Control Loop: The OT Cybersecurity Podcast 6.28.23
Ep 28 | 6.28.23

OT cybersecurity concerns in the federal space.


[ Music ]

Dave Bittner: It's June 28, 2023 and you're listening to Control Loop. In today's OT Cybersecurity Briefing: the U.S. Department of Energy was affected by Cl0p exploitation of MOVEit Transfer, Canada's oil and gas sector is a local target for Russian cyberattacks, nuclear weapons cybersecurity is lacking, access to a U.S. satellite is being hawked in a Russophone cybercrime forum, and ICS patches. Today's guest is Christopher Ebley from Blackwood speaking with us about OT cybersecurity concerns for Federal IT leaders. The Learning Lab has part one of a 3-part discussion between Dragos' Mark Urban and Vulnerability Analyst Logan Carpenter talking about vulnerabilities in the OT world.

[ Music ]

CISA Director Jen Easterly disclosed in a press briefing on June 15 that several U.S. government agencies were compromised by the Cl0p ransomware gang via the recently disclosed MOVEit file transfer vulnerability, The Register reports. The U.S. Department of Energy is among the compromised agencies. A department spokesperson told The Register upon learning that records from two DOE entities were compromised in the global cyberattack on the file sharing software MOVEit Transfer, DOE took immediate steps to prevent further exposure to the vulnerability and notified CISA. Federal News Network says the two compromised DOE entities are Oak Ridge Associated Universities and the Waste Isolation Pilot Plant in New Mexico. Easterly stated in the press briefing, "since the vulnerability was disclosed, we have been working closely with Progress Software, with the FBI, and with our federal partners to understand prevalence within federal agencies-- We are now providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications." Easterly added, "We are not aware of Clop actors threatening to extort, or release any data stolen from government agencies. Although we are very concerned about this, we're working on it with urgency. This is not a campaign like SolarWinds that presents a systemic risk to our national security or our nation's network." She noted that the threat actors are only stealing information that is specifically stored on your file transfer application at the precise time that the intrusion occurred.

The Canadian Centre for Cyber Security has released a threat assessment finding that Russia-aligned threat actors will very likely attempt to disrupt the nation's oil and gas sector to weaken Canadian support for Ukraine. The agency stated, "We assess that the most likely targets for cyber threat actors intending to disrupt the supply of oil and gas in Canada are bottlenecks in the oil transmission and processing stages. Potential targets include the business and OT networks of large-diameter pipelines, transfer terminals, and major refining facilities."

The U.S. Government Accountability Office has published a report finding that the National Nuclear Security Administration is still in the early stages of development of mitigating cyber risks to weapons and manufacturing systems. The GAO stated, "NNSA and its contractors remain in the early stages of efforts, even after several years, to address cybersecurity at the system level in its operational technology and nuclear weapons IT environments." The report adds, "NNSA officials told us that cyber risks vary from one nuclear weapon type to another. NNSA officials said that they have conducted preliminary reviews and determined that current nuclear weapons generally contain little IT that is at risk due to their age and reliance on older technology. Newer and more modern weapons are slated to begin entering the stockpile after 2030 and may contain more IT, however. For these weapons, NNSA officials said that each program is still considering approaches to managing cybersecurity risks as part of the weapon design and development process."

HackRead reports that a Russian-speaking hacker is offering access to a Maxar Technologies U.S. military satellite for 15 thousand dollars. The account posting the alleged access offers to receive funds through the trusted third-party payment service, Escrow. It's difficult to know what to make of the claim, which seems a little excessive for credibility.

Siemens has released 16 advisories addressing approximately 200 vulnerabilities in its industrial products, SecurityWeek reports. Most of the vulnerabilities affect third-party components. CISA last week issued four advisories for vulnerabilities affecting products from Advantech, SpiderControl, Econolite, and Mitsubishi Electric.

And finally, the industrial security specialists at Dragos have published four top-level lessons they've learned about securing the electrical power grid. They are easy to summarize. Dragos has addressed these before in their annual report, but repetition never hurts. First, you can't defend what you can't see; visibility is the indispensable starting point in securing anything, the military calls it "situational awareness" but unfortunately we see that most electrical utilities can't really see what's in their OT environment. Second, network segmentation improves slightly so people are doing a bit better, but don't get cocky, kids, a seven percent improvement is good but there's plenty of room to do better. Third, secure remote access is critical. There's been some positive change here too, with uncontrolled external connections dropping by 22 percent. The sub-sector with the most room left to improve: renewables. And fourth and finally, shared credentials help adversaries. Sharing may seem like caring, but in this case, it's a poor practice. The adversary likes nothing more than shared credentials.

[ Music ]

I recently had the pleasure of speaking with Christopher Ebley from BLACKWOOD. Our conversation centered on OT cybersecurity concerns for Federal IT leaders. So to start off, before we dig into some of the details here, I would love to get to know a little bit about you, the type of things that you do with BLACKWOOD, and what your day to day is like.

Christopher Ebley: Yeah, so I've been with BLACKWOOD about a decade now. BLACKWOOD's a cybersecurity integrator and resell firm, headquartered just outside DC. I really have two day jobs, I tell people that I have an opportunity to meet with a client base so kind of keeping my finger on the pulse of the mission for both our federal customers which represents about 50 percent of our business, so Department of Defense, intelligence community, and civilian business, as well as Fortune 1000 for a commercial practice. The other job that I do is I set our technical go-to-market so both in terms of practice areas, and then we sit there and decide we're going to put in identity security, or OT security, like as today's conversation and stuff like that. And then from there I do the assessment of technology supplied within those spaces, typically in the COTS solution set, so, what are the vendors, what are the technologies, what are the areas and how this thing is kind of played within those particular markets. We do tech assessments, so do assessments and down select from there. And really kind of determines what ends up as a part of our partners, as far as our go-to-market there. So those are the two things that I do.

Dave Bittner: Yeah. Well today we're focusing on the OT cybersecurity concerns for folks in that Federal IT space. I would love to start out by getting a little bit of a reality check from you. Can you describe for us, what is the lay of the land?

Christopher Ebley: Yeah, the Federal markets are really interesting, right, the Federal Government itself is hugely diverse so when you think about like the OT space, there are kind of like the obvious factors that play in when you look at critical infrastructure and kind of the different parts of those, of those markets, so you have, you know, large amounts of the medical sector, government itself is being considered it a component of critical infrastructure, different components of the energy sector. There's the obvious parts, and you know, kind of subcomponents that exist underneath the Department of Energy and then there's entire institutions like the Tennessee Valley Authority, U.S. Bureau of Reclamation, and different things like that that represent different components of energy from an electrical delivery and generation standpoint, as well as even some of the things that you don't necessarily think about within kind of like the footprint of cybersecurity risk that exists within customers like the Postal Service and mail sorters and other things that are connected entities that are critical to their mission but that also represent points of risk and are kind like within the lay of the land from a cyber-standpoint. As far as the Federal Government's concerned, it's an-- they're an interesting intersection place or position because a huge amount of OT and parts of critical infrastructure are privatized so there's an aspect where they are, you know, working within you know, kind of within the private sector to try and establish relationships and kind of bi-directional communication for the purpose of securing the things that matter to most of the nation and equally responsible for their own sections of that. 
And they themselves are going through evolutions that are dictated by different things, like the different various Executive Orders that are coming out in our various administrations and the subcomponents there, where different factors are, are factoring in the OT space along the IT as being in points of consideration for everything from security, application, zero trust, to just outright monitoring for IDIR use cases and data collection. So, there's a lot going on in that particular space. A lot of, a lot of points that fall within kind of these wheelhouses and if nothing else, like everyone's down to you know, everyone's got an HVAC system, everyone's got something like that to that effect that represents risk and it's sometimes it's just an evolution of the consideration of those points within an independent practice to basically say like hey, this is something we need to think about.

Dave Bittner: Is it fair to say that there are patterns when it comes to how folks in the Federal space approach OT cybersecurity? Are there, are there commonalities there?

Christopher Ebley: I think there are some, they're you know, the traditional answer, right, like what's the sales answer, it's like, yes, right? Like both. Right there are some aspects where you know, as we're continuing to have like an increase in narratives around both the OT and the IOT space, your traditional like top security controls around asset management, what's on the network, you know, what actually has an IP address, all those types of things come into equal points of consideration. So when we look at like just you know, everything from you know, talk about an HVAC system to a refrigerator, a camera, and everything in between, that fall into the ICS space, or potentially in the IOT space, alongside you know, the more known entities based off of an individual enclave's mission, I think there is commonality around the idea of okay, I need to know what's on the network, I need to know what it is, I need to know the state of that particular thing, does that represent risk to us? And then, if it represents risk, what is the appropriate way for us to kind of take control around that? I think those narratives are consistently, you know, being applied across the entirety of the Fed, and then I think there's diversity beyond that. I think there's different identities and different kind of like levels of maturity based off of core mission where you have customers within the, you know, within the Federal space that are specifically focused on things like we talked about, like with energy generation, but that becomes juxtaposed right at the intersection of everything else that is cybersecurity. 
So, I have a limited amount of human resources to tackle that particular mission, I have varying degrees of maturity in terms of understanding and the ability to kind of allocate resources to those types of things, and so there's different, and different initiatives across the Federal Government to be able to kind of do things like consolidate those things, to be able to bring, for example, like OT security initiatives alongside IT security initiatives underneath one practice, one security operation center, one things like that. And so, those initiatives differ, so I'd say it is both, right? I think there is, there's some commonality in terms of an understanding based off of what we're seeing within the field and different exploits of different things and the trends we've seen within the unfortunately kind of cyber incidents within the OT space that have dictated a relatively normalized understanding of what matters. And then there's going to be things that, from mission to mission, customer to customer, are going to be a little bit different based off of the nuanced factors.

Dave Bittner: I'm curious for your perspective, if sort of comparing and contrasting the differences and the similarities between folks on the defense industrial side, the intelligence side, and then those civilian agencies. Are there commonalities and where do they part ways?

Christopher Ebley: So, yeah, I think there's, there are going to be commonalities within like kind of the more traditional core infrastructure factors of things, I think where you're going to find the other aspect of commonality might be within like the defense industrial base and development and things you'll find within like the civilian and other aspects of energy where they're going to have common narratives as far as segmentation, common narratives as far as disparate networks, things where that might represent kind of the equivalency of NERC environments that are isolated and gapped the same way you might have classified environments that play within those spaces that are gapped and then the different systems that exist within those particular environments where yes, there are kind of logistic narratives that hold true beyond there. I think you know, the other factors that you get into are just the uniqueness of those particular missions. I think it's easier to draw some commonality between what we consider to be the enforcement agencies within the civilian space, things like the State Department, stuff like that, and the defense industrial base where you might have a lot of the, you know, the narratives around the OT space intersecting with like DIL environments, intersecting with different types of communication and different bands to say like hey, what of this is going to go over traditional LANs versus just satellite versus radio, and things that kind of come into play there. And that's, you know, compared to like the more static aspects of like traditional civilian government like things that you find within, within the kind of [inaudible] narrative of; we exist as an entity in these particular locations and kind of have the systems and business, like the business components that we need to kind of promote whatever it is that we're trying to accomplish. 
And that becomes, you know, a little bit less flex, a little bit less, you know, less dynamic, and I think things start to kind of deviate a little bit there.

Dave Bittner: Mm hmm. Can we dig in some to the regulatory regime here that we find in the Federal space. I mean obviously they have a lot of purchasing power and they're able to kind of set the rules of the road when it comes to a lot of this.

Christopher Ebley: Yeah, so the regulation piece is always something that's interesting, specifically because you're going to have some sort of combination of governing kind of components that sit over top of this. Coming back to the statement you made about, or that were made about like the Executive Orders and things like that you see coming out can be kind of painting with a broad brush across the government at large and there are different, you know, obviously anything like any time something like that is released, and subsequently you have the individual memorandums that are providing some sort of clarity or guidance around different components within an executive order. There's always questions on scope, like what is the extent of scope, especially for entities where the OT and ICS environments might legitimately be understood and separate and understanding is that something that kind of is going to be as, as a part of consideration there in terms of do I have to adhere to these particular controls, guidances, these timelines and things of that nature for accomplishing certain outcomes within you know, for both my IT environment, which is obviously within, within kind of the general fall, you know, umbrella there, and then the more kind of nuanced sectors that we find within like carved out OT space. And then will kind of overlap with things like, you know, we have aspects of the government that still, you know, still adhere to and are a part of like NERC and things like that. So you have kind of the more traditional, the more traditional governing bodies and standards for cybersecurity and the various kind of controls that you expect to find there that are equally applicable to the private sector as they are to the public sector based off of those particular missions. 
So it kind of becomes a really interesting juggling act and for a lot of our customers that are responsible for those missions both at a management level or a GRC level, and stuff like that, I think they're kind of clamoring or there's an aspect of desire to basically say like please, please paint, please draw for me, or draw out for me where these things overlap. Like tell me where I can do one thing once and have it check multiple boxes.

Dave Bittner: Right. But it's fascinating to me as you mention, you know, there's such a wide spectrum of missions and mandates across the Federal Government and, you know, I've often heard of some folks who are in these agencies saying, you know, we've got this mandate that's come down, or an Executive Order, or something like that, and but our budget hasn't changed, our personnel hasn't changed, you know, and so it's hard for some organizations to adopt these mandates in the time that's been allotted to them that every organization is different.

Christopher Ebley: Yeah, and I completely agree. I think like with a lot of the programs come out across the, across the government, there's some that have a little bit more clear cut ownership in terms of like parent owners, whether it be CISA or something to that effect, that comes with a funding and kind of procurement vehicle for a kind of approval based off a specific mission, so basically the layman's sense to sit there and say if you are looking to accomplish the following goals that have been prescribed to you, we will go ahead and help fund in some capacity things and there would be a way to basically, you know, apply for resources and have those things prescribed. When you get into the idea of things that come out of, you know, like a presidential administration, it's typically a timeline that starts with the thou shalt do this, there will be some degree of salient characteristics that say like hey, these are the milestones we're going to have, and a lot of times those milestones are really simple, like hey, you're going to name a, every institution or agency shall knight someone or name a head to be the, you know, the head of this particular requirement as that's an easy thing to accomplish within those, within those facets it doesn't necessarily require a budget, and then everything else is TBD down the pipe. 
But I agree, there's a lot of different initiatives, especially ones that are prescribing things that directly correlate to, for example, data retention or storage implications or increase of functionality or the roll out of a technology that hasn't historically existed where there's a direct aspect to that that says okay, you know, there is some aspect of prescription that results in the need for funding and the need to be able to have the ability to roll these things out and, you know, no one's lacking initiatives within the cybersecurity space so having something, you know, fall within to the rank stack of like how do you prioritize that and if you have to, you know, supersede something, what now suffers or what gets shifted behind as a part of those initiatives. But yeah, you know, there's varying flavors that come out there, but I will definitely say with a lot of the things we've seen come out lately, for a lot of our customers that we're supporting they are tuning into how to achieve these outcomes and the actual funding piece is kind of the laggard.

Dave Bittner: Yeah. Is there good faith collaboration out there? A collegiality between the folks who are responsible for OT security across these Federal agencies or are they sharing information, either you know, directly or healthy back channels?

Christopher Ebley: Yeah, I think there are and I think that the OT space specifically, especially again for those that are factored into very distinct missions where we're kind of keeping our finger on the pulse of that, things that fall underneath like your big name critical infrastructure, again, like communications sectors and energy sectors and different components of like, you know the, to your point, the defense and industrial base and stuff like that, because so many of these aspects that are so important to us as a nation are privatized, there's a longstanding history of collaboration because when you look at different aspects of the intelligence communities and things like that, that need the ability to either understand specifically what is a private institution seeing in terms of targeting, how are they being, how are they being hit, what are they seeing in terms of metrics and other datasets and then in turn, the ability for them to be able to provide like in a bidirectional fashion, you know, intelligence back to them and say hey, you need to look for these things or these are the targeting things that we're seeing, or this is the intelligence that we have. 
That particular industry has such a long-standing history of collaboration that I think we're seeing the same thing intra agency as well as the, you know, as the OT security is starting to kind of, you know, cybersecurity in a relatively short timeline has become a massive priority, you know, over the last two decades and we're seeing the same thing in terms of the rise of the OT space understanding that, you know, it is a relatively unique space that represents a lot of times dependency on legacy systems that have existed for a long time, a lot of times predating connectivity and the internet where there's a need for modernization and all that kind of stuff and so as those kind of priorities come up, there's distinctly a kind of a collaboration to be able to, at the very least, true up to kind of like a, I call it like an IT standard but if nothing else, then for you know, on the human side of things for people who have those distinct understandings of these spaces, because you are talking about a niche within a niche. People who are very strong within cyber and then people who have a distinct understanding of the OT space that pertains to cybersecurity. I think there's a, there's a serious appetite to be able to share that information, to be able to expand capabilities because you're starting to get into a very specific small percentage subset of the populace that can actually help to achieve a lot of these missions.

Dave Bittner: Our thanks to Christopher Ebley from BLACKWOOD for joining us.

[ Music ]

In this week's Learning Lab, Dragos' Mark Urban and Vulnerability Analyst Logan Carpenter speak about vulnerabilities in the OT world.

Mark Urban: Hi, this is Mark Urban with another edition of Learning Lab, here on Control Loop. Today I'm joined by Logan Carpenter, and Logan is a vulnerability analyst here on the Dragos WorldView Intelligence Team. Welcome Logan. What does a vulnerability analyst do by the way?

Logan Carpenter: Hello, so pretty much what I do in my role is I'm either, you know, looking at random devices, random ICS devices, where there's a PLC, an industrial radio, or some industrial like router or VPN, and analyzing that, looking for you know, vulnerabilities that I will, you know, go and report to the vendors and go through that whole process and then the other side of the job is, you know, looking out for the new, emerging vulnerabilities so that's, you know, looking at reports coming from various vendors, advisories, where there's something that popped up in the news, and kind of going down that route of analyzing those particular vulnerabilities or that particular advisory and offering whether it be mitigations or just OT angled explanation of those vulnerabilities for our customers.

Mark Urban: [inaudible] that, you know, vulnerabilities, it's a wide open space, or it's a large space, you focus specifically on the industrial world, the operational technology vulnerabilities, which is a little bit, that's a specialty, right? Because there's specialized equipment, you know, and it's different than the IT world, right?

Logan Carpenter: Super niche. It's very niche. But there is overlap with IT. It's not a lot but there does exist overlap.

Mark Urban: Got you. So how do you, you talked about seeing things in the news, how do you keep up with vulnerabilities? With new ones.

Logan Carpenter: So, we have a, we have a couple different ways that we do things, we also-- of course we have our own tooling that usually involves scrapers and things like that that we actually go out and look at all the vendors' websites that we look for them publishing reports and advisories that we ingest those, we're subscribed to the various vendors so sometimes vendors allow you to like get email subscriptions of their advisories so we have a couple of those, and then our intel team is very active on social media as our threat hunters and even some vulnerability analysts, and social media is another area that we get a lot of intel quickly. Generally like if there's even an article pushed out about some new emerging vulnerability, you'll see it on social media before it actually, you know, goes to like the big publications. So, a lot of the times it's social media, but the way that we scale it is by you know, building those in-house tools that go out and grab that information for us and process it.

Mark Urban: You're, you're sampling, you're scraping, you're crawling the world to like for vulnerabilities in this space. And part of Dragos, you know, is there also the thought of like trying to find them yourself or trying to find them ourselves by kind of looking at devices?

Logan Carpenter: Yeah, so that's a big part of our vulnerability team's job so mainly, it's mainly three of us that do this regularly, but whether, so sometimes we'll get suggestions, whether it be from devices our customers have or maybe you know, we were just looking at some protocol that had some vulnerabilities and we found out oh, you know, these particular devices happen to be in Dragos' lab. Alright, let's look at those and see if they're vulnerable and if they have other vulnerabilities. So at that point, you know, we'll go about tearing out an assessment on these devices and a lot of the times, most of the times, like we'll find something that's worth reporting on or worth, you know, yeah, worth reporting on and disclosing with the vendor.

Mark Urban: Got you, so we have these labs where you're looking at, you're looking at protocols, you're looking at everything, and then you're also hey, these devices in our ranges and our labs, let's kind of take them apart and see what, see what happens. So--

Logan Carpenter: Yeah, and sometimes we just find a good deal on eBay and we're just like oh, this device is a cool device, it's a good deal, and we just buy it and have it shipped to the house and look at it.

Mark Urban: Let me get that PLC in here from eBay, people are selling those things at eBay?

Logan Carpenter: Yeah, PLCs, relays, they sell everything because a lot of the times, like when these like, especially manufacturers like shut down or liquidate or upgrade stuff, they just you know, there's like these companies that just liquidate all these industrial control equipment and usually ends up on eBay, you can get really good deals so, that's where we get a lot of our stuff. I learned that trick from Reed White, he's like the king of finding stuff on eBay. He has an entire scaler lab in his basement of his house.

Mark Urban: Nice. So [inaudible] if you have any spare equipment that you're looking at, you know, getting rid of them, send them to Logan Carpenter at 555 Mockingbird Lane, New York, New York 0122, no just kidding that was a fake address just in case you're wondering, I made that up. Okay, so you're looking at devices, we have people with basements full of industrial equipment looking for, I think that's super geeky stuff, that's kind of cool. And we're looking at, so what does happen if say you find a vulnerability, what happens next?

Logan Carpenter: You know, our labs are destroyed at that point because that's the worst part of the, the least fun part of the entire process. The best part of it is when you find a vulnerability, the worst part of it is when you find a vulnerability. Because the best part is like you get that immediate joy, like oh, I have succeeded in my efforts. But then you immediately realize, now I have to go through the disclosure process which is not the fun part and that generally involves reaching out to the vendors, you know, sending them the materials we have, we have a policy so we'll reach out to them and we give them four weeks to respond to us, if we don't hear anything, we move on. Once we have first contact with them, we give them 90 days to kind of figure out their reporting, you know, patching, all of that stuff. We feel like that's, 90 days is a generous amount of time to give a vendor to properly respond to a vulnerability we've discovered. And then at that point, we'll go through and create our reports and do the disclosure to the public. But the part of working with the vendors is the more difficult part because you have to work through, you know, defining you know, is this a vulnerability, sometimes you'll hear them say, you know, like is this a vulnerability or is this a feature, right? So, so that's the thing that we constantly have to deal with. And that whole process of having those lines of communication is not, the least fun part of the process but yeah, once we find a vulnerability we immediately reach out to the vendors and then we work with them to roll out our reports at the same time. So, you know, we'll let them know, give them all the information they need, let them get their reports together, and then we'll get our report together. We actually let them review our reports before we disclose, they'll look, read it, make sure everything's okay, we'll discuss any you know, discrepancies and then we'll all release it at once.

Dave Bittner: Well, and you bring up a good point, because it's quote-unquote, you know, fun looking for these vulnerabilities because you know, that's your job, it's kind of like looking at a giant puzzle and you know, on one side it's fun to find one, but then you know, the implications are not fun, right? Because vulnerabilities are these things that can be exploited by threat actors, by you know, cyber criminals, in order to get in. That's not fun for anybody, so I can imagine that if I'm a vendor receiving a new vulnerability report, I mean they probably have those processes baked in, but that's not probably the funnest day that they have in their job, because now there's an exposure that they have to sort through, they have to figure out, you know, what they have to do about it, they have to inform people, yeah, I could see how that's not the funnest part of your job.

Logan Carpenter: Yeah, and I completely understand, you know, why they, why they do respond the way that they do, because it is a sensitive topic, and one thing that is worth mentioning, is like something I always say is like OT security is like 10 years behind IT security. So wherever IT security is, go back 10 years and that's kind of where OT security is around like from the perspective of like the vendors and things like that, and the reason why I say that is because like even stuff like, you know, secure development practices are relatively new in the OT space, you know, if you go back to 2005-2006, or late 2000s, what you'll see is like a lot of IT companies were already staffing, you know, security people. And they were already implementing these ideas of secure programming practices and at that same time, in the OT space, so like a guy who works at some random you know, vendor that produces a PLC, these were just embedded software engineers who never really you know, had much exposure to networking outside of oh, I've got to you know, put an ethernet port in this thing so it can, so we can talk to it from the EWS. And they don't, didn't never really had that you know, security mindset when developing and IT security was the popular area to attack. All the attacks you were hearing was from IT security so the OT guys were always thinking like, oh, that's an IT problem. Now there were attacks here and there throughout the 2000s, but for the most part, IT security got all the focus and I think that's what kind of had that latency effect. Now we're kind of playing catch up now, right? Like Dragos was founded you know, in the late 2010s, right, and like you can look at the top IT security companies and you know, they were founded in like the early 2000s, so. It kind of shows you why it's behind and always call Stuxnet like the big bang of OT security. Right, that's when everything kind of changed.

Mark Urban: Stuff is different over here than in the IT space, we better take notice and treat something differently, I never heard that, like that Stuxnet is the big bang of OT security, that got people to become more aware. But that's something, you know, we continue to educate on every day, which is one of the reasons why. Logan Carpenter, our vulnerability analysts here at Dragos, thank you, thanks for joining, thanks for all the kind of cool information about vulnerabilities and I'm glad we have you out there looking for them with the other folks here at Dragos and kind of giving that context to, you know, how people can manage through it, much appreciated.

Logan Carpenter: Yeah, thanks for having me, always enjoy nerding out over vulnerabilities. So whenever you need me to talk about something, I'm always available.

[ Music ]

Dave Bittner: And that's Control Loop, brought to you by the CyberWire and powered by Dragos. For links to all of today's stories, check out our show notes at the Sound design for this show is done by Elliot Peltzman, with mixing by Tré Hester. Our senior producer is Jennifer Eiben, our Dragos producers are Joanne Rausch and Mark Urban. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening, we'll see you back here next time.

[ Music ]