Control Loop: The OT Cybersecurity Podcast 1.10.24
Ep 41 | 1.10.24

A free community initiative to protect small utilities.


Dave Bittner: It's January 10th, 2024, and you're listening to Control Loop. In today's OT cybersecurity briefing, responses to the Aliquippa Water Authority attack, Predatory Sparrow disrupts Iran's gas stations, MITRE launches a threat model for critical infrastructure embedded devices. We welcome guest Dawn Cappelli. Dawn is Dragos's head of OT Cyber Emergency Readiness Team and we'll share details about the launch of Drago's Free Community Initiative to protect small utilities that serve the majority of Americans. The Learning Lab has the final part of a discussion with Drago's Mark Urban and colleagues Daniel Gaeta and Zach Spencer. They talk building automation systems. 

Dave Bittner: The Associated Press outlined state and federal responses to the Iranian attack against the Aliquippa Water Authority in western Pennsylvania, the Environmental Protection Agency withdrew a proposed cybersecurity auditing rule in October after it was challenged by Arkansas, Missouri, and Iowa. Several other bills are tied up in Congress. 

Dave Bittner: The AP explains, one bill would roll out a tiered approach to regulation. More requirements for bigger or more complex water utilities. The other is an amendment to farm bill legislation to send federal employees called circuit riders into the field to help smaller and rural water systems detect cybersecurity weaknesses and address them. 

Dave Bittner: States are also applying for grants from a $1 billion federal cybersecurity program provided by a 2021 federal infrastructure law. Meanwhile, Dragos is offering free access to its online support and vulnerability detection software to water and electric utilities that bring in under $100 million in revenue. More on that later in the show. 

Dave Bittner: To be sure, recent incursions by Iran's cyber avengers into U. S. and European municipal water systems represent a threat to industrial controls, but that may not have been the point of these most recent attacks. The control systems hit were Israeli made, and Dragos thinks the point being made was political and persuasive and that the incidents didn't immediately represent a serious attempt at physical disruption. Dragos tweeted at the end of December, Cyber Avengers hacktivist group actively targeting critical utilities in the US and Europe is less about making an impact on OT and more about driving geopolitical agendas. So, there can be a fine line between sabotage and influence operations. 

Dave Bittner: Iran itself hasn't been immune to cyber attacks affecting control systems. On December 18th, about 70 percent of Iran's gas stations went out of operation due to what Iranian media at first described as a software problem, the AP reports. 

Dave Bittner: Reuters subsequently reported that Iran's oil minister attributed the outages to a cyber attack. Iranian media attributed the attack to Predatory Sparrow, a group Iran attributes to Israel, about which Israel had no comment. Predatory Sparrow itself said in its Telegram channel "this cyber attack comes in response to the aggression of the Islamic Republic and its proxies in the region." 

Dave Bittner: The disruption appears to have affected gas station point of sale systems, the Times of Israel reports. Predatory Sparrow claims to have accessed the payment systems of the impacted gas stations, as well as each station's central server and management system. The U. S. Energy Department's Office of Cybersecurity, Energy Security, and Emergency Response is offering $70 million in funding to "support research into technologies designed to increase resilience and reduce risks to energy delivery infrastructure from a variety of hazards, including cyber and physical threats, natural disasters, and climate change fueled extreme weather events." 

Dave Bittner: The DOE adds "this new competitive funding opportunity will be available to public and private sector stakeholders, universities, and DOE's national laboratories. and will help advance next generation innovations that strengthen the resilience of America's energy systems, which include the power grid, electric utilities, pipelines, and renewable energy generation sources like wind or solar." 

Dave Bittner: MITRE, in collaboration with Red Balloon Security and NARF, has announced a new threat model framework called EMB3D designed to provide "a common understanding of the threats posed to embedded devices and the security mechanisms required to mitigate them." MITRE explains, "EMB3D provides a cultivated knowledge base of cyber threats to devices including those observed in the field environment or demonstrated through proofs of concept or theoretical research. These threats are mapped to device properties to help users develop and tailor accurate threat models for specific embedded devices." The organization adds, "for each threat, suggested mitigations are exclusively focused on technical mechanisms that device vendors should implement to protect against the given threat with the goal of building security into the device. EMB3D is intended to offer a comprehensive framework for the entire security ecosystem, device vendors, manufacturers, asset owners, security researchers, and testing organizations." The threat framework is currently in a pre release review period and is expected to be released in early 2024. 

Dave Bittner: The Department of Homeland Security last week released its annual threat assessment for 2024 predicting that "domestic and foreign adversaries likely will continue to threaten the integrity of U. S. critical infrastructure. Including the transportation sector over the next year in part because they perceive targeting these sectors would have Cascading impacts on US industries and the American way of life." 

Dave Bittner: The DHS notes an increase in racially motivated domestic violent extremists calling for physical attacks against the energy sector foreign adversaries meanwhile are seeking "to develop or improve existing capabilities that can disrupt industrial control systems that support U. S. energy, transportation, health care, and election sectors." The report also draws particular attention to three expected areas of Russian activity against the U. S. to emanate from Russia's war against Ukraine. Influence operations, privateering by cyber criminals and disruption by hacktivist auxiliaries, and cyber espionage by intelligence services. 

Dave Bittner: Iran and China are also prominently mentioned among the cyber threats expected to be active against the U. S. this year. Much of Iran's activity can be expected to be connected to the war between Hamas and Israel. China represents a major continuing threat. Tensions over Taiwan are expected to continue and probably increase. 

Dave Bittner: But most of China's activity in cyberspace will in all likelihood be directed toward long term political and especially economic competition with the U. S. 

Dave Bittner: It is always my pleasure to welcome back to the show Dawn Cappelli. She is the head of OT Cyber Emergency Readiness at Dragos. Uh, Dawn, welcome back.  

Dawn Cappelli: Thanks, Dave.  

Dave Bittner: I want to talk to you today about, um, The challenge that small regional utilities and cooperatives face when it comes to some of the cyber threats that are coming at them. 

Dave Bittner: Can you kind of paint the picture for us? First of all, what is the situation here in the U. S. as an example of, uh, of how these, uh, utilities and co ops are distributed?  

Dawn Cappelli: Well, it was a real eye opener to me last year. I went to the NRECA conference, their annual cybersecurity conference, and there were hundreds of people there that worked in these coops, and they asked them, how many of you are a team of one? 

Dawn Cappelli: You're it. You're IT. You're security. You're everything. And half the hands in the room went up. And then they said, how many of you are a team of two? And the other half went up. And they said, how about three or more? There were like three hands. And I realized, Wow. These small utilities, these are just electric co ops, but water utilities and natural gas utilities, they're in the same boat. 

Dawn Cappelli: We have 49 million people in 2, 000 communities in 49 states that are serviced by these small utilities, and they don't have teams of IT people. They don't have, certainly don't have teams of security people, and they don't really have anyone who understands or is responsible for OT security. So it's a big gap, and it is the critical infrastructure that we all rely on for our personal survival every day. 

Dave Bittner: I really want to dig into this because it's an eye opener for me. I mean, it's hard to imagine, um, something that we label, rightfully so, as critical infrastructure, um, having a single person manning the controls. I mean, the first thing that comes to mind is that sometimes that person has to sleep. Well,  

Dawn Cappelli: not only sleep, but here's the really shocking part. 

Dawn Cappelli: I heard anecdotally through a reliable source that, um, One of the state CIOs, um, he became aware that there was a cyber attack, a compromise of one of their small utilities in the state. And they kept calling and calling and calling and trying to get someone at the utility. And hours later, they finally got a call back and the person said, I'm sorry it took me so long to get back to you, but I'm not only responsible for IT and security, but I also cut the grass. 

Dawn Cappelli: And I have been cutting the grass this whole time you've been calling. And, you know, those, those kinds of stories really, I think, Bring into perspective What the risk is that we're facing out there.  

Dave Bittner: Can you help sort of calibrate the picture in my mind? I mean when we talk about that person who's responsible for all those things including cutting the grass I mean how many people would someone like that be serving? 

Dawn Cappelli: Well, I mean, you know, like the statistics that I gave you, I, I don't know how many I, you know, think about your own water. Yeah. I live in a suburb and I know our municipal water authority is located in a neighborhood, , and I drive past it, and a lot of times there are no cars there, so, you know, it's not these big, um, big water authorities that come to mind when we think about water and waste water. So many of us that even if you're not in a rural. area, even if you're just in a suburb, chances are your water is coming from a municipal water authority. And so they're probably in a situation similar to that.  

Dave Bittner: And so where do we find ourselves in terms of the bad guys coming after these, these types of utilities? 

Dawn Cappelli: Well, just, um, right around Thanksgiving, uh, a water authority not far from me in Aliquippa, Pennsylvania, I live in Pittsburgh, they were compromised by a hacktivist group, the Cyber Avengers, which compromised them simply because they were using a PLC that was manufactured by an Israeli company. So, you know, that's the, that's one threat that demonstrates that it doesn't matter how small you are, you still could be a target. 

Dawn Cappelli: Aliquippa is a small, small area, and yet they were targeted for that reason. And they weren't the only one. There were several water authorities across the country that were targeted in that same attack. Secondly, um, at that same NRECA conference, there were some Um, two people from a power company, small rural co op that was hit with ransomware. 

Dawn Cappelli: And they talked about the impact that that had on them. And so there's ransomware threats out there. They don't care who they hit. In fact, they've been getting more small organizations than large because the large have been going to great lengths to protect themselves. And the small are very vulnerable. 

Dawn Cappelli: Um, and now we have these hacktivists. threats against them. So there are multiple different threats that they need to be aware of. And the threat environment has definitely escalated recently.  

Dave Bittner: Can, can you help me calibrate the, the, the real world risk level in my mind here? I mean, we, we do hear these stories, like you say, you know, the small utility in Pennsylvania, but it's my understanding that there was no interruption of service in that case, and we don't hear stories of the lights going out or the water not being delivered or being unsafe levels or those sorts of things. So how do we align the risk with the real world consequences? 

Dawn Cappelli: Well, I think that we have been lucky, um, you know, we have seen that these kinds of attacks can have very dramatic impacts. You know, we've seen ransomware attacks just recently on a manufacturer that I'm not going to name them, but we noticed on the grocery shelves that their products weren't there because they were hit with ransomware. 

Dawn Cappelli: And this is a large company. We saw a colonial pipeline. So to think that there can't be large impacts from attacks against a small organization is not very practical.  

Dave Bittner: What sort of backup or help from the federal government are organizations like this getting? Is there anything? Well,  

Dawn Cappelli: there's a lot of. Everyone realizes that this is a gap. I've been talking to CISA, for example, a lot about this. They're very concerned. Um, I have been working with our local cybersecurity advisor from CISA in the Pittsburgh area. He has a lot of contacts with these small municipal organizations. And so I think They, they want to help them and they now can use the resources and promote the resources that we are offering from Dragos as something that is concrete that they can actually use in the past, because I came out of retirement to help small and medium organizations with OT cybersecurity, I You know, this is my life now. 

Dawn Cappelli: I see a lot of recommendations for this is what you should do. And it's always what. And what we're providing at Dragos is we're giving them the how. We're giving you the tools. We're not just telling you go do this, figure out how. We're telling you how. We're giving you templates. We're giving you toolkits. 

Dawn Cappelli: And now with our community defense program, We're actually giving them the technology that they can put into  

Dave Bittner: place. Well, let's dig into the details. I mean, you're, you're mentioning some of the things here. Can, can you give us a high level description of this initiative from you and your colleagues there at Dragos? 

Dawn Cappelli: Yes. So our community defense program offers our Dragos platform. Same platform that's being used by large power companies, gas, uh, manufacturing organizations all over the world. We're offering it to small, municipal, and city local utilities that have under $100 million in revenue for free. So they get our platform. 

Dawn Cappelli: They get access to Dragos Academy, which provides them with OT security training. Um, they get access to OT CERT, which, um, they could get anyway. And they are opted in to Neighborhood Keeper. Neighborhood Keeper is a collective defense. program that we run that takes anonymized data from customers that opt in, and if you're in community defense, you are opted in, and it's anonymized. 

Dawn Cappelli: So we don't know who these organizations are, but our threat hunters can see, like with the Aliquippa water attack, if all of those water utilities had been part of that, we would have scene, there is a coordinated attack happening here. There's a compromise that's hitting multiple organizations in the water sector. 

Dawn Cappelli: We don't know who they are, but we know what sector they're in, and we know basically what region they're in. And then we can communicate with them. We don't know who they are, but we can say, Hey, we see that you have a threat in your environment. There's a bunch of you that do let's all get together and let's talk about it and figure out how you should all be responding and how we can help. 

Dawn Cappelli: So, to me, it's just, it's an enormous step forward. to counter this risk.  

Dave Bittner: What can an organization expect? I mean, we've been talking about how under resourced they are. How do you try to offset some of that burden of onboarding someone? Well,  

Dawn Cappelli: it's a self service program. So we simply they apply. If they're accepted, they get instructions, and it tells them, here's how you install it. 

Dawn Cappelli: Um, it runs in a virtualized environment, so first you need instructions on how to set up that virtualized environment. You set it up, you install it. Now it's running. Then we are putting together training programs so that we'll meet with them and we'll provide the training to show them how to use the platform so they'll be able to use the platform to, to. 

Dawn Cappelli: To know what assets do I have, what vulnerabilities do I have, of those vulnerabilities, which ones should I address immediately, because the Dragos platform will tell them which ones need to be addressed now, they're actively being exploited, so you need to address them now. And they'll get alerts when there's a threat in their environment that they should pay attention to. 

Dawn Cappelli: If they don't have the time, because they only have that one person, and he's out cutting the grass, that, those alerts are going into Neighborhood Keeper, and so that way someone else Might notice the alert and be able to contact them.  

Dave Bittner: What do you say to the person who's probably listening and maybe cynically rolling their eyes and saying, Ah, you know, here's a program from Dragos to, uh, to generate leads and, uh, you know, try to upsell somebody to, to something, uh, to something else, uh, it strikes me that I don't sense that that's, that's really what this is about.  

Dawn Cappelli: No. And you know, when I started OT-CERT for Dragos two years ago, almost, that was the reaction that I got, um, especially from the media. Oh, there's a business model here. You you're doing this, you have an ulterior motive. Well, OT-CERT has more than 1600 members in 60 countries. 

Dawn Cappelli: And I think people have found, nope. There's no ulterior motive. We are not trying to sell anything, and especially with community defense. Community defense program is for organizations that have under $100 million in revenue. We are giving it to them because we know they can't afford to pay for it. So, if they can't afford to pay for it, they certainly can't afford to pay for anything else. 

Dawn Cappelli: So that's why we're giving it to them for free. Our mission at Dragos is safeguarding civilization And that's why we're doing that that is solely why we're doing it in support of that mission  

Dave Bittner: What are your aspirational goals here? I mean as you look a you know a year from now as this rolls out and people start to adopt it. Where do you hope we find ourselves?  

Dawn Cappelli: I hope we find ourselves in a situation like I just said with Aliquippa Water, I hope that we have some use cases where we actually detect the threat and are able to work with these small organizations to counter that threat before there's any impact. To me, that, that would be success. 

Dawn Cappelli: We know those threats are out there. We know that they're coming, so we need to be able to help defend against them.  

Dave Bittner: Dawn Cappelli is head of the OT-Cyber Emergency Readiness Team at Dragos. Dawn, thank you so much for joining us.  

Dawn Cappelli: Thank you for the opportunity. 

Dave Bittner: In this week's Learning Lab, Mark Urban is back with the third part of his discussion on building automation. He's joined by Dragos Daniel Gaeta, an ICS and OT Cybersecurity Senior Solutions Architect, as well as Zach Spencer, Senior Enterprise Account Executive. 

Mark Urban: Hi, everybody. Welcome to another episode of Learning Lab. And today we're going to talk about building automation systems. I'm joined by kind of specialists in the area, Daniel Gaeta. And Zach Spencer, uh, here at Dragos, a solution architect and a strategic sales executive here at Dragos that focus on building automation. 

Mark Urban: It's connectivity between these devices that, you know, operate in a building. It's connectivity to the outside world. I mean, uh, Daniel brought up the example of, you know, an HVAC technician, you know, accessing into a technology. It's increased internet connectivity. You made the point it's even the exchange of information on the internet that makes, you know, exploits and kind of open doors much easier to find. 

Mark Urban: So I guess the connectivity is to blame, like how much things in our, you know, modern world, the curse and the blessing of these things, you know, the good and the bad, right,  

Zach Spencer: right. I mean, the amount of. You know, it's and it's not for nothing, right? There are good reasons that these, uh, these institutions are connecting these systems. 

Zach Spencer: They gain, uh, sort of, you know, as with anything, extreme network benefits by connecting these systems within their own environments by connecting their, um, their automation systems to their elevator controls. They gain, um, you know, more accurate ways to control each of them based on each other. Such that they have an impetus to connect those systems within their own environments. 

Zach Spencer: You know, like I said, cybersecurity issues notwithstanding, this is going to continue to ramp up as you know, as I said, technology moves forward. The smart buildings, um, mantra gets, you know, pushed forward as you know, a lot of these Companies and institutions are trying to innovate and provide new ways for them to either increase their own revenue by being able to measure their own energy use through these building automation systems and, you know, the network benefits of being able to connect all, let's say, 1000 branch banks that you have deployed in the field and see how they're all utilizing energy. 

Zach Spencer: And, you know, get sort of learnings from the analytics based on those thousand branch banks that you own and have deployed a building automation system within provide a lot of opportunities for these institutions to, you know, as I mentioned, let's say, save money on energy in this case by running them in a different way. 

Zach Spencer: So it's not to say that these are just being connected for for no reason or willy nilly, so to speak, it's more of a, uh, you know, it's a they have targeted reasons for doing so, and it's just a matter of. Uh, being able to do so securely that I think is really important at this time. Yeah,  

Mark Urban: that's a good point. 

Mark Urban: You know, just efficiency and energy use efficiency and, you know, sending elevators from, you know, point A to point B, um, you know, just analysis of, of data and increasing efficiencies in a lot of different areas. That's a good point. That's the reason why it's happening. And you know, with that, with those reasonings come some, some come some risks. 

Mark Urban: So what, what are the. You know, just to kind of close this up, if those are the risks, you know, what, how do you recommend, you know, people kind of approach kind of mitigating those risks?  

Daniel Gaeta: Yeah, and another good question, because it's oftentimes daunting to consider where do I start with the cybersecurity space? The field can be abstract, and there's a lot of different cybersecurity standards out there. So one resource that I, that I like to mention, it's a, it's a SANS resource coauthored by our Dragos CEO. Rob Lee, uh, and SANS Tim Conway, but it's, it's the 5 ICS Cybersecurity Critical Controls, um, to really build a world class ICS OT cybersecurity program. And, and that becomes relevant because it distills, uh, sometimes even thousands of security controls and to really 5 different things that a building operator owner or manager could, could utilize to start thinking about how to build cybersecurity, a cybersecurity program into their building automation systems. 

Daniel Gaeta: And that 1st critical control is, uh, do you have an incident response program? If you do have a building automation system, cybersecurity incident tomorrow, there is a ransomware incident tomorrow, and you can't access your security systems or your chillers. Do you have a plan? And that's the first security control for those top scenarios that could affect you. 

Daniel Gaeta: And the second is, do you have a defensible architecture and a segmented architecture? And this white paper and resource I mentioned, um, that allocates a couple of pages to each of these controls. And one of those top, a couple of those pages talk about how to build a defensible architecture so that when an event happens, uh, they have limited, that attacker has limited capacity, uh, to then move amongst other to other areas of the network, and just by by the design of it itself, it's actually sensible.  

Daniel Gaeta: The 3rd critical control is, are you monitoring your network? And do you have visibility into your building automation systems network? And that's that's really gaining awareness around. Um, what types of assets comprise your energy management and control systems? What kinds of assets are talking and communicating over your building automation systems and those security systems that awareness will then give you an understanding of the I. C. S. O. T. protocols in use what kind of baseline to expect and really to identify if there are any threats or vulnerable assets that really need to be addressed. 

Daniel Gaeta: And the 4th critical control has to do with that secure remote access and that's that's absolutely relevant in that that 3rd party maintenance access example. For instance, is that remote access? Is it done securely? Is it done at the times? According to the service level agreement? Are they accessing the systems at times that are normal? 

Daniel Gaeta: Or is it off hours and a typical and then huge amounts of data are traversing the water? And those are relevant questions. And so having. A plan for secure remote access will be vital to having a secure environment moving forward. And that last critical control, the 5th, critical control. Talks about focusing vulnerability management efforts on the assets around the perimeter of the network, because we found time and time again. 

Daniel Gaeta: Uh, attackers want to remotely, uh, attack these systems and in doing so, they attempt to penetrate these perimeter assets first. And so by remediating vulnerabilities on assets that are on the perimeter, allowing ingress, ingress and egress traffic, you're going to get a lot more benefit than say, focusing down on assets that are really hard to get to behind several layers of security, et cetera. 

Daniel Gaeta: So those are those five main critical controls and where to start thinking about. How to build ICS OT cybersecurity into your building automation  

Mark Urban: systems. Yeah, it's a good, uh, I think we re ran, uh, re ran the, the Robly, uh, episode recently on the five critical controls. So if, uh, if you're listening to this, I want to reference back to that. 

Mark Urban: You just have to go back one or two episodes. I was one of the first episodes here and we replayed it, uh, because it's such a, uh, it is. Good insight on sorting through the complexity of frameworks and standards and kind of distills it down to some key, some key, uh, some key points. So thanks for that, Daniel. 

Mark Urban: Uh, I think that so, you know, it's building automation. Uh, you know, how, how would you when, when you talk to people in these situations, uh, you know, how do you, how do you. Get them to understand or kind of, how do you, what do you find them asking you about, you know, how they should approach this?  

Zach Spencer: I think a lot of times what I hear most when I'm out in the field talking with, with customers that sort of have these mission critical building automation systems is a lot of times they're sort of. 

Zach Spencer: In the background and, you know, sort of always been functioning for them, and it's important for a lot of their operations folks who are encouraged to make sure that they're keeping them running. Right? I mean, uh, data centers, you know, just to bring up an example from earlier on are always talking about their uptime, you know, in terms of how many nines of uptime is it right in terms of 99 point, however many 9 percent of uptime they can get. 

Zach Spencer: Usually five nines or six nines is a minimum. pretty critical goal that you'll hear in that in that field. And so the operations folks are always worried about uptime of those systems. But for a lot of folks that don't sit directly in the operation seat, uh, don't necessarily know what, what goes into keeping those things running and, and how critical these building automation systems in this case are to keeping their facilities, uh, functional and, and either generating revenue or, or protecting their facilities. 

Zach Spencer: Another thing that comes up a lot is. You know, as soon as we've sort of discussed why it's important, and they sort of understand the the criticality of these systems for them, um, the second is, well, if it hasn't been designed from the ground up with security in mind, and we have these, you know, unencrypted protocols in our network, and if we want to be able to interconnect our systems, how can we do it such that You know, we can get these network benefits that we talked out earlier, but also provide ourselves with a more defensible architecture that is not, uh, just sort of a pot of gold for these threat actors to find when they're poking around, uh, within our networks, if they happen to get some sort of ingress. 

Zach Spencer: And I would say that there are, um, in addition to sort of the five critical controls that Daniel just mentioned, there are advancements being made within the building automation industry. As I mentioned, BACnet is the really big. Uh, open source protocol that everyone's utilizing, uh, typically moving towards these days if you're upgrading your building automation systems to sort of a modern generation and the sort of latest development is a development on the back net protocol called back net SC back net secure connect provides for an encrypted version of the back net protocol that goes a long way to, you know, as sort of all encrypted protocols due to preventing me. 

Zach Spencer: You know, man in the middle attacks, for example, and, um, you know, replay attacks. If you can, if they have access to that traffic, then they can malform that traffic and then send it to a device farther down the line to either, uh, disable it or lock it out or what have you, or have it act in a different way. 

Zach Spencer: Those things are very easy without encrypted protocols. Uh, with encrypted protocols, it's, it's much more difficult. And I think that that while it's still new in its development and deployment, and I would say that it's very rare for someone to have deployed it These days, it's usually a critical next step in terms of when you're upgrading your system to a modern system. 

Zach Spencer: If your BAS is critical, BACnet Secure Connect is a really important step in that direction. Preventing the need for static IP addresses and network broadcasts too goes a really long way in terms of kind of where BACnet has come from as a protocol. Like I said, it's been probably 20 years at this point. 

Zach Spencer: Uh, being used in its sort of current form, and obviously the landscape has changed in the meantime.  

Mark Urban: Yeah, that's, that's good advice. You know, that's like many areas of OT cybersecurity can get, you know, pretty technical pretty quickly. I mean, you know, so we talked about the five critical controls, this framing. 

Mark Urban: And you just talked about it like a lot of other issues that, you know, can be done, can be taken to kind of improve the security posture. And that's, you know, one of the things that I'll say, we'll have some episodes coming up talking about the cybersecurity journey. But you can start like, hey, where am I? 

Mark Urban: If you have mission critical building automation systems, data centers, things like that, you know, a good place to start is get some experts in to do an assessment. Uh, and I'll do a shameless plug here for the Dragos OT cybersecurity assessment as an example of that. And we have specialists in the building control and data center, uh, areas. 

Mark Urban: Uh, but that's because this is a complex area. Uh, you know, you just mentioned 10, you know, Daniel had five things. You just mentioned 10 things and navigating through that all can be a little bit daunting. And so, um, Yeah, that's why we're here at Dragos, uh, to give you some information and if you need some help with that, uh, just give us a call. 

Mark Urban: So, Mark Urban with Daniel Gaeta and Zach Spencer. Uh, thank you, gentlemen. 

Dave Bittner: And that's Control Loop, brought to you by The Cyber Wire and powered by Dragos. For links to all of today's stories, check out our show notes at thecyberwire. com. Sound design for this show is done by Elliott Peltzman with mixing by Tré Hester. Our executive producer is Jennifer Eiben. Our Dragos producers are Joanne Rausch, Mark Urban and Montserrat Thomason. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time.