environments, and you should be able to go to even your executive leadership and say, what's our worst day ever look like? What does our worst consequence of concern look like in our environment? And they'll probably name some things, like an operator being injured or dying or a fire in the facility or a event that causes contamination to the environment or something that causes regulatory agencies to be called. All those things could be major consequences of concerns. It has nothing necessarily to do with cybersecurity. There's a lot of things that could cause those consequences - maintenance problems, human error - but they could, perhaps, potentially, be caused by something cybersecurity related. We have to figure that out. We're the cybersecurity experts, right? 

Lesley Carhart: So the question to start with first, though, is - what is my worst day ever? What does that look like? Let's not think about cyber, cyber, cyber. Let's not think about pew-pews. Let's think about what, in a holistic way, what is our organization concerned about happening? And then let's work down from there. Let's work into the industrial network. What could cause a fire to start? Is it a particular piece of equipment? Is there something modifying temperature? Is there safety control mitigating that? Is there a human operator? Is mitigation for that fire potentially starting? What does that all look like? Let's map it out. Let's see all the things in our environment that could potentially cause that consequence that we're worried about. And then as we map that down by talking to system specialists and interviewing people in the operational environment, we'll get a better idea of where our causes of those potential consequences of concern could be and what mitigations are in place to stop them. 

Lesley Carhart: And as we follow that further and further down the line, we might start getting to computer things, so digital devices in our industrial network, like computers or PLCs that could potentially cause those bad things to happen. And hey, we've just reached something that, from an incident response perspective and security monitoring perspective, we might need to be really worried about. And that's where we want to focus our planning - perhaps, our tabletop exercises, if we're doing disaster recovery exercises, our network monitoring exercises, threat hunting - all of those things, we might want to start focusing them around those specific systems; we call those crown jewel systems, the things that could cause those really bad consequences really critical to our operations. And I encourage organizations to never just say, oh, this system must be our crown jewel because it's the most expensive thing or it looks the most important in our environment or somebody said it is in their organization. Do that mapping. Start with the consequences and figure out which devices really could play a part in those really bad days. And that will give you a really good idea of where to focus planning for incident response and all of your other cybersecurity efforts. 

Mark Urban: Interesting. OK, so that's a fascinating kind of working back - you know, starting with a consequence, what's terrible? What's the worst day? Working back to systems; what could cause those systems? What are the settings, and then how you can mitigate it? So that's a fascinating kind of chain of logic to look at, you know, exposures for cyber - even if the consequence, you wouldn't necessarily think about it as cyber, you go back in the chain until you can find if there's some cyber linkage to that consequence. That's a fascinating way to look at it. Lesley Carhart, director of Incident Response in North America for Dragos, thank you so much for your time today and giving us that insight into not only what happens on that day but how to - for those worst days, how to prepare for them with a plan. Thank you, Lesley. 

Dave Bittner: And that's "Control Loop," brought to you by the CyberWire and powered by Dragos. For links to all of today's stories, check out our show notes at thecyberwire.com. 

Dave Bittner: Sound designed for this show by Elliott Peltzman, with mixing by Tre Hester. Our senior producer is Jennifer Eiben. Our Dragos producers are Joanne Rasch and Mark Urban. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.