Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Hey, happy Halloween, um, although I guess we are all too busy or not festive enough to be wearing costumes to this, but I had whiskers earlier, but they were like getting really itchy and I peeled them off, but I had like these little stickers, yeah no, I just. It's been a very busy day and I know Ali is still in a meeting, but thank you if you're joining us. Hey, David, thanks for joining.
(00:21):
Uh, David's one of our speakers from OT Skatecon. So before we got on, we were just talking to Leah about OT Skatecon because I invited her to come and help us out with it. She's in San Antonio, we're in Houston. Do you want to give our guests an intro, if they weren't here last year or the year before, to see you as our recurring
(00:47):
resident expert on cybersecurity with Automation Ladies? Introduce yourself and tell us what you've been up to.
Speaker 3 (00:53):
Yeah, so I'm Leah Dodson. I'm a cybersecurity specialist with NextLink Labs. I specialize a little bit more on the governance, risk and compliance side. So all of the fun compliance checklist things. They're fun for me, less fun for other people. But I missed OT Skatecon this year because I had a baby in
(01:14):
July. Awesome little boy, love him to bits. But I'm excited that Skatecon seemed to have been awesome and I'm excited to see it in future iterations.
Speaker 1 (01:27):
We also have, yeah, I just threw up on the screen Rafi and Michael. Thanks for joining us. They also attended OT Skatecon. So I guess if you guys want to leave a quick review in the comments for those that may be asking about it, you're welcome to. No, I think you'll find. Honestly, I'd say, go find somebody that went and ask them. We did have on our exit surveys.
(01:47):
So we didn't get a perfect score, of course, especially of course not. It was our first time and we had no idea what we were doing, just like with this podcast and a lot of other things we do. But we try to do them anyway and then we learn and we try to do it better until we get too good at it. Then we get bored and then we go do something else. But in this case we got, I think, a 9.7 out of 10 from our
(02:10):
reviews and at least one person said that they would not like to attend again. And we reached out to him and we asked why and we thought he had really, really good insight and suggestions and we invited him to be on our advisory board for programming for next year. And so he's coming and he even said his employer doesn't
(02:31):
approve it, that he'll take some PTO. So, you know, we're open to suggestion. But I honestly think, you know, like you were saying, Leah, some of your favorite events are ones where the organizers do a good job of setting things, setting things up and setting the stage but then letting people, kind of, you know, do their thing. And yeah, I think you're absolutely right, like I would like to do more of that. This, you know, OT Skatecon was Ali's idea.
(02:54):
It is her baby from the technical programming side of things, but from, like, the community side of things and the, the value that happens when the attendees were together, rather than just us or even just the speakers, right, because who can say that these speakers are the foremost experts and are better? They just happen to be the ones that, A, know us, B, asked to be
(03:15):
part of the program, you know, C, were willing to invest the time or could. So it's not about necessarily learning something from a speaker. That's the, you know, authority. It's about hearing somebody else's experience, learning something from that and then being able to potentially work with those people in the future. So Michael says the smartest group of people I've ever been in a room with and very supportive of each other.
(03:37):
So we, through Michael, were able to meet his CEO, Alex Pool or, I'm sorry, owner, I'm not entirely sure what his position is at Masked Owl Technologies. Ali and I interviewed him recently and we were really excited for that episode to come out because we loved it and I think we committed on air to doing an AI panel with one of
(03:58):
the engineers for Masked Owl and that was just a really great conversation, and so the people that you meet, like the interactions that come after, are very cool. And then we're going to be meeting some people again at Automation Fair. So, Courtney, why don't you give us a little info if there's anybody new that doesn't know, and what are you up to, and I
(04:21):
look forward to seeing you in a couple of weeks in Anaheim.
Speaker 2 (04:23):
Yeah, I've been missing you. Can't wait to see you in a couple of weeks in Anaheim. Can't wait to have you over for a few days. And, like, I jumped into small business ownership again, it's not new to me, but you know I'm always putting out some form of fire, and half of them are fires I started myself and so it's just been.
(04:43):
You know, a lot of, uh, running around in circles, but, um, and still enjoying it. It gives me the, the flexibility I need to, you know, problem solve at the hours I like to do it and be mom at the hours I need to be mom. And I have no idea how I ran into you at Automate and did not notice that you were about to have a baby.
(05:05):
Congratulations. How's it been so far? Tick, tick. You look well rested. You look a little too well rested, honestly.
Speaker 1 (05:15):
You look, you are glowing. Yes, thank you. Are you having another one?
Speaker 3 (05:20):
Just kidding.
He's tried.
Oh boy, yeah, he's hitting his stride, sleeping at night. So I'm doing a little better now.
Speaker 1 (05:29):
That's great, yeah, very good. I would like to subscribe to whatever filter you've got going on.
Speaker 3 (05:35):
Leah, right.
So I do have to admit that I'm using a guest studio space right now.
Speaker 1 (05:41):
It's not, oh, so nice, not my, uh, usual studio space, but it's very set up and I love it. Yeah, is it like a space that you can kind of subscribe, like just go book time, or it's somebody else's that you just happen to be?
Speaker 3 (05:55):
It's somebody else's. I just happen to be traveling right now and, and they're way more decked out than I am, so very nice.
Speaker 1 (06:03):
I've never actually
recorded in a podcast studio.
Speaker 3 (06:05):
Yeah, yeah, yeah, I might have to get together a list of all of this equipment and I was just gonna add in my background.
Speaker 1 (06:13):
We were on brand for OT Skatecon. We have a couple more people, so Rafi says OT Skatecon was amazing. I traveled halfway around the world and would do it again. So he also brought the most amazing snacks from Pakistan for everybody that were perfect for happy hour, and I took the leftovers home and I'm like still eating them.
(06:36):
Some of them were at my office, but yeah, that was so. It gave me the idea. So we had this candy bar and I did that for Alex Marcy. Mostly I, I don't know why I like commit to things either on LinkedIn or live that were just spur of the moment off the top of my head, and then I end up trying to fulfill those things that I promise, um, I don't always manage to, but, and I was
(06:58):
like, next year, why don't we do it to where everybody can bring candy from wherever they're from and like add it to the candy bar so we can all share with each other something that we brought, um? Because a lot of people, like even some of the attendees, brought swag because they wanted for the swag table, like to add their company swag, and then people like exchanged each other's swag and stuff. So that was fun instead of it just being like the big sponsor brands that had their swag at the, at the table.
(07:19):
So that's really cool. But anyway, our topic of today is cybersecurity. It is our, you, you know it's the end of Cybersecurity Awareness Month and what a month we have had. And Ali's not here yet, so I don't want to steal her thunder or Ashley's, who basically, but here I guess this all relates to
(07:40):
OT Skatecon as well. So Ashley was our cybersecurity speaker at OT Skatecon and I was just telling Leah that she did her dry run with me kind of late and her camera was off because she wasn't feeling well or maybe the camera wasn't working. I don't remember, but I was. I didn't really know her at all. She had connected with Ali and Ali invited her as a speaker and I was a little skeptical just because I, I wasn't getting a
(08:03):
good feel for her as a speaker at all. And then I met her in person and her talk was amazing and she blew everybody away. And then we were like now she has to be the go-to cybersecurity person for everybody in this room. Like everybody asked her questions, everybody got her involved in their talks. She told some crazy stories of things that she's done. And we had a cybersecurity incident at PCE recently and
(08:28):
it's really good to have somebody like that on speed dial, because, like Leah, I know that's not necessarily your side of the house, to like what to do once you get hacked. You're on the governance side, you know, you're in product development, all those sorts of things, so I had you on my, you know, speed dial, but for very different things. And then Ashley, we just, yeah, it was rough.
(08:52):
So PCE got hacked, one of our contractors' emails and payment details were changed, but not through like a one-off email, but like a whole exchange that required multiple levels of approval and that was still changed and then not caught until afterwards. And we had to, you know, we called Ashley and she, you know, gave us some advice of what to do and unfortunately, we thought that we had fixed it and gotten the money back from QuickBooks.
(09:14):
Because they said so, we went down, you know, the whole phone tree with both the bank and then the accounting software that was used to send the ACH, and they said that, you know, we would be getting, or that they would be getting the money back. And then, you know, follow up, follow up, follow up. It didn't come. Turns out they were like, oh, we made a mistake, you're not actually getting it back. So now we're looking at, I guess, the cybersecurity insurance
(09:37):
claim and, you know, filing all the reports and all those sorts of things. But, you know, this sort of stuff happens to people all of the time, or companies in our industry. And when we said that, you know, the first people that we talked to, or, you know, some of the people that got notified, are some people like Alma and, you know, some of the people that we work with at OT Skatecon and we've definitely heard like, oh
(10:00):
, my company, or a company I know, lost way more than that, you know, to something similar, payment instructions being changed on invoices. You know, all kinds of things. So, Leah, you've been out there, you know, going to conferences and things like that. Do you have any insight for us about the last year, like what are kind of the most common things that people are still
(10:23):
grappling with specifically kind of in the, you know, our industry, if you have any examples?
Speaker 3 (10:29):
Um, so attacks are definitely up in manufacturing. Um, I think one of the big avenues is vulnerabilities in supply chain. So, exactly like you described, something that you may not necessarily have direct control over, yeah, but like you're saying, multiple levels of approval, scams in general are up
(10:52):
right now. In fact, I, I had an incident recently where I got approached with a scam and, being in the industry, it was a little bit more apparent, but they did such a good job. I got called from a number that was in an area I used to live
(11:15):
and they left me a voicemail. They said that they were with the sheriff's department and that I had a warrant out because I had missed jury duty. So, you know, things like that, they try to go immediately for some kind of emotional response, okay, get you making an emotional decision as opposed to a logical decision. So, you know, you get those little like feelings of maybe
(11:39):
this is wrong, but you also get that emotional kick of like, what if it's not? Yeah, and so I, I did a couple things. I, I looked up the person online and they used a real deputy's name, right, um, and they were associated with the place that they said. You know, that they were, and so I called not the number that
(12:02):
they gave me but the department itself, and there was, the deputy was out. So I called the number that they gave me to see kind of what was going on and they did a great job with the impersonation part. And that's what gets a lot of people, especially in
(12:22):
manufacturing where there's a lot of connection, supply chain, a lot of people talking to a lot of people and you just, you know, you get that human connection and there's a little bit of trust that's built through those things. So he gave me a badge number, obviously not a real badge number, but he was on the spot when I asked, was able to read off a number, and so he, he was very well prepped from that
(12:43):
aspect. A couple of the things, tactics that he used are really common in scams. The sense of urgency is a big one. So he was telling me you can't get off the line because you'll be held in contempt of court if you get off the line. You can't go into your local sheriff's office because they will arrest you if you do, because this warrant is active.
(13:05):
So, like, all of the normal avenues of verifying is very quick to like cut off. Okay, don't do these things that you probably are naturally feeling like you should do, yeah. And so in the back of my mind as a cybersecurity person, like, this is, I see what you're doing here, and eventually was able to, like, okay, I'm done with this
(13:27):
conversation. So I hung up, called back the sheriff's office and was like, this is, told them somebody's impersonating your deputy. They were like, yeah, it's been happening quite a bit, and so that's one that's getting a lot more common. But those are the things that they like to prey off of. That sense of urgency of you have to do this right now or
(13:50):
some terrible thing is going to happen, that emotional response of like somebody in your family is hurt, you need to send money to them. Oh, that was the other thing that they were telling me. The court was willing to get rid of the warrant if I paid the court fees, but there was only one specific way that I could do it: Cash App.
Speaker 1 (14:10):
Yeah, really, the court, you're telling me the court uses Cash App. So I actually, uh, I, I had to deal with the, uh, the court in California when I was living here in Houston and so I was doing everything remotely and then they said to put these documents in the Dropbox.
(14:31):
And I was like looking for the link of the Dropbox and I emailed and I think I asked for it and then they were like, no, it's on the outside of the courthouse, the Dropbox. I was like, oh, I can't go there, like how can I get this to
Speaker 3 (14:49):
you. That's funny. Yeah, those limiting things that are like you can't, you can only work within this system. That doesn't make sense.
Speaker 1 (15:01):
No, but even then, like if it was a specific bizarre system, it would be a remnant of the old times, not a Cash App or a SoFi or a Bitcoin wallet.
Speaker 3 (15:12):
Right, like government is not that ahead. Yeah, yeah, and so those are some of the keys, like, when you're looking for those red flags, things that are outside of an expected workflow. Yeah, yeah, cause not? I mean, most of us aren't well-versed in, in workflows of things like government, how the courts work, but there are
(15:34):
workflows that are familiar, right, and, like you said, government just isn't. They're not going to be taking Bitcoin for, for things like that, right? So identifying those red flags is, is pretty important. Yeah, there's. There's just so much that has been happening, um, on the attacker from with manufacturing that it really has become a big
(15:58):
focus. Yeah, it has been increasing over the years, but in this last year, I think 75% increase in attacks is what some of the recent reports have been saying that are focused on manufacturing. Increased look at vulnerabilities, so there's a lot of systems, IT
(16:21):
systems that manufacturing has become pretty dependent on that are recently end of life or going to be end of life, and so known vulnerabilities in those systems, knowing that they're not going to be supported or they haven't been supported recently, makes them a big target. Things like Windows 10 is losing support next year and a
(16:42):
lot of manufacturing devices relying on Windows 10, that's big eyeballs there.
Speaker 1 (16:52):
So do you have, like, at the top of your head, sort of the biggest things that people should be watching out for that might be being targeted right now? And then, from a layman's perspective, like where's the best place to get information on what these things, what these happenings are? Because I feel like if you're in the industry, you can read all of this, right, but if you're coming from a non-cybersecurity background, then reading a lot of the incident
(17:12):
like articles and, or the new papers that come out, or the, any of the standards, like it's, it's a lot.
Speaker 3 (17:22):
It is a lot, yeah.
So CISA does a good job providing resources specifically for manufacturing. They do different reports, they do different frameworks. They make some resources available for small businesses within manufacturing that are more scaled-down concepts that help businesses that maybe don't have the budget or the
(17:44):
resources that some of the larger groups do. The FBI, so local field offices, will a lot of times have resources, like you can join InfraGard, that will share across the industry different trends that are being seen.
Speaker 1 (18:02):
So if there's a common attack vector that different organizations have, have fallen prey to, they'll give advice then on how to protect against those. Okay, I think I've seen some of the FBI notices when I've been googling certain types of like scams or attacks or whatever, um, I think, mostly scams.
(18:22):
I google scams sometimes when I, and a lot of times, when some of these things come to me, I'm like, I clearly know this is a scam, but now I want to know more about it, like why is it here or what is it trying to do, and is it common or is it something, you know, novel? Hey, Ali, hello, at least we got now two out of four with costumes, sort of, Halloween.
(18:43):
Yeah, next year we have to do our Día de los Muertos episode again, though, that was, we have to do, uh, like a fireside chat with someone that honors that or, or has something to say about it, I guess. But yeah, we did get started with. Leah, Ashley is here, sort of, she's having some trouble with her video and her audio right now, with all of it, with
(19:08):
everything. It was audio. Now it's video, so I'm not sure I'll bring her, um. Yeah, I can talk about how I just got robbed of thirty thousand dollars, so I stole your thunder a little by mentioning it, but go ahead, floor is yours. I mean, I mean, whatever.
Speaker 4 (19:25):
Like we were hacked. You know, I have a domain, right, and we have emails for my company in that domain. Uh, and, uh, someone obviously using VPN was able to get, and I think this is, uh, I migrated from Google. She liked Google Suite for Business. Like I, I was using Google, not Microsoft, and Google doesn't
(19:47):
automatically do the multi-factor authentication, so it actually isn't really in like any business's, like, best interest to even use Google. But I was doing that and I think that's part of the issue was we didn't really have super secure passwords anyway because of the
(20:07):
Gmail, and so I slowly added people and we have had like phishing instances, like many, you know, like everybody else has, and, you know, we catch them. Usually they're kind of obvious, but like, yeah, it'll be, it'll be me, without my phone number or my email, asking my people for shit that they, that I'm not actually asking them for.
(20:30):
And so this one was kind of sophisticated and I hadn't seen this one before. When I talked to Ashley, she's like, yeah, we've seen that a thousand times, and I'm like, that sucks, um, but basically it was ACH fraud. So they posed as someone else. No, they posed as someone we know and that we pay regular. Yeah, and, you know, it looked like them. It actually was really good because they did hack their
(20:52):
email. So there, and we can show, because it was, because it's still owned by me, like all the email addresses are owned by me. So my guy Albert, like Albert, is Courtney's husband.
Speaker 1 (21:02):
Another OT Skatecon speaker.
Speaker 4 (21:04):
He's my IT guy for my company because I don't have IT. Lots of controls people like to be their own IT. I'd rather kill myself. So I'm not going to be my own IT. Same, I don't even like. Honestly, like, I think it's really funny because, like, there's, we're supposed to be like computer people, right, we're controls engineers, and like we must be like hacker
(21:25):
galore and like that is not what all of us are. Some of us are really good at, like, IT, server management, networking. The rest of us have to learn how to do that crap. Uh, because all we know how to do is like how do we get the PLC to do the, with the equipment? We don't care if that talks to some other machine, because we
(21:47):
just need the machine to physically do the thing. Um, eventually you have remote IO and you do need communications, just for one process, but for the most part that's not what we were taught how to do. So, like, I know how to do, I know how to size pipes and pick a pump and pick a tank and like put it all together and give you a narrative and then tell a programmer, make it.
(22:08):
You know, when the tank is, level is this high, turn the valve off, and like I'll say all the things to do and like we can do all that, but that doesn't mean that we know how to. For example, when I started SCADA, I was like, oh my God, mostly because we were doing server management, like I'm using virtualization first of all to SCADA.
(22:29):
Servers are done on virtual machines. I don't know why, but I guess it's just like cheaper to do that. I don't know why the answer is not Docker or containers, I don't really know. But I know that what we've been doing for the past, I don't know, a while is we've been putting these programs, right. They're just applications that we can buy from Ignition,
(22:50):
Inductive Automation. We can buy it from Rockwell, Siemens, any of the actual PLC people can sell you their own software, or you can just buy one from a free agent like Inductive Automation, who has an amazing SCADA and more. That's actually not even SCADA, it's an IIoT platform, so it can connect way more than your SCADA because you can do like ERP and warehouse management, put it all together into the
(23:13):
giant data lake for the Unified, whatever, Namespace crap. But like you can't do that, you don't know anything about IT or computer programming. So that's where people are like, what is this IT/OT convergence? That's not real. Oh, it's real, like there are mountains of IT people who can do real programming. By the way, what we do is not real programming.
(23:33):
It never was. We grabbing a block and like connecting lines to it, like that's not programming, that's just like we're telling you what to do. But like C, you know, plus plus. That's, that's computer programming. Like telling it in its own native language. We're using pictures, we're dragging pitch, like function blocks, or like we're dragging ideas and like connecting
(23:54):
numbers and being like, okay, this channel means this pump, like, and that's what we're doing. Like, and so all these IT people know how that. Does a computer like run its own? How does the read the? How does it compile program, run the program? How do you make these decisions? We don't do that. I don't program inside of a controller how it makes.
(24:15):
I just tell it when this is true, like it's just the logic. So we are only putting facts or logic gates that we come up with in our head in that paper or odd down, and then, but yeah, real programming is people that actually know what the computer's doing and can make the computer do what you want it to do, and so that's real computer programming. And so we've never done real computer programming.
(24:36):
We're still engineers, but we're not real programmers, and so that's why I've never felt bad. I'm like, yeah, I'm a programmer, but not a real one. Like, and I can. I will always bow to real programmers, which are people that can program. I did like, I took AP Computer Science and I think I did like one really cool HTML, like you all did HTML back in the day.
(24:57):
Yeah, well, and I, this one was like really hard for me and I have a copy of it now 'cause I was in like 10th grade or something, and I'm like, look at my space head and then string and all this and it was like super cool. But like, outside of that, all I've ever done is like ladder logic, is, is reading, even though everyone gets mad at me and everyone gets mad at everybody. It's reading relay logic, the way relay logic.
(25:20):
You would read it, that you're just making the PLC do the same thing and you even show it the same way, because it was meant, like Allen-Bradley did this for maintenance people, not for electrical engineers. Maintenance people could read if these contacts are open, you know, latch in this relay, and they could just read all this
(25:41):
relay logic and so they're like, well, this is the easiest thing we could do is take this real relay logic and then shove it in the computer and then make them do the same exact thing, and then they won't be that confused because, like now, it's like a fake set of contacts from a relay turns on a fake actual coil. But it's still happening.
(26:02):
The action's the same. Who made the call is a computer instead of a relay, so you use a lot less relays. But now you got to have a programmer. But it was easy because we just had to teach the programmers how to replicate their circuits, it's just circuit logic, into a computer and it looks just like the circuit logic.
(26:23):
So you're like, oh, this, we can make computer programmers, not real ones, but like out of maintenance people, so you just have to know how to read a freaking, it looks really similar to a schematic, like.
Speaker 2 (26:36):
if you go to the 24 volt section of the schematic and you see like your actual coils and contacts. It looks very similar to ladder logic in PLC land and almost everybody's first crossover to structured text is like a gajillion if-then statements and nested if-then statements and then you start learning like there's gotta be a better way to
(26:57):
write all these if-then statements.
Speaker 1 (27:00):
And then you start learning the next steps from there. Back to your IT guy. The reason you brought this up, the reason you have an IT guy, is because he traced this hack back to a server in Germany, right?
Speaker 4 (27:12):
The Netherlands, the Netherlands. Oh, okay, whatever, that was a VPN. It wasn't even someone in the Netherlands.
Speaker 1 (27:18):
Oh, okay, so just somebody on a VPN.
Speaker 4 (27:21):
It's probably someone I know, it's someone who knows me, I, it's someone who knows me. They don't, I probably don't know them, but it's someone from LinkedIn who knows anything. And they came after us because I make it really obvious who does what in my company, so they just picked the list. Actually, uh, I know, uh, Heather, not Heather. Ashley's not on here, but I keep messing up. Ashley and Heather are not the same name, not even close.
(27:44):
But yeah, um, I forgot where I was going with that. Um, oh, but I was asking her. I was like, what do I do? Or she's like, oh, I came up with this list of emails based. I don't remember what she even said. By the way, all those words just are, all those acronyms are not real to me and I'm just like, I just waved my hand around.
Speaker 3 (28:02):
I'm like, yeah, they did the thing, so, but we got, once she has either audio or video. Yeah, that's a good point you make, though, Ali, about like information being out there a lot of times. So attackers will find publicly available information like that and trying against you, and sometimes it requires deeper
(28:24):
dive and sometimes it's pretty easy to find, but the key then being, like, the verification of this is publicly available. So are you, is it actually coming from this person? Is it someone you could just call up and be like, hey, did you send me this email? Are you really asking me for payment?
Speaker 4 (28:44):
But yeah, well, this was really good because it was like I owed this person a good amount of money. I was already late to pay them and at some point within the past week, like month, let's say a month prior to me paying them wrong, they came and they were very. This was good. So they knew who would do that, who could do that for them.
(29:06):
And I think you can just do that, because once they were in his email, they could tell who, you know, is that person, because they've already had emails like, hey, can you do this? Can you do that? Can you pay me here? So they figured out who in my company they need to ask to change their payment information and they're like, I just need you to pay me here, which is a fake bank account where I'm
(29:28):
gonna steal all your, um, but I just need you to do that because I don't want to use this bank anymore, which was his Chase account. So I have, have a Chase account. They had a Chase account and we paid somebody at SoFi. By the way, whoever has my money, have fun. That is so much money to steal. Like you didn't work for it, but I guess you did a pretty
(29:49):
good job. And then actually they didn't know it was going to be such a huge payoff. I could have just been paying them like $200. But it was $30,000.
Speaker 2 (29:59):
So, like, you, you're on the compliance side and just, uh, to ask a question. For, uh, people like me who are really honestly just figuring this stuff out within the last like 18 months. Um, the acronyms are all kind of alphabet soup and sometimes when I hear compliance, you know, uh, like as an engineer, a lot of times I'm thinking like product design, like the product
(30:21):
has to comply with certain things, and now, with CyberSec, we're also talking about like companies complying with, like, what, how they store our information and what they can do with the information.
Speaker 4 (30:33):
So my understanding is, like, you're more on that side, right, like with our information that's out there and how companies store it and treat it and everything. Yep, and, uh, like, training is the bottom line, because if you, people that, mean my people carried this out, like no one held a gun to their head and said give me the thirty thousand dollars, we were tricked and we did it like we wanted to do this.
(30:57):
We're like, okay, you want to put your money in a new bank account? Yay for you, let's do it. And we didn't verify and yeah, and then in the future.
Speaker 2 (31:06):
What is, you know, for, like, now that I'm seeking free advice here, like live on, on LinkedIn. But, you know, like in that kind of situation, you know, what you, you know, company has this happen. You know, what are the steps that, that company takes in the future, to not let this happen again? Multiple stages of approval sounds like one.
Speaker 4 (31:25):
No, anything related to money. It's just a flag. You just flag it. If someone was like, I need to be paid in a new place, that's a flag.
Speaker 1 (31:35):
I'm, any other levels of approval? Money transfer.
Speaker 4 (31:38):
Yeah, if they want anything related to, cause, this guy gave us new bank information. He's like, and he, he's like, is it time now? Can I give you that now? He was so fricking nice, or she was a really good hacker. Like, they're like, oh, I have a new bank. I would like to change that. I mean, could I give you that information?
(31:58):
When could I share that with you? He didn't just give it to us, she didn't just give it to us. They're like, ask us when we are ready to put the new information in.
Speaker 1 (32:07):
And we're like okay,
yeah, so this is a little
different.
In there it wasn't like oh, I need to get paid today, you're
already paid.
Speaker 4 (32:22):
It was.
That was a request, which is sometimes urgency helps you find
out what that like, oh, that's the red flag, is the urgency.
Speaker 3 (32:26):
There was no urgency,
so it was a really good hack.
Yeah, if you've ever, have you seen the movie The Beekeeper?
If you haven't, no, the opening section of that movie they go
through.
And Ashley's shaking her head, so she knows.
Yeah, they go through a very realistic depiction of that kind
of attack where the target is getting somebody to willingly
(32:51):
give over access to their things um, access to their bank
account and the goal is to make it their idea or like put the
onus on them so you're not out.
These people are psychologists too, exactly, and it sucks like
hard it sucks.
So that's the social engineering aspect, and I think
(33:12):
we just got yeah, just got a comment saying the art of social
engineering, but that's the social engineering aspect of it
right, ways to manipulate people, because, yeah, somebody could
hack into your bank account and try and steal the money
themselves and move everything.
Speaker 4 (33:27):
This is way better
because you can't get it back.
Yeah, they did it on purpose and I actually tried to make my
claim and they're like, let's just say this a little bit
different, because if you say it the way you're saying it, you
ain't going to get sh**.
That's what happens.
Speaker 5 (33:42):
Yeah, yay, I have
sound and camera and audio and
everything.
We'll all get together.
Look, you should have known when you invited me.
Okay, I can't make things work, I can only break them.
That's what I do, like you know, by trade.
I can only break the thing, so I broke it.
(34:02):
I couldn't make the camera work, I couldn't make the audio work,
so I'm on my phone.
Apparently that's how it works, because I tried 15 browsers and
none of those want to work.
Speaker 4 (34:09):
So yeah, she's on her
phone half the time. Yeah, today
I'm not, but almost always because I give up, I'm like no,
this is and I don't get it.
Speaker 1 (34:18):
I try to use this
platform because for me, it's
the only one I've never hadissues with.
Like you just click the linkand like go in.
So every time someone has a StreamYard in mind, I'm like,
oh great, I know what to do.
Like when I'm flying, you know, you know what to do.
Everything else I'm like, oh no, it's not gonna work.
Oh yeah, apparently. Does your shirt say hacker?
Speaker 5 (34:35):
It does say hacker,
and it's actually.
It's actually literally written backwards, so that when I'm on
camera, it's actually the correct way.
Um, but, like, if you look at it in real life, you're like
what is that?
That's backwards?
But no, it's, it's designed to be on camera.
Um, this is my Halloween costume.
Um, so, uh, yeah, um, but you know it's true in real life
(34:59):
though.
Speaker 4 (35:00):
Well, you know, I
mean, and I'm also an actual
Mexican, so um, I mean, you know.
Speaker 5 (35:06):
I literally at Costco
earlier I saw this uh lady.
She had on a gray t-shirt and it says pretend that I'm a
donkey.
And I was like, yes, that is my level of dressing up this year
because, yeah, like I'm actually not in my office right now
because my office is piled up with wedding stuff, um, and I
can't get in there to do anything.
So, uh, so, yeah, it's um, yeah, there's a little bit going on
(35:29):
here, but, uh, but yeah, like talking about the phishing stuff,
um, it's.
It's funny because I actually was talking with a prospective
client just last week and we were talking about, you know,
external assessment and everything.
And they were like, you know, well, you know, we want to do
social engineering.
And I was like, look, I was like here's my thing with social
(35:52):
engineering.
I usually don't do it.
I was like, if you really really want the service, I will
do it, but typically I don't do it.
And here's why. Because, given enough time, I go on the
assumption that, given enough time, if somebody really wants
to, they will have a successful phishing campaign.
That's just the reality of it.
(36:14):
How much training you do, it doesn't matter how good your
security mechanisms are, whether you have spam filtering,
whether you have, you know, all of your, your DNS, DMARC and all
of that in place.
Eventually, if they want to, badly enough, they will have.
They will have some kind of success.
They'll figure out, you know, something about your company,
(36:36):
whether it's based on social media, whether it's based on
information that is publicly available on the internet.
But they will.
They will gain success.
So I'm not going to waste somebody's time, money, energy
and efforts to do a phishing campaign where in, in, in the
reality of it.
If I'm, if I'm doing a two-week assessment, I'm probably not
(36:57):
going to have a lot of luck in two weeks.
Now, if I'm doing a specific social engineering campaign
where we're talking this is going to be a three, six, nine
or even 12-month engagement where periodically I am just,
you know, putting out these phishing emails, then yeah, I'm
probably going to have success at some, at some point.
(37:20):
And all I need is one set of credentials.
I don't need 50.
I need one.
One set of credentials, and it doesn't matter what the
permissions are, because that one set of credentials is going
to get me on the inside.
From there, I can either install my tools and start to,
you know, propagate through, you know, through C2, put in a back
(37:40):
door, so I don't lose that, you know, or I can just live off the
land and start to pivot my way through.
Eventually I'm going to find something somewhere that I can
either escalate my privileges or gain another account or create
an account, that kind of thing.
So that's why, you know, when I look at social engineering, I
(38:02):
just say again, my hacker was in there for weeks, yeah,
responding me like hey, were you able to do anything about?
Speaker 4 (38:10):
and then Liza would
be like oh sorry, like we still
have a, I still have a openclaim with QuickBooks Cause we
can't fix your bank account yet.
Speaker 3 (38:18):
Just really nice slow
like, yeah, and you were most
likely not their only target during that time.
They most likely had multiple people on the line, and so they
can be patient.
Speaker 4 (38:30):
Right, they've got
fires going everywhere, I would
be patient.
Speaker 5 (38:35):
Right, exactly, you
know, and when you're talking,
you know they're installingransomware and they're asking
(39:00):
for millions upon millions of dollars.
You know, if you look at, just if you look at one individual
group and you look at the millions, yeah, I mean.
Speaker 4 (39:10):
And like what
Dogecoin?
Speaker 5 (39:13):
Oh, absolutely,
Absolutely.
I mean, they're winning.
They're essentially winning the lottery with every single one
of these attacks and you can get paid out multiple times.
Speaker 3 (39:22):
So you get paid the
ransomware.
You could do double encryption but then you also get paid for
the data that that you're stealing right, selling the data.
Speaker 5 (39:32):
Oh yeah, absolutely
yeah.
And, and that's, that's really what they're doing now is, you
know they'll steal the data, they'll ransom you.
You pay the ransom.
That's no guarantee that they're not going to go ahead
and sell that stuff.
And they're going ahead and selling it and they're selling
it for the same price to multiple people.
You know you go anywhere on the dark web.
It's, you know, a thousand, a hundred thousand Bitcoin to get
(39:55):
this database.
Speaker 3 (39:56):
And they're not doing
that once, twice, they're doing
it hundreds of times and if you don't make sure that you've
gotten them actually out of the system, they could sit there for
another year or so and keep quietly collecting data during
that time and then hit you again and it'll feel like a separate
attack when really it's, it's all connected and some of these are
(40:17):
like teenagers.
Speaker 4 (40:20):
And we have such
incredible like the Kali Linux,
like tools, all the tools are free.
For all that, if you have any ambition at all, at intelligence
at all, like at all, and you're like a kid, you could take banks
down.
You just could get busted and then go to jail.
But, like, the ability to hack and whether or not you get
(40:42):
busted are not the same thing, right.
So you don't have to be a genius kid, you just have to be
like pretty smart.
Speaker 3 (40:52):
Yeah, there's an
industry term script kiddies.
Script kiddies, yeah.
So the low-hanging fruit, the easy attacks that you can.
You can buy attacks, you can use tools that are readily
available, stupid people like me, just kidding.
Yeah.
So the idea is, when you're looking from the protection
(41:13):
standpoint, of being able to protect against those low level
things, the script kiddie attacks, and then elevating your
protections from there, like if someone were more motivated or
had better skill, then what would they pivot from there and
do?
And from protection standpoint, that's where you really start,
like let's flesh out.
And, of course, Courtney, you mentioned the, the GRC
(41:35):
compliance side.
That's where you marry the two concepts, right.
So protection from the technical standpoint and then
protection from the policy.
We're going to say that we're doing X, Y and Z.
Let's make sure that we're actually doing it from a
technical standpoint, yeah, yep, and then let's test it, so
keeping that ball rolling so that there's those connections
(41:56):
across your protections constantly going.
Yeah.
Speaker 2 (42:00):
I've done work for
companies now that are SOC 2
compliant and what an adventure that is.
But it really actually started making me think about like how
well do I vet people that I do business with now that this
company is like putting me through this wringer, because I do
want to make money and I will submit all these things you're
(42:20):
asking for.
But you know, like I've been background checked and, you know,
stuff I, you know, as a, you know, subcontractor and stuff I
haven't previously had to do before.
But now all of a sudden, like two, three clients in a row have
had me like doing a laundry list of things I've never had to
do before.
I think it makes, you know, Ali has said before with other
(42:40):
difficult customers like hey, they're making me a better
company, you know, by making me kind of dig deep and change some
things that are kind of painful.
Speaker 1 (42:49):
But yeah, what can
the small because this all
sounds, you know, like there's, it just kind of adds a lot of
costs to doing business.
Right, to have to add this to your toolbox, to have to add
this to your things to worry about, to think about, to plan
for, to spend money on, right, to invest in. Yeah, CyberSec
insurance is kind of new for me. Yeah, mine was four grand a year.
Speaker 4 (43:11):
Is four grand a year.
That's a $3 million policy and like most places that's too
small.
Yeah, like a 3 million is a little policy.
Speaker 3 (43:25):
Yeah, it's becoming a
really big thing Now.
Those questionnaires, Courtney, like you were mentioning,
filling out what your policies are, what you're doing, what
certifications you might have.
It is becoming a lot, um.
There are some techniques that we talk to people about, like
the idea of building a trust center, um, but it all, it all
(43:46):
takes overhead, right, the idea being that you have to look at
it as an investment in future, um, your future work, because
having those assurances will make more companies happy with
working with you.
If you're looking at things like getting into government
contracts, those are required, and you can't do business in
(44:07):
that without having, you know, those assurances in place.
So, yeah, it is a maybe a heavy lift to go from zero to hero,
but it's one that pays off.
Speaker 2 (44:20):
I'm curious how
realistic it is to fathom
something like, you know, to, to be.
You know, working with, you know, many companies are going to
require this now and I see just even more in the future.
But like the equivalent of TSA PreCheck, where, you know, like
I'm in a system where I'm pre-vetted for everybody so I
(44:42):
don't have to do this every single time I take on a new SOC
2 compliant customer, cause I'm fine, you know, with the fact
that this vetting needs to happen, you know it's.
You know, all of us can't afford it.
Speaker 4 (44:55):
Well, gas does it in
like their safety.
So, like everyone has to like register their safety, whatever.
So this is kind of the same thing.
It's just like your cyber safety score, um, as a company,
and if you've been hacked a million times, then your score
sucks, like because your people don't get to like number for
cyber.
Like you get hacked all the time, your people don't know
(45:17):
what phishing is and, like you, you're at risk because of it.
Yeah, yeah, like a new credit score.
Yes, we need more ways to, yeah, to limit us, but yeah, we need
credit scores for our cyber trading.
Speaker 5 (45:31):
It's funny.
It's funny.
It's funny that you guys bring this up, because I had, um, I, I
had a, a concept and an idea about that, about, I don't know,
probably like five, five to 10 years ago.
I was like, you know, I was like I gotta go through all this
stuff to, like, you know, buy a house and everything and stuff
like that, but I, we don't go through that with, like,
(45:54):
cybersecurity.
You know, we just, we're just like, you know, you have these
checklists.
And then, especially when you're talking like OT or
critical infrastructure, you know, if you think about it,
really there's only one sector right now that truly has any
kind of real regulatory standards or regulatory
compliance, and that's energy.
You've got NERC CIP. Oil and gas.
(46:16):
Do you know what audits I had to go through when I did oil and
gas? SOX.
That was it.
It's a financial thing, has nothing to, you know.
The auditors came and they were like, do you have a firewall?
I was like yep.
And they were like, do you have a firewall between the internal
and your OT?
Yep, I sure do.
One firewall, everything else in the SCADA is on just one
(46:41):
flat VRF.
Everything can talk to everything.
Don't look over here.
No problem, no worries over here.
This is terrible, we know it, but you're not making us do
anything about it, so we're not going to do anything about it.
And it was that way until we were purchased by a larger
entity that came in and was like, y'all, no, you can't do that.
And I was like I've been saying that, but they didn't want to do
anything about it, you know, and we had.
(47:02):
We had to make changes then and we had to, you know, put in our
network, network segmentation and all of that.
But because there was no standard making us do it,
nobody's going to do it.
You know, cybersecurity, while it's probably the most important
thing for your business to actually, you know, be
sustainable and be able to continue to make that money,
nobody wants to actually do it unless they're forced to.
(47:26):
This is a voluntary basis.
We're going to do the least amount we can because
cybersecurity doesn't make money.
You know, it's like quality assurance, it never makes money,
it only costs money. Exactly, exactly.
And you know, we, we don't, we, we, for some reason in that, in,
in, in the business world, we don't have that mentality.
(47:47):
You got to spend money to make money.
You know, do?
Do I want to spend money on advertising?
No, I really don't.
But if I don't spend money on advertising, then nobody knows
who I am.
And then, you know, I'm not getting, I'm not getting, I'm
not getting any customers.
Um, and it's the same with cybersecurity, you, you have to
spend the money to keep yourself and keep your product secure,
(48:07):
otherwise you're going to lose that reputation.
Speaker 4 (48:13):
Shut down like, yeah,
I just lost 30 grand, like
that sucks, but like people can lose more and so, yeah, you
can choose to not protect yourself, but you will find it
worth the money once you're robbed, like I just was, because
now it's worth 30 grand.
Speaker 3 (48:30):
Yeah, you have
something like a production line
that gets shut down, then you're losing, yeah, yeah, and
it becomes, exactly, and compliance gets a bad rap and I
get why.
But it really, like Ashley was saying, it's a motivator, right,
if companies aren't going to do something, then compliance will
(48:52):
help move that along.
And compliance doesn't always equal exact security, but it
gets people thinking that way, right, if we start doing this,
then, then we'll be better.
And then how can we make that better from there?
Speaker 5 (49:07):
Yeah, absolutely.
And you know, the thing is, is that I, when I look, when I look
at major incidents, you know, talking, you know, Colonial
Pipeline, you know, BlackEnergy.
Even, even if you really look at Stuxnet, these are not, these
(49:28):
are not crazy sophisticated attacks, they're not like, like
the movie, just the easy shit.
Yeah, you know, it's, it really, it really is.
You know, Colonial.
If you look at Colonial Pipeline, it was a, it was an
account, that um, that the person no longer worked.
(49:50):
There should have been um.
Why can I not think of the word? Deleted, removed, deleted, yeah,
deactivated, deactivated.
Yes, there we go.
It should have been deactivated but it wasn't, and they just
happened to find this and come across it and clearly they were
(50:15):
not.
I think the password or something like that had gotten
caught in some kind of other leak or breach or something, and
so they had the username and password and so they just logged
in and then they just started pivoting through.
And, you know, most of this ransomware, it's a worm.
So all they need to do is get it on one computer.
(50:36):
It'll propagate itself across the network and that's it.
And fortunately, you know, they had a process to, you know, shut
down OT so that it didn't have a chance to propagate there.
But you're still shutting down OT.
So it doesn't matter whether it is an internal attack or
whether it's directly, you know, directed at OT.
Ultimately the same, you know, end goal happened: you shut down
(51:00):
OT.
It was shut down for three days.
Gas on the East Coast went up to $9 a gallon.
People were panicking, you know.
People were putting gas in trash bags and stuff. Like you
created panic, and that was only three days.
And then, luckily also, they had backups. Because even though
they paid the ransom, ransom, they got the decryption key.
The decryption key worked so slowly that they had to restore
(51:23):
everything from backups anyways.
So, you know, these are, it's not this crazy stuff, it's really.
It is that low-hanging fruit.
It is going back to the basics.
Don't, don't keep default passwords.
You know, make secure passwords, um, literally as, as part of,
(51:44):
you know, as, as part of my, you know, our, our company, we use,
we, we, I provide a password management system for everybody
and you can have, you can put all of your passwords in there.
So there's really no reason for you to not create a, a secure
password, because you, you have that to do and I think that, you
(52:05):
know, more companies should do that and, and, honestly, it's
really not.
It's not that expensive. Things like a hundred dollars a year
and I have unlimited users and I, I can provide that.
We have a password vault now.
Yeah, exactly, but it's little things like that that we just
have gotten so far away from, because we're like, oh, we need
(52:26):
AI powered IDS to do this stuff and I'm like you can't change a
password, you don't need AI anything.
Speaker 4 (52:35):
But we think we need
this advanced technology when
really we need basic stuff that, you know, we need to start at
square one, which we're not even meeting those requirements.
Speaker 1 (52:45):
So exactly, exactly
so, with that, we're actually coming
up close on time, and I know it's Halloween, so we all got,
you know, fun things to do.
I need to eat stomach aches to have something that you said at
your talk at OT SkateCon, Ashley, something about there being
two types of companies: the ones that have been hacked and the
ones that haven't been hacked yet, or something to that effect.
(53:06):
Right, so assume that you will get hacked one way or another.
I'm already there.
What are?
Just, like you just said, the password manager, right,
something like a, a Bitwarden or I don't know what, you know,
recommendations would be for something like that.
But what are some of your top takeaways?
That, if somebody watched this, that the next time they feel
(53:28):
that they can have a conversation with someone about
cybersecurity, and you should do that really soon, um, including
with people on LinkedIn, you better have an IT guy or woman.
What are some of the top low-hanging fruit things that
people can do to either protect themselves or to make sure that,
when the time comes, you're in a position not to be completely
(53:51):
effed?
If you do get, don't use Google.
Speaker 5 (53:57):
Yeah, definitely
passwords.
That's a huge thing, you know.
In a password vault, yeah, using a password vault, I mean
you won't?
Speaker 4 (54:05):
ever know those
passwords?
It's like x, y, g, 700 letters long.
You just save it in there.
Speaker 5 (54:13):
You're like I don't
know what the password is. Nobody
does. You have a password vault?
Absolutely.
You know, making sure that you're not using default
passwords.
When you set up, you know, any kind of new infrastructure or
something like that, immediately change that default password.
And that's really important in, you know, OT, because a lot of
those devices, they, you know, they're admin, admin, I guess
(54:33):
that all day long, every single day, single day.
You know when.
You know when you are storing documents and things like that,
make backups, make offline backups.
You know get, get.
You know get a small.
You know one terabyte, two terabyte, five terabyte.
(54:53):
You know hard drive that you can plug in and put all the
files on there and then unplug it.
You know, don't have it connected to the internet, none
of those types of things.
But, you know, keep those files because if something happens and
your files are gone, you have to restore some way and then
make sure you're doing those backups on a regular basis.
You know, whether it be weekly, biweekly, monthly, in some sort
(55:17):
of frequency so that you have that data.
And then you know.
The final thing is I always saytrust but verify.
I'm going to.
You know I'm going to trust,
but I'm also going to verify,
you know, I'm going to make sure that you are who you say you
are, that you are authorized to do whatever you're.
(55:38):
You know you're saying you're authorized to do, um, and, and have
those different things, um, you know, and have, have those,
those processes in place, um, and that make sure that
everybody is following those processes.
You know, test your employees.
Just, you know, pull them aside, call them up and say, hey, you
know, if this happens, do you know what to do?
(56:00):
If this happens, do you know what to do?
Because that's the other thing is, we write policies and we
write procedures, but then we never test them.
You know, I can't tell you how many companies I've gone into
and I'm like, do you have an incident response plan?
And they're like, yeah, and I'm like cool, do your employees
know about it?
And they're like, uh, maybe.
I'm like, have you ever tested it?
Have you ever done an exercise?
(56:20):
Well, no, we just, you know, we just wrote it down, it's gonna
work, right.
Speaker 3 (56:24):
No, you don't know
that, because people don't know
what to do and people panic, and so, you know, those are, are some
of the biggest things that you can do. Yeah, a lot of times
we'll see people that, like, oh, we got, we used a template
incident response plan, nothing specific to our environment,
nothing specific to the people that are here, or we haven't
updated it in 15 years.
(56:44):
Person XYZ doesn't even work here anymore.
Like making sure those things are applicable to you.
Speaker 1 (56:51):
So, leah, what would
be your top tips of any?
Speaker 3 (56:55):
Yeah, I really.
From a governance standpoint, I really think that knowing what
to do when something happens is a big one.
So, like Ashley was saying, it's not if, but when.
So, planning for that, knowing who do we call if something
happens on a weekend, if something happens over a holiday
(57:16):
, are the people who we'd expect to be there?
Are they going to be available to be there?
Do they know that this is something we're looking to them
for?
If we need outside help, do we know who we would call? If we
need to get, like, the FBI involved?
If it's that big of a deal, do we know how to contact our local
field office?
(57:37):
Having those things thought of and put into a plan and scaling
that back a little bit, looking at the risk in your environment,
just sitting down and having a conversation of, like, what could
happen and involving people throughout the organization.
So just because someone's not an IT person, like Allie was
talking about, you don't need to be an IT person
(57:58):
to think of risks that
could happen within your environment.
You could be somebody on the shop floor that's like, hey, we
leave these ports open all the time and people are constantly
walking around.
Maybe someone we don't know comes in and just plugs
something in.
That could be a risk and that's worth having the conversation,
that you don't have to be a cyber person or an IT person to
(58:19):
even start thinking that way.
Speaker 1 (58:21):
Well, it's kind of
that goes with, like the culture.
Some companies are open to employee feedback and like
continuous improvement and they want people to be on the lookout
for problems that can be solved, things that can be done better,
like add cybersecurity to that kind of process that you have
of getting input from everywhere in your company.
Possibly, if you're not already, and if you're not the kind of
(58:42):
company that asks input from your employees on anything, then
I guess you could get hacked and I don't care.
But yeah, I want to throw up.
Speaker 4 (58:54):
No too small.
I'm not a very big company and I already lost 30 grand.
Speaker 1 (58:57):
So, scott, says
retrain your brain to use
passphrases.
Short sentences are easier for your brain to remember.
I guess I'm not one of those that.
That can't be in lieu of passwords, though, because
usually passwords do require, like, all these different types
of characters and stuff.
Right, so passphrases, people say a word.
Speaker 4 (59:16):
What I've done before
is I had a passphrase and I
would only, I would alternate the capital for every other first
letter, and so I would make, I would say that passphrase to me
and I'm just writing down only the first letter and then
alternating caps and whatever.
That's a little too. Repeat, whatever that password is,
without actually having to, like, because I don't remember.
Speaker 2 (59:36):
You didn't memorize
it.
You constructed it again by following some rules.
Speaker 3 (59:40):
Yeah.
Speaker 1 (59:41):
I do passwords.
Speaker 2 (59:42):
A similar way I
construct like.
I don't memorize any of my passwords, but I have a way to
construct the password if I remember what website I'm going
to.
Speaker 4 (59:49):
So and then some like
that tells you what that was
that you made, but not actually what.
Speaker 1 (59:56):
Not enough for them
to do, but enough for you, but
then like how quickly until AI can, like, predict the pattern
that we use based on the, the website that we're already in,
one of your, or they've got.
Speaker 4 (01:00:07):
They've bought your
credentials for something you
have to know every address I ever lived at.
But you could do it.
Speaker 1 (01:00:16):
Anyway, there are
practical things that you can do
, even if you don't have a department or a budget, but
certainly there are companies and resources out there.
Leah mentioned your local FBI's field office.
They'll also post about cases that have happened, common scams
that are going on, advice on how to avoid them.
(01:00:37):
The other thing is to know some cybersecurity companies or
consultants in your industry.
It does not hurt you to know them, even if you don't have
budget to pay them, because the time will come and you want to
have somebody to call.
So I mentioned this earlier.
We at least were able to call Ashley right away because we
know somebody that, you know, knows about this stuff.
So, as a closing remark, Ashley and Leah, if you guys could
(01:01:00):
give the audience a pitch for, or not a pitch, but just like what
exactly you guys do and can help with and how people can
reach out to your companies if they want to do business with
you or just to kind of start to network with you guys and your
colleagues, so that they at least have some cybersecurity
folks in their network, even if they're not, you know, adjacent
to that area, and if you don't have a cybersecurity partner,
(01:01:21):
and you're not going to get one, you are screwed.
Speaker 4 (01:01:24):
Yeah, and so?
Speaker 1 (01:01:26):
there's a lot of free
resources at NIST, yes, and I
will say like, year, a lot of these great resources are
pointed out to me, but this is such a low priority in my job
that I don't go out and look at websites to look at
cybersecurity information.
I'm more so, when it comes up, when I talk to people, when I
(01:01:46):
see opportunities to hear content.
I'm just not one of those people that goes to the websites
to, like, try to do my own research on things that aren't
immediately relevant to me.
Speaker 3 (01:01:56):
in this sense, yeah,
one thing I'd suggest is is
looking at your workflow and seeing where can you fit things
in.
So like, if you're, if you're big on LinkedIn, start following
some of the things like, like NIST or CISA, and you'll see
that pop up in your feed, some of the relevant things.
Speaker 1 (01:02:17):
Well, there you go.
So yeah, following them on LinkedIn versus trying to go to
their website and look for information.
Speaker 4 (01:02:21):
Yeah, Stories.
You're like oh my God, follow these people on.
Speaker 1 (01:02:24):
Instagram, like
wherever you're scrolling.
Okay, that, that's true.
Speaker 4 (01:02:30):
Like the hackers are
getting better.
Speaker 1 (01:02:31):
Whatever our feeds
are news feeds, are Apple News or,
you know, whatever, um, throw some cybersecurity stuff in
there.
Speaker 4 (01:02:40):
That's a great idea
but yeah, go find some people
like Ashley and Leah, because if you don't, which is why you're
not going to be okay, I'm not.
Speaker 1 (01:02:49):
You guys, you guys
and Leah, I'll let you go first
and then, Ashley, you can close it as the official sponsor of
this panel.
You can close it with the pitch for Wolf Evolution.
So, Leah, can you tell us a bit about NextLink Labs and what
you want people to know you guys for and come to you for?
Speaker 3 (01:03:04):
Yeah, so NextLink
Labs, we focus on three
different aspects.
So custom software development, DevSecOps and cybersecurity.
So when you're building applications and you want to
integrate security into them, you want to have better
workflows.
We look at what your organization is doing and help
(01:03:25):
you identify those gaps in your program and fill them in using
frameworks, using, you know, things that are specific to your
organization and the data that you handle and the workflows
that you have.
So we look at, you know, things that happen prior to an incident.
(01:03:49):
If you've had an incident, we can look at the risk that you
accepted that might have led to the incident and really focus on
how can we improve the cybersecurity posture moving
forward.
How can we give those assurances both to your company,
to any board of supervisors that might be over, or to your
(01:04:12):
clients too.
So how do we make your clients aware of the efforts that you're
putting into your cybersecurity programs?
Speaker 1 (01:04:18):
Very cool.
Thank you, I assume people can find you at, is it
nextlinklabs.com?
Yep, and follow you guys on LinkedIn?
Yep, and I know you and a couple of your other colleagues are
regular speakers at industry conferences like Automate.
Are there any more places that we should expect to see you guys
in the near future?
Speaker 3 (01:04:37):
Automate and Fabtech
are our big go-tos, okay.
Speaker 4 (01:04:42):
What about the ICS
Village of DEF CON?
I want to go hit that up next year.
Speaker 3 (01:04:47):
It's amazing if you
can go so.
Years ago I was senior staff for DEF CON when it was still
growing out the villages.
They're growing insanely now, but they have some really cool
stuff.
The ICS village is awesome.
They do car hacking.
That's really cool to see some of the things that we may not be
exposed to in, like, everyday life, to get a chance to go and
(01:05:10):
see the thought process. Everyone has a flipper and they're like
taking your credit cards.
Speaker 4 (01:05:14):
You're like, oh my
God.
Speaker 1 (01:05:17):
Very cool.
And then, um, Ashley, yeah, will you tell us a bit about
what you do?
I know you've mentioned a little bit about what you do
with your clients, but kind of, what's your focus and what type
of, types of companies should be coming to you?
Speaker 5 (01:05:30):
Yeah, absolutely so.
Our focus is assessments andconsulting.
So our assessment side, we're getting down to the nitty gritty,
actually looking at devices, looking for particular
vulnerabilities, looking at architecture, those types of
things, and really addressing those security gaps and giving
(01:05:51):
those recommendations and remediations of how you could
secure the devices in your environment.
On the consulting side we kind of go a little bit more high
level.
So that's where we start looking at your policies and
your overall security program and look for gaps there.
Because a lot of times, you know, a lot of people are like, well,
I need an assessment done.
Well, maybe you actually need a consultation first.
(01:06:15):
Maybe we need to look at a higher level and see, you know,
you have these vulnerabilities in your environment, but how did
they get there?
Is it because you have gaps in your policies or gaps in your
procedures?
And that may be something that needs to be addressed first
before you're actually going in and picking out these, you know,
little one-off vulnerabilities.
(01:06:36):
So that's kind of the primary of what we do, and very, very soon,
probably like the beginning of next year, we will also be
doing training.
So we'll have kind of various different aspects of training.
So training for the defensive side, training for if you want
to learn how to break things in OT, like I do, then we'll train
(01:07:00):
you to do that, and then generalized training for OT.
So a lot of companies, when you go and you get that generic
cybersecurity training, right, the IT-minded and everything.
I've never seen that in OT where you're actually applying
those cybersecurity principles, but for the operators.
Speaker 4 (01:07:25):
And for operations,
like the chief operating officer,
should get the big training and then roll it out to
everybody else.
Speaker 5 (01:07:31):
Exactly.
So, yeah, this is like I'm.
I'm in a control room and my mouth starts moving on its own.
What do I do?
That kind of training.
And, and for that training, not only are we going to have the
generic, but we're also going to work with companies to
customize it for their environments, so that'll be
something that's upcoming early next year as well.
Speaker 1 (01:07:53):
Wow, I feel like the
pressure to include I want to
include access to trainings the two days prior to OT Skate-a-Con,
so for some of you folks to be able to put on a class that
somebody could add to their OT Skate-a-Con registration.
I've been saying that, okay, let's close out, I'm gonna.
I'm gonna extend it just a little bit longer, if anybody's
(01:08:15):
even still here, but this is the recorded, so that's also fine.
Um, Ali, you have some training that you're working on.
Do you want to talk about it and then sign off?
Speaker 4 (01:08:22):
yeah, sure, uh, later
but uh, no, I I think I've
always asked, like, what people wanted to be trained on, and a
lot, and I don't know, for whatever reason, like people
would rather know more about, or at least when I did the survey,
they wanted to know about programming and SCADA.
But what I'm actually good at is design and hardware.
(01:08:43):
So I, like some programmers, love both.
Some programmers love one or the other.
I have never been the strongest programmer, cause I already
told you it's not real programming anyway.
Um, but I feel really good about, like, the way that I
develop a control panel, because I had to.
As someone who's not trained in electrical at all, like I took
(01:09:04):
one electrical class and I learned Ohm's law.
I don't know shit, like, but I know how to create an entire
control panel from scratch because I learned from other
people's drawings and then from building it myself and doing it
wrong and wiring it wrong and then being like, oh, I have to do
it like this, and so I did learn.
So I know all of the, like, layman's terms as to why certain
(01:09:24):
things are there, like why do you have a power supply?
Why do you have a control transformer?
How do you pick out, like, you know, to make this a UL panel.
How would you do that?
So I'm designing a class where I break down all the things that
someone like me who's not an electrical engineer, specifically
not an electrical engineer, to be able to create a schematic
that worked on DC and AC voltages.
(01:09:48):
So I want to tell you enough rules, colors, sizing of
conductors based on NEC, like enough shit in your class that
you, without an engineering degree, could design a control
panel, even if you are an engineer.
That's great, but that's not what this is for.
So I want to create a class for why is all that shit in there?
And same thing with, like, the size of the enclosure.
(01:10:09):
Does it need a cooling system or a heating system?
Like, how do you figure out how to size that?
How do you figure out how many IO cards you need?
How do you do all the motor circuit shit?
So I'm making a class for how do you design a control panel
from scratch?
Speaker 1 (01:10:23):
All right.
Well, stay tuned for more information on that.
If you're interested in the class, I think we have a wait
list going.
Or if you don't have a wait list going, Emily, we need a
wait list for the class going.
I think we'll have some info coming out about it in our
newsletter next week, and then volleying it, we also are going
to be.
I'm not going to give you the floor, though, Courtney, because
(01:10:45):
well I should, but yeah, just tell us robot training and then
you sign up.
Okay, the challenge is to you.
Speaker 2 (01:10:53):
I'm no longer talking
I have a robot and I need to
use it.
I'll bring it to you and train you, the end, and then I'll break
it afterwards. We're only going to get more and more into
hacking robots.
Speaker 4 (01:11:08):
Eventually, robots
are going to get hacked and
we're going to be like, oh my god, the robot did something bad.
Yeah, robots can be hacked.
Speaker 1 (01:11:16):
Let's keep talking to
each other, learning from each
other.
Make friends with Scott.
If you don't know Scott McNeil yet, he is.
He knows a lot.
He's got a lot of great resources.
Uh, honestly, at any of our events, like, the people that
are in the audience are just as knowledgeable as we are on
different topics.
So the, just the opportunity to network with the, with the
(01:11:39):
people that are here.
Please do that, um, and then share what you learn, or
whatever, with the rest of the world.
So, thank you guys for being here, happy Halloween and, uh,
we'll see you around soon.
Bye, bye, thanks everyone.
Speaker 5 (01:11:55):
Thanks.