Control Loop: The OT Cybersecurity Podcast 11.1.23
Ep 37 | 11.1.23

Active visibility into OT systems.


Dave Bittner: It's November 1, 2023, and you're listening to Control Loop. In today's OT cybersecurity briefing, Rockwell Stratix routers are vulnerable to a Cisco zero-day. SecurityWeek's ICS Cybersecurity Conference. Malware attacks against IoT devices increased by 400%. A nuclear power plant operator is cited over a cybersecurity plan. and CISA's ICS advisories. We welcome guest Garrett Bladow to the show. He's a distinguished engineer at Dragos. We caught up with Garrett at the CyberCon 2023 event in Bismarck, North Dakota. He discusses active visibility into OT systems. The Learning Lab has the second part of Mark Urban's conversation about cyberthreat intelligence with Paul Lukoskie, who is Dragos' Director of Intelligence Services. Rockwell Automation has warned that its Stratix 5800 and 5200 routers are vulnerable to the recently disclosed vulnerability in Cisco IOS XE Software's Web UI feature. The company notes, While Rockwell Automation has no evidence of active exploitation against the Stratix product line, this vulnerability was discovered by Cisco Talos during an incident response for a Cisco customer. Rockwell adds that it strongly encourages customers to follow guidance disabling Stratix HTTP servers on all Internet facing systems. SecurityWeek held its ICS Cybersecurity Conference in Atlanta last week. In a fireside chat hosted by SecurityWeek Editor-At-Large Ryan Naraine, John Hultquist, chief analyst at Mandiant Intelligence, described activity by China's Volt Typhoon threat actor. Hultquist noted that China's interest in staging potentially destructive attacks is a relatively new development. Later, McKenzie Morris, Senior Industrial Consultant at Dragos, gave a talk emphasizing that better practices beat out best practices recommendations with feasibility, cost, likelihood of implementation, and improvement in security posture. The next day, Benjamin Stirling, Global Director of ICS Cybersecurity at ABS Group, discussed risks to chemical processors in cyber physical environments. Stirling added that one of the major issues facing the petrochemical industry is lack of visibility. A report from Zscaler's ThreatLabz has identified a 400% year-over-year increase in malware attacks against IoT devices in the first six months of 2023. Activity from the Mirai and Gafgyt botnet malware families accounted for 66% of attack payloads against these devices. Additionally, the researchers found that 34 of the 39 most popular IoT exploits specifically directed at vulnerabilities that have existed for more than three years. The most commonly targeted devices were routers. More than half of malware attacks against IoT targeted devices in the manufacturing industry. The report notes, On an average week, the manufacturing sector receives more than triple the number of attacks as any other sector. With a low tolerance for operational disruptions, manufacturing is high stakes for malware attacks. High attack volumes not only jeopardize IoT systems but also pose a serious threat to OT processes. The UK's Office for Nuclear Regulation has cited EDF, a French power utility that runs five nuclear power plants in the UK, for the company's failure to provide the ONR with a comprehensive and fully resourced cybersecurity improvement plan in a timely manner, Silicon UK reports. The ONR stated, EDF's Corporate Center has been moved to significantly enhanced regulatory attention for cybersecurity. EDF has made two new appointments to specifically address cybersecurity. We have subsequently met with EDF's senior team to ensure regulatory expectations are understood. On Tuesday, Rockwell Automation and Dragos announced a partnership under which Rockwell will be making the Dragos ICS Security Platform available to organizations, giving them enhanced ICS OT cybersecurity threat detection, providing global deployment services and support capabilities. The partnership is expected to help customers operationalize their security investment. We close with some advisories on ICS vulnerabilities from the US Cybersecurity and Infrastructure Security Agency. On October 17, CISA issued two advisories for vulnerabilities affecting Schneider Electric EcoStruxure Power Monitoring Expert and Power Operation Products, and Rockwell Automation FactoryTalk Linx. On October 19, the agency published an advisory for a set of critical vulnerabilities affecting Hitachi Energy's RTU500 series. And, on October 26, the agency released advisories for vulnerabilities affecting Dingtian DT-R002; Centralite's Pearl Thermostat; and products from Ashlar-Vellum, Rockwell Automation, Sielco, and BD.

Dave Bittner: I recently attended CyberCon 2023 in Bismarck, North Dakota, where I had the pleasure of catching up with Garrett Bladow. He's a distinguished engineer at Dragos. We discuss active visibility into OT systems. So you and I find ourselves here at Bismarck State College. We are here for CyberCon 2023, and you are presenting later this afternoon. And you've graciously agreed to give us a little preview of that presentation for our show here. What's the title of the presentation?

Garrett Bladow: It's Going Active in OT. And we're going to -- I'm going to talk about sort of the benefits of asset visibility, which is one of the biggest challenges our customers have. They just don't know what's necessarily on their networks because they've evolved through 20 years of, like, static emplacements in oil and gas pipelines or manufacturing or energy grids.

Dave Bittner: Right.

Garrett Bladow: Right. And, you know, a lot of security solutions in the IT space are a route scanning, right. I'm going to bring my Nessus scanner. I'm going to bring NMAP. And I'm going to use those tools to just poke everything out there and see what happens.

Dave Bittner: Yeah.

Garrett Bladow: But the challenge here is, is that IT/OT break again, right?

Dave Bittner: Right.

Garrett Bladow: IT is meant for that resiliency, right? They've -- they've kind of built that into their ecosystem. They're expected to be poked all the time.

Dave Bittner: It's a feature.

Garrett Bladow: Yeah. It's a feature, not a bug. Right. And, you know, the OT systems were built to be closed loop systems, right?

Dave Bittner: Right.

Garrett Bladow: And -- and the devices that are out there, they're really good at their job: real-time measurement, sending data out, being as available and reliable as possible. What didn't happen was any encryption, any authentication, any of that sort of stuff. And then, you know, they were built for the use case they were built for, right? Measure these devices. Send those sensor readings back to a thing, right. And keep doing all these real-time operations. And what happens if they get an interrupt, right, something coming in from the side that says, Hey. Tell me your identification. Hey, tell me it again. No, really. Tell me it again.

Dave Bittner: Right, right.

Garrett Bladow: And it's like -- and one of the examples I have is one of the specific OT protocols, Ethernet, industrial protocol, Ethernet IP. And it's great. It's got one call. You say, Give me your ID. Everything comes back. You get the serial number, the product name, when it was last installed, when it was updated.

Dave Bittner: Right.

Garrett Bladow: You can even get the software that was installed on it and bring it back. The challenge is, you know, if you do that a million times in a row, the darn thing falls right over.

Dave Bittner: Right.

Garrett Bladow: It's because it's trying to do the measurements. It's trying to, you know, grab the stuff from the actuator. And then it's trying to answer your question. And you're just like, bug off.

Dave Bittner: You're like that toddler. Mom, mom, mom.

Garrett Bladow: Yeah. Exactly.

Dave Bittner: Mom.

Garrett Bladow: And -- you know, and, again, it's -- there are programs out there like NMAP or Nessus that people will take off the shelf and try, not that they're bad technology at all.

Dave Bittner: Yeah.

Garrett Bladow: Heck. They're great for cybersecurity.

Dave Bittner: Right.

Garrett Bladow: But, you know, when -- when you take that and take it off the shelf and just say, you know, Beep bop boop, do that thing that I've asked you to do in IT but against OT systems, there's all these unintended consequences because OT is IT plus physics, right?

Dave Bittner: Can you give us a -- sort of a simplified example of a system that would kind of fall victim to this? You know, what sort of workflow would this apply to?

Garrett Bladow: Right. So, you know, we'll look at, like, oil and gas pipeline, right. A lot of them have these programmatic logic controllers, PLCs. And those devices are taking the measurements from the sensors. Or maybe they're moving an actuator, right. This is literally like I am opening the pipe. I am shutting the pipe, right? How much pressure is in that pipe? You know, how much is -- how much liquid or whatever is flowing through that pipe, right? All of that is happening, and it's -- and it's trying to send that data back to some sort of historian or human machine interface, you know, for that control engineer operator to say, My pipeline is green today, right? Everything is working as I -- as I intended it to. And, oh, I need to shut that pipe. I'll hit the button. Boop. I can see that that button happened. The pipe shut, right? All of these things are -- are going on in that real-time -- real-time automated fashion.

Dave Bittner: Right.

Garrett Bladow: You know, all of these protocols are running this. And they're intended to be fast, loose. Make sure its availability overall, right? That's the only thing that's really emphasized in that world. And now, if an attacker should gain access into that environment, right, everyone thought their systems were air-gapped. In six years of Dragos doing business and professional services and reviewing architectures and doing incident response, we have found exactly zero air-gapped OT systems, right. And it doesn't take a lot of technical expertise to go in there and write a packet because they're mostly UDP, User Datagram Protocol, right.

Dave Bittner: Right.

Garrett Bladow: Just write one packet on the wire, and that's it. You don't even have to have a session. Poof; shoot that out. That thing is now off its track and not necessarily, you know, working in the same working state that -- that you have, right? They're all open. They're all read/write. There's not, like, I can put a lock on it and say, Stop listening, right? There's no firewalls on them.

Dave Bittner: And they -- so help me understand here. They're -- they're not built with any sort of adversarial communication in mind.

Garrett Bladow: Not at all, right? Again, this protocol that we're talking -- that I'm emphasizing, Ethernet IP, it was built in 1991, right? Defense in-depth was not a concept yet, right? Another one, Modbus, another protocol that's in this, heavily used in the OT space was built in 1979, right?

Dave Bittner: Right.

Garrett Bladow: We didn't even know that computers existed half the time, right?

Dave Bittner: Right.

Garrett Bladow: And, you know, these have evolved. And they've always evolved in that -- that context in the OT world of, don't worry. No one else has access to this system. It's closed. We'll never, you know, have to have -- worry about an intruder in the system. We control everything, right. And now with the OT/IT convergence that we're seeing across the world, you know, that is not true anymore. The advent of industrial IoT, right, where I have a 4g LTE 5G device, you know, it's now controlled wirelessly.

Dave Bittner: Right.

Garrett Bladow: And it's sending those same datas. I don't even control the wires that go to it anymore.

Dave Bittner: To what degree is it a challenge to know that the information you're getting back from a remote device is truth, is this ground truth. In other words, this device is telling me that the valve is open. But unless I have someone with eyes on, how do I know the valve is open? I suppose I know the valve is open if the other thing is measuring flow through the pipe, right? Is that generally how it works?

Garrett Bladow: That's typically how it works. Yeah. It's a lot of redundancy in these systems --

Dave Bittner: Okay.

Garrett Bladow: -- to kind of, you know, give that control engineer that peace of mind that the system as a whole is working as it's intended.

Dave Bittner: I see.

Garrett Bladow: But, again, from an attacker perspective, which is typically where I come at it from, that's one of the biggest impacts that -- that is -- that can happen in a control system, right. We call that lack of visibility or lack of control, right. Lack of control is I've lost control of the entire device. Lack of visibility is I can't trust the data that's coming back from that.

Dave Bittner: I see.

Garrett Bladow: And it's very, very easy from an attacker's perspective if you're in the system to send the inputs back to something that's reading the console, you know, that the control engineer is looking at. And, you know, you can make it look red when it's green or green when it's red. And that includes even the -- you know, the readings that are coming from a pressure sensor or that, right. You can fake that funk if you know what you're doing from a protocol level. But, again, you know, control engineers don't always look at one component. They always look at the system. And so that's the bigger challenge from an attacker perspective is how do I make everything look like it's supposed to across the entire ecosystem?

Dave Bittner: Yeah. So what are you proposing, then? I mean, in your presentation today, it's not just doom and gloom. You've got some solutions in mind, right?

Garrett Bladow: Right. So a lot of it is go to a vendor that knows what they're doing in the OT space, right? One of the things that our technology does is we've actually taken the write capacity out of it. It's only read at this point, right. And so we are not able to go and change the values within a system and do things, even if an attacker would gain access to the software we're giving, you know, the control engineer. And, you know, a lot of it is really just understand the context of what you're doing. And the biggest takeaway, and this is the last slide in my deck, is do not do this on production systems ever, bar none.

Dave Bittner: Do not do what on production systems?

Garrett Bladow: Do not -- do not do active identification or active, you know, looking for your assets when a system is in production.

Dave Bittner: Okay.

Garrett Bladow: There's always an unintended consequence to what you're doing.

Dave Bittner: So let me push back on you there a little bit. And, you know, I remember from -- in a previous career when I was in the digital video world, there was a saying, you know, never update your software in the midst of a project. And the challenge was, we're always in the midst of a project. So is this a matter of regular downtime, scheduled downtime, those sorts of things?

Garrett Bladow: It is. But that -- but that's built into an OT systems lifecycle.

Dave Bittner: Yeah.

Garrett Bladow: Right? That, you know, if you're running a plant, an oil refinery, they're literally shut down for probably two months out of the year for health and safety and maintenance, not just of, you know, the pipe is worn. But it might be, you know, they're replacing pipes. They're replacing this PLC. They're doing all of these different things, and that's built in to how they operate an operational technology platform. And so what we're -- what we're saying is that's also the time when you start to do your active testing of the systems to make sure that they're working as you intended and also to find that PLC that someone stuck in the rack five years ago that you didn't know.

Dave Bittner: Right, right. Ultimately, where do you suppose we're headed here with this? I mean, what is the -- what does the ideal future state look like to you?

Garrett Bladow: What -- the ideal future state that I think we're headed to is that hybrid environment, right? Most of the OT security vendors in this world, they have some sort of sensor product, right, that's out there passively listening to the chatty protocol traffic that's happening. They'll identify assets. They'll make sure that everything's in, you know, quote, unquote, normal state, right. And we can introduce an active component to that. Maybe as actively I can send a, you know, give me your identification packet, right. But I don't even have to listen to it. I send that out. The thing -- the device burps out their identification, and my sensor picks that up. And I don't have to even further interrogate that or ask it more questions or even, you know, push its registers to the limit because I've -- I can do it with sort of one shot and use the rest of my technology in order to help and facilitate that sort of hybrid environment.

Dave Bittner: All right. Well, I think I have everything I need. Is there anything I missed?

Garrett Bladow: No, not really, I think at least for this -- for this product or this -- this sort of concept. The one thing that I that I would like to talk a little bit about is sort of this -- the new generations of threat intelligence and -- and making sure that, you know, we're all in this together, right. So a lot of what we're doing is these shared threat intelligence environments and being able and participating in that. The nice thing about a lot of the technology that we've built there is that it is anonymous, right? You can provide anonymous data that's not going to get you in trouble with your regulators or any of that sort of data to help with the common defense of these systems. We are already seeing it pay dividends with Dragos Neighborhood Keeper. But, you know, if there's anything that you can participate in, in that sort of ilk, please, please do. The other part of that common defense is common action. One example that I really like to push is it's -- its electric utility concept of, like, the old linemen, right, the linemen in the truck. If there's a hurricane in Louisiana, North Dakota is going to roll truck down and help those people to bring back power in that environment, right?

Dave Bittner: Right.

Garrett Bladow: We're not -- we're not busy. It's spring here, right? Ice storm hits us in North Dakota, there's that mutual assurance where Louisiana is going to roll truck, come back up and to North Dakota. And what we're starting to see is that same concept being applied in the cyber environment where, you know, there may be a large investor-owned utility that has the money to have an IT SOC, an OT soc, you know, intel analyst sources, right, all of these things that come with actually being able to, you know, invest in your cybersecurity program. Or you might be that coop that's out in McKinsey County, North Dakota, where you run the IT, the OT, and you mowed the lawn on Saturday. All right. And this thing blips across your screen, and you have no idea what it does, right? It's -- what we're trying to do in this mutual assurance is being able to click a button and say, Help me and having that investor-owned utility maybe in a different region in the United States, bring their expertise, help that person, get the data they need. And then, at the end, they all press a button, right, and everyone goes back to being anonymous. And that's one of those things that we're -- we're really trying to push for common defense here at Dragos.

Dave Bittner: Thanks to Garrett Bladow from Dragos for joining us. In this week's Learning Lab, the second part of Mark Urban's conversation about cyberthreat intelligence with Paul Lukoskie, Dragos' Director of Intelligence Services.

Mark Urban: Hi. This is Mark Urban with another edition of the Learning Lab. And today we're going to talk about threat intelligence for operational technology. And I'm joined today by Paul Lukoskie here at Dragos. Paul, welcome.

Paul Lukoskie: Thanks, Mark. I really appreciate the opportunity to talk about this.

Mark Urban: Can you talk a little bit about what does a threat intelligence vendor deliver? And we'll just use the Dragos context. Like, how do we deliver that intelligence to a customer environment?

Paul Lukoskie: Sure. So, in the context of Dragos, one of the -- one of the primary ways that we have prioritized delivering threat intelligence or, at minimum, having a threat intelligence influence capabilities is with the Dragos platform. And what I mean by that is our Threat Intelligence Team uses everything that we gather during our daily hunts. And we create detection signatures that are then deployed into the Dragos platform. So, for the customer, having an intelligence driven detection within Dragos platform, it's -- I mean, not only is it one of the aspects that really differentiates Dragos from other threat intel vendors in the -- in the same space, but it gives kind of like that backstop, that peace of mind to Dragos platform customers that they know that any alerts or detections that are popped up, that pop up in their platform, there is a threat intelligence Nexus upstream from that detection. And there's always the opportunity to kind of have that reach back into the Dragos ecosystem and ask for additional context. Now, with those detections, I will say that sometimes detections don't always provide the right level of context. So that's one of the reasons why, whenever we're having those conversations with people, I always -- and irregardless of whether or not this is a Dragos customer or Mandiant customer or CrowdStrike or whoever, it's always good to have multiple points of view. And it's always good to have the kind of understanding of how different components of the threat intelligence delivery model works. And what I mean by that specifically is you want to kind of break it down into three different areas so tactical intelligence, strategic intelligence, and operational intelligence. And this is how I always describe it to our customers at Dragos intel -- or they're our customers of Dragos Intel. So tactical intelligence, it's really designed for kind of that immediate human or security device action. Usually they're driven by indicators of compromised, like I said earlier, malware hashes, IP addresses, domains, URLs, detection signatures, vulnerability information like CVEs and things like that. CVS -- CVS is two scoring. An example in WorldView of what could very easily be consumed as a tactical deliverable is the weekly suspicious domains report that we internally lovingly refer to as, quote, unquote, the Dom. And those reports capture every single week, hundreds of domains and IP addresses that we have assessed to be either, at minimum, suspicious and, at most, certainly malicious. And they are often masquerading as OT vendor URLs, right. A lot of them we see masquerading as very common malicious domains that are trying to mimic Microsoft 365 logins, things like that so really aimed at credential theft and those initial intrusion techniques. And then we have strategic intelligence, which is really designed for long-term projects and security strategies and investments because it focuses on trends and patterns that we've observed over a measurable period of time. So, in the last quarter, we've observed X percentage increase in ransomware operations impacting industrial organizations. And the idea there is that, if you are an industrial organization and you're not paying attention to ransomware, then you probably should be because it's clearly ramped up over the last 90 days. In world view, an example of this would be our executive threat intelligence, our Executive Threat Insights Report, which is a quarterly report that provides a retrospective of the past quarter's OT cyberthreat intelligence. And then, lastly, operational intelligence, which is really the bridge between tactical and strategical intelligence. And that expands on tactical indicators with that added context. And that added context can be anything from those post compromise behavioral elements like the adversary gets into the environment, and then they move laterally through the IT environment using PowerShell and other Windows native tools. And, once they find the -- you know, the DMZ, these are the things that they do. And then, obviously, probably the biggest context that can be added is really around, like, what is our assessment of the adversary's objectives? What are they really trying to do? Is it information gathering? Is it intellectual property theft? Is it destructive or disruptive operations? Is it reconnaissance? Or, in the sense of the cybercrime ecosystem, is it monetary gain? Is it kind of profiteering? So all of those things are -- are added context that we kind of lump into that operational intelligence. And within the Dragos WorldView portal, we have different types of reports that meet and exceed all of those elements.

Mark Urban: Just as a quick summary, you know, a lot of the intelligence is compiled into software that operates on the Dragos platform to fire detections against some of these threat behaviors. So that's kind of thing one. Thing two is then a WorldView subscription, in our example, delivers kind of reports, analysis, etc., at the tactical level, at the operational level that adds context to that tactical level, and then that strategic level that might give more insight into kind of threat groups and campaigns and overall. So it's a good kind of taxonomy there. Can you give me one or two use cases? If I'm in an intel group in a company that, you know, I have, I don't know, three, five feeds, including by prios, how's that -- can you give me an example of how OT threat intelligence thing that comes through WorldView would be used in the context of -- I don't know if it's a SOC analyst in this specific environment. Just give me a use case about how that would be used in a use case form.

Paul Lukoskie: Sure. So one very distinct use case that I can reference in, and that's because one of -- we dealt with this exact situation with one of our concierge customers is so there is a significant risk trend that we've observed with industrial organizations in that there is -- there are often quite a number of OT devices that are publicly accessible from the internet. And with the Dragos Threat Intelligence Team, we have a number of different tools and techniques that we use to kind of identify those things. But what that does is it creates a point of entry in which adversaries can almost directly access the OT environment without having to go into the IT environment, root around, figure out where everything is, enumerate the network, and then successfully navigate over into that and establish persistence. What these publicly accessible devices do is they're, you know, RDP servers and things like that. And sometimes we've even come across circumstances where RDP servers are using very, very weak credentials or the default credentials that were supplied by the vendor at the onset of deployment with an OT environment. So we came across a circumstance with one of our concierge customers, and our concierge analyst that was supporting them observed some kind of bizarre activity. They're also Dragos platform customer, and we observed some bizarre activity where it seemed like there were some brute force attacks that were happening. And what our concierge analyst figured out was it was -- they had a couple of different RDP servers that were linked to their -- that were linked to different engineering workstations within the OT environment, and they were publicly accessible. And adversaries were trying to brute force their way into those RDP servers. So, in this use case, we notified the concierge customer, and then we worked with them to help identify those external network-based indicators that the adversaries were using to conduct the brute force attacks so that all of that network traffic can be dropped at the firewall level. We also helped the customer identify and better map out all of those public-facing OT assets, pull them off of the network so that they were no longer publicly accessible and then, obviously, some of the basic hygiene things and best practices of creating better credentials and hardening those assets with role-based access control and things like that. So that's a really good use case example of very OT-specific threat intelligence.

Mark Urban: Do you have one you can share around like a standard vulnerability report? I mean, we mentioned, you know, control logics. And the things that sometimes Dragos does kind of public-facing webinars and information that are available to the general public, including our customers and non-customers. So, Paul, could you give me an example of a -- kind of a -- how a vulnerability kind of alert might be used by somebody receiving that information?

Paul Lukoskie: Somebody that's receiving one of our vulnerability alerts within their environment through WorldView, what they would want to do is dig into the vulnerabilities, the vulnerability specifically. And the unique aspect of Dragos intelligence and the vulnerability threat intelligence that we provide is that all of the assessments are driven from -- all of the assessments are driven from our own analysis and research conducted at our ICS range located in our -- at our headquarters in Maryland. And, because of that, it allows us to provide very bespoke unique perspective on the different technologies and vulnerabilities that are relevant to those technologies. You're not really going to find that kind of information elsewhere. For example, there's a recent vulnerability that we released, Rdrag systemascada. And when customers get these reports, they can see the insum, which really lays out the CVE numbers. So there's always that link to other resources to compare and contrast what is Dragos saying versus what is also being publicly reported elsewhere. Again, it's always important to have multiple points of reference whenever you're working with threat intelligence, particularly with vulnerabilities because everybody has different interpretations of what the vulnerability is, how an adversary may use it, and what to do about it. We include a lot of our obviously assessment around restricting access, whether or not there are public proof-of-concept exploitations that exists. So customers can take these assessments, identify whether or not they actually have the technology in their environment because, as I mentioned earlier, that's always a big unknown with many organizations is what they actually have in their OT environment. And then taking the vulnerability assessments that we have here, using any of the information that we've provided, whether or not if it's remotely exploitable, maybe you take that information and then build up processes and protocols around those vulnerable devices so that it's no longer remotely accessible.

Mark Urban: That's a great example. So you get a vulnerability analysis. You know or you don't know if it's in your environment. If you do have it in the environment, it provides kind of like, hey. Here are some steps you can take to limit the risk associated with this particular vulnerability, like implementing specific access controls to remove external addressability of that. Good example. What happens then if they need kind of more questions? Obviously there are these standard reports that come in. They can utilize them. Good intelligence means that it's practical to operationalize in their environment. And is there -- is there room for if they need a clarification on something or if they need to understand a little bit more fully than -- than what's in the report?

Paul Lukoskie: It absolutely leads to more questions. And almost every week we field questions from all sorts of customers. But probably the most asked question is, how are these things relevant to me? Years ago, organizations were often just excited to be in the know. And that was a lot of times driven by general curiosity because, as I mentioned earlier, the cyberthreat intelligence ecosystem was still quite new. And a lot of people felt like those things were really reserved for classified environments. I think the CTI landscape has changed quite a bit, and I think customers are now more aware of cyberthreats. And, as a result, they're really hyper focused on this idea of CTI for me, what does this mean for me? Is this impacting me? What should I do about it? So we get a lot of questions around clarification on those things. And one of the neat things about being at Dragos and standing on top of the mountain in terms of OT threat intelligence is that we field a lot of questions from customers that are really just asking us our opinion on different things. And that in and of itself is really cool because it gives us an opportunity to maybe train our attention onto different areas that we weren't necessarily thinking about. A really good example of that is, when you have a customer that says, you know, hey. We saw these localized news articles about ransomware being successfully deployed in an organization's OT environment. And, as a result, all of their OT environment got locked up, and they had to completely shut down their operation. What do you know about that? And that kind of gives us a little bit of an opportunity to retrain our focus onto, okay. Well, how do ransomware operators actually getting into an IP or an OT environment? What are the common points of entry there? Historically, what ransomware operators have gotten into the OT environment before deploying the ransomware and just kind of allows us to build out that level of expertise into a variety of threats that are directly relevant to the OT environment. And, at the same time, it allows us to build up those bona fides with those specific customers and continue to be that trusted advisor. And it's really cool when a customer pings you directly and says, Hey, Paul. We saw this. What do you think about it? They're not asking you for an official confidence-based assessment. They're just simply asking what do you or your colleagues at Dragos think about this particular threat intelligence topic because we're interested in knowing what you think. And it doesn't have to be anything formal. And that's one of the really nice aspects about having a really quality threat intelligence capability like we do.

Mark Urban: Excellent. Ladies and gentlemen, Paul Lukoskie, part of Dragos Threat Intelligence Team here, focused on the OT side of threat intelligence. And that'll be a wrap for today's Learning Lab on threat intel. Paul, thanks very much.

Paul Lukoskie: Thanks, Mark.

Dave Bittner: And that's Control Loop, brought to you by the CyberWire and powered by Dragos. For links to all of today's stories, check out our show notes at Sound design for the show is done by Elliott Peltzman, with mixing by Tré Hester. Our senior producer is Jennifer Eiben. Our Dragos producers are Joanne Rush and Mark Urban. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time.