Control Loop: The OT Cybersecurity Podcast 1.24.24
Ep 42 | 1.24.24

Building community in OT.

Transcript

Dave Bittner: It's January 24, 2024 and you're listening to "Control Loop." In today's OT cybersecurity briefing, an analysis of cyber attacks against Danish energy infrastructure. The U.S. government outlines threats posed by Chinese-manufactured drones. Vulnerability in Bosch thermostats. OIG says CISA needs to improve collaboration with the water sector. Our guests, Mark Stacey of Dragos and Charles Kano from WestCap, discuss cyber insurance as an important part of your organization's security plans. The learning lab features Mark Urban and Dragos strategic accounts director Sam Van Ryder talking about building community in OT. [ Music ]
A report from the U.S. Department of Homeland Security's Office of Inspector General asserts that the U.S. Cybersecurity and Infrastructure Security Agency, CISA, needs to improve its collaboration with entities in the water sector, Nextgov reports. The OIG states that although CISA had extensive products and services to manage risks and mitigate cybersecurity threats to critical water and wastewater infrastructure and increase its resiliency, the agency did not consistently collaborate with the Environmental Protection Agency and the water and wastewater system sector to leverage and integrate its cybersecurity expertise with stakeholders' water expertise. The report adds this occurred because CISA did not have a memorandum of understanding with the Environmental Protection Agency documenting roles, responsibilities, and collaboration mechanisms. CISA also lacked policies and procedures regarding collaboration with the Environmental Protection Agency and other external stakeholders. CISA agreed with the OIG's recommendations and has provided a timeline for its plans to improve collaboration with the water industry, The Record reports. Last week the agency issued a joint report with the EPA and the FBI outlining best practices for cyber incident response in the water and wastewater sector.
Researchers at SecurityScorecard warn that the suspected Chinese state-sponsored threat actor Volt Typhoon is targeting vulnerabilities affecting end-of-life Cisco RV320 and RV325 routers, Dark Reading reports. The threat actor may have compromised up to 30% of routers that are part of a botnet and is using the devices as command and control servers in attacks against high-value targets. Targeted entities include assets owned by the U.S., U.K., and Australian governments.
The Cyber Express reports that the Anonymous Sudan hacker gang has claimed credit for cyber attacks against two Israeli ports. The group says it hit the ports' network devices, network administration devices, routers, SNMP, and email servers, VPN, internal servers, and critical client-side endpoints. The gang's claims are unverified, but the Cyber Express observed that one of the ports' websites was offline at the time of publication. While Anonymous Sudan claims to be a hacktivist group based in Sudan, Cloudflare notes that this may be an attempt at misdirection. There are some indications that the group is based in or is operating on behalf of Russia.
Forescout has published an analysis of two waves of cyber attacks that hit Denmark's energy sector in May of 2023. While the Danish CERT for critical infrastructure, SektorCERT, attributes the incidents to Russia's Sandworm threat actor, Forescout thinks the evidence for this is lacking. The researchers write, "Evidence suggests that the two waves of attacks on Danish infrastructure reported by SektorCERT were unrelated." It also suggests that the second wave was simply part of a mass exploitation campaign against unpatched firewalls, not part of a targeted attack by Sandworm or another state-sponsored actor. Our data reveals that the campaign described as the second wave of attacks on Denmark started before and continued after the period reported by SektorCERT, targeting firewalls indiscriminately in a very similar manner, only changing staging servers periodically. We see a prevalence of exploitation attempts in Europe where nearly 80% of publicly identifiable and potentially vulnerable firewalls are located.
CISA and the FBI have published a joint report outlining the threats Chinese-manufactured drones pose to U.S. critical infrastructure. The report warns that giving network access to such drones may result in exposing intellectual property to Chinese companies and jeopardizing an organization's competitive advantage. It may result in providing enhanced details of critical infrastructure operations and vulnerabilities, increasing the PRC's capability to disrupt critical services. Additionally, it could result in compromising cybersecurity and physical security controls, leading to potential physical effects such as theft or sabotage of critical assets. And it could result in exposing network access details that enhance the PRC's capability to conduct cyber attacks on critical infrastructure.
Bitdefender has identified a high-severity vulnerability in Bosch smart thermostats that can allow attackers to send commands to the thermostat and replace its firmware. The flaw is in the unit's WiFi microcontroller, which acts as a network gateway for the thermostat's logic microcontroller. The vulnerability enables malicious commands to be sent to the thermostat, indistinguishable from legitimate cloud server commands.
We'd love to know what you think of this podcast and what you'd like to hear more about. Please take a few minutes to submit the survey in the show notes. Your feedback ensures we deliver the information that keeps you a step ahead in the rapidly changing operational technology industry.
[ Music ] Next up, a conversation with Mark Stacey of Dragos and Charles Kano from WestCap discussing cyber insurance as an important part of your organization's security plan.

Charles Kano: Cyber insurance is ever changing. 15 years ago I remember attending a conference and it was kind of everyone's first attempt to try to tackle the cyber insurance industry. And I don't think anyone has yet. And so I think it's ever changing. Anybody who says they have cyber and understand how cyber works is not telling the truth. It's ever evolving. I know we're 15 years into cyber insurance, but we are still learning. That's -- that's the honest truth.

Dave Bittner: What are some of the specific challenges that the industry faces here to try to reach an equilibrium?

Charles Kano: Yeah. I think it's really having useful data. That's really the key point. A lot of cyber insurance companies have tried to use models that they would use for other types of policies like property. And that hasn't worked. They've tried to use models that they used for like example professional liability. Again, those models haven't worked and so I think that's what they're trying to do is I think everyone's going back and trying to rewrite the model. And so useful data is something that's really, really important. And no one likes to have claims, but quite honestly they need more claims data. So that's another issue that matters right now. And then the other component of that is they need help in the industry. So, you know, they are forced to take on a lot of risk that they probably don't have their hands around right now. And I think a lot of them are hoping that, you know, regulatory bodies would step in and give them some -- some cover. But that's not happening. So government isn't really getting involved. And so they've been forced to take on some risk they haven't liked. And so now they need help. And so, you know, that's where they start looking to either other industries for what solutions they've used or they're looking to industry partners, vendor partners, to help them kind of come up with solutions to help protect, you know, their bottom line.

Dave Bittner: Mark, I'm curious for your insights here. I mean with the folks that you interact with, the customers who work with you at Dragos, what are you seeing in terms of their approach to engaging with protecting themselves through insurance?

Mark Stacey: From the customer point of view or the insurance carriers'?

Dave Bittner: Well, let's start with the customers.

Mark Stacey: The key from what we've seen from customers, and it's really focused on what is the most economical expedited method of response. And response including containment, eradication, and really return to service. And when we hear of the big complicated incident response cases generally we focus on the technical forensic capability. The practitioners to come in and do the actual incident triage. And really for a lot of the incidents that we're talking about, especially in OT, the impact extends far past data and information loss. And so we need to include external communications, legal representation, and counsel as well as insurance carriers. And so the incident response team doesn't just comprise the subject matter experts. It needs to include those other business support functions that are really a necessity for business continuity. And ideally as a customer what they want is those different teams brought in to have some rapport. It can be a formal business relationship or informal, but some understanding of each role in the incident response process. And if they establish some rapport prior to the incident response, everything runs smoother. You know, communication is so critical and minutes matter that if each organization understands again their role in it and they can communicate effectively to the other business partners it's really beneficial for the customer in general.

Dave Bittner: Charles, does that align with your experience as well?

Charles Kano: Yeah. It does completely. You know, right now I would say that there's a current reliance in the insurance world on using IT providers to solve OT related problems. And so IT teams while they can get the task done, the biggest differentiator is time. And in the incident response world time equals money. Based on the feedback we're getting from brokers and carriers, kind of the difference is between IT incident response and OT incident response. And that time is significant. So our anecdotal evidence tells us that OT dedicated IR can make initial assessments and take steps to remedy cyber incidents within hours. IT focused incident response teams often take days to get to that same place. So an example of this is, you know, the situational expertise that comes with OT. IT incident respond team -- response teams typically work remotely. So they're not used to or prepared or even sometimes certified to go on site. And this requires some of the kind of higher third party OT teams to help them in their journey where OT teams can get the same work done adding time -- without adding the time and expense related because they are prepared. They are certified to work on site whereas, like I said, most IT incident response teams work remotely. So yeah. I think that's right in line with what Mark is saying.

Dave Bittner: Mark, I mean to dig into some of that, in terms of the preparation that an organization should take thinking about an event that could happen in the future I mean it sounds to me like this sort of planning is really critical. Are we talking about things like tabletop exercises? I mean what are the best practices here?

Mark Stacey: Yeah. Certainly we recommend not just creating an IRP, an incident response plan, but testing it. And in working through this with multiple customers we see that again a lot of those other support functions, they're written into the incident response plan, but when you go through a test it may say, "Okay. At this point we engage say external communications." And no one from that team is in the room. Or at this point the decision -- as Charles mentioned, every decision that's made in a high stress situation, it needs to balance cost, time, and effectiveness. And maybe the person who can gauge cost or time is not in the room. And so going through the exercises where you really identify areas of improvement and efficiencies that could be made. So absolutely have an incident response plan, but until you know whether or not it will really be effective for the incident you need to do some test.

Dave Bittner: Charles, I'm curious for your perspective when we're talking about operational technology. I mean we've certainly seen a lot of attention on that these days. And I'm curious for folks in the insurance industry who are supporting organizations with OT, can you give us some insights as to how that works. I mean where -- where does it sit relative to the IT side of things? And how are providers approaching it?

Charles Kano: Yeah. I would say that most carriers are just now coming to the reality that there is a difference between IT and OT. Spent some time recently in London working with some of the major insurance carriers and a lot of them were not even aware that there was a difference. And when they do realize there's a difference they automatically want that for their customers. So I would say right now that's been the biggest thing is really helping those carriers understand that the OT teams are different, how they're different, and how they can really, you know, equal success for their clients.

Dave Bittner: When the carriers are looking at these sorts of things, what are their concerns? What are some of the challenges they face in this particular vertical?

Charles Kano: Yeah. So I think the two things -- their main primary concerns today are kind of useful data to underwrite. I mentioned before that a lot of them are trying to use old models. And so there continues to be a lack of reliable data to underwrite specific risks that clients are asking for now. So this means that things like threat intel feeds that are coming from clients, but via their cybersecurity service providers is really gold. Especially when the data's for specialized incidents and claims like those that occurred in an OT environment. The second thing I would say is that for insurance carriers expenses prior to a cyber incident like sales, marketing, broker commissions, and client services, they're kind of a fixed cost for them, but what they've indicated to us is expenses after an incident are more like an open checkbook. And so that's a problem for them. So post the incident expenses are why most carriers are profitable. And when coupled with the unreliable underwriting data that we already discussed, it creates a little bit of a conundrum for them. So cyber carriers are looking for industry expertise to accurately predict or at minimum reduce the cost after the incident. And so they're creating panels of cyber industry experts to limit time and expenses associated with their client's risk profile. So that's where they're really, you know, starting to tap people with the OT expertise to help reduce those costs.

Dave Bittner: It strikes me. And, Mark, I'm curious for your take on this, that we've seen a lot of influence from these carriers in terms of getting the organizations to adopt better practices in their day to day. And, you know, saying to them, "If you want coverage and you want it to be reasonably priced, you're going to need to implement these things." Is that your experience?

Mark Stacey: I certainly have confidence that the entire industry, you know, the carriers, brokers, insurance providers, the customers, and security vendors, they all share a common goal. And that's improving the security, you know, protection, detection, and incident response capabilities as well as the resilience of these networks. Insurance carriers are great at insurance. Security vendors are great at providing and enabling security. And so not trying to masquerade the other's area of expertise, but rather leverage those relationships to help the customer improve, it really benefits everyone. And so I think really doing the best thing for the community, especially you know in incident response there can be no pride. Each team comes in to add their -- their subject matter expertise. Each team if it's IT, insurance, OT, extending even to original equipment manufacturers, OEMs and vendors, everybody is an additive. Everybody complements the total effort. And again the -- the goal is shared. To return the client to a stable state and do it as efficiently and economically as possible.

Charles Kano: What I would say is, you know, earlier, you know, you previously asked me, you know, kind of where cyber insurance is now and, you know, I kind of painted a bleak picture and made it sound like maybe there isn't -- isn't a plan moving forward. I would say, you know, like I said, I think the industry would like to be further along than they are, but what they are doing right now is they're -- they're trying to focus. So, you know, as of recently there's been an increased demand for like specialized coverages and industry specific solutions. So carriers have moved away from a one size fits all cyber policy to -- to limit some of their exposures. Again because they haven't been profitable. And at the same time they're adding specific coverage offerings for things like business interruption, reputational damage, regulatory fines, things that actually matter to the policy holders. So that reduced some of the costs. And then they're adding things like physical damage that traditionally was a property cover. It's now included in some cyber policies because of the exposure created by interactions with operation -- you know, technology. So I would say also that, you know, kind of things in the past adding certain controls or service providers would mean that you'd see a reduction in premium. But those days are gone and those days are behind us as cyber insurance companies continue to not be profitable. Today having good controls and good service provider teams is kind of the minimum requirement for insurability now.

Dave Bittner: You know, you bring up a really interesting point, Charles, and I'm curious about what you're seeing in terms of volatility in the market. In other words, are there -- are there organizations who've been with a particular insurance company for a long time, you know having a long established relationship, but they're finding that they have to do some looking around now because maybe that provider no longer fits all of their needs? And they want to try to get all of their needs fit by one organization. Is there any reality there?

Charles Kano: There is. A client may have, you know, let's say been with an insurance company for a long time and, you know, they -- they had a great relationship for their property or their general liability coverage. And so then they would also buy their cyber insurance from them. And what we're finding is again those traditional insurance companies can't meet their needs and they don't want the additional exposure where before they wanted to kind of round out their entire book of business. And so we're actually seeing some carriers kind of step away from the market. And we're finding more, like I mentioned, specialized carriers who are taking their place. And so it is allowing these companies to create new relationships with some additional insurance companies. So I think it's -- there's some right sizing that's happening where we're matching exposures of the companies with carriers who are willing to take on that risk.

Mark Stacey: I think part of the market volatility with insurance right now as we look at OT, it's also kind of exasperated in the fact that these networks are largely unknown. So when we talk about IT networks generally we've got security controls and, you know, a great recorded history of what is on the network. And with OT we don't have that. We have been talking in industry for a long time on how OT networks have old information systems. Maybe they're no longer supported. Maybe the company that made it is no longer in business. And so identifying what comprises the network is very, very difficult. Part of insurance and those carriers understanding what good risk is and doing proper assessments with accuracy is knowing what capabilities is on the network, where the crown jewels are, what the impact could be. And that's something that a lot of the network owners can't even identify. And so when we look at the maturity of the industry it's identifying first what they're trying to protect, what the impact could be. We have to help the owners understand that before we can even begin to communicate and share that with the insurance industry which can then make appropriate policies that are lucrative for them or advantageous for them as well as enable the customer.

Dave Bittner: Mark, is it fair to say that a lot of these facilities are essentially one offs?

Mark Stacey: What I would say is their OT technology can be unique, but the implementation of it can further that uniqueness. And so how an oil refinery works in one state may be completely different than another oil refinery using the exact same vendors in a different state. And so because of that implementation nuance you have, you have to dig into some of the details. You have to have some visibility over at the network to not just see what's on it, but what contingencies there are, what protocols are being used, how they're implemented, and really the cross functional dependencies you have across it.

Dave Bittner: Mark, how much collaboration is appropriate when purchasing an insurance policy? I mean specifically what I'm thinking is, you know, should my cybersecurity provider have a seat at the table when I'm talking to my insurance provider?

Mark Stacey: That's a great question. I think candidly if I were a system owner I would not want my security vendor there. I would leverage them to advocate to my broker or my carrier for a better rate based on the capabilities that I matured, but I think that relationship is hand in hand. It makes sense that if you have improved security posture you have done a better job of managing the risk and you certainly want to share that with your insurance provider.

Dave Bittner: Charles, any insights there?

Charles Kano: I would agree that, you know, you would want to be able to use their expertise and their reputation to help you in representing yourself to an insurance carrier, but I -- I wouldn't necessarily have them at the table unless there is something so unique that they are doing for you that it would make a difference to an underwriter. And I -- the reason I say that is because most of the insurance carriers have their own panels with their own cybersecurity, you know, partners there. And so unless they match up or something like that, it could be sometimes seen as a conflict or maybe that the -- maybe who you're using isn't as good as their panel. So I would keep them apart. I would, like I said, definitely leverage their reputation to help you in terms of what you are specifically doing for your risk profile, but I wouldn't actually have them at the table with me. No.

Dave Bittner: You know, we've talked about incident response here. And preplanning. And I'm curious when an incident happens, and I think we see a lot of incidents beginning on the IT side of things, how do we deal with overlap between the different responders? Between the folks on the IT team, on the OT team, and you know other security staff or even the vendors who might come into play here? Do you have any guidance there? Mark, let me start with you.

Mark Stacey: Again we can have no pride during incident response, and silos are counterproductive to the entire effort. We being Dragos have partnered with multiple IT firms, and those IT firms know that when they're doing triage in an incident and it extends into OT, they call us. Again we have the shared goal of the most rapid response possible to return the customer to a stable operating state, some return to service. Similar if the incident starts in OT and during our triage we see it extends into OT -- or into IT. Excuse me. Or another vendor. We have an extensive partnership with OEMs and other vendors we can rely on. Those relationships with IT are bilateral. We reach out to them. They reach out to us. And we all work collaboratively to really get the customer returned to that stable state.

Charles Kano: Well, I would add to that that having a plan in place beforehand is really helpful. So, you know, if a company like Dragos is working with an IT team, knowing their clients ahead of time is really useful. You know, I kind of gave that kind of situation where an IT team will realize quickly that, oh we don't have the certifications we need to be on site for an incident. And having a relationship with an OT provider is really, really useful because it cuts down that time and expense. If I'm guiding a client in this type of a situation what I'm telling them is, "Hey, it looks like you have a kind of an OT exposure here. Let's make sure that you have an OT provider selected and that they're already approved by your insurance panel so that if something does happen it's one phone call versus, you know, 30 phone calls to try to find the right person to show up on site." Again, we're trying to reduce time because time equals money in that incident response world.

Dave Bittner: Yeah. Charles, I'm curious where you think we are headed with this. When you look towards the horizon, where -- where do you see this being in the next few years?

Charles Kano: I think it's going to keep moving towards specialization. So I think we're going to get -- you know, we're seeing a lot of the carriers understand that there are specialized solutions for their panels. They used to go and hire kind of generalists. And while there's a place for kind of those general groups, time is money. And so I think we're going to find that insurance carriers are going to get more and more focused on solutions that match their exposures. And again the market is demanding that the cyber policies, you know, get more specific around what they're trying to cover rather than be a general solution. So I think we're going to find specialization is the way that insurance carriers find profitability, but also how they help their clients is moving towards specialized solutions for specialized risk exposures.

Mark Stacey: One quick addition. I -- having talked to multiple different carriers, as Charles mentioned, the old approach of a panel of generalists or approved security vendors, we've seen that kind of mature as we did with IT several years ago where insurance is actively hiring very technical staff with OT expertise. The relationship that I've seen between carriers and their customers is one of continued partnership. They want to help the client continuously mature. It provides the insurance with better risk assessment and it provides a customer with better resiliency. And so they're looking to understand the OT environment, understand what matters and how to navigate some of those risk assessments whether it be internal or through consulting with their customers.

Dave Bittner: Our thanks to Mark Stacey from Dragos and Charles Kano from WestCap for joining us. [ Music ] On today's learning lab Mark Urban is joined by Dragos strategic accounts director Sam Van Ryder to discuss building community in OT. Here's their conversation.

Mark Urban: Hi. Mark Urban again with the learning lab. Today we're going to talk a little bit about community building in the cyber world specifically for critical infrastructure. I've been in cyber for a long time, years, with Blue Coat and Symantec, you know big IT cybersecurity, and when I came to Dragos I started focusing on OT. I think I made the assumption a lot of people do. It's like, okay, there's -- it's the same thing. It's just, you know, slightly different focus. And I got my eyes opened over the last two years. And two of the differences that are most stark to me is one the difference in the environments. I mean securing laptops and servers and point of sales stuff in IT is one thing. Pipelines, electrical grids, manufacturing floors are a whole different sort of thing. So that's one thing that struck me. Two is just how far behind OT security is. It's like the last frontier of cybersecurity because of how little of it there is. And because it's so different, and because it's so far behind, there are a lot fewer skilled people in OT cybersecurity. So you see how important kind of building up that community is. And I'm joined today by Sam Van Ryder who's a strategic account advisor here at Dragos, and we met at DISC, the Dragos Industrial Security Conference, in just about a month ago, two months ago. And I started talking at that because I've been following Sam on what he does on Hou.Sec.Con and a lot of the community building he does there. And so we're joined by Sam Van Ryder. Thanks for joining us, Sam.

Sam Van Ryder: Well, thanks for having me.

Mark Urban: I wonder if we can start. Just give me a little bit about your background. We both work at Dragos. We're both focused on OT cybersecurity and, you know -- but everybody that I talk to has a different journey. So give the audience a little benefit of your background.

Sam Van Ryder: Sure. Sure. So I many years ago is I started. I was a mechanical engineer. And I went that path for several years in different industries starting in aircraft. I did some robotic tooling. I did orthopedic design. I did all kinds of different things just to kind of try different aspects of the discipline of mechanical engineering and things you could do. And during that process I became what I call a CAD jockey. So I was really good at computer aided design and computer aided engineering which kind of accidentally put me in a sales engineering role. So and that's where I kind of got my flavor of the different, you know, working different problems with different customers all the time and ended up in the sales which as I moved back to the states because I started back in Europe I got into the same spot, but then quickly went to a start up that did some service level analysis and things like that. And that put me into the whole network aspect of things. We were acquired by Netscout and that's where I got my taste of security. Not that Netscout was doing security at the time, but I saw the behavioral aspects of attacks on a network and for me that was just a light bulb that went off. I call it coming full circle. A few years later I was at a consulting company and we ended up having a customer that had a compromise that basically flat network compromised the entire organization. And this company did chemicals. There was a risk of in this particular case with this APT of the APT not being targeted, but if they hit the wrong buttons they could release a cloud of chlorine gas into the neighborhood nearby. In Houston we don't have zoning so that's a problem. For me, that was an ah ha moment that brought me back to the OT side where I, you know, understood kind of the control systems and stuff from my days in automation and engineering and things like that.

Mark Urban: Got you. So yes. It's best not to have clouds of chlorine gas pouring across your neighborhood which is a great example of, you know, the difference in impacts with operational technology and if something goes wrong from a cyber perspective they have impacts to safety, to environment, and yes to the bottom line as well. But we all prefer not to have that happen in our community which is why we talked about there's a shortage of skills and understanding. And the reason that I wanted to have this discussion is because you're focused -- tell us a little bit about Hou.Sec.Con which is, you know, Houston area. You know, you work with customers to sort through their issues in cyber on OT. So tell us a little bit about that.

Sam Van Ryder: Yeah. So Hou.Sec.Con was really an effort that was born. It wasn't unintentional, but the growth was. And this is we're a regional conference. We were started close to 14/15 years ago. Farnum -- Michael Farnum, a good friend of mine, and I started working on this. And the very first one was in -- Microsoft actually has a local office. They gave us their office space there to do a little conference. We had about 100 people the first year. That has grown since into our last year was 1,400 people at the Marriott Marquis downtown Houston. And it's really grown to become like the biggest cyber conference in the region. So we're one of the regional areas. And through that journey of -- of many years of doing this I've added the OT element to it. The whole idea behind Hou.Sec.Con has always been to build the community. Our tagline is learn and defend. So, you know, everything that we're trying to do is -- is, you know, we're nonprofit. We are total volunteer driven. We actually hired our first time employee last year only about four or five months ago because we saw how big this was getting and we needed better help and something to drive our attention throughout the year. But it's really turned into a community driven effort. So I have all kinds of great volunteers that step up and help every year, but it's also lots of great speakers and content that offer their time and their knowledge and share it with the community. And it's a great opportunity to network. And these -- these regional conferences are great for that.

Mark Urban: So if you look at, you know, in the Houston area -- because it's not just Hou.Sec.Con. You do another -- a number of other activities. Talk about how you view community building, especially on the OT side. Like what -- you mentioned some of the goals. You want to be able to be -- network, build your skills, but tell us a little bit about besides the annual conference how you view the OT community in Houston. And, you know, some of the advances it's made, some of the things that you'd like to see happen.

Sam Van Ryder: Yeah. So the OT is prevalent, and first off OT is what we kind of use on the cyber side to describe the process engineerings and physical aspects, physical system, cyber systems. But the reality is if you're a process engineer or an industrial engineer you don't really talk about OT per se. So it's kind of our own nomenclature, but kind of like where we all fought the cyber term 10/15 years ago, we're there. So let's not fight it. It's good to use it. But Houston is the energy capital arguably of the world, and so we have a lot of systems. You go out, you know, east of town and you've got all kinds of huge fields of refineries and every -- and chemical plants and all these other things that are running these systems. And a lot of smart people driving them. The thing about this is, to your point early on where you started off with is, yeah, it's been left behind. We're still catching up, but a lot of good effort's happening. In my mind it's just a huge opportunity. Yes. It's been left behind. But that's the opportunity. Like if you're looking for a career in cyber and you want to do something like this, this is a great long term opportunity to do well in your career and do something important for the community. You know, I always use that likeness of saying, hey, your email server goes down. Who cares? But if you blow up a pipeline and somebody gets hurt, that's bad. That's really bad. And people do care. So and it's not just that. It's the trickle effects of any of those things like we saw with Colonial Pipeline and what's happened on the east coast. But so we need to staff this up and it's one of those things is you catch more flies with honey. That's the way we do it. We create a great environment where they want to be. This is also with Hou.Sec.Con is -- has born another day long conference we're about to launch called OT.Sec.Con. 
So OT.Sec.Con that we're planning to do at the end of April and try to bring those owner operators to the table along with our cyber experts to have the conversation because we're still dealing with the differences between IT and OT and we want to make it collaborative, not adversarial. This isn't about protecting my fiefdom or not letting those guys into my environment or thou shalt do this from the cyber perspective. We want people to collaborate. I want the cyber folks to understand this is how these systems work. Right? These are what these plant engineers do every day. Right? So -- so understand what that means to them. And vice versa.

Mark Urban: Sam, Houston security, OT community, thanks for your time.

Dave Bittner: That's Mark Urban joined by Dragos strategic accounts director Sam Van Ryder. You can learn more about the Dragos community defense program which provides free access to Dragos OT cybersecurity technology for qualified utility providers to better protect their communities from potentially destructive attacks. Find out all about it on the Dragos website. [ Music ] And that's "Control Loop" brought to you by the CyberWire and powered by Dragos. For links to all of today's stories, check out our show notes at thecyberwire.com. Sound design for this show is done by Elliott Peltzman with mixing by Tre Hester. Our senior producer is Jennifer Eiben. Our Dragos producers are Joanne Rasch, Mark Urban, and Monserrat Thomason. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]