Cybersecurity Conversations with Leah Dodson & Hayley Lichtenfels (LinkedIn Live)

Show Notes

With October being Cybersecurity Awareness Month, the Automation Ladies decided to speak with some experts in the field Leah & Hayley. Leah is the Principal Cybersecurity Specialist at Nextlink labs, while Hayley is a Product Marketing Specialist for Network and Security at Phoenix Contact. Follow them on LinkedIn!

These cybersecurity ladies discuss ways to protect yourself against cyberattacks, what to look out for as an individual and as a company to stay safe, and the importance of having standards across the board.

Disclaimer: With this being a LinkedIn Live technical difficulties can happen. Unfortunately, this chat was cut short and the stream was unable to continue.

__________________________________________________________________

🎙 About Automation Ladies

Automation Ladies is an industrial automation podcast spotlighting the engineers, integrators, innovators, and leaders shaping the future of manufacturing.

__________________________________________________________________

🎤 Want to be a guest on the show?
https://www.automationladies.io/guests/intake/

__________________________________________________________________

👩‍🏭 Connect with the Hosts

Nikki Gonzales: https://linkedin.com/in/nikki-gonzales

Courtney Fernandez: https://linkedin.com/in/courtneydfernandez

Ali G: https://linkedin.com/in/alicia-gilpin-ali-g-process-controls-engineering

__________________________________________________________________

🎟 The Automation Ladies Community Conference: https://otscada.com

Learn more about the hosts’ industrial automation conference OT SCADA CON attended by 100+ automation professionals, engineers, integrators, and technology leaders for hands-on learning, real-world case studies, and meaningful industry connections.

🎬 Credits

Produced by: Veronica Espinoza
Music by: Sam Janes

P.S. - Help our podcast grow with a 5-star podcast review if you love us! 

Transcript

[00:00:00] Hello, I hope, uh, I know everybody's got it's a crazy day. It's Halloween. Um, we were just talking backstage about how apparently none of us had time to get festive for this event. Um, wearing costumes and such. I'm sure everybody is ready to get out of here. Get out of wherever you are, right? Work wise and go trick or treating.

If you're in the US, if you're watching this from somewhere else, it is, Halloween. So, ladies, thank you so much for joining us here today. I was very excited to do, I guess, like a part 2 of our panel discussion from last year. And this time we have Courtney joining us. She was not around last year. And I think David Garcia, who joined us last year, uh, is now at his own company.

And we did a demo of his software called MarketMate a couple of weeks ago. So check that out, but otherwise we have Haley from Phoenix Contact and Leah Dodson, from NextLeap Labs with us again. And so we thought we would, catch up with everybody, see what is new since we talked last year.[00:01:00] And just, you know, get in the spirit of thinking about cybersecurity all of the time.

I think all of us need to do that all of the time. That is the point of us discussing it. We're not the experts. These ladies are in a way in different areas, but the point is you don't have to be an expert. You shouldn't have to be a cybersecurity expert to help your organization stay safe. And nowadays, especially with all this AI out there.

 You might need to think about how to keep your family safe from cyber attacks as well, which is a different but similar topic because, you know, cyber security is a complicated thing. It has to be built into products. It has to be built into networks. It has to be built into organizational structures.

 But the weakest link is still somebody clicking on a bad email and getting into your things that way or orchestrating, you know, some sort of social hacking to get somebody to do something they shouldn't at work. So I think all of us need to be aware of what are the latest weird. Strategies, um, things that have [00:02:00] gone down and how can we help protect ourselves and our companies, even if we're not in the, uh, I.

T. department, the or networking, or if you have a cyber security department, those folks give them a pat on the back next time you see him because they need all the help they can get from all of us. So with that, I'm Nikki Gonzalez. If you don't know by now, you probably, , are not joining here. So I think you guys know me and Allie and hopefully Courtney.

Courtney, I'm so glad you joined. How are you today? I'm buried in a demo today, so I may actually have to drop off at two o'clock, but this is an exciting discussion and I'm happy to be included in it. Yeah, you jump off when you need to. Courtney's with the United Robotics Group. They're keeping her very busy.

 You just came back from Spain, right, Courtney? I did. Yes, we got to, um, Robotnik Automation is one of our, um, the companies that URG owns, and they have some really cool AMRs, and I got to talk about some really cool projects in Spain for a week, so. Very cool. [00:03:00] Still a little jet lagged, but happy to be home.

For those of us that don't know, what's an AMR? Oh, sorry, an Autonomous Mobile Robot. Okay, very cool. Like the ones that run around in warehouses or other places. Some that have like a little arm on top of them now, so. They're getting to be pretty cool little things. Very cool. I just realized that maybe not everybody knows all the acronyms.

I am guilty of this a lot myself. Like I think last week or the week before I said ICP a lot of times. And then I realized a lot of people in our circle don't know what that means. Uh, I was talking to Anne Wyatt yesterday and she was like, what? I'm like, oh yeah, your ideal client profile is what that stands for.

So Allie, how are you? You're at home. It looks like. Yeah, I'm at home. I'm looking at this, comment from David Turner and me and Leah were just talking about VPNs being able to be hacked. So I'm super excited to talk about that and be like that. We're not we're not safe just because of that.

[00:04:00] So. Cool. We have it home. The tunnel kept us safe in the VPN, no? It used to be safe, but now there's ways to like, I mean, people are getting smarter at how they hack. They're like, how do we, and everyone knows that we're using VPNs. Yeah. So, so they started figuring out how do they mess with the VPNs themselves.

Um, how do you, and they're supposed to be encrypted. There's all these words associated with that, but let's talk about like, you know. What are these trends and what are people figuring out and how are and what are we supposed to do? Yeah, that's a big question. What are we supposed to do? Well, Haley, you want to go next you want to say hi If those that didn't maybe didn't catch you next year or I mean last year tell us who you are what you're doing Um, and then I guess those of us that talked to you last year, you can tell us if you're doing anything different this year than you were last year when we talked.

Sure. Yeah. So for those of you who were not here with us last year, my name is Haley Lichtenfels. I work in the product marketing department for Phoenix Contact USA. And I oversee [00:05:00] our line of industrial routers or security routers as we like to call them. So. It's really our line that handles both VPN routing and any firewall capabilities that you're looking for.

So my day to day is anything from pre sales to helping our, you know, sales engineers figure out which product is going to fit best, as well as post sales delegation of, you know, if the product's not performing, how it's supposed to kind of what we can do to help out with that. So just a very quick, high level intro to me and nothing.

It's really changed too much from last year. Still overseeing that still helping out with various marketing things as well as, you know, having cyber security conversations, which is why October is great because I get to have cyber security conversations pretty much until I turn blue in the face.

So, just trying to spread awareness out to all the customers who kind of like you guys have said before. Struggle with understanding cyber security in the industry and figuring out, you know, where exactly they can start what they can even do, because sometimes it can be such a daunting subject. You don't really know where to go, where to begin.

So, yeah, that's kind of what we do [00:06:00] day to day. Very cool. Do you find that a lot? Like you said, a lot of customers, they just don't know where they're starting. So they're not coming to you with like, Hey, we have this whole process mapped out and our department needs, you know, X, Y, Z, they kind of come to you and say, Hey, we need to figure this out.

Can you help? Pretty much. Yeah, I mean, it's actually more rare that a customer comes to us with a cyber security plan or program in action. Typically, since we are a component manufacturer, we have customers coming to us seeing how we can support their cyber security strategy. If you will, what hardware we have that has features like a firewall VPN.

Something of that nature. But typically, that's when we start having the conversation of, Hey, you know, cyber security is more than just the hardware that you're specking in. And it's also one of those with the hardware that you are bringing in. You want to make sure that you're bringing it in a secure way.

So typically customers. I mean, there are a lot like all of us, right? They have just day to day responsibilities that they have to focus on. And typically who we're dealing with on the controls engineering side, their focus is [00:07:00] not it. Usually cyber security. Usually their focus is just making things run.

So they kind of have to take a step back and work with us a little bit or at least have a conversation as you know where they're trying to go and where we can support them in that because cyber security. And I'm sure Leah knows this as well. It's really not a one size fits all solution. Every customer is going to be different.

Every customer has different needs, a different infrastructure, everything. So it really is a conversation that you have to have with everyone. And it does encompass more than just the technology. It encompasses the people in the processes as well. Yep. So I bet now you've got a whole year's worth more of application examples, you know, real world examples of these things being installed.

And since you handle both pre and post sales, you probably see a bit of the both sides of that coin, right? In terms of the implementation and so on. Well, thank you for joining us. Uh, Leah, I'll let you go next. You want to tell us a bit about what you've been up to and what next link labs does. Yeah, so I'm [00:08:00] Leah Dodson.

I'm a principal cyber security specialist at Nexalink Labs. Our company handles custom software, DevSecOps consulting. So using, tools better within the software development life cycle in order to bring that security in sooner in the development process. We partner with get lab, particularly for that purpose.

And then we also do. So my specialty, um, governance, risk and compliance. I am. The one who will sit down with a client, take a look at where they're currently at in their cybersecurity journey, what some of their goals might be, whether it's compliance, whether it's being able to confidently answer questions that potential customers are asking of them.

 And we'll put together a plan to build out a program that supports those things. Very cool. [00:09:00]So that's me in a nutshell. We've got some different perspectives here, which I think is fantastic, both from your side working with, you know, product development and then that whole. You know, assessing where people are making recommendations, helping them get a program and a plan together.

That's really cool. So I ran into Leah actually a couple of weeks ago at HUSECCon. This is, I think, both of our second time attending. Last year we, collaborated on a talk, which was really cool. And then this year I ran into her. I had a quick talk there and she was volunteering, and actually ran my session.

And so it was very nice to see you again. I wish I had been able to spend, you know, the full two days at the conference because there's a ton to catch up on and learn. Can you tell us any highlights or anything that you learned, that you thought was interesting at HUSECon? And then I'll ask Haley the same question about a conference that she just attended.

Oh man, there, this year it was Bigger and better than last year, and I hear that next year, they're moving to an [00:10:00] even bigger venue. So it's just growing and growing. It's. I really like that 1, because it still has that intimate feel. Um, you can ask questions from the speakers. You know, a lot of them will take questions during the talk.

It's a little bit more informal discussion base in a lot of cases. So, 1 of let's see. I had some really interesting talks in the tracks. I volunteered both days. There were some that stepped through attacks on, 1 of them was a cloud environment. So, how 1 set of compromised credentials could be used to gather data from multiple applications.

 In a cloud environment, and really how that 1 set of credentials could be used to open up that whole can of worms for company. And so it's good to see that attack [00:11:00] process, even as a defender, then you can work backwards and see everywhere. You know, you could have stopped the attack and that's the concept behind like defense in depth and zero trust.

How are we denying those steps along that chain? So I really enjoyed that talk. There were a few others. There was a really good one for people. Looking to break into the field about the concept of social engineering and how to use social engineering, the opposite of what we typically hear it.

Defined as like social engineering is bad. It gets people to give away their credentials or hurt their company. But the idea is how can we apply that to the interviewing process, and really use those same concepts of body language and tone and how we present ourselves in a way to break into the [00:12:00] field and start.

So there's a lot of neat things there. Very cool. I'll, I guess, just link back that example of your earlier, uh, the one set of credentials in a cloud environment situation. Do you think that's why we get targeted so much for things like, Oh, you've been invited to collaborate on this Microsoft 365 document and just go ahead and log into your Microsoft account on this link that we've sent.

Yeah. Yeah, password reuse is. Is a really big vulnerability with the idea that giving up credentials to 1 thing not only opens you up to that 1 thing, becoming a target. But if you use those credentials in multiple places, then now those connection, you can see the connections from those. Um, different applications.

You can try those same credentials again in a different application, and it's that's a big one. Yeah, because I've seen a huge uptick in those, and it used to just be like, [00:13:00] I knew to stay away from any kind of executable file attachments, right? Don't click on attachments from people that you don't know, or from somebody that, you know, that the email looks suspect this one.

I don't think I Oh, I clicked it the first time. I got it. I totally did. I will admit it. I clicked it. But then I didn't log in right when I saw I was asking me to log in with my credentials. I was like, oh, shoot. Wait, I don't know about this. This doesn't seem right. So, I hope that I think I stopped it at that point.

 These things are not super sophisticated in that matter, but. I might be wrong. I don't know too much about this, but I know it always. drives me crazy when something like that happens. Like once I got these or a customer of mine got a fake invoice, or a fake purchase order for fluke meters. And I went on LinkedIn and I was like, Oh, this is crazy.

This happened. And somebody was like, Oh, this is the oldest trick in the book. It's been happening for 30 years. If I had a penny for every time somebody fake ordered a fluke meter for me, you know, everybody knows [00:14:00] this. And here I was going like, Oh my gosh, everybody knows, except for me. What an idiot. But it turns out that a lot of people don't know this, right?

And I think we take for granted what most people don't know, because they, why would they, right? If they're not in that position for it to have gone around, you know, in their little circle. Then why would they know? And so I think the biggest thing that potentially I could add to any cyber security conversation even though it seems stupid It's just to repeat this thing over and over and over because you never know who hasn't heard it the first time Do the rest of you guys have any like common type scam things that we can share?

Or maybe we let me ask hayley, first about her conference and then we can get to this part later Uh Haley, were just at a cyber security conference. Was it last week? Yes, just last week. So I see a cyber security conference down in Atlanta. So it was actually a very nice comments. I don't know.

Nikki or Leah or Courtney Alley. Have any of you been able to attend before? No, so it was [00:15:00]actually pretty, nice. This is my first year going or my first time as the company going. So phoenix usually goes to s four, which is another cyber security conference that happens typically in March time in Miami.

Okay, so this was the 1st time we were going because this 1 is actually aimed a little bit more at those who are kind cybersecurity plans, trying to learn more about cybersecurity, not necessarily the. Developers for those who are working with the day in and day out. It might have maybe a, you know, more enriched understanding of everything just because they're used to it.

This conference is really aimed at people who are getting new to the field as well as vendors who have been in the field and are just looking to educate. So. It had a different perspective, and one of the consistent themes that we ran into, which was also nice with this conference was going back to, I would say, almost the basics of cyber security practices.

So, a lot of times when we talk about cyber security solutions, right, there's a lot of active and offensive or offense type of things that you can do to protect yourself, like threat hunting and going on and doing pen [00:16:00] testing, things like that. But sometimes we forget to look at the more basic side of things, like how is our network even laid out?

Are we reusing passwords? Does everybody have the same default credential? And this conference was really aimed or talking a lot about asset management and asset visibility. So, you know, almost one on one of cyber security is you can't protect what you are unaware about or unaware exists on your network.

So how can you go about creating a robust architecture or a robust plan if you don't even know what your critical assets are that you're trying to protect? So, there was a lot of conversations about understanding the assets on your network and just making sure you have complete visibility into. What exactly is on there?

What firmware revision is it running? Is it maybe a vulnerable firmware? And how is everything talking to each other? Is it on a completely open network where every PLC is able to talk to every PLC or is everything more segmented where things aren't able to talk to everything and taking more of a zero trust approach?

So that was a [00:17:00] really consistent theme, which I really appreciated hearing because, you know. For customers who aren't as engrossed in the cyber security world and aren't aware, you hear these fancy, more advanced solutions and think, oh, I need to adapt that when in reality, there are a lot of more practical things that you can be adapting that dramatically decrease your attack vector surface, but you just aren't really aware or aren't really aware where to start, I guess.

So. That was a great kind of theme that we saw. Another thing that they talked about a lot was also insider threats. So it was a great talk. I can't exactly remember her name, but she was a lady who works at Hexagon, which is a cyber security vendor, and they were talking about, you know how, whether it's intended or unintended, insiders have a lot to contribute to some cyber security problems.

So if someone's configuring a VPN incorrectly, a firewall incorrectly, maybe they're doing stuff that they don't even know about. They can be opening a massive door into your network. And really a great way [00:18:00] to tackle that is awareness training, right? So Nikki, you just mentioned it. You know, you think some of these practices like, oh, everyone should know, right?

And it's been happening for 30 years. But if you're not dealing with it every day and you don't see it, it's not in your face, you really aren't aware. And that's not necessarily anyone's fault. It's just the day to day of a job, right? Everyone's got different things to focus on. So. Just exactly that.

I mean, training up your people, making sure that they understand the threats that are out there and making sure they understand the little things like changing default logins and stuff and knowing what's on your network can really help out in a security posture. So overall, great conference. I really don't have enough good things to say about it.

I was really impressed by both the speakers that were there and the vendors that were there was a great opportunity for both customers as well as hardware vendors to understand what software partners are out there and how they can help you and their solutions might vary from the next. Yeah, because it really is an interplay of not just your network hardware or how you configure the network, right?

That's a big part of it. And that's [00:19:00] kind of the base layer. Right. Like you mentioned, like a lot of companies out there may have old PLCs with old firmware, some of which now has been found, has vulnerabilities. So that's really important to be aware of. And then it's how is your network, how are all these things connected that may or may not be vulnerable?

And then maybe I guess what next layer on that would be how are, how is the OT network kind of connected with the rest of your organization? And then there's like software layers that can sit on top of. I guess either one of those sides or maybe both that can help, you know, kind of cap things or help detect traffic that isn't supposed to be there, different things like that.

So, I mean, to me, as a non expert, it just seems like it's very complicated and there's a lot of areas that need to be like, that you need to be aware of both. What do you have, how it's connected and then what do you have on top of it? And what should you be adding that you're not and then there. Then there's everybody that touches it in any kind of way, [00:20:00] right?

Am I missing something like in terms of, I don't know, an unofficial accounting of what the different layers are of, like, thinking about cyber security? No, I think that you're hitting most of them. Leah. I don't know if you have any thoughts of anything that she might be missing in her methodology, but I mean, that's it's really.

Making sure that the entire network and really every piece that's interconnected is accounted for. And there is a big misconception where, you think, oh, I'm an O. T. Side player. So I need to make sure that my security is good as well as my I. T. Security in the process. And that doesn't have to be the case.

It doesn't have to be. Someone does everything right. Each department can really play their part and by everyone kind of making sure that they practice cyber hygiene, if you will, then Everyone's kind of contributing, right? It's not all up to one person doing it because if it was up to just one person, it probably wouldn't be getting done in the most efficient way anyway.

So exactly right. I mean, checking your floor and just understanding that security posture, checking your understanding that security posture, checking when they are converged and they [00:21:00] are connected. What's that posture look like? What does your human or your personnel posture look like? Is everyone being trained?

What is your process posture look like? Do you have a contingency plan of things go wrong? Do you have it. Anything in place, so there are a lot of different pieces that you kind of have to keep an eye on, but it's really an act of everyone working together, everyone collaborating and communicating what their responsibilities are, what their side looks like, and just having an open conversation of how things can help out.

And that was actually another talk that was at cybersecurity conference, which. I really appreciate it because communication is something that isn't really talked about when we talk about this whole I. T. O. T. convergence or this process mapping thing. But really, we are two different sides that have two different viewpoints, two different responsibilities and we're coming from different playing fields.

And so making sure that we have that open communication barrier and are really just saying, Hey, you know, what do you got on your network? And where are you coming from? And we say, Hey, well, we're coming from this side. We can't [00:22:00] adapt these practices or we can and working together is a big piece of the equation and just making sure that holistically everything is getting accounted for.

Leah, do you have something? I'm going to throw up a few comments. Thank you guys for, uh, so Toby, thank you for joining us. Toby. It's nice to see you. She says there's a difference between O. T. and I. T. definitions. We need to standardize on Purdue and I. S. A. 95. so. I say, obviously, is the International Society of automation, right?

Is that. I think that's right. Sounds right. Something like that. I know there's also, an industrial supply association. It's not. I know it's not that one. Uh, no, the ISA 95. Okay. I'm gonna have to look that up. I know the Purdue model, in general, and when it comes to, I have heard of that.

That's all I should say, in terms of my expertise here. And then Sarah says there are seven layers of cybersecurity. People process technology, data, communications, operations and environment. I have not heard that before. I really am not [00:23:00] super educated on cyber security, but these are all things that we could probably if we wanted to know more.

 We should look up. Right. Do you guys, Haley or Leah have anything to say about either one of these sort of standards or ways of defining things? Sure. Yeah. So I agree with Sarah. She makes a great comment. I haven't actually seen those seven layers before. But I mean, exactly that, making sure that you're taking into equation every single part of your network and not just the O.

T. System, not just the components, also the people in the process, how that data is communicating everything you really have to have an eye on everything that's being communicated or connected. And to Toby's point, there is Definitely a difference between O. T. And I. T. Kind of for the reasons that we were just talking about, right?

O. T. Has different responsibilities and priorities than I. T. Does and O. T. Is also a little bit more constrained on what they are able to do in terms of adapting I. T. Principles and in terms of standardizing. I mean, it's kind of an interesting conversation when you talk about choosing one, you know, one to rule them all, if you will.

[00:24:00] And I think More important to the conversation is trying to find actual enforcement or compliance for these standards. Right? So Purdue is great. I say 95. I think that that's I see 62, 443. I think that's the adopted part of it. It could be. I say 99. I could be wrong, but if it is that standard, they're both great standards.

However, without there being an enforcement body, such as the government or an industry. Then it's a little bit. It's a little bit difficult to figure out which one is the best to standardize on. And it's also a little bit difficult for everyone across the board to choose one for standardization. Good point.

I feel like, yeah, in a lot of ways, we have this kind of like somebody creates a standard and then somebody else can creates a competing standard. And then we're all trying to standardize, but we can't because even if we are standardizing, we're not on the same thing. And then we create an additional standard to try to unify the standards and you just end up with a third standard.

I mean, all three of those are still better than not trying to standardize anything. [00:25:00] Very true. Very true. Toby. Um, she chimes in here. It's the network layers that go with Purdue. Okay. And then Ted. Hey, nice to see you, Ted. Yeah. Hey, just be careful with how you throw around. Who did we call or what? I don't remember.

But noted, well, we have a lot of legacy systems, that we need to upgrade. And I think that's what he was talking about is that we refer to those systems, but we should, we can use the word legacy. I think that has been the go to word for the systems that were created years ago. I'm not using the word, but, um, yeah.

And we have a kind of an off topic question, but hey, that's kind of what we're all about. We meander all over the place here. It's not off topic, it's actually on topic, and that's a, it's not just Rockwell, but that's where everyone kind of got their notification of this DCOM thing. It's about Windows patches and [00:26:00] Windows updates, you know, everyone is trying to get on the site in the security train and windows is one of those ways that like people in I.

T. Not O. T. People in I. T. Religiously use, patches because that's the right thing you should do. They found some kind of vulnerability and they're like, here's how we patch that. However, Skater systems are not made by windows. They're made by other companies that need to use windows. And a lot of times what's going on is the companies that like, I'll tell you firsthand, when you first put in a factory talk view site edition skater server, for example, the first thing in the Rockwell manual says, like, turn off.

All of the windows updates, but that's not something we can do anymore because that's the way that systems were when they were actually what is it called when they were really air gapped back in the day. Yeah, you could do that. You'd be like, yeah, turn it off. This thing doesn't even have internet. Like who [00:27:00] cares?

 Do your thing it's never going to be attacked, but we don't have any servers like that anymore. Most of our servers do have access and over time, people have just, you know, we've been going and going more towards connecting everything. And, so it's not a crazy thing to say, like, how have we done with the decom hardening thing?

Because I think in March of this year. We were told if we didn't figure out our, you know, decom hardening thing, we were not going to be able to like our, for example, a historian or a communications rs links wasn't going to work. So your PLC is we're not going to be able to communicate with other PLC is you were not going to be able to have your skater servers actually look at the controllers and tell you whatever data was on them.

So everyone was panicking at the beginning of this because we're like, well, how, because there were multiple solutions. But yeah, I guess where I was going with that was, it's not off topic because decom hardening is about communications, and that's what we're talking about.

We're talking about security in communications, but, that decom thing affected everybody with PLCs [00:28:00] that had servers on... Um, Windows, which is everybody. Everyone has their Windows servers that they put their SCADA servers on. So how did this get resolved? Like, what did you have to do?

Oh, so there is an actual, there's like two different ways you can solve it. You just had to do it in time. And then you just had to not put that upgrade Or you had to put off putting that particular upgrade on if you could, if not, you just had some other way to disable what it was doing.

Cause by, by default by the next patches in eight in March, what it was going to do was have that DECOM hardening by, cause you could turn the DECOM hardening off. And now it's like default so now you have to have the dcom hardening on and you have to have Basically bypassed it with the directions that at least rockwell gave you if you have siemens or another platform You were given some other directions as to what?

Was your best path forward, basically. Okay, so I was about to ask, how does this get communicated? This is then [00:29:00] from the vendor? Yeah, so you would see everybody, yes, everybody who owns, like, because everybody pays Rockwell, for their licensing, for their, support right so they have really good support And all of those things were just like spamming everybody and by the way If you go to the rockwell website during these times It was actually like the first thing on the top banner that said like hey This dcom stuff is coming and you better be ready and giving you a bunch of links like how to take care of it But you would see multiple emails if you were the person dedicated to be contacted by Rockwell on your organization's behalf.

 And so I imagine I wasn't privy to like other organizations, but that was the big one. Rockwell was spamming everyone telling them this is you need to get ready. You need to be ready. Cause they were expecting basically a mountain of phone calls saying, Oh my God, my story, it doesn't work by communications.

Doesn't work. RS links. Doesn't work. I can't get this to talk to that because that's what the DECOM was going to basically [00:30:00] break was the way that RS links communicates. And there are other softwares, other. PLC platforms that communicate in the same ways using the same Microsoft, you know, basically frame to run its, software.

So, that's how that went down. So there were options for you to save your Stuff, but you had to do it in time. And I think that was their method was just like, let's just spam everybody and tell them like, this is a big deal. And that's when they took everyone. Everyone knew about it. I mean, everyone.

I mean, why does Jason Jones know about it? I mean, we were all basically told. So that's neat. He only had an issue with one N. A. T. R. What does that stand for? A NAT router. Oh, okay. Yeah. Network address translation, which is a really cool way to just have. It's like tricking your network into seeing one address when really the address of the actual device is something else, which is useful for a lot of different things, [00:31:00] including reusing addresses.

So what if you have the same machine, have the same addresses and you're like, well, We just need one address to get over to that machine, and then we can just look at all the devices behind that one address, and yeah, so network address translation, it doesn't have to be one to one is cool for that, and that's why we use it if we want to, if we want to replicate systems that have little local lands, you could use a bunch of NAT routers and then just have.

Yeah, all those devices just have the same IP addresses. It actually makes it easier for configuration and other things. If you have a lot of the same thing, copy paste type of thing, that's a normal thing to do. Haley, I don't know if this is your side of the business at all, but do Phoenix Contact PLCs also, work this much, with the Windows environments, or are they pretty different, in how, They interact with this kind of stuff.

So I'm actually not too clued in to our PLCnext platform. That is actually our friend Ted Thayer. I was about to say Ted, chime in the comments. Hi Ted! [00:32:00] Oh yeah, so if Ted's still there, he'd be able to answer that a lot, a lot better than I could. So I don't really play with that product too much. I should because it's great and I've heard lots of great feedback about it.

But not too clued in to how it is with Windows. Yeah. Yeah. I'm sure you guys deal with a lot. I don't think you have to do Windows. I think you can run it on Linux. You can. So it is. It is. I do know that much. It is a open source Linux box. I just don't know if you're tying it in with Windows servers or if you're using it in conjunction with a box PC or something like that.

I don't really know what that type of relationship looks like. Yeah, it probably depends on the application and the installation. I know, you know, with those, Oftentimes you have a mixture too, right? People are, you know, have legacy systems. Now, I know that the right jargon to say not old, legacy systems and maybe they're, putting some machines on our new processes with more open architecture type PLCs, like the PLCnext platform.

I know quite a few people that have started using it on projects, but it's probably not the majority of their installed base [00:33:00] or things that they've worked on, especially in the past. We got a couple of people training in here. Yay. Lennox. All right, Sarah. I think the possibilities are limitless.

Yeah, I think you're probably right there. And Toby shares a really nice resource here. Link in the comments. If you guys want to learn more about the PLC next platform, she's done the selling for you. Ted. Thanks. Toby. Yes. David. Great discussion here that I appreciate all of you guys chiming in. Does anybody have questions for Haley and Leah?

 Those of you that are watching in the comments, throw them out there. Um, Courtney. Okay. You haven't had a whole lot of, airtime. I want to ask you, I know you've been kind of, working on some newer things, some different projects. Now that you're with your G is, is cyber security. Something that you talk about a lot now with customers.

As you're implementing cool things, and robots that run around, I know Ali is scared. Uh, that anything with legs or wheels can come get her. If it gets hacked, you guys [00:34:00] talk about that. So thus far, it's not any different really at U. R. G. than other companies that I've worked for where I know that I'm not the expert, but I will frequently tell people you should be talking to an expert about this.

 Because if it's a mission critical process. And it can be hacked. You need somebody to be looking at how to prevent it from being hacked. It's something that I push for, but, to my knowledge, we don't necessarily require customers to set it up because it's really, kind of on the customer. Have we seen that even?

Yes. Say that again? Have we seen that yet? I mean, I feel like, we know that everyone's getting hit with ransomware, or different, or social engineering. And they're basically being told like, you know, give me money. That's the biggest hack right now is give me money and I'll let your system go so that you can use it again.

Have we figured, have we seen, and I don't know the answer to this, but my question is have we actually seen them get smart enough to actually hurt the systems [00:35:00] themselves? yet. Because that's what I mean with an AMR or a something with wheels, like it's going to cause a lot more damage, but you can still do damage with BFDs, PLCs, pneumatics, the equipment that's there.

I mean, you could go for refrigeration systems that are toxic to people. I mean, there's just a lot of. Ways that you could, you know, harm people. And we haven't seen that yet, but we're, we're trying not to get there, I think. I mean, there is a possibility that I have heard of out in the wild, that I did not interact with directly myself, but, malicious actors have the ability to use your equipment to very inefficiently mine Bitcoin.

Oh, currency. Yeah. So there was a pieces of, you know, automation hardware that are out. Again, mining cryptocurrency at just the most inefficient, you know, rate you can imagine possible, but that malicious actor doesn't care how efficiently they're mining it. It's just free cryptocurrency for them. So that's one thing that [00:36:00] I have, heard of that I don't even really know how.

Did they find out that this was occurring? Was the piece of equipment, if it was a robot, if it was a PLC, was it being overtaxed? To your point, like, was the CPU just too busy, you know, crunching, mining cryptocurrency to actually make its real decisions? That's basically where I see things falling apart.

Well, the other thing is reporting, right? I don't think that we're reporting this because it's really freaking embarrassing. So I don't think we're able to actually like 100 percent report like, okay, all of the giant cup fortune 500 fortune 100 companies are all getting smashed by, you know, we don't want to report that, but that's where we're at is we're in this like, oh my God stage.

And your cybersecurity people are gold. Those people are the only people that are going to save you from what's going on right now and you have to have them and if you're just like, Oh no, no, we're going to be fine without them. You're not. You're not. And then there's thoughts [00:37:00] I've had before where like say, you're installing new hardware on a system as an integrator or an OEM or, you know, somebody coming in to do this, you can say, Hey, I'm not going to install this unless you do X, Y, and Z to make it safe.

 I won't install new tooling on this unless you put an area scanner. You know, in the area to keep your way man, you can refuse to do work that's not safe. Can we refuse to install hardware in a place where they won't, you know what I mean? Uh, amp up that probably where we're going. I think that's probably where we're headed saying, Hey, I'm not, I won't come in and Expose my hardware to being hacked on your own safe system, you know, so I don't, I'm, I'm curious to know where we start, making those kind of demands on the customers.

That's a good point because sometimes. I mean, it is a complex environment that we work in. Not just from 1 customer site perspective, but from the ecosystem and a lot of the connectivity is being used [00:38:00] to connect the ecosystem equipment, you know, to be able to analyze, you know, remote in for support.

There's. Predictive maintenance applications, all kinds of things like that, right? Where you're having maybe more than 1 party, interacting with your network with your machines. And I also just anecdotally have heard. From systems integrators that their customers are not demanding any kind of cyber security stuff necessarily in their proposals and things like that.

 The government does ask me to do that. Yes. Thankfully. Good point here from Jason Jones. He said last automate. He sat in on the military discussion about automation and AI in military use. Cyber security of the mechanical deployments was at the top of their list for concerns. So thankfully, our government is at least.

On top of, I don't know, researching this and making sure that they care as they should. They're doing cyber security audits of [00:39:00] everything. And I think at this point they've done it all. If you've, if I know that the state governments have done cyber security audits, then I feel like we can safely assume that the federal government has at least tried at this point.

Um, maybe not. I mean, that's hopeful thinking, but I'm thinking that like we're late enough in the game where I'm listening to the. The state governments tell me what I have to do, and those are not the federal government. And so I hope that the federal's ahead also, is it push pull, right. Do we wait for them to demand it of us or do we push it onto them?

Yeah, no, I mean, technology's always worked the other way, right? Like we, we tell them when we have to push it onto them. Yeah. And I mean, that's probably where we're at, but I feel like we. We're past that obviously if the government's the last I think group So we everyone else has done their cyber security audits.

It's the government's that's now Oh, that's not safe. And so i've been directed to remove [00:40:00]Plc's like l 55s. We can't have those There's like different PLCs that, yeah, I've been told we, we need to get rid of. And the other main thing that like I've seen is just everyone really doesn't like, unmanaged switches anymore.

Those are not cool. Those aren't cool. Those were my fit, my best friend. Right. Cause they're easy. They just, you just plug in and you're happy. And that's just really bad, really, really bad. Um, So everyone just get rid of your programming ports and get rid of your hubs because this is a we're in a new we're in a new world now and so you can't have those anymore that used to be wonderful when we used to have this mythical uh the air gap there's no air gap the air gap has been gone it's been gone so at this point Let, let it go.

 And hug your cyber security friends and be like, please help me. Please help me, Toby. Thank you. You keep sharing the resources. Here's the site that will allow you to look up all of the currently known threats. [00:41:00] Rockwell has over 160 found threats currently. I'm not surprised, but then again, like every vendor out there, it's being targeted.

We are targeted. O. T. is a target. Is a black hat target. Yeah, right. Cool. We have a question. Um, yeah, Toby. Oh, go ahead. Um I was saying that Toby brought up a good point there about, compliance and regulation. So, there are a lot of manufacturers who've been sitting in the government supply chain, whether it's the defense industrial base supplying, um.

Products and services to directly to the government that have all along, had to follow certain guidelines. NS 801 71 for class, for compartmentalized unclassified information or confidential unclassified information, and they need to do specific kinds of reporting. Well, the self-reporting [00:42:00] for many companies doesn't cut it anymore.

 When it comes to working with the government and it's turning into, well, now there's going to be audits for a lot of these companies and there's a little bit of a disconnect there of, oh, you know, we said we were doing those things, but how do we verify? That we've been doing these things, or how do we verify that?

It's actually up to the standard that they're going to be auditing. And so there's, there's some disconnect there. That's coming to the industry as CMC is still being worked out and will be implemented possibly. Here shortly, I know they're moving along on that. So there's different regulations coming down the pipes.

 And there's different standards that are starting to build out what cybersecurity, stronger cybersecurity would look like, in this space. You said CMMC, what does that stand for? [00:43:00] CMMC. So that's, I actually don't remember what the CMMC communications stand for. Okay. Um, they, Is it a regulation? Sorry to put you on the spot, Leah.

Google it! Google it faster, Leah! No worries whatsoever. I know, right? No, it is... I'm a professional Googler. Cyber security maturity model certification. Is that the right one? Yes, yes, so it builds off of this 100171 builds it in a manner that is more auditable.