Automation Ladies

OT, IT, & Cybersecurity in Manufacturing w/ Leah Dodson & Ashley Van Hoesen

Automation Ladies Season 5 Episode 11

OT, IT, and Cybersecurity: how are they different, how are they related, and are you protected?

Join us with Leah Dodson & Ashley Van Hoesen as we master the distinctions between OT, IT, and cybersecurity roles in the manufacturing industry.

Gain insider knowledge on governance, risk, compliance, and the psychological tactics of scammers and hackers. Discover best practices to safeguard operations, mitigate risk, and avoid digital theft.

Huge thank you to Wolfe Evolution for sponsoring this episode!


Co-hosts are Alicia Gilpin, Director of Engineering at Process and Controls Engineering LLC; Nikki Gonzales, Director of Business Development at Weintek USA; and Courtney Fernandez, Robot Master at FAST One Solutions.


Speaker 1:

Hey, happy Halloween. Um, although I guess we are all too busy or not festive enough to be wearing costumes to this. But I had whiskers earlier, but they were getting really itchy and I peeled them off. But I had these little stickers. Yeah, no, I just.

Speaker 1:

It's been a very busy day, and I know Ali is still in a meeting, but thank you if you're joining us. Hey, David, thanks for joining. David's one of our speakers from OT SCADACon. So before we got on, we were just talking to Leah about OT SCADACon because I invited her to come and help us out with it. She's in San Antonio, we're in Houston. Do you want to give our guests an intro, if they weren't here last year or the year before, to see you as our recurring resident expert on cybersecurity with Automation Ladies? Introduce yourself and tell us what you've been up to.

Speaker 3:

Yeah, so I'm Leah Dodson. I'm a cybersecurity specialist with NextLink Labs. I specialize a little bit more on the governance, risk and compliance side, so all of the fun compliance checklist things. They're fun for me, less fun for other people. But I missed OT SCADACon this year because I had a baby in July. Awesome little boy, love him to bits. But I'm excited that SCADACon seems to have been awesome, and I'm excited to see it in future iterations.

Speaker 1:

We also have, yeah, I just threw up on the screen, Rafi and Michael. Thanks for joining us. They also attended OT SCADACon. So I guess if you guys want to leave a quick review in the comments for those that may be asking about it, you're welcome to. No, I think you'll find.

Speaker 1:

Honestly, I'd say go find somebody that went and ask them. We did have our exit surveys. So we didn't get a perfect score, of course, especially of course not. It was our first time and we had no idea what we were doing, just like with this podcast and a lot of other things we do. But we try to do them anyway, and then we learn and we try to do it better until we get too good at it. Then we get bored and then we go do something else. But in this case we got, I think, a 9.7 out of 10 from our reviews, and at least one person said that they would not like to attend again. And we reached out to him and asked why, and we thought he had really, really good insight and suggestions, and we invited him to be on our advisory board for programming for next year.

Speaker 1:

And so he's coming, and he even said if his employer doesn't approve it, he'll take some PTO. So you know we're open to suggestion. But I honestly think, like you were saying, Leah, some of your favorite events are ones where the organizers do a good job of setting things up and setting the stage, but then letting people, kind of, do their thing. And yeah, I think you're absolutely right. I would like to do more of that. OT SCADACon was Ali's idea. It is her baby from the technical programming side of things, but from the community side of things, the value happens when the attendees are together, rather than just us or even just the speakers, right? Because who can say that these speakers are the foremost experts and are better? They just happen to be the ones that (a) know us, (b) asked to be part of the program, and (c) were willing to invest the time, or could.

Speaker 1:

So it's not about necessarily learning something from a speaker that's the authority. It's about hearing somebody else's experience, learning something from that, and then being able to potentially work with those people in the future. So Michael says, "the smartest group of people I've ever been in a room with, and very supportive of each other." So we, through Michael, were able to meet his CEO, Alex Pool, or, I'm sorry, owner, I'm not entirely sure what his position is at Masked Owl Technologies.

Speaker 1:

Ali and I interviewed him recently and we were really excited for that episode to come out because we loved it and I think we committed on air to doing an AI panel with one of the engineers for Masked Owl and that was just a really great conversation, and so the people that you meet, like the interactions that come after, are very cool. And then we're going to be meeting some people again at Automation Fair. So, courtney, why don't you give us a little info if there's anybody new that doesn't know, and what are you up to, and I look forward to seeing you in a couple of weeks in Anaheim.

Speaker 2:

Yeah, I've been missing you. Can't wait to see you in a couple of weeks in Anaheim. Can't wait to have you over for a few days. And, like, I jumped into small business ownership again. It's not new to me, but you know I'm always putting out some form of fire, and half of them are fires I started myself, and so it's just been a lot of running around in circles. But I'm still enjoying it. It gives me the flexibility I need to problem solve at the hours I like to do it and be mom at the hours I need to be mom. And I have no idea how I ran into you at Automate and did not notice that you were about to have a baby. Congratulations. How's it been so far? Tick, tick. You look well rested. You look a little too well rested, honestly.

Speaker 1:

You look, you are glowing. Yes, thank you. Are you having another one?

Speaker 3:

Just kidding. He's tried. Oh boy, yeah, he's hitting his stride, sleeping at night. So I'm doing a little better now.

Speaker 1:

That's great yeah, very good, I would like to subscribe to whatever filter you've got going on.

Speaker 3:

Leah, right. So I do have to admit that I'm using a guest studio space right now.

Speaker 1:

It's not, oh, so nice, not my usual studio space, but it's very set up and I love it. Yeah, is it like a space that you can kind of subscribe to, like just go book time, or is it somebody else's that you just happen to be in?

Speaker 3:

It's somebody else's. I just happen to be traveling right now, and they're way more decked out than I am, so very nice.

Speaker 1:

I've never actually recorded in a podcast studio.

Speaker 3:

Yeah, yeah, yeah. I might have to get together a list of all of this equipment. And I was just gonna add in my background.

Speaker 1:

We were on brand for OT SCADACon. We have a couple more people, so Rafi says "OT SCADACon was amazing. I traveled halfway around the world and would do it again." So he also brought the most amazing snacks from Pakistan for everybody, which were perfect for happy hour, and I took the leftovers home and I'm still eating them. Some of them were at my office. But yeah, that gave me the idea. So we had this candy bar, and I did that for Alex Marcy.

Speaker 1:

Mostly I don't know why I commit to things, either on LinkedIn or live, that were just spur of the moment, off the top of my head, and then I end up trying to fulfill those things that I promise. I don't always manage to. But I was like, next year, why don't we do it to where everybody can bring candy from wherever they're from and add it to the candy bar, so we can all share with each other something that we brought? Because a lot of people, even some of the attendees, brought swag because they wanted to add their company swag to the swag table, and then people exchanged each other's swag and stuff. So that was fun, instead of it just being the big sponsor brands that had their swag at the table. So that's really cool. But anyway, our topic of today is cybersecurity. You know it's the end of Cybersecurity Awareness Month, and what a month we have had.

Speaker 1:

And Ali's not here yet, so I don't want to steal her thunder, or Ashley, who basically, but here I guess this all relates to OT SCADACon as well. So Ashley was our cybersecurity speaker at OT SCADACon, and I was just telling Leah that she did her dry run with me kind of late and her camera was off because she wasn't feeling well, or maybe the camera wasn't working, I don't remember. But I didn't really know her at all. She had connected with Ali, and Ali invited her as a speaker, and I was a little skeptical just because I wasn't getting a good feel for her as a speaker at all. And then I met her in person, and her talk was amazing and she blew everybody away. And then we were like, now she has to be the go-to cybersecurity person for everybody in this room. Everybody asked her questions, everybody got her involved in their talks. She told some crazy stories of things that she's done.

Speaker 1:

And we had a cybersecurity incident at PCE recently, and it's really good to have somebody like that on speed dial. Because, like, Leah, I know that's not necessarily your side of the house, like what to do once you get hacked. You're on the governance side, you're in product development, all those sorts of things, so I had you on my speed dial, but for very different things. And then Ashley, we just, yeah, it was rough. So PCE got hacked: one of our contractors' emails and payment details were changed, but not through a one-off email, but a whole exchange that required multiple levels of approval, and that was still changed and then not caught until afterwards.

Speaker 1:

And we had to, you know, we called Ashley and she gave us some advice on what to do, and unfortunately, we thought that we had fixed it and gotten the money back from QuickBooks, because they said so. We went down the whole phone tree with both the bank and then the accounting software that was used to send the ACH, and they said that we would be getting, or that they would be getting, the money back. And then, follow up, follow up, follow up. It didn't come. Turns out they were like, oh, we made a mistake, you're not actually getting it back.

Speaker 1:

So now we're looking at, I guess, the cybersecurity insurance claim and filing all the reports and all those sorts of things. But this sort of stuff happens to people all of the time, or to companies in our industry. And when we said that, the first people that we talked to, or some of the people that got notified, are some people like Alma and some of the people that we work with at OT SCADACon, and we've definitely heard, like, oh, my company, or a company I know, lost way more than that to something similar: payment instructions being changed on invoices, all kinds of things. So, Leah, you've been out there going to conferences and things like that. Do you have any insight for us about the last year, like what are kind of the most common things that people are still grappling with, specifically in our industry, if you have any examples?

Speaker 3:

Um, so attacks are definitely up in manufacturing. I think one of the big avenues is vulnerabilities in the supply chain. So, exactly like you described, something that you may not necessarily have direct control over. Yeah, but like you're saying, multiple levels of approval. Scams in general are up right now. In fact, I had an incident recently where I got approached with a scam and, being in the industry, it was a little bit more apparent, but they did such a good job. I got called from a number that was in an area I used to live, and they left me a voicemail. They said that they were with the sheriff's department and that I had a warrant out because I had missed jury duty. So you know things like that, they try to go immediately for some kind of emotional response. Okay, get you making an emotional decision as opposed to a logical decision. So you get those little feelings of maybe this is wrong, but you also get that emotional kick of, what if it's not? Yeah, and so I did a couple things. I looked up the person online, and they used a real deputy's name, right, and they were associated with the place that they said they were. And so I called, not the number that they gave me, but the department itself, and the deputy was out. So I called the number that they gave me to see what was going on, and they did a great job with the impersonation part. And that's what gets a lot of people, especially in manufacturing, where there's a lot of connection, supply chain, a lot of people talking to a lot of people, and you get that human connection and there's a little bit of trust that's built through those things. So he gave me a badge number, obviously not a real badge number, but he was on the spot when I asked, was able to read off a number, and so he was very well prepped from that aspect.

Speaker 3:

A couple of the things, tactics that he used, are really common in scams. The sense of urgency is a big one. So he was telling me you can't get off the line because you'll be held in contempt of court if you get off the line. You can't go into your local sheriff's office because they will arrest you if you do, because this warrant is active. So all of the normal avenues of verifying, he was very quick to cut off. Okay, don't do these things that you probably are naturally feeling like you should do. Yeah. And so in the back of my mind, as a cybersecurity person, I see what you're doing here, and eventually I was able to go, okay, I'm done with this conversation.

Speaker 3:

So I hung up, called back the sheriff's office and told them somebody's impersonating your deputy. They were like, yeah, it's been happening quite a bit. And so that's one that's getting a lot more common. But those are the things that they like to prey off of: that sense of urgency of you have to do this right now or some terrible thing is going to happen, that emotional response of somebody in your family is hurt, you need to send money to them. Oh, that was the other thing that they were telling me. The court was willing to get rid of the warrant if I paid the court fees, but there was only one specific way that I could do it: Cash App.

Speaker 1:

Yeah, really? The court, you're telling me the court uses Cash App? So I actually had to deal with the court in California when I was living here in Houston, and so I was doing everything remotely, and then they said to put these documents in the drop box. And I was looking for the link to the Dropbox, and I emailed and I think I asked for it, and then they were like, no, it's on the outside of the courthouse, the drop box. I was like, oh, I can't go there, like how can I get this to you?

Speaker 3:

That's funny. Yeah, those limiting things that are like, you can only work within this system. That doesn't make sense.

Speaker 1:

No, but even then, like if it was a specific bizarre system, it would be a remnant of the old times, not a Cash App or a SoFi or a Bitcoin wallet.

Speaker 3:

Right, like government is not that ahead. Yeah, yeah, and so those are some of the keys when you're looking for those red flags: things that are outside of an expected workflow. Yeah, yeah, 'cause, I mean, most of us aren't well-versed in workflows of things like government, how the courts work, but there are workflows that are familiar, right, and, like you said, government just isn't. They're not going to be taking Bitcoin for things like that, right? So identifying those red flags is pretty important.

Speaker 3:

Yeah, there's just so much that has been happening on the attacker front with manufacturing that it really has become a big focus. Yeah, it has been increasing over the years, but in this last year, I think a 75% increase in attacks is what some of the recent reports have been saying that are focused on manufacturing. Increased look at vulnerabilities: so there are a lot of IT systems that manufacturing has become pretty dependent on that are recently end of life or going to be end of life, and so known vulnerabilities in those systems, knowing that they're not going to be supported or they haven't been supported recently, make them a big target. Things like Windows 10 is losing support next year, and a lot of manufacturing devices rely on Windows 10. That's big eyeballs there.

Speaker 1:

So do you have, like, at the top of your head, sort of the biggest things that people should be watching out for that might be being targeted right now? And then, from a layman's perspective, where's the best place to get information on what these happenings are? Because I feel like if you're in the industry, you can read all of this, right, but if you're coming from a non-cybersecurity background, then reading a lot of the incident articles, or the new papers that come out, or any of the standards, it's a lot.

Speaker 3:

It is a lot, yeah. So CISA does a good job providing resources specifically for manufacturing. They do different reports, they do different frameworks. They make some resources available for small businesses within manufacturing that are more scaled down concepts that help businesses that maybe don't have the budget or the resources that some of the larger groups do. The FBI, so local field offices, will a lot of times have resources, like you can join InfraGard that will share across the industry different trends that are being seen.

Speaker 1:

So if there's a common attack vector that different organizations have fallen prey to, they'll give advice then on how to protect against those. Okay, I think I've seen some of the FBI notices when I've been Googling certain types of scams or attacks or whatever. I think, mostly scams.

Speaker 1:

I Google scams sometimes, and a lot of times when some of these things come to me, I'm like, I clearly know this is a scam, but now I want to know more about it, like why is it here or what is it trying to do, and is it common or is it something novel? Hey, Ali, hello. At least we got now two out of four with costumes, sort of. Halloween. Yeah, next year we have to do our Día de los Muertos episode again, though. We have to do, like, a fireside chat with someone that honors that or has something to say about it, I guess. But yeah, we did get started with Leah. Ashley is here, sort of. She's having some trouble with her video and her audio right now. With all of it, with everything. It was audio.

Speaker 1:

Now it's video, so I'm not sure. I'll bring her in. Um, yeah, I can talk about how I just got robbed of thirty thousand dollars. So I stole your thunder a little by mentioning it, but go ahead, the floor is yours. I mean, I mean, whatever.

Speaker 4:

Like, we were hacked. You know I have a domain, right, and we have emails for my company in that domain. And someone, obviously using a VPN, was able to get in. And I think this is, uh, I migrated from Google. She liked Google Suite for Business. Like, I was using Google, not Microsoft, and Google doesn't automatically do multi-factor authentication, so it actually isn't really in any business's best interest to even use Google.

Speaker 4:

But I was doing that, and I think that's part of the issue was we didn't really have super secure passwords anyway because of the Gmail, and so I slowly added people. And we have had phishing instances, like many, like everybody else has, and we catch them. Usually they're kind of obvious, but, like, it'll be me, without my phone number or my email, asking my people for shit that I'm not actually asking them for. And so this one was kind of sophisticated, and I hadn't seen this one before. When I talked to Ashley, she's like, yeah, we've seen that a thousand times, and I'm like, that sucks. Um, but basically it was ACH fraud. So they posed as someone else. No, they posed as someone we know and that we pay regularly. Yeah, and it looked like them. It actually was really good, because they did hack their email. So there, and we can show, because it's still owned by me, like all the email addresses are owned by me. So my guy Albert, like, Albert is Courtney's husband.

Speaker 1:

Another OT SCADACon speaker.

Speaker 4:

He's my IT guy for my company because I don't have IT. Lots of controls people like to be their own IT. I'd rather kill myself. So I'm not going to be my own IT. Same, I don't even like.

Speaker 4:

Honestly, I think it's really funny because, like, we're supposed to be computer people, right? We're controls engineers, and we must be, like, hacker galore, and that is not what all of us are. Some of us are really good at IT, server management, networking. The rest of us have to learn how to do that crap, because all we know how to do is, like, how do we get the PLC to do the thing with the equipment? We don't care if that talks to some other machine, because we just need the machine to physically do the thing. Eventually you have remote I/O and you do need communications, just for one process, but for the most part that's not what we were taught how to do. So, like, I know how to size pipes and pick a pump and pick a tank and put it all together and give you a narrative, and then tell a programmer, make it. You know, when the tank level is this high, turn the valve off, and I'll say all the things to do, and we can do all that, but that doesn't mean that we know how to, for example, when I started SCADA, I was like, oh my God, mostly because we were doing server management. Like, I'm using virtualization first of all. SCADA servers are done on virtual machines. I don't know why, but I guess it's just cheaper to do that. I don't know why the answer is not Docker or containers, I don't really know. But I know that what we've been doing for the past, I don't know, a while, is we've been putting these programs, right, they're just applications that we can buy from Ignition, Inductive Automation. We can buy it from Rockwell, Siemens, any of the actual PLC people can sell you their own software, or you can just buy one from a free agent like Inductive Automation, who has an amazing SCADA and more. That's actually not even SCADA, it's an IIoT platform, so it can connect way more than your SCADA, because you can do ERP and warehouse management, put it all together into the giant data lake for the United, whatever, namespace crap. But you can't do that if you don't know anything about IT or computer programming. So that's where people are like, what is this IT/OT convergence? That's not real. Oh, it's real. There are mountains of IT people who can do real programming.

Speaker 4:

By the way, what we do is not real programming. It never was. We're grabbing a block and connecting lines to it. That's not programming, that's just like we're telling you what to do. But, like, C, you know, C++, that's computer programming. Like, telling it in its own native language. We're using pictures, we're dragging pictures, like function blocks, or we're dragging ideas and connecting numbers and being like, okay, this channel means this pump. And that's what we're doing. And so all these IT people know how that works.

Speaker 4:

How does a computer run its own? How does it compile a program, run the program? How do you make these decisions? We don't do that. I don't program inside of a controller how it makes decisions. I just tell it, when this is true, like, it's just the logic.

Speaker 4:

So we are only putting facts or logic gates that we come up with in our head in that paper or odd down. But yeah, real programming is people that actually know what the computer's doing and can make the computer do what you want it to do, and so that's real computer programming. And so we've never done real computer programming. We're still engineers, but we're not real programmers, and so that's why I've never felt bad. I'm like, yeah, I'm a programmer, but not a real one. And I will always bow to real programmers, which are people that can program. I took AP Computer Science, and I think I did one really cool HTML, like you all did HTML back in the day. Yeah. Well, and this one was really hard for me, and I have a copy of it now, 'cause I was in 10th grade or something, and I'm like, look at my space head and then string and all this, and it was super cool. But outside of that, all I've ever done is ladder logic, which is reading, even though everyone gets mad at me and everyone gets mad at everybody.

Speaker 4:

It's reading relay logic, the way relay logic, you would read it. You're just making the PLC do the same thing, and you even show it the same way, because it was meant, like, Allen-Bradley did this for maintenance people, not for electrical engineers. Maintenance people could read, if these contacts are open, latch in this relay, and they could just read all this relay logic. And so they're like, well, the easiest thing we could do is take this real relay logic and then shove it in the computer and then make them do the same exact thing, and then they won't be that confused. Because now it's like a fake set of contacts from a relay turns on a fake actual coil. But it's still happening. The action's the same.

Speaker 4:

Who made the call is a computer instead of a relay, so you use a lot fewer relays. But now you've got to have a programmer. But it was easy because we just had to teach the programmers how to replicate their circuits. It's just circuit logic in a computer, and it looks just like the circuit logic. So you're like, oh, we can make computer programmers, not real ones, but out of maintenance people. So you just have to know how to read a freaking, it looks really similar to a schematic, like.

Speaker 2:

If you go to the 24-volt section of the schematic and you see your actual coils and contacts, it looks very similar to ladder logic in PLC land. And almost everybody's first crossover to structured text is a gajillion if-then statements and nested if-then statements, and then you start learning, like, there's gotta be a better way to write all these if-then statements.

Speaker 1:

And then you start learning the next steps from there. Back to your IT guy. The reason you brought this up, the reason you have an IT guy, is because he traced this hack back to a server in Germany, right?

Speaker 4:

The Netherlands, the Netherlands. Oh, okay, whatever, that was a VPN. It wasn't even someone in the Netherlands.

Speaker 1:

Oh, okay, so just somebody on a VPN.

Speaker 4:

It's probably someone I know, it's someone who knows me. They don't, I probably don't know them, but it's someone from LinkedIn who knows anything. And they came after us because I make it really obvious who does what in my company, so they just picked the list. Actually, I know, Heather, not Heather. Ashley's not on here, but I keep messing up. Ashley and Heather are not the same name, not even close. But yeah, um, I forgot where I was going with that. Oh, but I was asking her. I was like, what do I do? And she's like, oh, I came up with this list of emails based on, I don't remember what she even said. By the way, all those acronyms are not real to me, and I'm just like, I just waved my hand around.

Speaker 3:

I'm like, yeah, they did the thing. So, but we got, once she has either audio or video. Yeah, that's a good point you make, though, Ali, about information being out there a lot of times. So attackers will find publicly available information like that and try it against you, and sometimes it requires a deeper dive and sometimes it's pretty easy to find. But the key then being, like, the verification: this is publicly available, so is it actually coming from this person? Is it someone you could just call up and be like, hey, did you send me this email? Are you really asking me for payment?

Speaker 4:

But yeah. Well, this was really good because I owed this person a good amount of money. I was already late to pay them, and at some point within the past week, like month, let's say a month prior to me paying them wrong, they came and they were very, this was good. So they knew who would do that, who could do that for them. And I think you can just do that, because once they were in his email, they could tell who that person is, because they've already had emails like, hey, can you do this? Can you do that? Can you pay me here?

Speaker 4:

So they figured out who in my company they need to ask to change their payment information, and they're like, I just need you to pay me here, which is a fake bank account where I'm gonna steal all your, um, but I just need you to do that because I don't want to use this bank anymore, which was his Chase account. So I have a Chase account. They had a Chase account, and we paid somebody at SoFi. By the way, whoever has my money, have fun. That is so much money to steal. Like, you didn't work for it, but I guess you did a pretty good job. And then actually they didn't know it was going to be such a huge payoff. I could have just been paying them like $200. But it was $30,000.

Speaker 2:

So, like, you're on the compliance side, and just to ask a question for people like me who are really, honestly, just figuring this stuff out within the last 18 months. The acronyms are all kind of alphabet soup, and sometimes when I hear compliance, as an engineer, a lot of times I'm thinking product design, like the product has to comply with certain things. And now, with cybersec, we're also talking about companies complying with, like, how they store our information and what they can do with the information.

Speaker 4:

So my understanding is, like, you're more on that side, right? Like, with our information that's out there and how companies store it and treat it and everything. Yep. And, uh, like, training is the bottom line, because my people carried this out. No one held a gun to their head and said, give me the thirty thousand dollars. We were tricked, and we did it like we wanted to do this. We're like, okay, you want to put your money in a new bank account? Yay for you, let's do it. And we didn't verify. And yeah, and then in the future.

Speaker 2:

What is you know for, like now that I'm seeking free advice here, like live on on LinkedIn. But you know, like in that kind of situation, you know what you know company has this happen. You know what are the steps that that company takes in the future, to not let this happen again, multiple stages of approval sounds like one.

Speaker 4:

No, anything related to money. It's just a flag. You just flag it. If someone was like I need to be paid in a new place, that's a flag.

Speaker 1:

I'm any other levels of approval Money transfer.

Speaker 4:

Yeah, if they want anything related to cause. This guy gave us new bank information. He's like and he he's like is it time now? Can I give you that? Now, he was so fricking nice or she was a really good hacker Like. They're like oh, I have a new bank. I would like to change that. I mean, could I give you that information? When could I share that with you? He didn't just give it to us, she didn't just give it to us. They're like ask us when we are ready to put the new information in.

Speaker 1:

And we're like okay, yeah, so this is a little different. In there it wasn't like oh, I need to get paid today, You're already paid.

Speaker 4:

It was. That was a request, which is sometimes urgency helps you find out what that like oh, that's the red flag is the urgency.

Speaker 3:

There was no urgency, so it was a really good hack. Yeah, if you've ever, have you seen the movie The Beekeeper? If you haven't, no, the opening section of that movie they go through. And Ashley's shaking her head, so she knows. Yeah, they go through a very realistic depiction of that kind of attack where the target is getting somebody to willingly give over access to their things um, access to their bank account and the goal is to make it their idea or like put the onus on them so you're not out. These people are psychologists too, exactly, and it sucks like hard it sucks. So that's the social engineering aspect, and I think we just got yeah, just got a comment saying the art of social engineering, but that's the social engineering aspect of it right Ways to manipulate people, because, yeah, somebody could hack into your bank account and try and steal the money themselves and move everything.

Speaker 4:

This is way better because you can't get it back. Yeah, they did it on purpose and I actually tried to make my claim and they're like, let's just say this a little bit different, because if you say it the way you're saying it, you ain't going to get sh**. That's what happens.

Speaker 5:

Yeah, yay, I have sound and camera and audio and everything. We'll all get together. Look, you should have known when you invited me. Okay, I can't make things work, I can only break them. That's what I do, like you know, by trade. I can only break the thing, so I broke it. I couldn't make the camera work, I couldn't make the audio work, so I'm on my phone. Apparently that's how it works, because I tried 15 browsers and none of those want to work.

Speaker 4:

so yeah, she's on her phone half the time yeah, today I'm not, but almost always because I give up, I'm like no, this is and I don't get it.

Speaker 1:

I try to use this platform because for me, it's the only one I've never had issues with. Like you just click the link and like go in. So every time someone has a StreamYard in mind, I'm like, oh great, I know what to do. Like when I'm flying, you know, you know what to do. Everything else I'm like, oh no, it's not gonna work. Oh yeah, apparently does your shirt say hacker.

Speaker 5:

It does say hacker, and it's actually. It's actually literally written backwards, so that when I'm on camera, it's actually the correct way. Um, but, like, if you look at it in real life, you're like what is that? That's backwards? But no, it's, it's designed to be on camera. Um, this is my Halloween costume. Um, so, uh, yeah, um, but you know it's true in real life though.

Speaker 4:

Well, you know, I mean, and I'm also an actual Mexican, so um, I mean, you know.

Speaker 5:

I literally at Costco earlier I saw this uh lady. She had on a gray t-shirt and it says pretend that I'm a donkey. And I was like, yes, that is my level of dressing up this year because, yeah, like I'm actually not in my office right now because my office is piled up with wedding stuff, um, and I can't get in there to do anything. So, uh, so, yeah, it's um, yeah, there's a little bit going on here, but, uh, but yeah, like talking about the phishing stuff, um, it's. It's funny because I actually was talking with a prospective client just last week and we were talking about, you know, external assessment and everything. And they were like, you know, well, you know, we want to do social engineering. And I was like, look, I was like here's my thing with social engineering. I usually don't do it. I was like, if you really really want the service, I will do it, but typically I don't do it. And here's why Because, given enough time, I go on the assumption that, given enough time, if somebody really wants to, they will have a successful phishing campaign.

Speaker 5:

That's just the reality of it. How much training you do, it doesn't matter how good your security mechanisms are, whether you have spam filtering, whether you have, you know, all of your, your DNS, DMARC and all of that in place. Eventually, if they want to, badly enough, they will have. They will have some kind of success. They'll figure out you know something about your company, whether it's based on social media, whether it's based on information that is publicly available on the internet. But they will. They will gain success. So I'm not going to waste somebody's time, money, energy and efforts to do a phishing campaign where in in in the reality of it. If I'm, if I'm doing a two-week assessment, I'm probably not going to have a lot of luck in two weeks.

Speaker 5:

Now, if I'm doing a specific social engineering campaign where we're talking this is going to be a three, six, nine or even 12-month engagement where periodically I am just, you know, putting out these phishing emails, then yeah, I'm probably going to have success at some at some point. And all I need is one set of credentials. I don't need 50. I need one. One set of credentials, and it doesn't matter what the permissions are, because that one set of credentials is going to get me on the inside. From there, I can either install my tools and start to you know, propagate through you know, through C2, put in a back door, so I don't lose that, you know, or I can just live off the land and start to pivot my way through. Eventually I'm going to find something somewhere that I can either escalate my privileges or gain another account or create an account, that kind of thing. So that's why, you know, when I look at social engineering, I just say again, my hacker was in there for weeks, yeah, responding me like hey, were you able to do anything about?

Speaker 4:

and then Liza would be like oh sorry, like we still have a, I still have an open claim with QuickBooks cause we can't fix your bank account yet.

Speaker 3:

Just really nice slow like, yeah, and you were most likely not their only target during that time. They most likely had multiple people on the line, and so they can be patient.

Speaker 4:

Right, they've got fires going everywhere, I would be patient.

Speaker 5:

Right, exactly, you know, and when you're talking, you know they're installing ransomware and they're asking for millions upon millions of dollars. You know, if you look at, just if you look at one individual group and you look at the millions, yeah, I mean.

Speaker 4:

And like what Dogecoin?

Speaker 5:

Oh, absolutely, Absolutely. I mean, they're winning. They're essentially winning the lottery with every single one of these attacks and you can get paid out multiple times.

Speaker 3:

So you get paid the ransomware. You could do double encryption but then you also get paid for the data that that you're stealing right, selling the data.

Speaker 5:

Oh yeah, absolutely yeah. And and that's that's really what they're doing now is, you know they'll steal the data, they'll ransom you. You pay the ransom. That's no guarantee that they're not going to go ahead and sell that stuff. And they're going ahead and selling it and they're selling it for the same price to multiple people. You know you go anywhere on the dark web. It's, you know, a thousand, a hundred thousand Bitcoin to get this database.

Speaker 3:

And they're not doing that once, twice, they're doing it hundreds of times and if you don't make sure that you've gotten them actually out of the system, they could sit there for another year or so and keep quietly collecting data during that time and then hit you again and it'll feel like a separate attack when really it's it's all connected and some of these are like teenagers.

Speaker 4:

And we have such incredible like the Kali Linux, like tools, all the tools are free. For all that, if you have any ambition at all at intelligence at all like at all, and you're like a kid, you could take banks down. You just could get busted and then go to jail. But, like, the ability to hack and whether or not you get busted are not the same thing, right. So you don't have to be a genius kid, you just have to be like pretty smart.

Speaker 3:

Yeah, there's an industry term, script kiddies. Script kiddies, yeah.

Speaker 3:

So the low-hanging fruit, the easy attacks that you can. You can buy attacks, you can use tools that are readily available stupid people like me just kidding. Yeah. So the idea is, when you're looking from the protection standpoint, of being able to protect against those low level things, the script kiddie attacks, and then elevating your protections from there, like if someone were more motivated or had better skill, then what would they pivot from there and do? And from protection standpoint, that's where you really start, like let's flesh out. And, of course, Courtney, you mentioned the, the GRC compliance side. That's where you marry the two concepts right. So protection from the technical standpoint and then protection from the policy. We're going to say that we're doing X, Y and Z. Let's make sure that we're actually doing it from a technical standpoint, yeah, yep, and then let's test it, so keeping that ball rolling so that there's those connections across your protections constantly going. Yeah.

Speaker 2:

I've done work for companies now that are SOC 2 compliant and what an adventure that is. But it really actually started making me think about like how well do I vet people that I do business with now that this company is like putting me through this wringer Because I do want to make money and I will submit all these things you're asking for. But you know, like I've been background checked and you know stuff I you know as a you know subcontractor and stuff I haven't previously had to do before. But now all of a sudden, like two, three clients in a row have had me like doing a laundry list of things I've never had to do before. I think it makes you know Ali has said before with other difficult customers like hey, they're making me a better company, you know, by making me kind of dig deep and change some things that are kind of painful.

Speaker 1:

But yeah, what can the small because this all sounds, you know, like there's, it just kind of adds a lot of costs to doing business. Right To have to add this to your toolbox, to have to add this to your things to worry about, to think about, to plan for, to spend money on right To invest in yeah, CyberSec insurance is kind of new for me yeah mine was four grand a year.

Speaker 4:

Is four grand a year. That's a $3 million policy. And like, okay, most places that's too small. Yeah, like a 3 million is a little policy.

Speaker 3:

Yeah, it's becoming a really big thing Now. Those questionnaires, courtney, like you were mentioning, filling out what your policies are, what you're doing, what certifications you might have. It is becoming a lot, um. There are some techniques that we talk to people about, like the idea of building a trust center, um, but it all, it all takes overhead right, the idea being that you have to look at it as an investment in future, um, your future work, because having those assurances will make more companies happy with working with you. If you're looking at things like getting into government contracts, those are required, and you can't do business in that without having you know those assurances in place. So, yeah, it is a maybe a heavy lift to go from zero to hero, but it's one that pays off.

Speaker 2:

I'm curious how realistic it is to fathom something like you know to to be. You know, working with you know many companies are going to require this now and I see just even more in the future. But like the equivalent of TSA pre-check, where you know, like I'm in a system where I'm pre-vetted for everybody so I don't have to do this every single time I take on a new SOC 2 compliant customer, cause I'm fine, you know, with the fact that this vetting needs to happen, you know it's. You know all of us can't afford it.

Speaker 4:

Well, gas does it in like their safety. So, like everyone has to like register their safety, whatever. So this is kind of the same thing. It's just like your cyber safety score, um, as a company, and if you've been hacked a million times, then your score sucks like because your people don't get to like number for cyber. Like you get hacked all the time, your people don't know what phishing is and, like you, you're at risk because of it. Yeah, yeah, like a new credit score. Yes, we need more ways to, yeah, to limit us, but yeah, we need credit scores for our cyber trading.

Speaker 5:

It's funny. It's funny. It's funny that you guys bring this up, because I had, um, I, I had a, a concept and an idea about that, about I don't know, probably like five, five to 10 years ago. I was like you know, I was like I gotta go through all this stuff to, like you know, buy a house and everything and stuff like that, but I, we don't go through that with like cybersecurity. You know, we just we're just like you know you have these checklists. And then, especially when you're talking like OT or critical infrastructure, you know, if you think about it, really there's only one sector right now that truly has any kind of real regulatory standards or regulatory compliance, and that's energy. You've got NERC CIP. Oil and gas? Do you know what audits I had to go through when I did oil and gas? SOX. That was it. It's a financial thing, has nothing to you know.

Speaker 5:

The auditors came and they were like do you have a firewall? I was like yep. And they were like, do you have a firewall between the internal and your OT? Yep, I sure do. One firewall, everything else in the SCADA is on just one flat VRF. Everything can talk to everything. Don't look over here. No problem, no worries over here.

Speaker 5:

This is terrible, we know it, but you're not making us do anything about it, so we're not going to do anything about it. And it was that way until we were purchased by a larger entity that came in and was like y'all, no, you can't do that. And I was like, I've been saying that, but they didn't want to do anything about it, you know, and we had. We had to make changes then and we had to, you know, put in our network segmentation and all of that. But because there was no standard making us do it, nobody's going to do it. You know, cybersecurity, while it's probably the most important thing for your business to actually, you know, be sustainable and be able to continue to make that money, nobody wants to actually do it unless they're forced to. This is a voluntary basis. We're going to do the least amount we can because cybersecurity doesn't make money. You know it's like quality assurance it never makes money, it only costs money exactly, exactly.

Speaker 5:

And you know, we, we don't, we, we, for some reason in that in in in the business world, we don't have that mentality. You got to spend money to make money. You know, do? Do I want to spend money on advertising? No, I really don't. But if I don't spend money on advertising, then nobody knows who I am. And then you know I'm not getting, I'm not getting, I'm not getting any customers. Um, and it's the same with cyber security you, you have to spend the money to keep yourself and keep your product secure, otherwise you're going to lose that reputation. You're going to spend way more on it.

Speaker 4:

Shut down like, yeah, I just lost 30 grand, like that's sucks, but like people can lose more and so, yeah, you can choose to not protect yourself, but you will find it worth the money once you're robbed, like I just was, because now it's worth 30 grand.

Speaker 3:

Yeah, you have something like a production line that gets shut down, then you're losing, yeah, yeah, and it becomes exactly, and compliance gets a bad rap and I get why. But it really, like Ashley was saying, it's a motivator, right, if companies aren't going to do something, then compliance will help move that along. And compliance doesn't always equal exact security, but it gets people thinking that way right, if we start doing this, then then we'll be better. And then how can we make that better from there?

Speaker 5:

Yeah, absolutely. And you know, the thing is is that I, when I look, when I look at major incidents, you know talking, you know Colonial Pipeline, you know BlackEnergy. Even even if you really look at Stuxnet, these are not, these are not crazy sophisticated attacks, they're not like like the movie, just the easy shit. Yeah, you know, it's it really, it really is. You know Colonial. If you look at Colonial Pipeline, it was a, it was an account, that um, that the person no longer worked. There should have been um. Why can I not think of the word Deleted, removed, deleted, yeah, deactivated, deactivated. Yes, there we go. It should have been deactivated but it wasn't, and they just happened to find this and come across it and clearly they were not. I think the password or something like that had gotten caught in some kind of other leak or breach or something, and so they had the username and password and so they just logged in and then they just started pivoting through.

Speaker 5:

And you know most of this ransomware, it's a worm. So all they need to do is get it on one computer. It'll propagate itself across the network and that's it. And fortunately, you know they had a process to, you know, shut down OT so that it didn't have a chance to propagate there. But you're still shutting down OT. So it doesn't matter whether it is an internal attack or whether it's directly, you know, directed at OT. Ultimately the same, you know, end goal happened you shut down OT. It was shut down for three days. Gas on the East Coast went up to $9 a gallon. People were panicking, you know. People were putting gas in trash bags and stuff Like you created panic, and that was only three days. And then, luckily also, they had backups Because even though they paid the ransom they got the decryption key. The decryption key worked so slowly that they had to restore everything from backups anyways. So you know, these are it's not this crazy stuff, it's really. It is that low-hanging fruit. It is going back to the basics.

Speaker 5:

Don't, don't keep default passwords. You know, make secure passwords, um, literally as as part of you know, as as part of my, you know, our, our company, we use, we, we, I provide a password management system for everybody and you can have, you can put all of your passwords in there. So there's really no reason for you to not create a, a secure password, because you, you have that to do and I think that you know more companies should do that and and, honestly, it's really not. It's not that expensive things like a hundred dollars a year and I have unlimited users and I, I can provide that. We have a password vault now. Yeah, exactly, but it's little things like that that we just have gotten so far away from, because we're like, oh, we need AI powered IDS to do this stuff and I'm like you can't change a password, you don't need AI anything.

Speaker 4:

But we think we need this advanced technology when really we need basic stuff that you know we need to start at square one, which we're not even meeting those requirements.

Speaker 1:

So exactly, exactly so, with that we actually coming up close on time, and I know it's Halloween, so we all got, you know, fun things to do. I need to eat stomach aches to have something that you said at your talk at OT SCADA Con, Ashley, something about there being two types of companies the ones that have been hacked and the ones that haven't been hacked yet, or something to that effect. Right, so assume that you will get hacked one way or another. I'm already there. What are? Just, like you just said, the password manager, right, something like a Bitwarden or I don't know what you know recommendations would be for something like that. But what are some of your top takeaways? That, if somebody watched this, that the next time they feel that they can have a conversation with someone about cyber security and you should do that really soon, um, including with people on LinkedIn you better have an IT guy or woman.

Speaker 1:

What are some of the top low-hanging fruit things that people can do to either protect themselves or to make sure that, when the time comes, you're in a position not to be completely effed? If you do get, don't use Google.

Speaker 5:

Yeah, definitely passwords. That's a huge thing, you know. In a password vault, yeah, using a password vault, I mean you won't?

Speaker 4:

ever know those passwords? It's like x, y, g, 700 letters long. You just save it in there.

Speaker 5:

You're like I don't know what the password is Nobody does you have a password vault? Absolutely. You know making sure that you're not using default passwords. When you set up you know any kind of new infrastructure or something like that, immediately change that default password. And that's really important in, you know OT, because a lot of those devices they, you know they're admin, admin, I guess that all day long, every single day, single day.

Speaker 5:

You know when. You know when you are storing documents and things like that, make backups, make offline backups. You know get, get. You know get a small. You know one terabyte, two terabyte, five terabyte. You know hard drive that you can plug in and put all the files on there and then unplug it. You know don't have it connected to the internet, none of those types of things. But you know keep those files because if something happens and your files are gone, you have to restore some way and then make sure you're doing those backups on a regular basis. You know whether it be weekly, biweekly, monthly, in some sort of frequency so that you have that data. And then you know.

Speaker 5:

The final thing is I always say trust but verify. I'm going to. You know I'm going to trust, but I'm also going to verify, you know, I'm going to make sure that you are who you say you are, that you are authorized to do whatever you're. You know you're saying you're authorized to do um and and have those different things, um, you know, and have, have those, those processes in place, um, and that make sure that everybody is following those processes.

Speaker 5:

You know, test your employees. Just, you know, pull them aside, call them up and say, hey, you know, if this happens, do you know what to do? If this happens, do you know what to do? Because that's the other thing is, we write policies and we write procedures, but then we never test them. You know, I can't tell you how many companies I've gone into and I'm like do you have an incident response plan? And they're like, yeah, and I'm like cool, do your employees know about it? And they're like, uh, maybe. I like, have you ever tested it? Have you ever done an exercise? Well, no, we just, you know, we just wrote it down, it's gonna work, right.

Speaker 3:

No, you don't know that, because people don't know what to do and people panic, and so you know, those are are some of the biggest things that you can do yeah, a lot of times we'll see people that like, oh, we got, we used a template incident response plan, nothing specific to our environment, nothing specific to the people that are here, or we haven't updated it in 15 years. Person XYZ doesn't even work here anymore. Like making sure those things are applicable to you.

Speaker 1:

So, leah, what would be your top tips of any?

Speaker 3:

Yeah, I really. From a governance standpoint, I really think that knowing what to do when something happens is a big one. So, like Ashley was saying, it's not if, but when. So, planning for that, knowing who do we call if something happens on a weekend, if something happens over a holiday, are the people who we'd expect to be there? Are they going to be available to be there? Do they know that this is something we're looking to them for? If we need outside help, do we know who we would call If we need to get, like the FBI involved? If it's that big of a deal, do we know how to contact our local field office?

Speaker 3:

Having those things thought of and put into a plan and scaling that back a little bit looking at the risk in your environment, just sitting down and having a conversation of like what could happen and involving people throughout the organization. So just because someone's not an IT person, like Allie was talking about. You don't need to be an IT person to think of risks that could happen within your environment. You could be somebody on the shop floor that's like, hey, we leave these ports open all the time and people are constantly walking around. Maybe someone we don't know comes in and just plugs something in. That could be a risk and that's worth having the conversation, that you don't have to be a cyber person or an IT person to even start thinking that way.

Speaker 1:

Well, it's kind of that goes with, like the culture. Some companies are open to employee feedback and like continuous improvement and they want people to be on the lookout for problems that can be solved, things that can be done better, like add cybersecurity to that kind of process that you have of getting input from everywhere in your company. Possibly, if you're not already and if you're not the kind of company that asks input from your employees on anything, then I guess you could get hacked and I don't care. But yeah, I want to throw up.

Speaker 4:

No too small. I'm not a very big company and I already lost 30 grand.

Speaker 1:

So, Scott says retrain your brain to use passphrases. Short sentences are easier for your brain to remember. I guess I'm not one of those that. That can't be in lieu of passwords, though, because usually passwords do require, like all these different types of characters and stuff. Right, so passphrases people say a word.

Speaker 4:

What I've done before is I had a passphrase and I would only I would alternate the capital for every other first letter, and so I would make, I would say that passphrase to me and I'm just writing down only the first letter and then alternating caps and whatever. That's a little too Repeat, whatever that password is, without actually having to like, because I don't remember.

Speaker 2:

You didn't memorize it. You constructed it again by following some rules.

Speaker 3:

Yeah.

Speaker 1:

I do passwords.

Speaker 2:

A similar way I construct like. I don't memorize any of my passwords, but I have a way to construct the password if I remember what website I'm going to.

Speaker 4:

So and then some like that tells you what that was that you made, but not actually what.

Speaker 1:

Not enough for them to do, but enough for you, but then like how quickly until AI can like predict the pattern that we use based on the, the website that we're already in one of your or they've got.

Speaker 4:

They've bought your credentials for something you have to know every address I ever lived at. But you could do it.

Speaker 1:

Anyway, there are practical things that you can do, even if you don't have a department or a budget, but certainly there are companies and resources out there.

Speaker 1:

Leah mentioned your local FBI's field office.

Speaker 1:

They'll also post about cases that have happened, common scams that are going on, advice on how to avoid them. The other thing is to know some cybersecurity companies or consultants in your industry. It does not hurt you to know them, even if you don't have budget to pay them, because the time will come and you want to have somebody to call. So I mentioned this earlier. We at least were able to call Ashley right away because we know somebody that you know knows about this stuff. So, as a closing remark, ashley and Leah, if you guys could give the audience a pitch for or not a pitch, but just like what exactly you guys do and can help with and how people can reach out to your companies if they want to do business with you or just to kind of start to network with you guys and your colleagues, so that they at least have some cyber security folks in their network, even if they're not, you know, adjacent to that area and if you don't have a cyber security partner, and you're not going to get one, you are screwed.

Speaker 4:

Yeah, and so?

Speaker 1:

there's a lot of free resources at NIST, yes, and I will say like year, a lot of these great resources are pointed out to me, but this is such a low priority in my job that I don't go out and look at websites to look at cybersecurity information. I'm more so when it comes up, when I talk to people, when I see opportunities to hear content. I'm just not one of those people that goes to the websites to like try to do my own research on things that aren't immediately relevant to me.

Speaker 3:

in this sense, yeah, one thing I'd suggest is is looking at your workflow and seeing where can you fit things in. So like, if you're, if you're big on LinkedIn, start following some of the things like like NIST or CISA, and you'll see that pop up in your feed some of the the relevant things.

Speaker 1:

Well, there you go. So yeah, following them on LinkedIn versus trying to go to their website and look for information.

Speaker 4:

Yeah, Stories. You're like oh my God, follow these people on.

Speaker 1:

Instagram, like wherever you're scrolling. Okay, that, that's true.

Speaker 4:

Like the hackers are getting better.

Speaker 1:

Whatever our feeds are news feeds are apple news or you know whatever um, throw some cyber security stuff in there.

Speaker 4:

That's a great idea but yeah, go find some people like ashley and leah, because if you don't which is why you're not going to be, okay, I'm not.

Speaker 1:

You guys, you guys and Leah, I'll let you go first and then, Ashley, you can close it as the official sponsor of this panel. You can close it with the pitch for Wolfe Evolution. So, Leah, can you tell us a bit about NextLink Labs and what you want people to know you guys for and come to you for?

Speaker 3:

Yeah, so NextLink Labs, we focus on three different aspects. So custom software development, DevSecOps and cybersecurity. So when you're building applications and you want to integrate security into them, you want to have better workflows. We look at what your organization is doing and help you identify those gaps in your program and fill them in using frameworks, using you know things that are specific to your organization and the data that you handle and the workflows that you have. So we look at you know things that happen prior to an incident. If you've had an incident, we can look at the risk that you accepted that might have led to the incident and really focus on how can we improve the cybersecurity posture moving forward. How can we give those assurances both to your company, to any board of supervisors that might be over, or to your clients too. So how do we make your clients aware of the efforts that you're putting into your cybersecurity programs?

Speaker 1:

Very cool. Thank you. I assume people can find you at, is it nextlinklabs.com? Yep. And follow you guys on LinkedIn? Yep. And I know you and a couple of your other colleagues are regular speakers at industry conferences like Automate. Are there any more places that we should expect to see you guys in the near future?

Speaker 3:

Automate and Fabtech are our big go-tos, okay.

Speaker 4:

What about the ICS Village of DEF CON? I want to go hit that up next year.

Speaker 3:

It's amazing if you can go. So, years ago I was senior staff for DEF CON when it was still growing out the villages. They're growing insanely now, but they have some really cool stuff. The ICS Village is awesome. They do car hacking. That's really cool, to see some of the things that we may not be exposed to in, like, everyday life, to get a chance to go and see the thought process. Everyone has a Flipper and they're like taking your credit cards.

Speaker 4:

You're like, oh my God.

Speaker 1:

Very cool. And then, Ashley, will you tell us a bit about what you do? I know you've mentioned a little bit about what you do with your clients, but kind of, what's your focus and what types of companies should be coming to you?

Speaker 5:

Yeah, absolutely. So our focus is assessments and consulting. On our assessment side we're getting down to the nitty gritty, actually looking at devices, looking for particular vulnerabilities, looking at architecture, those types of things, and really addressing those security gaps and giving those recommendations and remediations for how you could secure the devices in your environment. On the consulting side we go a little bit more high level. So that's where we start looking at your policies and your overall security program and look for gaps there. Because a lot of times, you know, a lot of people are like, well, I need an assessment done. Well, maybe you actually need a consultation first. Maybe we need to look at a higher level and see, you know, you have these vulnerabilities in your environment, but how did they get there? Is it because you have gaps in your policies or gaps in your procedures? And that may be something that needs to be addressed first, before you're actually going in and picking out these, you know, little one-off vulnerabilities.

Speaker 5:

So that's kind of the primary of what we do, and very, very soon, probably like the beginning of next year, we will also be doing training. So we'll have various different aspects of training: training for the defensive side, training for if you want to learn how to break things in OT, like I do, then we'll train you to do that, and then generalized training for OT. So a lot of companies, when you go and you get that generic cybersecurity training, right, it's IT-minded and everything. I've never seen that in OT, where you're actually applying those cybersecurity principles, but for the operators.

Speaker 4:

And for operations, like the chief operating officer should get the big training and then roll it out to everybody else.

Speaker 5:

Exactly. So, yeah, this is like, I'm in a control room and my mouse starts moving on its own. What do I do? That kind of training. And for that training, not only are we going to have the generic, but we're also going to work with companies to customize it for their environments, so that'll be something that's upcoming early next year as well.

Speaker 1:

Wow, I feel like the pressure to include, I want to include access to trainings the two days prior to OT SCADA Con, so for some of you folks to be able to put on a class that somebody could add to their OT SCADA Con registration. I've been saying that. Okay, let's close out. I'm gonna extend it just a little bit longer, if anybody's even still here, but this is recorded, so that's also fine. Ali, you have some training that you're working on. Do you want to talk about it and then sign off?

Speaker 4:

Yeah, sure, later. But no, I think I've always asked, like, what people wanted to be trained on, and a lot, and I don't know for whatever reason, like people would rather know more about, or at least when I did the survey, they wanted to know about programming and SCADA. But what I'm actually good at is design and hardware. So, like, some programmers love both. Some programmers love one or the other. I have never been the strongest programmer, because I already told you it's not real programming anyway. But I feel really good about, like, the way that I develop a control panel, because I had to.

Speaker 4:

As someone who's not trained in electrical at all, like, I took one electrical class and I learned Ohm's law. I don't know shit, like, but I know how to create an entire control panel from scratch because I learned from other people's drawings and then from building it myself and doing it wrong and wiring it wrong and then being like, oh, I have to do it like this, and so I did learn. So I know all of the, like, layman's terms as to why certain things are there. Like, why do you have a power supply? Why do you have a control transformer? How do you pick out, like, you know, to make this a UL panel, how would you do that?

Speaker 4:

So I'm designing a class where I break down all the things for someone like me, who's not an electrical engineer, specifically not an electrical engineer, to be able to create a schematic that works on DC and AC voltages. So I want to tell you enough rules, colors, sizing of conductors based on NEC, like, enough shit in your class that you, without an engineering degree, could design a control panel. Even if you are an engineer, that's great, but that's not what this is for. So I want to create a class for why is all that shit in there? And same thing with, like, the size of the enclosure. Does it need a cooling system or a heating system? Like, how do you figure out how to size that? How do you figure out how many IO cards you need? How do you do all the motor circuit shit? So I'm making a class for how do you design a control panel from scratch.

Speaker 1:

All right. Well, stay tuned for more information on that. If you're interested in the class, I think we have a wait list going. Or if you don't have a wait list going, Emily, we need a wait list for the class going. I think we'll have some info coming out about it in our newsletter next week, and then following it we also are going to be... I'm not going to give you the floor, though, Courtney, because, well, I should, but yeah, just tell us robot training and then you sign off. Okay, the challenge is to you.

Speaker 2:

I'm no longer talking. I have a robot and I need to use it. I'll bring it to you and train you, the end, and then I'll break it afterwards. We're only going to get more and more into hacking robots.

Speaker 4:

Eventually, robots are going to get hacked and we're going to be like, oh my God, the robot did something bad. Yeah, robots can be hacked.

Speaker 1:

Let's keep talking to each other, learning from each other. Make friends with Scott. If you don't know Scott McNeil yet, he knows a lot. He's got a lot of great resources. Honestly, at any of our events, like, the people that are in the audience are just as knowledgeable as we are on different topics. So just the opportunity to network with the people that are here, please do that, and then share what you learn, or whatever, with the rest of the world. So, thank you guys for being here, happy Halloween and we'll see you around soon. Bye, bye, thanks everyone.

Speaker 5:

Thanks.
