Control Loop: The OT Cybersecurity Podcast 7.12.23
Ep 29 | 7.12.23

The IT/OT cultural divide in the federal space.

[ Music ]

Dave Bittner: It's July 12, 2023, and you're listening to "Control Loop". In today's OT cybersecurity briefing: Japan's largest port was disrupted by ransomware, Cl0p breaches Schneider Electric and Siemens Energy, solar panel vulnerabilities, threats and risks to electric vehicle charging stations, RedEnergy ransomware and information stealer is targeting industrial sectors, CISA advisories. Our guest, Christopher Ebley from Blackwood, returns to discuss the IT/OT cultural divide in the federal space, and IT threats that are impacting OT systems. The Learning Lab continues Part 2 of the three-part discussion between Dragos' Mark Urban and Vulnerability Analyst Logan Carpenter, talking about the vulnerabilities in the OT world.

The Port of Nagoya, Japan's busiest ocean terminal, sustained a ransomware attack against the Nagoya Port Unified Terminal System on July 4, BleepingComputer reports. "Nikkei Asia" says the issue came to light when a port employee noticed anomalies in his system. Investigation revealed the cause to be a ransomware infestation. "The Japan Times" says the LockBit gang was responsible for the attack. Bloomberg reports that the port began gradually resuming operations on July 6.

The Cl0p ransomware gang has used the MOVEit vulnerability to compromise Schneider Electric and Siemens Energy, "Security Affairs" reports. Siemens said in a statement to "BleepingComputer" regarding the security incident, "Siemens Energy is among the targets. Based on the current analysis, no critical data has been compromised and our operations have not been affected. We took immediate action when we learned about the incident." Schneider says they've contained the incident, telling "BleepingComputer," "On May 30, 2023, Schneider Electric became aware of vulnerabilities impacting Progress MOVEit Transfer software. We promptly deployed available mitigations to secure data and infrastructure and have continued to monitor the situation closely." After applying the mitigations, the company learned of claims that it had been the victim of an attack that exploited MOVEit vulnerabilities. It's investigating those claims as well. An investigation and analysis by the Dragos threat intelligence team has yielded some important insights into Cl0p's activities. Notably, Dragos was able to recover targeted process names associated with specific hash values embedded in a Cl0p sample. While most of these are IT-related processes, Cl0p ransomware does contain targeting of OT-related processes found in Windows operating systems. However, it does not use or target OT-specific protocols. The primary threat from Cl0p's activities is directed toward IT networks and IT assets within OT environments. The impact on OT networks can become significant if the adversary manages to encrypt servers, historians, engineering workstations, and other essential computing devices.

"Security Week" reports that hundreds of instances of the solar power monitoring product SolarView are affected by an actively exploited vulnerability described by Palo Alto Networks last month. An exploit for the vulnerability, CVE-2022-29303, has been public since May 2022. Researchers at VulnCheck found 600 SolarView instances exposed to the internet, 400 of which are vulnerable. VulnCheck states, "When considered in isolation, exploitation of the system is not significant. The SolarView series are all monitoring systems, so loss of view is likely the worst case scenario. However, the impact of exploitation could be high depending on the network the SolarView hardware is integrated into. For instance, if the hardware is part of a solar powered generation site, then the attacker may effect loss of productivity and revenue by using the hardware as a network pivot to attack other ICS resources." So the issue isn't the individual panels but rather the potential effect on the grid.

WIRED describes the potential impacts of vulnerabilities affecting electric vehicle charging stations. Ken Munro, a co-founder of Pen Test Partners, told WIRED that his top concern was with vulnerabilities that could allow attackers to stop or start chargers en masse, which could destabilize electricity networks. Munro said, "We've inadvertently created a weapon that nation-states can use against our power grid." Munro says, "Legislation in the United Kingdom could serve as a model for lawmakers in the U.S. The UK requires EV charging stations to have a randomized delay functionality of up to 10 minutes, which would mitigate the impact of thousands of charging stations turning on at the same time." Munro stated, "You don't get that spike, which is great, it removes the threat from the power grid." And so, again, it's not so much the station as it is the grid and the effect that deliberately induced power fluctuations can have on that larger electrical grid.

A Federal Grand Jury has indicted a man from Tracy, Massachusetts for intentionally causing damage to a protected computer after he was accused of remotely deleting critical software from a water treatment facility. The man, Rambler Gallo, was employed as an instrumentation and control tech for a private company responsible for operating the Discovery Bay Water Treatment Plant, located in Discovery Bay, California. The indictment was filed on June 27 and was unsealed on July 7. HackRead reports that Gallo apparently resigned from the company responsible for servicing the plant and subsequently uninstalled the critical software on the water plant's computers. We note that Mr. Gallo is, of course, entitled to the presumption of innocence with respect to the allegations. If convicted, Gallo could face up to 10 years in prison and a $250,000 fine. The motives for such an attack, if indeed it was an attack and not human error, are unknown at the time of writing, and according to the press statement, the FBI is investigating the case.

Zscaler says the RedEnergy malware operators are targeting entities in the energy, oil, gas, telecom, and machinery sectors. RedEnergy is what Zscaler calls a "stealer as ransomware," malware designed to exfiltrate data before encrypting it. The researchers state, "Zscaler recently made a significant discovery involving a new and sophisticated threat campaign named RedEnergy stealer, targeting the Philippines industrial machinery manufacturing company, as well as other industries with notable LinkedIn pages. These pages typically contain essential company information and website links, making them attractive targets for cyber criminals." Zscaler explains that when someone visits an affected website, they're redirected without their knowledge to a malicious site. Upon arrival they're invited to install what seems to be a legitimate browser update. Should they follow that prompt, they will download not the innocent browser update, but the Red stealer executable. It's a ransomware campaign that's relatively conventional in its effect, but it's noteworthy in that it's being deployed largely against industrial targets.

And in case you were wondering where the love was from CISA, fear not, CISA still loves your security. On Thursday afternoon, the agency issued three new ICS security advisories. Check the advisories out if you're operators and, as always, apply updates per vendor instructions.

[ Music ]

Our guest, Christopher Ebley from Blackwood, returns to discuss the IT/OT cultural divide in the federal space and IT threats that are impacting OT systems. Here's our conversation. You know, it's practically a cliché, the sort of ongoing tension between folks on the IT side of the house and the OT side of the house, and I'm curious if that still stands. You know, it seems like there's been some time now and in your experience, is there recognition across those two teams that, you know, good collaboration is in everyone's best interest?

Christopher Ebley: I think there are varying degrees of that, I think you know, I think you know a lot of times those factors still exist, we see, we have customers we support where even though they're part of public sector institutions, there are different components and different aspects of an environment that fall even to different groups, such as like a union or something to that effect, where quite literally you're talking about different capital sets and different requirements to be able to even go touch something. That's an extreme example but you do have disconnects there. In the same light I think there's a general, I can appreciate the general narrative for people who play in the OT space who are, you know, looking when they look at the idea of a vulnerability differently because there might be factors where it's like, hey, we understand we had this thing, but the traditional processes of remediation, patching, and things might be a nonstarter or nonreality because of the criticality of the system or because of the fact that we're sitting on, you know, some system that's still running on Windows 2000 and that's a, it's a non-available aspect and so there's a factor there where there's potentially frustrations because the general application of what would be a prescribed IT cybersecurity approach to fixing a problem may not be relevant in the OT side. But just the same, I think there's a factor there where when there's an understanding of that, when there's kind of an opportunity to learn kind of the differences between these particular spaces and understanding that you know, sometimes you're not going to have the luxury of controlling something at an endpoint level, sometimes you're going to have to make more decisions on the network, sometimes you have to understand that things are not as dynamic and ephemeral and more static and you can then in turn like take advantage of those particular components I think.
And there's a lot of things that could be huge wins and so you know, when you have organizations that within their own security practices and stuff like that have understandings of those narratives, there's typically a lot of wins that come out of it. So, you know, we see both.

Dave Bittner: Yeah, I'm curious for folks in the federal space who really want to focus their career on OT cybersecurity, do you have any words of wisdom? Any recommendations for how they can best go about improving their skills and going down that path?

Christopher Ebley: Yeah, it's a good question. I think like it's a funny question but I get a chance to not necessarily even specific to OT but cybersecurity in general that's, you know, we are at an interesting position where a lot of the professionals that I work alongside have been in IT or OT for a very long time and have had the benefit of learning things over time and been able to go through career evolutions, whether it's someone who is, you know, doing system design or handling like substation connectivity initiatives or actually do a configuration of PLCs and other different components and necessarily understand the nuance of a system, what it is, what the mission is, what the protocols are, what connectivity looks like, you know, and that becomes like a native facet and then you're just now layering in a cybersecurity logic over the top of that. At the end of the day, whether it's that or whether it's IT cybersecurity and the idea of having to understand, you know, how Windows works, or Linux works, or a network and network protocols and communication, they're all burdens of time and so it's not meant to be daunting, but at some capacity the advice is, start yesterday. Right? And there's always an advantage to understanding that there's a huge amount to be learned. And otherwise I think like, you know, for the purpose of getting exposure and experience in this kind of space, I think any kind of lean in, especially into the networking side of things, especially into the understanding of communication and then the understanding of kind of like in the overlay of logic to be able to do things like, you know, whether it be specifically focused in a mission supporting a security operations kind of narrative around like IDIR and response, or something where you're potentially on the opposite side of that just working within kind of a specifically prescribed team to, like a transmission network or a generations network. 
There's always an opportunity to be able to kind of get in from the ground level and I think there's no necessary wrong way to approach this, whether it's something where it's an evolution from cybersecurity side where you're then learning the OT specifics, or whether you're someone who's coming out of maybe non-cyber oriented OT narratives and you're trying to build the cybersecurity piece alongside that, but at the end of the day to be successful you need to be able to understand both. Especially as more and more systems become connected and we have like kind of the modernization there.

Dave Bittner: To what degree do you think that certifications and, you know, the traditional educational path is valuable in this particular space?

Christopher Ebley: I think there are, you know, within cybersecurity as a whole, there are a number of different ways to look at this, you know, the guidance that I give people quite often, as far as like the educational systems that are associated with this is that completely traditional routes may not be the most appropriate and that's not just unique to the OT side, that's unique to cybersecurity as a whole and some of the reasons, to be totally candid, is that if you look at, you know, a higher education institution, cybersecurity as a practice, as a major, as a pursuit, might be a relatively new concept to that institution and you're looking at a field that pays very well. So sometimes when you look at that and say if this field pays very well and this person's a full-time professor in this particular space, it's like what's the, what's the why between this person wanting to kind of be on this side of things and what is the level of exposure I'm getting in terms of the actual uniqueness of that education. I think a lot of times you approaching like from the institution such as SANS and stuff like that that have very specific practices and very specific kind of career paths for people to pursue in terms of certifications and stuff, that are you know, cutting edge that are led by like absolute leaders in this particular space, I think that starts to become like a differentiated path where, yeah, the outcome might not be something to the effect of a bachelor's degree but will absolutely be like a practical skillset that enables you to kind of tackle the space. So I think cybersecurity as a whole, in terms of the certification side and the value there, it's like there, you know, your mileage may vary and there's some differentiation there, but I think for a lot of it you have to look to, you know, like different providers for that particular education and then that's going to be combined with, there's no replacement for doing. 
Alright, so any opportunity you have to learn on the job, and that or to be even pursuing those certification paths while actually like you know, starting to tackle a career, I think is typically the best place to be from a success standpoint.

Dave Bittner: Do you find that the organizations themselves are doing a good job of promoting and nurturing folks from within?

Christopher Ebley: I definitely think so. Especially within the federal space, like the federal space is phenomenal from a training and opportunity standpoint. I think the OT security side of things, where we see that prioritization, a lot of the actual coursework that I just referred to, we've seen a large amount of our client base pursue, especially kind of you know, riding alongside, or riding that wave of understanding of the absolute importance of OT security. And so whether that's specific training that's provided by a very specific vendor that has a technological approach to the OT space, or whether that's training that's being provided by like a more agnostic provider, within that we are definitely seeing a focus there and then the public sector does a phenomenal job of providing resources on the training side to be able to build those skillsets.

Dave Bittner: That's Christopher Ebley from Blackwood.

[ Music ]

In Part 2 of our three-part discussion between Dragos' Mark Urban and the Vulnerability Analyst Logan Carpenter, they speak about vulnerabilities in the OT world. Here's this week's Learning Lab.

Mark Urban: Hi, this is Mark Urban with another edition of Learning Lab, here on Control Loop. Today I'm joined by Logan Carpenter, and Logan is a vulnerability analyst here on the Dragos Worldview Intelligence Team. Talk about doing your research, you know, as an analyst, talk about walking through kind of the disclosure and reporting with the vendor and then, but let's turn our attention to, let's say we're an asset owner, asset operator, we've got, you know, these giant industrial systems and thousands and thousands of devices and, you know, in our environment, how do they keep track of vulnerabilities in their environment, right? They can't be, or you know, are they doing the same thing that well, they're not scouring the internet to find these disclosures to analyze them. How does an asset owner/operator kind of assess whether they have vulnerabilities in their environment?

Logan Carpenter: Yeah, so I think the easiest answer to this question is really the only way to do this that is, you know, the only feasible way to do this is you have to have some sort of tooling that does, you know, asset identification and is able to, you know, ingest intelligence you know, whether it be the advisories that vendors release or you know, whatever the various vulnerabilities and CVEs that get published, and map those to those assets in their specific networks. So you would need some sort of tool and that's kind of what Dragos provides here, but there is the hard way to do it, right? And that's the manual way of kind of understanding your network, what's in it, and just trying to pay attention to you know, the various intel reports that come out about those specific devices, which honestly, I think you know, is pretty much impossible to do without using tooling for it.

Mark Urban: Yeah, and just disclosure, so Dragos has a platform that helps track assets' inventory and match those to vulnerabilities, also provide the Worldview Intelligence Service, which is a, you know, being able to have that intelligence in human readable form and those are some of the reports that Logan writes. Well we got that out of the way just to clarify that. Let's look at them okay, say that they have wow, I've got three thousand of these PLCs that you know, there's new disclosed vulnerability, what do I do? Do I go patch those right away? I mean because that's the traditional thing in the IT world, hey, there's a vulnerability over here, you know, the simplest straightforward way to do that is to you know, let's assume that the vendor has a patch and by the way, they often times don't right away, but what has to be done? Do you have to shut that unit down, do you have to patch that unit? As you discover vulnerability in your environment, what should an-- what are the considerations an asset owner/operator kind of has to take at that point?

Logan Carpenter: Yeah, so what I always tell people is like when you're like comparing OT and IT security, OT security is very like, it's more nuanced than IT security, so our recommendations are, is kind of a different layer, like you have this high level layer where you think of all OT networks, right? How can I provide the best guidance to them as to what they should do? And then there's kind of this next layer where it's like, well actually, the right way to give you that answer is what is, you know, the specific environment you have, right? What is your OT network, you know? Like are, for instance like, can you risk shutting down operations is one thing, right? As far as updating. That's traditional for like IT security. If you have a PLC that's susceptible to some, you know, new vulnerability that's disclosed and they offer a firmware patch, it may not be possible for you to shut down operations to just patch one device. Some organizations will kind of do these cycles where they shut down operations to do things like that, and one thing that we do at Dragos, we'll like, our intel team will offer additional mitigations that are outside of your traditional patch to firmware, so whether it be like you disable this service if you don't need it, or block this port if you don't need it, monitor the traffic going from here to here, or restrict access to this particular device or this particular port are some of the mitigations that we'll offer as well outside of your traditional patching, and some of the things like that we'll, whether or not you should care about this vulnerability, even though you have the device. What we traditionally will say is like, if it's in the wild, right, was this vulnerability discovered in the wild, so is it being actively exploited? 
If that's the case, yes, it should be at the top of your priority list to either implement suggested mitigations or workarounds or the actual patch, because this is something that adversaries are actively using to exploit OT systems. And then kind of the other level you will go is like, is it something that's easy to mitigate? Right? Is it patching firmware, which is not very easy because you've got to shut down operations, or is it just adding an extra firewall that will kind of smooth things over? These are questions that asset owners have to ask themselves and then another thing is like are you a targeted sector? So like, if this was found in the wild, right, and it's been targeting electric utilities, if you're an electric utility, you should probably follow the guidance that's being published out there. So, that's kind of the response I have to that, it's like very nuanced, but the answer isn't always patching. Most of the time it's not patching, most of the times it's you know, other alternate mitigations, but--

Mark Urban: But so the point being that it could take an electrical grid or you could take a, talk about a refinery or manufacturing, the key goal is to keep that stuff going, right? You've got to keep, you've got to keep that environment operating and you mentioned that there are periodic maintenance windows where they shut these, you know, systems down or components down, where they do perform maintenance, but that's something that's scheduled well in advance, there are a lot of procedures for how you do that safely and those are, you know, those are rare occurrences versus hey, let's just shut down these machines and, you know, stop production, you know, perhaps put, you know, safety at risk because you're doing it wrong, you're making a point that OT environments are just very different. Each one has their own kind of considerations but kind of rule number one in OT is to keep the stuff moving, keep revenue producing, keep electricity flowing, keep the production floor moving along, and you know, especially if there are alternative ways to mitigate the risk of that particular vulnerability, so that's yeah, good insight, it's like hey, patch your laptop, Logan, because we found this vulnerability, thankfully that's few and far between. Shutting down your laptop for 10 minutes is different than you know, stopping a refinery for three or four hours.

Logan Carpenter: Yeah, and every now and then you'll get a vulnerability like, for instance, one that comes to mind is like the Log4j one, right, when there was like a lot of hype and publicity behind it and it was very like one of those vulnerabilities that wasn't, it was in a lot of devices, IT and OT and there was a public proof of concept out there, and so stuff like this is stuff that like we often offer to find workarounds or patch, because like you're kind of like what we call scripted [inaudible], you know, those guys who just, you know, attack organizations just to brag on social media or you know, they use like, they don't use zero-days, they use like you know, open source tooling and stuff like that. Those guys love to go use, you know, the hype tools that are out there like you know, the high vulnerabilities, right? Like the ones that you could find in like Metasploit and stuff like that. So, those are additional ones that we will kind of push to light, alright, we should probably do something about this because although like strategic adversaries may not be trying to attack you, there might be like some kid in Florida who's bored and wants to brag and like and attempt to do it, so. There's always cases like that too. But yeah, it's very nuanced.

Mark Urban: So you just brought up bad guys, you know, based on kind of the observations of you and kind of the Worldview team, can you talk a little bit about the sectors, industries that you see being kind of most at risk of attack? I mean we do, we track these statistics in the Dragos [inaudible] Review, you know, but what industries out there are kind of particularly, maybe not vulnerable but you know, who are more attacked than others?

Logan Carpenter: I mean, you know, critical infrastructure is always going to be the number one target, right, with these, with this. I mean you can think of like the whole ransomware side, which is more you can argue is more IT, even though a lot of OT systems get affected by it, they'll target like manufacturers and stuff like that, because they're doing it for money. But people who want to generally like the threats that we are kind of nightmare scenario, right? Are the ones that affect the well-being and safety of humans and generally that's critical infrastructure, so whether that, like the number one you would think of is like power, right? And everything associated with it, whether it's power generation, transmission, those sectors are the most at risk, right? And those are sectors that we always like, if you look at all of the, what is it now, nine ICS specific malwares since Stuxnet, right? Most of those target energy or utility, energy companies, utility facilities and things like that. And then you kind of want to, like those are, I think that's the biggest group that's like the biggest industry that's under threat is the energy. Because we constantly see it, like we see it in Industroyer2, we've seen it with CrashOverride, there's intel that suggests like a lot of the Pipedream stuff was designed with targeting these systems, so definitely the energy sector is probably the most at risk and then you know, if you're worried about getting [inaudible], if you're making a lot of money and you're a big company, probably at risk for that.

Mark Urban: So kind of the, yeah, the we don't really focus on that so there are a lot of attack groups focus on energy, and you're saying like, your manufacturing [inaudible], maybe they don't even sometimes think they have operational technology they do, that's when it runs kind of the manufacture plants. But your point is, that's where the ransomware gangs come in because if they can disrupt those operations, they can get a big payoff. Is that effectively?

Logan Carpenter: Yeah, yeah they can get a big payoff and I mean, it's not manufacturing, technically it is energy but like the Colonial Pipeline situation, right? It's, they're manufacturing, they're transporting a commodity, right, and it's a money making operation, alright, opposed to like a lot of energy companies are subsidized and coops and stuff like that. They do make money, but generally the adversaries that are going to attack those, they're just trying to disrupt something. Like we've seen in [inaudible] happen over and over again.

Mark Urban: Alright, let's go back a little bit to the, you know, if I'm an asset owner/operator, once you identify the device is vulnerable, how do you prioritize action? Like or if you have several vulnerabilities that you're managing, say you're, you know, hey I have acceptable mitigation for these or how should an asset owner/operator kind of think about prioritizing kind of the vulnerabilities in their environment?

Logan Carpenter: Well it kind of goes back to the question you asked earlier, where you know, the response was like it's a nuanced response. And what the asset owner needs to ask themselves, right, alright first, step one, are any of these vulnerabilities being actively exploited? If yes, that's probably the priority, right? Those particular vulnerabilities are probably the priority. If no, you know, is there a public proof of concept that's been released with it? Maybe it was a research project, right? For some university and they discovered some vulnerabilities but they publish their proof of concepts to GitHub, right? That is more of a threat than, one thing that people kind of get hung up on is like the CVSS scores, right? But like if you want to think about it like this, like a 10 CVSS score that has no proof of concept that was you know, discovered by MITRE, right, is not as scary as maybe something that's a six or a seven, that has a public proof of concept or is being actively exploited in the wild. So you kind of have to use that mindset when prioritizing these. Because at the end of the day, right, it's all about risk, right? What is your risk? And you know, it's okay to accept risk at times, right? Patching this or implementing these mitigations to that particular device is not feasible so then you have to get to the point where you're at the phase of risk acceptance, and okay, I'm willing to accept the risk that is involved with this particular vulnerability. So the way that I calculate risk with regards to vulnerabilities is the risk is high if it's publicly available, and is actively being exploited. If it's not, you know, it's much lower, it's much, much lower.

Mark Urban: So you mentioned CVSS, what's a CVSS? What does that stand for?

Logan Carpenter: So, that's pretty much, I think the acronym is Common Vulnerability Scoring System, but you can pretty much it's a number that identifies how vulnerable, well how impactful a vulnerability is, right? So, when you find a vulnerability, let's say we find you know, for IT terms, cross site scripting, a cross site scripting vulnerability on some you know, website. Right, or some web server that's publicly available. That particular vulnerability will get assigned a number by what, a CNA, which is pretty much just an authority that issues these CVE numbers, and that CVE number will get assigned a score based on, you know, a bunch of different things. Pretty much you, it's a collection of you know, things like is there a public PoC? You know, does it allow increased privileges, like privilege escalation, things like that. And you put all these yes or no, you answer all these yes or no questions, essentially, and it gives you a number. Now, the thing with CVSS is like it should be taken with a grain of salt, because number one, the whole CVE system was designed specifically for IT systems, IT vulnerabilities, IT security. And like we mentioned earlier, we can't, you know, compare apples and oranges to each other. And because of that, the CVSS scoring mechanism is not tailored towards OT systems. And also, if you understand the inner workings of how these vulnerability disclosures happen, there's a lot of like, I'd say like almost negotiating between whoever found it and, you know, whoever found it and who's affected. So like for instance, if I find a vulnerability, I'll go to the vendor and be like hey, I found a vulnerability, I think this vulnerability has a change in scope, it offers a change in scope. And they can go, oh, I don't agree with that. I don't think it offers change in scope because x, y, and z.
Or I believe that is actually a privilege escalation vulnerability, and they can go well no, not necessarily privilege escalation because of whatever reason, right? And you eventually settle on something and sometimes that can be incorrect and not in the best interests of the public. So that's why Dragos, like at Dragos we offer our own score that we kind of go back, we look at the actual vulnerability, we analyze it and we go, here's our you know, new score that actually reflects what we believe this vulnerability score should be.

Mark Urban: And so that's because we're taking what was an IT type of thing and we're applying an OT lens to it, which is very different. So it's like yeah, that might be a good CVSS in the IT world, let's take an OT lens to it and give you more practical understanding of what the risks are.

Logan Carpenter: And also, people get things wrong too. You know, like if it's, if somebody is self-reporting a vulnerability too, right, like they get things wrong sometimes. And that's something that's you know, not mentioned very often but you know, sometimes people report vulnerabilities and you know, there'll be mistakes, so and sometimes the reason why we don't go and try to argue with the CNA to change the score is because that process is complex, convoluted, and it involves, you know, us and you know, the vendor who's affected, and the CNA who published it, and having to do all this conversation to amend some CVE so it's a lot easier for us to just go, here's our score, and offer it on our platform.

Mark Urban: Got you, so let me just do the roundup of acronyms; you talked about CNA, which is Certified Numbering Authority, that's an organization that issues a CVE, which, I had to look it up, Common Vulnerability and Exposure, because I know what it is but I don't remember what the acronym stands for, so CVE is a Common Vulnerability and Exposure. CVSS is Common Vulnerability Scoring System, right, so that's-- and your point is like hey, this CVE, which are numbered, hey you get CVE dash a number string, to uniquely identify that CVE information, you're saying you know, rather than trying to revisit all that, we take that and we do an OT kind of contextualization around that, if that makes sense. Is that a fair description?

Logan Carpenter: Yeah, we'll put an OT lens on it and we'll fix any mistakes that we believe were made and report those, yeah.

Mark Urban: Logan Carpenter, our vulnerability analyst here at Dragos, thank you. Thanks for joining, thanks for all the kind of cool information about vulnerabilities and I'm glad we have you out there looking for them with the other folks here at Dragos and kind of giving that context to, you know, how people can manage through it, much appreciated.

Logan Carpenter: Yeah, thanks for having me. I always enjoy nerding out over vulnerabilities. So whenever you need me to talk about something, I'm always available.

Dave Bittner: And that's Control Loop, brought to you by the CyberWire and powered by Dragos. For links to all of today's stories, check out our show notes at Sound design for this show is done by Elliot Peltzman, with mixing by Tré Hester. Our senior producer is Jennifer Eiben, our Dragos producers are Joanne Rausch and Mark Urban. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening, we'll see you back here next time.

[ Music ]